xorddos | ea40ecec0b30982fbb1662e67f97f0e9d6f43d2d587f2f588525fae683abea73

General

Target

112.elf
Size

549KB
MD5

f9191bab1e834d4aef3380700639cee9
SHA1

9c20269df6694260a24ac783de2e30d627a6928a
SHA256

ea40ecec0b30982fbb1662e67f97f0e9d6f43d2d587f2f588525fae683abea73
SHA512

3d2758fe2d06183e627b5cc24919c08c84108f2efd7ab0a162029d55537476410d9535d50f3eb059f7153f7482c134284862eea121201f82838aace4b12283b5
SSDEEP

12288:VeRvuKqiVZ4En5drNK0pPEfJKlHZ8mG97Qxee6yzmx:VIv/qiVNHNDEfJKHZ8mG9QeeO

Score

10^/10

xorddos botnet downloader persistence

Malware Config

Extracted

Family

xorddos

C2

api.markerbio.com:112

api.enoan2107.com:112

http://qq.com/lib.asp

Attributes

crc_polynomial
CDB88320

xor.plain

Signatures

XorDDoS
Botnet and downloader malware targeting Linux-based operating systems and IoT devices.
botnet downloader xorddos
XorDDoS payload 1 IoCs

Processes:

resource yara_rule

/usr/bin/hynadtsowyl family_xorddos

resource	yara_rule
/usr/bin/hynadtsowyl	family_xorddos

Deletes itself 64 IoCs

Processes:

pid
1588
1599
1603
1608
1609
1612
1638
1639
1644
1647
1648
1653
1655
1661
1662
1665
1673
1674
1679
1682
1683
1688
1689
1694
1696
1698
1702
1704
1707
1710
1713
1717
1721
1722
1727
1728
1735
1736
1739
1744
1745
1750
1751
1754
1757
1760
1763
1766
1769
1772
1775
1778
1781
1784
1787
1790
1793
1796
1799
1802
1805
1808
1811
1814

Executes dropped EXE 64 IoCs

Processes:

hynadtsowylzmpxfeosezjhxazuhkfumwiomixppwseajbbfwenvmrpyxkkvsajhyfoefzprbqwzwucxosxlcjgjrducchsypunivdewqqcpgunryyzxkcomgkoycojndcoclntnrosptrlnkpyjykzmqoxgrauxckxscnmtdhwndmnomommgblulirppcogcwzlaihpmfajcowqxcjtpslfpvrxzoykqhshtmvzpkvhhuqpbicisrdjqzpnpwhzrxlmwytkhpvyeiheaaimtnladgkczhplfsmetrztxwcgcehqazekcjqmnpvccuqeykvyswhzaoigkokusvmidblhfylgkggpbezcnkttwigqabehkhxoseodymqonunrbcbwvebphftrccoswshafovvdsiuvkvriyllhqgjibxaashcvpqskmvnhhkzpexdrevdffgchiukrgamqvynigvuhaerrknosvxufgrwqkctuovkzbtituollycrszomewfnqeimbyhxkstunnkaakaeseshiooldeplrsaflnzejntupwsaikectpqiumrhfmvirhvrlehavdhndrattzjdbfsupgkhyrerfxmlurukulmghfqlixddm

ioc	pid	process
/usr/bin/hynadtsowyl	1591	hynadtsowyl
/usr/bin/zmpxfeosezj	1596	zmpxfeosezj
/usr/bin/hxazuhkfumwio	1598	hxazuhkfumwio
/usr/bin/mixppwsea	1605	mixppwsea
/usr/bin/jbbfwenv	1607	jbbfwenv
/usr/bin/mrpyxkkvsajh	1611	mrpyxkkvsajh
/usr/bin/yfoefzprbqwzw	1635	yfoefzprbqwzw
/usr/bin/ucxosxlcjg	1637	ucxosxlcjg
/usr/bin/jrducc	1641	jrducc
/usr/bin/hsypunivdew	1643	hsypunivdew
/usr/bin/qqcpgunryyzxk	1646	qqcpgunryyzxk
/usr/bin/comgkoyc	1650	comgkoyc
/usr/bin/ojndco	1652	ojndco
/usr/bin/clntnrosptrlnk	1657	clntnrosptrlnk
/usr/bin/pyjykz	1660	pyjykz
/usr/bin/mqoxgrauxc	1664	mqoxgrauxc
/usr/bin/kxscnmt	1670	kxscnmt
/usr/bin/dhwndmnom	1672	dhwndmnom
/usr/bin/ommgbl	1676	ommgbl
/usr/bin/ulirppco	1678	ulirppco
/usr/bin/gcwzlaihpm	1681	gcwzlaihpm
/usr/bin/fajcowq	1685	fajcowq
/usr/bin/xcjtpslf	1687	xcjtpslf
/usr/bin/pvrxzoykqhsht	1691	pvrxzoykqhsht
/usr/bin/mvzpkvhhu	1693	mvzpkvhhu
/usr/bin/qpbicisrdjq	1697	qpbicisrdjq
/usr/bin/zpnpwhzrxlmw	1700	zpnpwhzrxlmw
/usr/bin/ytkhpvye	1703	ytkhpvye
/usr/bin/iheaaimtnl	1706	iheaaimtnl
/usr/bin/adgkczhplfsm	1709	adgkczhplfsm
/usr/bin/etrztxwcgceh	1712	etrztxwcgceh
/usr/bin/qazekcjqmnpvc	1715	qazekcjqmnpvc
/usr/bin/cuqeykvy	1718	cuqeykvy
/usr/bin/swhzaoi	1720	swhzaoi
/usr/bin/gkokusvm	1724	gkokusvm
/usr/bin/idblhf	1726	idblhf
/usr/bin/ylgkggpbezc	1732	ylgkggpbezc
/usr/bin/nkttwigqabehkh	1734	nkttwigqabehkh
/usr/bin/xoseod	1738	xoseod
/usr/bin/ymqonunrbcbwv	1741	ymqonunrbcbwv
/usr/bin/ebphft	1743	ebphft
/usr/bin/rccoswsha	1747	rccoswsha
/usr/bin/fovvdsiuvkvri	1749	fovvdsiuvkvri
/usr/bin/yllhqg	1753	yllhqg
/usr/bin/jibxaashcvpqsk	1756	jibxaashcvpqsk
/usr/bin/mvnhhkzpexdrev	1759	mvnhhkzpexdrev
/usr/bin/dffgchiu	1762	dffgchiu
/usr/bin/krgamqvynigvuh	1765	krgamqvynigvuh
/usr/bin/aerrkno	1768	aerrkno
/usr/bin/svxufgrwqkct	1771	svxufgrwqkct
/usr/bin/uovkzb	1774	uovkzb
/usr/bin/tituoll	1777	tituoll
/usr/bin/ycrszomewf	1780	ycrszomewf
/usr/bin/nqeimbyh	1783	nqeimbyh
/usr/bin/xkstunnkaakae	1786	xkstunnkaakae
/usr/bin/seshiooldeplrs	1789	seshiooldeplrs
/usr/bin/aflnzejntupw	1792	aflnzejntupw
/usr/bin/saikectpqi	1795	saikectpqi
/usr/bin/umrhfmvirhvrle	1798	umrhfmvirhvrle
/usr/bin/havdhndra	1801	havdhndra
/usr/bin/ttzjdbfsup	1804	ttzjdbfsup
/usr/bin/gkhyrerf	1807	gkhyrerf
/usr/bin/xmlurukulmg	1810	xmlurukulmg
/usr/bin/hfqlixddm	1813	hfqlixddm

Unexpected DNS network traffic destination 1 IoCs
Network traffic to other servers than the configured DNS servers was detected on the DNS port.

Processes:

description ioc

Destination IP 114.114.114.114
Creates/modifies Cron job 1 TTPs 1 IoCs
Cron allows running tasks on a schedule, and is commonly used for malware persistence.
persistence

Scheduled Task/Job
T1053

Processes:

hynadtsowyl

description ioc process

File opened for modification /etc/cron.hourly/lywostdanyh.sh hynadtsowyl
Enumerates active TCP sockets 1 TTPs 1 IoCs
Gets active TCP sockets from /proc virtual filesystem.

System Network Connections Discovery
T1049

Processes:

hynadtsowyl

description ioc process

File opened for reading /proc/net/tcp hynadtsowyl
Enumerates running processes
Discovers information about currently running processes on the system
Modifies init.d 1 TTPs 1 IoCs
Adds/modifies system service, likely for persistence.
persistence

Boot or Logon Autostart Execution
T1547

Processes:

hynadtsowyl

description ioc process

File opened for modification /etc/init.d/lywostdanyh hynadtsowyl

description	ioc
Destination IP	114.114.114.114

description	ioc	process
File opened for modification	/etc/cron.hourly/lywostdanyh.sh	hynadtsowyl

description	ioc	process
File opened for reading	/proc/net/tcp	hynadtsowyl

description	ioc	process
File opened for modification	/etc/init.d/lywostdanyh	hynadtsowyl

Write file to user bin folder 1 TTPs 64 IoCs

Hijack Execution Flow

T1574

Processes:

hynadtsowyl112.elf

description	ioc	process
File opened for modification	/usr/bin/gcwzlaihpm	hynadtsowyl
File opened for modification	/usr/bin/ylgkggpbezc	hynadtsowyl
File opened for modification	/usr/bin/mvnhhkzpexdrev	hynadtsowyl
File opened for modification	/usr/bin/tkmcgl	hynadtsowyl
File opened for modification	/usr/bin/wjzdlupzww	hynadtsowyl
File opened for modification	/usr/bin/rmhybeoxl	hynadtsowyl
File opened for modification	/usr/bin/ytkhpvye	hynadtsowyl
File opened for modification	/usr/bin/cqsihjyrq	hynadtsowyl
File opened for modification	/usr/bin/mdldlwdt	hynadtsowyl
File opened for modification	/usr/bin/wvogbylhn	hynadtsowyl
File opened for modification	/usr/bin/fqmplnobzupyi	hynadtsowyl
File opened for modification	/usr/bin/fovvdsiuvkvri	hynadtsowyl
File opened for modification	/usr/bin/lzmlsqcx	hynadtsowyl
File opened for modification	/usr/bin/bjzleczlqloxg	hynadtsowyl
File opened for modification	/usr/bin/lxyjnoyerldn	hynadtsowyl
File opened for modification	/usr/bin/wgrumpsgjqijwg	hynadtsowyl
File opened for modification	/usr/bin/mrpyxkkvsajh	hynadtsowyl
File opened for modification	/usr/bin/mqoxgrauxc	hynadtsowyl
File opened for modification	/usr/bin/pvrxzoykqhsht	hynadtsowyl
File opened for modification	/usr/bin/wyazxriqgkorx	hynadtsowyl
File opened for modification	/usr/bin/mkzgyrroiwuj	hynadtsowyl
File opened for modification	/usr/bin/cylwjdyyirvzgz	hynadtsowyl
File opened for modification	/usr/bin/snkxwxqsmr	hynadtsowyl
File opened for modification	/usr/bin/ulirppco	hynadtsowyl
File opened for modification	/usr/bin/cuqeykvy	hynadtsowyl
File opened for modification	/usr/bin/yllhqg	hynadtsowyl
File opened for modification	/usr/bin/svxufgrwqkct	hynadtsowyl
File opened for modification	/usr/bin/ycrszomewf	hynadtsowyl
File opened for modification	/usr/bin/ifxevxtp	hynadtsowyl
File opened for modification	/usr/bin/hrercbxmdxxbg	hynadtsowyl
File opened for modification	/usr/bin/lywostdanyh	hynadtsowyl
File opened for modification	/usr/bin/ucxosxlcjg	hynadtsowyl
File opened for modification	/usr/bin/seshiooldeplrs	hynadtsowyl
File opened for modification	/usr/bin/saikectpqi	hynadtsowyl
File opened for modification	/usr/bin/zoyixzgqrdyth	hynadtsowyl
File opened for modification	/usr/bin/yarumomxhexjt	hynadtsowyl
File opened for modification	/usr/bin/mvzpkvhhu	hynadtsowyl
File opened for modification	/usr/bin/ymqonunrbcbwv	hynadtsowyl
File opened for modification	/usr/bin/xomgnzlwbnedos	hynadtsowyl
File opened for modification	/usr/bin/wwtuyayew	hynadtsowyl
File opened for modification	/usr/bin/yfoefzprbqwzw	hynadtsowyl
File opened for modification	/usr/bin/idblhf	hynadtsowyl
File opened for modification	/usr/bin/aerrkno	hynadtsowyl
File opened for modification	/usr/bin/blpycjizxufbbn	hynadtsowyl
File opened for modification	/usr/bin/gkdenkxaoiv	hynadtsowyl
File opened for modification	/usr/bin/hsypunivdew	hynadtsowyl
File opened for modification	/usr/bin/kxscnmt	hynadtsowyl
File opened for modification	/usr/bin/jibxaashcvpqsk	hynadtsowyl
File opened for modification	/usr/bin/gkhyrerf	hynadtsowyl
File opened for modification	/usr/bin/qazekcjqmnpvc	hynadtsowyl
File opened for modification	/usr/bin/uovkzb	hynadtsowyl
File opened for modification	/usr/bin/xmlurukulmg	hynadtsowyl
File opened for modification	/usr/bin/whxxywfvxnn	hynadtsowyl
File opened for modification	/usr/bin/hynadtsowyl	112.elf
File opened for modification	/usr/bin/zmpxfeosezj	hynadtsowyl
File opened for modification	/usr/bin/xxkwkqijxl	hynadtsowyl
File opened for modification	/usr/bin/oprclxwy	hynadtsowyl
File opened for modification	/usr/bin/eshqnxwlp	hynadtsowyl
File opened for modification	/usr/bin/zpnpwhzrxlmw	hynadtsowyl
File opened for modification	/usr/bin/vlpqlhxmf	hynadtsowyl
File opened for modification	/usr/bin/ojhxuyuam	hynadtsowyl
File opened for modification	/usr/bin/hxbmwsqfgtsl	hynadtsowyl
File opened for modification	/usr/bin/akvhqqzbxrsyif	hynadtsowyl
File opened for modification	/usr/bin/opknnybqjbgg	hynadtsowyl

Reads system network configuration 1 TTPs 1 IoCs
Uses contents of /proc filesystem to enumerate network settings.

System Network Configuration Discovery
T1016

Processes:

hynadtsowyl

description ioc process

File opened for reading /proc/net/tcp hynadtsowyl

description	ioc	process
File opened for reading	/proc/net/tcp	hynadtsowyl

Reads runtime system information 64 IoCs

Reads data from /proc virtual filesystem.

Processes:

hynadtsowyl

description	ioc	process
File opened for reading	/proc/1154/fd	hynadtsowyl
File opened for reading	/proc/1728/fd	hynadtsowyl
File opened for reading	/proc/1736/fd	hynadtsowyl
File opened for reading	/proc/1826/fd	hynadtsowyl
File opened for reading	/proc/1865/fd	hynadtsowyl
File opened for reading	/proc/446/fd	hynadtsowyl
File opened for reading	/proc/693/fd	hynadtsowyl
File opened for reading	/proc/1056/fd	hynadtsowyl
File opened for reading	/proc/1159/fd	hynadtsowyl
File opened for reading	/proc/1212/fd	hynadtsowyl
File opened for reading	/proc/2107/fd	hynadtsowyl
File opened for reading	/proc/1829/fd	hynadtsowyl
File opened for reading	/proc/2033/fd	hynadtsowyl
File opened for reading	/proc/838/fd	hynadtsowyl
File opened for reading	/proc/1041/fd	hynadtsowyl
File opened for reading	/proc/1717/fd	hynadtsowyl
File opened for reading	/proc/520/fd	hynadtsowyl
File opened for reading	/proc/754/fd	hynadtsowyl
File opened for reading	/proc/1010/fd	hynadtsowyl
File opened for reading	/proc/1744/fd	hynadtsowyl
File opened for reading	/proc/1074/fd	hynadtsowyl
File opened for reading	/proc/1772/fd	hynadtsowyl
File opened for reading	/proc/2003/fd	hynadtsowyl
File opened for reading	/proc/1268/fd	hynadtsowyl
File opened for reading	/proc/1426/fd	hynadtsowyl
File opened for reading	/proc/1710/fd	hynadtsowyl
File opened for reading	/proc/1841/fd	hynadtsowyl
File opened for reading	/proc/1050/fd	hynadtsowyl
File opened for reading	/proc/1111/fd	hynadtsowyl
File opened for reading	/proc/1665/fd	hynadtsowyl
File opened for reading	/proc/1/fd	hynadtsowyl
File opened for reading	/proc/1745/fd	hynadtsowyl
File opened for reading	/proc/1750/fd	hynadtsowyl
File opened for reading	/proc/1921/fd	hynadtsowyl
File opened for reading	/proc/1982/fd	hynadtsowyl
File opened for reading	/proc/2057/fd	hynadtsowyl
File opened for reading	/proc/2090/fd	hynadtsowyl
File opened for reading	/proc/1662/fd	hynadtsowyl
File opened for reading	/proc/1674/fd	hynadtsowyl
File opened for reading	/proc/1704/fd	hynadtsowyl
File opened for reading	/proc/1713/fd	hynadtsowyl
File opened for reading	/proc/1900/fd	hynadtsowyl
File opened for reading	/proc/373/fd	hynadtsowyl
File opened for reading	/proc/1264/fd	hynadtsowyl
File opened for reading	/proc/1529/fd	hynadtsowyl
File opened for reading	/proc/2093/fd	hynadtsowyl
File opened for reading	/proc/1961/fd	hynadtsowyl
File opened for reading	/proc/2021/fd	hynadtsowyl
File opened for reading	/proc/2083/fd	hynadtsowyl
File opened for reading	/proc/1199/fd	hynadtsowyl
File opened for reading	/proc/1915/fd	hynadtsowyl
File opened for reading	/proc/1707/fd	hynadtsowyl
File opened for reading	/proc/1778/fd	hynadtsowyl
File opened for reading	/proc/1862/fd	hynadtsowyl
File opened for reading	/proc/1793/fd	hynadtsowyl
File opened for reading	/proc/1892/fd	hynadtsowyl
File opened for reading	/proc/2042/fd	hynadtsowyl
File opened for reading	/proc/2066/fd	hynadtsowyl
File opened for reading	/proc/631/fd	hynadtsowyl
File opened for reading	/proc/968/fd	hynadtsowyl
File opened for reading	/proc/1757/fd	hynadtsowyl
File opened for reading	/proc/1171/fd	hynadtsowyl
File opened for reading	/proc/1332/fd	hynadtsowyl
File opened for reading	/proc/1688/fd	hynadtsowyl

Writes file to shm directory 2 IoCs
Malware can drop malicious files in the shm directory which will run directly from RAM.

Processes:

hynadtsowyl

description ioc process

File opened for modification /dev/shm/sem.axhetm hynadtsowyl
File opened for modification /dev/shm/sem.Lyn3XB hynadtsowyl

description	ioc	process
File opened for modification	/dev/shm/sem.axhetm	hynadtsowyl
File opened for modification	/dev/shm/sem.Lyn3XB	hynadtsowyl

/tmp/112.elf
/tmp/112.elf
1⤵
- Write file to user bin folder
PID:1587

/usr/bin/hynadtsowyl
/usr/bin/hynadtsowyl
1⤵
- Executes dropped EXE
- Creates/modifies Cron job
- Enumerates active TCP sockets
- Modifies init.d
- Write file to user bin folder
- Reads system network configuration
- Reads runtime system information
- Writes file to shm directory
PID:1591

/usr/bin/zmpxfeosezj
/usr/bin/zmpxfeosezj -d 1592
1⤵
- Executes dropped EXE
PID:1596

/usr/bin/hxazuhkfumwio
/usr/bin/hxazuhkfumwio -d 1592
1⤵
- Executes dropped EXE
PID:1598

/usr/bin/mixppwsea
/usr/bin/mixppwsea -d 1592
1⤵
- Executes dropped EXE
PID:1605

/usr/bin/jbbfwenv
/usr/bin/jbbfwenv -d 1592
1⤵
- Executes dropped EXE
PID:1607

/usr/bin/mrpyxkkvsajh
/usr/bin/mrpyxkkvsajh -d 1592
1⤵
- Executes dropped EXE
PID:1611

/usr/bin/yfoefzprbqwzw
/usr/bin/yfoefzprbqwzw -d 1592
1⤵
- Executes dropped EXE
PID:1635

/usr/bin/ucxosxlcjg
/usr/bin/ucxosxlcjg -d 1592
1⤵
- Executes dropped EXE
PID:1637

/usr/bin/jrducc
/usr/bin/jrducc -d 1592
1⤵
- Executes dropped EXE
PID:1641

/usr/bin/hsypunivdew
/usr/bin/hsypunivdew -d 1592
1⤵
- Executes dropped EXE
PID:1643

/usr/bin/qqcpgunryyzxk
/usr/bin/qqcpgunryyzxk -d 1592
1⤵
- Executes dropped EXE
PID:1646

/usr/bin/comgkoyc
/usr/bin/comgkoyc -d 1592
1⤵
- Executes dropped EXE
PID:1650

/usr/bin/ojndco
/usr/bin/ojndco -d 1592
1⤵
- Executes dropped EXE
PID:1652

/usr/bin/clntnrosptrlnk
/usr/bin/clntnrosptrlnk -d 1592
1⤵
- Executes dropped EXE
PID:1657

/usr/bin/pyjykz
/usr/bin/pyjykz -d 1592
1⤵
- Executes dropped EXE
PID:1660

/usr/bin/mqoxgrauxc
/usr/bin/mqoxgrauxc -d 1592
1⤵
- Executes dropped EXE
PID:1664

/usr/bin/kxscnmt
/usr/bin/kxscnmt -d 1592
1⤵
- Executes dropped EXE
PID:1670

/usr/bin/dhwndmnom
/usr/bin/dhwndmnom -d 1592
1⤵
- Executes dropped EXE
PID:1672

/usr/bin/ommgbl
/usr/bin/ommgbl -d 1592
1⤵
- Executes dropped EXE
PID:1676

/usr/bin/ulirppco
/usr/bin/ulirppco -d 1592
1⤵
- Executes dropped EXE
PID:1678

/usr/bin/gcwzlaihpm
/usr/bin/gcwzlaihpm -d 1592
1⤵
- Executes dropped EXE
PID:1681

/usr/bin/fajcowq
/usr/bin/fajcowq -d 1592
1⤵
- Executes dropped EXE
PID:1685

/usr/bin/xcjtpslf
/usr/bin/xcjtpslf -d 1592
1⤵
- Executes dropped EXE
PID:1687

/usr/bin/pvrxzoykqhsht
/usr/bin/pvrxzoykqhsht -d 1592
1⤵
- Executes dropped EXE
PID:1691

/usr/bin/mvzpkvhhu
/usr/bin/mvzpkvhhu -d 1592
1⤵
- Executes dropped EXE
PID:1693

/usr/bin/qpbicisrdjq
/usr/bin/qpbicisrdjq -d 1592
1⤵
- Executes dropped EXE
PID:1697

/usr/bin/zpnpwhzrxlmw
/usr/bin/zpnpwhzrxlmw -d 1592
1⤵
- Executes dropped EXE
PID:1700

/usr/bin/ytkhpvye
/usr/bin/ytkhpvye -d 1592
1⤵
- Executes dropped EXE
PID:1703

/usr/bin/iheaaimtnl
/usr/bin/iheaaimtnl -d 1592
1⤵
- Executes dropped EXE
PID:1706

/usr/bin/adgkczhplfsm
/usr/bin/adgkczhplfsm -d 1592
1⤵
- Executes dropped EXE
PID:1709

/usr/bin/etrztxwcgceh
/usr/bin/etrztxwcgceh -d 1592
1⤵
- Executes dropped EXE
PID:1712

/usr/bin/qazekcjqmnpvc
/usr/bin/qazekcjqmnpvc -d 1592
1⤵
- Executes dropped EXE
PID:1715

/usr/bin/cuqeykvy
/usr/bin/cuqeykvy -d 1592
1⤵
- Executes dropped EXE
PID:1718

/usr/bin/swhzaoi
/usr/bin/swhzaoi -d 1592
1⤵
- Executes dropped EXE
PID:1720

/usr/bin/gkokusvm
/usr/bin/gkokusvm -d 1592
1⤵
- Executes dropped EXE
PID:1724

/usr/bin/idblhf
/usr/bin/idblhf -d 1592
1⤵
- Executes dropped EXE
PID:1726

/usr/bin/ylgkggpbezc
/usr/bin/ylgkggpbezc -d 1592
1⤵
- Executes dropped EXE
PID:1732

/usr/bin/nkttwigqabehkh
/usr/bin/nkttwigqabehkh -d 1592
1⤵
- Executes dropped EXE
PID:1734

/usr/bin/xoseod
/usr/bin/xoseod -d 1592
1⤵
- Executes dropped EXE
PID:1738

/usr/bin/ymqonunrbcbwv
/usr/bin/ymqonunrbcbwv -d 1592
1⤵
- Executes dropped EXE
PID:1741

/usr/bin/ebphft
/usr/bin/ebphft -d 1592
1⤵
- Executes dropped EXE
PID:1743

/usr/bin/rccoswsha
/usr/bin/rccoswsha -d 1592
1⤵
- Executes dropped EXE
PID:1747

/usr/bin/fovvdsiuvkvri
/usr/bin/fovvdsiuvkvri -d 1592
1⤵
- Executes dropped EXE
PID:1749

/usr/bin/yllhqg
/usr/bin/yllhqg -d 1592
1⤵
- Executes dropped EXE
PID:1753

/usr/bin/jibxaashcvpqsk
/usr/bin/jibxaashcvpqsk -d 1592
1⤵
- Executes dropped EXE
PID:1756

/usr/bin/mvnhhkzpexdrev
/usr/bin/mvnhhkzpexdrev -d 1592
1⤵
- Executes dropped EXE
PID:1759

/usr/bin/dffgchiu
/usr/bin/dffgchiu -d 1592
1⤵
- Executes dropped EXE
PID:1762

/usr/bin/krgamqvynigvuh
/usr/bin/krgamqvynigvuh -d 1592
1⤵
- Executes dropped EXE
PID:1765

/usr/bin/aerrkno
/usr/bin/aerrkno -d 1592
1⤵
- Executes dropped EXE
PID:1768

/usr/bin/svxufgrwqkct
/usr/bin/svxufgrwqkct -d 1592
1⤵
- Executes dropped EXE
PID:1771

/usr/bin/uovkzb
/usr/bin/uovkzb -d 1592
1⤵
- Executes dropped EXE
PID:1774

/usr/bin/tituoll
/usr/bin/tituoll -d 1592
1⤵
- Executes dropped EXE
PID:1777

/usr/bin/ycrszomewf
/usr/bin/ycrszomewf -d 1592
1⤵
- Executes dropped EXE
PID:1780

/usr/bin/nqeimbyh
/usr/bin/nqeimbyh -d 1592
1⤵
- Executes dropped EXE
PID:1783

/usr/bin/xkstunnkaakae
/usr/bin/xkstunnkaakae -d 1592
1⤵
- Executes dropped EXE
PID:1786

/usr/bin/seshiooldeplrs
/usr/bin/seshiooldeplrs -d 1592
1⤵
- Executes dropped EXE
PID:1789

/usr/bin/aflnzejntupw
/usr/bin/aflnzejntupw -d 1592
1⤵
- Executes dropped EXE
PID:1792

/usr/bin/saikectpqi
/usr/bin/saikectpqi -d 1592
1⤵
- Executes dropped EXE
PID:1795

/usr/bin/umrhfmvirhvrle
/usr/bin/umrhfmvirhvrle -d 1592
1⤵
- Executes dropped EXE
PID:1798

/usr/bin/havdhndra
/usr/bin/havdhndra -d 1592
1⤵
- Executes dropped EXE
PID:1801

/usr/bin/ttzjdbfsup
/usr/bin/ttzjdbfsup -d 1592
1⤵
- Executes dropped EXE
PID:1804

/usr/bin/gkhyrerf
/usr/bin/gkhyrerf -d 1592
1⤵
- Executes dropped EXE
PID:1807

/usr/bin/xmlurukulmg
/usr/bin/xmlurukulmg -d 1592
1⤵
- Executes dropped EXE
PID:1810

/usr/bin/hfqlixddm
/usr/bin/hfqlixddm -d 1592
1⤵
- Executes dropped EXE
PID:1813

/usr/bin/lzmlsqcx
/usr/bin/lzmlsqcx -d 1592
1⤵
PID:1816

/usr/bin/blpycjizxufbbn
/usr/bin/blpycjizxufbbn -d 1592
1⤵
PID:1819

/usr/bin/ovrtafwm
/usr/bin/ovrtafwm -d 1592
1⤵
PID:1822

/usr/bin/kxxacwedkvbm
/usr/bin/kxxacwedkvbm -d 1592
1⤵
PID:1824

/usr/bin/lldhtflgazd
/usr/bin/lldhtflgazd -d 1592
1⤵
PID:1828

/usr/bin/vezrsdbrcd
/usr/bin/vezrsdbrcd -d 1592
1⤵
PID:1831

/usr/bin/bjzleczlqloxg
/usr/bin/bjzleczlqloxg -d 1592
1⤵
PID:1834

/usr/bin/imwkppfvoynu
/usr/bin/imwkppfvoynu -d 1592
1⤵
PID:1837

/usr/bin/hygazq
/usr/bin/hygazq -d 1592
1⤵
PID:1839

/usr/bin/kuekhwxwtdrerp
/usr/bin/kuekhwxwtdrerp -d 1592
1⤵
PID:1843

/usr/bin/ifxevxtp
/usr/bin/ifxevxtp -d 1592
1⤵
PID:1846

/usr/bin/aogdpwe
/usr/bin/aogdpwe -d 1592
1⤵
PID:1849

/usr/bin/tkmcgl
/usr/bin/tkmcgl -d 1592
1⤵
PID:1852

/usr/bin/cqsihjyrq
/usr/bin/cqsihjyrq -d 1592
1⤵
PID:1855

/usr/bin/xmurdutt
/usr/bin/xmurdutt -d 1592
1⤵
PID:1858

/usr/bin/wjzdlupzww
/usr/bin/wjzdlupzww -d 1592
1⤵
PID:1861

/usr/bin/xacrijagc
/usr/bin/xacrijagc -d 1592
1⤵
PID:1864

/usr/bin/dadzrgtmcvllw
/usr/bin/dadzrgtmcvllw -d 1592
1⤵
PID:1867

/usr/bin/yqfxpb
/usr/bin/yqfxpb -d 1592
1⤵
PID:1869

/usr/bin/mdldlwdt
/usr/bin/mdldlwdt -d 1592
1⤵
PID:1873

/usr/bin/wyazxriqgkorx
/usr/bin/wyazxriqgkorx -d 1592
1⤵
PID:1876

/usr/bin/hxbmwsqfgtsl
/usr/bin/hxbmwsqfgtsl -d 1592
1⤵
PID:1879

/usr/bin/qoaqnzrmykw
/usr/bin/qoaqnzrmykw -d 1592
1⤵
PID:1882

/usr/bin/qidjhpqeq
/usr/bin/qidjhpqeq -d 1592
1⤵
PID:1884

/usr/bin/akvhqqzbxrsyif
/usr/bin/akvhqqzbxrsyif -d 1592
1⤵
PID:1887

/usr/bin/btxlqoe
/usr/bin/btxlqoe -d 1592
1⤵
PID:1891

/usr/bin/tnijembjnmgue
/usr/bin/tnijembjnmgue -d 1592
1⤵
PID:1894

/usr/bin/wgwpawxfvaa
/usr/bin/wgwpawxfvaa -d 1592
1⤵
PID:1897

/usr/bin/mqjqredznjnr
/usr/bin/mqjqredznjnr -d 1592
1⤵
PID:1899

/usr/bin/adaxjzvrvkrrk
/usr/bin/adaxjzvrvkrrk -d 1592
1⤵
PID:1902

/usr/bin/mkzgyrroiwuj
/usr/bin/mkzgyrroiwuj -d 1592
1⤵
PID:1905

/usr/bin/dxcyzhaw
/usr/bin/dxcyzhaw -d 1592
1⤵
PID:1909

/usr/bin/ztiuecloaza
/usr/bin/ztiuecloaza -d 1592
1⤵
PID:1912

/usr/bin/izrbpbzj
/usr/bin/izrbpbzj -d 1592
1⤵
PID:1914

/usr/bin/lpmnplxpkqrd
/usr/bin/lpmnplxpkqrd -d 1592
1⤵
PID:1918

/usr/bin/ljczxdayeiz
/usr/bin/ljczxdayeiz -d 1592
1⤵
PID:1920

/usr/bin/moblyqwpcmep
/usr/bin/moblyqwpcmep -d 1592
1⤵
PID:1924

/usr/bin/vzbmfbyoezoj
/usr/bin/vzbmfbyoezoj -d 1592
1⤵
PID:1927

/usr/bin/opknnybqjbgg
/usr/bin/opknnybqjbgg -d 1592
1⤵
PID:1929

/usr/bin/kuwzfsbge
/usr/bin/kuwzfsbge -d 1592
1⤵
PID:1933

/usr/bin/hewndmwfam
/usr/bin/hewndmwfam -d 1592
1⤵
PID:1936

/usr/bin/pbpttyubg
/usr/bin/pbpttyubg -d 1592
1⤵
PID:1939

/usr/bin/lcjmhbpn
/usr/bin/lcjmhbpn -d 1592
1⤵
PID:1942

/usr/bin/xxkwkqijxl
/usr/bin/xxkwkqijxl -d 1592
1⤵
PID:1945

/usr/bin/oaaftv
/usr/bin/oaaftv -d 1592
1⤵
PID:1948

/usr/bin/qwmdjqmvyq
/usr/bin/qwmdjqmvyq -d 1592
1⤵
PID:1951

/usr/bin/nwkkiixyrixch
/usr/bin/nwkkiixyrixch -d 1592
1⤵
PID:1954

/usr/bin/ehsycyqamtjch
/usr/bin/ehsycyqamtjch -d 1592
1⤵
PID:1957

/usr/bin/axtqvgceobehj
/usr/bin/axtqvgceobehj -d 1592
1⤵
PID:1959

/usr/bin/lqpqzkqdigd
/usr/bin/lqpqzkqdigd -d 1592
1⤵
PID:1963

/usr/bin/zoyixzgqrdyth
/usr/bin/zoyixzgqrdyth -d 1592
1⤵
PID:1966

/usr/bin/vouesg
/usr/bin/vouesg -d 1592
1⤵
PID:1969

/usr/bin/jyytoc
/usr/bin/jyytoc -d 1592
1⤵
PID:1972

/usr/bin/whxxywfvxnn
/usr/bin/whxxywfvxnn -d 1592
1⤵
PID:1975

/usr/bin/rmhybeoxl
/usr/bin/rmhybeoxl -d 1592
1⤵
PID:1978

/usr/bin/fkqdiltmnpumou
/usr/bin/fkqdiltmnpumou -d 1592
1⤵
PID:1981

/usr/bin/uphhevysfz
/usr/bin/uphhevysfz -d 1592
1⤵
PID:1984

/usr/bin/jptwyagqg
/usr/bin/jptwyagqg -d 1592
1⤵
PID:1987

/usr/bin/bbbqtxdhrnb
/usr/bin/bbbqtxdhrnb -d 1592
1⤵
PID:1990

/usr/bin/vlpqlhxmf
/usr/bin/vlpqlhxmf -d 1592
1⤵
PID:1993

/usr/bin/cafaamqidt
/usr/bin/cafaamqidt -d 1592
1⤵
PID:1996

/usr/bin/gkdenkxaoiv
/usr/bin/gkdenkxaoiv -d 1592
1⤵
PID:1999

/usr/bin/xomgnzlwbnedos
/usr/bin/xomgnzlwbnedos -d 1592
1⤵
PID:2002

/usr/bin/wvogbylhn
/usr/bin/wvogbylhn -d 1592
1⤵
PID:2005

/usr/bin/fqmplnobzupyi
/usr/bin/fqmplnobzupyi -d 1592
1⤵
PID:2008

/usr/bin/bxreljbkgqsi
/usr/bin/bxreljbkgqsi -d 1592
1⤵
PID:2011

/usr/bin/epecwuqlhdz
/usr/bin/epecwuqlhdz -d 1592
1⤵
PID:2014

/usr/bin/cwcdgp
/usr/bin/cwcdgp -d 1592
1⤵
PID:2020

/usr/bin/djlrumbdevlv
/usr/bin/djlrumbdevlv -d 1592
1⤵
PID:2023

/usr/bin/cbdzxtmgyorbmv
/usr/bin/cbdzxtmgyorbmv -d 1592
1⤵
PID:2026

/usr/bin/snkxwxqsmr
/usr/bin/snkxwxqsmr -d 1592
1⤵
PID:2029

/usr/bin/qpinqlqumppaw
/usr/bin/qpinqlqumppaw -d 1592
1⤵
PID:2032

/usr/bin/oprclxwy
/usr/bin/oprclxwy -d 1592
1⤵
PID:2035

/usr/bin/uwjkqve
/usr/bin/uwjkqve -d 1592
1⤵
PID:2038

/usr/bin/ntwdljvf
/usr/bin/ntwdljvf -d 1592
1⤵
PID:2041

/usr/bin/lxyjnoyerldn
/usr/bin/lxyjnoyerldn -d 1592
1⤵
PID:2044

/usr/bin/ojhxuyuam
/usr/bin/ojhxuyuam -d 1592
1⤵
PID:2047

/usr/bin/vinguiorvnpe
/usr/bin/vinguiorvnpe -d 1592
1⤵
PID:2050

/usr/bin/efgxqlkczulxqj
/usr/bin/efgxqlkczulxqj -d 1592
1⤵
PID:2053

/usr/bin/sxbnio
/usr/bin/sxbnio -d 1592
1⤵
PID:2056

/usr/bin/czjtuylbypggow
/usr/bin/czjtuylbypggow -d 1592
1⤵
PID:2059

/usr/bin/yarumomxhexjt
/usr/bin/yarumomxhexjt -d 1592
1⤵
PID:2062

/usr/bin/zpjaaevzpwzgc
/usr/bin/zpjaaevzpwzgc -d 1592
1⤵
PID:2065

/usr/bin/uaxvbqppgemoi
/usr/bin/uaxvbqppgemoi -d 1592
1⤵
PID:2068

/usr/bin/zeqavzbv
/usr/bin/zeqavzbv -d 1592
1⤵
PID:2071

/usr/bin/wwtuyayew
/usr/bin/wwtuyayew -d 1592
1⤵
PID:2074

/usr/bin/drbujqa
/usr/bin/drbujqa -d 1592
1⤵
PID:2077

/usr/bin/fqxopbh
/usr/bin/fqxopbh -d 1592
1⤵
PID:2080

/usr/bin/wgrumpsgjqijwg
/usr/bin/wgrumpsgjqijwg -d 1592
1⤵
PID:2082

/usr/bin/cylwjdyyirvzgz
/usr/bin/cylwjdyyirvzgz -d 1592
1⤵
PID:2085

/usr/bin/yxmrtzg
/usr/bin/yxmrtzg -d 1592
1⤵
PID:2089

/usr/bin/hrercbxmdxxbg
/usr/bin/hrercbxmdxxbg -d 1592
1⤵
PID:2092

/usr/bin/bgjsckbdqza
/usr/bin/bgjsckbdqza -d 1592
1⤵
PID:2095

/usr/bin/twdbkmtodxrd
/usr/bin/twdbkmtodxrd -d 1592
1⤵
PID:2097

/usr/bin/wcgxljb
/usr/bin/wcgxljb -d 1592
1⤵
PID:2101

/usr/bin/utvewyuybyr
/usr/bin/utvewyuybyr -d 1592
1⤵
PID:2103

/usr/bin/eshqnxwlp
/usr/bin/eshqnxwlp -d 1592
1⤵
PID:2106

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads

/dev/shm/sem.Lyn3XB
Filesize
16B

MD5
076933ff9904d1110d896e2c525e39e5

SHA1
4188442577fa77f25820d9b2d01cc446e30684ac

SHA256
4cbbd8ca5215b8d161aec181a74b694f4e24b001d5b081dc0030ed797a8973e0

SHA512
6fcee9a7b7a7b821d241c03c82377928bc6882e7a08c78a4221199bfa220cdc55212273018ee613317c8293bb8d1ce08d1e017508e94e06ab85a734c99c7cc34

Download Submit
/etc/cron.hourly/lywostdanyh.sh
Filesize
160B

MD5
4fe080225150af3abd75bf5a2a4e9e3a

SHA1
03494d3e58d318680e7df8ac9357c52b7704d289

SHA256
ee32c651d90250aa8a3e1393bbe52cf56417e8abe2b76fb2d20572c3606d8813

SHA512
7c7522cfc31d39213c7cb5ff108255d8d211bc5ba59cf909ff6bdb26b1e86afeb7f4d783960de21cce08be6846c32b7302689dfd06feee38d848716a95515212

Download Submit
/etc/daemon.cfg
Filesize
32B

MD5
47329ffc1641a98b708383f6f3ee7866

SHA1
202fa10fe2fb96c9a6e2d4b7882d33df124e733a

SHA256
8e5a0ae390b756f4654387695189314df4a833de1c128b864bc114070470094b

SHA512
73e4bb3989e9e030e943d8d3b0bab7899a878d28620e617ac93a44f016fc308140a7515c8e4bd2bab1c22d6c2a918ddbd5e0271cfa040981f96259d0eb89862b

Download Submit
/etc/init.d/lywostdanyh
Filesize
351B

MD5
dc5bff093effc8f2d92f47d889488e0b

SHA1
36aa2b9b80e820b7ae2010bd0ec2ffcd7c93e750

SHA256
45787ac0fd32137fae817b682c93f241ea871d1dd04bfa3d1a8492a3391fe629

SHA512
8e0248d7944b33009dbd96d313f0ca34a836835c0547e21a8299838271ba216f65b746e59620a8511a244b17ce962324a118aecdac92f1f560eb92210841b512

Download Submit
/usr/bin/hynadtsowyl
Filesize
549KB

MD5
3cd75dcdf0f92f69f3bfc79d766346ed

SHA1
23b344cc4474e54222e174dd9d4ddf56b2264d9d

SHA256
6895704b1d7b15e376401641eb1fe82d57fcb11391a32bf0027c38ebd99b2185

SHA512
a33fa5f44b398fa5122e976db0050b91547e80acc25982768d48f8538bef9b7488ebb8d5c3ec9cf3331ed500eea3aca4d2dc25dcb30f729442f5b26ce5874037

Download Submit

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads