Analysis

  • max time kernel
    36s
  • max time network
    34s
  • platform
    ubuntu-24.04_amd64
  • resource
    ubuntu2404-amd64-20240523-en
  • resource tags

    arch:amd64
    arch:i386
    image:ubuntu2404-amd64-20240523-en
    kernel:6.8.0-31-generic
    locale:en-us
    os:ubuntu-24.04-amd64
    system
  • submitted
    05-07-2024 11:59

General

  • Target

    112

  • Size

    549KB

  • MD5

    f9191bab1e834d4aef3380700639cee9

  • SHA1

    9c20269df6694260a24ac783de2e30d627a6928a

  • SHA256

    ea40ecec0b30982fbb1662e67f97f0e9d6f43d2d587f2f588525fae683abea73

  • SHA512

    3d2758fe2d06183e627b5cc24919c08c84108f2efd7ab0a162029d55537476410d9535d50f3eb059f7153f7482c134284862eea121201f82838aace4b12283b5

  • SSDEEP

    12288:VeRvuKqiVZ4En5drNK0pPEfJKlHZ8mG97Qxee6yzmx:VIv/qiVNHNDEfJKHZ8mG9QeeO

Malware Config

Extracted

Family

xorddos

C2

api.markerbio.com:112

api.enoan2107.com:112

http://qq.com/lib.asp

Attributes
  • crc_polynomial

    CDB88320

xor.plain

Signatures

  • XorDDoS

    Botnet and downloader malware targeting Linux-based operating systems and IoT devices.

  • XorDDoS payload 1 IoCs
  • Writes memory of remote process 2 IoCs
  • Loads a kernel module 60 IoCs

    Loads a Linux kernel module, potentially to achieve persistence

  • Unexpected DNS network traffic destination 1 IoCs

    Network traffic to other servers than the configured DNS servers was detected on the DNS port.

Processes

  • /tmp/112
    Command line: /tmp/112
    • Writes memory of remote process
    • Loads a kernel module
    PID: 2448

Network

MITRE ATT&CK Matrix

Downloads

  • /dev/shm/sem.AapLjD
    Filesize

    16B

    MD5

    076933ff9904d1110d896e2c525e39e5

    SHA1

    4188442577fa77f25820d9b2d01cc446e30684ac

    SHA256

    4cbbd8ca5215b8d161aec181a74b694f4e24b001d5b081dc0030ed797a8973e0

    SHA512

    6fcee9a7b7a7b821d241c03c82377928bc6882e7a08c78a4221199bfa220cdc55212273018ee613317c8293bb8d1ce08d1e017508e94e06ab85a734c99c7cc34

  • /etc/cron.hourly/vwclkfdngix.sh
    Filesize

    160B

    MD5

    c838165150dc4162b275366c030f5ceb

    SHA1

    18f73628dc80962958c1e0ac5ed29a18659bb1d0

    SHA256

    7408cc13d5bca73b0ac82f1fb5b8f1e61224a20a567d48cc44dd535f555ed3cb

    SHA512

    dca40856ba80d129f1982a96c252fb0aeca88ed8f55a08f2966cf953dbb494ae7fa6cb2f3d0a5c24ab96af778a62f791185a962147a9be5d0c9bc95bfbe31f68

  • /etc/daemon.cfg
    Filesize

    32B

    MD5

    ad8cf436f2112cf6f540332eb8f9b488

    SHA1

    3d256238e25dd58457da0b639617c87c7ac8d882

    SHA256

    74fa42d0970d3cc12a39d05cca0a705759d8e4fdea56824b5ee88516a09f5817

    SHA512

    1de6750160c1087bb2457ee513606c3832a2f40b7acd56f12d4fa8a3c8e1c1f5f01e3c97a9dddebb76d8781fbb057122a8e8b0a5eda42870eea35180bdf7163f

  • /usr/bin/xigndfklcwv
    Filesize

    549KB

    MD5

    da139d58889be4074d6449a7d036f517

    SHA1

    d4752755adc673b74c2fd96f1acadf47c065abf8

    SHA256

    b5e243e0f48f6ca6b36a2dd38291706e6a298511d5c5fdb77cd5f119b8e26fb0

    SHA512

    7541ff409117a6f713d8afb324071ca8064e8729d325f2bac9a90be1dec729e13cf356bd4e1a3983fb5cd8d2a02e3818a4c04886fdf2c06231effe8b5e0c6152