xorddos | eb8a811dce3dfe9227be55d995d82d362296e5858f4f0ff9d7a9d54e8fe2cc0d

Analysis

max time kernel
149s
max time network
149s
platform
ubuntu-24.04_amd64
resource
ubuntu2404-amd64-20240523-en
resource tags

arch:amd64arch:i386image:ubuntu2404-amd64-20240523-enkernel:6.8.0-31-genericlocale:en-usos:ubuntu-24.04-amd64system
submitted
29-07-2024 10:28

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

40b099e6bc67aead2daa62163d1e3ba8_JaffaCakes118
Size

596KB
MD5

40b099e6bc67aead2daa62163d1e3ba8
SHA1

ef203a2d1cac02f877a9fb3c37e598333db95da2
SHA256

eb8a811dce3dfe9227be55d995d82d362296e5858f4f0ff9d7a9d54e8fe2cc0d
SHA512

34e626e1af66a49cd6cfa0fddda396aa873fbb7d6fe75c3e91dc528e776c31a95576c03778a902e316f5a93bf48bc6ad3f772c16e75baa5ea26b5b1c525b3d50
SSDEEP

12288:bfTGy+n69+5rTlFEcMWbHvx5SGEuWdeF6yxm9Ah7Dxu9hc7L:rTG/0+5dq4bHvx5SGodeLTD4XcP

Score

10^/10

xorddos botnet downloader rootkit

Malware Config

Extracted

Family

xorddos

http://info1.3000uc.com/b/u.php

gh.dsaj2a1.org:2818

103.24.0.162:2818

101.fwq.me:2818

Attributes

crc_polynomial
EDB88320

xor.plain

Signatures

XorDDoS
Botnet and downloader malware targeting Linux-based operating systems and IoT devices.
botnet downloader xorddos

XorDDoS payload 30 IoCs

Processes:

resource	yara_rule
/usr/lib/libgcc4.so	family_xorddos
/usr/bin/dfbfmygmne	family_xorddos
/usr/bin/wmosncjlxx	family_xorddos
/usr/bin/olluuynpen	family_xorddos
/usr/bin/onydpjdtkz	family_xorddos
/usr/bin/odudpuciex	family_xorddos
/usr/bin/vqmnfgecvs	family_xorddos
/usr/bin/psmvyicfyn	family_xorddos
/usr/bin/lgroqgvrbj	family_xorddos
/usr/bin/wbafmtxipd	family_xorddos
/usr/bin/svayotrkwo	family_xorddos
/usr/bin/duyxdyhghe	family_xorddos
/usr/bin/ddqcysxdhg	family_xorddos
/usr/bin/rtwrntxrho	family_xorddos
/usr/bin/ezsczhtopp	family_xorddos
/usr/bin/ukrmzszxkr	family_xorddos
/usr/bin/ftkqffaxsj	family_xorddos
/usr/bin/oupsdyucml	family_xorddos
/usr/bin/mfegswltyz	family_xorddos
/usr/bin/wcqxntcpcb	family_xorddos
/usr/bin/wqihpuxlzy	family_xorddos
/usr/bin/kshelnaovd	family_xorddos
/usr/bin/vldwcyvxll	family_xorddos
/usr/bin/jlevfypemx	family_xorddos
/usr/bin/znacxzvqnd	family_xorddos
/usr/bin/kgdizvezxp	family_xorddos
/usr/bin/qzonsnqrvm	family_xorddos
/usr/bin/elozpybafe	family_xorddos
/usr/bin/blsvcfckny	family_xorddos
/usr/bin/pxqghuwnjs	family_xorddos

Writes memory of remote process 2 IoCs

Processes:

40b099e6bc67aead2daa62163d1e3ba8_JaffaCakes118

pid process

4051 40b099e6bc67aead2daa62163d1e3ba8_JaffaCakes118
4069

Loads a kernel module 64 IoCs

Loads a Linux kernel module, potentially to achieve persistence

rootkit

Processes:

40b099e6bc67aead2daa62163d1e3ba8_JaffaCakes118

pid	process
4051	40b099e6bc67aead2daa62163d1e3ba8_JaffaCakes118
4053
4061
4053
4053
4070
4072
4069
4053
4053
4069
4069
4069
4069
4069
4069
4069
4069
4053
4069
4069
4053
4087
4089
4093
4091
4096
4097
4095
4098
4099
4100
4069
4069
4053
4053
4096
4096
4097
4097
4098
4098
4099
4099
4100
4100
4069
4069
4096
4096
4097
4097
4098
4098
4099
4099
4100
4100
4069
4069
4096
4096
4097
4097

Unexpected DNS network traffic destination 20 IoCs

Network traffic to other servers than the configured DNS servers was detected on the DNS port.

Processes:

description	ioc
Destination IP	103.25.9.228
Destination IP	103.25.9.228
Destination IP	103.25.9.228
Destination IP	103.25.9.228
Destination IP	103.25.9.228
Destination IP	103.25.9.228
Destination IP	103.25.9.228
Destination IP	103.25.9.228
Destination IP	103.25.9.228
Destination IP	103.25.9.228
Destination IP	103.25.9.228
Destination IP	103.25.9.228
Destination IP	103.25.9.228
Destination IP	103.25.9.228
Destination IP	103.25.9.228
Destination IP	103.25.9.228
Destination IP	103.25.9.228
Destination IP	103.25.9.228
Destination IP	103.25.9.228
Destination IP	103.25.9.228

/tmp/40b099e6bc67aead2daa62163d1e3ba8_JaffaCakes118
/tmp/40b099e6bc67aead2daa62163d1e3ba8_JaffaCakes118
1⤵
- Writes memory of remote process
- Loads a kernel module
PID:4051

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

/etc/cron.hourly/udev.sh

Filesize
146B

MD5
ddb9a901eadce597284d68ebd9fe9311

SHA1
1d26318bbe55f2f936ae1015df656535427083c2

SHA256
3bb8ebd394bcaea3f083d93daa3c3bcf918a4618f84ab45a1942759d16b070fc

SHA512
e94bd51f02c323d2376e666a9c56a87c2f55d1805b44762d4bc6d5d60ca52e85ce996ba51142213ba783ac858660a3ba254988215b0f4d398b1e99bf132a5d1c

Download Submit
/etc/init.d/40b099e6bc67aead2daa62163d1e3ba8_JaffaCakes118

Filesize
495B

MD5
7525140398c5f53da4dbcbecd5c04e2d

SHA1
4a8e4399d1c7b54d982fee742caae3cb1b045aa3

SHA256
71171d12efc96f9b6601a117714b442ed1416675b38d5b663cc8ceb3f64bca22

SHA512
1ede75b5f2a365074016b63ed5bee00b4b6c4479802cf9d83415f200ddd6dc33a11665210b228669ac4dd2eb1629d2b18ac1a89c627bdb915caaafbdb65b1ddc

Download Submit
/run/udev.pid

Filesize
32B

MD5
c73937ae33db38e6698872ba3ba9dac0

SHA1
c476beff55e1ca68e963fbff13233223ac91abdf

SHA256
cdaba083da6493d8b5e38d0ee5cef8830c960646f5e1613ce1d45c86eeda7424

SHA512
afa23b6b3346bf0a9abe7e8e084e45e81685cd431b3e092579ffef2f5e2a77057740091f60cac9b720231bf921c500a6e6a28261db897b5cba7943e3d9d1810b

Download Submit
/usr/bin/blsvcfckny

Filesize
596KB

MD5
ecc24d530c6e580e44ecb5963e839070

SHA1
179223239ad529cc7db28aed3abc16b16e238477

SHA256
4c2ef11ea66d42c5ea8f3259480d1e7bce9b8bb13bdaa5ee72de79cd48823494

SHA512
f06cea2a5664c70f61f77f31c328aec18b6a6bbb7beacd788f662da407648f6a2ebc811c8ef68e71bbfb2c748531c04cb3782192455665f62bbec2b0c02a9ac8

Download Submit
/usr/bin/ddqcysxdhg

Filesize
596KB

MD5
799196ab778849a1424bc984d34eedb5

SHA1
954d150ec15504ed1976066fa0edbf9f38ee2df5

SHA256
e29cbb37877d34641e9f4ee8bd32034460e9ebca549b9953e996478f542aca36

SHA512
0091ca3ef6849961eba363e0b5a9589aaac7c9ffdbdd52a3c67fcc2baeeb41f7b448a9fc17fca12e3b98a018910c244550565247d59112f80ea1abb2b9ba9baa

Download Submit
/usr/bin/dfbfmygmne

Filesize
596KB

MD5
2f00b07a7d99281bdb9e518de2919a3d

SHA1
29b6cd0ff1c0f8fef861fb758221c204845451b2

SHA256
e3e91a83ab6d0efce4426c7f3e90dde75d18116054d21c10eeedb6e5681517e8

SHA512
8c2feb519050aae482561f585d40a5dce138f183e3aa3acd23759a07b8a4af800a317c21146636fe35d7087f7d87b7657d6c0a3541796fc440a788acf66f996b

Download Submit
/usr/bin/duyxdyhghe

Filesize
596KB

MD5
7ff19adb429415435698e97d057d82c1

SHA1
17b8fe77c1b48684c805c8b8d84e5c619a83057b

SHA256
37830263d21ed4147e5a7228b1ccd4fe261bd518bec3f973d8fd62459b554cc2

SHA512
7ab073612de2c7a8611327b95812504e1b83c8150c45e9a4c81c9f18a64a7e8780d92f3bc3e16efb2897b34bb739bfd1682f29f0e32f8be6276e701a920655e8

Download Submit
/usr/bin/elozpybafe

Filesize
596KB

MD5
e0740b372a764e5b32da4fee97335143

SHA1
3620530fb4731aa85e3b48ba150b918876814a70

SHA256
9ce345b6d964c9552fed22029605513356504833aa027a0f511fd498417fe859

SHA512
d78437877d98dc1f1bb5c0f0453eea04f1f041e5eadecce1f96939a4569feeab9d0951363f5c9c671a56ea512606008dce82b61ed214b6bd3c07e14517d10bdd

Download Submit
/usr/bin/ezsczhtopp

Filesize
596KB

MD5
4e4d896b715dccdc1a595b5cc16cb38d

SHA1
1554b54b5053574fc3266210e954bcf3ea1c815b

SHA256
760cd68494228aa564ddb57f76a165d66be2c55d0544f8d97cdecfa425e0b6ea

SHA512
870f41f569b7db6a88ebd4927b52225c83a332e371ebcdf26955c2f8e969e8605fdcfbb8175022e00e0bc0ce566b94841989707549b0a7503ab12d761e87b2c1

Download Submit
/usr/bin/ftkqffaxsj

Filesize
596KB

MD5
1e3f2785c6ef4284c69fdaab2f25dc7d

SHA1
e125c9e94518ef14b603ffd141a95509fa6097b0

SHA256
4ebb1349dc7bcd31f1a4ec4c988b53d2d1f2bde4f77ea48dbc0e6db17514bbab

SHA512
982d0b5b75f42674311677a26fb755f3919abe1ed4eb03698fad894dba5a7a59b4b0621f589ad9dc5ca3d47b59866b090953557625e2413924f55c423a93cb73

Download Submit
/usr/bin/jlevfypemx

Filesize
596KB

MD5
8b0f3f783c7269e5f0d48b2759e6634f

SHA1
671f27f13bdd001db75ba3e358a825fa0d33df6d

SHA256
380c314e305d6ee3ac98f2f8da527bcd0db5b269682b54587a2631e3ae072882

SHA512
87392262300e100f336c69a677092932d37c69f912f8d2526194ee9d23267e32d3ea7da403bba17e17b1be8631857aac9b3a5ebc9a10f07e9653da85da688d9a

Download Submit
/usr/bin/kgdizvezxp

Filesize
596KB

MD5
64377a6822167e21570c83aa352891ac

SHA1
0c92f947cb9d537739735071437a0c896eb0ff0c

SHA256
231ec4ac2c7964f0bb53673ff0dc55e31d289198d131e1297ff6e8b85bf341ce

SHA512
ea1c078c5ab36391c8059be26260dc3bad6af633ff1ab2fdc929e778c10d555c99438b605f182c37169e22a785c6149c3a8577b3b749604f13f1aebf1e73337f

Download Submit
/usr/bin/kshelnaovd

Filesize
596KB

MD5
c1c8fc18d1dbf183109a48121541cdf5

SHA1
229961fc370b528d41647ed7cb56a7577ab10066

SHA256
340204a001ee057aac7440209110c676a58ad1516fe5876cbbcbfb2e0c28ac49

SHA512
63cbf9c85b694c1ba2f88a4f01b3d9777106fdfc177c689d78c973a9c55f2ea84b3311fbc7a1948551cd47e7898b5619cd4895f4c5f53df3259feb3012a42ab9

Download Submit
/usr/bin/lgroqgvrbj

Filesize
596KB

MD5
55b3c369e12e8deae310499bc7aa6b04

SHA1
263097f349b8221da09e1c51b9eb126519500569

SHA256
2851f0e499e75b241adb985564c023bc5cf28df4d04601fc94a4ef51f3e69706

SHA512
6c0168cad51c34883d26dc7b12249b9a753ae3b7fc30a3c86e238057cf40b815c06eeffe2d2a6a890fa5aefdc675d79b8c17cbbafddf70716f6723a7bc788785

Download Submit
/usr/bin/mfegswltyz

Filesize
596KB

MD5
8e5ccb88f0a9e175f94b624f6d39bf61

SHA1
676639dc21d661d031c3a96554c8deaa477a5d54

SHA256
3031d01184e7e078f3c0c4e7fb5f6e84fd4f9fa3610d3f3deb12eeaaadd6182c

SHA512
13d402e8ea9c6b9dc324dbabc56cbce222bb581ea939bc85e865a6f5e9a75b2890422540460b3dfbdccde6769683ce537860244abbbad4de8230db0390056eb1

Download Submit
/usr/bin/odudpuciex

Filesize
596KB

MD5
1589c74c0f29d47b08969a13e3955ef8

SHA1
be73ba464f5ec7569a982754e44d6511d651b6dc

SHA256
0c7889f13b7eb33804c645f1631f98bfb252689ad8f2de60b9ff9fb1d513e83b

SHA512
826488878c5738e0296da97d6a5c53d5f6bf74ced4ffed72b9877474945a67f6b78188615534f596be33ec848ad01243a5c007526152353a8f23e36baada0644

Download Submit
/usr/bin/olluuynpen

Filesize
596KB

MD5
02faaa2973f9aa13857b747c320edfcb

SHA1
f18b5c1f027d48ce98476ffa3d3b7809670b4718

SHA256
acac3619a474fa32158ce832b5d103785bfa196525df280d573257a26f39b179

SHA512
b47c446ee33af79e4741530a6bcd4dc2b78449f93a1758b0fa65827ceb0b2776806af60d244835ff34f367d3901c9d11ed720c99d338518bfd37845c8e6050d0

Download Submit
/usr/bin/onydpjdtkz

Filesize
596KB

MD5
ba6caeada5043a37cb557f0134499da8

SHA1
6c8d2a38320bd19cefc1186b77df4c6a848c1202

SHA256
635575dd90fae2b4a67f5d05548100dac35009a8b474cae3d2f40003c24d56df

SHA512
aa61d76f544c90d9743528c6da3b5f0d440e7e807f720ab5f1abac1b757080fd100e30d92fca0940f05cc5238fdcf40236a280d55477c4fc0911ae17eff6b603

Download Submit
/usr/bin/oupsdyucml

Filesize
596KB

MD5
19a0c782c214c8465a9072bf14bee94a

SHA1
6b8f80354beea1a099bfdef44c573e654b960128

SHA256
1d61866252a84c17bb287105c23f38a9aa4199c55394204472961844bbb5a96f

SHA512
8aa6dd4ddf030feba132b726c2c938258bf8cf99211a00731cb951187be10fdd69fa7704d7a63ed41700c501e5e2eb64783c7cb9f6d0b92e7c315fb7dfc121ed

Download Submit
/usr/bin/psmvyicfyn

Filesize
596KB

MD5
cdc284641d7db91a4c8707bbf0be508d

SHA1
5d7fa312820a72016d47d26ebdc38f553876d490

SHA256
1300d6c05625a1ab7b00c07c4cd87ccccb7d4771a28171ba167cc69544376937

SHA512
a2695eb1b8294f4ae62d7dcf5be1dffa731957a2b60f8a1cbe5e2dd477ffc1f7b09c6c6429bf7f0b65e06a3a7757ec6a1237dc97af6d95d1ffd3fe64186a3910

Download Submit
/usr/bin/pxqghuwnjs

Filesize
596KB

MD5
0272ac8767516b64d6c6bd5aa8f317a3

SHA1
bcda6c8623e8238bb2046bc7cc7c342e8423b5d4

SHA256
4188a46802ae1e8f8bc173a973e4eaca481449084c16fd4e8ccb74b24f2c1961

SHA512
37c6f5794ca688f1a4e6454dfa60c479a695681178fb16e29563e3eb000e93c9b2cf55cdeac0142105e1d7ba509bc20dd668f4b6e070765ee88a5351c5b5bc01

Download Submit
/usr/bin/qzonsnqrvm

Filesize
596KB

MD5
e9738e4114aabe266b57eac1aac271c0

SHA1
8d903f69b39570dd44e6d9586e57e42db61b634c

SHA256
647779cf720ecc420f61eff54bdb4414aa719c2e5bebf444772d1164b26fcc4d

SHA512
d2a65e7835192b5d14ec496a74f78b1644ad77fcd72e16c3ab68112cba24b4602c640b8f4339ce3c3d68d7e69a2b4a39341d0a6fb69b631fb21d3ba8dc36faa9

Download Submit
/usr/bin/rtwrntxrho

Filesize
596KB

MD5
7dfd514c288465c88b4edd948f7ea4a0

SHA1
a96f12f19725e1ada02d0fee69f2e2e350a8924b

SHA256
990f4a37772e4ea7137903d1bf25c72bbe0c983729352d3972c2eff5213db115

SHA512
ec16cf8003df47ab4fb3d2c250f8afc0925141bacf47492d216c72aa48b50bf55e14988a68d0028e53642edd88b802cd6827fbefb3f4481a7ada75d66b9ea625

Download Submit
/usr/bin/svayotrkwo

Filesize
596KB

MD5
c55fddb987bf3a4304765a30819f3a73

SHA1
f69a2519aeb3d99788e7a39873e9a24a32b6e87d

SHA256
8245871a4536ff4342aa8f1c32896b44bf017f41612e8ae87e565b3ffefc49e5

SHA512
84835396d06534922ed59c0faabe8cf499222f105ffde0d698e22a3969d17474f352853af144e1b8c7ecce2ecd48b58250b8050b79f011de548dbb6ab44d26e1

Download Submit
/usr/bin/ukrmzszxkr

Filesize
596KB

MD5
f266d08c11755b58ef929df95fd5b22b

SHA1
b35b424d26c20e298fd92ad0ee1a366be5242670

SHA256
8cf5b1648736d451d07af839c1a264285e5b291162844537031a21aad5f972a1

SHA512
36d352258a6281d6cd502a684022eadd867b60f220d0c5bb3c46544443c954378c34e34a7ad0faee71a16d45c88de6ff6e3d13913b81be72ac995ab2c2e70cde

Download Submit
/usr/bin/vldwcyvxll

Filesize
596KB

MD5
d4acfbe36309695d6ba2dfb5cf1b5bb1

SHA1
24c4ec78c4c4bd5cff865eaf6fc95eeea86230c0

SHA256
5e7623aa0b3ff22dccb92ea05d14d843be952611367f2d6067a04cd6cb4ced94

SHA512
50c390f1d0ac18625d4ed6913adad580bf2494d0aeae4efd90fc84f3217608b92cda066f9c484e7d7962292c4ba447bad879327be4029a18453c5a0a85b8a0be

Download Submit
/usr/bin/vqmnfgecvs

Filesize
596KB

MD5
7b7004088f2e02020b1f692ba13f802f

SHA1
9296bc09ace049e7571ee8761f9178f461804ac3

SHA256
50b4730db3541e0839c699e3ab5ca43b69212f823cf7126b9206afd050406e94

SHA512
96fbd15c5810893c0452b4fbcd0fa49d0eb695699cb04cf12674fb6cb9060cb7345ec41739cd163e0b02449722e075d31c742ae635f1ca5e3504c6c6042e8c86

Download Submit
/usr/bin/wbafmtxipd

Filesize
596KB

MD5
e7ee571fc28e6bca721fa3fa4061917d

SHA1
6f07352e6f1b9bb33e3d2f9a256281d0df0abf71

SHA256
49a2b6137d33b410abbbe196e2c74604e9643c39bd45c41b8264d825fc77e192

SHA512
c69c228f3f28b5fbfabf3da4f0577c13d80b1deab2197c5e58b778d32fe83aac430f4c730143f02bebe94c15be5abafd247d75eff72b90bb6f12c800569cfbe6

Download Submit
/usr/bin/wcqxntcpcb

Filesize
596KB

MD5
b7d9c11a7d7f23ac974176fd9883168f

SHA1
21c1ea5ce62691a835fa65e194b09c785d7cc45c

SHA256
0fe8d9900ed16b9d22765aef9e05b4978a2e35e44ced80e5dbe9ea8f997d0341

SHA512
f87593429d085c85827645c8e0176ba788a0b5dfbab5dc5845040d0f62377d24eee33a56035ec139cc1651540cd26dc2293b54274dc42b9f55e630632da8986b

Download Submit
/usr/bin/wmosncjlxx

Filesize
596KB

MD5
19021c22324355b875bbf06de4ef5377

SHA1
4b246b69841378d9cf13a9e51772a0c0988bc56c

SHA256
d99f54d2e0720da1bbd894d4c500f43719696db55b59ba14b2f9054371169ce2

SHA512
ae00275b98a431b4ab38a5aef1e7923ed0c5b3ad3f1e1964cda724aa97b1a3d8ba1ccea88bfc50b46ffb733ab7f0f0f0f112272fd43892e26824225f626a47e7

Download Submit
/usr/bin/wqihpuxlzy

Filesize
596KB

MD5
599aad0f5162da5a024fe3a5d0e8940b

SHA1
1048c2fd4c04e603a9bc73e061810be14f7c1a8b

SHA256
09ff64fc45f89e9dbeb23fde8c617af3fde08c2b4cedf62cb49276ba4b84b34c

SHA512
9bcdb5af257cb847c3e3b903eef024b66db0996fb10715dcf975a766e59f17bdce385643937984a9a66e379a0207b97b8f2d8d525c402f7faeab4fb245e5f0e7

Download Submit
/usr/bin/znacxzvqnd

Filesize
596KB

MD5
4b721279406945e3cc993cd78be6188c

SHA1
d3854bf65f6a4317e3a274be99ce6b95d084246d

SHA256
107349d580ada24dc07491a4aa0209e4c5daff3ee30e0523f33f74ca28fd67fd

SHA512
ced42995260aaab9a226037d87b2bbbd2eaaac2b8a2ef24dd96b27a737391a57014841968ccff27f9e39e3c916ccfd99210742fb285fe8a25b3d590a0c2ecfb4

Download Submit
/usr/lib/libgcc4.so

Filesize
596KB

MD5
40b099e6bc67aead2daa62163d1e3ba8

SHA1
ef203a2d1cac02f877a9fb3c37e598333db95da2

SHA256
eb8a811dce3dfe9227be55d995d82d362296e5858f4f0ff9d7a9d54e8fe2cc0d

SHA512
34e626e1af66a49cd6cfa0fddda396aa873fbb7d6fe75c3e91dc528e776c31a95576c03778a902e316f5a93bf48bc6ad3f772c16e75baa5ea26b5b1c525b3d50

Download Submit