Analysis

  • max time kernel
    29s
  • max time network
    30s
  • platform
    ubuntu-20.04_amd64
  • resource
    ubuntu2004-amd64-20240418-en
  • resource tags

    arch:amd64, arch:i386, image:ubuntu2004-amd64-20240418-en, kernel:5.4.0-169-generic, locale:en-us, os:ubuntu-20.04-amd64, system
  • submitted
    27-04-2024 19:55

General

  • Target

    fb18a78ab398c101ec335992020bdbf6ca35db5d74b6c708d126cf4d4ebf289d.elf

  • Size

    549KB

  • MD5

    450cea21132fad13be77c7030d2a9e9d

  • SHA1

    e0fdfb05fb79f5ba1cafc69b78a50a0eed6eeedb

  • SHA256

    fb18a78ab398c101ec335992020bdbf6ca35db5d74b6c708d126cf4d4ebf289d

  • SHA512

    6d282ecf3df15592a2e000906e5aca9665421309a35b31d7aed3cedcc0f46b2f7b6db2426afa7a02f49173b59b9be5c6089dbd0f8a4da8e962ca254e00854f49

  • SSDEEP

    12288:VeRvuKqiVZ4En5drNK0pPEfJKlHZ8mG97Qxee6yzmx:VIv/qiVNHNDEfJKHZ8mG9QeeO

Malware Config

Extracted

Family

xorddos

C2

user.myserv012.com:123

user.search2c.com:123

http://qq.com/lib.asp

Attributes
  • crc_polynomial

    CDB88320

xor.plain

Signatures

  • XorDDoS

    Botnet and downloader malware targeting Linux-based operating systems and IoT devices.

  • XorDDoS payload 1 IoCs
  • Deletes itself 36 IoCs
  • Executes dropped EXE 36 IoCs
  • Unexpected DNS network traffic destination 6 IoCs

    Network traffic to other servers than the configured DNS servers was detected on the DNS port.

  • Creates/modifies Cron job 1 TTPs 1 IoCs

    Cron allows running tasks on a schedule, and is commonly used for malware persistence.

  • Modifies init.d 1 TTPs 1 IoCs

    Adds/modifies system service, likely for persistence.

  • Write file to user bin folder 1 TTPs 38 IoCs
  • Reads runtime system information 2 IoCs

    Reads data from /proc virtual filesystem.

  • Writes file to shm directory 2 IoCs

    Malware can drop malicious files in the shm directory which will run directly from RAM.

Processes

  • /tmp/fb18a78ab398c101ec335992020bdbf6ca35db5d74b6c708d126cf4d4ebf289d.elf
    /tmp/fb18a78ab398c101ec335992020bdbf6ca35db5d74b6c708d126cf4d4ebf289d.elf
    1⤵
    • Write file to user bin folder
    • Reads runtime system information
    PID:1505
  • /usr/bin/uhwpmurnplssko
    /usr/bin/uhwpmurnplssko
    1⤵
    • Executes dropped EXE
    • Creates/modifies Cron job
    • Modifies init.d
    • Write file to user bin folder
    • Reads runtime system information
    • Writes file to shm directory
    PID:1511
  • /usr/bin/nmhfwi
    /usr/bin/nmhfwi -d 1512
    1⤵
    • Executes dropped EXE
    PID:1516
  • /usr/bin/tmpzakco
    /usr/bin/tmpzakco -d 1512
    1⤵
    • Executes dropped EXE
    PID:1519
  • /usr/bin/xpnjuvtsxqdp
    /usr/bin/xpnjuvtsxqdp -d 1512
    1⤵
    • Executes dropped EXE
    PID:1522
  • /usr/bin/essjuhtbrmng
    /usr/bin/essjuhtbrmng -d 1512
    1⤵
    • Executes dropped EXE
    PID:1525
  • /usr/bin/ptpehm
    /usr/bin/ptpehm -d 1512
    1⤵
    • Executes dropped EXE
    PID:1528
  • /usr/bin/vypsthpknfyr
    /usr/bin/vypsthpknfyr -d 1512
    1⤵
    • Executes dropped EXE
    PID:1534
  • /usr/bin/qatzwuri
    /usr/bin/qatzwuri -d 1512
    1⤵
    • Executes dropped EXE
    PID:1537
  • /usr/bin/zwzuldcay
    /usr/bin/zwzuldcay -d 1512
    1⤵
    • Executes dropped EXE
    PID:1540
  • /usr/bin/anpvxhhkofdny
    /usr/bin/anpvxhhkofdny -d 1512
    1⤵
    • Executes dropped EXE
    PID:1543
  • /usr/bin/jzbdqmnsimmvr
    /usr/bin/jzbdqmnsimmvr -d 1512
    1⤵
    • Executes dropped EXE
    PID:1546
  • /usr/bin/nzefxdoenemst
    /usr/bin/nzefxdoenemst -d 1512
    1⤵
    • Executes dropped EXE
    PID:1549
  • /usr/bin/wclzgc
    /usr/bin/wclzgc -d 1512
    1⤵
    • Executes dropped EXE
    PID:1552
  • /usr/bin/vwvhitazsro
    /usr/bin/vwvhitazsro -d 1512
    1⤵
    • Executes dropped EXE
    PID:1555
  • /usr/bin/vvpbltqpfjj
    /usr/bin/vvpbltqpfjj -d 1512
    1⤵
    • Executes dropped EXE
    PID:1558
  • /usr/bin/hldgth
    /usr/bin/hldgth -d 1512
    1⤵
    • Executes dropped EXE
    PID:1560
  • /usr/bin/cvswmxllnu
    /usr/bin/cvswmxllnu -d 1512
    1⤵
    • Executes dropped EXE
    PID:1581
  • /usr/bin/ockpoffdnooevc
    /usr/bin/ockpoffdnooevc -d 1512
    1⤵
    • Executes dropped EXE
    PID:1579
  • /usr/bin/ibhoeuevbaxke
    /usr/bin/ibhoeuevbaxke -d 1512
    1⤵
    • Executes dropped EXE
    PID:1587
  • /usr/bin/dvdiqrn
    /usr/bin/dvdiqrn -d 1512
    1⤵
    • Executes dropped EXE
    PID:1585
  • /usr/bin/fcgcnu
    /usr/bin/fcgcnu -d 1512
    1⤵
    • Executes dropped EXE
    PID:1591
  • /usr/bin/vekfueswmtea
    /usr/bin/vekfueswmtea -d 1512
    1⤵
    • Executes dropped EXE
    PID:1594
  • /usr/bin/txepnowksip
    /usr/bin/txepnowksip -d 1512
    1⤵
    • Executes dropped EXE
    PID:1599
  • /usr/bin/yhvbhsmnmt
    /usr/bin/yhvbhsmnmt -d 1512
    1⤵
    • Executes dropped EXE
    PID:1597
  • /usr/bin/minzbrbbsiy
    /usr/bin/minzbrbbsiy -d 1512
    1⤵
    • Executes dropped EXE
    PID:1603
  • /usr/bin/rqhgdcxyacn
    /usr/bin/rqhgdcxyacn -d 1512
    1⤵
    • Executes dropped EXE
    PID:1606
  • /usr/bin/iidctcwmsftvis
    /usr/bin/iidctcwmsftvis -d 1512
    1⤵
    • Executes dropped EXE
    PID:1624
  • /usr/bin/iuizmr
    /usr/bin/iuizmr -d 1512
    1⤵
    • Executes dropped EXE
    PID:1627
  • /usr/bin/zlmatlralakoc
    /usr/bin/zlmatlralakoc -d 1512
    1⤵
    • Executes dropped EXE
    PID:1630
  • /usr/bin/qaqjilgsdccak
    /usr/bin/qaqjilgsdccak -d 1512
    1⤵
    • Executes dropped EXE
    PID:1632
  • /usr/bin/oezprnskyjkllu
    /usr/bin/oezprnskyjkllu -d 1512
    1⤵
    • Executes dropped EXE
    PID:1636
  • /usr/bin/sqqdad
    /usr/bin/sqqdad -d 1512
    1⤵
    • Executes dropped EXE
    PID:1640
  • /usr/bin/sioukyvb
    /usr/bin/sioukyvb -d 1512
    1⤵
    • Executes dropped EXE
    PID:1643
  • /usr/bin/wqvkifk
    /usr/bin/wqvkifk -d 1512
    1⤵
    • Executes dropped EXE
    PID:1646
  • /usr/bin/pwfmwvmqmeu
    /usr/bin/pwfmwvmqmeu -d 1512
    1⤵
    • Executes dropped EXE
    PID:1649
  • /usr/bin/jghrubeuzfz
    /usr/bin/jghrubeuzfz -d 1512
    1⤵
    • Executes dropped EXE
    PID:1652

Network

MITRE ATT&CK Enterprise v15


Downloads

  • /dev/shm/sem.SKmPA2

    Filesize

    16B

    MD5

    076933ff9904d1110d896e2c525e39e5

    SHA1

    4188442577fa77f25820d9b2d01cc446e30684ac

    SHA256

    4cbbd8ca5215b8d161aec181a74b694f4e24b001d5b081dc0030ed797a8973e0

    SHA512

    6fcee9a7b7a7b821d241c03c82377928bc6882e7a08c78a4221199bfa220cdc55212273018ee613317c8293bb8d1ce08d1e017508e94e06ab85a734c99c7cc34

  • /etc/cron.hourly/oksslpnrumpwhu.sh

    Filesize

    163B

    MD5

    d6a3b78619436dc773ee4451f3a21fc2

    SHA1

    92a19093f82af017b3483af64a974a72f33417dd

    SHA256

    2fdc32f8e36c9b0805301426d73a5a06f206661802457e4d1fc7caa0023678c2

    SHA512

    488838bcd7e28668b1a90d800063e307d2ea683e577e3463942a97eee137c805cce2b6447973c373b20dc295dec8438c6950463073f8c0ed75b87470d1972887

  • /etc/daemon.cfg

    Filesize

    32B

    MD5

    8a10bd1360718b1c0e69a3cb535a4a25

    SHA1

    ce0bed42d08e7c557a4cbe74067db78f8e50c4b4

    SHA256

    60a33fc90537af196c496e66382c8671a80e473fa7692bf551ce05c3801ec509

    SHA512

    fc56e49a3f3c3dd9e9607ff0e100dcff9c8196fed86a49434e9b5b7b9be6906d7e004a310c07350cfd486c4c2cac344918254d5873ee9cebbce5edbe39613a86

  • /etc/init.d/oksslpnrumpwhu

    Filesize

    366B

    MD5

    dd03c8556558a8980a54ce02ac2ffa3c

    SHA1

    52cee2d8df235bbff2d6e813d440bc43e5ec2918

    SHA256

    76ddf6ce8c265e690fc4ec525ed32ce40de891a9343e45d1c2972e4356ce02e4

    SHA512

    58b48bf6427c0e3324efc35e448496c1495d3457fe408ff83973cc3a9b59c1a7f8aacfed423b59bbe79068011a4ccd378e97b946f54df1618802934e1c851788

  • /usr/bin/uhwpmurnplssko

    Filesize

    549KB

    MD5

    d9e513c7911ed42c11b06a8d18012b01

    SHA1

    bddab69faf0378d3de9b1a07842475deed6832ea

    SHA256

    b1b68062065099b26864432d8a9fa4e964851f3297a0abbd1ad697eb77321659

    SHA512

    13414e822cafde9b5d5eace5b0c1a7c0de88b2ad471e3e53153461f4e0452e180b3f69fef0e459e3a1ef8f8882102e10375fe7778ee2cbde024d193312bfdc7a