xorddos | e19635381b2d291f2d2217efd78b80ad97d7ef34bfcbf10a4877263cfa7c9669

Analysis

max time kernel
151s
max time network
152s
platform
ubuntu-18.04_amd64
resource
ubuntu1804-amd64-20231221-en
resource tags

arch:amd64arch:i386image:ubuntu1804-amd64-20231221-enkernel:4.15.0-213-genericlocale:en-usos:ubuntu-18.04-amd64system
submitted
18-01-2024 05:03

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

6488dcbdcea8b92132925c0561cbb5dd
Size

611KB
MD5

6488dcbdcea8b92132925c0561cbb5dd
SHA1

317404379d9c763ccd2930a4cc159c55856edf13
SHA256

e19635381b2d291f2d2217efd78b80ad97d7ef34bfcbf10a4877263cfa7c9669
SHA512

268d67117e4e0b03287c70ce871171e373fe8c404adaacffd9eadccfe095c14b3f1d637f04254bdc54008420f370ec566516c55a5dcf1eb1aa73f795552fbae0
SSDEEP

12288:FBXOvdwV1/n/dQFhWlH/c1dHo4h9L+zNZrrpT6yF8EEP4UlUuTh1AG:FBXmkN/+Fhu/Qo4h9L+zNNpBVEBl/91h

Score

10^/10

xorddos botnet downloader persistence

Malware Config

Extracted

Family

xorddos

http://aa.hostasa.org/config.rar

cdn.search2c.com:53

cdn.netflix2cdn.com:53

Attributes

crc_polynomial
EDB88320

xor.plain

Signatures

XorDDoS
Botnet and downloader malware targeting Linux-based operating systems and IoT devices.
botnet downloader xorddos

XorDDoS payload 12 IoCs

Processes:

resource	yara_rule
/lib/libudev.so	family_xorddos
/usr/bin/oxorvapqri	family_xorddos
/usr/bin/oxorvapqri	family_xorddos
/usr/bin/oxorvapqri	family_xorddos
/usr/bin/prbkgbpsxh	family_xorddos
/usr/bin/prbkgbpsxh	family_xorddos
/usr/bin/idrjglzzvm	family_xorddos
/usr/bin/idrjglzzvm	family_xorddos
/usr/bin/xaxzaraaex	family_xorddos
/usr/bin/xaxzaraaex	family_xorddos
/usr/bin/flwzuhxcal	family_xorddos
/usr/bin/flwzuhxcal	family_xorddos

Deletes itself 1 IoCs

Processes:

pid

1636

pid
1636

Executes dropped EXE 24 IoCs

Processes:

oxorvapqrioxorvapqrioxorvapqrioxorvapqrioxorvapqriprbkgbpsxhprbkgbpsxhprbkgbpsxhprbkgbpsxhprbkgbpsxhidrjglzzvmidrjglzzvmidrjglzzvmidrjglzzvmidrjglzzvmxaxzaraaexxaxzaraaexxaxzaraaexxaxzaraaexxaxzaraaexflwzuhxcalflwzuhxcalflwzuhxcalflwzuhxcal

ioc	pid	process
/usr/bin/oxorvapqri	1569	oxorvapqri
/usr/bin/oxorvapqri	1571	oxorvapqri
/usr/bin/oxorvapqri	1575	oxorvapqri
/usr/bin/oxorvapqri	1578	oxorvapqri
/usr/bin/oxorvapqri	1581	oxorvapqri
/usr/bin/prbkgbpsxh	1584	prbkgbpsxh
/usr/bin/prbkgbpsxh	1587	prbkgbpsxh
/usr/bin/prbkgbpsxh	1590	prbkgbpsxh
/usr/bin/prbkgbpsxh	1593	prbkgbpsxh
/usr/bin/prbkgbpsxh	1596	prbkgbpsxh
/usr/bin/idrjglzzvm	1599	idrjglzzvm
/usr/bin/idrjglzzvm	1602	idrjglzzvm
/usr/bin/idrjglzzvm	1605	idrjglzzvm
/usr/bin/idrjglzzvm	1607	idrjglzzvm
/usr/bin/idrjglzzvm	1610	idrjglzzvm
/usr/bin/xaxzaraaex	1614	xaxzaraaex
/usr/bin/xaxzaraaex	1616	xaxzaraaex
/usr/bin/xaxzaraaex	1620	xaxzaraaex
/usr/bin/xaxzaraaex	1623	xaxzaraaex
/usr/bin/xaxzaraaex	1626	xaxzaraaex
/usr/bin/flwzuhxcal	1629	flwzuhxcal
/usr/bin/flwzuhxcal	1631	flwzuhxcal
/usr/bin/flwzuhxcal	1635	flwzuhxcal
/usr/bin/flwzuhxcal	1638	flwzuhxcal

Creates/modifies Cron job 1 TTPs 2 IoCs
Cron allows running tasks on a schedule, and is commonly used for malware persistence.
persistence

Scheduled Task/Job
T1053

Processes:

sh

description ioc

File opened for modification /etc/cron.hourly/gcc.sh
File opened for modification /etc/crontab sh
Modifies init.d 1 TTPs 1 IoCs
Adds/modifies system service, likely for persistence.
persistence

Boot or Logon Autostart Execution
T1547

Processes:

description ioc

File opened for modification /etc/init.d/6488dcbdcea8b92132925c0561cbb5dd

description	ioc
File opened for modification	/etc/cron.hourly/gcc.sh
File opened for modification	/etc/crontab	sh

description	ioc
File opened for modification	/etc/init.d/6488dcbdcea8b92132925c0561cbb5dd

Write file to user bin folder 1 TTPs 5 IoCs

Hijack Execution Flow

T1574

Processes:

description	ioc
File opened for modification	/usr/bin/oxorvapqri
File opened for modification	/usr/bin/prbkgbpsxh
File opened for modification	/usr/bin/idrjglzzvm
File opened for modification	/usr/bin/xaxzaraaex
File opened for modification	/usr/bin/flwzuhxcal

Reads runtime system information 9 IoCs

Reads data from /proc virtual filesystem.

Processes:

systemctlsed

description	ioc	process
File opened for reading	/proc/self/stat	systemctl
File opened for reading	/proc/1/environ	systemctl
File opened for reading	/proc/cmdline	systemctl
File opened for reading	/proc/filesystems	sed
File opened for reading	/proc/filesystems	systemctl
File opened for reading	/proc/sys/kernel/osrelease	systemctl
File opened for reading	/proc/1/sched	systemctl
File opened for reading	/proc/rs_dev
File opened for reading	/proc/stat

/tmp/6488dcbdcea8b92132925c0561cbb5dd
/tmp/6488dcbdcea8b92132925c0561cbb5dd
1⤵
PID:1533

/bin/chkconfig
chkconfig --add 6488dcbdcea8b92132925c0561cbb5dd
1⤵
PID:1536

/sbin/chkconfig
chkconfig --add 6488dcbdcea8b92132925c0561cbb5dd
1⤵
PID:1536

/usr/bin/chkconfig
chkconfig --add 6488dcbdcea8b92132925c0561cbb5dd
1⤵
PID:1536

/usr/sbin/chkconfig
chkconfig --add 6488dcbdcea8b92132925c0561cbb5dd
1⤵
PID:1536

/usr/local/bin/chkconfig
chkconfig --add 6488dcbdcea8b92132925c0561cbb5dd
1⤵
PID:1536

/usr/local/sbin/chkconfig
chkconfig --add 6488dcbdcea8b92132925c0561cbb5dd
1⤵
PID:1536

/usr/X11R6/bin/chkconfig
chkconfig --add 6488dcbdcea8b92132925c0561cbb5dd
1⤵
PID:1536

/bin/update-rc.d
update-rc.d 6488dcbdcea8b92132925c0561cbb5dd defaults
1⤵
PID:1538

/sbin/update-rc.d
update-rc.d 6488dcbdcea8b92132925c0561cbb5dd defaults
1⤵
PID:1538

/usr/bin/update-rc.d
update-rc.d 6488dcbdcea8b92132925c0561cbb5dd defaults
1⤵
PID:1538

/usr/sbin/update-rc.d
update-rc.d 6488dcbdcea8b92132925c0561cbb5dd defaults
1⤵
PID:1538
- /bin/systemctl
  systemctl daemon-reload
  2⤵
  - Reads runtime system information
  PID:1544

/bin/sh
sh -c "sed -i '/\\/etc\\/cron.hourly\\/gcc.sh/d' /etc/crontab && echo '*/3 * * * * root /etc/cron.hourly/gcc.sh' >> /etc/crontab"
1⤵
- Creates/modifies Cron job
PID:1539
- /bin/sed
  sed -i "/\\/etc\\/cron.hourly\\/gcc.sh/d" /etc/crontab
  2⤵
  - Reads runtime system information
  PID:1540

/usr/bin/oxorvapqri
/usr/bin/oxorvapqri "ifconfig eth0" 1534
1⤵
- Executes dropped EXE
PID:1569

/usr/bin/oxorvapqri
/usr/bin/oxorvapqri gnome-terminal 1534
1⤵
- Executes dropped EXE
PID:1571

/usr/bin/oxorvapqri
/usr/bin/oxorvapqri "netstat -antop" 1534
1⤵
- Executes dropped EXE
PID:1575

/usr/bin/oxorvapqri
/usr/bin/oxorvapqri uptime 1534
1⤵
- Executes dropped EXE
PID:1578

/usr/bin/oxorvapqri
/usr/bin/oxorvapqri bash 1534
1⤵
- Executes dropped EXE
PID:1581

/usr/bin/prbkgbpsxh
/usr/bin/prbkgbpsxh "echo \"find\"" 1534
1⤵
- Executes dropped EXE
PID:1584

/usr/bin/prbkgbpsxh
/usr/bin/prbkgbpsxh "cat resolv.conf" 1534
1⤵
- Executes dropped EXE
PID:1587

/usr/bin/prbkgbpsxh
/usr/bin/prbkgbpsxh bash 1534
1⤵
- Executes dropped EXE
PID:1590

/usr/bin/prbkgbpsxh
/usr/bin/prbkgbpsxh "route -n" 1534
1⤵
- Executes dropped EXE
PID:1593

/usr/bin/prbkgbpsxh
/usr/bin/prbkgbpsxh ifconfig 1534
1⤵
- Executes dropped EXE
PID:1596

/usr/bin/idrjglzzvm
/usr/bin/idrjglzzvm "netstat -an" 1534
1⤵
- Executes dropped EXE
PID:1599

/usr/bin/idrjglzzvm
/usr/bin/idrjglzzvm who 1534
1⤵
- Executes dropped EXE
PID:1602

/usr/bin/idrjglzzvm
/usr/bin/idrjglzzvm ifconfig 1534
1⤵
- Executes dropped EXE
PID:1605

/usr/bin/idrjglzzvm
/usr/bin/idrjglzzvm uptime 1534
1⤵
- Executes dropped EXE
PID:1607

/usr/bin/idrjglzzvm
/usr/bin/idrjglzzvm sh 1534
1⤵
- Executes dropped EXE
PID:1610

/usr/bin/xaxzaraaex
/usr/bin/xaxzaraaex gnome-terminal 1534
1⤵
- Executes dropped EXE
PID:1614

/usr/bin/xaxzaraaex
/usr/bin/xaxzaraaex "route -n" 1534
1⤵
- Executes dropped EXE
PID:1616

/usr/bin/xaxzaraaex
/usr/bin/xaxzaraaex "ls -la" 1534
1⤵
- Executes dropped EXE
PID:1620

/usr/bin/xaxzaraaex
/usr/bin/xaxzaraaex su 1534
1⤵
- Executes dropped EXE
PID:1623

/usr/bin/xaxzaraaex
/usr/bin/xaxzaraaex "route -n" 1534
1⤵
- Executes dropped EXE
PID:1626

/usr/bin/flwzuhxcal
/usr/bin/flwzuhxcal ifconfig 1534
1⤵
- Executes dropped EXE
PID:1629

/usr/bin/flwzuhxcal
/usr/bin/flwzuhxcal "ifconfig eth0" 1534
1⤵
- Executes dropped EXE
PID:1631

/usr/bin/flwzuhxcal
/usr/bin/flwzuhxcal "echo \"find\"" 1534
1⤵
- Executes dropped EXE
PID:1635

/usr/bin/flwzuhxcal
/usr/bin/flwzuhxcal "grep \"A\"" 1534
1⤵
- Executes dropped EXE
PID:1638

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Boot or Logon Autostart Execution

T1547

Hijack Execution Flow

T1574

Scheduled Task/Job

T1053

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Hijack Execution Flow

T1574

Scheduled Task/Job

T1053

Defense Evasion

Hijack Execution Flow

T1574

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

/etc/cron.hourly/gcc.sh

Filesize
228B

MD5
3bab747cedc5f0ebe86aaa7f982470cd

SHA1
3c7d1c6931c2b3dae39d38346b780ea57c8e6142

SHA256
74d31cac40d98ee64df2a0c29ceb229d12ac5fa699c2ee512fc69360f0cf68c5

SHA512
21e8a6d9ca8531d37def83d8903e5b0fa11ecf33d85d05edab1e0feb4acac65ae2cf5222650fb9f533f459ccc51bb2903276ff6f827b847cc5e6dac7d45a0a42

Download Submit
/etc/init.d/6488dcbdcea8b92132925c0561cbb5dd

Filesize
425B

MD5
d68a25ed3f3e1a5c521c040c1a211eff

SHA1
2b291a7a809f3e991b71eb4c97f1ca7499c8ab0e

SHA256
93813d56118f4b1f4016e4294dd997bf90cb936f23f491951dccc827ed57832d

SHA512
25e3daec62821c77454bad634a12ec26456554c778de186aa5cb4bd57e74cec120e9a6f07712e1be4d50d006511a6eb5a0280b2979a45f45b35de8b5a14cfddf

Download Submit
/etc/sedYBIzbr

Filesize
722B

MD5
8f111d100ea459f68d333d63a8ef2205

SHA1
077ca9c46a964de67c0f7765745d5c6f9e2065c3

SHA256
0e5c204385b21e15b031c83f37212bf5a4ee77b51762b7b54bd6ad973ebdf354

SHA512
d81767b47fb84aaf435f930356ded574ee9825ec710a2e7c26074860d8a385741d65572740137b6f9686c285a32e2951ca933393b266746988f1737aad059adb

Download Submit
/lib/libudev.so

Filesize
611KB

MD5
6488dcbdcea8b92132925c0561cbb5dd

SHA1
317404379d9c763ccd2930a4cc159c55856edf13

SHA256
e19635381b2d291f2d2217efd78b80ad97d7ef34bfcbf10a4877263cfa7c9669

SHA512
268d67117e4e0b03287c70ce871171e373fe8c404adaacffd9eadccfe095c14b3f1d637f04254bdc54008420f370ec566516c55a5dcf1eb1aa73f795552fbae0

Download Submit
/run/gcc.pid

Filesize
32B

MD5
28f53f68a6a2e801b1dcc1e4cda2385d

SHA1
02c061fe2a6f1499d8fc0d46eefd496113d8d882

SHA256
c4729f59279155219c6e4449354a188ab1d4879676f8b0d87f746ce0f9ce79c5

SHA512
cb3d1f358c16e7c782a73bb97835f766b285cb7994db303eee58cf6fac88fb8fbe4244d9459a355b727a299aabd7d56f2b26edc963ce6f61f6ba1729bd4c444b

Download Submit
/usr/bin/flwzuhxcal

Filesize
611KB

MD5
3d721a2e03c21c9987cb5ec2c1bb8618

SHA1
339af3639878639d9d0878ddcc187ecdb7c2ecc3

SHA256
e2ad0f9b33eca7efef274d3cdda7500e98537064db49546b69d0655159a4fbe9

SHA512
c95887f1fb2997b4a69d50a68e6a72bc5b74de15618dd7d476ac10b9935af8e6f6326790dda4569a41f6dfcab02b149c79bc233f44321f6fe69957709632f909

Download Submit
/usr/bin/flwzuhxcal

Filesize
611KB

MD5
c9a24e164e95d880be2a38a218249080

SHA1
39ba6b8d9fc646f190de9d92059747a09fc54465

SHA256
7b93ff1b9b7d015d6196e0d6d3b6e4e851e1048234f5e624a4c9dc668577c93d

SHA512
2b0cb51118bfc9474530c8b273f7fa89f65454726fac1b30ab21939e9f2ba2f1cbb545525f8436015031ac26a4bdbd6b31b63e7403d08f5a6ce067e33dff235c

Download Submit
/usr/bin/idrjglzzvm

Filesize
611KB

MD5
593a80a41a77bcb0ddca492e0cc0fae9

SHA1
3a3fdb6205d27ae98b48851203b7a1b1ec3ae882

SHA256
84b8c98fb2dbfb3b5cac49f7d42a68a98c0db564204f62f63db2c94fd83700b6

SHA512
f629c5a9eba3ce315a145665cc35bb3e5fc8ff86fffcd467a1d47237007c496e3c78e2480fbf58ba17bf177325a23f35b5979d0c4e73d97b642eee26e8addc68

Download Submit
/usr/bin/idrjglzzvm

Filesize
611KB

MD5
93ad88b3c2fab389dcc55fa04078a591

SHA1
2a3f6322be75d3e1853e0032eaae45d793d2437d

SHA256
342812db5f3327434ae21f4ad98a16716e01e3e427580520a24cabd4d39c965b

SHA512
5ee0269247498e572e94538ee75a49c15218f7f01caa9c36536da5d35bd65ecd6c0bda8ae789973f3b4d94e0b5c9b11ed21390d18cb5eef74a0ed9281052876e

Download Submit
/usr/bin/oxorvapqri

Filesize
580KB

MD5
8b4aefcc4897ec601e2ff72f384d587d

SHA1
62d43a77f5898984f076ac88d2a10a39f1794a14

SHA256
6c6701ba07a4e0338d6b910edfbdd36accf1e059040b3b18a16f9ef8e8161cd2

SHA512
001c5eeabfec41b0582da3acb4bb685b1896d11f34c50d55eda62695e6ed7b6bd8a1a058dba91e89317c5f222ede77ff90f2b6a95ad981da024c512a5e90a993

Download Submit
/usr/bin/oxorvapqri

Filesize
611KB

MD5
28128f3c3b052fce022d67e9124f5806

SHA1
cc06464798603967588f63cd67a9d75aa9987619

SHA256
77a8868ec90702e1a9aaab2282da17aba70c80721bb655a7d8050904e2cd2e21

SHA512
f7a372565239ff3de90fd8abccbbf558c82194d9390545a491a7bbda73c2e57f80e09c072623f173198ba65fa58fefda8b580990fed5fb21bd96ecfb617ba582

Download Submit
/usr/bin/oxorvapqri

Filesize
611KB

MD5
ee31170461b97e767d9591125ed834ab

SHA1
b6018b809529e6b71365cef2541bb449d4059749

SHA256
52ecce7ad6f371317f9673945eea8138c69bef2de1da73a273174c3a01aa35e5

SHA512
7e97193e8267351cc7755e09dabb2e585409371fb2205af39bfd71e2c6cef04ab5553029436d3c440bdc3c4bc443d6a40d5fcfdc311055ac9a3ba1d75e29e680

Download Submit
/usr/bin/prbkgbpsxh

Filesize
611KB

MD5
28840967f3d5c87ecb48af52beb1305b

SHA1
209af2e1ebf156a96eae2001365ab4291b5e3949

SHA256
791e11d42ae9c40a3ca17914c848903a4e53f3b9680971ca8736c2547fda76d5

SHA512
66def060f70e2b1fcc085945c0ce21fd5d491e20b7fcc576190b344eca85318e150b9f8b40039d9eb41359871768d8f08f525fe5f0e928f5984d07ec9119d89a

Download Submit
/usr/bin/prbkgbpsxh

Filesize
611KB

MD5
f733f45abdad64603cf3d4351298f7ed

SHA1
fd68333ad6d2a35cd1fce13187e458d2bf7240c6

SHA256
1c7c5e6322e0551696317ed962f3213e84e4757554503fcbbaf90e68a1bfa9ad

SHA512
ffb56cff33c38d787e30c4a6fc210f4bad2724fd153576d58a247f88acc81d8ffc99aabf7cee9ff4f97b4b70fc11c020b7951fce6d2d2b8c6920b45e7abc4c42

Download Submit
/usr/bin/xaxzaraaex

Filesize
611KB

MD5
e0dfec6fdc181065bf45c7bb6613eae0

SHA1
fff73a2a73b6563f721299eda8bab9e4b3119fec

SHA256
e1044ece4cb91ada3d204a9ae388843e17eed5506bf6f203a8015e95954e4828

SHA512
ba36115002ffd60ecb9ed6b98436b2f7eb9a0f4b9d51e01e099c5e939e48e24c671dfb8fd7e7adfdf2f7b28c170b339f52a753be40abc122b20b6e81b603b086

Download Submit
/usr/bin/xaxzaraaex

Filesize
611KB

MD5
44f0eef566cdf0fa99bf74ed3b09040f

SHA1
b0069e626ec9fdc7cf05abe5f2df6133d029a299

SHA256
1af5c1a75eb3864374c5352dd543d29d2daa638cd26690bf5eecbafc6a7e20cd

SHA512
dd2b03bdc5e29319967cc25370e0288f3d80bd434e9c76c8c2780ee0b4aebb4a5857b7f4d627fa610cc50977c8fd7323824953d91e89af90c12dce968420a508

Download Submit