xorddos | 5d94a674992e90b629b2399d37a8a749c68b5a1c4dee28c17a6624bf070a163c

Analysis

max time kernel
149s
max time network
146s
platform
ubuntu-22.04_amd64
resource
ubuntu2204-amd64-20240611-en
resource tags

arch:amd64arch:i386image:ubuntu2204-amd64-20240611-enkernel:5.15.0-105-genericlocale:en-usos:ubuntu-22.04-amd64system
submitted
09-02-2025 02:27

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

5d94a674992e90b629b2399d37a8a749c68b5a1c4dee28c17a6624bf070a163c.elf
Size

549KB
MD5

27e7ff9211cfa5cfa709a199363cddfb
SHA1

e26ee39502fb9da0167da2ea0ab833f263fca32f
SHA256

5d94a674992e90b629b2399d37a8a749c68b5a1c4dee28c17a6624bf070a163c
SHA512

383475f925bf75cd77321f388eedee0bf116ad50204bdea5800e09e164f8a6de82a71a4d1cfef3a066c03748872e252a24de80fa5b0ffb2ad972f9b0f8ee5a33
SSDEEP

12288:VeRvuKqiVZ4En5drNK0pPEfJKlHZ8mG97Qxee6yzmxV:VIv/qiVNHNDEfJKHZ8mG9QeeOV

Score

10^/10

xorddos botnet discovery downloader execution persistence privilege_escalation

Malware Config

Extracted

Family

xorddos

bb.markerbio.com:13307

bb.myserv012.com:13307

http://qq.com/lib.asp

Attributes

crc_polynomial
CDB88320

xor.plain

Signatures

XorDDoS
Botnet and downloader malware targeting Linux-based operating systems and IoT devices.
botnet downloader xorddos

XorDDoS payload 1 IoCs

resource	yara_rule
behavioral1/files/fstream-3.dat	family_xorddos

Xorddos family
xorddos

Deletes itself 64 IoCs

pid	Process
1576	zzqnorptgr
1579	yglrnfiidhcv
1584	vitedmqqqqvmm
1585	bogwmmkgbp
1588	juvnraiato
1603	heyyvvmjdnz
1602	loxvuami
1607	ifzafkcbyhi
1609	hicculhjksvy
1612	sssfcen
1617	pwnmxeerwluabd
1618	pprsqbaxijzlfm
1623	quxkmplnmvyn
1624	dzdsyqgv
1627	lmryitz
1631	tnuwiumopgb
1635	zaovbcwtkxvhqk
1637	xxdrqtnmdh
1640	tygveixsdyu
1643	ugzpqrclo
1646	lfjtcbydxaxfb
1651	xusjktcrkmondt
1652	laerjxvmy
1655	laxsdmqxgbh
1658	dakrpaukqh
1661	avwwhu
1664	swwmzkc
1670	qffqifdbwdvgvf
1669	sfnobwkaqgydfi
1673	dalitvpwzmb
1678	uwbnqhagizqkpw
1679	sdsagtlqm
1684	iihwjeqhfdamgg
1685	fxjwvupbm
1688	hfcarmkbwg
1695	dgnzaeaptjuxl
1697	kvrgdgiacre
1701	poekhkrujtzli
1702	wfsivef
1705	mjuulynpadfhnm
1710	iacjnk
1711	jrytme
1716	bqkxmxwzowct
1717	shuarwcbl
1720	hxghqvlry
1723	dvpatoqq
1726	jvlssnkqqnchu
1731	pbpmojkroi
1732	pbyhttr
1735	glhuxzmkbtec
1740	rryitzqmsjdzwm
1741	huxxdh
1744	umfenalskumhs
1747	piiijtbijq
1750	utzqismuz
1755	jzebkynrqe
1756	zptiiustmsn
1759	ufqosmol
1762	ppzznote
1765	dfiwpqt
1770	lfbynvffkzrykp
1771	zorpcmvxpc
1774	orxhai
1777	biexqljpd

Executes dropped EXE 64 IoCs

ioc	pid
/usr/bin/zzqnorptgr	1575
/usr/bin/yglrnfiidhcv	1578
/usr/bin/vitedmqqqqvmm	1581
/usr/bin/bogwmmkgbp	1583
/usr/bin/juvnraiato	1587
/usr/bin/heyyvvmjdnz	1599
/usr/bin/loxvuami	1601
/usr/bin/ifzafkcbyhi	1605
/usr/bin/hicculhjksvy	1608
/usr/bin/sssfcen	1611
/usr/bin/pwnmxeerwluabd	1616
/usr/bin/pprsqbaxijzlfm	1614
/usr/bin/quxkmplnmvyn	1620
/usr/bin/dzdsyqgv	1622
/usr/bin/lmryitz	1626
/usr/bin/tnuwiumopgb	1630
/usr/bin/zaovbcwtkxvhqk	1633
/usr/bin/xxdrqtnmdh	1636
/usr/bin/tygveixsdyu	1639
/usr/bin/ugzpqrclo	1642
/usr/bin/lfjtcbydxaxfb	1645
/usr/bin/xusjktcrkmondt	1648
/usr/bin/laerjxvmy	1650
/usr/bin/laxsdmqxgbh	1654
/usr/bin/dakrpaukqh	1657
/usr/bin/avwwhu	1660
/usr/bin/swwmzkc	1663
/usr/bin/sfnobwkaqgydfi	1668
/usr/bin/qffqifdbwdvgvf	1666
/usr/bin/dalitvpwzmb	1672
/usr/bin/uwbnqhagizqkpw	1675
/usr/bin/sdsagtlqm	1677
/usr/bin/iihwjeqhfdamgg	1681
/usr/bin/fxjwvupbm	1683
/usr/bin/hfcarmkbwg	1687
/usr/bin/dgnzaeaptjuxl	1692
/usr/bin/kvrgdgiacre	1694
/usr/bin/poekhkrujtzli	1698
/usr/bin/wfsivef	1700
/usr/bin/mjuulynpadfhnm	1704
/usr/bin/iacjnk	1707
/usr/bin/jrytme	1709
/usr/bin/shuarwcbl	1715
/usr/bin/bqkxmxwzowct	1713
/usr/bin/hxghqvlry	1719
/usr/bin/dvpatoqq	1722
/usr/bin/jvlssnkqqnchu	1725
/usr/bin/pbyhttr	1730
/usr/bin/pbpmojkroi	1728
/usr/bin/glhuxzmkbtec	1734
/usr/bin/rryitzqmsjdzwm	1739
/usr/bin/huxxdh	1737
/usr/bin/umfenalskumhs	1743
/usr/bin/piiijtbijq	1746
/usr/bin/utzqismuz	1749
/usr/bin/jzebkynrqe	1752
/usr/bin/zptiiustmsn	1754
/usr/bin/ufqosmol	1758
/usr/bin/ppzznote	1761
/usr/bin/dfiwpqt	1764
/usr/bin/lfbynvffkzrykp	1767
/usr/bin/zorpcmvxpc	1769
/usr/bin/orxhai	1773
/usr/bin/biexqljpd	1776

Unexpected DNS network traffic destination 3 IoCs

Network traffic to other servers than the configured DNS servers was detected on the DNS port.

description	ioc
Destination IP	114.114.114.114
Destination IP	114.114.114.114
Destination IP	114.114.114.114

Creates/modifies Cron job 1 TTPs 1 IoCs

Cron allows running tasks on a schedule, and is commonly used for malware persistence.

execution persistence privilege_escalation

Cron

T1053.003

description	ioc
File opened for modification	/etc/cron.hourly/fle.c361a070fb4266a71c82eed4c1a5b86c947a8a73d9932b926b09e299476a49d5.sh

Enumerates active TCP sockets 1 TTPs 1 IoCs

Gets active TCP sockets from /proc virtual filesystem.

discovery

System Network Connections Discovery

T1049

description	ioc
File opened for reading	/proc/net/tcp

Enumerates running processes
Discovers information about currently running processes on the system

Modifies init.d 2 TTPs 1 IoCs

Adds/modifies system service, likely for persistence.

persistence

Boot or Logon Autostart Execution

T1547

RC Scripts

T1037.004

description	ioc
File opened for modification	/etc/init.d/fle.c361a070fb4266a71c82eed4c1a5b86c947a8a73d9932b926b09e299476a49d5

Write file to user bin folder 64 IoCs

persistence

description	ioc
File opened for modification	/usr/bin/ufqosmol
File opened for modification	/usr/bin/zorpcmvxpc
File opened for modification	/usr/bin/ahyrhcnjrrcd
File opened for modification	/usr/bin/kvrgdgiacre
File opened for modification	/usr/bin/ucufsk
File opened for modification	/usr/bin/phipqizemkkl
File opened for modification	/usr/bin/zvkwtbx
File opened for modification	/usr/bin/rbtasxre
File opened for modification	/usr/bin/jalrqfvfb
File opened for modification	/usr/bin/xxdrqtnmdh
File opened for modification	/usr/bin/swwmzkc
File opened for modification	/usr/bin/qffqifdbwdvgvf
File opened for modification	/usr/bin/aqvturjur
File opened for modification	/usr/bin/kcbeqv
File opened for modification	/usr/bin/heyyvvmjdnz
File opened for modification	/usr/bin/wgnkycezir
File opened for modification	/usr/bin/fystzrcwqayz
File opened for modification	/usr/bin/pprsqbaxijzlfm
File opened for modification	/usr/bin/zwrjhvdnxkeaq
File opened for modification	/usr/bin/yymbcjwefbyrs
File opened for modification	/usr/bin/wfxxoec
File opened for modification	/usr/bin/vrrracvzfhgcy
File opened for modification	/usr/bin/loxvuami
File opened for modification	/usr/bin/sdsagtlqm
File opened for modification	/usr/bin/jzebkynrqe
File opened for modification	/usr/bin/lcrezhod
File opened for modification	/usr/bin/kvfgoz
File opened for modification	/usr/bin/tbzrsrwqmge
File opened for modification	/usr/bin/xegvssuqe
File opened for modification	/usr/bin/ztzeoltmvondg
File opened for modification	/usr/bin/sssfcen
File opened for modification	/usr/bin/fxncjrdb
File opened for modification	/usr/bin/cyuklttbqp
File opened for modification	/usr/bin/diibdvzcjdguz
File opened for modification	/usr/bin/mjuulynpadfhnm
File opened for modification	/usr/bin/sfnobwkaqgydfi
File opened for modification	/usr/bin/bqkxmxwzowct
File opened for modification	/usr/bin/rryitzqmsjdzwm
File opened for modification	/usr/bin/umfenalskumhs
File opened for modification	/usr/bin/orxhai
File opened for modification	/usr/bin/laerjxvmy
File opened for modification	/usr/bin/kcurhuadg
File opened for modification	/usr/bin/rryujxmhsmkym
File opened for modification	/usr/bin/uygqlrd
File opened for modification	/usr/bin/geyvqmdegcc
File opened for modification	/usr/bin/hicculhjksvy
File opened for modification	/usr/bin/fxjwvupbm
File opened for modification	/usr/bin/iacjnk
File opened for modification	/usr/bin/aigjxbiqzok
File opened for modification	/usr/bin/grojldfzbc
File opened for modification	/usr/bin/juvnraiato
File opened for modification	/usr/bin/piiijtbijq
File opened for modification	/usr/bin/ljtvnie
File opened for modification	/usr/bin/rsvzbxbaunk
File opened for modification	/usr/bin/rmnhxzegbs
File opened for modification	/usr/bin/aydatwmlmich
File opened for modification	/usr/bin/tkuutmuueubzk
File opened for modification	/usr/bin/xusjktcrkmondt
File opened for modification	/usr/bin/dfiwpqt
File opened for modification	/usr/bin/fwtjefajwk
File opened for modification	/usr/bin/bpyobwh
File opened for modification	/usr/bin/mrnijbz
File opened for modification	/usr/bin/judqkm
File opened for modification	/usr/bin/kpovrvn

Reads system network configuration 1 TTPs 1 IoCs

Uses contents of /proc filesystem to enumerate network settings.

discovery

Internet Connection Discovery

T1016.001

description	ioc
File opened for reading	/proc/net/tcp

Reads runtime system information 64 IoCs

Reads data from /proc virtual filesystem.

discovery

description	ioc
File opened for reading	/proc/701/fd
File opened for reading	/proc/1762/fd
File opened for reading	/proc/1822/fd
File opened for reading	/proc/1864/fd
File opened for reading	/proc/2041/fd
File opened for reading	/proc/705/fd
File opened for reading	/proc/1092/fd
File opened for reading	/proc/1172/fd
File opened for reading	/proc/1231/fd
File opened for reading	/proc/1/fd
File opened for reading	/proc/756/fd
File opened for reading	/proc/1166/fd
File opened for reading	/proc/1750/fd
File opened for reading	/proc/2003/fd
File opened for reading	/proc/1197/fd
File opened for reading	/proc/1289/fd
File opened for reading	/proc/1888/fd
File opened for reading	/proc/1930/fd
File opened for reading	/proc/1999/fd
File opened for reading	/proc/682/fd
File opened for reading	/proc/1091/fd
File opened for reading	/proc/1945/fd
File opened for reading	/proc/2013/fd
File opened for reading	/proc/1199/fd
File opened for reading	/proc/1243/fd
File opened for reading	/proc/1843/fd
File opened for reading	/proc/1882/fd
File opened for reading	/proc/628/fd
File opened for reading	/proc/729/fd
File opened for reading	/proc/1816/fd
File opened for reading	/proc/2038/fd
File opened for reading	/proc/1016/fd
File opened for reading	/proc/1147/fd
File opened for reading	/proc/1165/fd
File opened for reading	/proc/1774/fd
File opened for reading	/proc/1860/fd
File opened for reading	/proc/1951/fd
File opened for reading	/proc/2020/fd
File opened for reading	/proc/755/fd
File opened for reading	/proc/1491/fd
File opened for reading	/proc/1777/fd
File opened for reading	/proc/1840/fd
File opened for reading	/proc/1861/fd
File opened for reading	/proc/1920/fd
File opened for reading	/proc/1966/fd
File opened for reading	/proc/1351/fd
File opened for reading	/proc/1376/fd
File opened for reading	/proc/1589/fd
File opened for reading	/proc/1831/fd
File opened for reading	/proc/1955/fd
File opened for reading	/proc/631/fd
File opened for reading	/proc/1765/fd
File opened for reading	/proc/2028/fd
File opened for reading	/proc/2068/fd
File opened for reading	/proc/975/fd
File opened for reading	/proc/1981/fd
File opened for reading	/proc/2029/fd
File opened for reading	/proc/2034/fd
File opened for reading	/proc/995/fd
File opened for reading	/proc/1740/fd
File opened for reading	/proc/2007/fd
File opened for reading	/proc/2008/fd
File opened for reading	/proc/630/fd
File opened for reading	/proc/1986/fd

Writes file to shm directory 2 IoCs

Malware can drop malicious files in the shm directory which will run directly from RAM.

description	ioc
File opened for modification	/dev/shm/sem.mpbzcn
File opened for modification	/dev/shm/sem.JcqyGl

Writes file to tmp directory 2 IoCs

Malware often drops required files in the /tmp directory.

description	ioc
File opened for modification	/tmp/fle.c361a070fb4266a71c82eed4c1a5b86c947a8a73d9932b926b09e299476a49d5
File opened for modification	/tmp/fle.c361a070fb4266a71c82eed4c1a5b86c947a8a73d9932b926b09e299476a49d5.sh

/usr/bin/zzqnorptgr
/usr/bin/zzqnorptgr -d 1571
1⤵
- Deletes itself
PID:1575

/usr/bin/yglrnfiidhcv
/usr/bin/yglrnfiidhcv -d 1571
1⤵
- Deletes itself
PID:1578

/usr/bin/vitedmqqqqvmm
/usr/bin/vitedmqqqqvmm -d 1571
1⤵
- Deletes itself
PID:1581

/usr/bin/bogwmmkgbp
/usr/bin/bogwmmkgbp -d 1571
1⤵
- Deletes itself
PID:1583

/usr/bin/juvnraiato
/usr/bin/juvnraiato -d 1571
1⤵
- Deletes itself
PID:1587

/usr/bin/heyyvvmjdnz
/usr/bin/heyyvvmjdnz -d 1571
1⤵
- Deletes itself
PID:1599

/usr/bin/loxvuami
/usr/bin/loxvuami -d 1571
1⤵
- Deletes itself
PID:1601

/usr/bin/ifzafkcbyhi
/usr/bin/ifzafkcbyhi -d 1571
1⤵
- Deletes itself
PID:1605

/usr/bin/hicculhjksvy
/usr/bin/hicculhjksvy -d 1571
1⤵
- Deletes itself
PID:1608

/usr/bin/sssfcen
/usr/bin/sssfcen -d 1571
1⤵
- Deletes itself
PID:1611

/usr/bin/pwnmxeerwluabd
/usr/bin/pwnmxeerwluabd -d 1571
1⤵
- Deletes itself
PID:1616

/usr/bin/pprsqbaxijzlfm
/usr/bin/pprsqbaxijzlfm -d 1571
1⤵
- Deletes itself
PID:1614

/usr/bin/quxkmplnmvyn
/usr/bin/quxkmplnmvyn -d 1571
1⤵
- Deletes itself
PID:1620

/usr/bin/dzdsyqgv
/usr/bin/dzdsyqgv -d 1571
1⤵
- Deletes itself
PID:1622

/usr/bin/lmryitz
/usr/bin/lmryitz -d 1571
1⤵
- Deletes itself
PID:1626

/usr/bin/tnuwiumopgb
/usr/bin/tnuwiumopgb -d 1571
1⤵
- Deletes itself
PID:1630

/usr/bin/zaovbcwtkxvhqk
/usr/bin/zaovbcwtkxvhqk -d 1571
1⤵
- Deletes itself
PID:1633

/usr/bin/xxdrqtnmdh
/usr/bin/xxdrqtnmdh -d 1571
1⤵
- Deletes itself
PID:1636

/usr/bin/tygveixsdyu
/usr/bin/tygveixsdyu -d 1571
1⤵
- Deletes itself
PID:1639

/usr/bin/ugzpqrclo
/usr/bin/ugzpqrclo -d 1571
1⤵
- Deletes itself
PID:1642

/usr/bin/lfjtcbydxaxfb
/usr/bin/lfjtcbydxaxfb -d 1571
1⤵
- Deletes itself
PID:1645

/usr/bin/xusjktcrkmondt
/usr/bin/xusjktcrkmondt -d 1571
1⤵
- Deletes itself
PID:1648

/usr/bin/laerjxvmy
/usr/bin/laerjxvmy -d 1571
1⤵
- Deletes itself
PID:1650

/usr/bin/laxsdmqxgbh
/usr/bin/laxsdmqxgbh -d 1571
1⤵
- Deletes itself
PID:1654

/usr/bin/dakrpaukqh
/usr/bin/dakrpaukqh -d 1571
1⤵
- Deletes itself
PID:1657

/usr/bin/avwwhu
/usr/bin/avwwhu -d 1571
1⤵
- Deletes itself
PID:1660

/usr/bin/swwmzkc
/usr/bin/swwmzkc -d 1571
1⤵
- Deletes itself
PID:1663

/usr/bin/sfnobwkaqgydfi
/usr/bin/sfnobwkaqgydfi -d 1571
1⤵
- Deletes itself
PID:1668

/usr/bin/qffqifdbwdvgvf
/usr/bin/qffqifdbwdvgvf -d 1571
1⤵
- Deletes itself
PID:1666

/usr/bin/dalitvpwzmb
/usr/bin/dalitvpwzmb -d 1571
1⤵
- Deletes itself
PID:1672

/usr/bin/uwbnqhagizqkpw
/usr/bin/uwbnqhagizqkpw -d 1571
1⤵
- Deletes itself
PID:1675

/usr/bin/sdsagtlqm
/usr/bin/sdsagtlqm -d 1571
1⤵
- Deletes itself
PID:1677

/usr/bin/iihwjeqhfdamgg
/usr/bin/iihwjeqhfdamgg -d 1571
1⤵
- Deletes itself
PID:1681

/usr/bin/fxjwvupbm
/usr/bin/fxjwvupbm -d 1571
1⤵
- Deletes itself
PID:1683

/usr/bin/hfcarmkbwg
/usr/bin/hfcarmkbwg -d 1571
1⤵
- Deletes itself
PID:1687

/usr/bin/kvrgdgiacre
/usr/bin/kvrgdgiacre -d 1571
1⤵
- Deletes itself
PID:1694

/usr/bin/dgnzaeaptjuxl
/usr/bin/dgnzaeaptjuxl -d 1571
1⤵
- Deletes itself
PID:1692

/usr/bin/poekhkrujtzli
/usr/bin/poekhkrujtzli -d 1571
1⤵
- Deletes itself
PID:1698

/usr/bin/wfsivef
/usr/bin/wfsivef -d 1571
1⤵
- Deletes itself
PID:1700

/usr/bin/mjuulynpadfhnm
/usr/bin/mjuulynpadfhnm -d 1571
1⤵
- Deletes itself
PID:1704

/usr/bin/iacjnk
/usr/bin/iacjnk -d 1571
1⤵
- Deletes itself
PID:1707

/usr/bin/jrytme
/usr/bin/jrytme -d 1571
1⤵
- Deletes itself
PID:1709

/usr/bin/bqkxmxwzowct
/usr/bin/bqkxmxwzowct -d 1571
1⤵
- Deletes itself
PID:1713

/usr/bin/shuarwcbl
/usr/bin/shuarwcbl -d 1571
1⤵
- Deletes itself
PID:1715

/usr/bin/hxghqvlry
/usr/bin/hxghqvlry -d 1571
1⤵
- Deletes itself
PID:1719

/usr/bin/dvpatoqq
/usr/bin/dvpatoqq -d 1571
1⤵
- Deletes itself
PID:1722

/usr/bin/jvlssnkqqnchu
/usr/bin/jvlssnkqqnchu -d 1571
1⤵
- Deletes itself
PID:1725

/usr/bin/pbyhttr
/usr/bin/pbyhttr -d 1571
1⤵
- Deletes itself
PID:1730

/usr/bin/pbpmojkroi
/usr/bin/pbpmojkroi -d 1571
1⤵
- Deletes itself
PID:1728

/usr/bin/glhuxzmkbtec
/usr/bin/glhuxzmkbtec -d 1571
1⤵
- Deletes itself
PID:1734

/usr/bin/rryitzqmsjdzwm
/usr/bin/rryitzqmsjdzwm -d 1571
1⤵
- Deletes itself
PID:1739

/usr/bin/huxxdh
/usr/bin/huxxdh -d 1571
1⤵
- Deletes itself
PID:1737

/usr/bin/umfenalskumhs
/usr/bin/umfenalskumhs -d 1571
1⤵
- Deletes itself
PID:1743

/usr/bin/piiijtbijq
/usr/bin/piiijtbijq -d 1571
1⤵
- Deletes itself
PID:1746

/usr/bin/utzqismuz
/usr/bin/utzqismuz -d 1571
1⤵
- Deletes itself
PID:1749

/usr/bin/jzebkynrqe
/usr/bin/jzebkynrqe -d 1571
1⤵
- Deletes itself
PID:1752

/usr/bin/zptiiustmsn
/usr/bin/zptiiustmsn -d 1571
1⤵
- Deletes itself
PID:1754

/usr/bin/ufqosmol
/usr/bin/ufqosmol -d 1571
1⤵
- Deletes itself
PID:1758

/usr/bin/ppzznote
/usr/bin/ppzznote -d 1571
1⤵
- Deletes itself
PID:1761

/usr/bin/dfiwpqt
/usr/bin/dfiwpqt -d 1571
1⤵
- Deletes itself
PID:1764

/usr/bin/lfbynvffkzrykp
/usr/bin/lfbynvffkzrykp -d 1571
1⤵
- Deletes itself
PID:1767

/usr/bin/zorpcmvxpc
/usr/bin/zorpcmvxpc -d 1571
1⤵
- Deletes itself
PID:1769

/usr/bin/orxhai
/usr/bin/orxhai -d 1571
1⤵
- Deletes itself
PID:1773

/usr/bin/biexqljpd
/usr/bin/biexqljpd -d 1571
1⤵
- Deletes itself
PID:1776

/usr/bin/asybipskbnit
/usr/bin/asybipskbnit -d 1571
1⤵
PID:1779

/usr/bin/phipqizemkkl
/usr/bin/phipqizemkkl -d 1571
1⤵
PID:1782

/usr/bin/wupbdptbtb
/usr/bin/wupbdptbtb -d 1571
1⤵
PID:1785

/usr/bin/lnubxnqp
/usr/bin/lnubxnqp -d 1571
1⤵
PID:1787

/usr/bin/bgklfrxpd
/usr/bin/bgklfrxpd -d 1571
1⤵
PID:1791

/usr/bin/pbchchwxjrycf
/usr/bin/pbchchwxjrycf -d 1571
1⤵
PID:1794

/usr/bin/wgnkycezir
/usr/bin/wgnkycezir -d 1571
1⤵
PID:1797

/usr/bin/qkkhptz
/usr/bin/qkkhptz -d 1571
1⤵
PID:1799

/usr/bin/xgtferqwr
/usr/bin/xgtferqwr -d 1571
1⤵
PID:1803

/usr/bin/bhojvyhzfjky
/usr/bin/bhojvyhzfjky -d 1571
1⤵
PID:1805

/usr/bin/aigjxbiqzok
/usr/bin/aigjxbiqzok -d 1571
1⤵
PID:1809

/usr/bin/vdwrwouecdzdma
/usr/bin/vdwrwouecdzdma -d 1571
1⤵
PID:1812

/usr/bin/vkirmqawpbgicv
/usr/bin/vkirmqawpbgicv -d 1571
1⤵
PID:1815

/usr/bin/iqxgjtufxzkyew
/usr/bin/iqxgjtufxzkyew -d 1571
1⤵
PID:1818

/usr/bin/oulwnyopwfrc
/usr/bin/oulwnyopwfrc -d 1571
1⤵
PID:1821

/usr/bin/tzhepekay
/usr/bin/tzhepekay -d 1571
1⤵
PID:1824

/usr/bin/hxgrwkqxamiwbi
/usr/bin/hxgrwkqxamiwbi -d 1571
1⤵
PID:1827

/usr/bin/repkhfdgmjy
/usr/bin/repkhfdgmjy -d 1571
1⤵
PID:1830

/usr/bin/wardiolbmxtl
/usr/bin/wardiolbmxtl -d 1571
1⤵
PID:1833

/usr/bin/fwtjefajwk
/usr/bin/fwtjefajwk -d 1571
1⤵
PID:1835

/usr/bin/bpyobwh
/usr/bin/bpyobwh -d 1571
1⤵
PID:1839

/usr/bin/zyaholkdkeoh
/usr/bin/zyaholkdkeoh -d 1571
1⤵
PID:1842

/usr/bin/kcurhuadg
/usr/bin/kcurhuadg -d 1571
1⤵
PID:1845

/usr/bin/fystzrcwqayz
/usr/bin/fystzrcwqayz -d 1571
1⤵
PID:1848

/usr/bin/ljtvnie
/usr/bin/ljtvnie -d 1571
1⤵
PID:1851

/usr/bin/ugtlnqnqwhx
/usr/bin/ugtlnqnqwhx -d 1571
1⤵
PID:1854

/usr/bin/aqvturjur
/usr/bin/aqvturjur -d 1571
1⤵
PID:1857

/usr/bin/lcrezhod
/usr/bin/lcrezhod -d 1571
1⤵
PID:1859

/usr/bin/ljzwwpmpot
/usr/bin/ljzwwpmpot -d 1571
1⤵
PID:1863

/usr/bin/kvfgoz
/usr/bin/kvfgoz -d 1571
1⤵
PID:1866

/usr/bin/zwrjhvdnxkeaq
/usr/bin/zwrjhvdnxkeaq -d 1571
1⤵
PID:1868

/usr/bin/mrnijbz
/usr/bin/mrnijbz -d 1571
1⤵
PID:1872

/usr/bin/vmhstpjspkoiu
/usr/bin/vmhstpjspkoiu -d 1571
1⤵
PID:1875

/usr/bin/fxncjrdb
/usr/bin/fxncjrdb -d 1571
1⤵
PID:1878

/usr/bin/rsvzbxbaunk
/usr/bin/rsvzbxbaunk -d 1571
1⤵
PID:1880

/usr/bin/izzaqkragog
/usr/bin/izzaqkragog -d 1571
1⤵
PID:1884

/usr/bin/diounp
/usr/bin/diounp -d 1571
1⤵
PID:1887

/usr/bin/ejaglzhnvw
/usr/bin/ejaglzhnvw -d 1571
1⤵
PID:1890

/usr/bin/lezlgr
/usr/bin/lezlgr -d 1571
1⤵
PID:1893

/usr/bin/xsdoykriyoyp
/usr/bin/xsdoykriyoyp -d 1571
1⤵
PID:1895

/usr/bin/cyuklttbqp
/usr/bin/cyuklttbqp -d 1571
1⤵
PID:1899

/usr/bin/cvzncr
/usr/bin/cvzncr -d 1571
1⤵
PID:1902

/usr/bin/blrrjb
/usr/bin/blrrjb -d 1571
1⤵
PID:1905

/usr/bin/tbzrsrwqmge
/usr/bin/tbzrsrwqmge -d 1571
1⤵
PID:1908

/usr/bin/ahyrhcnjrrcd
/usr/bin/ahyrhcnjrrcd -d 1571
1⤵
PID:1910

/usr/bin/numyxxrywl
/usr/bin/numyxxrywl -d 1571
1⤵
PID:1914

/usr/bin/phidpolrvljdny
/usr/bin/phidpolrvljdny -d 1571
1⤵
PID:1917

/usr/bin/grojldfzbc
/usr/bin/grojldfzbc -d 1571
1⤵
PID:1919

/usr/bin/ucufsk
/usr/bin/ucufsk -d 1571
1⤵
PID:1923

/usr/bin/anerav
/usr/bin/anerav -d 1571
1⤵
PID:1926

/usr/bin/ngrcgfizvt
/usr/bin/ngrcgfizvt -d 1571
1⤵
PID:1929

/usr/bin/yymbcjwefbyrs
/usr/bin/yymbcjwefbyrs -d 1571
1⤵
PID:1932

/usr/bin/hwshtexcyz
/usr/bin/hwshtexcyz -d 1571
1⤵
PID:1935

/usr/bin/diibdvzcjdguz
/usr/bin/diibdvzcjdguz -d 1571
1⤵
PID:1938

/usr/bin/aclrukyqeimj
/usr/bin/aclrukyqeimj -d 1571
1⤵
PID:1941

/usr/bin/ojeymognsdp
/usr/bin/ojeymognsdp -d 1571
1⤵
PID:1944

/usr/bin/nschtpjvbbqnbi
/usr/bin/nschtpjvbbqnbi -d 1571
1⤵
PID:1947

/usr/bin/judqkm
/usr/bin/judqkm -d 1571
1⤵
PID:1949

/usr/bin/jalrqfvfb
/usr/bin/jalrqfvfb -d 1571
1⤵
PID:1953

/usr/bin/zgrsxbpyefofq
/usr/bin/zgrsxbpyefofq -d 1571
1⤵
PID:1956

/usr/bin/rmnhxzegbs
/usr/bin/rmnhxzegbs -d 1571
1⤵
PID:1959

/usr/bin/jffqvkgfdtsl
/usr/bin/jffqvkgfdtsl -d 1571
1⤵
PID:1964

/usr/bin/rxuybezhyre
/usr/bin/rxuybezhyre -d 1571
1⤵
PID:1962

/usr/bin/rryujxmhsmkym
/usr/bin/rryujxmhsmkym -d 1571
1⤵
PID:1968

/usr/bin/wfxxoec
/usr/bin/wfxxoec -d 1571
1⤵
PID:1971

/usr/bin/zpnesgyfapxy
/usr/bin/zpnesgyfapxy -d 1571
1⤵
PID:1974

/usr/bin/wrbyipecxdiyu
/usr/bin/wrbyipecxdiyu -d 1571
1⤵
PID:1979

/usr/bin/iyyrsmbqyspgsm
/usr/bin/iyyrsmbqyspgsm -d 1571
1⤵
PID:1977

/usr/bin/ygpwghotihtd
/usr/bin/ygpwghotihtd -d 1571
1⤵
PID:1983

/usr/bin/zvkwtbx
/usr/bin/zvkwtbx -d 1571
1⤵
PID:1985

/usr/bin/lowomz
/usr/bin/lowomz -d 1571
1⤵
PID:1989

/usr/bin/ktfkcu
/usr/bin/ktfkcu -d 1571
1⤵
PID:1995

/usr/bin/ibxbmg
/usr/bin/ibxbmg -d 1571
1⤵
PID:1997

/usr/bin/pewmpsfs
/usr/bin/pewmpsfs -d 1571
1⤵
PID:2001

/usr/bin/xegvssuqe
/usr/bin/xegvssuqe -d 1571
1⤵
PID:2004

/usr/bin/vrrracvzfhgcy
/usr/bin/vrrracvzfhgcy -d 1571
1⤵
PID:2006

/usr/bin/zmbtrulqa
/usr/bin/zmbtrulqa -d 1571
1⤵
PID:2010

/usr/bin/numjktzhksakuv
/usr/bin/numjktzhksakuv -d 1571
1⤵
PID:2012

/usr/bin/aerceedqfzk
/usr/bin/aerceedqfzk -d 1571
1⤵
PID:2016

/usr/bin/kcbeqv
/usr/bin/kcbeqv -d 1571
1⤵
PID:2019

/usr/bin/zhoaqyt
/usr/bin/zhoaqyt -d 1571
1⤵
PID:2022

/usr/bin/kpovrvn
/usr/bin/kpovrvn -d 1571
1⤵
PID:2025

/usr/bin/ztzsyae
/usr/bin/ztzsyae -d 1571
1⤵
PID:2027

/usr/bin/ngfrydmy
/usr/bin/ngfrydmy -d 1571
1⤵
PID:2031

/usr/bin/aydatwmlmich
/usr/bin/aydatwmlmich -d 1571
1⤵
PID:2033

/usr/bin/yhqabqafunl
/usr/bin/yhqabqafunl -d 1571
1⤵
PID:2037

/usr/bin/hkdvkpy
/usr/bin/hkdvkpy -d 1571
1⤵
PID:2040

/usr/bin/uygqlrd
/usr/bin/uygqlrd -d 1571
1⤵
PID:2043

/usr/bin/tkuutmuueubzk
/usr/bin/tkuutmuueubzk -d 1571
1⤵
PID:2046

/usr/bin/ztzeoltmvondg
/usr/bin/ztzeoltmvondg -d 1571
1⤵
PID:2049

/usr/bin/ulvoyrkrdeoh
/usr/bin/ulvoyrkrdeoh -d 1571
1⤵
PID:2052

/usr/bin/pimehffnushiqx
/usr/bin/pimehffnushiqx -d 1571
1⤵
PID:2055

/usr/bin/tdvorsepjog
/usr/bin/tdvorsepjog -d 1571
1⤵
PID:2058

/usr/bin/swwuoghuqmcd
/usr/bin/swwuoghuqmcd -d 1571
1⤵
PID:2061

/usr/bin/umtkjoepm
/usr/bin/umtkjoepm -d 1571
1⤵
PID:2064

/usr/bin/geyvqmdegcc
/usr/bin/geyvqmdegcc -d 1571
1⤵
PID:2066

/usr/bin/qjjkzyoei
/usr/bin/qjjkzyoei -d 1571
1⤵
PID:2070

/usr/bin/rbtasxre
/usr/bin/rbtasxre -d 1571
1⤵
PID:2073

/usr/bin/zipuydaf
/usr/bin/zipuydaf -d 1571
1⤵
PID:2076

/usr/bin/chmuqxgr
/usr/bin/chmuqxgr -d 1571
1⤵
PID:2079

/usr/bin/vwgenhzpzz
/usr/bin/vwgenhzpzz -d 1571
1⤵
PID:2082

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Cron

T1053.003

Persistence

Boot or Logon Autostart Execution

T1547

Boot or Logon Initialization Scripts

T1037

RC Scripts

T1037.004

Scheduled Task/Job

T1053

Cron

T1053.003

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Boot or Logon Initialization Scripts

T1037

RC Scripts

T1037.004

Scheduled Task/Job

T1053

Cron

T1053.003

Defense Evasion

Credential Access

Discovery

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

System Network Connections Discovery

T1049

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

/dev/shm/sem.JcqyGl

Filesize
16B

MD5
076933ff9904d1110d896e2c525e39e5

SHA1
4188442577fa77f25820d9b2d01cc446e30684ac

SHA256
4cbbd8ca5215b8d161aec181a74b694f4e24b001d5b081dc0030ed797a8973e0

SHA512
6fcee9a7b7a7b821d241c03c82377928bc6882e7a08c78a4221199bfa220cdc55212273018ee613317c8293bb8d1ce08d1e017508e94e06ab85a734c99c7cc34

Download Submit
/etc/cron.hourly/fle.c361a070fb4266a71c82eed4c1a5b86c947a8a73d9932b926b09e299476a49d5.sh

Filesize
205B

MD5
bfec1b0cbc5cf83b4826aabe30206943

SHA1
d09ae8c5f29f603b0b848dd81aae836b2dd3b0c7

SHA256
f31172f4c0d500a69bbdf8a122deac844cf06790a611310adc6da8c480cc9eb4

SHA512
0eda73fd4013d43a8f1071b8bea7ae22e4a2c47f49c164da19bcec513a14dce3e6a3bb5a01853a56074caccb7ee3f7f1475df84233d843fc0b246127d46e4189

Download Submit
/etc/daemon.cfg

Filesize
32B

MD5
45b281e9c9772f4c7f5897244ac4b439

SHA1
ecfe58f8e7465c97c743b2ebc3684abfbefbe884

SHA256
e413a73546c36088d1d5413f825d7fab73da676c04ea2671bc98e678941c7983

SHA512
789463bda59c6a629d30b78625fc06dc48935b9f67897d9798c6a55878865f2732cb369d3f39134cee212164b2c478e02b69fccff4fb356da4ca6924c5b1d752

Download Submit
/etc/init.d/fle.c361a070fb4266a71c82eed4c1a5b86c947a8a73d9932b926b09e299476a49d5

Filesize
628B

MD5
37c54fc3e1640cbcf085ea55b579f9ed

SHA1
e10a0c3885116e3160c21e1acfdc6042e4d99130

SHA256
3d01fd824f264362d5ebb87f13b8942ba8c6ac2909ad254dd160baacf112b3ff

SHA512
cf3872865c70bf85e2efe32e8ffba12aef8d72267549a5ee2ccbd67e4c36c278a394d79217314edcfeda8edb0ba2e6b0146674e2a6214e0223504abde43e1b33

Download Submit
/tmp/fle.c361a070fb4266a71c82eed4c1a5b86c947a8a73d9932b926b09e299476a49d5

Filesize
549KB

MD5
27e7ff9211cfa5cfa709a199363cddfb

SHA1
e26ee39502fb9da0167da2ea0ab833f263fca32f

SHA256
5d94a674992e90b629b2399d37a8a749c68b5a1c4dee28c17a6624bf070a163c

SHA512
383475f925bf75cd77321f388eedee0bf116ad50204bdea5800e09e164f8a6de82a71a4d1cfef3a066c03748872e252a24de80fa5b0ffb2ad972f9b0f8ee5a33

Download Submit

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads