xorddos | 76741721aede86e5d9a78da5dd349cc7f418a993eba77457c00b27aa627f9882

Analysis

max time kernel
149s
max time network
147s
platform
ubuntu-20.04_amd64
resource
ubuntu2004-amd64-20240508-en
resource tags

arch:amd64arch:i386image:ubuntu2004-amd64-20240508-enkernel:5.4.0-169-genericlocale:en-usos:ubuntu-20.04-amd64system
submitted
25/11/2024, 18:44

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

76741721aede86e5d9a78da5dd349cc7f418a993eba77457c00b27aa627f9882
Size

549KB
MD5

455b46bf3f93b8853137de2b99ef0f4c
SHA1

99387d92aee1ad50c8af0a5192f651ad8021d1d4
SHA256

76741721aede86e5d9a78da5dd349cc7f418a993eba77457c00b27aa627f9882
SHA512

a43cc62e55da2d23f2f57bffc3e2f3e406e41b0e1ba24b38d274a12e25d87d005f89f03e98c4fbf91622b75a4009c38033ea9d74316696469d26f9ea3a3237fa
SSDEEP

12288:VeRvuKqiVZ4En5drNK0pPEfJKlHZ8mG97Qxee6yzmx6:VIv/qiVNHNDEfJKHZ8mG9QeeO6

Score

10^/10

xorddos botnet discovery downloader execution persistence privilege_escalatio

Malware Config

Extracted

Family

xorddos

bb.markerbio.com:13307

bb.myserv012.com:13307

http://qq.com/lib.asp

Attributes

crc_polynomial
CDB88320

xor.plain

Signatures

XorDDoS
Botnet and downloader malware targeting Linux-based operating systems and IoT devices.
botnet downloader xorddos

XorDDoS payload 1 IoCs

resource	yara_rule
behavioral1/files/fstream-3.dat	family_xorddos

Xorddos family
xorddos

Deletes itself 64 IoCs

pid	Process
1425	uyekwwmwesz
1428	spixfm
1431	qbnmpuai
1434	ovhhuxagiv
1437	xwnzoe
1480	kwraxeom
1485	iucwymkiibi
1486	pwpfrwoluouemf
1489	iztjopytixiv
1492	ypxkub
1495	nhzwxowqwt
1500	jiwhjbr
1501	smzhkjeleuq
1506	daoqeiizssy
1507	qyrmxglneeqyrp
1510	czsuqsleptr
1513	awuapliumyks
1516	uuznscpruljo
1519	qduhhufeuupfqd
1522	aymvsn
1525	kpbdlmpzkfceom
1530	qpbrumdjmqqq
1531	uqxqhehnjjlwgf
1534	fczbuwr
1537	carlkcjq
1542	wwunuz
1543	vhywaskg
1548	tamruqtuhhglsx
1549	nguliowo
1552	umnhho
1555	crnwldrhmy
1558	ztnvgvrudf
1561	uakgnupbvssi
1564	fnhnbidc
1567	qzhnqbsxtmx
1587	vmakqx
1590	ifuqucdvkizlay
1593	nqyfntun
1596	pzbzpyeafaqzev
1599	odxbdv
1604	puihtojaozc
1605	slwxbrrqr
1608	wajbynetlwh
1611	vkapatxpoh
1614	jvhlminhgoshmh
1617	hsjodhygwyzv
1620	pdqaaam
1623	izxppqy
1628	sudjvfjjwtitky
1629	zmjsxzxeadcaf
1632	jblvmfsmczoi
1635	onbhjgsgmb
1638	iuadhypq
1641	cnohhclgqvkekl
1644	wsfcgiuqfu
1647	mukevorjxynjh
1650	grkrezny
1653	renlwsfsgbekx
1658	biqcwbl
1659	kenbinq
1662	uhnjvmeceke
1667	cnclhmyrhmv
1668	vbdylwcjznljra
1671	qhpdcsidee

Executes dropped EXE 64 IoCs

ioc	pid	Process
/usr/bin/uyekwwmwesz	1424	uyekwwmwesz
/usr/bin/spixfm	1427	spixfm
/usr/bin/qbnmpuai	1430	qbnmpuai
/usr/bin/ovhhuxagiv	1433	ovhhuxagiv
/usr/bin/xwnzoe	1436	xwnzoe
/usr/bin/kwraxeom	1479	kwraxeom
/usr/bin/iucwymkiibi	1484	iucwymkiibi
/usr/bin/pwpfrwoluouemf	1482	pwpfrwoluouemf
/usr/bin/iztjopytixiv	1488	iztjopytixiv
/usr/bin/ypxkub	1491	ypxkub
/usr/bin/nhzwxowqwt	1494	nhzwxowqwt
/usr/bin/jiwhjbr	1499	jiwhjbr
/usr/bin/smzhkjeleuq	1497	smzhkjeleuq
/usr/bin/daoqeiizssy	1505	daoqeiizssy
/usr/bin/qyrmxglneeqyrp	1503	qyrmxglneeqyrp
/usr/bin/czsuqsleptr	1509	czsuqsleptr
/usr/bin/awuapliumyks	1512	awuapliumyks
/usr/bin/uuznscpruljo	1515	uuznscpruljo
/usr/bin/qduhhufeuupfqd	1518	qduhhufeuupfqd
/usr/bin/aymvsn	1521	aymvsn
/usr/bin/kpbdlmpzkfceom	1524	kpbdlmpzkfceom
/usr/bin/qpbrumdjmqqq	1529	qpbrumdjmqqq
/usr/bin/uqxqhehnjjlwgf	1527	uqxqhehnjjlwgf
/usr/bin/fczbuwr	1533	fczbuwr
/usr/bin/carlkcjq	1536	carlkcjq
/usr/bin/vhywaskg	1539	vhywaskg
/usr/bin/wwunuz	1541	wwunuz
/usr/bin/tamruqtuhhglsx	1545	tamruqtuhhglsx
/usr/bin/nguliowo	1547	nguliowo
/usr/bin/umnhho	1551	umnhho
/usr/bin/crnwldrhmy	1554	crnwldrhmy
/usr/bin/ztnvgvrudf	1557	ztnvgvrudf
/usr/bin/uakgnupbvssi	1560	uakgnupbvssi
/usr/bin/fnhnbidc	1563	fnhnbidc
/usr/bin/qzhnqbsxtmx	1566	qzhnqbsxtmx
/usr/bin/vmakqx	1586	vmakqx
/usr/bin/ifuqucdvkizlay	1589	ifuqucdvkizlay
/usr/bin/nqyfntun	1592	nqyfntun
/usr/bin/pzbzpyeafaqzev	1595	pzbzpyeafaqzev
/usr/bin/odxbdv	1598	odxbdv
/usr/bin/slwxbrrqr	1601	slwxbrrqr
/usr/bin/puihtojaozc	1603	puihtojaozc
/usr/bin/wajbynetlwh	1607	wajbynetlwh
/usr/bin/vkapatxpoh	1610	vkapatxpoh
/usr/bin/jvhlminhgoshmh	1613	jvhlminhgoshmh
/usr/bin/hsjodhygwyzv	1616	hsjodhygwyzv
/usr/bin/pdqaaam	1619	pdqaaam
/usr/bin/izxppqy	1622	izxppqy
/usr/bin/zmjsxzxeadcaf	1625	zmjsxzxeadcaf
/usr/bin/sudjvfjjwtitky	1627	sudjvfjjwtitky
/usr/bin/jblvmfsmczoi	1631	jblvmfsmczoi
/usr/bin/onbhjgsgmb	1634	onbhjgsgmb
/usr/bin/iuadhypq	1637	iuadhypq
/usr/bin/cnohhclgqvkekl	1640	cnohhclgqvkekl
/usr/bin/wsfcgiuqfu	1643	wsfcgiuqfu
/usr/bin/mukevorjxynjh	1646	mukevorjxynjh
/usr/bin/grkrezny	1649	grkrezny
/usr/bin/renlwsfsgbekx	1652	renlwsfsgbekx
/usr/bin/biqcwbl	1655	biqcwbl
/usr/bin/kenbinq	1657	kenbinq
/usr/bin/uhnjvmeceke	1661	uhnjvmeceke
/usr/bin/cnclhmyrhmv	1666	cnclhmyrhmv
/usr/bin/vbdylwcjznljra	1664	vbdylwcjznljra
/usr/bin/qhpdcsidee	1670	qhpdcsidee

Creates/modifies Cron job 1 TTPs 1 IoCs

Cron allows running tasks on a schedule, and is commonly used for malware persistence.

execution persistence privilege_escalatio

Cron

T1053.003

description	ioc	Process
File opened for modification	/etc/cron.hourly/2889f726aa72b00c75477abe399a814f7cc943dd5ad87a9d5e68edea12714767.sh	76741721aede86e5d9a78da5dd349cc7f418a993eba77457c00b27aa627f9882

Enumerates active TCP sockets 1 TTPs 1 IoCs

Gets active TCP sockets from /proc virtual filesystem.

discovery

System Network Connections Discovery

T1049

description	ioc	Process
File opened for reading	/proc/net/tcp	76741721aede86e5d9a78da5dd349cc7f418a993eba77457c00b27aa627f9882

Enumerates running processes
Discovers information about currently running processes on the system

Modifies init.d 2 TTPs 1 IoCs

Adds/modifies system service, likely for persistence.

persistence

Boot or Logon Autostart Execution

T1547

RC Scripts

T1037.004

description	ioc	Process
File opened for modification	/etc/init.d/2889f726aa72b00c75477abe399a814f7cc943dd5ad87a9d5e68edea12714767	76741721aede86e5d9a78da5dd349cc7f418a993eba77457c00b27aa627f9882

Write file to user bin folder 64 IoCs

persistence

description	ioc	Process
File opened for modification	/usr/bin/iuadhypq	76741721aede86e5d9a78da5dd349cc7f418a993eba77457c00b27aa627f9882
File opened for modification	/usr/bin/kcldomuuutbqm	76741721aede86e5d9a78da5dd349cc7f418a993eba77457c00b27aa627f9882
File opened for modification	/usr/bin/zuqwou	76741721aede86e5d9a78da5dd349cc7f418a993eba77457c00b27aa627f9882
File opened for modification	/usr/bin/krgfvl	76741721aede86e5d9a78da5dd349cc7f418a993eba77457c00b27aa627f9882
File opened for modification	/usr/bin/ovhhuxagiv	76741721aede86e5d9a78da5dd349cc7f418a993eba77457c00b27aa627f9882
File opened for modification	/usr/bin/wwunuz	76741721aede86e5d9a78da5dd349cc7f418a993eba77457c00b27aa627f9882
File opened for modification	/usr/bin/zmjsxzxeadcaf	76741721aede86e5d9a78da5dd349cc7f418a993eba77457c00b27aa627f9882
File opened for modification	/usr/bin/carlkcjq	76741721aede86e5d9a78da5dd349cc7f418a993eba77457c00b27aa627f9882
File opened for modification	/usr/bin/fczbuwr	76741721aede86e5d9a78da5dd349cc7f418a993eba77457c00b27aa627f9882
File opened for modification	/usr/bin/nqyfntun	76741721aede86e5d9a78da5dd349cc7f418a993eba77457c00b27aa627f9882
File opened for modification	/usr/bin/uuugkt	76741721aede86e5d9a78da5dd349cc7f418a993eba77457c00b27aa627f9882
File opened for modification	/usr/bin/zfbzwablrfrlx	76741721aede86e5d9a78da5dd349cc7f418a993eba77457c00b27aa627f9882
File opened for modification	/usr/bin/fgtxtrae	76741721aede86e5d9a78da5dd349cc7f418a993eba77457c00b27aa627f9882
File opened for modification	/usr/bin/uyekwwmwesz	76741721aede86e5d9a78da5dd349cc7f418a993eba77457c00b27aa627f9882
File opened for modification	/usr/bin/ybpenl	76741721aede86e5d9a78da5dd349cc7f418a993eba77457c00b27aa627f9882
File opened for modification	/usr/bin/pzmbynaeqovhtb	76741721aede86e5d9a78da5dd349cc7f418a993eba77457c00b27aa627f9882
File opened for modification	/usr/bin/iztjopytixiv	76741721aede86e5d9a78da5dd349cc7f418a993eba77457c00b27aa627f9882
File opened for modification	/usr/bin/daoqeiizssy	76741721aede86e5d9a78da5dd349cc7f418a993eba77457c00b27aa627f9882
File opened for modification	/usr/bin/wajbynetlwh	76741721aede86e5d9a78da5dd349cc7f418a993eba77457c00b27aa627f9882
File opened for modification	/usr/bin/uqnyjtozkxzs	76741721aede86e5d9a78da5dd349cc7f418a993eba77457c00b27aa627f9882
File opened for modification	/usr/bin/hqccjkup	76741721aede86e5d9a78da5dd349cc7f418a993eba77457c00b27aa627f9882
File opened for modification	/usr/bin/npywkfqlkomlug	76741721aede86e5d9a78da5dd349cc7f418a993eba77457c00b27aa627f9882
File opened for modification	/usr/bin/iucwymkiibi	76741721aede86e5d9a78da5dd349cc7f418a993eba77457c00b27aa627f9882
File opened for modification	/usr/bin/grkrezny	76741721aede86e5d9a78da5dd349cc7f418a993eba77457c00b27aa627f9882
File opened for modification	/usr/bin/geozlcgfjyh	76741721aede86e5d9a78da5dd349cc7f418a993eba77457c00b27aa627f9882
File opened for modification	/usr/bin/sjdutmxyxgdop	76741721aede86e5d9a78da5dd349cc7f418a993eba77457c00b27aa627f9882
File opened for modification	/usr/bin/jblvmfsmczoi	76741721aede86e5d9a78da5dd349cc7f418a993eba77457c00b27aa627f9882
File opened for modification	/usr/bin/czsuqsleptr	76741721aede86e5d9a78da5dd349cc7f418a993eba77457c00b27aa627f9882
File opened for modification	/usr/bin/pzbzpyeafaqzev	76741721aede86e5d9a78da5dd349cc7f418a993eba77457c00b27aa627f9882
File opened for modification	/usr/bin/camtrc	76741721aede86e5d9a78da5dd349cc7f418a993eba77457c00b27aa627f9882
File opened for modification	/usr/bin/pkivalnjrnpjy	76741721aede86e5d9a78da5dd349cc7f418a993eba77457c00b27aa627f9882
File opened for modification	/usr/bin/jiwhjbr	76741721aede86e5d9a78da5dd349cc7f418a993eba77457c00b27aa627f9882
File opened for modification	/usr/bin/huvokycwxenhy	76741721aede86e5d9a78da5dd349cc7f418a993eba77457c00b27aa627f9882
File opened for modification	/usr/bin/dlqwmwou	76741721aede86e5d9a78da5dd349cc7f418a993eba77457c00b27aa627f9882
File opened for modification	/usr/bin/imwrfanabozely	76741721aede86e5d9a78da5dd349cc7f418a993eba77457c00b27aa627f9882
File opened for modification	/usr/bin/cnclhmyrhmv	76741721aede86e5d9a78da5dd349cc7f418a993eba77457c00b27aa627f9882
File opened for modification	/usr/bin/nguliowo	76741721aede86e5d9a78da5dd349cc7f418a993eba77457c00b27aa627f9882
File opened for modification	/usr/bin/renlwsfsgbekx	76741721aede86e5d9a78da5dd349cc7f418a993eba77457c00b27aa627f9882
File opened for modification	/usr/bin/ryvkop	76741721aede86e5d9a78da5dd349cc7f418a993eba77457c00b27aa627f9882
File opened for modification	/usr/bin/ermrhdzusba	76741721aede86e5d9a78da5dd349cc7f418a993eba77457c00b27aa627f9882
File opened for modification	/usr/bin/omgzgo	76741721aede86e5d9a78da5dd349cc7f418a993eba77457c00b27aa627f9882
File opened for modification	/usr/bin/yluccbkqzu	76741721aede86e5d9a78da5dd349cc7f418a993eba77457c00b27aa627f9882
File opened for modification	/usr/bin/pwpfrwoluouemf	76741721aede86e5d9a78da5dd349cc7f418a993eba77457c00b27aa627f9882
File opened for modification	/usr/bin/jxgmczuffbmuh	76741721aede86e5d9a78da5dd349cc7f418a993eba77457c00b27aa627f9882
File opened for modification	/usr/bin/obsrxvaysqzz	76741721aede86e5d9a78da5dd349cc7f418a993eba77457c00b27aa627f9882
File opened for modification	/usr/bin/wsfcgiuqfu	76741721aede86e5d9a78da5dd349cc7f418a993eba77457c00b27aa627f9882
File opened for modification	/usr/bin/ondhdjvg	76741721aede86e5d9a78da5dd349cc7f418a993eba77457c00b27aa627f9882
File opened for modification	/usr/bin/tzgpgoleiqdcf	76741721aede86e5d9a78da5dd349cc7f418a993eba77457c00b27aa627f9882
File opened for modification	/usr/bin/mukevorjxynjh	76741721aede86e5d9a78da5dd349cc7f418a993eba77457c00b27aa627f9882
File opened for modification	/usr/bin/izxppqy	76741721aede86e5d9a78da5dd349cc7f418a993eba77457c00b27aa627f9882
File opened for modification	/usr/bin/sudjvfjjwtitky	76741721aede86e5d9a78da5dd349cc7f418a993eba77457c00b27aa627f9882
File opened for modification	/usr/bin/nmntmmhkwa	76741721aede86e5d9a78da5dd349cc7f418a993eba77457c00b27aa627f9882
File opened for modification	/usr/bin/tufeupckhbdk	76741721aede86e5d9a78da5dd349cc7f418a993eba77457c00b27aa627f9882
File opened for modification	/usr/bin/kpbdlmpzkfceom	76741721aede86e5d9a78da5dd349cc7f418a993eba77457c00b27aa627f9882
File opened for modification	/usr/bin/brggwhutqeqq	76741721aede86e5d9a78da5dd349cc7f418a993eba77457c00b27aa627f9882
File opened for modification	/usr/bin/bfdbhoik	76741721aede86e5d9a78da5dd349cc7f418a993eba77457c00b27aa627f9882
File opened for modification	/usr/bin/zzvpcz	76741721aede86e5d9a78da5dd349cc7f418a993eba77457c00b27aa627f9882
File opened for modification	/usr/bin/avhcsmvblanej	76741721aede86e5d9a78da5dd349cc7f418a993eba77457c00b27aa627f9882
File opened for modification	/usr/bin/vqsxtbgxeyi	76741721aede86e5d9a78da5dd349cc7f418a993eba77457c00b27aa627f9882
File opened for modification	/usr/bin/ppqqvhgqqasssn	76741721aede86e5d9a78da5dd349cc7f418a993eba77457c00b27aa627f9882
File opened for modification	/usr/bin/pdqaaam	76741721aede86e5d9a78da5dd349cc7f418a993eba77457c00b27aa627f9882
File opened for modification	/usr/bin/xdtfdccak	76741721aede86e5d9a78da5dd349cc7f418a993eba77457c00b27aa627f9882
File opened for modification	/usr/bin/cuvbzwcxz	76741721aede86e5d9a78da5dd349cc7f418a993eba77457c00b27aa627f9882
File opened for modification	/usr/bin/gekszkxmgigsmb	76741721aede86e5d9a78da5dd349cc7f418a993eba77457c00b27aa627f9882

Reads system network configuration 1 TTPs 1 IoCs

Uses contents of /proc filesystem to enumerate network settings.

discovery

Internet Connection Discovery

T1016.001

description	ioc	Process
File opened for reading	/proc/net/tcp	76741721aede86e5d9a78da5dd349cc7f418a993eba77457c00b27aa627f9882

Reads runtime system information 64 IoCs

Reads data from /proc virtual filesystem.

discovery

description	ioc	Process
File opened for reading	/proc/1872/fd	76741721aede86e5d9a78da5dd349cc7f418a993eba77457c00b27aa627f9882
File opened for reading	/proc/1891/fd	76741721aede86e5d9a78da5dd349cc7f418a993eba77457c00b27aa627f9882
File opened for reading	/proc/1081/fd	76741721aede86e5d9a78da5dd349cc7f418a993eba77457c00b27aa627f9882
File opened for reading	/proc/1548/fd	76741721aede86e5d9a78da5dd349cc7f418a993eba77457c00b27aa627f9882
File opened for reading	/proc/1713/fd	76741721aede86e5d9a78da5dd349cc7f418a993eba77457c00b27aa627f9882
File opened for reading	/proc/1740/fd	76741721aede86e5d9a78da5dd349cc7f418a993eba77457c00b27aa627f9882
File opened for reading	/proc/395/fd	76741721aede86e5d9a78da5dd349cc7f418a993eba77457c00b27aa627f9882
File opened for reading	/proc/441/fd	76741721aede86e5d9a78da5dd349cc7f418a993eba77457c00b27aa627f9882
File opened for reading	/proc/1078/fd	76741721aede86e5d9a78da5dd349cc7f418a993eba77457c00b27aa627f9882
File opened for reading	/proc/1969/fd	76741721aede86e5d9a78da5dd349cc7f418a993eba77457c00b27aa627f9882
File opened for reading	/proc/1923/fd	76741721aede86e5d9a78da5dd349cc7f418a993eba77457c00b27aa627f9882
File opened for reading	/proc/506/fd	76741721aede86e5d9a78da5dd349cc7f418a993eba77457c00b27aa627f9882
File opened for reading	/proc/617/fd	76741721aede86e5d9a78da5dd349cc7f418a993eba77457c00b27aa627f9882
File opened for reading	/proc/1111/fd	76741721aede86e5d9a78da5dd349cc7f418a993eba77457c00b27aa627f9882
File opened for reading	/proc/1118/fd	76741721aede86e5d9a78da5dd349cc7f418a993eba77457c00b27aa627f9882
File opened for reading	/proc/485/fd	76741721aede86e5d9a78da5dd349cc7f418a993eba77457c00b27aa627f9882
File opened for reading	/proc/1207/fd	76741721aede86e5d9a78da5dd349cc7f418a993eba77457c00b27aa627f9882
File opened for reading	/proc/1667/fd	76741721aede86e5d9a78da5dd349cc7f418a993eba77457c00b27aa627f9882
File opened for reading	/proc/1869/fd	76741721aede86e5d9a78da5dd349cc7f418a993eba77457c00b27aa627f9882
File opened for reading	/proc/896/fd	76741721aede86e5d9a78da5dd349cc7f418a993eba77457c00b27aa627f9882
File opened for reading	/proc/1534/fd	76741721aede86e5d9a78da5dd349cc7f418a993eba77457c00b27aa627f9882
File opened for reading	/proc/1821/fd	76741721aede86e5d9a78da5dd349cc7f418a993eba77457c00b27aa627f9882
File opened for reading	/proc/1842/fd	76741721aede86e5d9a78da5dd349cc7f418a993eba77457c00b27aa627f9882
File opened for reading	/proc/1501/fd	76741721aede86e5d9a78da5dd349cc7f418a993eba77457c00b27aa627f9882
File opened for reading	/proc/1641/fd	76741721aede86e5d9a78da5dd349cc7f418a993eba77457c00b27aa627f9882
File opened for reading	/proc/1772/fd	76741721aede86e5d9a78da5dd349cc7f418a993eba77457c00b27aa627f9882
File opened for reading	/proc/692/fd	76741721aede86e5d9a78da5dd349cc7f418a993eba77457c00b27aa627f9882
File opened for reading	/proc/989/fd	76741721aede86e5d9a78da5dd349cc7f418a993eba77457c00b27aa627f9882
File opened for reading	/proc/1701/fd	76741721aede86e5d9a78da5dd349cc7f418a993eba77457c00b27aa627f9882
File opened for reading	/proc/1782/fd	76741721aede86e5d9a78da5dd349cc7f418a993eba77457c00b27aa627f9882
File opened for reading	/proc/1900/fd	76741721aede86e5d9a78da5dd349cc7f418a993eba77457c00b27aa627f9882
File opened for reading	/proc/1963/fd	76741721aede86e5d9a78da5dd349cc7f418a993eba77457c00b27aa627f9882
File opened for reading	/proc/636/fd	76741721aede86e5d9a78da5dd349cc7f418a993eba77457c00b27aa627f9882
File opened for reading	/proc/639/fd	76741721aede86e5d9a78da5dd349cc7f418a993eba77457c00b27aa627f9882
File opened for reading	/proc/1105/fd	76741721aede86e5d9a78da5dd349cc7f418a993eba77457c00b27aa627f9882
File opened for reading	/proc/1933/fd	76741721aede86e5d9a78da5dd349cc7f418a993eba77457c00b27aa627f9882
File opened for reading	/proc/1779/fd	76741721aede86e5d9a78da5dd349cc7f418a993eba77457c00b27aa627f9882
File opened for reading	/proc/455/fd	76741721aede86e5d9a78da5dd349cc7f418a993eba77457c00b27aa627f9882
File opened for reading	/proc/688/fd	76741721aede86e5d9a78da5dd349cc7f418a993eba77457c00b27aa627f9882
File opened for reading	/proc/1671/fd	76741721aede86e5d9a78da5dd349cc7f418a993eba77457c00b27aa627f9882
File opened for reading	/proc/1696/fd	76741721aede86e5d9a78da5dd349cc7f418a993eba77457c00b27aa627f9882
File opened for reading	/proc/1845/fd	76741721aede86e5d9a78da5dd349cc7f418a993eba77457c00b27aa627f9882
File opened for reading	/proc/1582/fd	76741721aede86e5d9a78da5dd349cc7f418a993eba77457c00b27aa627f9882
File opened for reading	/proc/1638/fd	76741721aede86e5d9a78da5dd349cc7f418a993eba77457c00b27aa627f9882
File opened for reading	/proc/1650/fd	76741721aede86e5d9a78da5dd349cc7f418a993eba77457c00b27aa627f9882
File opened for reading	/proc/1733/fd	76741721aede86e5d9a78da5dd349cc7f418a993eba77457c00b27aa627f9882
File opened for reading	/proc/979/fd	76741721aede86e5d9a78da5dd349cc7f418a993eba77457c00b27aa627f9882
File opened for reading	/proc/1581/fd	76741721aede86e5d9a78da5dd349cc7f418a993eba77457c00b27aa627f9882
File opened for reading	/proc/1903/fd	76741721aede86e5d9a78da5dd349cc7f418a993eba77457c00b27aa627f9882
File opened for reading	/proc/1608/fd	76741721aede86e5d9a78da5dd349cc7f418a993eba77457c00b27aa627f9882
File opened for reading	/proc/1628/fd	76741721aede86e5d9a78da5dd349cc7f418a993eba77457c00b27aa627f9882
File opened for reading	/proc/1683/fd	76741721aede86e5d9a78da5dd349cc7f418a993eba77457c00b27aa627f9882
File opened for reading	/proc/1752/fd	76741721aede86e5d9a78da5dd349cc7f418a993eba77457c00b27aa627f9882
File opened for reading	/proc/522/fd	76741721aede86e5d9a78da5dd349cc7f418a993eba77457c00b27aa627f9882
File opened for reading	/proc/1668/fd	76741721aede86e5d9a78da5dd349cc7f418a993eba77457c00b27aa627f9882
File opened for reading	/proc/1938/fd	76741721aede86e5d9a78da5dd349cc7f418a993eba77457c00b27aa627f9882
File opened for reading	/proc/1972/fd	76741721aede86e5d9a78da5dd349cc7f418a993eba77457c00b27aa627f9882
File opened for reading	/proc/914/fd	76741721aede86e5d9a78da5dd349cc7f418a993eba77457c00b27aa627f9882
File opened for reading	/proc/1689/fd	76741721aede86e5d9a78da5dd349cc7f418a993eba77457c00b27aa627f9882
File opened for reading	/proc/1803/fd	76741721aede86e5d9a78da5dd349cc7f418a993eba77457c00b27aa627f9882
File opened for reading	/proc/1951/fd	76741721aede86e5d9a78da5dd349cc7f418a993eba77457c00b27aa627f9882
File opened for reading	/proc/1857/fd	76741721aede86e5d9a78da5dd349cc7f418a993eba77457c00b27aa627f9882
File opened for reading	/proc/1/fd	76741721aede86e5d9a78da5dd349cc7f418a993eba77457c00b27aa627f9882
File opened for reading	/proc/497/fd	76741721aede86e5d9a78da5dd349cc7f418a993eba77457c00b27aa627f9882

Writes file to shm directory 2 IoCs

Malware can drop malicious files in the shm directory which will run directly from RAM.

description	ioc	Process
File opened for modification	/dev/shm/sem.poplax	76741721aede86e5d9a78da5dd349cc7f418a993eba77457c00b27aa627f9882
File opened for modification	/dev/shm/sem.fLEvIk	76741721aede86e5d9a78da5dd349cc7f418a993eba77457c00b27aa627f9882

Writes file to tmp directory 2 IoCs

Malware often drops required files in the /tmp directory.

description	ioc	Process
File opened for modification	/tmp/2889f726aa72b00c75477abe399a814f7cc943dd5ad87a9d5e68edea12714767	76741721aede86e5d9a78da5dd349cc7f418a993eba77457c00b27aa627f9882
File opened for modification	/tmp/2889f726aa72b00c75477abe399a814f7cc943dd5ad87a9d5e68edea12714767.sh	76741721aede86e5d9a78da5dd349cc7f418a993eba77457c00b27aa627f9882

/tmp/76741721aede86e5d9a78da5dd349cc7f418a993eba77457c00b27aa627f9882
/tmp/76741721aede86e5d9a78da5dd349cc7f418a993eba77457c00b27aa627f9882
1⤵
- Creates/modifies Cron job
- Enumerates active TCP sockets
- Modifies init.d
- Write file to user bin folder
- Reads system network configuration
- Reads runtime system information
- Writes file to shm directory
- Writes file to tmp directory
PID:1419

/usr/bin/uyekwwmwesz
/usr/bin/uyekwwmwesz -d 1420
1⤵
- Deletes itself
- Executes dropped EXE
PID:1424

/usr/bin/spixfm
/usr/bin/spixfm -d 1420
1⤵
- Deletes itself
- Executes dropped EXE
PID:1427

/usr/bin/qbnmpuai
/usr/bin/qbnmpuai -d 1420
1⤵
- Deletes itself
- Executes dropped EXE
PID:1430

/usr/bin/ovhhuxagiv
/usr/bin/ovhhuxagiv -d 1420
1⤵
- Deletes itself
- Executes dropped EXE
PID:1433

/usr/bin/xwnzoe
/usr/bin/xwnzoe -d 1420
1⤵
- Deletes itself
- Executes dropped EXE
PID:1436

/usr/bin/kwraxeom
/usr/bin/kwraxeom -d 1420
1⤵
- Deletes itself
- Executes dropped EXE
PID:1479

/usr/bin/iucwymkiibi
/usr/bin/iucwymkiibi -d 1420
1⤵
- Deletes itself
- Executes dropped EXE
PID:1484

/usr/bin/pwpfrwoluouemf
/usr/bin/pwpfrwoluouemf -d 1420
1⤵
- Deletes itself
- Executes dropped EXE
PID:1482

/usr/bin/iztjopytixiv
/usr/bin/iztjopytixiv -d 1420
1⤵
- Deletes itself
- Executes dropped EXE
PID:1488

/usr/bin/ypxkub
/usr/bin/ypxkub -d 1420
1⤵
- Deletes itself
- Executes dropped EXE
PID:1491

/usr/bin/nhzwxowqwt
/usr/bin/nhzwxowqwt -d 1420
1⤵
- Deletes itself
- Executes dropped EXE
PID:1494

/usr/bin/jiwhjbr
/usr/bin/jiwhjbr -d 1420
1⤵
- Deletes itself
- Executes dropped EXE
PID:1499

/usr/bin/smzhkjeleuq
/usr/bin/smzhkjeleuq -d 1420
1⤵
- Deletes itself
- Executes dropped EXE
PID:1497

/usr/bin/daoqeiizssy
/usr/bin/daoqeiizssy -d 1420
1⤵
- Deletes itself
- Executes dropped EXE
PID:1505

/usr/bin/qyrmxglneeqyrp
/usr/bin/qyrmxglneeqyrp -d 1420
1⤵
- Deletes itself
- Executes dropped EXE
PID:1503

/usr/bin/czsuqsleptr
/usr/bin/czsuqsleptr -d 1420
1⤵
- Deletes itself
- Executes dropped EXE
PID:1509

/usr/bin/awuapliumyks
/usr/bin/awuapliumyks -d 1420
1⤵
- Deletes itself
- Executes dropped EXE
PID:1512

/usr/bin/uuznscpruljo
/usr/bin/uuznscpruljo -d 1420
1⤵
- Deletes itself
- Executes dropped EXE
PID:1515

/usr/bin/qduhhufeuupfqd
/usr/bin/qduhhufeuupfqd -d 1420
1⤵
- Deletes itself
- Executes dropped EXE
PID:1518

/usr/bin/aymvsn
/usr/bin/aymvsn -d 1420
1⤵
- Deletes itself
- Executes dropped EXE
PID:1521

/usr/bin/kpbdlmpzkfceom
/usr/bin/kpbdlmpzkfceom -d 1420
1⤵
- Deletes itself
- Executes dropped EXE
PID:1524

/usr/bin/qpbrumdjmqqq
/usr/bin/qpbrumdjmqqq -d 1420
1⤵
- Deletes itself
- Executes dropped EXE
PID:1529

/usr/bin/uqxqhehnjjlwgf
/usr/bin/uqxqhehnjjlwgf -d 1420
1⤵
- Deletes itself
- Executes dropped EXE
PID:1527

/usr/bin/fczbuwr
/usr/bin/fczbuwr -d 1420
1⤵
- Deletes itself
- Executes dropped EXE
PID:1533

/usr/bin/carlkcjq
/usr/bin/carlkcjq -d 1420
1⤵
- Deletes itself
- Executes dropped EXE
PID:1536

/usr/bin/vhywaskg
/usr/bin/vhywaskg -d 1420
1⤵
- Deletes itself
- Executes dropped EXE
PID:1539

/usr/bin/wwunuz
/usr/bin/wwunuz -d 1420
1⤵
- Deletes itself
- Executes dropped EXE
PID:1541

/usr/bin/tamruqtuhhglsx
/usr/bin/tamruqtuhhglsx -d 1420
1⤵
- Deletes itself
- Executes dropped EXE
PID:1545

/usr/bin/nguliowo
/usr/bin/nguliowo -d 1420
1⤵
- Deletes itself
- Executes dropped EXE
PID:1547

/usr/bin/umnhho
/usr/bin/umnhho -d 1420
1⤵
- Deletes itself
- Executes dropped EXE
PID:1551

/usr/bin/crnwldrhmy
/usr/bin/crnwldrhmy -d 1420
1⤵
- Deletes itself
- Executes dropped EXE
PID:1554

/usr/bin/ztnvgvrudf
/usr/bin/ztnvgvrudf -d 1420
1⤵
- Deletes itself
- Executes dropped EXE
PID:1557

/usr/bin/uakgnupbvssi
/usr/bin/uakgnupbvssi -d 1420
1⤵
- Deletes itself
- Executes dropped EXE
PID:1560

/usr/bin/fnhnbidc
/usr/bin/fnhnbidc -d 1420
1⤵
- Deletes itself
- Executes dropped EXE
PID:1563

/usr/bin/qzhnqbsxtmx
/usr/bin/qzhnqbsxtmx -d 1420
1⤵
- Deletes itself
- Executes dropped EXE
PID:1566

/usr/bin/vmakqx
/usr/bin/vmakqx -d 1420
1⤵
- Deletes itself
- Executes dropped EXE
PID:1586

/usr/bin/ifuqucdvkizlay
/usr/bin/ifuqucdvkizlay -d 1420
1⤵
- Deletes itself
- Executes dropped EXE
PID:1589

/usr/bin/nqyfntun
/usr/bin/nqyfntun -d 1420
1⤵
- Deletes itself
- Executes dropped EXE
PID:1592

/usr/bin/pzbzpyeafaqzev
/usr/bin/pzbzpyeafaqzev -d 1420
1⤵
- Deletes itself
- Executes dropped EXE
PID:1595

/usr/bin/odxbdv
/usr/bin/odxbdv -d 1420
1⤵
- Deletes itself
- Executes dropped EXE
PID:1598

/usr/bin/slwxbrrqr
/usr/bin/slwxbrrqr -d 1420
1⤵
- Deletes itself
- Executes dropped EXE
PID:1601

/usr/bin/puihtojaozc
/usr/bin/puihtojaozc -d 1420
1⤵
- Deletes itself
- Executes dropped EXE
PID:1603

/usr/bin/wajbynetlwh
/usr/bin/wajbynetlwh -d 1420
1⤵
- Deletes itself
- Executes dropped EXE
PID:1607

/usr/bin/vkapatxpoh
/usr/bin/vkapatxpoh -d 1420
1⤵
- Deletes itself
- Executes dropped EXE
PID:1610

/usr/bin/jvhlminhgoshmh
/usr/bin/jvhlminhgoshmh -d 1420
1⤵
- Deletes itself
- Executes dropped EXE
PID:1613

/usr/bin/hsjodhygwyzv
/usr/bin/hsjodhygwyzv -d 1420
1⤵
- Deletes itself
- Executes dropped EXE
PID:1616

/usr/bin/pdqaaam
/usr/bin/pdqaaam -d 1420
1⤵
- Deletes itself
- Executes dropped EXE
PID:1619

/usr/bin/izxppqy
/usr/bin/izxppqy -d 1420
1⤵
- Deletes itself
- Executes dropped EXE
PID:1622

/usr/bin/zmjsxzxeadcaf
/usr/bin/zmjsxzxeadcaf -d 1420
1⤵
- Deletes itself
- Executes dropped EXE
PID:1625

/usr/bin/sudjvfjjwtitky
/usr/bin/sudjvfjjwtitky -d 1420
1⤵
- Deletes itself
- Executes dropped EXE
PID:1627

/usr/bin/jblvmfsmczoi
/usr/bin/jblvmfsmczoi -d 1420
1⤵
- Deletes itself
- Executes dropped EXE
PID:1631

/usr/bin/onbhjgsgmb
/usr/bin/onbhjgsgmb -d 1420
1⤵
- Deletes itself
- Executes dropped EXE
PID:1634

/usr/bin/iuadhypq
/usr/bin/iuadhypq -d 1420
1⤵
- Deletes itself
- Executes dropped EXE
PID:1637

/usr/bin/cnohhclgqvkekl
/usr/bin/cnohhclgqvkekl -d 1420
1⤵
- Deletes itself
- Executes dropped EXE
PID:1640

/usr/bin/wsfcgiuqfu
/usr/bin/wsfcgiuqfu -d 1420
1⤵
- Deletes itself
- Executes dropped EXE
PID:1643

/usr/bin/mukevorjxynjh
/usr/bin/mukevorjxynjh -d 1420
1⤵
- Deletes itself
- Executes dropped EXE
PID:1646

/usr/bin/grkrezny
/usr/bin/grkrezny -d 1420
1⤵
- Deletes itself
- Executes dropped EXE
PID:1649

/usr/bin/renlwsfsgbekx
/usr/bin/renlwsfsgbekx -d 1420
1⤵
- Deletes itself
- Executes dropped EXE
PID:1652

/usr/bin/biqcwbl
/usr/bin/biqcwbl -d 1420
1⤵
- Deletes itself
- Executes dropped EXE
PID:1655

/usr/bin/kenbinq
/usr/bin/kenbinq -d 1420
1⤵
- Deletes itself
- Executes dropped EXE
PID:1657

/usr/bin/uhnjvmeceke
/usr/bin/uhnjvmeceke -d 1420
1⤵
- Deletes itself
- Executes dropped EXE
PID:1661

/usr/bin/cnclhmyrhmv
/usr/bin/cnclhmyrhmv -d 1420
1⤵
- Deletes itself
- Executes dropped EXE
PID:1666

/usr/bin/vbdylwcjznljra
/usr/bin/vbdylwcjznljra -d 1420
1⤵
- Deletes itself
- Executes dropped EXE
PID:1664

/usr/bin/qhpdcsidee
/usr/bin/qhpdcsidee -d 1420
1⤵
- Deletes itself
- Executes dropped EXE
PID:1670

/usr/bin/pgvarobeqqid
/usr/bin/pgvarobeqqid -d 1420
1⤵
PID:1673

/usr/bin/werfqo
/usr/bin/werfqo -d 1420
1⤵
PID:1676

/usr/bin/jxgmczuffbmuh
/usr/bin/jxgmczuffbmuh -d 1420
1⤵
PID:1679

/usr/bin/xayagqq
/usr/bin/xayagqq -d 1420
1⤵
PID:1682

/usr/bin/uqnyjtozkxzs
/usr/bin/uqnyjtozkxzs -d 1420
1⤵
PID:1685

/usr/bin/brggwhutqeqq
/usr/bin/brggwhutqeqq -d 1420
1⤵
PID:1688

/usr/bin/qxuiqozdmkyd
/usr/bin/qxuiqozdmkyd -d 1420
1⤵
PID:1691

/usr/bin/kcldomuuutbqm
/usr/bin/kcldomuuutbqm -d 1420
1⤵
PID:1694

/usr/bin/ucjyui
/usr/bin/ucjyui -d 1420
1⤵
PID:1697

/usr/bin/cyhdewq
/usr/bin/cyhdewq -d 1420
1⤵
PID:1700

/usr/bin/zcndnqrbm
/usr/bin/zcndnqrbm -d 1420
1⤵
PID:1703

/usr/bin/xfonrhivtipd
/usr/bin/xfonrhivtipd -d 1420
1⤵
PID:1706

/usr/bin/uclxihnmip
/usr/bin/uclxihnmip -d 1420
1⤵
PID:1709

/usr/bin/lerdhgqenh
/usr/bin/lerdhgqenh -d 1420
1⤵
PID:1712

/usr/bin/hqccjkup
/usr/bin/hqccjkup -d 1420
1⤵
PID:1715

/usr/bin/orzlbgbnqqpbx
/usr/bin/orzlbgbnqqpbx -d 1420
1⤵
PID:1718

/usr/bin/geozlcgfjyh
/usr/bin/geozlcgfjyh -d 1420
1⤵
PID:1721

/usr/bin/ithxhxqgjtokg
/usr/bin/ithxhxqgjtokg -d 1420
1⤵
PID:1724

/usr/bin/cxgbgogwn
/usr/bin/cxgbgogwn -d 1420
1⤵
PID:1727

/usr/bin/avylufz
/usr/bin/avylufz -d 1420
1⤵
PID:1730

/usr/bin/aidigvqpofbw
/usr/bin/aidigvqpofbw -d 1420
1⤵
PID:1732

/usr/bin/furhaipyxiztg
/usr/bin/furhaipyxiztg -d 1420
1⤵
PID:1736

/usr/bin/pnjtpuwx
/usr/bin/pnjtpuwx -d 1420
1⤵
PID:1739

/usr/bin/rqrfxs
/usr/bin/rqrfxs -d 1420
1⤵
PID:1742

/usr/bin/ixxcezkvyhdxcl
/usr/bin/ixxcezkvyhdxcl -d 1420
1⤵
PID:1745

/usr/bin/ryvkop
/usr/bin/ryvkop -d 1420
1⤵
PID:1748

/usr/bin/npbfggcak
/usr/bin/npbfggcak -d 1420
1⤵
PID:1751

/usr/bin/zhpehzzhifglq
/usr/bin/zhpehzzhifglq -d 1420
1⤵
PID:1754

/usr/bin/ermrhdzusba
/usr/bin/ermrhdzusba -d 1420
1⤵
PID:1756

/usr/bin/jecvrcfgiofjvq
/usr/bin/jecvrcfgiofjvq -d 1420
1⤵
PID:1760

/usr/bin/bdhshyhafk
/usr/bin/bdhshyhafk -d 1420
1⤵
PID:1763

/usr/bin/bfdbhoik
/usr/bin/bfdbhoik -d 1420
1⤵
PID:1766

/usr/bin/bxqzeqgp
/usr/bin/bxqzeqgp -d 1420
1⤵
PID:1771

/usr/bin/zmpgudndadud
/usr/bin/zmpgudndadud -d 1420
1⤵
PID:1769

/usr/bin/hwvldktnwsbnax
/usr/bin/hwvldktnwsbnax -d 1420
1⤵
PID:1775

/usr/bin/obsrxvaysqzz
/usr/bin/obsrxvaysqzz -d 1420
1⤵
PID:1778

/usr/bin/hqbomyzpiufg
/usr/bin/hqbomyzpiufg -d 1420
1⤵
PID:1781

/usr/bin/huvokycwxenhy
/usr/bin/huvokycwxenhy -d 1420
1⤵
PID:1786

/usr/bin/gtneldhdvgaxgt
/usr/bin/gtneldhdvgaxgt -d 1420
1⤵
PID:1784

/usr/bin/ondhdjvg
/usr/bin/ondhdjvg -d 1420
1⤵
PID:1790

/usr/bin/ydyzaeunl
/usr/bin/ydyzaeunl -d 1420
1⤵
PID:1793

/usr/bin/lzaldyihnqiig
/usr/bin/lzaldyihnqiig -d 1420
1⤵
PID:1796

/usr/bin/npywkfqlkomlug
/usr/bin/npywkfqlkomlug -d 1420
1⤵
PID:1799

/usr/bin/fwlgyzlyht
/usr/bin/fwlgyzlyht -d 1420
1⤵
PID:1802

/usr/bin/zbvhyixxgjew
/usr/bin/zbvhyixxgjew -d 1420
1⤵
PID:1805

/usr/bin/omgzgo
/usr/bin/omgzgo -d 1420
1⤵
PID:1808

/usr/bin/nmntmmhkwa
/usr/bin/nmntmmhkwa -d 1420
1⤵
PID:1811

/usr/bin/gjixvqyeha
/usr/bin/gjixvqyeha -d 1420
1⤵
PID:1816

/usr/bin/xdtfdccak
/usr/bin/xdtfdccak -d 1420
1⤵
PID:1814

/usr/bin/tqngeuqaw
/usr/bin/tqngeuqaw -d 1420
1⤵
PID:1820

/usr/bin/ybidemhhyunh
/usr/bin/ybidemhhyunh -d 1420
1⤵
PID:1823

/usr/bin/mfvljcncxdpf
/usr/bin/mfvljcncxdpf -d 1420
1⤵
PID:1826

/usr/bin/lyijmikwnpiuwj
/usr/bin/lyijmikwnpiuwj -d 1420
1⤵
PID:1829

/usr/bin/lqvyxsli
/usr/bin/lqvyxsli -d 1420
1⤵
PID:1832

/usr/bin/yluccbkqzu
/usr/bin/yluccbkqzu -d 1420
1⤵
PID:1835

/usr/bin/ofkksb
/usr/bin/ofkksb -d 1420
1⤵
PID:1838

/usr/bin/pxeiiw
/usr/bin/pxeiiw -d 1420
1⤵
PID:1841

/usr/bin/iuytcwsp
/usr/bin/iuytcwsp -d 1420
1⤵
PID:1844

/usr/bin/uuugkt
/usr/bin/uuugkt -d 1420
1⤵
PID:1847

/usr/bin/lhhvucwpr
/usr/bin/lhhvucwpr -d 1420
1⤵
PID:1850

/usr/bin/tzgpgoleiqdcf
/usr/bin/tzgpgoleiqdcf -d 1420
1⤵
PID:1852

/usr/bin/ybpenl
/usr/bin/ybpenl -d 1420
1⤵
PID:1856

/usr/bin/zuqwou
/usr/bin/zuqwou -d 1420
1⤵
PID:1859

/usr/bin/dlqwmwou
/usr/bin/dlqwmwou -d 1420
1⤵
PID:1862

/usr/bin/zzvpcz
/usr/bin/zzvpcz -d 1420
1⤵
PID:1865

/usr/bin/zxypdmcnlwd
/usr/bin/zxypdmcnlwd -d 1420
1⤵
PID:1868

/usr/bin/lzcomvnarbv
/usr/bin/lzcomvnarbv -d 1420
1⤵
PID:1871

/usr/bin/cubsyarzzpqed
/usr/bin/cubsyarzzpqed -d 1420
1⤵
PID:1874

/usr/bin/sqpxacxeqjz
/usr/bin/sqpxacxeqjz -d 1420
1⤵
PID:1877

/usr/bin/krgfvl
/usr/bin/krgfvl -d 1420
1⤵
PID:1880

/usr/bin/zfbzwablrfrlx
/usr/bin/zfbzwablrfrlx -d 1420
1⤵
PID:1883

/usr/bin/avhcsmvblanej
/usr/bin/avhcsmvblanej -d 1420
1⤵
PID:1887

/usr/bin/cuvbzwcxz
/usr/bin/cuvbzwcxz -d 1420
1⤵
PID:1890

/usr/bin/iqjzbg
/usr/bin/iqjzbg -d 1420
1⤵
PID:1893

/usr/bin/ebqivefz
/usr/bin/ebqivefz -d 1420
1⤵
PID:1896

/usr/bin/imwrfanabozely
/usr/bin/imwrfanabozely -d 1420
1⤵
PID:1899

/usr/bin/vqsxtbgxeyi
/usr/bin/vqsxtbgxeyi -d 1420
1⤵
PID:1902

/usr/bin/tufeupckhbdk
/usr/bin/tufeupckhbdk -d 1420
1⤵
PID:1907

/usr/bin/fnzxvlvoswdv
/usr/bin/fnzxvlvoswdv -d 1420
1⤵
PID:1905

/usr/bin/dpjnroaq
/usr/bin/dpjnroaq -d 1420
1⤵
PID:1911

/usr/bin/ydloyhstilp
/usr/bin/ydloyhstilp -d 1420
1⤵
PID:1913

/usr/bin/sjdutmxyxgdop
/usr/bin/sjdutmxyxgdop -d 1420
1⤵
PID:1917

/usr/bin/ynztwlikd
/usr/bin/ynztwlikd -d 1420
1⤵
PID:1922

/usr/bin/fgtxtrae
/usr/bin/fgtxtrae -d 1420
1⤵
PID:1920

/usr/bin/pzmbynaeqovhtb
/usr/bin/pzmbynaeqovhtb -d 1420
1⤵
PID:1926

/usr/bin/qvttba
/usr/bin/qvttba -d 1420
1⤵
PID:1929

/usr/bin/panllvxqpmr
/usr/bin/panllvxqpmr -d 1420
1⤵
PID:1932

/usr/bin/nolhfnusy
/usr/bin/nolhfnusy -d 1420
1⤵
PID:1937

/usr/bin/ppqqvhgqqasssn
/usr/bin/ppqqvhgqqasssn -d 1420
1⤵
PID:1935

/usr/bin/pqidjmvycnvlt
/usr/bin/pqidjmvycnvlt -d 1420
1⤵
PID:1941

/usr/bin/btevotgb
/usr/bin/btevotgb -d 1420
1⤵
PID:1944

/usr/bin/uiphehiyz
/usr/bin/uiphehiyz -d 1420
1⤵
PID:1947

/usr/bin/gekszkxmgigsmb
/usr/bin/gekszkxmgigsmb -d 1420
1⤵
PID:1950

/usr/bin/hprqtamdpv
/usr/bin/hprqtamdpv -d 1420
1⤵
PID:1953

/usr/bin/zdiyeo
/usr/bin/zdiyeo -d 1420
1⤵
PID:1956

/usr/bin/qjeagsioyc
/usr/bin/qjeagsioyc -d 1420
1⤵
PID:1959

/usr/bin/camtrc
/usr/bin/camtrc -d 1420
1⤵
PID:1962

/usr/bin/uqsjlc
/usr/bin/uqsjlc -d 1420
1⤵
PID:1965

/usr/bin/pkivalnjrnpjy
/usr/bin/pkivalnjrnpjy -d 1420
1⤵
PID:1968

/usr/bin/kaimbufuyuoo
/usr/bin/kaimbufuyuoo -d 1420
1⤵
PID:1971

/usr/bin/aaqiraro
/usr/bin/aaqiraro -d 1420
1⤵
PID:1974

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Cron

T1053.003

Persistence

Boot or Logon Autostart Execution

T1547

Boot or Logon Initialization Scripts

T1037

RC Scripts

T1037.004

Scheduled Task/Job

T1053

Cron

T1053.003

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Boot or Logon Initialization Scripts

T1037

RC Scripts

T1037.004

Scheduled Task/Job

T1053

Cron

T1053.003

Defense Evasion

Credential Access

Discovery

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

System Network Connections Discovery

T1049

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

/dev/shm/sem.fLEvIk

Filesize
16B

MD5
076933ff9904d1110d896e2c525e39e5

SHA1
4188442577fa77f25820d9b2d01cc446e30684ac

SHA256
4cbbd8ca5215b8d161aec181a74b694f4e24b001d5b081dc0030ed797a8973e0

SHA512
6fcee9a7b7a7b821d241c03c82377928bc6882e7a08c78a4221199bfa220cdc55212273018ee613317c8293bb8d1ce08d1e017508e94e06ab85a734c99c7cc34

Download Submit
/etc/cron.hourly/2889f726aa72b00c75477abe399a814f7cc943dd5ad87a9d5e68edea12714767.sh

Filesize
201B

MD5
8f7f9f6b3671e68cba58e77e5b30b440

SHA1
f8ed95be9dd20364ba4fe4adc36a5ac647190f3f

SHA256
43b42679317f0d9289515e553cffc2a2d4ce0bb5c45ef9a510baad66fe017f25

SHA512
035ee43adf8365167b35a8530a50f30a94cc125d5ce94c543cf8c83260a1b48ffbe4aca6a94b120c07ebdf56cb53b1ca1ef2d81b4cbd9234c4fa1f0093c87bf6

Download Submit
/etc/daemon.cfg

Filesize
32B

MD5
9fceeae25cb5ce4f7fed19fb3a570067

SHA1
18816113fc1bda6bfd937887ef5840aab7a969ff

SHA256
d51c77417825dea23ffbc7dc2f0ebbdf1458bf89ef325d550415c6a5aa1a9c8e

SHA512
06e5a95abdfac5867b4577dbd92962d3a0daa1ed8e14e0c0a9f1f36a26b09d44f1b61d86ceb0e298f172e4ff6b150aadc0353f0cc3ba0801a947259dc4ba18da

Download Submit
/etc/init.d/2889f726aa72b00c75477abe399a814f7cc943dd5ad87a9d5e68edea12714767

Filesize
608B

MD5
b86ff315de0c613bbc802342c88784c1

SHA1
06eccff30fef037a1414dfc244bc505b6c295b1f

SHA256
40b34263ef65937d2ca42263b43b13bf0cbee10ebe3a52da7706350c0811065e

SHA512
68d9ca4b359e3c50e7e0dd99e9caef4345255178e074d3c8e8826fee1054be96f867256dde928d8ae1e7735292e876f434f1831d05045f424d858d10ad50a179

Download Submit
/tmp/2889f726aa72b00c75477abe399a814f7cc943dd5ad87a9d5e68edea12714767

Filesize
549KB

MD5
455b46bf3f93b8853137de2b99ef0f4c

SHA1
99387d92aee1ad50c8af0a5192f651ad8021d1d4

SHA256
76741721aede86e5d9a78da5dd349cc7f418a993eba77457c00b27aa627f9882

SHA512
a43cc62e55da2d23f2f57bffc3e2f3e406e41b0e1ba24b38d274a12e25d87d005f89f03e98c4fbf91622b75a4009c38033ea9d74316696469d26f9ea3a3237fa

Download Submit

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads