Overview

overview

10

Static

static

10

mdmnpygceatyeq

ubuntu-24.04-amd64

10

Analysis

  • max time kernel
    149s
  • max time network
    153s
  • platform
    ubuntu-24.04_amd64
  • resource
    ubuntu2404-amd64-20240523-en
  • resource tags

    arch:amd64arch:i386image:ubuntu2404-amd64-20240523-enkernel:6.8.0-31-genericlocale:en-usos:ubuntu-24.04-amd64system
  • submitted
    28/02/2025, 07:26

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    mdmnpygceatyeq

  • Size

    544KB

  • MD5

    f44ae424e83e10004380f6aadceebb15

  • SHA1

    173c9062c3326d4940cf7b6cc70c1a750dda2a49

  • SHA256

    a89c8ef292c00472850398e72e2bfa6beb9e5e460d52863faf6cefa7c6d723f5

  • SHA512

    e05aca5a978932c4b842e04d77c717e88a82fae00e99edb7ed7c2569fbdc9b1dc70a812c21b386f3ee1535a799296e6ecbcda15d0a5e9e73afcfcff6c47bd326

  • SSDEEP

    12288:JbinNy0Y1nvEtXBx6DkkJmAGyPexU279WnjVZ6ySWKZ:1iNy0evmxvkJmApPexUm9cVEb

Score
10/10
xorddosbotnetdownloaderrootkit

Malware Config

Extracted

Family

xorddos

C2

topbannersun.com:8623

wowapplecar.com:8623
Attributes
  • crc_polynomial

    CDB88320

xor.plain

Signatures

  • XorDDoS

    Botnet and downloader malware targeting Linux-based operating systems and IoT devices.

    botnetdownloaderxorddos
  • XorDDoS payload 1 IoCs
  • Xorddos family
    xorddos
  • Writes memory of remote process 2 IoCs
  • Loads a kernel module 64 IoCs

    Loads a Linux kernel module, potentially to achieve persistence

    rootkit

Processes

  • /tmp/mdmnpygceatyeq
    /tmp/mdmnpygceatyeq
    1⤵
    • Writes memory of remote process
    • Loads a kernel module
    PID:2869

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

  • /dev/shm/sem.VHD5vH
    Filesize

    16B

    MD5

    076933ff9904d1110d896e2c525e39e5

    SHA1

    4188442577fa77f25820d9b2d01cc446e30684ac

    SHA256

    4cbbd8ca5215b8d161aec181a74b694f4e24b001d5b081dc0030ed797a8973e0

    SHA512

    6fcee9a7b7a7b821d241c03c82377928bc6882e7a08c78a4221199bfa220cdc55212273018ee613317c8293bb8d1ce08d1e017508e94e06ab85a734c99c7cc34

    Download Submit

  • /etc/cron.hourly/qeytaecgypnmdm.sh
    Filesize

    151B

    MD5

    df8177ee97c13e3f34698ccda1a79345

    SHA1

    2ba03e7a8fb6494533134045d507600263019410

    SHA256

    e2fa7920e26919de3417e42777ae588eaa81222558909846e1aedd2769fc5e28

    SHA512

    c03f9be1d8042f1a4d15e149b62a7ebd3beb08a1bbb0010a178f611b2552819a7b5b3f762e3322123fa6d47a7b6f0c0bb2ee44c343579103d0dde9895ededfe5

    Download Submit

  • /etc/daemon.cfg
    Filesize

    32B

    MD5

    ce648b957fe9cff4f7bafd958d62dab7

    SHA1

    80a23693683134d54372bdf93d8afa639df1734a

    SHA256

    f2e5010a497115399c93399f14c1450f1a84e1bb6fb3358f1073d36598faf69a

    SHA512

    ac57f9704293cd3a5c6a2aaaccaa578bd5ded7235b7fffda18d3c48786d76d0613515af4e7909b427ac46f41c5fc346c29040519ec9581d510bfa509b88c7c1e

    Download Submit

  • /tmp/qeytaecgypnmdm
    Filesize

    544KB

    MD5

    f44ae424e83e10004380f6aadceebb15

    SHA1

    173c9062c3326d4940cf7b6cc70c1a750dda2a49

    SHA256

    a89c8ef292c00472850398e72e2bfa6beb9e5e460d52863faf6cefa7c6d723f5

    SHA512

    e05aca5a978932c4b842e04d77c717e88a82fae00e99edb7ed7c2569fbdc9b1dc70a812c21b386f3ee1535a799296e6ecbcda15d0a5e9e73afcfcff6c47bd326

    Download Submit