xorddos | ea40ecec0b30982fbb1662e67f97f0e9d6f43d2d587f2f588525fae683abea73

Analysis

max time kernel
149s
max time network
151s
platform
ubuntu-24.04_amd64
resource
ubuntu2404-amd64-20250307-en
resource tags

arch:amd64arch:i386image:ubuntu2404-amd64-20250307-enkernel:6.8.0-31-genericlocale:en-usos:ubuntu-24.04-amd64system
submitted
02/04/2025, 19:41

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

112s
Size

549KB
MD5

f9191bab1e834d4aef3380700639cee9
SHA1

9c20269df6694260a24ac783de2e30d627a6928a
SHA256

ea40ecec0b30982fbb1662e67f97f0e9d6f43d2d587f2f588525fae683abea73
SHA512

3d2758fe2d06183e627b5cc24919c08c84108f2efd7ab0a162029d55537476410d9535d50f3eb059f7153f7482c134284862eea121201f82838aace4b12283b5
SSDEEP

12288:VeRvuKqiVZ4En5drNK0pPEfJKlHZ8mG97Qxee6yzmx:VIv/qiVNHNDEfJKHZ8mG9QeeO

Score

10^/10

xorddos botnet downloader rootkit

Malware Config

Extracted

Family

xorddos

api.markerbio.com:112

api.enoan2107.com:112

http://qq.com/lib.asp

Attributes

crc_polynomial
CDB88320

xor.plain

Signatures

XorDDoS
Botnet and downloader malware targeting Linux-based operating systems and IoT devices.
botnet downloader xorddos

XorDDoS payload 1 IoCs

resource	yara_rule
behavioral1/files/fstream-1.dat	family_xorddos

Xorddos family
xorddos

Writes memory of remote process 2 IoCs

pid	Process
2847	112s
2850	112s

Loads a kernel module 64 IoCs

Loads a Linux kernel module, potentially to achieve persistence

rootkit

pid	Process
2847	112s
2852	112s
2855	112s
2857	112s
2862	112s
2865	112s
2869	112s
2871	112s
2853	112s
2853	112s
2854	112s
2876	112s
2878	112s
2881	112s
2884	112s
2887	112s
2853	112s
2854	112s
2853	112s
2896	112s
2903	112s
2908	112s
2911	112s
2914	112s
2853	112s
2854	112s
2854	112s
2853	112s
2924	112s
2926	112s
2930	112s
2932	112s
2935	112s
2853	112s
2853	112s
2939	112s
2941	112s
2944	112s
2947	112s
2950	112s
2853	112s
2853	112s
2954	112s
2956	112s
2959	112s
2962	112s
2965	112s
2853	112s
2853	112s
2969	112s
2972	112s
2974	112s
2977	112s
2980	112s
2853	112s
2853	112s
2987	112s
2990	112s
2992	112s
2995	112s
2998	112s
2853	112s
2853	112s
3002	112s

Unexpected DNS network traffic destination 1 IoCs

Network traffic to other servers than the configured DNS servers was detected on the DNS port.

description	ioc
Destination IP	114.114.114.114

/tmp/112s
/tmp/112s
1⤵
- Writes memory of remote process
- Loads a kernel module
PID:2847

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

/dev/shm/sem.e4EtsD

Filesize
16B

MD5
076933ff9904d1110d896e2c525e39e5

SHA1
4188442577fa77f25820d9b2d01cc446e30684ac

SHA256
4cbbd8ca5215b8d161aec181a74b694f4e24b001d5b081dc0030ed797a8973e0

SHA512
6fcee9a7b7a7b821d241c03c82377928bc6882e7a08c78a4221199bfa220cdc55212273018ee613317c8293bb8d1ce08d1e017508e94e06ab85a734c99c7cc34

Download Submit
/etc/cron.hourly/thkpec.sh

Filesize
155B

MD5
e777121c17823aaedf0e990d505257b8

SHA1
a2599319b2619680a5313402170d2b06aec5633b

SHA256
6985821b756f661d123845c06ce51ba71c65013bcd845293818de048b2c2b381

SHA512
6910fd2b5bd822fdb4a9923c36a3730347811d30baa5bc7850b621d25a9b9bbbc49e3b81204568f448d85ec9ed0c5e5e0023624db9f1fb2a9e080cef8c08730f

Download Submit
/etc/daemon.cfg

Filesize
32B

MD5
94518837d4129cbc9cf799410e2e67e6

SHA1
284bb5c777ddb13781a930367ef15152d1a1346d

SHA256
34dba3ebff55e3329f49fb727f45002c5ca0ef56e8411545a5b5794ed3cb3460

SHA512
b688ac59b25589e15639fd4c1c429daf81c5aa54608b25ec8dd4a0c105f5356f7be3105b0fe5f20941bcc4fa91970c2ba606b31d3af081c63ff80348ecbc6d13

Download Submit
/usr/bin/cepkht

Filesize
549KB

MD5
d9da6cfabacb96b30b83e7b8d1eb15d8

SHA1
19663b20bc707c72021da599a79c22ce8f9ddb38

SHA256
41e577a802a89f80c491419be8e1804809ce9f0b3b9e81fcce3fe5866e52407e

SHA512
ab55a76be85bac2e149b4694cd815c66fe449e4cfe17fec3c3bae3d1afd4310014280e0f642fd6ecd895bf9b00c1fa58da1bbc90aa9aa0db73a06273b88baaaa

Download Submit