Analysis
-
max time kernel
149s -
max time network
148s -
platform
ubuntu-22.04_amd64 -
resource
ubuntu2204-amd64-20250307-en -
resource tags
-
submitted
30/03/2025, 15:32
General
-
Target
ea40ecec0b30982fbb1662e67f97f0e9d6f43d2d587f2f588525fae683abea73
-
Size
549KB
-
MD5
f9191bab1e834d4aef3380700639cee9
-
SHA1
9c20269df6694260a24ac783de2e30d627a6928a
-
SHA256
ea40ecec0b30982fbb1662e67f97f0e9d6f43d2d587f2f588525fae683abea73
-
SHA512
3d2758fe2d06183e627b5cc24919c08c84108f2efd7ab0a162029d55537476410d9535d50f3eb059f7153f7482c134284862eea121201f82838aace4b12283b5
-
SSDEEP
12288:VeRvuKqiVZ4En5drNK0pPEfJKlHZ8mG97Qxee6yzmx:VIv/qiVNHNDEfJKHZ8mG9QeeO
Malware Config
Extracted
xorddos
api.markerbio.com:112
api.enoan2107.com:112
http://qq.com/lib.asp
-
crc_polynomial
CDB88320
Signatures
-
XorDDoS
Botnet and downloader malware targeting Linux-based operating systems and IoT devices.
-
XorDDoS payload 1 IoCs
-
Xorddos family
-
Deletes itself 64 IoCs
-
Executes dropped EXE 64 IoCs
-
Unexpected DNS network traffic destination 1 IoCs
Network traffic to other servers than the configured DNS servers was detected on the DNS port.
-
Creates/modifies Cron job 1 TTPs 1 IoCs
Cron allows running tasks on a schedule, and is commonly used for malware persistence.
-
Enumerates active TCP sockets 1 TTPs 1 IoCs
Gets active TCP sockets from /proc virtual filesystem.
-
Enumerates running processes
Discovers information about currently running processes on the system
-
Modifies init.d 2 TTPs 1 IoCs
Adds/modifies system service, likely for persistence.
-
Write file to user bin folder 64 IoCs
-
Reads system network configuration 1 TTPs 1 IoCs
Uses contents of /proc filesystem to enumerate network settings.
-
Reads runtime system information 64 IoCs
Reads data from /proc virtual filesystem.
-
Writes file to shm directory 2 IoCs
Malware can drop malicious files in the shm directory which will run directly from RAM.
Processes
-
/usr/bin/tabupw/usr/bin/tabupw1⤵
- Executes dropped EXE
- Creates/modifies Cron job
- Enumerates active TCP sockets
- Modifies init.d
- Write file to user bin folder
- Reads system network configuration
- Reads runtime system information
- Writes file to shm directory
-
/usr/bin/sfegba/usr/bin/sfegba -d 15671⤵
- Deletes itself
-
/usr/bin/rdtoimjocmox/usr/bin/rdtoimjocmox -d 15671⤵
- Deletes itself
-
/usr/bin/fzwfmpziiqt/usr/bin/fzwfmpziiqt -d 15671⤵
- Deletes itself
-
/usr/bin/uvcfmrmnptz/usr/bin/uvcfmrmnptz -d 15671⤵
- Deletes itself
-
/usr/bin/jpkdadiv/usr/bin/jpkdadiv -d 15671⤵
- Deletes itself
-
/usr/bin/ikhzdggxqvj/usr/bin/ikhzdggxqvj -d 15671⤵
- Deletes itself
-
/usr/bin/dhlrvknrfpy/usr/bin/dhlrvknrfpy -d 15671⤵
- Deletes itself
-
/usr/bin/xndshwbmdmd/usr/bin/xndshwbmdmd -d 15671⤵
- Deletes itself
-
/usr/bin/ytsdiqxtdguima/usr/bin/ytsdiqxtdguima -d 15671⤵
- Deletes itself
-
/usr/bin/exrbueho/usr/bin/exrbueho -d 15671⤵
- Deletes itself
-
/usr/bin/kwgfzmahacpf/usr/bin/kwgfzmahacpf -d 15671⤵
- Deletes itself
-
/usr/bin/hiwnplbv/usr/bin/hiwnplbv -d 15671⤵
- Deletes itself
-
/usr/bin/egglrhlxqwvwd/usr/bin/egglrhlxqwvwd -d 15671⤵
- Deletes itself
-
/usr/bin/iddlgvsica/usr/bin/iddlgvsica -d 15671⤵
- Deletes itself
-
/usr/bin/psrsnwxv/usr/bin/psrsnwxv -d 15671⤵
- Deletes itself
-
/usr/bin/tjozyittxpsst/usr/bin/tjozyittxpsst -d 15671⤵
- Deletes itself
-
/usr/bin/jdkwlf/usr/bin/jdkwlf -d 15671⤵
- Deletes itself
-
/usr/bin/jeawiwhjwn/usr/bin/jeawiwhjwn -d 15671⤵
- Deletes itself
-
/usr/bin/bxqmeehnug/usr/bin/bxqmeehnug -d 15671⤵
- Deletes itself
-
/usr/bin/dzhaqzvjdeogc/usr/bin/dzhaqzvjdeogc -d 15671⤵
- Deletes itself
-
/usr/bin/xwqudezenbvm/usr/bin/xwqudezenbvm -d 15671⤵
- Deletes itself
-
/usr/bin/gscwyh/usr/bin/gscwyh -d 15671⤵
- Deletes itself
-
/usr/bin/cscdtggsz/usr/bin/cscdtggsz -d 15671⤵
- Deletes itself
-
/usr/bin/xzunvzuughv/usr/bin/xzunvzuughv -d 15671⤵
- Deletes itself
-
/usr/bin/wujoygmf/usr/bin/wujoygmf -d 15671⤵
- Deletes itself
-
/usr/bin/oaftvnanpymo/usr/bin/oaftvnanpymo -d 15671⤵
- Deletes itself
-
/usr/bin/ajuwfad/usr/bin/ajuwfad -d 15671⤵
- Deletes itself
-
/usr/bin/dbuopvudaxucf/usr/bin/dbuopvudaxucf -d 15671⤵
- Deletes itself
-
/usr/bin/ngdolfkzufwai/usr/bin/ngdolfkzufwai -d 15671⤵
- Deletes itself
-
/usr/bin/yspnhpaxkcie/usr/bin/yspnhpaxkcie -d 15671⤵
- Deletes itself
-
/usr/bin/cyakeyymdo/usr/bin/cyakeyymdo -d 15671⤵
- Deletes itself
-
/usr/bin/iazfivfq/usr/bin/iazfivfq -d 15671⤵
- Deletes itself
-
/usr/bin/bcrknkjlo/usr/bin/bcrknkjlo -d 15671⤵
- Deletes itself
-
/usr/bin/lqyldflbro/usr/bin/lqyldflbro -d 15671⤵
- Deletes itself
-
/usr/bin/rzrqebllt/usr/bin/rzrqebllt -d 15671⤵
- Deletes itself
-
/usr/bin/ddnxgbv/usr/bin/ddnxgbv -d 15671⤵
- Deletes itself
-
/usr/bin/liwqphrjxiawcs/usr/bin/liwqphrjxiawcs -d 15671⤵
- Deletes itself
-
/usr/bin/yghigcqpqalg/usr/bin/yghigcqpqalg -d 15671⤵
- Deletes itself
-
/usr/bin/uazrkzqmru/usr/bin/uazrkzqmru -d 15671⤵
- Deletes itself
-
/usr/bin/wirejmhjupt/usr/bin/wirejmhjupt -d 15671⤵
- Deletes itself
-
/usr/bin/rccjpvejroax/usr/bin/rccjpvejroax -d 15671⤵
- Deletes itself
-
/usr/bin/oflkwem/usr/bin/oflkwem -d 15671⤵
- Deletes itself
-
/usr/bin/qfzajrcjjfcl/usr/bin/qfzajrcjjfcl -d 15671⤵
- Deletes itself
-
/usr/bin/mccslvgnsfdz/usr/bin/mccslvgnsfdz -d 15671⤵
- Deletes itself
-
/usr/bin/nxxbnngmppdty/usr/bin/nxxbnngmppdty -d 15671⤵
- Deletes itself
-
/usr/bin/pdywgapwxox/usr/bin/pdywgapwxox -d 15671⤵
- Deletes itself
-
/usr/bin/ydzfpchjn/usr/bin/ydzfpchjn -d 15671⤵
- Deletes itself
-
/usr/bin/bewqvbjuph/usr/bin/bewqvbjuph -d 15671⤵
- Deletes itself
-
/usr/bin/poorxzg/usr/bin/poorxzg -d 15671⤵
- Deletes itself
-
/usr/bin/qjbmsbdozrl/usr/bin/qjbmsbdozrl -d 15671⤵
- Deletes itself
-
/usr/bin/ssylrxrsnd/usr/bin/ssylrxrsnd -d 15671⤵
- Deletes itself
-
/usr/bin/bvxfjwy/usr/bin/bvxfjwy -d 15671⤵
- Deletes itself
-
/usr/bin/itosdbdzmg/usr/bin/itosdbdzmg -d 15671⤵
- Deletes itself
-
/usr/bin/uywslppdieie/usr/bin/uywslppdieie -d 15671⤵
- Deletes itself
-
/usr/bin/dbmoalmi/usr/bin/dbmoalmi -d 15671⤵
- Deletes itself
-
/usr/bin/mdabudl/usr/bin/mdabudl -d 15671⤵
- Deletes itself
-
/usr/bin/nrgqvugvhsfn/usr/bin/nrgqvugvhsfn -d 15671⤵
- Deletes itself
-
/usr/bin/hxaohscxdrjj/usr/bin/hxaohscxdrjj -d 15671⤵
- Deletes itself
-
/usr/bin/lfuyghqozlih/usr/bin/lfuyghqozlih -d 15671⤵
- Deletes itself
-
/usr/bin/qzndwwcxkkrn/usr/bin/qzndwwcxkkrn -d 15671⤵
- Deletes itself
-
/usr/bin/uhbfpinh/usr/bin/uhbfpinh -d 15671⤵
- Deletes itself
-
/usr/bin/clgynfjz/usr/bin/clgynfjz -d 15671⤵
- Deletes itself
-
/usr/bin/yhscaazglq/usr/bin/yhscaazglq -d 15671⤵
- Deletes itself
-
/usr/bin/esfltmcbakmev/usr/bin/esfltmcbakmev -d 15671⤵
-
/usr/bin/dkzokv/usr/bin/dkzokv -d 15671⤵
-
/usr/bin/tqqvqpddhnjzu/usr/bin/tqqvqpddhnjzu -d 15671⤵
-
/usr/bin/shyvjihnf/usr/bin/shyvjihnf -d 15671⤵
-
/usr/bin/ssbgezu/usr/bin/ssbgezu -d 15671⤵
-
/usr/bin/rkujbxmik/usr/bin/rkujbxmik -d 15671⤵
-
/usr/bin/jhtdoryzcio/usr/bin/jhtdoryzcio -d 15671⤵
-
/usr/bin/mhdpphqmghy/usr/bin/mhdpphqmghy -d 15671⤵
-
/usr/bin/qaxekk/usr/bin/qaxekk -d 15671⤵
-
/usr/bin/urwxhqyiuiwdu/usr/bin/urwxhqyiuiwdu -d 15671⤵
-
/usr/bin/hlxqcjxjhxcjx/usr/bin/hlxqcjxjhxcjx -d 15671⤵
-
/usr/bin/ujmqck/usr/bin/ujmqck -d 15671⤵
-
/usr/bin/lantuvrarx/usr/bin/lantuvrarx -d 15671⤵
-
/usr/bin/duzffyqoysavdu/usr/bin/duzffyqoysavdu -d 15671⤵
-
/usr/bin/pmizbtcpmwkdy/usr/bin/pmizbtcpmwkdy -d 15671⤵
-
/usr/bin/chhyjmdh/usr/bin/chhyjmdh -d 15671⤵
-
/usr/bin/uhxucaqkrcssdn/usr/bin/uhxucaqkrcssdn -d 15671⤵
-
/usr/bin/uzrffrjj/usr/bin/uzrffrjj -d 15671⤵
-
/usr/bin/qikenti/usr/bin/qikenti -d 15671⤵
-
/usr/bin/bfdfhtq/usr/bin/bfdfhtq -d 15671⤵
-
/usr/bin/xktdynxzg/usr/bin/xktdynxzg -d 15671⤵
-
/usr/bin/gynqzfa/usr/bin/gynqzfa -d 15671⤵
-
/usr/bin/jpeszfz/usr/bin/jpeszfz -d 15671⤵
-
/usr/bin/ljydjvnc/usr/bin/ljydjvnc -d 15671⤵
-
/usr/bin/lqylyarwqjxvli/usr/bin/lqylyarwqjxvli -d 15671⤵
-
/usr/bin/bnzauaehjekva/usr/bin/bnzauaehjekva -d 15671⤵
-
/usr/bin/xanpyaqbumtdmo/usr/bin/xanpyaqbumtdmo -d 15671⤵
-
/usr/bin/utqjusgvynedaz/usr/bin/utqjusgvynedaz -d 15671⤵
-
/usr/bin/azhpqiqglkve/usr/bin/azhpqiqglkve -d 15671⤵
-
/usr/bin/jsedmwpiovdpk/usr/bin/jsedmwpiovdpk -d 15671⤵
-
/usr/bin/sklxmke/usr/bin/sklxmke -d 15671⤵
-
/usr/bin/doulzeidtrw/usr/bin/doulzeidtrw -d 15671⤵
-
/usr/bin/xkumslj/usr/bin/xkumslj -d 15671⤵
-
/usr/bin/atgugr/usr/bin/atgugr -d 15671⤵
-
/usr/bin/sexwhoqunudr/usr/bin/sexwhoqunudr -d 15671⤵
-
/usr/bin/unorxkdrvonx/usr/bin/unorxkdrvonx -d 15671⤵
-
/usr/bin/vronkitkhayxw/usr/bin/vronkitkhayxw -d 15671⤵
-
/usr/bin/uzekur/usr/bin/uzekur -d 15671⤵
-
/usr/bin/nqktighxfp/usr/bin/nqktighxfp -d 15671⤵
-
/usr/bin/hqzlcvfcixnbh/usr/bin/hqzlcvfcixnbh -d 15671⤵
-
/usr/bin/xfijqbtxdtw/usr/bin/xfijqbtxdtw -d 15671⤵
-
/usr/bin/jfaaazikjylexo/usr/bin/jfaaazikjylexo -d 15671⤵
-
/usr/bin/tphmqsqlzt/usr/bin/tphmqsqlzt -d 15671⤵
-
/usr/bin/xixefilfln/usr/bin/xixefilfln -d 15671⤵
-
/usr/bin/txqtkwqaw/usr/bin/txqtkwqaw -d 15671⤵
-
/usr/bin/qdxgyouzjqwr/usr/bin/qdxgyouzjqwr -d 15671⤵
-
/usr/bin/dyyqfjgm/usr/bin/dyyqfjgm -d 15671⤵
-
/usr/bin/dezqbp/usr/bin/dezqbp -d 15671⤵
-
/usr/bin/zaifapdole/usr/bin/zaifapdole -d 15671⤵
-
/usr/bin/bbqsgoqyt/usr/bin/bbqsgoqyt -d 15671⤵
-
/usr/bin/eihkmgapxqpa/usr/bin/eihkmgapxqpa -d 15671⤵
-
/usr/bin/uaqzqddnggf/usr/bin/uaqzqddnggf -d 15671⤵
-
/usr/bin/ovpnqstyadlifc/usr/bin/ovpnqstyadlifc -d 15671⤵
-
/usr/bin/yrgzniroyusna/usr/bin/yrgzniroyusna -d 15671⤵
-
/usr/bin/sypnpefkzem/usr/bin/sypnpefkzem -d 15671⤵
-
/usr/bin/ruktcinkhcsy/usr/bin/ruktcinkhcsy -d 15671⤵
-
/usr/bin/quldwlxxcm/usr/bin/quldwlxxcm -d 15671⤵
-
/usr/bin/isyiwknphxkji/usr/bin/isyiwknphxkji -d 15671⤵
-
/usr/bin/urcmsvf/usr/bin/urcmsvf -d 15671⤵
-
/usr/bin/gkjtiiyu/usr/bin/gkjtiiyu -d 15671⤵
-
/usr/bin/iovqmhfbof/usr/bin/iovqmhfbof -d 15671⤵
-
/usr/bin/annwepkymp/usr/bin/annwepkymp -d 15671⤵
-
/usr/bin/sawokgmg/usr/bin/sawokgmg -d 15671⤵
-
/usr/bin/wvznhhulxzzzo/usr/bin/wvznhhulxzzzo -d 15671⤵
-
/usr/bin/vvegtqxglx/usr/bin/vvegtqxglx -d 15671⤵
-
/usr/bin/zjknqpjloy/usr/bin/zjknqpjloy -d 15671⤵
-
/usr/bin/xtfvuewjrsgxy/usr/bin/xtfvuewjrsgxy -d 15671⤵
-
/usr/bin/nviyvoxgzm/usr/bin/nviyvoxgzm -d 15671⤵
-
/usr/bin/owjewecrlzmqv/usr/bin/owjewecrlzmqv -d 15671⤵
-
/usr/bin/jndgnevlougdto/usr/bin/jndgnevlougdto -d 15671⤵
-
/usr/bin/ilsgwyc/usr/bin/ilsgwyc -d 15671⤵
-
/usr/bin/aumbgex/usr/bin/aumbgex -d 15671⤵
-
/usr/bin/pmkvaosnf/usr/bin/pmkvaosnf -d 15671⤵
-
/usr/bin/viijmqwgwt/usr/bin/viijmqwgwt -d 15671⤵
-
/usr/bin/athuhic/usr/bin/athuhic -d 15671⤵
-
/usr/bin/hjcwtzykslp/usr/bin/hjcwtzykslp -d 15671⤵
-
/usr/bin/gxqplimrghx/usr/bin/gxqplimrghx -d 15671⤵
-
/usr/bin/aedkpix/usr/bin/aedkpix -d 15671⤵
-
/usr/bin/rculbsvtfmcll/usr/bin/rculbsvtfmcll -d 15671⤵
-
/usr/bin/dwdrpjymsatw/usr/bin/dwdrpjymsatw -d 15671⤵
-
/usr/bin/kemivofipzflfr/usr/bin/kemivofipzflfr -d 15671⤵
-
/usr/bin/qcjvamop/usr/bin/qcjvamop -d 15671⤵
-
/usr/bin/meopzmb/usr/bin/meopzmb -d 15671⤵
-
/usr/bin/qntodyw/usr/bin/qntodyw -d 15671⤵
-
/usr/bin/ycgdvxv/usr/bin/ycgdvxv -d 15671⤵
-
/usr/bin/grathsruwhj/usr/bin/grathsruwhj -d 15671⤵
-
/usr/bin/umgkazyfyxa/usr/bin/umgkazyfyxa -d 15671⤵
-
/usr/bin/zgdudyumrxf/usr/bin/zgdudyumrxf -d 15671⤵
-
/usr/bin/pyvnfgizsqmu/usr/bin/pyvnfgizsqmu -d 15671⤵
-
/usr/bin/kapjapk/usr/bin/kapjapk -d 15671⤵
-
/usr/bin/sfotbakahl/usr/bin/sfotbakahl -d 15671⤵
-
/usr/bin/fgclommheyd/usr/bin/fgclommheyd -d 15671⤵
-
/usr/bin/ldlugb/usr/bin/ldlugb -d 15671⤵
-
/usr/bin/ptmdmpgzq/usr/bin/ptmdmpgzq -d 15671⤵
-
/usr/bin/mfvvkijy/usr/bin/mfvvkijy -d 15671⤵
-
/usr/bin/qdtuzezkafn/usr/bin/qdtuzezkafn -d 15671⤵
-
/usr/bin/wjrcvh/usr/bin/wjrcvh -d 15671⤵
-
/usr/bin/cvydhylveh/usr/bin/cvydhylveh -d 15671⤵
-
/usr/bin/wzxjeueqcprxgw/usr/bin/wzxjeueqcprxgw -d 15671⤵
-
/usr/bin/xjbetydtjk/usr/bin/xjbetydtjk -d 15671⤵
-
/usr/bin/pcsevrmrjqmjuu/usr/bin/pcsevrmrjqmjuu -d 15671⤵
-
/usr/bin/frnovlaw/usr/bin/frnovlaw -d 15671⤵
Network
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
1Boot or Logon Initialization Scripts
1RC Scripts
1Scheduled Task/Job
1Cron
1Privilege Escalation
Boot or Logon Autostart Execution
1Boot or Logon Initialization Scripts
1RC Scripts
1Scheduled Task/Job
1Cron
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
16B
MD5076933ff9904d1110d896e2c525e39e5
SHA14188442577fa77f25820d9b2d01cc446e30684ac
SHA2564cbbd8ca5215b8d161aec181a74b694f4e24b001d5b081dc0030ed797a8973e0
SHA5126fcee9a7b7a7b821d241c03c82377928bc6882e7a08c78a4221199bfa220cdc55212273018ee613317c8293bb8d1ce08d1e017508e94e06ab85a734c99c7cc34
-
Filesize
155B
MD5eee5e3b4ebaf512af1bd7c0f93d1e727
SHA1e9fcc62f76b43dab21a49114e05410d19542c4a1
SHA2567c6ddc7a796231cd646a4370cb0f422f4e929373453da7833e84a96df3bf5c13
SHA512e1c4996c46c6ff25ee9a029c400fb827e75c15772c56fc83e41e4a49a99d8742f4bc8a46d63e7c6ab100b6acefeb523896256703400f9d7406cac520cc230fe5
-
Filesize
32B
MD5005f736884123978530a5a900d5e7a09
SHA1aa0584a9f95b333048f63aa52764cfd765e6cb52
SHA256703d5b6415de375c12f6ec243b0c67053a63da8a5150103531e0b49b02e03594
SHA512bebf8ad75f6c1ff01657d884fa596b0e81e8143aef743caa21cd33d967adfc0acf24b8a34f1543d2bfb6145e789ad891ac7ca535b9def9e38549293c52c9732a
-
Filesize
326B
MD52e49d12ff41bc24eb71c21c2f46af44c
SHA1110cfd01064308cde034ef7f4be142a75c9951c1
SHA2560e09ce20ebb1345db1493de31676de95a7fd32af38d8208e0bad85072036bf33
SHA512853ccdda6346325ef5c7219e1d29dcb267e6f13d6f20bbd1a6bdb09be8f7393e9d63ea25e08e02142c1d18bfdf1107b129eeda076ba743e0510b9b3979ee08ec
-
Filesize
549KB
MD569a56c627bf5d215a7276025ee06d7ea
SHA1394697b9ddaf066a4074707b0fa4a1667fcd286e
SHA2564352fde5afe2b51bc44c4f0f54da87d9b1cc8ae4f58e99fa626534fee13b3384
SHA5120251507d7bcfb30498615ff03ddac7f9cf9f6694a27ca6dba6278d078c68874840f0e1b1a6fbb6b246b0a4b0822a5c4896e9cf57f7dbd2b5e84b63ad7c7a9366