Analysis
-
max time kernel
13s -
max time network
146s -
platform
ubuntu-18.04_amd64 -
resource
ubuntu1804-amd64-20231222-en -
resource tags
-
submitted
22-12-2023 00:30
General
-
Target
3765193e92c10eab1dc09a2c89857734
-
Size
610KB
-
MD5
3765193e92c10eab1dc09a2c89857734
-
SHA1
6bb8b7eb78646a88a0bf1a9067ea4998fff4de06
-
SHA256
c3ca04f3ea1f643ec2e04117efbcba263646307732b3ea1a27fa0cdb038651ac
-
SHA512
01f7ad629ef40fd55f47d25ecc969c42297583668967c21a10512cfccfb5e07402a61d56716954ecf8c29e49eb44e7aa69293f0ca5a72b55d87c5dbe39d7141c
-
SSDEEP
12288:WBmHsnhar0nJ7FGY5HRYxC1mqiL40qFCWU7k/gU6yZNnXgW4UlUuTh1AG:WBmHgaUVFGAR11mTL40q/qGpXgUl/91h
Malware Config
Extracted
xorddos
http://www1.gggatat456.com/dd.rar
ppp.gggatat456.com:1523
ppp.xxxatat456.com:1523
-
crc_polynomial
EDB88320
Signatures
-
XorDDoS
Botnet and downloader malware targeting Linux-based operating systems and IoT devices.
-
XorDDoS payload 8 IoCs
-
Executes dropped EXE 14 IoCs
-
Checks CPU configuration 1 TTPs 1 IoCs
Checks CPU information which indicate if the system is a virtual machine.
-
Creates a large amount of network flows 1 TTPs
This may indicate a network scan to discover remotely running services.
-
Creates/modifies Cron job 1 TTPs 2 IoCs
Cron allows running tasks on a schedule, and is commonly used for malware persistence.
-
Modifies init.d 1 TTPs 1 IoCs
Adds/modifies system service, likely for persistence.
-
Write file to user bin folder 1 TTPs 3 IoCs
-
Reads runtime system information 10 IoCs
Reads data from /proc virtual filesystem.
Processes
-
/tmp/3765193e92c10eab1dc09a2c89857734/tmp/3765193e92c10eab1dc09a2c898577341⤵
-
/bin/chkconfigchkconfig --add 3765193e92c10eab1dc09a2c898577341⤵
-
/sbin/chkconfigchkconfig --add 3765193e92c10eab1dc09a2c898577341⤵
-
/usr/bin/chkconfigchkconfig --add 3765193e92c10eab1dc09a2c898577341⤵
-
/usr/sbin/chkconfigchkconfig --add 3765193e92c10eab1dc09a2c898577341⤵
-
/usr/local/bin/chkconfigchkconfig --add 3765193e92c10eab1dc09a2c898577341⤵
-
/usr/local/sbin/chkconfigchkconfig --add 3765193e92c10eab1dc09a2c898577341⤵
-
/usr/X11R6/bin/chkconfigchkconfig --add 3765193e92c10eab1dc09a2c898577341⤵
-
/bin/update-rc.dupdate-rc.d 3765193e92c10eab1dc09a2c89857734 defaults1⤵
-
/sbin/update-rc.dupdate-rc.d 3765193e92c10eab1dc09a2c89857734 defaults1⤵
-
/usr/bin/update-rc.dupdate-rc.d 3765193e92c10eab1dc09a2c89857734 defaults1⤵
-
/usr/sbin/update-rc.dupdate-rc.d 3765193e92c10eab1dc09a2c89857734 defaults1⤵
-
/bin/systemctlsystemctl daemon-reload2⤵
- Reads runtime system information
-
-
/bin/shsh -c "sed -i '/\\/etc\\/cron.hourly\\/gcc.sh/d' /etc/crontab && echo '*/3 * * * * root /etc/cron.hourly/gcc.sh' >> /etc/crontab"1⤵
- Creates/modifies Cron job
-
/bin/sedsed -i "/\\/etc\\/cron.hourly\\/gcc.sh/d" /etc/crontab2⤵
- Reads runtime system information
-
-
/usr/bin/fnjdxcyzaj/usr/bin/fnjdxcyzaj bash 15771⤵
- Executes dropped EXE
-
/usr/bin/fnjdxcyzaj/usr/bin/fnjdxcyzaj whoami 15771⤵
- Executes dropped EXE
-
/usr/bin/fnjdxcyzaj/usr/bin/fnjdxcyzaj "grep \"A\"" 15771⤵
- Executes dropped EXE
-
/usr/bin/fnjdxcyzaj/usr/bin/fnjdxcyzaj pwd 15771⤵
- Executes dropped EXE
-
/usr/bin/fnjdxcyzaj/usr/bin/fnjdxcyzaj su 15771⤵
- Executes dropped EXE
-
/usr/bin/kigpxpghko/usr/bin/kigpxpghko ls 15771⤵
- Executes dropped EXE
-
/usr/bin/kigpxpghko/usr/bin/kigpxpghko uptime 15771⤵
- Executes dropped EXE
-
/usr/bin/kigpxpghko/usr/bin/kigpxpghko uptime 15771⤵
- Executes dropped EXE
-
/usr/bin/kigpxpghko/usr/bin/kigpxpghko who 15771⤵
- Executes dropped EXE
-
/usr/bin/kigpxpghko/usr/bin/kigpxpghko top 15771⤵
- Executes dropped EXE
-
/usr/bin/yeggpzlutb/usr/bin/yeggpzlutb ifconfig 15771⤵
- Executes dropped EXE
-
/usr/bin/yeggpzlutb/usr/bin/yeggpzlutb who 15771⤵
- Executes dropped EXE
-
/usr/bin/yeggpzlutb/usr/bin/yeggpzlutb top 15771⤵
- Executes dropped EXE
-
/usr/bin/yeggpzlutb/usr/bin/yeggpzlutb uptime 15771⤵
- Executes dropped EXE
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
228B
MD53bab747cedc5f0ebe86aaa7f982470cd
SHA13c7d1c6931c2b3dae39d38346b780ea57c8e6142
SHA25674d31cac40d98ee64df2a0c29ceb229d12ac5fa699c2ee512fc69360f0cf68c5
SHA51221e8a6d9ca8531d37def83d8903e5b0fa11ecf33d85d05edab1e0feb4acac65ae2cf5222650fb9f533f459ccc51bb2903276ff6f827b847cc5e6dac7d45a0a42
-
Filesize
425B
MD509998abccf5ee7c749d9e0fd6e4f2e62
SHA16a2043d67bd6b966ef1bdec884061e642907f619
SHA256c964d5f7b71ff1d7ebb88dc40436f0dd415f51acc689fab075dc145e275d6ba3
SHA5124321b8d26cfd03f3243f7065329d7612a97e3da346923af8695db34b28cefe83bf2ba2fd7204598849f7a8b8649c4f5742d9a8b7393430abfa8bb4c74c99cc7e
-
Filesize
722B
MD58f111d100ea459f68d333d63a8ef2205
SHA1077ca9c46a964de67c0f7765745d5c6f9e2065c3
SHA2560e5c204385b21e15b031c83f37212bf5a4ee77b51762b7b54bd6ad973ebdf354
SHA512d81767b47fb84aaf435f930356ded574ee9825ec710a2e7c26074860d8a385741d65572740137b6f9686c285a32e2951ca933393b266746988f1737aad059adb
-
Filesize
322KB
MD5255af299f61bd79a50c7fb777f6532df
SHA158b86ed26199da08cc16551d3f9214814d82c789
SHA256ffc105c1c876a38c3e80c14653635536ad49595f687cffe873fd76a5f5491f8a
SHA512495868ae5829028bfc88bb447c412bd8b7d66ecef011e6d7de31dddd8e4c427d2bb0b8f280d24f1d8220b766c196246f564497b529ec79ac77b43452429f558d
-
Filesize
32B
MD5293a5b98795a902cb4b87ca312746e6c
SHA17d0fecdbe8c6405e78ec132bd7308db3445ae3e1
SHA2561551865fe38e0c2f117dccfd529ab1d7e1220a5acfe217bc39edd2fb6dc2ea47
SHA51293f03e707a97917f2ab31aeee09ca531069690535d0d08086926c1f88d6f40c19290c33a8a4278a9bed3e513e7cf3f889c665093a3f6c4e1d894c4a0081ddd12
-
Filesize
610KB
MD53765193e92c10eab1dc09a2c89857734
SHA16bb8b7eb78646a88a0bf1a9067ea4998fff4de06
SHA256c3ca04f3ea1f643ec2e04117efbcba263646307732b3ea1a27fa0cdb038651ac
SHA51201f7ad629ef40fd55f47d25ecc969c42297583668967c21a10512cfccfb5e07402a61d56716954ecf8c29e49eb44e7aa69293f0ca5a72b55d87c5dbe39d7141c
-
Filesize
610KB
MD5dacd902503baef1c8000fdb56bbd769c
SHA1d283a8920ac2854c7c519eea4495d5d9f2d6da76
SHA2562992e37dd91a7f50f1237fd94603a9062a079b7089eca45e0fb3292c1941ea4c
SHA512bf7ad63ea6545ea38109bb16000d8e5a9ffeeaa69847008123c86b86e282e8e63e387ccbbe69acfd9bff64a7c77e57e0d9f671df403d393cb443f6e22660a72b
-
Filesize
610KB
MD5a5753206f695fd928e544294781a849e
SHA145fd13efb8124462dbfdcbfcb49af2e37aa7e096
SHA256c74d19112235af72d269212360dba58da0c0905350b42f58ecbe0da9979e5581
SHA5123ff06d84b9f80ae813bc9437042b6165981bc8676564eac27f64a7f532d7372a8a4a2fc05579fe87bdd405b75e53306171c27e360e047424b7e09a9f79c3d602
-
Filesize
610KB
MD56efafe2fa79eae34cf3ab08000ba5f6c
SHA1424b1a1043cd1a0c6f4e15f9bb35521ef327ffcb
SHA2561b82ddb065ee485c51cc51893a7b438c745c51c2a73963b7fe259ddaa0047e49
SHA512ec9bd67bd1f9e26f3880a8d1a0cb2a800e43ae350b33cc3ddb6313a91713ef7615d29474c1fe4067bdaeea0533fd3801f6d7b4234e26c1b407ce9e1b33151849
-
Filesize
610KB
MD5ad34b2923a292c9ec86b44f8d7aceed3
SHA1ad7360a82b063e8b4f6f8e80d1271ef694cb79a2
SHA256620b167dcf31d65ad423abaaf7cf11845acf71d69d6af57914cc5affe4867774
SHA512356881157b371589d7a63db9be9cf71ed1e145a80983ed6221c1c4e561374745ed7237c4efd0b1d15f2ad614ed6693b4e8ae997b4b465336fc104e5d907a396b
-
Filesize
610KB
MD500efb4378acb8fd3a495b9975209fd5a
SHA16bed5d9125e4158b600e61be46353368856c9d6d
SHA25697a52d1b82129d4b925409e906a315d96c0f8599a34d6381d16c1658c9ddaf3b
SHA512bc7234fd6f971d8f6e3d15f53c977ff6d3dc8ed78c8dc6ff02851b22ba4c3a802079ba6f2110a85090b9fa40a5280e665ae0d0a715142a1e0f7845829cec81ec
-
Filesize
610KB
MD55f0442690977c8501beafb46ef54db0a
SHA1d93bcecda9e2ae0b3bbbedda98be08582aa6b7a9
SHA256512ef9948155f0c3b886fe7c98b2161fd608f110d0fcebb97583171a29305764
SHA512b583f69f540f3c277a692d804edf20d818d39bf07682784adbbdc58a014566c6358aae9ce4cc8489e3641c6863d8852d0fca1856cf3b8c6310dce30b46c5c093