xorddos | 990de811f20eb0119c7d55c50f378d02062a51019079f9b013095fb860a9d9e7

General

Target

1fb5ff29548ab80e5cf4d13ffb00d6e1_JaffaCakes118
Size

647KB
MD5

1fb5ff29548ab80e5cf4d13ffb00d6e1
SHA1

604c6c0978190a47b823a1ac54ba7b767a8cd493
SHA256

990de811f20eb0119c7d55c50f378d02062a51019079f9b013095fb860a9d9e7
SHA512

dcb5452af5dac07351cf704c8700a57ad1b1dcc8d6bb46d4253f3609fba9bd2267d3ed6f8a1f736176c826fd7c01b909e06b4addd6efde328d7c91270363f7a1
SSDEEP

12288:RBRO1UmJJ0nHgBL9YfJip2qm+x4h1Ton7p6y07l7mtBDvnD/u9hMHDB:RBRpmJ+HyL9AiAqm+x4h1m76wvnDWXMN

Score

10^/10

xorddos botnet downloader persistence

Malware Config

Extracted

Family

xorddos

C2

http://info1.3000uc.com/b/u.php

linux.jum2.com:2897

quanqiuzhuanshu.top:2897

Attributes

crc_polynomial
EDB88320

xor.plain

Signatures

XorDDoS
Botnet and downloader malware targeting Linux-based operating systems and IoT devices.
botnet downloader xorddos

XorDDoS payload 1 IoCs

Processes:

resource	yara_rule
/usr/lib/udev/udev	family_xorddos

Deletes itself 1 IoCs

Processes:

pid

1511

pid
1511

Executes dropped EXE 31 IoCs

Processes:

bvkhfdnjsiuueutvpnnxjvbjxgcsxyarvreruwstspkhsckpaachczjqmpqyxdgmxfcrwyqyayjsvyzidbincuahymeumhkbmiomewopvcucqkciudrrlgnkceeafilclxjkruaeetrjveqlsdxxxhinpavrneqytdvfuvwlvkfbrnjgilyvksikbmbfxekkctbxabuyaimxscnxphmdwllevuwyiizbengnkcizzyfiqhvseethdodhwofmapiirryiypyyczuaneqizypjmphotghnbkykphxrenxtjwfitqghtaftpi

ioc	pid	process
/boot/bvkhfdnjsi	1513	bvkhfdnjsi
/boot/uueutvpnnx	1524	uueutvpnnx
/boot/jvbjxgcsxy	1565	jvbjxgcsxy
/boot/arvreruwst	1568	arvreruwst
/boot/spkhsckpaa	1571	spkhsckpaa
/boot/chczjqmpqy	1574	chczjqmpqy
/boot/xdgmxfcrwy	1577	xdgmxfcrwy
/boot/qyayjsvyzi	1582	qyayjsvyzi
/boot/dbincuahym	1585	dbincuahym
/boot/eumhkbmiom	1588	eumhkbmiom
/boot/ewopvcucqk	1591	ewopvcucqk
/boot/ciudrrlgnk	1594	ciudrrlgnk
/boot/ceeafilclx	1597	ceeafilclx
/boot/jkruaeetrj	1600	jkruaeetrj
/boot/veqlsdxxxh	1603	veqlsdxxxh
/boot/inpavrneqy	1606	inpavrneqy
/boot/tdvfuvwlvk	1609	tdvfuvwlvk
/boot/fbrnjgilyv	1612	fbrnjgilyv
/boot/ksikbmbfxe	1630	ksikbmbfxe
/boot/kkctbxabuy	1633	kkctbxabuy
/boot/aimxscnxph	1636	aimxscnxph
/boot/mdwllevuwy	1639	mdwllevuwy
/boot/iizbengnkc	1642	iizbengnkc
/boot/izzyfiqhvs	1645	izzyfiqhvs
/boot/eethdodhwo	1648	eethdodhwo
/boot/fmapiirryi	1654	fmapiirryi
/boot/ypyyczuane	1657	ypyyczuane
/boot/qizypjmpho	1660	qizypjmpho
/boot/tghnbkykph	1663	tghnbkykph
/boot/xrenxtjwfi	1666	xrenxtjwfi
/boot/tqghtaftpi	1669	tqghtaftpi

Unexpected DNS network traffic destination 64 IoCs

Network traffic to other servers than the configured DNS servers was detected on the DNS port.

Processes:

description	ioc
Destination IP	114.114.114.114
Destination IP	114.114.114.114
Destination IP	114.114.114.114
Destination IP	114.114.114.114
Destination IP	114.114.114.114
Destination IP	114.114.114.114
Destination IP	114.114.114.114
Destination IP	114.114.114.114
Destination IP	114.114.114.114
Destination IP	114.114.114.114
Destination IP	114.114.114.114
Destination IP	114.114.114.114
Destination IP	114.114.114.114
Destination IP	114.114.114.114
Destination IP	114.114.114.114
Destination IP	114.114.114.114
Destination IP	114.114.114.114
Destination IP	114.114.114.114
Destination IP	114.114.114.114
Destination IP	114.114.114.114
Destination IP	114.114.114.114
Destination IP	114.114.114.114
Destination IP	114.114.114.114
Destination IP	114.114.114.114
Destination IP	114.114.114.114
Destination IP	114.114.114.114
Destination IP	114.114.114.114
Destination IP	114.114.114.114
Destination IP	114.114.114.114
Destination IP	114.114.114.114
Destination IP	114.114.114.114
Destination IP	114.114.114.114
Destination IP	114.114.114.114
Destination IP	114.114.114.114
Destination IP	114.114.114.114
Destination IP	114.114.114.114
Destination IP	114.114.114.114
Destination IP	114.114.114.114
Destination IP	114.114.114.114
Destination IP	114.114.114.114
Destination IP	114.114.114.114
Destination IP	114.114.114.114
Destination IP	114.114.114.114
Destination IP	114.114.114.114
Destination IP	114.114.114.114
Destination IP	114.114.114.114
Destination IP	114.114.114.114
Destination IP	114.114.114.114
Destination IP	114.114.114.114
Destination IP	114.114.114.114
Destination IP	114.114.114.114
Destination IP	114.114.114.114
Destination IP	114.114.114.114
Destination IP	114.114.114.114
Destination IP	114.114.114.114
Destination IP	114.114.114.114
Destination IP	114.114.114.114
Destination IP	114.114.114.114
Destination IP	114.114.114.114
Destination IP	114.114.114.114
Destination IP	114.114.114.114
Destination IP	114.114.114.114
Destination IP	114.114.114.114
Destination IP	114.114.114.114

Creates/modifies Cron job 1 TTPs 2 IoCs
Cron allows running tasks on a schedule, and is commonly used for malware persistence.
persistence

Scheduled Task/Job
T1053

Processes:

bvkhfdnjsish

description ioc process

File opened for modification /etc/cron.hourly/cron.sh bvkhfdnjsi
File opened for modification /etc/crontab sh
Modifies init.d 1 TTPs 1 IoCs
Adds/modifies system service, likely for persistence.
persistence

Boot or Logon Autostart Execution
T1547

Processes:

bvkhfdnjsi

description ioc process

File opened for modification /etc/init.d/bvkhfdnjsi bvkhfdnjsi

description	ioc	process
File opened for modification	/etc/cron.hourly/cron.sh	bvkhfdnjsi
File opened for modification	/etc/crontab	sh

description	ioc	process
File opened for modification	/etc/init.d/bvkhfdnjsi	bvkhfdnjsi

Reads runtime system information 5 IoCs

Reads data from /proc virtual filesystem.

Processes:

1fb5ff29548ab80e5cf4d13ffb00d6e1_JaffaCakes118bvkhfdnjsisedsystemctl

description	ioc	process
File opened for reading	/proc/rs_dev	1fb5ff29548ab80e5cf4d13ffb00d6e1_JaffaCakes118
File opened for reading	/proc/rs_dev	bvkhfdnjsi
File opened for reading	/proc/filesystems	sed
File opened for reading	/proc/stat	bvkhfdnjsi
File opened for reading	/proc/filesystems	systemctl

/tmp/1fb5ff29548ab80e5cf4d13ffb00d6e1_JaffaCakes118
/tmp/1fb5ff29548ab80e5cf4d13ffb00d6e1_JaffaCakes118
1⤵
- Reads runtime system information
PID:1510

/boot/bvkhfdnjsi
/boot/bvkhfdnjsi
1⤵
- Executes dropped EXE
- Creates/modifies Cron job
- Modifies init.d
- Reads runtime system information
PID:1513
- /bin/sh
  sh -c "sed -i '/\\/etc\\/cron.hourly\\/cron.sh/d' /etc/crontab && echo '*/3 * * * * root /etc/cron.hourly/cron.sh' >> /etc/crontab"
  2⤵
  - Creates/modifies Cron job
  PID:1519
- - /bin/sed
    sed -i "/\\/etc\\/cron.hourly\\/cron.sh/d" /etc/crontab
    3⤵
    - Reads runtime system information
    PID:1520

/bin/chkconfig
chkconfig --add bvkhfdnjsi
1⤵
PID:1516

/sbin/chkconfig
chkconfig --add bvkhfdnjsi
1⤵
PID:1516

/usr/bin/chkconfig
chkconfig --add bvkhfdnjsi
1⤵
PID:1516

/usr/sbin/chkconfig
chkconfig --add bvkhfdnjsi
1⤵
PID:1516

/usr/local/bin/chkconfig
chkconfig --add bvkhfdnjsi
1⤵
PID:1516

/usr/local/sbin/chkconfig
chkconfig --add bvkhfdnjsi
1⤵
PID:1516

/usr/X11R6/bin/chkconfig
chkconfig --add bvkhfdnjsi
1⤵
PID:1516

/bin/update-rc.d
update-rc.d bvkhfdnjsi defaults
1⤵
PID:1518

/sbin/update-rc.d
update-rc.d bvkhfdnjsi defaults
1⤵
PID:1518
- /bin/systemctl
  systemctl daemon-reload
  2⤵
  - Reads runtime system information
  PID:1525

/boot/uueutvpnnx
/boot/uueutvpnnx gnome-terminal 1514
1⤵
- Executes dropped EXE
PID:1524

/boot/jvbjxgcsxy
/boot/jvbjxgcsxy "netstat -an" 1514
1⤵
- Executes dropped EXE
PID:1565

/boot/arvreruwst
/boot/arvreruwst su 1514
1⤵
- Executes dropped EXE
PID:1568

/boot/spkhsckpaa
/boot/spkhsckpaa "ifconfig eth0" 1514
1⤵
- Executes dropped EXE
PID:1571

/boot/chczjqmpqy
/boot/chczjqmpqy bash 1514
1⤵
- Executes dropped EXE
PID:1574

/boot/xdgmxfcrwy
/boot/xdgmxfcrwy top 1514
1⤵
- Executes dropped EXE
PID:1577

/boot/qyayjsvyzi
/boot/qyayjsvyzi top 1514
1⤵
- Executes dropped EXE
PID:1582

/boot/dbincuahym
/boot/dbincuahym ls 1514
1⤵
- Executes dropped EXE
PID:1585

/boot/eumhkbmiom
/boot/eumhkbmiom "sleep 1" 1514
1⤵
- Executes dropped EXE
PID:1588

/boot/ewopvcucqk
/boot/ewopvcucqk "cd /etc" 1514
1⤵
- Executes dropped EXE
PID:1591

/boot/ciudrrlgnk
/boot/ciudrrlgnk id 1514
1⤵
- Executes dropped EXE
PID:1594

/boot/ceeafilclx
/boot/ceeafilclx id 1514
1⤵
- Executes dropped EXE
PID:1597

/boot/jkruaeetrj
/boot/jkruaeetrj ifconfig 1514
1⤵
- Executes dropped EXE
PID:1600

/boot/veqlsdxxxh
/boot/veqlsdxxxh "netstat -antop" 1514
1⤵
- Executes dropped EXE
PID:1603

/boot/inpavrneqy
/boot/inpavrneqy who 1514
1⤵
- Executes dropped EXE
PID:1606

/boot/tdvfuvwlvk
/boot/tdvfuvwlvk "netstat -antop" 1514
1⤵
- Executes dropped EXE
PID:1609

/boot/fbrnjgilyv
/boot/fbrnjgilyv uptime 1514
1⤵
- Executes dropped EXE
PID:1612

/boot/ksikbmbfxe
/boot/ksikbmbfxe pwd 1514
1⤵
- Executes dropped EXE
PID:1630

/boot/kkctbxabuy
/boot/kkctbxabuy top 1514
1⤵
- Executes dropped EXE
PID:1633

/boot/aimxscnxph
/boot/aimxscnxph "cat resolv.conf" 1514
1⤵
- Executes dropped EXE
PID:1636

/boot/mdwllevuwy
/boot/mdwllevuwy ifconfig 1514
1⤵
- Executes dropped EXE
PID:1639

/boot/iizbengnkc
/boot/iizbengnkc who 1514
1⤵
- Executes dropped EXE
PID:1642

/boot/izzyfiqhvs
/boot/izzyfiqhvs who 1514
1⤵
- Executes dropped EXE
PID:1645

/boot/eethdodhwo
/boot/eethdodhwo sh 1514
1⤵
- Executes dropped EXE
PID:1648

/boot/fmapiirryi
/boot/fmapiirryi bash 1514
1⤵
- Executes dropped EXE
PID:1654

/boot/ypyyczuane
/boot/ypyyczuane "grep \"A\"" 1514
1⤵
- Executes dropped EXE
PID:1657

/boot/qizypjmpho
/boot/qizypjmpho "ifconfig eth0" 1514
1⤵
- Executes dropped EXE
PID:1660

/boot/tghnbkykph
/boot/tghnbkykph "cat resolv.conf" 1514
1⤵
- Executes dropped EXE
PID:1663

/boot/xrenxtjwfi
/boot/xrenxtjwfi sh 1514
1⤵
- Executes dropped EXE
PID:1666

/boot/tqghtaftpi
/boot/tqghtaftpi top 1514
1⤵
- Executes dropped EXE
PID:1669

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

1

T1053

Persistence

Boot or Logon Autostart Execution

Scheduled Task/Job

Privilege Escalation

Boot or Logon Autostart Execution

Scheduled Task/Job

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

/etc/cron.hourly/cron.sh

Filesize
223B

MD5
b791b087b1795e3674a9aa765c76fc04

SHA1
b53f478234ae97f3cdbf2e7fe7ec68d687feb7c1

SHA256
1c1e9b69cf8021bf7ce1f60dcaa2d31c1e21ed4b6e474f3571da81ffd5a9b69e

SHA512
2dcc2e478c51cf8118306fd5c744aad7147e368cbc4329db1cc5fac52088a7f3354079ae2b582b270495789e4fb4591538ec88bb5ea40eec646f360bac33bbb2

Download Submit
/etc/crontab

Filesize
1KB

MD5
8333938f8704c2a0c7c0277d4a2ddd37

SHA1
2a521562227e522aa045aa959bf5c9092fb3470d

SHA256
73561733495eb44881664ab0410642751e0afc3973c5a52ebd27900cde398988

SHA512
a415a5002a1636c6e0cf7a5aa06a221621c656864bbbdbf384affdf8f9eefcc17eef3c980c6be454d30eb109b973b92689ae418959ac331dca538782e6c9b649

Download Submit
/etc/init.d/bvkhfdnjsi

Filesize
317B

MD5
c3e7431843e4c53de93f12f9a1300578

SHA1
59c57aaa0d58d00e593d50db8b6499335ad582ee

SHA256
44568be7327ef739e0a3c7ea9f08c9eda60915d7fdfdcd1b75dfbed2381871cd

SHA512
7fe7c08d865afd2ca8c415f788918543a708f4c6bc49c9fd85499edb4a6659d94126169488d971a36cad0e5991dfbed9f55c0cd055c2724af1cc6ae0fb278d09

Download Submit
/etc/sedToj86K

Filesize
1KB

MD5
e57fd77c50de7b8a8eec19de0ec3f4f3

SHA1
835d38771a0c5b112596ab8841a7904f41c266ee

SHA256
3494e2d3ce0fb77633d00b247cad543cca29c7673da802a23bd5fe0364eb2c13

SHA512
e6103d07bb6ed51cba953a9a861e39a36be0dc37899ec0fa353f5c991f71f9e7ec8433c054ac18a74da0a1c46054ad7cd637a1c64301d52cb0e6ac3d59f5c86c

Download Submit
/run/sftp.pid

Filesize
32B

MD5
2730733071a76269de6113e45304e543

SHA1
bde56be5648bffe331ca796728e5d7f6f9c6c3cc

SHA256
b2b6428e2b8b4eae594dead888d465c4fbf90ed262bd90a69f433da1db9fb812

SHA512
316f00334a0f66c07ed4cdc554d2012d52a3ab77e2ff183a1b473800dfba7df0f14b09f42d0e746e6a84b9c4b6429c7c17c829ae2fc83c4dea3eba2409b697ec

Download Submit
/usr/lib/udev/udev

Filesize
647KB

MD5
1fb5ff29548ab80e5cf4d13ffb00d6e1

SHA1
604c6c0978190a47b823a1ac54ba7b767a8cd493

SHA256
990de811f20eb0119c7d55c50f378d02062a51019079f9b013095fb860a9d9e7

SHA512
dcb5452af5dac07351cf704c8700a57ad1b1dcc8d6bb46d4253f3609fba9bd2267d3ed6f8a1f736176c826fd7c01b909e06b4addd6efde328d7c91270363f7a1

Download Submit

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads