xorddos | 891b01d92d0366fbb4af44135cfb9b4b9f9d2b28cc052f70cb9724ef30545608

Analysis

max time kernel
149s
max time network
147s
platform
ubuntu-24.04_amd64
resource
ubuntu2404-amd64-20240523-en
resource tags

arch:amd64arch:i386image:ubuntu2404-amd64-20240523-enkernel:6.8.0-31-genericlocale:en-usos:ubuntu-24.04-amd64system
submitted
29-07-2024 21:30

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

616b7d37976b466c6c4ca41909d35f6d_JaffaCakes118
Size

611KB
MD5

616b7d37976b466c6c4ca41909d35f6d
SHA1

87cb885c92d7d0ba78b21cf474637cedbdcbd155
SHA256

891b01d92d0366fbb4af44135cfb9b4b9f9d2b28cc052f70cb9724ef30545608
SHA512

b3feb38b198a5574f317f18736dc653034689e177deca12278dcb8330fa6eb08281cd1b69183f5da2d15d84faa33711dd18f002da851bb52bed6d2941fa00154
SSDEEP

12288:FBXOvdwV1/n/dQFhWlH/c1dHo4h9L+zNZrrLT6yF8EEP4UlUuTh1AG:FBXmkN/+Fhu/Qo4h9L+zNNLBVEBl/91h

Score

10^/10

xorddos botnet downloader rootkit

Malware Config

Extracted

Family

xorddos

http://www1.gggatat456.com/dd.rar

ppp.gggatat456.com:1524

ppp.xxxatat456.com:1524

ddd.dddgata789.com:1524

Attributes

crc_polynomial
EDB88320

xor.plain

Signatures

XorDDoS
Botnet and downloader malware targeting Linux-based operating systems and IoT devices.
botnet downloader xorddos

XorDDoS payload 30 IoCs

Processes:

resource	yara_rule
/usr/lib/libudev.so	family_xorddos
/usr/bin/xfknelbiqx	family_xorddos
/usr/bin/tgtgxxfxbr	family_xorddos
/usr/bin/kjgaydowed	family_xorddos
/usr/bin/rfcufsptkv	family_xorddos
/usr/bin/ovmlltrzgf	family_xorddos
/usr/bin/gwqcnltycx	family_xorddos
/usr/bin/cbjjgtguca	family_xorddos
/usr/bin/vphcxiqkji	family_xorddos
/usr/bin/rjnctgokle	family_xorddos
/usr/bin/gpsunqactu	family_xorddos
/usr/bin/jmznxeofiy	family_xorddos
/usr/bin/pndsxfhaib	family_xorddos
/usr/bin/pikdpziyhd	family_xorddos
/usr/bin/njesegodts	family_xorddos
/usr/bin/ctbmphzahq	family_xorddos
/usr/bin/hexdxncdqp	family_xorddos
/usr/bin/uwbtztfkqp	family_xorddos
/usr/bin/uznxysdrip	family_xorddos
/usr/bin/cuevmqnsko	family_xorddos
/usr/bin/ldopiugxxo	family_xorddos
/usr/bin/vvexxgrsig	family_xorddos
/usr/bin/drkfrlzjxe	family_xorddos
/usr/bin/owfgxtgufr	family_xorddos
/usr/bin/htugkdfkfc	family_xorddos
/usr/bin/erbnlusrjs	family_xorddos
/usr/bin/ywjrwhoqke	family_xorddos
/usr/bin/dwwzlahhaz	family_xorddos
/usr/bin/nckibqmdnz	family_xorddos
/usr/bin/qpoobexfau	family_xorddos

Writes memory of remote process 2 IoCs

Processes:

616b7d37976b466c6c4ca41909d35f6d_JaffaCakes118

pid process

2471 616b7d37976b466c6c4ca41909d35f6d_JaffaCakes118
2483

Loads a kernel module 64 IoCs

Loads a Linux kernel module, potentially to achieve persistence

rootkit

Processes:

616b7d37976b466c6c4ca41909d35f6d_JaffaCakes118

pid	process
2471	616b7d37976b466c6c4ca41909d35f6d_JaffaCakes118
2472
2477
2472
2472
2485
2483
2486
2485
2472
2472
2483
2483
2485
2483
2483
2483
2483
2483
2483
2472
2483
2483
2472
2510
2514
2516
2512
2519
2518
2522
2520
2523
2521
2483
2483
2472
2472
2519
2519
2522
2522
2520
2520
2523
2523
2521
2521
2483
2483
2519
2519
2522
2522
2520
2520
2523
2523
2521
2521
2483
2483
2519
2519

/tmp/616b7d37976b466c6c4ca41909d35f6d_JaffaCakes118
/tmp/616b7d37976b466c6c4ca41909d35f6d_JaffaCakes118
1⤵
- Writes memory of remote process
- Loads a kernel module
PID:2471

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

/etc/cron.hourly/gcc.sh

Filesize
228B

MD5
3bab747cedc5f0ebe86aaa7f982470cd

SHA1
3c7d1c6931c2b3dae39d38346b780ea57c8e6142

SHA256
74d31cac40d98ee64df2a0c29ceb229d12ac5fa699c2ee512fc69360f0cf68c5

SHA512
21e8a6d9ca8531d37def83d8903e5b0fa11ecf33d85d05edab1e0feb4acac65ae2cf5222650fb9f533f459ccc51bb2903276ff6f827b847cc5e6dac7d45a0a42

Download Submit
/etc/init.d/616b7d37976b466c6c4ca41909d35f6d_JaffaCakes118

Filesize
495B

MD5
be4cf11a2e1d500816c0ae44897392e6

SHA1
bfd28d00928c4f7553cf25c46f49eb0e96918355

SHA256
74113189a5b38072d361c2749ab4eb28ffb548150bcf6af77fd2e485fb33d8b8

SHA512
108cd2878707b2cb0d5f1db83a8b9b9c44a8db5cbc3a0352604a4eb797f594fe213352c2cb36aa46e71a5f70f636c9e17d5a52a19a2e1982b64e4d361c25df7b

Download Submit
/run/gcc.pid

Filesize
32B

MD5
ce76644ac657238fb45abe32b076721e

SHA1
4351bb3008811459831164b1f0dd24e5e4bc5995

SHA256
657873a2f800d66860ef654ba3c692729d433114f5ed5f7ed95d648369c8c823

SHA512
5189c6b12ad1d2c3577a1e8c02ccb1fa754307bb666bc4a0005026e334907a68c73324e7683222209fe0ecac02177adba03043cbbbfa7f50f31f80520d2d18ec

Download Submit
/usr/bin/cbjjgtguca

Filesize
611KB

MD5
5ab2d1bf79e2980558d7b1dd6ade09e1

SHA1
5ce46f083baa8019ff8410d82cccd8b136bc048b

SHA256
27d501cc3b3f649285faa4e5df7f132be2b144d7ffed77fc5f0aa7a4fc392edb

SHA512
9a6499713a4887fbb99f9857b0f06af67b6080d11352a4dfbef9a7da195872c4f56d068aea178a3d92988431924b540d485712859172aee60ea6c5200ff3e54c

Download Submit
/usr/bin/ctbmphzahq

Filesize
611KB

MD5
7b1de9007c89b25aebdcea492bace8c7

SHA1
49916723aeb8a88b7890e328f0cec2bf8f772e22

SHA256
94622f730b2fdf9f83c10dd0f4ed6aff76ae5c90b803fd2e6014b2b907f732e4

SHA512
e4769b622454bd66e168e09aefb24d6c9b9342c4873336169a5e4a91bf369bf6bff10ca6c3db26735f7bc61bc3ec1ee0d560c749b39934c021940edef329c7f8

Download Submit
/usr/bin/cuevmqnsko

Filesize
611KB

MD5
c35f27befd0ed8406eee6c68b9bee055

SHA1
de6b911c89bff570e54ff499587da6d3b4f2b519

SHA256
2643d3b2446a1b8e97a763623d4dbc92e5959e9ed83043036b78b40f6487321f

SHA512
bc4fa94c28e6818faebbd1e13567690de5f1a7af34ffdf1871a3136d13a7a81070dbf8fd903bda28d4c0981226eece349276050d3fd01c21ae928878e0ef9ab2

Download Submit
/usr/bin/drkfrlzjxe

Filesize
611KB

MD5
3947924b46200e69102d07fc58b5b66a

SHA1
91a2ea9c6614db687baad56b8273b7b8ce302eb5

SHA256
d021a83995d8eb8742812e84067d974d23ec360832fc25275bad293b904355f9

SHA512
8e3c34925b667ce1ab0d22b9b2b902726e77de7f8e63fd5dbe305dd452d8eff5cc43b322048e235a3b9d125fdf2b2b56dca1dc23ddcaecc4c04937c9bb5f7129

Download Submit
/usr/bin/dwwzlahhaz

Filesize
611KB

MD5
30677f1024e8fd60e9c92a0bea9f60bf

SHA1
6003a8c767be35366510db9196578c0fbb01c8cf

SHA256
6d02cd867c794792f63395107e7de3dd79b7c35c99094c2f5f5abd8f5b0cae3d

SHA512
9a6a18d08ef377c06405c13b28146860641dac5a46329b012b4cfa91a2425b192f1092bd98a015b8968b897423ba52b0918e0093856f61ad686e6ef5027229ed

Download Submit
/usr/bin/erbnlusrjs

Filesize
611KB

MD5
d073bb9741e96473f0ead7a360b07356

SHA1
832c05bef100ea385d887d354e7b73a8e648a39d

SHA256
1dad23a9a8556a869b6511a285324de078b246a77367652391726cea6744a982

SHA512
e8d0a1da66f5767e901b5a9ac0f21cd26348d00c8d043b92b56c48f30a8709c5fac4b5ebe709b73e2a6851e6fbfd7b525a5106137c0d8a0c695f600785c720be

Download Submit
/usr/bin/gpsunqactu

Filesize
611KB

MD5
505be21e8d6556b29be82a719245984c

SHA1
d8e916b3a3acb3b561690bfe19c28cb9d0a2d8a1

SHA256
8207b895eb67ec3fda85382d0d64c376895a9224fa77eef2029b6705bd375186

SHA512
4fff623c40f1c960800c4791b91d569687944d5216b2b7417e82305def487fa0ba7031bb204258650cb8db001235b8d980056b6524eb8babc272ed631755e4cb

Download Submit
/usr/bin/gwqcnltycx

Filesize
611KB

MD5
154befd323431fd837de5dd90b7903c3

SHA1
c262e492d490da73609d6316ba06be20605f3151

SHA256
fbec30de788d8c3ba63a4a61182fb43f2e53daeaa8f0cad9f1bf363048b5e661

SHA512
e1b40c8372db98379c542add2fa2aa24a424b908611067b37b7224badc1f814b41cd0599fd62a0f02ecb4cdb8b4bfb34677cb6ab08552388d01e88b60a58c007

Download Submit
/usr/bin/hexdxncdqp

Filesize
611KB

MD5
31a6d9b09e22228618799a78dc2bced4

SHA1
e956de7620a702b6eb414f1d3628f13cbbdd3d28

SHA256
9a4c81fae3a5ad158a77f60754e7ac5d48e9eefb601c2550ba8382e407464715

SHA512
f6ddac35e0a35c4c2dc824ad0d3a45a5ca54444e5103c3ea503c24e69788c42353f59351bc615a84065c4d59e3234631ed53cf174a0647060be76591b5cff43f

Download Submit
/usr/bin/htugkdfkfc

Filesize
611KB

MD5
6eb1cf5e3081676fd5e93356127ab928

SHA1
97ff6e978e7c2e4d0d29724200c89d3236579cae

SHA256
6a4d5712a86d10ce4d651fe53bd5cd30f18210c43013c92d35dca3f6af385d75

SHA512
366f1015793a360fbb62506ad88b14888ad2daee596994a5e734168aa8083733bc1728b940ebb6b06961de565881751b95778b11c8d583d79d4c56a946333626

Download Submit
/usr/bin/jmznxeofiy

Filesize
611KB

MD5
24b9e5825f2e326c235cd75d07c6d63b

SHA1
102a17ad4508ecc7722b5b959ccde892e878089d

SHA256
2a74cad4a2ebaa8901899fb95942376e038f2064637ed46bc1d7479d033ec5a6

SHA512
ffab3dab45c5c7ae99ae608a84016269901716c0c30b05fbc2c3bf3a5c125bec950f965211e7de8447149154bebc51d24ccb343fb9817032ac1edf7791596753

Download Submit
/usr/bin/kjgaydowed

Filesize
611KB

MD5
a3faeb9c0ec9a736b8be322e91ab9f52

SHA1
449970916b05714c83347887e68936808fd17d7d

SHA256
8b85154147e1e7999d138fc6f19945e81c415fbd3889905a8371d19ecfb3f39f

SHA512
38bcab46865a60d41102b4acc6bc9b69f065fd2b03c6aa9bb335aa956183e90c069d7d355e01ea2a6fb7f31d04c009ff2ed22af14a05423aa1807795026a8f7a

Download Submit
/usr/bin/ldopiugxxo

Filesize
611KB

MD5
2a07f154f2a379587aa09ac41fcf22d8

SHA1
6df460acbc18f8ce259150e49727d3105ce95679

SHA256
7efa0a0c70e268830bd3c6181167bab04342fdd1c306c15fdf5e8cedafacc52e

SHA512
6daeff2e6f5db5e2f4ff692b8bc5ceb3c7cc9943f5cc93167b79952e86214069a6e4d7b670e47e143a883799d2bb0595304084b143b105690e43608217eba635

Download Submit
/usr/bin/nckibqmdnz

Filesize
611KB

MD5
5d4ae114ca33462a165a94b17d6d2747

SHA1
b54c88317319455315a08ebaf64cc24d0dc62393

SHA256
9edc78cfb652e788aac192e826bb8f703478b1055c5a6c4c225cb8f9d52d3acc

SHA512
3846dc272ad5a32f8b600e724af68bfa5d1f4f1e74cea80f0a1234275fc05c119b43f2c515c7b42064b031d136983ed191e6d25c510815c0dc4851e180aacf54

Download Submit
/usr/bin/njesegodts

Filesize
611KB

MD5
52929fd57dcbb475972cd85bce9bb400

SHA1
98703f18b6fb8584f6c25ca0e6e6a12b11b9ff50

SHA256
becfeb2866d209a462de16111e4ddb00814e20bd2a4d9c15b24c3464ff4a5b26

SHA512
213b5bd84237358ee7c6214f26d06e27462b2852ebc73a90ba12f130557e5922ca09f0ba0008584161029fe6b693a7e944bcc6fff05000a1f066555a003e3118

Download Submit
/usr/bin/ovmlltrzgf

Filesize
611KB

MD5
c916b61c33014b978072c8eaab4532f3

SHA1
cb66fa4f18f5184f49aac9836329c7697c53d99f

SHA256
d46a87fab2e820abdcc39d3924230ed2af4b5f02c7a5cd15409e04b395cd1924

SHA512
5e810e2ba6f86939a6dd82226328092e0d2eee1181d8f7175521b678e8a32f43836a7108deacea109ec7652277048793518e4e0f0bd6b59e714ad93646751a52

Download Submit
/usr/bin/owfgxtgufr

Filesize
611KB

MD5
2572021b36cec580b013e4e75c337e8c

SHA1
b05d053f2c80629867bbe9f98005ac5843a45a91

SHA256
642e929893fddc98e8ced9550d67967b6434e58869c8edc3de27cbad5c23119e

SHA512
79246a322cc27298b9c2dcf83c1868680ce1a6a8169f903f78860692c72f5beaa79e88500be34079a73a3d87e536e54554b301a3eeb7553bba6fc9f0ce9d5520

Download Submit
/usr/bin/pikdpziyhd

Filesize
611KB

MD5
68749605147b9c0836e1a30fff0c2c12

SHA1
d566850b5f11a199f89e7547c5fa8a798e595eee

SHA256
1eceecb3887a4b15f6efbd7cab869498ca552c16e207e17e076efb35bc7ba7da

SHA512
fa8faa75f1685688f52a99eaa08a3aa9cc86ab973cb9216186b939a50b3f93ac463569bfb989333c0944abd60904d1beb10c8c35302b2e88031e621c2fe749b7

Download Submit
/usr/bin/pndsxfhaib

Filesize
611KB

MD5
f8754a03438a905225249ce48219f0c3

SHA1
566c6207d8e3b7cfcaed597190885ff61f9f1db1

SHA256
c8610f1059ef11fc70c190ae5badbed5d466f130d3d4611c94170400db82e439

SHA512
bb237509d04174e3adff538871dac3e21e53ec382c2ff13e186acb09ea47889f538cb6767d3fa37a89801c7ff6f45b080bf4ef01b4909fc714e2546a3a588670

Download Submit
/usr/bin/qpoobexfau

Filesize
611KB

MD5
2b5409be21f539996fd52d2bba61b824

SHA1
06e8681ab65b7163c1e41502fa52caddd4dfb147

SHA256
e93df7ebf02a12fd029f206fb3c0c810d2e7500fd791bdc9778d7f37b33001b9

SHA512
ee941cf0f43b5385a7fc7a0f65fba16c03d180ab8ffe691e4d0cc8285bc591731785970ac33549e1fa1ffcfe6800722b4a9cd8949528f91519c307f8612ce926

Download Submit
/usr/bin/rfcufsptkv

Filesize
611KB

MD5
22599456f9b2462061f0b05ff1503600

SHA1
3f910f62cf8bd412dd0f709c40447809dad6c8bb

SHA256
552fae190057117f87f41ece1893fb444fc1b909a5fa4c779374762f1aa76645

SHA512
a0017b698b64e00bbc4dd4f7ed2a9eb022c966199f17febdf8206a42b61322fa108e6501d0442d64304bc3f03822d5b2d21021d1b299d7dac9f41d41b09c04c3

Download Submit
/usr/bin/rjnctgokle

Filesize
611KB

MD5
44b948afe3b197ae3bd8c819d477f0b9

SHA1
a301493910b4ad27e267f9ae6d2852aa60e791bd

SHA256
eac23975f0122394e98d47507cb9d9f2abe13e4db7b249760432e6ab8a9c1bd0

SHA512
454c14f351a7052f6c617b2b3e49c658b159d670a2218550b4c949798b951eacc27d00e64aea6262d8cd5bee0c5d032b93bcaa19f09d488af3859a46427fe09a

Download Submit
/usr/bin/tgtgxxfxbr

Filesize
611KB

MD5
e58aff0077c4c00e1c8d6c48b4d08c8c

SHA1
d68bf3c40770735d2d4da38d31332c4173a207a5

SHA256
025ed841e702ee6de238d9344e528122d5e650267553d320b6e8e27eb899a9a8

SHA512
062e247aaf43e4607d10767465e4a5ac8cf125828a147228fa81111ddf308b31b8ce0d0904064aef03e9e47a0130061441788698799f51fafa7bbc898b61ac31

Download Submit
/usr/bin/uwbtztfkqp

Filesize
611KB

MD5
563e1d67fc35d0dbbb843b1952026e46

SHA1
e4f756a739a4bb2d898a146e98d4957c98e28b68

SHA256
39957f3cacdbc96de97759709af318751674cd6d5b1de196667da51571c9e9e0

SHA512
0c8bf2987eb1afa0927e439f09b9d2651295424fe9bcbbf0300e28f2dfa651cf349263050004e14f6a4abb7238d0e72b9cc95799eacaee7d24bc23a5b60fc862

Download Submit
/usr/bin/uznxysdrip

Filesize
611KB

MD5
e42b232d98ef80f66231d5df3efa9ecd

SHA1
93f9d88a47e10c46dd5d63793002565d81dbcb0e

SHA256
d7b73f9b51532dd7b4f5464c2afeae0d3c5ad56f19cf7577df8f7e11bae6b286

SHA512
da39349e6cff076ecf3a8a6fbf1ee6ce000f231437b323dc0893c785f69460dcf3fa22c2d26ea5d3730957f206fa1d94aa3cb3fbfe5484e9a79a7d790c728e13

Download Submit
/usr/bin/vphcxiqkji

Filesize
611KB

MD5
f84b012310d82c940a91730dd4a7fd34

SHA1
8a6724e2c8938e6f4a801e48f4fac85b2faa3b75

SHA256
0d5bb72f37069670b06727d9df97521c96d134eeb43d7f1cdd284029af83c5ff

SHA512
a9b7d6a4fe122f59ec32730985903a7d13b816710b6b7563cc93494a6b5a005f75ae1c5b8d9a72ce2fede1ed8d1032373263ca55011f911be3bd9eb4ab5a3434

Download Submit
/usr/bin/vvexxgrsig

Filesize
611KB

MD5
89992e485da21aa5fc3e939034a169fa

SHA1
a68debdadbe35d9ac876080e50ac50927d57797c

SHA256
1165e22d362afbca31137ce45998ba47b40105f96472b38ec71758e9eaf6813d

SHA512
c9f51df063577959df49434213b2571d3c9ea4674b49df09ab2bc67acc51d06cee3edbbe77248fb7a1aedac178f950eba76d1ca971d9d906df87ec7239c2c8bf

Download Submit
/usr/bin/xfknelbiqx

Filesize
611KB

MD5
8013788de7edc1d170e45b55937918a7

SHA1
db97a219c49debe91d7e9b570b6775d7b9dbcf05

SHA256
8bdb58d40e609609377908b01af001fede543e6172a70dc3ee685c35da588eab

SHA512
0d74be5365ebb78417c1ef6f6cb2ca57160390493902867a4b61a78f351e85a3ac5fb14ce1026efe57d22dfa063395c63686fde4c315bcc01cab04b4c022e65a

Download Submit
/usr/bin/ywjrwhoqke

Filesize
611KB

MD5
bb70fd08d24e139ff7cb05fee3aac5c8

SHA1
56fae55ac6e05d63a01311b9a860aa2222285b75

SHA256
8f06c6667018b8371c219a187546aa11e9a0bdbed9ed531fdca0ba5f7c064c26

SHA512
783e1a268ed38565f687b80e2218eb01d7dae6581b3b913b43f7eacddd6dfff74453b0f200ba48a828cfa49d397fbef3e501ebb076bfd5d24ac91dc3c995a2a5

Download Submit
/usr/lib/libudev.so

Filesize
611KB

MD5
616b7d37976b466c6c4ca41909d35f6d

SHA1
87cb885c92d7d0ba78b21cf474637cedbdcbd155

SHA256
891b01d92d0366fbb4af44135cfb9b4b9f9d2b28cc052f70cb9724ef30545608

SHA512
b3feb38b198a5574f317f18736dc653034689e177deca12278dcb8330fa6eb08281cd1b69183f5da2d15d84faa33711dd18f002da851bb52bed6d2941fa00154

Download Submit