Analysis
-
max time kernel
146s -
max time network
154s -
platform
ubuntu-18.04_amd64 -
resource
ubuntu1804-amd64-20231215-en -
resource tags
-
submitted
22-12-2023 07:43
General
-
Target
7a891a96d6af45865e5fe6142b40eb77
-
Size
610KB
-
MD5
7a891a96d6af45865e5fe6142b40eb77
-
SHA1
674ad6a918d4dc38c4c03860da2fddcd5da61b57
-
SHA256
cfa4c887555c315182f2a4dc290633fdec3140a10e4480e877ff1a7627d89878
-
SHA512
9d4900c38200643b15320dbbeec6b06b3597398abe2fd31e1965e1d224baa008edbfa4b5dbc9cab00e33a70f5a0b1892fc6d540fd440779f69df08d99248da37
-
SSDEEP
12288:WBmHsnhar0nJ7FGY5HRYxC1mqiL40qFCWU7k/VU6yZNnXgW4UlUuTh1AG:WBmHgaUVFGAR11mTL40q/7GpXgUl/91h
Malware Config
Extracted
xorddos
http://www1.gggatat456.com/dd.rar
ppp.gggatat456.com:1520
ppp.xxxatat456.com:1520
-
crc_polynomial
EDB88320
Signatures
-
XorDDoS
Botnet and downloader malware targeting Linux-based operating systems and IoT devices.
-
XorDDoS payload 9 IoCs
-
Deletes itself 1 IoCs
-
Executes dropped EXE 22 IoCs
-
Checks CPU configuration 1 TTPs 1 IoCs
Checks CPU information which indicate if the system is a virtual machine.
-
Creates/modifies Cron job 1 TTPs 2 IoCs
Cron allows running tasks on a schedule, and is commonly used for malware persistence.
-
Modifies init.d 1 TTPs 1 IoCs
Adds/modifies system service, likely for persistence.
-
Write file to user bin folder 1 TTPs 5 IoCs
-
Reads runtime system information 10 IoCs
Reads data from /proc virtual filesystem.
Processes
-
/tmp/7a891a96d6af45865e5fe6142b40eb77/tmp/7a891a96d6af45865e5fe6142b40eb771⤵
-
/bin/shsh -c "sed -i '/\\/etc\\/cron.hourly\\/gcc.sh/d' /etc/crontab && echo '*/3 * * * * root /etc/cron.hourly/gcc.sh' >> /etc/crontab"1⤵
- Creates/modifies Cron job
-
/bin/sedsed -i "/\\/etc\\/cron.hourly\\/gcc.sh/d" /etc/crontab2⤵
- Reads runtime system information
-
-
/bin/chkconfigchkconfig --add 7a891a96d6af45865e5fe6142b40eb771⤵
-
/sbin/chkconfigchkconfig --add 7a891a96d6af45865e5fe6142b40eb771⤵
-
/usr/bin/chkconfigchkconfig --add 7a891a96d6af45865e5fe6142b40eb771⤵
-
/usr/sbin/chkconfigchkconfig --add 7a891a96d6af45865e5fe6142b40eb771⤵
-
/usr/local/bin/chkconfigchkconfig --add 7a891a96d6af45865e5fe6142b40eb771⤵
-
/usr/local/sbin/chkconfigchkconfig --add 7a891a96d6af45865e5fe6142b40eb771⤵
-
/usr/X11R6/bin/chkconfigchkconfig --add 7a891a96d6af45865e5fe6142b40eb771⤵
-
/bin/update-rc.dupdate-rc.d 7a891a96d6af45865e5fe6142b40eb77 defaults1⤵
-
/sbin/update-rc.dupdate-rc.d 7a891a96d6af45865e5fe6142b40eb77 defaults1⤵
-
/usr/bin/update-rc.dupdate-rc.d 7a891a96d6af45865e5fe6142b40eb77 defaults1⤵
-
/usr/sbin/update-rc.dupdate-rc.d 7a891a96d6af45865e5fe6142b40eb77 defaults1⤵
-
/bin/systemctlsystemctl daemon-reload2⤵
- Reads runtime system information
-
-
/usr/bin/rrptlpticz/usr/bin/rrptlpticz id 15341⤵
- Executes dropped EXE
-
/usr/bin/rrptlpticz/usr/bin/rrptlpticz id 15341⤵
- Executes dropped EXE
-
/usr/bin/rrptlpticz/usr/bin/rrptlpticz uptime 15341⤵
- Executes dropped EXE
-
/usr/bin/rrptlpticz/usr/bin/rrptlpticz who 15341⤵
- Executes dropped EXE
-
/usr/bin/rrptlpticz/usr/bin/rrptlpticz who 15341⤵
- Executes dropped EXE
-
/usr/bin/sglxebuzzc/usr/bin/sglxebuzzc "ifconfig eth0" 15341⤵
- Executes dropped EXE
-
/usr/bin/sglxebuzzc/usr/bin/sglxebuzzc ls 15341⤵
- Executes dropped EXE
-
/usr/bin/sglxebuzzc/usr/bin/sglxebuzzc "route -n" 15341⤵
- Executes dropped EXE
-
/usr/bin/sglxebuzzc/usr/bin/sglxebuzzc "sleep 1" 15341⤵
- Executes dropped EXE
-
/usr/bin/sglxebuzzc/usr/bin/sglxebuzzc pwd 15341⤵
- Executes dropped EXE
-
/usr/bin/bohnrnrdil/usr/bin/bohnrnrdil uptime 15341⤵
- Executes dropped EXE
-
/usr/bin/bohnrnrdil/usr/bin/bohnrnrdil who 15341⤵
- Executes dropped EXE
-
/usr/bin/bohnrnrdil/usr/bin/bohnrnrdil sh 15341⤵
- Executes dropped EXE
-
/usr/bin/bohnrnrdil/usr/bin/bohnrnrdil su 15341⤵
- Executes dropped EXE
-
/usr/bin/bohnrnrdil/usr/bin/bohnrnrdil "ls -la" 15341⤵
- Executes dropped EXE
-
/usr/bin/motfhugycv/usr/bin/motfhugycv "ls -la" 15341⤵
- Executes dropped EXE
-
/usr/bin/motfhugycv/usr/bin/motfhugycv ls 15341⤵
- Executes dropped EXE
-
/usr/bin/motfhugycv/usr/bin/motfhugycv id 15341⤵
- Executes dropped EXE
-
/usr/bin/motfhugycv/usr/bin/motfhugycv top 15341⤵
- Executes dropped EXE
-
/usr/bin/motfhugycv/usr/bin/motfhugycv pwd 15341⤵
- Executes dropped EXE
-
/usr/bin/aidaoafyig/usr/bin/aidaoafyig "echo \"find\"" 15341⤵
- Executes dropped EXE
-
/usr/bin/aidaoafyig/usr/bin/aidaoafyig "ps -ef" 15341⤵
- Executes dropped EXE
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
228B
MD53bab747cedc5f0ebe86aaa7f982470cd
SHA13c7d1c6931c2b3dae39d38346b780ea57c8e6142
SHA25674d31cac40d98ee64df2a0c29ceb229d12ac5fa699c2ee512fc69360f0cf68c5
SHA51221e8a6d9ca8531d37def83d8903e5b0fa11ecf33d85d05edab1e0feb4acac65ae2cf5222650fb9f533f459ccc51bb2903276ff6f827b847cc5e6dac7d45a0a42
-
Filesize
425B
MD531790cd5239426f2690c21f268933808
SHA16b559bfa78c81908940e19b6cd2c547eb06e4c5e
SHA256a58c0b94ffee53c9e727b8c4dc6956e6f27d78b927d2d63369a8cf1f31a152bd
SHA51296cb62a4293b4c2cc64bc221e46feccb82143b425866a522067a63ca27ce886354b18853d5b535c1845be32b97ed1a64ddd2dba279d17f8c4598e14f7c020729
-
Filesize
722B
MD58f111d100ea459f68d333d63a8ef2205
SHA1077ca9c46a964de67c0f7765745d5c6f9e2065c3
SHA2560e5c204385b21e15b031c83f37212bf5a4ee77b51762b7b54bd6ad973ebdf354
SHA512d81767b47fb84aaf435f930356ded574ee9825ec710a2e7c26074860d8a385741d65572740137b6f9686c285a32e2951ca933393b266746988f1737aad059adb
-
Filesize
328KB
MD58c74d06631c4a42e2faca39ad379a3f7
SHA1d5559ace2d056096076dc25b18a69349099ceeef
SHA25661e7c265f6bea9e0e5963b72ed016851cf9f6f43e7c24ea6824c1dc1e01cfec8
SHA5125cabe33042a06ba9e6c82ba772f3ab612e23da09cc3c2dedb0f0ec92a5b5ac5de08b6e1c2aa40a828c5936da6b56b48d34d06a050938332790f3dedd93fc583c
-
Filesize
431KB
MD5b56ae8866ba4e22c906dd18edd521e30
SHA1f29e51ba1582eb453e1a9374eb4869371cc83042
SHA256c9cd02ec4a4b8da9594f5b2ebc4d09605364cadf67de7df4b2264b3eb47605f0
SHA512d477f58ac82d1d9c849e5d972cb89392957d45719056f6620034409a7af1dd1ed9c4528d5d6c773be915f48e0c0090f2cd616d0145ea1ea14f8638fe6995aa96
-
Filesize
610KB
MD501e3509480fa02a31787680f35dddc4d
SHA1f888bdfcef0fb55ed3a3c2da84a21cdc37d0a3b1
SHA256fc54791db5a7a6e098b9df504625a83d49794b4ff0b4b42f2f27e5b52ecb8a92
SHA5126467c62ccb7d817777497341019dfed8407304d6d34a8da33e5ca23eea8a146e672612156c8e81be5be163f46d28d29f270f3232e2aad491e4e268920d51e5a2
-
Filesize
610KB
MD564691bfed67c54d57db5e82b0771c85c
SHA1652e7d97ebc5aa63dfd6be91627e540392362611
SHA2563ee02221d6c820550651b474e3e2396b4d74f99753ad0d1eb338ef771de41203
SHA512579f2386fad59abf54ad25da8edbfdf1d53dd868306af5d9299b53804a4226543193f6797c9c709f3822bba4cd138933a97127558fa1b2a09a490e463dc6db03
-
Filesize
610KB
MD55ba967174732564e2ab55f3b27d3d5ca
SHA12873de242ee072e06466944ade6da5ec062ed9e3
SHA256f4cbbdbfbeea715d42ffdfd14d104c331a825a3ffc02560e2035c8a5fa6fc802
SHA512e0dac9b9c366526880e3481c6ae46c8b38ee382f7ab44e3aeded208710117e9ee41eafe956bdaa95a24341142687a5e09dedcbef077601525259d5c0248d8066
-
Filesize
610KB
MD5da87f99d5e14309f99e51897d7ea9cb3
SHA10b8b0392c440bb1c1497f0316491e2a79be8bde5
SHA2560b8b56448313bf5180f5c3ce379f6bfcb7de4ca6ccf028616d3ada534a27a05d
SHA512dcd1466de07ba1edd0b5d2d60f895f49a2de0bf9b500a68f5b616e2a94d263d94d44ad7cfc8eb5d44e4c27368c0f4691feb332ed3d0c8ae033c9acb7fcbb045c
-
Filesize
610KB
MD57a891a96d6af45865e5fe6142b40eb77
SHA1674ad6a918d4dc38c4c03860da2fddcd5da61b57
SHA256cfa4c887555c315182f2a4dc290633fdec3140a10e4480e877ff1a7627d89878
SHA5129d4900c38200643b15320dbbeec6b06b3597398abe2fd31e1965e1d224baa008edbfa4b5dbc9cab00e33a70f5a0b1892fc6d540fd440779f69df08d99248da37
-
Filesize
610KB
MD599100ab32b295567a427a7759d074077
SHA15ef47019bb0a257cf3f2816d98d0143a9ef11f1f
SHA2561516c741a3f664fd9d6c2e25617b11caaf472cb0005f42bf0b07058b399a4276
SHA51263dc559ffed32e45c459d0cfb4cee4d2e6ec53234735f2427aed809a4ae67e66280f96b29c37fbd20e00433f0bd7d7f86cba491e38d4583d663b9440516a1549
-
Filesize
610KB
MD535faf2acc2d5cb5b2871b78c484477b6
SHA12a403db25a67b92c77ba809cd53bc8a4d7b6ce50
SHA25608481b9d2834eed0b7449c777e3795c00788229363655f3ca94894b631c0be0a
SHA5123ad882c322cefe1b647dd6c8298823db2f9fa761c6041e8f62647aeb905c4574edb53d743743a52e4f9e8c9e24f861485a29de0d070f7aed7e734841dedee56e