Analysis

  • max time kernel
    154s
  • max time network
    159s
  • platform
    ubuntu-18.04_amd64
  • resource
    ubuntu1804-amd64-20231215-en
  • resource tags

    arch:amd64, arch:i386, image:ubuntu1804-amd64-20231215-en, kernel:4.15.0-213-generic, locale:en-us, os:ubuntu-18.04-amd64, system
  • submitted
    31-01-2024 12:12

General

  • Target

    clcghvuyu

  • Size

    549KB

  • MD5

    c57833b58d55d499ef46663216a196d6

  • SHA1

    f9c5672d95b40c4c4ed68269c3b55035aa29d830

  • SHA256

    ae30644277ee1b1352839d218becb0f4cc18dedc62615600ab8c57a01ba5753c

  • SHA512

    1b9f920ad78813c5aaf1a2345439e8630033582568a2dadf9665c183b7a1c8a7cd08212a86568ab41dcc94c958ee092d76d53836c085ce988c2e4f154cbf9e55

  • SSDEEP

    12288:VeRvuKqiVZ4En5drNK0pPEfJKlHZ8mG97Qxee6yzmxi:VIv/qiVNHNDEfJKHZ8mG9QeeOi

Malware Config

Extracted

Family

xorddos

C2

p5.2017fly.com:53

p5.2017fly.com:80

p5.2018fly.com:53

p5.2018fly.com:80

p5.sb1024.net:53

p5.sb1024.net:80

http://fuck.2017fly.com/i.php

Attributes
  • crc_polynomial

    CDB88320

xor.plain

Signatures

  • XorDDoS

    Botnet and downloader malware targeting Linux-based operating systems and IoT devices.

  • XorDDoS payload 2 IoCs
  • Deletes itself 34 IoCs
  • Executes dropped EXE 35 IoCs
  • Unexpected DNS network traffic destination 64 IoCs

    Network traffic on the DNS port to servers other than the configured DNS servers was detected.

  • Creates/modifies Cron job 1 TTPs 1 IoCs

    Cron allows running tasks on a schedule, and is commonly used for malware persistence.

  • Modifies init.d 1 TTPs 1 IoCs

    Adds/modifies system service, likely for persistence.

  • Writes file to system bin folder 1 TTPs 35 IoCs
  • Writes file to shm directory 2 IoCs

    Malware can drop malicious files in the shm directory which will run directly from RAM.

  • Writes file to tmp directory 2 IoCs

    Malware often drops required files in the /tmp directory.

Processes

  • /tmp/clcghvuyu
    /tmp/clcghvuyu
    1⤵
      PID:1561
    • /bin/wjnwiuzdulthwj
      /bin/wjnwiuzdulthwj -d 1562
      1⤵
      • Executes dropped EXE
      PID:1566
    • /bin/epjwqpiu
      /bin/epjwqpiu -d 1562
      1⤵
      • Executes dropped EXE
      PID:1572
    • /bin/puaheiwx
      /bin/puaheiwx -d 1562
      1⤵
      • Executes dropped EXE
      PID:1575
    • /bin/tkplspneivcoll
      /bin/tkplspneivcoll -d 1562
      1⤵
      • Executes dropped EXE
      PID:1578
    • /bin/ddvxcfowhycqw
      /bin/ddvxcfowhycqw -d 1562
      1⤵
      • Executes dropped EXE
      PID:1581
    • /bin/tslrhisxsks
      /bin/tslrhisxsks -d 1562
      1⤵
      • Executes dropped EXE
      PID:1584
    • /bin/jkggvpweew
      /bin/jkggvpweew -d 1562
      1⤵
      • Executes dropped EXE
      PID:1587
    • /bin/rpngoy
      /bin/rpngoy -d 1562
      1⤵
      • Executes dropped EXE
      PID:1590
    • /bin/gjuptmo
      /bin/gjuptmo -d 1562
      1⤵
      • Executes dropped EXE
      PID:1593
    • /bin/xgozrygy
      /bin/xgozrygy -d 1562
      1⤵
      • Executes dropped EXE
      PID:1596
    • /bin/ygapmbsu
      /bin/ygapmbsu -d 1562
      1⤵
      • Executes dropped EXE
      PID:1600
    • /bin/xfducokinrise
      /bin/xfducokinrise -d 1562
      1⤵
      • Executes dropped EXE
      PID:1603
    • /bin/kiqefydlauzbo
      /bin/kiqefydlauzbo -d 1562
      1⤵
      • Executes dropped EXE
      PID:1606
    • /bin/rlzuibiujxmt
      /bin/rlzuibiujxmt -d 1562
      1⤵
      • Executes dropped EXE
      PID:1609
    • /bin/sxkcnoho
      /bin/sxkcnoho -d 1562
      1⤵
      • Executes dropped EXE
      PID:1612
    • /bin/zfotiu
      /bin/zfotiu -d 1562
      1⤵
      • Executes dropped EXE
      PID:1616
    • /bin/lriludjwre
      /bin/lriludjwre -d 1562
      1⤵
      • Executes dropped EXE
      PID:1619
    • /bin/uesvptaa
      /bin/uesvptaa -d 1562
      1⤵
      • Executes dropped EXE
      PID:1622
    • /bin/krygwjenpdrj
      /bin/krygwjenpdrj -d 1562
      1⤵
      • Executes dropped EXE
      PID:1625
    • /bin/yfhaya
      /bin/yfhaya -d 1562
      1⤵
      • Executes dropped EXE
      PID:1628
    • /bin/yajcgnnhcesp
      /bin/yajcgnnhcesp -d 1562
      1⤵
      • Executes dropped EXE
      PID:1634
    • /bin/jcdjgvht
      /bin/jcdjgvht -d 1562
      1⤵
      • Executes dropped EXE
      PID:1637
    • /bin/dgxmhnghlgqnpf
      /bin/dgxmhnghlgqnpf -d 1562
      1⤵
      • Executes dropped EXE
      PID:1640
    • /bin/jirygadllj
      /bin/jirygadllj -d 1562
      1⤵
      • Executes dropped EXE
      PID:1643
    • /bin/ucntfvstefam
      /bin/ucntfvstefam -d 1562
      1⤵
      • Executes dropped EXE
      PID:1646
    • /bin/hscunrvqx
      /bin/hscunrvqx -d 1562
      1⤵
      • Executes dropped EXE
      PID:1649
    • /bin/smrjjwcm
      /bin/smrjjwcm -d 1562
      1⤵
      • Executes dropped EXE
      PID:1652
    • /bin/rcwrawu
      /bin/rcwrawu -d 1562
      1⤵
      • Executes dropped EXE
      PID:1655
    • /bin/clzgfoxagxeopq
      /bin/clzgfoxagxeopq -d 1562
      1⤵
      • Executes dropped EXE
      PID:1658
    • /bin/agdmabfeyyhwui
      /bin/agdmabfeyyhwui -d 1562
      1⤵
      • Executes dropped EXE
      PID:1661
    • /bin/fymzdhdgvljywt
      /bin/fymzdhdgvljywt -d 1562
      1⤵
      • Executes dropped EXE
      PID:1666
    • /bin/cxizzrjudmp
      /bin/cxizzrjudmp -d 1562
      1⤵
      • Executes dropped EXE
      PID:1669
    • /bin/fgxfuw
      /bin/fgxfuw -d 1562
      1⤵
      • Executes dropped EXE
      PID:1672
    • /bin/bqzmbzjv
      /bin/bqzmbzjv -d 1562
      1⤵
      • Executes dropped EXE
      PID:1675
    • /bin/dndqqkg
      /bin/dndqqkg -d 1562
      1⤵
      • Executes dropped EXE
      PID:1678

    Network

    MITRE ATT&CK Enterprise v15

    Downloads

    • /bin/dndqqkg

      Filesize

      549KB

      MD5

      28b4ebfb4029dd7bcd14760911094992

      SHA1

      2f31b951bb2ccdbccb0be20f8a55522e679d7395

      SHA256

      451c302a6d4b51b299f06bc41f95ac079cf1785fe7c38d0323b2bb9a7b4ab3e7

      SHA512

      65ae367f6bf1620ff945be35e214e9d4a9fa66cc6ea836a304e82112bbf9922793380d3fd053374a5259f11cfb4231b6dbb06883adfc1758f7bc7b83a9e89204

    • /bin/uesvptaa

      Filesize

      515KB

      MD5

      67c218300b5a57ed0ce04e0157bce84d

      SHA1

      07c3887bbd31ed030ff62c44556da85bd375a095

      SHA256

      2681863e4735ee8df320f4fa3b7d7635daa4c856ef9cdcc98c66c1a0d6e960d4

      SHA512

      2611e900f002b4844f13aad4539e163f12456e03bcce07c0eae3d0bcccaa45a92c5d4951d67144fe1f57686be51646c5c6168eb3a1831a735eacd7b3d06030a1

    • /etc/cron.hourly/uyuvhgclc.sh

      Filesize

      146B

      MD5

      262c48254a5478bdeaad1b3e74a353ac

      SHA1

      9ba8cd273c367b0828f9a1b84e6d6551e860618c

      SHA256

      301cba26ab4fd0639f803b83587ad66842b2546232b29a78afd03c680b7a4f32

      SHA512

      1a146d3033dbc43288a3692acb18f1661150e775c7b8ecc18a3ed4a130bfa1c6769c82818c97ebb49dde4367de4e3d36a0768a1473384eb4188139e549799976

    • /etc/daemon.cfg

      Filesize

      32B

      MD5

      c5616ee3e1d98bf4b00f9c74b7756ed4

      SHA1

      d99a26853a3a534c3f1a67bc02a3cbea48c1b0e1

      SHA256

      4040a10324a0b65f81a7116f493bd4b8dea8d39cd13619e095e0aadb25c77c53

      SHA512

      7baaadef0c2f5fdfbe2645bab31601ba53e03f53e0d27e0de51cbe5573f0940948c18f88898d181de935c110a4092aae6e0938824c021818fd89ba7594f188ab

    • /etc/init.d/uyuvhgclc

      Filesize

      333B

      MD5

      2c2cc298640da2ce7b96929a709436e4

      SHA1

      173284f1c56cf26ea9210503b9f7ceac764dba0b

      SHA256

      9bb1d8774ec3024ba69b11e417005444461571285985a53bddae5eb35ba1e182

      SHA512

      6efabe8d6288ef44b499f5789041f767955cf99e4bad51395f237eadf27e65729be184330bf5fb0fae74dbdfd4cbe86654460d27d09471952733c6ef3517531d

    • /tmp/uyuvhgclc

      Filesize

      549KB

      MD5

      c57833b58d55d499ef46663216a196d6

      SHA1

      f9c5672d95b40c4c4ed68269c3b55035aa29d830

      SHA256

      ae30644277ee1b1352839d218becb0f4cc18dedc62615600ab8c57a01ba5753c

      SHA512

      1b9f920ad78813c5aaf1a2345439e8630033582568a2dadf9665c183b7a1c8a7cd08212a86568ab41dcc94c958ee092d76d53836c085ce988c2e4f154cbf9e55