Analysis
max time kernel: 152s
max time network: 157s
platform: ubuntu-18.04_amd64
resource: ubuntu1804-amd64-20231215-en
resource tags: arch:amd64 arch:i386 image:ubuntu1804-amd64-20231215-en kernel:4.15.0-213-generic locale:en-us os:ubuntu-18.04-amd64 system
submitted: 22-12-2023 04:53
Behavioral task: behavioral1
Sample: 696238c4be30b209c5a724c48e51575e
Resource: ubuntu1804-amd64-20231215-en
General
Target: 696238c4be30b209c5a724c48e51575e
Size: 537KB
MD5: 696238c4be30b209c5a724c48e51575e
SHA1: f2df00d4f8eca4605f6d5c8b06719fe5c9bd3f20
SHA256: b8287196a4a9ca805698ab5dc377f275340552c70fd04bce08dc11ea48230e1c
SHA512: ad9543b64653b61d6d0376ea9d16a49ba6b8f1eeea768c6caa5df9bb2546b5d10f3952545e4461f1bae1fff7b562084a1bda90132a3d59e52f48f81d96a75950
SSDEEP: 12288:ISraVbNYn/gpq5xnFeEu1eZ1gVcxfwbuHvh3u6yp5k:Im8bKEWt0EucZ1gVcxfwa53U
Malware Config
Extracted: xorddos
topbannersun.com:5515
wowapplecar.com:5515
crc_polynomial: CDB88320
Signatures
XorDDoS
Botnet and downloader malware targeting Linux-based operating systems and IoT devices.
XorDDoS payload 6 IoCs
resource / yara_rule
behavioral1/files/fstream-2.dat - family_xorddos
behavioral1/files/fstream-21.dat - family_xorddos
behavioral1/files/fstream-55.dat - family_xorddos
behavioral1/files/fstream-79.dat - family_xorddos
behavioral1/files/fstream-107.dat - family_xorddos
behavioral1/files/fstream-135.dat - family_xorddos
Deletes itself 63 IoCs
Executes dropped EXE 63 IoCs
Creates/modifies Cron job 1 TTPs 1 IoCs
Cron allows running tasks on a schedule, and is commonly used for malware persistence.
ioc: File opened for modification /etc/cron.hourly/vjrtkfkxkbcm.sh
ioc: File opened for modification /etc/init.d/vjrtkfkxkbcm
Writes file to system bin folder 1 TTPs 64 IoCs
Writes file to shm directory 2 IoCs
Malware can drop malicious files in the shm directory which will run directly from RAM.
ioc: File opened for modification /dev/shm/sem.ky5mET
ioc: File opened for modification /dev/shm/sem.saqtrs
Processes
/tmp/696238c4be30b209c5a724c48e51575e (PID 1549)
/bin/mcbkxkfktrjv (PID 1552) - Executes dropped EXE
/bin/pqrimuce -d 1553 (PID 1559) - Executes dropped EXE
/bin/jykjhqblgdx -d 1553 (PID 1562) - Executes dropped EXE
/bin/lmdufyvpmenv -d 1553 (PID 1565) - Executes dropped EXE
/bin/pccwclwmvgdy -d 1553 (PID 1568) - Executes dropped EXE
/bin/lcoptbdywjwr -d 1553 (PID 1571) - Executes dropped EXE
/bin/lxpiqem -d 1553 (PID 1574) - Executes dropped EXE
/bin/boizbffggwr -d 1553 (PID 1577) - Executes dropped EXE
/bin/midomcmx -d 1553 (PID 1580) - Executes dropped EXE
/bin/fzlcovu -d 1553 (PID 1583) - Executes dropped EXE
/bin/hrvwavxha -d 1553 (PID 1586) - Executes dropped EXE
/bin/zwxlhbbtf -d 1553 (PID 1589) - Executes dropped EXE
/bin/shurvyfq -d 1553 (PID 1592) - Executes dropped EXE
/bin/zykvum -d 1553 (PID 1595) - Executes dropped EXE
/bin/twsyjrwjfdk -d 1553 (PID 1598) - Executes dropped EXE
/bin/yrwqysj -d 1553 (PID 1601) - Executes dropped EXE
/bin/rokkokwjglbzh -d 1553 (PID 1604) - Executes dropped EXE
/bin/zslxbqdnyb -d 1553 (PID 1607) - Executes dropped EXE
/bin/wufpdyguksiu -d 1553 (PID 1609) - Executes dropped EXE
/bin/tabubk -d 1553 (PID 1613) - Executes dropped EXE
/bin/cfaaisfw -d 1553 (PID 1616) - Executes dropped EXE
/bin/chgiimc -d 1553 (PID 1619) - Executes dropped EXE
/bin/empxhry -d 1553 (PID 1622) - Executes dropped EXE
/bin/tlqvqtxylc -d 1553 (PID 1624) - Executes dropped EXE
/bin/glbwpi -d 1553 (PID 1628) - Executes dropped EXE
/bin/zsrbnxpcuw -d 1553 (PID 1631) - Executes dropped EXE
/bin/tzogsmy -d 1553 (PID 1634) - Executes dropped EXE
/bin/jyyovfbwdqg -d 1553 (PID 1637) - Executes dropped EXE
/bin/szytmwlqqhll -d 1553 (PID 1640) - Executes dropped EXE
/bin/arbmpovqol -d 1553 (PID 1643) - Executes dropped EXE
/bin/vmjafrixqgs -d 1553 (PID 1646) - Executes dropped EXE
/bin/vnigwiazw -d 1553 (PID 1649) - Executes dropped EXE
/bin/prhffubrfd -d 1553 (PID 1652) - Executes dropped EXE
/bin/xlvpuou -d 1553 (PID 1655) - Executes dropped EXE
/bin/tqtgacei -d 1553 (PID 1658) - Executes dropped EXE
/bin/fexuyfadbdwh -d 1553 (PID 1661) - Executes dropped EXE
/bin/vesstmg -d 1553 (PID 1664) - Executes dropped EXE
/bin/mcigkikptow -d 1553 (PID 1667) - Executes dropped EXE
/bin/lrzstewwbd -d 1553 (PID 1670) - Executes dropped EXE
/bin/yjwqek -d 1553 (PID 1673) - Executes dropped EXE
/bin/wxbeflorc -d 1553 (PID 1676) - Executes dropped EXE
/bin/ssinlnjjqo -d 1553 (PID 1679) - Executes dropped EXE
/bin/oxkedwf -d 1553 (PID 1682) - Executes dropped EXE
/bin/vgfauurybyzkt -d 1553 (PID 1685) - Executes dropped EXE
/bin/tgeirnyfbmensh -d 1553 (PID 1688) - Executes dropped EXE
/bin/yjfgoh -d 1553 (PID 1691) - Executes dropped EXE
/bin/ibzmzaysst -d 1553 (PID 1694) - Executes dropped EXE
/bin/ybrmzw -d 1553 (PID 1697) - Executes dropped EXE
/bin/ncegmngvumjcp -d 1553 (PID 1700) - Executes dropped EXE
/bin/dogeogxiazjdrv -d 1553 (PID 1703) - Executes dropped EXE
/bin/pmssqagfg -d 1553 (PID 1705) - Executes dropped EXE
/bin/ekijaqnq -d 1553 (PID 1711) - Executes dropped EXE
/bin/mzzmicff -d 1553 (PID 1714) - Executes dropped EXE
/bin/utaolauqjxse -d 1553 (PID 1716) - Executes dropped EXE
/bin/yquhqnvgkhh -d 1553 (PID 1720) - Executes dropped EXE
/bin/vrnayvxtv -d 1553 (PID 1722) - Executes dropped EXE
/bin/exixihpm -d 1553 (PID 1726) - Executes dropped EXE
/bin/qeqxufsdp -d 1553 (PID 1728) - Executes dropped EXE
/bin/kaxenaeix -d 1553 (PID 1732) - Executes dropped EXE
/bin/fkedsblctaxj -d 1553 (PID 1734) - Executes dropped EXE
/bin/pgbubejdqlc -d 1553 (PID 1738) - Executes dropped EXE
/bin/cbjzzrkdweh -d 1553 (PID 1741) - Executes dropped EXE
/bin/galelstrtqszb -d 1553 (PID 1744) - Executes dropped EXE
Downloads