Analysis
-
max time kernel
144s -
max time network
147s -
platform
ubuntu-24.04_amd64 -
resource
ubuntu2404-amd64-20250410-en -
resource tags
arch:amd64, arch:i386, image:ubuntu2404-amd64-20250410-en, kernel:6.8.0-31-generic, locale:en-us, os:ubuntu-24.04-amd64, system -
submitted
20/04/2025, 06:42
Behavioral task
behavioral1
Sample
p.txt.elf
Resource
ubuntu2404-amd64-20250410-en
General
-
Target
p.txt.elf
-
Size
535KB
-
MD5
6147e779a72c49be7d1954ecd328c571
-
SHA1
3f1d936fb22225d2dea85bd926f28430c811e4c6
-
SHA256
d360716cab46152dedb9c0b7179d1dc36fc8040be312cf62f76229d1d3145bd7
-
SHA512
69d2cf66c9ff304cb879c69debe589b304f855bfdc78fe11421e75d4aeb808362101e91afca4ddf158aeed392ec92fb194b68b3b941c9737f981e6bf790b03e1
-
SSDEEP
12288:4Ufrcn+vwK5ripVU4tdZ1pNL/pVbzu66ySjQn36Eoj:/fUywKQ7Fb1pNL/p5ufjQn36Eu
Malware Config
Extracted
xorddos
https://ww.aass654.com/config.rar
gg.aass654.com:1523
gg.xxcc789.com:1523
gg.vvbb321.com:1523
gg.jjkk567.com:1523
gg.nnmm234.com:1523
-
crc_polynomial
EDB88320
Signatures
-
XorDDoS
Botnet and downloader malware targeting Linux-based operating systems and IoT devices.
-
XorDDoS payload 31 IoCs
resource                           yara_rule
behavioral1/files/fstream-6.dat    family_xorddos
behavioral1/files/fstream-7.dat    family_xorddos
behavioral1/files/fstream-8.dat    family_xorddos
behavioral1/files/fstream-9.dat    family_xorddos
behavioral1/files/fstream-10.dat   family_xorddos
behavioral1/files/fstream-11.dat   family_xorddos
behavioral1/files/fstream-12.dat   family_xorddos
behavioral1/files/fstream-13.dat   family_xorddos
behavioral1/files/fstream-14.dat   family_xorddos
behavioral1/files/fstream-15.dat   family_xorddos
behavioral1/files/fstream-16.dat   family_xorddos
behavioral1/files/fstream-17.dat   family_xorddos
behavioral1/files/fstream-18.dat   family_xorddos
behavioral1/files/fstream-19.dat   family_xorddos
behavioral1/files/fstream-20.dat   family_xorddos
behavioral1/files/fstream-21.dat   family_xorddos
behavioral1/files/fstream-22.dat   family_xorddos
behavioral1/files/fstream-23.dat   family_xorddos
behavioral1/files/fstream-24.dat   family_xorddos
behavioral1/files/fstream-25.dat   family_xorddos
behavioral1/files/fstream-26.dat   family_xorddos
behavioral1/files/fstream-27.dat   family_xorddos
behavioral1/files/fstream-28.dat   family_xorddos
behavioral1/files/fstream-29.dat   family_xorddos
behavioral1/files/fstream-30.dat   family_xorddos
behavioral1/files/fstream-31.dat   family_xorddos
behavioral1/files/fstream-32.dat   family_xorddos
behavioral1/files/fstream-33.dat   family_xorddos
behavioral1/files/fstream-34.dat   family_xorddos
behavioral1/files/fstream-35.dat   family_xorddos
behavioral1/files/fstream-36.dat   family_xorddos
-
Xorddos family
-
Writes memory of remote process 2 IoCs
pid    Process
2044   p.txt.elf
2053   p.txt.elf
-
Loads a kernel module 64 IoCs
Loads a Linux kernel module, potentially to achieve persistence
pid    Process
2044   p.txt.elf
2045   p.txt.elf
2050   p.txt.elf
2045   p.txt.elf
2054   p.txt.elf
2053   p.txt.elf
2055   p.txt.elf
2045   p.txt.elf
2057   p.txt.elf
2059   p.txt.elf
2067   p.txt.elf
2062   p.txt.elf
2064   p.txt.elf
2069   p.txt.elf
2066   p.txt.elf
2070   p.txt.elf
2071   p.txt.elf
2074   p.txt.elf
2054   p.txt.elf
2053   p.txt.elf
2053   p.txt.elf
2045   p.txt.elf
2045   p.txt.elf
2067   p.txt.elf
2067   p.txt.elf
2069   p.txt.elf
2069   p.txt.elf
2070   p.txt.elf
2070   p.txt.elf
2071   p.txt.elf
2071   p.txt.elf
2074   p.txt.elf
2074   p.txt.elf
2054   p.txt.elf
2053   p.txt.elf
2053   p.txt.elf
2067   p.txt.elf
2067   p.txt.elf
2069   p.txt.elf
2069   p.txt.elf
2070   p.txt.elf
2070   p.txt.elf
2071   p.txt.elf
2071   p.txt.elf
2074   p.txt.elf
2074   p.txt.elf
2053   p.txt.elf
2053   p.txt.elf
2067   p.txt.elf
2067   p.txt.elf
2069   p.txt.elf
2069   p.txt.elf
2070   p.txt.elf
2070   p.txt.elf
2071   p.txt.elf
2071   p.txt.elf
2074   p.txt.elf
2074   p.txt.elf
2053   p.txt.elf
2053   p.txt.elf
2067   p.txt.elf
2067   p.txt.elf
2069   p.txt.elf
2069   p.txt.elf
-
Creates/modifies Cron job 1 TTPs 1 IoCs
Cron allows running tasks on a schedule, and is commonly used for malware persistence.
description                    ioc            Process
File opened for modification   /etc/crontab   p.txt.elf
-
description               ioc                 Process
File opened for reading   /proc/filesystems   sed
File opened for reading   /proc/filesystems   systemctl
Processes
-
/tmp/p.txt.elf (command line: /tmp/p.txt.elf)
- Writes memory of remote process
- Loads a kernel module
- Creates/modifies Cron job
PID:2044
-
  /bin/sed (command line: sed -i "/\\/etc\\/cron.hourly\\/gcc.sh/d" /etc/crontab)
  - Reads runtime system information
  PID:2052
-
  /bin/systemctl (command line: systemctl daemon-reload)
  - Reads runtime system information
  PID:2061
-
Network
MITRE ATT&CK Enterprise v16
Downloads