Analysis

  • max time kernel: 154s
  • max time network: 152s
  • platform: ubuntu-18.04_amd64
  • resource: ubuntu1804-amd64-20231215-en
  • resource tags: arch:amd64, arch:i386, image:ubuntu1804-amd64-20231215-en, kernel:4.15.0-213-generic, locale:en-us, os:ubuntu-18.04-amd64, system
  • submitted: 22-12-2023 03:23

General

  • Target: 5a5fbd54bcfacae5b6b7ba089e7ff543
  • Size: 537KB
  • MD5: 5a5fbd54bcfacae5b6b7ba089e7ff543
  • SHA1: b92b3bf25c0a8246355177bfac4aba5831893827
  • SHA256: 8990c690ba23b4aa59e900084dd27c71b59728857dc30626892d495487791cb3
  • SHA512: 53c36bdd8f2d228e4a4014eb42e982cc32047ea8651912c7dc7926c697df0fbe9fd54df3b9c80a445f0c786d46f3a33b976c21c1ff109b34233035971a5a0b80
  • SSDEEP: 12288:ISraVbNYn/gpq5xnFeEu1eZ1gVcxfwbuHvh3u6yp5k:Im8bKEWt0EucZ1gVcxfwa53U

Malware Config

Extracted

  • Family: xorddos
  • C2:
    • topbannersun.com:5414
    • wowapplecar.com:5414
  • Attributes:
    • crc_polynomial: CDB88320
    • xor.plain

Signatures

  • XorDDoS: botnet and downloader malware targeting Linux-based operating systems and IoT devices.
  • XorDDoS payload (1 IoC)
  • Deletes itself (40 IoCs)
  • Executes dropped EXE (40 IoCs)
  • Creates/modifies Cron job (1 TTP, 1 IoC): cron runs tasks on a schedule and is commonly used for malware persistence.
  • Modifies init.d (1 TTP, 1 IoC): adds or modifies a system service, likely for persistence.
  • Writes file to system bin folder (1 TTP, 47 IoCs)
  • Writes file to shm directory (2 IoCs): malware can drop files in the shm directory, a memory-backed filesystem, so that they run directly from RAM rather than from disk.

Processes

  • PID 1543: /tmp/5a5fbd54bcfacae5b6b7ba089e7ff543
    • PID 1546: /bin/nclqbux (Executes dropped EXE)
    • PID 1550: /bin/qcortrhiangq -d 1547 (Executes dropped EXE)
    • PID 1553: /bin/zxvfipd -d 1547 (Executes dropped EXE)
    • PID 1559: /bin/ovodpm -d 1547 (Executes dropped EXE)
    • PID 1562: /bin/znxcjwopt -d 1547 (Executes dropped EXE)
    • PID 1565: /bin/bidjleiijraow -d 1547 (Executes dropped EXE)
    • PID 1568: /bin/esahjmckb -d 1547 (Executes dropped EXE)
    • PID 1571: /bin/okxcbqrfawol -d 1547 (Executes dropped EXE)
    • PID 1574: /bin/xwmqwaoifii -d 1547 (Executes dropped EXE)
    • PID 1577: /bin/rurbwsp -d 1547 (Executes dropped EXE)
    • PID 1580: /bin/qtkikrjifwjes -d 1547 (Executes dropped EXE)
    • PID 1583: /bin/woxlwctgrnbk -d 1547 (Executes dropped EXE)
    • PID 1586: /bin/zcghuzt -d 1547 (Executes dropped EXE)
    • PID 1589: /bin/mkouskfwfcvvag -d 1547 (Executes dropped EXE)
    • PID 1592: /bin/ezaxmdhdc -d 1547 (Executes dropped EXE)
    • PID 1595: /bin/lmikhlysz -d 1547 (Executes dropped EXE)
    • PID 1598: /bin/mmcktffqhl -d 1547 (Executes dropped EXE)
    • PID 1601: /bin/nnlbqu -d 1547 (Executes dropped EXE)
    • PID 1604: /bin/virhreo -d 1547 (Executes dropped EXE)
    • PID 1607: /bin/cigzuscfnh -d 1547 (Executes dropped EXE)
    • PID 1610: /bin/dqyqdnd -d 1547 (Executes dropped EXE)
    • PID 1613: /bin/ovnvqvmzmsq -d 1547 (Executes dropped EXE)
    • PID 1616: /bin/vazuvrycg -d 1547 (Executes dropped EXE)
    • PID 1619: /bin/ojxmbdzetq -d 1547 (Executes dropped EXE)
    • PID 1622: /bin/gluezussml -d 1547 (Executes dropped EXE)
    • PID 1643: /bin/ujzpqpwta -d 1547 (Executes dropped EXE)
    • PID 1646: /bin/bdxqeug -d 1547 (Executes dropped EXE)
    • PID 1649: /bin/jwlmwuvravu -d 1547 (Executes dropped EXE)
    • PID 1652: /bin/yqoafepe -d 1547 (Executes dropped EXE)
    • PID 1655: /bin/ryaxvqbpynava -d 1547 (Executes dropped EXE)
    • PID 1658: /bin/tukkxghz -d 1547 (Executes dropped EXE)
    • PID 1661: /bin/znghrxlqpjsmgi -d 1547 (Executes dropped EXE)
    • PID 1664: /bin/yjeygen -d 1547 (Executes dropped EXE)
    • PID 1667: /bin/balyiuxou -d 1547 (Executes dropped EXE)
    • PID 1670: /bin/beumxlxpzfa -d 1547 (Executes dropped EXE)
    • PID 1673: /bin/lteryrs -d 1547 (Executes dropped EXE)
    • PID 1676: /bin/tdxbywsuhp -d 1547 (Executes dropped EXE)
    • PID 1679: /bin/ojllvicupe -d 1547 (Executes dropped EXE)
    • PID 1682: /bin/tphxgfqagk -d 1547 (Executes dropped EXE)
    • PID 1735: /bin/vzgqdxkulipz -d 1547 (Executes dropped EXE)


Downloads

  • /bin/nclqbux
    • Filesize: 537KB
    • MD5: 6250df4efd0199f8f1cc71e2fa9d57bf
    • SHA1: 1a7053b1dab667c745ce302ae9092a02c549d235
    • SHA256: fdfd5621d81893d41a6ab9f78291f8b3891461ad274a58c1d6de8ac10ca83c53
    • SHA512: 5071a67acfbad3778c71220aeea3971a7cfc80547e30de3c8bc9086ec0523fe437a74c756faa55ce552495c9d36729519a919955e7d543fa64ac311c62990e51

  • /etc/cron.hourly/xubqlcn.sh
    • Filesize: 144B
    • MD5: 58a29c287a7486b516896b77fb21a93d
    • SHA1: 96ecc54043eab94fe3c52dd61ac341af02c77579
    • SHA256: c1a19f0a7ea40729a46674f918f0788fc06ac50c7c286614ae7551093aa8d88a
    • SHA512: 181395498f3e6d8d4c877d524f1365779d5f115785707ceff146fba7cd86e35faca579821e391771f2ab79ee7649080df9a5f925fd10890b7b13dbffd84f6ce1

  • /etc/daemon.cfg
    • Filesize: 32B
    • MD5: e7a22522f2b9169d1d06bf98f3b15ad3
    • SHA1: d26eec2b6247f62df6eb3082164e0b9d5d4a59dd
    • SHA256: 76d6778b3b21ce607b0222a6c3b4a7638cb345f5b2def2b622f087e9c4cb282a
    • SHA512: 4f3f472fa6a9499cfc341fd84d16d0454dc17bff2c023b5c2b0fce855006664c196c7708d8adb06d36d901954fc7976c40d7755ffc7a05661f3de39e814eaa65

  • /etc/init.d/xubqlcn
    • Filesize: 323B
    • MD5: 3a8792e73510af4c3cfa198bea91ff0c
    • SHA1: 3b1ec7b88c3cae1fe63898f9199490bf44d93d22
    • SHA256: 725249a8fc6b000e432485f58fe14537b30c335cd483283bd7ab3e1eaa98d7da
    • SHA512: 1a28ebb761736fdabc904c29072f54654a7bb30a49e58e2033f84db5071bf4304bee7e7572035c686e7235157cd19f5f58c6f26194aa390cbc0b76dd3f047d8c