Analysis

  • max time kernel: 43s
  • max time network: 45s
  • platform: ubuntu-20.04_amd64
  • resource: ubuntu2004-amd64-20240508-en
  • resource tags: arch:amd64, arch:i386, image:ubuntu2004-amd64-20240508-en, kernel:5.4.0-169-generic, locale:en-us, os:ubuntu-20.04-amd64, system
  • submitted: 26-01-2025 22:39

General

  • Target: 112s
  • Size: 549KB
  • MD5: f9191bab1e834d4aef3380700639cee9
  • SHA1: 9c20269df6694260a24ac783de2e30d627a6928a
  • SHA256: ea40ecec0b30982fbb1662e67f97f0e9d6f43d2d587f2f588525fae683abea73
  • SHA512: 3d2758fe2d06183e627b5cc24919c08c84108f2efd7ab0a162029d55537476410d9535d50f3eb059f7153f7482c134284862eea121201f82838aace4b12283b5
  • SSDEEP: 12288:VeRvuKqiVZ4En5drNK0pPEfJKlHZ8mG97Qxee6yzmx:VIv/qiVNHNDEfJKHZ8mG9QeeO

Malware Config

Extracted

  • Family: xorddos
  • C2:
    api.markerbio.com:112
    api.enoan2107.com:112
    http://qq.com/lib.asp
  • Attributes:
    crc_polynomial: CDB88320
    xor.plain

Signatures

  • XorDDoS
    Botnet and downloader malware targeting Linux-based operating systems and IoT devices.
  • XorDDoS payload (1 IoCs)
  • Xorddos family
  • Deletes itself (51 IoCs)
  • Executes dropped EXE (51 IoCs)
  • Unexpected DNS network traffic destination (1 IoCs)
    Network traffic to other servers than the configured DNS servers was detected on the DNS port.
  • Creates/modifies Cron job (1 TTPs, 1 IoCs)
    Cron allows running tasks on a schedule, and is commonly used for malware persistence.
  • Enumerates active TCP sockets (1 TTPs, 1 IoCs)
    Gets active TCP sockets from the /proc virtual filesystem.
  • Enumerates running processes
    Discovers information about currently running processes on the system.
  • Modifies init.d (2 TTPs, 1 IoCs)
    Adds/modifies a system service, likely for persistence.
  • Write file to user bin folder (53 IoCs)
  • Reads system network configuration (1 TTPs, 1 IoCs)
    Uses contents of the /proc filesystem to enumerate network settings.
  • Reads runtime system information (64 IoCs)
    Reads data from the /proc virtual filesystem.
  • Writes file to shm directory (2 IoCs)
    Malware can drop malicious files in the shm directory, which will run directly from RAM.

Processes

  • /usr/bin/szzqghtjb (PID 1412)
    Command: /usr/bin/szzqghtjb
    Signatures: Executes dropped EXE, Creates/modifies Cron job, Enumerates active TCP sockets, Modifies init.d, Write file to user bin folder, Reads system network configuration, Reads runtime system information, Writes file to shm directory
  • /usr/bin/wrvcpbgvgtf (PID 1419): /usr/bin/wrvcpbgvgtf -d 1413; Deletes itself
  • /usr/bin/cldvsrsles (PID 1417): /usr/bin/cldvsrsles -d 1413; Deletes itself
  • /usr/bin/caqrmlhjmr (PID 1423): /usr/bin/caqrmlhjmr -d 1413; Deletes itself
  • /usr/bin/wcgsgrtekrgasn (PID 1425): /usr/bin/wcgsgrtekrgasn -d 1413; Deletes itself
  • /usr/bin/agefkfvbrii (PID 1429): /usr/bin/agefkfvbrii -d 1413; Deletes itself
  • /usr/bin/xcceygnqmemr (PID 1477): /usr/bin/xcceygnqmemr -d 1413; Deletes itself
  • /usr/bin/fzrzmoz (PID 1480): /usr/bin/fzrzmoz -d 1413; Deletes itself
  • /usr/bin/vggabkrku (PID 1483): /usr/bin/vggabkrku -d 1413; Deletes itself
  • /usr/bin/hwxnufanuhbny (PID 1486): /usr/bin/hwxnufanuhbny -d 1413; Deletes itself
  • /usr/bin/mrfbhgvcm (PID 1489): /usr/bin/mrfbhgvcm -d 1413; Deletes itself
  • /usr/bin/zsuetcm (PID 1496): /usr/bin/zsuetcm -d 1413; Deletes itself
  • /usr/bin/worfre (PID 1494): /usr/bin/worfre -d 1413; Deletes itself
  • /usr/bin/eavjojeprxywow (PID 1500): /usr/bin/eavjojeprxywow -d 1413; Deletes itself
  • /usr/bin/luoeaiifhdao (PID 1502): /usr/bin/luoeaiifhdao -d 1413; Deletes itself
  • /usr/bin/eankbitrtail (PID 1506): /usr/bin/eankbitrtail -d 1413; Deletes itself
  • /usr/bin/jsiurrfh (PID 1515): /usr/bin/jsiurrfh -d 1413; Deletes itself
  • /usr/bin/ogptgdpmgfxhps (PID 1513): /usr/bin/ogptgdpmgfxhps -d 1413; Deletes itself
  • /usr/bin/pgwrlxzbeqwm (PID 1519): /usr/bin/pgwrlxzbeqwm -d 1413; Deletes itself
  • /usr/bin/mzatyjisl (PID 1522): /usr/bin/mzatyjisl -d 1413; Deletes itself
  • /usr/bin/ntngmtn (PID 1525): /usr/bin/ntngmtn -d 1413; Deletes itself
  • /usr/bin/aovboqzz (PID 1528): /usr/bin/aovboqzz -d 1413; Deletes itself
  • /usr/bin/ppfxrsjkdjyylp (PID 1533): /usr/bin/ppfxrsjkdjyylp -d 1413; Deletes itself
  • /usr/bin/skshgfnuabem (PID 1531): /usr/bin/skshgfnuabem -d 1413; Deletes itself
  • /usr/bin/mqogbgnjobdoe (PID 1537): /usr/bin/mqogbgnjobdoe -d 1413; Deletes itself
  • /usr/bin/bczqkwkehwhs (PID 1539): /usr/bin/bczqkwkehwhs -d 1413; Deletes itself
  • /usr/bin/fflvucl (PID 1543): /usr/bin/fflvucl -d 1413; Deletes itself
  • /usr/bin/fsqoitrwxdzzcs (PID 1546): /usr/bin/fsqoitrwxdzzcs -d 1413; Deletes itself
  • /usr/bin/acnjyucubj (PID 1549): /usr/bin/acnjyucubj -d 1413; Deletes itself
  • /usr/bin/ydmmerewhopa (PID 1552): /usr/bin/ydmmerewhopa -d 1413; Deletes itself
  • /usr/bin/memniezlgo (PID 1555): /usr/bin/memniezlgo -d 1413; Deletes itself
  • /usr/bin/rnfnwtex (PID 1558): /usr/bin/rnfnwtex -d 1413; Deletes itself
  • /usr/bin/sdrglvhwbvthg (PID 1561): /usr/bin/sdrglvhwbvthg -d 1413; Deletes itself
  • /usr/bin/kvbuiprjigoyfj (PID 1564): /usr/bin/kvbuiprjigoyfj -d 1413; Deletes itself
  • /usr/bin/coxhgfsbmrfh (PID 1567): /usr/bin/coxhgfsbmrfh -d 1413; Deletes itself
  • /usr/bin/oqfyljvvaoeiw (PID 1570): /usr/bin/oqfyljvvaoeiw -d 1413; Deletes itself
  • /usr/bin/bbyikm (PID 1590): /usr/bin/bbyikm -d 1413; Deletes itself
  • /usr/bin/crxncskciql (PID 1593): /usr/bin/crxncskciql -d 1413; Deletes itself
  • /usr/bin/kvgpilj (PID 1596): /usr/bin/kvgpilj -d 1413; Deletes itself
  • /usr/bin/aijhlmftxtq (PID 1599): /usr/bin/aijhlmftxtq -d 1413; Deletes itself
  • /usr/bin/mnpphzrrscv (PID 1602): /usr/bin/mnpphzrrscv -d 1413; Deletes itself
  • /usr/bin/yduirddrnmyz (PID 1605): /usr/bin/yduirddrnmyz -d 1413; Deletes itself
  • /usr/bin/fsyykzkz (PID 1608): /usr/bin/fsyykzkz -d 1413; Deletes itself
  • /usr/bin/ziqrzkvvo (PID 1611): /usr/bin/ziqrzkvvo -d 1413; Deletes itself
  • /usr/bin/aiernhibvicunw (PID 1614): /usr/bin/aiernhibvicunw -d 1413; Deletes itself
  • /usr/bin/lhuygkzp (PID 1617): /usr/bin/lhuygkzp -d 1413; Deletes itself
  • /usr/bin/sqmolblojpfz (PID 1620): /usr/bin/sqmolblojpfz -d 1413; Deletes itself
  • /usr/bin/qcwyeqoanbjhz (PID 1623): /usr/bin/qcwyeqoanbjhz -d 1413; Deletes itself
  • /usr/bin/jtbvkiwl (PID 1628): /usr/bin/jtbvkiwl -d 1413; Deletes itself
  • /usr/bin/rzhwrxih (PID 1626): /usr/bin/rzhwrxih -d 1413; Deletes itself
  • /usr/bin/yhzezn (PID 1632): /usr/bin/yhzezn -d 1413; Deletes itself

Network

MITRE ATT&CK Enterprise v15

Downloads

  • /dev/shm/sem.Y5oogb
    Filesize: 16B
    MD5: 076933ff9904d1110d896e2c525e39e5
    SHA1: 4188442577fa77f25820d9b2d01cc446e30684ac
    SHA256: 4cbbd8ca5215b8d161aec181a74b694f4e24b001d5b081dc0030ed797a8973e0
    SHA512: 6fcee9a7b7a7b821d241c03c82377928bc6882e7a08c78a4221199bfa220cdc55212273018ee613317c8293bb8d1ce08d1e017508e94e06ab85a734c99c7cc34

  • /etc/cron.hourly/bjthgqzzs.sh
    Filesize: 158B
    MD5: e3916e9ee1cc2551f392c530e34aeecf
    SHA1: fc54ad4557c196043823ad2df7b1be270b4cca7d
    SHA256: eea8a72125f027ed09c1c104472544d238bccb53b24607df2306e70dfc084dcd
    SHA512: 2169b7c4d108515dafd43e7c474de11d3677df5f8640592ad4cf2824968f8e69aa81849a870936a98f26ce32a88477fb87fe759874eb1aad735015b30a1de9cd

  • /etc/daemon.cfg
    Filesize: 32B
    MD5: c9366819b613573366f5154d5991d33b
    SHA1: 3f193b43d04ffa5278310539d2d463fd0b634772
    SHA256: 085ba0af5e571165d0ca51be6e3f07303f36914b7466c24616afe93597a81e8e
    SHA512: 2fc6d807f43b38294f9b9edd4e62bc732852fd13200ccf5a0ec55dd66f745009e71ef6eb32e1fa784eed0501f658cf15cd671c7719be9e007be8cb5197b9cf6c

  • /etc/init.d/bjthgqzzs
    Filesize: 341B
    MD5: 8b539944daa5e2078eafd6268d75600d
    SHA1: c4f29412995e85941bef2d9d798edb179d232d07
    SHA256: 10d0af234386451b1a3c2d17c4ad845bc19aa2d61d32e89b379f810bb44edff1
    SHA512: 561bcaf446f98ea5e65702161f81ee98406fa7d1515468dbb6fa6c82d2013e7052af9a8f9004dbc8642a5b36b82116a8af42bbab52d46540803b3c813051de93

  • /usr/bin/szzqghtjb
    Filesize: 549KB
    MD5: 77be4eab12e093417b6c335067ece66e
    SHA1: 305c73db222e2a8e2ec2355834d4a6cce4b62c96
    SHA256: 73a0aeb60060a951581f5bcaaaf18c0f6816a3745ac32558758ab79348b81332
    SHA512: ab6d3dd1ca042f583f069c8897167005159be0a46813ea8539a7b9a6179164e899b7deb1aad3faaa1d053fdb4c9afbd9a62c3115f6617e4300bdf43dc12a9842