Analysis

  • max time kernel
    44s
  • max time network
    106s
  • platform
    ubuntu-18.04_amd64
  • resource
    ubuntu1804-amd64-20231215-en
  • resource tags

    arch:amd64, arch:i386, image:ubuntu1804-amd64-20231215-en, kernel:4.15.0-213-generic, locale:en-us, os:ubuntu-18.04-amd64, system
  • submitted
    19-12-2023 22:52

General

  • Target

    2fd1d1a39b6c6a58fb55967d3c23dfac

  • Size

    544KB

  • MD5

    2fd1d1a39b6c6a58fb55967d3c23dfac

  • SHA1

    9aafe38a1eb05565479bf6cf30ea32b4ef51bbeb

  • SHA256

    47bf33fd353be8b334f188c839dac4a6a1b71fe220a1c98122628cc5fddabe3d

  • SHA512

    99063a0f2cbf0473821ee0bc242f6edfc676f4e7b9ea61f7a1a9c84c5df30a6b42afb8a3e8e8e2c8380bfe98b261dc5100710e793a7162ce5eb17fc02770948b

  • SSDEEP

    12288:JbinNy0Y1nvEtXBx6DkkJmAGyPexU279WnjVZ6ySWK:1iNy0evmxvkJmApPexUm9cVE

Malware Config

Extracted

Family

xorddos

C2

topbannersun.com:8623

wowapplecar.com:8623

Attributes
  • crc_polynomial

    CDB88320

xor.plain

Signatures

  • XorDDoS

    Botnet and downloader malware targeting Linux-based operating systems and IoT devices.

  • XorDDoS payload 3 IoCs
  • Deletes itself 32 IoCs
  • Executes dropped EXE 33 IoCs
  • Creates/modifies Cron job 1 TTPs 1 IoCs

    Cron allows running tasks on a schedule, and is commonly used for malware persistence.

  • Modifies init.d 1 TTPs 1 IoCs

    Adds/modifies system service, likely for persistence.

  • Writes file to system bin folder 1 TTPs 36 IoCs
  • Writes file to shm directory 2 IoCs

    Malware can drop malicious files in the shm directory which will run directly from RAM.

Processes

  • /tmp/2fd1d1a39b6c6a58fb55967d3c23dfac
    /tmp/2fd1d1a39b6c6a58fb55967d3c23dfac
    1⤵
      PID:1578
    • /bin/nyjaphfbv
      /bin/nyjaphfbv
      1⤵
      • Executes dropped EXE
      PID:1582
    • /bin/pelhck
      /bin/pelhck -d 1583
      1⤵
      • Executes dropped EXE
      PID:1591
    • /bin/gsojwkiqxo
      /bin/gsojwkiqxo -d 1583
      1⤵
      • Executes dropped EXE
      PID:1594
    • /bin/qxutaqouezsguu
      /bin/qxutaqouezsguu -d 1583
      1⤵
      • Executes dropped EXE
      PID:1597
    • /bin/pmmjovd
      /bin/pmmjovd -d 1583
      1⤵
      • Executes dropped EXE
      PID:1600
    • /bin/eanoskdg
      /bin/eanoskdg -d 1583
      1⤵
      • Executes dropped EXE
      PID:1603
    • /bin/phtjuypidjnm
      /bin/phtjuypidjnm -d 1583
      1⤵
      • Executes dropped EXE
      PID:1606
    • /bin/jkppcrmqhwmzm
      /bin/jkppcrmqhwmzm -d 1583
      1⤵
      • Executes dropped EXE
      PID:1609
    • /bin/yrsfkdbk
      /bin/yrsfkdbk -d 1583
      1⤵
      • Executes dropped EXE
      PID:1612
    • /bin/jqeycpjzyupq
      /bin/jqeycpjzyupq -d 1583
      1⤵
      • Executes dropped EXE
      PID:1615
    • /bin/icopyapmfpfzur
      /bin/icopyapmfpfzur -d 1583
      1⤵
      • Executes dropped EXE
      PID:1618
    • /bin/knlivnxmozdc
      /bin/knlivnxmozdc -d 1583
      1⤵
      • Executes dropped EXE
      PID:1621
    • /bin/mbnjfm
      /bin/mbnjfm -d 1583
      1⤵
      • Executes dropped EXE
      PID:1624
    • /bin/zrwynkwiulv
      /bin/zrwynkwiulv -d 1583
      1⤵
      • Executes dropped EXE
      PID:1627
    • /bin/gjduzfydm
      /bin/gjduzfydm -d 1583
      1⤵
      • Executes dropped EXE
      PID:1630
    • /bin/nufrhqwviw
      /bin/nufrhqwviw -d 1583
      1⤵
      • Executes dropped EXE
      PID:1633
    • /bin/mrnxursovj
      /bin/mrnxursovj -d 1583
      1⤵
      • Executes dropped EXE
      PID:1636
    • /bin/xsbulaegkep
      /bin/xsbulaegkep -d 1583
      1⤵
      • Executes dropped EXE
      PID:1639
    • /bin/ahnxcnl
      /bin/ahnxcnl -d 1583
      1⤵
      • Executes dropped EXE
      PID:1642
    • /bin/aiqtbeomwk
      /bin/aiqtbeomwk -d 1583
      1⤵
      • Executes dropped EXE
      PID:1645
    • /bin/tffnqhrytvp
      /bin/tffnqhrytvp -d 1583
      1⤵
      • Executes dropped EXE
      PID:1648
    • /bin/yxwpflabqzaoo
      /bin/yxwpflabqzaoo -d 1583
      1⤵
      • Executes dropped EXE
      PID:1651
    • /bin/trtjdhnkvtglp
      /bin/trtjdhnkvtglp -d 1583
      1⤵
      • Executes dropped EXE
      PID:1654
    • /bin/wpfxmcmupov
      /bin/wpfxmcmupov -d 1583
      1⤵
      • Executes dropped EXE
      PID:1657
    • /bin/oyuctqwozbvpl
      /bin/oyuctqwozbvpl -d 1583
      1⤵
      • Executes dropped EXE
      PID:1660
    • /bin/iuezidqqad
      /bin/iuezidqqad -d 1583
      1⤵
      • Executes dropped EXE
      PID:1663
    • /bin/cgxwuygyv
      /bin/cgxwuygyv -d 1583
      1⤵
      • Executes dropped EXE
      PID:1668
    • /bin/rpjmhnfntzqnjl
      /bin/rpjmhnfntzqnjl -d 1583
      1⤵
      • Executes dropped EXE
      PID:1671
    • /bin/lmwysqcaqzu
      /bin/lmwysqcaqzu -d 1583
      1⤵
      • Executes dropped EXE
      PID:1674
    • /bin/huleldqxkfexag
      /bin/huleldqxkfexag -d 1583
      1⤵
      • Executes dropped EXE
      PID:1677
    • /bin/opagdocdiu
      /bin/opagdocdiu -d 1583
      1⤵
      • Executes dropped EXE
      PID:1680
    • /bin/sloxuzg
      /bin/sloxuzg -d 1583
      1⤵
      • Executes dropped EXE
      PID:1683
    • /bin/ctxopiebsfvg
      /bin/ctxopiebsfvg -d 1583
      1⤵
      • Executes dropped EXE
      PID:1686

    Network

    MITRE ATT&CK Enterprise v15


    Downloads

    • /bin/mrnxursovj

      Filesize

      11KB

      MD5

      05be3669b442dbf40bf408e205a2a394

      SHA1

      2c1890905f7a0eab5f4ce344852aabb47e85a1b0

      SHA256

      461cbbd14eb44bef5fa1c7c95f19a138785248131b2e9f86c782981aa7b756cd

      SHA512

      15cc1c8af0394a333af9ef0a37ba4b0af262a04453333657a83f99750100c509ab0c08089f459ba601f25d6fa03c00eded79f8ffa5e28f0a6d52f3f095bf5227

    • /bin/nyjaphfbv

      Filesize

      544KB

      MD5

      41ac9d1c41012a7a3476587b90a42d11

      SHA1

      d1bf6fab59e70b1fa13c20df8ce361ad06c33d3f

      SHA256

      1b5bc50aaf97e358e38ba65361e4f2fc16b478062c16f993324b03556271c8cc

      SHA512

      8fea501c9aaacfa4bb2ee6bd4a36f748829931f6f9458a4b17ebf3ee2f37ca256391bb65e157e182bdd9c301b5441b9d03669eb6932b2a240edfdd2da9f1e324

    • /bin/phtjuypidjnm

      Filesize

      4KB

      MD5

      891d36250593c95fd64c327de4ad19a7

      SHA1

      ae12a62838acd9c6b14342967976f08b35fd9a8c

      SHA256

      e0d871252ee8862bd57e1fef9fe0a15856c98a69b53cfd2f28202d51a06f1f13

      SHA512

      b60625095a8663f1dfe61030ac7c5e19aaa378be6823fee0e43696685c56fd960e25be85a97ec820f0f288ec88434c9b0bd76d938530ed6a892ede2d619460c0

    • /etc/cron.hourly/vbfhpajyn.sh

      Filesize

      146B

      MD5

      55e4e5a9f8a3d135d402070838cd32e1

      SHA1

      f0a45c02ee08ba71443649bdd2fe3c5525a38075

      SHA256

      55cd0c15284f4c408793094c44d643061ca3e165e20e2992fcfa3ba23d3b1405

      SHA512

      6eee5facd8553ec05e6dde3f4c547bbc2b82a0cf5fbf4c39b2b134d01a6b12f0b0ee22aa46eb7b9a9340a40ebb26323c131db5fc0e3ad99e9ecedc8438d34b42

    • /etc/daemon.cfg

      Filesize

      32B

      MD5

      9286daf2b02ba0c2498e97dd5efb30af

      SHA1

      0c397f004c49d45b4c140f911d743e30d0fc92b7

      SHA256

      46736cf26dfa24e654f3e88300baf0044f39609d5c115b68c2ae12a34348d9c3

      SHA512

      ea60cd329be0b24d9372be5ae9e2822869d9620f3e73b17d3f44909e6fb4a4b480efd29ab2eb68f9dd78e3524a15e9bf97a1ce1bbc6bcaa7f33cb151f42c4ce9

    • /etc/init.d/vbfhpajyn

      Filesize

      333B

      MD5

      4a22df3800d3191732d28993719853f0

      SHA1

      eb554a7ed22db80cfd6c1b0257f9b37c1738cf3e

      SHA256

      bf41565f690a64a8890e4f2307112d707dce5ad5bb9b00341842a97d98d89e00

      SHA512

      c7998f87e7e7fa388e5da9cd638fd3721c67ff6e83ac8cfc713820ad9287cf4b4b41e6d89ede11f4a57d4cdcc389643897db0ff07427cc959ae2e5f738f63003