Analysis

  • max time kernel
    155s
  • max time network
    160s
  • platform
    ubuntu-18.04_amd64
  • resource
    ubuntu1804-amd64-20231215-en
  • resource tags

    arch:amd64, arch:i386, image:ubuntu1804-amd64-20231215-en, kernel:4.15.0-213-generic, locale:en-us, os:ubuntu-18.04-amd64, system
  • submitted
    22-12-2023 14:10

General

  • Target

    b90f98a1de56b02687d6b719646ce12a

  • Size

    544KB

  • MD5

    b90f98a1de56b02687d6b719646ce12a

  • SHA1

    e2cd4662a8885a350dcb5c0ea38e7ee377cd3aff

  • SHA256

    6814a4bbe0b6078dc04a4144e8017a50c3a453793e01cb3ae3440c575876ba6a

  • SHA512

    e5fab8a263ec7ed03ee4b5d110aa8e2985dcc81691cb2939830df0b472c2a4b0d4c7e524bccaf0a111211d150eff8711807a9787c4bd23677d4529340fff6db0

  • SSDEEP

    12288:dMt0ECI+AnmBeGHOkVZAG2/2//PXaIWtpm6y92u:atPCIN7G/VZAp/2//fa7po

Malware Config

Extracted

Family

xorddos

Attributes
  • crc_polynomial

    CDB88320

xor.plain

Signatures

  • XorDDoS

    Botnet and downloader malware targeting Linux-based operating systems and IoT devices.

  • XorDDoS payload 2 IoCs
  • Deletes itself 32 IoCs
  • Executes dropped EXE 32 IoCs
  • Creates/modifies Cron job 1 TTPs 1 IoCs

    Cron allows running tasks on a schedule, and is commonly used for malware persistence.

  • Modifies init.d 1 TTPs 1 IoCs

    Adds/modifies system service, likely for persistence.

  • Writes file to system bin folder 1 TTPs 35 IoCs
  • Writes file to shm directory 2 IoCs

    Malware can drop malicious files in the shm directory which will run directly from RAM.

Processes

  • /tmp/b90f98a1de56b02687d6b719646ce12a
    /tmp/b90f98a1de56b02687d6b719646ce12a
    1⤵
      PID:1556
    • /bin/kchwyvh
      /bin/kchwyvh
      1⤵
      • Executes dropped EXE
      PID:1560
    • /bin/qoezastzyk
      /bin/qoezastzyk -d 1561
      1⤵
      • Executes dropped EXE
      PID:1568
    • /bin/pojbeledr
      /bin/pojbeledr -d 1561
      1⤵
      • Executes dropped EXE
      PID:1571
    • /bin/fmubhelkclub
      /bin/fmubhelkclub -d 1561
      1⤵
      • Executes dropped EXE
      PID:1574
    • /bin/yvnazlayd
      /bin/yvnazlayd -d 1561
      1⤵
      • Executes dropped EXE
      PID:1577
    • /bin/iewvizoogaiki
      /bin/iewvizoogaiki -d 1561
      1⤵
      • Executes dropped EXE
      PID:1580
    • /bin/bmowawdd
      /bin/bmowawdd -d 1561
      1⤵
      • Executes dropped EXE
      PID:1583
    • /bin/slgtispo
      /bin/slgtispo -d 1561
      1⤵
      • Executes dropped EXE
      PID:1586
    • /bin/dpofzwwhtcnd
      /bin/dpofzwwhtcnd -d 1561
      1⤵
      • Executes dropped EXE
      PID:1589
    • /bin/duzxkpupekw
      /bin/duzxkpupekw -d 1561
      1⤵
      • Executes dropped EXE
      PID:1592
    • /bin/umawcdedwg
      /bin/umawcdedwg -d 1561
      1⤵
      • Executes dropped EXE
      PID:1595
    • /bin/trvmddfz
      /bin/trvmddfz -d 1561
      1⤵
      • Executes dropped EXE
      PID:1598
    • /bin/smdrxlxb
      /bin/smdrxlxb -d 1561
      1⤵
      • Executes dropped EXE
      PID:1601
    • /bin/dkqlqbzczeg
      /bin/dkqlqbzczeg -d 1561
      1⤵
      • Executes dropped EXE
      PID:1604
    • /bin/axlmbrrctlrx
      /bin/axlmbrrctlrx -d 1561
      1⤵
      • Executes dropped EXE
      PID:1607
    • /bin/okapwguhwfxyg
      /bin/okapwguhwfxyg -d 1561
      1⤵
      • Executes dropped EXE
      PID:1610
    • /bin/ebkhqv
      /bin/ebkhqv -d 1561
      1⤵
      • Executes dropped EXE
      PID:1613
    • /bin/tqcamhamobmbl
      /bin/tqcamhamobmbl -d 1561
      1⤵
      • Executes dropped EXE
      PID:1616
    • /bin/oqanysg
      /bin/oqanysg -d 1561
      1⤵
      • Executes dropped EXE
      PID:1619
    • /bin/enmoue
      /bin/enmoue -d 1561
      1⤵
      • Executes dropped EXE
      PID:1622
    • /bin/joulcmlrmgywkl
      /bin/joulcmlrmgywkl -d 1561
      1⤵
      • Executes dropped EXE
      PID:1625
    • /bin/nmvuren
      /bin/nmvuren -d 1561
      1⤵
      • Executes dropped EXE
      PID:1628
    • /bin/nezhixk
      /bin/nezhixk -d 1561
      1⤵
      • Executes dropped EXE
      PID:1631
    • /bin/metvgbifyhyq
      /bin/metvgbifyhyq -d 1561
      1⤵
      • Executes dropped EXE
      PID:1634
    • /bin/vxshuobyddlhd
      /bin/vxshuobyddlhd -d 1561
      1⤵
      • Executes dropped EXE
      PID:1637
    • /bin/scftojml
      /bin/scftojml -d 1561
      1⤵
      • Executes dropped EXE
      PID:1640
    • /bin/rxphjdsazwzzzw
      /bin/rxphjdsazwzzzw -d 1561
      1⤵
      • Executes dropped EXE
      PID:1645
    • /bin/euzsdppvy
      /bin/euzsdppvy -d 1561
      1⤵
      • Executes dropped EXE
      PID:1648
    • /bin/wiqshprgfx
      /bin/wiqshprgfx -d 1561
      1⤵
      • Executes dropped EXE
      PID:1651
    • /bin/hphwhdwietz
      /bin/hphwhdwietz -d 1561
      1⤵
      • Executes dropped EXE
      PID:1654
    • /bin/uwdrhhyydipxq
      /bin/uwdrhhyydipxq -d 1561
      1⤵
      • Executes dropped EXE
      PID:1657
    • /bin/jonobk
      /bin/jonobk -d 1561
      1⤵
      • Executes dropped EXE
      PID:1660

    Network

    MITRE ATT&CK Enterprise v15

    Downloads

    • /bin/bmowawdd

      Filesize

      544KB

      MD5

      dd75d2ea0e3146317c1805279f3ec54d

      SHA1

      a7844c09dd5ca901bf0f151dff1c56616e6904f9

      SHA256

      89708c816f7498915a7c738387f0f820a7cbfc69d10e78207f398132fca8690e

      SHA512

      a018561a4044c4cac4d39dd2cb60e65d839efdb22c59b13ae7d8cbe77321514d9527bd9c61e7af328d3a7e7f2ffc3f240806f70649217171bf9f3cb238f76e15

    • /bin/oqanysg

      Filesize

      424KB

      MD5

      86b658c0c7dd02bb95a70472da86c792

      SHA1

      391cf8ba853b37011b2be934f920858cdb7fb7fa

      SHA256

      8bfac8bc3a3102fdcc4d2c0c65751b905212a6804f0142fe2f3577dd73aa2f97

      SHA512

      f858f7bd419613c0c0131dd8207e82b3b736ea589cf7f8c1aa78757d04f027c5f0832a7eaa1816d8fa5c546cc6678bb2237de89659c3ef436cb25d1be5d440df