xorddos | 1dc964938e1e3401092f6872bd053a99b2154b8ca481ea8dcd5f9d23781f5a11

Analysis

max time kernel
119s
max time network
123s
platform
ubuntu-24.04_amd64
resource
ubuntu2404-amd64-20240523-en
resource tags

arch:amd64arch:i386image:ubuntu2404-amd64-20240523-enkernel:6.8.0-31-genericlocale:en-usos:ubuntu-24.04-amd64system
submitted
26-08-2024 13:30

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

00e7122e581622802dab4d3e4ac463b8
Size

596KB
MD5

00e7122e581622802dab4d3e4ac463b8
SHA1

430442cc603d4a6fb331bf165c2e507aef2bb03e
SHA256

1dc964938e1e3401092f6872bd053a99b2154b8ca481ea8dcd5f9d23781f5a11
SHA512

4e421c59008ccccc67cada14800bc885f138fdaebe0f0cbd9ae7d398bc1babd1831807752e290ff410993e890d265e14e6867e4040aedc6cd5f54f6692a10557
SSDEEP

12288:vPTJS+naeW9kclFEcMWbHdxZ7GkR2fh/6y9P/YAh7Dxu9hc78:nTJfrW99q4bHdxZ7G1fhFND4Xc4

Score

10^/10

xorddos botnet downloader rootkit

Malware Config

Extracted

Family

xorddos

http://full.dsaj2a.org/b/u.php

v8602.xffer.pw:60002

Attributes

crc_polynomial
EDB88320

xor.plain

Signatures

XorDDoS
Botnet and downloader malware targeting Linux-based operating systems and IoT devices.
botnet downloader xorddos

XorDDoS payload 24 IoCs

Processes:

resource	yara_rule
/usr/lib/libudev4.so	family_xorddos
/usr/bin/zqigzoytci	family_xorddos
/usr/bin/daxqtpvfzn	family_xorddos
/usr/bin/nlycusdjib	family_xorddos
/usr/bin/hjdkgpgjhx	family_xorddos
/usr/bin/bmmeguruzr	family_xorddos
/usr/bin/zttsbirfyo	family_xorddos
/usr/bin/jotiinmkko	family_xorddos
/usr/bin/xzchngngyr	family_xorddos
/usr/bin/txhlrctezm	family_xorddos
/usr/bin/ncmwaqdcmn	family_xorddos
/usr/bin/dpafbwnhmd	family_xorddos
/usr/bin/eyikivxtpl	family_xorddos
/usr/bin/czkzuaburw	family_xorddos
/usr/bin/cochggbnbp	family_xorddos
/usr/bin/xgmztbrhev	family_xorddos
/usr/bin/tsbuzktjvv	family_xorddos
/usr/bin/algmlysfld	family_xorddos
/usr/bin/xawhwcvuvh	family_xorddos
/usr/bin/pbydpxdxpc	family_xorddos
/usr/bin/bmejaztrwd	family_xorddos
/usr/bin/hvairgvvdm	family_xorddos
/usr/bin/fribetdtfw	family_xorddos
/usr/bin/oaufblrmbd	family_xorddos

Writes memory of remote process 2 IoCs

Processes:

00e7122e581622802dab4d3e4ac463b8

pid process

4066 00e7122e581622802dab4d3e4ac463b8
4078

Loads a kernel module 64 IoCs

Loads a Linux kernel module, potentially to achieve persistence

rootkit

Processes:

00e7122e581622802dab4d3e4ac463b8

pid	process
4066	00e7122e581622802dab4d3e4ac463b8
4067
4073
4067
4067
4081
4078
4067
4067
4078
4078
4078
4078
4078
4078
4078
4078
4067
4078
4078
4067
4088
4086
4090
4092
4094
4095
4096
4097
4098
4099
4078
4078
4067
4067
4095
4095
4096
4096
4097
4097
4098
4098
4099
4099
4078
4078
4095
4095
4096
4096
4097
4097
4098
4098
4099
4099
4078
4078
4095
4095
4096
4096
4097

Unexpected DNS network traffic destination 12 IoCs

Network traffic to other servers than the configured DNS servers was detected on the DNS port.

Processes:

description	ioc
Destination IP	103.25.9.228
Destination IP	103.25.9.228
Destination IP	103.25.9.228
Destination IP	103.25.9.228
Destination IP	103.25.9.228
Destination IP	103.25.9.228
Destination IP	103.25.9.228
Destination IP	103.25.9.228
Destination IP	103.25.9.228
Destination IP	103.25.9.228
Destination IP	103.25.9.228
Destination IP	103.25.9.228

/tmp/00e7122e581622802dab4d3e4ac463b8
/tmp/00e7122e581622802dab4d3e4ac463b8
1⤵
- Writes memory of remote process
- Loads a kernel module
PID:4066

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

/etc/cron.hourly/gcc4.sh

Filesize
149B

MD5
4bc702c21d7b2bbb32638e37ec6c3943

SHA1
6b097d447b57c10f10f67ccd5efac4e4d39ddd38

SHA256
f702b3fd1837f30a23c74d5605e0c9cf79a480b942ef7d3bb9f79d448101a8b3

SHA512
19523b3e006eaa41a22a6af5ad1d0b23adf7eb5c653e367229b2d6bf69066a7630d637ae4131e5ae98e63434b00f6af5bef4ece54d7ad66d5c92b8f549f5b3f8

Download Submit
/etc/init.d/00e7122e581622802dab4d3e4ac463b8

Filesize
425B

MD5
50f239739bd9c70f91e987d34aaeb90e

SHA1
91856c463997ad41f440b78c937659ff20bf8bfe

SHA256
4fbb0a818bbda58c3d51810377292251b6e5581735eecca103bbedb452bc69b1

SHA512
a53eae1478fa778df574a8a34177a3ab4844d14254aafb67648a114cb60de8a073fb0c86b05b4058196b81479a91960bf6f8a36ed2f30aef7716b02600055f7f

Download Submit
/run/gcc4.pid

Filesize
32B

MD5
9171d0148e06717e0a138db6894206c2

SHA1
a3cff74031362e1957573acf3888dc09f0eec14c

SHA256
d1a3ff3f88fe00162fc1789770c4c777a18141c29ef8c7e24b45085ef84cdf3c

SHA512
ff26f683f8acd6662ad3ab58b4dd85d3d65e0e9f12b29fb94a05f0b9ab8f1ef16a6e629de0e389a0df3aee20c701616a0e0703fd96edc4af6b1566dae3c33389

Download Submit
/usr/bin/algmlysfld

Filesize
596KB

MD5
236eb2223f3a03734a41c7fd524a29fd

SHA1
0868f16f67dbe6e899210f4484cfbadb9b7463c3

SHA256
23a9dec0162067f05f5168189d57dc6fdbcdf987cc4c825e1491a0cdad0fe3b2

SHA512
6eaf5d083dd7ddaa21ed5c5241aa575f138f30b3ba22fa113a986d9879a90f3b38f28303ceeaa4ff89b76e1c3b4abeeb2905229ba283c7f26c0747af569d9369

Download Submit
/usr/bin/bmejaztrwd

Filesize
596KB

MD5
6e75e2b9e76256da0a81fef877c1f522

SHA1
f4740ff4c1d7a6ced9e4e31c3e8be31f3730b63e

SHA256
088b7ce1344e2aebc2ab89aa18131a9200d23a07127d50b03e989c79d9f7ad8e

SHA512
c0f125ef7722f0bac713d09197fe11bffe70d9edd646c0963dcd49dfc0205d76c281c958882fe72272864250e2a41cdae742f38fadfd1701bef99bee645d23cc

Download Submit
/usr/bin/bmmeguruzr

Filesize
596KB

MD5
40b5fd0ea5ab4ffb0f5889e7ec177c3d

SHA1
2f5d91849410e2c9a5ff5f5496ea6618b91d5720

SHA256
467638c76f7ef6223fc0227b05ebf43278f964b25ff12a8288f99cd6804b71de

SHA512
6877e163d05499950aad2d9615739a40c1eb4e3b2c46939f4f640c41aedb2f137ccb6c8261bc3e9031bdb687cbd7d4073881ab6794e26467ea507733dd56a3f9

Download Submit
/usr/bin/cochggbnbp

Filesize
596KB

MD5
13154d2893b332adfd85f26a51627f70

SHA1
425ff187df3c951d87046fb8a11684a7064ab2bf

SHA256
0afb3ee999b0970ad41913eed7afaa35a61e7e32abb62d578dbc56cb4f0e73d3

SHA512
644827a70a33aa85b0a614f7a13f83554f258a09fd909b3c45f52006bda38c631ee1d661c8a5d3f19f2ac92a03f9fff25dd880e2b3b328dfa0bdd7c4cb119525

Download Submit
/usr/bin/czkzuaburw

Filesize
596KB

MD5
a7c9e34f5f4424a63f875cdec0c7cdc4

SHA1
e602c4ec725620966b96e02cb38da2af8fcd140e

SHA256
c3ffe712cf62d3c9f7eb6b616993d0e486fbfcf027e1431d0c2388413cec9db0

SHA512
6ab29a08efda5f68f602099bd0fcf5715373b69e2e69de8b1f4e40531713603a2de15df5ca35f1be1c414d16fa120a680778142497d2369c220fb1fa0d65b43d

Download Submit
/usr/bin/daxqtpvfzn

Filesize
596KB

MD5
e37255b3208a4e9e4d9e130ca3959761

SHA1
3176a5fac6b12187d8ba1ecd539ce8bf903ce3bf

SHA256
f059d278f05189b72e1b372a1ef8a53d583e19933f03218627e1cc04d3df0658

SHA512
1266e5df3de9e6837114f604038df02159bd751cf10a6f5175f799036e62c7f8518aacafad54966bc6a3d0bc9ef5a3fca40f99bfbe59670394b964842245e3d6

Download Submit
/usr/bin/dpafbwnhmd

Filesize
596KB

MD5
efe1f7d9f5209b7858179344a37970b5

SHA1
75283dad90902b1e18b6131e233d8e43e3940523

SHA256
8d36da9654bb61d452ab6953f92457c5372525a95cd898c9e13a6c09bb3efd65

SHA512
f9c8b2781a7c84cab1a984c764e62b522f468f1dab32c2d9aadc763102e5ce0a014dc0fb3ecd4df4685429e6a0f38bbced275ece79b93f2c6153989c56bd5477

Download Submit
/usr/bin/eyikivxtpl

Filesize
596KB

MD5
3728432aa1f9973a275b69a56b440f67

SHA1
b0d00cd82f40caac5de72467e6d9366b8400ebd1

SHA256
4e0b29b66b1f73ff7c81937fa662f306f45b807a6f608fd268b003a531f64674

SHA512
ab708b3c8d475c7ae4adfaed6d8ef18c05fb8985768d6ca56ce3f7dd9d940ed89aaac18e0607af323d634edaf74f6475566387cebbdf8fa4e977ce267b10369b

Download Submit
/usr/bin/fribetdtfw

Filesize
596KB

MD5
b90bb24aa10eac87fe622d8985375b8c

SHA1
1f1af813ea8955a0fa8bb71fe072f95f647d8c28

SHA256
116acecd720a06de6966cf22b1bbcb977a27e7ceb5b27ff243d168c011df073b

SHA512
b7b19daa34986e274e178bd49d6558a23ea1c6ec9858ac23ec81b2ffc4fedf32549d0b92fdfdc2c56b498bd588fa6fe564be8f1719c22b6d87ab664bd9e16d68

Download Submit
/usr/bin/hjdkgpgjhx

Filesize
596KB

MD5
4ce3c73f6ab09a9f650e6ae543070b67

SHA1
8949d49a1bd11723c99c6e2e0b063d3bb00b723a

SHA256
f226bfcdaa4b78b2090538c972b6f46b65698c3f117295491af2076ff40fa717

SHA512
f1ae70e02d9aeba43ec6f42e859c4ee284d33c5e7967f8cd14aee0f8d4962b060d4c30961189985d5ba024cb172805c9694b27588a55c97dc660afcab46d1474

Download Submit
/usr/bin/hvairgvvdm

Filesize
596KB

MD5
115d3a81ce73395204ab098a77816916

SHA1
b0efff03b752da7250b40b6e34ea91b4e125b3d5

SHA256
eae7c6ba97ff08bb9073b404cbaa2eee2c06815186cd97f3c95c8afd5ec292ff

SHA512
75589b906245f23c36a9ce2edd16112cef3e0595c848f139edf101a33c528e22bade0284adb02cfac099b07c97e568a88e7560280597a91b70197adb1d11dc3a

Download Submit
/usr/bin/jotiinmkko

Filesize
596KB

MD5
09c924ca6f331009d335c35973716900

SHA1
4c7c53964ac4b65f760190c0cc3b152918f68ded

SHA256
1f235f43fa66da4d2d72a8b07ac66e58d45475bc6a16d86be9a1dcc1844a7ea2

SHA512
5786e617ffe1792ac2e400025086a9de1cba83446aec56da1ed7082899d5765801741bca164731c00722b2385d6828d8cbd437e79fce900c84e5154a68301dda

Download Submit
/usr/bin/ncmwaqdcmn

Filesize
596KB

MD5
3104b9f69bfb0d15737d504e5553e97e

SHA1
c5410cd6f121f1a2b5402ccf2a467edb387d3e38

SHA256
9c2aa7654093eb8af9309903d21ce11704854a2184854c4ed166a429259bc134

SHA512
2891ac556824a20295451a438d69dbb700bb8821bc2d86ec22419c4a37f978fd72597938ba6a3fc49b8ee8659764f684a0474ed98886548eaa2089e0659d79fc

Download Submit
/usr/bin/nlycusdjib

Filesize
596KB

MD5
1d627b500180db9b9672f18fab2f5b57

SHA1
89455f2e5e4779943f6e43c551de770a630f1241

SHA256
2df913a3801f6ede3d5cc324d9ca4639ded05c26d72020a473b51f1cfee9c45f

SHA512
9ec061d8e79ff4150d2855e1f0bac40d7640c18f6ac9a98a36bd908a36f3bd8d88b3935c335f11c43961204772ac61f991ab7d3b3e282e0be84bb6d6b562bd5b

Download Submit
/usr/bin/oaufblrmbd

Filesize
596KB

MD5
5452a63412607beb5e02960085891307

SHA1
e925f7f1b3b7debc17963f52aff13ba00777186f

SHA256
cfad878057679929743033c467c7d5e9f15d3ee167a6f2d2b32db71afbf738d7

SHA512
99f4c456b5e7bd3997382d6925d9ba571238cd1c7e8454f6920c021c0d98695ec7d2886240b53728f849a53a113981089e23ff94d5082b0df10fd7c12476a8fc

Download Submit
/usr/bin/pbydpxdxpc

Filesize
596KB

MD5
c5890b072b165d101219b0989bc1b554

SHA1
292262463f9cb992754e6a57d647d76181b12fda

SHA256
38559b5e6fb467bb60f80b162370cbfb09561e92450b68b88fbbafa79e62910a

SHA512
99104edc01bb41bcf77fe49fe7c488d8b3a225c9565c800f2edfe23f5eac5eb2cb1f71bae0709029ca53d77250a1d764d9c8b166664755e3ae7e47f91b06ae18

Download Submit
/usr/bin/tsbuzktjvv

Filesize
596KB

MD5
c2a10b9736ef2dbe73e75103f7daf204

SHA1
7bbe40f3486534124efe04db22205bda968167c0

SHA256
bbbb88982e2e600ebb708955402f8262066cfca6ac942956c70413111cf3b008

SHA512
ae60884d489e2bf2b33b153c036afe0d5b75fb6d5ca6678e7e129e93a8486ec591eb10a59ecf1c0b46bb7a54a519c96cf6fdc5ce0d0ce5a1bda749058ea471eb

Download Submit
/usr/bin/txhlrctezm

Filesize
596KB

MD5
85cebfaf725fd315b334b22047da2d0a

SHA1
9feb90f4d35c29ef07877139e7d3f8fb76fe2152

SHA256
958d38ae9418e406ba843286deb9b5fc03c2b612dd6527a871bf2fc794c2d932

SHA512
58ecbdadded7839596234b2028e90e0e0b44dbb986c64ef549c4eb8e998cadb359a50595f827c80a479018bf05cc2f340f9205db7106184c0d7f162753cd4e7a

Download Submit
/usr/bin/xawhwcvuvh

Filesize
596KB

MD5
7783f066d7850bbbd1136fb738d643c7

SHA1
af99cc2de91517da4c3bc10334d0311a4979751f

SHA256
2c8685ef6317db5b638da99e7677d62f63ff1f03b18709a46711f80e29d1842f

SHA512
6b29097d6074cef02dc2ad5588ddc945bc5a2b0d72e01a0c3718faed3c3021abd0f35c422cb59ad45cc035cac5bff1210b580299bc2b1e3ed095e43c31577fb7

Download Submit
/usr/bin/xgmztbrhev

Filesize
596KB

MD5
f03a16b8db84017c3060c3ffff0f7da3

SHA1
8512699bd298a3ab0287c207ee379778854333c2

SHA256
bbc1e237e82f3219957df8da25b308216e6a57fc843a4fc394b86f46228131d1

SHA512
1aeae106718439b85fb24ec26ec1ef90f49e74675b6430a6fbc4a127821ec9b3bd8b383d67adb5fc000abe93db9090d2ef81287bce2d7c66300da2fc6afe76ac

Download Submit
/usr/bin/xzchngngyr

Filesize
596KB

MD5
d12c20d85df052457089f1d4fa76f90f

SHA1
d8a5c31be7d0eacc899a693059b1347f23d83d55

SHA256
2898955f2920dfd3d43c1f69c377a41c0f33c8a139f014d3c1519509392ab8f6

SHA512
e9f552615e5d6e56364545e83b70f5645c644fab296df7eca846c02c3e4c1a47d81aefe6cd040cc419fcd732bf21bf82bd1d9529f4c16876a7a9067ae327d787

Download Submit
/usr/bin/zqigzoytci

Filesize
596KB

MD5
d5a754c7ee7f6d3ba9598dabc368f34a

SHA1
1a9a75398a260f47a509a3c6edf664bfaed8bfc2

SHA256
59512820b6a3c6dd25e98d7019161fe9d5250a855306e8a2b09d3449456cc9c8

SHA512
244c590951db46ed03202d774357d4d2246fb338584d4a81ed9694c11e50e86270568600b838912260a16886b8480d64e2d140b163d808721262c1e4caa30ac0

Download Submit
/usr/bin/zttsbirfyo

Filesize
596KB

MD5
cf054626adabeb6c95fa556d0047dc8d

SHA1
65e66438983ad0b6d97bd6f3ff713f08a66a14e1

SHA256
1c7bbb129303420c90ab888efa827d24e65a450e2f737da9d57b1f61afe92355

SHA512
c0d0213ddc9bcd85d4ea795a908a644a48ffe729b536c3661ddda19ae54ed9a4a1a87968caeed6ce5a6b6a54fd97ed005af89bc1b86b635170549306f3b3d498

Download Submit
/usr/lib/libudev4.so

Filesize
596KB

MD5
00e7122e581622802dab4d3e4ac463b8

SHA1
430442cc603d4a6fb331bf165c2e507aef2bb03e

SHA256
1dc964938e1e3401092f6872bd053a99b2154b8ca481ea8dcd5f9d23781f5a11

SHA512
4e421c59008ccccc67cada14800bc885f138fdaebe0f0cbd9ae7d398bc1babd1831807752e290ff410993e890d265e14e6867e4040aedc6cd5f54f6692a10557

Download Submit