Analysis
-
max time kernel
149s -
max time network
151s -
platform
ubuntu-20.04_amd64 -
resource
ubuntu2004-amd64-20240611-en -
resource tags
-
submitted
08-02-2025 07:13
General
-
Target
cvckxesujqpz.elf
-
Size
549KB
-
MD5
27e7ff9211cfa5cfa709a199363cddfb
-
SHA1
e26ee39502fb9da0167da2ea0ab833f263fca32f
-
SHA256
5d94a674992e90b629b2399d37a8a749c68b5a1c4dee28c17a6624bf070a163c
-
SHA512
383475f925bf75cd77321f388eedee0bf116ad50204bdea5800e09e164f8a6de82a71a4d1cfef3a066c03748872e252a24de80fa5b0ffb2ad972f9b0f8ee5a33
-
SSDEEP
12288:VeRvuKqiVZ4En5drNK0pPEfJKlHZ8mG97Qxee6yzmxV:VIv/qiVNHNDEfJKHZ8mG9QeeOV
Malware Config
Extracted
xorddos
bb.markerbio.com:13307
bb.myserv012.com:13307
http://qq.com/lib.asp
-
crc_polynomial
CDB88320
Signatures
-
XorDDoS
Botnet and downloader malware targeting Linux-based operating systems and IoT devices.
-
XorDDoS payload 1 IoCs
-
Xorddos family
-
Deletes itself 64 IoCs
-
Executes dropped EXE 64 IoCs
-
Unexpected DNS network traffic destination 1 IoCs
Network traffic to other servers than the configured DNS servers was detected on the DNS port.
-
Creates/modifies Cron job 1 TTPs 1 IoCs
Cron allows running tasks on a schedule, and is commonly used for malware persistence.
-
Enumerates active TCP sockets 1 TTPs 1 IoCs
Gets active TCP sockets from /proc virtual filesystem.
-
Enumerates running processes
Discovers information about currently running processes on the system
-
Modifies init.d 2 TTPs 1 IoCs
Adds/modifies system service, likely for persistence.
-
Write file to user bin folder 64 IoCs
-
Reads system network configuration 1 TTPs 1 IoCs
Uses contents of /proc filesystem to enumerate network settings.
-
Reads runtime system information 64 IoCs
Reads data from /proc virtual filesystem.
-
Writes file to shm directory 2 IoCs
Malware can drop malicious files in the shm directory which will run directly from RAM.
-
Writes file to tmp directory 2 IoCs
Malware often drops required files in the /tmp directory.
Processes
-
/usr/bin/octzayhrosx/usr/bin/octzayhrosx -d 13831⤵
- Deletes itself
-
/usr/bin/gfdfmmq/usr/bin/gfdfmmq -d 13831⤵
- Deletes itself
-
/usr/bin/ruzytccgow/usr/bin/ruzytccgow -d 13831⤵
- Deletes itself
-
/usr/bin/vpqdraznhqhmx/usr/bin/vpqdraznhqhmx -d 13831⤵
- Deletes itself
-
/usr/bin/scbgvjxrjwl/usr/bin/scbgvjxrjwl -d 13831⤵
- Deletes itself
-
/usr/bin/atbxqyoibgi/usr/bin/atbxqyoibgi -d 13831⤵
- Deletes itself
-
/usr/bin/trtcfsrxus/usr/bin/trtcfsrxus -d 13831⤵
- Deletes itself
-
/usr/bin/rddjozub/usr/bin/rddjozub -d 13831⤵
- Deletes itself
-
/usr/bin/pcbfdppg/usr/bin/pcbfdppg -d 13831⤵
- Deletes itself
-
/usr/bin/xjroettwkt/usr/bin/xjroettwkt -d 13831⤵
- Deletes itself
-
/usr/bin/xkictw/usr/bin/xkictw -d 13831⤵
- Deletes itself
-
/usr/bin/pygechlfwaou/usr/bin/pygechlfwaou -d 13831⤵
- Deletes itself
-
/usr/bin/xlndeibrbtva/usr/bin/xlndeibrbtva -d 13831⤵
- Deletes itself
-
/usr/bin/fdychncntew/usr/bin/fdychncntew -d 13831⤵
- Deletes itself
-
/usr/bin/mseaodzzsegb/usr/bin/mseaodzzsegb -d 13831⤵
- Deletes itself
-
/usr/bin/yufeak/usr/bin/yufeak -d 13831⤵
- Deletes itself
-
/usr/bin/ersiglocsawycl/usr/bin/ersiglocsawycl -d 13831⤵
- Deletes itself
-
/usr/bin/dkwjsxopcpmj/usr/bin/dkwjsxopcpmj -d 13831⤵
- Deletes itself
-
/usr/bin/otzuktcqfq/usr/bin/otzuktcqfq -d 13831⤵
- Deletes itself
-
/usr/bin/ztqxxbz/usr/bin/ztqxxbz -d 13831⤵
- Deletes itself
-
/usr/bin/owkgvbyzskin/usr/bin/owkgvbyzskin -d 13831⤵
- Deletes itself
-
/usr/bin/bosliwdpmxofo/usr/bin/bosliwdpmxofo -d 13831⤵
- Deletes itself
-
/usr/bin/dpngdl/usr/bin/dpngdl -d 13831⤵
- Deletes itself
-
/usr/bin/kgvignuqcusr/usr/bin/kgvignuqcusr -d 13831⤵
- Deletes itself
-
/usr/bin/fbkjqw/usr/bin/fbkjqw -d 13831⤵
- Deletes itself
-
/usr/bin/gewrjm/usr/bin/gewrjm -d 13831⤵
- Deletes itself
-
/usr/bin/rrrjdahniwh/usr/bin/rrrjdahniwh -d 13831⤵
- Deletes itself
-
/usr/bin/zbqsrytb/usr/bin/zbqsrytb -d 13831⤵
- Deletes itself
-
/usr/bin/jappgmipapgt/usr/bin/jappgmipapgt -d 13831⤵
- Deletes itself
-
/usr/bin/rxkaksxutwxl/usr/bin/rxkaksxutwxl -d 13831⤵
- Deletes itself
-
/usr/bin/hsqssi/usr/bin/hsqssi -d 13831⤵
- Deletes itself
-
/usr/bin/yutpwkvptpmdp/usr/bin/yutpwkvptpmdp -d 13831⤵
- Deletes itself
-
/usr/bin/ymtrkqey/usr/bin/ymtrkqey -d 13831⤵
- Deletes itself
-
/usr/bin/ohagbuomtkgig/usr/bin/ohagbuomtkgig -d 13831⤵
- Deletes itself
-
/usr/bin/gylxkr/usr/bin/gylxkr -d 13831⤵
- Deletes itself
-
/usr/bin/lpbeinxoog/usr/bin/lpbeinxoog -d 13831⤵
- Deletes itself
-
/usr/bin/vglzbb/usr/bin/vglzbb -d 13831⤵
- Deletes itself
-
/usr/bin/worgwk/usr/bin/worgwk -d 13831⤵
- Deletes itself
-
/usr/bin/uvnfmcsdf/usr/bin/uvnfmcsdf -d 13831⤵
- Deletes itself
-
/usr/bin/nswcgcg/usr/bin/nswcgcg -d 13831⤵
- Deletes itself
-
/usr/bin/lrdoto/usr/bin/lrdoto -d 13831⤵
- Deletes itself
-
/usr/bin/jiufujarwh/usr/bin/jiufujarwh -d 13831⤵
- Deletes itself
-
/usr/bin/yzjdyxwubezh/usr/bin/yzjdyxwubezh -d 13831⤵
- Deletes itself
-
/usr/bin/mzlcucod/usr/bin/mzlcucod -d 13831⤵
- Deletes itself
-
/usr/bin/iigtixq/usr/bin/iigtixq -d 13831⤵
- Deletes itself
-
/usr/bin/dqrpwpou/usr/bin/dqrpwpou -d 13831⤵
- Deletes itself
-
/usr/bin/pylwhzxsbtw/usr/bin/pylwhzxsbtw -d 13831⤵
- Deletes itself
-
/usr/bin/yibjovtonltfci/usr/bin/yibjovtonltfci -d 13831⤵
- Deletes itself
-
/usr/bin/rwvdnuqmdrlxu/usr/bin/rwvdnuqmdrlxu -d 13831⤵
- Deletes itself
-
/usr/bin/uldcnotkihxtae/usr/bin/uldcnotkihxtae -d 13831⤵
- Deletes itself
-
/usr/bin/jgohduvxkj/usr/bin/jgohduvxkj -d 13831⤵
- Deletes itself
-
/usr/bin/euayzu/usr/bin/euayzu -d 13831⤵
- Deletes itself
-
/usr/bin/fwbtpl/usr/bin/fwbtpl -d 13831⤵
- Deletes itself
-
/usr/bin/ykwbor/usr/bin/ykwbor -d 13831⤵
- Deletes itself
-
/usr/bin/ugtyaqxmzcq/usr/bin/ugtyaqxmzcq -d 13831⤵
- Deletes itself
-
/usr/bin/crvwda/usr/bin/crvwda -d 13831⤵
- Deletes itself
-
/usr/bin/ewmpzmbwn/usr/bin/ewmpzmbwn -d 13831⤵
- Deletes itself
-
/usr/bin/pzmxtmzll/usr/bin/pzmxtmzll -d 13831⤵
- Deletes itself
-
/usr/bin/lnehrvcnafkedy/usr/bin/lnehrvcnafkedy -d 13831⤵
- Deletes itself
-
/usr/bin/ekwayoszaps/usr/bin/ekwayoszaps -d 13831⤵
- Deletes itself
-
/usr/bin/bftpjaiheyjl/usr/bin/bftpjaiheyjl -d 13831⤵
- Deletes itself
-
/usr/bin/oqijvsgxswps/usr/bin/oqijvsgxswps -d 13831⤵
- Deletes itself
-
/usr/bin/hmmysndneonnxu/usr/bin/hmmysndneonnxu -d 13831⤵
- Deletes itself
-
/usr/bin/hhvxydgvxosq/usr/bin/hhvxydgvxosq -d 13831⤵
- Deletes itself
-
/usr/bin/kkitwwtrmyeqmu/usr/bin/kkitwwtrmyeqmu -d 13831⤵
-
/usr/bin/mosvxpsvsass/usr/bin/mosvxpsvsass -d 13831⤵
-
/usr/bin/lidxsmqqk/usr/bin/lidxsmqqk -d 13831⤵
-
/usr/bin/jwhopviwjyp/usr/bin/jwhopviwjyp -d 13831⤵
-
/usr/bin/veytzblruybx/usr/bin/veytzblruybx -d 13831⤵
-
/usr/bin/vlnnwyx/usr/bin/vlnnwyx -d 13831⤵
-
/usr/bin/hljdvg/usr/bin/hljdvg -d 13831⤵
-
/usr/bin/vxvsdvlcwzv/usr/bin/vxvsdvlcwzv -d 13831⤵
-
/usr/bin/zyqxvdkj/usr/bin/zyqxvdkj -d 13831⤵
-
/usr/bin/liwsvfxslmn/usr/bin/liwsvfxslmn -d 13831⤵
-
/usr/bin/hfoetqbuovtolq/usr/bin/hfoetqbuovtolq -d 13831⤵
-
/usr/bin/rdxsof/usr/bin/rdxsof -d 13831⤵
-
/usr/bin/gcuguhshsbogf/usr/bin/gcuguhshsbogf -d 13831⤵
-
/usr/bin/yiboexf/usr/bin/yiboexf -d 13831⤵
-
/usr/bin/prisod/usr/bin/prisod -d 13831⤵
-
/usr/bin/vrpxnxrxp/usr/bin/vrpxnxrxp -d 13831⤵
-
/usr/bin/psoxzwviz/usr/bin/psoxzwviz -d 13831⤵
-
/usr/bin/oyrfokqgytptm/usr/bin/oyrfokqgytptm -d 13831⤵
-
/usr/bin/sadjxujoo/usr/bin/sadjxujoo -d 13831⤵
-
/usr/bin/lnvivxwjvnrlx/usr/bin/lnvivxwjvnrlx -d 13831⤵
-
/usr/bin/sxcjsorkqwvnq/usr/bin/sxcjsorkqwvnq -d 13831⤵
-
/usr/bin/bgeotbxr/usr/bin/bgeotbxr -d 13831⤵
-
/usr/bin/tcyjtjicb/usr/bin/tcyjtjicb -d 13831⤵
-
/usr/bin/gmaxdnn/usr/bin/gmaxdnn -d 13831⤵
-
/usr/bin/ibrpexvtrysi/usr/bin/ibrpexvtrysi -d 13831⤵
-
/usr/bin/nkxygghkk/usr/bin/nkxygghkk -d 13831⤵
-
/usr/bin/rqceddpg/usr/bin/rqceddpg -d 13831⤵
-
/usr/bin/ensbilzcv/usr/bin/ensbilzcv -d 13831⤵
-
/usr/bin/rixqogz/usr/bin/rixqogz -d 13831⤵
-
/usr/bin/sqtqjluor/usr/bin/sqtqjluor -d 13831⤵
-
/usr/bin/fxtjmnkwblywkq/usr/bin/fxtjmnkwblywkq -d 13831⤵
-
/usr/bin/jguphxjxqageuw/usr/bin/jguphxjxqageuw -d 13831⤵
-
/usr/bin/sdunmh/usr/bin/sdunmh -d 13831⤵
-
/usr/bin/ydekeawuhhcbx/usr/bin/ydekeawuhhcbx -d 13831⤵
-
/usr/bin/agitiqx/usr/bin/agitiqx -d 13831⤵
-
/usr/bin/psxsmnhvqhbu/usr/bin/psxsmnhvqhbu -d 13831⤵
-
/usr/bin/fwpzdxdhwoheya/usr/bin/fwpzdxdhwoheya -d 13831⤵
-
/usr/bin/ozufrrygghdw/usr/bin/ozufrrygghdw -d 13831⤵
-
/usr/bin/esijpzksypzwdj/usr/bin/esijpzksypzwdj -d 13831⤵
-
/usr/bin/blsslmxefxk/usr/bin/blsslmxefxk -d 13831⤵
-
/usr/bin/gqivudfgsgskhi/usr/bin/gqivudfgsgskhi -d 13831⤵
-
/usr/bin/dnxiriajtmgaug/usr/bin/dnxiriajtmgaug -d 13831⤵
-
/usr/bin/gmcqjx/usr/bin/gmcqjx -d 13831⤵
-
/usr/bin/oflxzyejm/usr/bin/oflxzyejm -d 13831⤵
-
/usr/bin/zjsqtuzpjhpd/usr/bin/zjsqtuzpjhpd -d 13831⤵
-
/usr/bin/bjcebldvckib/usr/bin/bjcebldvckib -d 13831⤵
-
/usr/bin/ifvuqufik/usr/bin/ifvuqufik -d 13831⤵
-
/usr/bin/fjoosfrig/usr/bin/fjoosfrig -d 13831⤵
-
/usr/bin/kkdxpabzlclt/usr/bin/kkdxpabzlclt -d 13831⤵
-
/usr/bin/goaavkkupvkdnp/usr/bin/goaavkkupvkdnp -d 13831⤵
-
/usr/bin/xyahigh/usr/bin/xyahigh -d 13831⤵
-
/usr/bin/giztlmnusdwu/usr/bin/giztlmnusdwu -d 13831⤵
-
/usr/bin/hgvybfcrxa/usr/bin/hgvybfcrxa -d 13831⤵
-
/usr/bin/vbyfhffpph/usr/bin/vbyfhffpph -d 13831⤵
-
/usr/bin/ctyzobvibepwds/usr/bin/ctyzobvibepwds -d 13831⤵
-
/usr/bin/hlzhcwkab/usr/bin/hlzhcwkab -d 13831⤵
-
/usr/bin/hhlyqwbjua/usr/bin/hhlyqwbjua -d 13831⤵
-
/usr/bin/xviyaxvdrzmda/usr/bin/xviyaxvdrzmda -d 13831⤵
-
/usr/bin/fwghzzqikoy/usr/bin/fwghzzqikoy -d 13831⤵
-
/usr/bin/pkcrjznrap/usr/bin/pkcrjznrap -d 13831⤵
-
/usr/bin/xuiygnybswhbvh/usr/bin/xuiygnybswhbvh -d 13831⤵
-
/usr/bin/heazqc/usr/bin/heazqc -d 13831⤵
-
/usr/bin/aeftewkb/usr/bin/aeftewkb -d 13831⤵
-
/usr/bin/sbahzczxlc/usr/bin/sbahzczxlc -d 13831⤵
-
/usr/bin/svamehofxqyzu/usr/bin/svamehofxqyzu -d 13831⤵
-
/usr/bin/tacddw/usr/bin/tacddw -d 13831⤵
-
/usr/bin/exefzfc/usr/bin/exefzfc -d 13831⤵
-
/usr/bin/jxfezti/usr/bin/jxfezti -d 13831⤵
-
/usr/bin/hogzmfwryw/usr/bin/hogzmfwryw -d 13831⤵
-
/usr/bin/dascerikspoe/usr/bin/dascerikspoe -d 13831⤵
-
/usr/bin/njcnenvld/usr/bin/njcnenvld -d 13831⤵
-
/usr/bin/lrhhkhfinfarmt/usr/bin/lrhhkhfinfarmt -d 13831⤵
-
/usr/bin/ylpopocbspfhk/usr/bin/ylpopocbspfhk -d 13831⤵
-
/usr/bin/koedxn/usr/bin/koedxn -d 13831⤵
-
/usr/bin/euwtaylor/usr/bin/euwtaylor -d 13831⤵
-
/usr/bin/oecctsgulxas/usr/bin/oecctsgulxas -d 13831⤵
Network
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
1Boot or Logon Initialization Scripts
1RC Scripts
1Scheduled Task/Job
1Cron
1Privilege Escalation
Boot or Logon Autostart Execution
1Boot or Logon Initialization Scripts
1RC Scripts
1Scheduled Task/Job
1Cron
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
16B
MD5076933ff9904d1110d896e2c525e39e5
SHA14188442577fa77f25820d9b2d01cc446e30684ac
SHA2564cbbd8ca5215b8d161aec181a74b694f4e24b001d5b081dc0030ed797a8973e0
SHA5126fcee9a7b7a7b821d241c03c82377928bc6882e7a08c78a4221199bfa220cdc55212273018ee613317c8293bb8d1ce08d1e017508e94e06ab85a734c99c7cc34
-
Filesize
153B
MD5ffd55bdea52fbccc6462dcbb835c93d1
SHA1a2af696e5662915ebe06ab4543b8687f3a3748d8
SHA256e0516de8d19849a5a57aa8ad98ed9024577b5eae28e4d535527bcab875565f73
SHA512111ce2421312f00f6a6932552ef0b78167504fc8e7295b48a4bc0c4ea508dbb05f0db69692836bbd2f9af0a73e2637ae17677e0a1f53cc06fce052eeadac1310
-
Filesize
32B
MD585a5c81c0c8de5143f2ac505ecad9e2d
SHA1e42d9d5405d3dc041e28f40c087d477fe2a4a1eb
SHA256435eb940451ff4c0de6db4aa2c7915f605034ee4f87517464419868640b834e9
SHA512762c613ed515c8d1d61471636e1d340bdcf9fc1aa3ae482e1f19edb2ab00d3852cc0ebf6f45adcff002bdc27eb4ba78965dc025bdfdf80d066d8fad01bb8be3f
-
Filesize
368B
MD51f024cdc3f07bc55a8b512bfa3e14b73
SHA138430538a5c6e4bab4dfd98602b92464f58a523a
SHA2566316409486fcff50b3de98851ca8d5a97b2d0a8ed3fe343ae9d93d77fd902d13
SHA512eface1feec1d0cbae2bc79226693502eeee904037563e3046c83c88c0abbae8862d27d6b7e58e93c35f95097bc3692a29cc25e3e8ac4d8b0fc526b4fbb161864
-
Filesize
549KB
MD527e7ff9211cfa5cfa709a199363cddfb
SHA1e26ee39502fb9da0167da2ea0ab833f263fca32f
SHA2565d94a674992e90b629b2399d37a8a749c68b5a1c4dee28c17a6624bf070a163c
SHA512383475f925bf75cd77321f388eedee0bf116ad50204bdea5800e09e164f8a6de82a71a4d1cfef3a066c03748872e252a24de80fa5b0ffb2ad972f9b0f8ee5a33