xorddos | c7ef93aef90181a38af98fd27cb0a380777593f5c04a575ca81643eaa5897fb0

General

Target

65b4eac6cbab5c4b11aa86484decce16_JaffaCakes118
Size

647KB
MD5

65b4eac6cbab5c4b11aa86484decce16
SHA1

847b8daa617e08840ecad2ba519856cc603d8660
SHA256

c7ef93aef90181a38af98fd27cb0a380777593f5c04a575ca81643eaa5897fb0
SHA512

3b5690ae5af11f069044f2ad6bd3c33fa0e76fc57d1312b95e44cfb62dfd18dd8db0f6557685540e8123652f76591b7019172d2cbf873f57ca9a79048d3d4e6c
SSDEEP

12288:RBRO1UmJJ0nHgBL9YfJip2qm+x4h1TonTp6y07l7mtBDvnD/u9hMHDB:RBRpmJ+HyL9AiAqm+x4h1mT6wvnDWXMN

Score

10^/10

xorddos botnet downloader persistence

Malware Config

Extracted

Family

xorddos

C2

http://info1.3000uc.com/b/u.php

aaaaaaaaaa.re67das.com:5859

182.18.22.240:8808

sx.gexgz.com:8808

Attributes

crc_polynomial
EDB88320

xor.plain

Signatures

XorDDoS
Botnet and downloader malware targeting Linux-based operating systems and IoT devices.
botnet downloader xorddos

XorDDoS payload 1 IoCs

resource	yara_rule
behavioral1/files/fstream-1.dat	family_xorddos

Deletes itself 1 IoCs

pid
1564

Executes dropped EXE 31 IoCs

ioc	pid	Process
/boot/bxryqfudom	1566	bxryqfudom
/boot/qkutmcrswd	1577	qkutmcrswd
/boot/xaugylggcl	1617	xaugylggcl
/boot/nvnghccqdi	1620	nvnghccqdi
/boot/yheqprfkba	1623	yheqprfkba
/boot/bhlzcqolxe	1626	bhlzcqolxe
/boot/cujumckuuo	1629	cujumckuuo
/boot/durdnepqfs	1634	durdnepqfs
/boot/kzsxgxdqjs	1637	kzsxgxdqjs
/boot/uurxspllwx	1640	uurxspllwx
/boot/kchezukfjr	1643	kchezukfjr
/boot/uahcehuvqg	1646	uahcehuvqg
/boot/ocxvxkiwpb	1649	ocxvxkiwpb
/boot/fwdbxxnxew	1658	fwdbxxnxew
/boot/pqnvqtievv	1676	pqnvqtievv
/boot/lzxgujwdho	1679	lzxgujwdho
/boot/odotpkmeqs	1682	odotpkmeqs
/boot/qyvpdmttcg	1685	qyvpdmttcg
/boot/nwweknivdj	1688	nwweknivdj
/boot/azunoahwwn	1691	azunoahwwn
/boot/lxvbpfnvmt	1694	lxvbpfnvmt
/boot/gaolrgxkrz	1697	gaolrgxkrz
/boot/fnoggizyxr	1700	fnoggizyxr
/boot/xbrwdtqleq	1703	xbrwdtqleq
/boot/puzbbhfiaz	1706	puzbbhfiaz
/boot/zxqnwtqdby	1712	zxqnwtqdby
/boot/wzylkvxohn	1715	wzylkvxohn
/boot/cwzkeuwmsd	1718	cwzkeuwmsd
/boot/xdbkzmkoqg	1721	xdbkzmkoqg
/boot/txyzqshore	1724	txyzqshore
/boot/umsmdojgmh	1727	umsmdojgmh

Unexpected DNS network traffic destination 33 IoCs

Network traffic to other servers than the configured DNS servers was detected on the DNS port.

description	ioc
Destination IP	114.114.114.114
Destination IP	114.114.114.114
Destination IP	114.114.114.114
Destination IP	114.114.114.114
Destination IP	114.114.114.114
Destination IP	114.114.114.114
Destination IP	114.114.114.114
Destination IP	114.114.114.114
Destination IP	114.114.114.114
Destination IP	114.114.114.114
Destination IP	114.114.114.114
Destination IP	114.114.114.114
Destination IP	114.114.114.114
Destination IP	114.114.114.114
Destination IP	114.114.114.114
Destination IP	114.114.114.114
Destination IP	114.114.114.114
Destination IP	114.114.114.114
Destination IP	114.114.114.114
Destination IP	114.114.114.114
Destination IP	114.114.114.114
Destination IP	114.114.114.114
Destination IP	114.114.114.114
Destination IP	114.114.114.114
Destination IP	114.114.114.114
Destination IP	114.114.114.114
Destination IP	114.114.114.114
Destination IP	114.114.114.114
Destination IP	114.114.114.114
Destination IP	114.114.114.114
Destination IP	114.114.114.114
Destination IP	114.114.114.114
Destination IP	114.114.114.114

Creates/modifies Cron job 1 TTPs 2 IoCs

Cron allows running tasks on a schedule, and is commonly used for malware persistence.

persistence

Scheduled Task/Job

T1053

description	ioc	Process
File opened for modification	/etc/cron.hourly/cron.sh	bxryqfudom
File opened for modification	/etc/crontab	sh

Modifies init.d 1 TTPs 1 IoCs

Adds/modifies system service, likely for persistence.

persistence

Boot or Logon Autostart Execution

T1547

description	ioc	Process
File opened for modification	/etc/init.d/bxryqfudom	bxryqfudom

Reads runtime system information 5 IoCs

Reads data from /proc virtual filesystem.

description	ioc	Process
File opened for reading	/proc/rs_dev	65b4eac6cbab5c4b11aa86484decce16_JaffaCakes118
File opened for reading	/proc/rs_dev	bxryqfudom
File opened for reading	/proc/filesystems	sed
File opened for reading	/proc/stat	bxryqfudom
File opened for reading	/proc/filesystems	systemctl

/tmp/65b4eac6cbab5c4b11aa86484decce16_JaffaCakes118
/tmp/65b4eac6cbab5c4b11aa86484decce16_JaffaCakes118
1⤵
- Reads runtime system information
PID:1563

/boot/bxryqfudom
/boot/bxryqfudom
1⤵
- Executes dropped EXE
- Creates/modifies Cron job
- Modifies init.d
- Reads runtime system information
PID:1566
- /bin/sh
  sh -c "sed -i '/\\/etc\\/cron.hourly\\/cron.sh/d' /etc/crontab && echo '*/3 * * * * root /etc/cron.hourly/cron.sh' >> /etc/crontab"
  2⤵
  - Creates/modifies Cron job
  PID:1572
- - /bin/sed
    sed -i "/\\/etc\\/cron.hourly\\/cron.sh/d" /etc/crontab
    3⤵
    - Reads runtime system information
    PID:1573

/bin/chkconfig
chkconfig --add bxryqfudom
1⤵
PID:1569

/sbin/chkconfig
chkconfig --add bxryqfudom
1⤵
PID:1569

/usr/bin/chkconfig
chkconfig --add bxryqfudom
1⤵
PID:1569

/usr/sbin/chkconfig
chkconfig --add bxryqfudom
1⤵
PID:1569

/usr/local/bin/chkconfig
chkconfig --add bxryqfudom
1⤵
PID:1569

/usr/local/sbin/chkconfig
chkconfig --add bxryqfudom
1⤵
PID:1569

/usr/X11R6/bin/chkconfig
chkconfig --add bxryqfudom
1⤵
PID:1569

/bin/update-rc.d
update-rc.d bxryqfudom defaults
1⤵
PID:1571

/sbin/update-rc.d
update-rc.d bxryqfudom defaults
1⤵
PID:1571
- /bin/systemctl
  systemctl daemon-reload
  2⤵
  - Reads runtime system information
  PID:1582

/boot/qkutmcrswd
/boot/qkutmcrswd bash 1567
1⤵
- Executes dropped EXE
PID:1577

/boot/xaugylggcl
/boot/xaugylggcl ifconfig 1567
1⤵
- Executes dropped EXE
PID:1617

/boot/nvnghccqdi
/boot/nvnghccqdi whoami 1567
1⤵
- Executes dropped EXE
PID:1620

/boot/yheqprfkba
/boot/yheqprfkba whoami 1567
1⤵
- Executes dropped EXE
PID:1623

/boot/bhlzcqolxe
/boot/bhlzcqolxe "netstat -antop" 1567
1⤵
- Executes dropped EXE
PID:1626

/boot/cujumckuuo
/boot/cujumckuuo "ps -ef" 1567
1⤵
- Executes dropped EXE
PID:1629

/boot/durdnepqfs
/boot/durdnepqfs sh 1567
1⤵
- Executes dropped EXE
PID:1634

/boot/kzsxgxdqjs
/boot/kzsxgxdqjs "ifconfig eth0" 1567
1⤵
- Executes dropped EXE
PID:1637

/boot/uurxspllwx
/boot/uurxspllwx "ifconfig eth0" 1567
1⤵
- Executes dropped EXE
PID:1640

/boot/kchezukfjr
/boot/kchezukfjr pwd 1567
1⤵
- Executes dropped EXE
PID:1643

/boot/uahcehuvqg
/boot/uahcehuvqg sh 1567
1⤵
- Executes dropped EXE
PID:1646

/boot/ocxvxkiwpb
/boot/ocxvxkiwpb "grep \"A\"" 1567
1⤵
- Executes dropped EXE
PID:1649

/boot/fwdbxxnxew
/boot/fwdbxxnxew uptime 1567
1⤵
- Executes dropped EXE
PID:1658

/boot/pqnvqtievv
/boot/pqnvqtievv "netstat -an" 1567
1⤵
- Executes dropped EXE
PID:1676

/boot/lzxgujwdho
/boot/lzxgujwdho "grep \"A\"" 1567
1⤵
- Executes dropped EXE
PID:1679

/boot/odotpkmeqs
/boot/odotpkmeqs top 1567
1⤵
- Executes dropped EXE
PID:1682

/boot/qyvpdmttcg
/boot/qyvpdmttcg sh 1567
1⤵
- Executes dropped EXE
PID:1685

/boot/nwweknivdj
/boot/nwweknivdj bash 1567
1⤵
- Executes dropped EXE
PID:1688

/boot/azunoahwwn
/boot/azunoahwwn "cd /etc" 1567
1⤵
- Executes dropped EXE
PID:1691

/boot/lxvbpfnvmt
/boot/lxvbpfnvmt "route -n" 1567
1⤵
- Executes dropped EXE
PID:1694

/boot/gaolrgxkrz
/boot/gaolrgxkrz id 1567
1⤵
- Executes dropped EXE
PID:1697

/boot/fnoggizyxr
/boot/fnoggizyxr "netstat -an" 1567
1⤵
- Executes dropped EXE
PID:1700

/boot/xbrwdtqleq
/boot/xbrwdtqleq "cat resolv.conf" 1567
1⤵
- Executes dropped EXE
PID:1703

/boot/puzbbhfiaz
/boot/puzbbhfiaz uptime 1567
1⤵
- Executes dropped EXE
PID:1706

/boot/zxqnwtqdby
/boot/zxqnwtqdby "echo \"find\"" 1567
1⤵
- Executes dropped EXE
PID:1712

/boot/wzylkvxohn
/boot/wzylkvxohn uptime 1567
1⤵
- Executes dropped EXE
PID:1715

/boot/cwzkeuwmsd
/boot/cwzkeuwmsd top 1567
1⤵
- Executes dropped EXE
PID:1718

/boot/xdbkzmkoqg
/boot/xdbkzmkoqg "ls -la" 1567
1⤵
- Executes dropped EXE
PID:1721

/boot/txyzqshore
/boot/txyzqshore gnome-terminal 1567
1⤵
- Executes dropped EXE
PID:1724

/boot/umsmdojgmh
/boot/umsmdojgmh ifconfig 1567
1⤵
- Executes dropped EXE
PID:1727

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

1

T1053

Persistence

Boot or Logon Autostart Execution

Scheduled Task/Job

Privilege Escalation

Boot or Logon Autostart Execution

Scheduled Task/Job

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

/etc/cron.hourly/cron.sh

Filesize
223B

MD5
b791b087b1795e3674a9aa765c76fc04

SHA1
b53f478234ae97f3cdbf2e7fe7ec68d687feb7c1

SHA256
1c1e9b69cf8021bf7ce1f60dcaa2d31c1e21ed4b6e474f3571da81ffd5a9b69e

SHA512
2dcc2e478c51cf8118306fd5c744aad7147e368cbc4329db1cc5fac52088a7f3354079ae2b582b270495789e4fb4591538ec88bb5ea40eec646f360bac33bbb2

Download Submit
/etc/crontab

Filesize
1KB

MD5
8333938f8704c2a0c7c0277d4a2ddd37

SHA1
2a521562227e522aa045aa959bf5c9092fb3470d

SHA256
73561733495eb44881664ab0410642751e0afc3973c5a52ebd27900cde398988

SHA512
a415a5002a1636c6e0cf7a5aa06a221621c656864bbbdbf384affdf8f9eefcc17eef3c980c6be454d30eb109b973b92689ae418959ac331dca538782e6c9b649

Download Submit
/etc/init.d/bxryqfudom

Filesize
317B

MD5
186a40bde4071f8d4d92c39282176c63

SHA1
ae4c0533e2f0801b18e1afc5d17120da43ba4a0c

SHA256
f78c3b755069cc8813e43094d50a3c70c56ac7f24d84c7f3216271a2ccc0bd7e

SHA512
eec254c5308a0d3a8a8d9f447a173a333356f239130dba2f10d2a66d21486a290997d5b26b605fa4ad7ad473c52cafe8bb16cff0fe8ee4174ed676f312bffa1b

Download Submit
/etc/seduBc8uC

Filesize
1KB

MD5
e57fd77c50de7b8a8eec19de0ec3f4f3

SHA1
835d38771a0c5b112596ab8841a7904f41c266ee

SHA256
3494e2d3ce0fb77633d00b247cad543cca29c7673da802a23bd5fe0364eb2c13

SHA512
e6103d07bb6ed51cba953a9a861e39a36be0dc37899ec0fa353f5c991f71f9e7ec8433c054ac18a74da0a1c46054ad7cd637a1c64301d52cb0e6ac3d59f5c86c

Download Submit
/run/sftp.pid

Filesize
32B

MD5
d4928b85febf659f3e0605f1c259595f

SHA1
2c6d5361ebc30a6bcc74ed9a51b82488cd109423

SHA256
9a9d1dbd8e6a5eee877c5bd53d13f5eb951cc50a37141f073d4688daaa2acd85

SHA512
803f43eea92f7e74336caef1bf5b500b841ada46b45cb149bb0062ec14ef5ae650d299bab00b55fd63f1ff153ad77c43e4e21c3f71a04036ca78b1d3da1b6dc9

Download Submit
/usr/lib/udev/udev

Filesize
647KB

MD5
65b4eac6cbab5c4b11aa86484decce16

SHA1
847b8daa617e08840ecad2ba519856cc603d8660

SHA256
c7ef93aef90181a38af98fd27cb0a380777593f5c04a575ca81643eaa5897fb0

SHA512
3b5690ae5af11f069044f2ad6bd3c33fa0e76fc57d1312b95e44cfb62dfd18dd8db0f6557685540e8123652f76591b7019172d2cbf873f57ca9a79048d3d4e6c

Download Submit

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads