xorddos | 84ab5a1714d831d74bbc16ece2083bf01b9d1f4c2e2196ae96347e36e56ee640

Analysis

max time kernel
59s
max time network
59s
platform
ubuntu-24.04_amd64
resource
ubuntu2404-amd64-20240523-en
resource tags

arch:amd64arch:i386image:ubuntu2404-amd64-20240523-enkernel:6.8.0-31-genericlocale:en-usos:ubuntu-24.04-amd64system
submitted
28-11-2024 10:31

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ab345e737a5361eff25a154296b9f909_
Size

596KB
MD5

87f51da6ac1c718aab74c39bb32ba7de
SHA1

37b5749ff70ae8fcbb26a5bb7e99363432e1c368
SHA256

84ab5a1714d831d74bbc16ece2083bf01b9d1f4c2e2196ae96347e36e56ee640
SHA512

373821064abb6038b258e3680fe50f45816061f62c40c7deb4718c42a86dacf7fccaa6eb4c01ae26e4f3fd1aa50cc4632cefa0082334ccec9e97a99d42837b0d
SSDEEP

12288:0PTJS+naeW9kclFEcMWbHdxZ7GkR2fV/6y9P/YAh7Dxu9hc7L:UTJfrW99q4bHdxZ7G1fVFND4XcP

Score

10^/10

xorddos botnet discovery downloader execution persistence privilege_escalatio rootkit

Malware Config

Extracted

Family

xorddos

dns-google.org:60000

a-dns-google.com:60000

orx.dns-google.org:7795

Attributes

crc_polynomial
EDB88320

xor.plain

Signatures

XorDDoS
Botnet and downloader malware targeting Linux-based operating systems and IoT devices.
botnet downloader xorddos

XorDDoS payload 13 IoCs

resource	yara_rule
behavioral1/files/fstream-6.dat	family_xorddos
behavioral1/files/fstream-7.dat	family_xorddos
behavioral1/files/fstream-8.dat	family_xorddos
behavioral1/files/fstream-9.dat	family_xorddos
behavioral1/files/fstream-10.dat	family_xorddos
behavioral1/files/fstream-11.dat	family_xorddos
behavioral1/files/fstream-12.dat	family_xorddos
behavioral1/files/fstream-13.dat	family_xorddos
behavioral1/files/fstream-14.dat	family_xorddos
behavioral1/files/fstream-15.dat	family_xorddos
behavioral1/files/fstream-16.dat	family_xorddos
behavioral1/files/fstream-17.dat	family_xorddos
behavioral1/files/fstream-18.dat	family_xorddos

Xorddos family
xorddos

Writes memory of remote process 2 IoCs

pid	Process
2534	ab345e737a5361eff25a154296b9f909_
2543	ab345e737a5361eff25a154296b9f909_

Loads a kernel module 64 IoCs

Loads a Linux kernel module, potentially to achieve persistence

rootkit

pid	Process
2534	ab345e737a5361eff25a154296b9f909_
2535	ab345e737a5361eff25a154296b9f909_
2540	ab345e737a5361eff25a154296b9f909_
2535	ab345e737a5361eff25a154296b9f909_
2544	ab345e737a5361eff25a154296b9f909_
2543	ab345e737a5361eff25a154296b9f909_
2545	ab345e737a5361eff25a154296b9f909_
2535	ab345e737a5361eff25a154296b9f909_
2549	ab345e737a5361eff25a154296b9f909_
2547	ab345e737a5361eff25a154296b9f909_
2551	ab345e737a5361eff25a154296b9f909_
2553	ab345e737a5361eff25a154296b9f909_
2557	ab345e737a5361eff25a154296b9f909_
2555	ab345e737a5361eff25a154296b9f909_
2560	ab345e737a5361eff25a154296b9f909_
2559	ab345e737a5361eff25a154296b9f909_
2561	ab345e737a5361eff25a154296b9f909_
2562	ab345e737a5361eff25a154296b9f909_
2543	ab345e737a5361eff25a154296b9f909_
2543	ab345e737a5361eff25a154296b9f909_
2535	ab345e737a5361eff25a154296b9f909_
2535	ab345e737a5361eff25a154296b9f909_
2557	ab345e737a5361eff25a154296b9f909_
2557	ab345e737a5361eff25a154296b9f909_
2560	ab345e737a5361eff25a154296b9f909_
2560	ab345e737a5361eff25a154296b9f909_
2559	ab345e737a5361eff25a154296b9f909_
2559	ab345e737a5361eff25a154296b9f909_
2561	ab345e737a5361eff25a154296b9f909_
2561	ab345e737a5361eff25a154296b9f909_
2562	ab345e737a5361eff25a154296b9f909_
2562	ab345e737a5361eff25a154296b9f909_
2543	ab345e737a5361eff25a154296b9f909_
2543	ab345e737a5361eff25a154296b9f909_
2557	ab345e737a5361eff25a154296b9f909_
2557	ab345e737a5361eff25a154296b9f909_
2560	ab345e737a5361eff25a154296b9f909_
2560	ab345e737a5361eff25a154296b9f909_
2559	ab345e737a5361eff25a154296b9f909_
2559	ab345e737a5361eff25a154296b9f909_
2561	ab345e737a5361eff25a154296b9f909_
2561	ab345e737a5361eff25a154296b9f909_
2562	ab345e737a5361eff25a154296b9f909_
2562	ab345e737a5361eff25a154296b9f909_
2543	ab345e737a5361eff25a154296b9f909_
2543	ab345e737a5361eff25a154296b9f909_
2557	ab345e737a5361eff25a154296b9f909_
2557	ab345e737a5361eff25a154296b9f909_
2560	ab345e737a5361eff25a154296b9f909_
2560	ab345e737a5361eff25a154296b9f909_
2559	ab345e737a5361eff25a154296b9f909_
2559	ab345e737a5361eff25a154296b9f909_
2561	ab345e737a5361eff25a154296b9f909_
2561	ab345e737a5361eff25a154296b9f909_
2562	ab345e737a5361eff25a154296b9f909_
2562	ab345e737a5361eff25a154296b9f909_
2543	ab345e737a5361eff25a154296b9f909_
2543	ab345e737a5361eff25a154296b9f909_
2557	ab345e737a5361eff25a154296b9f909_
2557	ab345e737a5361eff25a154296b9f909_
2560	ab345e737a5361eff25a154296b9f909_
2560	ab345e737a5361eff25a154296b9f909_
2559	ab345e737a5361eff25a154296b9f909_
2559	ab345e737a5361eff25a154296b9f909_

Unexpected DNS network traffic destination 11 IoCs

Network traffic to other servers than the configured DNS servers was detected on the DNS port.

description	ioc
Destination IP	103.25.9.228
Destination IP	103.25.9.228
Destination IP	103.25.9.228
Destination IP	103.25.9.228
Destination IP	103.25.9.228
Destination IP	103.25.9.228
Destination IP	103.25.9.228
Destination IP	103.25.9.228
Destination IP	103.25.9.228
Destination IP	103.25.9.228
Destination IP	103.25.9.228

Creates/modifies Cron job 1 TTPs 1 IoCs

Cron allows running tasks on a schedule, and is commonly used for malware persistence.

execution persistence privilege_escalatio

Cron

T1053.003

description	ioc	Process
File opened for modification	/etc/crontab	ab345e737a5361eff25a154296b9f909_

Reads runtime system information 2 IoCs

Reads data from /proc virtual filesystem.

discovery

description	ioc	Process
File opened for reading	/proc/filesystems	sed
File opened for reading	/proc/filesystems	systemctl

/tmp/ab345e737a5361eff25a154296b9f909_
/tmp/ab345e737a5361eff25a154296b9f909_
1⤵
- Writes memory of remote process
- Loads a kernel module
- Creates/modifies Cron job
PID:2534
- /bin/sed
  sed -i "/\\/etc\\/cron.hourly\\/gcc4.sh/d" /etc/crontab
  2⤵
  - Reads runtime system information
  PID:2542
- /bin/systemctl
  systemctl daemon-reload
  2⤵
  - Reads runtime system information
  PID:2556

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Cron

T1053.003

Persistence

Scheduled Task/Job

T1053

Cron

T1053.003

Privilege Escalation

Scheduled Task/Job

T1053

Cron

T1053.003

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

/etc/cron.hourly/gcc4.sh

Filesize
149B

MD5
4bc702c21d7b2bbb32638e37ec6c3943

SHA1
6b097d447b57c10f10f67ccd5efac4e4d39ddd38

SHA256
f702b3fd1837f30a23c74d5605e0c9cf79a480b942ef7d3bb9f79d448101a8b3

SHA512
19523b3e006eaa41a22a6af5ad1d0b23adf7eb5c653e367229b2d6bf69066a7630d637ae4131e5ae98e63434b00f6af5bef4ece54d7ad66d5c92b8f549f5b3f8

Download Submit
/etc/crontab

Filesize
1KB

MD5
d7bd8be873656590bcd306cb9560d50a

SHA1
cf3dc20140d87c4e1618174601ccb0c8e4c11aca

SHA256
3b2b5851a245091f7c26f611b476d72052f838a1078a3f7dd38f679a33b64457

SHA512
0e477701b43ffc8068b0ffc95ef105cdc09e6c856af4535287617e0e27f933d7f3cdbb9b6d95d156a05e554e37f734b40c72c2d709892838a7e8f95b5fe3b208

Download Submit
/etc/init.d/ab345e737a5361eff25a154296b9f909_

Filesize
430B

MD5
3041447d4c38778d2249b6a1edda7eab

SHA1
540cb065a6a86fb0a78aafc2818bc948993f7d20

SHA256
9157f10719826a76b79d33d2a3962540e1274114cdb6e79fcb8a391b4a5289be

SHA512
bb8d13e798e37a37462966ef5b9a20f714be33a48b0ca332e1befe7048ec13aa207d51189bf957e99e84d0adae4c6782044a5e068a7c80755abf7b4d91edb220

Download Submit
/etc/sedwekv1i

Filesize
1KB

MD5
85f7ff2020ac8c72212f076ddf33c0be

SHA1
df06ddd9c29e8da5cff1aa356e9529336573422f

SHA256
ffb48ad57868ed639fad049d11ef4b9bcdd3d2d3e556754ce69b4d6b016969a3

SHA512
d7e2d6116adbe768dd078b490575f7757c0e98859a96d280756446bd7e6bf46e24381b0cf86bf5ae3eb4e15bb3743a34cf910f30dd27888de4c5d12bc0a7ea00

Download Submit
/run/gcc4.pid

Filesize
32B

MD5
4a48107543eb726dbcdc465e47b01d28

SHA1
6702c7cb9a23c732b3fa07959fd2fc6de07a1de5

SHA256
8899bfe09ac1c4ab161185c3f0be2f33639b5ef8241333523e77ce49860b0156

SHA512
6f1dffdb8b2207412d1479839f79d10ab4fc1960e6a30933c178d16bf14876306701ed4e41d2231d77f1bcc74d6ccdf112e77da7e87de9dd67075232ececa18b

Download Submit
/usr/bin/ahvzvszibv

Filesize
596KB

MD5
16d13d554129284e86e5ab9cbc4d4a10

SHA1
c7911d2fb3794108aeae409d3526c64da0e8334a

SHA256
dbe4209a38bf336f80bec126954c3dc2865109ba43dcf870edb5851c5a5df7ba

SHA512
3df46b45414ec5dfb94aa7a454ea8a06c6ebe83e6eaa9d54b752a567e7f70c9c5339cfe95cb54d4c2a03beb642ea84c5e85785cb480506a16d87df6f9dfacc9c

Download Submit
/usr/bin/bgalykfteu

Filesize
596KB

MD5
0e0a980b8d07e43183916300175b4c16

SHA1
465e60151f87fd8934551176664c85949b1663ff

SHA256
fc67f6d587def1b2cdb9582b2f5471b48a6bcf9eb7f301134f7f8f6d61d2bf78

SHA512
e66fa12e386297674de1ec7d7b419bb65e2ee2263fb18689b670e1ad9a7dcd9c82334677275aa86d567f7e1fe0e67705fbbeb74fd44863d1c57ebae31aedcb1b

Download Submit
/usr/bin/dftibxpfrp

Filesize
596KB

MD5
e4577d13c7407e4ebfcdc7002f6cd75d

SHA1
e5d2c48a7decaa6f178b5492a614fbb8c54db96d

SHA256
665fa4fecc86c3658c403080bd18263e360c71609c9f52c953c449c3609275dd

SHA512
373d495d479b3574ea4c18ec5ed9cd30327488b3778ab1ba5435df1b352ae72dbb2721dac19856723c27d68d732cc2c6dbb2d3c49782d8ef25653d84e6942720

Download Submit
/usr/bin/dwtsjpesuk

Filesize
596KB

MD5
586e0a3bbf8cf1977e5eca0ee65c117e

SHA1
85332509c4601a97076daf38a3830262584067fe

SHA256
9670dae74ba5213fe09402509194f2a29f70ed4877bec89fb45f112e3087f40c

SHA512
105b5db3990342ecc54052be3425f55346abe41ad2c133265080d840c55d072b613d7055bede6662e50f45afa6afb0012245b4bcab3efb5bf25b892c6359a742

Download Submit
/usr/bin/hofsnomulp

Filesize
596KB

MD5
56e6df051ddb341a956a94f31fd33584

SHA1
b2d7b27bf28218508ef7c9055960cde1af458cff

SHA256
f6a173d0a40d266d0decec1880daa5e5f1a520b71759afe9a4a92b359e633090

SHA512
e6fa1addb8ff3a8a76c8b9b58e97afbc19c0be41d8060075695797bd99b39e65a557d2e511291ae461a6b39750c80b361f400865adad7f62536a59e8c3ead17d

Download Submit
/usr/bin/htizycyacz

Filesize
596KB

MD5
7c61c954dd1d906ab65976c94aa9b3e3

SHA1
c22b8a3532e1ebe31e447b2eb1772643c6bc9926

SHA256
b82c3bbf07f651f99181280453681e618b49da6f10d27d6f71c1f5c89fd8a199

SHA512
36dfe8bfa93e8ab30e47fb61148f4b1237208fb22501e215a45e1712fa0cb55832c1729b5f9dcc6cea693b63050b90c0c4f94939c80667495ee930be325ba130

Download Submit
/usr/bin/jaoqxprinh

Filesize
596KB

MD5
072074bdf7612b27f13d89871acaee62

SHA1
2e75cb1dc76d050cc190bf7396fb30ccd9738f75

SHA256
53b051d25a995121ed0b2cc50705818f9023d08bfd9ada2345755e2835025887

SHA512
ed732dc3222ad127b10899890aa035be5a996132f17fe482a065daddf9c99f3f370ef6d8feae1bbc6ec630b9e76181100f77802eadf53e1e49ecb6751b5ff9d7

Download Submit
/usr/bin/kxihbeesvy

Filesize
596KB

MD5
e82d0bf249f0d91fd592949f3888a5d3

SHA1
71ad950429c6ba751a810f228b2f95aca46d3ff5

SHA256
a45cc0a52e680075f28d8a46d6f802af17228b38e03c95f4d73f0207426e97c1

SHA512
6c2a1a84f63d7bb9099a843bee11958c46d829a67e988e8a3e907da87f527608638ba3a10d416fbd3f325db6fb2664d591103c2c02cf313891c5d7a2df50da35

Download Submit
/usr/bin/lxsccgplpq

Filesize
596KB

MD5
c35c8a2b3c0e356be7be938fd96fc1bb

SHA1
8593ed605f220219944091c73ca53442e5babaf3

SHA256
df9083fc668837b756d79f525183bb4514e407cd34c3e557a5dda6fa3c3b9bf4

SHA512
0c6b2a666e4d53b205e999a1f01abcf8aeb91b22fbb89745ca75a9456deba3400dd7dc892bbe147804f2f25db17bc005f6d150573863e90ab69fb941890cbe00

Download Submit
/usr/bin/npkqbnondq

Filesize
596KB

MD5
fdfec115ef97c7c31aae288159a62fba

SHA1
e446a6f61f9dfeda6f8314b2d9e8947e4346b56f

SHA256
17ac4a2aa8da7f2d20d81ea8c5518f80279971a51b8c15601ed6cd3b99390ed9

SHA512
a0968475119135aa3244c0d87936ff7acf6be9a4d915b6f39721e8a9c95ef23dfa71121b902e13a8fb8b25f903ff281dd8cda788acfed7b43b029cd22ae2d763

Download Submit
/usr/bin/oxaxxpkmrj

Filesize
596KB

MD5
ff815c8eae12cdbd0ed603791c881d14

SHA1
322ae03792155d04c81583ffbfeb0c6929135102

SHA256
44f96631e9775adcb5e11eac2965b2d4573b176dda5aff353b9ab6580f3948ad

SHA512
7bdce1cf78eee77885ef86ac473b449f90ae2071017512a43462cfcc121b39e46327689e896de8444ad282b41255e184411c843ee09a3cb72bc2ad0e9f11b894

Download Submit
/usr/bin/zoribiwthu

Filesize
596KB

MD5
e951423c614e0fd30db5c2afbf129835

SHA1
733472248337c6181d8e823104006371ad6d6f3c

SHA256
d174b3f83d1757571000bad0834eefb49039166098201b8dba438321a8c7f948

SHA512
b41b2cdf94aa1a5e33089eb5cbfbdbd4ec8937fe6204fc9960dff5c214919f6f8bc9a7ce763af278ac83adac4f401e9c5c16cf40ed3b4262cd894ef2f1abf749

Download Submit
/usr/lib/libudev4.so

Filesize
596KB

MD5
87f51da6ac1c718aab74c39bb32ba7de

SHA1
37b5749ff70ae8fcbb26a5bb7e99363432e1c368

SHA256
84ab5a1714d831d74bbc16ece2083bf01b9d1f4c2e2196ae96347e36e56ee640

SHA512
373821064abb6038b258e3680fe50f45816061f62c40c7deb4718c42a86dacf7fccaa6eb4c01ae26e4f3fd1aa50cc4632cefa0082334ccec9e97a99d42837b0d

Download Submit

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads