xorddos | c394440c56fdcda9739fbb966e9ac2eab9e11e2eeff0720eb4c850a05b33eefc

Analysis

max time kernel
149s
max time network
148s
platform
ubuntu-24.04_amd64
resource
ubuntu2404-amd64-20240729-en
resource tags

arch:amd64arch:i386image:ubuntu2404-amd64-20240729-enkernel:6.8.0-31-genericlocale:en-usos:ubuntu-24.04-amd64system
submitted
29-07-2024 07:36

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

3c49b5160b981f06bd5242662f8d0a54_JaffaCakes118
Size

611KB
MD5

3c49b5160b981f06bd5242662f8d0a54
SHA1

c50933e1f8a194e608049839707d8d698dd5caa5
SHA256

c394440c56fdcda9739fbb966e9ac2eab9e11e2eeff0720eb4c850a05b33eefc
SHA512

d947f1ecfb10002bc05bb6d1786758dfecb9000b94140128ccc9a68bd3a032ccb7360f27a3f7f522df856b372691bde46792975f6ac82c6fa0218d38b0d8488e
SSDEEP

12288:UB1tATMVAqnf+ExxBHYpmA38X8LYkCW6Tikx6yB1/iGK4UlUuTh1AG:UB1BVpmExDYp38X8LYTWhkfNiGQl/91h

Score

10^/10

xorddos botnet downloader rootkit

Malware Config

Extracted

Family

xorddos

http://aa.hostasa.org/game.rar

ns3.hostasa.org:3306

ns4.hostasa.org:3306

ns1.hostasa.org:3306

ns2.hostasa.org:3306

Attributes

crc_polynomial
EDB88320

xor.plain

Signatures

XorDDoS
Botnet and downloader malware targeting Linux-based operating systems and IoT devices.
botnet downloader xorddos

XorDDoS payload 30 IoCs

Processes:

resource	yara_rule
/usr/lib/libudev.so	family_xorddos
/usr/bin/djptvaoqtp	family_xorddos
/usr/bin/tmscljhhnv	family_xorddos
/usr/bin/aolokgjkgl	family_xorddos
/usr/bin/cwlvnpvtjn	family_xorddos
/usr/bin/fhxvfwcbwe	family_xorddos
/usr/bin/gamqypnfsx	family_xorddos
/usr/bin/tcnccgwawm	family_xorddos
/usr/bin/gfsnayxmnm	family_xorddos
/usr/bin/jgttttdztf	family_xorddos
/usr/bin/bingytdcwk	family_xorddos
/usr/bin/vniabmugbf	family_xorddos
/usr/bin/mdfaxpxqpq	family_xorddos
/usr/bin/gtrhtvoyth	family_xorddos
/usr/bin/yolugjrknh	family_xorddos
/usr/bin/zvvegvshxd	family_xorddos
/usr/bin/vtvgqvrqkj	family_xorddos
/usr/bin/avperdnkpv	family_xorddos
/usr/bin/bxgpveilbq	family_xorddos
/usr/bin/zxhqpqnlcy	family_xorddos
/usr/bin/uzhiriousl	family_xorddos
/usr/bin/mxahjubqrx	family_xorddos
/usr/bin/izibefxjbu	family_xorddos
/usr/bin/emsprffreq	family_xorddos
/usr/bin/orrtjofgkg	family_xorddos
/usr/bin/nazioroqnm	family_xorddos
/usr/bin/xymsingpct	family_xorddos
/usr/bin/vlddwkoojk	family_xorddos
/usr/bin/ixjyvkrydl	family_xorddos
/usr/bin/oeykakcxnh	family_xorddos

Writes memory of remote process 2 IoCs

Processes:

3c49b5160b981f06bd5242662f8d0a54_JaffaCakes118

pid process

2434 3c49b5160b981f06bd5242662f8d0a54_JaffaCakes118
2446

Loads a kernel module 64 IoCs

Loads a Linux kernel module, potentially to achieve persistence

rootkit

Processes:

3c49b5160b981f06bd5242662f8d0a54_JaffaCakes118

pid	process
2434	3c49b5160b981f06bd5242662f8d0a54_JaffaCakes118
2435
2441
2435
2435
2447
2446
2448
2435
2435
2446
2446
2446
2446
2446
2446
2446
2446
2435
2446
2446
2435
2467
2469
2471
2476
2477
2473
2475
2478
2479
2480
2446
2446
2435
2435
2477
2477
2476
2476
2478
2478
2479
2479
2480
2480
2446
2446
2477
2477
2476
2476
2478
2478
2479
2479
2480
2480
2446
2446
2477
2477
2476
2476

/tmp/3c49b5160b981f06bd5242662f8d0a54_JaffaCakes118
/tmp/3c49b5160b981f06bd5242662f8d0a54_JaffaCakes118
1⤵
- Writes memory of remote process
- Loads a kernel module
PID:2434

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

/etc/cron.hourly/gcc.sh

Filesize
228B

MD5
3bab747cedc5f0ebe86aaa7f982470cd

SHA1
3c7d1c6931c2b3dae39d38346b780ea57c8e6142

SHA256
74d31cac40d98ee64df2a0c29ceb229d12ac5fa699c2ee512fc69360f0cf68c5

SHA512
21e8a6d9ca8531d37def83d8903e5b0fa11ecf33d85d05edab1e0feb4acac65ae2cf5222650fb9f533f459ccc51bb2903276ff6f827b847cc5e6dac7d45a0a42

Download Submit
/etc/init.d/3c49b5160b981f06bd5242662f8d0a54_JaffaCakes118

Filesize
495B

MD5
8e320b8b5cc0f527c4453fb6eb1ade23

SHA1
a1ae286985d4af85e4bdd457d1dc392e734781cb

SHA256
84cc9aeddd19aee51599cc121bf8e697ed3f58c8fa89636714023c1ce59199a0

SHA512
32a4bdf34b1f6f2f703265f6bc1c625ead516f69bbdc7bf4ab96cff639dea1eab4cf67139672c72151ca2c39e8334a04dc1897648c5111cb1ab9a52d1b5d1e40

Download Submit
/run/gcc.pid

Filesize
32B

MD5
4c89254cb1fdcd7316e4b64e67b44cd4

SHA1
466b9379ed76300cd97be71f11417e035bfabf09

SHA256
8b1e2c52209c08e56138d0867b71ac2f745af6a5e542018cbc767a034e0e9327

SHA512
6a45f9f7883104fb77a492dda785d9dabdda349f4fc0a61ae7490d170aaa5875da537959035a0ff41ed144a9f72aff152b58da7674eddf4f9905e5269395e8d4

Download Submit
/usr/bin/aolokgjkgl

Filesize
611KB

MD5
181662df3a0b7ac046aaecd87a18ece4

SHA1
bd11a1cb076566b64511b093edaf09c786ba36e2

SHA256
e8f7b94c55c55614d5af8dc725cbc85a3304decf102fa646b566d0236c9e3afd

SHA512
6f401e0414ab7747d9649ac30761399ae3b5a86a18c8b4ad4cc42cd72c4bc85db26020b45cd5b73f812e5fea82b26757e57dab63d0fc511cd1ea2ea251351c7b

Download Submit
/usr/bin/avperdnkpv

Filesize
611KB

MD5
6727ccadec4365195073665efd17936a

SHA1
1543be834b2572663684c5498f8edacb944e07cf

SHA256
7dfc085cef876a6b694dd8f0ba1716d7929464ebb974b0c399e945ddc28c94c2

SHA512
94bbefda0c0483f71838a797a9d9f35dcc37b43c76e595d913a959195d98367eaefec54bff3e052850684dd1a1dfa34c9e94afb7fb542355e7bac83d55093668

Download Submit
/usr/bin/bingytdcwk

Filesize
611KB

MD5
73c9cac50a742e9df7786d18b81033ed

SHA1
f517ce0400f3321104bb4f515eff6929d63891d3

SHA256
15406144a56a98902a0c0bb2032a4953277cce0ec0b47bd1c78b9b3cea7daa5b

SHA512
6fbfcd778556e1bdacb14469b45b0d7f5d81dc668f5130fc9dda505e86b7c91f607d014f51dc6129417d008b823fe56f96423557c3e2608c0fd09fffc7fb7393

Download Submit
/usr/bin/bxgpveilbq

Filesize
611KB

MD5
def4e6eade61b29971fc844972717ded

SHA1
e40b85a282764bca745181df04ac7aaf50649841

SHA256
f42d18a0fcc80309233ef2402af0051f809d45ce93501242df7f434ed23d1c57

SHA512
9319142b91efaf9e467a68d9695203b01be3da135a4a2d9db0c81be0fb20b1789c3a58eacdff3f7357931790c3f274244ff390ca074811962a5a330fbe67b8da

Download Submit
/usr/bin/cwlvnpvtjn

Filesize
611KB

MD5
3f43c84a3e950d098af33e3e8e051627

SHA1
788271beb764f91e5f40c80910aad0f3d8ac9645

SHA256
dfe8adad2bdc15115735314de8a1502c50f8d1ba44745cdcbae94e8963cb353d

SHA512
4cecd67dc363e9032d4bc5a5c384a95b64b6b0a7be532998f44a3de5fa4a46c93d60ce9b7e960d99c6e4f26209b73e05b9f53ca096a2188eb4b762bedd9c038a

Download Submit
/usr/bin/djptvaoqtp

Filesize
611KB

MD5
a77d49211a13d9b9d4aeef2ff5b43788

SHA1
b7be4fa3db1587847f758d4032c00592087794ee

SHA256
03c68fe0e65ebfa16180fc517ca9cced4f98382a71089851f9938029f3536f6a

SHA512
2ed2de5900e5320b0c9be751ce1aeb799f4e11a857d14287977190098f7ce3db00c8fc89be96bbe01e2f65806c962406f5da2172b436d187bd61143efb896044

Download Submit
/usr/bin/emsprffreq

Filesize
611KB

MD5
e4ef03fa86cff09baaa4dc6e23a556ee

SHA1
32bc0cc87a7099bf63e3d9c2395f2915f5248676

SHA256
2bbbde9c0e770c7102280101426af86bc4b73255f4e3514d3f8df0985778a151

SHA512
01f0a018ac4f4b40a5d93d304a05b16be8f4b9acdc07b57ebd637c5bc25fd165ec80da34f9a0e1a375e6b005de20e96a021f54bcbb6bacaae83295d5cad5cebc

Download Submit
/usr/bin/fhxvfwcbwe

Filesize
611KB

MD5
ce504bbd72941702ee10603c2d3eedb1

SHA1
b98c783f75d90e36bf8f466309d24a59365c846d

SHA256
087f92ceccdad880c0b8463b6f8a76ff2952b84c29084ac619c922444314a2cf

SHA512
e6b0ea4b6a88be800f80a09a3773296cdf915dbb10317edd9166539f1a8ca0d8b3e434d8fabef4af07c99aa7e6366cbb2ba07aefc2248f6e7dfa9b390c68901b

Download Submit
/usr/bin/gamqypnfsx

Filesize
611KB

MD5
ae05981711dbc0efb3eb00a66e7fe415

SHA1
deb8c730a08e93a42a266c7fb2efe7015c8f8b2c

SHA256
c28444511e55510a6330736b9e3b22f6997cfe9dcf3f3649aedcd69457471acf

SHA512
66fdf211b1af79cb8c94cef6911bebdb4d6995d422b3c7f4387adbfa637605bd1bb20c69452a5f66825d390e6ffcc2658568b53b086c63f95fd040524a561752

Download Submit
/usr/bin/gfsnayxmnm

Filesize
611KB

MD5
c897cac16a6f2d1f243084010173166c

SHA1
ba554e49fd7ee69e708f4882ad26f0f47b297b29

SHA256
58a0827daa1b15017495384fe09d474de5c7b40cc907fd7dca9f809b7cb7a385

SHA512
5d96669b90a35dc0ed1614d0e196a733f49d78344c196d4b31e1dc3d593230f025d4c25bb975d1b2feb9a6dea8559d15df8cc3ae61e7c6f2aee8262f7b7f5137

Download Submit
/usr/bin/gtrhtvoyth

Filesize
611KB

MD5
0026b0c836059e99e9f4391e143686dd

SHA1
e08412bea197e87fac5f40ee7567fc8de0f914b6

SHA256
5991c6427fd2e95c1bf047785881945a4725981e5a00fa78f0ea8e95cf4c5eaf

SHA512
2847913e7c8e1a088d24ccd2d7f31211ce23f5b18a101fac277a00a12d6d5b30a91945b4ca4f8c4de7ea55e7c157be0c8e02fbe6c23e99d814cd6f4b59f370b5

Download Submit
/usr/bin/ixjyvkrydl

Filesize
611KB

MD5
fcba0c7bbb21cd98d65567978276f222

SHA1
fd69c13e313639aecb263a3631d329ace66389de

SHA256
a770076906d5c80a603cb8209524d7fa6d41a1d7189ee3634f50935173647d75

SHA512
64f89afac1739a01f23643a6844b8e6b817c0c783380fa63ead371f2f2f49ca5821c06e8cf6263b089eaf5dc534b700231402d3a12d13aff4a5a22f8b13c5343

Download Submit
/usr/bin/izibefxjbu

Filesize
611KB

MD5
410caa4a04a472f72d156317e7e97b40

SHA1
ad2d40f2003c746520db668adc75de2a40a1976c

SHA256
092c884934d55d51e17193d2ad8c71ad7d8bb96829fb274ec49d5beaf9bba197

SHA512
ac70d226155519b8fee8a2abd24043ad722db594a15ee5626cebf38e9a541bbb4ab5c2484f2eece4d7414eec9e5c3f16e2cebd2ac819623a127885f38891046b

Download Submit
/usr/bin/jgttttdztf

Filesize
611KB

MD5
6295f1dfa98afcac82d7205c9cb601b2

SHA1
4ae9a4c38215dd15a3c619385b60fda20d35ecc3

SHA256
9f39311ea3b3aaa995c11cde01bad1868e960e61e86430dea2c337770b82b028

SHA512
e7ad8659155a5f43579f2950289823927663b981c09a307883fe274d2baee52fbe920fff10511b0e4d462b88b192411ce45716fdc8c978316e9ae06583c6253f

Download Submit
/usr/bin/mdfaxpxqpq

Filesize
611KB

MD5
a2dae0c648b62fde8331f7e0ddb3dfc2

SHA1
cb3c0a1afb7b138518b24b25ba3aaa8a943fd372

SHA256
59235b3dcb6de25d36f43de15ed3f0cf786ba04fdc076776573023c315dbdbb6

SHA512
df5c504a7bb95db2cbc219f0b2508376811e449f75a3d12e8d56a5c64084e36031b5021b6007a70238e919411795b99fe80b90a5aa6c218a6c50fb689b963ae0

Download Submit
/usr/bin/mxahjubqrx

Filesize
611KB

MD5
123ab5f2376220b6610373485eb1337d

SHA1
361a373fac49cd817d186eb758d93c071a4aa09a

SHA256
e8d8053945211364de2dde631052be5ec8d78889365a88e7a6e4da351f37ea69

SHA512
a83602ad3b08ca6c161939d0fba7d9f8a37278f732e92a65e6e45d591b1a5fe19cfad2c5c04b740592d11e332013eeef53d9f832f3ff5c38e9f6ac2229a1c821

Download Submit
/usr/bin/nazioroqnm

Filesize
611KB

MD5
141623683a70e9e374bce1b07d24fe98

SHA1
c16ba0ae83f5e3d3525c592a998f6f2050b455ab

SHA256
dd8c1591c1bb1d1ec0eb3a2f78953667c840f9717af2398727665f86ed553030

SHA512
df0d419117ddfb37e701de5a791ce55c2468ce7334d7884a095ee3dd1fa6b5d02a60424d10b1cd3872ee70554f712f42489af05d4036469c3a1501fa218df328

Download Submit
/usr/bin/oeykakcxnh

Filesize
611KB

MD5
22188c7cc6157b9a78fa3ee72fe993f7

SHA1
c317219e5101061aa77c163221a299f9118218dd

SHA256
6fcaaad6505ad936343619ca73583f8d24e78750b3c39cf15b5691c7b5f7941e

SHA512
4e0d197c062a560b72079e02551de3a6c29fe64a99552feac8dc7da80045895636652aa788c113b917a10cb975c7c2cd7948a8f3ee0ad57de6435d063c071e90

Download Submit
/usr/bin/orrtjofgkg

Filesize
611KB

MD5
ded4c1e495aa484963832e7c49649a6e

SHA1
d8803f57e0d19daf47efe4e8aaefcfdb5c87bafc

SHA256
adfecc22c0df66335618c1556f3997f8568579242364e0990700c8661b6d528f

SHA512
c9e32e346c24a01b33d9916f04221f9a6c146c31014f20109a8c70c023542356548562a932c5e1963e007fd116a875d616af331d834ae3e13c5e739c4d9f3b17

Download Submit
/usr/bin/tcnccgwawm

Filesize
611KB

MD5
3d49d0d31a8be6e45d025a44b4219cb5

SHA1
d69150e145f1f948fa72325949d69424c8556eca

SHA256
d4c202f2e355ca488a4d1b643c03141ef0b5e4f1dbccae4b778845c6d987503a

SHA512
3102c5eb2f0c6678d3b11ed984b99666954b9e1c68202a6e1d194a1a645c1ce9c100e47abd1da500caa140601ff132b877ff852942018beecd3915ba3192deb3

Download Submit
/usr/bin/tmscljhhnv

Filesize
611KB

MD5
63e12ef688e112cc9214e1640e619683

SHA1
b0fedb5881262450f8e71e580eea402a8c5a39c9

SHA256
b52574f339f788307e64ed947a9d008e252853a344f50064908218fc23414e2c

SHA512
ce22f3e6a4fd36628afae5961e42fc8993cc78083c1dd0b129599dc26bf525d710f730998bc6e33bb37ff190721652d26b964b9bc0d4d09627612429251a3c9d

Download Submit
/usr/bin/uzhiriousl

Filesize
611KB

MD5
a6521e14c796b357d99fc8800f648aa5

SHA1
562ebefaefb4efc861c76cc6cf0a7e333eaedb6c

SHA256
260f586d06713ac46038210259b2ccbd73c1d2c05bbdd53820728786e276c5d7

SHA512
baef30d67c78f051cf2a58a861c2278115e2b40caec63db39d0695225f92cd42ca31aaf9e232122de1dd09b81aad51296532a6568f191bcaf5221903b32020c4

Download Submit
/usr/bin/vlddwkoojk

Filesize
611KB

MD5
0b36e75e3db5627bf8814d0ed8c10e58

SHA1
855b4dcb0ddfcef9344fc46d2346bf31e1f858c5

SHA256
b200f31ec703937007f1971e0db4584df473ea04a0effb77b4fdbe1e6e96234e

SHA512
788361734d8f345bc82d708855dfd096e222c119bc8f80da8bc4be9735f897969cdad86ace64d5e866eae769ee48626067913ce112dd129ef6e82a5bdd8dc710

Download Submit
/usr/bin/vniabmugbf

Filesize
611KB

MD5
48929d4602aaf87306de3ade5dc9e246

SHA1
9c82999e9c37b5bc210b217c28d810bea39d9858

SHA256
dc29ca7ddbb040a850dd79b2a8b7a326c675221a199170b6e6e5d3c78e2f30d3

SHA512
32ff87cce82643731b79680fec580ccc871064359944ae20a4dc9e571f9d18fdd03451aa15bcc9b610db1b49a1fd8ac1a64f369bdf7df92cc5add1b3304e3ea9

Download Submit
/usr/bin/vtvgqvrqkj

Filesize
611KB

MD5
aad295850bee68fb92bfbd3bb2962369

SHA1
abdf29606505ccf75c08895d5c736a962d2d6446

SHA256
39ed073102650b473cfb0180ca92ff2c70813e91e1c621cd1a0796d0eb96093d

SHA512
8f87e2868c6994f91393d8f44fdf3e75e4081c859042392b5b4e87b49cfb52e46ffe89f014647a6455db4950c9bb5dac2f235b8f5ebaafd84c1123fcd42b9abd

Download Submit
/usr/bin/xymsingpct

Filesize
611KB

MD5
8c94bd01394b69d87740891958e449eb

SHA1
93db07d269f85347543eae0e4b4841bb468288d1

SHA256
f17a458acec060689e6f746717c92da62ca4e1e4a075869589291df447547bde

SHA512
11ce0005761daa308f9d7376721ba0c1299db1375319b5976528f063804db111d3ef6b24b3e83f08f601d98cf76d7003ca9ece01ee945323a31fe0b231922b94

Download Submit
/usr/bin/yolugjrknh

Filesize
611KB

MD5
128542dfb55b79db422e47489978c313

SHA1
c19154958b18e92f390f188a89cacf6ab026779c

SHA256
d865441ee5f18a67a74799ea600b0178e782ae730d1a3eb2f1cebe887ee4123c

SHA512
b2943862268905d318045db8a426472fe4aeee15b0ad8f01d3d1513719b05ec56d807c76795c48514aec5f23358d26287d96d1acdb20db922c146a5519aa3c25

Download Submit
/usr/bin/zvvegvshxd

Filesize
611KB

MD5
b2ccfc3e60a509bd594a2d63a8f2892d

SHA1
672ddc55cdda998f5305233bf9ec9585df001a55

SHA256
e8f8e37449420767bd0c7f57f72e05caf6bf2caa79adaddc730a968011476f25

SHA512
dfe73d3e9749fd6795f418bc40f46ce330600ec14a2c7b76bb578e9b7b81bea7ce37779c0b16d8f9366a568a4e141647b0e108e5f50aa72f6acccacbeb13524d

Download Submit
/usr/bin/zxhqpqnlcy

Filesize
611KB

MD5
867956343aa5e138c7b1fd6751d35cce

SHA1
8990be339a2e74387479921c8395eac07ce384cc

SHA256
b99538942a1a187b6f32fde4fe133c5f9f11a8ef3f94df161936bcaea886aee2

SHA512
57580ea23c503127496a637c4ec64de14e8c7f9391bf3cc3b1585fba6cda7f5e51186c5aed26fc02f23493da8d037126cf9c7a5bfb82a0f761af272483152ac4

Download Submit
/usr/lib/libudev.so

Filesize
611KB

MD5
3c49b5160b981f06bd5242662f8d0a54

SHA1
c50933e1f8a194e608049839707d8d698dd5caa5

SHA256
c394440c56fdcda9739fbb966e9ac2eab9e11e2eeff0720eb4c850a05b33eefc

SHA512
d947f1ecfb10002bc05bb6d1786758dfecb9000b94140128ccc9a68bd3a032ccb7360f27a3f7f522df856b372691bde46792975f6ac82c6fa0218d38b0d8488e

Download Submit