Analysis
max time kernel: 43s
max time network: 45s
platform: ubuntu-20.04_amd64
resource: ubuntu2004-amd64-20240508-en
resource tags: arch:amd64, arch:i386, image:ubuntu2004-amd64-20240508-en, kernel:5.4.0-169-generic, locale:en-us, os:ubuntu-20.04-amd64, system
submitted: 26-01-2025 22:39
Behavioral task: behavioral1
Sample: 112s
Resource: ubuntu2004-amd64-20240508-en
General
Target: 112s
Size: 549KB
MD5: f9191bab1e834d4aef3380700639cee9
SHA1: 9c20269df6694260a24ac783de2e30d627a6928a
SHA256: ea40ecec0b30982fbb1662e67f97f0e9d6f43d2d587f2f588525fae683abea73
SHA512: 3d2758fe2d06183e627b5cc24919c08c84108f2efd7ab0a162029d55537476410d9535d50f3eb059f7153f7482c134284862eea121201f82838aace4b12283b5
SSDEEP: 12288:VeRvuKqiVZ4En5drNK0pPEfJKlHZ8mG97Qxee6yzmx:VIv/qiVNHNDEfJKHZ8mG9QeeO
Malware Config
Extracted
Family: xorddos
api.markerbio.com:112
api.enoan2107.com:112
http://qq.com/lib.asp
crc_polynomial: CDB88320
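The extracted crc_polynomial CDB88320 differs in one nibble from EDB88320, the reflected polynomial of standard CRC-32 (zlib, IEEE 802.3), which means off-the-shelf crc32 tooling will not reproduce whatever checksums the sample computes. The following is an added example, not part of the sandbox report or of the malware: a table-driven CRC-32 parameterised by polynomial, used to check whether a reported polynomial is the standard one. It assumes the extractor reports the reflected (LSB-first) form and that the initial value and final XOR are the standard 0xFFFFFFFF; the sample's own init/xorout parameters are not stated on the page.

```python
"""CRC-32 with a configurable reflected polynomial (added example)."""
import zlib

STANDARD_POLY = 0xEDB88320   # IEEE CRC-32, reflected form, as used by zlib.crc32
EXTRACTED_POLY = 0xCDB88320  # value reported in this report's Malware Config


def make_table(poly: int) -> list[int]:
    """Build the 256-entry lookup table for a reflected (LSB-first) CRC-32."""
    table = []
    for n in range(256):
        c = n
        for _ in range(8):
            c = (c >> 1) ^ poly if c & 1 else c >> 1
        table.append(c)
    return table


def crc32_with_poly(data: bytes, poly: int,
                    init: int = 0xFFFFFFFF, xorout: int = 0xFFFFFFFF) -> int:
    """Standard table-driven CRC-32 loop; init/xorout are assumed, not extracted."""
    table = make_table(poly)
    crc = init
    for b in data:
        crc = table[(crc ^ b) & 0xFF] ^ (crc >> 8)
    return (crc ^ xorout) & 0xFFFFFFFF


def is_standard_crc32(poly: int, probe: bytes = b"123456789") -> bool:
    """True when the polynomial reproduces zlib's CRC-32 on the usual check string."""
    return crc32_with_poly(probe, poly) == zlib.crc32(probe)


if __name__ == "__main__":
    for name, poly in (("standard", STANDARD_POLY), ("extracted", EXTRACTED_POLY)):
        value = crc32_with_poly(b"123456789", poly)
        print(f"{name}: poly 0x{poly:08X} -> crc 0x{value:08X}, matches zlib: {is_standard_crc32(poly)}")
```

The practical consequence: to verify or regenerate any checksum the sample uses, the polynomial must be fed in explicitly, and the init/xorout values should be confirmed against the binary before trusting the result.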
Signatures

XorDDoS
Botnet and downloader malware targeting Linux-based operating systems and IoT devices.

XorDDoS payload 1 IoCs
resource: behavioral1/files/fstream-2.dat | yara_rule: family_xorddos

Xorddos family
Deletes itself 51 IoCs
pid   Process
1409  Process not Found
1420  wrvcpbgvgtf
1421  cldvsrsles
1426  wcgsgrtekrgasn
1427  caqrmlhjmr
1430  agefkfvbrii
1478  xcceygnqmemr
1481  fzrzmoz
1484  vggabkrku
1487  hwxnufanuhbny
1490  mrfbhgvcm
1497  zsuetcm
1498  worfre
1504  eavjojeprxywow
1503  luoeaiifhdao
1507  eankbitrtail
1517  ogptgdpmgfxhps
1516  jsiurrfh
1520  pgwrlxzbeqwm
1523  mzatyjisl
1526  ntngmtn
1529  aovboqzz
1534  ppfxrsjkdjyylp
1535  skshgfnuabem
1540  mqogbgnjobdoe
1541  bczqkwkehwhs
1544  fflvucl
1547  fsqoitrwxdzzcs
1550  acnjyucubj
1553  ydmmerewhopa
1556  memniezlgo
1559  rnfnwtex
1562  sdrglvhwbvthg
1565  kvbuiprjigoyfj
1568  coxhgfsbmrfh
1571  oqfyljvvaoeiw
1591  bbyikm
1594  crxncskciql
1597  kvgpilj
1600  aijhlmftxtq
1603  mnpphzrrscv
1606  yduirddrnmyz
1609  fsyykzkz
1612  ziqrzkvvo
1615  aiernhibvicunw
1618  lhuygkzp
1621  sqmolblojpfz
1624  qcwyeqoanbjhz
1629  jtbvkiwl
1630  rzhwrxih
1633  yhzezn
Executes dropped EXE 51 IoCs
ioc                       pid   Process
/usr/bin/szzqghtjb        1412  Process not Found
/usr/bin/wrvcpbgvgtf      1419  szzqghtjb
/usr/bin/cldvsrsles       1417  szzqghtjb
/usr/bin/caqrmlhjmr       1423  szzqghtjb
/usr/bin/wcgsgrtekrgasn   1425  szzqghtjb
/usr/bin/agefkfvbrii      1429  szzqghtjb
/usr/bin/xcceygnqmemr     1477  szzqghtjb
/usr/bin/fzrzmoz          1480  szzqghtjb
/usr/bin/vggabkrku        1483  szzqghtjb
/usr/bin/hwxnufanuhbny    1486  szzqghtjb
/usr/bin/mrfbhgvcm        1489  szzqghtjb
/usr/bin/zsuetcm          1496  szzqghtjb
/usr/bin/worfre           1494  szzqghtjb
/usr/bin/eavjojeprxywow   1500  szzqghtjb
/usr/bin/luoeaiifhdao     1502  szzqghtjb
/usr/bin/eankbitrtail     1506  szzqghtjb
/usr/bin/jsiurrfh         1515  szzqghtjb
/usr/bin/ogptgdpmgfxhps   1513  szzqghtjb
/usr/bin/pgwrlxzbeqwm     1519  szzqghtjb
/usr/bin/mzatyjisl        1522  szzqghtjb
/usr/bin/ntngmtn          1525  szzqghtjb
/usr/bin/aovboqzz         1528  szzqghtjb
/usr/bin/ppfxrsjkdjyylp   1533  szzqghtjb
/usr/bin/skshgfnuabem     1531  szzqghtjb
/usr/bin/mqogbgnjobdoe    1537  szzqghtjb
/usr/bin/bczqkwkehwhs     1539  szzqghtjb
/usr/bin/fflvucl          1543  szzqghtjb
/usr/bin/fsqoitrwxdzzcs   1546  szzqghtjb
/usr/bin/acnjyucubj       1549  szzqghtjb
/usr/bin/ydmmerewhopa     1552  szzqghtjb
/usr/bin/memniezlgo       1555  szzqghtjb
/usr/bin/rnfnwtex         1558  szzqghtjb
/usr/bin/sdrglvhwbvthg    1561  szzqghtjb
/usr/bin/kvbuiprjigoyfj   1564  szzqghtjb
/usr/bin/coxhgfsbmrfh     1567  szzqghtjb
/usr/bin/oqfyljvvaoeiw    1570  szzqghtjb
/usr/bin/bbyikm           1590  szzqghtjb
/usr/bin/crxncskciql      1593  szzqghtjb
/usr/bin/kvgpilj          1596  szzqghtjb
/usr/bin/aijhlmftxtq      1599  szzqghtjb
/usr/bin/mnpphzrrscv      1602  szzqghtjb
/usr/bin/yduirddrnmyz     1605  szzqghtjb
/usr/bin/fsyykzkz         1608  szzqghtjb
/usr/bin/ziqrzkvvo        1611  szzqghtjb
/usr/bin/aiernhibvicunw   1614  szzqghtjb
/usr/bin/lhuygkzp         1617  szzqghtjb
/usr/bin/sqmolblojpfz     1620  szzqghtjb
/usr/bin/qcwyeqoanbjhz    1623  szzqghtjb
/usr/bin/jtbvkiwl         1628  szzqghtjb
/usr/bin/rzhwrxih         1626  szzqghtjb
/usr/bin/yhzezn           1632  szzqghtjb
Unexpected DNS network traffic destination 1 IoCs
Network traffic to other servers than the configured DNS servers was detected on the DNS port.
description: Destination IP | ioc: 114.114.114.114
Creates/modifies Cron job 1 TTPs 1 IoCs
Cron allows running tasks on a schedule, and is commonly used for malware persistence.
description: File opened for modification | ioc: /etc/cron.hourly/bjthgqzzs.sh | Process: szzqghtjb
Enumerates active TCP sockets 1 TTPs 1 IoCs
Gets active TCP sockets from /proc virtual filesystem.
description: File opened for reading | ioc: /proc/net/tcp | Process: szzqghtjb
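The bot reads /proc/net/tcp to see the host's sockets; a responder reads the same file to find the bot's own sessions. The following is an added example, not part of the sandbox report and not XorDDoS code: a parser for the kernel's /proc/net/tcp layout that decodes the hex-encoded endpoints and flags rows matching this report's indicators, the C2 port 112 from the extracted config and the unexpected DNS destination 114.114.114.114. The C2 hostnames would have to be resolved separately, since the report lists no addresses for them. It assumes a little-endian host (the report's amd64 box) and IPv4 only (/proc/net/tcp6 prints 32 hex digits per address). The SAMPLE text is constructed for the example; 203.0.113.5 is an RFC 5737 documentation address, not real infrastructure.

```python
"""Parse /proc/net/tcp and flag sockets matching this report's IoCs (added example)."""
import socket
import struct

# Constructed sample in the kernel's /proc/net/tcp layout (not captured from the sandbox).
SAMPLE = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 0100007F:0277 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 17623 1 0000000000000000 100 0 0 10 0
   1: 0F02000A:B3D2 057100CB:0070 01 00000000:00000000 00:00000000 00000000     0        0 31114 1 0000000000000000 20 4 30 10 -1
   2: 0F02000A:C1A4 72727272:0035 01 00000000:00000000 00:00000000 00000000     0        0 31120 1 0000000000000000 20 4 30 10 -1
   3: 0F02000A:9C40 0A00A8C0:01BB 01 00000000:00000000 00:00000000 00000000  1000        0 29870 1 0000000000000000 20 4 30 10 -1
"""

TCP_STATES = {"01": "ESTABLISHED", "02": "SYN_SENT", "03": "SYN_RECV",
              "04": "FIN_WAIT1", "05": "FIN_WAIT2", "06": "TIME_WAIT",
              "07": "CLOSE", "08": "CLOSE_WAIT", "09": "LAST_ACK",
              "0A": "LISTEN", "0B": "CLOSING"}


def decode_endpoint(field: str) -> tuple[str, int]:
    """Turn 'hexaddr:hexport' into (dotted quad, port).

    The address is a 32-bit value printed in host byte order, so on a
    little-endian host packing it as '<I' yields the bytes in network order.
    """
    addr_hex, port_hex = field.split(":")
    packed = struct.pack("<I", int(addr_hex, 16))
    return socket.inet_ntoa(packed), int(port_hex, 16)


def parse_proc_net_tcp(text: str) -> list[dict]:
    """Return one dict per socket row; the header row is skipped."""
    entries = []
    for line in text.splitlines()[1:]:
        fields = line.split()
        if len(fields) < 10:
            continue
        entries.append({
            "local": decode_endpoint(fields[1]),
            "remote": decode_endpoint(fields[2]),
            "state": TCP_STATES.get(fields[3], fields[3]),
            "uid": int(fields[7]),
            "inode": int(fields[9]),   # socket inode; matches socket:[N] links in /proc/<pid>/fd
        })
    return entries


def find_c2_candidates(entries, c2_ports=frozenset({112}),
                       rogue_resolvers=frozenset({"114.114.114.114"})):
    """Flag non-listening sockets whose peer matches the report's indicators."""
    hits = []
    for e in entries:
        rip, rport = e["remote"]
        if e["state"] == "LISTEN":
            continue
        if rport in c2_ports:
            hits.append((e, "remote port matches extracted C2 port"))
        elif rip in rogue_resolvers:
            hits.append((e, "remote address is the unexpected DNS destination"))
    return hits


if __name__ == "__main__":
    for e, why in find_c2_candidates(parse_proc_net_tcp(SAMPLE)):
        print(f"{e['local'][0]}:{e['local'][1]} -> {e['remote'][0]}:{e['remote'][1]} "
              f"{e['state']} uid={e['uid']} inode={e['inode']}: {why}")
```

On a live host, replace SAMPLE with the contents of /proc/net/tcp. The inode column is the pivot to a process: each socket appears as a socket:[inode] symlink under /proc/<pid>/fd, which is the same directory scan this report shows the bot performing. Because the DNS traffic may be UDP, run the same parser over /proc/net/udp as well; its local/remote/state columns sit in the same positions.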
Enumerates running processes
Discovers information about currently running processes on the system

Modifies init.d 1 IoCs
description: File opened for modification | ioc: /etc/init.d/bjthgqzzs | Process: szzqghtjb
Write file to user bin folder 53 IoCs
description: File opened for modification (all entries) | Process: szzqghtjb unless noted
/usr/bin/wcgsgrtekrgasn
/usr/bin/eankbitrtail
/usr/bin/rnfnwtex
/usr/bin/bbyikm
/usr/bin/lhuygkzp
/usr/bin/hwxnufanuhbny
/usr/bin/skshgfnuabem
/usr/bin/mqogbgnjobdoe
/usr/bin/jtbvkiwl
/usr/bin/memniezlgo
/usr/bin/kvbuiprjigoyfj
/usr/bin/crxncskciql
/usr/bin/kvgpilj
/usr/bin/bjthgqzzs.sh
/usr/bin/caqrmlhjmr
/usr/bin/ppfxrsjkdjyylp
/usr/bin/aijhlmftxtq
/usr/bin/sdrglvhwbvthg
/usr/bin/bjthgqzzs
/usr/bin/agefkfvbrii
/usr/bin/jsiurrfh
/usr/bin/fflvucl
/usr/bin/xcceygnqmemr
/usr/bin/eavjojeprxywow
/usr/bin/pgwrlxzbeqwm
/usr/bin/aovboqzz
/usr/bin/sqmolblojpfz
/usr/bin/luoeaiifhdao
/usr/bin/mnpphzrrscv
/usr/bin/ziqrzkvvo
/usr/bin/mrfbhgvcm
/usr/bin/mzatyjisl
/usr/bin/oqfyljvvaoeiw
/usr/bin/rzhwrxih
/usr/bin/acnjyucubj
/usr/bin/fsyykzkz
/usr/bin/coxhgfsbmrfh
/usr/bin/szzqghtjb (Process: Process not Found)
/usr/bin/fzrzmoz
/usr/bin/vggabkrku
/usr/bin/ntngmtn
/usr/bin/ydmmerewhopa
/usr/bin/bczqkwkehwhs
/usr/bin/fsqoitrwxdzzcs
/usr/bin/wrvcpbgvgtf
/usr/bin/worfre
/usr/bin/zsuetcm
/usr/bin/qcwyeqoanbjhz
/usr/bin/cldvsrsles
/usr/bin/ogptgdpmgfxhps
/usr/bin/yduirddrnmyz
/usr/bin/yhzezn
/usr/bin/aiernhibvicunw
Reads system network configuration 1 TTPs 1 IoCs
Uses contents of /proc filesystem to enumerate network settings.
description: File opened for reading | ioc: /proc/net/tcp | Process: szzqghtjb
Reads runtime system information 64 IoCs
description: File opened for reading (all entries) | Process: szzqghtjb
/proc/447/fd
/proc/932/fd
/proc/1083/fd
/proc/1140/fd
/proc/1224/fd
/proc/1188/fd
/proc/1240/fd
/proc/578/fd
/proc/597/fd
/proc/629/fd
/proc/807/fd
/proc/1099/fd
/proc/1085/fd
/proc/1109/fd
/proc/1606/fd
/proc/645/fd
/proc/928/fd
/proc/935/fd
/proc/1001/fd
/proc/1056/fd
/proc/1621/fd
/proc/974/fd
/proc/1006/fd
/proc/1081/fd
/proc/1615/fd
/proc/1624/fd
/proc/651/fd
/proc/442/fd
/proc/688/fd
/proc/1630/fd
/proc/455/fd
/proc/623/fd
/proc/1044/fd
/proc/1082/fd
/proc/1162/fd
/proc/269/fd
/proc/439/fd
/proc/481/fd
/proc/1603/fd
/proc/meminfo
/proc/1/fd
/proc/533/fd
/proc/781/fd
/proc/1040/fd
/proc/394/fd
/proc/955/fd
/proc/1612/fd
/proc/582/fd
/proc/760/fd
/proc/805/fd
/proc/927/fd
/proc/1080/fd
/proc/649/fd
/proc/1036/fd
/proc/1079/fd
/proc/1120/fd
/proc/596/fd
/proc/973/fd
/proc/1356/fd
/proc/692/fd
/proc/1629/fd
/proc/897/fd
/proc/1005/fd
/proc/1121/fd
Writes file to shm directory 2 IoCs
Malware can drop files in /dev/shm, a tmpfs held in RAM, so that they can be run from memory without leaving an on-disk copy.
description: File opened for modification | ioc: /dev/shm/sem.woiqjz | Process: szzqghtjb
description: File opened for modification | ioc: /dev/shm/sem.Y5oogb | Process: szzqghtjb
Both IoCs use the sem.<name> form that glibc gives POSIX named semaphores created with sem_open(3), so they are semaphore objects rather than executable payloads.
Processes

/usr/bin/szzqghtjb
- Executes dropped EXE
- Creates/modifies Cron job
- Enumerates active TCP sockets
- Modifies init.d
- Write file to user bin folder
- Reads system network configuration
- Reads runtime system information
- Writes file to shm directory
PID: 1412
-
/usr/bin/wrvcpbgvgtf -d 1413
- Deletes itself
PID: 1419
-
/usr/bin/cldvsrsles -d 1413
- Deletes itself
PID: 1417
-
/usr/bin/caqrmlhjmr -d 1413
- Deletes itself
PID: 1423
-
/usr/bin/wcgsgrtekrgasn -d 1413
- Deletes itself
PID: 1425
-
/usr/bin/agefkfvbrii -d 1413
- Deletes itself
PID: 1429
-
/usr/bin/xcceygnqmemr -d 1413
- Deletes itself
PID: 1477
-
/usr/bin/fzrzmoz -d 1413
- Deletes itself
PID: 1480
-
/usr/bin/vggabkrku -d 1413
- Deletes itself
PID: 1483
-
/usr/bin/hwxnufanuhbny -d 1413
- Deletes itself
PID: 1486
-
/usr/bin/mrfbhgvcm -d 1413
- Deletes itself
PID: 1489
-
/usr/bin/zsuetcm -d 1413
- Deletes itself
PID: 1496
-
/usr/bin/worfre -d 1413
- Deletes itself
PID: 1494
-
/usr/bin/eavjojeprxywow -d 1413
- Deletes itself
PID: 1500
-
/usr/bin/luoeaiifhdao -d 1413
- Deletes itself
PID: 1502
-
/usr/bin/eankbitrtail -d 1413
- Deletes itself
PID: 1506
-
/usr/bin/jsiurrfh -d 1413
- Deletes itself
PID: 1515
-
/usr/bin/ogptgdpmgfxhps -d 1413
- Deletes itself
PID: 1513
-
/usr/bin/pgwrlxzbeqwm -d 1413
- Deletes itself
PID: 1519
-
/usr/bin/mzatyjisl -d 1413
- Deletes itself
PID: 1522
-
/usr/bin/ntngmtn -d 1413
- Deletes itself
PID: 1525
-
/usr/bin/aovboqzz -d 1413
- Deletes itself
PID: 1528
-
/usr/bin/ppfxrsjkdjyylp -d 1413
- Deletes itself
PID: 1533
-
/usr/bin/skshgfnuabem -d 1413
- Deletes itself
PID: 1531
-
/usr/bin/mqogbgnjobdoe -d 1413
- Deletes itself
PID: 1537
-
/usr/bin/bczqkwkehwhs -d 1413
- Deletes itself
PID: 1539
-
/usr/bin/fflvucl -d 1413
- Deletes itself
PID: 1543
-
/usr/bin/fsqoitrwxdzzcs -d 1413
- Deletes itself
PID: 1546
-
/usr/bin/acnjyucubj -d 1413
- Deletes itself
PID: 1549
-
/usr/bin/ydmmerewhopa -d 1413
- Deletes itself
PID: 1552
-
/usr/bin/memniezlgo -d 1413
- Deletes itself
PID: 1555
-
/usr/bin/rnfnwtex -d 1413
- Deletes itself
PID: 1558
-
/usr/bin/sdrglvhwbvthg -d 1413
- Deletes itself
PID: 1561
-
/usr/bin/kvbuiprjigoyfj -d 1413
- Deletes itself
PID: 1564
-
/usr/bin/coxhgfsbmrfh -d 1413
- Deletes itself
PID: 1567
-
/usr/bin/oqfyljvvaoeiw -d 1413
- Deletes itself
PID: 1570
-
/usr/bin/bbyikm -d 1413
- Deletes itself
PID: 1590
-
/usr/bin/crxncskciql -d 1413
- Deletes itself
PID: 1593
-
/usr/bin/kvgpilj -d 1413
- Deletes itself
PID: 1596
-
/usr/bin/aijhlmftxtq -d 1413
- Deletes itself
PID: 1599
-
/usr/bin/mnpphzrrscv -d 1413
- Deletes itself
PID: 1602
-
/usr/bin/yduirddrnmyz -d 1413
- Deletes itself
PID: 1605
-
/usr/bin/fsyykzkz -d 1413
- Deletes itself
PID: 1608
-
/usr/bin/ziqrzkvvo -d 1413
- Deletes itself
PID: 1611
-
/usr/bin/aiernhibvicunw -d 1413
- Deletes itself
PID: 1614
-
/usr/bin/lhuygkzp -d 1413
- Deletes itself
PID: 1617
-
/usr/bin/sqmolblojpfz -d 1413
- Deletes itself
PID: 1620
-
/usr/bin/qcwyeqoanbjhz -d 1413
- Deletes itself
PID: 1623
-
/usr/bin/jtbvkiwl -d 1413
- Deletes itself
PID: 1628
-
/usr/bin/rzhwrxih -d 1413
- Deletes itself
PID: 1626
-
/usr/bin/yhzezn -d 1413
- Deletes itself
PID: 1632
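The process tree above is the report's most useful detection signal: one binary in /usr/bin writes dozens of random-named copies into /usr/bin, launches each with "-d <pid>" and each copy deletes itself, while the parent also writes to /etc/cron.hourly, /etc/init.d and /dev/shm and sends DNS traffic to a server other than the configured resolver. The following is an added example, not part of the sandbox report and not XorDDoS code: it turns those signatures into checks over a stream of host events. EVENTS is constructed from the report (a subset of the 50 children plus two benign records); the event schema and the configured resolver 10.0.2.3 are this example's own assumptions. The cron check is generalised beyond the single cron.hourly hit to the other standard cron directories.

```python
"""Heuristics for the dropper behaviour in this report's process tree (added example)."""
import re
from collections import defaultdict

# Constructed from the report's process tree and IoC tables; schema is the example's own.
EVENTS = [
    {"type": "exec", "pid": 1412, "ppid": 1, "path": "/usr/bin/szzqghtjb",
     "cmdline": "/usr/bin/szzqghtjb"},
    {"type": "write", "pid": 1412, "path": "/usr/bin/wrvcpbgvgtf"},
    {"type": "exec", "pid": 1419, "ppid": 1412, "path": "/usr/bin/wrvcpbgvgtf",
     "cmdline": "/usr/bin/wrvcpbgvgtf -d 1413"},
    {"type": "write", "pid": 1412, "path": "/usr/bin/cldvsrsles"},
    {"type": "exec", "pid": 1417, "ppid": 1412, "path": "/usr/bin/cldvsrsles",
     "cmdline": "/usr/bin/cldvsrsles -d 1413"},
    {"type": "write", "pid": 1412, "path": "/usr/bin/caqrmlhjmr"},
    {"type": "exec", "pid": 1423, "ppid": 1412, "path": "/usr/bin/caqrmlhjmr",
     "cmdline": "/usr/bin/caqrmlhjmr -d 1413"},
    {"type": "write", "pid": 1412, "path": "/etc/cron.hourly/bjthgqzzs.sh"},
    {"type": "write", "pid": 1412, "path": "/etc/init.d/bjthgqzzs"},
    {"type": "write", "pid": 1412, "path": "/dev/shm/sem.woiqjz"},
    {"type": "dns", "pid": 1412, "dst": "114.114.114.114"},
    # Benign noise (constructed): a package update and a lookup via the configured resolver.
    {"type": "exec", "pid": 900, "ppid": 1, "path": "/usr/bin/apt-get",
     "cmdline": "/usr/bin/apt-get update"},
    {"type": "dns", "pid": 900, "dst": "10.0.2.3"},
]
CONFIGURED_RESOLVERS = frozenset({"10.0.2.3"})   # assumed for the example, not from the report

# Launch pattern of every dropped child in the report: "<path in /usr/bin> -d <pid>".
DAEMON_LAUNCH = re.compile(r"^(/usr/bin/[a-z]+) -d (\d+)$")
# Generalised beyond the report's single cron.hourly hit to the other cron drop-in directories.
CRON_DIRS = ("/etc/cron.hourly/", "/etc/cron.daily/", "/etc/cron.d/")


def detect_xorddos(events, resolvers, min_children=3):
    """Return a list of findings, each {"rule", "pid", "detail"}."""
    findings = []
    written = defaultdict(set)     # pid -> paths that pid opened for modification
    launched = defaultdict(list)   # ppid -> [(child path, -d argument)]
    for e in events:
        if e["type"] == "write":
            written[e["pid"]].add(e["path"])
        elif e["type"] == "exec":
            m = DAEMON_LAUNCH.match(e["cmdline"])
            if m and m.group(1) == e["path"]:
                launched[e["ppid"]].append((e["path"], m.group(2)))

    # Rule 1: a parent runs several binaries it wrote itself, all with the same -d value.
    for ppid, kids in launched.items():
        dropped = {p for p, _ in kids} & written[ppid]
        args = {a for _, a in kids}
        if len(dropped) >= min_children and len(args) == 1:
            findings.append({"rule": "dropper_fanout", "pid": ppid,
                             "detail": f"{len(dropped)} self-written /usr/bin binaries "
                                       f"run with -d {next(iter(args))}"})

    # Rules 2-5: cron and init.d persistence, /dev/shm drops, DNS to an unexpected server.
    for e in events:
        if e["type"] == "write":
            p = e["path"]
            if p.startswith(CRON_DIRS):
                findings.append({"rule": "cron_persistence", "pid": e["pid"], "detail": p})
            elif p.startswith("/etc/init.d/"):
                findings.append({"rule": "initd_persistence", "pid": e["pid"], "detail": p})
            elif p.startswith("/dev/shm/"):
                findings.append({"rule": "shm_drop", "pid": e["pid"], "detail": p})
        elif e["type"] == "dns" and e["dst"] not in resolvers:
            findings.append({"rule": "rogue_resolver", "pid": e["pid"], "detail": e["dst"]})
    return findings


if __name__ == "__main__":
    for f in detect_xorddos(EVENTS, CONFIGURED_RESOLVERS):
        print(f"[{f['rule']}] pid {f['pid']}: {f['detail']}")
```

The fan-out rule is the one that separates this family from ordinary package installs: a legitimate installer also writes into /usr/bin, but it does not then execute each file it wrote with an identical "-d <pid>" argument. Feeding the same records from auditd or an eBPF exec/open tracer gives the same findings on a live host.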
MITRE ATT&CK Enterprise v15
Persistence
- Boot or Logon Autostart Execution (1)
- Boot or Logon Initialization Scripts (1): RC Scripts (1)
- Scheduled Task/Job (1): Cron (1)
Privilege Escalation
- Boot or Logon Autostart Execution (1)
- Boot or Logon Initialization Scripts (1): RC Scripts (1)
- Scheduled Task/Job (1): Cron (1)
Downloads

Filesize: 16B
MD5: 076933ff9904d1110d896e2c525e39e5
SHA1: 4188442577fa77f25820d9b2d01cc446e30684ac
SHA256: 4cbbd8ca5215b8d161aec181a74b694f4e24b001d5b081dc0030ed797a8973e0
SHA512: 6fcee9a7b7a7b821d241c03c82377928bc6882e7a08c78a4221199bfa220cdc55212273018ee613317c8293bb8d1ce08d1e017508e94e06ab85a734c99c7cc34

Filesize: 158B
MD5: e3916e9ee1cc2551f392c530e34aeecf
SHA1: fc54ad4557c196043823ad2df7b1be270b4cca7d
SHA256: eea8a72125f027ed09c1c104472544d238bccb53b24607df2306e70dfc084dcd
SHA512: 2169b7c4d108515dafd43e7c474de11d3677df5f8640592ad4cf2824968f8e69aa81849a870936a98f26ce32a88477fb87fe759874eb1aad735015b30a1de9cd

Filesize: 32B
MD5: c9366819b613573366f5154d5991d33b
SHA1: 3f193b43d04ffa5278310539d2d463fd0b634772
SHA256: 085ba0af5e571165d0ca51be6e3f07303f36914b7466c24616afe93597a81e8e
SHA512: 2fc6d807f43b38294f9b9edd4e62bc732852fd13200ccf5a0ec55dd66f745009e71ef6eb32e1fa784eed0501f658cf15cd671c7719be9e007be8cb5197b9cf6c

Filesize: 341B
MD5: 8b539944daa5e2078eafd6268d75600d
SHA1: c4f29412995e85941bef2d9d798edb179d232d07
SHA256: 10d0af234386451b1a3c2d17c4ad845bc19aa2d61d32e89b379f810bb44edff1
SHA512: 561bcaf446f98ea5e65702161f81ee98406fa7d1515468dbb6fa6c82d2013e7052af9a8f9004dbc8642a5b36b82116a8af42bbab52d46540803b3c813051de93

Filesize: 549KB (same size as the submitted sample, but different hashes)
MD5: 77be4eab12e093417b6c335067ece66e
SHA1: 305c73db222e2a8e2ec2355834d4a6cce4b62c96
SHA256: 73a0aeb60060a951581f5bcaaaf18c0f6816a3745ac32558758ab79348b81332
SHA512: ab6d3dd1ca042f583f069c8897167005159be0a46813ea8539a7b9a6179164e899b7deb1aad3faaa1d053fdb4c9afbd9a62c3115f6617e4300bdf43dc12a9842