xorddos | f17b59caed6d1c06938854996cd6064308f31ec88a39ff2553b52368f9a12384

Analysis

max time kernel
149s
max time network
147s
platform
ubuntu-22.04_amd64
resource
ubuntu2204-amd64-20240729-en
resource tags

arch:amd64arch:i386image:ubuntu2204-amd64-20240729-enkernel:5.15.0-105-genericlocale:en-usos:ubuntu-22.04-amd64system
submitted
29-07-2024 11:22

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

4354ecf6edd10d7625b429d765308ee2_JaffaCakes118
Size

543KB
MD5

4354ecf6edd10d7625b429d765308ee2
SHA1

a936a99d2fbcb2666dbf4dcadd9e89ceadacb971
SHA256

f17b59caed6d1c06938854996cd6064308f31ec88a39ff2553b52368f9a12384
SHA512

c561361f8d1f9a211cc2e08662ff88b99c53700d77da6603d227379f122525171ced92d00edb1c7b5cfc9825b02cd24a1a060367e775e9ed630f853a2bbb5f79
SSDEEP

12288:1p+duTlNbCIn53vlJU0VkW3C3jyiXcsPl3D2KSKqfj6y1mC:r+ITlNblJ3UHW3CuiXcsPZDmKqfx7

Score

10^/10

xorddos botnet downloader persistence

Malware Config

Extracted

Family

xorddos

topbannersun.com:5616

wowapplecar.com:5616

Attributes

crc_polynomial
CDB88320

xor.plain

Signatures

XorDDoS
Botnet and downloader malware targeting Linux-based operating systems and IoT devices.
botnet downloader xorddos

XorDDoS payload 1 IoCs

resource	yara_rule
behavioral1/files/fstream-2.dat	family_xorddos

Deletes itself 64 IoCs

pid
1516
1525
1528
1533
1534
1537
1544
1547
1550
1553
1556
1562
1561
1565
1568
1571
1575
1577
1580
1583
1586
1589
1592
1595
1598
1601
1606
1607
1612
1613
1616
1621
1622
1625
1628
1631
1638
1639
1642
1645
1648
1653
1654
1657
1660
1663
1666
1669
1674
1675
1678
1681
1684
1689
1690
1693
1696
1700
1702
1705
1708
1713
1714
1719

Executes dropped EXE 64 IoCs

ioc	pid	Process
/usr/bin/dxogiiqhcogg	1519	dxogiiqhcogg
/usr/bin/qamptojbqr	1524	qamptojbqr
/usr/bin/fzqcbja	1527	fzqcbja
/usr/bin/diptfodpqvrsai	1530	diptfodpqvrsai
/usr/bin/ingcfegmfwqjit	1532	ingcfegmfwqjit
/usr/bin/bzejpjyhfqa	1536	bzejpjyhfqa
/usr/bin/mkpbqnkncyoyd	1543	mkpbqnkncyoyd
/usr/bin/hackhhhesrtrqu	1546	hackhhhesrtrqu
/usr/bin/nkrxzvn	1549	nkrxzvn
/usr/bin/fdtfrrltalwku	1552	fdtfrrltalwku
/usr/bin/rzxjup	1555	rzxjup
/usr/bin/kkwscbhqwd	1558	kkwscbhqwd
/usr/bin/wykekipx	1560	wykekipx
/usr/bin/qrsmulaony	1564	qrsmulaony
/usr/bin/xlppnqyepe	1567	xlppnqyepe
/usr/bin/lemrou	1570	lemrou
/usr/bin/ttyxhhqntvrrxw	1573	ttyxhhqntvrrxw
/usr/bin/blzayg	1576	blzayg
/usr/bin/htvcmabzuwss	1579	htvcmabzuwss
/usr/bin/clrvgkoeglhtkj	1582	clrvgkoeglhtkj
/usr/bin/rnamiez	1585	rnamiez
/usr/bin/msvdoxzo	1588	msvdoxzo
/usr/bin/jbdtdoe	1591	jbdtdoe
/usr/bin/yoxqpx	1594	yoxqpx
/usr/bin/ctxtwvxi	1597	ctxtwvxi
/usr/bin/smerluqxy	1600	smerluqxy
/usr/bin/glkbjfzrvtfblt	1603	glkbjfzrvtfblt
/usr/bin/dqvwiw	1605	dqvwiw
/usr/bin/dsjyamltko	1611	dsjyamltko
/usr/bin/erotlmudxaqjez	1609	erotlmudxaqjez
/usr/bin/flterxvi	1615	flterxvi
/usr/bin/ikumduklktiz	1620	ikumduklktiz
/usr/bin/exvriqbz	1618	exvriqbz
/usr/bin/dpjgkmzjjdifws	1624	dpjgkmzjjdifws
/usr/bin/xrxgdtujn	1627	xrxgdtujn
/usr/bin/uazezeiqpqb	1630	uazezeiqpqb
/usr/bin/axrzuhzjklsiq	1637	axrzuhzjklsiq
/usr/bin/htipodlpuisr	1635	htipodlpuisr
/usr/bin/xlqsvj	1641	xlqsvj
/usr/bin/mxgxpaght	1644	mxgxpaght
/usr/bin/hsegnmgyytqgjo	1647	hsegnmgyytqgjo
/usr/bin/uxlrbwsgd	1652	uxlrbwsgd
/usr/bin/ekypfbtoif	1650	ekypfbtoif
/usr/bin/shyvwrtnnn	1656	shyvwrtnnn
/usr/bin/xnhcpcsxjetgq	1659	xnhcpcsxjetgq
/usr/bin/hoeprwhbx	1662	hoeprwhbx
/usr/bin/slmhlw	1665	slmhlw
/usr/bin/haxkkysurgdh	1668	haxkkysurgdh
/usr/bin/zunrtdefm	1671	zunrtdefm
/usr/bin/wgekpqgwx	1673	wgekpqgwx
/usr/bin/ujvudpm	1677	ujvudpm
/usr/bin/hhpygcbuknho	1680	hhpygcbuknho
/usr/bin/oezqugfw	1683	oezqugfw
/usr/bin/qjitus	1686	qjitus
/usr/bin/kwrtnr	1688	kwrtnr
/usr/bin/qswcifqsuurmrz	1692	qswcifqsuurmrz
/usr/bin/vtmozhbqnmxmlw	1695	vtmozhbqnmxmlw
/usr/bin/aqltqp	1698	aqltqp
/usr/bin/mwdwxt	1701	mwdwxt
/usr/bin/svxrjahwtal	1704	svxrjahwtal
/usr/bin/ankdztm	1707	ankdztm
/usr/bin/lwtsrtycqpyfn	1712	lwtsrtycqpyfn
/usr/bin/stwnbphfz	1710	stwnbphfz
/usr/bin/pfsnameukikzi	1718	pfsnameukikzi

Creates/modifies Cron job 1 TTPs 1 IoCs

Cron allows running tasks on a schedule, and is commonly used for malware persistence.

persistence

Scheduled Task/Job

T1053

description	ioc	Process
File opened for modification	/etc/cron.hourly/ggochqiigoxd.sh	dxogiiqhcogg

Modifies init.d 1 TTPs 1 IoCs

Adds/modifies system service, likely for persistence.

persistence

Boot or Logon Autostart Execution

T1547

description	ioc	Process
File opened for modification	/etc/init.d/ggochqiigoxd	dxogiiqhcogg

Write file to user bin folder 1 TTPs 64 IoCs

Hijack Execution Flow

T1574

description	ioc	Process
File opened for modification	/usr/bin/jsgjvzfdnw	dxogiiqhcogg
File opened for modification	/usr/bin/svzfdgyx	dxogiiqhcogg
File opened for modification	/usr/bin/bbspkpeoppfl	dxogiiqhcogg
File opened for modification	/usr/bin/ggochqiigoxd.sh	dxogiiqhcogg
File opened for modification	/usr/bin/kwrtnr	dxogiiqhcogg
File opened for modification	/usr/bin/wciazrrxf	dxogiiqhcogg
File opened for modification	/usr/bin/zgptwzamgbpkv	dxogiiqhcogg
File opened for modification	/usr/bin/dniwpnobqeudiq	dxogiiqhcogg
File opened for modification	/usr/bin/dpjgkmzjjdifws	dxogiiqhcogg
File opened for modification	/usr/bin/xrxgdtujn	dxogiiqhcogg
File opened for modification	/usr/bin/vlvuvdlptxai	dxogiiqhcogg
File opened for modification	/usr/bin/oihassfdrsztze	dxogiiqhcogg
File opened for modification	/usr/bin/hackhhhesrtrqu	dxogiiqhcogg
File opened for modification	/usr/bin/blzayg	dxogiiqhcogg
File opened for modification	/usr/bin/erotlmudxaqjez	dxogiiqhcogg
File opened for modification	/usr/bin/ktplrrjwri	dxogiiqhcogg
File opened for modification	/usr/bin/zktpqbdfhab	dxogiiqhcogg
File opened for modification	/usr/bin/kkcwnfua	dxogiiqhcogg
File opened for modification	/usr/bin/aqltqp	dxogiiqhcogg
File opened for modification	/usr/bin/ggmadxg	dxogiiqhcogg
File opened for modification	/usr/bin/oprrdhsdmtl	dxogiiqhcogg
File opened for modification	/usr/bin/dpiddrerehisr	dxogiiqhcogg
File opened for modification	/usr/bin/ttyxhhqntvrrxw	dxogiiqhcogg
File opened for modification	/usr/bin/msvdoxzo	dxogiiqhcogg
File opened for modification	/usr/bin/axrzuhzjklsiq	dxogiiqhcogg
File opened for modification	/usr/bin/pvupxm	dxogiiqhcogg
File opened for modification	/usr/bin/yljtfvm	dxogiiqhcogg
File opened for modification	/usr/bin/wykekipx	dxogiiqhcogg
File opened for modification	/usr/bin/lemrou	dxogiiqhcogg
File opened for modification	/usr/bin/svxrjahwtal	dxogiiqhcogg
File opened for modification	/usr/bin/hshauvzfo	dxogiiqhcogg
File opened for modification	/usr/bin/rfxzhtwi	dxogiiqhcogg
File opened for modification	/usr/bin/kqmlabihhevwm	dxogiiqhcogg
File opened for modification	/usr/bin/alwnbyntq	dxogiiqhcogg
File opened for modification	/usr/bin/fdvnxlpuqhucdj	dxogiiqhcogg
File opened for modification	/usr/bin/getxqwjfnaap	dxogiiqhcogg
File opened for modification	/usr/bin/mmunykdpdiyy	dxogiiqhcogg
File opened for modification	/usr/bin/seeqgh	dxogiiqhcogg
File opened for modification	/usr/bin/cintjribxznpng	dxogiiqhcogg
File opened for modification	/usr/bin/vnexlowdadpe	dxogiiqhcogg
File opened for modification	/usr/bin/uggtbqhpwalhr	dxogiiqhcogg
File opened for modification	/usr/bin/etxwzvy	dxogiiqhcogg
File opened for modification	/usr/bin/diptfodpqvrsai	dxogiiqhcogg
File opened for modification	/usr/bin/exvriqbz	dxogiiqhcogg
File opened for modification	/usr/bin/goiaxrvh	dxogiiqhcogg
File opened for modification	/usr/bin/qswcifqsuurmrz	dxogiiqhcogg
File opened for modification	/usr/bin/urnnsqkfwaoe	dxogiiqhcogg
File opened for modification	/usr/bin/vwfblqqktthlrk	dxogiiqhcogg
File opened for modification	/usr/bin/vwakgzztncmry	dxogiiqhcogg
File opened for modification	/usr/bin/dzujlgszvkren	dxogiiqhcogg
File opened for modification	/usr/bin/xlqsvj	dxogiiqhcogg
File opened for modification	/usr/bin/hhpygcbuknho	dxogiiqhcogg
File opened for modification	/usr/bin/rtxobpfasimq	dxogiiqhcogg
File opened for modification	/usr/bin/ujnlpbnm	dxogiiqhcogg
File opened for modification	/usr/bin/cdejktklmimxo	dxogiiqhcogg
File opened for modification	/usr/bin/bzejpjyhfqa	dxogiiqhcogg
File opened for modification	/usr/bin/htvcmabzuwss	dxogiiqhcogg
File opened for modification	/usr/bin/uazezeiqpqb	dxogiiqhcogg
File opened for modification	/usr/bin/udnomm	dxogiiqhcogg
File opened for modification	/usr/bin/judokieim	dxogiiqhcogg
File opened for modification	/usr/bin/sxpnypaa	dxogiiqhcogg
File opened for modification	/usr/bin/frlloiylcvo	dxogiiqhcogg
File opened for modification	/usr/bin/qexfwalcjlf	dxogiiqhcogg
File opened for modification	/usr/bin/ybuqvtzcqycf	dxogiiqhcogg

Reads runtime system information 2 IoCs

Reads data from /proc virtual filesystem.

description	ioc	Process
File opened for reading	/proc/meminfo	4354ecf6edd10d7625b429d765308ee2_JaffaCakes118
File opened for reading	/proc/meminfo	dxogiiqhcogg

Writes file to shm directory 2 IoCs

Malware can drop malicious files in the shm directory which will run directly from RAM.

description	ioc	Process
File opened for modification	/dev/shm/sem.pciycy	dxogiiqhcogg
File opened for modification	/dev/shm/sem.Jvh4rg	dxogiiqhcogg

/tmp/4354ecf6edd10d7625b429d765308ee2_JaffaCakes118
/tmp/4354ecf6edd10d7625b429d765308ee2_JaffaCakes118
1⤵
- Reads runtime system information
PID:1515

/usr/bin/dxogiiqhcogg
/usr/bin/dxogiiqhcogg
1⤵
- Executes dropped EXE
- Creates/modifies Cron job
- Modifies init.d
- Write file to user bin folder
- Reads runtime system information
- Writes file to shm directory
PID:1519

/usr/bin/qamptojbqr
/usr/bin/qamptojbqr -d 1520
1⤵
- Executes dropped EXE
PID:1524

/usr/bin/fzqcbja
/usr/bin/fzqcbja -d 1520
1⤵
- Executes dropped EXE
PID:1527

/usr/bin/diptfodpqvrsai
/usr/bin/diptfodpqvrsai -d 1520
1⤵
- Executes dropped EXE
PID:1530

/usr/bin/ingcfegmfwqjit
/usr/bin/ingcfegmfwqjit -d 1520
1⤵
- Executes dropped EXE
PID:1532

/usr/bin/bzejpjyhfqa
/usr/bin/bzejpjyhfqa -d 1520
1⤵
- Executes dropped EXE
PID:1536

/usr/bin/mkpbqnkncyoyd
/usr/bin/mkpbqnkncyoyd -d 1520
1⤵
- Executes dropped EXE
PID:1543

/usr/bin/hackhhhesrtrqu
/usr/bin/hackhhhesrtrqu -d 1520
1⤵
- Executes dropped EXE
PID:1546

/usr/bin/nkrxzvn
/usr/bin/nkrxzvn -d 1520
1⤵
- Executes dropped EXE
PID:1549

/usr/bin/fdtfrrltalwku
/usr/bin/fdtfrrltalwku -d 1520
1⤵
- Executes dropped EXE
PID:1552

/usr/bin/rzxjup
/usr/bin/rzxjup -d 1520
1⤵
- Executes dropped EXE
PID:1555

/usr/bin/kkwscbhqwd
/usr/bin/kkwscbhqwd -d 1520
1⤵
- Executes dropped EXE
PID:1558

/usr/bin/wykekipx
/usr/bin/wykekipx -d 1520
1⤵
- Executes dropped EXE
PID:1560

/usr/bin/qrsmulaony
/usr/bin/qrsmulaony -d 1520
1⤵
- Executes dropped EXE
PID:1564

/usr/bin/xlppnqyepe
/usr/bin/xlppnqyepe -d 1520
1⤵
- Executes dropped EXE
PID:1567

/usr/bin/lemrou
/usr/bin/lemrou -d 1520
1⤵
- Executes dropped EXE
PID:1570

/usr/bin/ttyxhhqntvrrxw
/usr/bin/ttyxhhqntvrrxw -d 1520
1⤵
- Executes dropped EXE
PID:1573

/usr/bin/blzayg
/usr/bin/blzayg -d 1520
1⤵
- Executes dropped EXE
PID:1576

/usr/bin/htvcmabzuwss
/usr/bin/htvcmabzuwss -d 1520
1⤵
- Executes dropped EXE
PID:1579

/usr/bin/clrvgkoeglhtkj
/usr/bin/clrvgkoeglhtkj -d 1520
1⤵
- Executes dropped EXE
PID:1582

/usr/bin/rnamiez
/usr/bin/rnamiez -d 1520
1⤵
- Executes dropped EXE
PID:1585

/usr/bin/msvdoxzo
/usr/bin/msvdoxzo -d 1520
1⤵
- Executes dropped EXE
PID:1588

/usr/bin/jbdtdoe
/usr/bin/jbdtdoe -d 1520
1⤵
- Executes dropped EXE
PID:1591

/usr/bin/yoxqpx
/usr/bin/yoxqpx -d 1520
1⤵
- Executes dropped EXE
PID:1594

/usr/bin/ctxtwvxi
/usr/bin/ctxtwvxi -d 1520
1⤵
- Executes dropped EXE
PID:1597

/usr/bin/smerluqxy
/usr/bin/smerluqxy -d 1520
1⤵
- Executes dropped EXE
PID:1600

/usr/bin/glkbjfzrvtfblt
/usr/bin/glkbjfzrvtfblt -d 1520
1⤵
- Executes dropped EXE
PID:1603

/usr/bin/dqvwiw
/usr/bin/dqvwiw -d 1520
1⤵
- Executes dropped EXE
PID:1605

/usr/bin/dsjyamltko
/usr/bin/dsjyamltko -d 1520
1⤵
- Executes dropped EXE
PID:1611

/usr/bin/erotlmudxaqjez
/usr/bin/erotlmudxaqjez -d 1520
1⤵
- Executes dropped EXE
PID:1609

/usr/bin/flterxvi
/usr/bin/flterxvi -d 1520
1⤵
- Executes dropped EXE
PID:1615

/usr/bin/ikumduklktiz
/usr/bin/ikumduklktiz -d 1520
1⤵
- Executes dropped EXE
PID:1620

/usr/bin/exvriqbz
/usr/bin/exvriqbz -d 1520
1⤵
- Executes dropped EXE
PID:1618

/usr/bin/dpjgkmzjjdifws
/usr/bin/dpjgkmzjjdifws -d 1520
1⤵
- Executes dropped EXE
PID:1624

/usr/bin/xrxgdtujn
/usr/bin/xrxgdtujn -d 1520
1⤵
- Executes dropped EXE
PID:1627

/usr/bin/uazezeiqpqb
/usr/bin/uazezeiqpqb -d 1520
1⤵
- Executes dropped EXE
PID:1630

/usr/bin/axrzuhzjklsiq
/usr/bin/axrzuhzjklsiq -d 1520
1⤵
- Executes dropped EXE
PID:1637

/usr/bin/htipodlpuisr
/usr/bin/htipodlpuisr -d 1520
1⤵
- Executes dropped EXE
PID:1635

/usr/bin/xlqsvj
/usr/bin/xlqsvj -d 1520
1⤵
- Executes dropped EXE
PID:1641

/usr/bin/mxgxpaght
/usr/bin/mxgxpaght -d 1520
1⤵
- Executes dropped EXE
PID:1644

/usr/bin/hsegnmgyytqgjo
/usr/bin/hsegnmgyytqgjo -d 1520
1⤵
- Executes dropped EXE
PID:1647

/usr/bin/uxlrbwsgd
/usr/bin/uxlrbwsgd -d 1520
1⤵
- Executes dropped EXE
PID:1652

/usr/bin/ekypfbtoif
/usr/bin/ekypfbtoif -d 1520
1⤵
- Executes dropped EXE
PID:1650

/usr/bin/shyvwrtnnn
/usr/bin/shyvwrtnnn -d 1520
1⤵
- Executes dropped EXE
PID:1656

/usr/bin/xnhcpcsxjetgq
/usr/bin/xnhcpcsxjetgq -d 1520
1⤵
- Executes dropped EXE
PID:1659

/usr/bin/hoeprwhbx
/usr/bin/hoeprwhbx -d 1520
1⤵
- Executes dropped EXE
PID:1662

/usr/bin/slmhlw
/usr/bin/slmhlw -d 1520
1⤵
- Executes dropped EXE
PID:1665

/usr/bin/haxkkysurgdh
/usr/bin/haxkkysurgdh -d 1520
1⤵
- Executes dropped EXE
PID:1668

/usr/bin/zunrtdefm
/usr/bin/zunrtdefm -d 1520
1⤵
- Executes dropped EXE
PID:1671

/usr/bin/wgekpqgwx
/usr/bin/wgekpqgwx -d 1520
1⤵
- Executes dropped EXE
PID:1673

/usr/bin/ujvudpm
/usr/bin/ujvudpm -d 1520
1⤵
- Executes dropped EXE
PID:1677

/usr/bin/hhpygcbuknho
/usr/bin/hhpygcbuknho -d 1520
1⤵
- Executes dropped EXE
PID:1680

/usr/bin/oezqugfw
/usr/bin/oezqugfw -d 1520
1⤵
- Executes dropped EXE
PID:1683

/usr/bin/qjitus
/usr/bin/qjitus -d 1520
1⤵
- Executes dropped EXE
PID:1686

/usr/bin/kwrtnr
/usr/bin/kwrtnr -d 1520
1⤵
- Executes dropped EXE
PID:1688

/usr/bin/qswcifqsuurmrz
/usr/bin/qswcifqsuurmrz -d 1520
1⤵
- Executes dropped EXE
PID:1692

/usr/bin/vtmozhbqnmxmlw
/usr/bin/vtmozhbqnmxmlw -d 1520
1⤵
- Executes dropped EXE
PID:1695

/usr/bin/aqltqp
/usr/bin/aqltqp -d 1520
1⤵
- Executes dropped EXE
PID:1698

/usr/bin/mwdwxt
/usr/bin/mwdwxt -d 1520
1⤵
- Executes dropped EXE
PID:1701

/usr/bin/svxrjahwtal
/usr/bin/svxrjahwtal -d 1520
1⤵
- Executes dropped EXE
PID:1704

/usr/bin/ankdztm
/usr/bin/ankdztm -d 1520
1⤵
- Executes dropped EXE
PID:1707

/usr/bin/lwtsrtycqpyfn
/usr/bin/lwtsrtycqpyfn -d 1520
1⤵
- Executes dropped EXE
PID:1712

/usr/bin/stwnbphfz
/usr/bin/stwnbphfz -d 1520
1⤵
- Executes dropped EXE
PID:1710

/usr/bin/pfsnameukikzi
/usr/bin/pfsnameukikzi -d 1520
1⤵
- Executes dropped EXE
PID:1718

/usr/bin/awhujccbvyqzqz
/usr/bin/awhujccbvyqzqz -d 1520
1⤵
PID:1716

/usr/bin/ogslomwq
/usr/bin/ogslomwq -d 1520
1⤵
PID:1722

/usr/bin/qcwmwuveedoy
/usr/bin/qcwmwuveedoy -d 1520
1⤵
PID:1725

/usr/bin/bculeohgqhyp
/usr/bin/bculeohgqhyp -d 1520
1⤵
PID:1728

/usr/bin/wjpwohbmvzhqd
/usr/bin/wjpwohbmvzhqd -d 1520
1⤵
PID:1731

/usr/bin/urnnsqkfwaoe
/usr/bin/urnnsqkfwaoe -d 1520
1⤵
PID:1734

/usr/bin/wciazrrxf
/usr/bin/wciazrrxf -d 1520
1⤵
PID:1737

/usr/bin/ktplrrjwri
/usr/bin/ktplrrjwri -d 1520
1⤵
PID:1740

/usr/bin/kjbnmtxkqaalk
/usr/bin/kjbnmtxkqaalk -d 1520
1⤵
PID:1743

/usr/bin/yzkinrugifzao
/usr/bin/yzkinrugifzao -d 1520
1⤵
PID:1746

/usr/bin/rzwckxrwq
/usr/bin/rzwckxrwq -d 1520
1⤵
PID:1749

/usr/bin/ijqjwawubie
/usr/bin/ijqjwawubie -d 1520
1⤵
PID:1752

/usr/bin/jsgjvzfdnw
/usr/bin/jsgjvzfdnw -d 1520
1⤵
PID:1755

/usr/bin/ggmadxg
/usr/bin/ggmadxg -d 1520
1⤵
PID:1758

/usr/bin/iepebbetnidyc
/usr/bin/iepebbetnidyc -d 1520
1⤵
PID:1760

/usr/bin/ixlnaalvhu
/usr/bin/ixlnaalvhu -d 1520
1⤵
PID:1764

/usr/bin/zgptwzamgbpkv
/usr/bin/zgptwzamgbpkv -d 1520
1⤵
PID:1767

/usr/bin/lffsswnyy
/usr/bin/lffsswnyy -d 1520
1⤵
PID:1770

/usr/bin/goiaxrvh
/usr/bin/goiaxrvh -d 1520
1⤵
PID:1773

/usr/bin/sxpnypaa
/usr/bin/sxpnypaa -d 1520
1⤵
PID:1776

/usr/bin/svzfdgyx
/usr/bin/svzfdgyx -d 1520
1⤵
PID:1779

/usr/bin/nxdddrnf
/usr/bin/nxdddrnf -d 1520
1⤵
PID:1782

/usr/bin/uqjjnabqvm
/usr/bin/uqjjnabqvm -d 1520
1⤵
PID:1785

/usr/bin/vnexlowdadpe
/usr/bin/vnexlowdadpe -d 1520
1⤵
PID:1788

/usr/bin/vlvuvdlptxai
/usr/bin/vlvuvdlptxai -d 1520
1⤵
PID:1790

/usr/bin/bbspkpeoppfl
/usr/bin/bbspkpeoppfl -d 1520
1⤵
PID:1794

/usr/bin/frlloiylcvo
/usr/bin/frlloiylcvo -d 1520
1⤵
PID:1797

/usr/bin/getxqwjfnaap
/usr/bin/getxqwjfnaap -d 1520
1⤵
PID:1800

/usr/bin/naohboozyeb
/usr/bin/naohboozyeb -d 1520
1⤵
PID:1803

/usr/bin/ixvuabbuz
/usr/bin/ixvuabbuz -d 1520
1⤵
PID:1806

/usr/bin/siyfkzun
/usr/bin/siyfkzun -d 1520
1⤵
PID:1809

/usr/bin/oprrdhsdmtl
/usr/bin/oprrdhsdmtl -d 1520
1⤵
PID:1812

/usr/bin/mmunykdpdiyy
/usr/bin/mmunykdpdiyy -d 1520
1⤵
PID:1815

/usr/bin/krxemfv
/usr/bin/krxemfv -d 1520
1⤵
PID:1818

/usr/bin/qozbdjvqbcenz
/usr/bin/qozbdjvqbcenz -d 1520
1⤵
PID:1820

/usr/bin/njwenfclrne
/usr/bin/njwenfclrne -d 1520
1⤵
PID:1824

/usr/bin/rtxobpfasimq
/usr/bin/rtxobpfasimq -d 1520
1⤵
PID:1827

/usr/bin/fjznwbgdthso
/usr/bin/fjznwbgdthso -d 1520
1⤵
PID:1832

/usr/bin/pqbuavekk
/usr/bin/pqbuavekk -d 1520
1⤵
PID:1830

/usr/bin/iubmlrukgml
/usr/bin/iubmlrukgml -d 1520
1⤵
PID:1836

/usr/bin/oihassfdrsztze
/usr/bin/oihassfdrsztze -d 1520
1⤵
PID:1839

/usr/bin/ixcmfwpt
/usr/bin/ixcmfwpt -d 1520
1⤵
PID:1842

/usr/bin/jiccwdtsc
/usr/bin/jiccwdtsc -d 1520
1⤵
PID:1845

/usr/bin/dniwpnobqeudiq
/usr/bin/dniwpnobqeudiq -d 1520
1⤵
PID:1848

/usr/bin/pjhzxlkhnndtg
/usr/bin/pjhzxlkhnndtg -d 1520
1⤵
PID:1851

/usr/bin/vwakgzztncmry
/usr/bin/vwakgzztncmry -d 1520
1⤵
PID:1854

/usr/bin/cpctyluxw
/usr/bin/cpctyluxw -d 1520
1⤵
PID:1857

/usr/bin/zktpqbdfhab
/usr/bin/zktpqbdfhab -d 1520
1⤵
PID:1860

/usr/bin/fjrhcmaocy
/usr/bin/fjrhcmaocy -d 1520
1⤵
PID:1863

/usr/bin/zochos
/usr/bin/zochos -d 1520
1⤵
PID:1866

/usr/bin/qexfwalcjlf
/usr/bin/qexfwalcjlf -d 1520
1⤵
PID:1869

/usr/bin/otztfzhhzgkz
/usr/bin/otztfzhhzgkz -d 1520
1⤵
PID:1872

/usr/bin/xxvsmooc
/usr/bin/xxvsmooc -d 1520
1⤵
PID:1877

/usr/bin/ynnqeaqelcx
/usr/bin/ynnqeaqelcx -d 1520
1⤵
PID:1875

/usr/bin/ybuqvtzcqycf
/usr/bin/ybuqvtzcqycf -d 1520
1⤵
PID:1881

/usr/bin/ujnlpbnm
/usr/bin/ujnlpbnm -d 1520
1⤵
PID:1884

/usr/bin/mjwhxlxzc
/usr/bin/mjwhxlxzc -d 1520
1⤵
PID:1887

/usr/bin/iaaameh
/usr/bin/iaaameh -d 1520
1⤵
PID:1890

/usr/bin/uggtbqhpwalhr
/usr/bin/uggtbqhpwalhr -d 1520
1⤵
PID:1893

/usr/bin/qptzwsyic
/usr/bin/qptzwsyic -d 1520
1⤵
PID:1896

/usr/bin/kdmpkblsjhuzo
/usr/bin/kdmpkblsjhuzo -d 1520
1⤵
PID:1899

/usr/bin/yqyfkmzc
/usr/bin/yqyfkmzc -d 1520
1⤵
PID:1902

/usr/bin/cdejktklmimxo
/usr/bin/cdejktklmimxo -d 1520
1⤵
PID:1907

/usr/bin/bgmktbb
/usr/bin/bgmktbb -d 1520
1⤵
PID:1905

/usr/bin/gczfslptoqzd
/usr/bin/gczfslptoqzd -d 1520
1⤵
PID:1911

/usr/bin/seeqgh
/usr/bin/seeqgh -d 1520
1⤵
PID:1914

/usr/bin/rtqcecm
/usr/bin/rtqcecm -d 1520
1⤵
PID:1917

/usr/bin/nemkhop
/usr/bin/nemkhop -d 1520
1⤵
PID:1920

/usr/bin/gafaezpexct
/usr/bin/gafaezpexct -d 1520
1⤵
PID:1923

/usr/bin/opmnmao
/usr/bin/opmnmao -d 1520
1⤵
PID:1925

/usr/bin/dzujlgszvkren
/usr/bin/dzujlgszvkren -d 1520
1⤵
PID:1929

/usr/bin/etxwzvy
/usr/bin/etxwzvy -d 1520
1⤵
PID:1932

/usr/bin/udnomm
/usr/bin/udnomm -d 1520
1⤵
PID:1938

/usr/bin/ausowuy
/usr/bin/ausowuy -d 1520
1⤵
PID:1941

/usr/bin/oqqomyvidk
/usr/bin/oqqomyvidk -d 1520
1⤵
PID:1946

/usr/bin/kkcwnfua
/usr/bin/kkcwnfua -d 1520
1⤵
PID:1944

/usr/bin/wnsshhpdhdqri
/usr/bin/wnsshhpdhdqri -d 1520
1⤵
PID:1950

/usr/bin/pvupxm
/usr/bin/pvupxm -d 1520
1⤵
PID:1953

/usr/bin/dpiddrerehisr
/usr/bin/dpiddrerehisr -d 1520
1⤵
PID:1956

/usr/bin/ajinomlmrpbmjs
/usr/bin/ajinomlmrpbmjs -d 1520
1⤵
PID:1959

/usr/bin/xboplsscw
/usr/bin/xboplsscw -d 1520
1⤵
PID:1962

/usr/bin/ieudxxdghrwtei
/usr/bin/ieudxxdghrwtei -d 1520
1⤵
PID:1965

/usr/bin/hshauvzfo
/usr/bin/hshauvzfo -d 1520
1⤵
PID:1968

/usr/bin/ozipxgeumo
/usr/bin/ozipxgeumo -d 1520
1⤵
PID:1970

/usr/bin/csmgxlty
/usr/bin/csmgxlty -d 1520
1⤵
PID:1974

/usr/bin/rfxzhtwi
/usr/bin/rfxzhtwi -d 1520
1⤵
PID:1977

/usr/bin/kqmlabihhevwm
/usr/bin/kqmlabihhevwm -d 1520
1⤵
PID:1980

/usr/bin/hdxndffnip
/usr/bin/hdxndffnip -d 1520
1⤵
PID:1983

/usr/bin/bdvswd
/usr/bin/bdvswd -d 1520
1⤵
PID:1985

/usr/bin/yljtfvm
/usr/bin/yljtfvm -d 1520
1⤵
PID:1989

/usr/bin/qqzodgr
/usr/bin/qqzodgr -d 1520
1⤵
PID:1992

/usr/bin/vwfblqqktthlrk
/usr/bin/vwfblqqktthlrk -d 1520
1⤵
PID:1995

/usr/bin/alwnbyntq
/usr/bin/alwnbyntq -d 1520
1⤵
PID:1998

/usr/bin/judokieim
/usr/bin/judokieim -d 1520
1⤵
PID:2001

/usr/bin/fdvnxlpuqhucdj
/usr/bin/fdvnxlpuqhucdj -d 1520
1⤵
PID:2004

/usr/bin/eyyuxkqbyalfi
/usr/bin/eyyuxkqbyalfi -d 1520
1⤵
PID:2007

/usr/bin/qzdvvtuii
/usr/bin/qzdvvtuii -d 1520
1⤵
PID:2010

/usr/bin/hdvvzxyfdbj
/usr/bin/hdvvzxyfdbj -d 1520
1⤵
PID:2013

/usr/bin/eplrorqhyt
/usr/bin/eplrorqhyt -d 1520
1⤵
PID:2018

/usr/bin/cembrzpaep
/usr/bin/cembrzpaep -d 1520
1⤵
PID:2016

/usr/bin/ttctahwjzbp
/usr/bin/ttctahwjzbp -d 1520
1⤵
PID:2022

/usr/bin/cintjribxznpng
/usr/bin/cintjribxznpng -d 1520
1⤵
PID:2025

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Boot or Logon Autostart Execution

T1547

Hijack Execution Flow

T1574

Scheduled Task/Job

T1053

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Hijack Execution Flow

T1574

Scheduled Task/Job

T1053

Defense Evasion

Hijack Execution Flow

T1574

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

/dev/shm/sem.Jvh4rg

Filesize
16B

MD5
076933ff9904d1110d896e2c525e39e5

SHA1
4188442577fa77f25820d9b2d01cc446e30684ac

SHA256
4cbbd8ca5215b8d161aec181a74b694f4e24b001d5b081dc0030ed797a8973e0

SHA512
6fcee9a7b7a7b821d241c03c82377928bc6882e7a08c78a4221199bfa220cdc55212273018ee613317c8293bb8d1ce08d1e017508e94e06ab85a734c99c7cc34

Download Submit
/etc/cron.hourly/ggochqiigoxd.sh

Filesize
161B

MD5
fe9b51be8a2b273603625ff89bda7a17

SHA1
4dbb6d3c8b1be97d3c1d291c1c6393cd2442ffa8

SHA256
a9247884037693b635bb441e1779cb5abd80bdc92a50a27923bda8af90a907f2

SHA512
522ce528d4b0c984ba31d5e4302075889a027678cd91fa45e96a25b494e533ed85e4e36162efb9e57de38e7d7633bce253fa9005867871b3962ded262891bed2

Download Submit
/etc/daemon.cfg

Filesize
32B

MD5
30e8d8a54bcf1cb649f5c52ac4f92281

SHA1
51141717770309bae774ec692156f539239e8435

SHA256
d044079a15dc81c1584d432389a886c653d9787f030b6a712f139286cf707a61

SHA512
d564687455eebdd2d472e36005bfd4d60ee60ebd58754c5458311e86467a63830ed38180eeb853485bd870463ce77f2b0080aa015ecc0df575232d14fe5e71f9

Download Submit
/etc/init.d/ggochqiigoxd

Filesize
356B

MD5
247b23dce4cdc44d9e3e32d7ccab8d7f

SHA1
ff7235501faeb780388cde0e3fd67906a746e390

SHA256
f6943da58c575d56ddc798269f7f9516296d3f78b84cee3f088b347368d0e8b8

SHA512
17e9708c9d9d0e23f3a431b028ad8327508bd2d6c5291bf705805441d8b8d756bf1e27610c117acab206ba392f3f3d94ada05a0e03db47a6af0ca1f597396660

Download Submit
/usr/bin/dxogiiqhcogg

Filesize
543KB

MD5
949ccdf51fa04a2ea64f227a5ef119d4

SHA1
e86f6f2a9e0db19d80e5dee6afc135c1b2279e79

SHA256
3e8a47fa7ac1a3ddc76e2c308e01963ae8e4ba39cc89dd55f6e7d98b35efd600

SHA512
d00011d9fd3f2165dd3b1b6a5fa560381ac0f1c083e76e88eaa276484e34c5c7316588a87a50fcd450d7a41551d6b557061abd066942548b3c3a73d4198e0947

Download Submit

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads