Overview

overview

10

Static

static

10

ea40ecec0b...abea73

ubuntu-18.04-amd64

10

Analysis

  • max time kernel
    39s
  • max time network
    40s
  • platform
    linux_amd64
  • resource
    ubuntu1804-amd64-en-20211208
  • resource tags

    arch:amd64arch:i386image:ubuntu1804-amd64-en-20211208kernel:4.15.0-161-genericlocale:en-usos:ubuntu-18.04-amd64system
  • submitted
    28/08/2023, 19:28

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    ea40ecec0b30982fbb1662e67f97f0e9d6f43d2d587f2f588525fae683abea73

  • Size

    549KB

  • MD5

    f9191bab1e834d4aef3380700639cee9

  • SHA1

    9c20269df6694260a24ac783de2e30d627a6928a

  • SHA256

    ea40ecec0b30982fbb1662e67f97f0e9d6f43d2d587f2f588525fae683abea73

  • SHA512

    3d2758fe2d06183e627b5cc24919c08c84108f2efd7ab0a162029d55537476410d9535d50f3eb059f7153f7482c134284862eea121201f82838aace4b12283b5

  • SSDEEP

    12288:VeRvuKqiVZ4En5drNK0pPEfJKlHZ8mG97Qxee6yzmx:VIv/qiVNHNDEfJKHZ8mG9QeeO

Score
10/10
xorddosbotnetdownloaderpersistence

Malware Config

Extracted

Family

xorddos

C2

api.markerbio.com:112

api.enoan2107.com:112

http://qq.com/lib.asp
Attributes
  • crc_polynomial

    CDB88320

xor.plain

Signatures

  • XorDDoS

    Botnet and downloader malware targeting Linux-based operating systems and IoT devices.

    botnetdownloaderxorddos
  • XorDDoS payload 20 IoCs
  • Deletes itself 22 IoCs
  • Executes dropped EXE 22 IoCs
  • Unexpected DNS network traffic destination 1 IoCs

    Network traffic to other servers than the configured DNS servers was detected on the DNS port.

  • Creates/modifies Cron job 1 TTPs 1 IoCs

    Cron allows running tasks on a schedule, and is commonly used for malware persistence.

    persistence
  • Enumerates active TCP sockets 1 TTPs 1 IoCs

    Gets active TCP sockets from /proc virtual filesystem.

  • Enumerates running processes

    Discovers information about currently running processes on the system

  • Modifies init.d 1 TTPs 1 IoCs

    Adds/modifies system service, likely for persistence.

    persistence
  • Writes file to system bin folder 1 TTPs 21 IoCs
  • Reads system network configuration 1 TTPs 1 IoCs

    Uses contents of /proc filesystem to enumerate network settings.

  • Reads runtime system information 41 IoCs

    Reads data from /proc virtual filesystem.

  • Writes file to shm directory 2 IoCs

    Malware can drop malicious files in the shm directory which will run directly from RAM.

Processes

  • /tmp/ea40ecec0b30982fbb1662e67f97f0e9d6f43d2d587f2f588525fae683abea73
    /tmp/ea40ecec0b30982fbb1662e67f97f0e9d6f43d2d587f2f588525fae683abea73
    1⤵
      PID:585
    • /bin/qxmlwltjz
      /bin/qxmlwltjz
      1⤵
      • Executes dropped EXE
      PID:589
    • /bin/yyqkcpar
      /bin/yyqkcpar -d 590
      1⤵
      • Executes dropped EXE
      PID:594
    • /bin/zzftzttm
      /bin/zzftzttm -d 590
      1⤵
      • Executes dropped EXE
      PID:601
    • /bin/cqtgdraxh
      /bin/cqtgdraxh -d 590
      1⤵
      • Executes dropped EXE
      PID:604
    • /bin/wuwocdzwjwjlvq
      /bin/wuwocdzwjwjlvq -d 590
      1⤵
      • Executes dropped EXE
      PID:607
    • /bin/xkclgedakgrmd
      /bin/xkclgedakgrmd -d 590
      1⤵
      • Executes dropped EXE
      PID:610
    • /bin/wxjunl
      /bin/wxjunl -d 590
      1⤵
      • Executes dropped EXE
      PID:614
    • /bin/ohjksuijafve
      /bin/ohjksuijafve -d 590
      1⤵
      • Executes dropped EXE
      PID:617
    • /bin/bivdub
      /bin/bivdub -d 590
      1⤵
      • Executes dropped EXE
      PID:620
    • /bin/ggxvcwexlpuzzf
      /bin/ggxvcwexlpuzzf -d 590
      1⤵
      • Executes dropped EXE
      PID:623
    • /bin/rzsaczvgrz
      /bin/rzsaczvgrz -d 590
      1⤵
      • Executes dropped EXE
      PID:626
    • /bin/mclnzutzpxv
      /bin/mclnzutzpxv -d 590
      1⤵
      • Executes dropped EXE
      PID:629
    • /bin/whltikys
      /bin/whltikys -d 590
      1⤵
      • Executes dropped EXE
      PID:632
    • /bin/eskiirx
      /bin/eskiirx -d 590
      1⤵
      • Executes dropped EXE
      PID:644
    • /bin/agkigiodfclub
      /bin/agkigiodfclub -d 590
      1⤵
      • Executes dropped EXE
      PID:647
    • /bin/kreavluksbc
      /bin/kreavluksbc -d 590
      1⤵
      • Executes dropped EXE
      PID:650
    • /bin/jlxgzy
      /bin/jlxgzy -d 590
      1⤵
      • Executes dropped EXE
      PID:653
    • /bin/jiuuyxbdkves
      /bin/jiuuyxbdkves -d 590
      1⤵
      • Executes dropped EXE
      PID:656
    • /bin/jbpjcsvzx
      /bin/jbpjcsvzx -d 590
      1⤵
      • Executes dropped EXE
      PID:665
    • /bin/hulsnuz
      /bin/hulsnuz -d 590
      1⤵
      • Executes dropped EXE
      PID:668
    • /bin/xhbgaynbtvqa
      /bin/xhbgaynbtvqa -d 590
      1⤵
      • Executes dropped EXE
      PID:671
    • /bin/idfhvd
      /bin/idfhvd -d 590
      1⤵
      • Executes dropped EXE
      PID:677

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • /bin/ameclckcdb
      Filesize

      549KB

      MD5

      8ea13405f48873a15947c1f1f0f1aeca

      SHA1

      89afe31ec07c54c7b862fb71721de4f7e9f3c6f1

      SHA256

      551bb3ad5a425e5b6aebea782b3bab8974e9c645f05c138ec094f4e0feb42505

      SHA512

      ae399f34109952847f2c657307559c8e31e68a57fca49b36aebcd704ed05c03fb4b22b5d55f606045987e67b129fb928353128436111ae52d0921aea91dd2c94

      Download Submit

    • /bin/bivdub
      Filesize

      549KB

      MD5

      8ea13405f48873a15947c1f1f0f1aeca

      SHA1

      89afe31ec07c54c7b862fb71721de4f7e9f3c6f1

      SHA256

      551bb3ad5a425e5b6aebea782b3bab8974e9c645f05c138ec094f4e0feb42505

      SHA512

      ae399f34109952847f2c657307559c8e31e68a57fca49b36aebcd704ed05c03fb4b22b5d55f606045987e67b129fb928353128436111ae52d0921aea91dd2c94

      Download Submit

    • /bin/cqtgdraxh
      Filesize

      549KB

      MD5

      8ea13405f48873a15947c1f1f0f1aeca

      SHA1

      89afe31ec07c54c7b862fb71721de4f7e9f3c6f1

      SHA256

      551bb3ad5a425e5b6aebea782b3bab8974e9c645f05c138ec094f4e0feb42505

      SHA512

      ae399f34109952847f2c657307559c8e31e68a57fca49b36aebcd704ed05c03fb4b22b5d55f606045987e67b129fb928353128436111ae52d0921aea91dd2c94

      Download Submit

    • /bin/ggxvcwexlpuzzf
      Filesize

      549KB

      MD5

      8ea13405f48873a15947c1f1f0f1aeca

      SHA1

      89afe31ec07c54c7b862fb71721de4f7e9f3c6f1

      SHA256

      551bb3ad5a425e5b6aebea782b3bab8974e9c645f05c138ec094f4e0feb42505

      SHA512

      ae399f34109952847f2c657307559c8e31e68a57fca49b36aebcd704ed05c03fb4b22b5d55f606045987e67b129fb928353128436111ae52d0921aea91dd2c94

      Download Submit

    • /bin/jiuuyxbdkves
      Filesize

      549KB

      MD5

      8ea13405f48873a15947c1f1f0f1aeca

      SHA1

      89afe31ec07c54c7b862fb71721de4f7e9f3c6f1

      SHA256

      551bb3ad5a425e5b6aebea782b3bab8974e9c645f05c138ec094f4e0feb42505

      SHA512

      ae399f34109952847f2c657307559c8e31e68a57fca49b36aebcd704ed05c03fb4b22b5d55f606045987e67b129fb928353128436111ae52d0921aea91dd2c94

      Download Submit

    • /bin/jlxgzy
      Filesize

      549KB

      MD5

      8ea13405f48873a15947c1f1f0f1aeca

      SHA1

      89afe31ec07c54c7b862fb71721de4f7e9f3c6f1

      SHA256

      551bb3ad5a425e5b6aebea782b3bab8974e9c645f05c138ec094f4e0feb42505

      SHA512

      ae399f34109952847f2c657307559c8e31e68a57fca49b36aebcd704ed05c03fb4b22b5d55f606045987e67b129fb928353128436111ae52d0921aea91dd2c94

      Download Submit

    • /bin/kreavluksbc
      Filesize

      549KB

      MD5

      8ea13405f48873a15947c1f1f0f1aeca

      SHA1

      89afe31ec07c54c7b862fb71721de4f7e9f3c6f1

      SHA256

      551bb3ad5a425e5b6aebea782b3bab8974e9c645f05c138ec094f4e0feb42505

      SHA512

      ae399f34109952847f2c657307559c8e31e68a57fca49b36aebcd704ed05c03fb4b22b5d55f606045987e67b129fb928353128436111ae52d0921aea91dd2c94

      Download Submit

    • /bin/mclnzutzpxv
      Filesize

      549KB

      MD5

      8ea13405f48873a15947c1f1f0f1aeca

      SHA1

      89afe31ec07c54c7b862fb71721de4f7e9f3c6f1

      SHA256

      551bb3ad5a425e5b6aebea782b3bab8974e9c645f05c138ec094f4e0feb42505

      SHA512

      ae399f34109952847f2c657307559c8e31e68a57fca49b36aebcd704ed05c03fb4b22b5d55f606045987e67b129fb928353128436111ae52d0921aea91dd2c94

      Download Submit

    • /bin/ohjksuijafve
      Filesize

      549KB

      MD5

      8ea13405f48873a15947c1f1f0f1aeca

      SHA1

      89afe31ec07c54c7b862fb71721de4f7e9f3c6f1

      SHA256

      551bb3ad5a425e5b6aebea782b3bab8974e9c645f05c138ec094f4e0feb42505

      SHA512

      ae399f34109952847f2c657307559c8e31e68a57fca49b36aebcd704ed05c03fb4b22b5d55f606045987e67b129fb928353128436111ae52d0921aea91dd2c94

      Download Submit

    • /bin/qxmlwltjz
      Filesize

      549KB

      MD5

      8ea13405f48873a15947c1f1f0f1aeca

      SHA1

      89afe31ec07c54c7b862fb71721de4f7e9f3c6f1

      SHA256

      551bb3ad5a425e5b6aebea782b3bab8974e9c645f05c138ec094f4e0feb42505

      SHA512

      ae399f34109952847f2c657307559c8e31e68a57fca49b36aebcd704ed05c03fb4b22b5d55f606045987e67b129fb928353128436111ae52d0921aea91dd2c94

      Download Submit

    • /bin/rzsaczvgrz
      Filesize

      549KB

      MD5

      8ea13405f48873a15947c1f1f0f1aeca

      SHA1

      89afe31ec07c54c7b862fb71721de4f7e9f3c6f1

      SHA256

      551bb3ad5a425e5b6aebea782b3bab8974e9c645f05c138ec094f4e0feb42505

      SHA512

      ae399f34109952847f2c657307559c8e31e68a57fca49b36aebcd704ed05c03fb4b22b5d55f606045987e67b129fb928353128436111ae52d0921aea91dd2c94

      Download Submit

    • /bin/whltikys
      Filesize

      549KB

      MD5

      8ea13405f48873a15947c1f1f0f1aeca

      SHA1

      89afe31ec07c54c7b862fb71721de4f7e9f3c6f1

      SHA256

      551bb3ad5a425e5b6aebea782b3bab8974e9c645f05c138ec094f4e0feb42505

      SHA512

      ae399f34109952847f2c657307559c8e31e68a57fca49b36aebcd704ed05c03fb4b22b5d55f606045987e67b129fb928353128436111ae52d0921aea91dd2c94

      Download Submit

    • /bin/wlquarqwhqi
      Filesize

      549KB

      MD5

      8ea13405f48873a15947c1f1f0f1aeca

      SHA1

      89afe31ec07c54c7b862fb71721de4f7e9f3c6f1

      SHA256

      551bb3ad5a425e5b6aebea782b3bab8974e9c645f05c138ec094f4e0feb42505

      SHA512

      ae399f34109952847f2c657307559c8e31e68a57fca49b36aebcd704ed05c03fb4b22b5d55f606045987e67b129fb928353128436111ae52d0921aea91dd2c94

      Download Submit

    • /bin/wuwocdzwjwjlvq
      Filesize

      549KB

      MD5

      8ea13405f48873a15947c1f1f0f1aeca

      SHA1

      89afe31ec07c54c7b862fb71721de4f7e9f3c6f1

      SHA256

      551bb3ad5a425e5b6aebea782b3bab8974e9c645f05c138ec094f4e0feb42505

      SHA512

      ae399f34109952847f2c657307559c8e31e68a57fca49b36aebcd704ed05c03fb4b22b5d55f606045987e67b129fb928353128436111ae52d0921aea91dd2c94

      Download Submit

    • /bin/wxjunl
      Filesize

      549KB

      MD5

      8ea13405f48873a15947c1f1f0f1aeca

      SHA1

      89afe31ec07c54c7b862fb71721de4f7e9f3c6f1

      SHA256

      551bb3ad5a425e5b6aebea782b3bab8974e9c645f05c138ec094f4e0feb42505

      SHA512

      ae399f34109952847f2c657307559c8e31e68a57fca49b36aebcd704ed05c03fb4b22b5d55f606045987e67b129fb928353128436111ae52d0921aea91dd2c94

      Download Submit

    • /bin/xhbgaynbtvqa
      Filesize

      549KB

      MD5

      8ea13405f48873a15947c1f1f0f1aeca

      SHA1

      89afe31ec07c54c7b862fb71721de4f7e9f3c6f1

      SHA256

      551bb3ad5a425e5b6aebea782b3bab8974e9c645f05c138ec094f4e0feb42505

      SHA512

      ae399f34109952847f2c657307559c8e31e68a57fca49b36aebcd704ed05c03fb4b22b5d55f606045987e67b129fb928353128436111ae52d0921aea91dd2c94

      Download Submit

    • /bin/xkclgedakgrmd
      Filesize

      549KB

      MD5

      8ea13405f48873a15947c1f1f0f1aeca

      SHA1

      89afe31ec07c54c7b862fb71721de4f7e9f3c6f1

      SHA256

      551bb3ad5a425e5b6aebea782b3bab8974e9c645f05c138ec094f4e0feb42505

      SHA512

      ae399f34109952847f2c657307559c8e31e68a57fca49b36aebcd704ed05c03fb4b22b5d55f606045987e67b129fb928353128436111ae52d0921aea91dd2c94

      Download Submit

    • /bin/yyqkcpar
      Filesize

      549KB

      MD5

      8ea13405f48873a15947c1f1f0f1aeca

      SHA1

      89afe31ec07c54c7b862fb71721de4f7e9f3c6f1

      SHA256

      551bb3ad5a425e5b6aebea782b3bab8974e9c645f05c138ec094f4e0feb42505

      SHA512

      ae399f34109952847f2c657307559c8e31e68a57fca49b36aebcd704ed05c03fb4b22b5d55f606045987e67b129fb928353128436111ae52d0921aea91dd2c94

      Download Submit

    • /bin/zjtlwlmxq
      Filesize

      549KB

      MD5

      8ea13405f48873a15947c1f1f0f1aeca

      SHA1

      89afe31ec07c54c7b862fb71721de4f7e9f3c6f1

      SHA256

      551bb3ad5a425e5b6aebea782b3bab8974e9c645f05c138ec094f4e0feb42505

      SHA512

      ae399f34109952847f2c657307559c8e31e68a57fca49b36aebcd704ed05c03fb4b22b5d55f606045987e67b129fb928353128436111ae52d0921aea91dd2c94

      Download Submit

    • /bin/zzftzttm
      Filesize

      549KB

      MD5

      8ea13405f48873a15947c1f1f0f1aeca

      SHA1

      89afe31ec07c54c7b862fb71721de4f7e9f3c6f1

      SHA256

      551bb3ad5a425e5b6aebea782b3bab8974e9c645f05c138ec094f4e0feb42505

      SHA512

      ae399f34109952847f2c657307559c8e31e68a57fca49b36aebcd704ed05c03fb4b22b5d55f606045987e67b129fb928353128436111ae52d0921aea91dd2c94

      Download Submit

    • /dev/shm/sem.5xn3ao
      Filesize

      16B

      MD5

      076933ff9904d1110d896e2c525e39e5

      SHA1

      4188442577fa77f25820d9b2d01cc446e30684ac

      SHA256

      4cbbd8ca5215b8d161aec181a74b694f4e24b001d5b081dc0030ed797a8973e0

      SHA512

      6fcee9a7b7a7b821d241c03c82377928bc6882e7a08c78a4221199bfa220cdc55212273018ee613317c8293bb8d1ce08d1e017508e94e06ab85a734c99c7cc34

      Download Submit

    • /etc/cron.hourly/zjtlwlmxq.sh
      Filesize

      146B

      MD5

      29812b2e4a51de67f8e2be7dbafd50c9

      SHA1

      cb63797d7e86b851912a6b7beddcb04f083943da

      SHA256

      43905e2ab0a99c994df0ad584904101346040860df961c98fca804d6a03ac1c7

      SHA512

      f8b1c27c433cc624aacd0c030b402679445227ed0283d54c9577054ab0b580503c82f8b45be953364f65235019a02564e2f709c58895ab0f6d94cf505dcb3c20

      Download Submit

    • /etc/daemon.cfg
      Filesize

      32B

      MD5

      c768e9237d59c233de95c344a6717f3b

      SHA1

      6e8dae949fbece288c1c77a0622faf0c17ae7702

      SHA256

      49a5d13488cce1b81592891323b3c3ac292245bf55a973c1ebfb98e884e68e52

      SHA512

      92d085d3ad77d03796987c2ba54af3fc49fa702a89ffac1eeff6530c858708a44944e818dbb01d3da7a42174183b264a391ad115c603902d522e1385b538b606

      Download Submit

    • /etc/init.d/zjtlwlmxq
      Filesize

      333B

      MD5

      256cbad7a7120f91a8ce0806f4eff281

      SHA1

      1d381e2e97c43fb998b5b17264e52d6fe5032271

      SHA256

      bfb42b7bf407a14b91a91d7cd3232dfb835228cc032688708d4dc97f7fc5ebdd

      SHA512

      f18108acf0e0a786b892aa4d2a01045a3233f9618c002feaaa610f311c1ed345f54f7b7df375820c795ce9f2103f44d65d515fa7a372f63b3cf04404779a765b

      Download Submit