xorddos | c4f2b7e9dceb0cfa4f1c21785d148f748906daa12a0bce084bd766e3627cb397

Analysis

max time kernel
149s
max time network
148s
platform
ubuntu-24.04_amd64
resource
ubuntu2404-amd64-20240523-en
resource tags

arch:amd64arch:i386image:ubuntu2404-amd64-20240523-enkernel:6.8.0-31-genericlocale:en-usos:ubuntu-24.04-amd64system
submitted
22-08-2024 18:26

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

b8a9cafe1f996d706e621486868238a8_JaffaCakes118
Size

596KB
MD5

b8a9cafe1f996d706e621486868238a8
SHA1

6138c9710cb4e6a7587f4090d2bfe42a1d4e2dc8
SHA256

c4f2b7e9dceb0cfa4f1c21785d148f748906daa12a0bce084bd766e3627cb397
SHA512

b3d1c1c195bf117c6c0945327fb86dba81178d206b7c96b4be2c08a6fa7250d52e0e59cb3ceeffdc99b59baf19205ccebae2a02c3954d824207a54e8aebf24fd
SSDEEP

12288:bfTGy+n69+5rTlFEcMWbHvx5SGEuWd5F6yxm9Ah7Dxu9hc7L:rTG/0+5dq4bHvx5SGod5LTD4XcP

Score

10^/10

xorddos botnet downloader rootkit

Malware Config

Extracted

Family

xorddos

http://info1.3000uc.com/b/u.php

gh.dsaj2a1.org:2868

183.136.213.96:2868

xlxl.f3322.org:2868

Attributes

crc_polynomial
EDB88320

xor.plain

Signatures

XorDDoS
Botnet and downloader malware targeting Linux-based operating systems and IoT devices.
botnet downloader xorddos

XorDDoS payload 30 IoCs

resource	yara_rule
behavioral1/files/fstream-4.dat	family_xorddos
behavioral1/files/fstream-5.dat	family_xorddos
behavioral1/files/fstream-6.dat	family_xorddos
behavioral1/files/fstream-7.dat	family_xorddos
behavioral1/files/fstream-8.dat	family_xorddos
behavioral1/files/fstream-9.dat	family_xorddos
behavioral1/files/fstream-10.dat	family_xorddos
behavioral1/files/fstream-11.dat	family_xorddos
behavioral1/files/fstream-12.dat	family_xorddos
behavioral1/files/fstream-13.dat	family_xorddos
behavioral1/files/fstream-14.dat	family_xorddos
behavioral1/files/fstream-15.dat	family_xorddos
behavioral1/files/fstream-16.dat	family_xorddos
behavioral1/files/fstream-17.dat	family_xorddos
behavioral1/files/fstream-18.dat	family_xorddos
behavioral1/files/fstream-19.dat	family_xorddos
behavioral1/files/fstream-20.dat	family_xorddos
behavioral1/files/fstream-21.dat	family_xorddos
behavioral1/files/fstream-22.dat	family_xorddos
behavioral1/files/fstream-23.dat	family_xorddos
behavioral1/files/fstream-24.dat	family_xorddos
behavioral1/files/fstream-25.dat	family_xorddos
behavioral1/files/fstream-26.dat	family_xorddos
behavioral1/files/fstream-27.dat	family_xorddos
behavioral1/files/fstream-28.dat	family_xorddos
behavioral1/files/fstream-29.dat	family_xorddos
behavioral1/files/fstream-30.dat	family_xorddos
behavioral1/files/fstream-31.dat	family_xorddos
behavioral1/files/fstream-32.dat	family_xorddos
behavioral1/files/fstream-33.dat	family_xorddos

Writes memory of remote process 2 IoCs

pid	Process
2476	b8a9cafe1f996d706e621486868238a8_JaffaCakes118
2488	Process not Found

Loads a kernel module 64 IoCs

Loads a Linux kernel module, potentially to achieve persistence

rootkit

pid	Process
2476	b8a9cafe1f996d706e621486868238a8_JaffaCakes118
2477	Process not Found
2483	Process not Found
2477	Process not Found
2477	Process not Found
2489	Process not Found
2490	Process not Found
2488	Process not Found
2477	Process not Found
2477	Process not Found
2488	Process not Found
2488	Process not Found
2488	Process not Found
2488	Process not Found
2488	Process not Found
2488	Process not Found
2488	Process not Found
2488	Process not Found
2477	Process not Found
2488	Process not Found
2488	Process not Found
2477	Process not Found
2514	Process not Found
2516	Process not Found
2518	Process not Found
2523	Process not Found
2520	Process not Found
2524	Process not Found
2522	Process not Found
2525	Process not Found
2526	Process not Found
2527	Process not Found
2488	Process not Found
2488	Process not Found
2477	Process not Found
2477	Process not Found
2523	Process not Found
2523	Process not Found
2524	Process not Found
2524	Process not Found
2525	Process not Found
2525	Process not Found
2526	Process not Found
2526	Process not Found
2527	Process not Found
2527	Process not Found
2488	Process not Found
2488	Process not Found
2523	Process not Found
2523	Process not Found
2524	Process not Found
2524	Process not Found
2525	Process not Found
2525	Process not Found
2526	Process not Found
2526	Process not Found
2527	Process not Found
2527	Process not Found
2488	Process not Found
2488	Process not Found
2523	Process not Found
2523	Process not Found
2524	Process not Found
2524	Process not Found

Unexpected DNS network traffic destination 18 IoCs

Network traffic to other servers than the configured DNS servers was detected on the DNS port.

description	ioc
Destination IP	103.25.9.228
Destination IP	103.25.9.228
Destination IP	103.25.9.228
Destination IP	103.25.9.228
Destination IP	103.25.9.228
Destination IP	103.25.9.228
Destination IP	103.25.9.228
Destination IP	103.25.9.228
Destination IP	103.25.9.228
Destination IP	103.25.9.228
Destination IP	103.25.9.228
Destination IP	103.25.9.228
Destination IP	103.25.9.228
Destination IP	103.25.9.228
Destination IP	103.25.9.228
Destination IP	103.25.9.228
Destination IP	103.25.9.228
Destination IP	103.25.9.228

/tmp/b8a9cafe1f996d706e621486868238a8_JaffaCakes118
/tmp/b8a9cafe1f996d706e621486868238a8_JaffaCakes118
1⤵
- Writes memory of remote process
- Loads a kernel module
PID:2476

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

/etc/cron.hourly/udev.sh

Filesize
146B

MD5
ddb9a901eadce597284d68ebd9fe9311

SHA1
1d26318bbe55f2f936ae1015df656535427083c2

SHA256
3bb8ebd394bcaea3f083d93daa3c3bcf918a4618f84ab45a1942759d16b070fc

SHA512
e94bd51f02c323d2376e666a9c56a87c2f55d1805b44762d4bc6d5d60ca52e85ce996ba51142213ba783ac858660a3ba254988215b0f4d398b1e99bf132a5d1c

Download Submit
/etc/init.d/b8a9cafe1f996d706e621486868238a8_JaffaCakes118

Filesize
495B

MD5
511a1c363ffe51e66e566a31494a4f91

SHA1
419c4bb7f7827fdb13553faaab37965a3148fb99

SHA256
60907dbc385725fddee1f497a672713082ac1d8c85f55b19e25805142617477c

SHA512
7567b728ccd9399ecd87350cb39000944a1ea2e55b7687497e542d61ab2cd1fdb92c676649f475137ddeee3b7bf0089192d85e8641df089ce01e8ef5fa1e4220

Download Submit
/run/udev.pid

Filesize
32B

MD5
b5c21ef6d3d7706c93f2662d82a91c19

SHA1
722ad1d7d503d9cae3b921fd79b2fede4b8d504c

SHA256
e3393d9b3c72221ef4d94ee096302e1cef193461e53f77de233751fcd3b677f1

SHA512
4c5f9d424a071822012e6ded512c8523c9875097873cf2dce2d771cab0a55f599b5fbdce1b6dd3c0746a5bfe7f6b47c4307545d3d3b8f0d27f7a9ef0d64d3f2e

Download Submit
/usr/bin/atlwlmebqy

Filesize
596KB

MD5
1ccc246cb567292880e1a9a81d56fbf5

SHA1
295634bff90d1322b01670c5f55c39ff8ee3cdc3

SHA256
66b3d8c42db7d84f662b5d9b57dfbbe8f7fa62558294f63575ec1181a93a858a

SHA512
ef0d3e361f62ce5fc9dff63e3b135e9edddf199c22f9b474a71a4372ddbb1bafac9d451902f314784ed4b06335a968b6571ee94f28df70c1074b5d1b9b080fd2

Download Submit
/usr/bin/bivnpkeztx

Filesize
596KB

MD5
790e5786cb6bfb5004097d33a20793d9

SHA1
fe8b02d4404a6ee76931ccd9dc8baf00eeacd558

SHA256
5bb4f738fa8126815839171b1b96a1a0a72384b0fa47eb8a0019031f5d6d9cdb

SHA512
9f3d11ff9509b07b3c3cc4addbc7d22b1b796beaf3d025890ac3b2f0364b7097c70fcea75c11d35672436e385d88b1643fc72189a39e0c7376170869728acecc

Download Submit
/usr/bin/dlolcwazre

Filesize
596KB

MD5
932e1961b888ad97cdb3f93bdf164ecf

SHA1
c4c21fe6ecce41ff63b518b02ad56de847d41181

SHA256
504851e48b740bc19148724193c6d6cfd1976de2ed7d5f3ea3c667ecb81c420b

SHA512
2156020ae734c3ce2139ec47a257950d0cc9654ca33be4f931f4eec1671b303095f586d2ea621db5e2635e3f91d569b57b6819e7d6749f6d8c54a047a4643c83

Download Submit
/usr/bin/fdtkhxgbcq

Filesize
596KB

MD5
058f95ffb6c6889cab69e081958ee0d2

SHA1
8944c589f8223252ac7f059f46df167a30e59afa

SHA256
e41e33c123abb1f0c8eb9ca17a8b5b14591cb8b6b1075e4fa297e8e69c0f7da7

SHA512
1541a39596fd1f9acf48048eaa31888d1ed22ccafd9f4e177fbdb16f23c3430288787018bc68d36bd1c4e62a7ecd6e7c722fe7e23e18f81ffe3bacd439f58b7c

Download Submit
/usr/bin/fxmgkymrkg

Filesize
596KB

MD5
e37babde102365c2f728dfc8e93f4d71

SHA1
d9e8bec105f75c626a3d54b81afa5473dd7e072c

SHA256
9302dc9f9b110ef3774b3fe02e51c352792da7ad2361da6cd10cde46a324558f

SHA512
d023a1624f52c6e3a63bcc90ff7ce321034e18eb2054cc751113e49ef41640ec5ed97631582786c617593c05b47ba7f35b0e71e181bb8669509b2417f16805a8

Download Submit
/usr/bin/higivyniyk

Filesize
596KB

MD5
e5e3b9bb683f718f08ad7aa2b651293f

SHA1
7ca4c6dcacde9423f627bdfd21a1df881bc0a370

SHA256
b327e0b90cd57dc91fe73e9460a4ebe886ab91bf7514816c031fbd4ee944680c

SHA512
246183909a19f17f80caa63ade2d4cf807e810e66d52796244b9b1964467af7f4ce8b4cf89d7938a780ec082e0a5bdc3b014bb7f99ec4e6fecb8701b834431bc

Download Submit
/usr/bin/hswdgswiul

Filesize
596KB

MD5
a3cf436fd721014f61ea8ad93452922e

SHA1
53ab5a70797548f6edf91ff8ed6bf0db91cf56ee

SHA256
7373011fd3b9c902b620e2205711c042a5b44814f16b554d1ae4ce433b034978

SHA512
d88e7b000c755af4edfd1e6cffc797a941346b571ef72ec20a299923e0def7af79dfdbdf59aa30e557c7b9a0b0313d5e5972f7b69fe39cdcb390cf62cdfa38cb

Download Submit
/usr/bin/iuxhndpglm

Filesize
596KB

MD5
1c343380c436e35e1478a8f9c9f86fca

SHA1
f12d0584ec57f9e1f83048dde74ef296a359f3ef

SHA256
fa74dce25354c4f46775c2efada81c1698ddc9197c6057cbb68077794d8807f1

SHA512
2f3f2dacd8333f41f8a0c96dde3e88060f25483d3dcb02ca5d5520ca25a0142d3946f98bafd4d2762286979b6dca45a1ac3c814176bb8e88c0cbaf9e852b5e74

Download Submit
/usr/bin/ivyzrerwyq

Filesize
596KB

MD5
53571d2b18fbd2d343fe2f21972ece0b

SHA1
4a673d031c2fc2abd8a8d16d581a9318e8897375

SHA256
dbc3ae1dfcd93aed670b871e1d442f45d2f4cf9addbb8de9444561dce1a78e5d

SHA512
cd5dfcf03d8e0f05214cb4f984567b752baeecfa71abf79df16efb038f6fc42fa37507512b746a620cafdd145cd2686a774cc9d7aaf3c67f3bb4a08ea5d23a27

Download Submit
/usr/bin/jotiyuezgl

Filesize
596KB

MD5
db0471598c68ea8aa4d1c2825afd8190

SHA1
db165bd024dcd3ae043b40f3b06857a584e541f4

SHA256
85b94afcf87231c956496da35a2eabc4da7241d4adceaeac4d192b4e256cc9a2

SHA512
91e38a94090b1138e0e79407cadf1bda7c44716fbb39611f2e7560dae49a3e61ebc1b30cad08a5aa654f7a7d2f25663542a035b0a14e977bd0b93cc322ffb4d6

Download Submit
/usr/bin/kjglhomebf

Filesize
596KB

MD5
ea8bd53bfe828a57a6708fb53cb79a7f

SHA1
487dc3d256f87c83a926a6e7825a544f9c00b1b5

SHA256
1ec9e134b3c0b99b0f6646123d366903db4e082c1b0d5f5d1a7895a11f963144

SHA512
f0592e5455af51772823cb1f48322d75565ef874b585ea247ef4a44e25c3115df3803f25a42fff7b5bedeaf29fd799275aa52996ecbf96296e84efe7332c499c

Download Submit
/usr/bin/ljdezycfmb

Filesize
596KB

MD5
e99fa593f1dd311ac2dc88b7cc756e86

SHA1
02d0e45e7f16800ab00d7649747ba9807e26a305

SHA256
e8e222c34ed5c6096b9f616aa24a2fae5579484a9d6dfa56754debcb3563ddf7

SHA512
56593471c1279d7822f3c6f9a355bd036224eb3a5e6f0e6654faa172da1dd3932f3829a544216e113a66dd63b596d0222a1fa5186f9d7d30e064e5db60f59f6f

Download Submit
/usr/bin/ltndgrumlq

Filesize
596KB

MD5
c456576d156b53e64f5749d81dbbbb8e

SHA1
969803952d6987ca9586627618e115394cde7e31

SHA256
4fadca95d9e7b362f03483209ece645daecc93dd9faeda2acd613272d460b433

SHA512
7bdcb00868e93cbba4a50e291ea659fb689051e8308948d828ddea1a6bcfd97b46b3d5295c907a4b197297174dc88cb7e64a1d33adeb0426b16780cf5e9fad27

Download Submit
/usr/bin/msrretlwra

Filesize
596KB

MD5
587ec891b0e0b6e5fe93207e60d95a5e

SHA1
bd1be5918b31ae5b4c921097f7c81d7b13821931

SHA256
0905e2d7210a5e52c6d101d59fe5a34f78be84070b7c03327eb6e5ad6648012c

SHA512
1457c3e227e4387ccf348c514d3ab1218f58238d46b934ff1aee7c6916185eda786cb3c25f0fbc9c84be9ab6777f87a454b3096d1473b16061c4462f41b9bff3

Download Submit
/usr/bin/nosgirnwup

Filesize
596KB

MD5
b437fd4986ddfc9066305560f25164a4

SHA1
9b2d125e681116c621d592910c9af097f28a2fd3

SHA256
51a7535642268777fbe8a3168202305c4bf44a265fcb9f9a8d6f83e27f4e2f30

SHA512
f99a5ced40844f38e560598ba8afaa1322acf18fd33a2a7a7b1f428d5d756093f3d2c49306a6caef7c56ec85a1c10a0a44345201e40a0d28df41d57c76299521

Download Submit
/usr/bin/opmkkbfwzl

Filesize
596KB

MD5
f5b6c0b429fcc1b1368812928fe44bda

SHA1
c1f887d8fee6bf211eefb3a0bd4bab9ef05aac52

SHA256
a618fd8400a7c5c07ceae430acb9ad22acd27bb3b011a5742fe0759eb71fbcf7

SHA512
3918650891d908ab9d09050e3afd5e2c8a639539afbcdf14ebdd1e76b10352e6f964dd3c1f5ce66f44118e357cab87e2475dcc93d9a9e553ffff7c38b7d96ac2

Download Submit
/usr/bin/qgoupijhzz

Filesize
596KB

MD5
b1d48f75f0dd8a915f22b0ec29ee2cad

SHA1
4ec464ec87104a84e9259f336e075dc8e7c4f31d

SHA256
cdffcfe3f72a7b450ccdcd538ecd38fb413cd8c1277b285ac6480e8cdd8a488a

SHA512
d70b220e8de9abaefca1eacf207e4e3e6efed4a35316fd3abb4a65e0a43ee1e38594fe87630e1b27ae7cb359b14ec865a29996112ac7e50b1cda18e1ce5395ce

Download Submit
/usr/bin/riyyuoyyff

Filesize
596KB

MD5
c6e8b78cedfb527054e65142e958baa0

SHA1
69695e58d492ffb8912297e4c9b7a014e6cf04e9

SHA256
e730781bc94ab6fc3a1b01827204337f59138b4a7367d1ffe37ab72ff971e375

SHA512
fdeea84b377b4b1523dfc917ac650fd3ee6d4ff9c149b14b469433f2797499034e85719ce3b8876c9150f7b3fe22dc80fd3052838e19f57d373080ab00750798

Download Submit
/usr/bin/seqpibocyb

Filesize
596KB

MD5
63b96f8a31caff91c7cecb542833f53c

SHA1
e1df529d67ca5ee4e40f813c10dcc1aa28717a9f

SHA256
9ab46468c58d8848de127ef1eb1634ace3b781ed4bfbb95438d1b3ef95ea40d4

SHA512
16c2a368853751156c9256b801a3ed374520a4f3b4bbb41b0cec98ebb20f1d3ab83c56efef3f2338588d810ed11dabea8991b2d3d4dbb1b3e42c6772e0a847fa

Download Submit
/usr/bin/suxxgkppii

Filesize
596KB

MD5
9d4b93e43678f008c503f6164e9c9cc8

SHA1
a1d1407d0636a5d87050b71ec7ad5f9c1e8fde64

SHA256
5b4329563fa93196340b4852b17fc419edf08cb3294bedcecebb14beb222a4cc

SHA512
0a06fd945414c0ee531c4e92484f3bbdf0970f88ef0bade174f1fa0b0d5adcfcc25abe63dbe0813b83ecef5d1f086c476d77e4771f1005eeb6a1d6ea94dc8d06

Download Submit
/usr/bin/ukbrysefel

Filesize
596KB

MD5
8e349feca0e3f7061e9b3f849ef4823c

SHA1
e62880db447479eea7a628a3f07a077672cd04c3

SHA256
dd359a0ad481d462de67dfe8b8abaeb4b1e9c30bb72804bde1edc97bf5b8ecc1

SHA512
1ff248846c01a2252243954e6fceb10854687a161696b81a0c9568b534ec7c9876997def9db4483cfaefc2c60d5af708db055ef15347328d906ac9b09d9c7ece

Download Submit
/usr/bin/umergjukas

Filesize
596KB

MD5
7c4f72768370e121fe60348609c4b13a

SHA1
51f721c6c8889f9091dd824505e1f97a461c6949

SHA256
fd7b4c0a0b4b6af606741133d08d6c1eaf6ca7b9280c91d8ed7f516ab3ebaf94

SHA512
a32f055e459a709b4af986453c9cf826fc1042241919df0eb17924de46b78bcb23c57e23c9509bb0160c2ab32e667f95f2abab393935e04eb1ef61236807082a

Download Submit
/usr/bin/uosbwzeras

Filesize
596KB

MD5
6f4874c7427f6c8722b6f50e771c275b

SHA1
24de3952ebce963f6861e34aa5ecfb507aea44d8

SHA256
cd6fb2df0706ea26736352c1846189051c21074bc63acd91e9204ca7c24474c0

SHA512
48b3feffb299dca42c68c5485ad945f385f70d3b4a527f7214d98a5f648639c648ac308f335ac500b722aadce3402ecf2d27bbd2c5bc049e0fce77002bbf3c63

Download Submit
/usr/bin/wwmidjsyen

Filesize
596KB

MD5
366918c8a14d66d1d055fec2d7789682

SHA1
dd7fff803f6a9f51b8cedb7be4e9e50df644b816

SHA256
d5e108779843580a0f5651bb0ad3bb287aecb4d2729ba2e0d9f8eb4ca834a500

SHA512
3fa1dcb2bb95cd58ff0f00f8b2ac9f06f4d5474359ee9fe00f9500f84a988412fa1bd759a9773156829e04c9e4219e8d388bb0aa53778f596f69dd8596ac6d89

Download Submit
/usr/bin/xwfvcubtig

Filesize
596KB

MD5
962bda8ae90dd62238c80a666e31bbba

SHA1
b20330e1563526748189a16c0b7730a3df58926a

SHA256
bf3ed157fecdc5b1bc124d7d730c0479eae4940f7b444df53f9824b06bc4ae66

SHA512
3c6daf3b558ac1faead877652265f0f1a6a7360f41314eb491687de4777c2fdf51bf98503d6f1aa6abde64b700021bdcf38ee2e48267154d202d66c4da4b8cd2

Download Submit
/usr/bin/xykzhibhxa

Filesize
596KB

MD5
df163bb15f2c4a98942da9e450d97e4c

SHA1
34047944be8a75eab485b0c849dbf5a0d9b8ab71

SHA256
f0e94f7f0c302cd6b3208924d3dd85122e788621c2a7539024b41340bff57d57

SHA512
a661c0ea6d819a6376a115d33a6a88f6530e1bbab6df66aaf1938b28b551ae0da63fda105be95649312250f7887ab290143401b65802cb795dbee1b964a5ec5c

Download Submit
/usr/bin/ykokcdkznx

Filesize
596KB

MD5
fd497c4117d3fc092e1febbffbbdb572

SHA1
13f0671049e30c6ee1cad851ce35b2f6e8458c2a

SHA256
21486df9917a7b1f8955a0979ef94c2c5f04f2c6c65bfff6ffb3d23425d1e698

SHA512
4493a3373af30d515b9b78c654edb32fee45e660c9df56a84f0468f207f3e052d4cefdeff88032c7540869c3a45d24a88e22559a155d0bb2f53d6ee29d2409a6

Download Submit
/usr/bin/zcmumcmqzd

Filesize
596KB

MD5
b63cc331f7a12f865ddae48ad521318b

SHA1
5e052136eff6ab0f2db408845c7f7da9eb49e187

SHA256
1c2a9de88baeacf088a8618321bc24c823514c8adb98d08e11ba5c2846064104

SHA512
9ff6ff7d030bf58546ed3c92d79f7211e2f9ac69e88593408192e15a55d9c5c4144c0ed30d2138620979ba988f15f9a4c84b2efb19c656de1a1edde3c3cec80d

Download Submit
/usr/bin/zvlutkfblp

Filesize
596KB

MD5
9e3c503d34f660278fc9d690c66893e2

SHA1
80738fc82afd6ab0ef9cc6c8c40ecf38efda4db1

SHA256
c3d0b7f134d40002f7041b7d81dd8dbbaafd2099372dd98a315075513e103805

SHA512
2547acf2faba6afe198e2002a50a85fcd529a582576dff8b68f632a96eafb02cba7581d012eff16fd68dda490a394eee14b6dd21a787104ca7ab84005fc47b5b

Download Submit
/usr/lib/libgcc4.so

Filesize
596KB

MD5
b8a9cafe1f996d706e621486868238a8

SHA1
6138c9710cb4e6a7587f4090d2bfe42a1d4e2dc8

SHA256
c4f2b7e9dceb0cfa4f1c21785d148f748906daa12a0bce084bd766e3627cb397

SHA512
b3d1c1c195bf117c6c0945327fb86dba81178d206b7c96b4be2c08a6fa7250d52e0e59cb3ceeffdc99b59baf19205ccebae2a02c3954d824207a54e8aebf24fd

Download Submit