xorddos | 77eaa6e5b8111228cba1de51b04f96676513736b18834bde2d35de4e1a1cf032

General

Target

9e3f2816aedb9f6fcf1b614c0a9aa0f3_JaffaCakes118
Size

647KB
MD5

9e3f2816aedb9f6fcf1b614c0a9aa0f3
SHA1

53bc1cef220187799bfba92fe7a709f0ef5f18b1
SHA256

77eaa6e5b8111228cba1de51b04f96676513736b18834bde2d35de4e1a1cf032
SHA512

676414a067309a7d80e5e149f794feb6a264ca1db77cd47cce385b1d2c182cfaa936127dbb9d0d49b81e4be8e328a7f19c85c615fe4178b14e11b0c12ead9033
SSDEEP

12288:RBRO1UmJJ0nHgBL9YfJip2qm+x4h1TonTp6y07l7mtBDvnD/u9hMHDB:RBRpmJ+HyL9AiAqm+x4h1mT6wvnDWXMN

Score

10^/10

xorddos botnet downloader infostealer persistence

Malware Config

Extracted

Family

xorddos

C2

http://info1.3000uc.com/b/u.php

godaddy.gdgaoxiang.com:5858

xinlong888.f3322.net:5210

43.252.231.202:5210

Attributes

crc_polynomial
EDB88320

xor.plain

Signatures

XorDDoS
Botnet and downloader malware targeting Linux-based operating systems and IoT devices.
botnet downloader xorddos

XorDDoS payload 1 IoCs

Processes:

resource	yara_rule
/usr/lib/udev/udev	family_xorddos

Deletes itself 1 IoCs

Processes:

pid

1397

pid
1397

Executes dropped EXE 31 IoCs

Processes:

xhjczzohiagnbcccviaaowadpizstjmjvquqskqqmruprowqesbnhjaabhjivyukskntfphqjploelxdzixppwaowuoifqcbyzfehdjxgynmsxhgklslmnezhuinerxslleueitvoiylzelkunrwqgrkrepqdoejycfjyhhkylwdnobitxndhpdqcuvdycsdbycgwtnjqwbrfqbkqwzbyhdbvwydynswydmfairwyknulaimutbuidalnfovkavyfchngfepqjbivjzwnadhrcvxujpjsneeisbvjpcoiueyjruqzdlxpy

ioc	pid	process
/boot/xhjczzohia	1399	xhjczzohia
/boot/gnbcccviaa	1410	gnbcccviaa
/boot/owadpizstj	1493	owadpizstj
/boot/mjvquqskqq	1496	mjvquqskqq
/boot/mruprowqes	1499	mruprowqes
/boot/bnhjaabhji	1502	bnhjaabhji
/boot/vyukskntfp	1505	vyukskntfp
/boot/hqjploelxd	1525	hqjploelxd
/boot/zixppwaowu	1528	zixppwaowu
/boot/oifqcbyzfe	1531	oifqcbyzfe
/boot/hdjxgynmsx	1534	hdjxgynmsx
/boot/hgklslmnez	1537	hgklslmnez
/boot/huinerxsll	1540	huinerxsll
/boot/eueitvoiyl	1549	eueitvoiyl
/boot/zelkunrwqg	1552	zelkunrwqg
/boot/rkrepqdoej	1555	rkrepqdoej
/boot/ycfjyhhkyl	1558	ycfjyhhkyl
/boot/wdnobitxnd	1561	wdnobitxnd
/boot/hpdqcuvdyc	1564	hpdqcuvdyc
/boot/sdbycgwtnj	1567	sdbycgwtnj
/boot/qwbrfqbkqw	1570	qwbrfqbkqw
/boot/zbyhdbvwyd	1573	zbyhdbvwyd
/boot/ynswydmfai	1576	ynswydmfai
/boot/rwyknulaim	1579	rwyknulaim
/boot/utbuidalnf	1582	utbuidalnf
/boot/ovkavyfchn	1586	ovkavyfchn
/boot/gfepqjbivj	1589	gfepqjbivj
/boot/zwnadhrcvx	1592	zwnadhrcvx
/boot/ujpjsneeis	1595	ujpjsneeis
/boot/bvjpcoiuey	1598	bvjpcoiuey
/boot/jruqzdlxpy	1601	jruqzdlxpy

Reads EFI boot settings 1 IoCs
Reads EFI boot settings from the efivars filesystem, may contain security secrets or sensitive data.
infostealer

Processes:

systemctl

description ioc process

File opened for reading /sys/firmware/efi/efivars/SystemdOptions-8cf2644b-4b0b-428f-9387-6d876050dc67 systemctl

description	ioc	process
File opened for reading	/sys/firmware/efi/efivars/SystemdOptions-8cf2644b-4b0b-428f-9387-6d876050dc67	systemctl

Unexpected DNS network traffic destination 28 IoCs

Network traffic to other servers than the configured DNS servers was detected on the DNS port.

Processes:

description	ioc
Destination IP	114.114.114.114
Destination IP	114.114.114.114
Destination IP	114.114.114.114
Destination IP	114.114.114.114
Destination IP	114.114.114.114
Destination IP	114.114.114.114
Destination IP	114.114.114.114
Destination IP	114.114.114.114
Destination IP	114.114.114.114
Destination IP	114.114.114.114
Destination IP	114.114.114.114
Destination IP	114.114.114.114
Destination IP	114.114.114.114
Destination IP	114.114.114.114
Destination IP	114.114.114.114
Destination IP	114.114.114.114
Destination IP	114.114.114.114
Destination IP	114.114.114.114
Destination IP	114.114.114.114
Destination IP	114.114.114.114
Destination IP	114.114.114.114
Destination IP	114.114.114.114
Destination IP	114.114.114.114
Destination IP	114.114.114.114
Destination IP	114.114.114.114
Destination IP	114.114.114.114
Destination IP	114.114.114.114
Destination IP	114.114.114.114

Creates/modifies Cron job 1 TTPs 2 IoCs
Cron allows running tasks on a schedule, and is commonly used for malware persistence.
persistence

Scheduled Task/Job
T1053

Processes:

xhjczzohiash

description ioc process

File opened for modification /etc/cron.hourly/cron.sh xhjczzohia
File opened for modification /etc/crontab sh
Modifies init.d 1 TTPs 1 IoCs
Adds/modifies system service, likely for persistence.
persistence

Boot or Logon Autostart Execution
T1547

Processes:

xhjczzohia

description ioc process

File opened for modification /etc/init.d/xhjczzohia xhjczzohia
Enumerates kernel/hardware configuration 1 TTPs 1 IoCs
Reads contents of /sys virtual filesystem to enumerate system information.

System Information Discovery
T1082

Processes:

systemctl

description ioc process

File opened for reading /sys/firmware/efi/efivars/SystemdOptions-8cf2644b-4b0b-428f-9387-6d876050dc67 systemctl

description	ioc	process
File opened for modification	/etc/cron.hourly/cron.sh	xhjczzohia
File opened for modification	/etc/crontab	sh

description	ioc	process
File opened for modification	/etc/init.d/xhjczzohia	xhjczzohia

description	ioc	process
File opened for reading	/sys/firmware/efi/efivars/SystemdOptions-8cf2644b-4b0b-428f-9387-6d876050dc67	systemctl

Reads runtime system information 10 IoCs

Reads data from /proc virtual filesystem.

Processes:

systemctlxhjczzohiased9e3f2816aedb9f6fcf1b614c0a9aa0f3_JaffaCakes118

description	ioc	process
File opened for reading	/proc/sys/kernel/osrelease	systemctl
File opened for reading	/proc/cmdline	systemctl
File opened for reading	/proc/stat	xhjczzohia
File opened for reading	/proc/rs_dev	xhjczzohia
File opened for reading	/proc/filesystems	sed
File opened for reading	/proc/filesystems	systemctl
File opened for reading	/proc/self/stat	systemctl
File opened for reading	/proc/1/environ	systemctl
File opened for reading	/proc/1/sched	systemctl
File opened for reading	/proc/rs_dev	9e3f2816aedb9f6fcf1b614c0a9aa0f3_JaffaCakes118

/tmp/9e3f2816aedb9f6fcf1b614c0a9aa0f3_JaffaCakes118
/tmp/9e3f2816aedb9f6fcf1b614c0a9aa0f3_JaffaCakes118
1⤵
- Reads runtime system information
PID:1396

/boot/xhjczzohia
/boot/xhjczzohia
1⤵
- Executes dropped EXE
- Creates/modifies Cron job
- Modifies init.d
- Reads runtime system information
PID:1399
- /bin/sh
  sh -c "sed -i '/\\/etc\\/cron.hourly\\/cron.sh/d' /etc/crontab && echo '*/3 * * * * root /etc/cron.hourly/cron.sh' >> /etc/crontab"
  2⤵
  - Creates/modifies Cron job
  PID:1405
- - /bin/sed
    sed -i "/\\/etc\\/cron.hourly\\/cron.sh/d" /etc/crontab
    3⤵
    - Reads runtime system information
    PID:1406

/bin/chkconfig
chkconfig --add xhjczzohia
1⤵
PID:1402

/sbin/chkconfig
chkconfig --add xhjczzohia
1⤵
PID:1402

/usr/bin/chkconfig
chkconfig --add xhjczzohia
1⤵
PID:1402

/usr/sbin/chkconfig
chkconfig --add xhjczzohia
1⤵
PID:1402

/usr/local/bin/chkconfig
chkconfig --add xhjczzohia
1⤵
PID:1402

/usr/local/sbin/chkconfig
chkconfig --add xhjczzohia
1⤵
PID:1402

/usr/X11R6/bin/chkconfig
chkconfig --add xhjczzohia
1⤵
PID:1402

/bin/update-rc.d
update-rc.d xhjczzohia defaults
1⤵
PID:1404

/sbin/update-rc.d
update-rc.d xhjczzohia defaults
1⤵
PID:1404
- /bin/systemctl
  systemctl daemon-reload
  2⤵
  - Reads EFI boot settings
  - Enumerates kernel/hardware configuration
  - Reads runtime system information
  PID:1411

/boot/gnbcccviaa
/boot/gnbcccviaa "ls -la" 1400
1⤵
- Executes dropped EXE
PID:1410

/boot/owadpizstj
/boot/owadpizstj "grep \"A\"" 1400
1⤵
- Executes dropped EXE
PID:1493

/boot/mjvquqskqq
/boot/mjvquqskqq ls 1400
1⤵
- Executes dropped EXE
PID:1496

/boot/mruprowqes
/boot/mruprowqes ifconfig 1400
1⤵
- Executes dropped EXE
PID:1499

/boot/bnhjaabhji
/boot/bnhjaabhji "ps -ef" 1400
1⤵
- Executes dropped EXE
PID:1502

/boot/vyukskntfp
/boot/vyukskntfp pwd 1400
1⤵
- Executes dropped EXE
PID:1505

/boot/hqjploelxd
/boot/hqjploelxd pwd 1400
1⤵
- Executes dropped EXE
PID:1525

/boot/zixppwaowu
/boot/zixppwaowu "sleep 1" 1400
1⤵
- Executes dropped EXE
PID:1528

/boot/oifqcbyzfe
/boot/oifqcbyzfe "ps -ef" 1400
1⤵
- Executes dropped EXE
PID:1531

/boot/hdjxgynmsx
/boot/hdjxgynmsx bash 1400
1⤵
- Executes dropped EXE
PID:1534

/boot/hgklslmnez
/boot/hgklslmnez who 1400
1⤵
- Executes dropped EXE
PID:1537

/boot/huinerxsll
/boot/huinerxsll ifconfig 1400
1⤵
- Executes dropped EXE
PID:1540

/boot/eueitvoiyl
/boot/eueitvoiyl "route -n" 1400
1⤵
- Executes dropped EXE
PID:1549

/boot/zelkunrwqg
/boot/zelkunrwqg "cd /etc" 1400
1⤵
- Executes dropped EXE
PID:1552

/boot/rkrepqdoej
/boot/rkrepqdoej "ifconfig eth0" 1400
1⤵
- Executes dropped EXE
PID:1555

/boot/ycfjyhhkyl
/boot/ycfjyhhkyl ifconfig 1400
1⤵
- Executes dropped EXE
PID:1558

/boot/wdnobitxnd
/boot/wdnobitxnd "cat resolv.conf" 1400
1⤵
- Executes dropped EXE
PID:1561

/boot/hpdqcuvdyc
/boot/hpdqcuvdyc gnome-terminal 1400
1⤵
- Executes dropped EXE
PID:1564

/boot/sdbycgwtnj
/boot/sdbycgwtnj "netstat -an" 1400
1⤵
- Executes dropped EXE
PID:1567

/boot/qwbrfqbkqw
/boot/qwbrfqbkqw "sleep 1" 1400
1⤵
- Executes dropped EXE
PID:1570

/boot/zbyhdbvwyd
/boot/zbyhdbvwyd who 1400
1⤵
- Executes dropped EXE
PID:1573

/boot/ynswydmfai
/boot/ynswydmfai "netstat -an" 1400
1⤵
- Executes dropped EXE
PID:1576

/boot/rwyknulaim
/boot/rwyknulaim ifconfig 1400
1⤵
- Executes dropped EXE
PID:1579

/boot/utbuidalnf
/boot/utbuidalnf top 1400
1⤵
- Executes dropped EXE
PID:1582

/boot/ovkavyfchn
/boot/ovkavyfchn "ps -ef" 1400
1⤵
- Executes dropped EXE
PID:1586

/boot/gfepqjbivj
/boot/gfepqjbivj bash 1400
1⤵
- Executes dropped EXE
PID:1589

/boot/zwnadhrcvx
/boot/zwnadhrcvx who 1400
1⤵
- Executes dropped EXE
PID:1592

/boot/ujpjsneeis
/boot/ujpjsneeis id 1400
1⤵
- Executes dropped EXE
PID:1595

/boot/bvjpcoiuey
/boot/bvjpcoiuey "cd /etc" 1400
1⤵
- Executes dropped EXE
PID:1598

/boot/jruqzdlxpy
/boot/jruqzdlxpy su 1400
1⤵
- Executes dropped EXE
PID:1601

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

1

T1053

Persistence

Boot or Logon Autostart Execution

Scheduled Task/Job

Privilege Escalation

Boot or Logon Autostart Execution

Scheduled Task/Job

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

/etc/cron.hourly/cron.sh

Filesize
223B

MD5
b791b087b1795e3674a9aa765c76fc04

SHA1
b53f478234ae97f3cdbf2e7fe7ec68d687feb7c1

SHA256
1c1e9b69cf8021bf7ce1f60dcaa2d31c1e21ed4b6e474f3571da81ffd5a9b69e

SHA512
2dcc2e478c51cf8118306fd5c744aad7147e368cbc4329db1cc5fac52088a7f3354079ae2b582b270495789e4fb4591538ec88bb5ea40eec646f360bac33bbb2

Download Submit
/etc/crontab

Filesize
1KB

MD5
025668d5c5556a09e474efb8c86a5386

SHA1
3946e355c493dae571f427906058d877dd000bc5

SHA256
442a198f06e95043ad28dd345a2ec9b84799a434425b21ab24eeea6f296915d5

SHA512
f72df72c05fdcc6e3d11a4dcfe5b48486d391b4d61e25d82f6707b02bcd84b5d0989abf037abebcc6518ca106061de9c8d1b0dd2c2bd0b73649e85617aa15218

Download Submit
/etc/init.d/xhjczzohia

Filesize
317B

MD5
be39ca011986d32acc194cf226ec5c4a

SHA1
d3717e7edbe28383c428439d833e0a7d6ccb54c8

SHA256
8f33fa217812c66a2ceb740eecee102e84ccb50b139223201e2b99eec5634acf

SHA512
99e353bc3e3a7f0b2158d4082ae5c664da543151862992bc25c120b623903b580327b06523ad7224929870c12dd1af7b11939980e12c5d482264da668a61cc8d

Download Submit
/etc/sedcytezw

Filesize
1KB

MD5
44df62f8c671c9306af920e2839cda53

SHA1
90db86feb0aa6d41208eeb8097929407d79d95cc

SHA256
c5c9241274bee45e7e60d8b247a15bd5f69bf821b813215194156fd60fc4afc9

SHA512
0b86ddc2a648da07820a8ef90c71a54908650f589cc7a6c9ca40d74083909f56cdc68633dca82174ca6ddfd340bbd538bdb3a9ace8ba5031b474a4db01d5427d

Download Submit
/run/sftp.pid

Filesize
32B

MD5
f0f2ab86175a8a911ab57a0a530eba25

SHA1
5a746ecd5fd2746c9dfcd56d4c2432bc6e1c2cd9

SHA256
f0919ae408914886725f869949d9c5de33ca5e1194b7c63fb41630c35dc54639

SHA512
c8976fd3df20be5c1d0de4fd52a78a13ebdb2461f5fd5e4370e95fafd9863935c7a785b76252ae28ca070ab507d91867d622a691335f995ca9b0bff28dc6dde1

Download Submit
/usr/lib/udev/udev

Filesize
647KB

MD5
9e3f2816aedb9f6fcf1b614c0a9aa0f3

SHA1
53bc1cef220187799bfba92fe7a709f0ef5f18b1

SHA256
77eaa6e5b8111228cba1de51b04f96676513736b18834bde2d35de4e1a1cf032

SHA512
676414a067309a7d80e5e149f794feb6a264ca1db77cd47cce385b1d2c182cfaa936127dbb9d0d49b81e4be8e328a7f19c85c615fe4178b14e11b0c12ead9033

Download Submit

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads