xorddos | fe7c764a7458591fe29e52bf96c74e02fc4fee3d09b455fd67e8c6adb178cf21

Analysis

max time kernel
149s
max time network
149s
platform
ubuntu-22.04_amd64
resource
ubuntu2204-amd64-20240611-en
resource tags

arch:amd64arch:i386image:ubuntu2204-amd64-20240611-enkernel:5.15.0-105-genericlocale:en-usos:ubuntu-22.04-amd64system
submitted
30-07-2024 12:51

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

6f651328b7088ae6460724a40faa6c21_JaffaCakes118
Size

647KB
MD5

6f651328b7088ae6460724a40faa6c21
SHA1

8631258fff9828f96629eeaa4fc262b4fabded79
SHA256

fe7c764a7458591fe29e52bf96c74e02fc4fee3d09b455fd67e8c6adb178cf21
SHA512

94566e144586eee595647f27a4ea2ff9cf96a7805b9bf6d6af545ef6613fc7bd05846d31cf544c47a7d59954ffe8b134673746dfa2b8d3cb4c218f212996b912
SSDEEP

12288:RBRO1UmJJ0nHgBL9YfJip2qm+x4h1Tonfp6y07l7mtBDvnD/u9hMHDB:RBRpmJ+HyL9AiAqm+x4h1mf6wvnDWXMN

Score

10^/10

xorddos botnet downloader persistence

Malware Config

Extracted

Family

xorddos

http://info1.3000uc.com/b/u.php

tt1.v5zz.com:3560

192.168.1.131:3826

abcd.com:8080

Attributes

crc_polynomial
EDB88320

xor.plain

Signatures

XorDDoS
Botnet and downloader malware targeting Linux-based operating systems and IoT devices.
botnet downloader xorddos

XorDDoS payload 1 IoCs

resource	yara_rule
behavioral1/files/fstream-1.dat	family_xorddos

Deletes itself 1 IoCs

pid
1570

Executes dropped EXE 31 IoCs

ioc	pid	Process
/boot/pufmbpylot	1572	pufmbpylot
/boot/ggtqdgqvko	1583	ggtqdgqvko
/boot/pzeopzcuvc	1629	pzeopzcuvc
/boot/lgykvctoaq	1632	lgykvctoaq
/boot/tgtasgdgdu	1635	tgtasgdgdu
/boot/sypcgtannk	1638	sypcgtannk
/boot/fmfrnmqjug	1641	fmfrnmqjug
/boot/xqtnhydsku	1661	xqtnhydsku
/boot/gjfcjlbkbc	1664	gjfcjlbkbc
/boot/gohlbqcirf	1667	gohlbqcirf
/boot/wkxrkmsrwo	1670	wkxrkmsrwo
/boot/nucvvzzffg	1673	nucvvzzffg
/boot/iksqrbimdu	1676	iksqrbimdu
/boot/wjropkvjzr	1679	wjropkvjzr
/boot/nsmkbojkry	1682	nsmkbojkry
/boot/jrrqgfsiea	1685	jrrqgfsiea
/boot/pjpfkagdnu	1688	pjpfkagdnu
/boot/cqdmmgsies	1691	cqdmmgsies
/boot/uwstjarham	1694	uwstjarham
/boot/aqithjrecu	1697	aqithjrecu
/boot/wpmrkvkrwe	1700	wpmrkvkrwe
/boot/vygjqshftn	1703	vygjqshftn
/boot/aknedclnuu	1706	aknedclnuu
/boot/admnmrigvm	1709	admnmrigvm
/boot/cgwedceuis	1712	cgwedceuis
/boot/bmpfxeyhxj	1718	bmpfxeyhxj
/boot/rzlxqznosg	1721	rzlxqznosg
/boot/wieemurcep	1724	wieemurcep
/boot/olivdehepm	1727	olivdehepm
/boot/rjhahbjunq	1730	rjhahbjunq
/boot/rgvlgtfopb	1733	rgvlgtfopb

Unexpected DNS network traffic destination 62 IoCs

Network traffic to other servers than the configured DNS servers was detected on the DNS port.

description	ioc
Destination IP	114.114.114.114
Destination IP	114.114.114.114
Destination IP	114.114.114.114
Destination IP	114.114.114.114
Destination IP	114.114.114.114
Destination IP	114.114.114.114
Destination IP	114.114.114.114
Destination IP	114.114.114.114
Destination IP	114.114.114.114
Destination IP	114.114.114.114
Destination IP	114.114.114.114
Destination IP	114.114.114.114
Destination IP	114.114.114.114
Destination IP	114.114.114.114
Destination IP	114.114.114.114
Destination IP	114.114.114.114
Destination IP	114.114.114.114
Destination IP	114.114.114.114
Destination IP	114.114.114.114
Destination IP	114.114.114.114
Destination IP	114.114.114.114
Destination IP	114.114.114.114
Destination IP	114.114.114.114
Destination IP	114.114.114.114
Destination IP	114.114.114.114
Destination IP	114.114.114.114
Destination IP	114.114.114.114
Destination IP	114.114.114.114
Destination IP	114.114.114.114
Destination IP	114.114.114.114
Destination IP	114.114.114.114
Destination IP	114.114.114.114
Destination IP	114.114.114.114
Destination IP	114.114.114.114
Destination IP	114.114.114.114
Destination IP	114.114.114.114
Destination IP	114.114.114.114
Destination IP	114.114.114.114
Destination IP	114.114.114.114
Destination IP	114.114.114.114
Destination IP	114.114.114.114
Destination IP	114.114.114.114
Destination IP	114.114.114.114
Destination IP	114.114.114.114
Destination IP	114.114.114.114
Destination IP	114.114.114.114
Destination IP	114.114.114.114
Destination IP	114.114.114.114
Destination IP	114.114.114.114
Destination IP	114.114.114.114
Destination IP	114.114.114.114
Destination IP	114.114.114.114
Destination IP	114.114.114.114
Destination IP	114.114.114.114
Destination IP	114.114.114.114
Destination IP	114.114.114.114
Destination IP	114.114.114.114
Destination IP	114.114.114.114
Destination IP	114.114.114.114
Destination IP	114.114.114.114
Destination IP	114.114.114.114
Destination IP	114.114.114.114

Creates/modifies Cron job 1 TTPs 2 IoCs

Cron allows running tasks on a schedule, and is commonly used for malware persistence.

persistence

Scheduled Task/Job

T1053

description	ioc	Process
File opened for modification	/etc/cron.hourly/cron.sh	pufmbpylot
File opened for modification	/etc/crontab	sh

Modifies init.d 1 TTPs 1 IoCs

Adds/modifies system service, likely for persistence.

persistence

Boot or Logon Autostart Execution

T1547

description	ioc	Process
File opened for modification	/etc/init.d/pufmbpylot	pufmbpylot

Reads runtime system information 5 IoCs

Reads data from /proc virtual filesystem.

description	ioc	Process
File opened for reading	/proc/filesystems	sed
File opened for reading	/proc/stat	pufmbpylot
File opened for reading	/proc/filesystems	systemctl
File opened for reading	/proc/rs_dev	6f651328b7088ae6460724a40faa6c21_JaffaCakes118
File opened for reading	/proc/rs_dev	pufmbpylot

/tmp/6f651328b7088ae6460724a40faa6c21_JaffaCakes118
/tmp/6f651328b7088ae6460724a40faa6c21_JaffaCakes118
1⤵
- Reads runtime system information
PID:1569

/boot/pufmbpylot
/boot/pufmbpylot
1⤵
- Executes dropped EXE
- Creates/modifies Cron job
- Modifies init.d
- Reads runtime system information
PID:1572
- /bin/sh
  sh -c "sed -i '/\\/etc\\/cron.hourly\\/cron.sh/d' /etc/crontab && echo '*/3 * * * * root /etc/cron.hourly/cron.sh' >> /etc/crontab"
  2⤵
  - Creates/modifies Cron job
  PID:1578
- - /bin/sed
    sed -i "/\\/etc\\/cron.hourly\\/cron.sh/d" /etc/crontab
    3⤵
    - Reads runtime system information
    PID:1579

/bin/chkconfig
chkconfig --add pufmbpylot
1⤵
PID:1575

/sbin/chkconfig
chkconfig --add pufmbpylot
1⤵
PID:1575

/usr/bin/chkconfig
chkconfig --add pufmbpylot
1⤵
PID:1575

/usr/sbin/chkconfig
chkconfig --add pufmbpylot
1⤵
PID:1575

/usr/local/bin/chkconfig
chkconfig --add pufmbpylot
1⤵
PID:1575

/usr/local/sbin/chkconfig
chkconfig --add pufmbpylot
1⤵
PID:1575

/usr/X11R6/bin/chkconfig
chkconfig --add pufmbpylot
1⤵
PID:1575

/bin/update-rc.d
update-rc.d pufmbpylot defaults
1⤵
PID:1577

/sbin/update-rc.d
update-rc.d pufmbpylot defaults
1⤵
PID:1577
- /bin/systemctl
  systemctl daemon-reload
  2⤵
  - Reads runtime system information
  PID:1584

/boot/ggtqdgqvko
/boot/ggtqdgqvko su 1573
1⤵
- Executes dropped EXE
PID:1583

/boot/pzeopzcuvc
/boot/pzeopzcuvc uptime 1573
1⤵
- Executes dropped EXE
PID:1629

/boot/lgykvctoaq
/boot/lgykvctoaq whoami 1573
1⤵
- Executes dropped EXE
PID:1632

/boot/tgtasgdgdu
/boot/tgtasgdgdu pwd 1573
1⤵
- Executes dropped EXE
PID:1635

/boot/sypcgtannk
/boot/sypcgtannk whoami 1573
1⤵
- Executes dropped EXE
PID:1638

/boot/fmfrnmqjug
/boot/fmfrnmqjug who 1573
1⤵
- Executes dropped EXE
PID:1641

/boot/xqtnhydsku
/boot/xqtnhydsku "netstat -an" 1573
1⤵
- Executes dropped EXE
PID:1661

/boot/gjfcjlbkbc
/boot/gjfcjlbkbc whoami 1573
1⤵
- Executes dropped EXE
PID:1664

/boot/gohlbqcirf
/boot/gohlbqcirf top 1573
1⤵
- Executes dropped EXE
PID:1667

/boot/wkxrkmsrwo
/boot/wkxrkmsrwo gnome-terminal 1573
1⤵
- Executes dropped EXE
PID:1670

/boot/nucvvzzffg
/boot/nucvvzzffg who 1573
1⤵
- Executes dropped EXE
PID:1673

/boot/iksqrbimdu
/boot/iksqrbimdu "echo \"find\"" 1573
1⤵
- Executes dropped EXE
PID:1676

/boot/wjropkvjzr
/boot/wjropkvjzr "netstat -antop" 1573
1⤵
- Executes dropped EXE
PID:1679

/boot/nsmkbojkry
/boot/nsmkbojkry "netstat -antop" 1573
1⤵
- Executes dropped EXE
PID:1682

/boot/jrrqgfsiea
/boot/jrrqgfsiea "ls -la" 1573
1⤵
- Executes dropped EXE
PID:1685

/boot/pjpfkagdnu
/boot/pjpfkagdnu "cd /etc" 1573
1⤵
- Executes dropped EXE
PID:1688

/boot/cqdmmgsies
/boot/cqdmmgsies su 1573
1⤵
- Executes dropped EXE
PID:1691

/boot/uwstjarham
/boot/uwstjarham bash 1573
1⤵
- Executes dropped EXE
PID:1694

/boot/aqithjrecu
/boot/aqithjrecu sh 1573
1⤵
- Executes dropped EXE
PID:1697

/boot/wpmrkvkrwe
/boot/wpmrkvkrwe "cat resolv.conf" 1573
1⤵
- Executes dropped EXE
PID:1700

/boot/vygjqshftn
/boot/vygjqshftn "echo \"find\"" 1573
1⤵
- Executes dropped EXE
PID:1703

/boot/aknedclnuu
/boot/aknedclnuu whoami 1573
1⤵
- Executes dropped EXE
PID:1706

/boot/admnmrigvm
/boot/admnmrigvm top 1573
1⤵
- Executes dropped EXE
PID:1709

/boot/cgwedceuis
/boot/cgwedceuis who 1573
1⤵
- Executes dropped EXE
PID:1712

/boot/bmpfxeyhxj
/boot/bmpfxeyhxj uptime 1573
1⤵
- Executes dropped EXE
PID:1718

/boot/rzlxqznosg
/boot/rzlxqznosg bash 1573
1⤵
- Executes dropped EXE
PID:1721

/boot/wieemurcep
/boot/wieemurcep gnome-terminal 1573
1⤵
- Executes dropped EXE
PID:1724

/boot/olivdehepm
/boot/olivdehepm ls 1573
1⤵
- Executes dropped EXE
PID:1727

/boot/rjhahbjunq
/boot/rjhahbjunq "ls -la" 1573
1⤵
- Executes dropped EXE
PID:1730

/boot/rgvlgtfopb
/boot/rgvlgtfopb bash 1573
1⤵
- Executes dropped EXE
PID:1733

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Boot or Logon Autostart Execution

T1547

Scheduled Task/Job

T1053

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Scheduled Task/Job

T1053

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

/etc/cron.hourly/cron.sh

Filesize
223B

MD5
b791b087b1795e3674a9aa765c76fc04

SHA1
b53f478234ae97f3cdbf2e7fe7ec68d687feb7c1

SHA256
1c1e9b69cf8021bf7ce1f60dcaa2d31c1e21ed4b6e474f3571da81ffd5a9b69e

SHA512
2dcc2e478c51cf8118306fd5c744aad7147e368cbc4329db1cc5fac52088a7f3354079ae2b582b270495789e4fb4591538ec88bb5ea40eec646f360bac33bbb2

Download Submit
/etc/crontab

Filesize
1KB

MD5
8333938f8704c2a0c7c0277d4a2ddd37

SHA1
2a521562227e522aa045aa959bf5c9092fb3470d

SHA256
73561733495eb44881664ab0410642751e0afc3973c5a52ebd27900cde398988

SHA512
a415a5002a1636c6e0cf7a5aa06a221621c656864bbbdbf384affdf8f9eefcc17eef3c980c6be454d30eb109b973b92689ae418959ac331dca538782e6c9b649

Download Submit
/etc/init.d/pufmbpylot

Filesize
317B

MD5
9b5694b6f50f139279f8a9417ec681f2

SHA1
bc063e85849ba7db4545f3692bc5f74ee7e80bee

SHA256
03b01985a0c8a54618ebd0f4f82614629e2d38b432db0796526e855895b97ab4

SHA512
b121bf371cae56e1f3df85e235c26b8e498fa964e0123e2d560d257c3740c04d194a9d5aec3f49bd9d091b9d74bb76b0c0b8efdd2ce7f62e26630a6b6c9bf17b

Download Submit
/etc/sedZEcojD

Filesize
1KB

MD5
e57fd77c50de7b8a8eec19de0ec3f4f3

SHA1
835d38771a0c5b112596ab8841a7904f41c266ee

SHA256
3494e2d3ce0fb77633d00b247cad543cca29c7673da802a23bd5fe0364eb2c13

SHA512
e6103d07bb6ed51cba953a9a861e39a36be0dc37899ec0fa353f5c991f71f9e7ec8433c054ac18a74da0a1c46054ad7cd637a1c64301d52cb0e6ac3d59f5c86c

Download Submit
/run/sftp.pid

Filesize
32B

MD5
37511cbea3a39861a4824ef9fa6febf5

SHA1
e0c2fdd2282ed9d2b1d1b25e9bf09aa20eacb7ec

SHA256
f8dd718c90a8aa03b8b63b0d51ed7fdcc2ced27ae750496f891657306b3d8270

SHA512
dac82d97383577a0cea47936623ce69380d953ccbeefb6bfad2accf1e8775de8d131996a80fc361050955ab6cba1c28e31d3e5babaaef69943f43d43a05c3ec6

Download Submit
/usr/lib/udev/udev

Filesize
647KB

MD5
6f651328b7088ae6460724a40faa6c21

SHA1
8631258fff9828f96629eeaa4fc262b4fabded79

SHA256
fe7c764a7458591fe29e52bf96c74e02fc4fee3d09b455fd67e8c6adb178cf21

SHA512
94566e144586eee595647f27a4ea2ff9cf96a7805b9bf6d6af545ef6613fc7bd05846d31cf544c47a7d59954ffe8b134673746dfa2b8d3cb4c218f212996b912

Download Submit

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads