Analysis

  • max time kernel
    144s
  • max time network
    147s
  • platform
    ubuntu-24.04_amd64
  • resource
    ubuntu2404-amd64-20250410-en
  • resource tags

    arch:amd64, arch:i386, image:ubuntu2404-amd64-20250410-en, kernel:6.8.0-31-generic, locale:en-us, os:ubuntu-24.04-amd64, system
  • submitted
    20/04/2025, 06:42

General

  • Target

    p.txt.elf

  • Size

    535KB

  • MD5

    6147e779a72c49be7d1954ecd328c571

  • SHA1

    3f1d936fb22225d2dea85bd926f28430c811e4c6

  • SHA256

    d360716cab46152dedb9c0b7179d1dc36fc8040be312cf62f76229d1d3145bd7

  • SHA512

    69d2cf66c9ff304cb879c69debe589b304f855bfdc78fe11421e75d4aeb808362101e91afca4ddf158aeed392ec92fb194b68b3b941c9737f981e6bf790b03e1

  • SSDEEP

    12288:4Ufrcn+vwK5ripVU4tdZ1pNL/pVbzu66ySjQn36Eoj:/fUywKQ7Fb1pNL/p5ufjQn36Eu

Malware Config

Extracted

Family

xorddos

C2

https://ww.aass654.com/config.rar

gg.aass654.com:1523

gg.xxcc789.com:1523

gg.vvbb321.com:1523

gg.jjkk567.com:1523

gg.nnmm234.com:1523

Attributes
  • crc_polynomial

    EDB88320

xor.plain

Signatures

  • XorDDoS

    Botnet and downloader malware targeting Linux-based operating systems and IoT devices.

  • XorDDoS payload 31 IoCs
  • Xorddos family
  • Writes memory of remote process 2 IoCs
  • Loads a kernel module 64 IoCs

    Loads a Linux kernel module, potentially to achieve persistence

  • Creates/modifies Cron job 1 TTPs 1 IoCs

    Cron allows running tasks on a schedule, and is commonly used for malware persistence.

  • Reads runtime system information 2 IoCs

    Reads data from /proc virtual filesystem.

Processes

  • /tmp/p.txt.elf
    /tmp/p.txt.elf
    • Writes memory of remote process
    • Loads a kernel module
    • Creates/modifies Cron job
    PID:2044
    • /bin/sed
      sed -i "/\\/etc\\/cron.hourly\\/gcc.sh/d" /etc/crontab
      • Reads runtime system information
      PID:2052
    • /bin/systemctl
      systemctl daemon-reload
      • Reads runtime system information
      PID:2061

Downloads

  • /etc/cron.hourly/gcc.sh

    Filesize

    228B

  • /etc/crontab

    Filesize

    1KB

  • /etc/init.d/p.txt.elf

    Filesize

    310B

  • /etc/sedoub24R

    Filesize

    1KB

  • /run/gcc.pid

    Filesize

    32B

  • /usr/bin/arutmngzgw

    Filesize

    535KB

  • /usr/bin/bcgbvrqcyj

    Filesize

    535KB

  • /usr/bin/bfhplcffwd

    Filesize

    535KB

  • /usr/bin/bgnnqqizgq

    Filesize

    535KB

  • /usr/bin/bhiccysdsh

    Filesize

    535KB

  • /usr/bin/fmuvzixsge

    Filesize

    535KB

  • /usr/bin/itzjtxmtdm

    Filesize

    535KB

  • /usr/bin/jqrqmhbtja

    Filesize

    535KB

  • /usr/bin/kbpbiwjveo

    Filesize

    535KB

  • /usr/bin/kwwjxyieqt

    Filesize

    535KB

  • /usr/bin/mrzzjnixxg

    Filesize

    535KB

  • /usr/bin/ndqpeysflr

    Filesize

    535KB

  • /usr/bin/nghotyjjox

    Filesize

    535KB

  • /usr/bin/nillznvzaq

    Filesize

    535KB

  • /usr/bin/nladrvpshj

    Filesize

    535KB

  • /usr/bin/nmwbjfbghe

    Filesize

    535KB

  • /usr/bin/nufioxondb

    Filesize

    535KB

  • /usr/bin/odhshtdrwk

    Filesize

    535KB

  • /usr/bin/oiifwcvvpf

    Filesize

    535KB

  • /usr/bin/okovormfav

    Filesize

    535KB

  • /usr/bin/osxvjmtnrx

    Filesize

    535KB

  • /usr/bin/pmzfmkrksh

    Filesize

    535KB

  • /usr/bin/pwiedcxgcc

    Filesize

    535KB

  • /usr/bin/qqeyqwebcm

    Filesize

    535KB

  • /usr/bin/qwtnggeljw

    Filesize

    535KB

  • /usr/bin/rtojoxprvc

    Filesize

    535KB

  • /usr/bin/spbvlpqqgg

    Filesize

    535KB

  • /usr/bin/tprkdgwzkc

    Filesize

    535KB

  • /usr/bin/uhefbolbzk

    Filesize

    535KB

  • /usr/bin/vbmdrpfwrx

    Filesize

    535KB

  • /usr/lib/libudev.so

    Filesize

    535KB
