xorddos | fb18a78ab398c101ec335992020bdbf6ca35db5d74b6c708d126cf4d4ebf289d

General

Target

fb18a78ab398c101ec335992020bdbf6ca35db5d74b6c708d126cf4d4ebf289d.elf
Size

549KB
MD5

450cea21132fad13be77c7030d2a9e9d
SHA1

e0fdfb05fb79f5ba1cafc69b78a50a0eed6eeedb
SHA256

fb18a78ab398c101ec335992020bdbf6ca35db5d74b6c708d126cf4d4ebf289d
SHA512

6d282ecf3df15592a2e000906e5aca9665421309a35b31d7aed3cedcc0f46b2f7b6db2426afa7a02f49173b59b9be5c6089dbd0f8a4da8e962ca254e00854f49
SSDEEP

12288:VeRvuKqiVZ4En5drNK0pPEfJKlHZ8mG97Qxee6yzmx:VIv/qiVNHNDEfJKHZ8mG9QeeO

Score

10^/10

xorddos botnet discovery downloader persistence

Malware Config

Extracted

Family

xorddos

C2

user.myserv012.com:123

user.search2c.com:123

http://qq.com/lib.asp

Attributes

crc_polynomial
CDB88320

xor.plain

Signatures

XorDDoS
Botnet and downloader malware targeting Linux-based operating systems and IoT devices.
botnet downloader xorddos

XorDDoS payload 1 IoCs

Processes:

resource	yara_rule
/usr/bin/uqgzbyvriie	family_xorddos

Creates a large amount of network flows 1 TTPs
This may indicate a network scan to discover remotely running services.
discovery

Network Service Discovery
T1046
Deletes itself 36 IoCs

Processes:

pid

1495
1521
1526
1533
1538
1550
1604
1607
1610
1613
1616
1700
1703
1706
1709
1712
1717
1720
1723
1726
1729
1732
1735
1738
1741
1744
1747
1752
1753
1758
1759
1762
1767
1768
1773
1774

pid
1495
1521
1526
1533
1538
1550
1604
1607
1610
1613
1616
1700
1703
1706
1709
1712
1717
1720
1723
1726
1729
1732
1735
1738
1741
1744
1747
1752
1753
1758
1759
1762
1767
1768
1773
1774

Executes dropped EXE 36 IoCs

Processes:

uqgzbyvriiekhkzindyujfvhstgurmqazcwzgjjhiggpsdphbrsknsiwfrmktfjsecbxvrgtfsrfnirbwliwjmvqksauhffcqrwaagimgoighfwvyvojxtecvjjizytnmbjfvgeonkwihcrprtipdokldpqxovxxsnnkoxnvglhhxonesysfywevkzuhxnwmklmfrxosoqnwiydgwdrpzxctjevoojaxvkspakwuiwzoucgkhfjluucmkspjsviolnwfeeodztgssvpegjavkcebnzymkljrsnhpflmbkveceoxahcrkhoggtsmypngvdodwhsuwgiaoxhalimgo

ioc	pid	process
/usr/bin/uqgzbyvriie	1507	uqgzbyvriie
/usr/bin/khkzindyujf	1520	khkzindyujf
/usr/bin/vhstgurm	1525	vhstgurm
/usr/bin/qazcwzgjjh	1532	qazcwzgjjh
/usr/bin/iggpsdphbrs	1536	iggpsdphbrs
/usr/bin/knsiwfrmkt	1549	knsiwfrmkt
/usr/bin/fjsecbx	1603	fjsecbx
/usr/bin/vrgtfs	1606	vrgtfs
/usr/bin/rfnirbwliwj	1609	rfnirbwliwj
/usr/bin/mvqksa	1612	mvqksa
/usr/bin/uhffcqrwaagi	1615	uhffcqrwaagi
/usr/bin/mgoighfwv	1699	mgoighfwv
/usr/bin/yvojxtec	1702	yvojxtec
/usr/bin/vjjizytnmb	1705	vjjizytnmb
/usr/bin/jfvgeonk	1708	jfvgeonk
/usr/bin/wihcrprtipd	1711	wihcrprtipd
/usr/bin/okldpqxovx	1716	okldpqxovx
/usr/bin/xsnnkoxnvglhh	1719	xsnnkoxnvglhh
/usr/bin/xonesysf	1722	xonesysf
/usr/bin/ywevkzuhxnwm	1725	ywevkzuhxnwm
/usr/bin/klmfrxo	1728	klmfrxo
/usr/bin/soqnwi	1731	soqnwi
/usr/bin/ydgwdrp	1734	ydgwdrp
/usr/bin/zxctjevooj	1737	zxctjevooj
/usr/bin/axvkspak	1740	axvkspak
/usr/bin/wuiwzoucgkhfj	1743	wuiwzoucgkhfj
/usr/bin/luucmks	1746	luucmks
/usr/bin/pjsviolnwfeeo	1749	pjsviolnwfeeo
/usr/bin/dztgssvpegja	1751	dztgssvpegja
/usr/bin/vkcebn	1755	vkcebn
/usr/bin/zymkljrsnhp	1757	zymkljrsnhp
/usr/bin/flmbkvece	1761	flmbkvece
/usr/bin/oxahcrk	1766	oxahcrk
/usr/bin/hoggtsmyp	1764	hoggtsmyp
/usr/bin/ngvdodwhsuwgi	1772	ngvdodwhsuwgi
/usr/bin/aoxhalimgo	1770	aoxhalimgo

Unexpected DNS network traffic destination 64 IoCs

Network traffic to other servers than the configured DNS servers was detected on the DNS port.

Processes:

description	ioc
Destination IP	114.114.114.114
Destination IP	114.114.114.114
Destination IP	114.114.114.114
Destination IP	114.114.114.114
Destination IP	114.114.114.114
Destination IP	114.114.114.114
Destination IP	114.114.114.114
Destination IP	114.114.114.114
Destination IP	114.114.114.114
Destination IP	114.114.114.114
Destination IP	114.114.114.114
Destination IP	114.114.114.114
Destination IP	114.114.114.114
Destination IP	114.114.114.114
Destination IP	114.114.114.114
Destination IP	114.114.114.114
Destination IP	114.114.114.114
Destination IP	114.114.114.114
Destination IP	114.114.114.114
Destination IP	114.114.114.114
Destination IP	114.114.114.114
Destination IP	114.114.114.114
Destination IP	114.114.114.114
Destination IP	114.114.114.114
Destination IP	114.114.114.114
Destination IP	114.114.114.114
Destination IP	114.114.114.114
Destination IP	114.114.114.114
Destination IP	114.114.114.114
Destination IP	114.114.114.114
Destination IP	114.114.114.114
Destination IP	114.114.114.114
Destination IP	114.114.114.114
Destination IP	114.114.114.114
Destination IP	114.114.114.114
Destination IP	114.114.114.114
Destination IP	114.114.114.114
Destination IP	114.114.114.114
Destination IP	114.114.114.114
Destination IP	114.114.114.114
Destination IP	114.114.114.114
Destination IP	114.114.114.114
Destination IP	114.114.114.114
Destination IP	114.114.114.114
Destination IP	114.114.114.114
Destination IP	114.114.114.114
Destination IP	114.114.114.114
Destination IP	114.114.114.114
Destination IP	114.114.114.114
Destination IP	114.114.114.114
Destination IP	114.114.114.114
Destination IP	114.114.114.114
Destination IP	114.114.114.114
Destination IP	114.114.114.114
Destination IP	114.114.114.114
Destination IP	114.114.114.114
Destination IP	114.114.114.114
Destination IP	114.114.114.114
Destination IP	114.114.114.114
Destination IP	114.114.114.114
Destination IP	114.114.114.114
Destination IP	114.114.114.114
Destination IP	114.114.114.114
Destination IP	114.114.114.114

Creates/modifies Cron job 1 TTPs 1 IoCs
Cron allows running tasks on a schedule, and is commonly used for malware persistence.
persistence

Scheduled Task/Job
T1053

Processes:

uqgzbyvriie

description ioc process

File opened for modification /etc/cron.hourly/eiirvybzgqu.sh uqgzbyvriie
Modifies init.d 1 TTPs 1 IoCs
Adds/modifies system service, likely for persistence.
persistence

Boot or Logon Autostart Execution
T1547

Processes:

uqgzbyvriie

description ioc process

File opened for modification /etc/init.d/eiirvybzgqu uqgzbyvriie

description	ioc	process
File opened for modification	/etc/cron.hourly/eiirvybzgqu.sh	uqgzbyvriie

description	ioc	process
File opened for modification	/etc/init.d/eiirvybzgqu	uqgzbyvriie

Write file to user bin folder 1 TTPs 38 IoCs

Hijack Execution Flow

T1574

Processes:

uqgzbyvriiefb18a78ab398c101ec335992020bdbf6ca35db5d74b6c708d126cf4d4ebf289d.elf

description	ioc	process
File opened for modification	/usr/bin/pjsviolnwfeeo	uqgzbyvriie
File opened for modification	/usr/bin/dztgssvpegja	uqgzbyvriie
File opened for modification	/usr/bin/vkcebn	uqgzbyvriie
File opened for modification	/usr/bin/knsiwfrmkt	uqgzbyvriie
File opened for modification	/usr/bin/vrgtfs	uqgzbyvriie
File opened for modification	/usr/bin/rfnirbwliwj	uqgzbyvriie
File opened for modification	/usr/bin/xsnnkoxnvglhh	uqgzbyvriie
File opened for modification	/usr/bin/uhffcqrwaagi	uqgzbyvriie
File opened for modification	/usr/bin/vjjizytnmb	uqgzbyvriie
File opened for modification	/usr/bin/hoggtsmyp	uqgzbyvriie
File opened for modification	/usr/bin/ngvdodwhsuwgi	uqgzbyvriie
File opened for modification	/usr/bin/yvojxtec	uqgzbyvriie
File opened for modification	/usr/bin/okldpqxovx	uqgzbyvriie
File opened for modification	/usr/bin/ydgwdrp	uqgzbyvriie
File opened for modification	/usr/bin/axvkspak	uqgzbyvriie
File opened for modification	/usr/bin/iggpsdphbrs	uqgzbyvriie
File opened for modification	/usr/bin/jfvgeonk	uqgzbyvriie
File opened for modification	/usr/bin/soqnwi	uqgzbyvriie
File opened for modification	/usr/bin/aoxhalimgo	uqgzbyvriie
File opened for modification	/usr/bin/wihcrprtipd	uqgzbyvriie
File opened for modification	/usr/bin/luucmks	uqgzbyvriie
File opened for modification	/usr/bin/oxahcrk	uqgzbyvriie
File opened for modification	/usr/bin/eiirvybzgqu	uqgzbyvriie
File opened for modification	/usr/bin/mvqksa	uqgzbyvriie
File opened for modification	/usr/bin/wuiwzoucgkhfj	uqgzbyvriie
File opened for modification	/usr/bin/zymkljrsnhp	uqgzbyvriie
File opened for modification	/usr/bin/mgoighfwv	uqgzbyvriie
File opened for modification	/usr/bin/zxctjevooj	uqgzbyvriie
File opened for modification	/usr/bin/flmbkvece	uqgzbyvriie
File opened for modification	/usr/bin/eiirvybzgqu.sh	uqgzbyvriie
File opened for modification	/usr/bin/khkzindyujf	uqgzbyvriie
File opened for modification	/usr/bin/qazcwzgjjh	uqgzbyvriie
File opened for modification	/usr/bin/fjsecbx	uqgzbyvriie
File opened for modification	/usr/bin/klmfrxo	uqgzbyvriie
File opened for modification	/usr/bin/uqgzbyvriie	fb18a78ab398c101ec335992020bdbf6ca35db5d74b6c708d126cf4d4ebf289d.elf
File opened for modification	/usr/bin/vhstgurm	uqgzbyvriie
File opened for modification	/usr/bin/xonesysf	uqgzbyvriie
File opened for modification	/usr/bin/ywevkzuhxnwm	uqgzbyvriie

Reads runtime system information 2 IoCs

Reads data from /proc virtual filesystem.

Processes:

fb18a78ab398c101ec335992020bdbf6ca35db5d74b6c708d126cf4d4ebf289d.elfuqgzbyvriie

description	ioc	process
File opened for reading	/proc/meminfo	fb18a78ab398c101ec335992020bdbf6ca35db5d74b6c708d126cf4d4ebf289d.elf
File opened for reading	/proc/meminfo	uqgzbyvriie

Writes file to shm directory 2 IoCs
Malware can drop malicious files in the shm directory which will run directly from RAM.

Processes:

uqgzbyvriie

description ioc process

File opened for modification /dev/shm/sem.bknxua uqgzbyvriie
File opened for modification /dev/shm/sem.DXoct2 uqgzbyvriie

description	ioc	process
File opened for modification	/dev/shm/sem.bknxua	uqgzbyvriie
File opened for modification	/dev/shm/sem.DXoct2	uqgzbyvriie

/tmp/fb18a78ab398c101ec335992020bdbf6ca35db5d74b6c708d126cf4d4ebf289d.elf
/tmp/fb18a78ab398c101ec335992020bdbf6ca35db5d74b6c708d126cf4d4ebf289d.elf
1⤵
- Write file to user bin folder
- Reads runtime system information
PID:1494

/usr/bin/uqgzbyvriie
/usr/bin/uqgzbyvriie
1⤵
- Executes dropped EXE
- Creates/modifies Cron job
- Modifies init.d
- Write file to user bin folder
- Reads runtime system information
- Writes file to shm directory
PID:1507

/usr/bin/khkzindyujf
/usr/bin/khkzindyujf -d 1508
1⤵
- Executes dropped EXE
PID:1520

/usr/bin/vhstgurm
/usr/bin/vhstgurm -d 1508
1⤵
- Executes dropped EXE
PID:1525

/usr/bin/qazcwzgjjh
/usr/bin/qazcwzgjjh -d 1508
1⤵
- Executes dropped EXE
PID:1532

/usr/bin/iggpsdphbrs
/usr/bin/iggpsdphbrs -d 1508
1⤵
- Executes dropped EXE
PID:1536

/usr/bin/knsiwfrmkt
/usr/bin/knsiwfrmkt -d 1508
1⤵
- Executes dropped EXE
PID:1549

/usr/bin/fjsecbx
/usr/bin/fjsecbx -d 1508
1⤵
- Executes dropped EXE
PID:1603

/usr/bin/vrgtfs
/usr/bin/vrgtfs -d 1508
1⤵
- Executes dropped EXE
PID:1606

/usr/bin/rfnirbwliwj
/usr/bin/rfnirbwliwj -d 1508
1⤵
- Executes dropped EXE
PID:1609

/usr/bin/mvqksa
/usr/bin/mvqksa -d 1508
1⤵
- Executes dropped EXE
PID:1612

/usr/bin/uhffcqrwaagi
/usr/bin/uhffcqrwaagi -d 1508
1⤵
- Executes dropped EXE
PID:1615

/usr/bin/mgoighfwv
/usr/bin/mgoighfwv -d 1508
1⤵
- Executes dropped EXE
PID:1699

/usr/bin/yvojxtec
/usr/bin/yvojxtec -d 1508
1⤵
- Executes dropped EXE
PID:1702

/usr/bin/vjjizytnmb
/usr/bin/vjjizytnmb -d 1508
1⤵
- Executes dropped EXE
PID:1705

/usr/bin/jfvgeonk
/usr/bin/jfvgeonk -d 1508
1⤵
- Executes dropped EXE
PID:1708

/usr/bin/wihcrprtipd
/usr/bin/wihcrprtipd -d 1508
1⤵
- Executes dropped EXE
PID:1711

/usr/bin/okldpqxovx
/usr/bin/okldpqxovx -d 1508
1⤵
- Executes dropped EXE
PID:1716

/usr/bin/xsnnkoxnvglhh
/usr/bin/xsnnkoxnvglhh -d 1508
1⤵
- Executes dropped EXE
PID:1719

/usr/bin/xonesysf
/usr/bin/xonesysf -d 1508
1⤵
- Executes dropped EXE
PID:1722

/usr/bin/ywevkzuhxnwm
/usr/bin/ywevkzuhxnwm -d 1508
1⤵
- Executes dropped EXE
PID:1725

/usr/bin/klmfrxo
/usr/bin/klmfrxo -d 1508
1⤵
- Executes dropped EXE
PID:1728

/usr/bin/soqnwi
/usr/bin/soqnwi -d 1508
1⤵
- Executes dropped EXE
PID:1731

/usr/bin/ydgwdrp
/usr/bin/ydgwdrp -d 1508
1⤵
- Executes dropped EXE
PID:1734

/usr/bin/zxctjevooj
/usr/bin/zxctjevooj -d 1508
1⤵
- Executes dropped EXE
PID:1737

/usr/bin/axvkspak
/usr/bin/axvkspak -d 1508
1⤵
- Executes dropped EXE
PID:1740

/usr/bin/wuiwzoucgkhfj
/usr/bin/wuiwzoucgkhfj -d 1508
1⤵
- Executes dropped EXE
PID:1743

/usr/bin/luucmks
/usr/bin/luucmks -d 1508
1⤵
- Executes dropped EXE
PID:1746

/usr/bin/pjsviolnwfeeo
/usr/bin/pjsviolnwfeeo -d 1508
1⤵
- Executes dropped EXE
PID:1749

/usr/bin/dztgssvpegja
/usr/bin/dztgssvpegja -d 1508
1⤵
- Executes dropped EXE
PID:1751

/usr/bin/vkcebn
/usr/bin/vkcebn -d 1508
1⤵
- Executes dropped EXE
PID:1755

/usr/bin/zymkljrsnhp
/usr/bin/zymkljrsnhp -d 1508
1⤵
- Executes dropped EXE
PID:1757

/usr/bin/flmbkvece
/usr/bin/flmbkvece -d 1508
1⤵
- Executes dropped EXE
PID:1761

/usr/bin/oxahcrk
/usr/bin/oxahcrk -d 1508
1⤵
- Executes dropped EXE
PID:1766

/usr/bin/hoggtsmyp
/usr/bin/hoggtsmyp -d 1508
1⤵
- Executes dropped EXE
PID:1764

/usr/bin/ngvdodwhsuwgi
/usr/bin/ngvdodwhsuwgi -d 1508
1⤵
- Executes dropped EXE
PID:1772

/usr/bin/aoxhalimgo
/usr/bin/aoxhalimgo -d 1508
1⤵
- Executes dropped EXE
PID:1770

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

1

T1053

Persistence

Boot or Logon Autostart Execution

1

T1547

Hijack Execution Flow

Scheduled Task/Job

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Hijack Execution Flow

Scheduled Task/Job

Defense Evasion

Hijack Execution Flow

1

T1574

Credential Access

Discovery

Network Service Discovery

1

T1046

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

/dev/shm/sem.DXoct2

Filesize
16B

MD5
076933ff9904d1110d896e2c525e39e5

SHA1
4188442577fa77f25820d9b2d01cc446e30684ac

SHA256
4cbbd8ca5215b8d161aec181a74b694f4e24b001d5b081dc0030ed797a8973e0

SHA512
6fcee9a7b7a7b821d241c03c82377928bc6882e7a08c78a4221199bfa220cdc55212273018ee613317c8293bb8d1ce08d1e017508e94e06ab85a734c99c7cc34

Download Submit
/etc/cron.hourly/eiirvybzgqu.sh

Filesize
160B

MD5
b4fa77a8b1af281a2b7ca703b9cdeba2

SHA1
1edbdc4bb48dbd07b1b55b4f47b466278fbd5320

SHA256
bb0f3e9386eb009a2d7ce8f40c12ae1c4ca69425f57f1d65603ad33e01d20015

SHA512
0ab0350b82a88dad9f05d6ac9ff15a7937b34e5c76e0d661bb61a5a794a696666c47d19221c13788027a7455f197acec89ea5550b619d3ab455d62a1b0d6ceb9

Download Submit
/etc/daemon.cfg

Filesize
32B

MD5
dd3a9d8e3dd2fc1de1a41467af0da1d8

SHA1
0de8c8510ea7251b3afced94d8636ee01f8247be

SHA256
5e46f097dfce3cf2d5f1bf573f1c85f9671cca43bd65495cc8dca7dae685c09e

SHA512
7aabaa6dcd0dc2f754e586d95b346461e14a5afc04c280f239e7e4ccbedf85af5c61b02a1e336250c121f71c953ff57c67eac8eb75bd019d17f0cd9e270dfd40

Download Submit
/etc/init.d/eiirvybzgqu

Filesize
351B

MD5
d4b124ec20e2206aa7b27a642a5cb181

SHA1
36eead902c57eb8c1efca7532aa3becf1539eb94

SHA256
2c072e3644f2857df3414a4f953dbc48675cb31471ef266137ac2c7fa654d610

SHA512
d32c74dffed0f968739d1650b598e9db07c05c886820532e4a2a54a185f403641b3792f2ac494ce3e93064c457c4565949ba576c89d24f304efcf02720a794a7

Download Submit
/usr/bin/uqgzbyvriie

Filesize
549KB

MD5
0fb6d6fffc40d9fe2cca8af68aa25952

SHA1
08a6569ef372c3057df1fd401d5a5c9f14168885

SHA256
213102a3010629b242d6feaca1636d58cee2e595e98f5d4d829888f84ab01d09

SHA512
267bd90c320da9ef3228dd51822ecc9e5c3a5c367c12d657c40523aa0804a4acc18081531a3bcc04b80aa6a4e037fe4b8a6c59b2bb72679a83906241f7b012af

Download Submit

Resubmissions

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads