Edit tour

Linux Analysis Report
xor1.o

Overview

General Information

Sample Name:	xor1.o
Analysis ID:	610020
MD5:	21c61e95827a7f9e1022e1b2fabe0386
SHA1:	4f40bd1086574c54ec0405892e16eb04133f9049
SHA256:	dd07bbbf82ae0e39f9b431e798b368c9886cb7d8ab91fd545fa13ff64bc023f5
Tags:	elfintelxorddos
Infos:

Detection

XorDDoS

Score:	96
Range:	0 - 100
Whitelisted:	false

Signatures

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)

Multi AV Scanner detection for submitted file

Malicious sample detected (through community Yara rule)

Yara detected XorDDoS Bot

Sample tries to persist itself using System V runlevels

Machine Learning detection for dropped file

Sample tries to persist itself using cron

Drops files in suspicious directories

Sample deletes itself

Machine Learning detection for sample

Writes ELF files to disk

Yara signature match

Drops files with innocent-looking names

PID-file does not contain an ASCII number

Writes shell script files to disk

Reads system information from the proc file system

Uses the "uname" system call to query kernel version information (possible evasion)

Executes the "systemctl" command used for controlling the systemd system and service manager

Tries to connect to HTTP servers, but all servers are down (expired dropper behavior)

Detected TCP or UDP traffic on non-standard ports

Sample has stripped symbol table

Executes commands using a shell command-line interpreter

Reads CPU information from /proc indicative of miner or evasive malware

Writes shell script file to disk with an unusual file extension

Classification

Analysis Advice

All HTTP servers contacted by the sample do not answer. The sample is likely an old dropper which does no longer work.

General Information

Joe Sandbox Version:	34.0.0 Boulder Opal
Analysis ID:	610020
Start date and time: 15/04/202222:06:36	2022-04-15 22:06:36 +02:00
Joe Sandbox Product:	CloudBasic
Overall analysis duration:	0h 7m 26s
Hypervisor based Inspection enabled:	false
Report type:	full
Sample file name:	xor1.o
Cookbook file name:	defaultlinuxfilecookbook.jbs
Analysis system description:	Ubuntu Linux 20.04 x64 (Kernel 5.4.0-72, Firefox 91.0, Evince Document Viewer 3.36.10, LibreOffice 6.4.7.2, OpenJDK 11.0.11)
Analysis Mode:	default
Detection:	MAL
Classification:	mal96.troj.evad.linO@0/21@6/0

Warnings

VT rate limit hit for: ppp.gggatat456.com

Runtime Messages

Command:	/tmp/xor1.o
PID:	5224
Exit Code:	0
Exit Code Info:
Killed:	False
Standard Output:
Standard Error:

Process Tree

system is lnxubuntu20

xor1.o (PID: 5224, Parent: 5119, MD5: 21c61e95827a7f9e1022e1b2fabe0386) Arguments: /tmp/xor1.o

xor1.o New Fork (PID: 5225, Parent: 5224)

xor1.o New Fork (PID: 5226, Parent: 5225)

xor1.o New Fork (PID: 5227, Parent: 5226)

xor1.o New Fork (PID: 5228, Parent: 5225)

xor1.o New Fork (PID: 5229, Parent: 5228)

update-rc.d (PID: 5229, Parent: 1860, MD5: 16a21f464119ea7fad1d3660de963637) Arguments: update-rc.d xor1.o defaults

update-rc.d New Fork (PID: 5235, Parent: 5229)

systemctl (PID: 5235, Parent: 5229, MD5: 4deddfb6741481f68aeac522cc26ff4b) Arguments: systemctl daemon-reload

xor1.o New Fork (PID: 5230, Parent: 5225)

sh (PID: 5230, Parent: 5225, MD5: 1e6b1c887c59a315edb7eb9a315fc84c) Arguments: sh -c "sed -i '/\\/etc\\/cron.hourly\\/gcc.sh/d' /etc/crontab && echo '*/3 * * * * root /etc/cron.hourly/gcc.sh' >> /etc/crontab"

sh New Fork (PID: 5231, Parent: 5230)

sed (PID: 5231, Parent: 5230, MD5: 885062561f66aa1d4af4c54b9e7cc81a) Arguments: sed -i /\\/etc\\/cron.hourly\\/gcc.sh/d /etc/crontab

xor1.o New Fork (PID: 5263, Parent: 5225)

xor1.o New Fork (PID: 5264, Parent: 5263)

mbycomlghf (PID: 5264, Parent: 5263, MD5: 266e022987ca9cb84b7041ccab5f462c) Arguments: /usr/bin/mbycomlghf "ifconfig eth0" 5225

mbycomlghf New Fork (PID: 5265, Parent: 5264)

xor1.o New Fork (PID: 5266, Parent: 5225)

xor1.o New Fork (PID: 5267, Parent: 5266)

mbycomlghf (PID: 5267, Parent: 5266, MD5: 266e022987ca9cb84b7041ccab5f462c) Arguments: /usr/bin/mbycomlghf "netstat -antop" 5225

mbycomlghf New Fork (PID: 5272, Parent: 5267)

xor1.o New Fork (PID: 5268, Parent: 5225)

xor1.o New Fork (PID: 5269, Parent: 5268)

mbycomlghf (PID: 5269, Parent: 5268, MD5: 266e022987ca9cb84b7041ccab5f462c) Arguments: /usr/bin/mbycomlghf who 5225

mbycomlghf New Fork (PID: 5274, Parent: 5269)

xor1.o New Fork (PID: 5270, Parent: 5225)

xor1.o New Fork (PID: 5271, Parent: 5270)

mbycomlghf (PID: 5271, Parent: 5270, MD5: 266e022987ca9cb84b7041ccab5f462c) Arguments: /usr/bin/mbycomlghf "echo \"find\"" 5225

mbycomlghf New Fork (PID: 5276, Parent: 5271)

xor1.o New Fork (PID: 5273, Parent: 5225)

xor1.o New Fork (PID: 5275, Parent: 5273)

mbycomlghf (PID: 5275, Parent: 5273, MD5: 266e022987ca9cb84b7041ccab5f462c) Arguments: /usr/bin/mbycomlghf uptime 5225

mbycomlghf New Fork (PID: 5277, Parent: 5275)

xor1.o New Fork (PID: 5281, Parent: 5225)

xor1.o New Fork (PID: 5282, Parent: 5281)

wkuqobksgz (PID: 5282, Parent: 5281, MD5: 109aeaf58efee3ac951fa24d29857c4d) Arguments: /usr/bin/wkuqobksgz su 5225

wkuqobksgz New Fork (PID: 5283, Parent: 5282)

xor1.o New Fork (PID: 5284, Parent: 5225)

xor1.o New Fork (PID: 5285, Parent: 5284)

wkuqobksgz (PID: 5285, Parent: 5284, MD5: 109aeaf58efee3ac951fa24d29857c4d) Arguments: /usr/bin/wkuqobksgz "echo \"find\"" 5225

wkuqobksgz New Fork (PID: 5288, Parent: 5285)

xor1.o New Fork (PID: 5286, Parent: 5225)

xor1.o New Fork (PID: 5287, Parent: 5286)

wkuqobksgz (PID: 5287, Parent: 5286, MD5: 109aeaf58efee3ac951fa24d29857c4d) Arguments: /usr/bin/wkuqobksgz "ifconfig eth0" 5225

wkuqobksgz New Fork (PID: 5293, Parent: 5287)

xor1.o New Fork (PID: 5289, Parent: 5225)

xor1.o New Fork (PID: 5290, Parent: 5289)

wkuqobksgz (PID: 5290, Parent: 5289, MD5: 109aeaf58efee3ac951fa24d29857c4d) Arguments: /usr/bin/wkuqobksgz "netstat -an" 5225

wkuqobksgz New Fork (PID: 5296, Parent: 5290)

xor1.o New Fork (PID: 5291, Parent: 5225)

xor1.o New Fork (PID: 5292, Parent: 5291)

wkuqobksgz (PID: 5292, Parent: 5291, MD5: 109aeaf58efee3ac951fa24d29857c4d) Arguments: /usr/bin/wkuqobksgz "cd /etc" 5225

wkuqobksgz New Fork (PID: 5297, Parent: 5292)

xor1.o New Fork (PID: 5300, Parent: 5225)

xor1.o New Fork (PID: 5301, Parent: 5300)

cglyyshjyz (PID: 5301, Parent: 5300, MD5: 3ba7870dc238c8ced74411e69ce14b0a) Arguments: /usr/bin/cglyyshjyz ls 5225

cglyyshjyz New Fork (PID: 5302, Parent: 5301)

xor1.o New Fork (PID: 5303, Parent: 5225)

xor1.o New Fork (PID: 5304, Parent: 5303)

cglyyshjyz (PID: 5304, Parent: 5303, MD5: 3ba7870dc238c8ced74411e69ce14b0a) Arguments: /usr/bin/cglyyshjyz uptime 5225

cglyyshjyz New Fork (PID: 5307, Parent: 5304)

xor1.o New Fork (PID: 5305, Parent: 5225)

xor1.o New Fork (PID: 5306, Parent: 5305)

cglyyshjyz (PID: 5306, Parent: 5305, MD5: 3ba7870dc238c8ced74411e69ce14b0a) Arguments: /usr/bin/cglyyshjyz who 5225

cglyyshjyz New Fork (PID: 5308, Parent: 5306)

xor1.o New Fork (PID: 5309, Parent: 5225)

xor1.o New Fork (PID: 5310, Parent: 5309)

cglyyshjyz (PID: 5310, Parent: 5309, MD5: 3ba7870dc238c8ced74411e69ce14b0a) Arguments: /usr/bin/cglyyshjyz "sleep 1" 5225

cglyyshjyz New Fork (PID: 5313, Parent: 5310)

xor1.o New Fork (PID: 5311, Parent: 5225)

xor1.o New Fork (PID: 5312, Parent: 5311)

cglyyshjyz (PID: 5312, Parent: 5311, MD5: 3ba7870dc238c8ced74411e69ce14b0a) Arguments: /usr/bin/cglyyshjyz "cd /etc" 5225

cglyyshjyz New Fork (PID: 5314, Parent: 5312)

xor1.o New Fork (PID: 5317, Parent: 5225)

xor1.o New Fork (PID: 5318, Parent: 5317)

iqmzdzzagu (PID: 5318, Parent: 5317, MD5: 6e76f6698ccf35c8257261f0c70180a3) Arguments: /usr/bin/iqmzdzzagu ls 5225

iqmzdzzagu New Fork (PID: 5319, Parent: 5318)

xor1.o New Fork (PID: 5320, Parent: 5225)

xor1.o New Fork (PID: 5321, Parent: 5320)

iqmzdzzagu (PID: 5321, Parent: 5320, MD5: 6e76f6698ccf35c8257261f0c70180a3) Arguments: /usr/bin/iqmzdzzagu id 5225

iqmzdzzagu New Fork (PID: 5324, Parent: 5321)

xor1.o New Fork (PID: 5322, Parent: 5225)

xor1.o New Fork (PID: 5323, Parent: 5322)

iqmzdzzagu (PID: 5323, Parent: 5322, MD5: 6e76f6698ccf35c8257261f0c70180a3) Arguments: /usr/bin/iqmzdzzagu bash 5225

iqmzdzzagu New Fork (PID: 5327, Parent: 5323)

xor1.o New Fork (PID: 5325, Parent: 5225)

xor1.o New Fork (PID: 5326, Parent: 5325)

iqmzdzzagu (PID: 5326, Parent: 5325, MD5: 6e76f6698ccf35c8257261f0c70180a3) Arguments: /usr/bin/iqmzdzzagu pwd 5225

iqmzdzzagu New Fork (PID: 5330, Parent: 5326)

xor1.o New Fork (PID: 5328, Parent: 5225)

xor1.o New Fork (PID: 5329, Parent: 5328)

iqmzdzzagu (PID: 5329, Parent: 5328, MD5: 6e76f6698ccf35c8257261f0c70180a3) Arguments: /usr/bin/iqmzdzzagu "ifconfig eth0" 5225

iqmzdzzagu New Fork (PID: 5331, Parent: 5329)

xor1.o New Fork (PID: 5334, Parent: 5225)

xor1.o New Fork (PID: 5335, Parent: 5334)

ifkpwnmtjm (PID: 5335, Parent: 5334, MD5: c6395ec6939aa3aee167136e5b0e6f81) Arguments: /usr/bin/ifkpwnmtjm su 5225

ifkpwnmtjm New Fork (PID: 5336, Parent: 5335)

xor1.o New Fork (PID: 5337, Parent: 5225)

xor1.o New Fork (PID: 5338, Parent: 5337)

ifkpwnmtjm (PID: 5338, Parent: 5337, MD5: c6395ec6939aa3aee167136e5b0e6f81) Arguments: /usr/bin/ifkpwnmtjm "ps -ef" 5225

ifkpwnmtjm New Fork (PID: 5341, Parent: 5338)

xor1.o New Fork (PID: 5339, Parent: 5225)

xor1.o New Fork (PID: 5340, Parent: 5339)

ifkpwnmtjm (PID: 5340, Parent: 5339, MD5: c6395ec6939aa3aee167136e5b0e6f81) Arguments: /usr/bin/ifkpwnmtjm "grep \"A\"" 5225

ifkpwnmtjm New Fork (PID: 5346, Parent: 5340)

xor1.o New Fork (PID: 5342, Parent: 5225)

xor1.o New Fork (PID: 5343, Parent: 5342)

ifkpwnmtjm (PID: 5343, Parent: 5342, MD5: c6395ec6939aa3aee167136e5b0e6f81) Arguments: /usr/bin/ifkpwnmtjm "ifconfig eth0" 5225

ifkpwnmtjm New Fork (PID: 5347, Parent: 5343)

xor1.o New Fork (PID: 5344, Parent: 5225)

xor1.o New Fork (PID: 5345, Parent: 5344)

ifkpwnmtjm (PID: 5345, Parent: 5344, MD5: c6395ec6939aa3aee167136e5b0e6f81) Arguments: /usr/bin/ifkpwnmtjm "ls -la" 5225

ifkpwnmtjm New Fork (PID: 5348, Parent: 5345)

xor1.o New Fork (PID: 5351, Parent: 5225)

xor1.o New Fork (PID: 5352, Parent: 5351)

jnoxdslvzn (PID: 5352, Parent: 5351, MD5: 0208723046fa446d61614ef51ee000c0) Arguments: /usr/bin/jnoxdslvzn "grep \"A\"" 5225

jnoxdslvzn New Fork (PID: 5353, Parent: 5352)

xor1.o New Fork (PID: 5354, Parent: 5225)

xor1.o New Fork (PID: 5355, Parent: 5354)

jnoxdslvzn (PID: 5355, Parent: 5354, MD5: 0208723046fa446d61614ef51ee000c0) Arguments: /usr/bin/jnoxdslvzn "cat resolv.conf" 5225

jnoxdslvzn New Fork (PID: 5358, Parent: 5355)

xor1.o New Fork (PID: 5356, Parent: 5225)

xor1.o New Fork (PID: 5357, Parent: 5356)

jnoxdslvzn (PID: 5357, Parent: 5356, MD5: 0208723046fa446d61614ef51ee000c0) Arguments: /usr/bin/jnoxdslvzn "sleep 1" 5225

jnoxdslvzn New Fork (PID: 5359, Parent: 5357)

xor1.o New Fork (PID: 5360, Parent: 5225)

xor1.o New Fork (PID: 5361, Parent: 5360)

jnoxdslvzn (PID: 5361, Parent: 5360, MD5: 0208723046fa446d61614ef51ee000c0) Arguments: /usr/bin/jnoxdslvzn whoami 5225

jnoxdslvzn New Fork (PID: 5364, Parent: 5361)

xor1.o New Fork (PID: 5362, Parent: 5225)

xor1.o New Fork (PID: 5363, Parent: 5362)

jnoxdslvzn (PID: 5363, Parent: 5362, MD5: 0208723046fa446d61614ef51ee000c0) Arguments: /usr/bin/jnoxdslvzn su 5225

jnoxdslvzn New Fork (PID: 5365, Parent: 5363)

xor1.o New Fork (PID: 5369, Parent: 5225)

xor1.o New Fork (PID: 5370, Parent: 5369)

vdplvwquwd (PID: 5370, Parent: 5369, MD5: b6ac1496f79d2c5b8959203c3ecbdc6c) Arguments: /usr/bin/vdplvwquwd "netstat -an" 5225

vdplvwquwd New Fork (PID: 5371, Parent: 5370)

xor1.o New Fork (PID: 5372, Parent: 5225)

xor1.o New Fork (PID: 5373, Parent: 5372)

vdplvwquwd (PID: 5373, Parent: 5372, MD5: b6ac1496f79d2c5b8959203c3ecbdc6c) Arguments: /usr/bin/vdplvwquwd bash 5225

vdplvwquwd New Fork (PID: 5374, Parent: 5373)

xor1.o New Fork (PID: 5375, Parent: 5225)

xor1.o New Fork (PID: 5376, Parent: 5375)

vdplvwquwd (PID: 5376, Parent: 5375, MD5: b6ac1496f79d2c5b8959203c3ecbdc6c) Arguments: /usr/bin/vdplvwquwd id 5225

vdplvwquwd New Fork (PID: 5379, Parent: 5376)

xor1.o New Fork (PID: 5377, Parent: 5225)

xor1.o New Fork (PID: 5378, Parent: 5377)

vdplvwquwd (PID: 5378, Parent: 5377, MD5: b6ac1496f79d2c5b8959203c3ecbdc6c) Arguments: /usr/bin/vdplvwquwd pwd 5225

vdplvwquwd New Fork (PID: 5382, Parent: 5378)

xor1.o New Fork (PID: 5380, Parent: 5225)

xor1.o New Fork (PID: 5381, Parent: 5380)

vdplvwquwd (PID: 5381, Parent: 5380, MD5: b6ac1496f79d2c5b8959203c3ecbdc6c) Arguments: /usr/bin/vdplvwquwd bash 5225

vdplvwquwd New Fork (PID: 5385, Parent: 5381)

xor1.o New Fork (PID: 5390, Parent: 5225)

xor1.o New Fork (PID: 5391, Parent: 5390)

ralgwrxppb (PID: 5391, Parent: 5390, MD5: e75043350a41db4373bb9b0fa5677bc2) Arguments: /usr/bin/ralgwrxppb "echo \"find\"" 5225

ralgwrxppb New Fork (PID: 5392, Parent: 5391)

xor1.o New Fork (PID: 5393, Parent: 5225)

xor1.o New Fork (PID: 5394, Parent: 5393)

ralgwrxppb (PID: 5394, Parent: 5393, MD5: e75043350a41db4373bb9b0fa5677bc2) Arguments: /usr/bin/ralgwrxppb "echo \"find\"" 5225

ralgwrxppb New Fork (PID: 5397, Parent: 5394)

xor1.o New Fork (PID: 5395, Parent: 5225)

xor1.o New Fork (PID: 5396, Parent: 5395)

ralgwrxppb (PID: 5396, Parent: 5395, MD5: e75043350a41db4373bb9b0fa5677bc2) Arguments: /usr/bin/ralgwrxppb id 5225

ralgwrxppb New Fork (PID: 5400, Parent: 5396)

xor1.o New Fork (PID: 5398, Parent: 5225)

xor1.o New Fork (PID: 5399, Parent: 5398)

ralgwrxppb (PID: 5399, Parent: 5398, MD5: e75043350a41db4373bb9b0fa5677bc2) Arguments: /usr/bin/ralgwrxppb bash 5225

ralgwrxppb New Fork (PID: 5403, Parent: 5399)

xor1.o New Fork (PID: 5401, Parent: 5225)

xor1.o New Fork (PID: 5402, Parent: 5401)

ralgwrxppb (PID: 5402, Parent: 5401, MD5: e75043350a41db4373bb9b0fa5677bc2) Arguments: /usr/bin/ralgwrxppb ifconfig 5225

ralgwrxppb New Fork (PID: 5404, Parent: 5402)

xor1.o New Fork (PID: 5407, Parent: 5225)

xor1.o New Fork (PID: 5408, Parent: 5407)

eiqbhbuvjy (PID: 5408, Parent: 5407, MD5: b563644e4e482747a9b6ebe06bad1af1) Arguments: /usr/bin/eiqbhbuvjy su 5225

eiqbhbuvjy New Fork (PID: 5409, Parent: 5408)

xor1.o New Fork (PID: 5410, Parent: 5225)

xor1.o New Fork (PID: 5411, Parent: 5410)

eiqbhbuvjy (PID: 5411, Parent: 5410, MD5: b563644e4e482747a9b6ebe06bad1af1) Arguments: /usr/bin/eiqbhbuvjy "netstat -an" 5225

eiqbhbuvjy New Fork (PID: 5412, Parent: 5411)

xor1.o New Fork (PID: 5413, Parent: 5225)

xor1.o New Fork (PID: 5414, Parent: 5413)

eiqbhbuvjy (PID: 5414, Parent: 5413, MD5: b563644e4e482747a9b6ebe06bad1af1) Arguments: /usr/bin/eiqbhbuvjy "cat resolv.conf" 5225

eiqbhbuvjy New Fork (PID: 5417, Parent: 5414)

xor1.o New Fork (PID: 5415, Parent: 5225)

xor1.o New Fork (PID: 5416, Parent: 5415)

eiqbhbuvjy (PID: 5416, Parent: 5415, MD5: b563644e4e482747a9b6ebe06bad1af1) Arguments: /usr/bin/eiqbhbuvjy "echo \"find\"" 5225

eiqbhbuvjy New Fork (PID: 5420, Parent: 5416)

xor1.o New Fork (PID: 5418, Parent: 5225)

xor1.o New Fork (PID: 5419, Parent: 5418)

eiqbhbuvjy (PID: 5419, Parent: 5418, MD5: b563644e4e482747a9b6ebe06bad1af1) Arguments: /usr/bin/eiqbhbuvjy whoami 5225

eiqbhbuvjy New Fork (PID: 5421, Parent: 5419)

xor1.o New Fork (PID: 5424, Parent: 5225)

xor1.o New Fork (PID: 5425, Parent: 5424)

jwkufnauiy (PID: 5425, Parent: 5424, MD5: 0b7a5024eb6dcfe3f8625766490c4af0) Arguments: /usr/bin/jwkufnauiy sh 5225

jwkufnauiy New Fork (PID: 5426, Parent: 5425)

xor1.o New Fork (PID: 5427, Parent: 5225)

xor1.o New Fork (PID: 5428, Parent: 5427)

jwkufnauiy (PID: 5428, Parent: 5427, MD5: 0b7a5024eb6dcfe3f8625766490c4af0) Arguments: /usr/bin/jwkufnauiy "ps -ef" 5225

jwkufnauiy New Fork (PID: 5429, Parent: 5428)

xor1.o New Fork (PID: 5430, Parent: 5225)

xor1.o New Fork (PID: 5431, Parent: 5430)

jwkufnauiy (PID: 5431, Parent: 5430, MD5: 0b7a5024eb6dcfe3f8625766490c4af0) Arguments: /usr/bin/jwkufnauiy ls 5225

jwkufnauiy New Fork (PID: 5434, Parent: 5431)

xor1.o New Fork (PID: 5432, Parent: 5225)

xor1.o New Fork (PID: 5433, Parent: 5432)

jwkufnauiy (PID: 5433, Parent: 5432, MD5: 0b7a5024eb6dcfe3f8625766490c4af0) Arguments: /usr/bin/jwkufnauiy pwd 5225

jwkufnauiy New Fork (PID: 5437, Parent: 5433)

xor1.o New Fork (PID: 5435, Parent: 5225)

xor1.o New Fork (PID: 5436, Parent: 5435)

jwkufnauiy (PID: 5436, Parent: 5435, MD5: 0b7a5024eb6dcfe3f8625766490c4af0) Arguments: /usr/bin/jwkufnauiy su 5225

jwkufnauiy New Fork (PID: 5438, Parent: 5436)

xor1.o New Fork (PID: 5441, Parent: 5225)

xor1.o New Fork (PID: 5442, Parent: 5441)

dupayarwpd (PID: 5442, Parent: 5441, MD5: 487ac7753877cbe469dc3683259736b5) Arguments: /usr/bin/dupayarwpd pwd 5225

dupayarwpd New Fork (PID: 5443, Parent: 5442)

xor1.o New Fork (PID: 5444, Parent: 5225)

xor1.o New Fork (PID: 5445, Parent: 5444)

dupayarwpd (PID: 5445, Parent: 5444, MD5: 487ac7753877cbe469dc3683259736b5) Arguments: /usr/bin/dupayarwpd ls 5225

dupayarwpd New Fork (PID: 5446, Parent: 5445)

xor1.o New Fork (PID: 5447, Parent: 5225)

xor1.o New Fork (PID: 5448, Parent: 5447)

dupayarwpd (PID: 5448, Parent: 5447, MD5: 487ac7753877cbe469dc3683259736b5) Arguments: /usr/bin/dupayarwpd "grep \"A\"" 5225

dupayarwpd New Fork (PID: 5452, Parent: 5448)

xor1.o New Fork (PID: 5449, Parent: 5225)

xor1.o New Fork (PID: 5450, Parent: 5449)

dupayarwpd (PID: 5450, Parent: 5449, MD5: 487ac7753877cbe469dc3683259736b5) Arguments: /usr/bin/dupayarwpd "ls -la" 5225

dupayarwpd New Fork (PID: 5454, Parent: 5450)

xor1.o New Fork (PID: 5451, Parent: 5225)

xor1.o New Fork (PID: 5453, Parent: 5451)

dupayarwpd (PID: 5453, Parent: 5451, MD5: 487ac7753877cbe469dc3683259736b5) Arguments: /usr/bin/dupayarwpd su 5225

dupayarwpd New Fork (PID: 5455, Parent: 5453)

xor1.o New Fork (PID: 5461, Parent: 5225)

xor1.o New Fork (PID: 5462, Parent: 5461)

sqpwspsmaf (PID: 5462, Parent: 5461, MD5: ddca7a304042ef3365d8648db1030c16) Arguments: /usr/bin/sqpwspsmaf "ls -la" 5225

sqpwspsmaf New Fork (PID: 5463, Parent: 5462)

xor1.o New Fork (PID: 5464, Parent: 5225)

xor1.o New Fork (PID: 5465, Parent: 5464)

sqpwspsmaf (PID: 5465, Parent: 5464, MD5: ddca7a304042ef3365d8648db1030c16) Arguments: /usr/bin/sqpwspsmaf ls 5225

sqpwspsmaf New Fork (PID: 5469, Parent: 5465)

xor1.o New Fork (PID: 5466, Parent: 5225)

xor1.o New Fork (PID: 5467, Parent: 5466)

sqpwspsmaf (PID: 5467, Parent: 5466, MD5: ddca7a304042ef3365d8648db1030c16) Arguments: /usr/bin/sqpwspsmaf "cat resolv.conf" 5225

sqpwspsmaf New Fork (PID: 5473, Parent: 5467)

xor1.o New Fork (PID: 5468, Parent: 5225)

xor1.o New Fork (PID: 5470, Parent: 5468)

sqpwspsmaf (PID: 5470, Parent: 5468, MD5: ddca7a304042ef3365d8648db1030c16) Arguments: /usr/bin/sqpwspsmaf "cd /etc" 5225

sqpwspsmaf New Fork (PID: 5474, Parent: 5470)

xor1.o New Fork (PID: 5471, Parent: 5225)

xor1.o New Fork (PID: 5472, Parent: 5471)

sqpwspsmaf (PID: 5472, Parent: 5471, MD5: ddca7a304042ef3365d8648db1030c16) Arguments: /usr/bin/sqpwspsmaf "cat resolv.conf" 5225

sqpwspsmaf New Fork (PID: 5475, Parent: 5472)

xor1.o New Fork (PID: 5478, Parent: 5225)

xor1.o New Fork (PID: 5479, Parent: 5478)

mtxpozvnco (PID: 5479, Parent: 5478, MD5: e2c161f9d0d7f462eda76b47ce513269) Arguments: /usr/bin/mtxpozvnco bash 5225

mtxpozvnco New Fork (PID: 5480, Parent: 5479)

xor1.o New Fork (PID: 5481, Parent: 5225)

xor1.o New Fork (PID: 5482, Parent: 5481)

mtxpozvnco (PID: 5482, Parent: 5481, MD5: e2c161f9d0d7f462eda76b47ce513269) Arguments: /usr/bin/mtxpozvnco whoami 5225

mtxpozvnco New Fork (PID: 5484, Parent: 5482)

xor1.o New Fork (PID: 5483, Parent: 5225)

xor1.o New Fork (PID: 5485, Parent: 5483)

mtxpozvnco (PID: 5485, Parent: 5483, MD5: e2c161f9d0d7f462eda76b47ce513269) Arguments: /usr/bin/mtxpozvnco "route -n" 5225

mtxpozvnco New Fork (PID: 5488, Parent: 5485)

xor1.o New Fork (PID: 5486, Parent: 5225)

xor1.o New Fork (PID: 5487, Parent: 5486)

mtxpozvnco (PID: 5487, Parent: 5486, MD5: e2c161f9d0d7f462eda76b47ce513269) Arguments: /usr/bin/mtxpozvnco "echo \"find\"" 5225

mtxpozvnco New Fork (PID: 5491, Parent: 5487)

xor1.o New Fork (PID: 5489, Parent: 5225)

xor1.o New Fork (PID: 5490, Parent: 5489)

mtxpozvnco (PID: 5490, Parent: 5489, MD5: e2c161f9d0d7f462eda76b47ce513269) Arguments: /usr/bin/mtxpozvnco "ps -ef" 5225

mtxpozvnco New Fork (PID: 5492, Parent: 5490)

xor1.o New Fork (PID: 5495, Parent: 5225)

xor1.o New Fork (PID: 5496, Parent: 5495)

uvefoplmkt (PID: 5496, Parent: 5495, MD5: 3875f293a0148fe270e22a5cb87c38dc) Arguments: /usr/bin/uvefoplmkt "route -n" 5225

uvefoplmkt New Fork (PID: 5497, Parent: 5496)

xor1.o New Fork (PID: 5498, Parent: 5225)

xor1.o New Fork (PID: 5499, Parent: 5498)

uvefoplmkt (PID: 5499, Parent: 5498, MD5: 3875f293a0148fe270e22a5cb87c38dc) Arguments: /usr/bin/uvefoplmkt top 5225

uvefoplmkt New Fork (PID: 5502, Parent: 5499)

xor1.o New Fork (PID: 5500, Parent: 5225)

xor1.o New Fork (PID: 5501, Parent: 5500)

uvefoplmkt (PID: 5501, Parent: 5500, MD5: 3875f293a0148fe270e22a5cb87c38dc) Arguments: /usr/bin/uvefoplmkt "ifconfig eth0" 5225

uvefoplmkt New Fork (PID: 5505, Parent: 5501)

xor1.o New Fork (PID: 5503, Parent: 5225)

xor1.o New Fork (PID: 5504, Parent: 5503)

uvefoplmkt (PID: 5504, Parent: 5503, MD5: 3875f293a0148fe270e22a5cb87c38dc) Arguments: /usr/bin/uvefoplmkt uptime 5225

uvefoplmkt New Fork (PID: 5506, Parent: 5504)

xor1.o New Fork (PID: 5507, Parent: 5225)

xor1.o New Fork (PID: 5508, Parent: 5507)

uvefoplmkt (PID: 5508, Parent: 5507, MD5: 3875f293a0148fe270e22a5cb87c38dc) Arguments: /usr/bin/uvefoplmkt id 5225

uvefoplmkt New Fork (PID: 5509, Parent: 5508)

xor1.o New Fork (PID: 5513, Parent: 5225)

xor1.o New Fork (PID: 5514, Parent: 5513)

wftusxulhl (PID: 5514, Parent: 5513, MD5: 5b08aaf6d666324f456c95522d18df97) Arguments: /usr/bin/wftusxulhl "ls -la" 5225

wftusxulhl New Fork (PID: 5515, Parent: 5514)

xor1.o New Fork (PID: 5516, Parent: 5225)

xor1.o New Fork (PID: 5517, Parent: 5516)

wftusxulhl (PID: 5517, Parent: 5516, MD5: 5b08aaf6d666324f456c95522d18df97) Arguments: /usr/bin/wftusxulhl who 5225

wftusxulhl New Fork (PID: 5520, Parent: 5517)

xor1.o New Fork (PID: 5518, Parent: 5225)

xor1.o New Fork (PID: 5519, Parent: 5518)

wftusxulhl (PID: 5519, Parent: 5518, MD5: 5b08aaf6d666324f456c95522d18df97) Arguments: /usr/bin/wftusxulhl bash 5225

wftusxulhl New Fork (PID: 5523, Parent: 5519)

xor1.o New Fork (PID: 5521, Parent: 5225)

xor1.o New Fork (PID: 5522, Parent: 5521)

wftusxulhl (PID: 5522, Parent: 5521, MD5: 5b08aaf6d666324f456c95522d18df97) Arguments: /usr/bin/wftusxulhl "ps -ef" 5225

wftusxulhl New Fork (PID: 5524, Parent: 5522)

xor1.o New Fork (PID: 5525, Parent: 5225)

xor1.o New Fork (PID: 5526, Parent: 5525)

wftusxulhl (PID: 5526, Parent: 5525, MD5: 5b08aaf6d666324f456c95522d18df97) Arguments: /usr/bin/wftusxulhl "echo \"find\"" 5225

wftusxulhl New Fork (PID: 5527, Parent: 5526)

xor1.o New Fork (PID: 5530, Parent: 5225)

xor1.o New Fork (PID: 5531, Parent: 5530)

whjuunzbrd (PID: 5531, Parent: 5530, MD5: 0bb4342d60a95c4d2929555dd4e25171) Arguments: /usr/bin/whjuunzbrd ifconfig 5225

whjuunzbrd New Fork (PID: 5532, Parent: 5531)

xor1.o New Fork (PID: 5533, Parent: 5225)

xor1.o New Fork (PID: 5534, Parent: 5533)

whjuunzbrd (PID: 5534, Parent: 5533, MD5: 0bb4342d60a95c4d2929555dd4e25171) Arguments: /usr/bin/whjuunzbrd "ps -ef" 5225

whjuunzbrd New Fork (PID: 5537, Parent: 5534)

xor1.o New Fork (PID: 5535, Parent: 5225)

xor1.o New Fork (PID: 5536, Parent: 5535)

whjuunzbrd (PID: 5536, Parent: 5535, MD5: 0bb4342d60a95c4d2929555dd4e25171) Arguments: /usr/bin/whjuunzbrd ls 5225

whjuunzbrd New Fork (PID: 5540, Parent: 5536)

xor1.o New Fork (PID: 5538, Parent: 5225)

xor1.o New Fork (PID: 5539, Parent: 5538)

whjuunzbrd (PID: 5539, Parent: 5538, MD5: 0bb4342d60a95c4d2929555dd4e25171) Arguments: /usr/bin/whjuunzbrd "grep \"A\"" 5225

whjuunzbrd New Fork (PID: 5543, Parent: 5539)

xor1.o New Fork (PID: 5541, Parent: 5225)

xor1.o New Fork (PID: 5542, Parent: 5541)

whjuunzbrd (PID: 5542, Parent: 5541, MD5: 0bb4342d60a95c4d2929555dd4e25171) Arguments: /usr/bin/whjuunzbrd "netstat -antop" 5225

whjuunzbrd New Fork (PID: 5546, Parent: 5542)

xor1.o New Fork (PID: 5548, Parent: 5225)

xor1.o New Fork (PID: 5549, Parent: 5548)

ljtvmuptjr (PID: 5549, Parent: 5548, MD5: 18050908179e638d911281b1da167ba5) Arguments: /usr/bin/ljtvmuptjr "route -n" 5225

ljtvmuptjr New Fork (PID: 5550, Parent: 5549)

xor1.o New Fork (PID: 5551, Parent: 5225)

xor1.o New Fork (PID: 5552, Parent: 5551)

ljtvmuptjr (PID: 5552, Parent: 5551, MD5: 18050908179e638d911281b1da167ba5) Arguments: /usr/bin/ljtvmuptjr "ifconfig eth0" 5225

ljtvmuptjr New Fork (PID: 5553, Parent: 5552)

xor1.o New Fork (PID: 5554, Parent: 5225)

xor1.o New Fork (PID: 5555, Parent: 5554)

ljtvmuptjr (PID: 5555, Parent: 5554, MD5: 18050908179e638d911281b1da167ba5) Arguments: /usr/bin/ljtvmuptjr who 5225

ljtvmuptjr New Fork (PID: 5560, Parent: 5555)

xor1.o New Fork (PID: 5558, Parent: 5225)

xor1.o New Fork (PID: 5559, Parent: 5558)

ljtvmuptjr (PID: 5559, Parent: 1860, MD5: 18050908179e638d911281b1da167ba5) Arguments: /usr/bin/ljtvmuptjr whoami 5225

ljtvmuptjr New Fork (PID: 5563, Parent: 5559)

xor1.o New Fork (PID: 5561, Parent: 5225)

xor1.o New Fork (PID: 5562, Parent: 5561)

ljtvmuptjr (PID: 5562, Parent: 1860, MD5: 18050908179e638d911281b1da167ba5) Arguments: /usr/bin/ljtvmuptjr gnome-terminal 5225

ljtvmuptjr New Fork (PID: 5564, Parent: 5562)

xor1.o New Fork (PID: 5569, Parent: 5225)

xor1.o New Fork (PID: 5570, Parent: 5569)

ignsgczdve (PID: 5570, Parent: 5569, MD5: 06d4c7964c243ed528dbfb46793775ec) Arguments: /usr/bin/ignsgczdve "sleep 1" 5225

ignsgczdve New Fork (PID: 5575, Parent: 5570)

xor1.o New Fork (PID: 5571, Parent: 5225)

xor1.o New Fork (PID: 5572, Parent: 5571)

ignsgczdve (PID: 5572, Parent: 1860, MD5: 06d4c7964c243ed528dbfb46793775ec) Arguments: /usr/bin/ignsgczdve uptime 5225

ignsgczdve New Fork (PID: 5578, Parent: 5572)

xor1.o New Fork (PID: 5573, Parent: 5225)

xor1.o New Fork (PID: 5574, Parent: 5573)

ignsgczdve (PID: 5574, Parent: 1860, MD5: 06d4c7964c243ed528dbfb46793775ec) Arguments: /usr/bin/ignsgczdve "grep \"A\"" 5225

ignsgczdve New Fork (PID: 5581, Parent: 5574)

xor1.o New Fork (PID: 5576, Parent: 5225)

xor1.o New Fork (PID: 5577, Parent: 5576)

ignsgczdve (PID: 5577, Parent: 1860, MD5: 06d4c7964c243ed528dbfb46793775ec) Arguments: /usr/bin/ignsgczdve "echo \"find\"" 5225

ignsgczdve New Fork (PID: 5582, Parent: 5577)

xor1.o New Fork (PID: 5579, Parent: 5225)

xor1.o New Fork (PID: 5580, Parent: 5579)

ignsgczdve (PID: 5580, Parent: 1860, MD5: 06d4c7964c243ed528dbfb46793775ec) Arguments: /usr/bin/ignsgczdve "ps -ef" 5225

ignsgczdve New Fork (PID: 5583, Parent: 5580)

xor1.o New Fork (PID: 5586, Parent: 5225)

xor1.o New Fork (PID: 5587, Parent: 5586)

pblqlvjegj (PID: 5587, Parent: 5586, MD5: 9160bbfcba108335f36f10633ff2706d) Arguments: /usr/bin/pblqlvjegj ls 5225

pblqlvjegj New Fork (PID: 5592, Parent: 5587)

xor1.o New Fork (PID: 5588, Parent: 5225)

xor1.o New Fork (PID: 5589, Parent: 5588)

pblqlvjegj (PID: 5589, Parent: 1860, MD5: 9160bbfcba108335f36f10633ff2706d) Arguments: /usr/bin/pblqlvjegj whoami 5225

pblqlvjegj New Fork (PID: 5595, Parent: 5589)

xor1.o New Fork (PID: 5590, Parent: 5225)

xor1.o New Fork (PID: 5591, Parent: 5590)

pblqlvjegj (PID: 5591, Parent: 1860, MD5: 9160bbfcba108335f36f10633ff2706d) Arguments: /usr/bin/pblqlvjegj uptime 5225

pblqlvjegj New Fork (PID: 5598, Parent: 5591)

xor1.o New Fork (PID: 5593, Parent: 5225)

xor1.o New Fork (PID: 5594, Parent: 5593)

pblqlvjegj (PID: 5594, Parent: 1860, MD5: 9160bbfcba108335f36f10633ff2706d) Arguments: /usr/bin/pblqlvjegj "cat resolv.conf" 5225

pblqlvjegj New Fork (PID: 5599, Parent: 5594)

xor1.o New Fork (PID: 5596, Parent: 5225)

xor1.o New Fork (PID: 5597, Parent: 5596)

pblqlvjegj (PID: 5597, Parent: 1860, MD5: 9160bbfcba108335f36f10633ff2706d) Arguments: /usr/bin/pblqlvjegj whoami 5225

pblqlvjegj New Fork (PID: 5600, Parent: 5597)

xor1.o New Fork (PID: 5603, Parent: 5225)

xor1.o New Fork (PID: 5604, Parent: 5603)

iucjpzjgvn (PID: 5604, Parent: 1860, MD5: 7c52ae3a9b63b16ec7417276689dc2de) Arguments: /usr/bin/iucjpzjgvn "ifconfig eth0" 5225

iucjpzjgvn New Fork (PID: 5609, Parent: 5604)

xor1.o New Fork (PID: 5605, Parent: 5225)

xor1.o New Fork (PID: 5606, Parent: 5605)

iucjpzjgvn (PID: 5606, Parent: 5605, MD5: 7c52ae3a9b63b16ec7417276689dc2de) Arguments: /usr/bin/iucjpzjgvn "netstat -an" 5225

iucjpzjgvn New Fork (PID: 5612, Parent: 5606)

xor1.o New Fork (PID: 5607, Parent: 5225)

xor1.o New Fork (PID: 5608, Parent: 5607)

iucjpzjgvn (PID: 5608, Parent: 1860, MD5: 7c52ae3a9b63b16ec7417276689dc2de) Arguments: /usr/bin/iucjpzjgvn "ifconfig eth0" 5225

iucjpzjgvn New Fork (PID: 5615, Parent: 5608)

xor1.o New Fork (PID: 5610, Parent: 5225)

xor1.o New Fork (PID: 5611, Parent: 5610)

iucjpzjgvn (PID: 5611, Parent: 1860, MD5: 7c52ae3a9b63b16ec7417276689dc2de) Arguments: /usr/bin/iucjpzjgvn uptime 5225

iucjpzjgvn New Fork (PID: 5616, Parent: 5611)

xor1.o New Fork (PID: 5613, Parent: 5225)

xor1.o New Fork (PID: 5614, Parent: 5613)

iucjpzjgvn (PID: 5614, Parent: 1860, MD5: 7c52ae3a9b63b16ec7417276689dc2de) Arguments: /usr/bin/iucjpzjgvn "ifconfig eth0" 5225

iucjpzjgvn New Fork (PID: 5617, Parent: 5614)

systemd New Fork (PID: 5237, Parent: 5236)

snapd-env-generator (PID: 5237, Parent: 5236, MD5: 3633b075f40283ec938a2a6a89671b0e) Arguments: /usr/lib/systemd/system-environment-generators/snapd-env-generator

cleanup

Yara Signatures

Initial Sample

Source	Rule	Description	Author	Strings
xor1.o	JoeSecurity_XorDDoS	Yara detected XorDDoS Bot	Joe Security
xor1.o	MALWARE_Linux_XORDDoS	Detects XORDDoS	ditekSHen	0x84cfb:$s1: for i in `cat /proc/net/dev\|grep :\|awk -F: {'print $1'}`; do ifconfig $i up& done 0x84d4d:$s2: cp /lib/libudev.so /lib/libudev.so.6 0x696f8:$s3: sed -i '/\/etc\/cron.hourly\/gcc.sh/d' /etc/crontab && echo '/3 * * * root /etc/cron.hourly/gcc.sh' >> /etc/crontab 0x698a9:$s4: User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; SV1; TencentTraveler ; .NET CLR 1.1.4322)

Dropped Files

Source	Rule	Description	Author	Strings
/usr/bin/jwkufnauiy	JoeSecurity_XorDDoS	Yara detected XorDDoS Bot	Joe Security
/usr/bin/jwkufnauiy	MALWARE_Linux_XORDDoS	Detects XORDDoS	ditekSHen	0x84cfb:$s1: for i in `cat /proc/net/dev\|grep :\|awk -F: {'print $1'}`; do ifconfig $i up& done 0x84d4d:$s2: cp /lib/libudev.so /lib/libudev.so.6 0x696f8:$s3: sed -i '/\/etc\/cron.hourly\/gcc.sh/d' /etc/crontab && echo '/3 * * * root /etc/cron.hourly/gcc.sh' >> /etc/crontab 0x698a9:$s4: User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; SV1; TencentTraveler ; .NET CLR 1.1.4322)
/usr/bin/iqmzdzzagu	JoeSecurity_XorDDoS	Yara detected XorDDoS Bot	Joe Security
/usr/bin/iqmzdzzagu	MALWARE_Linux_XORDDoS	Detects XORDDoS	ditekSHen	0x84cfb:$s1: for i in `cat /proc/net/dev\|grep :\|awk -F: {'print $1'}`; do ifconfig $i up& done 0x84d4d:$s2: cp /lib/libudev.so /lib/libudev.so.6 0x696f8:$s3: sed -i '/\/etc\/cron.hourly\/gcc.sh/d' /etc/crontab && echo '/3 * * * root /etc/cron.hourly/gcc.sh' >> /etc/crontab 0x698a9:$s4: User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; SV1; TencentTraveler ; .NET CLR 1.1.4322)
/usr/bin/jnoxdslvzn	JoeSecurity_XorDDoS	Yara detected XorDDoS Bot	Joe Security
/usr/bin/jnoxdslvzn	MALWARE_Linux_XORDDoS	Detects XORDDoS	ditekSHen	0x84cfb:$s1: for i in `cat /proc/net/dev\|grep :\|awk -F: {'print $1'}`; do ifconfig $i up& done 0x84d4d:$s2: cp /lib/libudev.so /lib/libudev.so.6 0x696f8:$s3: sed -i '/\/etc\/cron.hourly\/gcc.sh/d' /etc/crontab && echo '/3 * * * root /etc/cron.hourly/gcc.sh' >> /etc/crontab 0x698a9:$s4: User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; SV1; TencentTraveler ; .NET CLR 1.1.4322)
/usr/bin/wftusxulhl	JoeSecurity_XorDDoS	Yara detected XorDDoS Bot	Joe Security
/usr/bin/uvefoplmkt	JoeSecurity_XorDDoS	Yara detected XorDDoS Bot	Joe Security
/usr/bin/uvefoplmkt	MALWARE_Linux_XORDDoS	Detects XORDDoS	ditekSHen	0x84cfb:$s1: for i in `cat /proc/net/dev\|grep :\|awk -F: {'print $1'}`; do ifconfig $i up& done 0x84d4d:$s2: cp /lib/libudev.so /lib/libudev.so.6 0x696f8:$s3: sed -i '/\/etc\/cron.hourly\/gcc.sh/d' /etc/crontab && echo '/3 * * * root /etc/cron.hourly/gcc.sh' >> /etc/crontab 0x698a9:$s4: User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; SV1; TencentTraveler ; .NET CLR 1.1.4322)
/usr/bin/dupayarwpd	JoeSecurity_XorDDoS	Yara detected XorDDoS Bot	Joe Security
/usr/bin/dupayarwpd	MALWARE_Linux_XORDDoS	Detects XORDDoS	ditekSHen	0x84cfb:$s1: for i in `cat /proc/net/dev\|grep :\|awk -F: {'print $1'}`; do ifconfig $i up& done 0x84d4d:$s2: cp /lib/libudev.so /lib/libudev.so.6 0x696f8:$s3: sed -i '/\/etc\/cron.hourly\/gcc.sh/d' /etc/crontab && echo '/3 * * * root /etc/cron.hourly/gcc.sh' >> /etc/crontab 0x698a9:$s4: User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; SV1; TencentTraveler ; .NET CLR 1.1.4322)
/usr/bin/mtxpozvnco	JoeSecurity_XorDDoS	Yara detected XorDDoS Bot	Joe Security
/usr/bin/mtxpozvnco	MALWARE_Linux_XORDDoS	Detects XORDDoS	ditekSHen	0x84cfb:$s1: for i in `cat /proc/net/dev\|grep :\|awk -F: {'print $1'}`; do ifconfig $i up& done 0x84d4d:$s2: cp /lib/libudev.so /lib/libudev.so.6 0x696f8:$s3: sed -i '/\/etc\/cron.hourly\/gcc.sh/d' /etc/crontab && echo '/3 * * * root /etc/cron.hourly/gcc.sh' >> /etc/crontab 0x698a9:$s4: User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; SV1; TencentTraveler ; .NET CLR 1.1.4322)
/usr/bin/eiqbhbuvjy	JoeSecurity_XorDDoS	Yara detected XorDDoS Bot	Joe Security
/usr/bin/eiqbhbuvjy	MALWARE_Linux_XORDDoS	Detects XORDDoS	ditekSHen	0x84cfb:$s1: for i in `cat /proc/net/dev\|grep :\|awk -F: {'print $1'}`; do ifconfig $i up& done 0x84d4d:$s2: cp /lib/libudev.so /lib/libudev.so.6 0x696f8:$s3: sed -i '/\/etc\/cron.hourly\/gcc.sh/d' /etc/crontab && echo '/3 * * * root /etc/cron.hourly/gcc.sh' >> /etc/crontab 0x698a9:$s4: User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; SV1; TencentTraveler ; .NET CLR 1.1.4322)
/usr/bin/vdplvwquwd	JoeSecurity_XorDDoS	Yara detected XorDDoS Bot	Joe Security
/usr/bin/vdplvwquwd	MALWARE_Linux_XORDDoS	Detects XORDDoS	ditekSHen	0x84cfb:$s1: for i in `cat /proc/net/dev\|grep :\|awk -F: {'print $1'}`; do ifconfig $i up& done 0x84d4d:$s2: cp /lib/libudev.so /lib/libudev.so.6 0x696f8:$s3: sed -i '/\/etc\/cron.hourly\/gcc.sh/d' /etc/crontab && echo '/3 * * * root /etc/cron.hourly/gcc.sh' >> /etc/crontab 0x698a9:$s4: User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; SV1; TencentTraveler ; .NET CLR 1.1.4322)
/usr/bin/mbycomlghf	JoeSecurity_XorDDoS	Yara detected XorDDoS Bot	Joe Security
/usr/bin/mbycomlghf	MALWARE_Linux_XORDDoS	Detects XORDDoS	ditekSHen	0x84cfb:$s1: for i in `cat /proc/net/dev\|grep :\|awk -F: {'print $1'}`; do ifconfig $i up& done 0x84d4d:$s2: cp /lib/libudev.so /lib/libudev.so.6 0x696f8:$s3: sed -i '/\/etc\/cron.hourly\/gcc.sh/d' /etc/crontab && echo '/3 * * * root /etc/cron.hourly/gcc.sh' >> /etc/crontab 0x698a9:$s4: User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; SV1; TencentTraveler ; .NET CLR 1.1.4322)
/usr/lib/libudev.so	JoeSecurity_XorDDoS	Yara detected XorDDoS Bot	Joe Security
/usr/lib/libudev.so	MALWARE_Linux_XORDDoS	Detects XORDDoS	ditekSHen	0x84cfb:$s1: for i in `cat /proc/net/dev\|grep :\|awk -F: {'print $1'}`; do ifconfig $i up& done 0x84d4d:$s2: cp /lib/libudev.so /lib/libudev.so.6 0x696f8:$s3: sed -i '/\/etc\/cron.hourly\/gcc.sh/d' /etc/crontab && echo '/3 * * * root /etc/cron.hourly/gcc.sh' >> /etc/crontab 0x698a9:$s4: User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; SV1; TencentTraveler ; .NET CLR 1.1.4322)
/usr/bin/sqpwspsmaf	JoeSecurity_XorDDoS	Yara detected XorDDoS Bot	Joe Security
/usr/bin/sqpwspsmaf	MALWARE_Linux_XORDDoS	Detects XORDDoS	ditekSHen	0x84cfb:$s1: for i in `cat /proc/net/dev\|grep :\|awk -F: {'print $1'}`; do ifconfig $i up& done 0x84d4d:$s2: cp /lib/libudev.so /lib/libudev.so.6 0x696f8:$s3: sed -i '/\/etc\/cron.hourly\/gcc.sh/d' /etc/crontab && echo '/3 * * * root /etc/cron.hourly/gcc.sh' >> /etc/crontab 0x698a9:$s4: User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; SV1; TencentTraveler ; .NET CLR 1.1.4322)
/usr/bin/ralgwrxppb	JoeSecurity_XorDDoS	Yara detected XorDDoS Bot	Joe Security
/usr/bin/ifkpwnmtjm	JoeSecurity_XorDDoS	Yara detected XorDDoS Bot	Joe Security
/usr/bin/ralgwrxppb	MALWARE_Linux_XORDDoS	Detects XORDDoS	ditekSHen	0x84cfb:$s1: for i in `cat /proc/net/dev\|grep :\|awk -F: {'print $1'}`; do ifconfig $i up& done 0x84d4d:$s2: cp /lib/libudev.so /lib/libudev.so.6 0x696f8:$s3: sed -i '/\/etc\/cron.hourly\/gcc.sh/d' /etc/crontab && echo '/3 * * * root /etc/cron.hourly/gcc.sh' >> /etc/crontab 0x698a9:$s4: User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; SV1; TencentTraveler ; .NET CLR 1.1.4322)
/usr/bin/ifkpwnmtjm	MALWARE_Linux_XORDDoS	Detects XORDDoS	ditekSHen	0x84cfb:$s1: for i in `cat /proc/net/dev\|grep :\|awk -F: {'print $1'}`; do ifconfig $i up& done 0x84d4d:$s2: cp /lib/libudev.so /lib/libudev.so.6 0x696f8:$s3: sed -i '/\/etc\/cron.hourly\/gcc.sh/d' /etc/crontab && echo '/3 * * * root /etc/cron.hourly/gcc.sh' >> /etc/crontab 0x698a9:$s4: User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; SV1; TencentTraveler ; .NET CLR 1.1.4322)
/usr/bin/wkuqobksgz	JoeSecurity_XorDDoS	Yara detected XorDDoS Bot	Joe Security
/usr/bin/wkuqobksgz	MALWARE_Linux_XORDDoS	Detects XORDDoS	ditekSHen	0x84cfb:$s1: for i in `cat /proc/net/dev\|grep :\|awk -F: {'print $1'}`; do ifconfig $i up& done 0x84d4d:$s2: cp /lib/libudev.so /lib/libudev.so.6 0x696f8:$s3: sed -i '/\/etc\/cron.hourly\/gcc.sh/d' /etc/crontab && echo '/3 * * * root /etc/cron.hourly/gcc.sh' >> /etc/crontab 0x698a9:$s4: User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; SV1; TencentTraveler ; .NET CLR 1.1.4322)
/usr/bin/cglyyshjyz	JoeSecurity_XorDDoS	Yara detected XorDDoS Bot	Joe Security
/usr/bin/cglyyshjyz	MALWARE_Linux_XORDDoS	Detects XORDDoS	ditekSHen	0x84cfb:$s1: for i in `cat /proc/net/dev\|grep :\|awk -F: {'print $1'}`; do ifconfig $i up& done 0x84d4d:$s2: cp /lib/libudev.so /lib/libudev.so.6 0x696f8:$s3: sed -i '/\/etc\/cron.hourly\/gcc.sh/d' /etc/crontab && echo '/3 * * * root /etc/cron.hourly/gcc.sh' >> /etc/crontab 0x698a9:$s4: User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; SV1; TencentTraveler ; .NET CLR 1.1.4322)
Click to see the 26 entries

Memory Dumps

Source	Rule	Description	Author	Strings
5226.1.000000001a887bdc.0000000047f81f2f.r-x.sdmp	JoeSecurity_XorDDoS	Yara detected XorDDoS Bot	Joe Security
5226.1.000000001a887bdc.0000000047f81f2f.r-x.sdmp	MALWARE_Linux_XORDDoS	Detects XORDDoS	ditekSHen	0x84cfb:$s1: for i in `cat /proc/net/dev\|grep :\|awk -F: {'print $1'}`; do ifconfig $i up& done 0x84d4d:$s2: cp /lib/libudev.so /lib/libudev.so.6 0x696f8:$s3: sed -i '/\/etc\/cron.hourly\/gcc.sh/d' /etc/crontab && echo '/3 * * * root /etc/cron.hourly/gcc.sh' >> /etc/crontab 0x698a9:$s4: User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; SV1; TencentTraveler ; .NET CLR 1.1.4322)
5362.1.000000001a887bdc.0000000047f81f2f.r-x.sdmp	JoeSecurity_XorDDoS	Yara detected XorDDoS Bot	Joe Security
5362.1.000000001a887bdc.0000000047f81f2f.r-x.sdmp	MALWARE_Linux_XORDDoS	Detects XORDDoS	ditekSHen	0x84cfb:$s1: for i in `cat /proc/net/dev\|grep :\|awk -F: {'print $1'}`; do ifconfig $i up& done 0x84d4d:$s2: cp /lib/libudev.so /lib/libudev.so.6 0x696f8:$s3: sed -i '/\/etc\/cron.hourly\/gcc.sh/d' /etc/crontab && echo '/3 * * * root /etc/cron.hourly/gcc.sh' >> /etc/crontab 0x698a9:$s4: User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; SV1; TencentTraveler ; .NET CLR 1.1.4322)
5483.1.000000001a887bdc.0000000047f81f2f.r-x.sdmp	JoeSecurity_XorDDoS	Yara detected XorDDoS Bot	Joe Security
5483.1.000000001a887bdc.0000000047f81f2f.r-x.sdmp	MALWARE_Linux_XORDDoS	Detects XORDDoS	ditekSHen	0x84cfb:$s1: for i in `cat /proc/net/dev\|grep :\|awk -F: {'print $1'}`; do ifconfig $i up& done 0x84d4d:$s2: cp /lib/libudev.so /lib/libudev.so.6 0x696f8:$s3: sed -i '/\/etc\/cron.hourly\/gcc.sh/d' /etc/crontab && echo '/3 * * * root /etc/cron.hourly/gcc.sh' >> /etc/crontab 0x698a9:$s4: User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; SV1; TencentTraveler ; .NET CLR 1.1.4322)
5498.1.000000001a887bdc.0000000047f81f2f.r-x.sdmp	JoeSecurity_XorDDoS	Yara detected XorDDoS Bot	Joe Security
5498.1.000000001a887bdc.0000000047f81f2f.r-x.sdmp	MALWARE_Linux_XORDDoS	Detects XORDDoS	ditekSHen	0x84cfb:$s1: for i in `cat /proc/net/dev\|grep :\|awk -F: {'print $1'}`; do ifconfig $i up& done 0x84d4d:$s2: cp /lib/libudev.so /lib/libudev.so.6 0x696f8:$s3: sed -i '/\/etc\/cron.hourly\/gcc.sh/d' /etc/crontab && echo '/3 * * * root /etc/cron.hourly/gcc.sh' >> /etc/crontab 0x698a9:$s4: User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; SV1; TencentTraveler ; .NET CLR 1.1.4322)
5322.1.000000001a887bdc.0000000047f81f2f.r-x.sdmp	JoeSecurity_XorDDoS	Yara detected XorDDoS Bot	Joe Security
5322.1.000000001a887bdc.0000000047f81f2f.r-x.sdmp	MALWARE_Linux_XORDDoS	Detects XORDDoS	ditekSHen	0x84cfb:$s1: for i in `cat /proc/net/dev\|grep :\|awk -F: {'print $1'}`; do ifconfig $i up& done 0x84d4d:$s2: cp /lib/libudev.so /lib/libudev.so.6 0x696f8:$s3: sed -i '/\/etc\/cron.hourly\/gcc.sh/d' /etc/crontab && echo '/3 * * * root /etc/cron.hourly/gcc.sh' >> /etc/crontab 0x698a9:$s4: User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; SV1; TencentTraveler ; .NET CLR 1.1.4322)
5415.1.000000001a887bdc.0000000047f81f2f.r-x.sdmp	JoeSecurity_XorDDoS	Yara detected XorDDoS Bot	Joe Security
5415.1.000000001a887bdc.0000000047f81f2f.r-x.sdmp	MALWARE_Linux_XORDDoS	Detects XORDDoS	ditekSHen	0x84cfb:$s1: for i in `cat /proc/net/dev\|grep :\|awk -F: {'print $1'}`; do ifconfig $i up& done 0x84d4d:$s2: cp /lib/libudev.so /lib/libudev.so.6 0x696f8:$s3: sed -i '/\/etc\/cron.hourly\/gcc.sh/d' /etc/crontab && echo '/3 * * * root /etc/cron.hourly/gcc.sh' >> /etc/crontab 0x698a9:$s4: User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; SV1; TencentTraveler ; .NET CLR 1.1.4322)
5507.1.000000001a887bdc.0000000047f81f2f.r-x.sdmp	JoeSecurity_XorDDoS	Yara detected XorDDoS Bot	Joe Security
5507.1.000000001a887bdc.0000000047f81f2f.r-x.sdmp	MALWARE_Linux_XORDDoS	Detects XORDDoS	ditekSHen	0x84cfb:$s1: for i in `cat /proc/net/dev\|grep :\|awk -F: {'print $1'}`; do ifconfig $i up& done 0x84d4d:$s2: cp /lib/libudev.so /lib/libudev.so.6 0x696f8:$s3: sed -i '/\/etc\/cron.hourly\/gcc.sh/d' /etc/crontab && echo '/3 * * * root /etc/cron.hourly/gcc.sh' >> /etc/crontab 0x698a9:$s4: User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; SV1; TencentTraveler ; .NET CLR 1.1.4322)
5518.1.000000001a887bdc.0000000047f81f2f.r-x.sdmp	JoeSecurity_XorDDoS	Yara detected XorDDoS Bot	Joe Security
5518.1.000000001a887bdc.0000000047f81f2f.r-x.sdmp	MALWARE_Linux_XORDDoS	Detects XORDDoS	ditekSHen	0x84cfb:$s1: for i in `cat /proc/net/dev\|grep :\|awk -F: {'print $1'}`; do ifconfig $i up& done 0x84d4d:$s2: cp /lib/libudev.so /lib/libudev.so.6 0x696f8:$s3: sed -i '/\/etc\/cron.hourly\/gcc.sh/d' /etc/crontab && echo '/3 * * * root /etc/cron.hourly/gcc.sh' >> /etc/crontab 0x698a9:$s4: User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; SV1; TencentTraveler ; .NET CLR 1.1.4322)
5430.1.000000001a887bdc.0000000047f81f2f.r-x.sdmp	JoeSecurity_XorDDoS	Yara detected XorDDoS Bot	Joe Security
5430.1.000000001a887bdc.0000000047f81f2f.r-x.sdmp	MALWARE_Linux_XORDDoS	Detects XORDDoS	ditekSHen	0x84cfb:$s1: for i in `cat /proc/net/dev\|grep :\|awk -F: {'print $1'}`; do ifconfig $i up& done 0x84d4d:$s2: cp /lib/libudev.so /lib/libudev.so.6 0x696f8:$s3: sed -i '/\/etc\/cron.hourly\/gcc.sh/d' /etc/crontab && echo '/3 * * * root /etc/cron.hourly/gcc.sh' >> /etc/crontab 0x698a9:$s4: User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; SV1; TencentTraveler ; .NET CLR 1.1.4322)
5342.1.000000001a887bdc.0000000047f81f2f.r-x.sdmp	JoeSecurity_XorDDoS	Yara detected XorDDoS Bot	Joe Security
5342.1.000000001a887bdc.0000000047f81f2f.r-x.sdmp	MALWARE_Linux_XORDDoS	Detects XORDDoS	ditekSHen	0x84cfb:$s1: for i in `cat /proc/net/dev\|grep :\|awk -F: {'print $1'}`; do ifconfig $i up& done 0x84d4d:$s2: cp /lib/libudev.so /lib/libudev.so.6 0x696f8:$s3: sed -i '/\/etc\/cron.hourly\/gcc.sh/d' /etc/crontab && echo '/3 * * * root /etc/cron.hourly/gcc.sh' >> /etc/crontab 0x698a9:$s4: User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; SV1; TencentTraveler ; .NET CLR 1.1.4322)
5444.1.000000001a887bdc.0000000047f81f2f.r-x.sdmp	JoeSecurity_XorDDoS	Yara detected XorDDoS Bot	Joe Security
5444.1.000000001a887bdc.0000000047f81f2f.r-x.sdmp	MALWARE_Linux_XORDDoS	Detects XORDDoS	ditekSHen	0x84cfb:$s1: for i in `cat /proc/net/dev\|grep :\|awk -F: {'print $1'}`; do ifconfig $i up& done 0x84d4d:$s2: cp /lib/libudev.so /lib/libudev.so.6 0x696f8:$s3: sed -i '/\/etc\/cron.hourly\/gcc.sh/d' /etc/crontab && echo '/3 * * * root /etc/cron.hourly/gcc.sh' >> /etc/crontab 0x698a9:$s4: User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; SV1; TencentTraveler ; .NET CLR 1.1.4322)
5427.1.000000001a887bdc.0000000047f81f2f.r-x.sdmp	JoeSecurity_XorDDoS	Yara detected XorDDoS Bot	Joe Security
5427.1.000000001a887bdc.0000000047f81f2f.r-x.sdmp	MALWARE_Linux_XORDDoS	Detects XORDDoS	ditekSHen	0x84cfb:$s1: for i in `cat /proc/net/dev\|grep :\|awk -F: {'print $1'}`; do ifconfig $i up& done 0x84d4d:$s2: cp /lib/libudev.so /lib/libudev.so.6 0x696f8:$s3: sed -i '/\/etc\/cron.hourly\/gcc.sh/d' /etc/crontab && echo '/3 * * * root /etc/cron.hourly/gcc.sh' >> /etc/crontab 0x698a9:$s4: User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; SV1; TencentTraveler ; .NET CLR 1.1.4322)
5263.1.000000001a887bdc.0000000047f81f2f.r-x.sdmp	JoeSecurity_XorDDoS	Yara detected XorDDoS Bot	Joe Security
5263.1.000000001a887bdc.0000000047f81f2f.r-x.sdmp	MALWARE_Linux_XORDDoS	Detects XORDDoS	ditekSHen	0x84cfb:$s1: for i in `cat /proc/net/dev\|grep :\|awk -F: {'print $1'}`; do ifconfig $i up& done 0x84d4d:$s2: cp /lib/libudev.so /lib/libudev.so.6 0x696f8:$s3: sed -i '/\/etc\/cron.hourly\/gcc.sh/d' /etc/crontab && echo '/3 * * * root /etc/cron.hourly/gcc.sh' >> /etc/crontab 0x698a9:$s4: User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; SV1; TencentTraveler ; .NET CLR 1.1.4322)
5466.1.000000001a887bdc.0000000047f81f2f.r-x.sdmp	JoeSecurity_XorDDoS	Yara detected XorDDoS Bot	Joe Security
5466.1.000000001a887bdc.0000000047f81f2f.r-x.sdmp	MALWARE_Linux_XORDDoS	Detects XORDDoS	ditekSHen	0x84cfb:$s1: for i in `cat /proc/net/dev\|grep :\|awk -F: {'print $1'}`; do ifconfig $i up& done 0x84d4d:$s2: cp /lib/libudev.so /lib/libudev.so.6 0x696f8:$s3: sed -i '/\/etc\/cron.hourly\/gcc.sh/d' /etc/crontab && echo '/3 * * * root /etc/cron.hourly/gcc.sh' >> /etc/crontab 0x698a9:$s4: User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; SV1; TencentTraveler ; .NET CLR 1.1.4322)
5334.1.000000001a887bdc.0000000047f81f2f.r-x.sdmp	JoeSecurity_XorDDoS	Yara detected XorDDoS Bot	Joe Security
5334.1.000000001a887bdc.0000000047f81f2f.r-x.sdmp	MALWARE_Linux_XORDDoS	Detects XORDDoS	ditekSHen	0x84cfb:$s1: for i in `cat /proc/net/dev\|grep :\|awk -F: {'print $1'}`; do ifconfig $i up& done 0x84d4d:$s2: cp /lib/libudev.so /lib/libudev.so.6 0x696f8:$s3: sed -i '/\/etc\/cron.hourly\/gcc.sh/d' /etc/crontab && echo '/3 * * * root /etc/cron.hourly/gcc.sh' >> /etc/crontab 0x698a9:$s4: User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; SV1; TencentTraveler ; .NET CLR 1.1.4322)
5530.1.000000001a887bdc.0000000047f81f2f.r-x.sdmp	JoeSecurity_XorDDoS	Yara detected XorDDoS Bot	Joe Security
5530.1.000000001a887bdc.0000000047f81f2f.r-x.sdmp	MALWARE_Linux_XORDDoS	Detects XORDDoS	ditekSHen	0x84cfb:$s1: for i in `cat /proc/net/dev\|grep :\|awk -F: {'print $1'}`; do ifconfig $i up& done 0x84d4d:$s2: cp /lib/libudev.so /lib/libudev.so.6 0x696f8:$s3: sed -i '/\/etc\/cron.hourly\/gcc.sh/d' /etc/crontab && echo '/3 * * * root /etc/cron.hourly/gcc.sh' >> /etc/crontab 0x698a9:$s4: User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; SV1; TencentTraveler ; .NET CLR 1.1.4322)
5449.1.000000001a887bdc.0000000047f81f2f.r-x.sdmp	JoeSecurity_XorDDoS	Yara detected XorDDoS Bot	Joe Security
5449.1.000000001a887bdc.0000000047f81f2f.r-x.sdmp	MALWARE_Linux_XORDDoS	Detects XORDDoS	ditekSHen	0x84cfb:$s1: for i in `cat /proc/net/dev\|grep :\|awk -F: {'print $1'}`; do ifconfig $i up& done 0x84d4d:$s2: cp /lib/libudev.so /lib/libudev.so.6 0x696f8:$s3: sed -i '/\/etc\/cron.hourly\/gcc.sh/d' /etc/crontab && echo '/3 * * * root /etc/cron.hourly/gcc.sh' >> /etc/crontab 0x698a9:$s4: User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; SV1; TencentTraveler ; .NET CLR 1.1.4322)
5291.1.000000001a887bdc.0000000047f81f2f.r-x.sdmp	JoeSecurity_XorDDoS	Yara detected XorDDoS Bot	Joe Security
5291.1.000000001a887bdc.0000000047f81f2f.r-x.sdmp	MALWARE_Linux_XORDDoS	Detects XORDDoS	ditekSHen	0x84cfb:$s1: for i in `cat /proc/net/dev\|grep :\|awk -F: {'print $1'}`; do ifconfig $i up& done 0x84d4d:$s2: cp /lib/libudev.so /lib/libudev.so.6 0x696f8:$s3: sed -i '/\/etc\/cron.hourly\/gcc.sh/d' /etc/crontab && echo '/3 * * * root /etc/cron.hourly/gcc.sh' >> /etc/crontab 0x698a9:$s4: User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; SV1; TencentTraveler ; .NET CLR 1.1.4322)
5486.1.000000001a887bdc.0000000047f81f2f.r-x.sdmp	JoeSecurity_XorDDoS	Yara detected XorDDoS Bot	Joe Security
5486.1.000000001a887bdc.0000000047f81f2f.r-x.sdmp	MALWARE_Linux_XORDDoS	Detects XORDDoS	ditekSHen	0x84cfb:$s1: for i in `cat /proc/net/dev\|grep :\|awk -F: {'print $1'}`; do ifconfig $i up& done 0x84d4d:$s2: cp /lib/libudev.so /lib/libudev.so.6 0x696f8:$s3: sed -i '/\/etc\/cron.hourly\/gcc.sh/d' /etc/crontab && echo '/3 * * * root /etc/cron.hourly/gcc.sh' >> /etc/crontab 0x698a9:$s4: User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; SV1; TencentTraveler ; .NET CLR 1.1.4322)
5372.1.000000001a887bdc.0000000047f81f2f.r-x.sdmp	JoeSecurity_XorDDoS	Yara detected XorDDoS Bot	Joe Security
5372.1.000000001a887bdc.0000000047f81f2f.r-x.sdmp	MALWARE_Linux_XORDDoS	Detects XORDDoS	ditekSHen	0x84cfb:$s1: for i in `cat /proc/net/dev\|grep :\|awk -F: {'print $1'}`; do ifconfig $i up& done 0x84d4d:$s2: cp /lib/libudev.so /lib/libudev.so.6 0x696f8:$s3: sed -i '/\/etc\/cron.hourly\/gcc.sh/d' /etc/crontab && echo '/3 * * * root /etc/cron.hourly/gcc.sh' >> /etc/crontab 0x698a9:$s4: User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; SV1; TencentTraveler ; .NET CLR 1.1.4322)
5407.1.000000001a887bdc.0000000047f81f2f.r-x.sdmp	JoeSecurity_XorDDoS	Yara detected XorDDoS Bot	Joe Security
5407.1.000000001a887bdc.0000000047f81f2f.r-x.sdmp	MALWARE_Linux_XORDDoS	Detects XORDDoS	ditekSHen	0x84cfb:$s1: for i in `cat /proc/net/dev\|grep :\|awk -F: {'print $1'}`; do ifconfig $i up& done 0x84d4d:$s2: cp /lib/libudev.so /lib/libudev.so.6 0x696f8:$s3: sed -i '/\/etc\/cron.hourly\/gcc.sh/d' /etc/crontab && echo '/3 * * * root /etc/cron.hourly/gcc.sh' >> /etc/crontab 0x698a9:$s4: User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; SV1; TencentTraveler ; .NET CLR 1.1.4322)
5554.1.000000001a887bdc.0000000047f81f2f.r-x.sdmp	JoeSecurity_XorDDoS	Yara detected XorDDoS Bot	Joe Security
5554.1.000000001a887bdc.0000000047f81f2f.r-x.sdmp	MALWARE_Linux_XORDDoS	Detects XORDDoS	ditekSHen	0x84cfb:$s1: for i in `cat /proc/net/dev\|grep :\|awk -F: {'print $1'}`; do ifconfig $i up& done 0x84d4d:$s2: cp /lib/libudev.so /lib/libudev.so.6 0x696f8:$s3: sed -i '/\/etc\/cron.hourly\/gcc.sh/d' /etc/crontab && echo '/3 * * * root /etc/cron.hourly/gcc.sh' >> /etc/crontab 0x698a9:$s4: User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; SV1; TencentTraveler ; .NET CLR 1.1.4322)
5224.1.000000001a887bdc.0000000047f81f2f.r-x.sdmp	JoeSecurity_XorDDoS	Yara detected XorDDoS Bot	Joe Security
5224.1.000000001a887bdc.0000000047f81f2f.r-x.sdmp	MALWARE_Linux_XORDDoS	Detects XORDDoS	ditekSHen	0x84cfb:$s1: for i in `cat /proc/net/dev\|grep :\|awk -F: {'print $1'}`; do ifconfig $i up& done 0x84d4d:$s2: cp /lib/libudev.so /lib/libudev.so.6 0x696f8:$s3: sed -i '/\/etc\/cron.hourly\/gcc.sh/d' /etc/crontab && echo '/3 * * * root /etc/cron.hourly/gcc.sh' >> /etc/crontab 0x698a9:$s4: User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; SV1; TencentTraveler ; .NET CLR 1.1.4322)
5538.1.000000001a887bdc.0000000047f81f2f.r-x.sdmp	JoeSecurity_XorDDoS	Yara detected XorDDoS Bot	Joe Security
5538.1.000000001a887bdc.0000000047f81f2f.r-x.sdmp	MALWARE_Linux_XORDDoS	Detects XORDDoS	ditekSHen	0x84cfb:$s1: for i in `cat /proc/net/dev\|grep :\|awk -F: {'print $1'}`; do ifconfig $i up& done 0x84d4d:$s2: cp /lib/libudev.so /lib/libudev.so.6 0x696f8:$s3: sed -i '/\/etc\/cron.hourly\/gcc.sh/d' /etc/crontab && echo '/3 * * * root /etc/cron.hourly/gcc.sh' >> /etc/crontab 0x698a9:$s4: User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; SV1; TencentTraveler ; .NET CLR 1.1.4322)
5410.1.000000001a887bdc.0000000047f81f2f.r-x.sdmp	JoeSecurity_XorDDoS	Yara detected XorDDoS Bot	Joe Security
5410.1.000000001a887bdc.0000000047f81f2f.r-x.sdmp	MALWARE_Linux_XORDDoS	Detects XORDDoS	ditekSHen	0x84cfb:$s1: for i in `cat /proc/net/dev\|grep :\|awk -F: {'print $1'}`; do ifconfig $i up& done 0x84d4d:$s2: cp /lib/libudev.so /lib/libudev.so.6 0x696f8:$s3: sed -i '/\/etc\/cron.hourly\/gcc.sh/d' /etc/crontab && echo '/3 * * * root /etc/cron.hourly/gcc.sh' >> /etc/crontab 0x698a9:$s4: User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; SV1; TencentTraveler ; .NET CLR 1.1.4322)
5489.1.000000001a887bdc.0000000047f81f2f.r-x.sdmp	JoeSecurity_XorDDoS	Yara detected XorDDoS Bot	Joe Security
5489.1.000000001a887bdc.0000000047f81f2f.r-x.sdmp	MALWARE_Linux_XORDDoS	Detects XORDDoS	ditekSHen	0x84cfb:$s1: for i in `cat /proc/net/dev\|grep :\|awk -F: {'print $1'}`; do ifconfig $i up& done 0x84d4d:$s2: cp /lib/libudev.so /lib/libudev.so.6 0x696f8:$s3: sed -i '/\/etc\/cron.hourly\/gcc.sh/d' /etc/crontab && echo '/3 * * * root /etc/cron.hourly/gcc.sh' >> /etc/crontab 0x698a9:$s4: User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; SV1; TencentTraveler ; .NET CLR 1.1.4322)
5320.1.000000001a887bdc.0000000047f81f2f.r-x.sdmp	JoeSecurity_XorDDoS	Yara detected XorDDoS Bot	Joe Security
5320.1.000000001a887bdc.0000000047f81f2f.r-x.sdmp	MALWARE_Linux_XORDDoS	Detects XORDDoS	ditekSHen	0x84cfb:$s1: for i in `cat /proc/net/dev\|grep :\|awk -F: {'print $1'}`; do ifconfig $i up& done 0x84d4d:$s2: cp /lib/libudev.so /lib/libudev.so.6 0x696f8:$s3: sed -i '/\/etc\/cron.hourly\/gcc.sh/d' /etc/crontab && echo '/3 * * * root /etc/cron.hourly/gcc.sh' >> /etc/crontab 0x698a9:$s4: User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; SV1; TencentTraveler ; .NET CLR 1.1.4322)
5360.1.000000001a887bdc.0000000047f81f2f.r-x.sdmp	JoeSecurity_XorDDoS	Yara detected XorDDoS Bot	Joe Security
5360.1.000000001a887bdc.0000000047f81f2f.r-x.sdmp	MALWARE_Linux_XORDDoS	Detects XORDDoS	ditekSHen	0x84cfb:$s1: for i in `cat /proc/net/dev\|grep :\|awk -F: {'print $1'}`; do ifconfig $i up& done 0x84d4d:$s2: cp /lib/libudev.so /lib/libudev.so.6 0x696f8:$s3: sed -i '/\/etc\/cron.hourly\/gcc.sh/d' /etc/crontab && echo '/3 * * * root /etc/cron.hourly/gcc.sh' >> /etc/crontab 0x698a9:$s4: User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; SV1; TencentTraveler ; .NET CLR 1.1.4322)
5398.1.000000001a887bdc.0000000047f81f2f.r-x.sdmp	JoeSecurity_XorDDoS	Yara detected XorDDoS Bot	Joe Security
5398.1.000000001a887bdc.0000000047f81f2f.r-x.sdmp	MALWARE_Linux_XORDDoS	Detects XORDDoS	ditekSHen	0x84cfb:$s1: for i in `cat /proc/net/dev\|grep :\|awk -F: {'print $1'}`; do ifconfig $i up& done 0x84d4d:$s2: cp /lib/libudev.so /lib/libudev.so.6 0x696f8:$s3: sed -i '/\/etc\/cron.hourly\/gcc.sh/d' /etc/crontab && echo '/3 * * * root /etc/cron.hourly/gcc.sh' >> /etc/crontab 0x698a9:$s4: User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; SV1; TencentTraveler ; .NET CLR 1.1.4322)
5516.1.000000001a887bdc.0000000047f81f2f.r-x.sdmp	JoeSecurity_XorDDoS	Yara detected XorDDoS Bot	Joe Security
5516.1.000000001a887bdc.0000000047f81f2f.r-x.sdmp	MALWARE_Linux_XORDDoS	Detects XORDDoS	ditekSHen	0x84cfb:$s1: for i in `cat /proc/net/dev\|grep :\|awk -F: {'print $1'}`; do ifconfig $i up& done 0x84d4d:$s2: cp /lib/libudev.so /lib/libudev.so.6 0x696f8:$s3: sed -i '/\/etc\/cron.hourly\/gcc.sh/d' /etc/crontab && echo '/3 * * * root /etc/cron.hourly/gcc.sh' >> /etc/crontab 0x698a9:$s4: User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; SV1; TencentTraveler ; .NET CLR 1.1.4322)
5380.1.000000001a887bdc.0000000047f81f2f.r-x.sdmp	JoeSecurity_XorDDoS	Yara detected XorDDoS Bot	Joe Security
5380.1.000000001a887bdc.0000000047f81f2f.r-x.sdmp	MALWARE_Linux_XORDDoS	Detects XORDDoS	ditekSHen	0x84cfb:$s1: for i in `cat /proc/net/dev\|grep :\|awk -F: {'print $1'}`; do ifconfig $i up& done 0x84d4d:$s2: cp /lib/libudev.so /lib/libudev.so.6 0x696f8:$s3: sed -i '/\/etc\/cron.hourly\/gcc.sh/d' /etc/crontab && echo '/3 * * * root /etc/cron.hourly/gcc.sh' >> /etc/crontab 0x698a9:$s4: User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; SV1; TencentTraveler ; .NET CLR 1.1.4322)
5513.1.000000001a887bdc.0000000047f81f2f.r-x.sdmp	JoeSecurity_XorDDoS	Yara detected XorDDoS Bot	Joe Security
5513.1.000000001a887bdc.0000000047f81f2f.r-x.sdmp	MALWARE_Linux_XORDDoS	Detects XORDDoS	ditekSHen	0x84cfb:$s1: for i in `cat /proc/net/dev\|grep :\|awk -F: {'print $1'}`; do ifconfig $i up& done 0x84d4d:$s2: cp /lib/libudev.so /lib/libudev.so.6 0x696f8:$s3: sed -i '/\/etc\/cron.hourly\/gcc.sh/d' /etc/crontab && echo '/3 * * * root /etc/cron.hourly/gcc.sh' >> /etc/crontab 0x698a9:$s4: User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; SV1; TencentTraveler ; .NET CLR 1.1.4322)
5481.1.000000001a887bdc.0000000047f81f2f.r-x.sdmp	JoeSecurity_XorDDoS	Yara detected XorDDoS Bot	Joe Security
5481.1.000000001a887bdc.0000000047f81f2f.r-x.sdmp	MALWARE_Linux_XORDDoS	Detects XORDDoS	ditekSHen	0x84cfb:$s1: for i in `cat /proc/net/dev\|grep :\|awk -F: {'print $1'}`; do ifconfig $i up& done 0x84d4d:$s2: cp /lib/libudev.so /lib/libudev.so.6 0x696f8:$s3: sed -i '/\/etc\/cron.hourly\/gcc.sh/d' /etc/crontab && echo '/3 * * * root /etc/cron.hourly/gcc.sh' >> /etc/crontab 0x698a9:$s4: User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; SV1; TencentTraveler ; .NET CLR 1.1.4322)
5451.1.000000001a887bdc.0000000047f81f2f.r-x.sdmp	JoeSecurity_XorDDoS	Yara detected XorDDoS Bot	Joe Security
5451.1.000000001a887bdc.0000000047f81f2f.r-x.sdmp	MALWARE_Linux_XORDDoS	Detects XORDDoS	ditekSHen	0x84cfb:$s1: for i in `cat /proc/net/dev\|grep :\|awk -F: {'print $1'}`; do ifconfig $i up& done 0x84d4d:$s2: cp /lib/libudev.so /lib/libudev.so.6 0x696f8:$s3: sed -i '/\/etc\/cron.hourly\/gcc.sh/d' /etc/crontab && echo '/3 * * * root /etc/cron.hourly/gcc.sh' >> /etc/crontab 0x698a9:$s4: User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; SV1; TencentTraveler ; .NET CLR 1.1.4322)
5471.1.000000001a887bdc.0000000047f81f2f.r-x.sdmp	JoeSecurity_XorDDoS	Yara detected XorDDoS Bot	Joe Security
5471.1.000000001a887bdc.0000000047f81f2f.r-x.sdmp	MALWARE_Linux_XORDDoS	Detects XORDDoS	ditekSHen	0x84cfb:$s1: for i in `cat /proc/net/dev\|grep :\|awk -F: {'print $1'}`; do ifconfig $i up& done 0x84d4d:$s2: cp /lib/libudev.so /lib/libudev.so.6 0x696f8:$s3: sed -i '/\/etc\/cron.hourly\/gcc.sh/d' /etc/crontab && echo '/3 * * * root /etc/cron.hourly/gcc.sh' >> /etc/crontab 0x698a9:$s4: User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; SV1; TencentTraveler ; .NET CLR 1.1.4322)
5478.1.000000001a887bdc.0000000047f81f2f.r-x.sdmp	JoeSecurity_XorDDoS	Yara detected XorDDoS Bot	Joe Security
5478.1.000000001a887bdc.0000000047f81f2f.r-x.sdmp	MALWARE_Linux_XORDDoS	Detects XORDDoS	ditekSHen	0x84cfb:$s1: for i in `cat /proc/net/dev\|grep :\|awk -F: {'print $1'}`; do ifconfig $i up& done 0x84d4d:$s2: cp /lib/libudev.so /lib/libudev.so.6 0x696f8:$s3: sed -i '/\/etc\/cron.hourly\/gcc.sh/d' /etc/crontab && echo '/3 * * * root /etc/cron.hourly/gcc.sh' >> /etc/crontab 0x698a9:$s4: User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; SV1; TencentTraveler ; .NET CLR 1.1.4322)
5541.1.000000001a887bdc.0000000047f81f2f.r-x.sdmp	JoeSecurity_XorDDoS	Yara detected XorDDoS Bot	Joe Security
5541.1.000000001a887bdc.0000000047f81f2f.r-x.sdmp	MALWARE_Linux_XORDDoS	Detects XORDDoS	ditekSHen	0x84cfb:$s1: for i in `cat /proc/net/dev\|grep :\|awk -F: {'print $1'}`; do ifconfig $i up& done 0x84d4d:$s2: cp /lib/libudev.so /lib/libudev.so.6 0x696f8:$s3: sed -i '/\/etc\/cron.hourly\/gcc.sh/d' /etc/crontab && echo '/3 * * * root /etc/cron.hourly/gcc.sh' >> /etc/crontab 0x698a9:$s4: User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; SV1; TencentTraveler ; .NET CLR 1.1.4322)
5468.1.000000001a887bdc.0000000047f81f2f.r-x.sdmp	JoeSecurity_XorDDoS	Yara detected XorDDoS Bot	Joe Security
5468.1.000000001a887bdc.0000000047f81f2f.r-x.sdmp	MALWARE_Linux_XORDDoS	Detects XORDDoS	ditekSHen	0x84cfb:$s1: for i in `cat /proc/net/dev\|grep :\|awk -F: {'print $1'}`; do ifconfig $i up& done 0x84d4d:$s2: cp /lib/libudev.so /lib/libudev.so.6 0x696f8:$s3: sed -i '/\/etc\/cron.hourly\/gcc.sh/d' /etc/crontab && echo '/3 * * * root /etc/cron.hourly/gcc.sh' >> /etc/crontab 0x698a9:$s4: User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; SV1; TencentTraveler ; .NET CLR 1.1.4322)
5284.1.000000001a887bdc.0000000047f81f2f.r-x.sdmp	JoeSecurity_XorDDoS	Yara detected XorDDoS Bot	Joe Security
5284.1.000000001a887bdc.0000000047f81f2f.r-x.sdmp	MALWARE_Linux_XORDDoS	Detects XORDDoS	ditekSHen	0x84cfb:$s1: for i in `cat /proc/net/dev\|grep :\|awk -F: {'print $1'}`; do ifconfig $i up& done 0x84d4d:$s2: cp /lib/libudev.so /lib/libudev.so.6 0x696f8:$s3: sed -i '/\/etc\/cron.hourly\/gcc.sh/d' /etc/crontab && echo '/3 * * * root /etc/cron.hourly/gcc.sh' >> /etc/crontab 0x698a9:$s4: User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; SV1; TencentTraveler ; .NET CLR 1.1.4322)
5535.1.000000001a887bdc.0000000047f81f2f.r-x.sdmp	JoeSecurity_XorDDoS	Yara detected XorDDoS Bot	Joe Security
5535.1.000000001a887bdc.0000000047f81f2f.r-x.sdmp	MALWARE_Linux_XORDDoS	Detects XORDDoS	ditekSHen	0x84cfb:$s1: for i in `cat /proc/net/dev\|grep :\|awk -F: {'print $1'}`; do ifconfig $i up& done 0x84d4d:$s2: cp /lib/libudev.so /lib/libudev.so.6 0x696f8:$s3: sed -i '/\/etc\/cron.hourly\/gcc.sh/d' /etc/crontab && echo '/3 * * * root /etc/cron.hourly/gcc.sh' >> /etc/crontab 0x698a9:$s4: User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; SV1; TencentTraveler ; .NET CLR 1.1.4322)
5401.1.000000001a887bdc.0000000047f81f2f.r-x.sdmp	JoeSecurity_XorDDoS	Yara detected XorDDoS Bot	Joe Security
5401.1.000000001a887bdc.0000000047f81f2f.r-x.sdmp	MALWARE_Linux_XORDDoS	Detects XORDDoS	ditekSHen	0x84cfb:$s1: for i in `cat /proc/net/dev\|grep :\|awk -F: {'print $1'}`; do ifconfig $i up& done 0x84d4d:$s2: cp /lib/libudev.so /lib/libudev.so.6 0x696f8:$s3: sed -i '/\/etc\/cron.hourly\/gcc.sh/d' /etc/crontab && echo '/3 * * * root /etc/cron.hourly/gcc.sh' >> /etc/crontab 0x698a9:$s4: User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; SV1; TencentTraveler ; .NET CLR 1.1.4322)
5311.1.000000001a887bdc.0000000047f81f2f.r-x.sdmp	JoeSecurity_XorDDoS	Yara detected XorDDoS Bot	Joe Security
5311.1.000000001a887bdc.0000000047f81f2f.r-x.sdmp	MALWARE_Linux_XORDDoS	Detects XORDDoS	ditekSHen	0x84cfb:$s1: for i in `cat /proc/net/dev\|grep :\|awk -F: {'print $1'}`; do ifconfig $i up& done 0x84d4d:$s2: cp /lib/libudev.so /lib/libudev.so.6 0x696f8:$s3: sed -i '/\/etc\/cron.hourly\/gcc.sh/d' /etc/crontab && echo '/3 * * * root /etc/cron.hourly/gcc.sh' >> /etc/crontab 0x698a9:$s4: User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; SV1; TencentTraveler ; .NET CLR 1.1.4322)
5270.1.000000001a887bdc.0000000047f81f2f.r-x.sdmp	JoeSecurity_XorDDoS	Yara detected XorDDoS Bot	Joe Security
5270.1.000000001a887bdc.0000000047f81f2f.r-x.sdmp	MALWARE_Linux_XORDDoS	Detects XORDDoS	ditekSHen	0x84cfb:$s1: for i in `cat /proc/net/dev\|grep :\|awk -F: {'print $1'}`; do ifconfig $i up& done 0x84d4d:$s2: cp /lib/libudev.so /lib/libudev.so.6 0x696f8:$s3: sed -i '/\/etc\/cron.hourly\/gcc.sh/d' /etc/crontab && echo '/3 * * * root /etc/cron.hourly/gcc.sh' >> /etc/crontab 0x698a9:$s4: User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; SV1; TencentTraveler ; .NET CLR 1.1.4322)
5351.1.000000001a887bdc.0000000047f81f2f.r-x.sdmp	JoeSecurity_XorDDoS	Yara detected XorDDoS Bot	Joe Security
5351.1.000000001a887bdc.0000000047f81f2f.r-x.sdmp	MALWARE_Linux_XORDDoS	Detects XORDDoS	ditekSHen	0x84cfb:$s1: for i in `cat /proc/net/dev\|grep :\|awk -F: {'print $1'}`; do ifconfig $i up& done 0x84d4d:$s2: cp /lib/libudev.so /lib/libudev.so.6 0x696f8:$s3: sed -i '/\/etc\/cron.hourly\/gcc.sh/d' /etc/crontab && echo '/3 * * * root /etc/cron.hourly/gcc.sh' >> /etc/crontab 0x698a9:$s4: User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; SV1; TencentTraveler ; .NET CLR 1.1.4322)
5495.1.000000001a887bdc.0000000047f81f2f.r-x.sdmp	JoeSecurity_XorDDoS	Yara detected XorDDoS Bot	Joe Security
5495.1.000000001a887bdc.0000000047f81f2f.r-x.sdmp	MALWARE_Linux_XORDDoS	Detects XORDDoS	ditekSHen	0x84cfb:$s1: for i in `cat /proc/net/dev\|grep :\|awk -F: {'print $1'}`; do ifconfig $i up& done 0x84d4d:$s2: cp /lib/libudev.so /lib/libudev.so.6 0x696f8:$s3: sed -i '/\/etc\/cron.hourly\/gcc.sh/d' /etc/crontab && echo '/3 * * * root /etc/cron.hourly/gcc.sh' >> /etc/crontab 0x698a9:$s4: User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; SV1; TencentTraveler ; .NET CLR 1.1.4322)
5447.1.000000001a887bdc.0000000047f81f2f.r-x.sdmp	JoeSecurity_XorDDoS	Yara detected XorDDoS Bot	Joe Security
5447.1.000000001a887bdc.0000000047f81f2f.r-x.sdmp	MALWARE_Linux_XORDDoS	Detects XORDDoS	ditekSHen	0x84cfb:$s1: for i in `cat /proc/net/dev\|grep :\|awk -F: {'print $1'}`; do ifconfig $i up& done 0x84d4d:$s2: cp /lib/libudev.so /lib/libudev.so.6 0x696f8:$s3: sed -i '/\/etc\/cron.hourly\/gcc.sh/d' /etc/crontab && echo '/3 * * * root /etc/cron.hourly/gcc.sh' >> /etc/crontab 0x698a9:$s4: User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; SV1; TencentTraveler ; .NET CLR 1.1.4322)
5266.1.000000001a887bdc.0000000047f81f2f.r-x.sdmp	JoeSecurity_XorDDoS	Yara detected XorDDoS Bot	Joe Security
5266.1.000000001a887bdc.0000000047f81f2f.r-x.sdmp	MALWARE_Linux_XORDDoS	Detects XORDDoS	ditekSHen	0x84cfb:$s1: for i in `cat /proc/net/dev\|grep :\|awk -F: {'print $1'}`; do ifconfig $i up& done 0x84d4d:$s2: cp /lib/libudev.so /lib/libudev.so.6 0x696f8:$s3: sed -i '/\/etc\/cron.hourly\/gcc.sh/d' /etc/crontab && echo '/3 * * * root /etc/cron.hourly/gcc.sh' >> /etc/crontab 0x698a9:$s4: User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; SV1; TencentTraveler ; .NET CLR 1.1.4322)
5393.1.000000001a887bdc.0000000047f81f2f.r-x.sdmp	JoeSecurity_XorDDoS	Yara detected XorDDoS Bot	Joe Security
5393.1.000000001a887bdc.0000000047f81f2f.r-x.sdmp	MALWARE_Linux_XORDDoS	Detects XORDDoS	ditekSHen	0x84cfb:$s1: for i in `cat /proc/net/dev\|grep :\|awk -F: {'print $1'}`; do ifconfig $i up& done 0x84d4d:$s2: cp /lib/libudev.so /lib/libudev.so.6 0x696f8:$s3: sed -i '/\/etc\/cron.hourly\/gcc.sh/d' /etc/crontab && echo '/3 * * * root /etc/cron.hourly/gcc.sh' >> /etc/crontab 0x698a9:$s4: User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; SV1; TencentTraveler ; .NET CLR 1.1.4322)
5503.1.000000001a887bdc.0000000047f81f2f.r-x.sdmp	JoeSecurity_XorDDoS	Yara detected XorDDoS Bot	Joe Security
5503.1.000000001a887bdc.0000000047f81f2f.r-x.sdmp	MALWARE_Linux_XORDDoS	Detects XORDDoS	ditekSHen	0x84cfb:$s1: for i in `cat /proc/net/dev\|grep :\|awk -F: {'print $1'}`; do ifconfig $i up& done 0x84d4d:$s2: cp /lib/libudev.so /lib/libudev.so.6 0x696f8:$s3: sed -i '/\/etc\/cron.hourly\/gcc.sh/d' /etc/crontab && echo '/3 * * * root /etc/cron.hourly/gcc.sh' >> /etc/crontab 0x698a9:$s4: User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; SV1; TencentTraveler ; .NET CLR 1.1.4322)
5461.1.000000001a887bdc.0000000047f81f2f.r-x.sdmp	JoeSecurity_XorDDoS	Yara detected XorDDoS Bot	Joe Security
5461.1.000000001a887bdc.0000000047f81f2f.r-x.sdmp	MALWARE_Linux_XORDDoS	Detects XORDDoS	ditekSHen	0x84cfb:$s1: for i in `cat /proc/net/dev\|grep :\|awk -F: {'print $1'}`; do ifconfig $i up& done 0x84d4d:$s2: cp /lib/libudev.so /lib/libudev.so.6 0x696f8:$s3: sed -i '/\/etc\/cron.hourly\/gcc.sh/d' /etc/crontab && echo '/3 * * * root /etc/cron.hourly/gcc.sh' >> /etc/crontab 0x698a9:$s4: User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; SV1; TencentTraveler ; .NET CLR 1.1.4322)
5281.1.000000001a887bdc.0000000047f81f2f.r-x.sdmp	JoeSecurity_XorDDoS	Yara detected XorDDoS Bot	Joe Security
5281.1.000000001a887bdc.0000000047f81f2f.r-x.sdmp	MALWARE_Linux_XORDDoS	Detects XORDDoS	ditekSHen	0x84cfb:$s1: for i in `cat /proc/net/dev\|grep :\|awk -F: {'print $1'}`; do ifconfig $i up& done 0x84d4d:$s2: cp /lib/libudev.so /lib/libudev.so.6 0x696f8:$s3: sed -i '/\/etc\/cron.hourly\/gcc.sh/d' /etc/crontab && echo '/3 * * * root /etc/cron.hourly/gcc.sh' >> /etc/crontab 0x698a9:$s4: User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; SV1; TencentTraveler ; .NET CLR 1.1.4322)
5328.1.000000001a887bdc.0000000047f81f2f.r-x.sdmp	JoeSecurity_XorDDoS	Yara detected XorDDoS Bot	Joe Security
5328.1.000000001a887bdc.0000000047f81f2f.r-x.sdmp	MALWARE_Linux_XORDDoS	Detects XORDDoS	ditekSHen	0x84cfb:$s1: for i in `cat /proc/net/dev\|grep :\|awk -F: {'print $1'}`; do ifconfig $i up& done 0x84d4d:$s2: cp /lib/libudev.so /lib/libudev.so.6 0x696f8:$s3: sed -i '/\/etc\/cron.hourly\/gcc.sh/d' /etc/crontab && echo '/3 * * * root /etc/cron.hourly/gcc.sh' >> /etc/crontab 0x698a9:$s4: User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; SV1; TencentTraveler ; .NET CLR 1.1.4322)
5268.1.000000001a887bdc.0000000047f81f2f.r-x.sdmp	JoeSecurity_XorDDoS	Yara detected XorDDoS Bot	Joe Security
5268.1.000000001a887bdc.0000000047f81f2f.r-x.sdmp	MALWARE_Linux_XORDDoS	Detects XORDDoS	ditekSHen	0x84cfb:$s1: for i in `cat /proc/net/dev\|grep :\|awk -F: {'print $1'}`; do ifconfig $i up& done 0x84d4d:$s2: cp /lib/libudev.so /lib/libudev.so.6 0x696f8:$s3: sed -i '/\/etc\/cron.hourly\/gcc.sh/d' /etc/crontab && echo '/3 * * * root /etc/cron.hourly/gcc.sh' >> /etc/crontab 0x698a9:$s4: User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; SV1; TencentTraveler ; .NET CLR 1.1.4322)
5525.1.000000001a887bdc.0000000047f81f2f.r-x.sdmp	JoeSecurity_XorDDoS	Yara detected XorDDoS Bot	Joe Security
5525.1.000000001a887bdc.0000000047f81f2f.r-x.sdmp	MALWARE_Linux_XORDDoS	Detects XORDDoS	ditekSHen	0x84cfb:$s1: for i in `cat /proc/net/dev\|grep :\|awk -F: {'print $1'}`; do ifconfig $i up& done 0x84d4d:$s2: cp /lib/libudev.so /lib/libudev.so.6 0x696f8:$s3: sed -i '/\/etc\/cron.hourly\/gcc.sh/d' /etc/crontab && echo '/3 * * * root /etc/cron.hourly/gcc.sh' >> /etc/crontab 0x698a9:$s4: User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; SV1; TencentTraveler ; .NET CLR 1.1.4322)
5339.1.000000001a887bdc.0000000047f81f2f.r-x.sdmp	JoeSecurity_XorDDoS	Yara detected XorDDoS Bot	Joe Security
5339.1.000000001a887bdc.0000000047f81f2f.r-x.sdmp	MALWARE_Linux_XORDDoS	Detects XORDDoS	ditekSHen	0x84cfb:$s1: for i in `cat /proc/net/dev\|grep :\|awk -F: {'print $1'}`; do ifconfig $i up& done 0x84d4d:$s2: cp /lib/libudev.so /lib/libudev.so.6 0x696f8:$s3: sed -i '/\/etc\/cron.hourly\/gcc.sh/d' /etc/crontab && echo '/3 * * * root /etc/cron.hourly/gcc.sh' >> /etc/crontab 0x698a9:$s4: User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; SV1; TencentTraveler ; .NET CLR 1.1.4322)
5500.1.000000001a887bdc.0000000047f81f2f.r-x.sdmp	JoeSecurity_XorDDoS	Yara detected XorDDoS Bot	Joe Security
5500.1.000000001a887bdc.0000000047f81f2f.r-x.sdmp	MALWARE_Linux_XORDDoS	Detects XORDDoS	ditekSHen	0x84cfb:$s1: for i in `cat /proc/net/dev\|grep :\|awk -F: {'print $1'}`; do ifconfig $i up& done 0x84d4d:$s2: cp /lib/libudev.so /lib/libudev.so.6 0x696f8:$s3: sed -i '/\/etc\/cron.hourly\/gcc.sh/d' /etc/crontab && echo '/3 * * * root /etc/cron.hourly/gcc.sh' >> /etc/crontab 0x698a9:$s4: User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; SV1; TencentTraveler ; .NET CLR 1.1.4322)
5337.1.000000001a887bdc.0000000047f81f2f.r-x.sdmp	JoeSecurity_XorDDoS	Yara detected XorDDoS Bot	Joe Security
5337.1.000000001a887bdc.0000000047f81f2f.r-x.sdmp	MALWARE_Linux_XORDDoS	Detects XORDDoS	ditekSHen	0x84cfb:$s1: for i in `cat /proc/net/dev\|grep :\|awk -F: {'print $1'}`; do ifconfig $i up& done 0x84d4d:$s2: cp /lib/libudev.so /lib/libudev.so.6 0x696f8:$s3: sed -i '/\/etc\/cron.hourly\/gcc.sh/d' /etc/crontab && echo '/3 * * * root /etc/cron.hourly/gcc.sh' >> /etc/crontab 0x698a9:$s4: User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; SV1; TencentTraveler ; .NET CLR 1.1.4322)
5424.1.000000001a887bdc.0000000047f81f2f.r-x.sdmp	JoeSecurity_XorDDoS	Yara detected XorDDoS Bot	Joe Security
5424.1.000000001a887bdc.0000000047f81f2f.r-x.sdmp	MALWARE_Linux_XORDDoS	Detects XORDDoS	ditekSHen	0x84cfb:$s1: for i in `cat /proc/net/dev\|grep :\|awk -F: {'print $1'}`; do ifconfig $i up& done 0x84d4d:$s2: cp /lib/libudev.so /lib/libudev.so.6 0x696f8:$s3: sed -i '/\/etc\/cron.hourly\/gcc.sh/d' /etc/crontab && echo '/3 * * * root /etc/cron.hourly/gcc.sh' >> /etc/crontab 0x698a9:$s4: User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; SV1; TencentTraveler ; .NET CLR 1.1.4322)
5300.1.000000001a887bdc.0000000047f81f2f.r-x.sdmp	JoeSecurity_XorDDoS	Yara detected XorDDoS Bot	Joe Security
5300.1.000000001a887bdc.0000000047f81f2f.r-x.sdmp	MALWARE_Linux_XORDDoS	Detects XORDDoS	ditekSHen	0x84cfb:$s1: for i in `cat /proc/net/dev\|grep :\|awk -F: {'print $1'}`; do ifconfig $i up& done 0x84d4d:$s2: cp /lib/libudev.so /lib/libudev.so.6 0x696f8:$s3: sed -i '/\/etc\/cron.hourly\/gcc.sh/d' /etc/crontab && echo '/3 * * * root /etc/cron.hourly/gcc.sh' >> /etc/crontab 0x698a9:$s4: User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; SV1; TencentTraveler ; .NET CLR 1.1.4322)
5390.1.000000001a887bdc.0000000047f81f2f.r-x.sdmp	JoeSecurity_XorDDoS	Yara detected XorDDoS Bot	Joe Security
5390.1.000000001a887bdc.0000000047f81f2f.r-x.sdmp	MALWARE_Linux_XORDDoS	Detects XORDDoS	ditekSHen	0x84cfb:$s1: for i in `cat /proc/net/dev\|grep :\|awk -F: {'print $1'}`; do ifconfig $i up& done 0x84d4d:$s2: cp /lib/libudev.so /lib/libudev.so.6 0x696f8:$s3: sed -i '/\/etc\/cron.hourly\/gcc.sh/d' /etc/crontab && echo '/3 * * * root /etc/cron.hourly/gcc.sh' >> /etc/crontab 0x698a9:$s4: User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; SV1; TencentTraveler ; .NET CLR 1.1.4322)
5521.1.000000001a887bdc.0000000047f81f2f.r-x.sdmp	JoeSecurity_XorDDoS	Yara detected XorDDoS Bot	Joe Security
5521.1.000000001a887bdc.0000000047f81f2f.r-x.sdmp	MALWARE_Linux_XORDDoS	Detects XORDDoS	ditekSHen	0x84cfb:$s1: for i in `cat /proc/net/dev\|grep :\|awk -F: {'print $1'}`; do ifconfig $i up& done 0x84d4d:$s2: cp /lib/libudev.so /lib/libudev.so.6 0x696f8:$s3: sed -i '/\/etc\/cron.hourly\/gcc.sh/d' /etc/crontab && echo '/3 * * * root /etc/cron.hourly/gcc.sh' >> /etc/crontab 0x698a9:$s4: User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; SV1; TencentTraveler ; .NET CLR 1.1.4322)
5273.1.000000001a887bdc.0000000047f81f2f.r-x.sdmp	JoeSecurity_XorDDoS	Yara detected XorDDoS Bot	Joe Security
5273.1.000000001a887bdc.0000000047f81f2f.r-x.sdmp	MALWARE_Linux_XORDDoS	Detects XORDDoS	ditekSHen	0x84cfb:$s1: for i in `cat /proc/net/dev\|grep :\|awk -F: {'print $1'}`; do ifconfig $i up& done 0x84d4d:$s2: cp /lib/libudev.so /lib/libudev.so.6 0x696f8:$s3: sed -i '/\/etc\/cron.hourly\/gcc.sh/d' /etc/crontab && echo '/3 * * * root /etc/cron.hourly/gcc.sh' >> /etc/crontab 0x698a9:$s4: User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; SV1; TencentTraveler ; .NET CLR 1.1.4322)
5551.1.000000001a887bdc.0000000047f81f2f.r-x.sdmp	JoeSecurity_XorDDoS	Yara detected XorDDoS Bot	Joe Security
5551.1.000000001a887bdc.0000000047f81f2f.r-x.sdmp	MALWARE_Linux_XORDDoS	Detects XORDDoS	ditekSHen	0x84cfb:$s1: for i in `cat /proc/net/dev\|grep :\|awk -F: {'print $1'}`; do ifconfig $i up& done 0x84d4d:$s2: cp /lib/libudev.so /lib/libudev.so.6 0x696f8:$s3: sed -i '/\/etc\/cron.hourly\/gcc.sh/d' /etc/crontab && echo '/3 * * * root /etc/cron.hourly/gcc.sh' >> /etc/crontab 0x698a9:$s4: User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; SV1; TencentTraveler ; .NET CLR 1.1.4322)
5369.1.000000001a887bdc.0000000047f81f2f.r-x.sdmp	JoeSecurity_XorDDoS	Yara detected XorDDoS Bot	Joe Security
5369.1.000000001a887bdc.0000000047f81f2f.r-x.sdmp	MALWARE_Linux_XORDDoS	Detects XORDDoS	ditekSHen	0x84cfb:$s1: for i in `cat /proc/net/dev\|grep :\|awk -F: {'print $1'}`; do ifconfig $i up& done 0x84d4d:$s2: cp /lib/libudev.so /lib/libudev.so.6 0x696f8:$s3: sed -i '/\/etc\/cron.hourly\/gcc.sh/d' /etc/crontab && echo '/3 * * * root /etc/cron.hourly/gcc.sh' >> /etc/crontab 0x698a9:$s4: User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; SV1; TencentTraveler ; .NET CLR 1.1.4322)
5354.1.000000001a887bdc.0000000047f81f2f.r-x.sdmp	JoeSecurity_XorDDoS	Yara detected XorDDoS Bot	Joe Security
5354.1.000000001a887bdc.0000000047f81f2f.r-x.sdmp	MALWARE_Linux_XORDDoS	Detects XORDDoS	ditekSHen	0x84cfb:$s1: for i in `cat /proc/net/dev\|grep :\|awk -F: {'print $1'}`; do ifconfig $i up& done 0x84d4d:$s2: cp /lib/libudev.so /lib/libudev.so.6 0x696f8:$s3: sed -i '/\/etc\/cron.hourly\/gcc.sh/d' /etc/crontab && echo '/3 * * * root /etc/cron.hourly/gcc.sh' >> /etc/crontab 0x698a9:$s4: User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; SV1; TencentTraveler ; .NET CLR 1.1.4322)
5356.1.000000001a887bdc.0000000047f81f2f.r-x.sdmp	JoeSecurity_XorDDoS	Yara detected XorDDoS Bot	Joe Security
5356.1.000000001a887bdc.0000000047f81f2f.r-x.sdmp	MALWARE_Linux_XORDDoS	Detects XORDDoS	ditekSHen	0x84cfb:$s1: for i in `cat /proc/net/dev\|grep :\|awk -F: {'print $1'}`; do ifconfig $i up& done 0x84d4d:$s2: cp /lib/libudev.so /lib/libudev.so.6 0x696f8:$s3: sed -i '/\/etc\/cron.hourly\/gcc.sh/d' /etc/crontab && echo '/3 * * * root /etc/cron.hourly/gcc.sh' >> /etc/crontab 0x698a9:$s4: User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; SV1; TencentTraveler ; .NET CLR 1.1.4322)
5305.1.000000001a887bdc.0000000047f81f2f.r-x.sdmp	JoeSecurity_XorDDoS	Yara detected XorDDoS Bot	Joe Security
5305.1.000000001a887bdc.0000000047f81f2f.r-x.sdmp	MALWARE_Linux_XORDDoS	Detects XORDDoS	ditekSHen	0x84cfb:$s1: for i in `cat /proc/net/dev\|grep :\|awk -F: {'print $1'}`; do ifconfig $i up& done 0x84d4d:$s2: cp /lib/libudev.so /lib/libudev.so.6 0x696f8:$s3: sed -i '/\/etc\/cron.hourly\/gcc.sh/d' /etc/crontab && echo '/3 * * * root /etc/cron.hourly/gcc.sh' >> /etc/crontab 0x698a9:$s4: User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; SV1; TencentTraveler ; .NET CLR 1.1.4322)
5413.1.000000001a887bdc.0000000047f81f2f.r-x.sdmp	JoeSecurity_XorDDoS	Yara detected XorDDoS Bot	Joe Security
5413.1.000000001a887bdc.0000000047f81f2f.r-x.sdmp	MALWARE_Linux_XORDDoS	Detects XORDDoS	ditekSHen	0x84cfb:$s1: for i in `cat /proc/net/dev\|grep :\|awk -F: {'print $1'}`; do ifconfig $i up& done 0x84d4d:$s2: cp /lib/libudev.so /lib/libudev.so.6 0x696f8:$s3: sed -i '/\/etc\/cron.hourly\/gcc.sh/d' /etc/crontab && echo '/3 * * * root /etc/cron.hourly/gcc.sh' >> /etc/crontab 0x698a9:$s4: User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; SV1; TencentTraveler ; .NET CLR 1.1.4322)
5344.1.000000001a887bdc.0000000047f81f2f.r-x.sdmp	JoeSecurity_XorDDoS	Yara detected XorDDoS Bot	Joe Security
5344.1.000000001a887bdc.0000000047f81f2f.r-x.sdmp	MALWARE_Linux_XORDDoS	Detects XORDDoS	ditekSHen	0x84cfb:$s1: for i in `cat /proc/net/dev\|grep :\|awk -F: {'print $1'}`; do ifconfig $i up& done 0x84d4d:$s2: cp /lib/libudev.so /lib/libudev.so.6 0x696f8:$s3: sed -i '/\/etc\/cron.hourly\/gcc.sh/d' /etc/crontab && echo '/3 * * * root /etc/cron.hourly/gcc.sh' >> /etc/crontab 0x698a9:$s4: User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; SV1; TencentTraveler ; .NET CLR 1.1.4322)
5377.1.000000001a887bdc.0000000047f81f2f.r-x.sdmp	JoeSecurity_XorDDoS	Yara detected XorDDoS Bot	Joe Security
5377.1.000000001a887bdc.0000000047f81f2f.r-x.sdmp	MALWARE_Linux_XORDDoS	Detects XORDDoS	ditekSHen	0x84cfb:$s1: for i in `cat /proc/net/dev\|grep :\|awk -F: {'print $1'}`; do ifconfig $i up& done 0x84d4d:$s2: cp /lib/libudev.so /lib/libudev.so.6 0x696f8:$s3: sed -i '/\/etc\/cron.hourly\/gcc.sh/d' /etc/crontab && echo '/3 * * * root /etc/cron.hourly/gcc.sh' >> /etc/crontab 0x698a9:$s4: User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; SV1; TencentTraveler ; .NET CLR 1.1.4322)
5418.1.000000001a887bdc.0000000047f81f2f.r-x.sdmp	JoeSecurity_XorDDoS	Yara detected XorDDoS Bot	Joe Security
5418.1.000000001a887bdc.0000000047f81f2f.r-x.sdmp	MALWARE_Linux_XORDDoS	Detects XORDDoS	ditekSHen	0x84cfb:$s1: for i in `cat /proc/net/dev\|grep :\|awk -F: {'print $1'}`; do ifconfig $i up& done 0x84d4d:$s2: cp /lib/libudev.so /lib/libudev.so.6 0x696f8:$s3: sed -i '/\/etc\/cron.hourly\/gcc.sh/d' /etc/crontab && echo '/3 * * * root /etc/cron.hourly/gcc.sh' >> /etc/crontab 0x698a9:$s4: User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; SV1; TencentTraveler ; .NET CLR 1.1.4322)
5533.1.000000001a887bdc.0000000047f81f2f.r-x.sdmp	JoeSecurity_XorDDoS	Yara detected XorDDoS Bot	Joe Security
5533.1.000000001a887bdc.0000000047f81f2f.r-x.sdmp	MALWARE_Linux_XORDDoS	Detects XORDDoS	ditekSHen	0x84cfb:$s1: for i in `cat /proc/net/dev\|grep :\|awk -F: {'print $1'}`; do ifconfig $i up& done 0x84d4d:$s2: cp /lib/libudev.so /lib/libudev.so.6 0x696f8:$s3: sed -i '/\/etc\/cron.hourly\/gcc.sh/d' /etc/crontab && echo '/3 * * * root /etc/cron.hourly/gcc.sh' >> /etc/crontab 0x698a9:$s4: User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; SV1; TencentTraveler ; .NET CLR 1.1.4322)
5548.1.000000001a887bdc.0000000047f81f2f.r-x.sdmp	JoeSecurity_XorDDoS	Yara detected XorDDoS Bot	Joe Security
5548.1.000000001a887bdc.0000000047f81f2f.r-x.sdmp	MALWARE_Linux_XORDDoS	Detects XORDDoS	ditekSHen	0x84cfb:$s1: for i in `cat /proc/net/dev\|grep :\|awk -F: {'print $1'}`; do ifconfig $i up& done 0x84d4d:$s2: cp /lib/libudev.so /lib/libudev.so.6 0x696f8:$s3: sed -i '/\/etc\/cron.hourly\/gcc.sh/d' /etc/crontab && echo '/3 * * * root /etc/cron.hourly/gcc.sh' >> /etc/crontab 0x698a9:$s4: User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; SV1; TencentTraveler ; .NET CLR 1.1.4322)
5395.1.000000001a887bdc.0000000047f81f2f.r-x.sdmp	JoeSecurity_XorDDoS	Yara detected XorDDoS Bot	Joe Security
5395.1.000000001a887bdc.0000000047f81f2f.r-x.sdmp	MALWARE_Linux_XORDDoS	Detects XORDDoS	ditekSHen	0x84cfb:$s1: for i in `cat /proc/net/dev\|grep :\|awk -F: {'print $1'}`; do ifconfig $i up& done 0x84d4d:$s2: cp /lib/libudev.so /lib/libudev.so.6 0x696f8:$s3: sed -i '/\/etc\/cron.hourly\/gcc.sh/d' /etc/crontab && echo '/3 * * * root /etc/cron.hourly/gcc.sh' >> /etc/crontab 0x698a9:$s4: User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; SV1; TencentTraveler ; .NET CLR 1.1.4322)
5317.1.000000001a887bdc.0000000047f81f2f.r-x.sdmp	JoeSecurity_XorDDoS	Yara detected XorDDoS Bot	Joe Security
5317.1.000000001a887bdc.0000000047f81f2f.r-x.sdmp	MALWARE_Linux_XORDDoS	Detects XORDDoS	ditekSHen	0x84cfb:$s1: for i in `cat /proc/net/dev\|grep :\|awk -F: {'print $1'}`; do ifconfig $i up& done 0x84d4d:$s2: cp /lib/libudev.so /lib/libudev.so.6 0x696f8:$s3: sed -i '/\/etc\/cron.hourly\/gcc.sh/d' /etc/crontab && echo '/3 * * * root /etc/cron.hourly/gcc.sh' >> /etc/crontab 0x698a9:$s4: User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; SV1; TencentTraveler ; .NET CLR 1.1.4322)
5435.1.000000001a887bdc.0000000047f81f2f.r-x.sdmp	JoeSecurity_XorDDoS	Yara detected XorDDoS Bot	Joe Security
5435.1.000000001a887bdc.0000000047f81f2f.r-x.sdmp	MALWARE_Linux_XORDDoS	Detects XORDDoS	ditekSHen	0x84cfb:$s1: for i in `cat /proc/net/dev\|grep :\|awk -F: {'print $1'}`; do ifconfig $i up& done 0x84d4d:$s2: cp /lib/libudev.so /lib/libudev.so.6 0x696f8:$s3: sed -i '/\/etc\/cron.hourly\/gcc.sh/d' /etc/crontab && echo '/3 * * * root /etc/cron.hourly/gcc.sh' >> /etc/crontab 0x698a9:$s4: User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; SV1; TencentTraveler ; .NET CLR 1.1.4322)
5464.1.000000001a887bdc.0000000047f81f2f.r-x.sdmp	JoeSecurity_XorDDoS	Yara detected XorDDoS Bot	Joe Security
5464.1.000000001a887bdc.0000000047f81f2f.r-x.sdmp	MALWARE_Linux_XORDDoS	Detects XORDDoS	ditekSHen	0x84cfb:$s1: for i in `cat /proc/net/dev\|grep :\|awk -F: {'print $1'}`; do ifconfig $i up& done 0x84d4d:$s2: cp /lib/libudev.so /lib/libudev.so.6 0x696f8:$s3: sed -i '/\/etc\/cron.hourly\/gcc.sh/d' /etc/crontab && echo '/3 * * * root /etc/cron.hourly/gcc.sh' >> /etc/crontab 0x698a9:$s4: User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; SV1; TencentTraveler ; .NET CLR 1.1.4322)
5375.1.000000001a887bdc.0000000047f81f2f.r-x.sdmp	JoeSecurity_XorDDoS	Yara detected XorDDoS Bot	Joe Security
5375.1.000000001a887bdc.0000000047f81f2f.r-x.sdmp	MALWARE_Linux_XORDDoS	Detects XORDDoS	ditekSHen	0x84cfb:$s1: for i in `cat /proc/net/dev\|grep :\|awk -F: {'print $1'}`; do ifconfig $i up& done 0x84d4d:$s2: cp /lib/libudev.so /lib/libudev.so.6 0x696f8:$s3: sed -i '/\/etc\/cron.hourly\/gcc.sh/d' /etc/crontab && echo '/3 * * * root /etc/cron.hourly/gcc.sh' >> /etc/crontab 0x698a9:$s4: User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; SV1; TencentTraveler ; .NET CLR 1.1.4322)
5432.1.000000001a887bdc.0000000047f81f2f.r-x.sdmp	JoeSecurity_XorDDoS	Yara detected XorDDoS Bot	Joe Security
5432.1.000000001a887bdc.0000000047f81f2f.r-x.sdmp	MALWARE_Linux_XORDDoS	Detects XORDDoS	ditekSHen	0x84cfb:$s1: for i in `cat /proc/net/dev\|grep :\|awk -F: {'print $1'}`; do ifconfig $i up& done 0x84d4d:$s2: cp /lib/libudev.so /lib/libudev.so.6 0x696f8:$s3: sed -i '/\/etc\/cron.hourly\/gcc.sh/d' /etc/crontab && echo '/3 * * * root /etc/cron.hourly/gcc.sh' >> /etc/crontab 0x698a9:$s4: User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; SV1; TencentTraveler ; .NET CLR 1.1.4322)
5441.1.000000001a887bdc.0000000047f81f2f.r-x.sdmp	JoeSecurity_XorDDoS	Yara detected XorDDoS Bot	Joe Security
5441.1.000000001a887bdc.0000000047f81f2f.r-x.sdmp	MALWARE_Linux_XORDDoS	Detects XORDDoS	ditekSHen	0x84cfb:$s1: for i in `cat /proc/net/dev\|grep :\|awk -F: {'print $1'}`; do ifconfig $i up& done 0x84d4d:$s2: cp /lib/libudev.so /lib/libudev.so.6 0x696f8:$s3: sed -i '/\/etc\/cron.hourly\/gcc.sh/d' /etc/crontab && echo '/3 * * * root /etc/cron.hourly/gcc.sh' >> /etc/crontab 0x698a9:$s4: User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; SV1; TencentTraveler ; .NET CLR 1.1.4322)
5227.1.000000001a887bdc.0000000047f81f2f.r-x.sdmp	JoeSecurity_XorDDoS	Yara detected XorDDoS Bot	Joe Security
5227.1.000000001a887bdc.0000000047f81f2f.r-x.sdmp	MALWARE_Linux_XORDDoS	Detects XORDDoS	ditekSHen	0x84cfb:$s1: for i in `cat /proc/net/dev\|grep :\|awk -F: {'print $1'}`; do ifconfig $i up& done 0x84d4d:$s2: cp /lib/libudev.so /lib/libudev.so.6 0x696f8:$s3: sed -i '/\/etc\/cron.hourly\/gcc.sh/d' /etc/crontab && echo '/3 * * * root /etc/cron.hourly/gcc.sh' >> /etc/crontab 0x698a9:$s4: User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; SV1; TencentTraveler ; .NET CLR 1.1.4322)
5309.1.000000001a887bdc.0000000047f81f2f.r-x.sdmp	JoeSecurity_XorDDoS	Yara detected XorDDoS Bot	Joe Security
5309.1.000000001a887bdc.0000000047f81f2f.r-x.sdmp	MALWARE_Linux_XORDDoS	Detects XORDDoS	ditekSHen	0x84cfb:$s1: for i in `cat /proc/net/dev\|grep :\|awk -F: {'print $1'}`; do ifconfig $i up& done 0x84d4d:$s2: cp /lib/libudev.so /lib/libudev.so.6 0x696f8:$s3: sed -i '/\/etc\/cron.hourly\/gcc.sh/d' /etc/crontab && echo '/3 * * * root /etc/cron.hourly/gcc.sh' >> /etc/crontab 0x698a9:$s4: User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; SV1; TencentTraveler ; .NET CLR 1.1.4322)
5228.1.000000001a887bdc.0000000047f81f2f.r-x.sdmp	JoeSecurity_XorDDoS	Yara detected XorDDoS Bot	Joe Security
5228.1.000000001a887bdc.0000000047f81f2f.r-x.sdmp	MALWARE_Linux_XORDDoS	Detects XORDDoS	ditekSHen	0x84cfb:$s1: for i in `cat /proc/net/dev\|grep :\|awk -F: {'print $1'}`; do ifconfig $i up& done 0x84d4d:$s2: cp /lib/libudev.so /lib/libudev.so.6 0x696f8:$s3: sed -i '/\/etc\/cron.hourly\/gcc.sh/d' /etc/crontab && echo '/3 * * * root /etc/cron.hourly/gcc.sh' >> /etc/crontab 0x698a9:$s4: User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; SV1; TencentTraveler ; .NET CLR 1.1.4322)
5289.1.000000001a887bdc.0000000047f81f2f.r-x.sdmp	JoeSecurity_XorDDoS	Yara detected XorDDoS Bot	Joe Security
5289.1.000000001a887bdc.0000000047f81f2f.r-x.sdmp	MALWARE_Linux_XORDDoS	Detects XORDDoS	ditekSHen	0x84cfb:$s1: for i in `cat /proc/net/dev\|grep :\|awk -F: {'print $1'}`; do ifconfig $i up& done 0x84d4d:$s2: cp /lib/libudev.so /lib/libudev.so.6 0x696f8:$s3: sed -i '/\/etc\/cron.hourly\/gcc.sh/d' /etc/crontab && echo '/3 * * * root /etc/cron.hourly/gcc.sh' >> /etc/crontab 0x698a9:$s4: User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; SV1; TencentTraveler ; .NET CLR 1.1.4322)
5303.1.000000001a887bdc.0000000047f81f2f.r-x.sdmp	JoeSecurity_XorDDoS	Yara detected XorDDoS Bot	Joe Security
5303.1.000000001a887bdc.0000000047f81f2f.r-x.sdmp	MALWARE_Linux_XORDDoS	Detects XORDDoS	ditekSHen	0x84cfb:$s1: for i in `cat /proc/net/dev\|grep :\|awk -F: {'print $1'}`; do ifconfig $i up& done 0x84d4d:$s2: cp /lib/libudev.so /lib/libudev.so.6 0x696f8:$s3: sed -i '/\/etc\/cron.hourly\/gcc.sh/d' /etc/crontab && echo '/3 * * * root /etc/cron.hourly/gcc.sh' >> /etc/crontab 0x698a9:$s4: User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; SV1; TencentTraveler ; .NET CLR 1.1.4322)
5325.1.000000001a887bdc.0000000047f81f2f.r-x.sdmp	JoeSecurity_XorDDoS	Yara detected XorDDoS Bot	Joe Security
5325.1.000000001a887bdc.0000000047f81f2f.r-x.sdmp	MALWARE_Linux_XORDDoS	Detects XORDDoS	ditekSHen	0x84cfb:$s1: for i in `cat /proc/net/dev\|grep :\|awk -F: {'print $1'}`; do ifconfig $i up& done 0x84d4d:$s2: cp /lib/libudev.so /lib/libudev.so.6 0x696f8:$s3: sed -i '/\/etc\/cron.hourly\/gcc.sh/d' /etc/crontab && echo '/3 * * * root /etc/cron.hourly/gcc.sh' >> /etc/crontab 0x698a9:$s4: User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; SV1; TencentTraveler ; .NET CLR 1.1.4322)
5286.1.000000001a887bdc.0000000047f81f2f.r-x.sdmp	JoeSecurity_XorDDoS	Yara detected XorDDoS Bot	Joe Security
5286.1.000000001a887bdc.0000000047f81f2f.r-x.sdmp	MALWARE_Linux_XORDDoS	Detects XORDDoS	ditekSHen	0x84cfb:$s1: for i in `cat /proc/net/dev\|grep :\|awk -F: {'print $1'}`; do ifconfig $i up& done 0x84d4d:$s2: cp /lib/libudev.so /lib/libudev.so.6 0x696f8:$s3: sed -i '/\/etc\/cron.hourly\/gcc.sh/d' /etc/crontab && echo '/3 * * * root /etc/cron.hourly/gcc.sh' >> /etc/crontab 0x698a9:$s4: User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; SV1; TencentTraveler ; .NET CLR 1.1.4322)
Process Memory Space: xor1.o PID: 5224	JoeSecurity_XorDDoS	Yara detected XorDDoS Bot	Joe Security
Process Memory Space: xor1.o PID: 5226	JoeSecurity_XorDDoS	Yara detected XorDDoS Bot	Joe Security
Process Memory Space: xor1.o PID: 5227	JoeSecurity_XorDDoS	Yara detected XorDDoS Bot	Joe Security
Process Memory Space: xor1.o PID: 5228	JoeSecurity_XorDDoS	Yara detected XorDDoS Bot	Joe Security
Process Memory Space: xor1.o PID: 5263	JoeSecurity_XorDDoS	Yara detected XorDDoS Bot	Joe Security
Process Memory Space: xor1.o PID: 5266	JoeSecurity_XorDDoS	Yara detected XorDDoS Bot	Joe Security
Process Memory Space: xor1.o PID: 5268	JoeSecurity_XorDDoS	Yara detected XorDDoS Bot	Joe Security
Process Memory Space: xor1.o PID: 5270	JoeSecurity_XorDDoS	Yara detected XorDDoS Bot	Joe Security
Process Memory Space: xor1.o PID: 5273	JoeSecurity_XorDDoS	Yara detected XorDDoS Bot	Joe Security
Process Memory Space: xor1.o PID: 5281	JoeSecurity_XorDDoS	Yara detected XorDDoS Bot	Joe Security
Process Memory Space: xor1.o PID: 5284	JoeSecurity_XorDDoS	Yara detected XorDDoS Bot	Joe Security
Process Memory Space: xor1.o PID: 5286	JoeSecurity_XorDDoS	Yara detected XorDDoS Bot	Joe Security
Process Memory Space: xor1.o PID: 5289	JoeSecurity_XorDDoS	Yara detected XorDDoS Bot	Joe Security
Process Memory Space: xor1.o PID: 5291	JoeSecurity_XorDDoS	Yara detected XorDDoS Bot	Joe Security
Process Memory Space: xor1.o PID: 5300	JoeSecurity_XorDDoS	Yara detected XorDDoS Bot	Joe Security
Process Memory Space: xor1.o PID: 5303	JoeSecurity_XorDDoS	Yara detected XorDDoS Bot	Joe Security
Process Memory Space: xor1.o PID: 5305	JoeSecurity_XorDDoS	Yara detected XorDDoS Bot	Joe Security
Process Memory Space: xor1.o PID: 5309	JoeSecurity_XorDDoS	Yara detected XorDDoS Bot	Joe Security
Process Memory Space: xor1.o PID: 5311	JoeSecurity_XorDDoS	Yara detected XorDDoS Bot	Joe Security
Process Memory Space: xor1.o PID: 5317	JoeSecurity_XorDDoS	Yara detected XorDDoS Bot	Joe Security
Process Memory Space: xor1.o PID: 5320	JoeSecurity_XorDDoS	Yara detected XorDDoS Bot	Joe Security
Process Memory Space: xor1.o PID: 5322	JoeSecurity_XorDDoS	Yara detected XorDDoS Bot	Joe Security
Process Memory Space: xor1.o PID: 5325	JoeSecurity_XorDDoS	Yara detected XorDDoS Bot	Joe Security
Process Memory Space: xor1.o PID: 5328	JoeSecurity_XorDDoS	Yara detected XorDDoS Bot	Joe Security
Process Memory Space: xor1.o PID: 5334	JoeSecurity_XorDDoS	Yara detected XorDDoS Bot	Joe Security
Process Memory Space: xor1.o PID: 5337	JoeSecurity_XorDDoS	Yara detected XorDDoS Bot	Joe Security
Process Memory Space: xor1.o PID: 5339	JoeSecurity_XorDDoS	Yara detected XorDDoS Bot	Joe Security
Process Memory Space: xor1.o PID: 5342	JoeSecurity_XorDDoS	Yara detected XorDDoS Bot	Joe Security
Process Memory Space: xor1.o PID: 5344	JoeSecurity_XorDDoS	Yara detected XorDDoS Bot	Joe Security
Process Memory Space: xor1.o PID: 5351	JoeSecurity_XorDDoS	Yara detected XorDDoS Bot	Joe Security
Process Memory Space: xor1.o PID: 5354	JoeSecurity_XorDDoS	Yara detected XorDDoS Bot	Joe Security
Process Memory Space: xor1.o PID: 5356	JoeSecurity_XorDDoS	Yara detected XorDDoS Bot	Joe Security
Process Memory Space: xor1.o PID: 5360	JoeSecurity_XorDDoS	Yara detected XorDDoS Bot	Joe Security
Process Memory Space: xor1.o PID: 5362	JoeSecurity_XorDDoS	Yara detected XorDDoS Bot	Joe Security
Process Memory Space: xor1.o PID: 5369	JoeSecurity_XorDDoS	Yara detected XorDDoS Bot	Joe Security
Process Memory Space: xor1.o PID: 5372	JoeSecurity_XorDDoS	Yara detected XorDDoS Bot	Joe Security
Process Memory Space: xor1.o PID: 5375	JoeSecurity_XorDDoS	Yara detected XorDDoS Bot	Joe Security
Process Memory Space: xor1.o PID: 5377	JoeSecurity_XorDDoS	Yara detected XorDDoS Bot	Joe Security
Process Memory Space: xor1.o PID: 5380	JoeSecurity_XorDDoS	Yara detected XorDDoS Bot	Joe Security
Process Memory Space: xor1.o PID: 5390	JoeSecurity_XorDDoS	Yara detected XorDDoS Bot	Joe Security
Process Memory Space: xor1.o PID: 5393	JoeSecurity_XorDDoS	Yara detected XorDDoS Bot	Joe Security
Process Memory Space: xor1.o PID: 5395	JoeSecurity_XorDDoS	Yara detected XorDDoS Bot	Joe Security
Process Memory Space: xor1.o PID: 5398	JoeSecurity_XorDDoS	Yara detected XorDDoS Bot	Joe Security
Process Memory Space: xor1.o PID: 5401	JoeSecurity_XorDDoS	Yara detected XorDDoS Bot	Joe Security
Process Memory Space: xor1.o PID: 5407	JoeSecurity_XorDDoS	Yara detected XorDDoS Bot	Joe Security
Process Memory Space: xor1.o PID: 5410	JoeSecurity_XorDDoS	Yara detected XorDDoS Bot	Joe Security
Process Memory Space: xor1.o PID: 5413	JoeSecurity_XorDDoS	Yara detected XorDDoS Bot	Joe Security
Process Memory Space: xor1.o PID: 5415	JoeSecurity_XorDDoS	Yara detected XorDDoS Bot	Joe Security
Process Memory Space: xor1.o PID: 5418	JoeSecurity_XorDDoS	Yara detected XorDDoS Bot	Joe Security
Process Memory Space: xor1.o PID: 5424	JoeSecurity_XorDDoS	Yara detected XorDDoS Bot	Joe Security
Process Memory Space: xor1.o PID: 5427	JoeSecurity_XorDDoS	Yara detected XorDDoS Bot	Joe Security
Process Memory Space: xor1.o PID: 5430	JoeSecurity_XorDDoS	Yara detected XorDDoS Bot	Joe Security
Process Memory Space: xor1.o PID: 5432	JoeSecurity_XorDDoS	Yara detected XorDDoS Bot	Joe Security
Process Memory Space: xor1.o PID: 5435	JoeSecurity_XorDDoS	Yara detected XorDDoS Bot	Joe Security
Process Memory Space: xor1.o PID: 5441	JoeSecurity_XorDDoS	Yara detected XorDDoS Bot	Joe Security
Process Memory Space: xor1.o PID: 5444	JoeSecurity_XorDDoS	Yara detected XorDDoS Bot	Joe Security
Process Memory Space: xor1.o PID: 5447	JoeSecurity_XorDDoS	Yara detected XorDDoS Bot	Joe Security
Process Memory Space: xor1.o PID: 5449	JoeSecurity_XorDDoS	Yara detected XorDDoS Bot	Joe Security
Process Memory Space: xor1.o PID: 5451	JoeSecurity_XorDDoS	Yara detected XorDDoS Bot	Joe Security
Process Memory Space: xor1.o PID: 5461	JoeSecurity_XorDDoS	Yara detected XorDDoS Bot	Joe Security
Process Memory Space: xor1.o PID: 5464	JoeSecurity_XorDDoS	Yara detected XorDDoS Bot	Joe Security
Process Memory Space: xor1.o PID: 5466	JoeSecurity_XorDDoS	Yara detected XorDDoS Bot	Joe Security
Process Memory Space: xor1.o PID: 5468	JoeSecurity_XorDDoS	Yara detected XorDDoS Bot	Joe Security
Process Memory Space: xor1.o PID: 5471	JoeSecurity_XorDDoS	Yara detected XorDDoS Bot	Joe Security
Process Memory Space: xor1.o PID: 5478	JoeSecurity_XorDDoS	Yara detected XorDDoS Bot	Joe Security
Process Memory Space: xor1.o PID: 5481	JoeSecurity_XorDDoS	Yara detected XorDDoS Bot	Joe Security
Process Memory Space: xor1.o PID: 5483	JoeSecurity_XorDDoS	Yara detected XorDDoS Bot	Joe Security
Process Memory Space: xor1.o PID: 5486	JoeSecurity_XorDDoS	Yara detected XorDDoS Bot	Joe Security
Click to see the 237 entries

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Multi AV Scanner detection for submitted file

Source: xor1.o	Virustotal: Detection: 50%			Perma Link
Source: xor1.o	ReversingLabs: Detection: 64%

Machine Learning detection for dropped file

Source: /usr/bin/dupayarwpd	Joe Sandbox ML: detected
Source: /usr/bin/cglyyshjyz	Joe Sandbox ML: detected
Source: /usr/bin/uvefoplmkt	Joe Sandbox ML: detected
Source: /usr/bin/mbycomlghf	Joe Sandbox ML: detected
Source: /usr/bin/mtxpozvnco	Joe Sandbox ML: detected
Source: /usr/bin/jwkufnauiy	Joe Sandbox ML: detected
Source: /usr/bin/vdplvwquwd	Joe Sandbox ML: detected
Source: /usr/bin/ralgwrxppb	Joe Sandbox ML: detected
Source: /usr/bin/sqpwspsmaf	Joe Sandbox ML: detected
Source: /usr/bin/wkuqobksgz	Joe Sandbox ML: detected
Source: /usr/bin/ifkpwnmtjm	Joe Sandbox ML: detected
Source: /usr/bin/eiqbhbuvjy	Joe Sandbox ML: detected
Source: /usr/lib/libudev.so	Joe Sandbox ML: detected
Source: /usr/bin/wftusxulhl	Joe Sandbox ML: detected
Source: /usr/bin/jnoxdslvzn	Joe Sandbox ML: detected
Source: /usr/bin/iqmzdzzagu	Joe Sandbox ML: detected

Machine Learning detection for sample

Source: xor1.o

Joe Sandbox ML: detected

Source: /tmp/xor1.o (PID: 5225)

Reads CPU info from proc file: /proc/cpuinfo

Jump to behavior

Networking

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)

Source: Traffic	Snort IDS: 2021326 ET TROJAN Likely Linux/Xorddos.F DDoS Attack Participation (aa.hostasa.org) 192.168.2.23:40274 -> 8.8.8.8:53
Source: Traffic	Snort IDS: 2021326 ET TROJAN Likely Linux/Xorddos.F DDoS Attack Participation (aa.hostasa.org) 192.168.2.23:39319 -> 8.8.4.4:53
Source: Traffic	Snort IDS: 2021326 ET TROJAN Likely Linux/Xorddos.F DDoS Attack Participation (aa.hostasa.org) 192.168.2.23:51721 -> 1.1.1.1:53
Source: Traffic	Snort IDS: 2020381 ET TROJAN DDoS.XOR Checkin 192.168.2.23:40610 -> 54.36.15.99:1522

Source: global traffic	TCP traffic: 192.168.2.23:42516 -> 109.202.202.202:80
Source: global traffic	TCP traffic: 192.168.2.23:42836 -> 91.189.91.43:443
Source: global traffic	TCP traffic: 192.168.2.23:43928 -> 91.189.91.42:443

Source: global traffic	TCP traffic: 192.168.2.23:43056 -> 176.31.91.137:1522
Source: global traffic	TCP traffic: 192.168.2.23:40610 -> 54.36.15.99:1522

Source: unknown	Network traffic detected: HTTP traffic on port 43928 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 42836 -> 443

Source: unknown	TCP traffic detected without corresponding DNS query: 109.202.202.202
Source: unknown	TCP traffic detected without corresponding DNS query: 91.189.91.43
Source: unknown	TCP traffic detected without corresponding DNS query: 91.189.91.42
Source: unknown	TCP traffic detected without corresponding DNS query: 91.189.91.43
Source: unknown	TCP traffic detected without corresponding DNS query: 109.202.202.202
Source: unknown	TCP traffic detected without corresponding DNS query: 91.189.91.42
Source: unknown	TCP traffic detected without corresponding DNS query: 91.189.91.43
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: xor1.o, 5224.1.0000000021caf6a3.000000007ecf918e.rw-.sdmp, xor1.o, 5226.1.0000000021caf6a3.000000007ecf918e.rw-.sdmp, xor1.o, 5227.1.0000000021caf6a3.000000007ecf918e.rw-.sdmp, xor1.o, 5228.1.0000000021caf6a3.000000007ecf918e.rw-.sdmp, xor1.o, 5263.1.0000000021caf6a3.000000007ecf918e.rw-.sdmp, xor1.o, 5266.1.0000000021caf6a3.000000007ecf918e.rw-.sdmp, xor1.o, 5268.1.0000000021caf6a3.000000007ecf918e.rw-.sdmp, xor1.o, 5270.1.0000000021caf6a3.000000007ecf918e.rw-.sdmp, xor1.o, 5273.1.0000000021caf6a3.000000007ecf918e.rw-.sdmp, xor1.o, 5281.1.0000000021caf6a3.000000007ecf918e.rw-.sdmp, xor1.o, 5284.1.0000000021caf6a3.000000007ecf918e.rw-.sdmp, xor1.o, 5286.1.0000000021caf6a3.000000007ecf918e.rw-.sdmp, xor1.o, 5289.1.0000000021caf6a3.000000007ecf918e.rw-.sdmp, xor1.o, 5291.1.0000000021caf6a3.000000007ecf918e.rw-.sdmp, xor1.o, 5300.1.0000000021caf6a3.000000007ecf918e.rw-.sdmp, xor1.o, 5303.1.0000000021caf6a3.000000007ecf918e.rw-.sdmp, xor1.o, 5305.1.0000000021caf6a3.000000007ecf918e.rw-.sdmp, xor1.o, 5309.1.0000000021caf6a3.000000007ecf918e.rw-.sdmp, xor1.o, 5311.1.0000000021caf6a3.000000007ecf918e.rw-.sdmp, xor1.o, 5317.1.0000000021caf6a3.000000007ecf918e.rw-.sdmp, xor1.o, 5320.1.0000000021caf6a3.000000007ecf918e.rw-.sdmp	String found in binary or memory: http://aa.hostasa.org/config.rar
Source: xor1.o, 5224.1.0000000021caf6a3.000000007ecf918e.rw-.sdmp, xor1.o, 5226.1.0000000021caf6a3.000000007ecf918e.rw-.sdmp, xor1.o, 5227.1.0000000021caf6a3.000000007ecf918e.rw-.sdmp, xor1.o, 5228.1.0000000021caf6a3.000000007ecf918e.rw-.sdmp, xor1.o, 5263.1.0000000021caf6a3.000000007ecf918e.rw-.sdmp, xor1.o, 5266.1.0000000021caf6a3.000000007ecf918e.rw-.sdmp, xor1.o, 5268.1.0000000021caf6a3.000000007ecf918e.rw-.sdmp, xor1.o, 5270.1.0000000021caf6a3.000000007ecf918e.rw-.sdmp, xor1.o, 5273.1.0000000021caf6a3.000000007ecf918e.rw-.sdmp, xor1.o, 5281.1.0000000021caf6a3.000000007ecf918e.rw-.sdmp, xor1.o, 5284.1.0000000021caf6a3.000000007ecf918e.rw-.sdmp, xor1.o, 5286.1.0000000021caf6a3.000000007ecf918e.rw-.sdmp, xor1.o, 5289.1.0000000021caf6a3.000000007ecf918e.rw-.sdmp, xor1.o, 5291.1.0000000021caf6a3.000000007ecf918e.rw-.sdmp, xor1.o, 5300.1.0000000021caf6a3.000000007ecf918e.rw-.sdmp, xor1.o, 5303.1.0000000021caf6a3.000000007ecf918e.rw-.sdmp, xor1.o, 5305.1.0000000021caf6a3.000000007ecf918e.rw-.sdmp, xor1.o, 5309.1.0000000021caf6a3.000000007ecf918e.rw-.sdmp, xor1.o, 5311.1.0000000021caf6a3.000000007ecf918e.rw-.sdmp, xor1.o, 5317.1.0000000021caf6a3.000000007ecf918e.rw-.sdmp, xor1.o, 5320.1.0000000021caf6a3.000000007ecf918e.rw-.sdmp	String found in binary or memory: http://aa.hostasa.org/config.rartat456.com:1522
Source: xor1.o, dupayarwpd.11.dr, cglyyshjyz.11.dr, uvefoplmkt.11.dr, mbycomlghf.11.dr, mtxpozvnco.11.dr, jwkufnauiy.11.dr, vdplvwquwd.11.dr, ralgwrxppb.11.dr, sqpwspsmaf.11.dr, wkuqobksgz.11.dr, ifkpwnmtjm.11.dr, eiqbhbuvjy.11.dr, libudev.so.11.dr, jnoxdslvzn.11.dr, iqmzdzzagu.11.dr	String found in binary or memory: http://www.gnu.org/software/libc/bugs.html

Source: unknown

DNS traffic detected: queries for: aa.hostasa.org

DDoS

Yara detected XorDDoS Bot

Source: Yara match	File source: xor1.o, type: SAMPLE
Source: Yara match	File source: 5226.1.000000001a887bdc.0000000047f81f2f.r-x.sdmp, type: MEMORY
Source: Yara match	File source: 5362.1.000000001a887bdc.0000000047f81f2f.r-x.sdmp, type: MEMORY
Source: Yara match	File source: 5483.1.000000001a887bdc.0000000047f81f2f.r-x.sdmp, type: MEMORY
Source: Yara match	File source: 5498.1.000000001a887bdc.0000000047f81f2f.r-x.sdmp, type: MEMORY
Source: Yara match	File source: 5322.1.000000001a887bdc.0000000047f81f2f.r-x.sdmp, type: MEMORY
Source: Yara match	File source: 5415.1.000000001a887bdc.0000000047f81f2f.r-x.sdmp, type: MEMORY
Source: Yara match	File source: 5507.1.000000001a887bdc.0000000047f81f2f.r-x.sdmp, type: MEMORY
Source: Yara match	File source: 5518.1.000000001a887bdc.0000000047f81f2f.r-x.sdmp, type: MEMORY
Source: Yara match	File source: 5430.1.000000001a887bdc.0000000047f81f2f.r-x.sdmp, type: MEMORY
Source: Yara match	File source: 5342.1.000000001a887bdc.0000000047f81f2f.r-x.sdmp, type: MEMORY
Source: Yara match	File source: 5444.1.000000001a887bdc.0000000047f81f2f.r-x.sdmp, type: MEMORY
Source: Yara match	File source: 5427.1.000000001a887bdc.0000000047f81f2f.r-x.sdmp, type: MEMORY
Source: Yara match	File source: 5263.1.000000001a887bdc.0000000047f81f2f.r-x.sdmp, type: MEMORY
Source: Yara match	File source: 5466.1.000000001a887bdc.0000000047f81f2f.r-x.sdmp, type: MEMORY
Source: Yara match	File source: 5334.1.000000001a887bdc.0000000047f81f2f.r-x.sdmp, type: MEMORY
Source: Yara match	File source: 5530.1.000000001a887bdc.0000000047f81f2f.r-x.sdmp, type: MEMORY
Source: Yara match	File source: 5449.1.000000001a887bdc.0000000047f81f2f.r-x.sdmp, type: MEMORY
Source: Yara match	File source: 5291.1.000000001a887bdc.0000000047f81f2f.r-x.sdmp, type: MEMORY
Source: Yara match	File source: 5486.1.000000001a887bdc.0000000047f81f2f.r-x.sdmp, type: MEMORY
Source: Yara match	File source: 5372.1.000000001a887bdc.0000000047f81f2f.r-x.sdmp, type: MEMORY
Source: Yara match	File source: 5407.1.000000001a887bdc.0000000047f81f2f.r-x.sdmp, type: MEMORY
Source: Yara match	File source: 5554.1.000000001a887bdc.0000000047f81f2f.r-x.sdmp, type: MEMORY
Source: Yara match	File source: 5224.1.000000001a887bdc.0000000047f81f2f.r-x.sdmp, type: MEMORY
Source: Yara match	File source: 5538.1.000000001a887bdc.0000000047f81f2f.r-x.sdmp, type: MEMORY
Source: Yara match	File source: 5410.1.000000001a887bdc.0000000047f81f2f.r-x.sdmp, type: MEMORY
Source: Yara match	File source: 5489.1.000000001a887bdc.0000000047f81f2f.r-x.sdmp, type: MEMORY
Source: Yara match	File source: 5320.1.000000001a887bdc.0000000047f81f2f.r-x.sdmp, type: MEMORY
Source: Yara match	File source: 5360.1.000000001a887bdc.0000000047f81f2f.r-x.sdmp, type: MEMORY
Source: Yara match	File source: 5398.1.000000001a887bdc.0000000047f81f2f.r-x.sdmp, type: MEMORY
Source: Yara match	File source: 5516.1.000000001a887bdc.0000000047f81f2f.r-x.sdmp, type: MEMORY
Source: Yara match	File source: 5380.1.000000001a887bdc.0000000047f81f2f.r-x.sdmp, type: MEMORY
Source: Yara match	File source: 5513.1.000000001a887bdc.0000000047f81f2f.r-x.sdmp, type: MEMORY
Source: Yara match	File source: 5481.1.000000001a887bdc.0000000047f81f2f.r-x.sdmp, type: MEMORY
Source: Yara match	File source: 5451.1.000000001a887bdc.0000000047f81f2f.r-x.sdmp, type: MEMORY
Source: Yara match	File source: 5471.1.000000001a887bdc.0000000047f81f2f.r-x.sdmp, type: MEMORY
Source: Yara match	File source: 5478.1.000000001a887bdc.0000000047f81f2f.r-x.sdmp, type: MEMORY
Source: Yara match	File source: 5541.1.000000001a887bdc.0000000047f81f2f.r-x.sdmp, type: MEMORY
Source: Yara match	File source: 5468.1.000000001a887bdc.0000000047f81f2f.r-x.sdmp, type: MEMORY
Source: Yara match	File source: 5284.1.000000001a887bdc.0000000047f81f2f.r-x.sdmp, type: MEMORY
Source: Yara match	File source: 5535.1.000000001a887bdc.0000000047f81f2f.r-x.sdmp, type: MEMORY
Source: Yara match	File source: 5401.1.000000001a887bdc.0000000047f81f2f.r-x.sdmp, type: MEMORY
Source: Yara match	File source: 5311.1.000000001a887bdc.0000000047f81f2f.r-x.sdmp, type: MEMORY
Source: Yara match	File source: 5270.1.000000001a887bdc.0000000047f81f2f.r-x.sdmp, type: MEMORY
Source: Yara match	File source: 5351.1.000000001a887bdc.0000000047f81f2f.r-x.sdmp, type: MEMORY
Source: Yara match	File source: 5495.1.000000001a887bdc.0000000047f81f2f.r-x.sdmp, type: MEMORY
Source: Yara match	File source: 5447.1.000000001a887bdc.0000000047f81f2f.r-x.sdmp, type: MEMORY
Source: Yara match	File source: 5266.1.000000001a887bdc.0000000047f81f2f.r-x.sdmp, type: MEMORY
Source: Yara match	File source: 5393.1.000000001a887bdc.0000000047f81f2f.r-x.sdmp, type: MEMORY
Source: Yara match	File source: 5503.1.000000001a887bdc.0000000047f81f2f.r-x.sdmp, type: MEMORY
Source: Yara match	File source: 5461.1.000000001a887bdc.0000000047f81f2f.r-x.sdmp, type: MEMORY
Source: Yara match	File source: 5281.1.000000001a887bdc.0000000047f81f2f.r-x.sdmp, type: MEMORY
Source: Yara match	File source: 5328.1.000000001a887bdc.0000000047f81f2f.r-x.sdmp, type: MEMORY
Source: Yara match	File source: 5268.1.000000001a887bdc.0000000047f81f2f.r-x.sdmp, type: MEMORY
Source: Yara match	File source: 5525.1.000000001a887bdc.0000000047f81f2f.r-x.sdmp, type: MEMORY
Source: Yara match	File source: 5339.1.000000001a887bdc.0000000047f81f2f.r-x.sdmp, type: MEMORY
Source: Yara match	File source: 5500.1.000000001a887bdc.0000000047f81f2f.r-x.sdmp, type: MEMORY
Source: Yara match	File source: 5337.1.000000001a887bdc.0000000047f81f2f.r-x.sdmp, type: MEMORY
Source: Yara match	File source: 5424.1.000000001a887bdc.0000000047f81f2f.r-x.sdmp, type: MEMORY
Source: Yara match	File source: 5300.1.000000001a887bdc.0000000047f81f2f.r-x.sdmp, type: MEMORY
Source: Yara match	File source: 5390.1.000000001a887bdc.0000000047f81f2f.r-x.sdmp, type: MEMORY
Source: Yara match	File source: 5521.1.000000001a887bdc.0000000047f81f2f.r-x.sdmp, type: MEMORY
Source: Yara match	File source: 5273.1.000000001a887bdc.0000000047f81f2f.r-x.sdmp, type: MEMORY
Source: Yara match	File source: 5551.1.000000001a887bdc.0000000047f81f2f.r-x.sdmp, type: MEMORY
Source: Yara match	File source: 5369.1.000000001a887bdc.0000000047f81f2f.r-x.sdmp, type: MEMORY
Source: Yara match	File source: 5354.1.000000001a887bdc.0000000047f81f2f.r-x.sdmp, type: MEMORY
Source: Yara match	File source: 5356.1.000000001a887bdc.0000000047f81f2f.r-x.sdmp, type: MEMORY
Source: Yara match	File source: 5305.1.000000001a887bdc.0000000047f81f2f.r-x.sdmp, type: MEMORY
Source: Yara match	File source: 5413.1.000000001a887bdc.0000000047f81f2f.r-x.sdmp, type: MEMORY
Source: Yara match	File source: 5344.1.000000001a887bdc.0000000047f81f2f.r-x.sdmp, type: MEMORY
Source: Yara match	File source: 5377.1.000000001a887bdc.0000000047f81f2f.r-x.sdmp, type: MEMORY
Source: Yara match	File source: 5418.1.000000001a887bdc.0000000047f81f2f.r-x.sdmp, type: MEMORY
Source: Yara match	File source: 5533.1.000000001a887bdc.0000000047f81f2f.r-x.sdmp, type: MEMORY
Source: Yara match	File source: 5548.1.000000001a887bdc.0000000047f81f2f.r-x.sdmp, type: MEMORY
Source: Yara match	File source: 5395.1.000000001a887bdc.0000000047f81f2f.r-x.sdmp, type: MEMORY
Source: Yara match	File source: 5317.1.000000001a887bdc.0000000047f81f2f.r-x.sdmp, type: MEMORY
Source: Yara match	File source: 5435.1.000000001a887bdc.0000000047f81f2f.r-x.sdmp, type: MEMORY
Source: Yara match	File source: 5464.1.000000001a887bdc.0000000047f81f2f.r-x.sdmp, type: MEMORY
Source: Yara match	File source: 5375.1.000000001a887bdc.0000000047f81f2f.r-x.sdmp, type: MEMORY
Source: Yara match	File source: 5432.1.000000001a887bdc.0000000047f81f2f.r-x.sdmp, type: MEMORY
Source: Yara match	File source: 5441.1.000000001a887bdc.0000000047f81f2f.r-x.sdmp, type: MEMORY
Source: Yara match	File source: 5227.1.000000001a887bdc.0000000047f81f2f.r-x.sdmp, type: MEMORY
Source: Yara match	File source: 5309.1.000000001a887bdc.0000000047f81f2f.r-x.sdmp, type: MEMORY
Source: Yara match	File source: 5228.1.000000001a887bdc.0000000047f81f2f.r-x.sdmp, type: MEMORY
Source: Yara match	File source: 5289.1.000000001a887bdc.0000000047f81f2f.r-x.sdmp, type: MEMORY
Source: Yara match	File source: 5303.1.000000001a887bdc.0000000047f81f2f.r-x.sdmp, type: MEMORY
Source: Yara match	File source: 5325.1.000000001a887bdc.0000000047f81f2f.r-x.sdmp, type: MEMORY
Source: Yara match	File source: 5286.1.000000001a887bdc.0000000047f81f2f.r-x.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: xor1.o PID: 5224, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: xor1.o PID: 5226, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: xor1.o PID: 5227, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: xor1.o PID: 5228, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: xor1.o PID: 5263, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: xor1.o PID: 5266, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: xor1.o PID: 5268, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: xor1.o PID: 5270, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: xor1.o PID: 5273, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: xor1.o PID: 5281, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: xor1.o PID: 5284, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: xor1.o PID: 5286, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: xor1.o PID: 5289, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: xor1.o PID: 5291, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: xor1.o PID: 5300, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: xor1.o PID: 5303, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: xor1.o PID: 5305, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: xor1.o PID: 5309, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: xor1.o PID: 5311, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: xor1.o PID: 5317, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: xor1.o PID: 5320, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: xor1.o PID: 5322, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: xor1.o PID: 5325, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: xor1.o PID: 5328, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: xor1.o PID: 5334, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: xor1.o PID: 5337, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: xor1.o PID: 5339, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: xor1.o PID: 5342, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: xor1.o PID: 5344, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: xor1.o PID: 5351, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: xor1.o PID: 5354, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: xor1.o PID: 5356, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: xor1.o PID: 5360, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: xor1.o PID: 5362, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: xor1.o PID: 5369, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: xor1.o PID: 5372, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: xor1.o PID: 5375, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: xor1.o PID: 5377, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: xor1.o PID: 5380, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: xor1.o PID: 5390, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: xor1.o PID: 5393, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: xor1.o PID: 5395, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: xor1.o PID: 5398, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: xor1.o PID: 5401, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: xor1.o PID: 5407, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: xor1.o PID: 5410, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: xor1.o PID: 5413, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: xor1.o PID: 5415, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: xor1.o PID: 5418, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: xor1.o PID: 5424, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: xor1.o PID: 5427, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: xor1.o PID: 5430, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: xor1.o PID: 5432, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: xor1.o PID: 5435, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: xor1.o PID: 5441, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: xor1.o PID: 5444, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: xor1.o PID: 5447, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: xor1.o PID: 5449, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: xor1.o PID: 5451, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: xor1.o PID: 5461, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: xor1.o PID: 5464, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: xor1.o PID: 5466, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: xor1.o PID: 5468, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: xor1.o PID: 5471, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: xor1.o PID: 5478, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: xor1.o PID: 5481, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: xor1.o PID: 5483, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: xor1.o PID: 5486, type: MEMORYSTR
Source: Yara match	File source: /usr/bin/jwkufnauiy, type: DROPPED
Source: Yara match	File source: /usr/bin/iqmzdzzagu, type: DROPPED
Source: Yara match	File source: /usr/bin/jnoxdslvzn, type: DROPPED
Source: Yara match	File source: /usr/bin/wftusxulhl, type: DROPPED
Source: Yara match	File source: /usr/bin/uvefoplmkt, type: DROPPED
Source: Yara match	File source: /usr/bin/dupayarwpd, type: DROPPED
Source: Yara match	File source: /usr/bin/mtxpozvnco, type: DROPPED
Source: Yara match	File source: /usr/bin/eiqbhbuvjy, type: DROPPED
Source: Yara match	File source: /usr/bin/vdplvwquwd, type: DROPPED
Source: Yara match	File source: /usr/bin/mbycomlghf, type: DROPPED
Source: Yara match	File source: /usr/lib/libudev.so, type: DROPPED
Source: Yara match	File source: /usr/bin/sqpwspsmaf, type: DROPPED
Source: Yara match	File source: /usr/bin/ralgwrxppb, type: DROPPED
Source: Yara match	File source: /usr/bin/ifkpwnmtjm, type: DROPPED
Source: Yara match	File source: /usr/bin/wkuqobksgz, type: DROPPED
Source: Yara match	File source: /usr/bin/cglyyshjyz, type: DROPPED

System Summary

Malicious sample detected (through community Yara rule)

Source: xor1.o, type: SAMPLE	Matched rule: Detects XORDDoS Author: ditekSHen
Source: 5226.1.000000001a887bdc.0000000047f81f2f.r-x.sdmp, type: MEMORY	Matched rule: Detects XORDDoS Author: ditekSHen
Source: 5362.1.000000001a887bdc.0000000047f81f2f.r-x.sdmp, type: MEMORY	Matched rule: Detects XORDDoS Author: ditekSHen
Source: 5483.1.000000001a887bdc.0000000047f81f2f.r-x.sdmp, type: MEMORY	Matched rule: Detects XORDDoS Author: ditekSHen
Source: 5498.1.000000001a887bdc.0000000047f81f2f.r-x.sdmp, type: MEMORY	Matched rule: Detects XORDDoS Author: ditekSHen
Source: 5322.1.000000001a887bdc.0000000047f81f2f.r-x.sdmp, type: MEMORY	Matched rule: Detects XORDDoS Author: ditekSHen
Source: 5415.1.000000001a887bdc.0000000047f81f2f.r-x.sdmp, type: MEMORY	Matched rule: Detects XORDDoS Author: ditekSHen
Source: 5507.1.000000001a887bdc.0000000047f81f2f.r-x.sdmp, type: MEMORY	Matched rule: Detects XORDDoS Author: ditekSHen
Source: 5518.1.000000001a887bdc.0000000047f81f2f.r-x.sdmp, type: MEMORY	Matched rule: Detects XORDDoS Author: ditekSHen
Source: 5430.1.000000001a887bdc.0000000047f81f2f.r-x.sdmp, type: MEMORY	Matched rule: Detects XORDDoS Author: ditekSHen
Source: 5342.1.000000001a887bdc.0000000047f81f2f.r-x.sdmp, type: MEMORY	Matched rule: Detects XORDDoS Author: ditekSHen
Source: 5444.1.000000001a887bdc.0000000047f81f2f.r-x.sdmp, type: MEMORY	Matched rule: Detects XORDDoS Author: ditekSHen
Source: 5427.1.000000001a887bdc.0000000047f81f2f.r-x.sdmp, type: MEMORY	Matched rule: Detects XORDDoS Author: ditekSHen
Source: 5263.1.000000001a887bdc.0000000047f81f2f.r-x.sdmp, type: MEMORY	Matched rule: Detects XORDDoS Author: ditekSHen
Source: 5466.1.000000001a887bdc.0000000047f81f2f.r-x.sdmp, type: MEMORY	Matched rule: Detects XORDDoS Author: ditekSHen
Source: 5334.1.000000001a887bdc.0000000047f81f2f.r-x.sdmp, type: MEMORY	Matched rule: Detects XORDDoS Author: ditekSHen
Source: 5530.1.000000001a887bdc.0000000047f81f2f.r-x.sdmp, type: MEMORY	Matched rule: Detects XORDDoS Author: ditekSHen
Source: 5449.1.000000001a887bdc.0000000047f81f2f.r-x.sdmp, type: MEMORY	Matched rule: Detects XORDDoS Author: ditekSHen
Source: 5291.1.000000001a887bdc.0000000047f81f2f.r-x.sdmp, type: MEMORY	Matched rule: Detects XORDDoS Author: ditekSHen
Source: 5486.1.000000001a887bdc.0000000047f81f2f.r-x.sdmp, type: MEMORY	Matched rule: Detects XORDDoS Author: ditekSHen
Source: 5372.1.000000001a887bdc.0000000047f81f2f.r-x.sdmp, type: MEMORY	Matched rule: Detects XORDDoS Author: ditekSHen
Source: 5407.1.000000001a887bdc.0000000047f81f2f.r-x.sdmp, type: MEMORY	Matched rule: Detects XORDDoS Author: ditekSHen
Source: 5554.1.000000001a887bdc.0000000047f81f2f.r-x.sdmp, type: MEMORY	Matched rule: Detects XORDDoS Author: ditekSHen
Source: 5224.1.000000001a887bdc.0000000047f81f2f.r-x.sdmp, type: MEMORY	Matched rule: Detects XORDDoS Author: ditekSHen
Source: 5538.1.000000001a887bdc.0000000047f81f2f.r-x.sdmp, type: MEMORY	Matched rule: Detects XORDDoS Author: ditekSHen
Source: 5410.1.000000001a887bdc.0000000047f81f2f.r-x.sdmp, type: MEMORY	Matched rule: Detects XORDDoS Author: ditekSHen
Source: 5489.1.000000001a887bdc.0000000047f81f2f.r-x.sdmp, type: MEMORY	Matched rule: Detects XORDDoS Author: ditekSHen
Source: 5320.1.000000001a887bdc.0000000047f81f2f.r-x.sdmp, type: MEMORY	Matched rule: Detects XORDDoS Author: ditekSHen
Source: 5360.1.000000001a887bdc.0000000047f81f2f.r-x.sdmp, type: MEMORY	Matched rule: Detects XORDDoS Author: ditekSHen
Source: 5398.1.000000001a887bdc.0000000047f81f2f.r-x.sdmp, type: MEMORY	Matched rule: Detects XORDDoS Author: ditekSHen
Source: 5516.1.000000001a887bdc.0000000047f81f2f.r-x.sdmp, type: MEMORY	Matched rule: Detects XORDDoS Author: ditekSHen
Source: 5380.1.000000001a887bdc.0000000047f81f2f.r-x.sdmp, type: MEMORY	Matched rule: Detects XORDDoS Author: ditekSHen
Source: 5513.1.000000001a887bdc.0000000047f81f2f.r-x.sdmp, type: MEMORY	Matched rule: Detects XORDDoS Author: ditekSHen
Source: 5481.1.000000001a887bdc.0000000047f81f2f.r-x.sdmp, type: MEMORY	Matched rule: Detects XORDDoS Author: ditekSHen
Source: 5451.1.000000001a887bdc.0000000047f81f2f.r-x.sdmp, type: MEMORY	Matched rule: Detects XORDDoS Author: ditekSHen
Source: 5471.1.000000001a887bdc.0000000047f81f2f.r-x.sdmp, type: MEMORY	Matched rule: Detects XORDDoS Author: ditekSHen
Source: 5478.1.000000001a887bdc.0000000047f81f2f.r-x.sdmp, type: MEMORY	Matched rule: Detects XORDDoS Author: ditekSHen
Source: 5541.1.000000001a887bdc.0000000047f81f2f.r-x.sdmp, type: MEMORY	Matched rule: Detects XORDDoS Author: ditekSHen
Source: 5468.1.000000001a887bdc.0000000047f81f2f.r-x.sdmp, type: MEMORY	Matched rule: Detects XORDDoS Author: ditekSHen
Source: 5284.1.000000001a887bdc.0000000047f81f2f.r-x.sdmp, type: MEMORY	Matched rule: Detects XORDDoS Author: ditekSHen
Source: 5535.1.000000001a887bdc.0000000047f81f2f.r-x.sdmp, type: MEMORY	Matched rule: Detects XORDDoS Author: ditekSHen
Source: 5401.1.000000001a887bdc.0000000047f81f2f.r-x.sdmp, type: MEMORY	Matched rule: Detects XORDDoS Author: ditekSHen
Source: 5311.1.000000001a887bdc.0000000047f81f2f.r-x.sdmp, type: MEMORY	Matched rule: Detects XORDDoS Author: ditekSHen
Source: 5270.1.000000001a887bdc.0000000047f81f2f.r-x.sdmp, type: MEMORY	Matched rule: Detects XORDDoS Author: ditekSHen
Source: 5351.1.000000001a887bdc.0000000047f81f2f.r-x.sdmp, type: MEMORY	Matched rule: Detects XORDDoS Author: ditekSHen
Source: 5495.1.000000001a887bdc.0000000047f81f2f.r-x.sdmp, type: MEMORY	Matched rule: Detects XORDDoS Author: ditekSHen
Source: 5447.1.000000001a887bdc.0000000047f81f2f.r-x.sdmp, type: MEMORY	Matched rule: Detects XORDDoS Author: ditekSHen
Source: 5266.1.000000001a887bdc.0000000047f81f2f.r-x.sdmp, type: MEMORY	Matched rule: Detects XORDDoS Author: ditekSHen
Source: 5393.1.000000001a887bdc.0000000047f81f2f.r-x.sdmp, type: MEMORY	Matched rule: Detects XORDDoS Author: ditekSHen
Source: 5503.1.000000001a887bdc.0000000047f81f2f.r-x.sdmp, type: MEMORY	Matched rule: Detects XORDDoS Author: ditekSHen
Source: 5461.1.000000001a887bdc.0000000047f81f2f.r-x.sdmp, type: MEMORY	Matched rule: Detects XORDDoS Author: ditekSHen
Source: 5281.1.000000001a887bdc.0000000047f81f2f.r-x.sdmp, type: MEMORY	Matched rule: Detects XORDDoS Author: ditekSHen
Source: 5328.1.000000001a887bdc.0000000047f81f2f.r-x.sdmp, type: MEMORY	Matched rule: Detects XORDDoS Author: ditekSHen
Source: 5268.1.000000001a887bdc.0000000047f81f2f.r-x.sdmp, type: MEMORY	Matched rule: Detects XORDDoS Author: ditekSHen
Source: 5525.1.000000001a887bdc.0000000047f81f2f.r-x.sdmp, type: MEMORY	Matched rule: Detects XORDDoS Author: ditekSHen
Source: 5339.1.000000001a887bdc.0000000047f81f2f.r-x.sdmp, type: MEMORY	Matched rule: Detects XORDDoS Author: ditekSHen
Source: 5500.1.000000001a887bdc.0000000047f81f2f.r-x.sdmp, type: MEMORY	Matched rule: Detects XORDDoS Author: ditekSHen
Source: 5337.1.000000001a887bdc.0000000047f81f2f.r-x.sdmp, type: MEMORY	Matched rule: Detects XORDDoS Author: ditekSHen
Source: 5424.1.000000001a887bdc.0000000047f81f2f.r-x.sdmp, type: MEMORY	Matched rule: Detects XORDDoS Author: ditekSHen
Source: 5300.1.000000001a887bdc.0000000047f81f2f.r-x.sdmp, type: MEMORY	Matched rule: Detects XORDDoS Author: ditekSHen
Source: 5390.1.000000001a887bdc.0000000047f81f2f.r-x.sdmp, type: MEMORY	Matched rule: Detects XORDDoS Author: ditekSHen
Source: 5521.1.000000001a887bdc.0000000047f81f2f.r-x.sdmp, type: MEMORY	Matched rule: Detects XORDDoS Author: ditekSHen
Source: 5273.1.000000001a887bdc.0000000047f81f2f.r-x.sdmp, type: MEMORY	Matched rule: Detects XORDDoS Author: ditekSHen
Source: 5551.1.000000001a887bdc.0000000047f81f2f.r-x.sdmp, type: MEMORY	Matched rule: Detects XORDDoS Author: ditekSHen
Source: 5369.1.000000001a887bdc.0000000047f81f2f.r-x.sdmp, type: MEMORY	Matched rule: Detects XORDDoS Author: ditekSHen
Source: 5354.1.000000001a887bdc.0000000047f81f2f.r-x.sdmp, type: MEMORY	Matched rule: Detects XORDDoS Author: ditekSHen
Source: 5356.1.000000001a887bdc.0000000047f81f2f.r-x.sdmp, type: MEMORY	Matched rule: Detects XORDDoS Author: ditekSHen
Source: 5305.1.000000001a887bdc.0000000047f81f2f.r-x.sdmp, type: MEMORY	Matched rule: Detects XORDDoS Author: ditekSHen
Source: 5413.1.000000001a887bdc.0000000047f81f2f.r-x.sdmp, type: MEMORY	Matched rule: Detects XORDDoS Author: ditekSHen
Source: 5344.1.000000001a887bdc.0000000047f81f2f.r-x.sdmp, type: MEMORY	Matched rule: Detects XORDDoS Author: ditekSHen
Source: 5377.1.000000001a887bdc.0000000047f81f2f.r-x.sdmp, type: MEMORY	Matched rule: Detects XORDDoS Author: ditekSHen
Source: 5418.1.000000001a887bdc.0000000047f81f2f.r-x.sdmp, type: MEMORY	Matched rule: Detects XORDDoS Author: ditekSHen
Source: 5533.1.000000001a887bdc.0000000047f81f2f.r-x.sdmp, type: MEMORY	Matched rule: Detects XORDDoS Author: ditekSHen
Source: 5548.1.000000001a887bdc.0000000047f81f2f.r-x.sdmp, type: MEMORY	Matched rule: Detects XORDDoS Author: ditekSHen
Source: 5395.1.000000001a887bdc.0000000047f81f2f.r-x.sdmp, type: MEMORY	Matched rule: Detects XORDDoS Author: ditekSHen
Source: 5317.1.000000001a887bdc.0000000047f81f2f.r-x.sdmp, type: MEMORY	Matched rule: Detects XORDDoS Author: ditekSHen
Source: 5435.1.000000001a887bdc.0000000047f81f2f.r-x.sdmp, type: MEMORY	Matched rule: Detects XORDDoS Author: ditekSHen
Source: 5464.1.000000001a887bdc.0000000047f81f2f.r-x.sdmp, type: MEMORY	Matched rule: Detects XORDDoS Author: ditekSHen
Source: 5375.1.000000001a887bdc.0000000047f81f2f.r-x.sdmp, type: MEMORY	Matched rule: Detects XORDDoS Author: ditekSHen
Source: 5432.1.000000001a887bdc.0000000047f81f2f.r-x.sdmp, type: MEMORY	Matched rule: Detects XORDDoS Author: ditekSHen
Source: 5441.1.000000001a887bdc.0000000047f81f2f.r-x.sdmp, type: MEMORY	Matched rule: Detects XORDDoS Author: ditekSHen
Source: 5227.1.000000001a887bdc.0000000047f81f2f.r-x.sdmp, type: MEMORY	Matched rule: Detects XORDDoS Author: ditekSHen
Source: 5309.1.000000001a887bdc.0000000047f81f2f.r-x.sdmp, type: MEMORY	Matched rule: Detects XORDDoS Author: ditekSHen
Source: 5228.1.000000001a887bdc.0000000047f81f2f.r-x.sdmp, type: MEMORY	Matched rule: Detects XORDDoS Author: ditekSHen
Source: 5289.1.000000001a887bdc.0000000047f81f2f.r-x.sdmp, type: MEMORY	Matched rule: Detects XORDDoS Author: ditekSHen
Source: 5303.1.000000001a887bdc.0000000047f81f2f.r-x.sdmp, type: MEMORY	Matched rule: Detects XORDDoS Author: ditekSHen
Source: 5325.1.000000001a887bdc.0000000047f81f2f.r-x.sdmp, type: MEMORY	Matched rule: Detects XORDDoS Author: ditekSHen
Source: 5286.1.000000001a887bdc.0000000047f81f2f.r-x.sdmp, type: MEMORY	Matched rule: Detects XORDDoS Author: ditekSHen
Source: /usr/bin/jwkufnauiy, type: DROPPED	Matched rule: Detects XORDDoS Author: ditekSHen
Source: /usr/bin/iqmzdzzagu, type: DROPPED	Matched rule: Detects XORDDoS Author: ditekSHen
Source: /usr/bin/jnoxdslvzn, type: DROPPED	Matched rule: Detects XORDDoS Author: ditekSHen
Source: /usr/bin/uvefoplmkt, type: DROPPED	Matched rule: Detects XORDDoS Author: ditekSHen
Source: /usr/bin/dupayarwpd, type: DROPPED	Matched rule: Detects XORDDoS Author: ditekSHen
Source: /usr/bin/mtxpozvnco, type: DROPPED	Matched rule: Detects XORDDoS Author: ditekSHen
Source: /usr/bin/eiqbhbuvjy, type: DROPPED	Matched rule: Detects XORDDoS Author: ditekSHen
Source: /usr/bin/vdplvwquwd, type: DROPPED	Matched rule: Detects XORDDoS Author: ditekSHen
Source: /usr/bin/mbycomlghf, type: DROPPED	Matched rule: Detects XORDDoS Author: ditekSHen
Source: /usr/lib/libudev.so, type: DROPPED	Matched rule: Detects XORDDoS Author: ditekSHen
Source: /usr/bin/sqpwspsmaf, type: DROPPED	Matched rule: Detects XORDDoS Author: ditekSHen
Source: /usr/bin/ralgwrxppb, type: DROPPED	Matched rule: Detects XORDDoS Author: ditekSHen
Source: /usr/bin/ifkpwnmtjm, type: DROPPED	Matched rule: Detects XORDDoS Author: ditekSHen
Source: /usr/bin/wkuqobksgz, type: DROPPED	Matched rule: Detects XORDDoS Author: ditekSHen
Source: /usr/bin/cglyyshjyz, type: DROPPED	Matched rule: Detects XORDDoS Author: ditekSHen

Source: xor1.o, type: SAMPLE	Matched rule: MALWARE_Linux_XORDDoS author = ditekSHen, description = Detects XORDDoS
Source: 5226.1.000000001a887bdc.0000000047f81f2f.r-x.sdmp, type: MEMORY	Matched rule: MALWARE_Linux_XORDDoS author = ditekSHen, description = Detects XORDDoS
Source: 5362.1.000000001a887bdc.0000000047f81f2f.r-x.sdmp, type: MEMORY	Matched rule: MALWARE_Linux_XORDDoS author = ditekSHen, description = Detects XORDDoS
Source: 5483.1.000000001a887bdc.0000000047f81f2f.r-x.sdmp, type: MEMORY	Matched rule: MALWARE_Linux_XORDDoS author = ditekSHen, description = Detects XORDDoS
Source: 5498.1.000000001a887bdc.0000000047f81f2f.r-x.sdmp, type: MEMORY	Matched rule: MALWARE_Linux_XORDDoS author = ditekSHen, description = Detects XORDDoS
Source: 5322.1.000000001a887bdc.0000000047f81f2f.r-x.sdmp, type: MEMORY	Matched rule: MALWARE_Linux_XORDDoS author = ditekSHen, description = Detects XORDDoS
Source: 5415.1.000000001a887bdc.0000000047f81f2f.r-x.sdmp, type: MEMORY	Matched rule: MALWARE_Linux_XORDDoS author = ditekSHen, description = Detects XORDDoS
Source: 5507.1.000000001a887bdc.0000000047f81f2f.r-x.sdmp, type: MEMORY	Matched rule: MALWARE_Linux_XORDDoS author = ditekSHen, description = Detects XORDDoS
Source: 5518.1.000000001a887bdc.0000000047f81f2f.r-x.sdmp, type: MEMORY	Matched rule: MALWARE_Linux_XORDDoS author = ditekSHen, description = Detects XORDDoS
Source: 5430.1.000000001a887bdc.0000000047f81f2f.r-x.sdmp, type: MEMORY	Matched rule: MALWARE_Linux_XORDDoS author = ditekSHen, description = Detects XORDDoS
Source: 5342.1.000000001a887bdc.0000000047f81f2f.r-x.sdmp, type: MEMORY	Matched rule: MALWARE_Linux_XORDDoS author = ditekSHen, description = Detects XORDDoS
Source: 5444.1.000000001a887bdc.0000000047f81f2f.r-x.sdmp, type: MEMORY	Matched rule: MALWARE_Linux_XORDDoS author = ditekSHen, description = Detects XORDDoS
Source: 5427.1.000000001a887bdc.0000000047f81f2f.r-x.sdmp, type: MEMORY	Matched rule: MALWARE_Linux_XORDDoS author = ditekSHen, description = Detects XORDDoS
Source: 5263.1.000000001a887bdc.0000000047f81f2f.r-x.sdmp, type: MEMORY	Matched rule: MALWARE_Linux_XORDDoS author = ditekSHen, description = Detects XORDDoS
Source: 5466.1.000000001a887bdc.0000000047f81f2f.r-x.sdmp, type: MEMORY	Matched rule: MALWARE_Linux_XORDDoS author = ditekSHen, description = Detects XORDDoS
Source: 5334.1.000000001a887bdc.0000000047f81f2f.r-x.sdmp, type: MEMORY	Matched rule: MALWARE_Linux_XORDDoS author = ditekSHen, description = Detects XORDDoS
Source: 5530.1.000000001a887bdc.0000000047f81f2f.r-x.sdmp, type: MEMORY	Matched rule: MALWARE_Linux_XORDDoS author = ditekSHen, description = Detects XORDDoS
Source: 5449.1.000000001a887bdc.0000000047f81f2f.r-x.sdmp, type: MEMORY	Matched rule: MALWARE_Linux_XORDDoS author = ditekSHen, description = Detects XORDDoS
Source: 5291.1.000000001a887bdc.0000000047f81f2f.r-x.sdmp, type: MEMORY	Matched rule: MALWARE_Linux_XORDDoS author = ditekSHen, description = Detects XORDDoS
Source: 5486.1.000000001a887bdc.0000000047f81f2f.r-x.sdmp, type: MEMORY	Matched rule: MALWARE_Linux_XORDDoS author = ditekSHen, description = Detects XORDDoS
Source: 5372.1.000000001a887bdc.0000000047f81f2f.r-x.sdmp, type: MEMORY	Matched rule: MALWARE_Linux_XORDDoS author = ditekSHen, description = Detects XORDDoS
Source: 5407.1.000000001a887bdc.0000000047f81f2f.r-x.sdmp, type: MEMORY	Matched rule: MALWARE_Linux_XORDDoS author = ditekSHen, description = Detects XORDDoS
Source: 5554.1.000000001a887bdc.0000000047f81f2f.r-x.sdmp, type: MEMORY	Matched rule: MALWARE_Linux_XORDDoS author = ditekSHen, description = Detects XORDDoS
Source: 5224.1.000000001a887bdc.0000000047f81f2f.r-x.sdmp, type: MEMORY	Matched rule: MALWARE_Linux_XORDDoS author = ditekSHen, description = Detects XORDDoS
Source: 5538.1.000000001a887bdc.0000000047f81f2f.r-x.sdmp, type: MEMORY	Matched rule: MALWARE_Linux_XORDDoS author = ditekSHen, description = Detects XORDDoS
Source: 5410.1.000000001a887bdc.0000000047f81f2f.r-x.sdmp, type: MEMORY	Matched rule: MALWARE_Linux_XORDDoS author = ditekSHen, description = Detects XORDDoS
Source: 5489.1.000000001a887bdc.0000000047f81f2f.r-x.sdmp, type: MEMORY	Matched rule: MALWARE_Linux_XORDDoS author = ditekSHen, description = Detects XORDDoS
Source: 5320.1.000000001a887bdc.0000000047f81f2f.r-x.sdmp, type: MEMORY	Matched rule: MALWARE_Linux_XORDDoS author = ditekSHen, description = Detects XORDDoS
Source: 5360.1.000000001a887bdc.0000000047f81f2f.r-x.sdmp, type: MEMORY	Matched rule: MALWARE_Linux_XORDDoS author = ditekSHen, description = Detects XORDDoS
Source: 5398.1.000000001a887bdc.0000000047f81f2f.r-x.sdmp, type: MEMORY	Matched rule: MALWARE_Linux_XORDDoS author = ditekSHen, description = Detects XORDDoS
Source: 5516.1.000000001a887bdc.0000000047f81f2f.r-x.sdmp, type: MEMORY	Matched rule: MALWARE_Linux_XORDDoS author = ditekSHen, description = Detects XORDDoS
Source: 5380.1.000000001a887bdc.0000000047f81f2f.r-x.sdmp, type: MEMORY	Matched rule: MALWARE_Linux_XORDDoS author = ditekSHen, description = Detects XORDDoS
Source: 5513.1.000000001a887bdc.0000000047f81f2f.r-x.sdmp, type: MEMORY	Matched rule: MALWARE_Linux_XORDDoS author = ditekSHen, description = Detects XORDDoS
Source: 5481.1.000000001a887bdc.0000000047f81f2f.r-x.sdmp, type: MEMORY	Matched rule: MALWARE_Linux_XORDDoS author = ditekSHen, description = Detects XORDDoS
Source: 5451.1.000000001a887bdc.0000000047f81f2f.r-x.sdmp, type: MEMORY	Matched rule: MALWARE_Linux_XORDDoS author = ditekSHen, description = Detects XORDDoS
Source: 5471.1.000000001a887bdc.0000000047f81f2f.r-x.sdmp, type: MEMORY	Matched rule: MALWARE_Linux_XORDDoS author = ditekSHen, description = Detects XORDDoS
Source: 5478.1.000000001a887bdc.0000000047f81f2f.r-x.sdmp, type: MEMORY	Matched rule: MALWARE_Linux_XORDDoS author = ditekSHen, description = Detects XORDDoS
Source: 5541.1.000000001a887bdc.0000000047f81f2f.r-x.sdmp, type: MEMORY	Matched rule: MALWARE_Linux_XORDDoS author = ditekSHen, description = Detects XORDDoS
Source: 5468.1.000000001a887bdc.0000000047f81f2f.r-x.sdmp, type: MEMORY	Matched rule: MALWARE_Linux_XORDDoS author = ditekSHen, description = Detects XORDDoS
Source: 5284.1.000000001a887bdc.0000000047f81f2f.r-x.sdmp, type: MEMORY	Matched rule: MALWARE_Linux_XORDDoS author = ditekSHen, description = Detects XORDDoS
Source: 5535.1.000000001a887bdc.0000000047f81f2f.r-x.sdmp, type: MEMORY	Matched rule: MALWARE_Linux_XORDDoS author = ditekSHen, description = Detects XORDDoS
Source: 5401.1.000000001a887bdc.0000000047f81f2f.r-x.sdmp, type: MEMORY	Matched rule: MALWARE_Linux_XORDDoS author = ditekSHen, description = Detects XORDDoS
Source: 5311.1.000000001a887bdc.0000000047f81f2f.r-x.sdmp, type: MEMORY	Matched rule: MALWARE_Linux_XORDDoS author = ditekSHen, description = Detects XORDDoS
Source: 5270.1.000000001a887bdc.0000000047f81f2f.r-x.sdmp, type: MEMORY	Matched rule: MALWARE_Linux_XORDDoS author = ditekSHen, description = Detects XORDDoS
Source: 5351.1.000000001a887bdc.0000000047f81f2f.r-x.sdmp, type: MEMORY	Matched rule: MALWARE_Linux_XORDDoS author = ditekSHen, description = Detects XORDDoS
Source: 5495.1.000000001a887bdc.0000000047f81f2f.r-x.sdmp, type: MEMORY	Matched rule: MALWARE_Linux_XORDDoS author = ditekSHen, description = Detects XORDDoS
Source: 5447.1.000000001a887bdc.0000000047f81f2f.r-x.sdmp, type: MEMORY	Matched rule: MALWARE_Linux_XORDDoS author = ditekSHen, description = Detects XORDDoS
Source: 5266.1.000000001a887bdc.0000000047f81f2f.r-x.sdmp, type: MEMORY	Matched rule: MALWARE_Linux_XORDDoS author = ditekSHen, description = Detects XORDDoS
Source: 5393.1.000000001a887bdc.0000000047f81f2f.r-x.sdmp, type: MEMORY	Matched rule: MALWARE_Linux_XORDDoS author = ditekSHen, description = Detects XORDDoS
Source: 5503.1.000000001a887bdc.0000000047f81f2f.r-x.sdmp, type: MEMORY	Matched rule: MALWARE_Linux_XORDDoS author = ditekSHen, description = Detects XORDDoS
Source: 5461.1.000000001a887bdc.0000000047f81f2f.r-x.sdmp, type: MEMORY	Matched rule: MALWARE_Linux_XORDDoS author = ditekSHen, description = Detects XORDDoS
Source: 5281.1.000000001a887bdc.0000000047f81f2f.r-x.sdmp, type: MEMORY	Matched rule: MALWARE_Linux_XORDDoS author = ditekSHen, description = Detects XORDDoS
Source: 5328.1.000000001a887bdc.0000000047f81f2f.r-x.sdmp, type: MEMORY	Matched rule: MALWARE_Linux_XORDDoS author = ditekSHen, description = Detects XORDDoS
Source: 5268.1.000000001a887bdc.0000000047f81f2f.r-x.sdmp, type: MEMORY	Matched rule: MALWARE_Linux_XORDDoS author = ditekSHen, description = Detects XORDDoS
Source: 5525.1.000000001a887bdc.0000000047f81f2f.r-x.sdmp, type: MEMORY	Matched rule: MALWARE_Linux_XORDDoS author = ditekSHen, description = Detects XORDDoS
Source: 5339.1.000000001a887bdc.0000000047f81f2f.r-x.sdmp, type: MEMORY	Matched rule: MALWARE_Linux_XORDDoS author = ditekSHen, description = Detects XORDDoS
Source: 5500.1.000000001a887bdc.0000000047f81f2f.r-x.sdmp, type: MEMORY	Matched rule: MALWARE_Linux_XORDDoS author = ditekSHen, description = Detects XORDDoS
Source: 5337.1.000000001a887bdc.0000000047f81f2f.r-x.sdmp, type: MEMORY	Matched rule: MALWARE_Linux_XORDDoS author = ditekSHen, description = Detects XORDDoS
Source: 5424.1.000000001a887bdc.0000000047f81f2f.r-x.sdmp, type: MEMORY	Matched rule: MALWARE_Linux_XORDDoS author = ditekSHen, description = Detects XORDDoS
Source: 5300.1.000000001a887bdc.0000000047f81f2f.r-x.sdmp, type: MEMORY	Matched rule: MALWARE_Linux_XORDDoS author = ditekSHen, description = Detects XORDDoS
Source: 5390.1.000000001a887bdc.0000000047f81f2f.r-x.sdmp, type: MEMORY	Matched rule: MALWARE_Linux_XORDDoS author = ditekSHen, description = Detects XORDDoS
Source: 5521.1.000000001a887bdc.0000000047f81f2f.r-x.sdmp, type: MEMORY	Matched rule: MALWARE_Linux_XORDDoS author = ditekSHen, description = Detects XORDDoS
Source: 5273.1.000000001a887bdc.0000000047f81f2f.r-x.sdmp, type: MEMORY	Matched rule: MALWARE_Linux_XORDDoS author = ditekSHen, description = Detects XORDDoS
Source: 5551.1.000000001a887bdc.0000000047f81f2f.r-x.sdmp, type: MEMORY	Matched rule: MALWARE_Linux_XORDDoS author = ditekSHen, description = Detects XORDDoS
Source: 5369.1.000000001a887bdc.0000000047f81f2f.r-x.sdmp, type: MEMORY	Matched rule: MALWARE_Linux_XORDDoS author = ditekSHen, description = Detects XORDDoS
Source: 5354.1.000000001a887bdc.0000000047f81f2f.r-x.sdmp, type: MEMORY	Matched rule: MALWARE_Linux_XORDDoS author = ditekSHen, description = Detects XORDDoS
Source: 5356.1.000000001a887bdc.0000000047f81f2f.r-x.sdmp, type: MEMORY	Matched rule: MALWARE_Linux_XORDDoS author = ditekSHen, description = Detects XORDDoS
Source: 5305.1.000000001a887bdc.0000000047f81f2f.r-x.sdmp, type: MEMORY	Matched rule: MALWARE_Linux_XORDDoS author = ditekSHen, description = Detects XORDDoS
Source: 5413.1.000000001a887bdc.0000000047f81f2f.r-x.sdmp, type: MEMORY	Matched rule: MALWARE_Linux_XORDDoS author = ditekSHen, description = Detects XORDDoS
Source: 5344.1.000000001a887bdc.0000000047f81f2f.r-x.sdmp, type: MEMORY	Matched rule: MALWARE_Linux_XORDDoS author = ditekSHen, description = Detects XORDDoS
Source: 5377.1.000000001a887bdc.0000000047f81f2f.r-x.sdmp, type: MEMORY	Matched rule: MALWARE_Linux_XORDDoS author = ditekSHen, description = Detects XORDDoS
Source: 5418.1.000000001a887bdc.0000000047f81f2f.r-x.sdmp, type: MEMORY	Matched rule: MALWARE_Linux_XORDDoS author = ditekSHen, description = Detects XORDDoS
Source: 5533.1.000000001a887bdc.0000000047f81f2f.r-x.sdmp, type: MEMORY	Matched rule: MALWARE_Linux_XORDDoS author = ditekSHen, description = Detects XORDDoS
Source: 5548.1.000000001a887bdc.0000000047f81f2f.r-x.sdmp, type: MEMORY	Matched rule: MALWARE_Linux_XORDDoS author = ditekSHen, description = Detects XORDDoS
Source: 5395.1.000000001a887bdc.0000000047f81f2f.r-x.sdmp, type: MEMORY	Matched rule: MALWARE_Linux_XORDDoS author = ditekSHen, description = Detects XORDDoS
Source: 5317.1.000000001a887bdc.0000000047f81f2f.r-x.sdmp, type: MEMORY	Matched rule: MALWARE_Linux_XORDDoS author = ditekSHen, description = Detects XORDDoS
Source: 5435.1.000000001a887bdc.0000000047f81f2f.r-x.sdmp, type: MEMORY	Matched rule: MALWARE_Linux_XORDDoS author = ditekSHen, description = Detects XORDDoS
Source: 5464.1.000000001a887bdc.0000000047f81f2f.r-x.sdmp, type: MEMORY	Matched rule: MALWARE_Linux_XORDDoS author = ditekSHen, description = Detects XORDDoS
Source: 5375.1.000000001a887bdc.0000000047f81f2f.r-x.sdmp, type: MEMORY	Matched rule: MALWARE_Linux_XORDDoS author = ditekSHen, description = Detects XORDDoS
Source: 5432.1.000000001a887bdc.0000000047f81f2f.r-x.sdmp, type: MEMORY	Matched rule: MALWARE_Linux_XORDDoS author = ditekSHen, description = Detects XORDDoS
Source: 5441.1.000000001a887bdc.0000000047f81f2f.r-x.sdmp, type: MEMORY	Matched rule: MALWARE_Linux_XORDDoS author = ditekSHen, description = Detects XORDDoS
Source: 5227.1.000000001a887bdc.0000000047f81f2f.r-x.sdmp, type: MEMORY	Matched rule: MALWARE_Linux_XORDDoS author = ditekSHen, description = Detects XORDDoS
Source: 5309.1.000000001a887bdc.0000000047f81f2f.r-x.sdmp, type: MEMORY	Matched rule: MALWARE_Linux_XORDDoS author = ditekSHen, description = Detects XORDDoS
Source: 5228.1.000000001a887bdc.0000000047f81f2f.r-x.sdmp, type: MEMORY	Matched rule: MALWARE_Linux_XORDDoS author = ditekSHen, description = Detects XORDDoS
Source: 5289.1.000000001a887bdc.0000000047f81f2f.r-x.sdmp, type: MEMORY	Matched rule: MALWARE_Linux_XORDDoS author = ditekSHen, description = Detects XORDDoS
Source: 5303.1.000000001a887bdc.0000000047f81f2f.r-x.sdmp, type: MEMORY	Matched rule: MALWARE_Linux_XORDDoS author = ditekSHen, description = Detects XORDDoS
Source: 5325.1.000000001a887bdc.0000000047f81f2f.r-x.sdmp, type: MEMORY	Matched rule: MALWARE_Linux_XORDDoS author = ditekSHen, description = Detects XORDDoS
Source: 5286.1.000000001a887bdc.0000000047f81f2f.r-x.sdmp, type: MEMORY	Matched rule: MALWARE_Linux_XORDDoS author = ditekSHen, description = Detects XORDDoS
Source: /usr/bin/jwkufnauiy, type: DROPPED	Matched rule: MALWARE_Linux_XORDDoS author = ditekSHen, description = Detects XORDDoS
Source: /usr/bin/iqmzdzzagu, type: DROPPED	Matched rule: MALWARE_Linux_XORDDoS author = ditekSHen, description = Detects XORDDoS
Source: /usr/bin/jnoxdslvzn, type: DROPPED	Matched rule: MALWARE_Linux_XORDDoS author = ditekSHen, description = Detects XORDDoS
Source: /usr/bin/uvefoplmkt, type: DROPPED	Matched rule: MALWARE_Linux_XORDDoS author = ditekSHen, description = Detects XORDDoS
Source: /usr/bin/dupayarwpd, type: DROPPED	Matched rule: MALWARE_Linux_XORDDoS author = ditekSHen, description = Detects XORDDoS
Source: /usr/bin/mtxpozvnco, type: DROPPED	Matched rule: MALWARE_Linux_XORDDoS author = ditekSHen, description = Detects XORDDoS
Source: /usr/bin/eiqbhbuvjy, type: DROPPED	Matched rule: MALWARE_Linux_XORDDoS author = ditekSHen, description = Detects XORDDoS
Source: /usr/bin/vdplvwquwd, type: DROPPED	Matched rule: MALWARE_Linux_XORDDoS author = ditekSHen, description = Detects XORDDoS
Source: /usr/bin/mbycomlghf, type: DROPPED	Matched rule: MALWARE_Linux_XORDDoS author = ditekSHen, description = Detects XORDDoS
Source: /usr/lib/libudev.so, type: DROPPED	Matched rule: MALWARE_Linux_XORDDoS author = ditekSHen, description = Detects XORDDoS
Source: /usr/bin/sqpwspsmaf, type: DROPPED	Matched rule: MALWARE_Linux_XORDDoS author = ditekSHen, description = Detects XORDDoS
Source: /usr/bin/ralgwrxppb, type: DROPPED	Matched rule: MALWARE_Linux_XORDDoS author = ditekSHen, description = Detects XORDDoS
Source: /usr/bin/ifkpwnmtjm, type: DROPPED	Matched rule: MALWARE_Linux_XORDDoS author = ditekSHen, description = Detects XORDDoS
Source: /usr/bin/wkuqobksgz, type: DROPPED	Matched rule: MALWARE_Linux_XORDDoS author = ditekSHen, description = Detects XORDDoS
Source: /usr/bin/cglyyshjyz, type: DROPPED	Matched rule: MALWARE_Linux_XORDDoS author = ditekSHen, description = Detects XORDDoS

Source: ELF static info symbol of initial sample

.symtab present: no

Source: classification engine

Classification label: mal96.troj.evad.linO@0/21@6/0

Source: /tmp/xor1.o (PID: 5225)

/run/gcc.pid: uctzkuzmdwqthbcjmllhhcbjbblmxnjr

Jump to behavior

Persistence and Installation Behavior

Sample tries to persist itself using System V runlevels

Source: /tmp/xor1.o (PID: 5225)	File: /etc/rc1.d/S90xor1.o -> /etc/init.d/xor1.o	Jump to behavior
Source: /tmp/xor1.o (PID: 5225)	File: /etc/rc2.d/S90xor1.o -> /etc/init.d/xor1.o	Jump to behavior
Source: /tmp/xor1.o (PID: 5225)	File: /etc/rc3.d/S90xor1.o -> /etc/init.d/xor1.o	Jump to behavior
Source: /tmp/xor1.o (PID: 5225)	File: /etc/rc4.d/S90xor1.o -> /etc/init.d/xor1.o	Jump to behavior
Source: /tmp/xor1.o (PID: 5225)	File: /etc/rc5.d/S90xor1.o -> /etc/init.d/xor1.o	Jump to behavior
Source: /tmp/xor1.o (PID: 5225)	File: /etc/rc.d/rc1.d/S90xor1.o -> /etc/init.d/xor1.o	Jump to behavior
Source: /tmp/xor1.o (PID: 5225)	File: /etc/rc.d/rc2.d/S90xor1.o -> /etc/init.d/xor1.o	Jump to behavior
Source: /tmp/xor1.o (PID: 5225)	File: /etc/rc.d/rc3.d/S90xor1.o -> /etc/init.d/xor1.o	Jump to behavior
Source: /tmp/xor1.o (PID: 5225)	File: /etc/rc.d/rc4.d/S90xor1.o -> /etc/init.d/xor1.o	Jump to behavior
Source: /tmp/xor1.o (PID: 5225)	File: /etc/rc.d/rc5.d/S90xor1.o -> /etc/init.d/xor1.o	Jump to behavior

Sample tries to persist itself using cron

Source: /tmp/xor1.o (PID: 5225)	File: /etc/cron.hourly/gcc.sh	Jump to behavior
Source: /bin/sh (PID: 5230)	File: /etc/crontab	Jump to behavior
Source: /bin/sed (PID: 5231)	File: /etc/crontab	Jump to behavior

Source: /tmp/xor1.o (PID: 5225)	File written: /usr/lib/libudev.so	Jump to dropped file
Source: /tmp/xor1.o (PID: 5225)	File written: /usr/bin/mbycomlghf	Jump to dropped file
Source: /tmp/xor1.o (PID: 5225)	File written: /usr/bin/wkuqobksgz	Jump to dropped file
Source: /tmp/xor1.o (PID: 5225)	File written: /usr/bin/cglyyshjyz	Jump to dropped file
Source: /tmp/xor1.o (PID: 5225)	File written: /usr/bin/iqmzdzzagu	Jump to dropped file
Source: /tmp/xor1.o (PID: 5225)	File written: /usr/bin/ifkpwnmtjm	Jump to dropped file
Source: /tmp/xor1.o (PID: 5225)	File written: /usr/bin/jnoxdslvzn	Jump to dropped file
Source: /tmp/xor1.o (PID: 5225)	File written: /usr/bin/vdplvwquwd	Jump to dropped file
Source: /tmp/xor1.o (PID: 5225)	File written: /usr/bin/ralgwrxppb	Jump to dropped file
Source: /tmp/xor1.o (PID: 5225)	File written: /usr/bin/eiqbhbuvjy	Jump to dropped file
Source: /tmp/xor1.o (PID: 5225)	File written: /usr/bin/jwkufnauiy	Jump to dropped file
Source: /tmp/xor1.o (PID: 5225)	File written: /usr/bin/dupayarwpd	Jump to dropped file
Source: /tmp/xor1.o (PID: 5225)	File written: /usr/bin/sqpwspsmaf	Jump to dropped file
Source: /tmp/xor1.o (PID: 5225)	File written: /usr/bin/mtxpozvnco	Jump to dropped file
Source: /tmp/xor1.o (PID: 5225)	File written: /usr/bin/uvefoplmkt	Jump to dropped file
Source: /tmp/xor1.o (PID: 5225)	File written: /usr/bin/wftusxulhl	Jump to dropped file

Source: /tmp/xor1.o (PID: 5225)

Shell script file created: /etc/cron.hourly/gcc.sh

Jump to dropped file

Source: /tmp/xor1.o (PID: 5225)	Reads from proc file: /proc/stat	Jump to behavior
Source: /tmp/xor1.o (PID: 5225)	Reads from proc file: /proc/meminfo	Jump to behavior
Source: /tmp/xor1.o (PID: 5225)	Reads from proc file: /proc/cpuinfo	Jump to behavior

Source: /sbin/update-rc.d (PID: 5235)

Systemctl executable: /bin/systemctl -> systemctl daemon-reload

Jump to behavior

Source: /tmp/xor1.o (PID: 5230)

Shell command executed: sh -c "sed -i '/\\/etc\\/cron.hourly\\/gcc.sh/d' /etc/crontab && echo '*/3 * * * * root /etc/cron.hourly/gcc.sh' >> /etc/crontab"

Jump to behavior

Source: /tmp/xor1.o (PID: 5225)

Writes shell script file to disk with an unusual file extension: /etc/init.d/xor1.o

Jump to dropped file

Hooking and other Techniques for Hiding and Protection

Drops files in suspicious directories

Source: /tmp/xor1.o (PID: 5225)	File: /etc/init.d/xor1.o	Jump to dropped file
Source: /tmp/xor1.o (PID: 5225)	File: /usr/bin/mbycomlghf	Jump to dropped file
Source: /tmp/xor1.o (PID: 5225)	File: /usr/bin/wkuqobksgz	Jump to dropped file
Source: /tmp/xor1.o (PID: 5225)	File: /usr/bin/cglyyshjyz	Jump to dropped file
Source: /tmp/xor1.o (PID: 5225)	File: /usr/bin/iqmzdzzagu	Jump to dropped file
Source: /tmp/xor1.o (PID: 5225)	File: /usr/bin/ifkpwnmtjm	Jump to dropped file
Source: /tmp/xor1.o (PID: 5225)	File: /usr/bin/jnoxdslvzn	Jump to dropped file
Source: /tmp/xor1.o (PID: 5225)	File: /usr/bin/vdplvwquwd	Jump to dropped file
Source: /tmp/xor1.o (PID: 5225)	File: /usr/bin/ralgwrxppb	Jump to dropped file
Source: /tmp/xor1.o (PID: 5225)	File: /usr/bin/eiqbhbuvjy	Jump to dropped file
Source: /tmp/xor1.o (PID: 5225)	File: /usr/bin/jwkufnauiy	Jump to dropped file
Source: /tmp/xor1.o (PID: 5225)	File: /usr/bin/dupayarwpd	Jump to dropped file
Source: /tmp/xor1.o (PID: 5225)	File: /usr/bin/sqpwspsmaf	Jump to dropped file
Source: /tmp/xor1.o (PID: 5225)	File: /usr/bin/mtxpozvnco	Jump to dropped file
Source: /tmp/xor1.o (PID: 5225)	File: /usr/bin/uvefoplmkt	Jump to dropped file
Source: /tmp/xor1.o (PID: 5225)	File: /usr/bin/wftusxulhl	Jump to dropped file

Sample deletes itself

Source: /tmp/xor1.o (PID: 5225)	File: /usr/bin/mbycomlghf	Jump to behavior
Source: /tmp/xor1.o (PID: 5225)	File: /usr/bin/wkuqobksgz	Jump to behavior
Source: /tmp/xor1.o (PID: 5225)	File: /usr/bin/cglyyshjyz	Jump to behavior
Source: /tmp/xor1.o (PID: 5225)	File: /usr/bin/iqmzdzzagu	Jump to behavior
Source: /tmp/xor1.o (PID: 5225)	File: /usr/bin/ifkpwnmtjm	Jump to behavior
Source: /tmp/xor1.o (PID: 5225)	File: /usr/bin/jnoxdslvzn	Jump to behavior
Source: /tmp/xor1.o (PID: 5225)	File: /usr/bin/vdplvwquwd	Jump to behavior
Source: /tmp/xor1.o (PID: 5225)	File: /usr/bin/ralgwrxppb	Jump to behavior
Source: /tmp/xor1.o (PID: 5225)	File: /usr/bin/eiqbhbuvjy	Jump to behavior
Source: /tmp/xor1.o (PID: 5225)	File: /usr/bin/jwkufnauiy	Jump to behavior
Source: /tmp/xor1.o (PID: 5225)	File: /usr/bin/dupayarwpd	Jump to behavior
Source: /tmp/xor1.o (PID: 5225)	File: /usr/bin/sqpwspsmaf	Jump to behavior
Source: /tmp/xor1.o (PID: 5225)	File: /usr/bin/mtxpozvnco	Jump to behavior
Source: /tmp/xor1.o (PID: 5225)	File: /usr/bin/uvefoplmkt	Jump to behavior
Source: /tmp/xor1.o (PID: 5225)	File: /usr/bin/wftusxulhl	Jump to behavior
Source: /tmp/xor1.o (PID: 5225)	File: /usr/bin/whjuunzbrd	Jump to behavior
Source: /tmp/xor1.o (PID: 5225)	File: /usr/bin/ljtvmuptjr	Jump to behavior
Source: /tmp/xor1.o (PID: 5225)	File: /usr/bin/ignsgczdve	Jump to behavior
Source: /tmp/xor1.o (PID: 5225)	File: /usr/bin/pblqlvjegj	Jump to behavior
Source: /tmp/xor1.o (PID: 5225)	File: /usr/bin/iucjpzjgvn	Jump to behavior
Source: /usr/bin/mbycomlghf (PID: 5265)	File: /usr/bin/mbycomlghf	Jump to behavior
Source: /usr/bin/mbycomlghf (PID: 5272)	File: /usr/bin/mbycomlghf	Jump to behavior
Source: /usr/bin/mbycomlghf (PID: 5274)	File: /usr/bin/mbycomlghf	Jump to behavior
Source: /usr/bin/mbycomlghf (PID: 5276)	File: /usr/bin/mbycomlghf	Jump to behavior
Source: /usr/bin/mbycomlghf (PID: 5277)	File: /usr/bin/mbycomlghf	Jump to behavior
Source: /usr/bin/wkuqobksgz (PID: 5283)	File: /usr/bin/wkuqobksgz	Jump to behavior
Source: /usr/bin/wkuqobksgz (PID: 5288)	File: /usr/bin/wkuqobksgz	Jump to behavior
Source: /usr/bin/wkuqobksgz (PID: 5293)	File: /usr/bin/wkuqobksgz	Jump to behavior
Source: /usr/bin/wkuqobksgz (PID: 5296)	File: /usr/bin/wkuqobksgz	Jump to behavior
Source: /usr/bin/wkuqobksgz (PID: 5297)	File: /usr/bin/wkuqobksgz	Jump to behavior
Source: /usr/bin/cglyyshjyz (PID: 5302)	File: /usr/bin/cglyyshjyz	Jump to behavior
Source: /usr/bin/cglyyshjyz (PID: 5307)	File: /usr/bin/cglyyshjyz	Jump to behavior
Source: /usr/bin/cglyyshjyz (PID: 5308)	File: /usr/bin/cglyyshjyz	Jump to behavior
Source: /usr/bin/cglyyshjyz (PID: 5313)	File: /usr/bin/cglyyshjyz	Jump to behavior
Source: /usr/bin/cglyyshjyz (PID: 5314)	File: /usr/bin/cglyyshjyz	Jump to behavior
Source: /usr/bin/iqmzdzzagu (PID: 5319)	File: /usr/bin/iqmzdzzagu	Jump to behavior
Source: /usr/bin/iqmzdzzagu (PID: 5324)	File: /usr/bin/iqmzdzzagu	Jump to behavior
Source: /usr/bin/iqmzdzzagu (PID: 5327)	File: /usr/bin/iqmzdzzagu	Jump to behavior
Source: /usr/bin/iqmzdzzagu (PID: 5330)	File: /usr/bin/iqmzdzzagu	Jump to behavior
Source: /usr/bin/iqmzdzzagu (PID: 5331)	File: /usr/bin/iqmzdzzagu	Jump to behavior
Source: /usr/bin/ifkpwnmtjm (PID: 5336)	File: /usr/bin/ifkpwnmtjm	Jump to behavior
Source: /usr/bin/ifkpwnmtjm (PID: 5341)	File: /usr/bin/ifkpwnmtjm	Jump to behavior
Source: /usr/bin/ifkpwnmtjm (PID: 5346)	File: /usr/bin/ifkpwnmtjm	Jump to behavior
Source: /usr/bin/ifkpwnmtjm (PID: 5347)	File: /usr/bin/ifkpwnmtjm	Jump to behavior
Source: /usr/bin/ifkpwnmtjm (PID: 5348)	File: /usr/bin/ifkpwnmtjm	Jump to behavior
Source: /usr/bin/jnoxdslvzn (PID: 5353)	File: /usr/bin/jnoxdslvzn	Jump to behavior
Source: /usr/bin/jnoxdslvzn (PID: 5358)	File: /usr/bin/jnoxdslvzn	Jump to behavior
Source: /usr/bin/jnoxdslvzn (PID: 5359)	File: /usr/bin/jnoxdslvzn	Jump to behavior
Source: /usr/bin/jnoxdslvzn (PID: 5364)	File: /usr/bin/jnoxdslvzn	Jump to behavior
Source: /usr/bin/jnoxdslvzn (PID: 5365)	File: /usr/bin/jnoxdslvzn	Jump to behavior
Source: /usr/bin/vdplvwquwd (PID: 5371)	File: /usr/bin/vdplvwquwd	Jump to behavior
Source: /usr/bin/vdplvwquwd (PID: 5374)	File: /usr/bin/vdplvwquwd	Jump to behavior
Source: /usr/bin/vdplvwquwd (PID: 5379)	File: /usr/bin/vdplvwquwd	Jump to behavior
Source: /usr/bin/vdplvwquwd (PID: 5382)	File: /usr/bin/vdplvwquwd	Jump to behavior
Source: /usr/bin/vdplvwquwd (PID: 5385)	File: /usr/bin/vdplvwquwd	Jump to behavior
Source: /usr/bin/ralgwrxppb (PID: 5392)	File: /usr/bin/ralgwrxppb	Jump to behavior
Source: /usr/bin/ralgwrxppb (PID: 5397)	File: /usr/bin/ralgwrxppb	Jump to behavior
Source: /usr/bin/ralgwrxppb (PID: 5400)	File: /usr/bin/ralgwrxppb	Jump to behavior
Source: /usr/bin/ralgwrxppb (PID: 5403)	File: /usr/bin/ralgwrxppb	Jump to behavior
Source: /usr/bin/ralgwrxppb (PID: 5404)	File: /usr/bin/ralgwrxppb	Jump to behavior
Source: /usr/bin/eiqbhbuvjy (PID: 5409)	File: /usr/bin/eiqbhbuvjy	Jump to behavior
Source: /usr/bin/eiqbhbuvjy (PID: 5412)	File: /usr/bin/eiqbhbuvjy	Jump to behavior
Source: /usr/bin/eiqbhbuvjy (PID: 5417)	File: /usr/bin/eiqbhbuvjy	Jump to behavior
Source: /usr/bin/eiqbhbuvjy (PID: 5420)	File: /usr/bin/eiqbhbuvjy	Jump to behavior
Source: /usr/bin/eiqbhbuvjy (PID: 5421)	File: /usr/bin/eiqbhbuvjy	Jump to behavior
Source: /usr/bin/jwkufnauiy (PID: 5426)	File: /usr/bin/jwkufnauiy	Jump to behavior
Source: /usr/bin/jwkufnauiy (PID: 5429)	File: /usr/bin/jwkufnauiy	Jump to behavior
Source: /usr/bin/jwkufnauiy (PID: 5434)	File: /usr/bin/jwkufnauiy	Jump to behavior
Source: /usr/bin/jwkufnauiy (PID: 5437)	File: /usr/bin/jwkufnauiy	Jump to behavior
Source: /usr/bin/jwkufnauiy (PID: 5438)	File: /usr/bin/jwkufnauiy	Jump to behavior
Source: /usr/bin/dupayarwpd (PID: 5443)	File: /usr/bin/dupayarwpd	Jump to behavior
Source: /usr/bin/dupayarwpd (PID: 5446)	File: /usr/bin/dupayarwpd	Jump to behavior
Source: /usr/bin/dupayarwpd (PID: 5452)	File: /usr/bin/dupayarwpd	Jump to behavior
Source: /usr/bin/dupayarwpd (PID: 5454)	File: /usr/bin/dupayarwpd	Jump to behavior
Source: /usr/bin/dupayarwpd (PID: 5455)	File: /usr/bin/dupayarwpd	Jump to behavior
Source: /usr/bin/sqpwspsmaf (PID: 5463)	File: /usr/bin/sqpwspsmaf	Jump to behavior
Source: /usr/bin/sqpwspsmaf (PID: 5469)	File: /usr/bin/sqpwspsmaf	Jump to behavior
Source: /usr/bin/sqpwspsmaf (PID: 5473)	File: /usr/bin/sqpwspsmaf	Jump to behavior
Source: /usr/bin/sqpwspsmaf (PID: 5474)	File: /usr/bin/sqpwspsmaf	Jump to behavior
Source: /usr/bin/sqpwspsmaf (PID: 5475)	File: /usr/bin/sqpwspsmaf	Jump to behavior
Source: /usr/bin/mtxpozvnco (PID: 5480)	File: /usr/bin/mtxpozvnco	Jump to behavior
Source: /usr/bin/mtxpozvnco (PID: 5484)	File: /usr/bin/mtxpozvnco	Jump to behavior
Source: /usr/bin/mtxpozvnco (PID: 5488)	File: /usr/bin/mtxpozvnco	Jump to behavior
Source: /usr/bin/mtxpozvnco (PID: 5491)	File: /usr/bin/mtxpozvnco	Jump to behavior
Source: /usr/bin/mtxpozvnco (PID: 5492)	File: /usr/bin/mtxpozvnco	Jump to behavior
Source: /usr/bin/uvefoplmkt (PID: 5497)	File: /usr/bin/uvefoplmkt	Jump to behavior
Source: /usr/bin/uvefoplmkt (PID: 5502)	File: /usr/bin/uvefoplmkt	Jump to behavior
Source: /usr/bin/uvefoplmkt (PID: 5505)	File: /usr/bin/uvefoplmkt	Jump to behavior
Source: /usr/bin/uvefoplmkt (PID: 5506)	File: /usr/bin/uvefoplmkt	Jump to behavior
Source: /usr/bin/uvefoplmkt (PID: 5509)	File: /usr/bin/uvefoplmkt	Jump to behavior
Source: /usr/bin/wftusxulhl (PID: 5515)	File: /usr/bin/wftusxulhl	Jump to behavior
Source: /usr/bin/wftusxulhl (PID: 5520)	File: /usr/bin/wftusxulhl	Jump to behavior
Source: /usr/bin/wftusxulhl (PID: 5523)	File: /usr/bin/wftusxulhl	Jump to behavior
Source: /usr/bin/wftusxulhl (PID: 5524)	File: /usr/bin/wftusxulhl	Jump to behavior
Source: /usr/bin/wftusxulhl (PID: 5527)	File: /usr/bin/wftusxulhl	Jump to behavior
Source: /usr/bin/whjuunzbrd (PID: 5532)	File: /usr/bin/whjuunzbrd	Jump to behavior
Source: /usr/bin/whjuunzbrd (PID: 5537)	File: /usr/bin/whjuunzbrd	Jump to behavior
Source: /usr/bin/whjuunzbrd (PID: 5540)	File: /usr/bin/whjuunzbrd	Jump to behavior
Source: /usr/bin/whjuunzbrd (PID: 5543)	File: /usr/bin/whjuunzbrd	Jump to behavior
Source: /usr/bin/whjuunzbrd (PID: 5546)	File: /usr/bin/whjuunzbrd	Jump to behavior
Source: /usr/bin/ljtvmuptjr (PID: 5550)	File: /usr/bin/ljtvmuptjr	Jump to behavior
Source: /usr/bin/ljtvmuptjr (PID: 5553)	File: /usr/bin/ljtvmuptjr	Jump to behavior
Source: /usr/bin/ljtvmuptjr (PID: 5560)	File: /usr/bin/ljtvmuptjr	Jump to behavior
Source: /usr/bin/ljtvmuptjr (PID: 5563)	File: /usr/bin/ljtvmuptjr	Jump to behavior
Source: /usr/bin/ljtvmuptjr (PID: 5564)	File: /usr/bin/ljtvmuptjr	Jump to behavior
Source: /usr/bin/ignsgczdve (PID: 5575)	File: /usr/bin/ignsgczdve	Jump to behavior
Source: /usr/bin/ignsgczdve (PID: 5578)	File: /usr/bin/ignsgczdve	Jump to behavior
Source: /usr/bin/ignsgczdve (PID: 5581)	File: /usr/bin/ignsgczdve	Jump to behavior
Source: /usr/bin/ignsgczdve (PID: 5582)	File: /usr/bin/ignsgczdve	Jump to behavior
Source: /usr/bin/ignsgczdve (PID: 5583)	File: /usr/bin/ignsgczdve	Jump to behavior
Source: /usr/bin/pblqlvjegj (PID: 5592)	File: /usr/bin/pblqlvjegj	Jump to behavior
Source: /usr/bin/pblqlvjegj (PID: 5595)	File: /usr/bin/pblqlvjegj	Jump to behavior
Source: /usr/bin/pblqlvjegj (PID: 5598)	File: /usr/bin/pblqlvjegj	Jump to behavior
Source: /usr/bin/pblqlvjegj (PID: 5599)	File: /usr/bin/pblqlvjegj	Jump to behavior
Source: /usr/bin/pblqlvjegj (PID: 5600)	File: /usr/bin/pblqlvjegj	Jump to behavior

Source: /tmp/xor1.o (PID: 5225)	Path: /etc/cron.hourly/gcc.sh			Jump to dropped file
Source: /tmp/xor1.o (PID: 5225)	Path: /run/gcc.pid			Jump to dropped file

Source: /tmp/xor1.o (PID: 5224)	Queries kernel information via 'uname':	Jump to behavior
Source: /tmp/xor1.o (PID: 5225)	Queries kernel information via 'uname':	Jump to behavior
Source: /usr/bin/mbycomlghf (PID: 5264)	Queries kernel information via 'uname':	Jump to behavior
Source: /usr/bin/mbycomlghf (PID: 5267)	Queries kernel information via 'uname':	Jump to behavior
Source: /usr/bin/mbycomlghf (PID: 5269)	Queries kernel information via 'uname':	Jump to behavior
Source: /usr/bin/mbycomlghf (PID: 5271)	Queries kernel information via 'uname':	Jump to behavior
Source: /usr/bin/mbycomlghf (PID: 5275)	Queries kernel information via 'uname':	Jump to behavior
Source: /usr/bin/wkuqobksgz (PID: 5282)	Queries kernel information via 'uname':	Jump to behavior
Source: /usr/bin/wkuqobksgz (PID: 5285)	Queries kernel information via 'uname':	Jump to behavior
Source: /usr/bin/wkuqobksgz (PID: 5287)	Queries kernel information via 'uname':	Jump to behavior
Source: /usr/bin/wkuqobksgz (PID: 5290)	Queries kernel information via 'uname':	Jump to behavior
Source: /usr/bin/wkuqobksgz (PID: 5292)	Queries kernel information via 'uname':	Jump to behavior
Source: /usr/bin/cglyyshjyz (PID: 5301)	Queries kernel information via 'uname':	Jump to behavior
Source: /usr/bin/cglyyshjyz (PID: 5304)	Queries kernel information via 'uname':	Jump to behavior
Source: /usr/bin/cglyyshjyz (PID: 5306)	Queries kernel information via 'uname':	Jump to behavior
Source: /usr/bin/cglyyshjyz (PID: 5310)	Queries kernel information via 'uname':	Jump to behavior
Source: /usr/bin/cglyyshjyz (PID: 5312)	Queries kernel information via 'uname':	Jump to behavior
Source: /usr/bin/iqmzdzzagu (PID: 5318)	Queries kernel information via 'uname':	Jump to behavior
Source: /usr/bin/iqmzdzzagu (PID: 5321)	Queries kernel information via 'uname':	Jump to behavior
Source: /usr/bin/iqmzdzzagu (PID: 5323)	Queries kernel information via 'uname':	Jump to behavior
Source: /usr/bin/iqmzdzzagu (PID: 5326)	Queries kernel information via 'uname':	Jump to behavior
Source: /usr/bin/iqmzdzzagu (PID: 5329)	Queries kernel information via 'uname':	Jump to behavior
Source: /usr/bin/ifkpwnmtjm (PID: 5335)	Queries kernel information via 'uname':	Jump to behavior
Source: /usr/bin/ifkpwnmtjm (PID: 5338)	Queries kernel information via 'uname':	Jump to behavior
Source: /usr/bin/ifkpwnmtjm (PID: 5340)	Queries kernel information via 'uname':	Jump to behavior
Source: /usr/bin/ifkpwnmtjm (PID: 5343)	Queries kernel information via 'uname':	Jump to behavior
Source: /usr/bin/ifkpwnmtjm (PID: 5345)	Queries kernel information via 'uname':	Jump to behavior
Source: /usr/bin/jnoxdslvzn (PID: 5352)	Queries kernel information via 'uname':	Jump to behavior
Source: /usr/bin/jnoxdslvzn (PID: 5355)	Queries kernel information via 'uname':	Jump to behavior
Source: /usr/bin/jnoxdslvzn (PID: 5357)	Queries kernel information via 'uname':	Jump to behavior
Source: /usr/bin/jnoxdslvzn (PID: 5361)	Queries kernel information via 'uname':	Jump to behavior
Source: /usr/bin/jnoxdslvzn (PID: 5363)	Queries kernel information via 'uname':	Jump to behavior
Source: /usr/bin/vdplvwquwd (PID: 5370)	Queries kernel information via 'uname':	Jump to behavior
Source: /usr/bin/vdplvwquwd (PID: 5373)	Queries kernel information via 'uname':	Jump to behavior
Source: /usr/bin/vdplvwquwd (PID: 5376)	Queries kernel information via 'uname':	Jump to behavior
Source: /usr/bin/vdplvwquwd (PID: 5378)	Queries kernel information via 'uname':	Jump to behavior
Source: /usr/bin/vdplvwquwd (PID: 5381)	Queries kernel information via 'uname':	Jump to behavior
Source: /usr/bin/ralgwrxppb (PID: 5391)	Queries kernel information via 'uname':	Jump to behavior
Source: /usr/bin/ralgwrxppb (PID: 5394)	Queries kernel information via 'uname':	Jump to behavior
Source: /usr/bin/ralgwrxppb (PID: 5396)	Queries kernel information via 'uname':	Jump to behavior
Source: /usr/bin/ralgwrxppb (PID: 5399)	Queries kernel information via 'uname':	Jump to behavior
Source: /usr/bin/ralgwrxppb (PID: 5402)	Queries kernel information via 'uname':	Jump to behavior
Source: /usr/bin/eiqbhbuvjy (PID: 5408)	Queries kernel information via 'uname':	Jump to behavior
Source: /usr/bin/eiqbhbuvjy (PID: 5411)	Queries kernel information via 'uname':	Jump to behavior
Source: /usr/bin/eiqbhbuvjy (PID: 5414)	Queries kernel information via 'uname':	Jump to behavior
Source: /usr/bin/eiqbhbuvjy (PID: 5416)	Queries kernel information via 'uname':	Jump to behavior
Source: /usr/bin/eiqbhbuvjy (PID: 5419)	Queries kernel information via 'uname':	Jump to behavior
Source: /usr/bin/jwkufnauiy (PID: 5425)	Queries kernel information via 'uname':	Jump to behavior
Source: /usr/bin/jwkufnauiy (PID: 5428)	Queries kernel information via 'uname':	Jump to behavior
Source: /usr/bin/jwkufnauiy (PID: 5431)	Queries kernel information via 'uname':	Jump to behavior
Source: /usr/bin/jwkufnauiy (PID: 5433)	Queries kernel information via 'uname':	Jump to behavior
Source: /usr/bin/jwkufnauiy (PID: 5436)	Queries kernel information via 'uname':	Jump to behavior
Source: /usr/bin/dupayarwpd (PID: 5442)	Queries kernel information via 'uname':	Jump to behavior
Source: /usr/bin/dupayarwpd (PID: 5445)	Queries kernel information via 'uname':	Jump to behavior
Source: /usr/bin/dupayarwpd (PID: 5448)	Queries kernel information via 'uname':	Jump to behavior
Source: /usr/bin/dupayarwpd (PID: 5450)	Queries kernel information via 'uname':	Jump to behavior
Source: /usr/bin/dupayarwpd (PID: 5453)	Queries kernel information via 'uname':	Jump to behavior
Source: /usr/bin/sqpwspsmaf (PID: 5462)	Queries kernel information via 'uname':	Jump to behavior
Source: /usr/bin/sqpwspsmaf (PID: 5465)	Queries kernel information via 'uname':	Jump to behavior
Source: /usr/bin/sqpwspsmaf (PID: 5467)	Queries kernel information via 'uname':	Jump to behavior
Source: /usr/bin/sqpwspsmaf (PID: 5470)	Queries kernel information via 'uname':	Jump to behavior
Source: /usr/bin/sqpwspsmaf (PID: 5472)	Queries kernel information via 'uname':	Jump to behavior
Source: /usr/bin/mtxpozvnco (PID: 5479)	Queries kernel information via 'uname':	Jump to behavior
Source: /usr/bin/mtxpozvnco (PID: 5482)	Queries kernel information via 'uname':	Jump to behavior
Source: /usr/bin/mtxpozvnco (PID: 5485)	Queries kernel information via 'uname':	Jump to behavior
Source: /usr/bin/mtxpozvnco (PID: 5487)	Queries kernel information via 'uname':	Jump to behavior
Source: /usr/bin/mtxpozvnco (PID: 5490)	Queries kernel information via 'uname':	Jump to behavior
Source: /usr/bin/uvefoplmkt (PID: 5496)	Queries kernel information via 'uname':	Jump to behavior
Source: /usr/bin/uvefoplmkt (PID: 5499)	Queries kernel information via 'uname':	Jump to behavior
Source: /usr/bin/uvefoplmkt (PID: 5501)	Queries kernel information via 'uname':	Jump to behavior
Source: /usr/bin/uvefoplmkt (PID: 5504)	Queries kernel information via 'uname':	Jump to behavior
Source: /usr/bin/uvefoplmkt (PID: 5508)	Queries kernel information via 'uname':	Jump to behavior
Source: /usr/bin/wftusxulhl (PID: 5514)	Queries kernel information via 'uname':	Jump to behavior
Source: /usr/bin/wftusxulhl (PID: 5517)	Queries kernel information via 'uname':	Jump to behavior
Source: /usr/bin/wftusxulhl (PID: 5519)	Queries kernel information via 'uname':	Jump to behavior
Source: /usr/bin/wftusxulhl (PID: 5522)	Queries kernel information via 'uname':	Jump to behavior
Source: /usr/bin/wftusxulhl (PID: 5526)	Queries kernel information via 'uname':	Jump to behavior
Source: /usr/bin/whjuunzbrd (PID: 5531)	Queries kernel information via 'uname':	Jump to behavior
Source: /usr/bin/whjuunzbrd (PID: 5534)	Queries kernel information via 'uname':	Jump to behavior
Source: /usr/bin/whjuunzbrd (PID: 5536)	Queries kernel information via 'uname':	Jump to behavior
Source: /usr/bin/whjuunzbrd (PID: 5539)	Queries kernel information via 'uname':	Jump to behavior
Source: /usr/bin/whjuunzbrd (PID: 5542)	Queries kernel information via 'uname':	Jump to behavior
Source: /usr/bin/ljtvmuptjr (PID: 5549)	Queries kernel information via 'uname':	Jump to behavior
Source: /usr/bin/ljtvmuptjr (PID: 5552)	Queries kernel information via 'uname':	Jump to behavior
Source: /usr/bin/ljtvmuptjr (PID: 5555)	Queries kernel information via 'uname':	Jump to behavior
Source: /usr/bin/ljtvmuptjr (PID: 5559)	Queries kernel information via 'uname':	Jump to behavior
Source: /usr/bin/ljtvmuptjr (PID: 5562)	Queries kernel information via 'uname':	Jump to behavior
Source: /usr/bin/ignsgczdve (PID: 5570)	Queries kernel information via 'uname':	Jump to behavior
Source: /usr/bin/ignsgczdve (PID: 5572)	Queries kernel information via 'uname':	Jump to behavior
Source: /usr/bin/ignsgczdve (PID: 5574)	Queries kernel information via 'uname':	Jump to behavior
Source: /usr/bin/ignsgczdve (PID: 5577)	Queries kernel information via 'uname':	Jump to behavior
Source: /usr/bin/ignsgczdve (PID: 5580)	Queries kernel information via 'uname':	Jump to behavior
Source: /usr/bin/pblqlvjegj (PID: 5587)	Queries kernel information via 'uname':	Jump to behavior
Source: /usr/bin/pblqlvjegj (PID: 5589)	Queries kernel information via 'uname':	Jump to behavior
Source: /usr/bin/pblqlvjegj (PID: 5591)	Queries kernel information via 'uname':	Jump to behavior
Source: /usr/bin/pblqlvjegj (PID: 5594)	Queries kernel information via 'uname':	Jump to behavior
Source: /usr/bin/pblqlvjegj (PID: 5597)	Queries kernel information via 'uname':	Jump to behavior
Source: /usr/bin/iucjpzjgvn (PID: 5604)	Queries kernel information via 'uname':	Jump to behavior
Source: /usr/bin/iucjpzjgvn (PID: 5606)	Queries kernel information via 'uname':	Jump to behavior
Source: /usr/bin/iucjpzjgvn (PID: 5608)	Queries kernel information via 'uname':	Jump to behavior
Source: /usr/bin/iucjpzjgvn (PID: 5611)	Queries kernel information via 'uname':	Jump to behavior
Source: /usr/bin/iucjpzjgvn (PID: 5614)	Queries kernel information via 'uname':	Jump to behavior

Source: /tmp/xor1.o (PID: 5225)

Reads CPU info from proc file: /proc/cpuinfo

Jump to behavior

Remote Access Functionality

Yara detected XorDDoS Bot

Source: Yara match	File source: xor1.o, type: SAMPLE
Source: Yara match	File source: 5226.1.000000001a887bdc.0000000047f81f2f.r-x.sdmp, type: MEMORY
Source: Yara match	File source: 5362.1.000000001a887bdc.0000000047f81f2f.r-x.sdmp, type: MEMORY
Source: Yara match	File source: 5483.1.000000001a887bdc.0000000047f81f2f.r-x.sdmp, type: MEMORY
Source: Yara match	File source: 5498.1.000000001a887bdc.0000000047f81f2f.r-x.sdmp, type: MEMORY
Source: Yara match	File source: 5322.1.000000001a887bdc.0000000047f81f2f.r-x.sdmp, type: MEMORY
Source: Yara match	File source: 5415.1.000000001a887bdc.0000000047f81f2f.r-x.sdmp, type: MEMORY
Source: Yara match	File source: 5507.1.000000001a887bdc.0000000047f81f2f.r-x.sdmp, type: MEMORY
Source: Yara match	File source: 5518.1.000000001a887bdc.0000000047f81f2f.r-x.sdmp, type: MEMORY
Source: Yara match	File source: 5430.1.000000001a887bdc.0000000047f81f2f.r-x.sdmp, type: MEMORY
Source: Yara match	File source: 5342.1.000000001a887bdc.0000000047f81f2f.r-x.sdmp, type: MEMORY
Source: Yara match	File source: 5444.1.000000001a887bdc.0000000047f81f2f.r-x.sdmp, type: MEMORY
Source: Yara match	File source: 5427.1.000000001a887bdc.0000000047f81f2f.r-x.sdmp, type: MEMORY
Source: Yara match	File source: 5263.1.000000001a887bdc.0000000047f81f2f.r-x.sdmp, type: MEMORY
Source: Yara match	File source: 5466.1.000000001a887bdc.0000000047f81f2f.r-x.sdmp, type: MEMORY
Source: Yara match	File source: 5334.1.000000001a887bdc.0000000047f81f2f.r-x.sdmp, type: MEMORY
Source: Yara match	File source: 5530.1.000000001a887bdc.0000000047f81f2f.r-x.sdmp, type: MEMORY
Source: Yara match	File source: 5449.1.000000001a887bdc.0000000047f81f2f.r-x.sdmp, type: MEMORY
Source: Yara match	File source: 5291.1.000000001a887bdc.0000000047f81f2f.r-x.sdmp, type: MEMORY
Source: Yara match	File source: 5486.1.000000001a887bdc.0000000047f81f2f.r-x.sdmp, type: MEMORY
Source: Yara match	File source: 5372.1.000000001a887bdc.0000000047f81f2f.r-x.sdmp, type: MEMORY
Source: Yara match	File source: 5407.1.000000001a887bdc.0000000047f81f2f.r-x.sdmp, type: MEMORY
Source: Yara match	File source: 5554.1.000000001a887bdc.0000000047f81f2f.r-x.sdmp, type: MEMORY
Source: Yara match	File source: 5224.1.000000001a887bdc.0000000047f81f2f.r-x.sdmp, type: MEMORY
Source: Yara match	File source: 5538.1.000000001a887bdc.0000000047f81f2f.r-x.sdmp, type: MEMORY
Source: Yara match	File source: 5410.1.000000001a887bdc.0000000047f81f2f.r-x.sdmp, type: MEMORY
Source: Yara match	File source: 5489.1.000000001a887bdc.0000000047f81f2f.r-x.sdmp, type: MEMORY
Source: Yara match	File source: 5320.1.000000001a887bdc.0000000047f81f2f.r-x.sdmp, type: MEMORY
Source: Yara match	File source: 5360.1.000000001a887bdc.0000000047f81f2f.r-x.sdmp, type: MEMORY
Source: Yara match	File source: 5398.1.000000001a887bdc.0000000047f81f2f.r-x.sdmp, type: MEMORY
Source: Yara match	File source: 5516.1.000000001a887bdc.0000000047f81f2f.r-x.sdmp, type: MEMORY
Source: Yara match	File source: 5380.1.000000001a887bdc.0000000047f81f2f.r-x.sdmp, type: MEMORY
Source: Yara match	File source: 5513.1.000000001a887bdc.0000000047f81f2f.r-x.sdmp, type: MEMORY
Source: Yara match	File source: 5481.1.000000001a887bdc.0000000047f81f2f.r-x.sdmp, type: MEMORY
Source: Yara match	File source: 5451.1.000000001a887bdc.0000000047f81f2f.r-x.sdmp, type: MEMORY
Source: Yara match	File source: 5471.1.000000001a887bdc.0000000047f81f2f.r-x.sdmp, type: MEMORY
Source: Yara match	File source: 5478.1.000000001a887bdc.0000000047f81f2f.r-x.sdmp, type: MEMORY
Source: Yara match	File source: 5541.1.000000001a887bdc.0000000047f81f2f.r-x.sdmp, type: MEMORY
Source: Yara match	File source: 5468.1.000000001a887bdc.0000000047f81f2f.r-x.sdmp, type: MEMORY
Source: Yara match	File source: 5284.1.000000001a887bdc.0000000047f81f2f.r-x.sdmp, type: MEMORY
Source: Yara match	File source: 5535.1.000000001a887bdc.0000000047f81f2f.r-x.sdmp, type: MEMORY
Source: Yara match	File source: 5401.1.000000001a887bdc.0000000047f81f2f.r-x.sdmp, type: MEMORY
Source: Yara match	File source: 5311.1.000000001a887bdc.0000000047f81f2f.r-x.sdmp, type: MEMORY
Source: Yara match	File source: 5270.1.000000001a887bdc.0000000047f81f2f.r-x.sdmp, type: MEMORY
Source: Yara match	File source: 5351.1.000000001a887bdc.0000000047f81f2f.r-x.sdmp, type: MEMORY
Source: Yara match	File source: 5495.1.000000001a887bdc.0000000047f81f2f.r-x.sdmp, type: MEMORY
Source: Yara match	File source: 5447.1.000000001a887bdc.0000000047f81f2f.r-x.sdmp, type: MEMORY
Source: Yara match	File source: 5266.1.000000001a887bdc.0000000047f81f2f.r-x.sdmp, type: MEMORY
Source: Yara match	File source: 5393.1.000000001a887bdc.0000000047f81f2f.r-x.sdmp, type: MEMORY
Source: Yara match	File source: 5503.1.000000001a887bdc.0000000047f81f2f.r-x.sdmp, type: MEMORY
Source: Yara match	File source: 5461.1.000000001a887bdc.0000000047f81f2f.r-x.sdmp, type: MEMORY
Source: Yara match	File source: 5281.1.000000001a887bdc.0000000047f81f2f.r-x.sdmp, type: MEMORY
Source: Yara match	File source: 5328.1.000000001a887bdc.0000000047f81f2f.r-x.sdmp, type: MEMORY
Source: Yara match	File source: 5268.1.000000001a887bdc.0000000047f81f2f.r-x.sdmp, type: MEMORY
Source: Yara match	File source: 5525.1.000000001a887bdc.0000000047f81f2f.r-x.sdmp, type: MEMORY
Source: Yara match	File source: 5339.1.000000001a887bdc.0000000047f81f2f.r-x.sdmp, type: MEMORY
Source: Yara match	File source: 5500.1.000000001a887bdc.0000000047f81f2f.r-x.sdmp, type: MEMORY
Source: Yara match	File source: 5337.1.000000001a887bdc.0000000047f81f2f.r-x.sdmp, type: MEMORY
Source: Yara match	File source: 5424.1.000000001a887bdc.0000000047f81f2f.r-x.sdmp, type: MEMORY
Source: Yara match	File source: 5300.1.000000001a887bdc.0000000047f81f2f.r-x.sdmp, type: MEMORY
Source: Yara match	File source: 5390.1.000000001a887bdc.0000000047f81f2f.r-x.sdmp, type: MEMORY
Source: Yara match	File source: 5521.1.000000001a887bdc.0000000047f81f2f.r-x.sdmp, type: MEMORY
Source: Yara match	File source: 5273.1.000000001a887bdc.0000000047f81f2f.r-x.sdmp, type: MEMORY
Source: Yara match	File source: 5551.1.000000001a887bdc.0000000047f81f2f.r-x.sdmp, type: MEMORY
Source: Yara match	File source: 5369.1.000000001a887bdc.0000000047f81f2f.r-x.sdmp, type: MEMORY
Source: Yara match	File source: 5354.1.000000001a887bdc.0000000047f81f2f.r-x.sdmp, type: MEMORY
Source: Yara match	File source: 5356.1.000000001a887bdc.0000000047f81f2f.r-x.sdmp, type: MEMORY
Source: Yara match	File source: 5305.1.000000001a887bdc.0000000047f81f2f.r-x.sdmp, type: MEMORY
Source: Yara match	File source: 5413.1.000000001a887bdc.0000000047f81f2f.r-x.sdmp, type: MEMORY
Source: Yara match	File source: 5344.1.000000001a887bdc.0000000047f81f2f.r-x.sdmp, type: MEMORY
Source: Yara match	File source: 5377.1.000000001a887bdc.0000000047f81f2f.r-x.sdmp, type: MEMORY
Source: Yara match	File source: 5418.1.000000001a887bdc.0000000047f81f2f.r-x.sdmp, type: MEMORY
Source: Yara match	File source: 5533.1.000000001a887bdc.0000000047f81f2f.r-x.sdmp, type: MEMORY
Source: Yara match	File source: 5548.1.000000001a887bdc.0000000047f81f2f.r-x.sdmp, type: MEMORY
Source: Yara match	File source: 5395.1.000000001a887bdc.0000000047f81f2f.r-x.sdmp, type: MEMORY
Source: Yara match	File source: 5317.1.000000001a887bdc.0000000047f81f2f.r-x.sdmp, type: MEMORY
Source: Yara match	File source: 5435.1.000000001a887bdc.0000000047f81f2f.r-x.sdmp, type: MEMORY
Source: Yara match	File source: 5464.1.000000001a887bdc.0000000047f81f2f.r-x.sdmp, type: MEMORY
Source: Yara match	File source: 5375.1.000000001a887bdc.0000000047f81f2f.r-x.sdmp, type: MEMORY
Source: Yara match	File source: 5432.1.000000001a887bdc.0000000047f81f2f.r-x.sdmp, type: MEMORY
Source: Yara match	File source: 5441.1.000000001a887bdc.0000000047f81f2f.r-x.sdmp, type: MEMORY
Source: Yara match	File source: 5227.1.000000001a887bdc.0000000047f81f2f.r-x.sdmp, type: MEMORY
Source: Yara match	File source: 5309.1.000000001a887bdc.0000000047f81f2f.r-x.sdmp, type: MEMORY
Source: Yara match	File source: 5228.1.000000001a887bdc.0000000047f81f2f.r-x.sdmp, type: MEMORY
Source: Yara match	File source: 5289.1.000000001a887bdc.0000000047f81f2f.r-x.sdmp, type: MEMORY
Source: Yara match	File source: 5303.1.000000001a887bdc.0000000047f81f2f.r-x.sdmp, type: MEMORY
Source: Yara match	File source: 5325.1.000000001a887bdc.0000000047f81f2f.r-x.sdmp, type: MEMORY
Source: Yara match	File source: 5286.1.000000001a887bdc.0000000047f81f2f.r-x.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: xor1.o PID: 5224, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: xor1.o PID: 5226, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: xor1.o PID: 5227, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: xor1.o PID: 5228, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: xor1.o PID: 5263, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: xor1.o PID: 5266, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: xor1.o PID: 5268, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: xor1.o PID: 5270, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: xor1.o PID: 5273, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: xor1.o PID: 5281, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: xor1.o PID: 5284, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: xor1.o PID: 5286, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: xor1.o PID: 5289, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: xor1.o PID: 5291, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: xor1.o PID: 5300, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: xor1.o PID: 5303, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: xor1.o PID: 5305, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: xor1.o PID: 5309, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: xor1.o PID: 5311, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: xor1.o PID: 5317, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: xor1.o PID: 5320, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: xor1.o PID: 5322, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: xor1.o PID: 5325, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: xor1.o PID: 5328, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: xor1.o PID: 5334, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: xor1.o PID: 5337, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: xor1.o PID: 5339, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: xor1.o PID: 5342, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: xor1.o PID: 5344, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: xor1.o PID: 5351, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: xor1.o PID: 5354, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: xor1.o PID: 5356, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: xor1.o PID: 5360, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: xor1.o PID: 5362, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: xor1.o PID: 5369, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: xor1.o PID: 5372, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: xor1.o PID: 5375, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: xor1.o PID: 5377, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: xor1.o PID: 5380, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: xor1.o PID: 5390, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: xor1.o PID: 5393, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: xor1.o PID: 5395, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: xor1.o PID: 5398, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: xor1.o PID: 5401, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: xor1.o PID: 5407, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: xor1.o PID: 5410, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: xor1.o PID: 5413, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: xor1.o PID: 5415, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: xor1.o PID: 5418, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: xor1.o PID: 5424, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: xor1.o PID: 5427, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: xor1.o PID: 5430, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: xor1.o PID: 5432, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: xor1.o PID: 5435, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: xor1.o PID: 5441, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: xor1.o PID: 5444, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: xor1.o PID: 5447, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: xor1.o PID: 5449, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: xor1.o PID: 5451, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: xor1.o PID: 5461, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: xor1.o PID: 5464, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: xor1.o PID: 5466, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: xor1.o PID: 5468, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: xor1.o PID: 5471, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: xor1.o PID: 5478, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: xor1.o PID: 5481, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: xor1.o PID: 5483, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: xor1.o PID: 5486, type: MEMORYSTR
Source: Yara match	File source: /usr/bin/jwkufnauiy, type: DROPPED
Source: Yara match	File source: /usr/bin/iqmzdzzagu, type: DROPPED
Source: Yara match	File source: /usr/bin/jnoxdslvzn, type: DROPPED
Source: Yara match	File source: /usr/bin/wftusxulhl, type: DROPPED
Source: Yara match	File source: /usr/bin/uvefoplmkt, type: DROPPED
Source: Yara match	File source: /usr/bin/dupayarwpd, type: DROPPED
Source: Yara match	File source: /usr/bin/mtxpozvnco, type: DROPPED
Source: Yara match	File source: /usr/bin/eiqbhbuvjy, type: DROPPED
Source: Yara match	File source: /usr/bin/vdplvwquwd, type: DROPPED
Source: Yara match	File source: /usr/bin/mbycomlghf, type: DROPPED
Source: Yara match	File source: /usr/lib/libudev.so, type: DROPPED
Source: Yara match	File source: /usr/bin/sqpwspsmaf, type: DROPPED
Source: Yara match	File source: /usr/bin/ralgwrxppb, type: DROPPED
Source: Yara match	File source: /usr/bin/ifkpwnmtjm, type: DROPPED
Source: Yara match	File source: /usr/bin/wkuqobksgz, type: DROPPED
Source: Yara match	File source: /usr/bin/cglyyshjyz, type: DROPPED

Mitre Att&ck Matrix

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control	Network Effects	Remote Service Effects	Impact
Valid Accounts	2 Scripting	1 Systemd Service	1 Systemd Service	11 Masquerading	OS Credential Dumping	1 Security Software Discovery	Remote Services	Data from Local System	Exfiltration Over Other Network Medium	1 Encrypted Channel	Eavesdrop on Insecure Network Communication	Remotely Track Device Without Authorization	Modify System Partition
Default Accounts	2 At (Linux)	2 At (Linux)	2 At (Linux)	2 Scripting	LSASS Memory	2 System Information Discovery	Remote Desktop Protocol	Data from Removable Media	Exfiltration Over Bluetooth	1 Non-Standard Port	Exploit SS7 to Redirect Phone Calls/SMS	Remotely Wipe Data Without Authorization	Device Lockout
Domain Accounts	At (Linux)	Logon Script (Windows)	Logon Script (Windows)	1 File Deletion	Security Account Manager	Query Registry	SMB/Windows Admin Shares	Data from Network Shared Drive	Automated Exfiltration	1 Non-Application Layer Protocol	Exploit SS7 to Track Device Location	Obtain Device Cloud Backups	Delete Device Data
Local Accounts	At (Windows)	Logon Script (Mac)	Logon Script (Mac)	Binary Padding	NTDS	System Network Configuration Discovery	Distributed Component Object Model	Input Capture	Scheduled Transfer	2 Application Layer Protocol	SIM Card Swap		Carrier Billing Fraud

Malware Configuration

⊘No configs have been found

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Number of created Files
Is malicious
Internet

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label	Link
xor1.o	50%	Virustotal		Browse
xor1.o	64%	ReversingLabs	Linux.Network.Xor
xor1.o	100%	Joe Sandbox ML

Dropped Files

Source	Detection	Scanner	Label	Link
/usr/bin/dupayarwpd	100%	Joe Sandbox ML
/usr/bin/cglyyshjyz	100%	Joe Sandbox ML
/usr/bin/uvefoplmkt	100%	Joe Sandbox ML
/usr/bin/mbycomlghf	100%	Joe Sandbox ML
/usr/bin/mtxpozvnco	100%	Joe Sandbox ML
/usr/bin/jwkufnauiy	100%	Joe Sandbox ML
/usr/bin/vdplvwquwd	100%	Joe Sandbox ML
/usr/bin/ralgwrxppb	100%	Joe Sandbox ML
/usr/bin/sqpwspsmaf	100%	Joe Sandbox ML
/usr/bin/wkuqobksgz	100%	Joe Sandbox ML
/usr/bin/ifkpwnmtjm	100%	Joe Sandbox ML
/usr/bin/eiqbhbuvjy	100%	Joe Sandbox ML
/usr/lib/libudev.so	100%	Joe Sandbox ML
/usr/bin/wftusxulhl	100%	Joe Sandbox ML
/usr/bin/jnoxdslvzn	100%	Joe Sandbox ML
/usr/bin/iqmzdzzagu	100%	Joe Sandbox ML
/etc/cron.hourly/gcc.sh	0%	Metadefender		Browse
/etc/cron.hourly/gcc.sh	28%	ReversingLabs	Linux.Trojan.XorDDoS

Domains

⊘No Antivirus matches

URLs

Source	Detection	Scanner	Label	Link
http://aa.hostasa.org/config.rar	0%	Avira URL Cloud	safe
http://aa.hostasa.org/config.rartat456.com:1522	0%	Avira URL Cloud	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Reputation
ppp.gggatat456.com	176.31.91.137	true	false	unknown
www1.gggatat456.com	54.36.15.99	true	true	unknown
aa.hostasa.org	unknown	unknown	true	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://www.gnu.org/software/libc/bugs.html	xor1.o, dupayarwpd.11.dr, cglyyshjyz.11.dr, uvefoplmkt.11.dr, mbycomlghf.11.dr, mtxpozvnco.11.dr, jwkufnauiy.11.dr, vdplvwquwd.11.dr, ralgwrxppb.11.dr, sqpwspsmaf.11.dr, wkuqobksgz.11.dr, ifkpwnmtjm.11.dr, eiqbhbuvjy.11.dr, libudev.so.11.dr, jnoxdslvzn.11.dr, iqmzdzzagu.11.dr	false		high
http://aa.hostasa.org/config.rar	xor1.o, 5224.1.0000000021caf6a3.000000007ecf918e.rw-.sdmp, xor1.o, 5226.1.0000000021caf6a3.000000007ecf918e.rw-.sdmp, xor1.o, 5227.1.0000000021caf6a3.000000007ecf918e.rw-.sdmp, xor1.o, 5228.1.0000000021caf6a3.000000007ecf918e.rw-.sdmp, xor1.o, 5263.1.0000000021caf6a3.000000007ecf918e.rw-.sdmp, xor1.o, 5266.1.0000000021caf6a3.000000007ecf918e.rw-.sdmp, xor1.o, 5268.1.0000000021caf6a3.000000007ecf918e.rw-.sdmp, xor1.o, 5270.1.0000000021caf6a3.000000007ecf918e.rw-.sdmp, xor1.o, 5273.1.0000000021caf6a3.000000007ecf918e.rw-.sdmp, xor1.o, 5281.1.0000000021caf6a3.000000007ecf918e.rw-.sdmp, xor1.o, 5284.1.0000000021caf6a3.000000007ecf918e.rw-.sdmp, xor1.o, 5286.1.0000000021caf6a3.000000007ecf918e.rw-.sdmp, xor1.o, 5289.1.0000000021caf6a3.000000007ecf918e.rw-.sdmp, xor1.o, 5291.1.0000000021caf6a3.000000007ecf918e.rw-.sdmp, xor1.o, 5300.1.0000000021caf6a3.000000007ecf918e.rw-.sdmp, xor1.o, 5303.1.0000000021caf6a3.000000007ecf918e.rw-.sdmp, xor1.o, 5305.1.0000000021caf6a3.000000007ecf918e.rw-.sdmp, xor1.o, 5309.1.0000000021caf6a3.000000007ecf918e.rw-.sdmp, xor1.o, 5311.1.0000000021caf6a3.000000007ecf918e.rw-.sdmp, xor1.o, 5317.1.0000000021caf6a3.000000007ecf918e.rw-.sdmp, xor1.o, 5320.1.0000000021caf6a3.000000007ecf918e.rw-.sdmp	false	Avira URL Cloud: safe	unknown
http://aa.hostasa.org/config.rartat456.com:1522	xor1.o, 5224.1.0000000021caf6a3.000000007ecf918e.rw-.sdmp, xor1.o, 5226.1.0000000021caf6a3.000000007ecf918e.rw-.sdmp, xor1.o, 5227.1.0000000021caf6a3.000000007ecf918e.rw-.sdmp, xor1.o, 5228.1.0000000021caf6a3.000000007ecf918e.rw-.sdmp, xor1.o, 5263.1.0000000021caf6a3.000000007ecf918e.rw-.sdmp, xor1.o, 5266.1.0000000021caf6a3.000000007ecf918e.rw-.sdmp, xor1.o, 5268.1.0000000021caf6a3.000000007ecf918e.rw-.sdmp, xor1.o, 5270.1.0000000021caf6a3.000000007ecf918e.rw-.sdmp, xor1.o, 5273.1.0000000021caf6a3.000000007ecf918e.rw-.sdmp, xor1.o, 5281.1.0000000021caf6a3.000000007ecf918e.rw-.sdmp, xor1.o, 5284.1.0000000021caf6a3.000000007ecf918e.rw-.sdmp, xor1.o, 5286.1.0000000021caf6a3.000000007ecf918e.rw-.sdmp, xor1.o, 5289.1.0000000021caf6a3.000000007ecf918e.rw-.sdmp, xor1.o, 5291.1.0000000021caf6a3.000000007ecf918e.rw-.sdmp, xor1.o, 5300.1.0000000021caf6a3.000000007ecf918e.rw-.sdmp, xor1.o, 5303.1.0000000021caf6a3.000000007ecf918e.rw-.sdmp, xor1.o, 5305.1.0000000021caf6a3.000000007ecf918e.rw-.sdmp, xor1.o, 5309.1.0000000021caf6a3.000000007ecf918e.rw-.sdmp, xor1.o, 5311.1.0000000021caf6a3.000000007ecf918e.rw-.sdmp, xor1.o, 5317.1.0000000021caf6a3.000000007ecf918e.rw-.sdmp, xor1.o, 5320.1.0000000021caf6a3.000000007ecf918e.rw-.sdmp	false	Avira URL Cloud: safe	unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	ASN	ASN Name	Malicious
176.31.91.137	ppp.gggatat456.com	France	16276	OVHFR	false
54.36.15.99	www1.gggatat456.com	France	16276	OVHFR	true
109.202.202.202	unknown	Switzerland	13030	INIT7CH	false
91.189.91.43	unknown	United Kingdom	41231	CANONICAL-ASGB	false
91.189.91.42	unknown	United Kingdom	41231	CANONICAL-ASGB	false

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
176.31.91.137	0Xorddos.o	Get hash	malicious	Browse
54.36.15.99	0Xorddos.o	Get hash	malicious	Browse	www1.gggatat456.com/dd.rar
109.202.202.202	xor2.o	Get hash	malicious	Browse
	xor3.o	Get hash	malicious	Browse
	h2uhKUWnK6	Get hash	malicious	Browse
	apep.arm	Get hash	malicious	Browse
	task3.bin	Get hash	malicious	Browse
	BDK.mips-20220415-0546	Get hash	malicious	Browse
	BDK.x86-20220415-0546	Get hash	malicious	Browse
	BDK.arm4-20220415-0546	Get hash	malicious	Browse
	BDK.arm5-20220415-0546	Get hash	malicious	Browse
	BDK.arm6-20220415-0546	Get hash	malicious	Browse
	BDK.arm7-20220415-0546	Get hash	malicious	Browse
	8cR4Oenl9u	Get hash	malicious	Browse
	arm-20220414-2350	Get hash	malicious	Browse
	arm7-20220414-2350	Get hash	malicious	Browse
	R3pJB359fm	Get hash	malicious	Browse
	FaGf3koARC	Get hash	malicious	Browse
	wy8qAkb51p	Get hash	malicious	Browse
	NOQIfC4814	Get hash	malicious	Browse
	nAhIfxPGCA	Get hash	malicious	Browse
	arm-20220414-1850	Get hash	malicious	Browse
91.189.91.43	xor2.o	Get hash	malicious	Browse
	xor3.o	Get hash	malicious	Browse
	h2uhKUWnK6	Get hash	malicious	Browse
	apep.arm	Get hash	malicious	Browse
	task3.bin	Get hash	malicious	Browse
	BDK.mips-20220415-0546	Get hash	malicious	Browse
	BDK.x86-20220415-0546	Get hash	malicious	Browse
	BDK.arm4-20220415-0546	Get hash	malicious	Browse
	BDK.arm5-20220415-0546	Get hash	malicious	Browse
	BDK.arm6-20220415-0546	Get hash	malicious	Browse
	BDK.arm7-20220415-0546	Get hash	malicious	Browse
	8cR4Oenl9u	Get hash	malicious	Browse
	arm-20220414-2350	Get hash	malicious	Browse
	arm7-20220414-2350	Get hash	malicious	Browse
	R3pJB359fm	Get hash	malicious	Browse
	FaGf3koARC	Get hash	malicious	Browse
	wy8qAkb51p	Get hash	malicious	Browse
	NOQIfC4814	Get hash	malicious	Browse
	nAhIfxPGCA	Get hash	malicious	Browse
	arm-20220414-1850	Get hash	malicious	Browse

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
www1.gggatat456.com	0Xorddos.o	Get hash	malicious	Browse	54.36.15.99
	http://www1.gggatat456.com/dd.rar	Get hash	malicious	Browse	51.68.183.108
	w.txt	Get hash	malicious	Browse	92.222.83.172
	w.txt	Get hash	malicious	Browse	92.222.83.172
	1433.bin	Get hash	malicious	Browse	91.134.134.116
	libudev.so	Get hash	malicious	Browse	91.134.134.116
	TPHM5fHHv1	Get hash	malicious	Browse	51.77.240.165
ppp.gggatat456.com	0Xorddos.o	Get hash	malicious	Browse	54.36.145.106
	XZFWLZVF1Z	Get hash	malicious	Browse	54.36.15.99
	CD2uXlYGfa	Get hash	malicious	Browse	51.68.183.111
	7ZDbt9EUgm	Get hash	malicious	Browse	51.89.70.85
	ygljglkjgfg0	Get hash	malicious	Browse	51.89.52.13
	2wyzX8yBdR	Get hash	malicious	Browse	51.38.200.187

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
OVHFR	apep.x86	Get hash	malicious	Browse	51.255.185.111
	vKrtYWFxWA.exe	Get hash	malicious	Browse	176.31.60.250
	drvHvl3lJq.exe	Get hash	malicious	Browse	198.27.115.55
	Doc140422.exe	Get hash	malicious	Browse	51.38.207.241
	PO_140421.exe	Get hash	malicious	Browse	142.44.216.172
	Payment_Advice.xlsx	Get hash	malicious	Browse	198.27.115.55
	libexec	Get hash	malicious	Browse	51.89.217.80
	https://patient-field-1497.on.fleek.co/	Get hash	malicious	Browse	51.210.32.106
	I7lOHTNI7l	Get hash	malicious	Browse	5.39.75.160
	daddyl33t.arm-20220414-2250	Get hash	malicious	Browse	54.36.243.236
	o9lgHgNy59.exe	Get hash	malicious	Browse	46.105.31.147
	enemybotarm7-20220414-1550	Get hash	malicious	Browse	79.137.70.101
	https://onceintheflow.com/	Get hash	malicious	Browse	51.178.43.183
	enemybotarm-20220414-1550	Get hash	malicious	Browse	79.137.70.101
	https://globallegalchronicle.com/tag/baptiste-guillemot/	Get hash	malicious	Browse	51.89.9.253
	DHL_SHIPMENT_ON_HOLD_NOTIFICATION#73636_9283763_DOCUMENT.exe	Get hash	malicious	Browse	142.44.216.172
	arm7-20220414-1450	Get hash	malicious	Browse	51.70.255.224
	arm-20220414-1450	Get hash	malicious	Browse	37.187.8.251
	oLfLLnQnkJ	Get hash	malicious	Browse	192.95.6.69
	8e.dll	Get hash	malicious	Browse	94.23.45.86
OVHFR	apep.x86	Get hash	malicious	Browse	51.255.185.111
	vKrtYWFxWA.exe	Get hash	malicious	Browse	176.31.60.250
	drvHvl3lJq.exe	Get hash	malicious	Browse	198.27.115.55
	Doc140422.exe	Get hash	malicious	Browse	51.38.207.241
	PO_140421.exe	Get hash	malicious	Browse	142.44.216.172
	Payment_Advice.xlsx	Get hash	malicious	Browse	198.27.115.55
	libexec	Get hash	malicious	Browse	51.89.217.80
	https://patient-field-1497.on.fleek.co/	Get hash	malicious	Browse	51.210.32.106
	I7lOHTNI7l	Get hash	malicious	Browse	5.39.75.160
	daddyl33t.arm-20220414-2250	Get hash	malicious	Browse	54.36.243.236
	o9lgHgNy59.exe	Get hash	malicious	Browse	46.105.31.147
	enemybotarm7-20220414-1550	Get hash	malicious	Browse	79.137.70.101
	https://onceintheflow.com/	Get hash	malicious	Browse	51.178.43.183
	enemybotarm-20220414-1550	Get hash	malicious	Browse	79.137.70.101
	https://globallegalchronicle.com/tag/baptiste-guillemot/	Get hash	malicious	Browse	51.89.9.253
	DHL_SHIPMENT_ON_HOLD_NOTIFICATION#73636_9283763_DOCUMENT.exe	Get hash	malicious	Browse	142.44.216.172
	arm7-20220414-1450	Get hash	malicious	Browse	51.70.255.224
	arm-20220414-1450	Get hash	malicious	Browse	37.187.8.251
	oLfLLnQnkJ	Get hash	malicious	Browse	192.95.6.69
	8e.dll	Get hash	malicious	Browse	94.23.45.86

JA3 Fingerprints

⊘No context

Dropped Files

Match	Associated Sample Name / URL	SHA 256	Detection	Link
/etc/cron.hourly/gcc.sh	CCCxor.o	Get hash	malicious	Browse
	2BAFxor.o	Get hash	malicious	Browse
	task2.bin	Get hash	malicious	Browse
	task2.bin	Get hash	malicious	Browse
	task2.bin	Get hash	malicious	Browse
	0Xorddos.o	Get hash	malicious	Browse
	x.o	Get hash	malicious	Browse
	23	Get hash	malicious	Browse
	23	Get hash	malicious	Browse
	XZFWLZVF1Z	Get hash	malicious	Browse
	EgrT0zBhDa	Get hash	malicious	Browse
	4ljhdTTyiA	Get hash	malicious	Browse
	7nJAEBDitl	Get hash	malicious	Browse
	ygljglkjgfg0	Get hash	malicious	Browse
	bVexvNSHcD	Get hash	malicious	Browse
	rJabrNEtBM	Get hash	malicious	Browse
	c1152b89-b68a-49af-af67-fd4b61683a72	Get hash	malicious	Browse
	w.txt	Get hash	malicious	Browse
	w.txt	Get hash	malicious	Browse
	1433.bin	Get hash	malicious	Browse

Created / dropped Files

/etc/cron.hourly/gcc.sh

Download File

Process:	/tmp/xor1.o
File Type:	POSIX shell script, ASCII text executable
Category:	dropped
Size (bytes):	228
Entropy (8bit):	4.807897441464882
Encrypted:	false
SSDEEP:	3:TKH4v1kxtsLNELQ9YmPQnMLnVMPQmlZnEMFaGZg28Xwf6SkCVcLNGLC75pkVKJdm:htiy4Mrm9lVNy28XbCVP270gJdE/v
MD5:	3BAB747CEDC5F0EBE86AAA7F982470CD
SHA1:	3C7D1C6931C2B3DAE39D38346B780EA57C8E6142
SHA-256:	74D31CAC40D98EE64DF2A0C29CEB229D12AC5FA699C2EE512FC69360F0CF68C5
SHA-512:	21E8A6D9CA8531D37DEF83D8903E5B0FA11ECF33D85D05EDAB1E0FEB4ACAC65AE2CF5222650FB9F533F459CCC51BB2903276FF6F827B847CC5E6DAC7D45A0A42
Malicious:	true
Antivirus:	Antivirus: Metadefender, Detection: 0%, Browse Antivirus: ReversingLabs, Detection: 28%
Joe Sandbox View:	Filename: CCCxor.o, Detection: malicious, Browse Filename: 2BAFxor.o, Detection: malicious, Browse Filename: task2.bin, Detection: malicious, Browse Filename: task2.bin, Detection: malicious, Browse Filename: task2.bin, Detection: malicious, Browse Filename: 0Xorddos.o, Detection: malicious, Browse Filename: x.o, Detection: malicious, Browse Filename: 23, Detection: malicious, Browse Filename: 23, Detection: malicious, Browse Filename: XZFWLZVF1Z, Detection: malicious, Browse Filename: EgrT0zBhDa, Detection: malicious, Browse Filename: 4ljhdTTyiA, Detection: malicious, Browse Filename: 7nJAEBDitl, Detection: malicious, Browse Filename: ygljglkjgfg0, Detection: malicious, Browse Filename: bVexvNSHcD, Detection: malicious, Browse Filename: rJabrNEtBM, Detection: malicious, Browse Filename: c1152b89-b68a-49af-af67-fd4b61683a72, Detection: malicious, Browse Filename: w.txt, Detection: malicious, Browse Filename: w.txt, Detection: malicious, Browse Filename: 1433.bin, Detection: malicious, Browse
Reputation:	moderate, very likely benign file
Preview:	#!/bin/sh.PATH=/bin:/sbin:/usr/bin:/usr/sbin:/usr/local/bin:/usr/local/sbin:/usr/X11R6/bin.for i in `cat /proc/net/dev\|grep :\|awk -F: {'print $1'}`; do ifconfig $i up& done.cp /lib/libudev.so /lib/libudev.so.6./lib/libudev.so.6.

/etc/crontab

Download File

Process:	/bin/sh
File Type:	ASCII text
Category:	dropped
Size (bytes):	41
Entropy (8bit):	3.8484226636198593
Encrypted:	false
SSDEEP:	3:FFP13tKebPv4KFcKv:/P1IebPPFcKv
MD5:	636299E19F3BFB8CDA661BC956C1CE7F
SHA1:	2B45273CCBFE139D58FC3554D6943D4338C18E15
SHA-256:	8CBDE8A027F2887DD7A3C5C6F98FDF127BAE31FE457FEF9D7945C9E48D195F44
SHA-512:	41AF1A49B86C9C81965AF32B404494CC5072AFDA004F385977110F8EA134A770650CBD2F9617AFCD87D6744954659BE4AE365E65DCA4491A375275E710310F1A
Malicious:	true
Reputation:	moderate, very likely benign file
Preview:	/3 * * * root /etc/cron.hourly/gcc.sh.

/etc/init.d/xor1.o

Download File

Process:	/tmp/xor1.o
File Type:	POSIX shell script, ASCII text executable
Category:	dropped
Size (bytes):	295
Entropy (8bit):	5.187866374373042
Encrypted:	false
SSDEEP:	6:hUtoFdU96AjnnsKheJEKejBE21YJvmNeMwhQKejR1DzRIYKiVa6MzrKiVq4:6Qunmj4BEMO1QKI7zunaazeaN
MD5:	10CA9BB093AB2950CD3302470BF5C0D2
SHA1:	29286D3E61F0C09D78E5B8F173F7E6339B0681C2
SHA-256:	7095B0BD4D89D97ED21AF27BB04149F6997DA1581C5016CC4A5842A9B495ACD2
SHA-512:	5A627951ED57E626DE3D95028C99C29A97232806EA5714A575062EC17E8E566D5C5C8A521157573358098A4831602B98D637A047B3C80CF510AA22594B1BA567
Malicious:	true
Reputation:	low
Preview:	#!/bin/sh.# chkconfig: 12345 90 90.# description: xor1.o.### BEGIN INIT INFO.# Provides:..xor1.o.# Required-Start:..# Required-Stop:..# Default-Start:.1 2 3 4 5.# Default-Stop:...# Short-Description:.xor1.o.### END INIT INFO.case $1 in.start)../tmp/xor1.o..;;.stop)..;;.*)../tmp/xor1.o..;;.esac.

/memfd:snapd-env-generator (deleted)

Download File

Process:	/usr/lib/systemd/system-environment-generators/snapd-env-generator
File Type:	ASCII text
Category:	dropped
Size (bytes):	76
Entropy (8bit):	3.7627880354948586
Encrypted:	false
SSDEEP:	3:+M4VMPQnMLmPQ9JEcwwbn:+M4m4MixcZb
MD5:	D86A1F5765F37989EB0EC3837AD13ECC
SHA1:	D749672A734D9DEAFD61DCA501C6929EC431B83E
SHA-256:	85889AB8222C947C58BE565723AE603CC1A0BD2153B6B11E156826A21E6CCD45
SHA-512:	338C4B776FDCC2D05E869AE1F9DB64E6E7ECC4C621AB45E51DD07C73306BACBAD7882BE8D3ACF472CAEB30D4E5367F8793D3E006694184A68F74AC943A4B7C07
Malicious:	false
Reputation:	moderate, very likely benign file
Preview:	PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/snap/bin.

/run/gcc.pid

Download File

Process:	/tmp/xor1.o
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	32
Entropy (8bit):	3.819548827786958
Encrypted:	false
SSDEEP:	3:T5/gq7xgX:d/JxgX
MD5:	5D6093F7B9363D292D90C58AFDDDF56E
SHA1:	BFD43CB54F7E029AA6F4E8946E70CB6FD6DA5F10
SHA-256:	314090DC073F5CAE92560605C9BF5510063B28E2E53105ACA9675AF13E0CC608
SHA-512:	C9918BC63967E62405C4679FA4A1FE51F362C9836E85E84A14B7B40BC26F78445D7DB7EB097373C1FB2A6C88841BA4608A8389FC84F21A8EBEB1C537EF733F0B
Malicious:	false
Reputation:	low
Preview:	uctzkuzmdwqthbcjmllhhcbjbblmxnjr

/usr/bin/cglyyshjyz

Download File

Process:	/tmp/xor1.o
File Type:	ELF 32-bit LSB executable, Intel 80386, version 1 (SYSV), statically linked, for GNU/Linux 2.6.9, stripped
Category:	dropped
Size (bytes):	548693
Entropy (8bit):	6.1977786094124765
Encrypted:	false
SSDEEP:	12288:4Ufrcn+vwK5ripVU4tdZ1pNL/pVbz266ySjQn36EojV:/fUywKQ7Fb1pNL/p52fjQn36EuV
MD5:	3BA7870DC238C8CED74411E69CE14B0A
SHA1:	B228CDC85BFA555DAC8C6FCB5254DB35DC93E55B
SHA-256:	A32D567566313CCFFFCC0B12B1980B3AB07EFA87386583589F978E3A17ED227C
SHA-512:	E87E27021A46D863E2BC68DE8D7CC4B58CB57269DCFE306BFD8A0C5DC642C8250D7F81C388A43FDDF97BFC84A9B9F8B221A0923AA734F0426829814C1FACECC5
Malicious:	true
Yara Hits:	Rule: JoeSecurity_XorDDoS, Description: Yara detected XorDDoS Bot, Source: /usr/bin/cglyyshjyz, Author: Joe Security Rule: MALWARE_Linux_XORDDoS, Description: Detects XORDDoS, Source: /usr/bin/cglyyshjyz, Author: ditekSHen
Antivirus:	Antivirus: Joe Sandbox ML, Detection: 100%
Reputation:	low
Preview:	.ELF........................4....Z......4. ...(......................I...I...............I..............Ts........................ ... ................I..............@...........Q.td........................................GNU.................U.....5...................1.^....PTRh <..h`<..QVh............U..S........[...Y..........t..~..X[.......U..S....=.....uT.....-........X......9.v...&........................9.w......t...$<h....o............[]......U..............Z..xX....t .T$..D$......D$.......$<h....q... .....t........t...$ ..............U..W.....VS.............D$......D$.......$.....E..D$.......$.........................D$......D$.......$....E..D$......D$.A.....$.................xk.D$......D$.......$.o...............v.................D$......D$..4$.\.......~........\$..D$..<$....9.t...~..4$..t&......~..<$.................[^_]..&......'....U..WVS....E..}..D$......D$.A.....$.....E.........~j.D$......D$.......$......E.....~?1.....t&...9..E.....~)..).=....~.

/usr/bin/dupayarwpd

Download File

Process:	/tmp/xor1.o
File Type:	ELF 32-bit LSB executable, Intel 80386, version 1 (SYSV), statically linked, for GNU/Linux 2.6.9, stripped
Category:	dropped
Size (bytes):	548693
Entropy (8bit):	6.197782588110916
Encrypted:	false
SSDEEP:	12288:4Ufrcn+vwK5ripVU4tdZ1pNL/pVbz266ySjQn36Eojs:/fUywKQ7Fb1pNL/p52fjQn36Eus
MD5:	487AC7753877CBE469DC3683259736B5
SHA1:	2A548816B729E4355C097297BAC7F68985C0B80A
SHA-256:	8CCC2A9A12F3CDAC8FE486D2089F7381636DA8787F0EB9F208CE34176A05C4F0
SHA-512:	59E55CFDD114B8C0AE965D92DFE44F786A50FCFDB305615BB74B59730ED9B7D8527F37864C177F61FC9B27E7D8CA5FC6A97777F5FF05B9CBD49467CD93A1FE30
Malicious:	true
Yara Hits:	Rule: JoeSecurity_XorDDoS, Description: Yara detected XorDDoS Bot, Source: /usr/bin/dupayarwpd, Author: Joe Security Rule: MALWARE_Linux_XORDDoS, Description: Detects XORDDoS, Source: /usr/bin/dupayarwpd, Author: ditekSHen
Antivirus:	Antivirus: Joe Sandbox ML, Detection: 100%
Reputation:	low
Preview:	.ELF........................4....Z......4. ...(......................I...I...............I..............Ts........................ ... ................I..............@...........Q.td........................................GNU.................U.....5...................1.^....PTRh <..h`<..QVh............U..S........[...Y..........t..~..X[.......U..S....=.....uT.....-........X......9.v...&........................9.w......t...$<h....o............[]......U..............Z..xX....t .T$..D$......D$.......$<h....q... .....t........t...$ ..............U..W.....VS.............D$......D$.......$.....E..D$.......$.........................D$......D$.......$....E..D$......D$.A.....$.................xk.D$......D$.......$.o...............v.................D$......D$..4$.\.......~........\$..D$..<$....9.t...~..4$..t&......~..<$.................[^_]..&......'....U..WVS....E..}..D$......D$.A.....$.....E.........~j.D$......D$.......$......E.....~?1.....t&...9..E.....~)..).=....~.

/usr/bin/eiqbhbuvjy

Download File

Process:	/tmp/xor1.o
File Type:	ELF 32-bit LSB executable, Intel 80386, version 1 (SYSV), statically linked, for GNU/Linux 2.6.9, stripped
Category:	dropped
Size (bytes):	548693
Entropy (8bit):	6.197767847715198
Encrypted:	false
SSDEEP:	12288:4Ufrcn+vwK5ripVU4tdZ1pNL/pVbz266ySjQn36EojR:/fUywKQ7Fb1pNL/p52fjQn36EuR
MD5:	B563644E4E482747A9B6EBE06BAD1AF1
SHA1:	EA3F08596CF43890498C33A1FEBB38F3C7B826C3
SHA-256:	4A0F1A01870BB859D1E569474F108AC42691B8656B1E13412711315ECB83CB59
SHA-512:	97DBFC406C0A3299E5D79D1A2B0EDCAC2BA76685345849E93B9A6C9506C613BD84FD5E39B57F55CFABA03856F9D1919630C0BFC6CCAF787139164CB2F501824F
Malicious:	true
Yara Hits:	Rule: JoeSecurity_XorDDoS, Description: Yara detected XorDDoS Bot, Source: /usr/bin/eiqbhbuvjy, Author: Joe Security Rule: MALWARE_Linux_XORDDoS, Description: Detects XORDDoS, Source: /usr/bin/eiqbhbuvjy, Author: ditekSHen
Antivirus:	Antivirus: Joe Sandbox ML, Detection: 100%
Reputation:	low
Preview:	.ELF........................4....Z......4. ...(......................I...I...............I..............Ts........................ ... ................I..............@...........Q.td........................................GNU.................U.....5...................1.^....PTRh <..h`<..QVh............U..S........[...Y..........t..~..X[.......U..S....=.....uT.....-........X......9.v...&........................9.w......t...$<h....o............[]......U..............Z..xX....t .T$..D$......D$.......$<h....q... .....t........t...$ ..............U..W.....VS.............D$......D$.......$.....E..D$.......$.........................D$......D$.......$....E..D$......D$.A.....$.................xk.D$......D$.......$.o...............v.................D$......D$..4$.\.......~........\$..D$..<$....9.t...~..4$..t&......~..<$.................[^_]..&......'....U..WVS....E..}..D$......D$.A.....$.....E.........~j.D$......D$.......$......E.....~?1.....t&...9..E.....~)..).=....~.

/usr/bin/ifkpwnmtjm

Download File

Process:	/tmp/xor1.o
File Type:	ELF 32-bit LSB executable, Intel 80386, version 1 (SYSV), statically linked, for GNU/Linux 2.6.9, stripped
Category:	dropped
Size (bytes):	548693
Entropy (8bit):	6.197772591074579
Encrypted:	false
SSDEEP:	12288:4Ufrcn+vwK5ripVU4tdZ1pNL/pVbz266ySjQn36Eojm:/fUywKQ7Fb1pNL/p52fjQn36Eum
MD5:	C6395EC6939AA3AEE167136E5B0E6F81
SHA1:	81DFB179864DBD912E77A87778D1CB25B7B7D097
SHA-256:	7B4433A56727407FDD1E11ECF778D45CE7B23168F5B6E7307BDF69E29ED49280
SHA-512:	8AEE55AFB87D1AEF926CFE44D0294ACA16B4DF5ED093AC97E5C125D76A623B2C1DF5337F4E33CDE212D98BED4571A0859B6256DC159B5DA4833012B1CD5CEDE7
Malicious:	true
Yara Hits:	Rule: JoeSecurity_XorDDoS, Description: Yara detected XorDDoS Bot, Source: /usr/bin/ifkpwnmtjm, Author: Joe Security Rule: MALWARE_Linux_XORDDoS, Description: Detects XORDDoS, Source: /usr/bin/ifkpwnmtjm, Author: ditekSHen
Antivirus:	Antivirus: Joe Sandbox ML, Detection: 100%
Reputation:	low
Preview:	.ELF........................4....Z......4. ...(......................I...I...............I..............Ts........................ ... ................I..............@...........Q.td........................................GNU.................U.....5...................1.^....PTRh <..h`<..QVh............U..S........[...Y..........t..~..X[.......U..S....=.....uT.....-........X......9.v...&........................9.w......t...$<h....o............[]......U..............Z..xX....t .T$..D$......D$.......$<h....q... .....t........t...$ ..............U..W.....VS.............D$......D$.......$.....E..D$.......$.........................D$......D$.......$....E..D$......D$.A.....$.................xk.D$......D$.......$.o...............v.................D$......D$..4$.\.......~........\$..D$..<$....9.t...~..4$..t&......~..<$.................[^_]..&......'....U..WVS....E..}..D$......D$.A.....$.....E.........~j.D$......D$.......$......E.....~?1.....t&...9..E.....~)..).=....~.

/usr/bin/iqmzdzzagu

Download File

Process:	/tmp/xor1.o
File Type:	ELF 32-bit LSB executable, Intel 80386, version 1 (SYSV), statically linked, for GNU/Linux 2.6.9, stripped
Category:	dropped
Size (bytes):	548693
Entropy (8bit):	6.197757096627219
Encrypted:	false
SSDEEP:	12288:4Ufrcn+vwK5ripVU4tdZ1pNL/pVbz266ySjQn36EojE:/fUywKQ7Fb1pNL/p52fjQn36EuE
MD5:	6E76F6698CCF35C8257261F0C70180A3
SHA1:	6624145920A4E707873FCF06F6F652A475E163AC
SHA-256:	8A8D924C05CF743F5B71719F9B71A1B83CFB63899B6C1E847DEFE09BAFBF7728
SHA-512:	74D1781669C14171296E274C2CD614CD16F34489926B9CA12B1F18BC0A0D53557CD0AA0C54DB3BAE9ABB2B85B99263C89D6276801EFF14F69FC555A66FC30267
Malicious:	true
Yara Hits:	Rule: JoeSecurity_XorDDoS, Description: Yara detected XorDDoS Bot, Source: /usr/bin/iqmzdzzagu, Author: Joe Security Rule: MALWARE_Linux_XORDDoS, Description: Detects XORDDoS, Source: /usr/bin/iqmzdzzagu, Author: ditekSHen
Antivirus:	Antivirus: Joe Sandbox ML, Detection: 100%
Reputation:	low
Preview:	.ELF........................4....Z......4. ...(......................I...I...............I..............Ts........................ ... ................I..............@...........Q.td........................................GNU.................U.....5...................1.^....PTRh <..h`<..QVh............U..S........[...Y..........t..~..X[.......U..S....=.....uT.....-........X......9.v...&........................9.w......t...$<h....o............[]......U..............Z..xX....t .T$..D$......D$.......$<h....q... .....t........t...$ ..............U..W.....VS.............D$......D$.......$.....E..D$.......$.........................D$......D$.......$....E..D$......D$.A.....$.................xk.D$......D$.......$.o...............v.................D$......D$..4$.\.......~........\$..D$..<$....9.t...~..4$..t&......~..<$.................[^_]..&......'....U..WVS....E..}..D$......D$.A.....$.....E.........~j.D$......D$.......$......E.....~?1.....t&...9..E.....~)..).=....~.

/usr/bin/jnoxdslvzn

Download File

Process:	/tmp/xor1.o
File Type:	ELF 32-bit LSB executable, Intel 80386, version 1 (SYSV), statically linked, for GNU/Linux 2.6.9, stripped
Category:	dropped
Size (bytes):	548693
Entropy (8bit):	6.197768231637433
Encrypted:	false
SSDEEP:	12288:4Ufrcn+vwK5ripVU4tdZ1pNL/pVbz266ySjQn36Eoj3:/fUywKQ7Fb1pNL/p52fjQn36Eu3
MD5:	0208723046FA446D61614EF51EE000C0
SHA1:	3FDA430B56119A1C016ECC1585F17FBC2BD6FBE1
SHA-256:	7874A7960C53F71579BFA0C65CCA41EB5334DD92F9210F2C9CA0A8C5B6346EC2
SHA-512:	0CF9C2208B814A77B2EA32193BB3DDE26749CB2CCDBF8332BB267F271312E491EA427BF3CA46FEBA03D15B2AD30CE972F29DF720CE40D1485849E0B44764A5E9
Malicious:	true
Yara Hits:	Rule: JoeSecurity_XorDDoS, Description: Yara detected XorDDoS Bot, Source: /usr/bin/jnoxdslvzn, Author: Joe Security Rule: MALWARE_Linux_XORDDoS, Description: Detects XORDDoS, Source: /usr/bin/jnoxdslvzn, Author: ditekSHen
Antivirus:	Antivirus: Joe Sandbox ML, Detection: 100%
Preview:	.ELF........................4....Z......4. ...(......................I...I...............I..............Ts........................ ... ................I..............@...........Q.td........................................GNU.................U.....5...................1.^....PTRh <..h`<..QVh............U..S........[...Y..........t..~..X[.......U..S....=.....uT.....-........X......9.v...&........................9.w......t...$<h....o............[]......U..............Z..xX....t .T$..D$......D$.......$<h....q... .....t........t...$ ..............U..W.....VS.............D$......D$.......$.....E..D$.......$.........................D$......D$.......$....E..D$......D$.A.....$.................xk.D$......D$.......$.o...............v.................D$......D$..4$.\.......~........\$..D$..<$....9.t...~..4$..t&......~..<$.................[^_]..&......'....U..WVS....E..}..D$......D$.A.....$.....E.........~j.D$......D$.......$......E.....~?1.....t&...9..E.....~)..).=....~.

/usr/bin/jwkufnauiy

Download File

Process:	/tmp/xor1.o
File Type:	ELF 32-bit LSB executable, Intel 80386, version 1 (SYSV), statically linked, for GNU/Linux 2.6.9, stripped
Category:	dropped
Size (bytes):	548693
Entropy (8bit):	6.197776938096916
Encrypted:	false
SSDEEP:	12288:4Ufrcn+vwK5ripVU4tdZ1pNL/pVbz266ySjQn36Eoja:/fUywKQ7Fb1pNL/p52fjQn36Eua
MD5:	0B7A5024EB6DCFE3F8625766490C4AF0
SHA1:	1A72D700CEF85EAB92721B66B06D2BB5547E045C
SHA-256:	1FBAF3069DA53C463E64A88EB654F0A857BE7C53E3FB61C66EF62CBDC5A9EE4D
SHA-512:	17B255C9BC27305946EAB3F51AEBB54FC5A73ADE45AC370533390789C173193B56F7677283FF5A67C1678FC8BC78D1CBEE94B61F89974CAC2B44B746C8475738
Malicious:	true
Yara Hits:	Rule: JoeSecurity_XorDDoS, Description: Yara detected XorDDoS Bot, Source: /usr/bin/jwkufnauiy, Author: Joe Security Rule: MALWARE_Linux_XORDDoS, Description: Detects XORDDoS, Source: /usr/bin/jwkufnauiy, Author: ditekSHen
Antivirus:	Antivirus: Joe Sandbox ML, Detection: 100%
Preview:	.ELF........................4....Z......4. ...(......................I...I...............I..............Ts........................ ... ................I..............@...........Q.td........................................GNU.................U.....5...................1.^....PTRh <..h`<..QVh............U..S........[...Y..........t..~..X[.......U..S....=.....uT.....-........X......9.v...&........................9.w......t...$<h....o............[]......U..............Z..xX....t .T$..D$......D$.......$<h....q... .....t........t...$ ..............U..W.....VS.............D$......D$.......$.....E..D$.......$.........................D$......D$.......$....E..D$......D$.A.....$.................xk.D$......D$.......$.o...............v.................D$......D$..4$.\.......~........\$..D$..<$....9.t...~..4$..t&......~..<$.................[^_]..&......'....U..WVS....E..}..D$......D$.A.....$.....E.........~j.D$......D$.......$......E.....~?1.....t&...9..E.....~)..).=....~.

/usr/bin/mbycomlghf

Download File

Process:	/tmp/xor1.o
File Type:	ELF 32-bit LSB executable, Intel 80386, version 1 (SYSV), statically linked, for GNU/Linux 2.6.9, stripped
Category:	dropped
Size (bytes):	548693
Entropy (8bit):	6.197785340683361
Encrypted:	false
SSDEEP:	12288:4Ufrcn+vwK5ripVU4tdZ1pNL/pVbz266ySjQn36Eojr:/fUywKQ7Fb1pNL/p52fjQn36Eur
MD5:	266E022987CA9CB84B7041CCAB5F462C
SHA1:	9CB9C102E63A7D0AD339A0FDF027327723CF9B64
SHA-256:	A21B9EBFA208016124E49A5355A5A05B8AA2D6F7D81C6ADF71AB212F8CD7A4D9
SHA-512:	AFCEB7229CFE8AA3E3A999F8F1970C39908B86F841F519A709A71DBDFCBB6B4DF26164406343AF77F5165ACA6D7D666235FED083F21CE217C074D56AC4FD54EC
Malicious:	true
Yara Hits:	Rule: JoeSecurity_XorDDoS, Description: Yara detected XorDDoS Bot, Source: /usr/bin/mbycomlghf, Author: Joe Security Rule: MALWARE_Linux_XORDDoS, Description: Detects XORDDoS, Source: /usr/bin/mbycomlghf, Author: ditekSHen
Antivirus:	Antivirus: Joe Sandbox ML, Detection: 100%
Preview:	.ELF........................4....Z......4. ...(......................I...I...............I..............Ts........................ ... ................I..............@...........Q.td........................................GNU.................U.....5...................1.^....PTRh <..h`<..QVh............U..S........[...Y..........t..~..X[.......U..S....=.....uT.....-........X......9.v...&........................9.w......t...$<h....o............[]......U..............Z..xX....t .T$..D$......D$.......$<h....q... .....t........t...$ ..............U..W.....VS.............D$......D$.......$.....E..D$.......$.........................D$......D$.......$....E..D$......D$.A.....$.................xk.D$......D$.......$.o...............v.................D$......D$..4$.\.......~........\$..D$..<$....9.t...~..4$..t&......~..<$.................[^_]..&......'....U..WVS....E..}..D$......D$.A.....$.....E.........~j.D$......D$.......$......E.....~?1.....t&...9..E.....~)..).=....~.

/usr/bin/mtxpozvnco

Download File

Process:	/tmp/xor1.o
File Type:	ELF 32-bit LSB executable, Intel 80386, version 1 (SYSV), statically linked, for GNU/Linux 2.6.9, stripped
Category:	dropped
Size (bytes):	548693
Entropy (8bit):	6.19777306375563
Encrypted:	false
SSDEEP:	12288:4Ufrcn+vwK5ripVU4tdZ1pNL/pVbz266ySjQn36Eojs:/fUywKQ7Fb1pNL/p52fjQn36Eus
MD5:	E2C161F9D0D7F462EDA76B47CE513269
SHA1:	AAD217E641D57DE73809D5B8FCBC988BC8B157ED
SHA-256:	14287A582C2CC8BD1C4FDD8EA9B8ED22F4373898CBF6BF9B7D3785FA0188A5A4
SHA-512:	9ED2E498E60778D08B4123CD24FCE8FAC9AE4E47DBFDA035D686E71226F4A8E0D0B3953EAC007F3728823407C932E21A85DCF63933D42F765998E64AA0439D05
Malicious:	true
Yara Hits:	Rule: JoeSecurity_XorDDoS, Description: Yara detected XorDDoS Bot, Source: /usr/bin/mtxpozvnco, Author: Joe Security Rule: MALWARE_Linux_XORDDoS, Description: Detects XORDDoS, Source: /usr/bin/mtxpozvnco, Author: ditekSHen
Antivirus:	Antivirus: Joe Sandbox ML, Detection: 100%
Preview:	.ELF........................4....Z......4. ...(......................I...I...............I..............Ts........................ ... ................I..............@...........Q.td........................................GNU.................U.....5...................1.^....PTRh <..h`<..QVh............U..S........[...Y..........t..~..X[.......U..S....=.....uT.....-........X......9.v...&........................9.w......t...$<h....o............[]......U..............Z..xX....t .T$..D$......D$.......$<h....q... .....t........t...$ ..............U..W.....VS.............D$......D$.......$.....E..D$.......$.........................D$......D$.......$....E..D$......D$.A.....$.................xk.D$......D$.......$.o...............v.................D$......D$..4$.\.......~........\$..D$..<$....9.t...~..4$..t&......~..<$.................[^_]..&......'....U..WVS....E..}..D$......D$.A.....$.....E.........~j.D$......D$.......$......E.....~?1.....t&...9..E.....~)..).=....~.

/usr/bin/ralgwrxppb

Download File

Process:	/tmp/xor1.o
File Type:	ELF 32-bit LSB executable, Intel 80386, version 1 (SYSV), statically linked, for GNU/Linux 2.6.9, stripped
Category:	dropped
Size (bytes):	548693
Entropy (8bit):	6.197778833034918
Encrypted:	false
SSDEEP:	12288:4Ufrcn+vwK5ripVU4tdZ1pNL/pVbz266ySjQn36EojX:/fUywKQ7Fb1pNL/p52fjQn36EuX
MD5:	E75043350A41DB4373BB9B0FA5677BC2
SHA1:	735B2660D15343EA67FB495DBBE7A80D449DA339
SHA-256:	E020E6F0128CD0C08EC2F99F01E527456C0706689D983D5232EB16F4A7D8CF74
SHA-512:	11887FC0F3F5544BAA4CB73B73052F4F66A13499CF11272D0CBA3C0C9B6613906EA2F2F3365214BD2281ED9965785E2B4E8415AA0FCC0C8E3458E74EE956520A
Malicious:	true
Yara Hits:	Rule: JoeSecurity_XorDDoS, Description: Yara detected XorDDoS Bot, Source: /usr/bin/ralgwrxppb, Author: Joe Security Rule: MALWARE_Linux_XORDDoS, Description: Detects XORDDoS, Source: /usr/bin/ralgwrxppb, Author: ditekSHen
Antivirus:	Antivirus: Joe Sandbox ML, Detection: 100%
Preview:	.ELF........................4....Z......4. ...(......................I...I...............I..............Ts........................ ... ................I..............@...........Q.td........................................GNU.................U.....5...................1.^....PTRh <..h`<..QVh............U..S........[...Y..........t..~..X[.......U..S....=.....uT.....-........X......9.v...&........................9.w......t...$<h....o............[]......U..............Z..xX....t .T$..D$......D$.......$<h....q... .....t........t...$ ..............U..W.....VS.............D$......D$.......$.....E..D$.......$.........................D$......D$.......$....E..D$......D$.A.....$.................xk.D$......D$.......$.o...............v.................D$......D$..4$.\.......~........\$..D$..<$....9.t...~..4$..t&......~..<$.................[^_]..&......'....U..WVS....E..}..D$......D$.A.....$.....E.........~j.D$......D$.......$......E.....~?1.....t&...9..E.....~)..).=....~.

/usr/bin/sqpwspsmaf

Download File

Process:	/tmp/xor1.o
File Type:	ELF 32-bit LSB executable, Intel 80386, version 1 (SYSV), statically linked, for GNU/Linux 2.6.9, stripped
Category:	dropped
Size (bytes):	548693
Entropy (8bit):	6.197787470483947
Encrypted:	false
SSDEEP:	12288:4Ufrcn+vwK5ripVU4tdZ1pNL/pVbz266ySjQn36Eoj7:/fUywKQ7Fb1pNL/p52fjQn36Eu7
MD5:	DDCA7A304042EF3365D8648DB1030C16
SHA1:	923707DE6CD71BDBB80E3EDD4CFBCFA4150A5FA9
SHA-256:	E53CE3E689B63B515984D07F89B5CCA89E9338300F14CB74B115035A2456BD75
SHA-512:	24264EFC5B0218E701B0A1FCBCC0CC5A52D34BC9D4E7EBE3891F8F253A1B6B2CCB65BA6CAD9C41C076EB0E214C97B80FE2054AA94C7FD95696BF1F4C832DABC8
Malicious:	true
Yara Hits:	Rule: JoeSecurity_XorDDoS, Description: Yara detected XorDDoS Bot, Source: /usr/bin/sqpwspsmaf, Author: Joe Security Rule: MALWARE_Linux_XORDDoS, Description: Detects XORDDoS, Source: /usr/bin/sqpwspsmaf, Author: ditekSHen
Antivirus:	Antivirus: Joe Sandbox ML, Detection: 100%
Preview:	.ELF........................4....Z......4. ...(......................I...I...............I..............Ts........................ ... ................I..............@...........Q.td........................................GNU.................U.....5...................1.^....PTRh <..h`<..QVh............U..S........[...Y..........t..~..X[.......U..S....=.....uT.....-........X......9.v...&........................9.w......t...$<h....o............[]......U..............Z..xX....t .T$..D$......D$.......$<h....q... .....t........t...$ ..............U..W.....VS.............D$......D$.......$.....E..D$.......$.........................D$......D$.......$....E..D$......D$.A.....$.................xk.D$......D$.......$.o...............v.................D$......D$..4$.\.......~........\$..D$..<$....9.t...~..4$..t&......~..<$.................[^_]..&......'....U..WVS....E..}..D$......D$.A.....$.....E.........~j.D$......D$.......$......E.....~?1.....t&...9..E.....~)..).=....~.

/usr/bin/uvefoplmkt

Download File

Process:	/tmp/xor1.o
File Type:	ELF 32-bit LSB executable, Intel 80386, version 1 (SYSV), statically linked, for GNU/Linux 2.6.9, stripped
Category:	dropped
Size (bytes):	548693
Entropy (8bit):	6.197773135683703
Encrypted:	false
SSDEEP:	12288:4Ufrcn+vwK5ripVU4tdZ1pNL/pVbz266ySjQn36Eoju:/fUywKQ7Fb1pNL/p52fjQn36Euu
MD5:	3875F293A0148FE270E22A5CB87C38DC
SHA1:	48934C1CE382A3FCA3D54DF9F13C4ECF5D2020DC
SHA-256:	CA04AB2D52811D229ECD932CE57011C9ECB146D97B6D3580CB6D75D3DC8A8D31
SHA-512:	6B8CB5F15A8BFC38D67F1C61B833AE6E4A4A4D1D2765A54D65F69CA26C746A08AB8D18B23BDA5B5243964C95412C0995408F8512B860AFF45C18811AE329B607
Malicious:	true
Yara Hits:	Rule: JoeSecurity_XorDDoS, Description: Yara detected XorDDoS Bot, Source: /usr/bin/uvefoplmkt, Author: Joe Security Rule: MALWARE_Linux_XORDDoS, Description: Detects XORDDoS, Source: /usr/bin/uvefoplmkt, Author: ditekSHen
Antivirus:	Antivirus: Joe Sandbox ML, Detection: 100%
Preview:	.ELF........................4....Z......4. ...(......................I...I...............I..............Ts........................ ... ................I..............@...........Q.td........................................GNU.................U.....5...................1.^....PTRh <..h`<..QVh............U..S........[...Y..........t..~..X[.......U..S....=.....uT.....-........X......9.v...&........................9.w......t...$<h....o............[]......U..............Z..xX....t .T$..D$......D$.......$<h....q... .....t........t...$ ..............U..W.....VS.............D$......D$.......$.....E..D$.......$.........................D$......D$.......$....E..D$......D$.A.....$.................xk.D$......D$.......$.o...............v.................D$......D$..4$.\.......~........\$..D$..<$....9.t...~..4$..t&......~..<$.................[^_]..&......'....U..WVS....E..}..D$......D$.A.....$.....E.........~j.D$......D$.......$......E.....~?1.....t&...9..E.....~)..).=....~.

/usr/bin/vdplvwquwd

Download File

Process:	/tmp/xor1.o
File Type:	ELF 32-bit LSB executable, Intel 80386, version 1 (SYSV), statically linked, for GNU/Linux 2.6.9, stripped
Category:	dropped
Size (bytes):	548693
Entropy (8bit):	6.1977788919228525
Encrypted:	false
SSDEEP:	12288:4Ufrcn+vwK5ripVU4tdZ1pNL/pVbz266ySjQn36EojO:/fUywKQ7Fb1pNL/p52fjQn36EuO
MD5:	B6AC1496F79D2C5B8959203C3ECBDC6C
SHA1:	52D5F953082E5B1D196FCB35505AD546FDF5E707
SHA-256:	44CD367586E43A5E1421239911C2E3276DA7A68F9D42379A04656F8157A58FA0
SHA-512:	7B7F0B8A4C66BDB340CEA98BF8C373C667C5D8D196E80E58DC94547D01E4A6EC59CBD4A47B7C0835394204713988FF0EE53DAEE2A7C2D56AA5ED77B80C8C5B00
Malicious:	true
Yara Hits:	Rule: JoeSecurity_XorDDoS, Description: Yara detected XorDDoS Bot, Source: /usr/bin/vdplvwquwd, Author: Joe Security Rule: MALWARE_Linux_XORDDoS, Description: Detects XORDDoS, Source: /usr/bin/vdplvwquwd, Author: ditekSHen
Antivirus:	Antivirus: Joe Sandbox ML, Detection: 100%
Preview:	.ELF........................4....Z......4. ...(......................I...I...............I..............Ts........................ ... ................I..............@...........Q.td........................................GNU.................U.....5...................1.^....PTRh <..h`<..QVh............U..S........[...Y..........t..~..X[.......U..S....=.....uT.....-........X......9.v...&........................9.w......t...$<h....o............[]......U..............Z..xX....t .T$..D$......D$.......$<h....q... .....t........t...$ ..............U..W.....VS.............D$......D$.......$.....E..D$.......$.........................D$......D$.......$....E..D$......D$.A.....$.................xk.D$......D$.......$.o...............v.................D$......D$..4$.\.......~........\$..D$..<$....9.t...~..4$..t&......~..<$.................[^_]..&......'....U..WVS....E..}..D$......D$.A.....$.....E.........~j.D$......D$.......$......E.....~?1.....t&...9..E.....~)..).=....~.

/usr/bin/wftusxulhl

Download File

Process:	/tmp/xor1.o
File Type:	ELF 32-bit LSB executable, Intel 80386, version 1 (SYSV), statically linked, missing section headers
Category:	dropped
Size (bytes):	438272
Entropy (8bit):	6.3524887571064825
Encrypted:	false
SSDEEP:	12288:4Ufrcn+vwK5ripVU4tdZ1pNL/pVbz266y2:/fUywKQ7Fb1pNL/p52V
MD5:	25B252EE7BFAE0248F71E5221681034A
SHA1:	E64273B283B275E65632F805B5A93F6C25081DFD
SHA-256:	1FD26806B5A1E1D931D7B232A98898DA41841CC0F58CA935A1696340E877D018
SHA-512:	4E585485BD324A1458828EDE496B4A728A5B84D5AD80A8DBCF4388353763EA4A40CF640A547E0CBA90AA381A13B40AEBAE1957728DC749A8B4A92C8785C6212F
Malicious:	true
Yara Hits:	Rule: JoeSecurity_XorDDoS, Description: Yara detected XorDDoS Bot, Source: /usr/bin/wftusxulhl, Author: Joe Security
Antivirus:	Antivirus: Joe Sandbox ML, Detection: 100%
Preview:	.ELF........................4....Z......4. ...(......................I...I...............I..............Ts........................ ... ................I..............@...........Q.td........................................GNU.................U.....5...................1.^....PTRh <..h`<..QVh............U..S........[...Y..........t..~..X[.......U..S....=.....uT.....-........X......9.v...&........................9.w......t...$<h....o............[]......U..............Z..xX....t .T$..D$......D$.......$<h....q... .....t........t...$ ..............U..W.....VS.............D$......D$.......$.....E..D$.......$.........................D$......D$.......$....E..D$......D$.A.....$.................xk.D$......D$.......$.o...............v.................D$......D$..4$.\.......~........\$..D$..<$....9.t...~..4$..t&......~..<$.................[^_]..&......'....U..WVS....E..}..D$......D$.A.....$.....E.........~j.D$......D$.......$......E.....~?1.....t&...9..E.....~)..).=....~.

/usr/bin/wkuqobksgz

Download File

Process:	/tmp/xor1.o
File Type:	ELF 32-bit LSB executable, Intel 80386, version 1 (SYSV), statically linked, for GNU/Linux 2.6.9, stripped
Category:	dropped
Size (bytes):	548693
Entropy (8bit):	6.197768953065288
Encrypted:	false
SSDEEP:	12288:4Ufrcn+vwK5ripVU4tdZ1pNL/pVbz266ySjQn36Eojb:/fUywKQ7Fb1pNL/p52fjQn36Eub
MD5:	109AEAF58EFEE3AC951FA24D29857C4D
SHA1:	7F3B80B3A3FA98B5469E7D4DB6330B3396541071
SHA-256:	1C971234ED26D64F2CF2693FB00A769FDA5583BC390832BEF927DE90E9FB7F84
SHA-512:	5A5CDC55D7256BAF6D0585F928BDDCF6E63A2CB72C677E6ED4C6395A38BEE7AB97164287B568458D6D5113812856836DFF1EA5418ABBD00ED34FF446D70BDBAA
Malicious:	true
Yara Hits:	Rule: JoeSecurity_XorDDoS, Description: Yara detected XorDDoS Bot, Source: /usr/bin/wkuqobksgz, Author: Joe Security Rule: MALWARE_Linux_XORDDoS, Description: Detects XORDDoS, Source: /usr/bin/wkuqobksgz, Author: ditekSHen
Antivirus:	Antivirus: Joe Sandbox ML, Detection: 100%
Preview:	.ELF........................4....Z......4. ...(......................I...I...............I..............Ts........................ ... ................I..............@...........Q.td........................................GNU.................U.....5...................1.^....PTRh <..h`<..QVh............U..S........[...Y..........t..~..X[.......U..S....=.....uT.....-........X......9.v...&........................9.w......t...$<h....o............[]......U..............Z..xX....t .T$..D$......D$.......$<h....q... .....t........t...$ ..............U..W.....VS.............D$......D$.......$.....E..D$.......$.........................D$......D$.......$....E..D$......D$.A.....$.................xk.D$......D$.......$.o...............v.................D$......D$..4$.\.......~........\$..D$..<$....9.t...~..4$..t&......~..<$.................[^_]..&......'....U..WVS....E..}..D$......D$.A.....$.....E.........~j.D$......D$.......$......E.....~?1.....t&...9..E.....~)..).=....~.

/usr/lib/libudev.so

Download File

Process:	/tmp/xor1.o
File Type:	ELF 32-bit LSB executable, Intel 80386, version 1 (SYSV), statically linked, for GNU/Linux 2.6.9, stripped
Category:	dropped
Size (bytes):	548682
Entropy (8bit):	6.19772561904544
Encrypted:	false
SSDEEP:	12288:4Ufrcn+vwK5ripVU4tdZ1pNL/pVbz266ySjQn36EojY:/fUywKQ7Fb1pNL/p52fjQn36EuY
MD5:	21C61E95827A7F9E1022E1B2FABE0386
SHA1:	4F40BD1086574C54EC0405892E16EB04133F9049
SHA-256:	DD07BBBF82AE0E39F9B431E798B368C9886CB7D8AB91FD545FA13FF64BC023F5
SHA-512:	F56AF4979B4C936DE7FEF5E3FF024132CBD3BB8F5F64E696A7DD03ED6C272C823F2340A4BA950265D5895B256F234ADEB8B71E02F4A8E4EAA1D1364475BC7469
Malicious:	true
Yara Hits:	Rule: JoeSecurity_XorDDoS, Description: Yara detected XorDDoS Bot, Source: /usr/lib/libudev.so, Author: Joe Security Rule: MALWARE_Linux_XORDDoS, Description: Detects XORDDoS, Source: /usr/lib/libudev.so, Author: ditekSHen
Antivirus:	Antivirus: Joe Sandbox ML, Detection: 100%
Preview:	.ELF........................4....Z......4. ...(......................I...I...............I..............Ts........................ ... ................I..............@...........Q.td........................................GNU.................U.....5...................1.^....PTRh <..h`<..QVh............U..S........[...Y..........t..~..X[.......U..S....=.....uT.....-........X......9.v...&........................9.w......t...$<h....o............[]......U..............Z..xX....t .T$..D$......D$.......$<h....q... .....t........t...$ ..............U..W.....VS.............D$......D$.......$.....E..D$.......$.........................D$......D$.......$....E..D$......D$.A.....$.................xk.D$......D$.......$.o...............v.................D$......D$..4$.\.......~........\$..D$..<$....9.t...~..4$..t&......~..<$.................[^_]..&......'....U..WVS....E..}..D$......D$.A.....$.....E.........~j.D$......D$.......$......E.....~?1.....t&...9..E.....~)..).=....~.

Static File Info

General

File type:	ELF 32-bit LSB executable, Intel 80386, version 1 (SYSV), statically linked, for GNU/Linux 2.6.9, stripped
Entropy (8bit):	6.19772561904544
TrID:	ELF Executable and Linkable format (Linux) (4029/14) 50.16% ELF Executable and Linkable format (generic) (4004/1) 49.84%
File name:	xor1.o
File size:	548682
MD5:	21c61e95827a7f9e1022e1b2fabe0386
SHA1:	4f40bd1086574c54ec0405892e16eb04133f9049
SHA256:	dd07bbbf82ae0e39f9b431e798b368c9886cb7d8ab91fd545fa13ff64bc023f5
SHA512:	f56af4979b4c936de7fef5e3ff024132cbd3bb8f5f64e696a7dd03ed6c272c823f2340a4ba950265d5895b256f234adeb8b71e02f4a8e4eaa1d1364475bc7469
SSDEEP:	12288:4Ufrcn+vwK5ripVU4tdZ1pNL/pVbz266ySjQn36EojY:/fUywKQ7Fb1pNL/p52fjQn36EuY
TLSH:	6CC45C56E283E2F7C82705B0134BF7BF4620B6359461CD86B7989D5AB9338F22A4D353
File Content Preview:	.ELF........................4....Z......4. ...(......................I...I...............I..............Ts.......................... ... ................I..............@...........Q.td........................................GNU.................U......5...

Static ELF Info

ELF header
Class:	ELF32
Data:	2's complement, little endian
Version:	1 (current)
Machine:	Intel 80386
Version Number:	0x1
Type:	EXEC (Executable file)
OS/ABI:	UNIX - System V
ABI Version:	0
Entry Point Address:	0x8048110
Flags:	0x0
ELF Header Size:	52
Program Header Offset:	52
Program Header Size:	32
Number of Program Headers:	5
Section Header Offset:	547576
Section Header Size:	40
Number of Section Headers:	26
Header String Table Index:	25

Sections

Name	Type	Address	Offset	Size	EntSize	Flags	Flags Description	Align
	NULL	0x0	0x0	0x0	0x0	0x0		0
.note.ABI-tag	NOTE	0x80480d4	0xd4	0x20	0x0	0x2	A	4
.init	PROGBITS	0x80480f4	0xf4	0x17	0x0	0x6	AX	4
.text	PROGBITS	0x8048110	0x110	0x681f8	0x0	0x6	AX	16
__libc_freeres_fn	PROGBITS	0x80b0310	0x68310	0x100f	0x0	0x6	AX	16
__libc_thread_freeres_fn	PROGBITS	0x80b1320	0x69320	0x1db	0x0	0x6	AX	16
.fini	PROGBITS	0x80b14fc	0x694fc	0x1c	0x0	0x6	AX	4
.rodata	PROGBITS	0x80b1520	0x69520	0x152e0	0x0	0x2	A	32
__libc_subfreeres	PROGBITS	0x80c6800	0x7e800	0x30	0x0	0x2	A	4
__libc_atexit	PROGBITS	0x80c6830	0x7e830	0x4	0x0	0x2	A	4
__libc_thread_subfreeres	PROGBITS	0x80c6834	0x7e834	0x8	0x0	0x2	A	4
.eh_frame	PROGBITS	0x80c683c	0x7e83c	0x60a0	0x0	0x2	A	4
.gcc_except_table	PROGBITS	0x80cc8dc	0x848dc	0x11b	0x0	0x2	A	1
.tdata	PROGBITS	0x80cd9f8	0x849f8	0x14	0x0	0x403	WAT	4
.tbss	NOBITS	0x80cda0c	0x84a0c	0x2c	0x0	0x403	WAT	4
.ctors	PROGBITS	0x80cda0c	0x84a0c	0x8	0x0	0x3	WA	4
.dtors	PROGBITS	0x80cda14	0x84a14	0xc	0x0	0x3	WA	4
.jcr	PROGBITS	0x80cda20	0x84a20	0x4	0x0	0x3	WA	4
.data.rel.ro	PROGBITS	0x80cda24	0x84a24	0x2c	0x0	0x3	WA	4
.got	PROGBITS	0x80cda50	0x84a50	0x8	0x4	0x3	WA	4
.got.plt	PROGBITS	0x80cda58	0x84a58	0xc	0x4	0x3	WA	4
.data	PROGBITS	0x80cda80	0x84a80	0xb40	0x0	0x3	WA	32
.bss	NOBITS	0x80ce5c0	0x855c0	0x6778	0x0	0x3	WA	32
__libc_freeres_ptrs	NOBITS	0x80d4d38	0x855c0	0x14	0x0	0x3	WA	4
.comment	PROGBITS	0x0	0x855c0	0x422	0x0	0x0		1
.shstrtab	STRTAB	0x0	0x859e2	0x116	0x0	0x0		1

Program Segments

Type	Offset	Virtual Address	Physical Address	File Size	Memory Size	Entropy	Flags	Flags Description	Align	Section Mappings
LOAD	0x0	0x8048000	0x8048000	0x849f7	0x849f7	3.3550	0x5	R E	0x1000	.note.ABI-tag .init .text __libc_freeres_fn __libc_thread_freeres_fn .fini .rodata __libc_subfreeres __libc_atexit __libc_thread_subfreeres .eh_frame .gcc_except_table
LOAD	0x849f8	0x80cd9f8	0x80cd9f8	0xbc8	0x7354	2.9013	0x6	RW	0x1000	.ctors .dtors .jcr .data.rel.ro .got .got.plt .data .bss __libc_freeres_ptrs
NOTE	0xd4	0x80480d4	0x80480d4	0x20	0x20	1.7487	0x4	R	0x4	.note.ABI-tag
TLS	0x849f8	0x80cd9f8	0x80cd9f8	0x14	0x40	1.6127	0x4	R	0x4
GNU_STACK	0x0	0x0	0x0	0x0	0x0	0.0000	0x6	RW	0x4

Network Behavior

Snort IDS Alerts

Timestamp	Protocol	SID	Message	Source Port	Dest Port	Source IP	Dest IP
04/15/22-22:07:22.981738	UDP	2021326	ET TROJAN Likely Linux/Xorddos.F DDoS Attack Participation (aa.hostasa.org)	40274	53	192.168.2.23	8.8.8.8
04/15/22-22:07:23.008324	UDP	2021326	ET TROJAN Likely Linux/Xorddos.F DDoS Attack Participation (aa.hostasa.org)	39319	53	192.168.2.23	8.8.4.4
04/15/22-22:07:23.026793	UDP	2021326	ET TROJAN Likely Linux/Xorddos.F DDoS Attack Participation (aa.hostasa.org)	51721	53	192.168.2.23	1.1.1.1
04/15/22-22:07:28.159260	TCP	2020381	ET TROJAN DDoS.XOR Checkin	40610	1522	192.168.2.23	54.36.15.99

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Apr 15, 2022 22:07:22.807842016 CEST	42516	80	192.168.2.23	109.202.202.202
Apr 15, 2022 22:07:22.807849884 CEST	42836	443	192.168.2.23	91.189.91.43
Apr 15, 2022 22:07:23.012157917 CEST	43056	1522	192.168.2.23	176.31.91.137
Apr 15, 2022 22:07:24.019870043 CEST	43056	1522	192.168.2.23	176.31.91.137
Apr 15, 2022 22:07:26.035757065 CEST	43056	1522	192.168.2.23	176.31.91.137
Apr 15, 2022 22:07:28.034655094 CEST	40610	1522	192.168.2.23	54.36.15.99
Apr 15, 2022 22:07:28.063316107 CEST	1522	40610	54.36.15.99	192.168.2.23
Apr 15, 2022 22:07:28.063577890 CEST	40610	1522	192.168.2.23	54.36.15.99
Apr 15, 2022 22:07:28.079313040 CEST	40610	1522	192.168.2.23	54.36.15.99
Apr 15, 2022 22:07:28.159104109 CEST	1522	40610	54.36.15.99	192.168.2.23
Apr 15, 2022 22:07:28.159260035 CEST	40610	1522	192.168.2.23	54.36.15.99
Apr 15, 2022 22:07:28.187530041 CEST	1522	40610	54.36.15.99	192.168.2.23
Apr 15, 2022 22:07:28.187675953 CEST	40610	1522	192.168.2.23	54.36.15.99
Apr 15, 2022 22:07:38.222968102 CEST	1522	40610	54.36.15.99	192.168.2.23
Apr 15, 2022 22:07:38.223155022 CEST	40610	1522	192.168.2.23	54.36.15.99
Apr 15, 2022 22:07:38.419576883 CEST	43928	443	192.168.2.23	91.189.91.42
Apr 15, 2022 22:07:48.255340099 CEST	1522	40610	54.36.15.99	192.168.2.23
Apr 15, 2022 22:07:48.255438089 CEST	40610	1522	192.168.2.23	54.36.15.99
Apr 15, 2022 22:07:48.659287930 CEST	42836	443	192.168.2.23	91.189.91.43
Apr 15, 2022 22:07:49.349942923 CEST	1522	40610	54.36.15.99	192.168.2.23
Apr 15, 2022 22:07:49.350150108 CEST	40610	1522	192.168.2.23	54.36.15.99
Apr 15, 2022 22:07:52.755321026 CEST	42516	80	192.168.2.23	109.202.202.202
Apr 15, 2022 22:07:59.382303953 CEST	1522	40610	54.36.15.99	192.168.2.23
Apr 15, 2022 22:07:59.382471085 CEST	40610	1522	192.168.2.23	54.36.15.99
Apr 15, 2022 22:08:09.414078951 CEST	1522	40610	54.36.15.99	192.168.2.23
Apr 15, 2022 22:08:09.414248943 CEST	40610	1522	192.168.2.23	54.36.15.99
Apr 15, 2022 22:08:19.378810883 CEST	43928	443	192.168.2.23	91.189.91.42
Apr 15, 2022 22:08:19.433016062 CEST	1522	40610	54.36.15.99	192.168.2.23
Apr 15, 2022 22:08:19.433181047 CEST	40610	1522	192.168.2.23	54.36.15.99
Apr 15, 2022 22:08:24.403213978 CEST	1522	40610	54.36.15.99	192.168.2.23
Apr 15, 2022 22:08:24.403276920 CEST	40610	1522	192.168.2.23	54.36.15.99
Apr 15, 2022 22:08:34.434645891 CEST	1522	40610	54.36.15.99	192.168.2.23
Apr 15, 2022 22:08:34.434812069 CEST	40610	1522	192.168.2.23	54.36.15.99
Apr 15, 2022 22:08:39.858331919 CEST	42836	443	192.168.2.23	91.189.91.43
Apr 15, 2022 22:08:44.483537912 CEST	1522	40610	54.36.15.99	192.168.2.23
Apr 15, 2022 22:08:44.483766079 CEST	40610	1522	192.168.2.23	54.36.15.99
Apr 15, 2022 22:08:54.517086983 CEST	1522	40610	54.36.15.99	192.168.2.23
Apr 15, 2022 22:08:54.517299891 CEST	40610	1522	192.168.2.23	54.36.15.99
Apr 15, 2022 22:08:59.456912994 CEST	1522	40610	54.36.15.99	192.168.2.23
Apr 15, 2022 22:08:59.457145929 CEST	40610	1522	192.168.2.23	54.36.15.99
Apr 15, 2022 22:09:09.487425089 CEST	1522	40610	54.36.15.99	192.168.2.23
Apr 15, 2022 22:09:09.487606049 CEST	40610	1522	192.168.2.23	54.36.15.99
Apr 15, 2022 22:09:19.535619020 CEST	1522	40610	54.36.15.99	192.168.2.23
Apr 15, 2022 22:09:19.535778999 CEST	40610	1522	192.168.2.23	54.36.15.99

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Apr 15, 2022 22:07:22.981738091 CEST	40274	53	192.168.2.23	8.8.8.8
Apr 15, 2022 22:07:22.993216991 CEST	50845	53	192.168.2.23	8.8.8.8
Apr 15, 2022 22:07:23.008079052 CEST	53	40274	8.8.8.8	192.168.2.23
Apr 15, 2022 22:07:23.008323908 CEST	39319	53	192.168.2.23	8.8.4.4
Apr 15, 2022 22:07:23.011925936 CEST	53	50845	8.8.8.8	192.168.2.23
Apr 15, 2022 22:07:23.026202917 CEST	53	39319	8.8.4.4	192.168.2.23
Apr 15, 2022 22:07:23.026793003 CEST	51721	53	192.168.2.23	1.1.1.1
Apr 15, 2022 22:07:23.045537949 CEST	53	51721	1.1.1.1	192.168.2.23
Apr 15, 2022 22:07:23.045782089 CEST	51721	53	192.168.2.23	1.1.1.1
Apr 15, 2022 22:07:23.062870979 CEST	53	51721	1.1.1.1	192.168.2.23
Apr 15, 2022 22:07:28.017288923 CEST	39221	53	192.168.2.23	8.8.8.8
Apr 15, 2022 22:07:28.034219980 CEST	53	39221	8.8.8.8	192.168.2.23

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class
Apr 15, 2022 22:07:22.981738091 CEST	192.168.2.23	8.8.8.8	0x5571	Standard query (0)	aa.hostasa.org	A (IP address)	IN (0x0001)
Apr 15, 2022 22:07:22.993216991 CEST	192.168.2.23	8.8.8.8	0x52c1	Standard query (0)	ppp.gggatat456.com	A (IP address)	IN (0x0001)
Apr 15, 2022 22:07:23.008323908 CEST	192.168.2.23	8.8.4.4	0xd7e6	Standard query (0)	aa.hostasa.org	A (IP address)	IN (0x0001)
Apr 15, 2022 22:07:23.026793003 CEST	192.168.2.23	1.1.1.1	0xcee4	Standard query (0)	aa.hostasa.org	A (IP address)	IN (0x0001)
Apr 15, 2022 22:07:23.045782089 CEST	192.168.2.23	1.1.1.1	0xcee4	Standard query (0)	aa.hostasa.org	A (IP address)	IN (0x0001)
Apr 15, 2022 22:07:28.017288923 CEST	192.168.2.23	8.8.8.8	0x5c9	Standard query (0)	www1.gggatat456.com	A (IP address)	IN (0x0001)

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class
Apr 15, 2022 22:07:23.008079052 CEST	8.8.8.8	192.168.2.23	0x5571	Name error (3)	aa.hostasa.org	none	none	A (IP address)	IN (0x0001)
Apr 15, 2022 22:07:23.011925936 CEST	8.8.8.8	192.168.2.23	0x52c1	No error (0)	ppp.gggatat456.com		176.31.91.137	A (IP address)	IN (0x0001)
Apr 15, 2022 22:07:23.011925936 CEST	8.8.8.8	192.168.2.23	0x52c1	No error (0)	ppp.gggatat456.com		54.36.145.106	A (IP address)	IN (0x0001)
Apr 15, 2022 22:07:23.011925936 CEST	8.8.8.8	192.168.2.23	0x52c1	No error (0)	ppp.gggatat456.com		54.36.15.97	A (IP address)	IN (0x0001)
Apr 15, 2022 22:07:23.011925936 CEST	8.8.8.8	192.168.2.23	0x52c1	No error (0)	ppp.gggatat456.com		79.137.1.133	A (IP address)	IN (0x0001)
Apr 15, 2022 22:07:23.011925936 CEST	8.8.8.8	192.168.2.23	0x52c1	No error (0)	ppp.gggatat456.com		54.36.145.104	A (IP address)	IN (0x0001)
Apr 15, 2022 22:07:23.011925936 CEST	8.8.8.8	192.168.2.23	0x52c1	No error (0)	ppp.gggatat456.com		54.36.15.99	A (IP address)	IN (0x0001)
Apr 15, 2022 22:07:23.026202917 CEST	8.8.4.4	192.168.2.23	0xd7e6	Name error (3)	aa.hostasa.org	none	none	A (IP address)	IN (0x0001)
Apr 15, 2022 22:07:23.045537949 CEST	1.1.1.1	192.168.2.23	0xcee4	Name error (3)	aa.hostasa.org	none	none	A (IP address)	IN (0x0001)
Apr 15, 2022 22:07:23.062870979 CEST	1.1.1.1	192.168.2.23	0xcee4	Name error (3)	aa.hostasa.org	none	none	A (IP address)	IN (0x0001)
Apr 15, 2022 22:07:28.034219980 CEST	8.8.8.8	192.168.2.23	0x5c9	No error (0)	www1.gggatat456.com		54.36.15.99	A (IP address)	IN (0x0001)

System Behavior

Analysis Process: xor1.o PID: 5224, Parent PID: 5119

General

Start time:	22:07:21
Start date:	15/04/2022
Path:	/tmp/xor1.o
Arguments:	/tmp/xor1.o
File size:	548682 bytes
MD5 hash:	21c61e95827a7f9e1022e1b2fabe0386

Chronological Activities

Analysis Process: xor1.o PID: 5225, Parent PID: 5224

General

Start time:	22:07:21
Start date:	15/04/2022
Path:	/tmp/xor1.o
Arguments:	n/a
File size:	548682 bytes
MD5 hash:	21c61e95827a7f9e1022e1b2fabe0386

Chronological Activities

Analysis Process: xor1.o PID: 5226, Parent PID: 5225

General

Start time:	22:07:22
Start date:	15/04/2022
Path:	/tmp/xor1.o
Arguments:	n/a
File size:	548682 bytes
MD5 hash:	21c61e95827a7f9e1022e1b2fabe0386

Chronological Activities

Analysis Process: xor1.o PID: 5227, Parent PID: 5226

General

Start time:	22:07:22
Start date:	15/04/2022
Path:	/tmp/xor1.o
Arguments:	n/a
File size:	548682 bytes
MD5 hash:	21c61e95827a7f9e1022e1b2fabe0386

Chronological Activities

Analysis Process: xor1.o PID: 5228, Parent PID: 5225

General

Start time:	22:07:22
Start date:	15/04/2022
Path:	/tmp/xor1.o
Arguments:	n/a
File size:	548682 bytes
MD5 hash:	21c61e95827a7f9e1022e1b2fabe0386

Chronological Activities

Analysis Process: xor1.o PID: 5229, Parent PID: 5228

General

Start time:	22:07:22
Start date:	15/04/2022
Path:	/tmp/xor1.o
Arguments:	n/a
File size:	548682 bytes
MD5 hash:	21c61e95827a7f9e1022e1b2fabe0386

Chronological Activities

Analysis Process: update-rc.d PID: 5229, Parent PID: 1860

General

Start time:	22:07:22
Start date:	15/04/2022
Path:	/sbin/update-rc.d
Arguments:	update-rc.d xor1.o defaults
File size:	3478464 bytes
MD5 hash:	16a21f464119ea7fad1d3660de963637

Chronological Activities

Analysis Process: update-rc.d PID: 5235, Parent PID: 5229

General

Start time:	22:07:22
Start date:	15/04/2022
Path:	/sbin/update-rc.d
Arguments:	n/a
File size:	3478464 bytes
MD5 hash:	16a21f464119ea7fad1d3660de963637

Chronological Activities

Analysis Process: systemctl PID: 5235, Parent PID: 5229

General

Start time:	22:07:22
Start date:	15/04/2022
Path:	/bin/systemctl
Arguments:	systemctl daemon-reload
File size:	996584 bytes
MD5 hash:	4deddfb6741481f68aeac522cc26ff4b

Chronological Activities

Analysis Process: xor1.o PID: 5230, Parent PID: 5225

General

Start time:	22:07:22
Start date:	15/04/2022
Path:	/tmp/xor1.o
Arguments:	n/a
File size:	548682 bytes
MD5 hash:	21c61e95827a7f9e1022e1b2fabe0386

Chronological Activities

Analysis Process: sh PID: 5230, Parent PID: 5225

General

Start time:	22:07:22
Start date:	15/04/2022
Path:	/bin/sh
Arguments:	sh -c "sed -i '/\\/etc\\/cron.hourly\\/gcc.sh/d' /etc/crontab && echo '/3 * * * root /etc/cron.hourly/gcc.sh' >> /etc/crontab"
File size:	129816 bytes
MD5 hash:	1e6b1c887c59a315edb7eb9a315fc84c

Chronological Activities

Analysis Process: sh PID: 5231, Parent PID: 5230

General

Start time:	22:07:22
Start date:	15/04/2022
Path:	/bin/sh
Arguments:	n/a
File size:	129816 bytes
MD5 hash:	1e6b1c887c59a315edb7eb9a315fc84c

Chronological Activities

Analysis Process: sed PID: 5231, Parent PID: 5230

General

Start time:	22:07:22
Start date:	15/04/2022
Path:	/bin/sed
Arguments:	sed -i /\\/etc\\/cron.hourly\\/gcc.sh/d /etc/crontab
File size:	121288 bytes
MD5 hash:	885062561f66aa1d4af4c54b9e7cc81a

Chronological Activities

Analysis Process: xor1.o PID: 5263, Parent PID: 5225

General

Start time:	22:07:27
Start date:	15/04/2022
Path:	/tmp/xor1.o
Arguments:	n/a
File size:	548682 bytes
MD5 hash:	21c61e95827a7f9e1022e1b2fabe0386

Chronological Activities

Analysis Process: xor1.o PID: 5264, Parent PID: 5263

General

Start time:	22:07:27
Start date:	15/04/2022
Path:	/tmp/xor1.o
Arguments:	n/a
File size:	548682 bytes
MD5 hash:	21c61e95827a7f9e1022e1b2fabe0386

Chronological Activities

Analysis Process: mbycomlghf PID: 5264, Parent PID: 5263

General

Start time:	22:07:27
Start date:	15/04/2022
Path:	/usr/bin/mbycomlghf
Arguments:	/usr/bin/mbycomlghf "ifconfig eth0" 5225
File size:	548693 bytes
MD5 hash:	266e022987ca9cb84b7041ccab5f462c

Chronological Activities

Analysis Process: mbycomlghf PID: 5265, Parent PID: 5264

General

Start time:	22:07:27
Start date:	15/04/2022
Path:	/usr/bin/mbycomlghf
Arguments:	n/a
File size:	548693 bytes
MD5 hash:	266e022987ca9cb84b7041ccab5f462c

Chronological Activities

Analysis Process: xor1.o PID: 5266, Parent PID: 5225

General

Start time:	22:07:27
Start date:	15/04/2022
Path:	/tmp/xor1.o
Arguments:	n/a
File size:	548682 bytes
MD5 hash:	21c61e95827a7f9e1022e1b2fabe0386

Chronological Activities

Analysis Process: xor1.o PID: 5267, Parent PID: 5266

General

Start time:	22:07:27
Start date:	15/04/2022
Path:	/tmp/xor1.o
Arguments:	n/a
File size:	548682 bytes
MD5 hash:	21c61e95827a7f9e1022e1b2fabe0386

Chronological Activities

Analysis Process: mbycomlghf PID: 5267, Parent PID: 5266

General

Start time:	22:07:27
Start date:	15/04/2022
Path:	/usr/bin/mbycomlghf
Arguments:	/usr/bin/mbycomlghf "netstat -antop" 5225
File size:	548693 bytes
MD5 hash:	266e022987ca9cb84b7041ccab5f462c

Chronological Activities

Analysis Process: mbycomlghf PID: 5272, Parent PID: 5267

General

Start time:	22:07:28
Start date:	15/04/2022
Path:	/usr/bin/mbycomlghf
Arguments:	n/a
File size:	548693 bytes
MD5 hash:	266e022987ca9cb84b7041ccab5f462c

Chronological Activities

Analysis Process: xor1.o PID: 5268, Parent PID: 5225

General

Start time:	22:07:27
Start date:	15/04/2022
Path:	/tmp/xor1.o
Arguments:	n/a
File size:	548682 bytes
MD5 hash:	21c61e95827a7f9e1022e1b2fabe0386

Chronological Activities

Analysis Process: xor1.o PID: 5269, Parent PID: 5268

General

Start time:	22:07:27
Start date:	15/04/2022
Path:	/tmp/xor1.o
Arguments:	n/a
File size:	548682 bytes
MD5 hash:	21c61e95827a7f9e1022e1b2fabe0386

Chronological Activities

Analysis Process: mbycomlghf PID: 5269, Parent PID: 5268

General

Start time:	22:07:27
Start date:	15/04/2022
Path:	/usr/bin/mbycomlghf
Arguments:	/usr/bin/mbycomlghf who 5225
File size:	548693 bytes
MD5 hash:	266e022987ca9cb84b7041ccab5f462c

Chronological Activities

Analysis Process: mbycomlghf PID: 5274, Parent PID: 5269

General

Start time:	22:07:28
Start date:	15/04/2022
Path:	/usr/bin/mbycomlghf
Arguments:	n/a
File size:	548693 bytes
MD5 hash:	266e022987ca9cb84b7041ccab5f462c

Chronological Activities

Analysis Process: xor1.o PID: 5270, Parent PID: 5225

General

Start time:	22:07:27
Start date:	15/04/2022
Path:	/tmp/xor1.o
Arguments:	n/a
File size:	548682 bytes
MD5 hash:	21c61e95827a7f9e1022e1b2fabe0386

Chronological Activities

Analysis Process: xor1.o PID: 5271, Parent PID: 5270

General

Start time:	22:07:27
Start date:	15/04/2022
Path:	/tmp/xor1.o
Arguments:	n/a
File size:	548682 bytes
MD5 hash:	21c61e95827a7f9e1022e1b2fabe0386

Chronological Activities

Analysis Process: mbycomlghf PID: 5271, Parent PID: 5270

General

Start time:	22:07:27
Start date:	15/04/2022
Path:	/usr/bin/mbycomlghf
Arguments:	/usr/bin/mbycomlghf "echo \"find\"" 5225
File size:	548693 bytes
MD5 hash:	266e022987ca9cb84b7041ccab5f462c

Chronological Activities

Analysis Process: mbycomlghf PID: 5276, Parent PID: 5271

General

Start time:	22:07:28
Start date:	15/04/2022
Path:	/usr/bin/mbycomlghf
Arguments:	n/a
File size:	548693 bytes
MD5 hash:	266e022987ca9cb84b7041ccab5f462c

Chronological Activities

Analysis Process: xor1.o PID: 5273, Parent PID: 5225

General

Start time:	22:07:28
Start date:	15/04/2022
Path:	/tmp/xor1.o
Arguments:	n/a
File size:	548682 bytes
MD5 hash:	21c61e95827a7f9e1022e1b2fabe0386

Chronological Activities

Analysis Process: xor1.o PID: 5275, Parent PID: 5273

General

Start time:	22:07:28
Start date:	15/04/2022
Path:	/tmp/xor1.o
Arguments:	n/a
File size:	548682 bytes
MD5 hash:	21c61e95827a7f9e1022e1b2fabe0386

Chronological Activities

Analysis Process: mbycomlghf PID: 5275, Parent PID: 5273

General

Start time:	22:07:28
Start date:	15/04/2022
Path:	/usr/bin/mbycomlghf
Arguments:	/usr/bin/mbycomlghf uptime 5225
File size:	548693 bytes
MD5 hash:	266e022987ca9cb84b7041ccab5f462c

Chronological Activities

Analysis Process: mbycomlghf PID: 5277, Parent PID: 5275

General

Start time:	22:07:29
Start date:	15/04/2022
Path:	/usr/bin/mbycomlghf
Arguments:	n/a
File size:	548693 bytes
MD5 hash:	266e022987ca9cb84b7041ccab5f462c

Chronological Activities

Analysis Process: xor1.o PID: 5281, Parent PID: 5225

General

Start time:	22:07:33
Start date:	15/04/2022
Path:	/tmp/xor1.o
Arguments:	n/a
File size:	548682 bytes
MD5 hash:	21c61e95827a7f9e1022e1b2fabe0386

Chronological Activities

Analysis Process: xor1.o PID: 5282, Parent PID: 5281

General

Start time:	22:07:33
Start date:	15/04/2022
Path:	/tmp/xor1.o
Arguments:	n/a
File size:	548682 bytes
MD5 hash:	21c61e95827a7f9e1022e1b2fabe0386

Chronological Activities

Analysis Process: wkuqobksgz PID: 5282, Parent PID: 5281

General

Start time:	22:07:33
Start date:	15/04/2022
Path:	/usr/bin/wkuqobksgz
Arguments:	/usr/bin/wkuqobksgz su 5225
File size:	548693 bytes
MD5 hash:	109aeaf58efee3ac951fa24d29857c4d

Chronological Activities

Analysis Process: wkuqobksgz PID: 5283, Parent PID: 5282

General

Start time:	22:07:33
Start date:	15/04/2022
Path:	/usr/bin/wkuqobksgz
Arguments:	n/a
File size:	548693 bytes
MD5 hash:	109aeaf58efee3ac951fa24d29857c4d

Chronological Activities

Analysis Process: xor1.o PID: 5284, Parent PID: 5225

General

Start time:	22:07:34
Start date:	15/04/2022
Path:	/tmp/xor1.o
Arguments:	n/a
File size:	548682 bytes
MD5 hash:	21c61e95827a7f9e1022e1b2fabe0386

Chronological Activities

Analysis Process: xor1.o PID: 5285, Parent PID: 5284

General

Start time:	22:07:34
Start date:	15/04/2022
Path:	/tmp/xor1.o
Arguments:	n/a
File size:	548682 bytes
MD5 hash:	21c61e95827a7f9e1022e1b2fabe0386

Chronological Activities

Analysis Process: wkuqobksgz PID: 5285, Parent PID: 5284

General

Start time:	22:07:34
Start date:	15/04/2022
Path:	/usr/bin/wkuqobksgz
Arguments:	/usr/bin/wkuqobksgz "echo \"find\"" 5225
File size:	548693 bytes
MD5 hash:	109aeaf58efee3ac951fa24d29857c4d

Chronological Activities

Analysis Process: wkuqobksgz PID: 5288, Parent PID: 5285

General

Start time:	22:07:34
Start date:	15/04/2022
Path:	/usr/bin/wkuqobksgz
Arguments:	n/a
File size:	548693 bytes
MD5 hash:	109aeaf58efee3ac951fa24d29857c4d

Chronological Activities

Analysis Process: xor1.o PID: 5286, Parent PID: 5225

General

Start time:	22:07:34
Start date:	15/04/2022
Path:	/tmp/xor1.o
Arguments:	n/a
File size:	548682 bytes
MD5 hash:	21c61e95827a7f9e1022e1b2fabe0386

Chronological Activities

Analysis Process: xor1.o PID: 5287, Parent PID: 5286

General

Start time:	22:07:34
Start date:	15/04/2022
Path:	/tmp/xor1.o
Arguments:	n/a
File size:	548682 bytes
MD5 hash:	21c61e95827a7f9e1022e1b2fabe0386

Chronological Activities

Analysis Process: wkuqobksgz PID: 5287, Parent PID: 5286

General

Start time:	22:07:34
Start date:	15/04/2022
Path:	/usr/bin/wkuqobksgz
Arguments:	/usr/bin/wkuqobksgz "ifconfig eth0" 5225
File size:	548693 bytes
MD5 hash:	109aeaf58efee3ac951fa24d29857c4d

Chronological Activities

Analysis Process: wkuqobksgz PID: 5293, Parent PID: 5287

General

Start time:	22:07:35
Start date:	15/04/2022
Path:	/usr/bin/wkuqobksgz
Arguments:	n/a
File size:	548693 bytes
MD5 hash:	109aeaf58efee3ac951fa24d29857c4d

Chronological Activities

Analysis Process: xor1.o PID: 5289, Parent PID: 5225

General

Start time:	22:07:34
Start date:	15/04/2022
Path:	/tmp/xor1.o
Arguments:	n/a
File size:	548682 bytes
MD5 hash:	21c61e95827a7f9e1022e1b2fabe0386

Chronological Activities

Analysis Process: xor1.o PID: 5290, Parent PID: 5289

General

Start time:	22:07:34
Start date:	15/04/2022
Path:	/tmp/xor1.o
Arguments:	n/a
File size:	548682 bytes
MD5 hash:	21c61e95827a7f9e1022e1b2fabe0386

Chronological Activities

Analysis Process: wkuqobksgz PID: 5290, Parent PID: 5289

General

Start time:	22:07:34
Start date:	15/04/2022
Path:	/usr/bin/wkuqobksgz
Arguments:	/usr/bin/wkuqobksgz "netstat -an" 5225
File size:	548693 bytes
MD5 hash:	109aeaf58efee3ac951fa24d29857c4d

Chronological Activities

Analysis Process: wkuqobksgz PID: 5296, Parent PID: 5290

General

Start time:	22:07:36
Start date:	15/04/2022
Path:	/usr/bin/wkuqobksgz
Arguments:	n/a
File size:	548693 bytes
MD5 hash:	109aeaf58efee3ac951fa24d29857c4d

Chronological Activities

Analysis Process: xor1.o PID: 5291, Parent PID: 5225

General

Start time:	22:07:35
Start date:	15/04/2022
Path:	/tmp/xor1.o
Arguments:	n/a
File size:	548682 bytes
MD5 hash:	21c61e95827a7f9e1022e1b2fabe0386

Chronological Activities

Analysis Process: xor1.o PID: 5292, Parent PID: 5291

General

Start time:	22:07:35
Start date:	15/04/2022
Path:	/tmp/xor1.o
Arguments:	n/a
File size:	548682 bytes
MD5 hash:	21c61e95827a7f9e1022e1b2fabe0386

Chronological Activities

Analysis Process: wkuqobksgz PID: 5292, Parent PID: 5291

General

Start time:	22:07:35
Start date:	15/04/2022
Path:	/usr/bin/wkuqobksgz
Arguments:	/usr/bin/wkuqobksgz "cd /etc" 5225
File size:	548693 bytes
MD5 hash:	109aeaf58efee3ac951fa24d29857c4d

Chronological Activities

Analysis Process: wkuqobksgz PID: 5297, Parent PID: 5292

General

Start time:	22:07:36
Start date:	15/04/2022
Path:	/usr/bin/wkuqobksgz
Arguments:	n/a
File size:	548693 bytes
MD5 hash:	109aeaf58efee3ac951fa24d29857c4d

Chronological Activities

Analysis Process: xor1.o PID: 5300, Parent PID: 5225

General

Start time:	22:07:41
Start date:	15/04/2022
Path:	/tmp/xor1.o
Arguments:	n/a
File size:	548682 bytes
MD5 hash:	21c61e95827a7f9e1022e1b2fabe0386

Chronological Activities

Analysis Process: xor1.o PID: 5301, Parent PID: 5300

General

Start time:	22:07:41
Start date:	15/04/2022
Path:	/tmp/xor1.o
Arguments:	n/a
File size:	548682 bytes
MD5 hash:	21c61e95827a7f9e1022e1b2fabe0386

Chronological Activities

Analysis Process: cglyyshjyz PID: 5301, Parent PID: 5300

General

Start time:	22:07:41
Start date:	15/04/2022
Path:	/usr/bin/cglyyshjyz
Arguments:	/usr/bin/cglyyshjyz ls 5225
File size:	548693 bytes
MD5 hash:	3ba7870dc238c8ced74411e69ce14b0a

Chronological Activities

Analysis Process: cglyyshjyz PID: 5302, Parent PID: 5301

General

Start time:	22:07:41
Start date:	15/04/2022
Path:	/usr/bin/cglyyshjyz
Arguments:	n/a
File size:	548693 bytes
MD5 hash:	3ba7870dc238c8ced74411e69ce14b0a

Chronological Activities

Analysis Process: xor1.o PID: 5303, Parent PID: 5225

General

Start time:	22:07:41
Start date:	15/04/2022
Path:	/tmp/xor1.o
Arguments:	n/a
File size:	548682 bytes
MD5 hash:	21c61e95827a7f9e1022e1b2fabe0386

Chronological Activities

Analysis Process: xor1.o PID: 5304, Parent PID: 5303

General

Start time:	22:07:41
Start date:	15/04/2022
Path:	/tmp/xor1.o
Arguments:	n/a
File size:	548682 bytes
MD5 hash:	21c61e95827a7f9e1022e1b2fabe0386

Chronological Activities

Analysis Process: cglyyshjyz PID: 5304, Parent PID: 5303

General

Start time:	22:07:41
Start date:	15/04/2022
Path:	/usr/bin/cglyyshjyz
Arguments:	/usr/bin/cglyyshjyz uptime 5225
File size:	548693 bytes
MD5 hash:	3ba7870dc238c8ced74411e69ce14b0a

Chronological Activities

Analysis Process: cglyyshjyz PID: 5307, Parent PID: 5304

General

Start time:	22:07:41
Start date:	15/04/2022
Path:	/usr/bin/cglyyshjyz
Arguments:	n/a
File size:	548693 bytes
MD5 hash:	3ba7870dc238c8ced74411e69ce14b0a

Chronological Activities

Analysis Process: xor1.o PID: 5305, Parent PID: 5225

General

Start time:	22:07:41
Start date:	15/04/2022
Path:	/tmp/xor1.o
Arguments:	n/a
File size:	548682 bytes
MD5 hash:	21c61e95827a7f9e1022e1b2fabe0386

Chronological Activities

Analysis Process: xor1.o PID: 5306, Parent PID: 5305

General

Start time:	22:07:41
Start date:	15/04/2022
Path:	/tmp/xor1.o
Arguments:	n/a
File size:	548682 bytes
MD5 hash:	21c61e95827a7f9e1022e1b2fabe0386

Chronological Activities

Analysis Process: cglyyshjyz PID: 5306, Parent PID: 5305

General

Start time:	22:07:41
Start date:	15/04/2022
Path:	/usr/bin/cglyyshjyz
Arguments:	/usr/bin/cglyyshjyz who 5225
File size:	548693 bytes
MD5 hash:	3ba7870dc238c8ced74411e69ce14b0a

Chronological Activities

Analysis Process: cglyyshjyz PID: 5308, Parent PID: 5306

General

Start time:	22:07:41
Start date:	15/04/2022
Path:	/usr/bin/cglyyshjyz
Arguments:	n/a
File size:	548693 bytes
MD5 hash:	3ba7870dc238c8ced74411e69ce14b0a

Chronological Activities

Analysis Process: xor1.o PID: 5309, Parent PID: 5225

General

Start time:	22:07:41
Start date:	15/04/2022
Path:	/tmp/xor1.o
Arguments:	n/a
File size:	548682 bytes
MD5 hash:	21c61e95827a7f9e1022e1b2fabe0386

Chronological Activities

Analysis Process: xor1.o PID: 5310, Parent PID: 5309

General

Start time:	22:07:41
Start date:	15/04/2022
Path:	/tmp/xor1.o
Arguments:	n/a
File size:	548682 bytes
MD5 hash:	21c61e95827a7f9e1022e1b2fabe0386

Chronological Activities

Analysis Process: cglyyshjyz PID: 5310, Parent PID: 5309

General

Start time:	22:07:41
Start date:	15/04/2022
Path:	/usr/bin/cglyyshjyz
Arguments:	/usr/bin/cglyyshjyz "sleep 1" 5225
File size:	548693 bytes
MD5 hash:	3ba7870dc238c8ced74411e69ce14b0a

Chronological Activities

Analysis Process: cglyyshjyz PID: 5313, Parent PID: 5310

General

Start time:	22:07:41
Start date:	15/04/2022
Path:	/usr/bin/cglyyshjyz
Arguments:	n/a
File size:	548693 bytes
MD5 hash:	3ba7870dc238c8ced74411e69ce14b0a

Chronological Activities

Analysis Process: xor1.o PID: 5311, Parent PID: 5225

General

Start time:	22:07:41
Start date:	15/04/2022
Path:	/tmp/xor1.o
Arguments:	n/a
File size:	548682 bytes
MD5 hash:	21c61e95827a7f9e1022e1b2fabe0386

Chronological Activities

Analysis Process: xor1.o PID: 5312, Parent PID: 5311

General

Start time:	22:07:41
Start date:	15/04/2022
Path:	/tmp/xor1.o
Arguments:	n/a
File size:	548682 bytes
MD5 hash:	21c61e95827a7f9e1022e1b2fabe0386

Chronological Activities

Analysis Process: cglyyshjyz PID: 5312, Parent PID: 5311

General

Start time:	22:07:41
Start date:	15/04/2022
Path:	/usr/bin/cglyyshjyz
Arguments:	/usr/bin/cglyyshjyz "cd /etc" 5225
File size:	548693 bytes
MD5 hash:	3ba7870dc238c8ced74411e69ce14b0a

Chronological Activities

Analysis Process: cglyyshjyz PID: 5314, Parent PID: 5312

General

Start time:	22:07:41
Start date:	15/04/2022
Path:	/usr/bin/cglyyshjyz
Arguments:	n/a
File size:	548693 bytes
MD5 hash:	3ba7870dc238c8ced74411e69ce14b0a

Chronological Activities

Analysis Process: xor1.o PID: 5317, Parent PID: 5225

General

Start time:	22:07:47
Start date:	15/04/2022
Path:	/tmp/xor1.o
Arguments:	n/a
File size:	548682 bytes
MD5 hash:	21c61e95827a7f9e1022e1b2fabe0386

Chronological Activities

Analysis Process: xor1.o PID: 5318, Parent PID: 5317

General

Start time:	22:07:47
Start date:	15/04/2022
Path:	/tmp/xor1.o
Arguments:	n/a
File size:	548682 bytes
MD5 hash:	21c61e95827a7f9e1022e1b2fabe0386

Chronological Activities

Analysis Process: iqmzdzzagu PID: 5318, Parent PID: 5317

General

Start time:	22:07:47
Start date:	15/04/2022
Path:	/usr/bin/iqmzdzzagu
Arguments:	/usr/bin/iqmzdzzagu ls 5225
File size:	548693 bytes
MD5 hash:	6e76f6698ccf35c8257261f0c70180a3

Chronological Activities

Analysis Process: iqmzdzzagu PID: 5319, Parent PID: 5318

General

Start time:	22:07:47
Start date:	15/04/2022
Path:	/usr/bin/iqmzdzzagu
Arguments:	n/a
File size:	548693 bytes
MD5 hash:	6e76f6698ccf35c8257261f0c70180a3

Chronological Activities

Analysis Process: xor1.o PID: 5320, Parent PID: 5225

General

Start time:	22:07:47
Start date:	15/04/2022
Path:	/tmp/xor1.o
Arguments:	n/a
File size:	548682 bytes
MD5 hash:	21c61e95827a7f9e1022e1b2fabe0386

Chronological Activities

Analysis Process: xor1.o PID: 5321, Parent PID: 5320

General

Start time:	22:07:47
Start date:	15/04/2022
Path:	/tmp/xor1.o
Arguments:	n/a
File size:	548682 bytes
MD5 hash:	21c61e95827a7f9e1022e1b2fabe0386

Chronological Activities

Analysis Process: iqmzdzzagu PID: 5321, Parent PID: 5320

General

Start time:	22:07:47
Start date:	15/04/2022
Path:	/usr/bin/iqmzdzzagu
Arguments:	/usr/bin/iqmzdzzagu id 5225
File size:	548693 bytes
MD5 hash:	6e76f6698ccf35c8257261f0c70180a3

Chronological Activities

Analysis Process: iqmzdzzagu PID: 5324, Parent PID: 5321

General

Start time:	22:07:47
Start date:	15/04/2022
Path:	/usr/bin/iqmzdzzagu
Arguments:	n/a
File size:	548693 bytes
MD5 hash:	6e76f6698ccf35c8257261f0c70180a3

Chronological Activities

Analysis Process: xor1.o PID: 5322, Parent PID: 5225

General

Start time:	22:07:47
Start date:	15/04/2022
Path:	/tmp/xor1.o
Arguments:	n/a
File size:	548682 bytes
MD5 hash:	21c61e95827a7f9e1022e1b2fabe0386

Chronological Activities

Analysis Process: xor1.o PID: 5323, Parent PID: 5322

General

Start time:	22:07:47
Start date:	15/04/2022
Path:	/tmp/xor1.o
Arguments:	n/a
File size:	548682 bytes
MD5 hash:	21c61e95827a7f9e1022e1b2fabe0386

Chronological Activities

Analysis Process: iqmzdzzagu PID: 5323, Parent PID: 5322

General

Start time:	22:07:47
Start date:	15/04/2022
Path:	/usr/bin/iqmzdzzagu
Arguments:	/usr/bin/iqmzdzzagu bash 5225
File size:	548693 bytes
MD5 hash:	6e76f6698ccf35c8257261f0c70180a3

Chronological Activities

Analysis Process: iqmzdzzagu PID: 5327, Parent PID: 5323

General

Start time:	22:07:47
Start date:	15/04/2022
Path:	/usr/bin/iqmzdzzagu
Arguments:	n/a
File size:	548693 bytes
MD5 hash:	6e76f6698ccf35c8257261f0c70180a3

Chronological Activities

Analysis Process: xor1.o PID: 5325, Parent PID: 5225

General

Start time:	22:07:47
Start date:	15/04/2022
Path:	/tmp/xor1.o
Arguments:	n/a
File size:	548682 bytes
MD5 hash:	21c61e95827a7f9e1022e1b2fabe0386

Chronological Activities

Analysis Process: xor1.o PID: 5326, Parent PID: 5325

General

Start time:	22:07:47
Start date:	15/04/2022
Path:	/tmp/xor1.o
Arguments:	n/a
File size:	548682 bytes
MD5 hash:	21c61e95827a7f9e1022e1b2fabe0386

Chronological Activities

Analysis Process: iqmzdzzagu PID: 5326, Parent PID: 5325

General

Start time:	22:07:47
Start date:	15/04/2022
Path:	/usr/bin/iqmzdzzagu
Arguments:	/usr/bin/iqmzdzzagu pwd 5225
File size:	548693 bytes
MD5 hash:	6e76f6698ccf35c8257261f0c70180a3

Chronological Activities

Analysis Process: iqmzdzzagu PID: 5330, Parent PID: 5326

General

Start time:	22:07:47
Start date:	15/04/2022
Path:	/usr/bin/iqmzdzzagu
Arguments:	n/a
File size:	548693 bytes
MD5 hash:	6e76f6698ccf35c8257261f0c70180a3

Chronological Activities

Analysis Process: xor1.o PID: 5328, Parent PID: 5225

General

Start time:	22:07:47
Start date:	15/04/2022
Path:	/tmp/xor1.o
Arguments:	n/a
File size:	548682 bytes
MD5 hash:	21c61e95827a7f9e1022e1b2fabe0386

Chronological Activities

Analysis Process: xor1.o PID: 5329, Parent PID: 5328

General

Start time:	22:07:47
Start date:	15/04/2022
Path:	/tmp/xor1.o
Arguments:	n/a
File size:	548682 bytes
MD5 hash:	21c61e95827a7f9e1022e1b2fabe0386

Chronological Activities

Analysis Process: iqmzdzzagu PID: 5329, Parent PID: 5328

General

Start time:	22:07:47
Start date:	15/04/2022
Path:	/usr/bin/iqmzdzzagu
Arguments:	/usr/bin/iqmzdzzagu "ifconfig eth0" 5225
File size:	548693 bytes
MD5 hash:	6e76f6698ccf35c8257261f0c70180a3

Chronological Activities

Analysis Process: iqmzdzzagu PID: 5331, Parent PID: 5329

General

Start time:	22:07:47
Start date:	15/04/2022
Path:	/usr/bin/iqmzdzzagu
Arguments:	n/a
File size:	548693 bytes
MD5 hash:	6e76f6698ccf35c8257261f0c70180a3

Chronological Activities

Analysis Process: xor1.o PID: 5334, Parent PID: 5225

General

Start time:	22:07:52
Start date:	15/04/2022
Path:	/tmp/xor1.o
Arguments:	n/a
File size:	548682 bytes
MD5 hash:	21c61e95827a7f9e1022e1b2fabe0386

Chronological Activities

Analysis Process: xor1.o PID: 5335, Parent PID: 5334

General

Start time:	22:07:52
Start date:	15/04/2022
Path:	/tmp/xor1.o
Arguments:	n/a
File size:	548682 bytes
MD5 hash:	21c61e95827a7f9e1022e1b2fabe0386

Chronological Activities

Analysis Process: ifkpwnmtjm PID: 5335, Parent PID: 5334

General

Start time:	22:07:52
Start date:	15/04/2022
Path:	/usr/bin/ifkpwnmtjm
Arguments:	/usr/bin/ifkpwnmtjm su 5225
File size:	548693 bytes
MD5 hash:	c6395ec6939aa3aee167136e5b0e6f81

Chronological Activities

Analysis Process: ifkpwnmtjm PID: 5336, Parent PID: 5335

General

Start time:	22:07:52
Start date:	15/04/2022
Path:	/usr/bin/ifkpwnmtjm
Arguments:	n/a
File size:	548693 bytes
MD5 hash:	c6395ec6939aa3aee167136e5b0e6f81

Chronological Activities

Analysis Process: xor1.o PID: 5337, Parent PID: 5225

General

Start time:	22:07:53
Start date:	15/04/2022
Path:	/tmp/xor1.o
Arguments:	n/a
File size:	548682 bytes
MD5 hash:	21c61e95827a7f9e1022e1b2fabe0386

Chronological Activities

Analysis Process: xor1.o PID: 5338, Parent PID: 5337

General

Start time:	22:07:53
Start date:	15/04/2022
Path:	/tmp/xor1.o
Arguments:	n/a
File size:	548682 bytes
MD5 hash:	21c61e95827a7f9e1022e1b2fabe0386

Chronological Activities

Analysis Process: ifkpwnmtjm PID: 5338, Parent PID: 5337

General

Start time:	22:07:53
Start date:	15/04/2022
Path:	/usr/bin/ifkpwnmtjm
Arguments:	/usr/bin/ifkpwnmtjm "ps -ef" 5225
File size:	548693 bytes
MD5 hash:	c6395ec6939aa3aee167136e5b0e6f81

Chronological Activities

Analysis Process: ifkpwnmtjm PID: 5341, Parent PID: 5338

General

Start time:	22:07:53
Start date:	15/04/2022
Path:	/usr/bin/ifkpwnmtjm
Arguments:	n/a
File size:	548693 bytes
MD5 hash:	c6395ec6939aa3aee167136e5b0e6f81

Chronological Activities

Analysis Process: xor1.o PID: 5339, Parent PID: 5225

General

Start time:	22:07:53
Start date:	15/04/2022
Path:	/tmp/xor1.o
Arguments:	n/a
File size:	548682 bytes
MD5 hash:	21c61e95827a7f9e1022e1b2fabe0386

Chronological Activities

Analysis Process: xor1.o PID: 5340, Parent PID: 5339

General

Start time:	22:07:53
Start date:	15/04/2022
Path:	/tmp/xor1.o
Arguments:	n/a
File size:	548682 bytes
MD5 hash:	21c61e95827a7f9e1022e1b2fabe0386

Chronological Activities

Analysis Process: ifkpwnmtjm PID: 5340, Parent PID: 5339

General

Start time:	22:07:53
Start date:	15/04/2022
Path:	/usr/bin/ifkpwnmtjm
Arguments:	/usr/bin/ifkpwnmtjm "grep \"A\"" 5225
File size:	548693 bytes
MD5 hash:	c6395ec6939aa3aee167136e5b0e6f81

Chronological Activities

Analysis Process: ifkpwnmtjm PID: 5346, Parent PID: 5340

General

Start time:	22:07:53
Start date:	15/04/2022
Path:	/usr/bin/ifkpwnmtjm
Arguments:	n/a
File size:	548693 bytes
MD5 hash:	c6395ec6939aa3aee167136e5b0e6f81

Chronological Activities

Analysis Process: xor1.o PID: 5342, Parent PID: 5225

General

Start time:	22:07:53
Start date:	15/04/2022
Path:	/tmp/xor1.o
Arguments:	n/a
File size:	548682 bytes
MD5 hash:	21c61e95827a7f9e1022e1b2fabe0386

Chronological Activities

Analysis Process: xor1.o PID: 5343, Parent PID: 5342

General

Start time:	22:07:53
Start date:	15/04/2022
Path:	/tmp/xor1.o
Arguments:	n/a
File size:	548682 bytes
MD5 hash:	21c61e95827a7f9e1022e1b2fabe0386

Chronological Activities

Analysis Process: ifkpwnmtjm PID: 5343, Parent PID: 5342

General

Start time:	22:07:53
Start date:	15/04/2022
Path:	/usr/bin/ifkpwnmtjm
Arguments:	/usr/bin/ifkpwnmtjm "ifconfig eth0" 5225
File size:	548693 bytes
MD5 hash:	c6395ec6939aa3aee167136e5b0e6f81

Chronological Activities

Analysis Process: ifkpwnmtjm PID: 5347, Parent PID: 5343

General

Start time:	22:07:54
Start date:	15/04/2022
Path:	/usr/bin/ifkpwnmtjm
Arguments:	n/a
File size:	548693 bytes
MD5 hash:	c6395ec6939aa3aee167136e5b0e6f81

Chronological Activities

Analysis Process: xor1.o PID: 5344, Parent PID: 5225

General

Start time:	22:07:53
Start date:	15/04/2022
Path:	/tmp/xor1.o
Arguments:	n/a
File size:	548682 bytes
MD5 hash:	21c61e95827a7f9e1022e1b2fabe0386

Chronological Activities

Analysis Process: xor1.o PID: 5345, Parent PID: 5344

General

Start time:	22:07:53
Start date:	15/04/2022
Path:	/tmp/xor1.o
Arguments:	n/a
File size:	548682 bytes
MD5 hash:	21c61e95827a7f9e1022e1b2fabe0386

Chronological Activities

Analysis Process: ifkpwnmtjm PID: 5345, Parent PID: 5344

General

Start time:	22:07:53
Start date:	15/04/2022
Path:	/usr/bin/ifkpwnmtjm
Arguments:	/usr/bin/ifkpwnmtjm "ls -la" 5225
File size:	548693 bytes
MD5 hash:	c6395ec6939aa3aee167136e5b0e6f81

Chronological Activities

Analysis Process: ifkpwnmtjm PID: 5348, Parent PID: 5345

General

Start time:	22:07:54
Start date:	15/04/2022
Path:	/usr/bin/ifkpwnmtjm
Arguments:	n/a
File size:	548693 bytes
MD5 hash:	c6395ec6939aa3aee167136e5b0e6f81

Chronological Activities

Analysis Process: xor1.o PID: 5351, Parent PID: 5225

General

Start time:	22:07:59
Start date:	15/04/2022
Path:	/tmp/xor1.o
Arguments:	n/a
File size:	548682 bytes
MD5 hash:	21c61e95827a7f9e1022e1b2fabe0386

Chronological Activities

Analysis Process: xor1.o PID: 5352, Parent PID: 5351

General

Start time:	22:07:59
Start date:	15/04/2022
Path:	/tmp/xor1.o
Arguments:	n/a
File size:	548682 bytes
MD5 hash:	21c61e95827a7f9e1022e1b2fabe0386

Chronological Activities

Analysis Process: jnoxdslvzn PID: 5352, Parent PID: 5351

General

Start time:	22:07:59
Start date:	15/04/2022
Path:	/usr/bin/jnoxdslvzn
Arguments:	/usr/bin/jnoxdslvzn "grep \"A\"" 5225
File size:	548693 bytes
MD5 hash:	0208723046fa446d61614ef51ee000c0

Chronological Activities

Analysis Process: jnoxdslvzn PID: 5353, Parent PID: 5352

General

Start time:	22:07:59
Start date:	15/04/2022
Path:	/usr/bin/jnoxdslvzn
Arguments:	n/a
File size:	548693 bytes
MD5 hash:	0208723046fa446d61614ef51ee000c0

Chronological Activities

Analysis Process: xor1.o PID: 5354, Parent PID: 5225

General

Start time:	22:07:59
Start date:	15/04/2022
Path:	/tmp/xor1.o
Arguments:	n/a
File size:	548682 bytes
MD5 hash:	21c61e95827a7f9e1022e1b2fabe0386

Chronological Activities

Analysis Process: xor1.o PID: 5355, Parent PID: 5354

General

Start time:	22:07:59
Start date:	15/04/2022
Path:	/tmp/xor1.o
Arguments:	n/a
File size:	548682 bytes
MD5 hash:	21c61e95827a7f9e1022e1b2fabe0386

Chronological Activities

Analysis Process: jnoxdslvzn PID: 5355, Parent PID: 5354

General

Start time:	22:07:59
Start date:	15/04/2022
Path:	/usr/bin/jnoxdslvzn
Arguments:	/usr/bin/jnoxdslvzn "cat resolv.conf" 5225
File size:	548693 bytes
MD5 hash:	0208723046fa446d61614ef51ee000c0

Chronological Activities

Analysis Process: jnoxdslvzn PID: 5358, Parent PID: 5355

General

Start time:	22:07:59
Start date:	15/04/2022
Path:	/usr/bin/jnoxdslvzn
Arguments:	n/a
File size:	548693 bytes
MD5 hash:	0208723046fa446d61614ef51ee000c0

Chronological Activities

Analysis Process: xor1.o PID: 5356, Parent PID: 5225

General

Start time:	22:07:59
Start date:	15/04/2022
Path:	/tmp/xor1.o
Arguments:	n/a
File size:	548682 bytes
MD5 hash:	21c61e95827a7f9e1022e1b2fabe0386

Chronological Activities

Analysis Process: xor1.o PID: 5357, Parent PID: 5356

General

Start time:	22:07:59
Start date:	15/04/2022
Path:	/tmp/xor1.o
Arguments:	n/a
File size:	548682 bytes
MD5 hash:	21c61e95827a7f9e1022e1b2fabe0386

Chronological Activities

Analysis Process: jnoxdslvzn PID: 5357, Parent PID: 5356

General

Start time:	22:07:59
Start date:	15/04/2022
Path:	/usr/bin/jnoxdslvzn
Arguments:	/usr/bin/jnoxdslvzn "sleep 1" 5225
File size:	548693 bytes
MD5 hash:	0208723046fa446d61614ef51ee000c0

Chronological Activities

Analysis Process: jnoxdslvzn PID: 5359, Parent PID: 5357

General

Start time:	22:07:59
Start date:	15/04/2022
Path:	/usr/bin/jnoxdslvzn
Arguments:	n/a
File size:	548693 bytes
MD5 hash:	0208723046fa446d61614ef51ee000c0

Chronological Activities

Analysis Process: xor1.o PID: 5360, Parent PID: 5225

General

Start time:	22:07:59
Start date:	15/04/2022
Path:	/tmp/xor1.o
Arguments:	n/a
File size:	548682 bytes
MD5 hash:	21c61e95827a7f9e1022e1b2fabe0386

Chronological Activities

Analysis Process: xor1.o PID: 5361, Parent PID: 5360

General

Start time:	22:07:59
Start date:	15/04/2022
Path:	/tmp/xor1.o
Arguments:	n/a
File size:	548682 bytes
MD5 hash:	21c61e95827a7f9e1022e1b2fabe0386

Chronological Activities

Analysis Process: jnoxdslvzn PID: 5361, Parent PID: 5360

General

Start time:	22:07:59
Start date:	15/04/2022
Path:	/usr/bin/jnoxdslvzn
Arguments:	/usr/bin/jnoxdslvzn whoami 5225
File size:	548693 bytes
MD5 hash:	0208723046fa446d61614ef51ee000c0

Chronological Activities

Analysis Process: jnoxdslvzn PID: 5364, Parent PID: 5361

General

Start time:	22:07:59
Start date:	15/04/2022
Path:	/usr/bin/jnoxdslvzn
Arguments:	n/a
File size:	548693 bytes
MD5 hash:	0208723046fa446d61614ef51ee000c0

Chronological Activities

Analysis Process: xor1.o PID: 5362, Parent PID: 5225

General

Start time:	22:07:59
Start date:	15/04/2022
Path:	/tmp/xor1.o
Arguments:	n/a
File size:	548682 bytes
MD5 hash:	21c61e95827a7f9e1022e1b2fabe0386

Chronological Activities

Analysis Process: xor1.o PID: 5363, Parent PID: 5362

General

Start time:	22:07:59
Start date:	15/04/2022
Path:	/tmp/xor1.o
Arguments:	n/a
File size:	548682 bytes
MD5 hash:	21c61e95827a7f9e1022e1b2fabe0386

Chronological Activities

Analysis Process: jnoxdslvzn PID: 5363, Parent PID: 5362

General

Start time:	22:07:59
Start date:	15/04/2022
Path:	/usr/bin/jnoxdslvzn
Arguments:	/usr/bin/jnoxdslvzn su 5225
File size:	548693 bytes
MD5 hash:	0208723046fa446d61614ef51ee000c0

Chronological Activities

Analysis Process: jnoxdslvzn PID: 5365, Parent PID: 5363

General

Start time:	22:07:59
Start date:	15/04/2022
Path:	/usr/bin/jnoxdslvzn
Arguments:	n/a
File size:	548693 bytes
MD5 hash:	0208723046fa446d61614ef51ee000c0

Chronological Activities

Analysis Process: xor1.o PID: 5369, Parent PID: 5225

General

Start time:	22:08:05
Start date:	15/04/2022
Path:	/tmp/xor1.o
Arguments:	n/a
File size:	548682 bytes
MD5 hash:	21c61e95827a7f9e1022e1b2fabe0386

Chronological Activities

Analysis Process: xor1.o PID: 5370, Parent PID: 5369

General

Start time:	22:08:05
Start date:	15/04/2022
Path:	/tmp/xor1.o
Arguments:	n/a
File size:	548682 bytes
MD5 hash:	21c61e95827a7f9e1022e1b2fabe0386

Chronological Activities

Analysis Process: vdplvwquwd PID: 5370, Parent PID: 5369

General

Start time:	22:08:05
Start date:	15/04/2022
Path:	/usr/bin/vdplvwquwd
Arguments:	/usr/bin/vdplvwquwd "netstat -an" 5225
File size:	548693 bytes
MD5 hash:	b6ac1496f79d2c5b8959203c3ecbdc6c

Chronological Activities

Analysis Process: vdplvwquwd PID: 5371, Parent PID: 5370

General

Start time:	22:08:05
Start date:	15/04/2022
Path:	/usr/bin/vdplvwquwd
Arguments:	n/a
File size:	548693 bytes
MD5 hash:	b6ac1496f79d2c5b8959203c3ecbdc6c

Chronological Activities

Analysis Process: xor1.o PID: 5372, Parent PID: 5225

General

Start time:	22:08:05
Start date:	15/04/2022
Path:	/tmp/xor1.o
Arguments:	n/a
File size:	548682 bytes
MD5 hash:	21c61e95827a7f9e1022e1b2fabe0386

Chronological Activities

Analysis Process: xor1.o PID: 5373, Parent PID: 5372

General

Start time:	22:08:05
Start date:	15/04/2022
Path:	/tmp/xor1.o
Arguments:	n/a
File size:	548682 bytes
MD5 hash:	21c61e95827a7f9e1022e1b2fabe0386

Chronological Activities

Analysis Process: vdplvwquwd PID: 5373, Parent PID: 5372

General

Start time:	22:08:05
Start date:	15/04/2022
Path:	/usr/bin/vdplvwquwd
Arguments:	/usr/bin/vdplvwquwd bash 5225
File size:	548693 bytes
MD5 hash:	b6ac1496f79d2c5b8959203c3ecbdc6c

Chronological Activities

Analysis Process: vdplvwquwd PID: 5374, Parent PID: 5373

General

Start time:	22:08:05
Start date:	15/04/2022
Path:	/usr/bin/vdplvwquwd
Arguments:	n/a
File size:	548693 bytes
MD5 hash:	b6ac1496f79d2c5b8959203c3ecbdc6c

Chronological Activities

Analysis Process: xor1.o PID: 5375, Parent PID: 5225

General

Start time:	22:08:05
Start date:	15/04/2022
Path:	/tmp/xor1.o
Arguments:	n/a
File size:	548682 bytes
MD5 hash:	21c61e95827a7f9e1022e1b2fabe0386

Chronological Activities

Analysis Process: xor1.o PID: 5376, Parent PID: 5375

General

Start time:	22:08:05
Start date:	15/04/2022
Path:	/tmp/xor1.o
Arguments:	n/a
File size:	548682 bytes
MD5 hash:	21c61e95827a7f9e1022e1b2fabe0386

Chronological Activities

Analysis Process: vdplvwquwd PID: 5376, Parent PID: 5375

General

Start time:	22:08:05
Start date:	15/04/2022
Path:	/usr/bin/vdplvwquwd
Arguments:	/usr/bin/vdplvwquwd id 5225
File size:	548693 bytes
MD5 hash:	b6ac1496f79d2c5b8959203c3ecbdc6c

Chronological Activities

Analysis Process: vdplvwquwd PID: 5379, Parent PID: 5376

General

Start time:	22:08:05
Start date:	15/04/2022
Path:	/usr/bin/vdplvwquwd
Arguments:	n/a
File size:	548693 bytes
MD5 hash:	b6ac1496f79d2c5b8959203c3ecbdc6c

Chronological Activities

Analysis Process: xor1.o PID: 5377, Parent PID: 5225

General

Start time:	22:08:05
Start date:	15/04/2022
Path:	/tmp/xor1.o
Arguments:	n/a
File size:	548682 bytes
MD5 hash:	21c61e95827a7f9e1022e1b2fabe0386

Chronological Activities

Analysis Process: xor1.o PID: 5378, Parent PID: 5377

General

Start time:	22:08:05
Start date:	15/04/2022
Path:	/tmp/xor1.o
Arguments:	n/a
File size:	548682 bytes
MD5 hash:	21c61e95827a7f9e1022e1b2fabe0386

Chronological Activities

Analysis Process: vdplvwquwd PID: 5378, Parent PID: 5377

General

Start time:	22:08:05
Start date:	15/04/2022
Path:	/usr/bin/vdplvwquwd
Arguments:	/usr/bin/vdplvwquwd pwd 5225
File size:	548693 bytes
MD5 hash:	b6ac1496f79d2c5b8959203c3ecbdc6c

Chronological Activities

Analysis Process: vdplvwquwd PID: 5382, Parent PID: 5378

General

Start time:	22:08:05
Start date:	15/04/2022
Path:	/usr/bin/vdplvwquwd
Arguments:	n/a
File size:	548693 bytes
MD5 hash:	b6ac1496f79d2c5b8959203c3ecbdc6c

Chronological Activities

Analysis Process: xor1.o PID: 5380, Parent PID: 5225

General

Start time:	22:08:05
Start date:	15/04/2022
Path:	/tmp/xor1.o
Arguments:	n/a
File size:	548682 bytes
MD5 hash:	21c61e95827a7f9e1022e1b2fabe0386

Chronological Activities

Analysis Process: xor1.o PID: 5381, Parent PID: 5380

General

Start time:	22:08:05
Start date:	15/04/2022
Path:	/tmp/xor1.o
Arguments:	n/a
File size:	548682 bytes
MD5 hash:	21c61e95827a7f9e1022e1b2fabe0386

Chronological Activities

Analysis Process: vdplvwquwd PID: 5381, Parent PID: 5380

General

Start time:	22:08:05
Start date:	15/04/2022
Path:	/usr/bin/vdplvwquwd
Arguments:	/usr/bin/vdplvwquwd bash 5225
File size:	548693 bytes
MD5 hash:	b6ac1496f79d2c5b8959203c3ecbdc6c

Chronological Activities

Analysis Process: vdplvwquwd PID: 5385, Parent PID: 5381

General

Start time:	22:08:05
Start date:	15/04/2022
Path:	/usr/bin/vdplvwquwd
Arguments:	n/a
File size:	548693 bytes
MD5 hash:	b6ac1496f79d2c5b8959203c3ecbdc6c

Chronological Activities

Analysis Process: xor1.o PID: 5390, Parent PID: 5225

General

Start time:	22:08:11
Start date:	15/04/2022
Path:	/tmp/xor1.o
Arguments:	n/a
File size:	548682 bytes
MD5 hash:	21c61e95827a7f9e1022e1b2fabe0386

Chronological Activities

Analysis Process: xor1.o PID: 5391, Parent PID: 5390

General

Start time:	22:08:11
Start date:	15/04/2022
Path:	/tmp/xor1.o
Arguments:	n/a
File size:	548682 bytes
MD5 hash:	21c61e95827a7f9e1022e1b2fabe0386

Chronological Activities

Analysis Process: ralgwrxppb PID: 5391, Parent PID: 5390

General

Start time:	22:08:11
Start date:	15/04/2022
Path:	/usr/bin/ralgwrxppb
Arguments:	/usr/bin/ralgwrxppb "echo \"find\"" 5225
File size:	548693 bytes
MD5 hash:	e75043350a41db4373bb9b0fa5677bc2

Chronological Activities

Analysis Process: ralgwrxppb PID: 5392, Parent PID: 5391

General

Start time:	22:08:11
Start date:	15/04/2022
Path:	/usr/bin/ralgwrxppb
Arguments:	n/a
File size:	548693 bytes
MD5 hash:	e75043350a41db4373bb9b0fa5677bc2

Chronological Activities

Analysis Process: xor1.o PID: 5393, Parent PID: 5225

General

Start time:	22:08:11
Start date:	15/04/2022
Path:	/tmp/xor1.o
Arguments:	n/a
File size:	548682 bytes
MD5 hash:	21c61e95827a7f9e1022e1b2fabe0386

Chronological Activities

Analysis Process: xor1.o PID: 5394, Parent PID: 5393

General

Start time:	22:08:11
Start date:	15/04/2022
Path:	/tmp/xor1.o
Arguments:	n/a
File size:	548682 bytes
MD5 hash:	21c61e95827a7f9e1022e1b2fabe0386

Chronological Activities

Analysis Process: ralgwrxppb PID: 5394, Parent PID: 5393

General

Start time:	22:08:11
Start date:	15/04/2022
Path:	/usr/bin/ralgwrxppb
Arguments:	/usr/bin/ralgwrxppb "echo \"find\"" 5225
File size:	548693 bytes
MD5 hash:	e75043350a41db4373bb9b0fa5677bc2

Chronological Activities

Analysis Process: ralgwrxppb PID: 5397, Parent PID: 5394

General

Start time:	22:08:11
Start date:	15/04/2022
Path:	/usr/bin/ralgwrxppb
Arguments:	n/a
File size:	548693 bytes
MD5 hash:	e75043350a41db4373bb9b0fa5677bc2

Chronological Activities

Analysis Process: xor1.o PID: 5395, Parent PID: 5225

General

Start time:	22:08:11
Start date:	15/04/2022
Path:	/tmp/xor1.o
Arguments:	n/a
File size:	548682 bytes
MD5 hash:	21c61e95827a7f9e1022e1b2fabe0386

Chronological Activities

Analysis Process: xor1.o PID: 5396, Parent PID: 5395

General

Start time:	22:08:11
Start date:	15/04/2022
Path:	/tmp/xor1.o
Arguments:	n/a
File size:	548682 bytes
MD5 hash:	21c61e95827a7f9e1022e1b2fabe0386

Chronological Activities

Analysis Process: ralgwrxppb PID: 5396, Parent PID: 5395

General

Start time:	22:08:11
Start date:	15/04/2022
Path:	/usr/bin/ralgwrxppb
Arguments:	/usr/bin/ralgwrxppb id 5225
File size:	548693 bytes
MD5 hash:	e75043350a41db4373bb9b0fa5677bc2

Chronological Activities

Analysis Process: ralgwrxppb PID: 5400, Parent PID: 5396

General

Start time:	22:08:11
Start date:	15/04/2022
Path:	/usr/bin/ralgwrxppb
Arguments:	n/a
File size:	548693 bytes
MD5 hash:	e75043350a41db4373bb9b0fa5677bc2

Chronological Activities

Analysis Process: xor1.o PID: 5398, Parent PID: 5225

General

Start time:	22:08:11
Start date:	15/04/2022
Path:	/tmp/xor1.o
Arguments:	n/a
File size:	548682 bytes
MD5 hash:	21c61e95827a7f9e1022e1b2fabe0386

Chronological Activities

Analysis Process: xor1.o PID: 5399, Parent PID: 5398

General

Start time:	22:08:11
Start date:	15/04/2022
Path:	/tmp/xor1.o
Arguments:	n/a
File size:	548682 bytes
MD5 hash:	21c61e95827a7f9e1022e1b2fabe0386

Chronological Activities

Analysis Process: ralgwrxppb PID: 5399, Parent PID: 5398

General

Start time:	22:08:11
Start date:	15/04/2022
Path:	/usr/bin/ralgwrxppb
Arguments:	/usr/bin/ralgwrxppb bash 5225
File size:	548693 bytes
MD5 hash:	e75043350a41db4373bb9b0fa5677bc2

Chronological Activities

Analysis Process: ralgwrxppb PID: 5403, Parent PID: 5399

General

Start time:	22:08:11
Start date:	15/04/2022
Path:	/usr/bin/ralgwrxppb
Arguments:	n/a
File size:	548693 bytes
MD5 hash:	e75043350a41db4373bb9b0fa5677bc2

Chronological Activities

Analysis Process: xor1.o PID: 5401, Parent PID: 5225

General

Start time:	22:08:11
Start date:	15/04/2022
Path:	/tmp/xor1.o
Arguments:	n/a
File size:	548682 bytes
MD5 hash:	21c61e95827a7f9e1022e1b2fabe0386

Chronological Activities

Analysis Process: xor1.o PID: 5402, Parent PID: 5401

General

Start time:	22:08:11
Start date:	15/04/2022
Path:	/tmp/xor1.o
Arguments:	n/a
File size:	548682 bytes
MD5 hash:	21c61e95827a7f9e1022e1b2fabe0386

Chronological Activities

Analysis Process: ralgwrxppb PID: 5402, Parent PID: 5401

General

Start time:	22:08:11
Start date:	15/04/2022
Path:	/usr/bin/ralgwrxppb
Arguments:	/usr/bin/ralgwrxppb ifconfig 5225
File size:	548693 bytes
MD5 hash:	e75043350a41db4373bb9b0fa5677bc2

Chronological Activities

Analysis Process: ralgwrxppb PID: 5404, Parent PID: 5402

General

Start time:	22:08:11
Start date:	15/04/2022
Path:	/usr/bin/ralgwrxppb
Arguments:	n/a
File size:	548693 bytes
MD5 hash:	e75043350a41db4373bb9b0fa5677bc2

Chronological Activities

Analysis Process: xor1.o PID: 5407, Parent PID: 5225

General

Start time:	22:08:17
Start date:	15/04/2022
Path:	/tmp/xor1.o
Arguments:	n/a
File size:	548682 bytes
MD5 hash:	21c61e95827a7f9e1022e1b2fabe0386

Chronological Activities

Analysis Process: xor1.o PID: 5408, Parent PID: 5407

General

Start time:	22:08:17
Start date:	15/04/2022
Path:	/tmp/xor1.o
Arguments:	n/a
File size:	548682 bytes
MD5 hash:	21c61e95827a7f9e1022e1b2fabe0386

Chronological Activities

Analysis Process: eiqbhbuvjy PID: 5408, Parent PID: 5407

General

Start time:	22:08:17
Start date:	15/04/2022
Path:	/usr/bin/eiqbhbuvjy
Arguments:	/usr/bin/eiqbhbuvjy su 5225
File size:	548693 bytes
MD5 hash:	b563644e4e482747a9b6ebe06bad1af1

Chronological Activities

Analysis Process: eiqbhbuvjy PID: 5409, Parent PID: 5408

General

Start time:	22:08:17
Start date:	15/04/2022
Path:	/usr/bin/eiqbhbuvjy
Arguments:	n/a
File size:	548693 bytes
MD5 hash:	b563644e4e482747a9b6ebe06bad1af1

Chronological Activities

Analysis Process: xor1.o PID: 5410, Parent PID: 5225

General

Start time:	22:08:17
Start date:	15/04/2022
Path:	/tmp/xor1.o
Arguments:	n/a
File size:	548682 bytes
MD5 hash:	21c61e95827a7f9e1022e1b2fabe0386

Chronological Activities

Analysis Process: xor1.o PID: 5411, Parent PID: 5410

General

Start time:	22:08:17
Start date:	15/04/2022
Path:	/tmp/xor1.o
Arguments:	n/a
File size:	548682 bytes
MD5 hash:	21c61e95827a7f9e1022e1b2fabe0386

Chronological Activities

Analysis Process: eiqbhbuvjy PID: 5411, Parent PID: 5410

General

Start time:	22:08:17
Start date:	15/04/2022
Path:	/usr/bin/eiqbhbuvjy
Arguments:	/usr/bin/eiqbhbuvjy "netstat -an" 5225
File size:	548693 bytes
MD5 hash:	b563644e4e482747a9b6ebe06bad1af1

Chronological Activities

Analysis Process: eiqbhbuvjy PID: 5412, Parent PID: 5411

General

Start time:	22:08:17
Start date:	15/04/2022
Path:	/usr/bin/eiqbhbuvjy
Arguments:	n/a
File size:	548693 bytes
MD5 hash:	b563644e4e482747a9b6ebe06bad1af1

Chronological Activities

Analysis Process: xor1.o PID: 5413, Parent PID: 5225

General

Start time:	22:08:17
Start date:	15/04/2022
Path:	/tmp/xor1.o
Arguments:	n/a
File size:	548682 bytes
MD5 hash:	21c61e95827a7f9e1022e1b2fabe0386

Chronological Activities

Analysis Process: xor1.o PID: 5414, Parent PID: 5413

General

Start time:	22:08:17
Start date:	15/04/2022
Path:	/tmp/xor1.o
Arguments:	n/a
File size:	548682 bytes
MD5 hash:	21c61e95827a7f9e1022e1b2fabe0386

Chronological Activities

Analysis Process: eiqbhbuvjy PID: 5414, Parent PID: 5413

General

Start time:	22:08:17
Start date:	15/04/2022
Path:	/usr/bin/eiqbhbuvjy
Arguments:	/usr/bin/eiqbhbuvjy "cat resolv.conf" 5225
File size:	548693 bytes
MD5 hash:	b563644e4e482747a9b6ebe06bad1af1

Chronological Activities

Analysis Process: eiqbhbuvjy PID: 5417, Parent PID: 5414

General

Start time:	22:08:17
Start date:	15/04/2022
Path:	/usr/bin/eiqbhbuvjy
Arguments:	n/a
File size:	548693 bytes
MD5 hash:	b563644e4e482747a9b6ebe06bad1af1

Chronological Activities

Analysis Process: xor1.o PID: 5415, Parent PID: 5225

General

Start time:	22:08:17
Start date:	15/04/2022
Path:	/tmp/xor1.o
Arguments:	n/a
File size:	548682 bytes
MD5 hash:	21c61e95827a7f9e1022e1b2fabe0386

Chronological Activities

Analysis Process: xor1.o PID: 5416, Parent PID: 5415

General

Start time:	22:08:17
Start date:	15/04/2022
Path:	/tmp/xor1.o
Arguments:	n/a
File size:	548682 bytes
MD5 hash:	21c61e95827a7f9e1022e1b2fabe0386

Chronological Activities

Analysis Process: eiqbhbuvjy PID: 5416, Parent PID: 5415

General

Start time:	22:08:17
Start date:	15/04/2022
Path:	/usr/bin/eiqbhbuvjy
Arguments:	/usr/bin/eiqbhbuvjy "echo \"find\"" 5225
File size:	548693 bytes
MD5 hash:	b563644e4e482747a9b6ebe06bad1af1

Chronological Activities

Analysis Process: eiqbhbuvjy PID: 5420, Parent PID: 5416

General

Start time:	22:08:17
Start date:	15/04/2022
Path:	/usr/bin/eiqbhbuvjy
Arguments:	n/a
File size:	548693 bytes
MD5 hash:	b563644e4e482747a9b6ebe06bad1af1

Chronological Activities

Analysis Process: xor1.o PID: 5418, Parent PID: 5225

General

Start time:	22:08:17
Start date:	15/04/2022
Path:	/tmp/xor1.o
Arguments:	n/a
File size:	548682 bytes
MD5 hash:	21c61e95827a7f9e1022e1b2fabe0386

Chronological Activities

Analysis Process: xor1.o PID: 5419, Parent PID: 5418

General

Start time:	22:08:17
Start date:	15/04/2022
Path:	/tmp/xor1.o
Arguments:	n/a
File size:	548682 bytes
MD5 hash:	21c61e95827a7f9e1022e1b2fabe0386

Chronological Activities

Analysis Process: eiqbhbuvjy PID: 5419, Parent PID: 5418

General

Start time:	22:08:17
Start date:	15/04/2022
Path:	/usr/bin/eiqbhbuvjy
Arguments:	/usr/bin/eiqbhbuvjy whoami 5225
File size:	548693 bytes
MD5 hash:	b563644e4e482747a9b6ebe06bad1af1

Chronological Activities

Analysis Process: eiqbhbuvjy PID: 5421, Parent PID: 5419

General

Start time:	22:08:17
Start date:	15/04/2022
Path:	/usr/bin/eiqbhbuvjy
Arguments:	n/a
File size:	548693 bytes
MD5 hash:	b563644e4e482747a9b6ebe06bad1af1

Chronological Activities

Analysis Process: xor1.o PID: 5424, Parent PID: 5225

General

Start time:	22:08:23
Start date:	15/04/2022
Path:	/tmp/xor1.o
Arguments:	n/a
File size:	548682 bytes
MD5 hash:	21c61e95827a7f9e1022e1b2fabe0386

Chronological Activities

Analysis Process: xor1.o PID: 5425, Parent PID: 5424

General

Start time:	22:08:23
Start date:	15/04/2022
Path:	/tmp/xor1.o
Arguments:	n/a
File size:	548682 bytes
MD5 hash:	21c61e95827a7f9e1022e1b2fabe0386

Chronological Activities

Analysis Process: jwkufnauiy PID: 5425, Parent PID: 5424

General

Start time:	22:08:23
Start date:	15/04/2022
Path:	/usr/bin/jwkufnauiy
Arguments:	/usr/bin/jwkufnauiy sh 5225
File size:	548693 bytes
MD5 hash:	0b7a5024eb6dcfe3f8625766490c4af0

Chronological Activities

Analysis Process: jwkufnauiy PID: 5426, Parent PID: 5425

General

Start time:	22:08:23
Start date:	15/04/2022
Path:	/usr/bin/jwkufnauiy
Arguments:	n/a
File size:	548693 bytes
MD5 hash:	0b7a5024eb6dcfe3f8625766490c4af0

Chronological Activities

Analysis Process: xor1.o PID: 5427, Parent PID: 5225

General

Start time:	22:08:23
Start date:	15/04/2022
Path:	/tmp/xor1.o
Arguments:	n/a
File size:	548682 bytes
MD5 hash:	21c61e95827a7f9e1022e1b2fabe0386

Chronological Activities

Analysis Process: xor1.o PID: 5428, Parent PID: 5427

General

Start time:	22:08:23
Start date:	15/04/2022
Path:	/tmp/xor1.o
Arguments:	n/a
File size:	548682 bytes
MD5 hash:	21c61e95827a7f9e1022e1b2fabe0386

Chronological Activities

Analysis Process: jwkufnauiy PID: 5428, Parent PID: 5427

General

Start time:	22:08:23
Start date:	15/04/2022
Path:	/usr/bin/jwkufnauiy
Arguments:	/usr/bin/jwkufnauiy "ps -ef" 5225
File size:	548693 bytes
MD5 hash:	0b7a5024eb6dcfe3f8625766490c4af0

Chronological Activities

Analysis Process: jwkufnauiy PID: 5429, Parent PID: 5428

General

Start time:	22:08:23
Start date:	15/04/2022
Path:	/usr/bin/jwkufnauiy
Arguments:	n/a
File size:	548693 bytes
MD5 hash:	0b7a5024eb6dcfe3f8625766490c4af0

Chronological Activities

Analysis Process: xor1.o PID: 5430, Parent PID: 5225

General

Start time:	22:08:23
Start date:	15/04/2022
Path:	/tmp/xor1.o
Arguments:	n/a
File size:	548682 bytes
MD5 hash:	21c61e95827a7f9e1022e1b2fabe0386

Chronological Activities

Analysis Process: xor1.o PID: 5431, Parent PID: 5430

General

Start time:	22:08:23
Start date:	15/04/2022
Path:	/tmp/xor1.o
Arguments:	n/a
File size:	548682 bytes
MD5 hash:	21c61e95827a7f9e1022e1b2fabe0386

Chronological Activities

Analysis Process: jwkufnauiy PID: 5431, Parent PID: 5430

General

Start time:	22:08:23
Start date:	15/04/2022
Path:	/usr/bin/jwkufnauiy
Arguments:	/usr/bin/jwkufnauiy ls 5225
File size:	548693 bytes
MD5 hash:	0b7a5024eb6dcfe3f8625766490c4af0

Chronological Activities

Analysis Process: jwkufnauiy PID: 5434, Parent PID: 5431

General

Start time:	22:08:23
Start date:	15/04/2022
Path:	/usr/bin/jwkufnauiy
Arguments:	n/a
File size:	548693 bytes
MD5 hash:	0b7a5024eb6dcfe3f8625766490c4af0

Chronological Activities

Analysis Process: xor1.o PID: 5432, Parent PID: 5225

General

Start time:	22:08:23
Start date:	15/04/2022
Path:	/tmp/xor1.o
Arguments:	n/a
File size:	548682 bytes
MD5 hash:	21c61e95827a7f9e1022e1b2fabe0386

Chronological Activities

Analysis Process: xor1.o PID: 5433, Parent PID: 5432

General

Start time:	22:08:23
Start date:	15/04/2022
Path:	/tmp/xor1.o
Arguments:	n/a
File size:	548682 bytes
MD5 hash:	21c61e95827a7f9e1022e1b2fabe0386

Chronological Activities

Analysis Process: jwkufnauiy PID: 5433, Parent PID: 5432

General

Start time:	22:08:23
Start date:	15/04/2022
Path:	/usr/bin/jwkufnauiy
Arguments:	/usr/bin/jwkufnauiy pwd 5225
File size:	548693 bytes
MD5 hash:	0b7a5024eb6dcfe3f8625766490c4af0

Chronological Activities

Analysis Process: jwkufnauiy PID: 5437, Parent PID: 5433

General

Start time:	22:08:23
Start date:	15/04/2022
Path:	/usr/bin/jwkufnauiy
Arguments:	n/a
File size:	548693 bytes
MD5 hash:	0b7a5024eb6dcfe3f8625766490c4af0

Chronological Activities

Analysis Process: xor1.o PID: 5435, Parent PID: 5225

General

Start time:	22:08:23
Start date:	15/04/2022
Path:	/tmp/xor1.o
Arguments:	n/a
File size:	548682 bytes
MD5 hash:	21c61e95827a7f9e1022e1b2fabe0386

Chronological Activities

Analysis Process: xor1.o PID: 5436, Parent PID: 5435

General

Start time:	22:08:23
Start date:	15/04/2022
Path:	/tmp/xor1.o
Arguments:	n/a
File size:	548682 bytes
MD5 hash:	21c61e95827a7f9e1022e1b2fabe0386

Chronological Activities

Analysis Process: jwkufnauiy PID: 5436, Parent PID: 5435

General

Start time:	22:08:23
Start date:	15/04/2022
Path:	/usr/bin/jwkufnauiy
Arguments:	/usr/bin/jwkufnauiy su 5225
File size:	548693 bytes
MD5 hash:	0b7a5024eb6dcfe3f8625766490c4af0

Chronological Activities

Analysis Process: jwkufnauiy PID: 5438, Parent PID: 5436

General

Start time:	22:08:23
Start date:	15/04/2022
Path:	/usr/bin/jwkufnauiy
Arguments:	n/a
File size:	548693 bytes
MD5 hash:	0b7a5024eb6dcfe3f8625766490c4af0

Chronological Activities

Analysis Process: xor1.o PID: 5441, Parent PID: 5225

General

Start time:	22:08:28
Start date:	15/04/2022
Path:	/tmp/xor1.o
Arguments:	n/a
File size:	548682 bytes
MD5 hash:	21c61e95827a7f9e1022e1b2fabe0386

Chronological Activities

Analysis Process: xor1.o PID: 5442, Parent PID: 5441

General

Start time:	22:08:28
Start date:	15/04/2022
Path:	/tmp/xor1.o
Arguments:	n/a
File size:	548682 bytes
MD5 hash:	21c61e95827a7f9e1022e1b2fabe0386

Chronological Activities

Analysis Process: dupayarwpd PID: 5442, Parent PID: 5441

General

Start time:	22:08:28
Start date:	15/04/2022
Path:	/usr/bin/dupayarwpd
Arguments:	/usr/bin/dupayarwpd pwd 5225
File size:	548693 bytes
MD5 hash:	487ac7753877cbe469dc3683259736b5

Chronological Activities

Analysis Process: dupayarwpd PID: 5443, Parent PID: 5442

General

Start time:	22:08:28
Start date:	15/04/2022
Path:	/usr/bin/dupayarwpd
Arguments:	n/a
File size:	548693 bytes
MD5 hash:	487ac7753877cbe469dc3683259736b5

Chronological Activities

Analysis Process: xor1.o PID: 5444, Parent PID: 5225

General

Start time:	22:08:29
Start date:	15/04/2022
Path:	/tmp/xor1.o
Arguments:	n/a
File size:	548682 bytes
MD5 hash:	21c61e95827a7f9e1022e1b2fabe0386

Chronological Activities

Analysis Process: xor1.o PID: 5445, Parent PID: 5444

General

Start time:	22:08:29
Start date:	15/04/2022
Path:	/tmp/xor1.o
Arguments:	n/a
File size:	548682 bytes
MD5 hash:	21c61e95827a7f9e1022e1b2fabe0386

Chronological Activities

Analysis Process: dupayarwpd PID: 5445, Parent PID: 5444

General

Start time:	22:08:29
Start date:	15/04/2022
Path:	/usr/bin/dupayarwpd
Arguments:	/usr/bin/dupayarwpd ls 5225
File size:	548693 bytes
MD5 hash:	487ac7753877cbe469dc3683259736b5

Chronological Activities

Analysis Process: dupayarwpd PID: 5446, Parent PID: 5445

General

Start time:	22:08:29
Start date:	15/04/2022
Path:	/usr/bin/dupayarwpd
Arguments:	n/a
File size:	548693 bytes
MD5 hash:	487ac7753877cbe469dc3683259736b5

Chronological Activities

Analysis Process: xor1.o PID: 5447, Parent PID: 5225

General

Start time:	22:08:29
Start date:	15/04/2022
Path:	/tmp/xor1.o
Arguments:	n/a
File size:	548682 bytes
MD5 hash:	21c61e95827a7f9e1022e1b2fabe0386

Chronological Activities

Analysis Process: xor1.o PID: 5448, Parent PID: 5447

General

Start time:	22:08:29
Start date:	15/04/2022
Path:	/tmp/xor1.o
Arguments:	n/a
File size:	548682 bytes
MD5 hash:	21c61e95827a7f9e1022e1b2fabe0386

Chronological Activities

Analysis Process: dupayarwpd PID: 5448, Parent PID: 5447

General

Start time:	22:08:29
Start date:	15/04/2022
Path:	/usr/bin/dupayarwpd
Arguments:	/usr/bin/dupayarwpd "grep \"A\"" 5225
File size:	548693 bytes
MD5 hash:	487ac7753877cbe469dc3683259736b5

Chronological Activities

Analysis Process: dupayarwpd PID: 5452, Parent PID: 5448

General

Start time:	22:08:30
Start date:	15/04/2022
Path:	/usr/bin/dupayarwpd
Arguments:	n/a
File size:	548693 bytes
MD5 hash:	487ac7753877cbe469dc3683259736b5

Chronological Activities

Analysis Process: xor1.o PID: 5449, Parent PID: 5225

General

Start time:	22:08:29
Start date:	15/04/2022
Path:	/tmp/xor1.o
Arguments:	n/a
File size:	548682 bytes
MD5 hash:	21c61e95827a7f9e1022e1b2fabe0386

Chronological Activities

Analysis Process: xor1.o PID: 5450, Parent PID: 5449

General

Start time:	22:08:29
Start date:	15/04/2022
Path:	/tmp/xor1.o
Arguments:	n/a
File size:	548682 bytes
MD5 hash:	21c61e95827a7f9e1022e1b2fabe0386

Chronological Activities

Analysis Process: dupayarwpd PID: 5450, Parent PID: 5449

General

Start time:	22:08:29
Start date:	15/04/2022
Path:	/usr/bin/dupayarwpd
Arguments:	/usr/bin/dupayarwpd "ls -la" 5225
File size:	548693 bytes
MD5 hash:	487ac7753877cbe469dc3683259736b5

Chronological Activities

Analysis Process: dupayarwpd PID: 5454, Parent PID: 5450

General

Start time:	22:08:30
Start date:	15/04/2022
Path:	/usr/bin/dupayarwpd
Arguments:	n/a
File size:	548693 bytes
MD5 hash:	487ac7753877cbe469dc3683259736b5

Chronological Activities

Analysis Process: xor1.o PID: 5451, Parent PID: 5225

General

Start time:	22:08:30
Start date:	15/04/2022
Path:	/tmp/xor1.o
Arguments:	n/a
File size:	548682 bytes
MD5 hash:	21c61e95827a7f9e1022e1b2fabe0386

Chronological Activities

Analysis Process: xor1.o PID: 5453, Parent PID: 5451

General

Start time:	22:08:30
Start date:	15/04/2022
Path:	/tmp/xor1.o
Arguments:	n/a
File size:	548682 bytes
MD5 hash:	21c61e95827a7f9e1022e1b2fabe0386

Chronological Activities

Analysis Process: dupayarwpd PID: 5453, Parent PID: 5451

General

Start time:	22:08:30
Start date:	15/04/2022
Path:	/usr/bin/dupayarwpd
Arguments:	/usr/bin/dupayarwpd su 5225
File size:	548693 bytes
MD5 hash:	487ac7753877cbe469dc3683259736b5

Chronological Activities

Analysis Process: dupayarwpd PID: 5455, Parent PID: 5453

General

Start time:	22:08:30
Start date:	15/04/2022
Path:	/usr/bin/dupayarwpd
Arguments:	n/a
File size:	548693 bytes
MD5 hash:	487ac7753877cbe469dc3683259736b5

Chronological Activities

Analysis Process: xor1.o PID: 5461, Parent PID: 5225

General

Start time:	22:08:35
Start date:	15/04/2022
Path:	/tmp/xor1.o
Arguments:	n/a
File size:	548682 bytes
MD5 hash:	21c61e95827a7f9e1022e1b2fabe0386

Chronological Activities

Analysis Process: xor1.o PID: 5462, Parent PID: 5461

General

Start time:	22:08:35
Start date:	15/04/2022
Path:	/tmp/xor1.o
Arguments:	n/a
File size:	548682 bytes
MD5 hash:	21c61e95827a7f9e1022e1b2fabe0386

Chronological Activities

Analysis Process: sqpwspsmaf PID: 5462, Parent PID: 5461

General

Start time:	22:08:35
Start date:	15/04/2022
Path:	/usr/bin/sqpwspsmaf
Arguments:	/usr/bin/sqpwspsmaf "ls -la" 5225
File size:	548693 bytes
MD5 hash:	ddca7a304042ef3365d8648db1030c16

Chronological Activities

Analysis Process: sqpwspsmaf PID: 5463, Parent PID: 5462

General

Start time:	22:08:35
Start date:	15/04/2022
Path:	/usr/bin/sqpwspsmaf
Arguments:	n/a
File size:	548693 bytes
MD5 hash:	ddca7a304042ef3365d8648db1030c16

Chronological Activities

Analysis Process: xor1.o PID: 5464, Parent PID: 5225

General

Start time:	22:08:35
Start date:	15/04/2022
Path:	/tmp/xor1.o
Arguments:	n/a
File size:	548682 bytes
MD5 hash:	21c61e95827a7f9e1022e1b2fabe0386

Chronological Activities

Analysis Process: xor1.o PID: 5465, Parent PID: 5464

General

Start time:	22:08:35
Start date:	15/04/2022
Path:	/tmp/xor1.o
Arguments:	n/a
File size:	548682 bytes
MD5 hash:	21c61e95827a7f9e1022e1b2fabe0386

Chronological Activities

Analysis Process: sqpwspsmaf PID: 5465, Parent PID: 5464

General

Start time:	22:08:35
Start date:	15/04/2022
Path:	/usr/bin/sqpwspsmaf
Arguments:	/usr/bin/sqpwspsmaf ls 5225
File size:	548693 bytes
MD5 hash:	ddca7a304042ef3365d8648db1030c16

Chronological Activities

Analysis Process: sqpwspsmaf PID: 5469, Parent PID: 5465

General

Start time:	22:08:36
Start date:	15/04/2022
Path:	/usr/bin/sqpwspsmaf
Arguments:	n/a
File size:	548693 bytes
MD5 hash:	ddca7a304042ef3365d8648db1030c16

Chronological Activities

Analysis Process: xor1.o PID: 5466, Parent PID: 5225

General

Start time:	22:08:36
Start date:	15/04/2022
Path:	/tmp/xor1.o
Arguments:	n/a
File size:	548682 bytes
MD5 hash:	21c61e95827a7f9e1022e1b2fabe0386

Chronological Activities

Analysis Process: xor1.o PID: 5467, Parent PID: 5466

General

Start time:	22:08:36
Start date:	15/04/2022
Path:	/tmp/xor1.o
Arguments:	n/a
File size:	548682 bytes
MD5 hash:	21c61e95827a7f9e1022e1b2fabe0386

Chronological Activities

Analysis Process: sqpwspsmaf PID: 5467, Parent PID: 5466

General

Start time:	22:08:36
Start date:	15/04/2022
Path:	/usr/bin/sqpwspsmaf
Arguments:	/usr/bin/sqpwspsmaf "cat resolv.conf" 5225
File size:	548693 bytes
MD5 hash:	ddca7a304042ef3365d8648db1030c16

Chronological Activities

Analysis Process: sqpwspsmaf PID: 5473, Parent PID: 5467

General

Start time:	22:08:36
Start date:	15/04/2022
Path:	/usr/bin/sqpwspsmaf
Arguments:	n/a
File size:	548693 bytes
MD5 hash:	ddca7a304042ef3365d8648db1030c16

Chronological Activities

Analysis Process: xor1.o PID: 5468, Parent PID: 5225

General

Start time:	22:08:36
Start date:	15/04/2022
Path:	/tmp/xor1.o
Arguments:	n/a
File size:	548682 bytes
MD5 hash:	21c61e95827a7f9e1022e1b2fabe0386

Chronological Activities

Analysis Process: xor1.o PID: 5470, Parent PID: 5468

General

Start time:	22:08:36
Start date:	15/04/2022
Path:	/tmp/xor1.o
Arguments:	n/a
File size:	548682 bytes
MD5 hash:	21c61e95827a7f9e1022e1b2fabe0386

Chronological Activities

Analysis Process: sqpwspsmaf PID: 5470, Parent PID: 5468

General

Start time:	22:08:36
Start date:	15/04/2022
Path:	/usr/bin/sqpwspsmaf
Arguments:	/usr/bin/sqpwspsmaf "cd /etc" 5225
File size:	548693 bytes
MD5 hash:	ddca7a304042ef3365d8648db1030c16

Chronological Activities

Analysis Process: sqpwspsmaf PID: 5474, Parent PID: 5470

General

Start time:	22:08:37
Start date:	15/04/2022
Path:	/usr/bin/sqpwspsmaf
Arguments:	n/a
File size:	548693 bytes
MD5 hash:	ddca7a304042ef3365d8648db1030c16

Chronological Activities

Analysis Process: xor1.o PID: 5471, Parent PID: 5225

General

Start time:	22:08:36
Start date:	15/04/2022
Path:	/tmp/xor1.o
Arguments:	n/a
File size:	548682 bytes
MD5 hash:	21c61e95827a7f9e1022e1b2fabe0386

Chronological Activities

Analysis Process: xor1.o PID: 5472, Parent PID: 5471

General

Start time:	22:08:36
Start date:	15/04/2022
Path:	/tmp/xor1.o
Arguments:	n/a
File size:	548682 bytes
MD5 hash:	21c61e95827a7f9e1022e1b2fabe0386

Chronological Activities

Analysis Process: sqpwspsmaf PID: 5472, Parent PID: 5471

General

Start time:	22:08:36
Start date:	15/04/2022
Path:	/usr/bin/sqpwspsmaf
Arguments:	/usr/bin/sqpwspsmaf "cat resolv.conf" 5225
File size:	548693 bytes
MD5 hash:	ddca7a304042ef3365d8648db1030c16

Chronological Activities

Analysis Process: sqpwspsmaf PID: 5475, Parent PID: 5472

General

Start time:	22:08:37
Start date:	15/04/2022
Path:	/usr/bin/sqpwspsmaf
Arguments:	n/a
File size:	548693 bytes
MD5 hash:	ddca7a304042ef3365d8648db1030c16

Chronological Activities

Analysis Process: xor1.o PID: 5478, Parent PID: 5225

General

Start time:	22:08:42
Start date:	15/04/2022
Path:	/tmp/xor1.o
Arguments:	n/a
File size:	548682 bytes
MD5 hash:	21c61e95827a7f9e1022e1b2fabe0386

Chronological Activities

Analysis Process: xor1.o PID: 5479, Parent PID: 5478

General

Start time:	22:08:42
Start date:	15/04/2022
Path:	/tmp/xor1.o
Arguments:	n/a
File size:	548682 bytes
MD5 hash:	21c61e95827a7f9e1022e1b2fabe0386

Chronological Activities

Analysis Process: mtxpozvnco PID: 5479, Parent PID: 5478

General

Start time:	22:08:42
Start date:	15/04/2022
Path:	/usr/bin/mtxpozvnco
Arguments:	/usr/bin/mtxpozvnco bash 5225
File size:	548693 bytes
MD5 hash:	e2c161f9d0d7f462eda76b47ce513269

Chronological Activities

Analysis Process: mtxpozvnco PID: 5480, Parent PID: 5479

General

Start time:	22:08:42
Start date:	15/04/2022
Path:	/usr/bin/mtxpozvnco
Arguments:	n/a
File size:	548693 bytes
MD5 hash:	e2c161f9d0d7f462eda76b47ce513269

Chronological Activities

Analysis Process: xor1.o PID: 5481, Parent PID: 5225

General

Start time:	22:08:42
Start date:	15/04/2022
Path:	/tmp/xor1.o
Arguments:	n/a
File size:	548682 bytes
MD5 hash:	21c61e95827a7f9e1022e1b2fabe0386

Chronological Activities

Analysis Process: xor1.o PID: 5482, Parent PID: 5481

General

Start time:	22:08:42
Start date:	15/04/2022
Path:	/tmp/xor1.o
Arguments:	n/a
File size:	548682 bytes
MD5 hash:	21c61e95827a7f9e1022e1b2fabe0386

Chronological Activities

Analysis Process: mtxpozvnco PID: 5482, Parent PID: 5481

General

Start time:	22:08:42
Start date:	15/04/2022
Path:	/usr/bin/mtxpozvnco
Arguments:	/usr/bin/mtxpozvnco whoami 5225
File size:	548693 bytes
MD5 hash:	e2c161f9d0d7f462eda76b47ce513269

Chronological Activities

Analysis Process: mtxpozvnco PID: 5484, Parent PID: 5482

General

Start time:	22:08:42
Start date:	15/04/2022
Path:	/usr/bin/mtxpozvnco
Arguments:	n/a
File size:	548693 bytes
MD5 hash:	e2c161f9d0d7f462eda76b47ce513269

Chronological Activities

Analysis Process: xor1.o PID: 5483, Parent PID: 5225

General

Start time:	22:08:42
Start date:	15/04/2022
Path:	/tmp/xor1.o
Arguments:	n/a
File size:	548682 bytes
MD5 hash:	21c61e95827a7f9e1022e1b2fabe0386

Chronological Activities

Analysis Process: xor1.o PID: 5485, Parent PID: 5483

General

Start time:	22:08:42
Start date:	15/04/2022
Path:	/tmp/xor1.o
Arguments:	n/a
File size:	548682 bytes
MD5 hash:	21c61e95827a7f9e1022e1b2fabe0386

Chronological Activities

Analysis Process: mtxpozvnco PID: 5485, Parent PID: 5483

General

Start time:	22:08:42
Start date:	15/04/2022
Path:	/usr/bin/mtxpozvnco
Arguments:	/usr/bin/mtxpozvnco "route -n" 5225
File size:	548693 bytes
MD5 hash:	e2c161f9d0d7f462eda76b47ce513269

Chronological Activities

Analysis Process: mtxpozvnco PID: 5488, Parent PID: 5485

General

Start time:	22:08:42
Start date:	15/04/2022
Path:	/usr/bin/mtxpozvnco
Arguments:	n/a
File size:	548693 bytes
MD5 hash:	e2c161f9d0d7f462eda76b47ce513269

Chronological Activities

Analysis Process: xor1.o PID: 5486, Parent PID: 5225

General

Start time:	22:08:42
Start date:	15/04/2022
Path:	/tmp/xor1.o
Arguments:	n/a
File size:	548682 bytes
MD5 hash:	21c61e95827a7f9e1022e1b2fabe0386

Chronological Activities

Analysis Process: xor1.o PID: 5487, Parent PID: 5486

General

Start time:	22:08:42
Start date:	15/04/2022
Path:	/tmp/xor1.o
Arguments:	n/a
File size:	548682 bytes
MD5 hash:	21c61e95827a7f9e1022e1b2fabe0386

Chronological Activities

Analysis Process: mtxpozvnco PID: 5487, Parent PID: 5486

General

Start time:	22:08:42
Start date:	15/04/2022
Path:	/usr/bin/mtxpozvnco
Arguments:	/usr/bin/mtxpozvnco "echo \"find\"" 5225
File size:	548693 bytes
MD5 hash:	e2c161f9d0d7f462eda76b47ce513269

Chronological Activities

Analysis Process: mtxpozvnco PID: 5491, Parent PID: 5487

General

Start time:	22:08:42
Start date:	15/04/2022
Path:	/usr/bin/mtxpozvnco
Arguments:	n/a
File size:	548693 bytes
MD5 hash:	e2c161f9d0d7f462eda76b47ce513269

Chronological Activities

Analysis Process: xor1.o PID: 5489, Parent PID: 5225

General

Start time:	22:08:42
Start date:	15/04/2022
Path:	/tmp/xor1.o
Arguments:	n/a
File size:	548682 bytes
MD5 hash:	21c61e95827a7f9e1022e1b2fabe0386

Chronological Activities

Analysis Process: xor1.o PID: 5490, Parent PID: 5489

General

Start time:	22:08:42
Start date:	15/04/2022
Path:	/tmp/xor1.o
Arguments:	n/a
File size:	548682 bytes
MD5 hash:	21c61e95827a7f9e1022e1b2fabe0386

Chronological Activities

Analysis Process: mtxpozvnco PID: 5490, Parent PID: 5489

General

Start time:	22:08:42
Start date:	15/04/2022
Path:	/usr/bin/mtxpozvnco
Arguments:	/usr/bin/mtxpozvnco "ps -ef" 5225
File size:	548693 bytes
MD5 hash:	e2c161f9d0d7f462eda76b47ce513269

Chronological Activities

Analysis Process: mtxpozvnco PID: 5492, Parent PID: 5490

General

Start time:	22:08:42
Start date:	15/04/2022
Path:	/usr/bin/mtxpozvnco
Arguments:	n/a
File size:	548693 bytes
MD5 hash:	e2c161f9d0d7f462eda76b47ce513269

Chronological Activities

Analysis Process: xor1.o PID: 5495, Parent PID: 5225

General

Start time:	22:08:48
Start date:	15/04/2022
Path:	/tmp/xor1.o
Arguments:	n/a
File size:	548682 bytes
MD5 hash:	21c61e95827a7f9e1022e1b2fabe0386

Chronological Activities

Analysis Process: xor1.o PID: 5496, Parent PID: 5495

General

Start time:	22:08:48
Start date:	15/04/2022
Path:	/tmp/xor1.o
Arguments:	n/a
File size:	548682 bytes
MD5 hash:	21c61e95827a7f9e1022e1b2fabe0386

Chronological Activities

Analysis Process: uvefoplmkt PID: 5496, Parent PID: 5495

General

Start time:	22:08:48
Start date:	15/04/2022
Path:	/usr/bin/uvefoplmkt
Arguments:	/usr/bin/uvefoplmkt "route -n" 5225
File size:	548693 bytes
MD5 hash:	3875f293a0148fe270e22a5cb87c38dc

Chronological Activities

Analysis Process: uvefoplmkt PID: 5497, Parent PID: 5496

General

Start time:	22:08:48
Start date:	15/04/2022
Path:	/usr/bin/uvefoplmkt
Arguments:	n/a
File size:	548693 bytes
MD5 hash:	3875f293a0148fe270e22a5cb87c38dc

Chronological Activities

Analysis Process: xor1.o PID: 5498, Parent PID: 5225

General

Start time:	22:08:48
Start date:	15/04/2022
Path:	/tmp/xor1.o
Arguments:	n/a
File size:	548682 bytes
MD5 hash:	21c61e95827a7f9e1022e1b2fabe0386

Chronological Activities

Analysis Process: xor1.o PID: 5499, Parent PID: 5498

General

Start time:	22:08:48
Start date:	15/04/2022
Path:	/tmp/xor1.o
Arguments:	n/a
File size:	548682 bytes
MD5 hash:	21c61e95827a7f9e1022e1b2fabe0386

Chronological Activities

Analysis Process: uvefoplmkt PID: 5499, Parent PID: 5498

General

Start time:	22:08:48
Start date:	15/04/2022
Path:	/usr/bin/uvefoplmkt
Arguments:	/usr/bin/uvefoplmkt top 5225
File size:	548693 bytes
MD5 hash:	3875f293a0148fe270e22a5cb87c38dc

Chronological Activities

Analysis Process: uvefoplmkt PID: 5502, Parent PID: 5499

General

Start time:	22:08:48
Start date:	15/04/2022
Path:	/usr/bin/uvefoplmkt
Arguments:	n/a
File size:	548693 bytes
MD5 hash:	3875f293a0148fe270e22a5cb87c38dc

Chronological Activities

Analysis Process: xor1.o PID: 5500, Parent PID: 5225

General

Start time:	22:08:48
Start date:	15/04/2022
Path:	/tmp/xor1.o
Arguments:	n/a
File size:	548682 bytes
MD5 hash:	21c61e95827a7f9e1022e1b2fabe0386

Chronological Activities

Analysis Process: xor1.o PID: 5501, Parent PID: 5500

General

Start time:	22:08:48
Start date:	15/04/2022
Path:	/tmp/xor1.o
Arguments:	n/a
File size:	548682 bytes
MD5 hash:	21c61e95827a7f9e1022e1b2fabe0386

Chronological Activities

Analysis Process: uvefoplmkt PID: 5501, Parent PID: 5500

General

Start time:	22:08:48
Start date:	15/04/2022
Path:	/usr/bin/uvefoplmkt
Arguments:	/usr/bin/uvefoplmkt "ifconfig eth0" 5225
File size:	548693 bytes
MD5 hash:	3875f293a0148fe270e22a5cb87c38dc

Chronological Activities

Analysis Process: uvefoplmkt PID: 5505, Parent PID: 5501

General

Start time:	22:08:48
Start date:	15/04/2022
Path:	/usr/bin/uvefoplmkt
Arguments:	n/a
File size:	548693 bytes
MD5 hash:	3875f293a0148fe270e22a5cb87c38dc

Chronological Activities

Analysis Process: xor1.o PID: 5503, Parent PID: 5225

General

Start time:	22:08:48
Start date:	15/04/2022
Path:	/tmp/xor1.o
Arguments:	n/a
File size:	548682 bytes
MD5 hash:	21c61e95827a7f9e1022e1b2fabe0386

Chronological Activities

Analysis Process: xor1.o PID: 5504, Parent PID: 5503

General

Start time:	22:08:48
Start date:	15/04/2022
Path:	/tmp/xor1.o
Arguments:	n/a
File size:	548682 bytes
MD5 hash:	21c61e95827a7f9e1022e1b2fabe0386

Chronological Activities

Analysis Process: uvefoplmkt PID: 5504, Parent PID: 5503

General

Start time:	22:08:48
Start date:	15/04/2022
Path:	/usr/bin/uvefoplmkt
Arguments:	/usr/bin/uvefoplmkt uptime 5225
File size:	548693 bytes
MD5 hash:	3875f293a0148fe270e22a5cb87c38dc

Chronological Activities

Analysis Process: uvefoplmkt PID: 5506, Parent PID: 5504

General

Start time:	22:08:48
Start date:	15/04/2022
Path:	/usr/bin/uvefoplmkt
Arguments:	n/a
File size:	548693 bytes
MD5 hash:	3875f293a0148fe270e22a5cb87c38dc

Chronological Activities

Analysis Process: xor1.o PID: 5507, Parent PID: 5225

General

Start time:	22:08:48
Start date:	15/04/2022
Path:	/tmp/xor1.o
Arguments:	n/a
File size:	548682 bytes
MD5 hash:	21c61e95827a7f9e1022e1b2fabe0386

Chronological Activities

Analysis Process: xor1.o PID: 5508, Parent PID: 5507

General

Start time:	22:08:48
Start date:	15/04/2022
Path:	/tmp/xor1.o
Arguments:	n/a
File size:	548682 bytes
MD5 hash:	21c61e95827a7f9e1022e1b2fabe0386

Chronological Activities

Analysis Process: uvefoplmkt PID: 5508, Parent PID: 5507

General

Start time:	22:08:48
Start date:	15/04/2022
Path:	/usr/bin/uvefoplmkt
Arguments:	/usr/bin/uvefoplmkt id 5225
File size:	548693 bytes
MD5 hash:	3875f293a0148fe270e22a5cb87c38dc

Chronological Activities

Analysis Process: uvefoplmkt PID: 5509, Parent PID: 5508

General

Start time:	22:08:48
Start date:	15/04/2022
Path:	/usr/bin/uvefoplmkt
Arguments:	n/a
File size:	548693 bytes
MD5 hash:	3875f293a0148fe270e22a5cb87c38dc

Chronological Activities

Analysis Process: xor1.o PID: 5513, Parent PID: 5225

General

Start time:	22:08:54
Start date:	15/04/2022
Path:	/tmp/xor1.o
Arguments:	n/a
File size:	548682 bytes
MD5 hash:	21c61e95827a7f9e1022e1b2fabe0386

Chronological Activities

Analysis Process: xor1.o PID: 5514, Parent PID: 5513

General

Start time:	22:08:54
Start date:	15/04/2022
Path:	/tmp/xor1.o
Arguments:	n/a
File size:	548682 bytes
MD5 hash:	21c61e95827a7f9e1022e1b2fabe0386

Chronological Activities

Analysis Process: wftusxulhl PID: 5514, Parent PID: 5513

General

Start time:	22:08:54
Start date:	15/04/2022
Path:	/usr/bin/wftusxulhl
Arguments:	/usr/bin/wftusxulhl "ls -la" 5225
File size:	548693 bytes
MD5 hash:	5b08aaf6d666324f456c95522d18df97

Chronological Activities

Analysis Process: wftusxulhl PID: 5515, Parent PID: 5514

General

Start time:	22:08:54
Start date:	15/04/2022
Path:	/usr/bin/wftusxulhl
Arguments:	n/a
File size:	548693 bytes
MD5 hash:	5b08aaf6d666324f456c95522d18df97

Chronological Activities

Analysis Process: xor1.o PID: 5516, Parent PID: 5225

General

Start time:	22:08:54
Start date:	15/04/2022
Path:	/tmp/xor1.o
Arguments:	n/a
File size:	548682 bytes
MD5 hash:	21c61e95827a7f9e1022e1b2fabe0386

Chronological Activities

Analysis Process: xor1.o PID: 5517, Parent PID: 5516

General

Start time:	22:08:54
Start date:	15/04/2022
Path:	/tmp/xor1.o
Arguments:	n/a
File size:	548682 bytes
MD5 hash:	21c61e95827a7f9e1022e1b2fabe0386

Chronological Activities

Analysis Process: wftusxulhl PID: 5517, Parent PID: 5516

General

Start time:	22:08:54
Start date:	15/04/2022
Path:	/usr/bin/wftusxulhl
Arguments:	/usr/bin/wftusxulhl who 5225
File size:	548693 bytes
MD5 hash:	5b08aaf6d666324f456c95522d18df97

Chronological Activities

Analysis Process: wftusxulhl PID: 5520, Parent PID: 5517

General

Start time:	22:08:54
Start date:	15/04/2022
Path:	/usr/bin/wftusxulhl
Arguments:	n/a
File size:	548693 bytes
MD5 hash:	5b08aaf6d666324f456c95522d18df97

Chronological Activities

Analysis Process: xor1.o PID: 5518, Parent PID: 5225

General

Start time:	22:08:54
Start date:	15/04/2022
Path:	/tmp/xor1.o
Arguments:	n/a
File size:	548682 bytes
MD5 hash:	21c61e95827a7f9e1022e1b2fabe0386

Chronological Activities

Analysis Process: xor1.o PID: 5519, Parent PID: 5518

General

Start time:	22:08:54
Start date:	15/04/2022
Path:	/tmp/xor1.o
Arguments:	n/a
File size:	548682 bytes
MD5 hash:	21c61e95827a7f9e1022e1b2fabe0386

Chronological Activities

Analysis Process: wftusxulhl PID: 5519, Parent PID: 5518

General

Start time:	22:08:54
Start date:	15/04/2022
Path:	/usr/bin/wftusxulhl
Arguments:	/usr/bin/wftusxulhl bash 5225
File size:	548693 bytes
MD5 hash:	5b08aaf6d666324f456c95522d18df97

Chronological Activities

Analysis Process: wftusxulhl PID: 5523, Parent PID: 5519

General

Start time:	22:08:54
Start date:	15/04/2022
Path:	/usr/bin/wftusxulhl
Arguments:	n/a
File size:	548693 bytes
MD5 hash:	5b08aaf6d666324f456c95522d18df97

Chronological Activities

Analysis Process: xor1.o PID: 5521, Parent PID: 5225

General

Start time:	22:08:54
Start date:	15/04/2022
Path:	/tmp/xor1.o
Arguments:	n/a
File size:	548682 bytes
MD5 hash:	21c61e95827a7f9e1022e1b2fabe0386

Chronological Activities

Analysis Process: xor1.o PID: 5522, Parent PID: 5521

General

Start time:	22:08:54
Start date:	15/04/2022
Path:	/tmp/xor1.o
Arguments:	n/a
File size:	548682 bytes
MD5 hash:	21c61e95827a7f9e1022e1b2fabe0386

Chronological Activities

Analysis Process: wftusxulhl PID: 5522, Parent PID: 5521

General

Start time:	22:08:54
Start date:	15/04/2022
Path:	/usr/bin/wftusxulhl
Arguments:	/usr/bin/wftusxulhl "ps -ef" 5225
File size:	548693 bytes
MD5 hash:	5b08aaf6d666324f456c95522d18df97

Chronological Activities

Analysis Process: wftusxulhl PID: 5524, Parent PID: 5522

General

Start time:	22:08:54
Start date:	15/04/2022
Path:	/usr/bin/wftusxulhl
Arguments:	n/a
File size:	548693 bytes
MD5 hash:	5b08aaf6d666324f456c95522d18df97

Chronological Activities

Analysis Process: xor1.o PID: 5525, Parent PID: 5225

General

Start time:	22:08:54
Start date:	15/04/2022
Path:	/tmp/xor1.o
Arguments:	n/a
File size:	548682 bytes
MD5 hash:	21c61e95827a7f9e1022e1b2fabe0386

Chronological Activities

Analysis Process: xor1.o PID: 5526, Parent PID: 5525

General

Start time:	22:08:54
Start date:	15/04/2022
Path:	/tmp/xor1.o
Arguments:	n/a
File size:	548682 bytes
MD5 hash:	21c61e95827a7f9e1022e1b2fabe0386

Chronological Activities

Analysis Process: wftusxulhl PID: 5526, Parent PID: 5525

General

Start time:	22:08:54
Start date:	15/04/2022
Path:	/usr/bin/wftusxulhl
Arguments:	/usr/bin/wftusxulhl "echo \"find\"" 5225
File size:	548693 bytes
MD5 hash:	5b08aaf6d666324f456c95522d18df97

Chronological Activities

Analysis Process: wftusxulhl PID: 5527, Parent PID: 5526

General

Start time:	22:08:54
Start date:	15/04/2022
Path:	/usr/bin/wftusxulhl
Arguments:	n/a
File size:	548693 bytes
MD5 hash:	5b08aaf6d666324f456c95522d18df97

Chronological Activities

Analysis Process: xor1.o PID: 5530, Parent PID: 5225

General

Start time:	22:08:59
Start date:	15/04/2022
Path:	/tmp/xor1.o
Arguments:	n/a
File size:	548682 bytes
MD5 hash:	21c61e95827a7f9e1022e1b2fabe0386

Chronological Activities

Analysis Process: xor1.o PID: 5531, Parent PID: 5530

General

Start time:	22:08:59
Start date:	15/04/2022
Path:	/tmp/xor1.o
Arguments:	n/a
File size:	548682 bytes
MD5 hash:	21c61e95827a7f9e1022e1b2fabe0386

Chronological Activities

Analysis Process: whjuunzbrd PID: 5531, Parent PID: 5530

General

Start time:	22:08:59
Start date:	15/04/2022
Path:	/usr/bin/whjuunzbrd
Arguments:	/usr/bin/whjuunzbrd ifconfig 5225
File size:	548693 bytes
MD5 hash:	0bb4342d60a95c4d2929555dd4e25171

Chronological Activities

Analysis Process: whjuunzbrd PID: 5532, Parent PID: 5531

General

Start time:	22:08:59
Start date:	15/04/2022
Path:	/usr/bin/whjuunzbrd
Arguments:	n/a
File size:	548693 bytes
MD5 hash:	0bb4342d60a95c4d2929555dd4e25171

Chronological Activities

Analysis Process: xor1.o PID: 5533, Parent PID: 5225

General

Start time:	22:08:59
Start date:	15/04/2022
Path:	/tmp/xor1.o
Arguments:	n/a
File size:	548682 bytes
MD5 hash:	21c61e95827a7f9e1022e1b2fabe0386

Chronological Activities

Analysis Process: xor1.o PID: 5534, Parent PID: 5533

General

Start time:	22:08:59
Start date:	15/04/2022
Path:	/tmp/xor1.o
Arguments:	n/a
File size:	548682 bytes
MD5 hash:	21c61e95827a7f9e1022e1b2fabe0386

Chronological Activities

Analysis Process: whjuunzbrd PID: 5534, Parent PID: 5533

General

Start time:	22:08:59
Start date:	15/04/2022
Path:	/usr/bin/whjuunzbrd
Arguments:	/usr/bin/whjuunzbrd "ps -ef" 5225
File size:	548693 bytes
MD5 hash:	0bb4342d60a95c4d2929555dd4e25171

Chronological Activities

Analysis Process: whjuunzbrd PID: 5537, Parent PID: 5534

General

Start time:	22:09:00
Start date:	15/04/2022
Path:	/usr/bin/whjuunzbrd
Arguments:	n/a
File size:	548693 bytes
MD5 hash:	0bb4342d60a95c4d2929555dd4e25171

Chronological Activities

Analysis Process: xor1.o PID: 5535, Parent PID: 5225

General

Start time:	22:09:00
Start date:	15/04/2022
Path:	/tmp/xor1.o
Arguments:	n/a
File size:	548682 bytes
MD5 hash:	21c61e95827a7f9e1022e1b2fabe0386

Chronological Activities

Analysis Process: xor1.o PID: 5536, Parent PID: 5535

General

Start time:	22:09:00
Start date:	15/04/2022
Path:	/tmp/xor1.o
Arguments:	n/a
File size:	548682 bytes
MD5 hash:	21c61e95827a7f9e1022e1b2fabe0386

Chronological Activities

Analysis Process: whjuunzbrd PID: 5536, Parent PID: 5535

General

Start time:	22:09:00
Start date:	15/04/2022
Path:	/usr/bin/whjuunzbrd
Arguments:	/usr/bin/whjuunzbrd ls 5225
File size:	548693 bytes
MD5 hash:	0bb4342d60a95c4d2929555dd4e25171

Chronological Activities

Analysis Process: whjuunzbrd PID: 5540, Parent PID: 5536

General

Start time:	22:09:00
Start date:	15/04/2022
Path:	/usr/bin/whjuunzbrd
Arguments:	n/a
File size:	548693 bytes
MD5 hash:	0bb4342d60a95c4d2929555dd4e25171

Chronological Activities

Analysis Process: xor1.o PID: 5538, Parent PID: 5225

General

Start time:	22:09:00
Start date:	15/04/2022
Path:	/tmp/xor1.o
Arguments:	n/a
File size:	548682 bytes
MD5 hash:	21c61e95827a7f9e1022e1b2fabe0386

Chronological Activities

Analysis Process: xor1.o PID: 5539, Parent PID: 5538

General

Start time:	22:09:00
Start date:	15/04/2022
Path:	/tmp/xor1.o
Arguments:	n/a
File size:	548682 bytes
MD5 hash:	21c61e95827a7f9e1022e1b2fabe0386

Chronological Activities

Analysis Process: whjuunzbrd PID: 5539, Parent PID: 5538

General

Start time:	22:09:00
Start date:	15/04/2022
Path:	/usr/bin/whjuunzbrd
Arguments:	/usr/bin/whjuunzbrd "grep \"A\"" 5225
File size:	548693 bytes
MD5 hash:	0bb4342d60a95c4d2929555dd4e25171

Chronological Activities

Analysis Process: whjuunzbrd PID: 5543, Parent PID: 5539

General

Start time:	22:09:00
Start date:	15/04/2022
Path:	/usr/bin/whjuunzbrd
Arguments:	n/a
File size:	548693 bytes
MD5 hash:	0bb4342d60a95c4d2929555dd4e25171

Chronological Activities

Analysis Process: xor1.o PID: 5541, Parent PID: 5225

General

Start time:	22:09:00
Start date:	15/04/2022
Path:	/tmp/xor1.o
Arguments:	n/a
File size:	548682 bytes
MD5 hash:	21c61e95827a7f9e1022e1b2fabe0386

Chronological Activities

Analysis Process: xor1.o PID: 5542, Parent PID: 5541

General

Start time:	22:09:00
Start date:	15/04/2022
Path:	/tmp/xor1.o
Arguments:	n/a
File size:	548682 bytes
MD5 hash:	21c61e95827a7f9e1022e1b2fabe0386

Chronological Activities

Analysis Process: whjuunzbrd PID: 5542, Parent PID: 5541

General

Start time:	22:09:00
Start date:	15/04/2022
Path:	/usr/bin/whjuunzbrd
Arguments:	/usr/bin/whjuunzbrd "netstat -antop" 5225
File size:	548693 bytes
MD5 hash:	0bb4342d60a95c4d2929555dd4e25171

Chronological Activities

Analysis Process: whjuunzbrd PID: 5546, Parent PID: 5542

General

Start time:	22:09:00
Start date:	15/04/2022
Path:	/usr/bin/whjuunzbrd
Arguments:	n/a
File size:	548693 bytes
MD5 hash:	0bb4342d60a95c4d2929555dd4e25171

Chronological Activities

Analysis Process: xor1.o PID: 5548, Parent PID: 5225

General

Start time:	22:09:05
Start date:	15/04/2022
Path:	/tmp/xor1.o
Arguments:	n/a
File size:	548682 bytes
MD5 hash:	21c61e95827a7f9e1022e1b2fabe0386

Chronological Activities

Analysis Process: xor1.o PID: 5549, Parent PID: 5548

General

Start time:	22:09:05
Start date:	15/04/2022
Path:	/tmp/xor1.o
Arguments:	n/a
File size:	548682 bytes
MD5 hash:	21c61e95827a7f9e1022e1b2fabe0386

Chronological Activities

Analysis Process: ljtvmuptjr PID: 5549, Parent PID: 5548

General

Start time:	22:09:05
Start date:	15/04/2022
Path:	/usr/bin/ljtvmuptjr
Arguments:	/usr/bin/ljtvmuptjr "route -n" 5225
File size:	548693 bytes
MD5 hash:	18050908179e638d911281b1da167ba5

Chronological Activities

Analysis Process: ljtvmuptjr PID: 5550, Parent PID: 5549

General

Start time:	22:09:05
Start date:	15/04/2022
Path:	/usr/bin/ljtvmuptjr
Arguments:	n/a
File size:	548693 bytes
MD5 hash:	18050908179e638d911281b1da167ba5

Chronological Activities

Analysis Process: xor1.o PID: 5551, Parent PID: 5225

General

Start time:	22:09:05
Start date:	15/04/2022
Path:	/tmp/xor1.o
Arguments:	n/a
File size:	548682 bytes
MD5 hash:	21c61e95827a7f9e1022e1b2fabe0386

Chronological Activities

Analysis Process: xor1.o PID: 5552, Parent PID: 5551

General

Start time:	22:09:05
Start date:	15/04/2022
Path:	/tmp/xor1.o
Arguments:	n/a
File size:	548682 bytes
MD5 hash:	21c61e95827a7f9e1022e1b2fabe0386

Chronological Activities

Analysis Process: ljtvmuptjr PID: 5552, Parent PID: 5551

General

Start time:	22:09:05
Start date:	15/04/2022
Path:	/usr/bin/ljtvmuptjr
Arguments:	/usr/bin/ljtvmuptjr "ifconfig eth0" 5225
File size:	548693 bytes
MD5 hash:	18050908179e638d911281b1da167ba5

Chronological Activities

Analysis Process: ljtvmuptjr PID: 5553, Parent PID: 5552

General

Start time:	22:09:05
Start date:	15/04/2022
Path:	/usr/bin/ljtvmuptjr
Arguments:	n/a
File size:	548693 bytes
MD5 hash:	18050908179e638d911281b1da167ba5

Chronological Activities

Analysis Process: xor1.o PID: 5554, Parent PID: 5225

General

Start time:	22:09:05
Start date:	15/04/2022
Path:	/tmp/xor1.o
Arguments:	n/a
File size:	548682 bytes
MD5 hash:	21c61e95827a7f9e1022e1b2fabe0386

Chronological Activities

Analysis Process: xor1.o PID: 5555, Parent PID: 5554

General

Start time:	22:09:05
Start date:	15/04/2022
Path:	/tmp/xor1.o
Arguments:	n/a
File size:	548682 bytes
MD5 hash:	21c61e95827a7f9e1022e1b2fabe0386

Chronological Activities

Analysis Process: ljtvmuptjr PID: 5555, Parent PID: 5554

General

Start time:	22:09:05
Start date:	15/04/2022
Path:	/usr/bin/ljtvmuptjr
Arguments:	/usr/bin/ljtvmuptjr who 5225
File size:	548693 bytes
MD5 hash:	18050908179e638d911281b1da167ba5

Chronological Activities

Analysis Process: ljtvmuptjr PID: 5560, Parent PID: 5555

General

Start time:	22:09:05
Start date:	15/04/2022
Path:	/usr/bin/ljtvmuptjr
Arguments:	n/a
File size:	548693 bytes
MD5 hash:	18050908179e638d911281b1da167ba5

Chronological Activities

Analysis Process: xor1.o PID: 5558, Parent PID: 5225

General

Start time:	22:09:05
Start date:	15/04/2022
Path:	/tmp/xor1.o
Arguments:	n/a
File size:	548682 bytes
MD5 hash:	21c61e95827a7f9e1022e1b2fabe0386

Chronological Activities

Analysis Process: xor1.o PID: 5559, Parent PID: 5558

General

Start time:	22:09:05
Start date:	15/04/2022
Path:	/tmp/xor1.o
Arguments:	n/a
File size:	548682 bytes
MD5 hash:	21c61e95827a7f9e1022e1b2fabe0386

Chronological Activities

Analysis Process: ljtvmuptjr PID: 5559, Parent PID: 1860

General

Start time:	22:09:05
Start date:	15/04/2022
Path:	/usr/bin/ljtvmuptjr
Arguments:	/usr/bin/ljtvmuptjr whoami 5225
File size:	548693 bytes
MD5 hash:	18050908179e638d911281b1da167ba5

Chronological Activities

Analysis Process: ljtvmuptjr PID: 5563, Parent PID: 5559

General

Start time:	22:09:05
Start date:	15/04/2022
Path:	/usr/bin/ljtvmuptjr
Arguments:	n/a
File size:	548693 bytes
MD5 hash:	18050908179e638d911281b1da167ba5

Chronological Activities

Analysis Process: xor1.o PID: 5561, Parent PID: 5225

General

Start time:	22:09:05
Start date:	15/04/2022
Path:	/tmp/xor1.o
Arguments:	n/a
File size:	548682 bytes
MD5 hash:	21c61e95827a7f9e1022e1b2fabe0386

Chronological Activities

Analysis Process: xor1.o PID: 5562, Parent PID: 5561

General

Start time:	22:09:05
Start date:	15/04/2022
Path:	/tmp/xor1.o
Arguments:	n/a
File size:	548682 bytes
MD5 hash:	21c61e95827a7f9e1022e1b2fabe0386

Chronological Activities

Analysis Process: ljtvmuptjr PID: 5562, Parent PID: 1860

General

Start time:	22:09:05
Start date:	15/04/2022
Path:	/usr/bin/ljtvmuptjr
Arguments:	/usr/bin/ljtvmuptjr gnome-terminal 5225
File size:	548693 bytes
MD5 hash:	18050908179e638d911281b1da167ba5

Chronological Activities

Analysis Process: ljtvmuptjr PID: 5564, Parent PID: 5562

General

Start time:	22:09:05
Start date:	15/04/2022
Path:	/usr/bin/ljtvmuptjr
Arguments:	n/a
File size:	548693 bytes
MD5 hash:	18050908179e638d911281b1da167ba5

Chronological Activities

Analysis Process: xor1.o PID: 5569, Parent PID: 5225

General

Start time:	22:09:11
Start date:	15/04/2022
Path:	/tmp/xor1.o
Arguments:	n/a
File size:	548682 bytes
MD5 hash:	21c61e95827a7f9e1022e1b2fabe0386

Chronological Activities

Analysis Process: xor1.o PID: 5570, Parent PID: 5569

General

Start time:	22:09:11
Start date:	15/04/2022
Path:	/tmp/xor1.o
Arguments:	n/a
File size:	548682 bytes
MD5 hash:	21c61e95827a7f9e1022e1b2fabe0386

Chronological Activities

Analysis Process: ignsgczdve PID: 5570, Parent PID: 5569

General

Start time:	22:09:11
Start date:	15/04/2022
Path:	/usr/bin/ignsgczdve
Arguments:	/usr/bin/ignsgczdve "sleep 1" 5225
File size:	548704 bytes
MD5 hash:	06d4c7964c243ed528dbfb46793775ec

Chronological Activities

Analysis Process: ignsgczdve PID: 5575, Parent PID: 5570

General

Start time:	22:09:11
Start date:	15/04/2022
Path:	/usr/bin/ignsgczdve
Arguments:	n/a
File size:	548704 bytes
MD5 hash:	06d4c7964c243ed528dbfb46793775ec

Chronological Activities

Analysis Process: xor1.o PID: 5571, Parent PID: 5225

General

Start time:	22:09:11
Start date:	15/04/2022
Path:	/tmp/xor1.o
Arguments:	n/a
File size:	548682 bytes
MD5 hash:	21c61e95827a7f9e1022e1b2fabe0386

Chronological Activities

Analysis Process: xor1.o PID: 5572, Parent PID: 5571

General

Start time:	22:09:11
Start date:	15/04/2022
Path:	/tmp/xor1.o
Arguments:	n/a
File size:	548682 bytes
MD5 hash:	21c61e95827a7f9e1022e1b2fabe0386

Chronological Activities

Analysis Process: ignsgczdve PID: 5572, Parent PID: 1860

General

Start time:	22:09:11
Start date:	15/04/2022
Path:	/usr/bin/ignsgczdve
Arguments:	/usr/bin/ignsgczdve uptime 5225
File size:	548704 bytes
MD5 hash:	06d4c7964c243ed528dbfb46793775ec

Chronological Activities

Analysis Process: ignsgczdve PID: 5578, Parent PID: 5572

General

Start time:	22:09:11
Start date:	15/04/2022
Path:	/usr/bin/ignsgczdve
Arguments:	n/a
File size:	548704 bytes
MD5 hash:	06d4c7964c243ed528dbfb46793775ec

Chronological Activities

Analysis Process: xor1.o PID: 5573, Parent PID: 5225

General

Start time:	22:09:11
Start date:	15/04/2022
Path:	/tmp/xor1.o
Arguments:	n/a
File size:	548682 bytes
MD5 hash:	21c61e95827a7f9e1022e1b2fabe0386

Chronological Activities

Analysis Process: xor1.o PID: 5574, Parent PID: 5573

General

Start time:	22:09:11
Start date:	15/04/2022
Path:	/tmp/xor1.o
Arguments:	n/a
File size:	548682 bytes
MD5 hash:	21c61e95827a7f9e1022e1b2fabe0386

Chronological Activities

Analysis Process: ignsgczdve PID: 5574, Parent PID: 1860

General

Start time:	22:09:11
Start date:	15/04/2022
Path:	/usr/bin/ignsgczdve
Arguments:	/usr/bin/ignsgczdve "grep \"A\"" 5225
File size:	548704 bytes
MD5 hash:	06d4c7964c243ed528dbfb46793775ec

Chronological Activities

Analysis Process: ignsgczdve PID: 5581, Parent PID: 5574

General

Start time:	22:09:11
Start date:	15/04/2022
Path:	/usr/bin/ignsgczdve
Arguments:	n/a
File size:	548704 bytes
MD5 hash:	06d4c7964c243ed528dbfb46793775ec

Chronological Activities

Analysis Process: xor1.o PID: 5576, Parent PID: 5225

General

Start time:	22:09:11
Start date:	15/04/2022
Path:	/tmp/xor1.o
Arguments:	n/a
File size:	548682 bytes
MD5 hash:	21c61e95827a7f9e1022e1b2fabe0386

Chronological Activities

Analysis Process: xor1.o PID: 5577, Parent PID: 5576

General

Start time:	22:09:11
Start date:	15/04/2022
Path:	/tmp/xor1.o
Arguments:	n/a
File size:	548682 bytes
MD5 hash:	21c61e95827a7f9e1022e1b2fabe0386

Chronological Activities

Analysis Process: ignsgczdve PID: 5577, Parent PID: 1860

General

Start time:	22:09:11
Start date:	15/04/2022
Path:	/usr/bin/ignsgczdve
Arguments:	/usr/bin/ignsgczdve "echo \"find\"" 5225
File size:	548704 bytes
MD5 hash:	06d4c7964c243ed528dbfb46793775ec

Chronological Activities

Analysis Process: ignsgczdve PID: 5582, Parent PID: 5577

General

Start time:	22:09:11
Start date:	15/04/2022
Path:	/usr/bin/ignsgczdve
Arguments:	n/a
File size:	548704 bytes
MD5 hash:	06d4c7964c243ed528dbfb46793775ec

Chronological Activities

Analysis Process: xor1.o PID: 5579, Parent PID: 5225

General

Start time:	22:09:11
Start date:	15/04/2022
Path:	/tmp/xor1.o
Arguments:	n/a
File size:	548682 bytes
MD5 hash:	21c61e95827a7f9e1022e1b2fabe0386

Chronological Activities

Analysis Process: xor1.o PID: 5580, Parent PID: 5579

General

Start time:	22:09:11
Start date:	15/04/2022
Path:	/tmp/xor1.o
Arguments:	n/a
File size:	548682 bytes
MD5 hash:	21c61e95827a7f9e1022e1b2fabe0386

Chronological Activities

Analysis Process: ignsgczdve PID: 5580, Parent PID: 1860

General

Start time:	22:09:11
Start date:	15/04/2022
Path:	/usr/bin/ignsgczdve
Arguments:	/usr/bin/ignsgczdve "ps -ef" 5225
File size:	548704 bytes
MD5 hash:	06d4c7964c243ed528dbfb46793775ec

Chronological Activities

Analysis Process: ignsgczdve PID: 5583, Parent PID: 5580

General

Start time:	22:09:11
Start date:	15/04/2022
Path:	/usr/bin/ignsgczdve
Arguments:	n/a
File size:	548704 bytes
MD5 hash:	06d4c7964c243ed528dbfb46793775ec

Chronological Activities

Analysis Process: xor1.o PID: 5586, Parent PID: 5225

General

Start time:	22:09:16
Start date:	15/04/2022
Path:	/tmp/xor1.o
Arguments:	n/a
File size:	548682 bytes
MD5 hash:	21c61e95827a7f9e1022e1b2fabe0386

Chronological Activities

Analysis Process: xor1.o PID: 5587, Parent PID: 5586

General

Start time:	22:09:16
Start date:	15/04/2022
Path:	/tmp/xor1.o
Arguments:	n/a
File size:	548682 bytes
MD5 hash:	21c61e95827a7f9e1022e1b2fabe0386

Chronological Activities

Analysis Process: pblqlvjegj PID: 5587, Parent PID: 5586

General

Start time:	22:09:16
Start date:	15/04/2022
Path:	/usr/bin/pblqlvjegj
Arguments:	/usr/bin/pblqlvjegj ls 5225
File size:	548704 bytes
MD5 hash:	9160bbfcba108335f36f10633ff2706d

Chronological Activities

Analysis Process: pblqlvjegj PID: 5592, Parent PID: 5587

General

Start time:	22:09:16
Start date:	15/04/2022
Path:	/usr/bin/pblqlvjegj
Arguments:	n/a
File size:	548704 bytes
MD5 hash:	9160bbfcba108335f36f10633ff2706d

Chronological Activities

Analysis Process: xor1.o PID: 5588, Parent PID: 5225

General

Start time:	22:09:16
Start date:	15/04/2022
Path:	/tmp/xor1.o
Arguments:	n/a
File size:	548682 bytes
MD5 hash:	21c61e95827a7f9e1022e1b2fabe0386

Chronological Activities

Analysis Process: xor1.o PID: 5589, Parent PID: 5588

General

Start time:	22:09:16
Start date:	15/04/2022
Path:	/tmp/xor1.o
Arguments:	n/a
File size:	548682 bytes
MD5 hash:	21c61e95827a7f9e1022e1b2fabe0386

Chronological Activities

Analysis Process: pblqlvjegj PID: 5589, Parent PID: 1860

General

Start time:	22:09:16
Start date:	15/04/2022
Path:	/usr/bin/pblqlvjegj
Arguments:	/usr/bin/pblqlvjegj whoami 5225
File size:	548704 bytes
MD5 hash:	9160bbfcba108335f36f10633ff2706d

Chronological Activities

Analysis Process: pblqlvjegj PID: 5595, Parent PID: 5589

General

Start time:	22:09:16
Start date:	15/04/2022
Path:	/usr/bin/pblqlvjegj
Arguments:	n/a
File size:	548704 bytes
MD5 hash:	9160bbfcba108335f36f10633ff2706d

Chronological Activities

Analysis Process: xor1.o PID: 5590, Parent PID: 5225

General

Start time:	22:09:16
Start date:	15/04/2022
Path:	/tmp/xor1.o
Arguments:	n/a
File size:	548682 bytes
MD5 hash:	21c61e95827a7f9e1022e1b2fabe0386

Chronological Activities

Analysis Process: xor1.o PID: 5591, Parent PID: 5590

General

Start time:	22:09:16
Start date:	15/04/2022
Path:	/tmp/xor1.o
Arguments:	n/a
File size:	548682 bytes
MD5 hash:	21c61e95827a7f9e1022e1b2fabe0386

Chronological Activities

Analysis Process: pblqlvjegj PID: 5591, Parent PID: 1860

General

Start time:	22:09:16
Start date:	15/04/2022
Path:	/usr/bin/pblqlvjegj
Arguments:	/usr/bin/pblqlvjegj uptime 5225
File size:	548704 bytes
MD5 hash:	9160bbfcba108335f36f10633ff2706d

Chronological Activities

Analysis Process: pblqlvjegj PID: 5598, Parent PID: 5591

General

Start time:	22:09:16
Start date:	15/04/2022
Path:	/usr/bin/pblqlvjegj
Arguments:	n/a
File size:	548704 bytes
MD5 hash:	9160bbfcba108335f36f10633ff2706d

Chronological Activities

Analysis Process: xor1.o PID: 5593, Parent PID: 5225

General

Start time:	22:09:16
Start date:	15/04/2022
Path:	/tmp/xor1.o
Arguments:	n/a
File size:	548682 bytes
MD5 hash:	21c61e95827a7f9e1022e1b2fabe0386

Chronological Activities

Analysis Process: xor1.o PID: 5594, Parent PID: 5593

General

Start time:	22:09:16
Start date:	15/04/2022
Path:	/tmp/xor1.o
Arguments:	n/a
File size:	548682 bytes
MD5 hash:	21c61e95827a7f9e1022e1b2fabe0386

Chronological Activities

Analysis Process: pblqlvjegj PID: 5594, Parent PID: 1860

General

Start time:	22:09:16
Start date:	15/04/2022
Path:	/usr/bin/pblqlvjegj
Arguments:	/usr/bin/pblqlvjegj "cat resolv.conf" 5225
File size:	548704 bytes
MD5 hash:	9160bbfcba108335f36f10633ff2706d

Chronological Activities

Analysis Process: pblqlvjegj PID: 5599, Parent PID: 5594

General

Start time:	22:09:16
Start date:	15/04/2022
Path:	/usr/bin/pblqlvjegj
Arguments:	n/a
File size:	548704 bytes
MD5 hash:	9160bbfcba108335f36f10633ff2706d

Chronological Activities

Analysis Process: xor1.o PID: 5596, Parent PID: 5225

General

Start time:	22:09:16
Start date:	15/04/2022
Path:	/tmp/xor1.o
Arguments:	n/a
File size:	548682 bytes
MD5 hash:	21c61e95827a7f9e1022e1b2fabe0386

Chronological Activities

Analysis Process: xor1.o PID: 5597, Parent PID: 5596

General

Start time:	22:09:16
Start date:	15/04/2022
Path:	/tmp/xor1.o
Arguments:	n/a
File size:	548682 bytes
MD5 hash:	21c61e95827a7f9e1022e1b2fabe0386

Chronological Activities

Analysis Process: pblqlvjegj PID: 5597, Parent PID: 1860

General

Start time:	22:09:16
Start date:	15/04/2022
Path:	/usr/bin/pblqlvjegj
Arguments:	/usr/bin/pblqlvjegj whoami 5225
File size:	548704 bytes
MD5 hash:	9160bbfcba108335f36f10633ff2706d

Chronological Activities

Analysis Process: pblqlvjegj PID: 5600, Parent PID: 5597

General

Start time:	22:09:16
Start date:	15/04/2022
Path:	/usr/bin/pblqlvjegj
Arguments:	n/a
File size:	548704 bytes
MD5 hash:	9160bbfcba108335f36f10633ff2706d

Chronological Activities

Analysis Process: xor1.o PID: 5603, Parent PID: 5225

General

Start time:	22:09:22
Start date:	15/04/2022
Path:	/tmp/xor1.o
Arguments:	n/a
File size:	548682 bytes
MD5 hash:	21c61e95827a7f9e1022e1b2fabe0386

Chronological Activities

Analysis Process: xor1.o PID: 5604, Parent PID: 5603

General

Start time:	22:09:22
Start date:	15/04/2022
Path:	/tmp/xor1.o
Arguments:	n/a
File size:	548682 bytes
MD5 hash:	21c61e95827a7f9e1022e1b2fabe0386

Chronological Activities

Analysis Process: iucjpzjgvn PID: 5604, Parent PID: 1860

General

Start time:	22:09:22
Start date:	15/04/2022
Path:	/usr/bin/iucjpzjgvn
Arguments:	/usr/bin/iucjpzjgvn "ifconfig eth0" 5225
File size:	548704 bytes
MD5 hash:	7c52ae3a9b63b16ec7417276689dc2de

Chronological Activities

Analysis Process: iucjpzjgvn PID: 5609, Parent PID: 5604

General

Start time:	22:09:22
Start date:	15/04/2022
Path:	/usr/bin/iucjpzjgvn
Arguments:	n/a
File size:	548704 bytes
MD5 hash:	7c52ae3a9b63b16ec7417276689dc2de

Chronological Activities

Analysis Process: xor1.o PID: 5605, Parent PID: 5225

General

Start time:	22:09:22
Start date:	15/04/2022
Path:	/tmp/xor1.o
Arguments:	n/a
File size:	548682 bytes
MD5 hash:	21c61e95827a7f9e1022e1b2fabe0386

Chronological Activities

Analysis Process: xor1.o PID: 5606, Parent PID: 5605

General

Start time:	22:09:22
Start date:	15/04/2022
Path:	/tmp/xor1.o
Arguments:	n/a
File size:	548682 bytes
MD5 hash:	21c61e95827a7f9e1022e1b2fabe0386

Chronological Activities

Analysis Process: iucjpzjgvn PID: 5606, Parent PID: 5605

General

Start time:	22:09:22
Start date:	15/04/2022
Path:	/usr/bin/iucjpzjgvn
Arguments:	/usr/bin/iucjpzjgvn "netstat -an" 5225
File size:	548704 bytes
MD5 hash:	7c52ae3a9b63b16ec7417276689dc2de

Chronological Activities

Analysis Process: iucjpzjgvn PID: 5612, Parent PID: 5606

General

Start time:	22:09:22
Start date:	15/04/2022
Path:	/usr/bin/iucjpzjgvn
Arguments:	n/a
File size:	548704 bytes
MD5 hash:	7c52ae3a9b63b16ec7417276689dc2de

Chronological Activities

Analysis Process: xor1.o PID: 5607, Parent PID: 5225

General

Start time:	22:09:22
Start date:	15/04/2022
Path:	/tmp/xor1.o
Arguments:	n/a
File size:	548682 bytes
MD5 hash:	21c61e95827a7f9e1022e1b2fabe0386

Chronological Activities

Analysis Process: xor1.o PID: 5608, Parent PID: 5607

General

Start time:	22:09:22
Start date:	15/04/2022
Path:	/tmp/xor1.o
Arguments:	n/a
File size:	548682 bytes
MD5 hash:	21c61e95827a7f9e1022e1b2fabe0386

Chronological Activities

Analysis Process: iucjpzjgvn PID: 5608, Parent PID: 1860

General

Start time:	22:09:22
Start date:	15/04/2022
Path:	/usr/bin/iucjpzjgvn
Arguments:	/usr/bin/iucjpzjgvn "ifconfig eth0" 5225
File size:	548704 bytes
MD5 hash:	7c52ae3a9b63b16ec7417276689dc2de

Chronological Activities

Analysis Process: iucjpzjgvn PID: 5615, Parent PID: 5608

General

Start time:	22:09:22
Start date:	15/04/2022
Path:	/usr/bin/iucjpzjgvn
Arguments:	n/a
File size:	548704 bytes
MD5 hash:	7c52ae3a9b63b16ec7417276689dc2de

Chronological Activities

Analysis Process: xor1.o PID: 5610, Parent PID: 5225

General

Start time:	22:09:22
Start date:	15/04/2022
Path:	/tmp/xor1.o
Arguments:	n/a
File size:	548682 bytes
MD5 hash:	21c61e95827a7f9e1022e1b2fabe0386

Chronological Activities

Analysis Process: xor1.o PID: 5611, Parent PID: 5610

General

Start time:	22:09:22
Start date:	15/04/2022
Path:	/tmp/xor1.o
Arguments:	n/a
File size:	548682 bytes
MD5 hash:	21c61e95827a7f9e1022e1b2fabe0386

Chronological Activities

Analysis Process: iucjpzjgvn PID: 5611, Parent PID: 1860

General

Start time:	22:09:22
Start date:	15/04/2022
Path:	/usr/bin/iucjpzjgvn
Arguments:	/usr/bin/iucjpzjgvn uptime 5225
File size:	548704 bytes
MD5 hash:	7c52ae3a9b63b16ec7417276689dc2de

Chronological Activities

Analysis Process: iucjpzjgvn PID: 5616, Parent PID: 5611

General

Start time:	22:09:22
Start date:	15/04/2022
Path:	/usr/bin/iucjpzjgvn
Arguments:	n/a
File size:	548704 bytes
MD5 hash:	7c52ae3a9b63b16ec7417276689dc2de

Chronological Activities

Analysis Process: xor1.o PID: 5613, Parent PID: 5225

General

Start time:	22:09:22
Start date:	15/04/2022
Path:	/tmp/xor1.o
Arguments:	n/a
File size:	548682 bytes
MD5 hash:	21c61e95827a7f9e1022e1b2fabe0386

Chronological Activities

Analysis Process: xor1.o PID: 5614, Parent PID: 5613

General

Start time:	22:09:22
Start date:	15/04/2022
Path:	/tmp/xor1.o
Arguments:	n/a
File size:	548682 bytes
MD5 hash:	21c61e95827a7f9e1022e1b2fabe0386

Chronological Activities

Analysis Process: iucjpzjgvn PID: 5614, Parent PID: 1860

General

Start time:	22:09:22
Start date:	15/04/2022
Path:	/usr/bin/iucjpzjgvn
Arguments:	/usr/bin/iucjpzjgvn "ifconfig eth0" 5225
File size:	548704 bytes
MD5 hash:	7c52ae3a9b63b16ec7417276689dc2de

Chronological Activities

Analysis Process: iucjpzjgvn PID: 5617, Parent PID: 5614

General

Start time:	22:09:22
Start date:	15/04/2022
Path:	/usr/bin/iucjpzjgvn
Arguments:	n/a
File size:	548704 bytes
MD5 hash:	7c52ae3a9b63b16ec7417276689dc2de

Chronological Activities

Analysis Process: systemd PID: 5237, Parent PID: 5236

General

Start time:	22:07:22
Start date:	15/04/2022
Path:	/usr/lib/systemd/systemd
Arguments:	n/a
File size:	1620224 bytes
MD5 hash:	9b2bec7092a40488108543f9334aab75

Chronological Activities

Analysis Process: snapd-env-generator PID: 5237, Parent PID: 5236

General

Start time:	22:07:22
Start date:	15/04/2022
Path:	/usr/lib/systemd/system-environment-generators/snapd-env-generator
Arguments:	/usr/lib/systemd/system-environment-generators/snapd-env-generator
File size:	22760 bytes
MD5 hash:	3633b075f40283ec938a2a6a89671b0e

Description:	This technique has been deprecated. Please use Command and Scripting Interpreter where appropriate.
Tactics:	Defense Evasion, Execution
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse the at utility to perform task scheduling for initial or recurring execution of malicious code. The at command within Linux operating systems enables administrators to schedule tasks.
Tactics:	Execution, Persistence, Privilege Escalation
Data Sources:	Process command-line parameters, Process monitoring
Platforms:	Linux
Url:	Open detailed description by Mitre

Description:	Adversaries may create or modify systemd services to repeatedly execute malicious payloads as part of persistence. The systemd service manager is commonly used for managing background daemon processes (also known as services) and other system resources.Systemd is the default initialization (init) system on many Linux distributions starting with Debian 8, Ubuntu 15.04, CentOS 7, RHEL 7, Fedora 15, and replaces legacy init systems including SysVinit and Upstart while remaining backwards compatible with the aforementioned init systems.
Tactics:	Persistence, Privilege Escalation
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may delete files left behind by the actions of their intrusion activity. Malware, tools, or other non-native files dropped or created on a system by an adversary may leave traces to indicate to what was done within a network and how. Removal of these files can occur during an intrusion, or as part of a post-intrusion process to minimize the adversary's footprint.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, File monitoring, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, Azure AD, GCP, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, GCP, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Malware reverse engineering, Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network, SSL/TLS inspection
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using a protocol and port paring that are typically not associated. For example, HTTPS over port 8088or port 587as opposed to the traditional port 443. Adversaries may make changes to the standard port used by a protocol to bypass filtering or muddle analysis/parsing of network data.
Tactics:	Command and Control
Data Sources:	Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use a non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Host network interface, Netflow/Enclave netflow, Network intrusion detection system, Network protocol analysis, Packet capture, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	DNS records, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Linux Analysis Report xor1.o

Overview

General Information

Detection

Signatures

Classification

Analysis Advice

General Information

Warnings

Runtime Messages

Process Tree

Yara Signatures

Initial Sample

Dropped Files

Memory Dumps

Joe Sandbox Signatures

AV Detection

Bitcoin Miner

Networking

DDoS

System Summary

Data Obfuscation

Persistence and Installation Behavior

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Remote Access Functionality

Mitre Att&ck Matrix

Malware Configuration

Behavior Graph

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Domains

URLs

Domains and IPs

Contacted Domains

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

/etc/cron.hourly/gcc.sh

/etc/crontab

/etc/init.d/xor1.o

/memfd:snapd-env-generator (deleted)

/run/gcc.pid

/usr/bin/cglyyshjyz

/usr/bin/dupayarwpd

/usr/bin/eiqbhbuvjy

/usr/bin/ifkpwnmtjm

/usr/bin/iqmzdzzagu

/usr/bin/jnoxdslvzn

/usr/bin/jwkufnauiy

/usr/bin/mbycomlghf

/usr/bin/mtxpozvnco

/usr/bin/ralgwrxppb

/usr/bin/sqpwspsmaf

/usr/bin/uvefoplmkt

/usr/bin/vdplvwquwd

/usr/bin/wftusxulhl

/usr/bin/wkuqobksgz

/usr/lib/libudev.so

Static File Info

General

Static ELF Info

ELF header

Sections

Program Segments

Linux Analysis Report
xor1.o