xorddos | 84e40a4e1e02a719aa93c734049c96bae0cfa6d075f47d64b63b84eece3648d6

Analysis

max time kernel
149s
max time network
155s
platform
ubuntu-22.04_amd64
resource
ubuntu2204-amd64-20240611-en
resource tags

arch:amd64arch:i386image:ubuntu2204-amd64-20240611-enkernel:5.15.0-105-genericlocale:en-usos:ubuntu-22.04-amd64system
submitted
29-07-2024 20:23

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

5de386b209befcb96c835a048b3fd178_JaffaCakes118
Size

647KB
MD5

5de386b209befcb96c835a048b3fd178
SHA1

c701990533a21d5aae6c0067c475ef2d02fb4f16
SHA256

84e40a4e1e02a719aa93c734049c96bae0cfa6d075f47d64b63b84eece3648d6
SHA512

085b3d3b78896f8a11279d9c53ef433c0c620c02db5e79a162908738f652dd4c64e485a72706974fa4560ca5f67daf8ee30630a84bb27bae430077b2b29dd50b
SSDEEP

12288:RBRO1UmJJ0nHgBL9YfJip2qm+x4h1Tonjp6y07l7mtBDvnD/u9hMHDB:RBRpmJ+HyL9AiAqm+x4h1mj6wvnDWXMN

Score

10^/10

xorddos botnet downloader persistence

Malware Config

Extracted

Family

xorddos

http://info1.3000uc.com/b/u.php

tt1.v5zz.com:350

192.168.1.131:3826

abcd.com:8080

Attributes

crc_polynomial
EDB88320

xor.plain

Signatures

XorDDoS
Botnet and downloader malware targeting Linux-based operating systems and IoT devices.
botnet downloader xorddos

XorDDoS payload 1 IoCs

resource	yara_rule
behavioral1/files/fstream-1.dat	family_xorddos

Deletes itself 1 IoCs

pid
1605

Executes dropped EXE 31 IoCs

ioc	pid	Process
/boot/uhtdntwicq	1607	uhtdntwicq
/boot/nibqgogkva	1618	nibqgogkva
/boot/usblucpwhy	1664	usblucpwhy
/boot/qwjgdknvfn	1667	qwjgdknvfn
/boot/kxmlkywhjh	1670	kxmlkywhjh
/boot/geayoygwwv	1673	geayoygwwv
/boot/qypzqnhdyj	1676	qypzqnhdyj
/boot/lxoilsbwjg	1681	lxoilsbwjg
/boot/dbunuamqne	1684	dbunuamqne
/boot/augzbxevvr	1687	augzbxevvr
/boot/orqtijfqie	1690	orqtijfqie
/boot/krjdujxfix	1693	krjdujxfix
/boot/dhwwbbmjwx	1696	dhwwbbmjwx
/boot/gfmghkvntj	1699	gfmghkvntj
/boot/hjzbjreprj	1717	hjzbjreprj
/boot/mlpzfqlzdq	1720	mlpzfqlzdq
/boot/putzlniuye	1723	putzlniuye
/boot/vzlmujlepv	1726	vzlmujlepv
/boot/spthyiuoml	1729	spthyiuoml
/boot/kbgdreentv	1732	kbgdreentv
/boot/owlyjixhov	1735	owlyjixhov
/boot/irzmccdacu	1738	irzmccdacu
/boot/psruwsmxev	1741	psruwsmxev
/boot/wnltvvyreg	1744	wnltvvyreg
/boot/ctuhpluvnq	1747	ctuhpluvnq
/boot/iwrojqictz	1753	iwrojqictz
/boot/iywnvlqoks	1756	iywnvlqoks
/boot/tkwfnzkqqi	1759	tkwfnzkqqi
/boot/cchvotxeob	1762	cchvotxeob
/boot/hbbzkxylwg	1765	hbbzkxylwg
/boot/xchxmstpjh	1768	xchxmstpjh

Unexpected DNS network traffic destination 64 IoCs

Network traffic to other servers than the configured DNS servers was detected on the DNS port.

description	ioc
Destination IP	114.114.114.114
Destination IP	114.114.114.114
Destination IP	114.114.114.114
Destination IP	114.114.114.114
Destination IP	114.114.114.114
Destination IP	114.114.114.114
Destination IP	114.114.114.114
Destination IP	114.114.114.114
Destination IP	114.114.114.114
Destination IP	114.114.114.114
Destination IP	114.114.114.114
Destination IP	114.114.114.114
Destination IP	114.114.114.114
Destination IP	114.114.114.114
Destination IP	114.114.114.114
Destination IP	114.114.114.114
Destination IP	114.114.114.114
Destination IP	114.114.114.114
Destination IP	114.114.114.114
Destination IP	114.114.114.114
Destination IP	114.114.114.114
Destination IP	114.114.114.114
Destination IP	114.114.114.114
Destination IP	114.114.114.114
Destination IP	114.114.114.114
Destination IP	114.114.114.114
Destination IP	114.114.114.114
Destination IP	114.114.114.114
Destination IP	114.114.114.114
Destination IP	114.114.114.114
Destination IP	114.114.114.114
Destination IP	114.114.114.114
Destination IP	114.114.114.114
Destination IP	114.114.114.114
Destination IP	114.114.114.114
Destination IP	114.114.114.114
Destination IP	114.114.114.114
Destination IP	114.114.114.114
Destination IP	114.114.114.114
Destination IP	114.114.114.114
Destination IP	114.114.114.114
Destination IP	114.114.114.114
Destination IP	114.114.114.114
Destination IP	114.114.114.114
Destination IP	114.114.114.114
Destination IP	114.114.114.114
Destination IP	114.114.114.114
Destination IP	114.114.114.114
Destination IP	114.114.114.114
Destination IP	114.114.114.114
Destination IP	114.114.114.114
Destination IP	114.114.114.114
Destination IP	114.114.114.114
Destination IP	114.114.114.114
Destination IP	114.114.114.114
Destination IP	114.114.114.114
Destination IP	114.114.114.114
Destination IP	114.114.114.114
Destination IP	114.114.114.114
Destination IP	114.114.114.114
Destination IP	114.114.114.114
Destination IP	114.114.114.114
Destination IP	114.114.114.114
Destination IP	114.114.114.114

Creates/modifies Cron job 1 TTPs 2 IoCs

Cron allows running tasks on a schedule, and is commonly used for malware persistence.

persistence

Scheduled Task/Job

T1053

description	ioc	Process
File opened for modification	/etc/cron.hourly/cron.sh	uhtdntwicq
File opened for modification	/etc/crontab	sh

Modifies init.d 1 TTPs 1 IoCs

Adds/modifies system service, likely for persistence.

persistence

Boot or Logon Autostart Execution

T1547

description	ioc	Process
File opened for modification	/etc/init.d/uhtdntwicq	uhtdntwicq

Reads runtime system information 5 IoCs

Reads data from /proc virtual filesystem.

description	ioc	Process
File opened for reading	/proc/rs_dev	5de386b209befcb96c835a048b3fd178_JaffaCakes118
File opened for reading	/proc/rs_dev	uhtdntwicq
File opened for reading	/proc/filesystems	sed
File opened for reading	/proc/stat	uhtdntwicq
File opened for reading	/proc/filesystems	systemctl

/tmp/5de386b209befcb96c835a048b3fd178_JaffaCakes118
/tmp/5de386b209befcb96c835a048b3fd178_JaffaCakes118
1⤵
- Reads runtime system information
PID:1604

/boot/uhtdntwicq
/boot/uhtdntwicq
1⤵
- Executes dropped EXE
- Creates/modifies Cron job
- Modifies init.d
- Reads runtime system information
PID:1607
- /bin/sh
  sh -c "sed -i '/\\/etc\\/cron.hourly\\/cron.sh/d' /etc/crontab && echo '*/3 * * * * root /etc/cron.hourly/cron.sh' >> /etc/crontab"
  2⤵
  - Creates/modifies Cron job
  PID:1613
- - /bin/sed
    sed -i "/\\/etc\\/cron.hourly\\/cron.sh/d" /etc/crontab
    3⤵
    - Reads runtime system information
    PID:1614

/bin/chkconfig
chkconfig --add uhtdntwicq
1⤵
PID:1610

/sbin/chkconfig
chkconfig --add uhtdntwicq
1⤵
PID:1610

/usr/bin/chkconfig
chkconfig --add uhtdntwicq
1⤵
PID:1610

/usr/sbin/chkconfig
chkconfig --add uhtdntwicq
1⤵
PID:1610

/usr/local/bin/chkconfig
chkconfig --add uhtdntwicq
1⤵
PID:1610

/usr/local/sbin/chkconfig
chkconfig --add uhtdntwicq
1⤵
PID:1610

/usr/X11R6/bin/chkconfig
chkconfig --add uhtdntwicq
1⤵
PID:1610

/bin/update-rc.d
update-rc.d uhtdntwicq defaults
1⤵
PID:1612

/sbin/update-rc.d
update-rc.d uhtdntwicq defaults
1⤵
PID:1612
- /bin/systemctl
  systemctl daemon-reload
  2⤵
  - Reads runtime system information
  PID:1622

/boot/nibqgogkva
/boot/nibqgogkva "route -n" 1608
1⤵
- Executes dropped EXE
PID:1618

/boot/usblucpwhy
/boot/usblucpwhy "echo \"find\"" 1608
1⤵
- Executes dropped EXE
PID:1664

/boot/qwjgdknvfn
/boot/qwjgdknvfn pwd 1608
1⤵
- Executes dropped EXE
PID:1667

/boot/kxmlkywhjh
/boot/kxmlkywhjh gnome-terminal 1608
1⤵
- Executes dropped EXE
PID:1670

/boot/geayoygwwv
/boot/geayoygwwv "cd /etc" 1608
1⤵
- Executes dropped EXE
PID:1673

/boot/qypzqnhdyj
/boot/qypzqnhdyj "sleep 1" 1608
1⤵
- Executes dropped EXE
PID:1676

/boot/lxoilsbwjg
/boot/lxoilsbwjg whoami 1608
1⤵
- Executes dropped EXE
PID:1681

/boot/dbunuamqne
/boot/dbunuamqne "ls -la" 1608
1⤵
- Executes dropped EXE
PID:1684

/boot/augzbxevvr
/boot/augzbxevvr "cd /etc" 1608
1⤵
- Executes dropped EXE
PID:1687

/boot/orqtijfqie
/boot/orqtijfqie gnome-terminal 1608
1⤵
- Executes dropped EXE
PID:1690

/boot/krjdujxfix
/boot/krjdujxfix "ps -ef" 1608
1⤵
- Executes dropped EXE
PID:1693

/boot/dhwwbbmjwx
/boot/dhwwbbmjwx whoami 1608
1⤵
- Executes dropped EXE
PID:1696

/boot/gfmghkvntj
/boot/gfmghkvntj bash 1608
1⤵
- Executes dropped EXE
PID:1699

/boot/hjzbjreprj
/boot/hjzbjreprj gnome-terminal 1608
1⤵
- Executes dropped EXE
PID:1717

/boot/mlpzfqlzdq
/boot/mlpzfqlzdq "ls -la" 1608
1⤵
- Executes dropped EXE
PID:1720

/boot/putzlniuye
/boot/putzlniuye "netstat -an" 1608
1⤵
- Executes dropped EXE
PID:1723

/boot/vzlmujlepv
/boot/vzlmujlepv pwd 1608
1⤵
- Executes dropped EXE
PID:1726

/boot/spthyiuoml
/boot/spthyiuoml sh 1608
1⤵
- Executes dropped EXE
PID:1729

/boot/kbgdreentv
/boot/kbgdreentv "ls -la" 1608
1⤵
- Executes dropped EXE
PID:1732

/boot/owlyjixhov
/boot/owlyjixhov su 1608
1⤵
- Executes dropped EXE
PID:1735

/boot/irzmccdacu
/boot/irzmccdacu gnome-terminal 1608
1⤵
- Executes dropped EXE
PID:1738

/boot/psruwsmxev
/boot/psruwsmxev uptime 1608
1⤵
- Executes dropped EXE
PID:1741

/boot/wnltvvyreg
/boot/wnltvvyreg "cat resolv.conf" 1608
1⤵
- Executes dropped EXE
PID:1744

/boot/ctuhpluvnq
/boot/ctuhpluvnq whoami 1608
1⤵
- Executes dropped EXE
PID:1747

/boot/iwrojqictz
/boot/iwrojqictz ls 1608
1⤵
- Executes dropped EXE
PID:1753

/boot/iywnvlqoks
/boot/iywnvlqoks who 1608
1⤵
- Executes dropped EXE
PID:1756

/boot/tkwfnzkqqi
/boot/tkwfnzkqqi "route -n" 1608
1⤵
- Executes dropped EXE
PID:1759

/boot/cchvotxeob
/boot/cchvotxeob sh 1608
1⤵
- Executes dropped EXE
PID:1762

/boot/hbbzkxylwg
/boot/hbbzkxylwg who 1608
1⤵
- Executes dropped EXE
PID:1765

/boot/xchxmstpjh
/boot/xchxmstpjh uptime 1608
1⤵
- Executes dropped EXE
PID:1768

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Boot or Logon Autostart Execution

T1547

Scheduled Task/Job

T1053

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Scheduled Task/Job

T1053

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

/etc/cron.hourly/cron.sh

Filesize
223B

MD5
b791b087b1795e3674a9aa765c76fc04

SHA1
b53f478234ae97f3cdbf2e7fe7ec68d687feb7c1

SHA256
1c1e9b69cf8021bf7ce1f60dcaa2d31c1e21ed4b6e474f3571da81ffd5a9b69e

SHA512
2dcc2e478c51cf8118306fd5c744aad7147e368cbc4329db1cc5fac52088a7f3354079ae2b582b270495789e4fb4591538ec88bb5ea40eec646f360bac33bbb2

Download Submit
/etc/crontab

Filesize
1KB

MD5
8333938f8704c2a0c7c0277d4a2ddd37

SHA1
2a521562227e522aa045aa959bf5c9092fb3470d

SHA256
73561733495eb44881664ab0410642751e0afc3973c5a52ebd27900cde398988

SHA512
a415a5002a1636c6e0cf7a5aa06a221621c656864bbbdbf384affdf8f9eefcc17eef3c980c6be454d30eb109b973b92689ae418959ac331dca538782e6c9b649

Download Submit
/etc/init.d/uhtdntwicq

Filesize
317B

MD5
7723ac20048d92a188a6cea09fe30d26

SHA1
1c536964e7fdff8777a868d5e7710540c5143381

SHA256
b754bf129f8d39e2566871963b73ed1826b0b375b483a9b4460a28116c009882

SHA512
c537d59930cd04216c7ffa9c2f4993fad4fbb24f40068afa71a1c4f229adb32d0066c2e1ca510879eed36c2a968a18f4b178f197d9825beca1a7da46ca892280

Download Submit
/etc/sedtyEFst

Filesize
1KB

MD5
e57fd77c50de7b8a8eec19de0ec3f4f3

SHA1
835d38771a0c5b112596ab8841a7904f41c266ee

SHA256
3494e2d3ce0fb77633d00b247cad543cca29c7673da802a23bd5fe0364eb2c13

SHA512
e6103d07bb6ed51cba953a9a861e39a36be0dc37899ec0fa353f5c991f71f9e7ec8433c054ac18a74da0a1c46054ad7cd637a1c64301d52cb0e6ac3d59f5c86c

Download Submit
/run/sftp.pid

Filesize
32B

MD5
39d27735755bb2b83cffe30f87b7d1ae

SHA1
e54d0a70a9625ffc6410e766495cc24a7536546f

SHA256
461f0a5ee3a266f5424f4559fda864725d556a9a7f1587c5baa582c1e135c149

SHA512
126c0e62d2bf835c559bd04e4c57168cba3a681a3ce363d1142121a88fb8134894f69c8e664fc04dff718f78a8cf192db0bd43be329ecdb7125bfb1dee655297

Download Submit
/usr/lib/udev/udev

Filesize
647KB

MD5
5de386b209befcb96c835a048b3fd178

SHA1
c701990533a21d5aae6c0067c475ef2d02fb4f16

SHA256
84e40a4e1e02a719aa93c734049c96bae0cfa6d075f47d64b63b84eece3648d6

SHA512
085b3d3b78896f8a11279d9c53ef433c0c620c02db5e79a162908738f652dd4c64e485a72706974fa4560ca5f67daf8ee30630a84bb27bae430077b2b29dd50b

Download Submit

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads