Analysis Overview
SHA256
d360716cab46152dedb9c0b7179d1dc36fc8040be312cf62f76229d1d3145bd7
Threat Level: Known bad
The file p.txt.elf was found to be: Known bad.
Malicious Activity Summary
Xorddos family
XorDDoS
XorDDoS payload
Writes memory of remote process
Loads a kernel module
Creates/modifies Cron job
Reads runtime system information
MITRE ATT&CK
Enterprise Matrix V16
Analysis: static1
Detonation Overview
Reported
2025-04-20 06:42
Signatures
XorDDoS payload
Xorddos family
Analysis: behavioral1
Detonation Overview
Submitted
2025-04-20 06:42
Reported
2025-04-20 06:45
Platform
ubuntu2404-amd64-20250410-en
Max time kernel
144s
Max time network
147s
Signatures
XorDDoS
XorDDoS payload
Xorddos family
Writes memory of remote process
| Description | Indicator | Process | Target |
| N/A | N/A | /tmp/p.txt.elf | N/A |
| N/A | N/A | /tmp/p.txt.elf | N/A |
Loads a kernel module
Creates/modifies Cron job
| Description | Indicator | Process | Target |
| File opened for modification | /etc/crontab | /tmp/p.txt.elf | N/A |
Reads runtime system information
| Description | Indicator | Process | Target |
| File opened for reading | /proc/filesystems | /bin/sed | N/A |
| File opened for reading | /proc/filesystems | /bin/systemctl | N/A |
Processes
/tmp/p.txt.elf
[/tmp/p.txt.elf]
/bin/sed
[sed -i /\/etc\/cron.hourly\/gcc.sh/d /etc/crontab]
/bin/systemctl
[systemctl daemon-reload]
Network
| Country | Destination | Domain | Proto |
| N/A | 224.0.0.251:5353 | | udp |
| US | 8.8.8.8:53 | gg.nnmm234.com | udp |
| US | 8.8.4.4:53 | gg.nnmm234.com | udp |
| US | 8.8.8.8:53 | gg.nnmm234.com | udp |
| US | 8.8.8.8:53 | gg.jjkk567.com | udp |
| US | 8.8.4.4:53 | gg.jjkk567.com | udp |
| US | 8.8.8.8:53 | gg.jjkk567.com | udp |
| US | 8.8.8.8:53 | gg.vvbb321.com | udp |
| US | 198.2.208.59:1523 | gg.vvbb321.com | tcp |
Files
/etc/init.d/p.txt.elf
/etc/cron.hourly/gcc.sh
/etc/sedoub24R
/etc/crontab
/usr/lib/libudev.so
/run/gcc.pid
/usr/bin/ndqpeysflr
/usr/bin/nghotyjjox
/usr/bin/bgnnqqizgq
/usr/bin/tprkdgwzkc
/usr/bin/uhefbolbzk
/usr/bin/kwwjxyieqt
/usr/bin/itzjtxmtdm
/usr/bin/qwtnggeljw
/usr/bin/fmuvzixsge
/usr/bin/qqeyqwebcm
/usr/bin/nillznvzaq
/usr/bin/nmwbjfbghe
/usr/bin/odhshtdrwk
/usr/bin/okovormfav
/usr/bin/bfhplcffwd
/usr/bin/osxvjmtnrx
/usr/bin/nufioxondb
/usr/bin/rtojoxprvc
/usr/bin/arutmngzgw
/usr/bin/pwiedcxgcc
/usr/bin/spbvlpqqgg
/usr/bin/oiifwcvvpf
/usr/bin/mrzzjnixxg
/usr/bin/vbmdrpfwrx
/usr/bin/nladrvpshj
/usr/bin/bcgbvrqcyj
/usr/bin/jqrqmhbtja
/usr/bin/bhiccysdsh
/usr/bin/kbpbiwjveo
/usr/bin/pmzfmkrksh