Overview

overview

10

Static

static

10

2a91a3170a...9120de

ubuntu-18.04-amd64

10

Analysis

  • max time kernel
    44s
  • max time network
    70s
  • platform
    ubuntu-18.04_amd64
  • resource
    ubuntu1804-amd64-20231215-en
  • resource tags

    arch:amd64arch:i386image:ubuntu1804-amd64-20231215-enkernel:4.15.0-213-genericlocale:en-usos:ubuntu-18.04-amd64system
  • submitted
    31/12/2023, 05:46

Sharing

Copy URL Twitter E-mail
Report Analysis Logs

General

  • Target

    2a91a3170a5fd4fb3e30f3d63b9120de

  • Size

    546KB

  • MD5

    2a91a3170a5fd4fb3e30f3d63b9120de

  • SHA1

    1a7a226833f43fdaee71cb6f84914f9a1e87de81

  • SHA256

    c9bd6d01eb7258fef88ec5c9276431c1db45f063b316f83943e45b6a40a76783

  • SHA512

    2d396f7fd0e661a2f15a1f0dc51341b89d9b28f6742a4bdfb7fe9115c5c7b44d9b8ac6e1c5e492f5971c2f9595f17c4154d979f7183df23d8f52ab0e24834d3f

  • SSDEEP

    12288:D3P1A0+Kvdnd4Asvhc27/ao+PzENGtkZg0/CedRlZRqR6ysen:Dfm0+KlZsJc27io2zYGtk20/LdF0+8

Score
10/10
xorddosbotnetdownloaderpersistence

Malware Config

Extracted

Family

xorddos

C2

topbannersun.com:5993

wowapplecar.com:5993
Attributes
  • crc_polynomial

    CDB88320

xor.plain

Signatures

  • XorDDoS

    Botnet and downloader malware targeting Linux-based operating systems and IoT devices.

    botnetdownloaderxorddos
  • XorDDoS payload 4 IoCs
  • Deletes itself 34 IoCs
  • Executes dropped EXE 34 IoCs
  • Creates/modifies Cron job 1 TTPs 1 IoCs

    Cron allows running tasks on a schedule, and is commonly used for malware persistence.

    persistence
  • Modifies init.d 1 TTPs 1 IoCs

    Adds/modifies system service, likely for persistence.

    persistence
  • Writes file to system bin folder 1 TTPs 35 IoCs
  • Writes file to shm directory 2 IoCs

    Malware can drop malicious files in the shm directory which will run directly from RAM.

  • Writes file to tmp directory 2 IoCs

    Malware often drops required files in the /tmp directory.

Processes

  • /tmp/2a91a3170a5fd4fb3e30f3d63b9120de
    /tmp/2a91a3170a5fd4fb3e30f3d63b9120de
    1⤵
      PID:1571
    • /bin/qaifsncvy
      /bin/qaifsncvy -d 1572
      1⤵
      • Executes dropped EXE
      PID:1576
    • /bin/drszqdetl
      /bin/drszqdetl -d 1572
      1⤵
      • Executes dropped EXE
      PID:1582
    • /bin/puceawkxv
      /bin/puceawkxv -d 1572
      1⤵
      • Executes dropped EXE
      PID:1585
    • /bin/bkdjyevmsazwts
      /bin/bkdjyevmsazwts -d 1572
      1⤵
      • Executes dropped EXE
      PID:1588
    • /bin/lxcfkjwflafjne
      /bin/lxcfkjwflafjne -d 1572
      1⤵
      • Executes dropped EXE
      PID:1591
    • /bin/iigzmsijeefr
      /bin/iigzmsijeefr -d 1572
      1⤵
      • Executes dropped EXE
      PID:1604
    • /bin/lqezzdsusruuyk
      /bin/lqezzdsusruuyk -d 1572
      1⤵
      • Executes dropped EXE
      PID:1607
    • /bin/urdfbkeneoy
      /bin/urdfbkeneoy -d 1572
      1⤵
      • Executes dropped EXE
      PID:1610
    • /bin/sdczpsfqt
      /bin/sdczpsfqt -d 1572
      1⤵
      • Executes dropped EXE
      PID:1613
    • /bin/iodbixaum
      /bin/iodbixaum -d 1572
      1⤵
      • Executes dropped EXE
      PID:1616
    • /bin/owoijyymag
      /bin/owoijyymag -d 1572
      1⤵
      • Executes dropped EXE
      PID:1619
    • /bin/aessvanoadkpl
      /bin/aessvanoadkpl -d 1572
      1⤵
      • Executes dropped EXE
      PID:1622
    • /bin/njhprutvt
      /bin/njhprutvt -d 1572
      1⤵
      • Executes dropped EXE
      PID:1625
    • /bin/mhwvzgkzkcsie
      /bin/mhwvzgkzkcsie -d 1572
      1⤵
      • Executes dropped EXE
      PID:1628
    • /bin/wfkiwydlhmd
      /bin/wfkiwydlhmd -d 1572
      1⤵
      • Executes dropped EXE
      PID:1631
    • /bin/zslioiiuujhxb
      /bin/zslioiiuujhxb -d 1572
      1⤵
      • Executes dropped EXE
      PID:1634
    • /bin/dknkvxita
      /bin/dknkvxita -d 1572
      1⤵
      • Executes dropped EXE
      PID:1637
    • /bin/cmzduxevq
      /bin/cmzduxevq -d 1572
      1⤵
      • Executes dropped EXE
      PID:1640
    • /bin/dgznduxmtadyl
      /bin/dgznduxmtadyl -d 1572
      1⤵
      • Executes dropped EXE
      PID:1643
    • /bin/liptbp
      /bin/liptbp -d 1572
      1⤵
      • Executes dropped EXE
      PID:1646
    • /bin/lnbizwk
      /bin/lnbizwk -d 1572
      1⤵
      • Executes dropped EXE
      PID:1649
    • /bin/vvugdjz
      /bin/vvugdjz -d 1572
      1⤵
      • Executes dropped EXE
      PID:1652
    • /bin/yrmdfxarmutss
      /bin/yrmdfxarmutss -d 1572
      1⤵
      • Executes dropped EXE
      PID:1655
    • /bin/zdrbntzxv
      /bin/zdrbntzxv -d 1572
      1⤵
      • Executes dropped EXE
      PID:1658
    • /bin/vqcyzehavtd
      /bin/vqcyzehavtd -d 1572
      1⤵
      • Executes dropped EXE
      PID:1660
    • /bin/ambuhtzh
      /bin/ambuhtzh -d 1572
      1⤵
      • Executes dropped EXE
      PID:1666
    • /bin/dqxyjaa
      /bin/dqxyjaa -d 1572
      1⤵
      • Executes dropped EXE
      PID:1669
    • /bin/iuhlkdhddhsdv
      /bin/iuhlkdhddhsdv -d 1572
      1⤵
      • Executes dropped EXE
      PID:1672
    • /bin/djcasx
      /bin/djcasx -d 1572
      1⤵
      • Executes dropped EXE
      PID:1675
    • /bin/csespee
      /bin/csespee -d 1572
      1⤵
      • Executes dropped EXE
      PID:1678
    • /bin/wnrzcf
      /bin/wnrzcf -d 1572
      1⤵
      • Executes dropped EXE
      PID:1681
    • /bin/vaasej
      /bin/vaasej -d 1572
      1⤵
      • Executes dropped EXE
      PID:1684
    • /bin/ftcsgiytshzdj
      /bin/ftcsgiytshzdj -d 1572
      1⤵
      • Executes dropped EXE
      PID:1687
    • /bin/xpltfcshheejez
      /bin/xpltfcshheejez -d 1572
      1⤵
      • Executes dropped EXE
      PID:1690

    Network

          MITRE ATT&CK Enterprise v15

          Replay Monitor

          Loading Replay Monitor...

          Downloads

          • /bin/ftcsgiytshzdj
            Filesize

            172KB

            MD5

            cd2d418518c0079d67208edd0d19486e

            SHA1

            9529bccf87fb7a5d71a9f68fb80ddcd658df47c0

            SHA256

            86d48d84d9e059f370acebbcdd6ea07fb3a09e2f576aa679e3dcc61ba22d1fe5

            SHA512

            7292ff19773ec5b2556cc9b9465fa91f212d89945f0cc2d0c98d0d6dae37cabe4c70b166e710f729f7a84d50d826a884bd6d4a136e5739107aec32883afb51d2

            Download Submit

          • /bin/iigzmsijeefr
            Filesize

            3KB

            MD5

            4c929c0a88a23ed32fde904d1c9a609c

            SHA1

            3c7a6df6f16677425a6f10fa7da07d587ddb9758

            SHA256

            fec04f59985d0f108e14c339fcb1aa6174d04cc6c9850aa311be3e9501713981

            SHA512

            3a0d08aa10f617d7b2bd7597cfacb2b1ae450d20e986238ac20d8bab7cf83b496816e84b225f0e2f765e4d4ee0847dc79f2e14ecbed91404ef2ef1e12becc3f6

            Download Submit

          • /bin/owoijyymag
            Filesize

            68KB

            MD5

            6e079084758750272be4b280314972b7

            SHA1

            5d3ca1dfdf83a471a745244ed5742571075ba59d

            SHA256

            c9907ff14a50d4f1bf9dae0615c997e932b618f1b9f387d461fdb65a55348f68

            SHA512

            8d71c689d9b7dcdfff627bb221ca5d917b7f2f1e4f34ea20e2cbabf1dfcc577e66d4eeb337860e5654ac6c709bd64a4514800163bbaea2e2f056fa406cc47b38

            Download Submit

          • /dev/shm/sem.8xQc0N
            Filesize

            16B

            MD5

            076933ff9904d1110d896e2c525e39e5

            SHA1

            4188442577fa77f25820d9b2d01cc446e30684ac

            SHA256

            4cbbd8ca5215b8d161aec181a74b694f4e24b001d5b081dc0030ed797a8973e0

            SHA512

            6fcee9a7b7a7b821d241c03c82377928bc6882e7a08c78a4221199bfa220cdc55212273018ee613317c8293bb8d1ce08d1e017508e94e06ab85a734c99c7cc34

            Download Submit

          • /etc/cron.hourly/ed0219b36d3f03e3bf4df5a0713a19a2.sh
            Filesize

            169B

            MD5

            587f5ef1cda1d56140b1219f58615dd7

            SHA1

            6223c708ca00614ddd1493b9b5c27dd45f5821f4

            SHA256

            6c38a750a954676f68a53934773775260207feb363a4baf98e3092153d611bc1

            SHA512

            a24536f90e12981fc35e12613a37430e8b14b1c38e2ecabd0d80aaac21220dc93b7d83f7cbe77dbb4ecedc2168f215637b056252da22d40ce31f7327eec5de32

            Download Submit

          • /etc/daemon.cfg
            Filesize

            32B

            MD5

            58aa00d2d03e609d2be4500364e22a97

            SHA1

            03bf04f147c3a45ae5c415c42d0d407cd29767bb

            SHA256

            588f4dddf3049936d0e0d343c2cc6e0179d19745ee9b8819abcb869d14673cf2

            SHA512

            3b12d81240d87e23a170f73a580d13130ec09b8f7cb6a852e26c9c9d07dfa110d5fd7d5fcff8e1bdb47237521cbeb752d6c3561e328cd59852bfc4223d9710da

            Download Submit

          • /etc/init.d/ed0219b36d3f03e3bf4df5a0713a19a2
            Filesize

            448B

            MD5

            63786e169c94538975e45c139599d816

            SHA1

            d71443c31708add02f323523884b7d0e42e6b1cc

            SHA256

            113aaf92371586816c7e770ae3ee3d6a151f7ccc652f09a38f84c9b0f2edd69b

            SHA512

            fcc8ba9769022fc994eb64bb5a1e7676efc679f13984927680ebf690bb80900dd6f42bb9e3405f0be53fa58678ecb22044759731ae092be19909e0aa23536aae

            Download Submit

          • /tmp/ed0219b36d3f03e3bf4df5a0713a19a2
            Filesize

            546KB

            MD5

            2a91a3170a5fd4fb3e30f3d63b9120de

            SHA1

            1a7a226833f43fdaee71cb6f84914f9a1e87de81

            SHA256

            c9bd6d01eb7258fef88ec5c9276431c1db45f063b316f83943e45b6a40a76783

            SHA512

            2d396f7fd0e661a2f15a1f0dc51341b89d9b28f6742a4bdfb7fe9115c5c7b44d9b8ac6e1c5e492f5971c2f9595f17c4154d979f7183df23d8f52ab0e24834d3f

            Download Submit