Analysis

  • max time kernel
    79s
  • max time network
    141s
  • platform
    ubuntu-18.04_amd64
  • resource
    ubuntu1804-amd64-20231215-en
  • resource tags

    arch:amd64
    arch:i386
    image:ubuntu1804-amd64-20231215-en
    kernel:4.15.0-213-generic
    locale:en-us
    os:ubuntu-18.04-amd64
    system
  • submitted
    20-12-2023 01:58

General

  • Target

    7beb45f0c5ee36d3747d9ab65eb1060e

  • Size

    546KB

  • MD5

    7beb45f0c5ee36d3747d9ab65eb1060e

  • SHA1

    2090ef27619730d7211bd5ee195f2bd896e4b171

  • SHA256

    03dde01384ac22b34f623f25d5c8ea284f8fb58e48a8d58efa4869b97479759e

  • SHA512

    74c2f2b67a5d72c0c449db61693059aba161446bb3acf09e4eade547c5361eae065d9e64d5ffd0fabb054192ccdbbec6a30d9af00ddec3ee6588b36725ee2f88

  • SSDEEP

    12288:D3P1A0+Kvdnd4Asvhc27/ao+PzENGtkZg0/CedRlZRqR6yse:Dfm0+KlZsJc27io2zYGtk20/LdF0+

Malware Config

Extracted

Family

xorddos

C2

topbannersun.com:8623

wowapplecar.com:8623

Attributes
  • crc_polynomial

    CDB88320

  • xor.plain

Signatures

  • XorDDoS

    Botnet and downloader malware targeting Linux-based operating systems and IoT devices.

  • XorDDoS payload 6 IoCs
  • Deletes itself 33 IoCs
  • Executes dropped EXE 34 IoCs
  • Creates/modifies Cron job 1 TTPs 1 IoCs

    Cron allows running tasks on a schedule, and is commonly used for malware persistence.

  • Modifies init.d 1 TTPs 1 IoCs

    Adds/modifies system service, likely for persistence.

  • Writes file to system bin folder 1 TTPs 37 IoCs
  • Writes file to shm directory 2 IoCs

    /dev/shm is a RAM-backed tmpfs mount; malware drops files there so they execute from memory and leave nothing on persistent storage after a reboot.

Processes

  • /tmp/7beb45f0c5ee36d3747d9ab65eb1060e
    /tmp/7beb45f0c5ee36d3747d9ab65eb1060e
    1⤵
      PID:1533
    • /bin/mswhcgig
      /bin/mswhcgig
      1⤵
      • Executes dropped EXE
      PID:1537
    • /bin/ylzjsgtekhtn
      /bin/ylzjsgtekhtn -d 1538
      1⤵
      • Executes dropped EXE
      PID:1542
    • /bin/cpjmfpk
      /bin/cpjmfpk -d 1538
      1⤵
      • Executes dropped EXE
      PID:1548
    • /bin/nrwqll
      /bin/nrwqll -d 1538
      1⤵
      • Executes dropped EXE
      PID:1551
    • /bin/lfghubftfzfyd
      /bin/lfghubftfzfyd -d 1538
      1⤵
      • Executes dropped EXE
      PID:1554
    • /bin/syqzochw
      /bin/syqzochw -d 1538
      1⤵
      • Executes dropped EXE
      PID:1557
    • /bin/hzifdqgpvxesug
      /bin/hzifdqgpvxesug -d 1538
      1⤵
      • Executes dropped EXE
      PID:1570
    • /bin/yzrlnoedp
      /bin/yzrlnoedp -d 1538
      1⤵
      • Executes dropped EXE
      PID:1573
    • /bin/xbqxxh
      /bin/xbqxxh -d 1538
      1⤵
      • Executes dropped EXE
      PID:1576
    • /bin/ypmbis
      /bin/ypmbis -d 1538
      1⤵
      • Executes dropped EXE
      PID:1579
    • /bin/drzvmhrmglxwbb
      /bin/drzvmhrmglxwbb -d 1538
      1⤵
      • Executes dropped EXE
      PID:1582
    • /bin/wjvzmkwnf
      /bin/wjvzmkwnf -d 1538
      1⤵
      • Executes dropped EXE
      PID:1585
    • /bin/cnnkqfuayzpwih
      /bin/cnnkqfuayzpwih -d 1538
      1⤵
      • Executes dropped EXE
      PID:1588
    • /bin/pcfmxbvs
      /bin/pcfmxbvs -d 1538
      1⤵
      • Executes dropped EXE
      PID:1591
    • /bin/hfxwkikovza
      /bin/hfxwkikovza -d 1538
      1⤵
      • Executes dropped EXE
      PID:1593
    • /bin/guoewfdemuvr
      /bin/guoewfdemuvr -d 1538
      1⤵
      • Executes dropped EXE
      PID:1597
    • /bin/upvhsdckqbpj
      /bin/upvhsdckqbpj -d 1538
      1⤵
      • Executes dropped EXE
      PID:1600
    • /bin/khjgqdvn
      /bin/khjgqdvn -d 1538
      1⤵
      • Executes dropped EXE
      PID:1603
    • /bin/bgqxrtexhapc
      /bin/bgqxrtexhapc -d 1538
      1⤵
      • Executes dropped EXE
      PID:1606
    • /bin/nyfdxxwbw
      /bin/nyfdxxwbw -d 1538
      1⤵
      • Executes dropped EXE
      PID:1609
    • /bin/clhmuryoqlxbk
      /bin/clhmuryoqlxbk -d 1538
      1⤵
      • Executes dropped EXE
      PID:1612
    • /bin/ebvafoyl
      /bin/ebvafoyl -d 1538
      1⤵
      • Executes dropped EXE
      PID:1615
    • /bin/njuyhochkykolr
      /bin/njuyhochkykolr -d 1538
      1⤵
      • Executes dropped EXE
      PID:1620
    • /bin/rbbmok
      /bin/rbbmok -d 1538
      1⤵
      • Executes dropped EXE
      PID:1623
    • /bin/xtbhrl
      /bin/xtbhrl -d 1538
      1⤵
      • Executes dropped EXE
      PID:1626
    • /bin/vekraubbefeuy
      /bin/vekraubbefeuy -d 1538
      1⤵
      • Executes dropped EXE
      PID:1629
    • /bin/xnwcsqzydsbzue
      /bin/xnwcsqzydsbzue -d 1538
      1⤵
      • Executes dropped EXE
      PID:1632
    • /bin/bkybrtmobib
      /bin/bkybrtmobib -d 1538
      1⤵
      • Executes dropped EXE
      PID:1635
    • /bin/cgefftbhmuh
      /bin/cgefftbhmuh -d 1538
      1⤵
      • Executes dropped EXE
      PID:1638
    • /bin/rhbuafymutze
      /bin/rhbuafymutze -d 1538
      1⤵
      • Executes dropped EXE
      PID:1641
    • /bin/qucxozeykol
      /bin/qucxozeykol -d 1538
      1⤵
      • Executes dropped EXE
      PID:1644
    • /bin/gdarnofcz
      /bin/gdarnofcz -d 1538
      1⤵
      • Executes dropped EXE
      PID:1647
    • /bin/exeuqlkbtakw
      /bin/exeuqlkbtakw -d 1538
      1⤵
      • Executes dropped EXE
      PID:1650
    • /bin/msljhtnscmjlk
      /bin/msljhtnscmjlk -d 1538
      1⤵
      • Executes dropped EXE
      PID:1653
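An added hunting script (not part of this report or of the sandbox's tooling) that turns the behaviours listed above into host checks: copies re-executed as `/bin/<random name> -d <pid>`, random-looking basenames in /bin that no package owns, an `/etc/cron.hourly/<name>.sh` paired with an `/etc/init.d/<name>` service, and the `/etc/daemon.cfg` marker. Note that the `-d 1538` argument in the tree names a PID that does not itself appear among the listed processes. The sample data is constructed from the PIDs, names and paths in this report; the PPIDs, the shell session, the cron and init.d script bodies and the package baseline are assumptions, since the report shows only hashes and sizes for those files. On a live host, feed it `ps -eo pid,ppid,args` output and build `baseline` from the package manager (e.g. `dpkg -S /bin/*`).

```python
#!/usr/bin/env python3
"""Hunt for the XorDDoS host artifacts listed in the report (added example).

Checks run over data supplied by the caller so the script works offline:
  * processes whose binary is /bin/<random lowercase name> or that were
    started as "/bin/<name> -d <pid>" (the report's re-executed copies);
  * an /etc/cron.hourly/<name>.sh that launches such a binary, and an
    /etc/init.d/<name> sharing its stem or launching such a binary;
  * the /etc/daemon.cfg marker file.
"""
import os
import re
from typing import Dict, Iterable, List

# Dropped copies in the report have 6-14 lowercase-letter basenames.
RANDOM_NAME = re.compile(r"^[a-z]{6,14}$")
# Re-executed copies carry "-d <pid>"; in the report that PID is 1538.
DAEMON_ARGS = re.compile(r"^/bin/[a-z]{6,14} -d (\d+)$")
# A /bin/<name> reference at the start of a token inside a script body.
BIN_REF = re.compile(r"(?<!\S)/bin/([a-z]{6,14})\b")


def is_random_bin(exe: str, baseline: set) -> bool:
    """True for /bin/<name> where <name> looks random and is not a packaged binary."""
    d, name = os.path.split(exe)
    return d == "/bin" and bool(RANDOM_NAME.match(name)) and name not in baseline


def suspicious_processes(ps_lines: Iterable[str], baseline: set) -> List[dict]:
    """Scan `ps -eo pid,ppid,args` output lines and return flagged processes."""
    hits = []
    for line in ps_lines:
        parts = line.strip().split(None, 2)
        if len(parts) < 3 or not parts[0].isdigit():
            continue  # header or malformed line
        pid, ppid, args = int(parts[0]), int(parts[1]), parts[2]
        reasons = []
        m = DAEMON_ARGS.match(args)
        if m:
            reasons.append(f"started with -d {m.group(1)} (daemon-PID argument)")
        if is_random_bin(args.split()[0], baseline):
            reasons.append("random-looking basename in /bin, not in package baseline")
        if reasons:
            hits.append({"pid": pid, "ppid": ppid, "args": args, "reasons": reasons})
    return hits


def suspicious_persistence(files: Dict[str, str], baseline: set) -> List[dict]:
    """files maps path -> content; returns cron.hourly, init.d and daemon.cfg findings."""
    hits, flagged_stems = [], set()
    for path, content in files.items():
        d, base = os.path.split(path)
        if d != "/etc/cron.hourly" or not base.endswith(".sh"):
            continue
        ref = BIN_REF.search(content)
        if ref and is_random_bin("/bin/" + ref.group(1), baseline):
            flagged_stems.add(base[:-3])
            hits.append({"path": path, "reason": f"hourly cron script launches /bin/{ref.group(1)}"})
    for path, content in files.items():
        d, base = os.path.split(path)
        if d != "/etc/init.d":
            continue
        ref = BIN_REF.search(content)
        if base in flagged_stems or (ref and is_random_bin("/bin/" + ref.group(1), baseline)):
            hits.append({"path": path, "reason": "init.d service for a random-named /bin binary"})
    if "/etc/daemon.cfg" in files:
        hits.append({"path": "/etc/daemon.cfg", "reason": "XorDDoS config marker file present"})
    return hits


# Constructed sample: PIDs and names come from the report's process tree;
# PPIDs, the shell session, script bodies and the baseline are assumptions.
SAMPLE_PS = [
    "  PID  PPID COMMAND",
    "    1     0 /sbin/init",
    " 1533  1402 /tmp/7beb45f0c5ee36d3747d9ab65eb1060e",
    " 1537     1 /bin/mswhcgig",
    " 1542     1 /bin/ylzjsgtekhtn -d 1538",
    " 1548     1 /bin/cpjmfpk -d 1538",
    " 1700  1402 /bin/bash -l",
]
SAMPLE_FILES = {
    "/etc/cron.hourly/gigchwsm.sh": "#!/bin/sh\n/bin/mswhcgig\n",
    "/etc/cron.hourly/logrotate": "#!/bin/sh\n/usr/sbin/logrotate /etc/logrotate.conf\n",
    "/etc/init.d/gigchwsm": "#!/bin/sh\n# chkconfig: 12345 90 90\n/bin/mswhcgig\n",
    "/etc/daemon.cfg": "",
}
# On a real host build this from the package manager, e.g. `dpkg -S /bin/*`.
BASELINE = {"bash", "systemctl", "busybox", "mountpoint"}

if __name__ == "__main__":
    for h in suspicious_processes(SAMPLE_PS, BASELINE):
        print(f"PID {h['pid']} (ppid {h['ppid']}): {h['args']} -> {'; '.join(h['reasons'])}")
    for h in suspicious_persistence(SAMPLE_FILES, BASELINE):
        print(f"{h['path']}: {h['reason']}")
```

The process check deliberately uses two independent signals: the `-d <pid>` argument is specific to these re-executed copies, while the basename heuristic also catches the first copy (`/bin/mswhcgig`), which the report shows starting without `-d`. The baseline is what keeps the name heuristic from flagging legitimate lowercase binaries in /bin.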

    Network

    MITRE ATT&CK Enterprise v15

    Downloads

    • /bin/bkybrtmobib

      Filesize

      243KB

      MD5

      8c8189905dc17c0a37464cccc6678d3a

      SHA1

      b9dbb86413e692056e22c62d1bbfc7a075427941

      SHA256

      b3a2afcb17674a3541255395c03c09e982540ba3c1ee0b70deb8dbb902e6af58

      SHA512

      b132465d82f04d2af30098c159891a89124137043fe8031d179673fa970aed02ef310308c77352c309daa05471d65dc7bacdf77aa6eee046fded73f6471a1d29

    • /bin/cnnkqfuayzpwih

      Filesize

      484KB

      MD5

      eef37a5ee93d4602f8d0890ac4590de3

      SHA1

      72a4da7531623014f26c3faaacd6339509ddaafb

      SHA256

      29a476aecbbc2396777996ac965c2f56fd510c9f96eb99ad2c5ab831630baed8

      SHA512

      9751603af46ae0956a4164ed5726a6ba62ff59a3b6632d1aeac6927baf9f86e25dd6fb50c37a23a2a9d372f111f4f5ada87ffdbb67b8c35e377eb83c9b784e7d

    • /bin/gdarnofcz

      Filesize

      35KB

      MD5

      59e778a923b0ef1f25b7ac741e0fef5b

      SHA1

      7a546e9ae9596966cd13da1acb182b6672d0f099

      SHA256

      b12eebd39c74e115a787ec15f946d8ea33b72766731868ac576b2ee8e2ad0806

      SHA512

      b36435e468a28be002a85b77cd593f126162ded80a6ef224dc611914e80b93b2201de1caaf0d51f054ca910ff6b90cc5fcc866ceff611798b795460778160afd

    • /bin/mswhcgig

      Filesize

      546KB

      MD5

      98b491b01433a825fc436280d2c618cc

      SHA1

      8c3f445a83f5ff6379db9ad2750238291aa7a846

      SHA256

      b623413d516f4a903d3456193e6fe282703675d99d663791f0fe1415e21abcac

      SHA512

      15e75f644a3738f3c989376716b03238432a959c51c6c8271f5b84df6554cac7f8cb3141e6b3ccb185c95e5181179f17d31106aa50ed153b6b100980b9a642cc

    • /bin/nyfdxxwbw

      Filesize

      112KB

      MD5

      5f1dfeba5f0752a36674e5df47ec8246

      SHA1

      f946ef7b6e9c9df2d48fcc29d6e9cedcf65c6de4

      SHA256

      cf3d3d0796d1e04a934e77714419aa156c493dcdfaf1c62fd842a597112e6fc9

      SHA512

      92e33a059d467947fb5742b71db62aaa122f6aec39a75619af830934273cbac8805a8fc698daad33c115650b920364a258fd2dabe6828ee5f42fe6bbec41150e

    • /bin/reysvlp

      Filesize

      7KB

      MD5

      7cddf6e99352929bc47b0660ab89ef98

      SHA1

      ed6acfcf564052794c8d8cd47d509b73cede0214

      SHA256

      d0a9320035b538a60f872cebc9ce4f191bea6f34a8c2c564c82d6f7b4e350b2e

      SHA512

      73b98e010f698533bd414852173ab297e449ff1f805e1ad351dd612bb40217c704c92db18868b59204659a1f4079f2cb9033440dff341311cbbcb2f1918bed20

    • /etc/cron.hourly/gigchwsm.sh

      Filesize

      145B

      MD5

      0be61b5103c3e2ec0fa2bf722ce29226

      SHA1

      5ddf77657de053bb455b16e7a640b3301e7ae985

      SHA256

      c1babf1e275dcf5db3f2e646c978b45312005331488e5a577fb4c6c3878e64f0

      SHA512

      c63623d4e153be5b634a6e3514c55594c8733df0e0af21b15798025631c8d441736f0715dd2396c26dce300f5e2fff24fb856082d1b2e29d7c3607877c729f37

    • /etc/daemon.cfg

      Filesize

      32B

      MD5

      e837e0574cf1e1c2d27f0dc1e202e330

      SHA1

      84eca7ea011dad59e0f050f50ee3520de2fb5899

      SHA256

      210380c59589b58551b2e11d4a68888c376cba7f6cb05f7c4ea557acbc4a7145

      SHA512

      8edbf47063fc6e5c69e0733dcd1301d669fda9335e0728378213ef41c6260b6a25ebc93d2cbe448f7b43bbc3bfad68c8930aeb2f74d4b9bf4557d3b9b51ae1ea

    • /etc/init.d/gigchwsm

      Filesize

      328B

      MD5

      de5a908a03c3bbdf2eaa5c20ef9fd666

      SHA1

      dc8aa0b901588759b6f9a3aee30da10238ae6318

      SHA256

      25fc77204b78d246aeb4aba97108c854ed684427403ab40a548f77d83241b853

      SHA512

      d8147c5c934b107b2c3e265ac046b35e00eac4513926a29de83fc609644c38e711fe8a8f40cfa1c944dc168947e72fe577fa7481cf78905462732aac9d4a011f