Analysis
-
max time kernel
152s -
max time network
158s -
platform
ubuntu-18.04_amd64 -
resource
ubuntu1804-amd64-20231215-en -
resource tags
-
submitted
20-12-2023 17:16
General
-
Target
f46885b16a85fd6f20a6d8c6b3836e74
-
Size
247KB
-
MD5
f46885b16a85fd6f20a6d8c6b3836e74
-
SHA1
21822af4b28c6174c4af73df8df87f1ea0282db4
-
SHA256
98982204bff4e5a3c206cfda13e2f2e899ab82db957596faf004d3698f707305
-
SHA512
d4d156ee913999e5b6a1bb488050510df3e96f739f0fd1a276acf4cd1f91fd9b77167b79dbfd93e940323c9c468e6300ce74d47070a7640c63d158ae4c25f188
-
SSDEEP
6144:JSDFOrnwRgUbMisI6sdkH+M6hWOcy5KOZW7U6NC9ihhhAYIl/mqYf:YZRgUY/fsJcO1KOiXSihhhAPef
Malware Config
Extracted
xorddos
-
crc_polynomial
EDB88320
Signatures
-
XorDDoS
Botnet and downloader malware targeting Linux-based operating systems and IoT devices.
-
Deletes itself 2 IoCs
-
Executes dropped EXE 22 IoCs
-
UPX packed file 11 IoCs
Detects executables packed with UPX/modified UPX open source packer.
-
Unexpected DNS network traffic destination 28 IoCs
Network traffic to other servers than the configured DNS servers was detected on the DNS port.
-
Creates/modifies Cron job 1 TTPs 2 IoCs
Cron allows running tasks on a schedule, and is commonly used for malware persistence.
-
Modifies init.d 1 TTPs 1 IoCs
Adds/modifies system service, likely for persistence.
-
Write file to user bin folder 1 TTPs 5 IoCs
-
Reads runtime system information 8 IoCs
Reads data from /proc virtual filesystem.
Processes
-
/tmp/f46885b16a85fd6f20a6d8c6b3836e74/tmp/f46885b16a85fd6f20a6d8c6b3836e741⤵
-
/bin/shsh -c "sed -i '/\\/etc\\/cron.hourly\\/gcc4.sh/d' /etc/crontab && echo '*/3 * * * * root /etc/cron.hourly/gcc4.sh' >> /etc/crontab"1⤵
- Creates/modifies Cron job
-
/bin/sedsed -i "/\\/etc\\/cron.hourly\\/gcc4.sh/d" /etc/crontab2⤵
- Reads runtime system information
-
-
/bin/chkconfigchkconfig --add f46885b16a85fd6f20a6d8c6b3836e741⤵
-
/sbin/chkconfigchkconfig --add f46885b16a85fd6f20a6d8c6b3836e741⤵
-
/usr/bin/chkconfigchkconfig --add f46885b16a85fd6f20a6d8c6b3836e741⤵
-
/usr/sbin/chkconfigchkconfig --add f46885b16a85fd6f20a6d8c6b3836e741⤵
-
/usr/local/bin/chkconfigchkconfig --add f46885b16a85fd6f20a6d8c6b3836e741⤵
-
/usr/local/sbin/chkconfigchkconfig --add f46885b16a85fd6f20a6d8c6b3836e741⤵
-
/usr/X11R6/bin/chkconfigchkconfig --add f46885b16a85fd6f20a6d8c6b3836e741⤵
-
/bin/update-rc.dupdate-rc.d f46885b16a85fd6f20a6d8c6b3836e74 defaults1⤵
-
/sbin/update-rc.dupdate-rc.d f46885b16a85fd6f20a6d8c6b3836e74 defaults1⤵
-
/usr/bin/update-rc.dupdate-rc.d f46885b16a85fd6f20a6d8c6b3836e74 defaults1⤵
-
/usr/sbin/update-rc.dupdate-rc.d f46885b16a85fd6f20a6d8c6b3836e74 defaults1⤵
-
/bin/systemctlsystemctl daemon-reload2⤵
- Reads runtime system information
-
-
/usr/bin/gaeqndwwey/usr/bin/gaeqndwwey "ls -la" 15391⤵
- Executes dropped EXE
-
/usr/bin/gaeqndwwey/usr/bin/gaeqndwwey whoami 15391⤵
- Executes dropped EXE
-
/usr/bin/gaeqndwwey/usr/bin/gaeqndwwey "cd /etc" 15391⤵
- Executes dropped EXE
-
/usr/bin/gaeqndwwey/usr/bin/gaeqndwwey id 15391⤵
- Executes dropped EXE
-
/usr/bin/gaeqndwwey/usr/bin/gaeqndwwey "grep \"A\"" 15391⤵
- Executes dropped EXE
-
/usr/bin/bjrxierdrn/usr/bin/bjrxierdrn ls 15391⤵
- Executes dropped EXE
-
/usr/bin/bjrxierdrn/usr/bin/bjrxierdrn ls 15391⤵
- Executes dropped EXE
-
/usr/bin/bjrxierdrn/usr/bin/bjrxierdrn "ls -la" 15391⤵
- Executes dropped EXE
-
/usr/bin/bjrxierdrn/usr/bin/bjrxierdrn "netstat -antop" 15391⤵
- Executes dropped EXE
-
/usr/bin/bjrxierdrn/usr/bin/bjrxierdrn gnome-terminal 15391⤵
- Executes dropped EXE
-
/usr/bin/zaepsfseuj/usr/bin/zaepsfseuj "echo \"find\"" 15391⤵
- Executes dropped EXE
-
/usr/bin/zaepsfseuj/usr/bin/zaepsfseuj "cat resolv.conf" 15391⤵
- Executes dropped EXE
-
/usr/bin/zaepsfseuj/usr/bin/zaepsfseuj uptime 15391⤵
- Executes dropped EXE
-
/usr/bin/zaepsfseuj/usr/bin/zaepsfseuj whoami 15391⤵
- Executes dropped EXE
-
/usr/bin/zaepsfseuj/usr/bin/zaepsfseuj "cd /etc" 15391⤵
- Executes dropped EXE
-
/usr/bin/zzuwjfpvvy/usr/bin/zzuwjfpvvy "grep \"A\"" 15391⤵
- Executes dropped EXE
-
/usr/bin/zzuwjfpvvy/usr/bin/zzuwjfpvvy "sleep 1" 15391⤵
- Executes dropped EXE
-
/usr/bin/zzuwjfpvvy/usr/bin/zzuwjfpvvy whoami 15391⤵
- Executes dropped EXE
-
/usr/bin/zzuwjfpvvy/usr/bin/zzuwjfpvvy "netstat -antop" 15391⤵
- Executes dropped EXE
-
/usr/bin/zzuwjfpvvy/usr/bin/zzuwjfpvvy ifconfig 15391⤵
- Executes dropped EXE
-
/usr/bin/dqedsqlhdg/usr/bin/dqedsqlhdg whoami 15391⤵
- Executes dropped EXE
-
/usr/bin/dqedsqlhdg/usr/bin/dqedsqlhdg "ifconfig eth0" 15391⤵
- Executes dropped EXE
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
149B
MD54bc702c21d7b2bbb32638e37ec6c3943
SHA16b097d447b57c10f10f67ccd5efac4e4d39ddd38
SHA256f702b3fd1837f30a23c74d5605e0c9cf79a480b942ef7d3bb9f79d448101a8b3
SHA51219523b3e006eaa41a22a6af5ad1d0b23adf7eb5c653e367229b2d6bf69066a7630d637ae4131e5ae98e63434b00f6af5bef4ece54d7ad66d5c92b8f549f5b3f8
-
Filesize
425B
MD5f8450f23c46d2bf74bd5b2da8b6e164d
SHA1859d69c9058fde9be72fa16af8d949315d8d486e
SHA2566855a141a19f23c42b6a7c6e7b701f9adb87c8bfa64455d830e49cc5d9ca07cd
SHA512451879151007a5eebe26521063a99373ab992144f4aacb50f836baa5263e3b8dfaead69fcfa8f9b6e2ec335dd010517a8e4f26578f5ba91e4ce806543038bdda
-
Filesize
722B
MD58f111d100ea459f68d333d63a8ef2205
SHA1077ca9c46a964de67c0f7765745d5c6f9e2065c3
SHA2560e5c204385b21e15b031c83f37212bf5a4ee77b51762b7b54bd6ad973ebdf354
SHA512d81767b47fb84aaf435f930356ded574ee9825ec710a2e7c26074860d8a385741d65572740137b6f9686c285a32e2951ca933393b266746988f1737aad059adb
-
Filesize
247KB
MD5f46885b16a85fd6f20a6d8c6b3836e74
SHA121822af4b28c6174c4af73df8df87f1ea0282db4
SHA25698982204bff4e5a3c206cfda13e2f2e899ab82db957596faf004d3698f707305
SHA512d4d156ee913999e5b6a1bb488050510df3e96f739f0fd1a276acf4cd1f91fd9b77167b79dbfd93e940323c9c468e6300ce74d47070a7640c63d158ae4c25f188
-
Filesize
32B
MD59bd60db0a1041e2c1d9cd3c2ce3c11b7
SHA168e393f2aa51b7b14b175c86b3a06f4ea40fd7ea
SHA2563752089072b5963b934c8538c7857b601c00ec5c4e64a617b0b69848234a8411
SHA5129af9382528286655fa44dab69fabe394dfb22e1810b54c7d58745bda6d8c1cfe2665b1cc1feefe67857bdb90c47b37637735c6a0b35710188ac2935844df4afb
-
Filesize
120KB
MD536261bc3108ebc74612f8cc64009b2f4
SHA1dc04b168fbd42c3e77cdcb819ae745c7190e74db
SHA256dfe1d6649cb04792f4791d4e6ef0682ed3a5645a60ee63fe0009776fd3c2456b
SHA5129ab80e47da52ae439010c0b54629f2c91a77f56771622bbd484302279c9dc0fc26fb10298f6aea9d437e23cf13151226d7419f0ae5920ea17b3d5c9b3b3249e5
-
Filesize
247KB
MD5ea32b9b1e42a89053de787ecce47c585
SHA12aadb09ec4cc3b201d52d448dcdef0e48e049623
SHA25620b7cfec3731efc5427ff78a509b77866ffcf9ec1fc77df14c8a6a5d5219481f
SHA5124cb002869324c226f1fb52f1b8e32631165361b7bb7b368666843eacb774f6e4607b2510558f30240def7949e5b8fb4687ec7ca34e1c585718f8b46327279c73
-
Filesize
247KB
MD549c308cfa9268cee37bfcf5b66a35bed
SHA1e2f8a936d7be9cf90882247d5c6501b4e7ae1fbb
SHA256d461ec12e2b6d359496ac70208fa76f1a0d6d332119892127ca1bd54ebb97d85
SHA5123dae4696c9929cb4930a01890b02e65900db0f5891307f4276bc8cb39883b5a248ef68dc9eb409fc23eadadb7b6ecf4b0876f6fb39aa5829bd5d04e7a68f276c
-
Filesize
247KB
MD5c1ec334a4d138a5d712438550bd656e2
SHA1460706fbc36a884caa10fd4ec50bacfff7a3095c
SHA25692797c2cfe0ad1d5dad224bd7a2940c80182b1b6a7922718d07037230039d78f
SHA5120b2ef9c5072bc52270218511632317312000c899cdfd99eb9f7b84d749235001fd4f5852cefe0249eef1a31caf50011ab17f033186c3dc54d34fbd780d3dca14
-
Filesize
247KB
MD58778ef00b525903fb10652989cc0ff50
SHA1c1ac55806c974e0f21bb70f3d29184c410da1066
SHA256d07f438838d44c4a837063a20cb053b46ec3f126c827dab43277e36a88447bf7
SHA512536fc2ec564bbaa256c150f4b15b11cb0cce6f21332edca8b4e0d546c3336c6d163450b6d1b25148f1c211ac689b8181b3b1986c01fe9d2d0b6684a0504d01e1
-
Filesize
247KB
MD5317acb147de14a5c5be154f54126fe3d
SHA17204148d77dde4d80f15e6e34d387beb4750ec2e
SHA256338c5a6d85334ba8c6471bf413f28bfa822d13c932302c947c6ec0bcf92be5ec
SHA51227d96f93081b64ea572fe04699ae1d68227113dfad85223542860e54e686a9a0b85f8e949253d545bdc34d330d18a67727bccd8e39fe8b46e5b20d7c6bba0119
-
Filesize
247KB
MD5ff208a798a395a7608dafa9d7c938f84
SHA137bfd614bf7d415253f7c4fe15148dec2cf3e13b
SHA256bf25cf32210d320ceeac85caad6122fc2d0955587bca2328a6d93c0be6871f28
SHA512113fbf8159206b44f5808a23ac4c1e676292c5b4bddec8e6d9c81034c63d5c8de07c2bab453345264251a7c0788e70df816f13984d686bb27c37883bf2da0e3b
-
Filesize
247KB
MD500dac0c25889ce4c66e0fe060134a0ed
SHA1764bc611d655150893d2a7cba60707197302b5c7
SHA25600c4a5e84b3df65f7d03101422b74303d376cd34164cdaeec36bd361b3b09d27
SHA51278d0980ff9dc2eba17a42cbbec68c961e42f63829b78e40c5fabcb4d75bf48b1bc9022883ce18ab4851cb9ba29a8b5cad63e474622078403891f511600267b6a
-
Filesize
247KB
MD5b40b94ccc2f4d77a1805c2fcdf2ff7c5
SHA1fac06320c78369524f5b9269d0b416849da6cbbe
SHA25621b3f856f215329ad9229cc27e54723693dbfa6621d60062355c4af595144b0b
SHA512108b8052e289dcc7a0de7b85799fe2d40bb1550d21a664f93fdcb02f316caa5c6530bbc645ddf2b5826c4b2096febdf044c28a95b507b9f1a2bfdd50a99bcb3e
-
Filesize
24KB
MD58c46cbe4f4296b5e900101e12780f430
SHA11bf2b203cf171151879ccd34d8bf7278ff90eda5
SHA2567f91e8a04cbecd91ab5bb9d9621d47e665058dc67cba5ead3e436fb1fec67948
SHA512b8c15d7ced10396080fb7e95af192e856861d6de450638149bb5e4549a1e25ede52fa98b6bdfa1c818d06775f59f4a62d185b6cce5aa208fcf507d2d55bd1e1a