xorddos | f5b098419bdcd2aee198c074b895e113fb7cac9132ad1b592005d31f1394ad3f

Analysis

max time kernel
149s
max time network
147s
platform
ubuntu-24.04_amd64
resource
ubuntu2404-amd64-20240729-en
resource tags

arch:amd64arch:i386image:ubuntu2404-amd64-20240729-enkernel:6.8.0-31-genericlocale:en-usos:ubuntu-24.04-amd64system
submitted
17-08-2024 08:32

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

a1da9b563db9056c96523a8727a279e3_JaffaCakes118
Size

603KB
MD5

a1da9b563db9056c96523a8727a279e3
SHA1

264124d50c9c25cea15459acb662b750bd7987c5
SHA256

f5b098419bdcd2aee198c074b895e113fb7cac9132ad1b592005d31f1394ad3f
SHA512

1418a5fc3fd23a0b10533a60ab76cfd71cd0894c0bf8fdc859fdc27a3673a4f5fc63320ab4e0aab81eefeaba933266933a74e60021a3985bb5dbe8ca90a93aaf
SSDEEP

12288:R40XBrnlTCbI5ZBP5IePtqLn4yFeC+oT6ygF9b4elMuThmVF:e01tCbqNNPtqLn4yFmoEbdlH9mn

Score

10^/10

xorddos botnet downloader rootkit

Malware Config

Extracted

Family

xorddos

http://info1.3000uc.com/b/u.php

gh.dsaj2a1.org:2857

navert0p.com:2857

wangzongfacai.com:2857

Attributes

crc_polynomial
EDB88320

xor.plain

Signatures

XorDDoS
Botnet and downloader malware targeting Linux-based operating systems and IoT devices.
botnet downloader xorddos

XorDDoS payload 30 IoCs

Processes:

resource	yara_rule
/usr/lib/libgcc4.so	family_xorddos
/usr/bin/mbldbrrwxz	family_xorddos
/usr/bin/hbaydgyhvt	family_xorddos
/usr/bin/xaetkymvxr	family_xorddos
/usr/bin/cyqgngtkbh	family_xorddos
/usr/bin/nhkxghlkxc	family_xorddos
/usr/bin/aypykurffi	family_xorddos
/usr/bin/quvreytgby	family_xorddos
/usr/bin/zwdegtcehr	family_xorddos
/usr/bin/afksytkotp	family_xorddos
/usr/bin/eesulauykg	family_xorddos
/usr/bin/uuhlvvttuf	family_xorddos
/usr/bin/hhcemtcgka	family_xorddos
/usr/bin/opkejfauqp	family_xorddos
/usr/bin/acadoemepg	family_xorddos
/usr/bin/fniemhlzbc	family_xorddos
/usr/bin/hxmkmhmsvi	family_xorddos
/usr/bin/ccjrvycpeq	family_xorddos
/usr/bin/xogtmpdyqz	family_xorddos
/usr/bin/pycshzlyqb	family_xorddos
/usr/bin/cpowrbogik	family_xorddos
/usr/bin/sfgfuvimll	family_xorddos
/usr/bin/ppcovepyba	family_xorddos
/usr/bin/ijqijukhyo	family_xorddos
/usr/bin/cyfxztydla	family_xorddos
/usr/bin/hfxpkrfnas	family_xorddos
/usr/bin/gyxqkyrfkm	family_xorddos
/usr/bin/eurpendeks	family_xorddos
/usr/bin/muwtysnheu	family_xorddos
/usr/bin/auxhsfaacn	family_xorddos

Writes memory of remote process 2 IoCs

Processes:

a1da9b563db9056c96523a8727a279e3_JaffaCakes118

pid process

2483 a1da9b563db9056c96523a8727a279e3_JaffaCakes118
2495

Loads a kernel module 64 IoCs

Loads a Linux kernel module, potentially to achieve persistence

rootkit

Processes:

a1da9b563db9056c96523a8727a279e3_JaffaCakes118

pid	process
2483	a1da9b563db9056c96523a8727a279e3_JaffaCakes118
2484
2489
2484
2484
2496
2497
2498
2495
2484
2484
2495
2495
2495
2495
2495
2495
2495
2495
2484
2495
2495
2522
2484
2524
2531
2526
2532
2528
2530
2533
2534
2535
2495
2495
2484
2484
2531
2531
2532
2532
2533
2533
2534
2534
2535
2535
2495
2495
2531
2531
2532
2532
2533
2533
2534
2534
2535
2535
2495
2495
2531
2531
2532

Unexpected DNS network traffic destination 30 IoCs

Network traffic to other servers than the configured DNS servers was detected on the DNS port.

Processes:

description	ioc
Destination IP	103.25.9.228
Destination IP	103.25.9.228
Destination IP	103.25.9.228
Destination IP	103.25.9.228
Destination IP	103.25.9.228
Destination IP	103.25.9.228
Destination IP	103.25.9.228
Destination IP	103.25.9.228
Destination IP	103.25.9.228
Destination IP	103.25.9.228
Destination IP	103.25.9.228
Destination IP	103.25.9.228
Destination IP	103.25.9.228
Destination IP	103.25.9.228
Destination IP	103.25.9.228
Destination IP	103.25.9.228
Destination IP	103.25.9.228
Destination IP	103.25.9.228
Destination IP	103.25.9.228
Destination IP	103.25.9.228
Destination IP	103.25.9.228
Destination IP	103.25.9.228
Destination IP	103.25.9.228
Destination IP	103.25.9.228
Destination IP	103.25.9.228
Destination IP	103.25.9.228
Destination IP	103.25.9.228
Destination IP	103.25.9.228
Destination IP	103.25.9.228
Destination IP	103.25.9.228

/tmp/a1da9b563db9056c96523a8727a279e3_JaffaCakes118
/tmp/a1da9b563db9056c96523a8727a279e3_JaffaCakes118
1⤵
- Writes memory of remote process
- Loads a kernel module
PID:2483

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

/etc/cron.hourly/udev.sh

Filesize
146B

MD5
ddb9a901eadce597284d68ebd9fe9311

SHA1
1d26318bbe55f2f936ae1015df656535427083c2

SHA256
3bb8ebd394bcaea3f083d93daa3c3bcf918a4618f84ab45a1942759d16b070fc

SHA512
e94bd51f02c323d2376e666a9c56a87c2f55d1805b44762d4bc6d5d60ca52e85ce996ba51142213ba783ac858660a3ba254988215b0f4d398b1e99bf132a5d1c

Download Submit
/etc/init.d/a1da9b563db9056c96523a8727a279e3_JaffaCakes118

Filesize
495B

MD5
7d49d819bbca3670774f74f7374b6aaa

SHA1
53907f359c0bb363c3886b2719cb692fff7ac9dd

SHA256
f22d10d84e2c8bb713d91d3ab87331f6764de3533ae204b2781068f490559724

SHA512
bf37979854ce1db3f847be238bf7a997f261376326f059992c46df7002bc398b2e0ba16aae58be878d8a8cc8f78e6c83580ed67f4bcb4b997a2ddd751a49c5ca

Download Submit
/run/udev.pid

Filesize
32B

MD5
4821f79095077d017edea7332d32b998

SHA1
7dd7dbe87d4a7112ae677f3116b7a942d6f42da1

SHA256
da05aedd91d70ace493dd352f513d13a5598a536360500609059055798995c49

SHA512
20880e091f121220cd4c1d39f320ac05678b637a280feb2ded7f6329c5b8160a79c365bb43b2f259afe285c63827a413a41635b876954b135a13bd29a931c251

Download Submit
/usr/bin/acadoemepg

Filesize
603KB

MD5
6e857305df81facd9605c0a8ce3e3f2b

SHA1
ed7f1e44fa2f5d27c8cc4b81089aace0fe7458a8

SHA256
486f23b1be647c6a0bbbf7c0d035b11a6f99fd3f46a0229619187d67ec3b6277

SHA512
3647ece422faffad598c4d03fa48364cd30f2e2d4849fe818ad88844cb2ad28b89bd04aca4245bca23a3a7077a7ff9fdb338127e859639d275241ab878ca6246

Download Submit
/usr/bin/afksytkotp

Filesize
603KB

MD5
06c450579d0828d9db8a287daf7c6498

SHA1
e15139c020eb5e64ba31b615adac3511be6171ef

SHA256
154edbeaa343ff679719548b8c5561089a021a0e5165e2dc72b44e154326ea7b

SHA512
21a30c05b42257259282656fe62521c47daed5d8848a1a851e3049cb12b440f2da3c0809cbefc07960d4d9bb3d493548120b6a4cb11e87232aabb40baf2284fa

Download Submit
/usr/bin/auxhsfaacn

Filesize
603KB

MD5
31ed4228e0c280017ad5a8767a01383a

SHA1
c3259243690b2fe4e8b9e41c32d98f59eaf634f4

SHA256
0f2ae73cbae7fc32a1ea95851772e99ea5a34abffda98c700b392ece56b63b2c

SHA512
04d06129dc1613b8d267d34fd8552b59e2918d7b343a4a8cd39a1048ff7596108cc07125ae2481691e9e38ba315b86eeb99b7bbbc7e08702dfd652f563ce933b

Download Submit
/usr/bin/aypykurffi

Filesize
603KB

MD5
9abde0b2643f3ad809bb0dea1eb83239

SHA1
a5aab1071d337a4d260609a4a0f828408cd8046d

SHA256
3ba67cb87cf326b404df9aa6b19eeaf6062a78462c250a0b6be97780d09ea4ae

SHA512
cc8dcd1f7ac324684d3898fcf6ebd0eca4dd9ccb6345413afa4c63932a76418f5202c9cf065862e6cfcf6dec5c9965e2b847deb6091679d18315f488344530d3

Download Submit
/usr/bin/ccjrvycpeq

Filesize
603KB

MD5
3cbc7c968e0ebc7d473a2c0671b26898

SHA1
28b28e6748e7a14d1e94fcd7d920753c96991ae0

SHA256
3713e6ef4f4168eca994dc6ca61be9f0d344ef59f59009b7d354c6f91a914fdd

SHA512
a20078c056288b579b2a0ecbd8e7d9cdb6452d2ee2ddc8a9dd8c9cf3488b9d95e39a53b444b4e9be8e88dc166deb9c56dfb968045c736d19fd31d370ad62f6c3

Download Submit
/usr/bin/cpowrbogik

Filesize
603KB

MD5
cb5b23b4198536ed1ab851e82642ed10

SHA1
054a9d7cfc7da320d227c104001d79b384b2b011

SHA256
96422f7ddecb2753d230b981c476d86d01fcf165710a13f4b4c85a7f93dfa3d4

SHA512
177fa71e31ed87a4693d85a90b512685e2aaf1f3577d864f2d5e7090501e92e5092c843f248edb43e10bec89129daa90e9277d5c8da68ff0839218ff7a2415bb

Download Submit
/usr/bin/cyfxztydla

Filesize
603KB

MD5
1a45a63f96de636377abc2b6604dbb5f

SHA1
91fd0a616ffa3e36f7760d4af6577fa911ccf09a

SHA256
03e42c693aa4e504be63980d3e25b0e13f812988b2afc5df64f4a24b5ca99246

SHA512
090ee4bf61d0aa9113d6b7b9c67735d6ebad30db1c0e8d53aeb261822682523e35ae3c52890d67a95690b86811441c59b057af89d784408a55b6205bf843fb3a

Download Submit
/usr/bin/cyqgngtkbh

Filesize
603KB

MD5
a80b758f741156b117127b331385e172

SHA1
ae0fa1b22c274793a31c1a739922e470bc0f5de9

SHA256
07b185f1da8bc8c9f69e60f9b49a4868938cab830509884218cd103194d7bf60

SHA512
5a10cb73a714fd854716dc179c524b713a7ec7a8c3f6ec9871ba299ebe1b5389a1b3cc1ada368b14352f48751a0d15fcaca3a71d3e58c3e3ff1067b46808ae65

Download Submit
/usr/bin/eesulauykg

Filesize
603KB

MD5
eb04fb91920536aea7cbe0e5468b7683

SHA1
e8661f2ddf379c37b85d48ea39df0faae5e8e06c

SHA256
abe23a2a37fa61d88be0e2880b46e2c48e3b1252e9f555f75f6394e50d193d94

SHA512
e539fc67078008b551121212480555b60b05e1263f1f8f6f32b0ebd20b8f9c648cc09d66ec44639f508640b280ecbf0d31b647016f5dcb775b80918a6694a50f

Download Submit
/usr/bin/eurpendeks

Filesize
603KB

MD5
c4a396bc154937c7f81336cc54f3be8f

SHA1
151b41a010d1d068c7ea364fc6faea8dd36855a4

SHA256
341a8dcc8361e7b0f22a340559b20343403c67858a5d6b381badb7f378002fff

SHA512
093673e4b7ae8096212eaa6f3806bf19d00293471cf1d5410fbb6a1645d1e39870a545e8aab455ddb84b78000bd5fe39b981c496fca7bcd89bfe791c5ea10636

Download Submit
/usr/bin/fniemhlzbc

Filesize
603KB

MD5
53c266407288eddb4fbd17eb97aade6f

SHA1
574a6169fbd2f5716900f6fbf401245b983ddc09

SHA256
87db5c5996f5d55446e8d0f7ecaff38511bfe6712476ad08c249e79a7dbb3d94

SHA512
e6e184af75395a1dc1044a3249694d29e90904a0546a6480c321e07c4eb7ff3993c5ffd4dc936ecc324363c7e795645b1ee0b3c70a1a0d3ffba5d37aad66251b

Download Submit
/usr/bin/gyxqkyrfkm

Filesize
603KB

MD5
dd5710fa08644c2fd3be96c29e166535

SHA1
396dedd3c8c93279806412edc991c1b29f416960

SHA256
62e704b5dea2d34d2db41d24137f9e62542251f57a7c7cdedcb4841e4dd5afbc

SHA512
2fff65fb3315abe8eb1e0f82c64badc060cc270261540eb64d61bb2037c6915332ac008d3cd49f7899515e6dcd1c4f1d70e20f522d2ebe74fd8100648c12eee0

Download Submit
/usr/bin/hbaydgyhvt

Filesize
603KB

MD5
ae61f43fa076bb13d2918cb6b317ae53

SHA1
202b84f9a923e0c7f9a87b44dcbfb5649fd5a619

SHA256
75bd4e6b286fc5b0f0b31820b8b0e3b7e63f2fbafdc347f23a46370be4f8e9e6

SHA512
65c9a6f5fc9be153e3cceed95617bd6c17b400eac44b4c3d14d1057d1bc9e6cf1971accd790a4e5237cfb6842304abdc99e2ad8a87f07302d6ae051de40493ee

Download Submit
/usr/bin/hfxpkrfnas

Filesize
603KB

MD5
ada2aff02bc5fc3f3217467c90e477bc

SHA1
289608a25e1f2773680372d078c53903d6a11fa0

SHA256
cda7d3b741468cd6f351a1bd7882484587108e234abd7df80d6e46b939f286a5

SHA512
af1de5ef021f1f12f13bfd7fd41a55cfb6270a15ce9b2acf4546e4c1572a6e4a8d513185ae999bd34f96838514a02197a6dc5498e86ac7ddcc15b90f55f591a8

Download Submit
/usr/bin/hhcemtcgka

Filesize
603KB

MD5
2270e59d0a75c89029e64552259deeea

SHA1
08d262f365450fb728f3dbb5cacb7d9ba8b48ee2

SHA256
7ee26e7aecae8d3613b0dc7401d8ead2d25468b1b683d683e8ef8c254057f885

SHA512
b53f12b3b3909bdb7efbf0489a474b585fc504c7e51019f88b2fdbad59cd6301a29b1651d446cf5c9dba5894b71b5f9e8f97867163f5a5c5c2544b7328001133

Download Submit
/usr/bin/hxmkmhmsvi

Filesize
603KB

MD5
4f6ac318663e025aa2cdbd796990b040

SHA1
6b85795c2d89b485b0b99a3f6d3e6aad32c3668e

SHA256
dec79efddd4bc70bace38e389461e4d822ab3a163b03abde79886649e0a1d993

SHA512
8d7b4b278c275f2bf9a20db8a7a46ee6bf8188c678e3ff48a7b75bd313ae3fc0d4d9c06eb5e0ba74b20a4c40b53d09d504f6c72ddbab538374f256c7c4660eff

Download Submit
/usr/bin/ijqijukhyo

Filesize
603KB

MD5
8e0cae0b1457e785b2792ddca54ca70d

SHA1
3a1ca42664399ec0c87af67feb24035cd8b03402

SHA256
262c5eb900c5c43f8d080279c55c978b70e16a36a7adca86d4521b311be82148

SHA512
805f9cde535dd151f36c2157046069b55aaf9f1cb185073582546766b8423715be11c6ae6fd4243b306b4f961f459b87d17193e56094d6db42d5a47babd458a4

Download Submit
/usr/bin/mbldbrrwxz

Filesize
603KB

MD5
7da73e70a3160bc11253bb950a2254be

SHA1
70d76cfb6373e91b4b3e7a745ab8c3fb205ffaa1

SHA256
8ef74a2bf5928c87dedf42a960e441299c740ec15dc6e8f08b5757a45df54e6b

SHA512
763e4d465d879ded849fc9ef3fcc0eeaf4d8a7509dffa0d034a31331653b85de5ff61cd705018a5d295818edda0a08851cfda218bc7f23642971367380417ec6

Download Submit
/usr/bin/muwtysnheu

Filesize
603KB

MD5
1d66d84ec588f93eb68d7661c3a182c7

SHA1
5f0357787d4636c683d28206e4417607bc4d5b31

SHA256
c8b56edfdba1696cbfc36a6d9b022c75764bcd15d67d93fc00d21f38cbc27a64

SHA512
b866b377d566b82f619e557ba49f2a110689e0b7896cbca7f882c0aa431e6a3685a58f89318f8930d102828ffa7c26e3fffddee73973e298f1861044c965d590

Download Submit
/usr/bin/nhkxghlkxc

Filesize
603KB

MD5
fab5d14cf5edbbb98f72226ef7813efb

SHA1
728663f520dc01ea9853808b82c0c7a22bf93cfc

SHA256
c3cd06dd377a4d1abab30df0ff93383c4c1cc9ad7dcfaeb7a936c7cce8c6cdfe

SHA512
dc9120a75caae8969c93bdd654852e59dcaa008a247c6a28d60a6cdc7e7407b531df25d75c273fef3cc0278b2f5c9c079b53c810ed070722be8b2618f99201d0

Download Submit
/usr/bin/opkejfauqp

Filesize
603KB

MD5
039a85a00129a8210a4ed2cd959e3a01

SHA1
7c6f430ed5499331b5723abe8cc9315a66663fd1

SHA256
acc5d6c6085ba33c89f69e441c962fccdad7ea40c3b4ef5ef988e35a5d177c16

SHA512
21bc0b3af6cbbba89bc54fc50a8cd3e87bf99dbb78aba5f3b6bf7b470b3a51046e7f68eda4ada17268d8c8dc2f1ed5c58747009a417349331172be826bd91ddd

Download Submit
/usr/bin/ppcovepyba

Filesize
603KB

MD5
dd1da8f7faa6a7d207d7f9366c838ede

SHA1
4232852cc383f978be08abeca0d831b1f6a89fa9

SHA256
baee8c1c208e8542d06d62a47be27e520519f8a3448e9c28eea24cab295cccd2

SHA512
8c8652df621fb7d2b14508fad901cfa28087cb7975a25bb5ce4e9992e22b9e0f08a141b94c5a8d60fcb69ccc1b76d1c95c90461c6346b75b01016ecbc45b14e9

Download Submit
/usr/bin/pycshzlyqb

Filesize
603KB

MD5
02219afe56b071212f12088aa16dbd13

SHA1
fdaad6e927263ffd208581e9e26347f027e67a43

SHA256
85a8faf53775d980c3ecf4528a57216b9f888e3d1c6725d91ebbaffbaa45ccbe

SHA512
a6ec421add42dc293cc1dd1931328f4d243236c41e185937c672e24d9b52c720069e3d80a69907600ff0758e1c31b01eddf57cd42b5b3b8b7fc12232ab3c61ad

Download Submit
/usr/bin/quvreytgby

Filesize
603KB

MD5
764088df4b3d145f5762b9a192c2b5b3

SHA1
08786acbb55a958345f19c75ac8d474679f71904

SHA256
fdcd2e0cba018f4e3a9cd3074f87660bafb0b75149d74a1712edee01c2d740fc

SHA512
c0b19bfcbb646f5c01f52a0e35dc7638f38c0d6ff7f830060babf15c7ba6ac4225f533399a4722dddf94615f23483c5b3447da3b0914d066e53970b589d97252

Download Submit
/usr/bin/sfgfuvimll

Filesize
603KB

MD5
19bd98b9514f82c7817953ffdda6435f

SHA1
11b1afd67ce8d5fe7302736d56f0b52d433d7e34

SHA256
3b118230264f8c3aa903cd86a4931b5a847c91f6afc07c5d71b26031057073b6

SHA512
13b3dbcda913729c90f0f3525439fcc9b4489e6823f0622f4d7dcf9d9ad129eeec7eb28bd031d04d282d521260889edf85f94a466d4559cc3d7ea6c581fdf031

Download Submit
/usr/bin/uuhlvvttuf

Filesize
603KB

MD5
ed50689b0101277eb6593f36c87859d6

SHA1
706ae37926854fb478eb9657a005c130622955e5

SHA256
5a2f8338fb057fc2a79a781a2853dd4a808eb37dbd158c08902db8df65b9cc6f

SHA512
6c4d58274fa47e3fcf17d2865f8d30d723d99b177e1eca4d7dfc5ba9b0dc2753559f6cd0f0bf3fbce30ae9486b7615121ef5c6096bb303f546e8a2f920e492d3

Download Submit
/usr/bin/xaetkymvxr

Filesize
603KB

MD5
a40658efda4d2fe61fbb350f607adce6

SHA1
6045b9ba61b6d1933deb533f0087ad7466d1ab3d

SHA256
bac84eed85791c267dd6da2a74371ab3e9a5c87aafc1bb458310086d5ec0ac77

SHA512
a5c68e5759f3b2752145cd642d4e45819497cffbe0d0ac1599b8f5df42e60a78b11532de06df028c3daacabb91b1fac22610a17eb0b68f50996304fdca4569c6

Download Submit
/usr/bin/xogtmpdyqz

Filesize
603KB

MD5
1204113590e2dd1c7cc3c995686fb0b8

SHA1
8e3eef1ae60bdbec5215e33ea3f28c715f63851d

SHA256
962d09fd56376380f2f16acb6a15f5370d4490b32c4a7b094afd79968f4f816d

SHA512
0081f184459d29fa37b5bc9ab056d65f169dadd7ca799c720f4dba7bbc1d7a2f2b33d5f1ea7845f4eba2eb0c5f3243f84fce34be48d83f3de0d106ac1b5bb06a

Download Submit
/usr/bin/zwdegtcehr

Filesize
603KB

MD5
e1c7254751d137a55fa06a23aa0e8d2f

SHA1
ce929061af7aa46a523b65525f62100c5f5215a9

SHA256
aa49fb6edb7410511b9f1ef57e73bfd2013cead7c3762c23a2311f23afcfcd50

SHA512
43cf172c259965b2abe194348b7b509bd5563119758e0ab6c937abe2776ea9dd571f74a1612f37742f53fe120bdadea12ff961829e50bf2a810630616e4272a2

Download Submit
/usr/lib/libgcc4.so

Filesize
603KB

MD5
a1da9b563db9056c96523a8727a279e3

SHA1
264124d50c9c25cea15459acb662b750bd7987c5

SHA256
f5b098419bdcd2aee198c074b895e113fb7cac9132ad1b592005d31f1394ad3f

SHA512
1418a5fc3fd23a0b10533a60ab76cfd71cd0894c0bf8fdc859fdc27a3673a4f5fc63320ab4e0aab81eefeaba933266933a74e60021a3985bb5dbe8ca90a93aaf

Download Submit