Analysis

  • max time kernel: 29s
  • max time network: 30s
  • platform: ubuntu-18.04_amd64
  • resource: ubuntu1804-amd64-20240226-en
  • resource tags: arch:amd64, arch:i386, image:ubuntu1804-amd64-20240226-en, kernel:4.15.0-213-generic, locale:en-us, os:ubuntu-18.04-amd64, system
  • submitted: 27-04-2024 19:55

General

  • Target: fb18a78ab398c101ec335992020bdbf6ca35db5d74b6c708d126cf4d4ebf289d.elf
  • Size: 549KB
  • MD5: 450cea21132fad13be77c7030d2a9e9d
  • SHA1: e0fdfb05fb79f5ba1cafc69b78a50a0eed6eeedb
  • SHA256: fb18a78ab398c101ec335992020bdbf6ca35db5d74b6c708d126cf4d4ebf289d
  • SHA512: 6d282ecf3df15592a2e000906e5aca9665421309a35b31d7aed3cedcc0f46b2f7b6db2426afa7a02f49173b59b9be5c6089dbd0f8a4da8e962ca254e00854f49
  • SSDEEP: 12288:VeRvuKqiVZ4En5drNK0pPEfJKlHZ8mG97Qxee6yzmx:VIv/qiVNHNDEfJKHZ8mG9QeeO

Malware Config

Extracted

  • Family: xorddos
  • C2:
    user.myserv012.com:123
    user.search2c.com:123
    http://qq.com/lib.asp
  • Attributes:
    crc_polynomial: CDB88320
    xor.plain

Signatures

  • XorDDoS

    Botnet and downloader malware targeting Linux-based operating systems and IoT devices.

  • XorDDoS payload 1 IoCs
  • Deletes itself 36 IoCs
  • Executes dropped EXE 36 IoCs
  • Unexpected DNS network traffic destination 2 IoCs

    Traffic on the DNS port to servers other than the configured DNS servers was detected.

  • Creates/modifies Cron job 1 TTPs 1 IoCs

    Cron allows running tasks on a schedule, and is commonly used for malware persistence.

  • Modifies init.d 1 TTPs 1 IoCs

    Adds or modifies a system service, likely for persistence.

  • Writes file to system bin folder 1 TTPs 38 IoCs
  • Reads runtime system information 1 IoCs

    Reads data from /proc virtual filesystem.

  • Writes file to shm directory 2 IoCs

    Malware can drop files in the shm directory, from which they run directly out of RAM without touching persistent disk.

Processes

  • /tmp/fb18a78ab398c101ec335992020bdbf6ca35db5d74b6c708d126cf4d4ebf289d.elf (PID 1547): Writes file to system bin folder
  • /bin/lfcuipuyjxe (PID 1551): Executes dropped EXE; Creates/modifies Cron job; Modifies init.d; Writes file to system bin folder; Reads runtime system information; Writes file to shm directory
  • /bin/pzagsfrhmaug -d 1552 (PID 1556): Executes dropped EXE
  • /bin/bmuemqah -d 1552 (PID 1559): Executes dropped EXE
  • /bin/hfiguljbomnk -d 1552 (PID 1562): Executes dropped EXE
  • /bin/tqszqxye -d 1552 (PID 1565): Executes dropped EXE
  • /bin/zsygeqgnw -d 1552 (PID 1568): Executes dropped EXE
  • /bin/pufqitgsrzlly -d 1552 (PID 1575): Executes dropped EXE
  • /bin/jyfpzznfffo -d 1552 (PID 1578): Executes dropped EXE
  • /bin/bdqjzfdgynb -d 1552 (PID 1581): Executes dropped EXE
  • /bin/isftefupdcec -d 1552 (PID 1584): Executes dropped EXE
  • /bin/tkjyaebdumfbqn -d 1552 (PID 1587): Executes dropped EXE
  • /bin/wfibibnrbn -d 1552 (PID 1590): Executes dropped EXE
  • /bin/cqrpxthlumac -d 1552 (PID 1593): Executes dropped EXE
  • /bin/joixilbgqkjzl -d 1552 (PID 1596): Executes dropped EXE
  • /bin/splotehk -d 1552 (PID 1599): Executes dropped EXE
  • /bin/arovgoziapsx -d 1552 (PID 1602): Executes dropped EXE
  • /bin/begflrj -d 1552 (PID 1605): Executes dropped EXE
  • /bin/kxlsokaoztnzzn -d 1552 (PID 1608): Executes dropped EXE
  • /bin/vyytwqjls -d 1552 (PID 1611): Executes dropped EXE
  • /bin/tzamioxgbpulsi -d 1552 (PID 1614): Executes dropped EXE
  • /bin/nvmokvjivcg -d 1552 (PID 1617): Executes dropped EXE
  • /bin/eanfdzo -d 1552 (PID 1621): Executes dropped EXE
  • /bin/yuvqqgi -d 1552 (PID 1624): Executes dropped EXE
  • /bin/txvhlhewqab -d 1552 (PID 1627): Executes dropped EXE
  • /bin/oosurfzugn -d 1552 (PID 1630): Executes dropped EXE
  • /bin/fjkvztfzoewype -d 1552 (PID 1633): Executes dropped EXE
  • /bin/mqczfhjsekllk -d 1552 (PID 1636): Executes dropped EXE
  • /bin/pizgmctigid -d 1552 (PID 1639): Executes dropped EXE
  • /bin/nrnjnz -d 1552 (PID 1642): Executes dropped EXE
  • /bin/rbgamy -d 1552 (PID 1645): Executes dropped EXE
  • /bin/wlpinerokdqf -d 1552 (PID 1648): Executes dropped EXE
  • /bin/ntaamnlzpksqt -d 1552 (PID 1651): Executes dropped EXE
  • /bin/etwafnluteifh -d 1552 (PID 1654): Executes dropped EXE
  • /bin/lxcaqeddroe -d 1552 (PID 1657): Executes dropped EXE
  • /bin/bxyupepo -d 1552 (PID 1660): Executes dropped EXE
  • /bin/wdsqxwbefepdgs -d 1552 (PID 1663): Executes dropped EXE

Network

MITRE ATT&CK Enterprise v15

Downloads

  • /bin/lfcuipuyjxe
    Filesize: 549KB
    MD5: c307cfc61461f72de2b87da48650eeed
    SHA1: 28197afc5ccd05719e514fa2479e4d4996ff0c78
    SHA256: 9a300e130f31ceb45c91586630832de3ca488767477d40cdba6f3f7ee8716227
    SHA512: ae30dfb29f62d3a5294bb111360a9a7887cd16e225e1a871221eff186da6cee0471b6da18d39905855794ade4883232f2615af60fce0308857527f85b1f4dcdd

  • /dev/shm/sem.n9wdqg
    Filesize: 16B
    MD5: 076933ff9904d1110d896e2c525e39e5
    SHA1: 4188442577fa77f25820d9b2d01cc446e30684ac
    SHA256: 4cbbd8ca5215b8d161aec181a74b694f4e24b001d5b081dc0030ed797a8973e0
    SHA512: 6fcee9a7b7a7b821d241c03c82377928bc6882e7a08c78a4221199bfa220cdc55212273018ee613317c8293bb8d1ce08d1e017508e94e06ab85a734c99c7cc34

  • /etc/cron.hourly/exjyupiucfl.sh
    Filesize: 148B
    MD5: c1087a221e2f767f2294447268fc36ba
    SHA1: 2abbf4f80bb84b02e0655564973b4c4b87940cd8
    SHA256: c74892adfcbb7577a2a73451695a77e7cffef6f4409469749e991c5cfa8a561a
    SHA512: 9124d423cad2fb0181941e4fec5665d9ce490052688e8ee86d067e158772459823e29cea4431dcc61408e40aa585ffc06e227b7b8c93d5406d00e49230e64c42

  • /etc/daemon.cfg
    Filesize: 32B
    MD5: f2b7f6a8cfb4a5f7c0a6e70db920e57e
    SHA1: ccf14d7309bdb65aedd1794e813741f1d05a0d8a
    SHA256: fd9ae889aa8a3699e5a21571a73fa3b45c3dac8fe27a3f5be0e2a8567fc9cff0
    SHA512: c1037aadb6105b33236f20c2deebdcfbd722923c2dadbd5c2553ec2bf49cd3a1b0b6e029481cd3ecb7b6c7f46cf115d1e80a0ddd2a03020dfe800ae46e20922b

  • /etc/init.d/exjyupiucfl
    Filesize: 343B
    MD5: 8daecf445d19fd940079db4be4fc4feb
    SHA1: 0529145795ffa70eb30a2baa41fc711005336935
    SHA256: ae64666ad5e1a73371cf66cf29f1fff2407fd9fc3f60f87067b00331dbd6afd9
    SHA512: eb66e12c08fafd93260264b1c2bf7583101bcd6479f5480fd0c4696042849c26f8931661b7568170d921e48d9fe92044ffa67db256cf88d179a2e65eb602cd20