Analysis
max time kernel: 155s
max time network: 158s
platform: ubuntu-18.04_amd64
resource: ubuntu1804-amd64-20231215-en
resource tags: arch:amd64, arch:i386, image:ubuntu1804-amd64-20231215-en, kernel:4.15.0-213-generic, locale:en-us, os:ubuntu-18.04-amd64, system
submitted: 19-12-2023 22:56
Behavioral task: behavioral1
Sample: 35793cbfd0a4376ea9380ffed9182334
Resource: ubuntu1804-amd64-20231215-en
General
Target: 35793cbfd0a4376ea9380ffed9182334
Size: 535KB
MD5: 35793cbfd0a4376ea9380ffed9182334
SHA1: 31e5d905407966ca953def90eb45df417127cf38
SHA256: 303bb187a06415eedc0c5ece5692fe05b03e286435472d0e4fd4ca9386d9acf4
SHA512: 89fc15518e82cb7c7f97acb433a1881612d404585b5228e4554a3f9e58c3db7e9a057f669d98c11c10cf3dd5e73b48a9ebf2b983319eae709d9751f21dfaaf4a
SSDEEP: 12288:4Ufrcn+vwK5ripVU4tdZ1pNL/pVbz266ySjQn36Eoj:/fUywKQ7Fb1pNL/p52fjQn36Eu
Malware Config
Extracted: xorddos
http://aa.hostasa.org/config.rar
ppp.gggatat456.com:1522
ppp.xxxatat456.com:1522
www1.gggatat456.com:1522
crc_polynomial: EDB88320
Signatures

XorDDoS
Botnet and downloader malware targeting Linux-based operating systems and IoT devices.

XorDDoS payload (9 IoCs)
Processes:
resource                             yara_rule
behavioral1/files/fstream-5.dat      family_xorddos
behavioral1/files/fstream-8.dat      family_xorddos
behavioral1/files/fstream-9.dat      family_xorddos
behavioral1/files/fstream-11.dat     family_xorddos
behavioral1/files/fstream-12.dat     family_xorddos
behavioral1/files/fstream-14.dat     family_xorddos
behavioral1/files/fstream-15.dat     family_xorddos
behavioral1/files/fstream-20.dat     family_xorddos
behavioral1/files/fstream-21.dat     family_xorddos
Deletes itself (1 IoC)
Processes:
pid 1652
Executes dropped EXE (23 IoCs)
Processes:
ioc                    pid    Process
/usr/bin/swtcfohpme    1568   swtcfohpme
/usr/bin/swtcfohpme    1573   swtcfohpme
/usr/bin/swtcfohpme    1594   swtcfohpme
/usr/bin/swtcfohpme    1596   swtcfohpme
/usr/bin/swtcfohpme    1600   swtcfohpme
/usr/bin/xqkzljtawu    1603   xqkzljtawu
/usr/bin/xqkzljtawu    1606   xqkzljtawu
/usr/bin/xqkzljtawu    1609   xqkzljtawu
/usr/bin/xqkzljtawu    1612   xqkzljtawu
/usr/bin/xqkzljtawu    1615   xqkzljtawu
/usr/bin/kqussdqncm    1618   kqussdqncm
/usr/bin/kqussdqncm    1621   kqussdqncm
/usr/bin/kqussdqncm    1624   kqussdqncm
/usr/bin/kqussdqncm    1626   kqussdqncm
/usr/bin/kqussdqncm    1629   kqussdqncm
/usr/bin/hdqtxqoubs    1633   hdqtxqoubs
/usr/bin/hdqtxqoubs    1636   hdqtxqoubs
/usr/bin/hdqtxqoubs    1638   hdqtxqoubs
/usr/bin/hdqtxqoubs    1642   hdqtxqoubs
/usr/bin/hdqtxqoubs    1644   hdqtxqoubs
/usr/bin/ggxprshade    1650   ggxprshade
/usr/bin/ggxprshade    1653   ggxprshade
/usr/bin/ggxprshade    1655   ggxprshade
Checks CPU configuration (1 TTP, 1 IoC)
Checks CPU information which indicates whether the system is a virtual machine.
Processes:
description                  ioc
File opened for reading      /proc/cpuinfo
Creates/modifies Cron job (1 TTP, 2 IoCs)
Cron allows running tasks on a schedule, and is commonly used for malware persistence.
Processes:
description                       ioc                          Process
File opened for modification      /etc/cron.hourly/gcc.sh      sh