xorddos | b81e95eb2f1fd0deaa4c1873d306003148928bcf5b9394e99c56974d80817f5d

Analysis

max time kernel
149s
max time network
153s
platform
ubuntu-24.04_amd64
resource
ubuntu2404-amd64-20240729-en
resource tags

arch:amd64arch:i386image:ubuntu2404-amd64-20240729-enkernel:6.8.0-31-genericlocale:en-usos:ubuntu-24.04-amd64system
submitted
17-08-2024 17:36

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

a37bf50d53fb2409c16d7007d018cc8d_JaffaCakes118
Size

611KB
MD5

a37bf50d53fb2409c16d7007d018cc8d
SHA1

4fa2128dd1d4fce1266de321c94fc8d3b353a956
SHA256

b81e95eb2f1fd0deaa4c1873d306003148928bcf5b9394e99c56974d80817f5d
SHA512

b757f859f7d42ac0a30abcfeb1fea990194fc4dd8894275151d594319332e3e63a19fcf20493dee1380df6a4d0123eca4f6dc303180aed100e83ba38fe30ee0c
SSDEEP

12288:UB1tATMVAqnf+ExxBHYpmA38X8LYkCW6Ti2x6yB1/aGK4UlUuTh1AS:UB1BVpmExDYp38X8LYTWh2fNaGQl/91v

Score

10^/10

xorddos botnet downloader rootkit

Malware Config

Extracted

Family

xorddos

http://cf.gddos.com:8080

www.baidu.com:2800

59.188.242.190:2800

8uc.gddos.com:2800

Attributes

crc_polynomial
EDB88320

xor.plain

Signatures

XorDDoS
Botnet and downloader malware targeting Linux-based operating systems and IoT devices.
botnet downloader xorddos

XorDDoS payload 31 IoCs

Processes:

resource	yara_rule
/usr/lib/libudev.so	family_xorddos
/usr/bin/guvfmaaelr	family_xorddos
/usr/bin/lljsuutijp	family_xorddos
/usr/bin/rnhrxhyaea	family_xorddos
/usr/bin/dkcnylzcsz	family_xorddos
/usr/bin/rgwlutfdzs	family_xorddos
/usr/bin/jiqrolevtr	family_xorddos
/usr/bin/harqtiaikw	family_xorddos
/usr/bin/hjmgctbfyx	family_xorddos
/usr/bin/fvpkbxdnyv	family_xorddos
/usr/bin/povtnkatps	family_xorddos
/usr/bin/stvevawumi	family_xorddos
/usr/bin/ijqlcevizr	family_xorddos
/usr/bin/bvbyyslyob	family_xorddos
/usr/bin/qjfecmhhom	family_xorddos
/usr/bin/cjzyzeyavt	family_xorddos
/usr/bin/gejwopajwy	family_xorddos
/usr/bin/jdclpvtfee	family_xorddos
/usr/bin/khjvpahkxb	family_xorddos
/usr/bin/yzhitaewrm	family_xorddos
/usr/bin/yanknvlrwr	family_xorddos
/usr/bin/ipczcezqpu	family_xorddos
/usr/bin/eicyazbmal	family_xorddos
/usr/bin/zxefgwmlof	family_xorddos
/usr/bin/jgldragnel	family_xorddos
/usr/bin/njlgavubnh	family_xorddos
/usr/bin/gcxhopgslc	family_xorddos
/usr/bin/jrfrvynnnc	family_xorddos
/usr/bin/htaovzgvlc	family_xorddos
/usr/bin/qjknjiwjkq	family_xorddos
/usr/bin/yrjlkyfwvf	family_xorddos

Writes memory of remote process 2 IoCs

Processes:

a37bf50d53fb2409c16d7007d018cc8d_JaffaCakes118

pid process

2454 a37bf50d53fb2409c16d7007d018cc8d_JaffaCakes118
2467

Loads a kernel module 64 IoCs

Loads a Linux kernel module, potentially to achieve persistence

rootkit

Processes:

a37bf50d53fb2409c16d7007d018cc8d_JaffaCakes118

pid	process
2454	a37bf50d53fb2409c16d7007d018cc8d_JaffaCakes118
2455
2460
2455
2469
2467
2455
2473
2475
2479
2484
2485
2481
2483
2486
2487
2488
2467
2467
2455
2455
2484
2484
2485
2485
2486
2486
2487
2487
2488
2488
2467
2467
2484
2484
2485
2485
2486
2486
2487
2487
2488
2488
2467
2467
2484
2484
2485
2485
2486
2486
2487
2487
2488
2488
2467
2467
2484
2484
2485
2485
2486
2486
2487

Unexpected DNS network traffic destination 16 IoCs

Network traffic to other servers than the configured DNS servers was detected on the DNS port.

Processes:

description	ioc
Destination IP	59.188.237.12
Destination IP	59.188.237.12
Destination IP	59.188.237.12
Destination IP	59.188.237.12
Destination IP	59.188.237.12
Destination IP	59.188.237.12
Destination IP	59.188.237.12
Destination IP	59.188.237.12
Destination IP	59.188.237.12
Destination IP	59.188.237.12
Destination IP	59.188.237.12
Destination IP	59.188.237.12
Destination IP	59.188.237.12
Destination IP	59.188.237.12
Destination IP	59.188.237.12
Destination IP	59.188.237.12

/tmp/a37bf50d53fb2409c16d7007d018cc8d_JaffaCakes118
/tmp/a37bf50d53fb2409c16d7007d018cc8d_JaffaCakes118
1⤵
- Writes memory of remote process
- Loads a kernel module
PID:2454

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

/etc/cron.hourly/gcc.sh

Filesize
228B

MD5
3bab747cedc5f0ebe86aaa7f982470cd

SHA1
3c7d1c6931c2b3dae39d38346b780ea57c8e6142

SHA256
74d31cac40d98ee64df2a0c29ceb229d12ac5fa699c2ee512fc69360f0cf68c5

SHA512
21e8a6d9ca8531d37def83d8903e5b0fa11ecf33d85d05edab1e0feb4acac65ae2cf5222650fb9f533f459ccc51bb2903276ff6f827b847cc5e6dac7d45a0a42

Download Submit
/etc/init.d/a37bf50d53fb2409c16d7007d018cc8d_JaffaCakes118

Filesize
495B

MD5
ea9fd5b246e6a92d397cd03f887dfd56

SHA1
2c38cd01f9ec4b2da751546340cfed8b1c685d6c

SHA256
941c07ad146b28682c74662a3a90ac2965e0806b5a5f658cc8b5068aafb4af4f

SHA512
a271e13723b109406b86ea05d42e7b92abe556c58833231372b49b8a73fe49177fa84993ffe386c4c73993d321d3eaca273d0bdb3561c5e37dcc8369c35a1cda

Download Submit
/run/gcc.pid

Filesize
32B

MD5
5c34251503198cad006c6bd4798c1df3

SHA1
10cf62acc42a9c72fec1073a057f8b513bfa3455

SHA256
028855058a1ae469123d9489378ec5e9545353cd9d0a40b5a3912fc43cd24713

SHA512
504059265aebf7d96fbad0bbe48461305c65cd0343755f58765ba23232c1c608c481ae477ce7206fbb5720bf21a5ce6fc6f5c5df303077c6e33938866a295bd0

Download Submit
/usr/bin/bvbyyslyob

Filesize
611KB

MD5
be5497d64e984ebd95380201d69b1c12

SHA1
4fbf5af7b00bed6b72a40d9166b304d284893456

SHA256
cacbe96859b77ae7f7d7cd670e9d484af68176e91ea027ed266f7bc196920867

SHA512
124fffb46193bce09589a119e49585a3d5e562817dde77bad213cdb373be0d9be9ce6d4b740ec68a5bdf8c24d8fc2cff9e385934a9e50aa6b11814a85b52a73e

Download Submit
/usr/bin/cjzyzeyavt

Filesize
611KB

MD5
3a82c77d7d53ee33fe506eb0cc24ad71

SHA1
2e7da1055320da8fc91dc0571738b149c9c52cff

SHA256
bc2fbd6fce0b8acc3dcdb9004ac4efc713da5d42fc0a0254779af5e2b77e1fc6

SHA512
db46e6898cdb2e60fc1bf997e2cfe5d6c6c16866ca20f25454d8d25a132145634356b788979f1ea089a57eb4a544aba40a30f57f01c5672f4d9b652f8842d857

Download Submit
/usr/bin/dkcnylzcsz

Filesize
611KB

MD5
f32c2c172f13dde812e2544d2cf4eb53

SHA1
d827b8cd2f86474586823131dea8e565a8d22cec

SHA256
e1a5f0450042cf707a1d30fed1c379ce93960f43678875cb85823b5a16e1ce04

SHA512
804f2703054497f6cde3007670b024959b14b2be2b23970d94d4852bf7859b0367fef82bdd4696981e1cce8bfaf50343ab062388a277984a450577eb32846a3c

Download Submit
/usr/bin/eicyazbmal

Filesize
611KB

MD5
8047f9c0cd37af36957f13f0e020c4b6

SHA1
bddeadfc16b6d666aad394847f1f47ebc8d96585

SHA256
1a1cacae158babd585d9e1d19b58f1cd47dddba7752711d01b675fb0ad8ccdbe

SHA512
1be8a5d2a833e3964271e637e4f73c1973d5a113590a0bf912ef7385c4db85c8ad281d2c3640a4a80289c404f50830f9c0ef756b51c7ecca5fca9aa5d4bb8e16

Download Submit
/usr/bin/fvpkbxdnyv

Filesize
611KB

MD5
87004006f75397986be50ea342616ef1

SHA1
c77d77bcbf912c421da63b457a6983196a802712

SHA256
985017cebc0ca96387a66d3b70bb5abdb8b21ee0894d07168dfe8ea8b5bc5edf

SHA512
1c49fdc7f639fe148ade5c5276d01a7809a33c8d58f007e80677586343141af982dc0fb8bd642f177fc2e9409b35f46bc7af5fcd6006aff5f9d8af5b7ee44228

Download Submit
/usr/bin/gcxhopgslc

Filesize
611KB

MD5
b25bf1f15de44dbafac2be10206b3c65

SHA1
2c28ba8cb4b0fb04fb3a85601482b505c84228e3

SHA256
29a737effc7294be2a7cc9981462a1483d03b9b6c9496c4581ec3bf7cd958888

SHA512
caf528e2212aa84ab1e69570ad2bed15b08059ca27ee1c349ae0ca51a472fc954f18d4424de19b4bcef58022e060d55bb4dca3bc655f31106b59801ef6d5b63b

Download Submit
/usr/bin/gejwopajwy

Filesize
611KB

MD5
4476f889b0a2704080791db08ddf5af3

SHA1
9d243d80678108f371e61e1c59422ae10391cea8

SHA256
d2213ec6225bd7c4811e8e770051e9290d23484b076f1579c36eaca4b2f34459

SHA512
2fb9c411bf2fd77551b7a360ad4393332253d3d275db8dcd6b750b18a719fc551865a04e0fb37a0d615dcea507ac1736cdd33c92a338cfa7fb6cb9bc89621770

Download Submit
/usr/bin/guvfmaaelr

Filesize
611KB

MD5
91b93e4ef0e8ce0a48f5af5e7a0f06e4

SHA1
e98a041556ed325bdd686a7cc5d2cfe04e6a90c7

SHA256
fc102b0312b4fd5385d7f6ec76c20c6717d1f758ad3ea1841651b65c8d0b7f7e

SHA512
9c1bcb50fb25fa16b438ea5ca14240f41e3972f233d15d8c228fd109a26e1e8702305d1401788a9c444eac3af01f4978289f1cbeff30143a2174b51f99d00064

Download Submit
/usr/bin/harqtiaikw

Filesize
611KB

MD5
3df2bb3c5c131383b830ade3415a6b48

SHA1
097ac2432f9dc123dca329d010dc28e986b362b2

SHA256
fc6ba8c3ea8de44be2a49fe9edf4a8d6382b34b536767b9a67ccc205a6b81318

SHA512
c161c7cb5c5945fd55b8c1d75bf683f8c7a568bbfedce84b14c48379279831c02d77c3445b76da21a8d49722b4cfc17a3f7c6700793822e130a93b11cd25f933

Download Submit
/usr/bin/hjmgctbfyx

Filesize
611KB

MD5
d2d7901bdbe2214d232d18e57ae2235e

SHA1
28a7eba4e2d0e209cdcc525f06d60b0f1e64f71f

SHA256
50ab950b870f56306d7f3f8fd6c933775bd3193733becee15102d6ddc2e48560

SHA512
f5887088d5f9d4bf75b8b8a6cfa850080191e3eaadf7092b56041378e11a3160804fbd0b167d249f84f4b6c075c25bcd03bdc9776f37125bc42deedf3b1bc23a

Download Submit
/usr/bin/htaovzgvlc

Filesize
611KB

MD5
f960b94580359c4158f2fbe7a67689b0

SHA1
a3fe49070e2abd65484c72ca4df7bcb53786f573

SHA256
5df6ce75a4fd8c2dffd2bfcf658998ae5bf5275afd2e02f3e1543e933f1f95ab

SHA512
8acac081bde942b79dbdc1fb1afb1f1492cc9b2a6aa91926b577a8c8347de025b2952f1413e4cbc7003867aa9e90eaf16f47a63bfff638e7746e4718223b95b3

Download Submit
/usr/bin/ijqlcevizr

Filesize
611KB

MD5
fb0d83b9fa9fdd04a28765bb8459be31

SHA1
985a7fbefe9a266f93846a2ced867fab6584fd36

SHA256
bb225dfc390a1986edf1b8f7ca4cac3bd78ac25f423351754216390dce3e60cd

SHA512
92be13673f951b1a22db1719c64e83937627d5967e08722480a90ac04fc600ada76f1b380518071d176e72d885eddbd7fcc1e041cfe1d2bc82d25a61424d24ae

Download Submit
/usr/bin/ipczcezqpu

Filesize
611KB

MD5
23345e3562619e16dc3d01e18e7aa7f6

SHA1
4a1360f4917f578df87293d0b210d8e41da62d4a

SHA256
d1782b995e43446e0c15207c2924fff388b1f4607fdd919be46c0d5425bf021c

SHA512
e1e2a9c05ba93dd4d37ffcb7f863119a69bb1374a534eae2c3d09ad4c687d9806ff719c8687a57c96f85eb664b588dc4cbfcfe9da3684fc8dd02f0e41d7aef2f

Download Submit
/usr/bin/jdclpvtfee

Filesize
611KB

MD5
e2e56ae4859996f95ee203048abf529f

SHA1
49d9423b37feda2c77fd1b8440f224fc0e6f8711

SHA256
79e77eb00c07c8acb3539aab038544020e766a69371baea7a58cb1c1374914a2

SHA512
ea0c9151880fd4b193542da1d7c5d59234e3291086d08ea3ed4fbb8ce85fc01a9cdc27b34ffc0cacf39567a89f3b3fc426d8bd3df63f3804a720f5cf41fa71d3

Download Submit
/usr/bin/jgldragnel

Filesize
611KB

MD5
8cb62d4fd509e3ed9540107f8fef0b6c

SHA1
cdd7b948b44f1366f1c3b70d5f02d450d12b8889

SHA256
6c5f6bf60d5333489661e97a1f83dc7c671ca11a5cebf91aec5fb258db287d39

SHA512
80c0eaf755fdbaaf3d54277e4576b5e62169bf80cb3e2235b48d5ec71411d29faaaf9ae6479589695b350afd9f26588c8533b5a585af14a327aa89be83d8637f

Download Submit
/usr/bin/jiqrolevtr

Filesize
611KB

MD5
a353f2d882e8e9b7b6b3585d33e37a38

SHA1
b44118ca9f0bfb75a7723d73bfa7e2402bb8d3d2

SHA256
d57dfd221a56093a8341cb12e58f06395444996587d3d574fcb1665450628083

SHA512
748ea0e3a4601933a913409f5243d60cafec04aa9ff7ef6dc3079f29baa8ec783624ccad4a8c60f19458684d56286684da5bef9c95789670ccb090a12df93f3f

Download Submit
/usr/bin/jrfrvynnnc

Filesize
611KB

MD5
b59772ab0d845d41518f56b0567fd4e3

SHA1
ad20ce06e243517fb86ecf571a292483b7f1ed94

SHA256
05a92017ae967af2ddecebabc96011c485812ca0c55255902e633a66ccf0a292

SHA512
d092c8ccf97a1edb29b8eabf960e5e9a372626c9920dde31cd8de00c3ae920d893a635356f5075705c6f2f5d9cf9cb007a8e8e68a4e144527e0cc54a29d5cadf

Download Submit
/usr/bin/khjvpahkxb

Filesize
611KB

MD5
b72385b36dfbdaf04b6db73b4f43e282

SHA1
085f70f55ffe932bd47197246060d0c3a1b217e7

SHA256
434c7f6870fc5fbdb26d28486410cf4b2411246af3717f172e8228333e441578

SHA512
20a533c665130fb8fd7b2b705e1bd8e14cb06e5b2787bbddc8a82a1cae1a7966d5413e49ea7e328d7f737e17679b57808c25c703928d4a0e54c5c7f6ef1aa42e

Download Submit
/usr/bin/lljsuutijp

Filesize
611KB

MD5
10ad3ce496d360b44d7b619ed00b9d82

SHA1
231c4ab66b756353a46520db09bcad267aafdab8

SHA256
23f546db0b80a98783f1a4de731ca100e260d92d1c1e1c54968f9044eefe0213

SHA512
5d1063304441a3535a11a593d518d67118be5c1a249c44f6d2eb697981e5b6b9aa339d17710410ccff8209a91c73099f038590c3f2427e72bf5228d4e65bc037

Download Submit
/usr/bin/njlgavubnh

Filesize
611KB

MD5
3d2c012d7deb3b670efbae173ef74d5b

SHA1
08dca9f1a4829f2c50017e1f99606072f31d1fe4

SHA256
f372c9e8387af9c32b8e634099e91e79c8da71e11493fdad3898c8070b660a0d

SHA512
3a6be74378f3973c28708f3790343a3e22437e960a2a31de4e753ed40bdae96aec983acbf1c58fd4c3d1d21187cd34a98e41324d1c825f9a2090d3834a4c95e2

Download Submit
/usr/bin/povtnkatps

Filesize
611KB

MD5
45f531adf5f798da4ba759f37d94d50a

SHA1
5eead9fece827a24083bfa8c13efad8ef588e790

SHA256
f660aaf2e9ca6b3b03b073ca5857385c6bf6e2b1c6be13d8f2c739c60325ae4a

SHA512
39a1dd0de28b5f27f6b59278593e336eb59aeb96cbac5559c75adb99650efa9a11be510e7f3b775fa97c042572e25895595afa404815fd91f1979657764c2d34

Download Submit
/usr/bin/qjfecmhhom

Filesize
611KB

MD5
0eeaa2d7db9b077cca851e68608a5e7f

SHA1
385c5fd8e1376ec72e0a21af769b6a1f38860e9a

SHA256
0e02bc8c45a0ed0bc31f743a410b3204658260ce03c26a3fe4acf47b10f9df30

SHA512
1c2fe387bd2a9e4ab2dc3a8c00491f10767968dcf8e99c0c1097e9e35d29f6330db23dbb7d091a303a64f27a7a459bab8f16298fb5573214d8e55f419fd597bb

Download Submit
/usr/bin/qjknjiwjkq

Filesize
611KB

MD5
56de7844a78eb219dcbe32f0e8b64c9e

SHA1
efdc703dd8e5fe4c9136dcfdbc240e1453c45f39

SHA256
e22b0f833a76ce9138f58c45e1fa986dc20f25b092c529abc954fffe5f0d80e7

SHA512
01f57b400486aa6c608145f8bf631731a900b32e0fc9e74c1f7cddfa471e90cbb936a98cb8652e4a2371261634d108736ac178d78758f8067ef7867b10b3e90a

Download Submit
/usr/bin/rgwlutfdzs

Filesize
611KB

MD5
ce154c26c30c0acfe992bff33cd76255

SHA1
60d6635c93b269a158b9f1734457545cf2412a22

SHA256
2f687665e893ee1cf5cb0943bd334728720da5641ee8b0eec87edb578155b285

SHA512
f4821a755138675bbd8f2f61bc260cf5f820b26807dfc5f83e9d386936d562c0fa0dd0d6fb8458fbf853d3f62239e32a193785526d48f3a26f93d950b09b8c25

Download Submit
/usr/bin/rnhrxhyaea

Filesize
611KB

MD5
2814cdadd0dc2ad9d02807cc78a41a7d

SHA1
5f413f3bb9a97bfa2fa45c7c669378d6914b874e

SHA256
e722810ff2539c8ad7a4b36af73d1c2437b2a3c504104b242e45963b3f3ea164

SHA512
2832a5fc58c0a831b43d1ffb7795aa5121a0f7a76e1434fc6e807f872099187521d0c53013c7b74d64bd235eb27f879cd27d6ffb7769c49db4e4bb64613a46a7

Download Submit
/usr/bin/stvevawumi

Filesize
611KB

MD5
f28d39b0270cdde8c37c7c9ad35f6bb3

SHA1
2d3ed67f112ce237ab82ee61be43ea89884b270d

SHA256
5e13e4f4cd63e0604490857925243fb1ba331d48c69693ae23bd74bdbc29a214

SHA512
0464fdb2e10268d6725c5d972ee55a322262d744aa19d73285e9bc9ba365e3cd687ba7e70524fc03f19e0ac7f55f7a4b2bf263776a7fc80507da3bbd934ae768

Download Submit
/usr/bin/yanknvlrwr

Filesize
611KB

MD5
5d5094c219ccd694ab3188d286ead59f

SHA1
3842c5d786510d5bd8279f55c69e2d28c04563e4

SHA256
c383092b4a454225f9f9486adabf271429e15e5c5ceb2a1340d35f4f3a7a44a1

SHA512
a66b5dbbb72b3d5b38c4843282a2057796324359d8be9a231ab6918d14d222f1e3d1dc7e4c6eed70f34df3f962483339ab21deecde8349f09f41a316cbb7d076

Download Submit
/usr/bin/yrjlkyfwvf

Filesize
611KB

MD5
d5187cf91a41ad1f62a26cb76a93d10a

SHA1
6289bddf275fe49364beed45691bf2a67da9deac

SHA256
1e1089e78c63521643fd6337600e9d0d61a2e47cb5e38c7a5931079b729f55b2

SHA512
ce18b42f8c0fdf369d03faf5e283f94cfaf190e6742dba349525dd492def5f72fa63d1f964b675d3a441e0df865dac8e84a89fb70ef5a2c2024c2e717b8547f0

Download Submit
/usr/bin/yzhitaewrm

Filesize
611KB

MD5
0511277bbd3f984480d5e2cbab0c8382

SHA1
64568ff0c21b343dac115072e00f625204d55e3b

SHA256
8944f74562702abde3adc9848cb2e85ecf85e8010c0908935ae843e4597d244f

SHA512
0437a1b3c9b5a7be2efe34aa4991b943adbf4eac437ff413bb35797e70640ae3af10623bcbc41179a98b52313b7194b587349cae85d40725f1049bea49056f14

Download Submit
/usr/bin/zxefgwmlof

Filesize
611KB

MD5
0e3c833a1419106c3e5ccc7c59cd0895

SHA1
04e5143bc8729a671bdb681e2b4e050ca9b5a091

SHA256
cdfa444bf55aad3a6873fffee6447296450168fe4297ad35e85c9be29e0f9da2

SHA512
7d25fc1d91d0378ac3faaf6425317304f04ba7c7fa37594b53b2de4585b22f1b77d8524f90d05bed49b38e01271e5122d53e235ceb20997783d705ba2d5475b7

Download Submit
/usr/lib/libudev.so

Filesize
611KB

MD5
a37bf50d53fb2409c16d7007d018cc8d

SHA1
4fa2128dd1d4fce1266de321c94fc8d3b353a956

SHA256
b81e95eb2f1fd0deaa4c1873d306003148928bcf5b9394e99c56974d80817f5d

SHA512
b757f859f7d42ac0a30abcfeb1fea990194fc4dd8894275151d594319332e3e63a19fcf20493dee1380df6a4d0123eca4f6dc303180aed100e83ba38fe30ee0c

Download Submit