Analysis

  • max time kernel
    21s
  • max time network
    151s
  • platform
    ubuntu-18.04_amd64
  • resource
    ubuntu1804-amd64-20231222-en
  • resource tags
    arch:amd64, arch:i386, image:ubuntu1804-amd64-20231222-en, kernel:4.15.0-213-generic, locale:en-us, os:ubuntu-18.04-amd64, system
  • submitted
    22-12-2023 01:16

General

  • Target
    4354ecf6edd10d7625b429d765308ee2
  • Size
    543KB
  • MD5
    4354ecf6edd10d7625b429d765308ee2
  • SHA1
    a936a99d2fbcb2666dbf4dcadd9e89ceadacb971
  • SHA256
    f17b59caed6d1c06938854996cd6064308f31ec88a39ff2553b52368f9a12384
  • SHA512
    c561361f8d1f9a211cc2e08662ff88b99c53700d77da6603d227379f122525171ced92d00edb1c7b5cfc9825b02cd24a1a060367e775e9ed630f853a2bbb5f79
  • SSDEEP
    12288:1p+duTlNbCIn53vlJU0VkW3C3jyiXcsPl3D2KSKqfj6y1mC:r+ITlNblJ3UHW3CuiXcsPZDmKqfx7

Malware Config

Extracted

  • Family
    xorddos
  • C2
    topbannersun.com:5616
    wowapplecar.com:5616
  • Attributes
    crc_polynomial: CDB88320
    xor.plain

Signatures

  • XorDDoS
    Botnet and downloader malware targeting Linux-based operating systems and IoT devices.
  • XorDDoS payload (1 IoC)
  • Deletes itself (22 IoCs)
  • Executes dropped EXE (22 IoCs)
  • Creates/modifies Cron job (1 TTP, 1 IoC)
    Cron allows running tasks on a schedule, and is commonly used for malware persistence.
  • Modifies init.d (1 TTP, 1 IoC)
    Adds/modifies system service, likely for persistence.
  • Writes file to system bin folder (1 TTP, 25 IoCs)
  • Writes file to shm directory (2 IoCs)
    Malware can drop malicious files in the shm directory which will run directly from RAM.

Processes

  • /tmp/4354ecf6edd10d7625b429d765308ee2
    /tmp/4354ecf6edd10d7625b429d765308ee2
    PID:1586
    • /bin/drammvoplivwh
      /bin/drammvoplivwh
      • Executes dropped EXE
      PID:1599
    • /bin/augzxjgeqn
      /bin/augzxjgeqn -d 1600
      • Executes dropped EXE
      PID:1604
    • /bin/tuzhffiuu
      /bin/tuzhffiuu -d 1600
      • Executes dropped EXE
      PID:1607
    • /bin/yqqgpgdxyuktii
      /bin/yqqgpgdxyuktii -d 1600
      • Executes dropped EXE
      PID:1610
    • /bin/wjhyca
      /bin/wjhyca -d 1600
      • Executes dropped EXE
      PID:1617
    • /bin/eiajsudnswd
      /bin/eiajsudnswd -d 1600
      • Executes dropped EXE
      PID:1620
    • /bin/qeiycnyxrixcb
      /bin/qeiycnyxrixcb -d 1600
      • Executes dropped EXE
      PID:1624
    • /bin/iqoeuprhvbtuyz
      /bin/iqoeuprhvbtuyz -d 1600
      • Executes dropped EXE
      PID:1627
    • /bin/gywkju
      /bin/gywkju -d 1600
      • Executes dropped EXE
      PID:1630
    • /bin/wvopdnr
      /bin/wvopdnr -d 1600
      • Executes dropped EXE
      PID:1633
    • /bin/jzxxftowajave
      /bin/jzxxftowajave -d 1600
      • Executes dropped EXE
      PID:1636
    • /bin/qiurfixasohz
      /bin/qiurfixasohz -d 1600
      • Executes dropped EXE
      PID:1639
    • /bin/jdsdlcqdw
      /bin/jdsdlcqdw -d 1600
      • Executes dropped EXE
      PID:1642
    • /bin/qmuatlmjdud
      /bin/qmuatlmjdud -d 1600
      • Executes dropped EXE
      PID:1645
    • /bin/zlscfgj
      /bin/zlscfgj -d 1600
      • Executes dropped EXE
      PID:1648
    • /bin/dukxzvzpav
      /bin/dukxzvzpav -d 1600
      • Executes dropped EXE
      PID:1651
    • /bin/pdnrpouq
      /bin/pdnrpouq -d 1600
      • Executes dropped EXE
      PID:1654
    • /bin/umifwww
      /bin/umifwww -d 1600
      • Executes dropped EXE
      PID:1657
    • /bin/pecmcujjfmbqcl
      /bin/pecmcujjfmbqcl -d 1600
      • Executes dropped EXE
      PID:1660
    • /bin/fzbwnxnerbmyzj
      /bin/fzbwnxnerbmyzj -d 1600
      • Executes dropped EXE
      PID:1663
    • /bin/iabkmfgw
      /bin/iabkmfgw -d 1600
      • Executes dropped EXE
      PID:1666
    • /bin/emhmug
      /bin/emhmug -d 1600
      • Executes dropped EXE
      PID:1669

Downloads

  • /bin/drammvoplivwh
    Filesize
    543KB
    MD5
    4fedb6043e043dcf4bf3f68c074d2ae3
    SHA1
    b0de474db49b7bcbdec3f4518f0450883c9c7800
    SHA256
    3185bc9e46c9dfea5b2dda15742d3e9b50eab0e2bbe8f3aade442e032afd9b36
    SHA512
    68ff5b4aed237847ce4dbadc7f79cc0efefe21688b782aff7cb2bfb9ecf640cce441cbdfbb0f0bac91b73cd22487ebcf0faf08e1c8b213164fbb052e3c408460
  • /etc/cron.hourly/hwvilpovmmard.sh
    Filesize
    150B
    MD5
    189fdabcd70190bb50a2b2457de91a8e
    SHA1
    1bda24df7fcd14ad4317841acce593c3f87fece7
    SHA256
    4cc60e3db2bad222c21cc08181eff1ca77300deb8e8f1e2b3f90437ce1db972b
    SHA512
    8cb81d11f9de0c200cb1a393856a2dc35f8547c5007bf48a8f2fec36a5c67bd9519f46ce69141a227560c92e20979a56d6986973bbe1ed89d2e7f9d89ba95dd6
  • /etc/daemon.cfg
    Filesize
    32B
    MD5
    c6e78b1c7c74bfde524a2ef1c95d1fc3
    SHA1
    37f2e97311ac2956068eeddd42815de282ad019e
    SHA256
    c46fc82e07641d7d77a8bec8871332ed1a918eb8fd130e91bf54c834d6803d34
    SHA512
    65b2f891681555c655da73bf62b5ec3f0b8abe816fefbe6978942ee41b5418b478c0b58ef49b4e0152265f7db7ca5c2efda7e7f9517f9c30bc970ed222131dc6
  • /etc/init.d/hwvilpovmmard
    Filesize
    353B
    MD5
    157666ba91011cc7eea634c8558cab17
    SHA1
    0a1fe0a4056c93c8564fc501eb7d2bfc5689be43
    SHA256
    cfbb206c0efd2ab9ac6ac53939ca70f09e8e61a9f3e3acd4fe06f41c9dbf68ee
    SHA512
    1cc8df00282450e7f54eaf183c3316d7a6157594aa916e62c3f2c5f967dce739e46236e04bc879bc57e48c3d6c56a87dc9ea29675a4b8c9002c094087b447650