xorddos | 08a241e035c5702ebe46a89faf6a6e9544acf3a9d8f54e41aca69c508d193e24

Analysis

max time kernel
149s
max time network
151s
platform
ubuntu-18.04_amd64
resource
ubuntu1804-amd64-20240508-en
resource tags

arch:amd64arch:i386image:ubuntu1804-amd64-20240508-enkernel:4.15.0-213-genericlocale:en-usos:ubuntu-18.04-amd64system
submitted
28-05-2024 01:30

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

7b3e0b3c4420b86c1c9e19626deb9beb_JaffaCakes118
Size

647KB
MD5

7b3e0b3c4420b86c1c9e19626deb9beb
SHA1

33094eb2502965d98f6885e7b3dd801c1e4ef914
SHA256

08a241e035c5702ebe46a89faf6a6e9544acf3a9d8f54e41aca69c508d193e24
SHA512

34ec5d04c0cc5e9187dd53fe752420672e36b073371c250ff7069c9db9e0f216c22e9af54abfb2b7b38e4de868611387c6a5b67a8ca2aa7ccad7f06e953c6519
SSDEEP

12288:RBRO1UmJJ0nHgBL9YfJip2qm+x4h1Tonvp6y07l7mtBDvnD/u9hMHDB:RBRpmJ+HyL9AiAqm+x4h1mv6wvnDWXMN

Score

10^/10

xorddos botnet downloader persistence

Malware Config

Extracted

Family

xorddos

http://info1.3000uc.com/b/u.php

aaaaaaaaaa.re67das.com:5859

l88833.f3322.net:1580

Attributes

crc_polynomial
EDB88320

xor.plain

Signatures

XorDDoS
Botnet and downloader malware targeting Linux-based operating systems and IoT devices.
botnet downloader xorddos

XorDDoS payload 1 IoCs

resource	yara_rule
behavioral1/files/fstream-1.dat	family_xorddos

Deletes itself 1 IoCs

pid
1512

Executes dropped EXE 31 IoCs

ioc	pid	Process
/boot/tivpehxcou	1514	tivpehxcou
/boot/hjmrjituay	1525	hjmrjituay
/boot/rbwqmohfyv	1537	rbwqmohfyv
/boot/hsaohhmwyp	1540	hsaohhmwyp
/boot/tvijazqcnl	1543	tvijazqcnl
/boot/qukipeaqkw	1546	qukipeaqkw
/boot/vtptcugrwa	1549	vtptcugrwa
/boot/gxgwaqgshx	1554	gxgwaqgshx
/boot/atewlwxrog	1557	atewlwxrog
/boot/xkphkayfid	1560	xkphkayfid
/boot/nqlaidotal	1563	nqlaidotal
/boot/epctyjygaf	1581	epctyjygaf
/boot/edlcjhzpad	1584	edlcjhzpad
/boot/nzmarartmp	1587	nzmarartmp
/boot/tctdivxwsx	1590	tctdivxwsx
/boot/tiptcwnetn	1593	tiptcwnetn
/boot/ijtvxdogaq	1596	ijtvxdogaq
/boot/dvxpzsdloy	1599	dvxpzsdloy
/boot/xutittodor	1602	xutittodor
/boot/zdofefdygk	1605	zdofefdygk
/boot/uaiwezoyka	1608	uaiwezoyka
/boot/rdqnvnyrxs	1611	rdqnvnyrxs
/boot/sagxrcozld	1614	sagxrcozld
/boot/urturnhacd	1617	urturnhacd
/boot/fmxdelnylr	1620	fmxdelnylr
/boot/tlrsycuibt	1623	tlrsycuibt
/boot/jmojhqguzw	1626	jmojhqguzw
/boot/phlyggxgyf	1629	phlyggxgyf
/boot/ipgixjssrn	1632	ipgixjssrn
/boot/iopsvgyuuz	1635	iopsvgyuuz
/boot/zxgrqsxndx	1638	zxgrqsxndx

Unexpected DNS network traffic destination 64 IoCs

Network traffic to other servers than the configured DNS servers was detected on the DNS port.

description	ioc
Destination IP	114.114.114.114
Destination IP	114.114.114.114
Destination IP	114.114.114.114
Destination IP	114.114.114.114
Destination IP	114.114.114.114
Destination IP	114.114.114.114
Destination IP	114.114.114.114
Destination IP	114.114.114.114
Destination IP	114.114.114.114
Destination IP	114.114.114.114
Destination IP	114.114.114.114
Destination IP	114.114.114.114
Destination IP	114.114.114.114
Destination IP	114.114.114.114
Destination IP	114.114.114.114
Destination IP	114.114.114.114
Destination IP	114.114.114.114
Destination IP	114.114.114.114
Destination IP	114.114.114.114
Destination IP	114.114.114.114
Destination IP	114.114.114.114
Destination IP	114.114.114.114
Destination IP	114.114.114.114
Destination IP	114.114.114.114
Destination IP	114.114.114.114
Destination IP	114.114.114.114
Destination IP	114.114.114.114
Destination IP	114.114.114.114
Destination IP	114.114.114.114
Destination IP	114.114.114.114
Destination IP	114.114.114.114
Destination IP	114.114.114.114
Destination IP	114.114.114.114
Destination IP	114.114.114.114
Destination IP	114.114.114.114
Destination IP	114.114.114.114
Destination IP	114.114.114.114
Destination IP	114.114.114.114
Destination IP	114.114.114.114
Destination IP	114.114.114.114
Destination IP	114.114.114.114
Destination IP	114.114.114.114
Destination IP	114.114.114.114
Destination IP	114.114.114.114
Destination IP	114.114.114.114
Destination IP	114.114.114.114
Destination IP	114.114.114.114
Destination IP	114.114.114.114
Destination IP	114.114.114.114
Destination IP	114.114.114.114
Destination IP	114.114.114.114
Destination IP	114.114.114.114
Destination IP	114.114.114.114
Destination IP	114.114.114.114
Destination IP	114.114.114.114
Destination IP	114.114.114.114
Destination IP	114.114.114.114
Destination IP	114.114.114.114
Destination IP	114.114.114.114
Destination IP	114.114.114.114
Destination IP	114.114.114.114
Destination IP	114.114.114.114
Destination IP	114.114.114.114
Destination IP	114.114.114.114

Creates/modifies Cron job 1 TTPs 2 IoCs

Cron allows running tasks on a schedule, and is commonly used for malware persistence.

persistence

Scheduled Task/Job

T1053

description	ioc	Process
File opened for modification	/etc/cron.hourly/cron.sh	tivpehxcou
File opened for modification	/etc/crontab	sh

Modifies init.d 1 TTPs 1 IoCs

Adds/modifies system service, likely for persistence.

persistence

Boot or Logon Autostart Execution

T1547

description	ioc	Process
File opened for modification	/etc/init.d/tivpehxcou	tivpehxcou

Reads runtime system information 10 IoCs

Reads data from /proc virtual filesystem.

description	ioc	Process
File opened for reading	/proc/rs_dev	tivpehxcou
File opened for reading	/proc/filesystems	systemctl
File opened for reading	/proc/1/environ	systemctl
File opened for reading	/proc/cmdline	systemctl
File opened for reading	/proc/sys/kernel/osrelease	systemctl
File opened for reading	/proc/1/sched	systemctl
File opened for reading	/proc/rs_dev	7b3e0b3c4420b86c1c9e19626deb9beb_JaffaCakes118
File opened for reading	/proc/filesystems	sed
File opened for reading	/proc/stat	tivpehxcou
File opened for reading	/proc/self/stat	systemctl

/tmp/7b3e0b3c4420b86c1c9e19626deb9beb_JaffaCakes118
/tmp/7b3e0b3c4420b86c1c9e19626deb9beb_JaffaCakes118
1⤵
- Reads runtime system information
PID:1511

/boot/tivpehxcou
/boot/tivpehxcou
1⤵
- Executes dropped EXE
- Creates/modifies Cron job
- Modifies init.d
- Reads runtime system information
PID:1514
- /bin/sh
  sh -c "sed -i '/\\/etc\\/cron.hourly\\/cron.sh/d' /etc/crontab && echo '*/3 * * * * root /etc/cron.hourly/cron.sh' >> /etc/crontab"
  2⤵
  - Creates/modifies Cron job
  PID:1520
- - /bin/sed
    sed -i "/\\/etc\\/cron.hourly\\/cron.sh/d" /etc/crontab
    3⤵
    - Reads runtime system information
    PID:1521

/bin/chkconfig
chkconfig --add tivpehxcou
1⤵
PID:1517

/sbin/chkconfig
chkconfig --add tivpehxcou
1⤵
PID:1517

/usr/bin/chkconfig
chkconfig --add tivpehxcou
1⤵
PID:1517

/usr/sbin/chkconfig
chkconfig --add tivpehxcou
1⤵
PID:1517

/usr/local/bin/chkconfig
chkconfig --add tivpehxcou
1⤵
PID:1517

/usr/local/sbin/chkconfig
chkconfig --add tivpehxcou
1⤵
PID:1517

/usr/X11R6/bin/chkconfig
chkconfig --add tivpehxcou
1⤵
PID:1517

/bin/update-rc.d
update-rc.d tivpehxcou defaults
1⤵
PID:1519

/sbin/update-rc.d
update-rc.d tivpehxcou defaults
1⤵
PID:1519

/usr/bin/update-rc.d
update-rc.d tivpehxcou defaults
1⤵
PID:1519

/usr/sbin/update-rc.d
update-rc.d tivpehxcou defaults
1⤵
PID:1519
- /bin/systemctl
  systemctl daemon-reload
  2⤵
  - Reads runtime system information
  PID:1526

/boot/hjmrjituay
/boot/hjmrjituay pwd 1515
1⤵
- Executes dropped EXE
PID:1525

/boot/rbwqmohfyv
/boot/rbwqmohfyv "ifconfig eth0" 1515
1⤵
- Executes dropped EXE
PID:1537

/boot/hsaohhmwyp
/boot/hsaohhmwyp "ifconfig eth0" 1515
1⤵
- Executes dropped EXE
PID:1540

/boot/tvijazqcnl
/boot/tvijazqcnl sh 1515
1⤵
- Executes dropped EXE
PID:1543

/boot/qukipeaqkw
/boot/qukipeaqkw "ifconfig eth0" 1515
1⤵
- Executes dropped EXE
PID:1546

/boot/vtptcugrwa
/boot/vtptcugrwa uptime 1515
1⤵
- Executes dropped EXE
PID:1549

/boot/gxgwaqgshx
/boot/gxgwaqgshx ls 1515
1⤵
- Executes dropped EXE
PID:1554

/boot/atewlwxrog
/boot/atewlwxrog "netstat -an" 1515
1⤵
- Executes dropped EXE
PID:1557

/boot/xkphkayfid
/boot/xkphkayfid gnome-terminal 1515
1⤵
- Executes dropped EXE
PID:1560

/boot/nqlaidotal
/boot/nqlaidotal id 1515
1⤵
- Executes dropped EXE
PID:1563

/boot/epctyjygaf
/boot/epctyjygaf ls 1515
1⤵
- Executes dropped EXE
PID:1581

/boot/edlcjhzpad
/boot/edlcjhzpad su 1515
1⤵
- Executes dropped EXE
PID:1584

/boot/nzmarartmp
/boot/nzmarartmp id 1515
1⤵
- Executes dropped EXE
PID:1587

/boot/tctdivxwsx
/boot/tctdivxwsx "ls -la" 1515
1⤵
- Executes dropped EXE
PID:1590

/boot/tiptcwnetn
/boot/tiptcwnetn uptime 1515
1⤵
- Executes dropped EXE
PID:1593

/boot/ijtvxdogaq
/boot/ijtvxdogaq "ifconfig eth0" 1515
1⤵
- Executes dropped EXE
PID:1596

/boot/dvxpzsdloy
/boot/dvxpzsdloy "ifconfig eth0" 1515
1⤵
- Executes dropped EXE
PID:1599

/boot/xutittodor
/boot/xutittodor "sleep 1" 1515
1⤵
- Executes dropped EXE
PID:1602

/boot/zdofefdygk
/boot/zdofefdygk id 1515
1⤵
- Executes dropped EXE
PID:1605

/boot/uaiwezoyka
/boot/uaiwezoyka "ps -ef" 1515
1⤵
- Executes dropped EXE
PID:1608

/boot/rdqnvnyrxs
/boot/rdqnvnyrxs su 1515
1⤵
- Executes dropped EXE
PID:1611

/boot/sagxrcozld
/boot/sagxrcozld "netstat -antop" 1515
1⤵
- Executes dropped EXE
PID:1614

/boot/urturnhacd
/boot/urturnhacd "route -n" 1515
1⤵
- Executes dropped EXE
PID:1617

/boot/fmxdelnylr
/boot/fmxdelnylr "netstat -antop" 1515
1⤵
- Executes dropped EXE
PID:1620

/boot/tlrsycuibt
/boot/tlrsycuibt "grep \"A\"" 1515
1⤵
- Executes dropped EXE
PID:1623

/boot/jmojhqguzw
/boot/jmojhqguzw "ifconfig eth0" 1515
1⤵
- Executes dropped EXE
PID:1626

/boot/phlyggxgyf
/boot/phlyggxgyf whoami 1515
1⤵
- Executes dropped EXE
PID:1629

/boot/ipgixjssrn
/boot/ipgixjssrn "ls -la" 1515
1⤵
- Executes dropped EXE
PID:1632

/boot/iopsvgyuuz
/boot/iopsvgyuuz "ls -la" 1515
1⤵
- Executes dropped EXE
PID:1635

/boot/zxgrqsxndx
/boot/zxgrqsxndx pwd 1515
1⤵
- Executes dropped EXE
PID:1638

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Boot or Logon Autostart Execution

T1547

Scheduled Task/Job

T1053

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Scheduled Task/Job

T1053

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

/etc/cron.hourly/cron.sh

Filesize
223B

MD5
b791b087b1795e3674a9aa765c76fc04

SHA1
b53f478234ae97f3cdbf2e7fe7ec68d687feb7c1

SHA256
1c1e9b69cf8021bf7ce1f60dcaa2d31c1e21ed4b6e474f3571da81ffd5a9b69e

SHA512
2dcc2e478c51cf8118306fd5c744aad7147e368cbc4329db1cc5fac52088a7f3354079ae2b582b270495789e4fb4591538ec88bb5ea40eec646f360bac33bbb2

Download Submit
/etc/crontab

Filesize
764B

MD5
01de9c66a1aa26273160a69f31c78a1c

SHA1
e639288aed15e1482d2a99e568847926d9307447

SHA256
dbccbf08e2579449c96013a1679d84049e29761c7691eefcfb3d1a24db0f1109

SHA512
51aa75c7bed7e7f6a4538a453b24694bc7b31f23c1e8116eb6b92c7f0895351c3cc0cc5d78a51bcc35da29e36e1f28e9812f9585505327c151c7af649d42ccf8

Download Submit
/etc/init.d/tivpehxcou

Filesize
317B

MD5
9599ff291eb5669ec0927ff9286c4624

SHA1
c044c77b7e663bdaab471a6db81e7e89759af559

SHA256
20f7b56c9771ff28659332593835521a3e8ea5e83d3e18254935683a82d41baa

SHA512
8ed201f98a3662c7033f0c02cb58a2bb9b1938af580a907382f150f519ee196e5524a18e5a12c944be61865845d1ce7553781b09aef1c38fd6b69d8e6366bd43

Download Submit
/etc/sedptP6QU

Filesize
722B

MD5
8f111d100ea459f68d333d63a8ef2205

SHA1
077ca9c46a964de67c0f7765745d5c6f9e2065c3

SHA256
0e5c204385b21e15b031c83f37212bf5a4ee77b51762b7b54bd6ad973ebdf354

SHA512
d81767b47fb84aaf435f930356ded574ee9825ec710a2e7c26074860d8a385741d65572740137b6f9686c285a32e2951ca933393b266746988f1737aad059adb

Download Submit
/lib/udev/udev

Filesize
647KB

MD5
7b3e0b3c4420b86c1c9e19626deb9beb

SHA1
33094eb2502965d98f6885e7b3dd801c1e4ef914

SHA256
08a241e035c5702ebe46a89faf6a6e9544acf3a9d8f54e41aca69c508d193e24

SHA512
34ec5d04c0cc5e9187dd53fe752420672e36b073371c250ff7069c9db9e0f216c22e9af54abfb2b7b38e4de868611387c6a5b67a8ca2aa7ccad7f06e953c6519

Download Submit
/run/sftp.pid

Filesize
32B

MD5
783b570166ad78695f0297c346f133e3

SHA1
b22f8ecff382e64a8c7c54c265db773445b0cf9c

SHA256
201ac228d31c618d535c646e65d10089b2e898c76f391dfc4c75a7514cfcaaa4

SHA512
43699386a1986b27f03375c463e0d60d28217b7892fdcf98f37ef01085a41891420d99b446a9154bcd6c6a92feab00bb5bfc4d287043afb9c19848098ce28cca

Download Submit

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads