Analysis

  • max time kernel
    149s
  • max time network
    150s
  • platform
    ubuntu-24.04_amd64
  • resource
    ubuntu2404-amd64-20240523-en
  • resource tags
    arch:amd64, arch:i386, image:ubuntu2404-amd64-20240523-en, kernel:6.8.0-31-generic, locale:en-us, os:ubuntu-24.04-amd64, system
  • submitted
    08-02-2025 07:10

General

  • Target

    cvckxesujqpz.elf

  • Size

    549KB

  • MD5

    27e7ff9211cfa5cfa709a199363cddfb

  • SHA1

    e26ee39502fb9da0167da2ea0ab833f263fca32f

  • SHA256

    5d94a674992e90b629b2399d37a8a749c68b5a1c4dee28c17a6624bf070a163c

  • SHA512

    383475f925bf75cd77321f388eedee0bf116ad50204bdea5800e09e164f8a6de82a71a4d1cfef3a066c03748872e252a24de80fa5b0ffb2ad972f9b0f8ee5a33

  • SSDEEP

    12288:VeRvuKqiVZ4En5drNK0pPEfJKlHZ8mG97Qxee6yzmxV:VIv/qiVNHNDEfJKHZ8mG9QeeOV

Malware Config

Extracted

Family

xorddos

C2

bb.markerbio.com:13307

bb.myserv012.com:13307

http://qq.com/lib.asp

Attributes
  • crc_polynomial

    CDB88320

  • xor.plain

Signatures

  • XorDDoS

    Botnet and downloader malware targeting Linux-based operating systems and IoT devices.

  • XorDDoS payload 1 IoCs
  • Xorddos family
  • Writes memory of remote process 2 IoCs
  • Loads a kernel module 64 IoCs

    Loads a Linux kernel module, potentially to achieve persistence

Processes

  • /tmp/cvckxesujqpz.elf
    /tmp/cvckxesujqpz.elf
    • Writes memory of remote process
    • Loads a kernel module
    PID:2434

Downloads

  • /dev/shm/sem.vG5yOv

    Filesize

    16B

    MD5

    076933ff9904d1110d896e2c525e39e5

    SHA1

    4188442577fa77f25820d9b2d01cc446e30684ac

    SHA256

    4cbbd8ca5215b8d161aec181a74b694f4e24b001d5b081dc0030ed797a8973e0

    SHA512

    6fcee9a7b7a7b821d241c03c82377928bc6882e7a08c78a4221199bfa220cdc55212273018ee613317c8293bb8d1ce08d1e017508e94e06ab85a734c99c7cc34

  • /etc/cron.hourly/fle.zpqjusexkcvc.sh

    Filesize

    153B

    MD5

    3ed91888310a35e88d32011ece30db9b

    SHA1

    9ddf2ad1aaad10a0907f05378382d3646e918abb

    SHA256

    202f0312498fb2187b44d64dce52d09af68d62d6d4b14d59f5e1a2bc2a12f5ba

    SHA512

    0a77965689140857a0076f3fedcfe3405a57e40e3ee6ace1f26738f03e9a7866c8a263b5305916f7c87154b31c2f27ee7520788149005cfc8216304abf13e07c

  • /etc/daemon.cfg

    Filesize

    32B

    MD5

    31cf512a22acd1c6446e4ee40da353bd

    SHA1

    6dee20e8a624ed132d2363b93ef9ccd194518aad

    SHA256

    e8f4ec51d57392185159a4ce935d3c49b9e85ed6fa5d4357cb2cbff6a45e9330

    SHA512

    1b51e83692c41218300cd672ac92fd173e0bcd639d59b7f79d89ded77e83b2ef7cbd45438956fbd2865fd8ecc68dd4154b55cbba75f5087e406a86fe4724c414

  • /tmp/fle.zpqjusexkcvc

    Filesize

    549KB

    MD5

    27e7ff9211cfa5cfa709a199363cddfb

    SHA1

    e26ee39502fb9da0167da2ea0ab833f263fca32f

    SHA256

    5d94a674992e90b629b2399d37a8a749c68b5a1c4dee28c17a6624bf070a163c

    SHA512

    383475f925bf75cd77321f388eedee0bf116ad50204bdea5800e09e164f8a6de82a71a4d1cfef3a066c03748872e252a24de80fa5b0ffb2ad972f9b0f8ee5a33