Analysis

  • max time kernel
    2s
  • max time network
    128s
  • platform
    ubuntu-18.04_amd64
  • resource
    ubuntu1804-amd64-20231222-en
  • resource tags

    arch:amd64, arch:i386, image:ubuntu1804-amd64-20231222-en, kernel:4.15.0-213-generic, locale:en-us, os:ubuntu-18.04-amd64, system
  • submitted
    22-12-2023 00:40

General

  • Target

    39ffc090c3be8b2e3835c5c887d05573

  • Size

    538KB

  • MD5

    39ffc090c3be8b2e3835c5c887d05573

  • SHA1

    70f4f7f0a05b934fe7bd709ab6341d1d7c133105

  • SHA256

    02663b6c8c7738fdc443491983ea3f5d7e7ea91a784a9cb006b0b4ded0a737f4

  • SHA512

    a14cebafb26bb11c242974142bfbcf7bd8308c0ded4dd95e525f8390ab47561a7452b6b1351553eae87c37c630d958ef28321dba7d060eb9ae96bca8cc222f95

  • SSDEEP

    12288:fB+OFJ52snwnBrHnL0iTwseG3vtxaYEM/tiL6yXZ:JzL5ZyrIiTNeG3vtxaYEwiL

Malware Config

Extracted

  • Family
    xorddos
  • C2
    topbannersun.com:5212
    wowapplecar.com:5212
  • Attributes
    • crc_polynomial
      CDB88320
    • xor.plain

Signatures

  • XorDDoS

    Botnet and downloader malware targeting Linux-based operating systems and IoT devices.

  • XorDDoS payload 2 IoCs
  • Deletes itself 1 IoCs
  • Executes dropped EXE 1 IoCs
  • Creates/modifies Cron job 1 TTPs 1 IoCs

    Cron allows running tasks on a schedule, and is commonly used for malware persistence.

  • Modifies init.d 1 TTPs 1 IoCs

    Adds/modifies system service, likely for persistence.

  • Writes file to system bin folder 1 TTPs 4 IoCs
  • Writes file to shm directory 2 IoCs

    Malware can drop malicious files in the shm directory which will run directly from RAM.

Processes

  • /tmp/39ffc090c3be8b2e3835c5c887d05573
    PID:1588
    • /bin/axjdumprjvmewz
      • Executes dropped EXE
      PID:1600

    Downloads

    • /bin/axjdumprjvmewz

      Filesize

      442KB

      MD5

      03116c7df5765baea6533e063ad36cee

      SHA1

      82fb127381ad3a61d22e4ffffe7e30a4c0998e10

      SHA256

      fd715d0f4aa657093324210bfbb4a8e834d62eb13f9c20da231f2b0f445d82cc

      SHA512

      aaf052d73bda54118a78f4c1756dcfc92e91b2d8234a36a6ffbe07ee9fd8f30f668ee274015ca72a659d2fcad79d108036621022dbddb62196517797d1739b5e

    • /bin/zwemvjrpmudjxa

      Filesize

      538KB

      MD5

      d93b8d869e5023dabb4504a61eebb4e8

      SHA1

      574b5c00d6c7b44d6b49e0322c725600fad737eb

      SHA256

      33bbb56e2c4322db22456ba8c2800979ad1eb34182d576467e2c4dbebe8e44c7

      SHA512

      9f9f1054b9a49c0e2e74381fdb197aa0de8c1f5a8ea0ba8261fa007eba654728856e75a22f98e32f734ff59dba60915d639144b6bb8cb2a350e1761ffb6e66ad

    • /etc/cron.hourly/zwemvjrpmudjxa.sh

      Filesize

      151B

      MD5

      52112589bffbccb9c3819aaa96219e82

      SHA1

      47074a290a755a8f4deec6305684e3a8cd8432fa

      SHA256

      10d54f96be44adb29e21901a2fdf45f86baaf83c32335f0ef5d0c65b6ac6143f

      SHA512

      1f61ed4f5310dfd05e3866ce90ec60509e61722b804e31ee2a0ca5cb363e589d358c4867d9db79458d98bc45bf0ed30a3158fc6e9ede732b68f1f9ff71d3f9f7

    • /etc/init.d/zwemvjrpmudjxa

      Filesize

      358B

      MD5

      6286f8e758b3e29074ce1f9f9c5c23a8

      SHA1

      25f3606ae52b4ab0de203df546df1e0209e4ac1d

      SHA256

      3338e1b3160380213cb7f490f00ac9c3c48a1a6074ee60bde06d77b9be9e83e7

      SHA512

      81195614a5038bc66da88f1adae1a2d01249cd4c02f49808b0518f1bb3e747a870ceecf042646dc92b23494f93047dbc5c51b0d1b7c73b5a9948366c8d999027