Analysis

  • max time kernel
    152s
  • max time network
    157s
  • platform
    ubuntu-18.04_amd64
  • resource
    ubuntu1804-amd64-20231215-en
  • resource tags

    arch:amd64
    arch:i386
    image:ubuntu1804-amd64-20231215-en
    kernel:4.15.0-213-generic
    locale:en-us
    os:ubuntu-18.04-amd64
    system
  • submitted
    22-12-2023 04:53

General

  • Target

    696238c4be30b209c5a724c48e51575e

  • Size

    537KB

  • MD5

    696238c4be30b209c5a724c48e51575e

  • SHA1

    f2df00d4f8eca4605f6d5c8b06719fe5c9bd3f20

  • SHA256

    b8287196a4a9ca805698ab5dc377f275340552c70fd04bce08dc11ea48230e1c

  • SHA512

    ad9543b64653b61d6d0376ea9d16a49ba6b8f1eeea768c6caa5df9bb2546b5d10f3952545e4461f1bae1fff7b562084a1bda90132a3d59e52f48f81d96a75950

  • SSDEEP

    12288:ISraVbNYn/gpq5xnFeEu1eZ1gVcxfwbuHvh3u6yp5k:Im8bKEWt0EucZ1gVcxfwa53U

Malware Config

Extracted

Family

xorddos

C2

topbannersun.com:5515

wowapplecar.com:5515

Attributes
  • crc_polynomial

    CDB88320

xor.plain
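The two attributes the extractor reports above (a CRC polynomial and a plain XOR key kind) are the pieces an analyst needs to reproduce the sample's checksums and decode its XOR-obscured strings. The following is an added example for this page, not code from the report or from XorDDoS. It builds a reflected, table-driven CRC-32 from the reported polynomial 0xCDB88320 (which differs from the standard 0xEDB88320 in one bit of the top nibble, so zlib will not reproduce it) and a repeating-key XOR decoder. The page does not state what data the sample checksums, the CRC init/xorout values, or the XOR key: init/xorout are assumed to be the usual 0xFFFFFFFF, KEY is a placeholder, and SAMPLE_BLOB is constructed here by encoding the two C2 strings listed above.

```python
"""Reproduce the two config attributes the extractor reports for this sample.

Added example for this page; not code from the report or from XorDDoS.
crc_polynomial = CDB88320 is a reflected (LSB-first) CRC-32 polynomial and
xor.plain names a plain repeating-key XOR. KEY is a placeholder and
SAMPLE_BLOB is constructed test data; the real key must be recovered from
the sample itself.
"""
import string
import zlib

REPORTED_POLY = 0xCDB88320   # from the Malware Config section of the report
STANDARD_POLY = 0xEDB88320   # IEEE 802.3 reflected polynomial, for comparison


def make_crc_table(poly):
    """256-entry lookup table for a reflected CRC-32 built from `poly`."""
    table = []
    for n in range(256):
        c = n
        for _ in range(8):
            c = (c >> 1) ^ poly if c & 1 else c >> 1
        table.append(c)
    return table


def crc32(data, poly=REPORTED_POLY, init=0xFFFFFFFF, xorout=0xFFFFFFFF):
    """Table-driven reflected CRC-32. init/xorout are the conventional values
    and an assumption here: the report only states the polynomial."""
    table = make_crc_table(poly)
    crc = init
    for b in data:
        crc = table[(crc ^ b) & 0xFF] ^ (crc >> 8)
    return (crc ^ xorout) & 0xFFFFFFFF


def table_signature(poly):
    """Little-endian bytes of table entries 0x80..0x83. Entry 0x80 of a
    reflected table is always the polynomial itself, which makes the table
    easy to locate in the binary's .rodata or in a memory dump."""
    t = make_crc_table(poly)
    return b"".join(t[i].to_bytes(4, "little") for i in range(0x80, 0x84))


def xor_apply(blob, key):
    """Plain repeating-key XOR; encoding and decoding are the same operation."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(blob))


def decode_strings(blob, key, min_len=4):
    """Decode `blob` with `key` and return the NUL-separated printable strings."""
    printable = set(string.printable.encode()) - set(b"\t\n\r\x0b\x0c")
    out = []
    for chunk in xor_apply(blob, key).split(b"\x00"):
        if len(chunk) >= min_len and all(c in printable for c in chunk):
            out.append(chunk.decode())
    return out


KEY = b"PLACEHOLDER_KEY!"   # placeholder, not the sample's key
C2 = [b"topbannersun.com:5515", b"wowapplecar.com:5515"]   # from the report
SAMPLE_BLOB = xor_apply(b"\x00".join(C2) + b"\x00", KEY)   # constructed test data


if __name__ == "__main__":
    # sanity check of the CRC routine against the standard polynomial
    assert crc32(b"123456789", STANDARD_POLY) == zlib.crc32(b"123456789") == 0xCBF43926
    print("crc32 with reported poly:", hex(crc32(b"123456789")))
    print("table signature to hunt for:", table_signature(REPORTED_POLY).hex())
    print("decoded strings:", decode_strings(SAMPLE_BLOB, KEY))
```

To use it on the real sample, replace KEY with the key recovered from the binary and feed the XOR-obscured data region to decode_strings; the byte string from table_signature(REPORTED_POLY) is a useful YARA or memory-search pattern for the sample's CRC table.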

Signatures

  • XorDDoS

    Botnet and downloader malware targeting Linux-based operating systems and IoT devices.

  • XorDDoS payload 6 IoCs
  • Deletes itself 63 IoCs
  • Executes dropped EXE 63 IoCs
  • Creates/modifies Cron job 1 TTPs 1 IoCs

    Cron allows running tasks on a schedule, and is commonly used for malware persistence.

  • Modifies init.d 1 TTPs 1 IoCs

    Adds or modifies a system service, likely for persistence.

  • Writes file to system bin folder 1 TTPs 64 IoCs
  • Writes file to shm directory 2 IoCs

    Files dropped in the shm directory (/dev/shm, a tmpfs mount) live in memory rather than on disk, so they leave no on-disk artifact and disappear at reboot.

Processes

  • /tmp/696238c4be30b209c5a724c48e51575e
    /tmp/696238c4be30b209c5a724c48e51575e
    1⤵
      PID:1549
    • /bin/mcbkxkfktrjv
      /bin/mcbkxkfktrjv
      1⤵
      • Executes dropped EXE
      PID:1552
    • /bin/pqrimuce
      /bin/pqrimuce -d 1553
      1⤵
      • Executes dropped EXE
      PID:1559
    • /bin/jykjhqblgdx
      /bin/jykjhqblgdx -d 1553
      1⤵
      • Executes dropped EXE
      PID:1562
    • /bin/lmdufyvpmenv
      /bin/lmdufyvpmenv -d 1553
      1⤵
      • Executes dropped EXE
      PID:1565
    • /bin/pccwclwmvgdy
      /bin/pccwclwmvgdy -d 1553
      1⤵
      • Executes dropped EXE
      PID:1568
    • /bin/lcoptbdywjwr
      /bin/lcoptbdywjwr -d 1553
      1⤵
      • Executes dropped EXE
      PID:1571
    • /bin/lxpiqem
      /bin/lxpiqem -d 1553
      1⤵
      • Executes dropped EXE
      PID:1574
    • /bin/boizbffggwr
      /bin/boizbffggwr -d 1553
      1⤵
      • Executes dropped EXE
      PID:1577
    • /bin/midomcmx
      /bin/midomcmx -d 1553
      1⤵
      • Executes dropped EXE
      PID:1580
    • /bin/fzlcovu
      /bin/fzlcovu -d 1553
      1⤵
      • Executes dropped EXE
      PID:1583
    • /bin/hrvwavxha
      /bin/hrvwavxha -d 1553
      1⤵
      • Executes dropped EXE
      PID:1586
    • /bin/zwxlhbbtf
      /bin/zwxlhbbtf -d 1553
      1⤵
      • Executes dropped EXE
      PID:1589
    • /bin/shurvyfq
      /bin/shurvyfq -d 1553
      1⤵
      • Executes dropped EXE
      PID:1592
    • /bin/zykvum
      /bin/zykvum -d 1553
      1⤵
      • Executes dropped EXE
      PID:1595
    • /bin/twsyjrwjfdk
      /bin/twsyjrwjfdk -d 1553
      1⤵
      • Executes dropped EXE
      PID:1598
    • /bin/yrwqysj
      /bin/yrwqysj -d 1553
      1⤵
      • Executes dropped EXE
      PID:1601
    • /bin/rokkokwjglbzh
      /bin/rokkokwjglbzh -d 1553
      1⤵
      • Executes dropped EXE
      PID:1604
    • /bin/zslxbqdnyb
      /bin/zslxbqdnyb -d 1553
      1⤵
      • Executes dropped EXE
      PID:1607
    • /bin/wufpdyguksiu
      /bin/wufpdyguksiu -d 1553
      1⤵
      • Executes dropped EXE
      PID:1609
    • /bin/tabubk
      /bin/tabubk -d 1553
      1⤵
      • Executes dropped EXE
      PID:1613
    • /bin/cfaaisfw
      /bin/cfaaisfw -d 1553
      1⤵
      • Executes dropped EXE
      PID:1616
    • /bin/chgiimc
      /bin/chgiimc -d 1553
      1⤵
      • Executes dropped EXE
      PID:1619
    • /bin/empxhry
      /bin/empxhry -d 1553
      1⤵
      • Executes dropped EXE
      PID:1622
    • /bin/tlqvqtxylc
      /bin/tlqvqtxylc -d 1553
      1⤵
      • Executes dropped EXE
      PID:1624
    • /bin/glbwpi
      /bin/glbwpi -d 1553
      1⤵
      • Executes dropped EXE
      PID:1628
    • /bin/zsrbnxpcuw
      /bin/zsrbnxpcuw -d 1553
      1⤵
      • Executes dropped EXE
      PID:1631
    • /bin/tzogsmy
      /bin/tzogsmy -d 1553
      1⤵
      • Executes dropped EXE
      PID:1634
    • /bin/jyyovfbwdqg
      /bin/jyyovfbwdqg -d 1553
      1⤵
      • Executes dropped EXE
      PID:1637
    • /bin/szytmwlqqhll
      /bin/szytmwlqqhll -d 1553
      1⤵
      • Executes dropped EXE
      PID:1640
    • /bin/arbmpovqol
      /bin/arbmpovqol -d 1553
      1⤵
      • Executes dropped EXE
      PID:1643
    • /bin/vmjafrixqgs
      /bin/vmjafrixqgs -d 1553
      1⤵
      • Executes dropped EXE
      PID:1646
    • /bin/vnigwiazw
      /bin/vnigwiazw -d 1553
      1⤵
      • Executes dropped EXE
      PID:1649
    • /bin/prhffubrfd
      /bin/prhffubrfd -d 1553
      1⤵
      • Executes dropped EXE
      PID:1652
    • /bin/xlvpuou
      /bin/xlvpuou -d 1553
      1⤵
      • Executes dropped EXE
      PID:1655
    • /bin/tqtgacei
      /bin/tqtgacei -d 1553
      1⤵
      • Executes dropped EXE
      PID:1658
    • /bin/fexuyfadbdwh
      /bin/fexuyfadbdwh -d 1553
      1⤵
      • Executes dropped EXE
      PID:1661
    • /bin/vesstmg
      /bin/vesstmg -d 1553
      1⤵
      • Executes dropped EXE
      PID:1664
    • /bin/mcigkikptow
      /bin/mcigkikptow -d 1553
      1⤵
      • Executes dropped EXE
      PID:1667
    • /bin/lrzstewwbd
      /bin/lrzstewwbd -d 1553
      1⤵
      • Executes dropped EXE
      PID:1670
    • /bin/yjwqek
      /bin/yjwqek -d 1553
      1⤵
      • Executes dropped EXE
      PID:1673
    • /bin/wxbeflorc
      /bin/wxbeflorc -d 1553
      1⤵
      • Executes dropped EXE
      PID:1676
    • /bin/ssinlnjjqo
      /bin/ssinlnjjqo -d 1553
      1⤵
      • Executes dropped EXE
      PID:1679
    • /bin/oxkedwf
      /bin/oxkedwf -d 1553
      1⤵
      • Executes dropped EXE
      PID:1682
    • /bin/vgfauurybyzkt
      /bin/vgfauurybyzkt -d 1553
      1⤵
      • Executes dropped EXE
      PID:1685
    • /bin/tgeirnyfbmensh
      /bin/tgeirnyfbmensh -d 1553
      1⤵
      • Executes dropped EXE
      PID:1688
    • /bin/yjfgoh
      /bin/yjfgoh -d 1553
      1⤵
      • Executes dropped EXE
      PID:1691
    • /bin/ibzmzaysst
      /bin/ibzmzaysst -d 1553
      1⤵
      • Executes dropped EXE
      PID:1694
    • /bin/ybrmzw
      /bin/ybrmzw -d 1553
      1⤵
      • Executes dropped EXE
      PID:1697
    • /bin/ncegmngvumjcp
      /bin/ncegmngvumjcp -d 1553
      1⤵
      • Executes dropped EXE
      PID:1700
    • /bin/dogeogxiazjdrv
      /bin/dogeogxiazjdrv -d 1553
      1⤵
      • Executes dropped EXE
      PID:1703
    • /bin/pmssqagfg
      /bin/pmssqagfg -d 1553
      1⤵
      • Executes dropped EXE
      PID:1705
    • /bin/ekijaqnq
      /bin/ekijaqnq -d 1553
      1⤵
      • Executes dropped EXE
      PID:1711
    • /bin/mzzmicff
      /bin/mzzmicff -d 1553
      1⤵
      • Executes dropped EXE
      PID:1714
    • /bin/utaolauqjxse
      /bin/utaolauqjxse -d 1553
      1⤵
      • Executes dropped EXE
      PID:1716
    • /bin/yquhqnvgkhh
      /bin/yquhqnvgkhh -d 1553
      1⤵
      • Executes dropped EXE
      PID:1720
    • /bin/vrnayvxtv
      /bin/vrnayvxtv -d 1553
      1⤵
      • Executes dropped EXE
      PID:1722
    • /bin/exixihpm
      /bin/exixihpm -d 1553
      1⤵
      • Executes dropped EXE
      PID:1726
    • /bin/qeqxufsdp
      /bin/qeqxufsdp -d 1553
      1⤵
      • Executes dropped EXE
      PID:1728
    • /bin/kaxenaeix
      /bin/kaxenaeix -d 1553
      1⤵
      • Executes dropped EXE
      PID:1732
    • /bin/fkedsblctaxj
      /bin/fkedsblctaxj -d 1553
      1⤵
      • Executes dropped EXE
      PID:1734
    • /bin/pgbubejdqlc
      /bin/pgbubejdqlc -d 1553
      1⤵
      • Executes dropped EXE
      PID:1738
    • /bin/cbjzzrkdweh
      /bin/cbjzzrkdweh -d 1553
      1⤵
      • Executes dropped EXE
      PID:1741
    • /bin/galelstrtqszb
      /bin/galelstrtqszb -d 1553
      1⤵
      • Executes dropped EXE
      PID:1744

Network

MITRE ATT&CK Enterprise v15


Downloads

    • /bin/empxhry

      Filesize

      456KB

      MD5

      f95d9954bae75b1e5a44fa1951ac4ec7

      SHA1

      ad0a9392c8a2353b1081dbe47a34451fadfb1688

      SHA256

      ba633eb754a3bed274fd9eab5680d9cc83c1d36e38f5efd21faa433e92d4aaf4

      SHA512

      75fda67a92f4a618a93b082d9ee5fd9cf0e08e65404b9ff42e38a972ad95f6004f70bdd6f2684567a0f91883f3ab88b7c7f84cdc16d1e992a08d90ede45d5836

    • /bin/galelstrtqszb

      Filesize

      136KB

      MD5

      27fe544686880d05b4163f7d55573532

      SHA1

      44b16913d9a0d5bc975e242687a5cdc4f565b27d

      SHA256

      5b1f2e9346cc2a96be95ec9eac5968c9876021e7cf65cde6ccdd0b17766dc607

      SHA512

      4db17f6d6656c9ef4ec164dde65e19a412cf1aa5d208edb027935ab41b584b2a4f91630475d825b6aa4b2d4dd4f49e7623c02181717080dd8fe731ad377c88a3

    • /bin/lcoptbdywjwr

      Filesize

      204KB

      MD5

      b00482f79fbf14830d6886cef371494e

      SHA1

      17c728fccf88528be495331ae057e52223be04b3

      SHA256

      1fa359903494dc4e7030491defdb638cf9563eb82d51d8da4d57800bb460ea3b

      SHA512

      59ed77b79cfdfb7cf73b914ede40f7103877209481b174de767ea29aea92d8a58b174d3da4be4d50aa7248890d61a23eabeaba2d22e5e74ef69a966f3341a17c

    • /bin/mcbkxkfktrjv

      Filesize

      537KB

      MD5

      2286e5859cf70119b169f62c31db7a8a

      SHA1

      e46eb17821fbae8b16899f1f3702f09002783681

      SHA256

      a2db7d8a25bae4100e2e7407b7fc5927f49594da1fb952607908575c7dc21fda

      SHA512

      92c9622e8e0615c97ffc7f80064e343f3618cb3b9b5407c208f7ce1e099a373d94b157b32742f9c2f295301f39b273c22a7e56a83a080a3c1cd477a31a5c28a4

    • /bin/ncegmngvumjcp

      Filesize

      424KB

      MD5

      92c60e2c068b3a4f3b1b7f610a9b3557

      SHA1

      c2a29e29382d9f129c02be2a419f55f25e7a7e11

      SHA256

      4d94b6a0e0b3a0bb765c7ca144b5b0699e57b242320b5901252cea95f2f08a09

      SHA512

      94f17c4a872c4b4ff821c9426deb5f6eb10bdb426140d0c0c5e1836aba7bf527be352ed0c49f5545cb07ac9df1c2eea02f14a5c48a80eb1e5c400587c11d3198

    • /bin/pnamoenzeosq

      Filesize

      537KB

      MD5

      c6f9f1169189166ac9dd3a405c4a50f2

      SHA1

      1d37f07956ee8e94eb3748c13e5d215347d41b92

      SHA256

      cd69ac10d99a9b27edd5e0c46cef517399969726f0bb30bfb226d4026c116cc8

      SHA512

      4e7ddf6fb7433edd7f704c0610b8c7990fd9d5ae367ca47161d7bd7bd25f082f486ac28d771eb1f0e71cf7d1216d8f9fc34d22291b66169b49701856f779eba4

    • /bin/tqtgacei

      Filesize

      464KB

      MD5

      9870ecd4366f8787898e3b7182dd99ed

      SHA1

      92c3e0f36b15d80089d646da86e2a09f399be1e6

      SHA256

      68f121979e75a72217010f13585e926c0d962c52570a335315abb1f9d345b9d7

      SHA512

      1d68f738792da7ce74e8e84f971f2519aeb3e17b273f04777358dcbf62f01f0cda78c95bf7bae67568b669f88ce08ab40e5a575e30cedce7b880c0f73f41ec50

    • /etc/cron.hourly/vjrtkfkxkbcm.sh

      Filesize

      149B

      MD5

      6638a87ed2e5ea74e1bec8e04a72d4e8

      SHA1

      c5182784d1cf9f5395ee83b4a64648906f774015

      SHA256

      20fed650ade562a20649f63a10391a9c7fd27affeb3861423d9b26df630eb837

      SHA512

      3661fda9e1d906468ee9b220e8a4180c33c69934bf3da9f382cd80c72cd5d5c4a2c9db027aafcd117d8dc6c48c54fbce391477eeca1b12db4c83c430a899dd6c

    • /etc/daemon.cfg

      Filesize

      32B

      MD5

      6851f2b913485a1f1a778d4bd916b83b

      SHA1

      71e81dc48b29cfdcc8fcaf3159053f4e570d468a

      SHA256

      e7950bdfc21bfbf595c099284b75393ac52813a3dfcae6a21d85525a438a2c55

      SHA512

      eb1e0b0a573902d0cd9f72d528fe3fd13bc5822deac6c63f5b9b3d31664d3ad33526552e436cb137ffaf8947618b6f39861daafebaa0e4e156a40e2dfe8d2fd3

    • /etc/init.d/vjrtkfkxkbcm

      Filesize

      348B

      MD5

      5f6a22c394518a6e1fc33ab51bacdee2

      SHA1

      09f1d9baeb6f0ee0784175df9b96981cbb283916

      SHA256

      56a130b0e1de72269004b5e57d5f3a97cfd5546c2b681ce477fbb799ba764449

      SHA512

      43fc580243ffaf8d42e94d48ec7c3d13dc0c2b94600573846e12f9693e7f9198ceb9485efac79e0becb0cc77e9de78813629d80d767eb9e7b4fbe4c38f56618a
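The Signatures, Processes and Downloads sections above together describe a persistence pattern that is easy to hunt for: a burst of randomly named executables written to /bin, a /etc/cron.hourly/<name>.sh and /etc/init.d/<name> script that reference one of them, a 32-byte /etc/daemon.cfg, and child processes started as "/bin/<name> -d <pid>". The following hunting script is an added example for this page, not code from the report or from XorDDoS. Every path is resolved under a `root` argument so it runs against a mounted disk image as well as a live host, and `build_fixture()` creates a constructed directory tree mimicking the report's artifacts (its file contents are made up) so the script can be exercised offline. The 5-file/300-second burst threshold and the process argv pattern are heuristics chosen here.

```python
"""Hunt for the persistence pattern shown in the sandbox report above.

Added example for this page; not code from the report or from XorDDoS.
Heuristics: a burst of executables in /bin, cron.hourly / init.d scripts
referencing them, /etc/daemon.cfg, and argv of the form /bin/<name> -d <pid>.
"""
import os
import re
import tempfile
import time

# argv as /proc/<pid>/cmdline exposes it, e.g. b"/bin/pqrimuce\x00-d\x001553\x00"
DAEMON_ARGV = re.compile(rb"^/bin/[a-z]{5,16}\x00-d\x00\d+\x00?$")


def bin_burst(root, window=300, min_files=5):
    """Names of executables in <root>/bin whose mtimes cluster inside `window`
    seconds. The report shows 60+ such files written in a ~150 s run. An
    attacker can reset mtime, so on a live host compare st_ctime as well."""
    bindir = os.path.join(root, "bin")
    stamps = []
    for name in os.listdir(bindir):
        path = os.path.join(bindir, name)
        if os.path.isfile(path) and not os.path.islink(path):
            st = os.stat(path)
            if st.st_mode & 0o111:          # any execute bit set
                stamps.append((st.st_mtime, name))
    stamps.sort()
    best, lo = [], 0
    for hi in range(len(stamps)):           # sliding window over sorted times
        while stamps[hi][0] - stamps[lo][0] > window:
            lo += 1
        if hi - lo + 1 > len(best):
            best = stamps[lo:hi + 1]
    return sorted(n for _, n in best) if len(best) >= min_files else []


def persistence_refs(root, names):
    """(script, binary) pairs for cron.hourly / init.d scripts referencing a suspect name."""
    hits = []
    for sub in ("etc/cron.hourly", "etc/init.d"):
        d = os.path.join(root, sub)
        for fname in sorted(os.listdir(d)) if os.path.isdir(d) else []:
            path = os.path.join(d, fname)
            try:
                with open(path, "rb") as fh:
                    data = fh.read(65536)
            except OSError:
                continue
            hits += [(path, n) for n in names if b"/bin/" + n.encode() in data]
    return hits


def daemon_cfg(root):
    """Path of /etc/daemon.cfg if present (dropped by the sample, 32 bytes)."""
    path = os.path.join(root, "etc", "daemon.cfg")
    return path if os.path.isfile(path) else None


def daemon_flag_processes(proc_root):
    """(pid, argv) for processes whose argv matches '/bin/<name> -d <pid>'."""
    found = []
    for pid in os.listdir(proc_root):
        if not pid.isdigit():
            continue
        try:
            with open(os.path.join(proc_root, pid, "cmdline"), "rb") as fh:
                argv = fh.read()
        except OSError:
            continue
        if DAEMON_ARGV.match(argv):
            found.append((int(pid), argv.rstrip(b"\x00").replace(b"\x00", b" ").decode()))
    return sorted(found)


def hunt(root="/", proc_root="/proc"):
    names = bin_burst(root)
    return {
        "dropped_bins": names,
        "persistence": persistence_refs(root, names),
        "daemon_cfg": daemon_cfg(root),
        "daemon_procs": daemon_flag_processes(proc_root),
    }


def build_fixture():
    """Constructed tree mimicking the report's artifacts (test data only).
    Returns (root, proc_root)."""
    root = tempfile.mkdtemp()
    for sub in ("bin", "etc/cron.hourly", "etc/init.d", "proc/1559", "proc/1560"):
        os.makedirs(os.path.join(root, sub))
    dropped = ["mcbkxkfktrjv", "pqrimuce", "jykjhqblgdx", "lmdufyvpmenv", "pccwclwmvgdy"]
    for n in dropped + ["ls"]:              # 'ls' stands in for a legitimate binary
        p = os.path.join(root, "bin", n)
        with open(p, "wb") as fh:
            fh.write(b"\x7fELF")
        os.chmod(p, 0o755)
    old = time.time() - 86400 * 30          # 'ls' was installed a month ago
    os.utime(os.path.join(root, "bin", "ls"), (old, old))
    files = {                               # contents are made up, names from the report
        "etc/cron.hourly/vjrtkfkxkbcm.sh": b"#!/bin/sh\n/bin/mcbkxkfktrjv\n",
        "etc/init.d/vjrtkfkxkbcm": b"#!/bin/sh\ncase $1 in start) /bin/mcbkxkfktrjv ;; esac\n",
        "etc/daemon.cfg": b"\x00" * 32,
        "proc/1559/cmdline": b"/bin/pqrimuce\x00-d\x001553\x00",
        "proc/1560/cmdline": b"/usr/bin/python3\x00-d\x00x\x00",   # benign look-alike
    }
    for rel, data in files.items():
        with open(os.path.join(root, rel), "wb") as fh:
            fh.write(data)
    return root, os.path.join(root, "proc")


if __name__ == "__main__":
    import json
    import sys
    if len(sys.argv) > 1:                   # e.g. python hunt.py /mnt/image  or  python hunt.py / /proc
        print(json.dumps(hunt(sys.argv[1], sys.argv[2] if len(sys.argv) > 2 else "/proc"), indent=2))
    else:                                   # no arguments: run against the constructed fixture
        print(json.dumps(hunt(*build_fixture()), indent=2))
```

On a live host run it as root with `/` and `/proc`; on a mounted image pass the mount point and omit the process check. Treat each finding as a lead rather than a verdict: the burst heuristic will also fire right after a package upgrade, so confirm with the package manager (dpkg -S on the flagged names) and with the hashes listed in the Downloads section.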