xorddos | 26afd8aa5395d48d260804313103452ffe2248d7820d0c688f19b9e2532f86d2

Analysis

max time kernel
149s
max time network
151s
platform
ubuntu-20.04_amd64
resource
ubuntu2004-amd64-20240729-en
resource tags

arch:amd64arch:i386image:ubuntu2004-amd64-20240729-enkernel:5.4.0-169-genericlocale:en-usos:ubuntu-20.04-amd64system
submitted
10-08-2024 04:46

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

84d952648c8b04ae92d8ae5c590bb796_JaffaCakes118
Size

549KB
MD5

84d952648c8b04ae92d8ae5c590bb796
SHA1

226678d94699643f98278f12fc75ee2e91cb35ca
SHA256

26afd8aa5395d48d260804313103452ffe2248d7820d0c688f19b9e2532f86d2
SHA512

c5eade8014054e73800aa2776509eef9a851f61c34fca60132f1db534706a7cccbff2ed4a21d10b2a39602a3843f24792a8bf362b1655a88048af740a84b2f60
SSDEEP

12288:VeRvuKqiVZ4En5drNK0pPEfJKlHZ8mG97Qxee6yzmx:VIv/qiVNHNDEfJKHZ8mG9QeeO

Score

10^/10

xorddos botnet downloader persistence

Malware Config

Extracted

Family

xorddos

p6.2017fly.com:21

p6.2017fly.com:80

p6.2018fly.com:21

p6.2018fly.com:80

p6.sb1024.net:21

p6.sb1024.net:80

http://fuck.2017fly.com/i.php

Attributes

crc_polynomial
CDB88320

xor.plain

Signatures

XorDDoS
Botnet and downloader malware targeting Linux-based operating systems and IoT devices.
botnet downloader xorddos

XorDDoS payload 1 IoCs

resource	yara_rule
behavioral1/files/fstream-2.dat	family_xorddos

Deletes itself 64 IoCs

pid
1401
1410
1413
1416
1419
1422
1464
1467
1470
1473
1476
1479
1482
1485
1488
1491
1494
1497
1500
1503
1506
1509
1512
1515
1518
1521
1524
1527
1530
1533
1536
1539
1542
1545
1548
1551
1571
1574
1577
1580
1583
1586
1589
1592
1595
1598
1601
1604
1607
1610
1613
1616
1619
1622
1625
1628
1631
1634
1637
1640
1643
1646
1649
1652

Executes dropped EXE 64 IoCs

ioc	pid	Process
/usr/bin/oahonbfexfvdng	1404	oahonbfexfvdng
/usr/bin/zzjfgzununwbg	1409	zzjfgzununwbg
/usr/bin/cpjpax	1412	cpjpax
/usr/bin/kspzlpcrpc	1415	kspzlpcrpc
/usr/bin/nvwkfneqknslr	1418	nvwkfneqknslr
/usr/bin/vhjuhtmyuynwrd	1421	vhjuhtmyuynwrd
/usr/bin/upwzzx	1463	upwzzx
/usr/bin/swkkwtpc	1466	swkkwtpc
/usr/bin/kzdiuakl	1469	kzdiuakl
/usr/bin/lubnjn	1472	lubnjn
/usr/bin/ylizklrgvdfqtj	1475	ylizklrgvdfqtj
/usr/bin/xawpeoqasjct	1478	xawpeoqasjct
/usr/bin/jdmpwuclq	1481	jdmpwuclq
/usr/bin/xzpsswnrtn	1484	xzpsswnrtn
/usr/bin/itdytyky	1487	itdytyky
/usr/bin/qhwfyub	1490	qhwfyub
/usr/bin/fqyfyxgdl	1493	fqyfyxgdl
/usr/bin/rpnfnnalxe	1496	rpnfnnalxe
/usr/bin/xgnrbufbbxhrw	1499	xgnrbufbbxhrw
/usr/bin/pvutiv	1502	pvutiv
/usr/bin/xlrmytywyhtgum	1505	xlrmytywyhtgum
/usr/bin/cqhsfkun	1508	cqhsfkun
/usr/bin/gocwopca	1511	gocwopca
/usr/bin/qhgefjdadyy	1514	qhgefjdadyy
/usr/bin/ecwlvb	1517	ecwlvb
/usr/bin/rpoxfqvthavb	1520	rpoxfqvthavb
/usr/bin/rsnxjqtputmu	1523	rsnxjqtputmu
/usr/bin/rujynhoes	1526	rujynhoes
/usr/bin/ypmractavl	1529	ypmractavl
/usr/bin/twfmmbfyw	1532	twfmmbfyw
/usr/bin/pqepfnfk	1535	pqepfnfk
/usr/bin/ehcgluakrumcwo	1538	ehcgluakrumcwo
/usr/bin/knsfkqrqbcbxe	1541	knsfkqrqbcbxe
/usr/bin/jmqtqyela	1544	jmqtqyela
/usr/bin/cxcetszf	1547	cxcetszf
/usr/bin/tmrjfhk	1550	tmrjfhk
/usr/bin/nixskhoeidb	1570	nixskhoeidb
/usr/bin/bghouygw	1573	bghouygw
/usr/bin/ndmbdbb	1576	ndmbdbb
/usr/bin/hduqapcjdjr	1579	hduqapcjdjr
/usr/bin/mtjsbynbgl	1582	mtjsbynbgl
/usr/bin/aqgmxoe	1585	aqgmxoe
/usr/bin/etbnegttph	1588	etbnegttph
/usr/bin/wtjsgwgfuvd	1591	wtjsgwgfuvd
/usr/bin/xveksso	1594	xveksso
/usr/bin/xiomoxfhmptli	1597	xiomoxfhmptli
/usr/bin/fxiazn	1600	fxiazn
/usr/bin/vrxxtcrol	1603	vrxxtcrol
/usr/bin/azuugducevnxg	1606	azuugducevnxg
/usr/bin/ffffgulc	1609	ffffgulc
/usr/bin/kbhmuxyg	1612	kbhmuxyg
/usr/bin/gocxjaifprfz	1615	gocxjaifprfz
/usr/bin/ltkfixacqtdvhk	1618	ltkfixacqtdvhk
/usr/bin/kbispn	1621	kbispn
/usr/bin/anahctod	1624	anahctod
/usr/bin/zzmfhlhmbarwjc	1627	zzmfhlhmbarwjc
/usr/bin/cpywthewqdzlf	1630	cpywthewqdzlf
/usr/bin/cpfiugvykpk	1633	cpfiugvykpk
/usr/bin/lnllnpbl	1636	lnllnpbl
/usr/bin/uurtmvu	1639	uurtmvu
/usr/bin/clcrrknzfolv	1642	clcrrknzfolv
/usr/bin/knykiwo	1645	knykiwo
/usr/bin/gwwhxnuristbr	1648	gwwhxnuristbr
/usr/bin/fhqcwbgcoqsmaa	1651	fhqcwbgcoqsmaa

Unexpected DNS network traffic destination 64 IoCs

Network traffic to other servers than the configured DNS servers was detected on the DNS port.

description	ioc
Destination IP	114.114.114.114
Destination IP	114.114.114.114
Destination IP	114.114.114.114
Destination IP	114.114.114.114
Destination IP	114.114.114.114
Destination IP	114.114.114.114
Destination IP	114.114.114.114
Destination IP	114.114.114.114
Destination IP	114.114.114.114
Destination IP	114.114.114.114
Destination IP	114.114.114.114
Destination IP	114.114.114.114
Destination IP	114.114.114.114
Destination IP	114.114.114.114
Destination IP	114.114.114.114
Destination IP	114.114.114.114
Destination IP	114.114.114.114
Destination IP	114.114.114.114
Destination IP	114.114.114.114
Destination IP	114.114.114.114
Destination IP	114.114.114.114
Destination IP	114.114.114.114
Destination IP	114.114.114.114
Destination IP	114.114.114.114
Destination IP	114.114.114.114
Destination IP	114.114.114.114
Destination IP	114.114.114.114
Destination IP	114.114.114.114
Destination IP	114.114.114.114
Destination IP	114.114.114.114
Destination IP	114.114.114.114
Destination IP	114.114.114.114
Destination IP	114.114.114.114
Destination IP	114.114.114.114
Destination IP	114.114.114.114
Destination IP	114.114.114.114
Destination IP	114.114.114.114
Destination IP	114.114.114.114
Destination IP	114.114.114.114
Destination IP	114.114.114.114
Destination IP	114.114.114.114
Destination IP	114.114.114.114
Destination IP	114.114.114.114
Destination IP	114.114.114.114
Destination IP	114.114.114.114
Destination IP	114.114.114.114
Destination IP	114.114.114.114
Destination IP	114.114.114.114
Destination IP	114.114.114.114
Destination IP	114.114.114.114
Destination IP	114.114.114.114
Destination IP	114.114.114.114
Destination IP	114.114.114.114
Destination IP	114.114.114.114
Destination IP	114.114.114.114
Destination IP	114.114.114.114
Destination IP	114.114.114.114
Destination IP	114.114.114.114
Destination IP	114.114.114.114
Destination IP	114.114.114.114
Destination IP	114.114.114.114
Destination IP	114.114.114.114
Destination IP	114.114.114.114
Destination IP	114.114.114.114

Creates/modifies Cron job 1 TTPs 1 IoCs

Cron allows running tasks on a schedule, and is commonly used for malware persistence.

persistence

Scheduled Task/Job

T1053

description	ioc	Process
File opened for modification	/etc/cron.hourly/gndvfxefbnohao.sh	oahonbfexfvdng

Modifies init.d 1 TTPs 1 IoCs

Adds/modifies system service, likely for persistence.

persistence

Boot or Logon Autostart Execution

T1547

description	ioc	Process
File opened for modification	/etc/init.d/gndvfxefbnohao	oahonbfexfvdng

Write file to user bin folder 1 TTPs 64 IoCs

Hijack Execution Flow

T1574

description	ioc	Process
File opened for modification	/usr/bin/cpywthewqdzlf	oahonbfexfvdng
File opened for modification	/usr/bin/efmsrq	oahonbfexfvdng
File opened for modification	/usr/bin/sngsoxmfvy	oahonbfexfvdng
File opened for modification	/usr/bin/rgzldckmdw	oahonbfexfvdng
File opened for modification	/usr/bin/gndvfxefbnohao.sh	oahonbfexfvdng
File opened for modification	/usr/bin/cqhsfkun	oahonbfexfvdng
File opened for modification	/usr/bin/lejwqgwsuztwe	oahonbfexfvdng
File opened for modification	/usr/bin/ptsmcvt	oahonbfexfvdng
File opened for modification	/usr/bin/grjkrjsfbwut	oahonbfexfvdng
File opened for modification	/usr/bin/txdkhepwdaesdg	oahonbfexfvdng
File opened for modification	/usr/bin/cxcetszf	oahonbfexfvdng
File opened for modification	/usr/bin/xveksso	oahonbfexfvdng
File opened for modification	/usr/bin/fhqcwbgcoqsmaa	oahonbfexfvdng
File opened for modification	/usr/bin/bfpmopfj	oahonbfexfvdng
File opened for modification	/usr/bin/ebcfkpd	oahonbfexfvdng
File opened for modification	/usr/bin/kpjszxrjc	oahonbfexfvdng
File opened for modification	/usr/bin/shtkqn	oahonbfexfvdng
File opened for modification	/usr/bin/vhjuhtmyuynwrd	oahonbfexfvdng
File opened for modification	/usr/bin/xlrmytywyhtgum	oahonbfexfvdng
File opened for modification	/usr/bin/tmrjfhk	oahonbfexfvdng
File opened for modification	/usr/bin/cpfiugvykpk	oahonbfexfvdng
File opened for modification	/usr/bin/sxdxrfzl	oahonbfexfvdng
File opened for modification	/usr/bin/nmeyhdln	oahonbfexfvdng
File opened for modification	/usr/bin/dpapvayy	oahonbfexfvdng
File opened for modification	/usr/bin/tmlpzm	oahonbfexfvdng
File opened for modification	/usr/bin/huuunusd	oahonbfexfvdng
File opened for modification	/usr/bin/qktvdshveafv	oahonbfexfvdng
File opened for modification	/usr/bin/anahctod	oahonbfexfvdng
File opened for modification	/usr/bin/jikhrchdg	oahonbfexfvdng
File opened for modification	/usr/bin/kzfvoyhxqaf	oahonbfexfvdng
File opened for modification	/usr/bin/tbrhdu	oahonbfexfvdng
File opened for modification	/usr/bin/yxxedz	oahonbfexfvdng
File opened for modification	/usr/bin/mzzuqyhansso	oahonbfexfvdng
File opened for modification	/usr/bin/xawpeoqasjct	oahonbfexfvdng
File opened for modification	/usr/bin/ogrkxcvz	oahonbfexfvdng
File opened for modification	/usr/bin/ftauvzdrlk	oahonbfexfvdng
File opened for modification	/usr/bin/kvhnuai	oahonbfexfvdng
File opened for modification	/usr/bin/nhltayoolj	oahonbfexfvdng
File opened for modification	/usr/bin/tvgmlyruka	oahonbfexfvdng
File opened for modification	/usr/bin/xhbktufvz	oahonbfexfvdng
File opened for modification	/usr/bin/zaldkiamvkf	oahonbfexfvdng
File opened for modification	/usr/bin/bzgjwgpifocx	oahonbfexfvdng
File opened for modification	/usr/bin/twfmmbfyw	oahonbfexfvdng
File opened for modification	/usr/bin/clcrrknzfolv	oahonbfexfvdng
File opened for modification	/usr/bin/bxpmaurhija	oahonbfexfvdng
File opened for modification	/usr/bin/hwungj	oahonbfexfvdng
File opened for modification	/usr/bin/jzcnxlipa	oahonbfexfvdng
File opened for modification	/usr/bin/rdrpzamovfwpz	oahonbfexfvdng
File opened for modification	/usr/bin/aymbpnomlnug	oahonbfexfvdng
File opened for modification	/usr/bin/hchxqummackt	oahonbfexfvdng
File opened for modification	/usr/bin/nfqsumipbv	oahonbfexfvdng
File opened for modification	/usr/bin/zcwtls	oahonbfexfvdng
File opened for modification	/usr/bin/cutvwxdvdibu	oahonbfexfvdng
File opened for modification	/usr/bin/pvutiv	oahonbfexfvdng
File opened for modification	/usr/bin/ecwlvb	oahonbfexfvdng
File opened for modification	/usr/bin/mtjsbynbgl	oahonbfexfvdng
File opened for modification	/usr/bin/gocxjaifprfz	oahonbfexfvdng
File opened for modification	/usr/bin/lnllnpbl	oahonbfexfvdng
File opened for modification	/usr/bin/aaimqcpsaklkl	oahonbfexfvdng
File opened for modification	/usr/bin/bihmgper	oahonbfexfvdng
File opened for modification	/usr/bin/zzjfgzununwbg	oahonbfexfvdng
File opened for modification	/usr/bin/ylizklrgvdfqtj	oahonbfexfvdng
File opened for modification	/usr/bin/gocwopca	oahonbfexfvdng
File opened for modification	/usr/bin/fxiazn	oahonbfexfvdng

Reads runtime system information 2 IoCs

Reads data from /proc virtual filesystem.

description	ioc	Process
File opened for reading	/proc/meminfo	84d952648c8b04ae92d8ae5c590bb796_JaffaCakes118
File opened for reading	/proc/meminfo	oahonbfexfvdng

Writes file to shm directory 2 IoCs

Malware can drop malicious files in the shm directory which will run directly from RAM.

description	ioc	Process
File opened for modification	/dev/shm/sem.dgopft	oahonbfexfvdng
File opened for modification	/dev/shm/sem.DGZ3W3	oahonbfexfvdng

/tmp/84d952648c8b04ae92d8ae5c590bb796_JaffaCakes118
/tmp/84d952648c8b04ae92d8ae5c590bb796_JaffaCakes118
1⤵
- Reads runtime system information
PID:1400

/usr/bin/oahonbfexfvdng
/usr/bin/oahonbfexfvdng
1⤵
- Executes dropped EXE
- Creates/modifies Cron job
- Modifies init.d
- Write file to user bin folder
- Reads runtime system information
- Writes file to shm directory
PID:1404

/usr/bin/zzjfgzununwbg
/usr/bin/zzjfgzununwbg -d 1405
1⤵
- Executes dropped EXE
PID:1409

/usr/bin/cpjpax
/usr/bin/cpjpax -d 1405
1⤵
- Executes dropped EXE
PID:1412

/usr/bin/kspzlpcrpc
/usr/bin/kspzlpcrpc -d 1405
1⤵
- Executes dropped EXE
PID:1415

/usr/bin/nvwkfneqknslr
/usr/bin/nvwkfneqknslr -d 1405
1⤵
- Executes dropped EXE
PID:1418

/usr/bin/vhjuhtmyuynwrd
/usr/bin/vhjuhtmyuynwrd -d 1405
1⤵
- Executes dropped EXE
PID:1421

/usr/bin/upwzzx
/usr/bin/upwzzx -d 1405
1⤵
- Executes dropped EXE
PID:1463

/usr/bin/swkkwtpc
/usr/bin/swkkwtpc -d 1405
1⤵
- Executes dropped EXE
PID:1466

/usr/bin/kzdiuakl
/usr/bin/kzdiuakl -d 1405
1⤵
- Executes dropped EXE
PID:1469

/usr/bin/lubnjn
/usr/bin/lubnjn -d 1405
1⤵
- Executes dropped EXE
PID:1472

/usr/bin/ylizklrgvdfqtj
/usr/bin/ylizklrgvdfqtj -d 1405
1⤵
- Executes dropped EXE
PID:1475

/usr/bin/xawpeoqasjct
/usr/bin/xawpeoqasjct -d 1405
1⤵
- Executes dropped EXE
PID:1478

/usr/bin/jdmpwuclq
/usr/bin/jdmpwuclq -d 1405
1⤵
- Executes dropped EXE
PID:1481

/usr/bin/xzpsswnrtn
/usr/bin/xzpsswnrtn -d 1405
1⤵
- Executes dropped EXE
PID:1484

/usr/bin/itdytyky
/usr/bin/itdytyky -d 1405
1⤵
- Executes dropped EXE
PID:1487

/usr/bin/qhwfyub
/usr/bin/qhwfyub -d 1405
1⤵
- Executes dropped EXE
PID:1490

/usr/bin/fqyfyxgdl
/usr/bin/fqyfyxgdl -d 1405
1⤵
- Executes dropped EXE
PID:1493

/usr/bin/rpnfnnalxe
/usr/bin/rpnfnnalxe -d 1405
1⤵
- Executes dropped EXE
PID:1496

/usr/bin/xgnrbufbbxhrw
/usr/bin/xgnrbufbbxhrw -d 1405
1⤵
- Executes dropped EXE
PID:1499

/usr/bin/pvutiv
/usr/bin/pvutiv -d 1405
1⤵
- Executes dropped EXE
PID:1502

/usr/bin/xlrmytywyhtgum
/usr/bin/xlrmytywyhtgum -d 1405
1⤵
- Executes dropped EXE
PID:1505

/usr/bin/cqhsfkun
/usr/bin/cqhsfkun -d 1405
1⤵
- Executes dropped EXE
PID:1508

/usr/bin/gocwopca
/usr/bin/gocwopca -d 1405
1⤵
- Executes dropped EXE
PID:1511

/usr/bin/qhgefjdadyy
/usr/bin/qhgefjdadyy -d 1405
1⤵
- Executes dropped EXE
PID:1514

/usr/bin/ecwlvb
/usr/bin/ecwlvb -d 1405
1⤵
- Executes dropped EXE
PID:1517

/usr/bin/rpoxfqvthavb
/usr/bin/rpoxfqvthavb -d 1405
1⤵
- Executes dropped EXE
PID:1520

/usr/bin/rsnxjqtputmu
/usr/bin/rsnxjqtputmu -d 1405
1⤵
- Executes dropped EXE
PID:1523

/usr/bin/rujynhoes
/usr/bin/rujynhoes -d 1405
1⤵
- Executes dropped EXE
PID:1526

/usr/bin/ypmractavl
/usr/bin/ypmractavl -d 1405
1⤵
- Executes dropped EXE
PID:1529

/usr/bin/twfmmbfyw
/usr/bin/twfmmbfyw -d 1405
1⤵
- Executes dropped EXE
PID:1532

/usr/bin/pqepfnfk
/usr/bin/pqepfnfk -d 1405
1⤵
- Executes dropped EXE
PID:1535

/usr/bin/ehcgluakrumcwo
/usr/bin/ehcgluakrumcwo -d 1405
1⤵
- Executes dropped EXE
PID:1538

/usr/bin/knsfkqrqbcbxe
/usr/bin/knsfkqrqbcbxe -d 1405
1⤵
- Executes dropped EXE
PID:1541

/usr/bin/jmqtqyela
/usr/bin/jmqtqyela -d 1405
1⤵
- Executes dropped EXE
PID:1544

/usr/bin/cxcetszf
/usr/bin/cxcetszf -d 1405
1⤵
- Executes dropped EXE
PID:1547

/usr/bin/tmrjfhk
/usr/bin/tmrjfhk -d 1405
1⤵
- Executes dropped EXE
PID:1550

/usr/bin/nixskhoeidb
/usr/bin/nixskhoeidb -d 1405
1⤵
- Executes dropped EXE
PID:1570

/usr/bin/bghouygw
/usr/bin/bghouygw -d 1405
1⤵
- Executes dropped EXE
PID:1573

/usr/bin/ndmbdbb
/usr/bin/ndmbdbb -d 1405
1⤵
- Executes dropped EXE
PID:1576

/usr/bin/hduqapcjdjr
/usr/bin/hduqapcjdjr -d 1405
1⤵
- Executes dropped EXE
PID:1579

/usr/bin/mtjsbynbgl
/usr/bin/mtjsbynbgl -d 1405
1⤵
- Executes dropped EXE
PID:1582

/usr/bin/aqgmxoe
/usr/bin/aqgmxoe -d 1405
1⤵
- Executes dropped EXE
PID:1585

/usr/bin/etbnegttph
/usr/bin/etbnegttph -d 1405
1⤵
- Executes dropped EXE
PID:1588

/usr/bin/wtjsgwgfuvd
/usr/bin/wtjsgwgfuvd -d 1405
1⤵
- Executes dropped EXE
PID:1591

/usr/bin/xveksso
/usr/bin/xveksso -d 1405
1⤵
- Executes dropped EXE
PID:1594

/usr/bin/xiomoxfhmptli
/usr/bin/xiomoxfhmptli -d 1405
1⤵
- Executes dropped EXE
PID:1597

/usr/bin/fxiazn
/usr/bin/fxiazn -d 1405
1⤵
- Executes dropped EXE
PID:1600

/usr/bin/vrxxtcrol
/usr/bin/vrxxtcrol -d 1405
1⤵
- Executes dropped EXE
PID:1603

/usr/bin/azuugducevnxg
/usr/bin/azuugducevnxg -d 1405
1⤵
- Executes dropped EXE
PID:1606

/usr/bin/ffffgulc
/usr/bin/ffffgulc -d 1405
1⤵
- Executes dropped EXE
PID:1609

/usr/bin/kbhmuxyg
/usr/bin/kbhmuxyg -d 1405
1⤵
- Executes dropped EXE
PID:1612

/usr/bin/gocxjaifprfz
/usr/bin/gocxjaifprfz -d 1405
1⤵
- Executes dropped EXE
PID:1615

/usr/bin/ltkfixacqtdvhk
/usr/bin/ltkfixacqtdvhk -d 1405
1⤵
- Executes dropped EXE
PID:1618

/usr/bin/kbispn
/usr/bin/kbispn -d 1405
1⤵
- Executes dropped EXE
PID:1621

/usr/bin/anahctod
/usr/bin/anahctod -d 1405
1⤵
- Executes dropped EXE
PID:1624

/usr/bin/zzmfhlhmbarwjc
/usr/bin/zzmfhlhmbarwjc -d 1405
1⤵
- Executes dropped EXE
PID:1627

/usr/bin/cpywthewqdzlf
/usr/bin/cpywthewqdzlf -d 1405
1⤵
- Executes dropped EXE
PID:1630

/usr/bin/cpfiugvykpk
/usr/bin/cpfiugvykpk -d 1405
1⤵
- Executes dropped EXE
PID:1633

/usr/bin/lnllnpbl
/usr/bin/lnllnpbl -d 1405
1⤵
- Executes dropped EXE
PID:1636

/usr/bin/uurtmvu
/usr/bin/uurtmvu -d 1405
1⤵
- Executes dropped EXE
PID:1639

/usr/bin/clcrrknzfolv
/usr/bin/clcrrknzfolv -d 1405
1⤵
- Executes dropped EXE
PID:1642

/usr/bin/knykiwo
/usr/bin/knykiwo -d 1405
1⤵
- Executes dropped EXE
PID:1645

/usr/bin/gwwhxnuristbr
/usr/bin/gwwhxnuristbr -d 1405
1⤵
- Executes dropped EXE
PID:1648

/usr/bin/fhqcwbgcoqsmaa
/usr/bin/fhqcwbgcoqsmaa -d 1405
1⤵
- Executes dropped EXE
PID:1651

/usr/bin/rdrpzamovfwpz
/usr/bin/rdrpzamovfwpz -d 1405
1⤵
PID:1654

/usr/bin/incpdglem
/usr/bin/incpdglem -d 1405
1⤵
PID:1657

/usr/bin/weqzhuhwj
/usr/bin/weqzhuhwj -d 1405
1⤵
PID:1660

/usr/bin/iigddavdiwhqa
/usr/bin/iigddavdiwhqa -d 1405
1⤵
PID:1663

/usr/bin/dnzexpttu
/usr/bin/dnzexpttu -d 1405
1⤵
PID:1666

/usr/bin/sdgaarukzcof
/usr/bin/sdgaarukzcof -d 1405
1⤵
PID:1669

/usr/bin/jikhrchdg
/usr/bin/jikhrchdg -d 1405
1⤵
PID:1672

/usr/bin/elzdja
/usr/bin/elzdja -d 1405
1⤵
PID:1675

/usr/bin/efmsrq
/usr/bin/efmsrq -d 1405
1⤵
PID:1678

/usr/bin/ezxdfpk
/usr/bin/ezxdfpk -d 1405
1⤵
PID:1681

/usr/bin/ewjwrvdqy
/usr/bin/ewjwrvdqy -d 1405
1⤵
PID:1684

/usr/bin/bxpmaurhija
/usr/bin/bxpmaurhija -d 1405
1⤵
PID:1687

/usr/bin/rsuwijuycoaz
/usr/bin/rsuwijuycoaz -d 1405
1⤵
PID:1690

/usr/bin/fpfhrnr
/usr/bin/fpfhrnr -d 1405
1⤵
PID:1693

/usr/bin/ximniqtwrk
/usr/bin/ximniqtwrk -d 1405
1⤵
PID:1696

/usr/bin/lejwqgwsuztwe
/usr/bin/lejwqgwsuztwe -d 1405
1⤵
PID:1699

/usr/bin/docrhr
/usr/bin/docrhr -d 1405
1⤵
PID:1702

/usr/bin/ducztvv
/usr/bin/ducztvv -d 1405
1⤵
PID:1705

/usr/bin/gzoisvbkmj
/usr/bin/gzoisvbkmj -d 1405
1⤵
PID:1708

/usr/bin/ogrkxcvz
/usr/bin/ogrkxcvz -d 1405
1⤵
PID:1711

/usr/bin/sxdxrfzl
/usr/bin/sxdxrfzl -d 1405
1⤵
PID:1714

/usr/bin/uljvbup
/usr/bin/uljvbup -d 1405
1⤵
PID:1717

/usr/bin/aymbpnomlnug
/usr/bin/aymbpnomlnug -d 1405
1⤵
PID:1720

/usr/bin/wqoxdbfipaxn
/usr/bin/wqoxdbfipaxn -d 1405
1⤵
PID:1723

/usr/bin/avdmffk
/usr/bin/avdmffk -d 1405
1⤵
PID:1726

/usr/bin/hchxqummackt
/usr/bin/hchxqummackt -d 1405
1⤵
PID:1729

/usr/bin/hwungj
/usr/bin/hwungj -d 1405
1⤵
PID:1732

/usr/bin/ubjujepggxtodg
/usr/bin/ubjujepggxtodg -d 1405
1⤵
PID:1735

/usr/bin/hwqoylqtrbecm
/usr/bin/hwqoylqtrbecm -d 1405
1⤵
PID:1738

/usr/bin/dzmelhq
/usr/bin/dzmelhq -d 1405
1⤵
PID:1741

/usr/bin/ywxxpna
/usr/bin/ywxxpna -d 1405
1⤵
PID:1744

/usr/bin/ukumyvyrqr
/usr/bin/ukumyvyrqr -d 1405
1⤵
PID:1747

/usr/bin/ptsmcvt
/usr/bin/ptsmcvt -d 1405
1⤵
PID:1750

/usr/bin/ueqjwd
/usr/bin/ueqjwd -d 1405
1⤵
PID:1753

/usr/bin/ftauvzdrlk
/usr/bin/ftauvzdrlk -d 1405
1⤵
PID:1756

/usr/bin/tqceorziecez
/usr/bin/tqceorziecez -d 1405
1⤵
PID:1759

/usr/bin/dxjccehve
/usr/bin/dxjccehve -d 1405
1⤵
PID:1762

/usr/bin/kzfvoyhxqaf
/usr/bin/kzfvoyhxqaf -d 1405
1⤵
PID:1765

/usr/bin/sjkhye
/usr/bin/sjkhye -d 1405
1⤵
PID:1768

/usr/bin/aaimqcpsaklkl
/usr/bin/aaimqcpsaklkl -d 1405
1⤵
PID:1771

/usr/bin/hzrozhoehtzq
/usr/bin/hzrozhoehtzq -d 1405
1⤵
PID:1774

/usr/bin/grjkrjsfbwut
/usr/bin/grjkrjsfbwut -d 1405
1⤵
PID:1777

/usr/bin/tuxggp
/usr/bin/tuxggp -d 1405
1⤵
PID:1780

/usr/bin/pcivxbnkts
/usr/bin/pcivxbnkts -d 1405
1⤵
PID:1783

/usr/bin/bfpmopfj
/usr/bin/bfpmopfj -d 1405
1⤵
PID:1786

/usr/bin/zztmupjb
/usr/bin/zztmupjb -d 1405
1⤵
PID:1789

/usr/bin/zaldkiamvkf
/usr/bin/zaldkiamvkf -d 1405
1⤵
PID:1792

/usr/bin/wksalifktve
/usr/bin/wksalifktve -d 1405
1⤵
PID:1795

/usr/bin/ltoaeirxgi
/usr/bin/ltoaeirxgi -d 1405
1⤵
PID:1798

/usr/bin/fpzwjsemrrfrcp
/usr/bin/fpzwjsemrrfrcp -d 1405
1⤵
PID:1801

/usr/bin/pkttygoohuw
/usr/bin/pkttygoohuw -d 1405
1⤵
PID:1804

/usr/bin/tcifhxegiymvpd
/usr/bin/tcifhxegiymvpd -d 1405
1⤵
PID:1807

/usr/bin/sjjywwc
/usr/bin/sjjywwc -d 1405
1⤵
PID:1810

/usr/bin/nmeyhdln
/usr/bin/nmeyhdln -d 1405
1⤵
PID:1813

/usr/bin/dowuuv
/usr/bin/dowuuv -d 1405
1⤵
PID:1816

/usr/bin/trejgwfahqyd
/usr/bin/trejgwfahqyd -d 1405
1⤵
PID:1819

/usr/bin/dpapvayy
/usr/bin/dpapvayy -d 1405
1⤵
PID:1822

/usr/bin/ausanrojhdwqt
/usr/bin/ausanrojhdwqt -d 1405
1⤵
PID:1825

/usr/bin/bzgjwgpifocx
/usr/bin/bzgjwgpifocx -d 1405
1⤵
PID:1828

/usr/bin/pramtwgtk
/usr/bin/pramtwgtk -d 1405
1⤵
PID:1831

/usr/bin/kvhnuai
/usr/bin/kvhnuai -d 1405
1⤵
PID:1834

/usr/bin/bihmgper
/usr/bin/bihmgper -d 1405
1⤵
PID:1837

/usr/bin/uvxmuc
/usr/bin/uvxmuc -d 1405
1⤵
PID:1840

/usr/bin/zdfendsnvhvtz
/usr/bin/zdfendsnvhvtz -d 1405
1⤵
PID:1843

/usr/bin/ydnumfmoqajnxx
/usr/bin/ydnumfmoqajnxx -d 1405
1⤵
PID:1846

/usr/bin/ccgfimulfhjoec
/usr/bin/ccgfimulfhjoec -d 1405
1⤵
PID:1849

/usr/bin/taqhwcmktekc
/usr/bin/taqhwcmktekc -d 1405
1⤵
PID:1852

/usr/bin/brmcxtofv
/usr/bin/brmcxtofv -d 1405
1⤵
PID:1855

/usr/bin/jzcnxlipa
/usr/bin/jzcnxlipa -d 1405
1⤵
PID:1858

/usr/bin/shtkqn
/usr/bin/shtkqn -d 1405
1⤵
PID:1861

/usr/bin/szadctpfq
/usr/bin/szadctpfq -d 1405
1⤵
PID:1864

/usr/bin/txdkhepwdaesdg
/usr/bin/txdkhepwdaesdg -d 1405
1⤵
PID:1867

/usr/bin/sngsoxmfvy
/usr/bin/sngsoxmfvy -d 1405
1⤵
PID:1871

/usr/bin/nhltayoolj
/usr/bin/nhltayoolj -d 1405
1⤵
PID:1874

/usr/bin/tmlpzm
/usr/bin/tmlpzm -d 1405
1⤵
PID:1877

/usr/bin/recekxuklaf
/usr/bin/recekxuklaf -d 1405
1⤵
PID:1880

/usr/bin/huuunusd
/usr/bin/huuunusd -d 1405
1⤵
PID:1883

/usr/bin/nfqsumipbv
/usr/bin/nfqsumipbv -d 1405
1⤵
PID:1886

/usr/bin/jlktbpze
/usr/bin/jlktbpze -d 1405
1⤵
PID:1889

/usr/bin/tbrhdu
/usr/bin/tbrhdu -d 1405
1⤵
PID:1892

/usr/bin/nfkdupummivb
/usr/bin/nfkdupummivb -d 1405
1⤵
PID:1895

/usr/bin/saufkogbnmq
/usr/bin/saufkogbnmq -d 1405
1⤵
PID:1898

/usr/bin/sgmvdpyh
/usr/bin/sgmvdpyh -d 1405
1⤵
PID:1901

/usr/bin/gkynhpyaple
/usr/bin/gkynhpyaple -d 1405
1⤵
PID:1904

/usr/bin/juzrqyfmhagqm
/usr/bin/juzrqyfmhagqm -d 1405
1⤵
PID:1907

/usr/bin/ebcfkpd
/usr/bin/ebcfkpd -d 1405
1⤵
PID:1910

/usr/bin/yuxykjfnubolr
/usr/bin/yuxykjfnubolr -d 1405
1⤵
PID:1913

/usr/bin/ikhrwneduvaa
/usr/bin/ikhrwneduvaa -d 1405
1⤵
PID:1916

/usr/bin/xmrldeciuq
/usr/bin/xmrldeciuq -d 1405
1⤵
PID:1919

/usr/bin/tvgmlyruka
/usr/bin/tvgmlyruka -d 1405
1⤵
PID:1922

/usr/bin/horkkokmf
/usr/bin/horkkokmf -d 1405
1⤵
PID:1925

/usr/bin/yxxedz
/usr/bin/yxxedz -d 1405
1⤵
PID:1928

/usr/bin/kpjszxrjc
/usr/bin/kpjszxrjc -d 1405
1⤵
PID:1931

/usr/bin/qpmnbh
/usr/bin/qpmnbh -d 1405
1⤵
PID:1934

/usr/bin/luoocq
/usr/bin/luoocq -d 1405
1⤵
PID:1937

/usr/bin/mzzuqyhansso
/usr/bin/mzzuqyhansso -d 1405
1⤵
PID:1940

/usr/bin/jyueqjrfna
/usr/bin/jyueqjrfna -d 1405
1⤵
PID:1943

/usr/bin/xhbktufvz
/usr/bin/xhbktufvz -d 1405
1⤵
PID:1946

/usr/bin/csfxkqqrcbiyef
/usr/bin/csfxkqqrcbiyef -d 1405
1⤵
PID:1949

/usr/bin/rgzldckmdw
/usr/bin/rgzldckmdw -d 1405
1⤵
PID:1952

/usr/bin/ybaxuerc
/usr/bin/ybaxuerc -d 1405
1⤵
PID:1955

/usr/bin/cutvwxdvdibu
/usr/bin/cutvwxdvdibu -d 1405
1⤵
PID:1958

/usr/bin/pjmsiskiuvl
/usr/bin/pjmsiskiuvl -d 1405
1⤵
PID:1961

/usr/bin/qktvdshveafv
/usr/bin/qktvdshveafv -d 1405
1⤵
PID:1964

/usr/bin/pmvvqgmbuejn
/usr/bin/pmvvqgmbuejn -d 1405
1⤵
PID:1967

/usr/bin/tjmgfe
/usr/bin/tjmgfe -d 1405
1⤵
PID:1970

/usr/bin/zcwtls
/usr/bin/zcwtls -d 1405
1⤵
PID:1973

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Boot or Logon Autostart Execution

T1547

Hijack Execution Flow

T1574

Scheduled Task/Job

T1053

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Hijack Execution Flow

T1574

Scheduled Task/Job

T1053

Defense Evasion

Hijack Execution Flow

T1574

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

/dev/shm/sem.DGZ3W3

Filesize
16B

MD5
076933ff9904d1110d896e2c525e39e5

SHA1
4188442577fa77f25820d9b2d01cc446e30684ac

SHA256
4cbbd8ca5215b8d161aec181a74b694f4e24b001d5b081dc0030ed797a8973e0

SHA512
6fcee9a7b7a7b821d241c03c82377928bc6882e7a08c78a4221199bfa220cdc55212273018ee613317c8293bb8d1ce08d1e017508e94e06ab85a734c99c7cc34

Download Submit
/etc/cron.hourly/gndvfxefbnohao.sh

Filesize
163B

MD5
3cc128ecd6cffa2c15182e914ae5bd2a

SHA1
ea2d5d92945a4339235da6e58e1c09223548c62e

SHA256
5b9942bb3804ebf2532ff84f44639b224dbab988f61a529a4a5ef60d5e1c501b

SHA512
001bf8d193e09ad230bc38e4178fd799ad668d1ff2a48f40ef2360b62da536eac46a133e36eef5883071dbaab39674bdb84447c4908a241668c2ec871601b0ee

Download Submit
/etc/daemon.cfg

Filesize
32B

MD5
90bbf3c185366e4821c675aba9c6981f

SHA1
97bb4d31f838662eb449f67229f96e0da51051a6

SHA256
bcb8b97c63be47b989b99196954c4c9eb2c3255241c0e52c76b8dbd1aca1b1ff

SHA512
27c11ff41e2f66e3ef427f32938e6538a6cd03235966b2747b8a3059690125edd1bb0f73a00146f852cd945e6052b8736e35c3271d776f6222361b4d7f9b054a

Download Submit
/etc/init.d/gndvfxefbnohao

Filesize
366B

MD5
8fc94272ed141f90e5447dab8f0d4903

SHA1
86434846ad7a9fd259fe28537e9871cd7a9db2da

SHA256
afe6015791a4f8db6833a54774226452f35f2f210274c275977d7aace2087eee

SHA512
7df107d6351705d8804d77cec7903e33fb54f74231e8d616c82b4a019abd4ee95d624061fd5f1580645798260ffb7e2ec8b24c419f630d9f2f4770b75f287dc6

Download Submit
/usr/bin/oahonbfexfvdng

Filesize
549KB

MD5
71f6e19f1643afedeeba3150831f1419

SHA1
d75cc605c51f1f463f730369f78b4d28fe1f09cc

SHA256
43bb39b7e92df0b0cc13747ce7f95b5b28eafdd0b7325e96243a82b1c9dc9585

SHA512
a24e1dc2ac9cf25b198e3ac9fa9b6d0e6a207aca6067d0fd65011db0882ecf43316bdd62dac4d6e2d49fb248f1763d95bba6b7501735a9bdd7696aadbedb5a1a

Download Submit

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads