Analysis

  • max time kernel
    146s
  • max time network
    153s
  • platform
    ubuntu-20.04_amd64
  • resource
    ubuntu2004-amd64-20240221-en
  • resource tags
    arch:amd64, arch:i386, image:ubuntu2004-amd64-20240221-en, kernel:5.4.0-169-generic, locale:en-us, os:ubuntu-20.04-amd64, system
  • submitted
    25-03-2024 01:41

General

  • Target
    76741721aede86e5d9a78da5dd349cc7f418a993eba77457c00b27aa627f9882.elf
  • Size
    549KB
  • MD5
    455b46bf3f93b8853137de2b99ef0f4c
  • SHA1
    99387d92aee1ad50c8af0a5192f651ad8021d1d4
  • SHA256
    76741721aede86e5d9a78da5dd349cc7f418a993eba77457c00b27aa627f9882
  • SHA512
    a43cc62e55da2d23f2f57bffc3e2f3e406e41b0e1ba24b38d274a12e25d87d005f89f03e98c4fbf91622b75a4009c38033ea9d74316696469d26f9ea3a3237fa
  • SSDEEP
    12288:VeRvuKqiVZ4En5drNK0pPEfJKlHZ8mG97Qxee6yzmx6:VIv/qiVNHNDEfJKHZ8mG9QeeO6

Malware Config

Extracted

  • Family
    xorddos
  • C2
    bb.markerbio.com:13307
    bb.myserv012.com:13307
    http://qq.com/lib.asp
  • Attributes
    crc_polynomial: CDB88320
    xor.plain
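The extractor reports a CRC polynomial of CDB88320, which differs from the standard reflected CRC-32 polynomial EDB88320 in a single bit (bit 29). The block below is an added example, not code from the report, the sandbox or the sample: a table-driven reflected CRC-32 parameterised by polynomial, so an analyst can plug the reported value in and reproduce checksums when matching values recovered from the binary or its configuration. The report does not say what the sample checksums with it and the code assumes nothing about that; the 0xFFFFFFFF initial value and final XOR are the usual convention and are an assumption here.

```python
"""Reflected (LSB-first) table-driven CRC-32 with a selectable polynomial.

Added example. STANDARD_POLY is the zlib / IEEE 802.3 polynomial; XORDDOS_POLY is
the crc_polynomial attribute the config extractor reported for this sample. The
init / final-xor convention is assumed, not taken from the report.
"""
import zlib

STANDARD_POLY = 0xEDB88320   # zlib, PNG, Ethernet
XORDDOS_POLY = 0xCDB88320    # value reported in the Malware Config section


def make_table(poly):
    """256-entry lookup table: each byte shifted right 8 times, XORing poly on a set LSB."""
    table = []
    for byte in range(256):
        c = byte
        for _ in range(8):
            c = (c >> 1) ^ poly if c & 1 else c >> 1
        table.append(c & 0xFFFFFFFF)
    return table


def crc32_with(poly, data, init=0xFFFFFFFF, final_xor=0xFFFFFFFF):
    """CRC-32 over data using the given polynomial (init and final XOR as in zlib)."""
    table = make_table(poly)
    crc = init
    for b in data:
        crc = table[(crc ^ b) & 0xFF] ^ (crc >> 8)
    return (crc ^ final_xor) & 0xFFFFFFFF


def matches_zlib(data):
    """Self-check: with the standard polynomial the routine must agree with zlib.crc32."""
    return crc32_with(STANDARD_POLY, data) == (zlib.crc32(data) & 0xFFFFFFFF)


if __name__ == "__main__":
    sample = b"123456789"   # constructed test vector; standard CRC-32 check value is 0xCBF43926
    print("EDB88320: %08X" % crc32_with(STANDARD_POLY, sample))
    print("CDB88320: %08X" % crc32_with(XORDDOS_POLY, sample))
```

When hunting for the routine in the binary, search for the second table entry rather than the polynomial itself: compilers often emit the precomputed table, and `make_table(XORDDOS_POLY)[1]` gives the 32-bit constant that would sit right after the zero entry.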

Signatures

  • XorDDoS

    Botnet and downloader malware targeting Linux-based operating systems and IoT devices.

  • XorDDoS payload 2 IoCs
  • Deletes itself 40 IoCs
  • Executes dropped EXE 36 IoCs
  • Unexpected DNS network traffic destination 1 IoCs

    Network traffic on the DNS port to servers other than the configured DNS servers was detected.

  • Creates/modifies Cron job 1 TTPs 1 IoCs

    Cron allows running tasks on a schedule, and is commonly used for malware persistence.

  • Enumerates active TCP sockets 1 TTPs 1 IoCs

    Gets active TCP sockets from /proc virtual filesystem.

  • Enumerates running processes

    Discovers information about the processes currently running on the system.

  • Modifies init.d 1 TTPs 1 IoCs

    Adds or modifies a system service, likely for persistence.

  • Write file to user bin folder 1 TTPs 37 IoCs
  • Reads system network configuration 1 TTPs 1 IoCs

    Uses contents of /proc filesystem to enumerate network settings.

  • Reads runtime system information 64 IoCs

    Reads data from /proc virtual filesystem.

  • Writes file to shm directory 2 IoCs

    Malware can drop files in the shm directory (a RAM-backed tmpfs), so they run from memory and leave no trace on persistent disk.

  • Writes file to tmp directory 2 IoCs

    Malware often drops required files in the /tmp directory.
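The signatures above, the drop locations in the Downloads list (/etc/cron.hourly, /etc/init.d, /etc/daemon.cfg, /tmp, /usr/bin) and the repeated "/usr/bin/<random name> -d 1479" launches in the process tree translate into a short host-triage routine. The block below is an added example, not code from the sandbox, the report or the malware. The name regexes, the three-copy threshold and the fixture tree it builds in a temporary directory are assumptions and constructed data; run_demo() exercises the checks offline, while live_cmdlines() reads the real /proc on a host.

```python
"""Host triage for the behaviours this report lists (added example; not the sandbox's
or the malware author's code). Paths resolve under a root directory, so the checks
run on a mounted image as well as on the constructed fixture used by run_demo():
  1. persistence: /etc/cron.hourly and /etc/init.d entries pointing at a dropped
     binary, plus the /etc/daemon.cfg side file from the Downloads list;
  2. mass self-copying: many differently named, byte-identical files in /usr/bin;
  3. the '/usr/bin/<random> -d <pid>' launch pattern from the process tree.
"""
import hashlib
import os
import re
import tempfile
from collections import defaultdict

RANDOM_NAME = re.compile(r"^[a-z]{6,15}$")                   # heuristic: shape of the dropped names
DAEMON_LAUNCH = re.compile(r"^/usr/bin/([a-z]{6,15}) -d (\d+)$")
DROPPED_REF = re.compile(r"(?:/tmp|/dev/shm|/var/tmp)/\S+|/usr/bin/[a-z]{6,15}\b")
HEX64 = re.compile(r"[0-9a-f]{64}")                         # fle.<sha256> naming seen in the report


def sha256_of(path):
    with open(path, "rb") as f:                              # whole-file read; fine for /usr/bin sizes
        return hashlib.sha256(f.read()).hexdigest()


def duplicate_binaries(root, min_copies=3):
    """{sha256: [names]} for random-named regular files in /usr/bin sharing content."""
    bin_dir = os.path.join(root, "usr", "bin")
    groups = defaultdict(list)
    for name in sorted(os.listdir(bin_dir)) if os.path.isdir(bin_dir) else []:
        path = os.path.join(bin_dir, name)
        if RANDOM_NAME.match(name) and os.path.isfile(path) and not os.path.islink(path):
            groups[sha256_of(path)].append(name)
    return {h: n for h, n in groups.items() if len(n) >= min_copies}


def persistence_artifacts(root):
    """cron.hourly/init.d files with a 64-hex name or a dropped-path reference, then daemon.cfg."""
    found = []
    for sub in ("etc/cron.hourly", "etc/init.d"):
        d = os.path.join(root, sub)
        for name in sorted(os.listdir(d)) if os.path.isdir(d) else []:
            path = os.path.join(d, name)
            if not os.path.isfile(path):
                continue
            with open(path, "rb") as f:
                body = f.read(65536).decode("latin-1")
            if HEX64.search(name) or DROPPED_REF.search(body):
                found.append("/%s/%s" % (sub, name))
    if os.path.isfile(os.path.join(root, "etc", "daemon.cfg")):
        found.append("/etc/daemon.cfg")
    return found


def suspicious_cmdlines(cmdlines):
    """(pid, name, argument) for each '/usr/bin/<random> -d <n>' command line."""
    matches = ((pid, DAEMON_LAUNCH.match(cmd)) for pid, cmd in cmdlines)
    return [(pid, m.group(1), int(m.group(2))) for pid, m in matches if m]


def live_cmdlines():
    """(pid, cmdline) from /proc on the running host; argv entries are NUL-separated."""
    out = []
    for pid in filter(str.isdigit, os.listdir("/proc")):
        try:
            with open("/proc/%s/cmdline" % pid, "rb") as f:
                out.append((int(pid), f.read().replace(b"\0", b" ").strip().decode("latin-1")))
        except OSError:                                      # process exited between listdir and open
            continue
    return out


def _write(path, data):
    os.makedirs(os.path.dirname(path), exist_ok=True)
    with open(path, "wb") as f:
        f.write(data)


def build_constructed_tree(root):
    """Constructed fixture shaped like the report's drop set; contains no malware."""
    tag = "fle." + "ab" * 32
    copy = b"\x7fELF constructed dropped helper"
    for name in ("ofdwrlnduve", "mxlgfmpuupmqud", "rrivlxqnzqmxw"):
        _write(os.path.join(root, "usr", "bin", name), copy)
    _write(os.path.join(root, "etc", "cron.hourly", tag + ".sh"), b"#!/bin/sh\n/usr/bin/ofdwrlnduve\n")
    _write(os.path.join(root, "etc", "cron.hourly", "0anacron"), b"#!/bin/sh\n/usr/sbin/anacron -s\n")
    _write(os.path.join(root, "etc", "init.d", tag), b"#!/bin/sh\n/tmp/%s\n" % tag.encode())
    _write(os.path.join(root, "etc", "daemon.cfg"), b"\x00" * 32)


def run_demo():
    with tempfile.TemporaryDirectory() as root:
        build_constructed_tree(root)
        procs = [(1478, "/tmp/sample.elf"), (1486, "/usr/bin/ofdwrlnduve -d 1479"),
                 (3000, "/usr/bin/python3 -d 5")]           # constructed process list
        return {"copies": duplicate_binaries(root),
                "persistence": persistence_artifacts(root),
                "launches": suspicious_cmdlines(procs)}


if __name__ == "__main__":
    print(run_demo())
```

On a live host run `suspicious_cmdlines(live_cmdlines())`, `duplicate_binaries("/")` and `persistence_artifacts("/")`. The name-shape regex is a heuristic and will also match legitimately named tools (for example "python" without a version suffix), so treat hits as leads and corroborate them with package ownership (`dpkg -S` or `rpm -qf`) and the shared hash. Note that in the report every one of the 36 copies was started with the same `-d 1479` argument, a PID that does not itself appear in the process tree; on a live host, check whether the PID passed to `-d` exists and what it is running.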

Processes

  • /tmp/76741721aede86e5d9a78da5dd349cc7f418a993eba77457c00b27aa627f9882.elf (PID 1478)
    Command line: /tmp/76741721aede86e5d9a78da5dd349cc7f418a993eba77457c00b27aa627f9882.elf

  • Dropped executables (36), each started as /usr/bin/<name> -d 1479 and tagged "Executes dropped EXE":
    /usr/bin/ofdwrlnduve (PID 1486)
    /usr/bin/mxlgfmpuupmqud (PID 1490)
    /usr/bin/rrivlxqnzqmxw (PID 1493)
    /usr/bin/aggxroedfyzx (PID 1496)
    /usr/bin/rrqkkjufu (PID 1499)
    /usr/bin/xkrpyqorquzp (PID 1714)
    /usr/bin/nuqvurshilztwl (PID 1717)
    /usr/bin/ffdpwupmihfc (PID 1720)
    /usr/bin/upwqhtnylu (PID 1723)
    /usr/bin/ywauhnaoufgqzv (PID 1726)
    /usr/bin/bmpdpjasn (PID 2150)
    /usr/bin/ydncmsstanhmrv (PID 2153)
    /usr/bin/gvyxrtbf (PID 2156)
    /usr/bin/evsgphxon (PID 2159)
    /usr/bin/szelsgybt (PID 2162)
    /usr/bin/mtisahzfq (PID 2307)
    /usr/bin/tftxqxn (PID 2310)
    /usr/bin/fjxdkarshmmocy (PID 2313)
    /usr/bin/krltsrkb (PID 2316)
    /usr/bin/pwifuxrziqctq (PID 2319)
    /usr/bin/ugfnyglv (PID 2391)
    /usr/bin/usokzinhf (PID 2394)
    /usr/bin/zjelnsvhcacwdn (PID 2472)
    /usr/bin/mukpygqzbyhhm (PID 2475)
    /usr/bin/vxreberub (PID 2478)
    /usr/bin/ybdwer (PID 2481)
    /usr/bin/tnzwvijde (PID 2548)
    /usr/bin/fholsmuy (PID 2551)
    /usr/bin/qarvbbr (PID 2554)
    /usr/bin/shifaxgx (PID 2557)
    /usr/bin/oizthf (PID 2560)
    /usr/bin/vqwhkwjdwayae (PID 2563)
    /usr/bin/ywyidzflyzbiz (PID 2566)
    /usr/bin/qeylwwtjse (PID 2569)
    /usr/bin/rfmrjdrhbakahx (PID 2572)
    /usr/bin/jyjivbotmksht (PID 2575)

Network

MITRE ATT&CK Enterprise v15

Downloads

  • /etc/cron.hourly/fle.2889f726aa72b00c75477abe399a814f7cc943dd5ad87a9d5e68edea12714767.sh
    Filesize: 205B
    MD5: 5013939dd6eedc9cd8f76575349143de
    SHA1: 8acfe8c131707e6214b6a9b533094dea2131bec1
    SHA256: a7f6416884fcc18e9886cc368c9ef3f337b455f9357cb46a7c1a2d591d1afb20
    SHA512: 7df566f6564ec33441d361495c1fd686d1dfdad9ebc10f419fa9464ba7f94442449fdd2aa5e4d52debb232b5ed646e481e99436dc96d9da240b1e68da1cb2476

  • /etc/daemon.cfg
    Filesize: 32B
    MD5: f56e0d51d4b8c98ee1b195a0130465a0
    SHA1: 77a93d7d33c7bfa9d2be0f96d6723b686004e4ca
    SHA256: 5f21b70006387085933cd6b98e139cdd9aebd1b66c39bd698ea296b98212f1f8
    SHA512: 7529a74a6c2eebbfd2ad66d3f08d3af7b6dae613213f09292e86be8d88e78657b75fc1cfa76e849ebdbc3b732f880d3d6e15d65dd4a4c0c41907df6d8cda3426

  • /etc/init.d/fle.2889f726aa72b00c75477abe399a814f7cc943dd5ad87a9d5e68edea12714767
    Filesize: 628B
    MD5: f5b2ac46bc80c9ee024db2272cd03764
    SHA1: 44c3f3211ee101ef217cd9d6160b640cd968c538
    SHA256: d9d0c16a7151fc21c2ab1cfe7438032c61161956601980dc15a42a85aacd431e
    SHA512: 95df75972e8904826c51b7da80abdb7f91da9fc24b8558da4f7e300c0e3e62854696a318cef8b25ed97362186f929c49e9b32647c77a418b68bf2552e566c631

  • /tmp/fle.2889f726aa72b00c75477abe399a814f7cc943dd5ad87a9d5e68edea12714767 (same MD5/SHA1/SHA256/SHA512 as the submitted sample: a copy of the original ELF under a new name)
    Filesize: 549KB
    MD5: 455b46bf3f93b8853137de2b99ef0f4c
    SHA1: 99387d92aee1ad50c8af0a5192f651ad8021d1d4
    SHA256: 76741721aede86e5d9a78da5dd349cc7f418a993eba77457c00b27aa627f9882
    SHA512: a43cc62e55da2d23f2f57bffc3e2f3e406e41b0e1ba24b38d274a12e25d87d005f89f03e98c4fbf91622b75a4009c38033ea9d74316696469d26f9ea3a3237fa

  • /usr/bin/ofdwrlnduve (first of the 36 random-named executables in the process tree; its content differs from the 549KB sample)
    Filesize: 104KB
    MD5: 0142614308b9bf4d759663d8032f9463
    SHA1: 5ff9ce302aa7a7eadf0cd7af3fa2ce83f77c5cf7
    SHA256: 4b60b30d5fef9c694b9b4ca3d4acd1eb396100146f80c0a5bddbd1fad779c7a1
    SHA512: 4388d9ffd9e3e4137d1f7be319707ae7dd809ca83e26acadafb55d3fb67353e400fdc6cfcab76c98fe0b03e42871f3f288d6b32020dd37c61862d3bfed3b7217