Analysis
-
max time kernel
153s -
max time network
160s -
platform
ubuntu-18.04_amd64 -
resource
ubuntu1804-amd64-20231215-en -
resource tags
-
submitted
20-12-2023 17:22
General
-
Target
f60e7e3d7e68fac8a5a5827974ff78f0
-
Size
647KB
-
MD5
f60e7e3d7e68fac8a5a5827974ff78f0
-
SHA1
7bc91c75d85097f885ad507d8c6c7d8b6924b22e
-
SHA256
a518b18d18736dbf2f9c75442753dc9489e46cfc7fab169f80bff4b7bf09c625
-
SHA512
b99b7d4d7bb43ad175977fe9aff8d7cc9a3a3aac2258f5a28cb0edf92bf5b28a71c85ba90cb13b961662f1e486fd6a1312ad98af10bd5072533d08537216ee4d
-
SSDEEP
12288:RBRO1UmJJ0nHgBL9YfJip2qm+x4h1Ton7p6y07l7mtBDvnD/u9hMHDB:RBRpmJ+HyL9AiAqm+x4h1m76wvnDWXMN
Malware Config
Extracted
xorddos
http://info1.3000uc.com/b/u.php
aaaaaaaaaa.re67das.com:5859
vtqq.f3322.net:25
bii.f3322.net:25
-
crc_polynomial
EDB88320
Signatures
-
XorDDoS
Botnet and downloader malware targeting Linux-based operating systems and IoT devices.
-
XorDDoS payload 4 IoCs
-
Deletes itself 2 IoCs
-
Executes dropped EXE 25 IoCs
-
Unexpected DNS network traffic destination 64 IoCs
Network traffic to other servers than the configured DNS servers was detected on the DNS port.
-
Creates/modifies Cron job 1 TTPs 2 IoCs
Cron allows running tasks on a schedule, and is commonly used for malware persistence.
-
Modifies init.d 1 TTPs 1 IoCs
Adds/modifies system service, likely for persistence.
-
Reads runtime system information 9 IoCs
Reads data from /proc virtual filesystem.
Processes
-
/tmp/f60e7e3d7e68fac8a5a5827974ff78f0/tmp/f60e7e3d7e68fac8a5a5827974ff78f01⤵
-
/boot/vfbzgutxrw/boot/vfbzgutxrw1⤵
- Executes dropped EXE
-
/bin/shsh -c "sed -i '/\\/etc\\/cron.hourly\\/cron.sh/d' /etc/crontab && echo '*/3 * * * * root /etc/cron.hourly/cron.sh' >> /etc/crontab"1⤵
- Creates/modifies Cron job
-
/bin/sedsed -i "/\\/etc\\/cron.hourly\\/cron.sh/d" /etc/crontab2⤵
- Reads runtime system information
-
-
/bin/update-rc.dupdate-rc.d vfbzgutxrw defaults1⤵
-
/sbin/update-rc.dupdate-rc.d vfbzgutxrw defaults1⤵
-
/usr/bin/update-rc.dupdate-rc.d vfbzgutxrw defaults1⤵
-
/usr/sbin/update-rc.dupdate-rc.d vfbzgutxrw defaults1⤵
-
/bin/systemctlsystemctl daemon-reload2⤵
- Reads runtime system information
-
-
/bin/chkconfigchkconfig --add vfbzgutxrw1⤵
-
/sbin/chkconfigchkconfig --add vfbzgutxrw1⤵
-
/usr/bin/chkconfigchkconfig --add vfbzgutxrw1⤵
-
/usr/sbin/chkconfigchkconfig --add vfbzgutxrw1⤵
-
/usr/local/bin/chkconfigchkconfig --add vfbzgutxrw1⤵
-
/usr/local/sbin/chkconfigchkconfig --add vfbzgutxrw1⤵
-
/usr/X11R6/bin/chkconfigchkconfig --add vfbzgutxrw1⤵
-
/boot/gnmcqorbxn/boot/gnmcqorbxn "echo \"find\"" 15371⤵
- Executes dropped EXE
-
/boot/uzyacawwnt/boot/uzyacawwnt pwd 15371⤵
- Executes dropped EXE
-
/boot/tpmouafshf/boot/tpmouafshf "sleep 1" 15371⤵
- Executes dropped EXE
-
/boot/fexpbuwihy/boot/fexpbuwihy "ps -ef" 15371⤵
- Executes dropped EXE
-
/boot/zmonvskqcd/boot/zmonvskqcd "grep \"A\"" 15371⤵
- Executes dropped EXE
-
/boot/pfkidytegx/boot/pfkidytegx "echo \"find\"" 15371⤵
- Executes dropped EXE
-
/boot/fjuaxhqtem/boot/fjuaxhqtem su 15371⤵
- Executes dropped EXE
-
/boot/gihtxhyccd/boot/gihtxhyccd "grep \"A\"" 15371⤵
- Executes dropped EXE
-
/boot/fxgyrureul/boot/fxgyrureul "netstat -antop" 15371⤵
- Executes dropped EXE
-
/boot/xkmpfcuwxj/boot/xkmpfcuwxj "netstat -an" 15371⤵
- Executes dropped EXE
-
/boot/dnpptmcumt/boot/dnpptmcumt id 15371⤵
- Executes dropped EXE
-
/boot/igqxysaqxr/boot/igqxysaqxr uptime 15371⤵
- Executes dropped EXE
-
/boot/zartfhnbfi/boot/zartfhnbfi uptime 15371⤵
- Executes dropped EXE
-
/boot/yxzfabdhcm/boot/yxzfabdhcm uptime 15371⤵
- Executes dropped EXE
-
/boot/hqlvkomaso/boot/hqlvkomaso "netstat -an" 15371⤵
- Executes dropped EXE
-
/boot/daaqnqrmwj/boot/daaqnqrmwj "netstat -an" 15371⤵
- Executes dropped EXE
-
/boot/lwozuxmalb/boot/lwozuxmalb sh 15371⤵
- Executes dropped EXE
-
/boot/jmubomozop/boot/jmubomozop id 15371⤵
- Executes dropped EXE
-
/boot/saqbvelriv/boot/saqbvelriv who 15371⤵
- Executes dropped EXE
-
/boot/kpedxekjro/boot/kpedxekjro "echo \"find\"" 15371⤵
- Executes dropped EXE
-
/boot/dzpdtwrsxs/boot/dzpdtwrsxs "netstat -an" 15371⤵
- Executes dropped EXE
-
/boot/xdxewtfkui/boot/xdxewtfkui bash 15371⤵
- Executes dropped EXE
-
/boot/fqswgqzcyz/boot/fqswgqzcyz ifconfig 15371⤵
- Executes dropped EXE
-
/boot/uygagcwrtv/boot/uygagcwrtv "ps -ef" 15371⤵
- Executes dropped EXE
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
172KB
MD5efe4c9f27cf150869445851dac8f37e1
SHA1bf9ae744320a639ab636bd95606db93cf1ab82b0
SHA256679d791dacf9ea61fcf2d6cc90608e77370a28360af01f2439941babb3254729
SHA512f97eb457be8c5329e36dabc8eb457caa2078e98316d73495a4fbd4222eba5c7cd422647b09567c7f7f63e9e4291f09bd61f6a6732b824d5ea0e468788db0fb20
-
Filesize
480KB
MD5872e17d95d7986256b0e57f4eeb39db3
SHA12013b41d59623a0629e89cf7a5cb8eb1951d4450
SHA256a35e8f5ff727170159dc762ea2b2d7c3f929329f203d20293d213e4190473b41
SHA512e07ab8e18241f63ced256b7d07dfefdd727c4dba7408f8bde17a74b0de53ee2c119fc14aef8edcfd98a3830d4df32014b9afcce79500ceed6e0b74b71eaa5e9f
-
Filesize
647KB
MD5f60e7e3d7e68fac8a5a5827974ff78f0
SHA17bc91c75d85097f885ad507d8c6c7d8b6924b22e
SHA256a518b18d18736dbf2f9c75442753dc9489e46cfc7fab169f80bff4b7bf09c625
SHA512b99b7d4d7bb43ad175977fe9aff8d7cc9a3a3aac2258f5a28cb0edf92bf5b28a71c85ba90cb13b961662f1e486fd6a1312ad98af10bd5072533d08537216ee4d
-
Filesize
488KB
MD5ba2b3b3e32d6da7c3d9c73e5a0f7e806
SHA1a2e4ce93703539e6caa7619c9827e04bd22272d4
SHA256e8a406d1622a8d84b68baa19cff80af13fa885b3878779c98475db9bf47f957b
SHA5128834eb84b78ebc33b0730673a6b1e02b29fba34da923b34619a8aa30d266dba7c1dbe1e0192a9656c33e27b7d98de5fd74af44d7cf78c2adc1a51a317f12f9dd