Analysis

  • max time kernel
    147s
  • max time network
    146s
  • platform
    ubuntu-20.04_amd64
  • resource
    ubuntu2004-amd64-20240221-en
  • resource tags
    arch:amd64, arch:i386, image:ubuntu2004-amd64-20240221-en, kernel:5.4.0-169-generic, locale:en-us, os:ubuntu-20.04-amd64, system
  • submitted
    24-03-2024 02:26

General

  • Target

    76741721aede86e5d9a78da5dd349cc7f418a993eba77457c00b27aa627f9882.elf

  • Size

    549KB

  • MD5

    455b46bf3f93b8853137de2b99ef0f4c

  • SHA1

    99387d92aee1ad50c8af0a5192f651ad8021d1d4

  • SHA256

    76741721aede86e5d9a78da5dd349cc7f418a993eba77457c00b27aa627f9882

  • SHA512

    a43cc62e55da2d23f2f57bffc3e2f3e406e41b0e1ba24b38d274a12e25d87d005f89f03e98c4fbf91622b75a4009c38033ea9d74316696469d26f9ea3a3237fa

  • SSDEEP

    12288:VeRvuKqiVZ4En5drNK0pPEfJKlHZ8mG97Qxee6yzmx6:VIv/qiVNHNDEfJKHZ8mG9QeeO6

Malware Config

Extracted

  • Family
    xorddos
  • C2
    bb.markerbio.com:13307
    bb.myserv012.com:13307
    http://qq.com/lib.asp
  • Attributes
    crc_polynomial: CDB88320
    xor.plain

Signatures

  • XorDDoS

    Botnet and downloader malware targeting Linux-based operating systems and IoT devices.

  • XorDDoS payload 1 IoCs
  • Deletes itself 45 IoCs
  • Executes dropped EXE 40 IoCs
  • Creates/modifies Cron job 1 TTPs 1 IoCs

    Cron allows running tasks on a schedule, and is commonly used for malware persistence.

  • Enumerates active TCP sockets 1 TTPs 1 IoCs

    Gets active TCP sockets from /proc virtual filesystem.

  • Enumerates running processes

    Discovers information about currently running processes on the system.

  • Modifies init.d 1 TTPs 1 IoCs

    Adds/modifies system service, likely for persistence.

  • Write file to user bin folder 1 TTPs 40 IoCs
  • Reads system network configuration 1 TTPs 1 IoCs

    Uses contents of /proc filesystem to enumerate network settings.

  • Reads runtime system information 64 IoCs

    Reads data from /proc virtual filesystem.

  • Writes file to shm directory 2 IoCs

    Malware can drop malicious files in the shm directory which will run directly from RAM.

  • Writes file to tmp directory 2 IoCs

    Malware often drops required files in the /tmp directory.

Processes

  • /tmp/76741721aede86e5d9a78da5dd349cc7f418a993eba77457c00b27aa627f9882.elf
    Command: /tmp/76741721aede86e5d9a78da5dd349cc7f418a993eba77457c00b27aa627f9882.elf
    PID:1479
    • /usr/bin/mzjbubxml -d 1480 (PID:1484; Executes dropped EXE)
    • /usr/bin/glvimf -d 1480 (PID:1487; Executes dropped EXE)
    • /usr/bin/vvoxhceyq -d 1480 (PID:1493; Executes dropped EXE)
    • /usr/bin/cltgpmexcsrsvj -d 1480 (PID:1497; Executes dropped EXE)
    • /usr/bin/ghiuonrjdq -d 1480 (PID:1500; Executes dropped EXE)
    • /usr/bin/fuqvavivb -d 1480 (PID:1718; Executes dropped EXE)
    • /usr/bin/hhxjzoduadcjn -d 1480 (PID:1721; Executes dropped EXE)
    • /usr/bin/xcoifealbtibq -d 1480 (PID:1724; Executes dropped EXE)
    • /usr/bin/yrrhyosz -d 1480 (PID:1727; Executes dropped EXE)
    • /usr/bin/vuhayqpvpslz -d 1480 (PID:1730; Executes dropped EXE)
    • /usr/bin/qusmszk -d 1480 (PID:2353; Executes dropped EXE)
    • /usr/bin/cykhnnjkkcxtr -d 1480 (PID:2356; Executes dropped EXE)
    • /usr/bin/eoyleeuncljwzb -d 1480 (PID:2359; Executes dropped EXE)
    • /usr/bin/jiajtj -d 1480 (PID:2362; Executes dropped EXE)
    • /usr/bin/ishuxhn -d 1480 (PID:2365; Executes dropped EXE)
    • /usr/bin/vwajxbf -d 1480 (PID:2398; Executes dropped EXE)
    • /usr/bin/nsfahwmroxdiue -d 1480 (PID:2401; Executes dropped EXE)
    • /usr/bin/xqowmaq -d 1480 (PID:2404; Executes dropped EXE)
    • /usr/bin/xobgmdoyqgfso -d 1480 (PID:2407; Executes dropped EXE)
    • /usr/bin/fhrcmaz -d 1480 (PID:2410; Executes dropped EXE)
    • /usr/bin/zuelqr -d 1480 (PID:2428; Executes dropped EXE)
    • /usr/bin/ksbdsdchitj -d 1480 (PID:2431; Executes dropped EXE)
    • /usr/bin/mfmvxlfdg -d 1480 (PID:2434; Executes dropped EXE)
    • /usr/bin/zsatznlsh -d 1480 (PID:2437; Executes dropped EXE)
    • /usr/bin/kiafnem -d 1480 (PID:2440; Executes dropped EXE)
    • /usr/bin/yxemeqjbdo -d 1480 (PID:2443; Executes dropped EXE)
    • /usr/bin/jpferafelzn -d 1480 (PID:2446; Executes dropped EXE)
    • /usr/bin/mxlrnq -d 1480 (PID:2449; Executes dropped EXE)
    • /usr/bin/locpchflklarw -d 1480 (PID:2452; Executes dropped EXE)
    • /usr/bin/yalbhrohfxt -d 1480 (PID:2455; Executes dropped EXE)
    • /usr/bin/lkrbperttt -d 1480 (PID:2458; Executes dropped EXE)
    • /usr/bin/bgpmggkagln -d 1480 (PID:2461; Executes dropped EXE)
    • /usr/bin/ueyblxwqiijlz -d 1480 (PID:2464; Executes dropped EXE)
    • /usr/bin/etjzxkgmyouj -d 1480 (PID:2467; Executes dropped EXE)
    • /usr/bin/dwdmqikut -d 1480 (PID:2470; Executes dropped EXE)
    • /usr/bin/xihlzglrvnjaqx -d 1480 (PID:2534; Executes dropped EXE)
    • /usr/bin/xhqfhsnfny -d 1480 (PID:2537; Executes dropped EXE)
    • /usr/bin/vgdpkaxtnyby -d 1480 (PID:2540; Executes dropped EXE)
    • /usr/bin/xnbxgyqf -d 1480 (PID:2543; Executes dropped EXE)
    • /usr/bin/inocawp -d 1480 (PID:2546; Executes dropped EXE)

    Network

    MITRE ATT&CK Matrix (ATT&CK v13)

    • Execution
      Scheduled Task/Job, T1053 (1)
    • Persistence
      Scheduled Task/Job, T1053 (1)
      Boot or Logon Autostart Execution, T1547 (1)
      Hijack Execution Flow, T1574 (1)
    • Privilege Escalation
      Scheduled Task/Job, T1053 (1)
      Boot or Logon Autostart Execution, T1547 (1)
      Hijack Execution Flow, T1574 (1)
    • Defense Evasion
      Hijack Execution Flow, T1574 (1)
    • Discovery
      System Network Connections Discovery, T1049 (1)
      System Network Configuration Discovery, T1016 (1)

    Downloads

    • /etc/cron.hourly/fle.2889f726aa72b00c75477abe399a814f7cc943dd5ad87a9d5e68edea12714767.sh
      Filesize

      205B

      MD5

      88df968a086fa23d75ab76030e9cb303

      SHA1

      50331a4e1cf17a0fb908816f4f97fab6d7f940ee

      SHA256

      4edf60882f160abdc96533c2b4e14dc29bf1413371394dd8f903e0305afa95f0

      SHA512

      461598ec9999711bcafe35a8c635dd619c02931dac6e918277393d3eac414032827cbeda424933f657af32ebb4c86a2aec5fa61dacfce3ee490babb01cd99f11

    • /etc/daemon.cfg
      Filesize

      32B

      MD5

      b24214956234daf0359941b6f4325e8c

      SHA1

      da01db26b1b98b1d99a60b77d40f7df8a5d7a5b1

      SHA256

      71ee4002076f6dfeb57d40c501543517ee79409615f00978c5bced1519f327a1

      SHA512

      64f5e3035f7616bc84a713e79758ce98ace7b196abb944bee970dad15d2f4feecedc26d6a32d791683124e05d282516573c5a693c12eeecfa4c7b6e6034df087

    • /etc/init.d/fle.2889f726aa72b00c75477abe399a814f7cc943dd5ad87a9d5e68edea12714767
      Filesize

      628B

      MD5

      f5b2ac46bc80c9ee024db2272cd03764

      SHA1

      44c3f3211ee101ef217cd9d6160b640cd968c538

      SHA256

      d9d0c16a7151fc21c2ab1cfe7438032c61161956601980dc15a42a85aacd431e

      SHA512

      95df75972e8904826c51b7da80abdb7f91da9fc24b8558da4f7e300c0e3e62854696a318cef8b25ed97362186f929c49e9b32647c77a418b68bf2552e566c631

    • /tmp/fle.2889f726aa72b00c75477abe399a814f7cc943dd5ad87a9d5e68edea12714767
      Filesize

      549KB

      MD5

      455b46bf3f93b8853137de2b99ef0f4c

      SHA1

      99387d92aee1ad50c8af0a5192f651ad8021d1d4

      SHA256

      76741721aede86e5d9a78da5dd349cc7f418a993eba77457c00b27aa627f9882

      SHA512

      a43cc62e55da2d23f2f57bffc3e2f3e406e41b0e1ba24b38d274a12e25d87d005f89f03e98c4fbf91622b75a4009c38033ea9d74316696469d26f9ea3a3237fa