xorddos | 42629d9d813e59c3d2b7aac0da644ddb1824a8b286b39393ad50a945d51ab363

Analysis

max time kernel
149s
max time network
150s
platform
ubuntu-24.04_amd64
resource
ubuntu2404-amd64-20240523-en
resource tags

arch:amd64arch:i386image:ubuntu2404-amd64-20240523-enkernel:6.8.0-31-genericlocale:en-usos:ubuntu-24.04-amd64system
submitted
10-08-2024 07:42

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

854f9f0fd26d823d0b678b7228154138_JaffaCakes118
Size

596KB
MD5

854f9f0fd26d823d0b678b7228154138
SHA1

ebaed77107d5ba6ff3d45155232d3c3e9fe34373
SHA256

42629d9d813e59c3d2b7aac0da644ddb1824a8b286b39393ad50a945d51ab363
SHA512

217d5d6d7436c98ea7b89d008fb1fd671ca327ba8b61edd48a5507a15717f105ab4d4ace798a90afffcb8ae0062041005777fd6bfd1f31dc014a7ccf9e9d6497
SSDEEP

12288:bfTGy+n69+5rTlFEcMWbHvx5SGEuWdMF6yxm9Ah7Dxu9hc7L:rTG/0+5dq4bHvx5SGodMLTD4XcP

Score

10^/10

xorddos botnet downloader rootkit

Malware Config

Extracted

Family

xorddos

http://info1.3000uc.com/b/u.php

gh.dsaj2a1.org:2849

173.247.233.58:2849

iosapp.servegame.com:2849

Attributes

crc_polynomial
EDB88320

xor.plain

Signatures

XorDDoS
Botnet and downloader malware targeting Linux-based operating systems and IoT devices.
botnet downloader xorddos

XorDDoS payload 30 IoCs

resource	yara_rule
behavioral1/files/fstream-4.dat	family_xorddos
behavioral1/files/fstream-5.dat	family_xorddos
behavioral1/files/fstream-6.dat	family_xorddos
behavioral1/files/fstream-7.dat	family_xorddos
behavioral1/files/fstream-8.dat	family_xorddos
behavioral1/files/fstream-9.dat	family_xorddos
behavioral1/files/fstream-10.dat	family_xorddos
behavioral1/files/fstream-11.dat	family_xorddos
behavioral1/files/fstream-12.dat	family_xorddos
behavioral1/files/fstream-13.dat	family_xorddos
behavioral1/files/fstream-14.dat	family_xorddos
behavioral1/files/fstream-15.dat	family_xorddos
behavioral1/files/fstream-16.dat	family_xorddos
behavioral1/files/fstream-17.dat	family_xorddos
behavioral1/files/fstream-18.dat	family_xorddos
behavioral1/files/fstream-19.dat	family_xorddos
behavioral1/files/fstream-20.dat	family_xorddos
behavioral1/files/fstream-21.dat	family_xorddos
behavioral1/files/fstream-22.dat	family_xorddos
behavioral1/files/fstream-23.dat	family_xorddos
behavioral1/files/fstream-24.dat	family_xorddos
behavioral1/files/fstream-25.dat	family_xorddos
behavioral1/files/fstream-26.dat	family_xorddos
behavioral1/files/fstream-27.dat	family_xorddos
behavioral1/files/fstream-28.dat	family_xorddos
behavioral1/files/fstream-29.dat	family_xorddos
behavioral1/files/fstream-30.dat	family_xorddos
behavioral1/files/fstream-31.dat	family_xorddos
behavioral1/files/fstream-32.dat	family_xorddos
behavioral1/files/fstream-33.dat	family_xorddos

Writes memory of remote process 2 IoCs

pid	Process
2443	854f9f0fd26d823d0b678b7228154138_JaffaCakes118
2455	Process not Found

Loads a kernel module 64 IoCs

Loads a Linux kernel module, potentially to achieve persistence

rootkit

pid	Process
2443	854f9f0fd26d823d0b678b7228154138_JaffaCakes118
2444	Process not Found
2449	Process not Found
2444	Process not Found
2444	Process not Found
2456	Process not Found
2457	Process not Found
2455	Process not Found
2444	Process not Found
2444	Process not Found
2455	Process not Found
2455	Process not Found
2455	Process not Found
2455	Process not Found
2455	Process not Found
2455	Process not Found
2455	Process not Found
2455	Process not Found
2444	Process not Found
2455	Process not Found
2455	Process not Found
2483	Process not Found
2444	Process not Found
2485	Process not Found
2487	Process not Found
2492	Process not Found
2493	Process not Found
2489	Process not Found
2491	Process not Found
2494	Process not Found
2495	Process not Found
2496	Process not Found
2455	Process not Found
2455	Process not Found
2444	Process not Found
2444	Process not Found
2492	Process not Found
2492	Process not Found
2493	Process not Found
2493	Process not Found
2494	Process not Found
2494	Process not Found
2495	Process not Found
2495	Process not Found
2496	Process not Found
2496	Process not Found
2455	Process not Found
2455	Process not Found
2492	Process not Found
2492	Process not Found
2493	Process not Found
2493	Process not Found
2494	Process not Found
2494	Process not Found
2495	Process not Found
2495	Process not Found
2496	Process not Found
2496	Process not Found
2455	Process not Found
2455	Process not Found
2492	Process not Found
2492	Process not Found
2493	Process not Found
2493	Process not Found

Unexpected DNS network traffic destination 19 IoCs

Network traffic to other servers than the configured DNS servers was detected on the DNS port.

description	ioc
Destination IP	103.25.9.228
Destination IP	103.25.9.228
Destination IP	103.25.9.228
Destination IP	103.25.9.228
Destination IP	103.25.9.228
Destination IP	103.25.9.228
Destination IP	103.25.9.228
Destination IP	103.25.9.228
Destination IP	103.25.9.228
Destination IP	103.25.9.228
Destination IP	103.25.9.228
Destination IP	103.25.9.228
Destination IP	103.25.9.228
Destination IP	103.25.9.228
Destination IP	103.25.9.228
Destination IP	103.25.9.228
Destination IP	103.25.9.228
Destination IP	103.25.9.228
Destination IP	103.25.9.228

/tmp/854f9f0fd26d823d0b678b7228154138_JaffaCakes118
/tmp/854f9f0fd26d823d0b678b7228154138_JaffaCakes118
1⤵
- Writes memory of remote process
- Loads a kernel module
PID:2443

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

/etc/cron.hourly/udev.sh

Filesize
146B

MD5
ddb9a901eadce597284d68ebd9fe9311

SHA1
1d26318bbe55f2f936ae1015df656535427083c2

SHA256
3bb8ebd394bcaea3f083d93daa3c3bcf918a4618f84ab45a1942759d16b070fc

SHA512
e94bd51f02c323d2376e666a9c56a87c2f55d1805b44762d4bc6d5d60ca52e85ce996ba51142213ba783ac858660a3ba254988215b0f4d398b1e99bf132a5d1c

Download Submit
/etc/init.d/854f9f0fd26d823d0b678b7228154138_JaffaCakes118

Filesize
495B

MD5
84444702c5feb55fbf829afc86f17cd0

SHA1
3ec25067adc672fcb6c393cc7554a92b572bfaf7

SHA256
80e738ff488c384e18c3c8a6e2f91beec54e81fb2d48ba3d01ea8b1103d805de

SHA512
a7d4ccf6c2b3f82af2f7fd852d2c33b321cf3bdd755e4b2d968484d8c715a785dda0c90d7d9af399307a71a7bab6534a35d311b18e30e9c50642ca54390bb5cb

Download Submit
/run/udev.pid

Filesize
32B

MD5
f15d857df5957d112c805c92e7d4d1d4

SHA1
9743ef428746e6bbc22eebd16cc83d5b5aba3512

SHA256
f3d5cb8bcaf9066bd460a0fe259fddf72ee92981f60a9df4c938ac45b2e8d7c1

SHA512
911169cf0e5ffd749676007d8ff7852da54af1e395e6ed933b8c836855df0c41f1be8230c2ba93b845cb432d4c7c83bd8f8390ae3ecfd74954f4dde422abe173

Download Submit
/usr/bin/aiykszowvd

Filesize
596KB

MD5
653d17df268fa2f288a00292cc0fbb65

SHA1
91c6091029545ebd337b4ed1242adce43b62dc1f

SHA256
c5025f82ceacccb32686067200feb86ba870185cea33ec87c68de2f981382ae9

SHA512
2f7c7a99f8c7295a490504c2f56b2c45ee1d8627164334146a63051c9d5ded35935044931ae41ae023fb64e5f780b741e91c269f61ec95bd9fba3412eef2621d

Download Submit
/usr/bin/apsjlfvwsq

Filesize
596KB

MD5
0e809ef7671a5e19870543c1f8d8f0b5

SHA1
664f517e221b907da97f6758635c783e0b374d87

SHA256
a717187ad29faad91ae04787552c9e575ec6f6c186daccc0e1d8c56a28135de8

SHA512
777e4a10c7a8b6e4045095797293e7f7a94ce9d3261d993cc9ffabd5e345ec63dc22a55c90b1ad1cfdd6630090a418fbb7f4f9f5a1fa7891c55292110c1251c7

Download Submit
/usr/bin/awdextsvqj

Filesize
596KB

MD5
900f31a709538c3c9dfaf8298ed7798f

SHA1
6eae2dace0b8d9ef28377a3db123745f2c6a5c7f

SHA256
c7c3a7b883182898f21db5c88a08f5d6ccaae2c08a3c90372e2abf10e6f296fd

SHA512
b71c31645b8c520d8080d34f322df7f4c0d9706bc1170733aed2c557946b3c9b2df931d5ac429fc52dab555c29801a705648cd00e73eb91b44c0faac3de7b183

Download Submit
/usr/bin/bdsehawakp

Filesize
596KB

MD5
3646a1b7c9e4fa5fbc91e9558d3f29c5

SHA1
97ff56b2246ac1c35ccd099c447820027de44dc4

SHA256
af5e376f9ac2b74d725f71c9508380300b099cb2ea011c73d399c6b8274b5fc3

SHA512
fa511fd2d8a494a09af700992060e4ab4fde40ac5a661a47f7dc1a620c1266ef469e25992816253f3c21db5b2765c7e69786f7e0a799157cc03341ac315973a5

Download Submit
/usr/bin/celjsktscr

Filesize
596KB

MD5
c5804fc054c7d38e495d776d5be195f8

SHA1
0f7891127404408bfe11c21187e9875bf8398088

SHA256
8182d6ba2aec89b58ff64c54763d586ccd95992f5528696ba218987aa251d105

SHA512
f66472a75fc6e4ed3f2e5d56d3ca9d5a76d462962206c10358cded18262d4d497bd9bef0dddf31f66a569fabf26fe90fc2be884f843d4d45e2b98117e8a62c8b

Download Submit
/usr/bin/earemdhdio

Filesize
596KB

MD5
452f8b4a2d7a1c6dd5a46abd826a85a3

SHA1
fa181e42ab9338fd23c07d48a66ee77c85b7f6b2

SHA256
bbf0d7dacfd14935c1803441cca96f20d33632c42f1bf5315f53ec073fe58520

SHA512
bfaa22a56f3e5b608daf267fbe05bf07a425dcc41cd652bdf056b07fb3ba4c4541f58c15be77f6b34f8c93d5b626d00e5d146a31ca97c8fc40452bc2e2c9be5c

Download Submit
/usr/bin/eberqsbjro

Filesize
596KB

MD5
91f558f5042003b2bd212c99b3235a99

SHA1
007c084a08e07cb038a9b5527ade4e0837e6c890

SHA256
0a0829fc4800d6bf95f99af87ab498311c57913d65a83bc8a94433f71ee5c329

SHA512
79f7be61378c39a1293c7b566d784604855ab89035e58f1a4a4443091dd0da94de63e86906501192d77b3ebb30c40873749f903f209b6379bb911eef8366671c

Download Submit
/usr/bin/egxrwexwao

Filesize
596KB

MD5
0c1d75c484cf4f13c9479ec94b21be11

SHA1
f93da8ba923529dfb28e7035b3254b84a18820b5

SHA256
0b08dca94abd65b280c3266590df63374416346184606c092c2c17e76d64413c

SHA512
af3d2a70609f70c97383ec59ded82aff8d229475df730b9f1c0e8e5f5f021fc1806fd191f2fda41fa36542b7bd6cf968a58a77fe6b6215f20fd0c5ae7b4cd9e6

Download Submit
/usr/bin/jdimftilly

Filesize
596KB

MD5
97e0833907cf071f41a6b6d64afa3db9

SHA1
50eda6371569007b165d2aa5748933d22e2ef8db

SHA256
0c45981182a1fe032fb6176eb20c8ae48c9b82f1790fe2a6aee8763890be76d4

SHA512
2b5d50f265645e4db7ac1b9c5b2d7903bba09ce115a64036ffb552326a650526692a1882d5ab69443f4a0f8d31d1678155e7ee6045407ba3c7915c7de21ff7db

Download Submit
/usr/bin/kecnclrruf

Filesize
596KB

MD5
119006a85a75c02623e99803076b7f62

SHA1
ef79423fae9fcd36ccae8808173dc589d0025afd

SHA256
a8aa5e934e1c41d33057d3a90d5584037937a9b6e073aa8d9972a5aaed492f18

SHA512
080cdde2e16bc445227b890bfb2dedd1943ec92f65ab4ca45f09bd852e87ca7a9e6c66285aa597da830237de7cc237d72a5a4eff98c107903d8f85221f97bc47

Download Submit
/usr/bin/lcqbkqeqos

Filesize
596KB

MD5
2eb85e7ca34e86f064f481e89fed2052

SHA1
6c90d50ec2bc001568a37731dae07589b6b7d52f

SHA256
b056f5d3e22296a92b2b1827b99b63d66f94fa454a8b47648745215741e5c5f3

SHA512
5517c0fb88ea15cbd5b70b0b1c6d318f0ea03b7c8fe19071757972976a5bd49192434cfab91a03ebce80eef9fdbb11cee0bd886a145070768d900d8648ca8b6b

Download Submit
/usr/bin/mkhzlssqhp

Filesize
596KB

MD5
2cfc6046ca787b205bf8dc8efadc52ca

SHA1
03dc52d36465945776097ccf74c848145ce40066

SHA256
e350301a8651a6e63a61632165326c87b686730d378ddd93975c0fb5cccdecb9

SHA512
132daa563a7eba9a31ffdba29323e143c3ea552f8d5c9b84f4f0c4c14ebf4dc31cdbbf83f3c3fe9b9a08ab446eae74c6fe41a92f4c2b14c8a532dc3d5cc43399

Download Submit
/usr/bin/mkuuxeruvn

Filesize
596KB

MD5
93cfdeecefafa869c7fb080bcb246bde

SHA1
1b1f8f5f9d5883ad3e1ad89131d3ede7cfe5db0f

SHA256
b6b424992bf9c71e3922e7a70f0547c2ca89c84ca693b2984030a7f2cc604e38

SHA512
dd932c7b3aa10f4b9ff81d0be575a6d8d2575b0049d7f26cfb00a50f2dab53cd81d64630a64050430e3d512c85ba9462423762bb1dcd75c957fbfccae805ed33

Download Submit
/usr/bin/nafczzhmoi

Filesize
596KB

MD5
d415fc942e9ae7b859c6940307cd6e1a

SHA1
1f3fa7bfca7ddb4b8f02a8b367c722740fb13e97

SHA256
13e0b8ea82c35d54f64dd0eca8279fe90e936d2e555f36d558fb4fb8c15565d1

SHA512
413c195deab55dddce5fd617a49749e633b4c7f831ed9860581eec182ab7ecfc8540d5ee7da49f610746d98db6084b1b920ca5ef07e77f8becd9c810a87b3a40

Download Submit
/usr/bin/ncraprehro

Filesize
596KB

MD5
cd3a1757dc08f35a3aa2fb297b678b99

SHA1
501635f0f6fbb84038fcadc59e46fcc6b52b8f38

SHA256
a50df380fb1fdd503424b485f53650ce26fde14609567170f22f0f5cb140ef79

SHA512
1e11eae7ab0f52d5ff5215b9999761e2e5837760380f1de5691c561d20cd4792cd15a1550e3b91dd6633bef6fc2d601f12ce62876541ffeed33564d5e67cfe80

Download Submit
/usr/bin/nkepnlywie

Filesize
596KB

MD5
b60e5ed45dd6798de89812258fefb513

SHA1
bec57173fcbc115dd15d5087db91d147672e45ec

SHA256
f835bf5740d5e6aa222e57a6bf9dd239f14f767c10db21f64fcaccd43a3f59db

SHA512
05e3650aec4da6e1df89e7c82341e66d9b3173bb070d672e464135926ffd23565c30af0c4fe1e247c1f305e87ad025480cd254c544a56db0799a08b23097103f

Download Submit
/usr/bin/nkyyftkqzi

Filesize
596KB

MD5
0474157c96e5e48ddabde3a3abf0f23c

SHA1
85caa1ed2c329abcb6cc336c8e211312920ef487

SHA256
4355516a1ee5bb2b173619d3177ac595a27a6ee452b6e193fa643360c3e118fd

SHA512
838e0adaec0bc58d76c4d476910105a9601e6cbac85c362cf866dc1d2e8be2f4ec095a6204b1be266ca54c4723eebd05b5c7d674f5968729165ae3d3a2bbb64c

Download Submit
/usr/bin/ridtjrnwtz

Filesize
596KB

MD5
98dc6a746cd39e1c0bf98300e0b184d0

SHA1
2a80436c9a4be1a6c74b750791ddadf6cdd35911

SHA256
e39c309440435a511415e4ea28541032d422c22ed03d8e17c1cb671bd769a8cb

SHA512
2d24c9920887f0142d28421b21810abc7a259550394c5b1efe85334b494b0e6a48f4f81fb62488d6c1299573b561f554f660fc6a973fed45ebb8d4a6711a90fb

Download Submit
/usr/bin/sicpolvvue

Filesize
596KB

MD5
371074aec974c87c952183b9f94bcf89

SHA1
48e2de1d38062e9f72f4da4badffc4c8f34d7d31

SHA256
be20d5a1b3d4eda9f9f7d6e2ec037a8e43c47e5d9475572045aad1199c786328

SHA512
3d99d79d9984ed3ee712ec2257e8ab39aebbac7ce3605e1be7017431e7ed54cc11402010d8320fcd09171e887e64367127cb21316043ef3a47fb466641893aac

Download Submit
/usr/bin/skmdjzpxqm

Filesize
596KB

MD5
dee8e28f885f6b17c47d7c3d10b2e661

SHA1
e1726cfc38898eb517461bad320ef983328083d6

SHA256
9ba9769528665ed699dbac4f3765088885efebc82e4222e5f4864bcaecc3cec3

SHA512
79b9aff17d5e0342672677421f6011effb6ba83571c99cc8ef96f0caa2f34e985e5c5f34dee480911031232dfd0a626f01ae93bf03627bf3bd54360e98c907c1

Download Submit
/usr/bin/slbkvajwsj

Filesize
596KB

MD5
71b0dbe1950ded8b6f54ae9dcf4938ec

SHA1
14ef5a710d82105fddcf6cf2abfd1c035a9eeedc

SHA256
caa001961f14dcc5c884d8e3ef52e709976a8089a5a1300f6629245fb602b527

SHA512
8fcac4094a615e2168ad60d9fb35933fff8ca35ab60ff35e365b01170792a0b137de23753c3f7772d7d5cd000e9494764c9bff5346ab4fc3a7a06a624f4e19a5

Download Submit
/usr/bin/timrlnizlr

Filesize
596KB

MD5
208a6fce16581318b10bf71d3b34befd

SHA1
c9c73bc65ccfcad60a6c65ffd9e84f23224ef97e

SHA256
3791f8b7888aaaf75c16669cfaff37038b530f547ad2832bbcc15fb840634fcf

SHA512
bcba78a71294c7d5fdc73231fd8fbc4ca28d2e9bbace8669aa119828968b90c3356a0b2f1d07196f05e4be2c5a520b292c4c7dff336bf1cb28045979bac41fd7

Download Submit
/usr/bin/usnuqfewaa

Filesize
596KB

MD5
068d068c7e47ed66e3c2b1ac8beb8611

SHA1
0c941b6e8eb28a1d74d0ecba165e0b371b6fc115

SHA256
c478566db9dfb1d55d0be2a3abfea0261367bc2fb40b56f10f7e44c6b219759e

SHA512
a834c908f7603de89f21fd82aca1e22d0da207551738b2469c50e13674f44889561cfde4ad1a565c10454c67aa926aaca5e59a84c793a62429d4c1d779ae7738

Download Submit
/usr/bin/vjmcayzoqc

Filesize
596KB

MD5
02da8419221f2db85f8dd0c05ad359a0

SHA1
2194aa5ee38edea2ac13034e1b0d34b9f2cb4daa

SHA256
221ccdec6987073a923242d1bc643d65c63b5c23d3136d5d170c20c5b42c3975

SHA512
f89ad80ed190ae3cff06fc7a4731d0e0b8f23a028188f4042c1c6a0d9e0b43940c677cb8ca9ce0971f9434effd6136667f4ed8411ddc8992c5d86ef03babab6a

Download Submit
/usr/bin/vspgizayro

Filesize
596KB

MD5
4dbdfdf0db6ca50e11e099484e0b016d

SHA1
553c684456d7a67570eb7b126bfa476417abe35d

SHA256
6b69bafde92041f3d93b24c7a0d162f82e3960b776b1a3103d9810fa4efae97d

SHA512
1ac855ea870954e6a7113723a76162a9a0a72754cec0ae762265dedfcb3cc35d20ea47218220c0d9a502504647799ed61ae9f0773d335ae1075e9490fe718107

Download Submit
/usr/bin/wmdmimijac

Filesize
596KB

MD5
ae88108374eae744f8211d1fc5796b70

SHA1
19fcc9cba26cf38fa8edf1885086310cd7a0343c

SHA256
8a105abaf2870191e93c0c9e200b43687ffb65bd9d8f712b0d90222399898cf4

SHA512
e59cd4996100816b60fc6eca81d91415f71661c125caf8256f0b2e40266edd8a344e2dbcaf339519750a2c5fc38086f59fdb735608328ded9fa483ed8a1a860e

Download Submit
/usr/bin/xasjpfkdtu

Filesize
596KB

MD5
3cc9fc8d7c71de3935e0799832a06db7

SHA1
23fd7f005a05c63181952ea7683f4a3130cafd8b

SHA256
d6af5eeb89fc4b16b449da4a2630b3e8ba83db34e5c8af212097050068a618c3

SHA512
a86bfc80000ae3d267539f30d9d410f7c69aa0688a0ef93bdde0ac26613f4e9c757bbcaa030011c5a106fd0c542f7230c86393f256a5c809a50a952d79762a00

Download Submit
/usr/bin/xworslkxrk

Filesize
596KB

MD5
998bccd5f01b71c908c8be6d1720eceb

SHA1
a6a532325322ffba5ec21caad22c3ad62dcdbfca

SHA256
d879a15a71371631afe873d21483258f50f12c1b809daf8a05fcc92e2891c4cc

SHA512
aeb40ad277957f985a4b4818c1a6105a2d6f26dd0e888e7ad452d52bbfcffe74dab502ca12362cbf6298b466af33c7308f6ac6c5e4d57294098c2c445590c7e4

Download Submit
/usr/bin/ywjkytrncd

Filesize
596KB

MD5
0f351fc3e7bd3c85c94021229e2567ec

SHA1
465348e2d7b2238079c5b20be15fc349f5ae6b10

SHA256
1081323354032d67d6c76cf505f3868677f9efbe8717c3a2d70be7ac345d6cc3

SHA512
17bc28a68a211d98ce04c4ec6981da7461af4e3c8fdf0d05789bfdf78fc4d0fc8d523faf06848200ab8bf1459fd9d1115e1facc441d9c0492740354fb3a3bc21

Download Submit
/usr/lib/libgcc4.so

Filesize
596KB

MD5
854f9f0fd26d823d0b678b7228154138

SHA1
ebaed77107d5ba6ff3d45155232d3c3e9fe34373

SHA256
42629d9d813e59c3d2b7aac0da644ddb1824a8b286b39393ad50a945d51ab363

SHA512
217d5d6d7436c98ea7b89d008fb1fd671ca327ba8b61edd48a5507a15717f105ab4d4ace798a90afffcb8ae0062041005777fd6bfd1f31dc014a7ccf9e9d6497

Download Submit