Analysis
-
max time kernel
152s -
max time network
156s -
platform
ubuntu-18.04_amd64 -
resource
ubuntu1804-amd64-20231215-en -
resource tags
-
submitted
22-12-2023 14:55
General
-
Target
cfde10b9d5468ee167d578bbfe93a0dc
-
Size
596KB
-
MD5
cfde10b9d5468ee167d578bbfe93a0dc
-
SHA1
61646e20beb7f816cea1713f92f1d1da92450e8e
-
SHA256
a7eb1d26c8069a933254341be5b5ebf61818d08d0867d64d48890e0ba80cff87
-
SHA512
0faec1f88a4263c72dc87ce14c31e32ec9f353b27d944a32e0849e4015d7e0d50023ddc122673cd3b12d8614e7a53b49c5cf87758990c21a7e6e8b6d8a8a4596
-
SSDEEP
12288:bfTGy+n69+5rTlFEcMWbHvx5SGEuWdiF6yxm9Ah7Dxu9hc7L:rTG/0+5dq4bHvx5SGodiLTD4XcP
Malware Config
Extracted
xorddos
http://info1.3000uc.com/b/u.php
gh.dsaj2a1.org:2879
iosapp622.ddns.net:2879
173.247.233.62:2879
-
crc_polynomial
EDB88320
Signatures
-
XorDDoS
Botnet and downloader malware targeting Linux-based operating systems and IoT devices.
-
XorDDoS payload 11 IoCs
-
Deletes itself 1 IoCs
-
Executes dropped EXE 22 IoCs
-
Unexpected DNS network traffic destination 20 IoCs
Network traffic to other servers than the configured DNS servers was detected on the DNS port.
-
Creates/modifies Cron job 1 TTPs 2 IoCs
Cron allows running tasks on a schedule, and is commonly used for malware persistence.
-
Modifies init.d 1 TTPs 1 IoCs
Adds/modifies system service, likely for persistence.
-
Write file to user bin folder 1 TTPs 5 IoCs
-
Reads runtime system information 8 IoCs
Reads data from /proc virtual filesystem.
Processes
-
/tmp/cfde10b9d5468ee167d578bbfe93a0dc/tmp/cfde10b9d5468ee167d578bbfe93a0dc1⤵
-
/bin/shsh -c "sed -i '/\\/etc\\/cron.hourly\\/udev.sh/d' /etc/crontab && echo '*/3 * * * * root /etc/cron.hourly/udev.sh' >> /etc/crontab"1⤵
- Creates/modifies Cron job
-
/bin/sedsed -i "/\\/etc\\/cron.hourly\\/udev.sh/d" /etc/crontab2⤵
- Reads runtime system information
-
-
/bin/chkconfigchkconfig --add cfde10b9d5468ee167d578bbfe93a0dc1⤵
-
/sbin/chkconfigchkconfig --add cfde10b9d5468ee167d578bbfe93a0dc1⤵
-
/usr/bin/chkconfigchkconfig --add cfde10b9d5468ee167d578bbfe93a0dc1⤵
-
/usr/sbin/chkconfigchkconfig --add cfde10b9d5468ee167d578bbfe93a0dc1⤵
-
/usr/local/bin/chkconfigchkconfig --add cfde10b9d5468ee167d578bbfe93a0dc1⤵
-
/usr/local/sbin/chkconfigchkconfig --add cfde10b9d5468ee167d578bbfe93a0dc1⤵
-
/usr/X11R6/bin/chkconfigchkconfig --add cfde10b9d5468ee167d578bbfe93a0dc1⤵
-
/bin/update-rc.dupdate-rc.d cfde10b9d5468ee167d578bbfe93a0dc defaults1⤵
-
/sbin/update-rc.dupdate-rc.d cfde10b9d5468ee167d578bbfe93a0dc defaults1⤵
-
/usr/bin/update-rc.dupdate-rc.d cfde10b9d5468ee167d578bbfe93a0dc defaults1⤵
-
/usr/sbin/update-rc.dupdate-rc.d cfde10b9d5468ee167d578bbfe93a0dc defaults1⤵
-
/bin/systemctlsystemctl daemon-reload2⤵
- Reads runtime system information
-
-
/usr/bin/hamypkpbep/usr/bin/hamypkpbep who 15301⤵
- Executes dropped EXE
-
/usr/bin/hamypkpbep/usr/bin/hamypkpbep id 15301⤵
- Executes dropped EXE
-
/usr/bin/hamypkpbep/usr/bin/hamypkpbep "ls -la" 15301⤵
- Executes dropped EXE
-
/usr/bin/hamypkpbep/usr/bin/hamypkpbep top 15301⤵
- Executes dropped EXE
-
/usr/bin/hamypkpbep/usr/bin/hamypkpbep "grep \"A\"" 15301⤵
- Executes dropped EXE
-
/usr/bin/ncgvlfouch/usr/bin/ncgvlfouch ifconfig 15301⤵
- Executes dropped EXE
-
/usr/bin/ncgvlfouch/usr/bin/ncgvlfouch ifconfig 15301⤵
- Executes dropped EXE
-
/usr/bin/ncgvlfouch/usr/bin/ncgvlfouch who 15301⤵
- Executes dropped EXE
-
/usr/bin/ncgvlfouch/usr/bin/ncgvlfouch whoami 15301⤵
- Executes dropped EXE
-
/usr/bin/ncgvlfouch/usr/bin/ncgvlfouch "ps -ef" 15301⤵
- Executes dropped EXE
-
/usr/bin/xbsnokxptg/usr/bin/xbsnokxptg pwd 15301⤵
- Executes dropped EXE
-
/usr/bin/xbsnokxptg/usr/bin/xbsnokxptg "cat resolv.conf" 15301⤵
- Executes dropped EXE
-
/usr/bin/xbsnokxptg/usr/bin/xbsnokxptg gnome-terminal 15301⤵
- Executes dropped EXE
-
/usr/bin/xbsnokxptg/usr/bin/xbsnokxptg "netstat -an" 15301⤵
- Executes dropped EXE
-
/usr/bin/xbsnokxptg/usr/bin/xbsnokxptg pwd 15301⤵
- Executes dropped EXE
-
/usr/bin/hmprubylnr/usr/bin/hmprubylnr sh 15301⤵
- Executes dropped EXE
-
/usr/bin/hmprubylnr/usr/bin/hmprubylnr bash 15301⤵
- Executes dropped EXE
-
/usr/bin/hmprubylnr/usr/bin/hmprubylnr "sleep 1" 15301⤵
- Executes dropped EXE
-
/usr/bin/hmprubylnr/usr/bin/hmprubylnr ls 15301⤵
- Executes dropped EXE
-
/usr/bin/hmprubylnr/usr/bin/hmprubylnr "grep \"A\"" 15301⤵
- Executes dropped EXE
-
/usr/bin/nzvabqkwpm/usr/bin/nzvabqkwpm "cd /etc" 15301⤵
- Executes dropped EXE
-
/usr/bin/nzvabqkwpm/usr/bin/nzvabqkwpm "cat resolv.conf" 15301⤵
- Executes dropped EXE
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
146B
MD5ddb9a901eadce597284d68ebd9fe9311
SHA11d26318bbe55f2f936ae1015df656535427083c2
SHA2563bb8ebd394bcaea3f083d93daa3c3bcf918a4618f84ab45a1942759d16b070fc
SHA512e94bd51f02c323d2376e666a9c56a87c2f55d1805b44762d4bc6d5d60ca52e85ce996ba51142213ba783ac858660a3ba254988215b0f4d398b1e99bf132a5d1c
-
Filesize
425B
MD541392f2a82b1e26ec262dbb363dbda6d
SHA182b54f4066ec191ce118ded210652a2d2e8d0fe0
SHA256dc00ddc54dedaabfe74735842993b42b1ef478b3fa3803bf06f0bf6e71c16648
SHA5126da752747cf1ef68ac265df39d78b4874fa5c8db08a57df12387c090dd1781b3cf248b5f05e5e8e6ee201557709d3cdda58d5cc579ca1be6a4305524013a88e3
-
Filesize
722B
MD58f111d100ea459f68d333d63a8ef2205
SHA1077ca9c46a964de67c0f7765745d5c6f9e2065c3
SHA2560e5c204385b21e15b031c83f37212bf5a4ee77b51762b7b54bd6ad973ebdf354
SHA512d81767b47fb84aaf435f930356ded574ee9825ec710a2e7c26074860d8a385741d65572740137b6f9686c285a32e2951ca933393b266746988f1737aad059adb
-
Filesize
596KB
MD5cfde10b9d5468ee167d578bbfe93a0dc
SHA161646e20beb7f816cea1713f92f1d1da92450e8e
SHA256a7eb1d26c8069a933254341be5b5ebf61818d08d0867d64d48890e0ba80cff87
SHA5120faec1f88a4263c72dc87ce14c31e32ec9f353b27d944a32e0849e4015d7e0d50023ddc122673cd3b12d8614e7a53b49c5cf87758990c21a7e6e8b6d8a8a4596
-
Filesize
32B
MD5d873849f8f99db97515b0bec77fc4197
SHA1b0471029000fb2260a86b89eb41e8b7a8cee38ae
SHA25627cd6e1121a0c6154154258454c31ef2382b7c23bd98b171de21d24b75bca301
SHA5129b6d939db2d54c977d4e6654568602313120165f45d402b21268664db8d7c2efbd28666ed36b437c98e01862988639335b0fd0ec5e68cbd821868546fca1c0f0
-
Filesize
596KB
MD567e3cfb2756121930ebc9ca717aa796c
SHA1cfa5bba9eee5e6d065e81b664c812678937dd14b
SHA2562774d1c94f5977bb78e7f11c23cd924560e712a7dc8e4bb5af2a8a941e3830c2
SHA512058ff53c60fac67d7f06a9c18b7066466cee49b9185e8984cbfacee5130bb6c850df401e1176befcb9dc192e63aec1421c3c1a067c0996e61b5e9dedf533148b
-
Filesize
596KB
MD540fbedacb82c48eda675f80acbb31a86
SHA182a0410250494fe67cd70feb3b01f98aee8404b4
SHA2564544960e14985470178feb42c78a129ebb10b5ef373ce697348bca6cfc7cb009
SHA512128bb37c66cc95d8677663c0de493842643b4ddc2f05bbefab221da68a17e8101c28407d80f5e621305c6e770b9cd9f5c32603fe43e7309a7cf13b7fd26856e5
-
Filesize
154KB
MD5511ab46da4e85c82faf3ed60025ad936
SHA1c1d01fa9171658d224629727e70b719645a1d9c5
SHA25673171119ccd23b79d6e197ea12e25453ac8b0ec024c7fda248b2fdd233b072ae
SHA5122dbf5a3cd730793b8c4889e864d1674cac55abc19c7232508f3711ede163503fb4b62716fcfc499bcbbf72f9a140d3ad5a1acb7df8f5a02bfbb26d5b762b8f75
-
Filesize
596KB
MD5ec82c87abda940a41cfea64770ea8bbd
SHA1a33f18f720ed8acbd18367a031c24f924f21b8bf
SHA25624d86bdf6c4a2540c3683871f5044a00cc0e13751501897abbe66dd139e9e8bf
SHA512530cb60114ed34fa581b79c3e1b7502474fc95e22fb216b4fae4007b67bac54d9863bf3ab9d2c30a1c84d75b5184c856c04d2718707c80f83ae0ef08c4190d0b
-
Filesize
596KB
MD52a4b1355221a3b4c306407c1dab1ec26
SHA1f3048b79df4220510eeb017d58ba5ab989a8ac34
SHA256952709d6aeb1777219dcd91743837ebbe52f8a3360c65e836281c1c23055be7e
SHA512b5429789fb8904eccd4430281bd2a9a0c71345501af8703efc38f0fe7756e0364a95439af19e77444cfe56f81385f680ce4692f0a8ea2c1d15cc64c858539b0c
-
Filesize
596KB
MD5724b5411072119735d511f66c00f9935
SHA149dcfb5e484eb3f6456f95db3b5708fcb841c24c
SHA2564d51d989bb8de434af4294a9b908b874d5818af62030b6aadd0556630f668fac
SHA5120f2f08a98f9a5a8731943448c66e6f10a6708c37944cb2b019528d70ebbc18067ce52750a0ea2b8a05ac77b2931ebc4d0d01766248956bc959b2e4b5a73939e3
-
Filesize
596KB
MD56ddd1027a43f10788c69e8a259e1d072
SHA1e38d0005a5a3120e6331cbf0cef5d315164bebf4
SHA2565d6a1b0aec5f889e8aaaa60129dc9e1a0c85fa3dde355a9f9f001f1178dd6ea6
SHA51261d443342636501f4a995b23f443e59c24b8acdabacaaebab50d40190bdf1b78b30cdeb56be52a6338549844540aece9a93520b04f8ccb5fe1cff2dc75fbaac7
-
Filesize
11KB
MD590c6c23b430d118ae7a64030f71e9f94
SHA14c85a43758bb10e47c6777b8c639303181a4822d
SHA2560f5de2b8e954dceddad74ebed7625fccfaa3553fbf0b8afa301ca997c28f4d4f
SHA5123e1fa55a4317ee2de6e50b729a2b401bf80c7924ff65352239760fb505c5406e250b24f6a2d315c44de85f52f9587ebe4c11f0beb99426ba52215286112bbb90
-
Filesize
596KB
MD54a3477ee5a050fcec1ef7aa815a182d8
SHA122fec3a63a6ebcd877958b77e92262c05913b023
SHA2565fb63213774a9a757c676548e37c41d3bd1f86b6a7a4e535dd36c8c05448a54b
SHA512e15ea188a043ae63d12c8bf7efb942218fc34b61757ed797a395f46243c981f1ff79839d972359462ad057450ad4dbd6d6ad91b05d3385cda1566f1c2c5451b4
-
Filesize
596KB
MD587ac535ce9ab0a43d5bdce47350b19ab
SHA1cf78e309fa5759d2de98d8ad670a2f44f7698b76
SHA256171fefbf729995da313ed1f7ad61ea5dc2bd45a55c5998429cf6b84d533467f7
SHA512240f9e69daa63c80a126f3b32f8d030370eb3ae71eed1df3d3387b2532f290ef02f363851879ed1ddb8eb120a5f4542c5a13ae9641561d90620fbd25d607467d