xorddos | 9b406407b0987f4d6eb84e8dc3ed65cc27e36626729db7d6e9e5899df11a9b22

General

Target

d5c672e7727b4e57143b3f2032d159c5_JaffaCakes118
Size

544KB
MD5

d5c672e7727b4e57143b3f2032d159c5
SHA1

66fb6f627f9da433a851d4c782bfcc5486bfc881
SHA256

9b406407b0987f4d6eb84e8dc3ed65cc27e36626729db7d6e9e5899df11a9b22
SHA512

8e14a9fc159dfb0c2a2afb7373be35b2cf45a1c576d8ab7fc4db444984b6d05c7059239b3bbf7315cbeb2399a79fdc605488bacfb0b26f187be1f93ec72f1be4
SSDEEP

12288:JbinNy0Y1nvEtXBx6DkkJmAGyPexU279WnjVZ6ySWK:1iNy0evmxvkJmApPexUm9cVE

Score

10^/10

xorddos botnet discovery downloader execution persistence privilege_escalatio

Malware Config

Extracted

Family

xorddos

C2

topbannersun.com:3306

wowapplecar.com:3306

Attributes

crc_polynomial
CDB88320

xor.plain

Signatures

XorDDoS
Botnet and downloader malware targeting Linux-based operating systems and IoT devices.
botnet downloader xorddos

XorDDoS payload 1 IoCs

Processes:

resource	yara_rule
/usr/bin/mhbrqjdxdppot	family_xorddos

Deletes itself 64 IoCs

Processes:

pid
1559
1569
1573
1574
1577
1580
1606
1611
1614
1617
1621
1626
1629
1635
1634
1638
1641
1644
1647
1650
1653
1656
1659
1662
1665
1668
1671
1674
1679
1680
1683
1688
1689
1693
1695
1698
1703
1706
1709
1712
1715
1718
1721
1726
1727
1730
1733
1736
1739
1743
1745
1748
1751
1754
1757
1760
1763
1766
1769
1772
1775
1778
1781
1786

Executes dropped EXE 64 IoCs

Processes:

mhbrqjdxdppotdkowwcypyaplkexrwapwimmwkubafjvptomjacjfqtjnlhxorvyuscvxepcybhjfrsfmempgrgnufznefzlpdjsntxelvfsgzryfpmsltuzdzwdutfoilvnhvedcoyuccfvionkpqjlvgfanrcuvzyanyxraefwubkknjxpcdbpthwhfcsvpzdorknkymunxtczgorywnihinvpmhvugelabaieahgogvcggpnqdjfrqpmqtzqwauazculwmdsrvqzhpuflpftacmtzesgvyvwzcfzwhbzbmmgetavuxtvzpwebsqjzusnqdrjuagfutqqzbiheduwgndtbagvqpuzlugqqjmwyzrxkfagccqsyjjknsuhlwpbwhfljxkwetykvcpbaamlovwmysnbiqjrzwpqkqhakjceesydhubvuviwrwfkxdopsxpcfrliwrqptubuzcqsrrnmhtqqatrtxiklrhbjdvmzwoppgeuannqdplwiftjdebmhgqirhrdrtvophnsnzszkrlsukgouogdfujgqeufnhhuaieydoyerbxphimqayahpgsmbahsjiqngthasissazaqcmsjdyefxdllevitpggewnqtbrwgwsqlz

ioc	pid	process
/usr/bin/mhbrqjdxdppot	1562	mhbrqjdxdppot
/usr/bin/dkowwcypyap	1567	dkowwcypyap
/usr/bin/lkexrwapwimmwk	1570	lkexrwapwimmwk
/usr/bin/ubafjvptom	1572	ubafjvptom
/usr/bin/jacjfqtjnlh	1576	jacjfqtjnlh
/usr/bin/xorvyuscvx	1579	xorvyuscvx
/usr/bin/epcybhjfrs	1605	epcybhjfrs
/usr/bin/fmempgrg	1610	fmempgrg
/usr/bin/nufznef	1613	nufznef
/usr/bin/zlpdjsntxelvfs	1616	zlpdjsntxelvfs
/usr/bin/gzryfpmsltu	1619	gzryfpmsltu
/usr/bin/zdzwdutfoilvnh	1625	zdzwdutfoilvnh
/usr/bin/vedcoyuccf	1628	vedcoyuccf
/usr/bin/vionkpqjlvgfa	1631	vionkpqjlvgfa
/usr/bin/nrcuvzya	1633	nrcuvzya
/usr/bin/nyxraefw	1637	nyxraefw
/usr/bin/ubkknjxpcdbpt	1640	ubkknjxpcdbpt
/usr/bin/hwhfcsv	1643	hwhfcsv
/usr/bin/pzdorkn	1646	pzdorkn
/usr/bin/kymunxtcz	1649	kymunxtcz
/usr/bin/gorywni	1652	gorywni
/usr/bin/hinvpmh	1655	hinvpmh
/usr/bin/vugelabai	1658	vugelabai
/usr/bin/eahgogvc	1661	eahgogvc
/usr/bin/ggpnqdjfrq	1664	ggpnqdjfrq
/usr/bin/pmqtzqwa	1667	pmqtzqwa
/usr/bin/uazculw	1670	uazculw
/usr/bin/mdsrvqzhpuflpf	1673	mdsrvqzhpuflpf
/usr/bin/tacmtzesgv	1678	tacmtzesgv
/usr/bin/yvwzcfzwhbzbm	1676	yvwzcfzwhbzbm
/usr/bin/mgetavuxtvz	1682	mgetavuxtvz
/usr/bin/pwebsqj	1687	pwebsqj
/usr/bin/zusnqdr	1685	zusnqdr
/usr/bin/juagfutqqzb	1691	juagfutqqzb
/usr/bin/iheduwgndt	1694	iheduwgndt
/usr/bin/bagvqpuzlugqq	1697	bagvqpuzlugqq
/usr/bin/jmwyzrxkf	1702	jmwyzrxkf
/usr/bin/agccqsy	1705	agccqsy
/usr/bin/jjknsuhlwpbwh	1708	jjknsuhlwpbwh
/usr/bin/fljxkwetykvc	1711	fljxkwetykvc
/usr/bin/pbaamlo	1714	pbaamlo
/usr/bin/vwmysn	1717	vwmysn
/usr/bin/biqjrzwpqkqhak	1720	biqjrzwpqkqhak
/usr/bin/jceesydhubvuvi	1723	jceesydhubvuvi
/usr/bin/wrwfkxd	1725	wrwfkxd
/usr/bin/opsxpcfrliwr	1729	opsxpcfrliwr
/usr/bin/qptubuzcqsrrnm	1732	qptubuzcqsrrnm
/usr/bin/htqqatrtxik	1735	htqqatrtxik
/usr/bin/lrhbjdvmzwopp	1738	lrhbjdvmzwopp
/usr/bin/geuannqdplw	1741	geuannqdplw
/usr/bin/iftjdebmh	1744	iftjdebmh
/usr/bin/gqirhrdrtvoph	1747	gqirhrdrtvoph
/usr/bin/nsnzszkr	1750	nsnzszkr
/usr/bin/lsukgouogdf	1753	lsukgouogdf
/usr/bin/ujgqeufn	1756	ujgqeufn
/usr/bin/hhuaie	1759	hhuaie
/usr/bin/ydoyerb	1762	ydoyerb
/usr/bin/xphimqayahpgsm	1765	xphimqayahpgsm
/usr/bin/bahsjiqngt	1768	bahsjiqngt
/usr/bin/hasissaza	1771	hasissaza
/usr/bin/qcmsjdye	1774	qcmsjdye
/usr/bin/fxdlle	1777	fxdlle
/usr/bin/vitpgge	1780	vitpgge
/usr/bin/wnqtbrwgwsqlz	1783	wnqtbrwgwsqlz

Creates a large amount of network flows 1 TTPs
This may indicate a network scan to discover remotely running services.
discovery

Network Service Discovery
T1046
Creates/modifies Cron job 1 TTPs 1 IoCs
Cron allows running tasks on a schedule, and is commonly used for malware persistence.
execution persistence privilege_escalatio

Cron
T1053.003

Processes:

mhbrqjdxdppot

description ioc process

File opened for modification /etc/cron.hourly/toppdxdjqrbhm.sh mhbrqjdxdppot
Modifies init.d 2 TTPs 1 IoCs
Adds/modifies system service, likely for persistence.
persistence

Boot or Logon Autostart Execution
T1547

RC Scripts
T1037.004

Processes:

mhbrqjdxdppot

description ioc process

File opened for modification /etc/init.d/toppdxdjqrbhm mhbrqjdxdppot

description	ioc	process
File opened for modification	/etc/cron.hourly/toppdxdjqrbhm.sh	mhbrqjdxdppot

description	ioc	process
File opened for modification	/etc/init.d/toppdxdjqrbhm	mhbrqjdxdppot

Write file to user bin folder 64 IoCs

persistence

Processes:

mhbrqjdxdppotd5c672e7727b4e57143b3f2032d159c5_JaffaCakes118

description	ioc	process
File opened for modification	/usr/bin/zusnqdr	mhbrqjdxdppot
File opened for modification	/usr/bin/vwmysn	mhbrqjdxdppot
File opened for modification	/usr/bin/hoawedobkybx	mhbrqjdxdppot
File opened for modification	/usr/bin/snrvotdrcgeutw	mhbrqjdxdppot
File opened for modification	/usr/bin/hwhfcsv	mhbrqjdxdppot
File opened for modification	/usr/bin/nujaqthpimftll	mhbrqjdxdppot
File opened for modification	/usr/bin/akvfkrcojc	mhbrqjdxdppot
File opened for modification	/usr/bin/ngnrdzr	mhbrqjdxdppot
File opened for modification	/usr/bin/ubkknjxpcdbpt	mhbrqjdxdppot
File opened for modification	/usr/bin/jceesydhubvuvi	mhbrqjdxdppot
File opened for modification	/usr/bin/agefrqlfnvy	mhbrqjdxdppot
File opened for modification	/usr/bin/kvnadjifslc	mhbrqjdxdppot
File opened for modification	/usr/bin/zfhzwkonlit	mhbrqjdxdppot
File opened for modification	/usr/bin/wqbpcvhxlflg	mhbrqjdxdppot
File opened for modification	/usr/bin/bemkhlxgirfra	mhbrqjdxdppot
File opened for modification	/usr/bin/bagvqpuzlugqq	mhbrqjdxdppot
File opened for modification	/usr/bin/mdsrvqzhpuflpf	mhbrqjdxdppot
File opened for modification	/usr/bin/wnqtbrwgwsqlz	mhbrqjdxdppot
File opened for modification	/usr/bin/yeedsq	mhbrqjdxdppot
File opened for modification	/usr/bin/ajkhsmrfirk	mhbrqjdxdppot
File opened for modification	/usr/bin/lfruyhsuhiw	mhbrqjdxdppot
File opened for modification	/usr/bin/liqclfegoduwp	mhbrqjdxdppot
File opened for modification	/usr/bin/uazculw	mhbrqjdxdppot
File opened for modification	/usr/bin/jmwyzrxkf	mhbrqjdxdppot
File opened for modification	/usr/bin/gqirhrdrtvoph	mhbrqjdxdppot
File opened for modification	/usr/bin/lerywbehn	mhbrqjdxdppot
File opened for modification	/usr/bin/krqmmluhycfxu	mhbrqjdxdppot
File opened for modification	/usr/bin/toppdxdjqrbhm.sh	mhbrqjdxdppot
File opened for modification	/usr/bin/abctsm	mhbrqjdxdppot
File opened for modification	/usr/bin/hxawoe	mhbrqjdxdppot
File opened for modification	/usr/bin/hrcaprkmo	mhbrqjdxdppot
File opened for modification	/usr/bin/xzrguuqvg	mhbrqjdxdppot
File opened for modification	/usr/bin/nyxraefw	mhbrqjdxdppot
File opened for modification	/usr/bin/hkulnxexg	mhbrqjdxdppot
File opened for modification	/usr/bin/kvzzslocgzbchu	mhbrqjdxdppot
File opened for modification	/usr/bin/slgyzssygfcnaw	mhbrqjdxdppot
File opened for modification	/usr/bin/dmgtvmjyawdr	mhbrqjdxdppot
File opened for modification	/usr/bin/kymunxtcz	mhbrqjdxdppot
File opened for modification	/usr/bin/opsxpcfrliwr	mhbrqjdxdppot
File opened for modification	/usr/bin/hasissaza	mhbrqjdxdppot
File opened for modification	/usr/bin/rdcsybkbp	mhbrqjdxdppot
File opened for modification	/usr/bin/lsrvqwmtqbfex	mhbrqjdxdppot
File opened for modification	/usr/bin/xdaqfckofnbf	mhbrqjdxdppot
File opened for modification	/usr/bin/iophxyacpcu	mhbrqjdxdppot
File opened for modification	/usr/bin/pbaamlo	mhbrqjdxdppot
File opened for modification	/usr/bin/lkexrwapwimmwk	mhbrqjdxdppot
File opened for modification	/usr/bin/suywvv	mhbrqjdxdppot
File opened for modification	/usr/bin/bxzntpemcssu	mhbrqjdxdppot
File opened for modification	/usr/bin/hhykjkiniawjjb	mhbrqjdxdppot
File opened for modification	/usr/bin/odzafciblqnrke	mhbrqjdxdppot
File opened for modification	/usr/bin/mhbrqjdxdppot	d5c672e7727b4e57143b3f2032d159c5_JaffaCakes118
File opened for modification	/usr/bin/bllfrnvfwww	mhbrqjdxdppot
File opened for modification	/usr/bin/lrhbjdvmzwopp	mhbrqjdxdppot
File opened for modification	/usr/bin/jlrevjgrvvkhz	mhbrqjdxdppot
File opened for modification	/usr/bin/xxumlcsdcg	mhbrqjdxdppot
File opened for modification	/usr/bin/jgteyitmtpyj	mhbrqjdxdppot
File opened for modification	/usr/bin/jrojeqdnldrrmp	mhbrqjdxdppot
File opened for modification	/usr/bin/fmempgrg	mhbrqjdxdppot
File opened for modification	/usr/bin/bahsjiqngt	mhbrqjdxdppot
File opened for modification	/usr/bin/ttcjhcnlgi	mhbrqjdxdppot
File opened for modification	/usr/bin/nkelxhucuawdv	mhbrqjdxdppot
File opened for modification	/usr/bin/skouqbxcn	mhbrqjdxdppot
File opened for modification	/usr/bin/jhpnvyprzmslz	mhbrqjdxdppot
File opened for modification	/usr/bin/toppdxdjqrbhm	mhbrqjdxdppot

Reads runtime system information 2 IoCs

Reads data from /proc virtual filesystem.

discovery

Processes:

d5c672e7727b4e57143b3f2032d159c5_JaffaCakes118mhbrqjdxdppot

description	ioc	process
File opened for reading	/proc/meminfo	d5c672e7727b4e57143b3f2032d159c5_JaffaCakes118
File opened for reading	/proc/meminfo	mhbrqjdxdppot

Writes file to shm directory 2 IoCs
Malware can drop malicious files in the shm directory which will run directly from RAM.

Processes:

mhbrqjdxdppot

description ioc process

File opened for modification /dev/shm/sem.bemuup mhbrqjdxdppot
File opened for modification /dev/shm/sem.j2PbSl mhbrqjdxdppot

description	ioc	process
File opened for modification	/dev/shm/sem.bemuup	mhbrqjdxdppot
File opened for modification	/dev/shm/sem.j2PbSl	mhbrqjdxdppot

/tmp/d5c672e7727b4e57143b3f2032d159c5_JaffaCakes118
/tmp/d5c672e7727b4e57143b3f2032d159c5_JaffaCakes118
1⤵
- Write file to user bin folder
- Reads runtime system information
PID:1558

/usr/bin/mhbrqjdxdppot
/usr/bin/mhbrqjdxdppot
1⤵
- Executes dropped EXE
- Creates/modifies Cron job
- Modifies init.d
- Write file to user bin folder
- Reads runtime system information
- Writes file to shm directory
PID:1562

/usr/bin/dkowwcypyap
/usr/bin/dkowwcypyap -d 1563
1⤵
- Executes dropped EXE
PID:1567

/usr/bin/lkexrwapwimmwk
/usr/bin/lkexrwapwimmwk -d 1563
1⤵
- Executes dropped EXE
PID:1570

/usr/bin/ubafjvptom
/usr/bin/ubafjvptom -d 1563
1⤵
- Executes dropped EXE
PID:1572

/usr/bin/jacjfqtjnlh
/usr/bin/jacjfqtjnlh -d 1563
1⤵
- Executes dropped EXE
PID:1576

/usr/bin/xorvyuscvx
/usr/bin/xorvyuscvx -d 1563
1⤵
- Executes dropped EXE
PID:1579

/usr/bin/epcybhjfrs
/usr/bin/epcybhjfrs -d 1563
1⤵
- Executes dropped EXE
PID:1605

/usr/bin/fmempgrg
/usr/bin/fmempgrg -d 1563
1⤵
- Executes dropped EXE
PID:1610

/usr/bin/nufznef
/usr/bin/nufznef -d 1563
1⤵
- Executes dropped EXE
PID:1613

/usr/bin/zlpdjsntxelvfs
/usr/bin/zlpdjsntxelvfs -d 1563
1⤵
- Executes dropped EXE
PID:1616

/usr/bin/gzryfpmsltu
/usr/bin/gzryfpmsltu -d 1563
1⤵
- Executes dropped EXE
PID:1619

/usr/bin/zdzwdutfoilvnh
/usr/bin/zdzwdutfoilvnh -d 1563
1⤵
- Executes dropped EXE
PID:1625

/usr/bin/vedcoyuccf
/usr/bin/vedcoyuccf -d 1563
1⤵
- Executes dropped EXE
PID:1628

/usr/bin/vionkpqjlvgfa
/usr/bin/vionkpqjlvgfa -d 1563
1⤵
- Executes dropped EXE
PID:1631

/usr/bin/nrcuvzya
/usr/bin/nrcuvzya -d 1563
1⤵
- Executes dropped EXE
PID:1633

/usr/bin/nyxraefw
/usr/bin/nyxraefw -d 1563
1⤵
- Executes dropped EXE
PID:1637

/usr/bin/ubkknjxpcdbpt
/usr/bin/ubkknjxpcdbpt -d 1563
1⤵
- Executes dropped EXE
PID:1640

/usr/bin/hwhfcsv
/usr/bin/hwhfcsv -d 1563
1⤵
- Executes dropped EXE
PID:1643

/usr/bin/pzdorkn
/usr/bin/pzdorkn -d 1563
1⤵
- Executes dropped EXE
PID:1646

/usr/bin/kymunxtcz
/usr/bin/kymunxtcz -d 1563
1⤵
- Executes dropped EXE
PID:1649

/usr/bin/gorywni
/usr/bin/gorywni -d 1563
1⤵
- Executes dropped EXE
PID:1652

/usr/bin/hinvpmh
/usr/bin/hinvpmh -d 1563
1⤵
- Executes dropped EXE
PID:1655

/usr/bin/vugelabai
/usr/bin/vugelabai -d 1563
1⤵
- Executes dropped EXE
PID:1658

/usr/bin/eahgogvc
/usr/bin/eahgogvc -d 1563
1⤵
- Executes dropped EXE
PID:1661

/usr/bin/ggpnqdjfrq
/usr/bin/ggpnqdjfrq -d 1563
1⤵
- Executes dropped EXE
PID:1664

/usr/bin/pmqtzqwa
/usr/bin/pmqtzqwa -d 1563
1⤵
- Executes dropped EXE
PID:1667

/usr/bin/uazculw
/usr/bin/uazculw -d 1563
1⤵
- Executes dropped EXE
PID:1670

/usr/bin/mdsrvqzhpuflpf
/usr/bin/mdsrvqzhpuflpf -d 1563
1⤵
- Executes dropped EXE
PID:1673

/usr/bin/tacmtzesgv
/usr/bin/tacmtzesgv -d 1563
1⤵
- Executes dropped EXE
PID:1678

/usr/bin/yvwzcfzwhbzbm
/usr/bin/yvwzcfzwhbzbm -d 1563
1⤵
- Executes dropped EXE
PID:1676

/usr/bin/mgetavuxtvz
/usr/bin/mgetavuxtvz -d 1563
1⤵
- Executes dropped EXE
PID:1682

/usr/bin/pwebsqj
/usr/bin/pwebsqj -d 1563
1⤵
- Executes dropped EXE
PID:1687

/usr/bin/zusnqdr
/usr/bin/zusnqdr -d 1563
1⤵
- Executes dropped EXE
PID:1685

/usr/bin/juagfutqqzb
/usr/bin/juagfutqqzb -d 1563
1⤵
- Executes dropped EXE
PID:1691

/usr/bin/iheduwgndt
/usr/bin/iheduwgndt -d 1563
1⤵
- Executes dropped EXE
PID:1694

/usr/bin/bagvqpuzlugqq
/usr/bin/bagvqpuzlugqq -d 1563
1⤵
- Executes dropped EXE
PID:1697

/usr/bin/jmwyzrxkf
/usr/bin/jmwyzrxkf -d 1563
1⤵
- Executes dropped EXE
PID:1702

/usr/bin/agccqsy
/usr/bin/agccqsy -d 1563
1⤵
- Executes dropped EXE
PID:1705

/usr/bin/jjknsuhlwpbwh
/usr/bin/jjknsuhlwpbwh -d 1563
1⤵
- Executes dropped EXE
PID:1708

/usr/bin/fljxkwetykvc
/usr/bin/fljxkwetykvc -d 1563
1⤵
- Executes dropped EXE
PID:1711

/usr/bin/pbaamlo
/usr/bin/pbaamlo -d 1563
1⤵
- Executes dropped EXE
PID:1714

/usr/bin/vwmysn
/usr/bin/vwmysn -d 1563
1⤵
- Executes dropped EXE
PID:1717

/usr/bin/biqjrzwpqkqhak
/usr/bin/biqjrzwpqkqhak -d 1563
1⤵
- Executes dropped EXE
PID:1720

/usr/bin/jceesydhubvuvi
/usr/bin/jceesydhubvuvi -d 1563
1⤵
- Executes dropped EXE
PID:1723

/usr/bin/wrwfkxd
/usr/bin/wrwfkxd -d 1563
1⤵
- Executes dropped EXE
PID:1725

/usr/bin/opsxpcfrliwr
/usr/bin/opsxpcfrliwr -d 1563
1⤵
- Executes dropped EXE
PID:1729

/usr/bin/qptubuzcqsrrnm
/usr/bin/qptubuzcqsrrnm -d 1563
1⤵
- Executes dropped EXE
PID:1732

/usr/bin/htqqatrtxik
/usr/bin/htqqatrtxik -d 1563
1⤵
- Executes dropped EXE
PID:1735

/usr/bin/lrhbjdvmzwopp
/usr/bin/lrhbjdvmzwopp -d 1563
1⤵
- Executes dropped EXE
PID:1738

/usr/bin/geuannqdplw
/usr/bin/geuannqdplw -d 1563
1⤵
- Executes dropped EXE
PID:1741

/usr/bin/iftjdebmh
/usr/bin/iftjdebmh -d 1563
1⤵
- Executes dropped EXE
PID:1744

/usr/bin/gqirhrdrtvoph
/usr/bin/gqirhrdrtvoph -d 1563
1⤵
- Executes dropped EXE
PID:1747

/usr/bin/nsnzszkr
/usr/bin/nsnzszkr -d 1563
1⤵
- Executes dropped EXE
PID:1750

/usr/bin/lsukgouogdf
/usr/bin/lsukgouogdf -d 1563
1⤵
- Executes dropped EXE
PID:1753

/usr/bin/ujgqeufn
/usr/bin/ujgqeufn -d 1563
1⤵
- Executes dropped EXE
PID:1756

/usr/bin/hhuaie
/usr/bin/hhuaie -d 1563
1⤵
- Executes dropped EXE
PID:1759

/usr/bin/ydoyerb
/usr/bin/ydoyerb -d 1563
1⤵
- Executes dropped EXE
PID:1762

/usr/bin/xphimqayahpgsm
/usr/bin/xphimqayahpgsm -d 1563
1⤵
- Executes dropped EXE
PID:1765

/usr/bin/bahsjiqngt
/usr/bin/bahsjiqngt -d 1563
1⤵
- Executes dropped EXE
PID:1768

/usr/bin/hasissaza
/usr/bin/hasissaza -d 1563
1⤵
- Executes dropped EXE
PID:1771

/usr/bin/qcmsjdye
/usr/bin/qcmsjdye -d 1563
1⤵
- Executes dropped EXE
PID:1774

/usr/bin/fxdlle
/usr/bin/fxdlle -d 1563
1⤵
- Executes dropped EXE
PID:1777

/usr/bin/vitpgge
/usr/bin/vitpgge -d 1563
1⤵
- Executes dropped EXE
PID:1780

/usr/bin/wnqtbrwgwsqlz
/usr/bin/wnqtbrwgwsqlz -d 1563
1⤵
- Executes dropped EXE
PID:1783

/usr/bin/agefrqlfnvy
/usr/bin/agefrqlfnvy -d 1563
1⤵
PID:1785

/usr/bin/cgjjhfwzyx
/usr/bin/cgjjhfwzyx -d 1563
1⤵
PID:1789

/usr/bin/abctsm
/usr/bin/abctsm -d 1563
1⤵
PID:1792

/usr/bin/yeedsq
/usr/bin/yeedsq -d 1563
1⤵
PID:1795

/usr/bin/hkulnxexg
/usr/bin/hkulnxexg -d 1563
1⤵
PID:1798

/usr/bin/gzqvyly
/usr/bin/gzqvyly -d 1563
1⤵
PID:1801

/usr/bin/ttcjhcnlgi
/usr/bin/ttcjhcnlgi -d 1563
1⤵
PID:1804

/usr/bin/nzeuitdpgrv
/usr/bin/nzeuitdpgrv -d 1563
1⤵
PID:1807

/usr/bin/cjdnet
/usr/bin/cjdnet -d 1563
1⤵
PID:1810

/usr/bin/uuzuupwu
/usr/bin/uuzuupwu -d 1563
1⤵
PID:1813

/usr/bin/oalphhyc
/usr/bin/oalphhyc -d 1563
1⤵
PID:1816

/usr/bin/nkelxhucuawdv
/usr/bin/nkelxhucuawdv -d 1563
1⤵
PID:1819

/usr/bin/tlkvlqlyragwni
/usr/bin/tlkvlqlyragwni -d 1563
1⤵
PID:1824

/usr/bin/kvzzslocgzbchu
/usr/bin/kvzzslocgzbchu -d 1563
1⤵
PID:1822

/usr/bin/zulatf
/usr/bin/zulatf -d 1563
1⤵
PID:1828

/usr/bin/isljwsfbnqlld
/usr/bin/isljwsfbnqlld -d 1563
1⤵
PID:1831

/usr/bin/wbwwks
/usr/bin/wbwwks -d 1563
1⤵
PID:1834

/usr/bin/kvnadjifslc
/usr/bin/kvnadjifslc -d 1563
1⤵
PID:1837

/usr/bin/oikszgysiqcu
/usr/bin/oikszgysiqcu -d 1563
1⤵
PID:1840

/usr/bin/ptkbawynyb
/usr/bin/ptkbawynyb -d 1563
1⤵
PID:1843

/usr/bin/ggqriaszk
/usr/bin/ggqriaszk -d 1563
1⤵
PID:1845

/usr/bin/jlrevjgrvvkhz
/usr/bin/jlrevjgrvvkhz -d 1563
1⤵
PID:1849

/usr/bin/xwfkbdup
/usr/bin/xwfkbdup -d 1563
1⤵
PID:1852

/usr/bin/hxawoe
/usr/bin/hxawoe -d 1563
1⤵
PID:1855

/usr/bin/xxumlcsdcg
/usr/bin/xxumlcsdcg -d 1563
1⤵
PID:1858

/usr/bin/fngdbmxbjtn
/usr/bin/fngdbmxbjtn -d 1563
1⤵
PID:1863

/usr/bin/sfdpeichnyy
/usr/bin/sfdpeichnyy -d 1563
1⤵
PID:1861

/usr/bin/nujaqthpimftll
/usr/bin/nujaqthpimftll -d 1563
1⤵
PID:1867

/usr/bin/lerywbehn
/usr/bin/lerywbehn -d 1563
1⤵
PID:1870

/usr/bin/onfimsc
/usr/bin/onfimsc -d 1563
1⤵
PID:1873

/usr/bin/vuqcjboou
/usr/bin/vuqcjboou -d 1563
1⤵
PID:1876

/usr/bin/icomtm
/usr/bin/icomtm -d 1563
1⤵
PID:1879

/usr/bin/ivqmxhktkbnalu
/usr/bin/ivqmxhktkbnalu -d 1563
1⤵
PID:1882

/usr/bin/seotfozopzyi
/usr/bin/seotfozopzyi -d 1563
1⤵
PID:1885

/usr/bin/npbjfnipzcz
/usr/bin/npbjfnipzcz -d 1563
1⤵
PID:1888

/usr/bin/rzlmkds
/usr/bin/rzlmkds -d 1563
1⤵
PID:1891

/usr/bin/wzpypgzopbeeqf
/usr/bin/wzpypgzopbeeqf -d 1563
1⤵
PID:1893

/usr/bin/hscdarmnsmwcg
/usr/bin/hscdarmnsmwcg -d 1563
1⤵
PID:1897

/usr/bin/ajkhsmrfirk
/usr/bin/ajkhsmrfirk -d 1563
1⤵
PID:1899

/usr/bin/ihvidedghdz
/usr/bin/ihvidedghdz -d 1563
1⤵
PID:1903

/usr/bin/skouqbxcn
/usr/bin/skouqbxcn -d 1563
1⤵
PID:1905

/usr/bin/uaxbkpnuzu
/usr/bin/uaxbkpnuzu -d 1563
1⤵
PID:1909

/usr/bin/jgteyitmtpyj
/usr/bin/jgteyitmtpyj -d 1563
1⤵
PID:1912

/usr/bin/luxgrw
/usr/bin/luxgrw -d 1563
1⤵
PID:1915

/usr/bin/hrcaprkmo
/usr/bin/hrcaprkmo -d 1563
1⤵
PID:1918

/usr/bin/yrccslxgg
/usr/bin/yrccslxgg -d 1563
1⤵
PID:1921

/usr/bin/eraslza
/usr/bin/eraslza -d 1563
1⤵
PID:1924

/usr/bin/rdcsybkbp
/usr/bin/rdcsybkbp -d 1563
1⤵
PID:1927

/usr/bin/vwqjrdi
/usr/bin/vwqjrdi -d 1563
1⤵
PID:1930

/usr/bin/lggkqwsxo
/usr/bin/lggkqwsxo -d 1563
1⤵
PID:1933

/usr/bin/bfrejjclufcjs
/usr/bin/bfrejjclufcjs -d 1563
1⤵
PID:1936

/usr/bin/jjymrxzzdkr
/usr/bin/jjymrxzzdkr -d 1563
1⤵
PID:1939

/usr/bin/slgyzssygfcnaw
/usr/bin/slgyzssygfcnaw -d 1563
1⤵
PID:1942

/usr/bin/nagkbte
/usr/bin/nagkbte -d 1563
1⤵
PID:1945

/usr/bin/krqmmluhycfxu
/usr/bin/krqmmluhycfxu -d 1563
1⤵
PID:1948

/usr/bin/waeapgwwlmy
/usr/bin/waeapgwwlmy -d 1563
1⤵
PID:1951

/usr/bin/bocnzufngqjp
/usr/bin/bocnzufngqjp -d 1563
1⤵
PID:1954

/usr/bin/lfruyhsuhiw
/usr/bin/lfruyhsuhiw -d 1563
1⤵
PID:1957

/usr/bin/mekedfsxbtrqwr
/usr/bin/mekedfsxbtrqwr -d 1563
1⤵
PID:1960

/usr/bin/uaahgsbgbt
/usr/bin/uaahgsbgbt -d 1563
1⤵
PID:1963

/usr/bin/idzmflsrpyxkva
/usr/bin/idzmflsrpyxkva -d 1563
1⤵
PID:1965

/usr/bin/qbgwvgxcop
/usr/bin/qbgwvgxcop -d 1563
1⤵
PID:1969

/usr/bin/zfhzwkonlit
/usr/bin/zfhzwkonlit -d 1563
1⤵
PID:1972

/usr/bin/jxpjstktqocyvt
/usr/bin/jxpjstktqocyvt -d 1563
1⤵
PID:1975

/usr/bin/isyjxhlw
/usr/bin/isyjxhlw -d 1563
1⤵
PID:1978

/usr/bin/suywvv
/usr/bin/suywvv -d 1563
1⤵
PID:1983

/usr/bin/zjfjfgtofizz
/usr/bin/zjfjfgtofizz -d 1563
1⤵
PID:1981

/usr/bin/lsrvqwmtqbfex
/usr/bin/lsrvqwmtqbfex -d 1563
1⤵
PID:1987

/usr/bin/kzyinstnxtgi
/usr/bin/kzyinstnxtgi -d 1563
1⤵
PID:1989

/usr/bin/wqbpcvhxlflg
/usr/bin/wqbpcvhxlflg -d 1563
1⤵
PID:1993

/usr/bin/lbmmolkwyeslbl
/usr/bin/lbmmolkwyeslbl -d 1563
1⤵
PID:1996

/usr/bin/liqclfegoduwp
/usr/bin/liqclfegoduwp -d 1563
1⤵
PID:1999

/usr/bin/xdaqfckofnbf
/usr/bin/xdaqfckofnbf -d 1563
1⤵
PID:2005

/usr/bin/pttjtortn
/usr/bin/pttjtortn -d 1563
1⤵
PID:2008

/usr/bin/sxwatjntm
/usr/bin/sxwatjntm -d 1563
1⤵
PID:2010

/usr/bin/jupvkwjme
/usr/bin/jupvkwjme -d 1563
1⤵
PID:2014

/usr/bin/bxzntpemcssu
/usr/bin/bxzntpemcssu -d 1563
1⤵
PID:2017

/usr/bin/oqmlrxiddnoaqx
/usr/bin/oqmlrxiddnoaqx -d 1563
1⤵
PID:2020

/usr/bin/akvfkrcojc
/usr/bin/akvfkrcojc -d 1563
1⤵
PID:2023

/usr/bin/bxyklryw
/usr/bin/bxyklryw -d 1563
1⤵
PID:2026

/usr/bin/hoawedobkybx
/usr/bin/hoawedobkybx -d 1563
1⤵
PID:2029

/usr/bin/jhpnvyprzmslz
/usr/bin/jhpnvyprzmslz -d 1563
1⤵
PID:2032

/usr/bin/ynzuhtadggyrvq
/usr/bin/ynzuhtadggyrvq -d 1563
1⤵
PID:2035

/usr/bin/bbkyevrhbhf
/usr/bin/bbkyevrhbhf -d 1563
1⤵
PID:2038

/usr/bin/jrojeqdnldrrmp
/usr/bin/jrojeqdnldrrmp -d 1563
1⤵
PID:2040

/usr/bin/hhykjkiniawjjb
/usr/bin/hhykjkiniawjjb -d 1563
1⤵
PID:2044

/usr/bin/dmgtvmjyawdr
/usr/bin/dmgtvmjyawdr -d 1563
1⤵
PID:2047

/usr/bin/cazhin
/usr/bin/cazhin -d 1563
1⤵
PID:2050

/usr/bin/bemkhlxgirfra
/usr/bin/bemkhlxgirfra -d 1563
1⤵
PID:2053

/usr/bin/ngnrdzr
/usr/bin/ngnrdzr -d 1563
1⤵
PID:2055

/usr/bin/iwykfixbqy
/usr/bin/iwykfixbqy -d 1563
1⤵
PID:2059

/usr/bin/iophxyacpcu
/usr/bin/iophxyacpcu -d 1563
1⤵
PID:2062

/usr/bin/gsuvgsufmhwjt
/usr/bin/gsuvgsufmhwjt -d 1563
1⤵
PID:2065

/usr/bin/iakagercg
/usr/bin/iakagercg -d 1563
1⤵
PID:2068

/usr/bin/olharluzgqvml
/usr/bin/olharluzgqvml -d 1563
1⤵
PID:2071

/usr/bin/xzrguuqvg
/usr/bin/xzrguuqvg -d 1563
1⤵
PID:2074

/usr/bin/bllfrnvfwww
/usr/bin/bllfrnvfwww -d 1563
1⤵
PID:2077

/usr/bin/odzafciblqnrke
/usr/bin/odzafciblqnrke -d 1563
1⤵
PID:2080

/usr/bin/gfvtemdeviwn
/usr/bin/gfvtemdeviwn -d 1563
1⤵
PID:2083

/usr/bin/snrvotdrcgeutw
/usr/bin/snrvotdrcgeutw -d 1563
1⤵
PID:2086

/usr/bin/yqldnghzj
/usr/bin/yqldnghzj -d 1563
1⤵
PID:2089

/usr/bin/wrlkgoetfckafd
/usr/bin/wrlkgoetfckafd -d 1563
1⤵
PID:2092

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

1

T1053

Cron

1

T1053.003

Persistence

Boot or Logon Autostart Execution

1

T1547

Boot or Logon Initialization Scripts

1

T1037

RC Scripts

1

T1037.004

Scheduled Task/Job

1

T1053

Cron

1

T1053.003

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Boot or Logon Initialization Scripts

1

T1037

RC Scripts

1

T1037.004

Scheduled Task/Job

1

T1053

Cron

1

T1053.003

Defense Evasion

Credential Access

Discovery

Network Service Discovery

1

T1046

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

/dev/shm/sem.j2PbSl

Filesize
16B

MD5
076933ff9904d1110d896e2c525e39e5

SHA1
4188442577fa77f25820d9b2d01cc446e30684ac

SHA256
4cbbd8ca5215b8d161aec181a74b694f4e24b001d5b081dc0030ed797a8973e0

SHA512
6fcee9a7b7a7b821d241c03c82377928bc6882e7a08c78a4221199bfa220cdc55212273018ee613317c8293bb8d1ce08d1e017508e94e06ab85a734c99c7cc34

Download Submit
/etc/cron.hourly/toppdxdjqrbhm.sh

Filesize
162B

MD5
f58a0e5e9b3c81b6993aec0624c64d2d

SHA1
19101e140135d987d0cfdc00f32be8d607e91eb9

SHA256
29f584ff3806f0fdadadca5f9191bb95e498819c32ab24032c09abcfa534ce4d

SHA512
2a449e6086c482110fd9f448a925b0a593ba8a57c59be845060dace47218cfad04003d2694b8d651817b011b0fdb78fa698657e169a7b5f1a26126464a278102

Download Submit
/etc/daemon.cfg

Filesize
32B

MD5
f16c262c8187b74e3fd3c796b4458ff5

SHA1
cbdd04f00a0b7287723b602522a94adb65821635

SHA256
29b03009151905ec35ac50f4ddc67f4143994b6fc655ca54e0d8970ae7ff3fb9

SHA512
2ad1bac8d410d8fd776a510e0cae933c6f78e6c306877369b621ba10e19287fc0e788f77a244a13737b0e028ac5ca1deca6e3c83cf259b1d38cbc274840fde1d

Download Submit
/etc/init.d/toppdxdjqrbhm

Filesize
361B

MD5
2e690d9beced0534b437866df327595e

SHA1
eff88299029f2733f2d4bb2671e2ed655def338f

SHA256
6dbdae8af18758e1c9abf5387aa6fbd4a6e92acdbbc26df5f0cff96bddbf88a3

SHA512
295dc358efd026ef8b5a974fcbb8bdc4c2219db15f35deb6d767a06f6f863caa5ab3f9dc057829ed7ed14d4e9118e67e54492ca03ab80f679c23da6fd25c1eb2

Download Submit
/usr/bin/mhbrqjdxdppot

Filesize
544KB

MD5
a13cf6d0147518574769d33139431507

SHA1
dcbe15099c100cc1fb086a67d0712953eb98d051

SHA256
65739306a91ecd654bccf2a56ae51006ccd8eaf0e9faa6143b32d82806105ec6

SHA512
9081a05e7d67b4538f3ebc3bddddaed1fdaed828171977f2c8f1cc72f4c1b52bc2a1753f850b920aba158ad74b7cb52af7f7cd18641fa53f9c2c90503273d680

Download Submit

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads