xorddos | 08a241e035c5702ebe46a89faf6a6e9544acf3a9d8f54e41aca69c508d193e24

Analysis

max time kernel
149s
max time network
152s
platform
ubuntu-18.04_amd64
resource
ubuntu1804-amd64-20240611-en
resource tags

arch:amd64arch:i386image:ubuntu1804-amd64-20240611-enkernel:4.15.0-213-genericlocale:en-usos:ubuntu-18.04-amd64system
submitted
31-07-2024 04:24

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

7b3e0b3c4420b86c1c9e19626deb9beb_JaffaCakes118
Size

647KB
MD5

7b3e0b3c4420b86c1c9e19626deb9beb
SHA1

33094eb2502965d98f6885e7b3dd801c1e4ef914
SHA256

08a241e035c5702ebe46a89faf6a6e9544acf3a9d8f54e41aca69c508d193e24
SHA512

34ec5d04c0cc5e9187dd53fe752420672e36b073371c250ff7069c9db9e0f216c22e9af54abfb2b7b38e4de868611387c6a5b67a8ca2aa7ccad7f06e953c6519
SSDEEP

12288:RBRO1UmJJ0nHgBL9YfJip2qm+x4h1Tonvp6y07l7mtBDvnD/u9hMHDB:RBRpmJ+HyL9AiAqm+x4h1mv6wvnDWXMN

Score

10^/10

xorddos botnet downloader persistence

Malware Config

Extracted

Family

xorddos

http://info1.3000uc.com/b/u.php

aaaaaaaaaa.re67das.com:5859

l88833.f3322.net:1580

Attributes

crc_polynomial
EDB88320

xor.plain

Signatures

XorDDoS
Botnet and downloader malware targeting Linux-based operating systems and IoT devices.
botnet downloader xorddos

XorDDoS payload 1 IoCs

Processes:

resource	yara_rule
behavioral1/files/fstream-1.dat	family_xorddos

Deletes itself 1 IoCs

Processes:

pid
1489

Executes dropped EXE 31 IoCs

Processes:

xgmmrdkzogzzlcpticeboilldlomatjwtzdvxllyuoheekomvkygjgkdpufcbobebbizrrlrxcyjijzkgodghrbbwykikkfuuqufftcqqttvuqtkvwbplbatxrfiznqozwzozyxcnfvuqjbgvjkfsowgqxpunzbgxqomxdnenctipoohmkplhczolxkwhxczwpkxbwrleilfbyyqwbksfvippgtbdhdrcymumuybctrvuztevrfutawtowcidfvwuaqdqxzgosktqknhyzwffocnpoitltxmzikffgxawuqhvpnnwefdxc

ioc	pid	Process
/boot/xgmmrdkzog	1494	xgmmrdkzog
/boot/zzlcpticeb	1514	zzlcpticeb
/boot/oilldlomat	1522	oilldlomat
/boot/jwtzdvxlly	1525	jwtzdvxlly
/boot/uoheekomvk	1528	uoheekomvk
/boot/ygjgkdpufc	1531	ygjgkdpufc
/boot/bobebbizrr	1534	bobebbizrr
/boot/lrxcyjijzk	1539	lrxcyjijzk
/boot/godghrbbwy	1542	godghrbbwy
/boot/kikkfuuquf	1545	kikkfuuquf
/boot/ftcqqttvuq	1548	ftcqqttvuq
/boot/tkvwbplbat	1551	tkvwbplbat
/boot/xrfiznqozw	1554	xrfiznqozw
/boot/zozyxcnfvu	1557	zozyxcnfvu
/boot/qjbgvjkfso	1560	qjbgvjkfso
/boot/wgqxpunzbg	1563	wgqxpunzbg
/boot/xqomxdnenc	1566	xqomxdnenc
/boot/tipoohmkpl	1569	tipoohmkpl
/boot/hczolxkwhx	1572	hczolxkwhx
/boot/czwpkxbwrl	1575	czwpkxbwrl
/boot/eilfbyyqwb	1578	eilfbyyqwb
/boot/ksfvippgtb	1581	ksfvippgtb
/boot/dhdrcymumu	1584	dhdrcymumu
/boot/ybctrvuzte	1587	ybctrvuzte
/boot/vrfutawtow	1590	vrfutawtow
/boot/cidfvwuaqd	1593	cidfvwuaqd
/boot/qxzgosktqk	1596	qxzgosktqk
/boot/nhyzwffocn	1599	nhyzwffocn
/boot/poitltxmzi	1602	poitltxmzi
/boot/kffgxawuqh	1605	kffgxawuqh
/boot/vpnnwefdxc	1608	vpnnwefdxc

Unexpected DNS network traffic destination 64 IoCs

Network traffic to other servers than the configured DNS servers was detected on the DNS port.

Processes:

description	ioc
Destination IP	114.114.114.114
Destination IP	114.114.114.114
Destination IP	114.114.114.114
Destination IP	114.114.114.114
Destination IP	114.114.114.114
Destination IP	114.114.114.114
Destination IP	114.114.114.114
Destination IP	114.114.114.114
Destination IP	114.114.114.114
Destination IP	114.114.114.114
Destination IP	114.114.114.114
Destination IP	114.114.114.114
Destination IP	114.114.114.114
Destination IP	114.114.114.114
Destination IP	114.114.114.114
Destination IP	114.114.114.114
Destination IP	114.114.114.114
Destination IP	114.114.114.114
Destination IP	114.114.114.114
Destination IP	114.114.114.114
Destination IP	114.114.114.114
Destination IP	114.114.114.114
Destination IP	114.114.114.114
Destination IP	114.114.114.114
Destination IP	114.114.114.114
Destination IP	114.114.114.114
Destination IP	114.114.114.114
Destination IP	114.114.114.114
Destination IP	114.114.114.114
Destination IP	114.114.114.114
Destination IP	114.114.114.114
Destination IP	114.114.114.114
Destination IP	114.114.114.114
Destination IP	114.114.114.114
Destination IP	114.114.114.114
Destination IP	114.114.114.114
Destination IP	114.114.114.114
Destination IP	114.114.114.114
Destination IP	114.114.114.114
Destination IP	114.114.114.114
Destination IP	114.114.114.114
Destination IP	114.114.114.114
Destination IP	114.114.114.114
Destination IP	114.114.114.114
Destination IP	114.114.114.114
Destination IP	114.114.114.114
Destination IP	114.114.114.114
Destination IP	114.114.114.114
Destination IP	114.114.114.114
Destination IP	114.114.114.114
Destination IP	114.114.114.114
Destination IP	114.114.114.114
Destination IP	114.114.114.114
Destination IP	114.114.114.114
Destination IP	114.114.114.114
Destination IP	114.114.114.114
Destination IP	114.114.114.114
Destination IP	114.114.114.114
Destination IP	114.114.114.114
Destination IP	114.114.114.114
Destination IP	114.114.114.114
Destination IP	114.114.114.114
Destination IP	114.114.114.114
Destination IP	114.114.114.114

Creates/modifies Cron job 1 TTPs 2 IoCs

Cron allows running tasks on a schedule, and is commonly used for malware persistence.

persistence

Scheduled Task/Job

T1053

Processes:

shxgmmrdkzog

description	ioc	Process
File opened for modification	/etc/crontab	sh
File opened for modification	/etc/cron.hourly/cron.sh	xgmmrdkzog

Modifies init.d 1 TTPs 1 IoCs

Adds/modifies system service, likely for persistence.

persistence

Boot or Logon Autostart Execution

T1547

Processes:

xgmmrdkzog

description	ioc	Process
File opened for modification	/etc/init.d/xgmmrdkzog	xgmmrdkzog

Reads runtime system information 10 IoCs

Reads data from /proc virtual filesystem.

Processes:

7b3e0b3c4420b86c1c9e19626deb9beb_JaffaCakes118sedxgmmrdkzogsystemctl

description	ioc	Process
File opened for reading	/proc/rs_dev	7b3e0b3c4420b86c1c9e19626deb9beb_JaffaCakes118
File opened for reading	/proc/filesystems	sed
File opened for reading	/proc/stat	xgmmrdkzog
File opened for reading	/proc/self/stat	systemctl
File opened for reading	/proc/1/environ	systemctl
File opened for reading	/proc/cmdline	systemctl
File opened for reading	/proc/rs_dev	xgmmrdkzog
File opened for reading	/proc/filesystems	systemctl
File opened for reading	/proc/sys/kernel/osrelease	systemctl
File opened for reading	/proc/1/sched	systemctl

/tmp/7b3e0b3c4420b86c1c9e19626deb9beb_JaffaCakes118
/tmp/7b3e0b3c4420b86c1c9e19626deb9beb_JaffaCakes118
1⤵
- Reads runtime system information
PID:1488

/boot/xgmmrdkzog
/boot/xgmmrdkzog
1⤵
- Executes dropped EXE
- Creates/modifies Cron job
- Modifies init.d
- Reads runtime system information
PID:1494
- /bin/sh
  sh -c "sed -i '/\\/etc\\/cron.hourly\\/cron.sh/d' /etc/crontab && echo '*/3 * * * * root /etc/cron.hourly/cron.sh' >> /etc/crontab"
  2⤵
  - Creates/modifies Cron job
  PID:1504
- - /bin/sed
    sed -i "/\\/etc\\/cron.hourly\\/cron.sh/d" /etc/crontab
    3⤵
    - Reads runtime system information
    PID:1507

/bin/chkconfig
chkconfig --add xgmmrdkzog
1⤵
PID:1500

/sbin/chkconfig
chkconfig --add xgmmrdkzog
1⤵
PID:1500

/usr/bin/chkconfig
chkconfig --add xgmmrdkzog
1⤵
PID:1500

/usr/sbin/chkconfig
chkconfig --add xgmmrdkzog
1⤵
PID:1500

/usr/local/bin/chkconfig
chkconfig --add xgmmrdkzog
1⤵
PID:1500

/usr/local/sbin/chkconfig
chkconfig --add xgmmrdkzog
1⤵
PID:1500

/usr/X11R6/bin/chkconfig
chkconfig --add xgmmrdkzog
1⤵
PID:1500

/bin/update-rc.d
update-rc.d xgmmrdkzog defaults
1⤵
PID:1503

/sbin/update-rc.d
update-rc.d xgmmrdkzog defaults
1⤵
PID:1503

/usr/bin/update-rc.d
update-rc.d xgmmrdkzog defaults
1⤵
PID:1503

/usr/sbin/update-rc.d
update-rc.d xgmmrdkzog defaults
1⤵
PID:1503
- /bin/systemctl
  systemctl daemon-reload
  2⤵
  - Reads runtime system information
  PID:1515

/boot/zzlcpticeb
/boot/zzlcpticeb "sleep 1" 1498
1⤵
- Executes dropped EXE
PID:1514

/boot/oilldlomat
/boot/oilldlomat "echo \"find\"" 1498
1⤵
- Executes dropped EXE
PID:1522

/boot/jwtzdvxlly
/boot/jwtzdvxlly "cat resolv.conf" 1498
1⤵
- Executes dropped EXE
PID:1525

/boot/uoheekomvk
/boot/uoheekomvk whoami 1498
1⤵
- Executes dropped EXE
PID:1528

/boot/ygjgkdpufc
/boot/ygjgkdpufc "ls -la" 1498
1⤵
- Executes dropped EXE
PID:1531

/boot/bobebbizrr
/boot/bobebbizrr "echo \"find\"" 1498
1⤵
- Executes dropped EXE
PID:1534

/boot/lrxcyjijzk
/boot/lrxcyjijzk gnome-terminal 1498
1⤵
- Executes dropped EXE
PID:1539

/boot/godghrbbwy
/boot/godghrbbwy "sleep 1" 1498
1⤵
- Executes dropped EXE
PID:1542

/boot/kikkfuuquf
/boot/kikkfuuquf "ps -ef" 1498
1⤵
- Executes dropped EXE
PID:1545

/boot/ftcqqttvuq
/boot/ftcqqttvuq id 1498
1⤵
- Executes dropped EXE
PID:1548

/boot/tkvwbplbat
/boot/tkvwbplbat "cat resolv.conf" 1498
1⤵
- Executes dropped EXE
PID:1551

/boot/xrfiznqozw
/boot/xrfiznqozw ls 1498
1⤵
- Executes dropped EXE
PID:1554

/boot/zozyxcnfvu
/boot/zozyxcnfvu "sleep 1" 1498
1⤵
- Executes dropped EXE
PID:1557

/boot/qjbgvjkfso
/boot/qjbgvjkfso "echo \"find\"" 1498
1⤵
- Executes dropped EXE
PID:1560

/boot/wgqxpunzbg
/boot/wgqxpunzbg uptime 1498
1⤵
- Executes dropped EXE
PID:1563

/boot/xqomxdnenc
/boot/xqomxdnenc id 1498
1⤵
- Executes dropped EXE
PID:1566

/boot/tipoohmkpl
/boot/tipoohmkpl "grep \"A\"" 1498
1⤵
- Executes dropped EXE
PID:1569

/boot/hczolxkwhx
/boot/hczolxkwhx top 1498
1⤵
- Executes dropped EXE
PID:1572

/boot/czwpkxbwrl
/boot/czwpkxbwrl "sleep 1" 1498
1⤵
- Executes dropped EXE
PID:1575

/boot/eilfbyyqwb
/boot/eilfbyyqwb ifconfig 1498
1⤵
- Executes dropped EXE
PID:1578

/boot/ksfvippgtb
/boot/ksfvippgtb whoami 1498
1⤵
- Executes dropped EXE
PID:1581

/boot/dhdrcymumu
/boot/dhdrcymumu id 1498
1⤵
- Executes dropped EXE
PID:1584

/boot/ybctrvuzte
/boot/ybctrvuzte gnome-terminal 1498
1⤵
- Executes dropped EXE
PID:1587

/boot/vrfutawtow
/boot/vrfutawtow bash 1498
1⤵
- Executes dropped EXE
PID:1590

/boot/cidfvwuaqd
/boot/cidfvwuaqd ls 1498
1⤵
- Executes dropped EXE
PID:1593

/boot/qxzgosktqk
/boot/qxzgosktqk "ps -ef" 1498
1⤵
- Executes dropped EXE
PID:1596

/boot/nhyzwffocn
/boot/nhyzwffocn top 1498
1⤵
- Executes dropped EXE
PID:1599

/boot/poitltxmzi
/boot/poitltxmzi "sleep 1" 1498
1⤵
- Executes dropped EXE
PID:1602

/boot/kffgxawuqh
/boot/kffgxawuqh "cd /etc" 1498
1⤵
- Executes dropped EXE
PID:1605

/boot/vpnnwefdxc
/boot/vpnnwefdxc "echo \"find\"" 1498
1⤵
- Executes dropped EXE
PID:1608

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Boot or Logon Autostart Execution

T1547

Scheduled Task/Job

T1053

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Scheduled Task/Job

T1053

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

/etc/cron.hourly/cron.sh

Filesize
223B

MD5
b791b087b1795e3674a9aa765c76fc04

SHA1
b53f478234ae97f3cdbf2e7fe7ec68d687feb7c1

SHA256
1c1e9b69cf8021bf7ce1f60dcaa2d31c1e21ed4b6e474f3571da81ffd5a9b69e

SHA512
2dcc2e478c51cf8118306fd5c744aad7147e368cbc4329db1cc5fac52088a7f3354079ae2b582b270495789e4fb4591538ec88bb5ea40eec646f360bac33bbb2

Download Submit
/etc/crontab

Filesize
764B

MD5
01de9c66a1aa26273160a69f31c78a1c

SHA1
e639288aed15e1482d2a99e568847926d9307447

SHA256
dbccbf08e2579449c96013a1679d84049e29761c7691eefcfb3d1a24db0f1109

SHA512
51aa75c7bed7e7f6a4538a453b24694bc7b31f23c1e8116eb6b92c7f0895351c3cc0cc5d78a51bcc35da29e36e1f28e9812f9585505327c151c7af649d42ccf8

Download Submit
/etc/init.d/xgmmrdkzog

Filesize
317B

MD5
3fb8b016bb1ddc1791da6e80f894951e

SHA1
0192b6a774e6e2ac8dd3cec989dbea0dae3dd9b8

SHA256
db6a112f403609e16ade309e6f66615d5382994b41a3c88e72d95510fb39eb34

SHA512
a6e23a90469fc4beb22de8da5f3f71277863ab23f538af04c3a360512700095ab1b2bbd1571e53d72c49deaf1a4ec821037ebb466f1046fd8b564cbfe21d02f0

Download Submit
/etc/sedVlctCK

Filesize
722B

MD5
8f111d100ea459f68d333d63a8ef2205

SHA1
077ca9c46a964de67c0f7765745d5c6f9e2065c3

SHA256
0e5c204385b21e15b031c83f37212bf5a4ee77b51762b7b54bd6ad973ebdf354

SHA512
d81767b47fb84aaf435f930356ded574ee9825ec710a2e7c26074860d8a385741d65572740137b6f9686c285a32e2951ca933393b266746988f1737aad059adb

Download Submit
/lib/udev/udev

Filesize
647KB

MD5
7b3e0b3c4420b86c1c9e19626deb9beb

SHA1
33094eb2502965d98f6885e7b3dd801c1e4ef914

SHA256
08a241e035c5702ebe46a89faf6a6e9544acf3a9d8f54e41aca69c508d193e24

SHA512
34ec5d04c0cc5e9187dd53fe752420672e36b073371c250ff7069c9db9e0f216c22e9af54abfb2b7b38e4de868611387c6a5b67a8ca2aa7ccad7f06e953c6519

Download Submit
/run/sftp.pid

Filesize
32B

MD5
9e16e390d861eaa7a859ab9fe1c9cfcb

SHA1
d18545c58d6071dc350e4e151f169a530d2b9a86

SHA256
31642674dd4f9cb4e76ceb3f71084207e3fb5baa76e1309e8555004ef4376e68

SHA512
dd8aaa8b37fcb48a91f632500d5becf9bdd5ead754e2fd10569a385142e6660119c71d26d2195e3d3937888d942a9c6709e043f20a7700fc124bb8bc985e2148

Download Submit