Analysis
max time kernel: 29s
max time network: 30s
platform: ubuntu-20.04_amd64
resource: ubuntu2004-amd64-20240418-en
resource tags: arch:amd64, arch:i386, image:ubuntu2004-amd64-20240418-en, kernel:5.4.0-169-generic, locale:en-us, os:ubuntu-20.04-amd64, system
submitted: 27-04-2024 19:55
Behavioral task behavioral1: sample fb18a78ab398c101ec335992020bdbf6ca35db5d74b6c708d126cf4d4ebf289d.elf, resource ubuntu1804-amd64-20240226-en
Behavioral task behavioral2: sample fb18a78ab398c101ec335992020bdbf6ca35db5d74b6c708d126cf4d4ebf289d.elf, resource ubuntu2004-amd64-20240418-en
General
Target: fb18a78ab398c101ec335992020bdbf6ca35db5d74b6c708d126cf4d4ebf289d.elf
Size: 549KB
MD5: 450cea21132fad13be77c7030d2a9e9d
SHA1: e0fdfb05fb79f5ba1cafc69b78a50a0eed6eeedb
SHA256: fb18a78ab398c101ec335992020bdbf6ca35db5d74b6c708d126cf4d4ebf289d
SHA512: 6d282ecf3df15592a2e000906e5aca9665421309a35b31d7aed3cedcc0f46b2f7b6db2426afa7a02f49173b59b9be5c6089dbd0f8a4da8e962ca254e00854f49
SSDEEP: 12288:VeRvuKqiVZ4En5drNK0pPEfJKlHZ8mG97Qxee6yzmx:VIv/qiVNHNDEfJKHZ8mG9QeeO
Malware Config
Extracted family: xorddos
  user.myserv012.com:123
  user.search2c.com:123
  http://qq.com/lib.asp
crc_polynomial: CDB88320
Signatures

XorDDoS
Botnet and downloader malware targeting Linux-based operating systems and IoT devices.

XorDDoS payload (1 IoC)
resource: /usr/bin/uhwpmurnplssko   yara_rule: family_xorddos
Deletes itself (36 IoCs)
PIDs: 1506, 1517, 1520, 1523, 1526, 1529, 1535, 1538, 1541, 1544, 1547, 1550, 1553, 1556, 1561, 1562, 1582, 1583, 1588, 1589, 1592, 1595, 1600, 1601, 1604, 1607, 1625, 1628, 1633, 1634, 1637, 1641, 1644, 1647, 1650, 1653
Executes dropped EXE (36 IoCs)
pid   process          path
1511  uhwpmurnplssko   /usr/bin/uhwpmurnplssko
1516  nmhfwi           /usr/bin/nmhfwi
1519  tmpzakco         /usr/bin/tmpzakco
1522  xpnjuvtsxqdp     /usr/bin/xpnjuvtsxqdp
1525  essjuhtbrmng     /usr/bin/essjuhtbrmng
1528  ptpehm           /usr/bin/ptpehm
1534  vypsthpknfyr     /usr/bin/vypsthpknfyr
1537  qatzwuri         /usr/bin/qatzwuri
1540  zwzuldcay        /usr/bin/zwzuldcay
1543  anpvxhhkofdny    /usr/bin/anpvxhhkofdny
1546  jzbdqmnsimmvr    /usr/bin/jzbdqmnsimmvr
1549  nzefxdoenemst    /usr/bin/nzefxdoenemst
1552  wclzgc           /usr/bin/wclzgc
1555  vwvhitazsro      /usr/bin/vwvhitazsro
1558  vvpbltqpfjj      /usr/bin/vvpbltqpfjj
1560  hldgth           /usr/bin/hldgth
1581  cvswmxllnu       /usr/bin/cvswmxllnu
1579  ockpoffdnooevc   /usr/bin/ockpoffdnooevc
1587  ibhoeuevbaxke    /usr/bin/ibhoeuevbaxke
1585  dvdiqrn          /usr/bin/dvdiqrn
1591  fcgcnu           /usr/bin/fcgcnu
1594  vekfueswmtea     /usr/bin/vekfueswmtea
1599  txepnowksip      /usr/bin/txepnowksip
1597  yhvbhsmnmt       /usr/bin/yhvbhsmnmt
1603  minzbrbbsiy      /usr/bin/minzbrbbsiy
1606  rqhgdcxyacn      /usr/bin/rqhgdcxyacn
1624  iidctcwmsftvis   /usr/bin/iidctcwmsftvis
1627  iuizmr           /usr/bin/iuizmr
1630  zlmatlralakoc    /usr/bin/zlmatlralakoc
1632  qaqjilgsdccak    /usr/bin/qaqjilgsdccak
1636  oezprnskyjkllu   /usr/bin/oezprnskyjkllu
1640  sqqdad           /usr/bin/sqqdad
1643  sioukyvb         /usr/bin/sioukyvb
1646  wqvkifk          /usr/bin/wqvkifk
1649  pwfmwvmqmeu      /usr/bin/pwfmwvmqmeu
1652  jghrubeuzfz      /usr/bin/jghrubeuzfz
Unexpected DNS network traffic destination (6 IoCs)
Network traffic on the DNS port to servers other than the configured DNS servers was detected.
Destination IP: 114.114.114.114 (6 occurrences)
Creates/modifies Cron job (1 TTP, 1 IoC)
Cron allows running tasks on a schedule, and is commonly used for malware persistence.
File opened for modification: /etc/cron.hourly/oksslpnrumpwhu.sh (process: uhwpmurnplssko)
Modifies init.d
File opened for modification: /etc/init.d/oksslpnrumpwhu (process: uhwpmurnplssko)
Write file to user bin folder (1 TTP, 38 IoCs)
Files opened for modification by uhwpmurnplssko:
  /usr/bin/oksslpnrumpwhu.sh, /usr/bin/qatzwuri, /usr/bin/anpvxhhkofdny, /usr/bin/jzbdqmnsimmvr, /usr/bin/hldgth, /usr/bin/vekfueswmtea, /usr/bin/zlmatlralakoc, /usr/bin/oksslpnrumpwhu, /usr/bin/ockpoffdnooevc, /usr/bin/minzbrbbsiy, /usr/bin/nzefxdoenemst, /usr/bin/xpnjuvtsxqdp, /usr/bin/cvswmxllnu, /usr/bin/qaqjilgsdccak, /usr/bin/tmpzakco, /usr/bin/vypsthpknfyr, /usr/bin/wclzgc, /usr/bin/vwvhitazsro, /usr/bin/iidctcwmsftvis, /usr/bin/sqqdad, /usr/bin/sioukyvb, /usr/bin/pwfmwvmqmeu, /usr/bin/essjuhtbrmng, /usr/bin/jghrubeuzfz, /usr/bin/zwzuldcay, /usr/bin/fcgcnu, /usr/bin/yhvbhsmnmt, /usr/bin/rqhgdcxyacn, /usr/bin/ptpehm, /usr/bin/wqvkifk, /usr/bin/vvpbltqpfjj, /usr/bin/dvdiqrn, /usr/bin/ibhoeuevbaxke, /usr/bin/txepnowksip, /usr/bin/iuizmr, /usr/bin/nmhfwi, /usr/bin/oezprnskyjkllu
File opened for modification by fb18a78ab398c101ec335992020bdbf6ca35db5d74b6c708d126cf4d4ebf289d.elf:
  /usr/bin/uhwpmurnplssko
Reads runtime system information (2 IoCs)
Reads data from /proc virtual filesystem.
File opened for reading: /proc/meminfo (process: fb18a78ab398c101ec335992020bdbf6ca35db5d74b6c708d126cf4d4ebf289d.elf)
File opened for reading: /proc/meminfo (process: uhwpmurnplssko)
Writes file to shm directory (2 IoCs)
Malware can drop malicious files in the shm directory which will run directly from RAM.
File opened for modification: /dev/shm/sem.skbxjm (process: uhwpmurnplssko)
File opened for modification: /dev/shm/sem.SKmPA2 (process: uhwpmurnplssko)
Processes

/tmp/fb18a78ab398c101ec335992020bdbf6ca35db5d74b6c708d126cf4d4ebf289d.elf  (PID 1505)
  - Write file to user bin folder
  - Reads runtime system information

/usr/bin/uhwpmurnplssko  (PID 1511)
  - Executes dropped EXE
  - Creates/modifies Cron job
  - Modifies init.d
  - Write file to user bin folder
  - Reads runtime system information
  - Writes file to shm directory

/usr/bin/nmhfwi -d 1512  (PID 1516)
  - Executes dropped EXE

/usr/bin/tmpzakco -d 1512  (PID 1519)
  - Executes dropped EXE

/usr/bin/xpnjuvtsxqdp -d 1512  (PID 1522)
  - Executes dropped EXE

/usr/bin/essjuhtbrmng -d 1512  (PID 1525)
  - Executes dropped EXE

/usr/bin/ptpehm -d 1512  (PID 1528)
  - Executes dropped EXE

/usr/bin/vypsthpknfyr -d 1512  (PID 1534)
  - Executes dropped EXE

/usr/bin/qatzwuri -d 1512  (PID 1537)
  - Executes dropped EXE

/usr/bin/zwzuldcay -d 1512  (PID 1540)
  - Executes dropped EXE

/usr/bin/anpvxhhkofdny -d 1512  (PID 1543)
  - Executes dropped EXE

/usr/bin/jzbdqmnsimmvr -d 1512  (PID 1546)
  - Executes dropped EXE

/usr/bin/nzefxdoenemst -d 1512  (PID 1549)
  - Executes dropped EXE

/usr/bin/wclzgc -d 1512  (PID 1552)
  - Executes dropped EXE

/usr/bin/vwvhitazsro -d 1512  (PID 1555)
  - Executes dropped EXE

/usr/bin/vvpbltqpfjj -d 1512  (PID 1558)
  - Executes dropped EXE

/usr/bin/hldgth -d 1512  (PID 1560)
  - Executes dropped EXE

/usr/bin/cvswmxllnu -d 1512  (PID 1581)
  - Executes dropped EXE

/usr/bin/ockpoffdnooevc -d 1512  (PID 1579)
  - Executes dropped EXE

/usr/bin/ibhoeuevbaxke -d 1512  (PID 1587)
  - Executes dropped EXE

/usr/bin/dvdiqrn -d 1512  (PID 1585)
  - Executes dropped EXE

/usr/bin/fcgcnu -d 1512  (PID 1591)
  - Executes dropped EXE

/usr/bin/vekfueswmtea -d 1512  (PID 1594)
  - Executes dropped EXE

/usr/bin/txepnowksip -d 1512  (PID 1599)
  - Executes dropped EXE

/usr/bin/yhvbhsmnmt -d 1512  (PID 1597)
  - Executes dropped EXE

/usr/bin/minzbrbbsiy -d 1512  (PID 1603)
  - Executes dropped EXE

/usr/bin/rqhgdcxyacn -d 1512  (PID 1606)
  - Executes dropped EXE

/usr/bin/iidctcwmsftvis -d 1512  (PID 1624)
  - Executes dropped EXE

/usr/bin/iuizmr -d 1512  (PID 1627)
  - Executes dropped EXE

/usr/bin/zlmatlralakoc -d 1512  (PID 1630)
  - Executes dropped EXE

/usr/bin/qaqjilgsdccak -d 1512  (PID 1632)
  - Executes dropped EXE

/usr/bin/oezprnskyjkllu -d 1512  (PID 1636)
  - Executes dropped EXE

/usr/bin/sqqdad -d 1512  (PID 1640)
  - Executes dropped EXE

/usr/bin/sioukyvb -d 1512  (PID 1643)
  - Executes dropped EXE

/usr/bin/wqvkifk -d 1512  (PID 1646)
  - Executes dropped EXE

/usr/bin/pwfmwvmqmeu -d 1512  (PID 1649)
  - Executes dropped EXE

/usr/bin/jghrubeuzfz -d 1512  (PID 1652)
  - Executes dropped EXE
Network
MITRE ATT&CK Enterprise v15
Downloads