Analysis

  • max time kernel
    51s
  • max time network
    160s
  • platform
    ubuntu-18.04_amd64
  • resource
    ubuntu1804-amd64-20231215-en
  • resource tags

    arch:amd64, arch:i386, image:ubuntu1804-amd64-20231215-en, kernel:4.15.0-213-generic, locale:en-us, os:ubuntu-18.04-amd64, system
  • submitted
    03-01-2024 22:53

General

  • Target

    112s

  • Size

    549KB

  • MD5

    f9191bab1e834d4aef3380700639cee9

  • SHA1

    9c20269df6694260a24ac783de2e30d627a6928a

  • SHA256

    ea40ecec0b30982fbb1662e67f97f0e9d6f43d2d587f2f588525fae683abea73

  • SHA512

    3d2758fe2d06183e627b5cc24919c08c84108f2efd7ab0a162029d55537476410d9535d50f3eb059f7153f7482c134284862eea121201f82838aace4b12283b5

  • SSDEEP

    12288:VeRvuKqiVZ4En5drNK0pPEfJKlHZ8mG97Qxee6yzmx:VIv/qiVNHNDEfJKHZ8mG9QeeO

Malware Config

Extracted

Family

xorddos

C2

api.markerbio.com:112

api.enoan2107.com:112

http://qq.com/lib.asp

Attributes
  • crc_polynomial

    CDB88320

  • xor.plain
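The crc_polynomial attribute is the reflected CRC-32 polynomial the config extractor recovered from the sample; it differs by one bit from the standard polynomial 0xEDB88320 that zlib and Python's binascii use, so checksums computed by this sample will not match a stock CRC-32 of the same bytes. Added example, not part of this report and not the sample's own code: a table-driven reflected CRC-32 parameterised by polynomial, validated against binascii.crc32 for the standard polynomial and then run with the report's polynomial. The init value 0xFFFFFFFF and final XOR 0xFFFFFFFF are assumptions (the standard convention); the report states only the polynomial, not which data the sample checksums or with what init/xorout. The sample input is constructed from one of the C2 strings above.

```python
import binascii

STANDARD_POLY = 0xEDB88320   # reflected CRC-32 polynomial used by zlib / binascii.crc32
REPORT_POLY = 0xCDB88320     # crc_polynomial from the extracted config above


def make_table(poly):
    """Build the 256-entry lookup table for a reflected (LSB-first) CRC-32
    with the given polynomial."""
    table = []
    for i in range(256):
        c = i
        for _ in range(8):
            c = (c >> 1) ^ poly if c & 1 else c >> 1
        table.append(c)
    return table


def crc32(data, poly=STANDARD_POLY, init=0xFFFFFFFF, xorout=0xFFFFFFFF):
    """Reflected, table-driven CRC-32.

    init and xorout default to the standard convention. For the report's
    polynomial these are an assumption: the report gives only the polynomial.
    """
    table = make_table(poly)
    crc = init
    for b in data:
        crc = table[(crc ^ b) & 0xFF] ^ (crc >> 8)
    return (crc ^ xorout) & 0xFFFFFFFF


def compare(data):
    """Return (standard CRC-32, CRC-32 with the report's polynomial) for data."""
    return crc32(data, STANDARD_POLY), crc32(data, REPORT_POLY)


if __name__ == "__main__":
    sample = b"api.markerbio.com:112"   # constructed input: one of the C2 strings above
    std, custom = compare(sample)
    assert std == binascii.crc32(sample)  # the generic routine reproduces zlib's CRC-32
    print(f"standard polynomial 0x{STANDARD_POLY:08X}: 0x{std:08X}")
    print(f"report polynomial   0x{REPORT_POLY:08X}: 0x{custom:08X}")
```

The lookup tables diverge from entry 1 onward (0x77073096 for the standard polynomial, 0x67473096 for the report's), so a disassembler or YARA search for the familiar CRC-32 table constants will not find this sample's table; generate the table from 0xCDB88320 and search for those constants instead.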

Signatures

  • XorDDoS

    Botnet and downloader malware targeting Linux-based operating systems and IoT devices.

  • XorDDoS payload 2 IoCs
  • Deletes itself 28 IoCs
  • Executes dropped EXE 28 IoCs
  • Unexpected DNS network traffic destination 3 IoCs

    Network traffic to other servers than the configured DNS servers was detected on the DNS port.

  • Creates/modifies Cron job 1 TTPs 1 IoCs

    Cron allows running tasks on a schedule, and is commonly used for malware persistence.

  • Enumerates active TCP sockets 1 TTPs 1 IoCs

    Gets active TCP sockets from /proc virtual filesystem.

  • Modifies init.d 1 TTPs 1 IoCs

    Adds/modifies system service, likely for persistence.

  • Writes file to system bin folder 1 TTPs 31 IoCs
  • Reads system network configuration 1 TTPs 1 IoCs

    Uses contents of /proc filesystem to enumerate network settings.

  • Writes file to shm directory 2 IoCs

    Malware can drop files in the shm directory (/dev/shm, a RAM-backed tmpfs), so the payload never touches disk and disappears on reboot.

Processes

  • /tmp/112s
    /tmp/112s
    1⤵
      PID:1541
    • /bin/tdhxjggrmezmk
      /bin/tdhxjggrmezmk
      1⤵
      • Executes dropped EXE
      PID:1545
    • /bin/vbtdqeqfghitjy
      /bin/vbtdqeqfghitjy -d 1546
      1⤵
      • Executes dropped EXE
      PID:1550
    • /bin/lpeejim
      /bin/lpeejim -d 1546
      1⤵
      • Executes dropped EXE
      PID:1556
    • /bin/gutsjlh
      /bin/gutsjlh -d 1546
      1⤵
      • Executes dropped EXE
      PID:1559
    • /bin/gljuvg
      /bin/gljuvg -d 1546
      1⤵
      • Executes dropped EXE
      PID:1562
    • /bin/sxsmwozkdf
      /bin/sxsmwozkdf -d 1546
      1⤵
      • Executes dropped EXE
      PID:1564
    • /bin/mocoojijdtu
      /bin/mocoojijdtu -d 1546
      1⤵
      • Executes dropped EXE
      PID:1568
    • /bin/mbyxvvelobea
      /bin/mbyxvvelobea -d 1546
      1⤵
      • Executes dropped EXE
      PID:1571
    • /bin/ubjygcm
      /bin/ubjygcm -d 1546
      1⤵
      • Executes dropped EXE
      PID:1574
    • /bin/eclpkuvdrirug
      /bin/eclpkuvdrirug -d 1546
      1⤵
      • Executes dropped EXE
      PID:1577
    • /bin/rbtcpwirvdshd
      /bin/rbtcpwirvdshd -d 1546
      1⤵
      • Executes dropped EXE
      PID:1580
    • /bin/mbqsshtnlljuch
      /bin/mbqsshtnlljuch -d 1546
      1⤵
      • Executes dropped EXE
      PID:1583
    • /bin/xqcybtv
      /bin/xqcybtv -d 1546
      1⤵
      • Executes dropped EXE
      PID:1586
    • /bin/pgbwlfgjrjbjck
      /bin/pgbwlfgjrjbjck -d 1546
      1⤵
      • Executes dropped EXE
      PID:1589
    • /bin/pvqbpuioraqpb
      /bin/pvqbpuioraqpb -d 1546
      1⤵
      • Executes dropped EXE
      PID:1592
    • /bin/nvbtxxgefpwps
      /bin/nvbtxxgefpwps -d 1546
      1⤵
      • Executes dropped EXE
      PID:1595
    • /bin/ukwixsjs
      /bin/ukwixsjs -d 1546
      1⤵
      • Executes dropped EXE
      PID:1602
    • /bin/jyvqptfhdyjr
      /bin/jyvqptfhdyjr -d 1546
      1⤵
      • Executes dropped EXE
      PID:1605
    • /bin/dawoupzsmqjgxs
      /bin/dawoupzsmqjgxs -d 1546
      1⤵
      • Executes dropped EXE
      PID:1607
    • /bin/wdcfmaxhzj
      /bin/wdcfmaxhzj -d 1546
      1⤵
      • Executes dropped EXE
      PID:1613
    • /bin/tpfwtkzr
      /bin/tpfwtkzr -d 1546
      1⤵
      • Executes dropped EXE
      PID:1616
    • /bin/mvothqqrscbl
      /bin/mvothqqrscbl -d 1546
      1⤵
      • Executes dropped EXE
      PID:1620
    • /bin/hjmrkdse
      /bin/hjmrkdse -d 1546
      1⤵
      • Executes dropped EXE
      PID:1623
    • /bin/vudntcdlnrjdmq
      /bin/vudntcdlnrjdmq -d 1546
      1⤵
      • Executes dropped EXE
      PID:1626
    • /bin/djoflz
      /bin/djoflz -d 1546
      1⤵
      • Executes dropped EXE
      PID:1629
    • /bin/ukmnvr
      /bin/ukmnvr -d 1546
      1⤵
      • Executes dropped EXE
      PID:1632
    • /bin/bcdvfqqjw
      /bin/bcdvfqqjw -d 1546
      1⤵
      • Executes dropped EXE
      PID:1635
    • /bin/zpnecfy
      /bin/zpnecfy -d 1546
      1⤵
      • Executes dropped EXE
      PID:1638
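Added example, not part of this report and not the sample's own code: a small host-triage script in Python that turns the behaviours listed under Signatures and the process tree above into checks a responder can run. It flags (a) /bin binaries invoked as `<name> -d <pid>`, the pattern every dropped helper above shows; (b) random-looking names in /bin, /etc/cron.hourly and /etc/init.d, using a consonant-run heuristic that is my assumption rather than an indicator from the report; (c) executables running from /tmp or /dev/shm; and (d) /etc/daemon.cfg, which this sample dropped. The sample process list and path list are constructed from the report (plus a few benign entries) so the script runs offline; scan_live() performs the same checks against the real /proc and directories.

```python
import os
import re

# Constructed sample data modelled on the report's process tree and dropped
# files, with two benign entries added so the checks have something to ignore.
SAMPLE_PROCESSES = [
    (1541, ["/tmp/112s"]),
    (1545, ["/bin/tdhxjggrmezmk"]),
    (1550, ["/bin/vbtdqeqfghitjy", "-d", "1546"]),
    (1556, ["/bin/lpeejim", "-d", "1546"]),
    (1200, ["/usr/sbin/sshd", "-D"]),        # benign
    (1300, ["/bin/sleep", "60"]),            # benign
]
SAMPLE_PATHS = [
    "/etc/cron.hourly/kmzemrggjxhdt.sh",
    "/etc/init.d/kmzemrggjxhdt",
    "/etc/daemon.cfg",
    "/etc/init.d/ssh",                       # benign
    "/etc/cron.hourly/apt-compat",           # benign
]

# Heuristic (an assumption, not from the report): XorDDoS names are 6-15
# random lowercase letters, which tend to contain long consonant runs that
# real service names ("networking", "sshd") do not.
CONSONANT_RUN = re.compile(r"[bcdfghjklmnpqrstvwxz]{5,}")


def looks_random(name):
    return (name.isalpha() and name.islower() and 6 <= len(name) <= 16
            and bool(CONSONANT_RUN.search(name)))


def suspicious_processes(entries):
    """entries: iterable of (pid, argv). Returns [(pid, exe, reason)]."""
    findings = []
    for pid, argv in entries:
        if not argv:
            continue
        exe = argv[0]
        name = os.path.basename(exe)
        if exe.startswith("/bin/") and len(argv) == 3 and argv[1] == "-d" and argv[2].isdigit():
            findings.append((pid, exe, f"/bin helper started as '-d {argv[2]}' (XorDDoS pattern)"))
        elif exe.startswith("/bin/") and looks_random(name):
            findings.append((pid, exe, "random-looking binary name in /bin"))
        elif exe.startswith(("/tmp/", "/dev/shm/")):
            findings.append((pid, exe, "executable running from /tmp or RAM-backed shm"))
    return findings


def suspicious_persistence(paths):
    """paths: iterable of file paths. Returns [(path_or_stem, reason)]."""
    findings = []
    cron_stems, init_stems = set(), set()
    for p in paths:
        d, name = os.path.split(p)
        stem = name[:-3] if name.endswith(".sh") else name
        if d == "/etc/cron.hourly" and looks_random(stem):
            findings.append((p, "random-looking cron.hourly script"))
            cron_stems.add(stem)
        elif d == "/etc/init.d" and looks_random(stem):
            findings.append((p, "random-looking init.d service"))
            init_stems.add(stem)
        elif p == "/etc/daemon.cfg":
            findings.append((p, "config file dropped by this sample"))
        elif d == "/dev/shm":
            findings.append((p, "file in RAM-backed shm directory"))
    # The report shows one random stem reused for both cron.hourly and init.d;
    # that correlation is a stronger signal than either name alone.
    for stem in cron_stems & init_stems:
        findings.append((stem, "same random stem in cron.hourly and init.d"))
    return findings


def scan_live():
    """Run both checks against the local host (requires read access to /proc)."""
    procs = []
    for pid in os.listdir("/proc"):
        if not pid.isdigit():
            continue
        try:
            with open(f"/proc/{pid}/cmdline", "rb") as f:
                argv = [a.decode(errors="replace") for a in f.read().split(b"\0") if a]
        except OSError:
            continue
        if argv:
            procs.append((int(pid), argv))
    paths = []
    for d in ("/etc/cron.hourly", "/etc/init.d", "/dev/shm"):
        try:
            paths += [os.path.join(d, n) for n in os.listdir(d)]
        except OSError:
            pass
    if os.path.exists("/etc/daemon.cfg"):
        paths.append("/etc/daemon.cfg")
    return suspicious_processes(procs), suspicious_persistence(paths)


if __name__ == "__main__":
    for hit in suspicious_processes(SAMPLE_PROCESSES) + suspicious_persistence(SAMPLE_PATHS):
        print(*hit, sep="\t")
```

The `-d <pid>` check is the most specific of the four: the argument is the PID of the parent daemon, so on a live host the flagged processes will all name the same PID, which is the process to capture (memory and /proc/<pid>/exe, since the dropper deletes itself) before anything is killed. On distributions with a merged /usr the helpers may appear under /usr/bin, so widen the prefix check there.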

    Network

    MITRE ATT&CK Enterprise v15

    Downloads

    • /bin/eclpkuvdrirug

      Filesize

      201KB

      MD5

      572a666207d357f1107068a156a29857

      SHA1

      cd4da4776d8be85f048cf71df1777e4a97fe8b53

      SHA256

      3786c1960b4caee9223c71d1e6544014dbe4908d1c1415ef83fc314a8b841848

      SHA512

      95c846e1799b31384d57cc869a48815bed0df19090992cdbd4c8ec23584a3e0c7186375f7aa701bb3fc14efff36723b54620a7be7f37a85a99ac985a5c28888d

    • /bin/tdhxjggrmezmk

      Filesize

      549KB

      MD5

      e6430d8d0ba4672e6871a070a35ddbcd

      SHA1

      c4284586c2b26d43d460a440dcddd2060e2eccd2

      SHA256

      ec2ae23e4f7fb4327590c324ca2928b72d30752036f1b189b3d4a311d6c04cf7

      SHA512

      3e4f29f61fceb4735fd6defe05e540bec63f4b75e3cb374330715221eca2825e04b029449056d42b80e966bc61302a8669b974b7132ceb347fd4de4cb1c3c52a

    • /etc/cron.hourly/kmzemrggjxhdt.sh

      Filesize

      150B

      MD5

      c86316d798424eb97a6dcaa1df434d3b

      SHA1

      e08a9517970d8ff4dba179918e840fe717699eba

      SHA256

      0c63805a20c9f69c81a2b5687b134bb9b63520b037013c868b092a45b4a91276

      SHA512

      a61ae9d337896444b736025ae62e77049e147ce75d1c06ff214a679cf8ebf09e2aa2137aae85075711dabefe3680c8ee18cc2eee72d5c8cf78ce9ce527469eba

    • /etc/daemon.cfg

      Filesize

      32B

      MD5

      8e18c417f8be5ef8956722b1c947d38e

      SHA1

      7f97561ec2e6fa4013b640114730c8a68f6d45a4

      SHA256

      d68ac2f7af921b4c5892066439e0569a351bdb19e93b94bbbbc4562503894bd0

      SHA512

      22a7aa17953cd460b127eefd823295b6f8cbea53e5aa92daeefd062e8ee8436854878585f0079c524c24ffc8817cdf9854ea45d4bfe3c6524b0701ebf1ad2efd

    • /etc/init.d/kmzemrggjxhdt

      Filesize

      353B

      MD5

      267f35e0280730cd5e20f0fcdcdeeb0e

      SHA1

      dcf0cdb3b39ba9958758ed7f54ec9756d47e772f

      SHA256

      7ae13d8f82b59797ff78c868ada78d65164f80fe3fea143553ce1f811709e785

      SHA512

      e471371ae83b72e7fa52065e08b0fb717549d7ccca6405765f8abdc13cea1e449accd36614f99b5d382233f347e5a78d163b844c0a439ce7f9502a4f03fe976c