xorddos | ea40ecec0b30982fbb1662e67f97f0e9d6f43d2d587f2f588525fae683abea73

Analysis

max time kernel
151s
max time network
152s
platform
ubuntu-18.04_amd64
resource
ubuntu1804-amd64-20231221-en
resource tags

arch:amd64arch:i386image:ubuntu1804-amd64-20231221-enkernel:4.15.0-213-genericlocale:en-usos:ubuntu-18.04-amd64system
submitted
06-02-2024 13:44

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ea40ecec0b30982fbb1662e67f97f0e9d6f43d2d587f2f588525fae683abea73
Size

549KB
MD5

f9191bab1e834d4aef3380700639cee9
SHA1

9c20269df6694260a24ac783de2e30d627a6928a
SHA256

ea40ecec0b30982fbb1662e67f97f0e9d6f43d2d587f2f588525fae683abea73
SHA512

3d2758fe2d06183e627b5cc24919c08c84108f2efd7ab0a162029d55537476410d9535d50f3eb059f7153f7482c134284862eea121201f82838aace4b12283b5
SSDEEP

12288:VeRvuKqiVZ4En5drNK0pPEfJKlHZ8mG97Qxee6yzmx:VIv/qiVNHNDEfJKHZ8mG9QeeO

Score

10^/10

xorddos botnet downloader persistence

Malware Config

Extracted

Family

xorddos

api.markerbio.com:112

api.enoan2107.com:112

http://qq.com/lib.asp

Attributes

crc_polynomial
CDB88320

xor.plain

Signatures

XorDDoS
Botnet and downloader malware targeting Linux-based operating systems and IoT devices.
botnet downloader xorddos

XorDDoS payload 1 IoCs

resource	yara_rule
behavioral1/files/fstream-2.dat	family_xorddos

Deletes itself 16 IoCs

pid
1593
1602
1605
1608
1611
1614
1622
1626
1629
1632
1634
1638
1641
1644
1647
1649

Executes dropped EXE 16 IoCs

ioc	pid	Process
/bin/ylpqawoii	1596	ylpqawoii
/bin/ddetotxzgeh	1601	ddetotxzgeh
/bin/wjbxxuskkooti	1604	wjbxxuskkooti
/bin/abojympkd	1607	abojympkd
/bin/wcbqwrmsdpsal	1610	wcbqwrmsdpsal
/bin/wzarjz	1613	wzarjz
/bin/clzrxelug	1621	clzrxelug
/bin/megayjpq	1624	megayjpq
/bin/bbyzcysnxjamon	1627	bbyzcysnxjamon
/bin/flttfbgrforeyi	1630	flttfbgrforeyi
/bin/jjxhkzicnhopw	1633	jjxhkzicnhopw
/bin/bdqzlkkxiujjco	1636	bdqzlkkxiujjco
/bin/lcohirttfyyae	1639	lcohirttfyyae
/bin/mqlpimc	1642	mqlpimc
/bin/xbfrlqvzpgdf	1645	xbfrlqvzpgdf
/bin/lwledjcdpppi	1648	lwledjcdpppi

Unexpected DNS network traffic destination 1 IoCs

Network traffic to other servers than the configured DNS servers was detected on the DNS port.

description	ioc
Destination IP	114.114.114.114

Creates/modifies Cron job 1 TTPs 1 IoCs

Cron allows running tasks on a schedule, and is commonly used for malware persistence.

persistence

Scheduled Task/Job

T1053

description	ioc
File opened for modification	/etc/cron.hourly/iiowaqply.sh

Enumerates active TCP sockets 1 TTPs 1 IoCs

Gets active TCP sockets from /proc virtual filesystem.

System Network Connections Discovery

T1049

description	ioc
File opened for reading	/proc/net/tcp

Enumerates running processes
Discovers information about currently running processes on the system

Modifies init.d 1 TTPs 1 IoCs

Adds/modifies system service, likely for persistence.

persistence

Boot or Logon Autostart Execution

T1547

description	ioc
File opened for modification	/etc/init.d/iiowaqply

Writes file to system bin folder 1 TTPs 18 IoCs

Hijack Execution Flow

T1574

description	ioc
File opened for modification	/bin/iiowaqply
File opened for modification	/bin/iiowaqply.sh
File opened for modification	/bin/bdqzlkkxiujjco
File opened for modification	/bin/lcohirttfyyae
File opened for modification	/bin/ylpqawoii
File opened for modification	/bin/wjbxxuskkooti
File opened for modification	/bin/abojympkd
File opened for modification	/bin/wzarjz
File opened for modification	/bin/clzrxelug
File opened for modification	/bin/bbyzcysnxjamon
File opened for modification	/bin/flttfbgrforeyi
File opened for modification	/bin/jjxhkzicnhopw
File opened for modification	/bin/megayjpq
File opened for modification	/bin/xbfrlqvzpgdf
File opened for modification	/bin/ddetotxzgeh
File opened for modification	/bin/wcbqwrmsdpsal
File opened for modification	/bin/mqlpimc
File opened for modification	/bin/lwledjcdpppi

Reads system network configuration 1 TTPs 1 IoCs

Uses contents of /proc filesystem to enumerate network settings.

System Network Configuration Discovery

T1016

description	ioc
File opened for reading	/proc/net/tcp

Reads runtime system information 49 IoCs

Reads data from /proc virtual filesystem.

description	ioc
File opened for reading	/proc/551/fd
File opened for reading	/proc/1315/fd
File opened for reading	/proc/1342/fd
File opened for reading	/proc/490/fd
File opened for reading	/proc/526/fd
File opened for reading	/proc/1253/fd
File opened for reading	/proc/1261/fd
File opened for reading	/proc/1389/fd
File opened for reading	/proc/1569/fd
File opened for reading	/proc/1658/fd
File opened for reading	/proc/1350/fd
File opened for reading	/proc/420/fd
File opened for reading	/proc/499/fd
File opened for reading	/proc/542/fd
File opened for reading	/proc/332/fd
File opened for reading	/proc/281/fd
File opened for reading	/proc/485/fd
File opened for reading	/proc/1294/fd
File opened for reading	/proc/1297/fd
File opened for reading	/proc/1448/fd
File opened for reading	/proc/1/fd
File opened for reading	/proc/1471/fd
File opened for reading	/proc/437/fd
File opened for reading	/proc/471/fd
File opened for reading	/proc/478/fd
File opened for reading	/proc/1279/fd
File opened for reading	/proc/326/fd
File opened for reading	/proc/415/fd
File opened for reading	/proc/545/fd
File opened for reading	/proc/570/fd
File opened for reading	/proc/486/fd
File opened for reading	/proc/1319/fd
File opened for reading	/proc/1553/fd
File opened for reading	/proc/252/fd
File opened for reading	/proc/525/fd
File opened for reading	/proc/1334/fd
File opened for reading	/proc/1615/fd
File opened for reading	/proc/417/fd
File opened for reading	/proc/484/fd
File opened for reading	/proc/494/fd
File opened for reading	/proc/1661/fd
File opened for reading	/proc/483/fd
File opened for reading	/proc/1653/fd
File opened for reading	/proc/1655/fd
File opened for reading	/proc/1664/fd
File opened for reading	/proc/462/fd
File opened for reading	/proc/482/fd
File opened for reading	/proc/1308/fd
File opened for reading	/proc/1362/fd

Writes file to shm directory 2 IoCs

Malware can drop malicious files in the shm directory which will run directly from RAM.

description	ioc
File opened for modification	/dev/shm/sem.qiobll
File opened for modification	/dev/shm/sem.lgGcRy

/tmp/ea40ecec0b30982fbb1662e67f97f0e9d6f43d2d587f2f588525fae683abea73
/tmp/ea40ecec0b30982fbb1662e67f97f0e9d6f43d2d587f2f588525fae683abea73
1⤵
PID:1592

/bin/ylpqawoii
/bin/ylpqawoii
1⤵
- Executes dropped EXE
PID:1596

/bin/ddetotxzgeh
/bin/ddetotxzgeh -d 1597
1⤵
- Executes dropped EXE
PID:1601

/bin/wjbxxuskkooti
/bin/wjbxxuskkooti -d 1597
1⤵
- Executes dropped EXE
PID:1604

/bin/abojympkd
/bin/abojympkd -d 1597
1⤵
- Executes dropped EXE
PID:1607

/bin/wcbqwrmsdpsal
/bin/wcbqwrmsdpsal -d 1597
1⤵
- Executes dropped EXE
PID:1610

/bin/wzarjz
/bin/wzarjz -d 1597
1⤵
- Executes dropped EXE
PID:1613

/bin/clzrxelug
/bin/clzrxelug -d 1597
1⤵
- Executes dropped EXE
PID:1621

/bin/megayjpq
/bin/megayjpq -d 1597
1⤵
- Executes dropped EXE
PID:1624

/bin/bbyzcysnxjamon
/bin/bbyzcysnxjamon -d 1597
1⤵
- Executes dropped EXE
PID:1627

/bin/flttfbgrforeyi
/bin/flttfbgrforeyi -d 1597
1⤵
- Executes dropped EXE
PID:1630

/bin/jjxhkzicnhopw
/bin/jjxhkzicnhopw -d 1597
1⤵
- Executes dropped EXE
PID:1633

/bin/bdqzlkkxiujjco
/bin/bdqzlkkxiujjco -d 1597
1⤵
- Executes dropped EXE
PID:1636

/bin/lcohirttfyyae
/bin/lcohirttfyyae -d 1597
1⤵
- Executes dropped EXE
PID:1639

/bin/mqlpimc
/bin/mqlpimc -d 1597
1⤵
- Executes dropped EXE
PID:1642

/bin/xbfrlqvzpgdf
/bin/xbfrlqvzpgdf -d 1597
1⤵
- Executes dropped EXE
PID:1645

/bin/lwledjcdpppi
/bin/lwledjcdpppi -d 1597
1⤵
- Executes dropped EXE
PID:1648

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Boot or Logon Autostart Execution

T1547

Hijack Execution Flow

T1574

Scheduled Task/Job

T1053

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Hijack Execution Flow

T1574

Scheduled Task/Job

T1053

Defense Evasion

Hijack Execution Flow

T1574

Credential Access

Discovery

System Network Configuration Discovery

T1016

System Network Connections Discovery

T1049

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

/bin/ylpqawoii

Filesize
549KB

MD5
6a760c9b1cc2e97a11c314030e6ec379

SHA1
8680b6eb0045b28ef7acd18ba805d0c9d2f29517

SHA256
1232c9ddde9499baff7b6ede22264ba094982d1aa75a981c250060b08253a7f6

SHA512
12cad5ddd944b1eb1e631dc7100ca14a6c92764d2ecd267b216df51f85e4fff836a65b619c7332a7edddfcef0625ac91f5151ddbea49a305b3d27ab4eb5ab80a

Download Submit
/etc/cron.hourly/iiowaqply.sh

Filesize
146B

MD5
d4c83a1c770d343b51f47dccd45a1a06

SHA1
d053edfe004efbbc3bcd38b25f26898f30c0d6a2

SHA256
ea41ae4eb30ac827f2f2d49bb0a9e3927ab97c7432c201e20a349de4278350b4

SHA512
c42c1f9c02be9d3bc4d141d0a81b76ad04be61071d67d971801ad349ebe1426b6adfaa19ed0b5b795663ffa4f66462eceb5c4c7dc8b2d0006078f1a28cb71069

Download Submit
/etc/daemon.cfg

Filesize
32B

MD5
77af310d7861efcd90cdc959d757c3ac

SHA1
63279d6a00f5e151e392115bbce531396fa0cb7b

SHA256
8ed3931bef31f0e47f1afb8254d8a77c0dd07c1498ba0699415c4d1a2a393fd7

SHA512
b3dba90f4a5cc6c60d80d29803d019e87b4805db7e8c461956f88b55ffa17052df25c9e837ff4cb95a9d804f9c7870daab627a6a2385d41eb7091c6602f27a82

Download Submit
/etc/init.d/iiowaqply

Filesize
333B

MD5
45a19f7a38eae29074e3f65e064f3af1

SHA1
0f9e9f9f3a43861dbb0150d78c8c40d18c192995

SHA256
730386406fc888ff9af315d379167a694f73ea2b11c8cda28a008f8085fbdb1e

SHA512
6bc7330133e68c70bf15aa7ae7f0335928d6a0d8834d46bdf4eaec2c91f934d870898d422d46b892e9af5151609f310133ba2b839b3f1794e910fe0ea3078fc7

Download Submit

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads