Analysis
-
max time kernel
155s -
max time network
156s -
platform
ubuntu-18.04_amd64 -
resource
ubuntu1804-amd64-20231215-en -
resource tags
-
submitted
20-12-2023 14:40
General
-
Target
cab83472f26ffcc4bcf0053f703d44ca
-
Size
247KB
-
MD5
cab83472f26ffcc4bcf0053f703d44ca
-
SHA1
49a6df3d5ff918b1499dc8541d62479ecdc13114
-
SHA256
c7b9c2d1c89732219cb3fbc40f75675e19206aa13959c1a8046d58ec26a09477
-
SHA512
0b370a018b36a711f210ae4471ea87385c43f84d7d12b30f20aa5f0b929c81f1e16632439d93dcdd22386b0697640a32d2c170b3397d90d19e491a2c3287ea95
-
SSDEEP
6144:wSDFOrnwRgUbMisI6sdkH+M6hWOcy5KOZW7U6NCTyhhhInkD/mqYf:DZRgUY/fsJcO1KOiXsyhhhInkDef
Malware Config
Extracted
xorddos
-
crc_polynomial
EDB88320
Signatures
-
XorDDoS
Botnet and downloader malware targeting Linux-based operating systems and IoT devices.
-
Deletes itself 4 IoCs
-
Executes dropped EXE 25 IoCs
-
UPX packed file 11 IoCs
Detects executables packed with UPX/modified UPX open source packer.
-
Unexpected DNS network traffic destination 29 IoCs
Network traffic to other servers than the configured DNS servers was detected on the DNS port.
-
Creates/modifies Cron job 1 TTPs 2 IoCs
Cron allows running tasks on a schedule, and is commonly used for malware persistence.
-
Modifies init.d 1 TTPs 1 IoCs
Adds/modifies system service, likely for persistence.
-
Write file to user bin folder 1 TTPs 5 IoCs
-
Reads runtime system information 8 IoCs
Reads data from /proc virtual filesystem.
Processes
-
/tmp/cab83472f26ffcc4bcf0053f703d44ca/tmp/cab83472f26ffcc4bcf0053f703d44ca1⤵
-
/bin/shsh -c "sed -i '/\\/etc\\/cron.hourly\\/gcc4.sh/d' /etc/crontab && echo '*/3 * * * * root /etc/cron.hourly/gcc4.sh' >> /etc/crontab"1⤵
- Creates/modifies Cron job
-
/bin/sedsed -i "/\\/etc\\/cron.hourly\\/gcc4.sh/d" /etc/crontab2⤵
- Reads runtime system information
-
-
/bin/chkconfigchkconfig --add cab83472f26ffcc4bcf0053f703d44ca1⤵
-
/sbin/chkconfigchkconfig --add cab83472f26ffcc4bcf0053f703d44ca1⤵
-
/usr/bin/chkconfigchkconfig --add cab83472f26ffcc4bcf0053f703d44ca1⤵
-
/usr/sbin/chkconfigchkconfig --add cab83472f26ffcc4bcf0053f703d44ca1⤵
-
/usr/local/bin/chkconfigchkconfig --add cab83472f26ffcc4bcf0053f703d44ca1⤵
-
/usr/local/sbin/chkconfigchkconfig --add cab83472f26ffcc4bcf0053f703d44ca1⤵
-
/usr/X11R6/bin/chkconfigchkconfig --add cab83472f26ffcc4bcf0053f703d44ca1⤵
-
/bin/update-rc.dupdate-rc.d cab83472f26ffcc4bcf0053f703d44ca defaults1⤵
-
/sbin/update-rc.dupdate-rc.d cab83472f26ffcc4bcf0053f703d44ca defaults1⤵
-
/usr/bin/update-rc.dupdate-rc.d cab83472f26ffcc4bcf0053f703d44ca defaults1⤵
-
/usr/sbin/update-rc.dupdate-rc.d cab83472f26ffcc4bcf0053f703d44ca defaults1⤵
-
/bin/systemctlsystemctl daemon-reload2⤵
- Reads runtime system information
-
-
/usr/bin/byjpjmouij/usr/bin/byjpjmouij top 15531⤵
- Executes dropped EXE
-
/usr/bin/byjpjmouij/usr/bin/byjpjmouij sh 15531⤵
- Executes dropped EXE
-
/usr/bin/byjpjmouij/usr/bin/byjpjmouij gnome-terminal 15531⤵
- Executes dropped EXE
-
/usr/bin/byjpjmouij/usr/bin/byjpjmouij "ps -ef" 15531⤵
- Executes dropped EXE
-
/usr/bin/byjpjmouij/usr/bin/byjpjmouij "sleep 1" 15531⤵
- Executes dropped EXE
-
/usr/bin/proasxeivp/usr/bin/proasxeivp uptime 15531⤵
- Executes dropped EXE
-
/usr/bin/proasxeivp/usr/bin/proasxeivp ifconfig 15531⤵
- Executes dropped EXE
-
/usr/bin/proasxeivp/usr/bin/proasxeivp ifconfig 15531⤵
- Executes dropped EXE
-
/usr/bin/proasxeivp/usr/bin/proasxeivp whoami 15531⤵
- Executes dropped EXE
-
/usr/bin/proasxeivp/usr/bin/proasxeivp ifconfig 15531⤵
- Executes dropped EXE
-
/usr/bin/dzcdeqtajh/usr/bin/dzcdeqtajh ls 15531⤵
- Executes dropped EXE
-
/usr/bin/dzcdeqtajh/usr/bin/dzcdeqtajh sh 15531⤵
- Executes dropped EXE
-
/usr/bin/dzcdeqtajh/usr/bin/dzcdeqtajh uptime 15531⤵
- Executes dropped EXE
-
/usr/bin/dzcdeqtajh/usr/bin/dzcdeqtajh gnome-terminal 15531⤵
- Executes dropped EXE
-
/usr/bin/dzcdeqtajh/usr/bin/dzcdeqtajh "ls -la" 15531⤵
- Executes dropped EXE
-
/usr/bin/raqgvpylkh/usr/bin/raqgvpylkh "grep \"A\"" 15531⤵
- Executes dropped EXE
-
/usr/bin/raqgvpylkh/usr/bin/raqgvpylkh ls 15531⤵
- Executes dropped EXE
-
/usr/bin/raqgvpylkh/usr/bin/raqgvpylkh bash 15531⤵
- Executes dropped EXE
-
/usr/bin/raqgvpylkh/usr/bin/raqgvpylkh ls 15531⤵
- Executes dropped EXE
-
/usr/bin/raqgvpylkh/usr/bin/raqgvpylkh id 15531⤵
- Executes dropped EXE
-
/usr/bin/vehnhhngqp/usr/bin/vehnhhngqp "cat resolv.conf" 15531⤵
- Executes dropped EXE
-
/usr/bin/vehnhhngqp/usr/bin/vehnhhngqp "route -n" 15531⤵
- Executes dropped EXE
-
/usr/bin/vehnhhngqp/usr/bin/vehnhhngqp su 15531⤵
- Executes dropped EXE
-
/usr/bin/vehnhhngqp/usr/bin/vehnhhngqp "ifconfig eth0" 15531⤵
- Executes dropped EXE
-
/usr/bin/vehnhhngqp/usr/bin/vehnhhngqp uptime 15531⤵
- Executes dropped EXE
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
149B
MD54bc702c21d7b2bbb32638e37ec6c3943
SHA16b097d447b57c10f10f67ccd5efac4e4d39ddd38
SHA256f702b3fd1837f30a23c74d5605e0c9cf79a480b942ef7d3bb9f79d448101a8b3
SHA51219523b3e006eaa41a22a6af5ad1d0b23adf7eb5c653e367229b2d6bf69066a7630d637ae4131e5ae98e63434b00f6af5bef4ece54d7ad66d5c92b8f549f5b3f8
-
Filesize
425B
MD52ddba026b6e10cf27d6691f37d088811
SHA1e50bc531a2dee15e99f6d84d28d9bea8b7ddd673
SHA2560544055741a826052cb37f2cfbecce7e39fd22bcd01acf78010add5111aa687a
SHA5123adfec1f33dcfb53849a594b028ed86e56e8d306ea33a22063e1767b272377cf8a742964d2cc34673f9a9d1bbc601bd1e9156823a67a9df353cb229f3cf9b6ea
-
Filesize
722B
MD58f111d100ea459f68d333d63a8ef2205
SHA1077ca9c46a964de67c0f7765745d5c6f9e2065c3
SHA2560e5c204385b21e15b031c83f37212bf5a4ee77b51762b7b54bd6ad973ebdf354
SHA512d81767b47fb84aaf435f930356ded574ee9825ec710a2e7c26074860d8a385741d65572740137b6f9686c285a32e2951ca933393b266746988f1737aad059adb
-
Filesize
247KB
MD5cab83472f26ffcc4bcf0053f703d44ca
SHA149a6df3d5ff918b1499dc8541d62479ecdc13114
SHA256c7b9c2d1c89732219cb3fbc40f75675e19206aa13959c1a8046d58ec26a09477
SHA5120b370a018b36a711f210ae4471ea87385c43f84d7d12b30f20aa5f0b929c81f1e16632439d93dcdd22386b0697640a32d2c170b3397d90d19e491a2c3287ea95
-
Filesize
32B
MD56bf202e953cd0b3acd77d0787e97017d
SHA1a176ce397b3fe2d2111e26604d6aadd6ed229b77
SHA256de11ed31eb6ae23bf1437f1f96c7ef6ee281dca4d71d92094b72fcb430362d31
SHA5128633c2135e3fc66d4c44114cabb018d44d0e81edf64200f502b2a91ad48b37ea31ba1ee3d51f55dcab1834480ddd4bff2bcd84385aa6a1d3d1bb9d3d9d3a77bd
-
Filesize
247KB
MD5f1acca24ece2e72c9a255ebb5f2c4cac
SHA142a88ff17bf845044c42e29e3499bdda08865d44
SHA2568fb256f73513339587030ffd1e81261781ecfe9669e79f5be0cbc156884ebe75
SHA5123ac5deab9b4cf4af19493e0369723673f0c594afe1b4720e22a9866801e0f513ca4ec65c57b6b0b7f6d425c0aee320fab8d2fe8707939367d50686018f12ba12
-
Filesize
247KB
MD59753175fa28dfffa32b838cf12014bba
SHA1d0ccb914fdd8bae63ac84e15fed6a5068741fcc5
SHA25656eae3a31664135bfcdfb3cd31fbfa7053c1cbea45284ce4d30ac7581a9670c2
SHA512e1ba9e56f3420c8448ac6b6c78d14c8a1b873b5a099222f3ed3cf216ba410c3a59de6a867f2ee8baa8127c383acea3b44f13af67c08f6657ef4549d663fa6e15
-
Filesize
247KB
MD58ee4ac2cb40aaeb125f06ce6ce19bc6a
SHA1e98ded90ff30194a901f83ff91f7bdb61fd1ddb0
SHA256aacf8e82d1c0c17e38d23a1bae37b8b765fe281dc8cc7e8886011b8aff332c78
SHA5123436d2dd58a18e2a53f42940671948438e974f4f1bfbaa153c1ea6ab40eafdee40550dc32d1cd5986fa2fcff782008eb8a16da4e897f00c2a9b74d856b5ecc86
-
Filesize
247KB
MD57177b6913c471191e9815e46ca59b6ae
SHA1ec578dd2e23bfc6be8e1a76b026a2d3d5d0c5775
SHA2565c55db7c13baaec9fea6fdd2eb96eee5040443f12aa80a59365052a086b3ca6b
SHA512d0eef53dacc848d155b5756e203e01e31727708c342d9447be38c3a849d003236138d79effa0ccd2fd58da780e320c0cd678d3fe6000a66a54297e0ba487f072
-
Filesize
247KB
MD5bb2f73df9af87541a2124ef40fdc2c04
SHA1a8a2c12e109cc8a3b20581d5d5d6acb0251c2ec3
SHA256f9ca505a0d2bd2ea8049c461239bbaa14ee84b709516996c817fc5f189bcf05f
SHA512fd40b5940a3d6ec7ea59b647270182d2a86b5efb4b2ed57d928dd3b5bf861460ac749d07a3ec1cc3b262b7a51017e02419365bea15496187a9bf79c206d7e8ac
-
Filesize
247KB
MD5e8df4d9fc33dae7235b8b8d3388c03e6
SHA110af217d8e6daddfcc54874da4ef1bfbc0660be2
SHA2568bbefd40f51e8228a65bad72b9974e3b4c21cfea5587f3495fb60eb1172630a5
SHA51235d48c7dcc11119f1d8e74286ba720c8d516fd1c8af9bea0f1920d39f3c08f7187ba1933b980bd63ca4dc2da32da9431a178708aebf4fa7709320be3453143bb
-
Filesize
247KB
MD557266ea9b84dcd67162f8684b4f9a91a
SHA1d8a4bdd5ebb1088504d6e3eed0af56b2e54df35b
SHA25669692b85686a3c25a0189a58ad750515cb72eda659b35b5f35543c7615c49300
SHA512a6bf04b15fa769623cbdbe91bc82309c51dd38f66c1821f5d5f9cd42eb3d793ffdbd9f5d4f95905554ba2976dc6ee380c4318ddce8b093eeaa1c8b03e1b1c0ae
-
Filesize
247KB
MD52e43c7a839007c7f15d1811af6610fb6
SHA10d8196d9fdcdbe0ddf36170c672278743079b8f5
SHA256beee397b0cf439b4068d7d1e1f0428946a889e05ea84bcb46aa3ecff235fb8e3
SHA5125d382fcf9f5a3461a691cc192754e24b1aefa49a0a8d8b63dcd7218cd85ead4f013f7abba1cb15fb4e505fe8fb8ddfbbf9a7d939a219f9222d90aec96e987535
-
Filesize
247KB
MD580a50bf357e91c1fe60b8587c7b24df5
SHA19614dda7ab15f43af763ceb583d6101b240ee4e7
SHA256c44e840c57a684d7a00b298df865994e128fd253e83d9a7c4c4db37141dd23fc
SHA51271364fc22a94902c675ff9d5d49bd2dc3d30b7611763bc3e03638ae20e391c35909624a408407ac308e45479ca58c47f1b37157e892940d5e3f4931e04cf11e2
-
Filesize
247KB
MD5e7d9f2ab1cc6b5cd91dc2410f21010ad
SHA136904d672a712c828194b1fd74ed0d8197560220
SHA256fac0bf3167aca877cb8fac3f8d3c808400cb5d53a93932b59fb2712364a3e3c7
SHA512dba4397313006a21a58977a247d54637fee64cd9984284e90a20d1f578c968002256408d1c87f4c03dbaeb7a4541fdc19b2aa7e57d5c6765167fda08ddf3b616