Resubmissions
10-01-2024 09:22
240110-lb7gysdfd5 1002-01-2024 22:09
240102-1262fabeej 1002-01-2024 20:59
240102-zsqsesebc6 10Analysis
-
max time kernel
383s -
max time network
1801s -
platform
ubuntu-18.04_amd64 -
resource
ubuntu1804-amd64-20231222-en -
resource tags
-
submitted
02-01-2024 20:59
General
-
Target
BFtZ.bin
-
Size
535KB
-
MD5
35793cbfd0a4376ea9380ffed9182334
-
SHA1
31e5d905407966ca953def90eb45df417127cf38
-
SHA256
303bb187a06415eedc0c5ece5692fe05b03e286435472d0e4fd4ca9386d9acf4
-
SHA512
89fc15518e82cb7c7f97acb433a1881612d404585b5228e4554a3f9e58c3db7e9a057f669d98c11c10cf3dd5e73b48a9ebf2b983319eae709d9751f21dfaaf4a
-
SSDEEP
12288:4Ufrcn+vwK5ripVU4tdZ1pNL/pVbz266ySjQn36Eoj:/fUywKQ7Fb1pNL/p52fjQn36Eu
Malware Config
Extracted
xorddos
http://aa.hostasa.org/config.rar
ppp.gggatat456.com:1522
ppp.xxxatat456.com:1522
www1.gggatat456.com:1522
-
crc_polynomial
EDB88320
Signatures
-
XorDDoS
Botnet and downloader malware targeting Linux-based operating systems and IoT devices.
-
XorDDoS payload 12 IoCs
-
Creates a large amount of network flows 1 TTPs
This may indicate a network scan to discover remotely running services.
-
Executes dropped EXE 21 IoCs
-
Checks CPU configuration 1 TTPs 1 IoCs
Checks CPU information which indicate if the system is a virtual machine.
-
Creates/modifies Cron job 1 TTPs 2 IoCs
Cron allows running tasks on a schedule, and is commonly used for malware persistence.
-
Modifies init.d 1 TTPs 1 IoCs
Adds/modifies system service, likely for persistence.
-
Write file to user bin folder 1 TTPs 5 IoCs
-
Reads runtime system information 10 IoCs
Reads data from /proc virtual filesystem.
Processes
-
/tmp/BFtZ.bin/tmp/BFtZ.bin1⤵
-
/bin/chkconfigchkconfig --add BFtZ.bin1⤵
-
/sbin/chkconfigchkconfig --add BFtZ.bin1⤵
-
/usr/bin/chkconfigchkconfig --add BFtZ.bin1⤵
-
/usr/sbin/chkconfigchkconfig --add BFtZ.bin1⤵
-
/usr/local/bin/chkconfigchkconfig --add BFtZ.bin1⤵
-
/usr/local/sbin/chkconfigchkconfig --add BFtZ.bin1⤵
-
/usr/X11R6/bin/chkconfigchkconfig --add BFtZ.bin1⤵
-
/bin/update-rc.dupdate-rc.d BFtZ.bin defaults1⤵
-
/sbin/update-rc.dupdate-rc.d BFtZ.bin defaults1⤵
-
/usr/bin/update-rc.dupdate-rc.d BFtZ.bin defaults1⤵
-
/usr/sbin/update-rc.dupdate-rc.d BFtZ.bin defaults1⤵
-
/bin/systemctlsystemctl daemon-reload2⤵
- Reads runtime system information
-
-
/bin/shsh -c "sed -i '/\\/etc\\/cron.hourly\\/gcc.sh/d' /etc/crontab && echo '*/3 * * * * root /etc/cron.hourly/gcc.sh' >> /etc/crontab"1⤵
- Creates/modifies Cron job
-
/bin/sedsed -i "/\\/etc\\/cron.hourly\\/gcc.sh/d" /etc/crontab2⤵
- Reads runtime system information
-
-
/usr/bin/sqodlivvxc/usr/bin/sqodlivvxc id 15551⤵
- Executes dropped EXE
-
/usr/bin/sqodlivvxc/usr/bin/sqodlivvxc id 15551⤵
- Executes dropped EXE
-
/usr/bin/sqodlivvxc/usr/bin/sqodlivvxc id 15551⤵
- Executes dropped EXE
-
/usr/bin/sqodlivvxc/usr/bin/sqodlivvxc "sleep 1" 15551⤵
- Executes dropped EXE
-
/usr/bin/sqodlivvxc/usr/bin/sqodlivvxc "ps -ef" 15551⤵
- Executes dropped EXE
-
/usr/bin/untoyviptv/usr/bin/untoyviptv id 15551⤵
- Executes dropped EXE
-
/usr/bin/untoyviptv/usr/bin/untoyviptv top 15551⤵
- Executes dropped EXE
-
/usr/bin/untoyviptv/usr/bin/untoyviptv su 15551⤵
- Executes dropped EXE
-
/usr/bin/untoyviptv/usr/bin/untoyviptv su 15551⤵
- Executes dropped EXE
-
/usr/bin/untoyviptv/usr/bin/untoyviptv "ifconfig eth0" 15551⤵
- Executes dropped EXE
-
/usr/bin/gcumabeptt/usr/bin/gcumabeptt "ps -ef" 15551⤵
- Executes dropped EXE
-
/usr/bin/gcumabeptt/usr/bin/gcumabeptt pwd 15551⤵
- Executes dropped EXE
-
/usr/bin/gcumabeptt/usr/bin/gcumabeptt top 15551⤵
- Executes dropped EXE
-
/usr/bin/gcumabeptt/usr/bin/gcumabeptt pwd 15551⤵
- Executes dropped EXE
-
/usr/bin/gcumabeptt/usr/bin/gcumabeptt "ifconfig eth0" 15551⤵
- Executes dropped EXE
-
/usr/bin/ypvmosgrwj/usr/bin/ypvmosgrwj "netstat -antop" 15551⤵
- Executes dropped EXE
-
/usr/bin/ypvmosgrwj/usr/bin/ypvmosgrwj top 15551⤵
- Executes dropped EXE
-
/usr/bin/ypvmosgrwj/usr/bin/ypvmosgrwj ifconfig 15551⤵
- Executes dropped EXE
-
/usr/bin/ypvmosgrwj/usr/bin/ypvmosgrwj id 15551⤵
- Executes dropped EXE
-
/usr/bin/ypvmosgrwj/usr/bin/ypvmosgrwj id 15551⤵
- Executes dropped EXE
-
/usr/bin/cnpegqpdiv/usr/bin/cnpegqpdiv "ls -la" 15551⤵
- Executes dropped EXE
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
228B
MD53bab747cedc5f0ebe86aaa7f982470cd
SHA13c7d1c6931c2b3dae39d38346b780ea57c8e6142
SHA25674d31cac40d98ee64df2a0c29ceb229d12ac5fa699c2ee512fc69360f0cf68c5
SHA51221e8a6d9ca8531d37def83d8903e5b0fa11ecf33d85d05edab1e0feb4acac65ae2cf5222650fb9f533f459ccc51bb2903276ff6f827b847cc5e6dac7d45a0a42
-
Filesize
305B
MD50d22b5f635edd1830371ddb142ab4291
SHA1f26bd3ef8886462b311518a6219596c72f33aeeb
SHA2563d0b507735a60157692021de68649fc9a851032b42b57fadcb362e7772511aba
SHA51222b2f21ab5f8ee868530f8a34755a198093725e573ab8b50ecc28ae2cf382e10af78b406dcb37584ee4030f285719fc50cb7a5a28f8f45c41092e46cdcedd288
-
Filesize
722B
MD58f111d100ea459f68d333d63a8ef2205
SHA1077ca9c46a964de67c0f7765745d5c6f9e2065c3
SHA2560e5c204385b21e15b031c83f37212bf5a4ee77b51762b7b54bd6ad973ebdf354
SHA512d81767b47fb84aaf435f930356ded574ee9825ec710a2e7c26074860d8a385741d65572740137b6f9686c285a32e2951ca933393b266746988f1737aad059adb
-
Filesize
355KB
MD5117d4674fc6dde8d0481f5c39625c653
SHA13e0fda7f55089e527ef0e493e3d0c7c35649d245
SHA256fcc553206b9c554f047993c4f4df11c955726404ad1e09e32d7a4122973c7c00
SHA5129d44a45afed555a1ba28b8f8fbaa690aa52b5c2e0335b923101935b42508037835382be8fd47ebbc8a6353bf95d98fe018404666e02ac1880ceb3620e5c3815d
-
Filesize
535KB
MD524435973e757d2c0634d137e698281a6
SHA197afa47ae00f408123415be8ee6180dfecef48da
SHA25694ebb26b78ebcb55bdbc4644e6f52d4254e8eb69d08535d5117a7a5e857fbc71
SHA512849461fa57eaef029ad68944047f939fe6fcce36d66b940b391d2604f44db6020d29e48b3a8b87ed84037a828da8c939b438e6b362fa682d6155b188b2b57b4f
-
Filesize
535KB
MD588182bae6721172b95ef10aee5412519
SHA14cd53508e57aa86d5889a1629988053554890dac
SHA256eca7990259385e94f090fed46be33ada2a0e84f2c29d5387d76f2161f188c6d9
SHA512b9c5d353fc39a8abd98974869fc746d71d9a9f322778b2638c2ed269f65f1c15e6a8850b3b43fc50e37158075c57b96847fe68359e32c32925efd2b54fd01c15
-
Filesize
535KB
MD5cb9202f7c05c9610eb22160bdd23a5f2
SHA17200aad5870a664f226d54db2ee9f369af12c12b
SHA25662b6ab0aadfd824fb1075f223a30e63bd3bcab0acc271be605c943a84e7d2d06
SHA5125fdbb3a443ee58c5df954c6fd1e3471a57bad17268459e8ed602c5c59c7251bb157438ee5daffee70022b75d084a3795ff9c5a0f9c50a9d5f67023e347f8bac3
-
Filesize
535KB
MD54f4dd1f5daac2ab7515d9b58b6e3932c
SHA19a895bf672e744132e06eb54a1062d0e3ecf1b82
SHA2568210755c45ecad1a32d76e27543522556f978fc17869e6ece5ef5154201fed65
SHA5126a4cd3685b914ef709c1bc33b995ed54f3864c2b8aad7bb9a0477664953b1a874dc889325a8ca23a2815aceb13b6c64d3ed3d730055dbeb4a1c874c2e4711678
-
Filesize
535KB
MD535793cbfd0a4376ea9380ffed9182334
SHA131e5d905407966ca953def90eb45df417127cf38
SHA256303bb187a06415eedc0c5ece5692fe05b03e286435472d0e4fd4ca9386d9acf4
SHA51289fc15518e82cb7c7f97acb433a1881612d404585b5228e4554a3f9e58c3db7e9a057f669d98c11c10cf3dd5e73b48a9ebf2b983319eae709d9751f21dfaaf4a
-
Filesize
535KB
MD5669f4c551b4afc06a233c49e9a32264a
SHA174fc0b9a8fe7a01534e644604aa271d3dffe618a
SHA256c2420a0f14d4562ddf5297cd882fbf50f9a675e94503a50442f68e6f5ca04cee
SHA51262c966a6302ad336a43c151c0c02ecac9f39b4debf905870cae4aa47269bd64d841a8008dc2b2a33d8456d0725ddeb04d23496a9c5c2a7a4c3e4d039863e7984
-
Filesize
535KB
MD5e03308470b02bc21213a917b4eabd87d
SHA1f9f8f78119d41a40de31a0af03c27f0f574bed67
SHA256e201c64ac9278ccd05b039d8408bf5c703681ce9a0b56e431f2f2ad9b568283b
SHA512db90ff2237039665e5c00154e0e8ae5442506fccdebd7bbc48315b1a6b79f7483d985e600a0192531fc193aa142f41d539bee8a5ae8cb31147ce9861e98ad309
-
Filesize
535KB
MD555873f8eec0e23970c6a05b3119f1c4d
SHA13d6f5e4b551498c67d288e3863aec5fb2134d475
SHA2563e2881762edc3656b97641fcf7e80746d237c3848b6e290b2d6b6ccb67576fdd
SHA51213e49c7e78bfed30c59811d7494de50f8ec2c9bef31e78e8358476fba850b56079230741321e73ce1ad20d3f256b817c77fa326c8c936888a34b9e9ed14ef928
-
Filesize
535KB
MD572501fdbe3e55d49ad02d8db8a98fdaf
SHA123380d9e3ecbba891f4f0509353efecbf9934d53
SHA256e6b88cc94c2d8883f7d5f4a3c68f54702661d9cd867d96a3759d8dc8f4f57080
SHA5124f09181d20ee44ad13f5409da2944959b5127e4064fe6df5b324ddbaf92090757690afd6f3f953c60b401ace01161b7c6fc5216b69f77d653a26524c619597c2
-
Filesize
535KB
MD5390cf78a786e224425f9a957f6757ca4
SHA10eb43b8d2848459210a5e4a6ee8fa6d16e466155
SHA2565dbf542dd5a960482e7870b53d55f68a0065e7be887e5c36aa25f1cfd3c3840d
SHA512510deb72ef9421ff383309578ce37401ad6a9bc0d2d64e757cc33632e95358ad7703224b3334a0b1afaa199a69d95624f0ee66498e93326cd3b365ebfcf13015
-
Filesize
535KB
MD5e61cb95169841eddf3da16f2d2e12db7
SHA174e38f9f7d351401b29a8d68a23084ffe9e73f45
SHA2565d6083262639ab217f49f88a123d50850ab1a4f5ed8b31e70584e296972cc14c
SHA5122ab178bd994b1a5b590d7c4a331a9a219b655a9856703f3e8a84d8f7c6c79ec6b72648498a060b57458a26b0c53d58c182fcb4e05a440b5365d1970dbc063140