Edit tour

Linux Analysis Report
23.vir

Overview

General Information

Sample Name:	23.vir
Analysis ID:	659483
MD5:	9c7f574ad4c0e4a394f57d3d50227a58
SHA1:	d148b8051c438d792d2604c6aa69002743503197
SHA256:	b242c3eca68edc7c09505570455398cce9b02689287690971762899d1fb2b1a8
Infos:

Detection

XorDDoS

Score:	100
Range:	0 - 100
Whitelisted:	false

Signatures

Antivirus / Scanner detection for submitted sample

Multi AV Scanner detection for submitted file

Malicious sample detected (through community Yara rule)

Antivirus detection for dropped file

Yara detected XorDDoS Bot

Snort IDS alert for network traffic

Sample tries to persist itself using System V runlevels

Machine Learning detection for dropped file

Sample tries to persist itself using cron

Drops files in suspicious directories

Sample deletes itself

Machine Learning detection for sample

Writes ELF files to disk

Yara signature match

Drops files with innocent-looking names

PID-file does not contain an ASCII number

Writes shell script files to disk

Reads system information from the proc file system

Uses the "uname" system call to query kernel version information (possible evasion)

Executes the "systemctl" command used for controlling the systemd system and service manager

Sample and/or dropped files contains symbols with suspicious names

Reads CPU information from /proc indicative of miner or evasive malware

Writes shell script file to disk with an unusual file extension

Classification

General Information

Joe Sandbox Version:	35.0.0 Citrine
Analysis ID:	659483
Start date and time: 08/07/202208:42:29	2022-07-08 08:42:29 +02:00
Joe Sandbox Product:	CloudBasic
Overall analysis duration:	0h 6m 44s
Hypervisor based Inspection enabled:	false
Report type:	full
Sample file name:	23.vir
Cookbook file name:	defaultlinuxfilecookbook.jbs
Analysis system description:	Ubuntu Linux 16.04 x64 (Kernel 4.4.0-116, Firefox 88.0, Document Viewer 3.18.2, LibreOffice 5.1.6.2, OpenJDK 1.8.0_171)
Analysis Mode:	default
Detection:	MAL
Classification:	mal100.troj.evad.linVIR@0/20@3/0

Warnings

VT rate limit hit for: www.gzcfr5axf6.com:3309

Runtime Messages

Command:	/tmp/23.vir
PID:	9489
Exit Code:	0
Exit Code Info:
Killed:	False
Standard Output:
Standard Error:

Process Tree

system is lnxubuntu1

23.vir (PID: 9489, Parent: 9421, MD5: 9c7f574ad4c0e4a394f57d3d50227a58) Arguments: /tmp/23.vir

23.vir New Fork (PID: 9490, Parent: 9489)

23.vir New Fork (PID: 9492, Parent: 9490)

23.vir New Fork (PID: 9495, Parent: 9492)

23.vir New Fork (PID: 9501, Parent: 9490)

23.vir New Fork (PID: 9502, Parent: 9501)

update-rc.d (PID: 9502, Parent: 3310, MD5: e9e125904f9ed8ff4c8504a55a149005) Arguments: /usr/bin/perl /usr/sbin/update-rc.d 23.vir defaults

update-rc.d New Fork (PID: 9530, Parent: 9502)

insserv (PID: 9530, Parent: 9502, MD5: 34c11674a0b29347001640aeae7c94f1) Arguments: /usr/lib/insserv/insserv 23.vir

update-rc.d New Fork (PID: 9581, Parent: 9502)

systemctl (PID: 9581, Parent: 9502, MD5: b08096235b8c90203e17721264b5ce40) Arguments: systemctl daemon-reload

23.vir New Fork (PID: 9504, Parent: 9490)

dash (PID: 9504, Parent: 9490, MD5: e02ea3c3450d44126c46d658fa9e654c) Arguments: sh -c "sed -i '/\\/etc\\/cron.hourly\\/gcc.sh/d' /etc/crontab && echo '*/3 * * * * root /etc/cron.hourly/gcc.sh' >> /etc/crontab"

dash New Fork (PID: 9507, Parent: 9504)

sed (PID: 9507, Parent: 9504, MD5: c1a00c583ba08e728b10f3f46f5776d6) Arguments: sed -i /\\/etc\\/cron.hourly\\/gcc.sh/d /etc/crontab

23.vir New Fork (PID: 9590, Parent: 9490)

23.vir New Fork (PID: 9591, Parent: 9590)

nqyyaftfcu (PID: 9591, Parent: 9590, MD5: a708c38c98167a46094ab442093ef474) Arguments: /usr/bin/nqyyaftfcu whoami 9490

nqyyaftfcu New Fork (PID: 9592, Parent: 9591)

23.vir New Fork (PID: 9601, Parent: 9490)

23.vir New Fork (PID: 9602, Parent: 9601)

nqyyaftfcu (PID: 9602, Parent: 9601, MD5: a708c38c98167a46094ab442093ef474) Arguments: /usr/bin/nqyyaftfcu ls 9490

nqyyaftfcu New Fork (PID: 9603, Parent: 9602)

23.vir New Fork (PID: 9612, Parent: 9490)

23.vir New Fork (PID: 9613, Parent: 9612)

nqyyaftfcu (PID: 9613, Parent: 9612, MD5: a708c38c98167a46094ab442093ef474) Arguments: /usr/bin/nqyyaftfcu top 9490

nqyyaftfcu New Fork (PID: 9614, Parent: 9613)

23.vir New Fork (PID: 9623, Parent: 9490)

23.vir New Fork (PID: 9624, Parent: 9623)

nqyyaftfcu (PID: 9624, Parent: 9623, MD5: a708c38c98167a46094ab442093ef474) Arguments: /usr/bin/nqyyaftfcu "route -n" 9490

nqyyaftfcu New Fork (PID: 9625, Parent: 9624)

23.vir New Fork (PID: 9634, Parent: 9490)

23.vir New Fork (PID: 9635, Parent: 9634)

nqyyaftfcu (PID: 9635, Parent: 9634, MD5: a708c38c98167a46094ab442093ef474) Arguments: /usr/bin/nqyyaftfcu top 9490

nqyyaftfcu New Fork (PID: 9636, Parent: 9635)

23.vir New Fork (PID: 9645, Parent: 9490)

23.vir New Fork (PID: 9646, Parent: 9645)

xycbwuwgff (PID: 9646, Parent: 9645, MD5: f24e29767ae092cda8496f59dd557bb3) Arguments: /usr/bin/xycbwuwgff uptime 9490

xycbwuwgff New Fork (PID: 9647, Parent: 9646)

23.vir New Fork (PID: 9656, Parent: 9490)

23.vir New Fork (PID: 9657, Parent: 9656)

xycbwuwgff (PID: 9657, Parent: 9656, MD5: f24e29767ae092cda8496f59dd557bb3) Arguments: /usr/bin/xycbwuwgff sh 9490

xycbwuwgff New Fork (PID: 9658, Parent: 9657)

23.vir New Fork (PID: 9667, Parent: 9490)

23.vir New Fork (PID: 9668, Parent: 9667)

xycbwuwgff (PID: 9668, Parent: 9667, MD5: f24e29767ae092cda8496f59dd557bb3) Arguments: /usr/bin/xycbwuwgff "route -n" 9490

xycbwuwgff New Fork (PID: 9669, Parent: 9668)

23.vir New Fork (PID: 9678, Parent: 9490)

23.vir New Fork (PID: 9679, Parent: 9678)

xycbwuwgff (PID: 9679, Parent: 9678, MD5: f24e29767ae092cda8496f59dd557bb3) Arguments: /usr/bin/xycbwuwgff "cd /etc" 9490

xycbwuwgff New Fork (PID: 9680, Parent: 9679)

23.vir New Fork (PID: 9689, Parent: 9490)

23.vir New Fork (PID: 9690, Parent: 9689)

xycbwuwgff (PID: 9690, Parent: 9689, MD5: f24e29767ae092cda8496f59dd557bb3) Arguments: /usr/bin/xycbwuwgff "netstat -an" 9490

xycbwuwgff New Fork (PID: 9691, Parent: 9690)

23.vir New Fork (PID: 9700, Parent: 9490)

23.vir New Fork (PID: 9701, Parent: 9700)

oswtkhubva (PID: 9701, Parent: 9700, MD5: 099612600a4160976784f782ac66f41f) Arguments: /usr/bin/oswtkhubva "cat resolv.conf" 9490

oswtkhubva New Fork (PID: 9702, Parent: 9701)

23.vir New Fork (PID: 9711, Parent: 9490)

23.vir New Fork (PID: 9712, Parent: 9711)

oswtkhubva (PID: 9712, Parent: 9711, MD5: 099612600a4160976784f782ac66f41f) Arguments: /usr/bin/oswtkhubva ls 9490

oswtkhubva New Fork (PID: 9713, Parent: 9712)

23.vir New Fork (PID: 9722, Parent: 9490)

23.vir New Fork (PID: 9723, Parent: 9722)

oswtkhubva (PID: 9723, Parent: 9722, MD5: 099612600a4160976784f782ac66f41f) Arguments: /usr/bin/oswtkhubva top 9490

oswtkhubva New Fork (PID: 9724, Parent: 9723)

23.vir New Fork (PID: 9733, Parent: 9490)

23.vir New Fork (PID: 9734, Parent: 9733)

oswtkhubva (PID: 9734, Parent: 9733, MD5: 099612600a4160976784f782ac66f41f) Arguments: /usr/bin/oswtkhubva "netstat -an" 9490

oswtkhubva New Fork (PID: 9735, Parent: 9734)

23.vir New Fork (PID: 9744, Parent: 9490)

23.vir New Fork (PID: 9745, Parent: 9744)

oswtkhubva (PID: 9745, Parent: 9744, MD5: 099612600a4160976784f782ac66f41f) Arguments: /usr/bin/oswtkhubva gnome-terminal 9490

oswtkhubva New Fork (PID: 9746, Parent: 9745)

23.vir New Fork (PID: 9755, Parent: 9490)

23.vir New Fork (PID: 9756, Parent: 9755)

oefibujxuu (PID: 9756, Parent: 9755, MD5: 84a3af158396081e0452d7e5de4058d5) Arguments: /usr/bin/oefibujxuu "netstat -an" 9490

oefibujxuu New Fork (PID: 9757, Parent: 9756)

23.vir New Fork (PID: 9766, Parent: 9490)

23.vir New Fork (PID: 9767, Parent: 9766)

oefibujxuu (PID: 9767, Parent: 9766, MD5: 84a3af158396081e0452d7e5de4058d5) Arguments: /usr/bin/oefibujxuu "cat resolv.conf" 9490

oefibujxuu New Fork (PID: 9768, Parent: 9767)

23.vir New Fork (PID: 9777, Parent: 9490)

23.vir New Fork (PID: 9778, Parent: 9777)

oefibujxuu (PID: 9778, Parent: 9777, MD5: 84a3af158396081e0452d7e5de4058d5) Arguments: /usr/bin/oefibujxuu ls 9490

oefibujxuu New Fork (PID: 9779, Parent: 9778)

23.vir New Fork (PID: 9788, Parent: 9490)

23.vir New Fork (PID: 9789, Parent: 9788)

oefibujxuu (PID: 9789, Parent: 9788, MD5: 84a3af158396081e0452d7e5de4058d5) Arguments: /usr/bin/oefibujxuu pwd 9490

oefibujxuu New Fork (PID: 9790, Parent: 9789)

23.vir New Fork (PID: 9799, Parent: 9490)

23.vir New Fork (PID: 9800, Parent: 9799)

oefibujxuu (PID: 9800, Parent: 9799, MD5: 84a3af158396081e0452d7e5de4058d5) Arguments: /usr/bin/oefibujxuu ifconfig 9490

oefibujxuu New Fork (PID: 9801, Parent: 9800)

23.vir New Fork (PID: 9810, Parent: 9490)

23.vir New Fork (PID: 9811, Parent: 9810)

lzibcaczrf (PID: 9811, Parent: 9810, MD5: be950a6fad896a7cb33a39bc6a16d42c) Arguments: /usr/bin/lzibcaczrf "grep \"A\"" 9490

lzibcaczrf New Fork (PID: 9812, Parent: 9811)

23.vir New Fork (PID: 9821, Parent: 9490)

23.vir New Fork (PID: 9822, Parent: 9821)

lzibcaczrf (PID: 9822, Parent: 9821, MD5: be950a6fad896a7cb33a39bc6a16d42c) Arguments: /usr/bin/lzibcaczrf sh 9490

lzibcaczrf New Fork (PID: 9823, Parent: 9822)

23.vir New Fork (PID: 9832, Parent: 9490)

23.vir New Fork (PID: 9833, Parent: 9832)

lzibcaczrf (PID: 9833, Parent: 9832, MD5: be950a6fad896a7cb33a39bc6a16d42c) Arguments: /usr/bin/lzibcaczrf ls 9490

lzibcaczrf New Fork (PID: 9834, Parent: 9833)

23.vir New Fork (PID: 9843, Parent: 9490)

23.vir New Fork (PID: 9844, Parent: 9843)

lzibcaczrf (PID: 9844, Parent: 9843, MD5: be950a6fad896a7cb33a39bc6a16d42c) Arguments: /usr/bin/lzibcaczrf id 9490

lzibcaczrf New Fork (PID: 9845, Parent: 9844)

23.vir New Fork (PID: 9854, Parent: 9490)

23.vir New Fork (PID: 9855, Parent: 9854)

lzibcaczrf (PID: 9855, Parent: 9854, MD5: be950a6fad896a7cb33a39bc6a16d42c) Arguments: /usr/bin/lzibcaczrf whoami 9490

lzibcaczrf New Fork (PID: 9856, Parent: 9855)

23.vir New Fork (PID: 9865, Parent: 9490)

23.vir New Fork (PID: 9866, Parent: 9865)

fujnmwlbbw (PID: 9866, Parent: 9865, MD5: 1782b17a2d52ba656d195db009f4802e) Arguments: /usr/bin/fujnmwlbbw ifconfig 9490

fujnmwlbbw New Fork (PID: 9867, Parent: 9866)

23.vir New Fork (PID: 9875, Parent: 9490)

23.vir New Fork (PID: 9876, Parent: 9875)

fujnmwlbbw (PID: 9876, Parent: 9875, MD5: 1782b17a2d52ba656d195db009f4802e) Arguments: /usr/bin/fujnmwlbbw "cat resolv.conf" 9490

fujnmwlbbw New Fork (PID: 9878, Parent: 9876)

23.vir New Fork (PID: 9887, Parent: 9490)

23.vir New Fork (PID: 9888, Parent: 9887)

fujnmwlbbw (PID: 9888, Parent: 9887, MD5: 1782b17a2d52ba656d195db009f4802e) Arguments: /usr/bin/fujnmwlbbw ls 9490

fujnmwlbbw New Fork (PID: 9889, Parent: 9888)

23.vir New Fork (PID: 9898, Parent: 9490)

23.vir New Fork (PID: 9899, Parent: 9898)

fujnmwlbbw (PID: 9899, Parent: 9898, MD5: 1782b17a2d52ba656d195db009f4802e) Arguments: /usr/bin/fujnmwlbbw whoami 9490

fujnmwlbbw New Fork (PID: 9900, Parent: 9899)

23.vir New Fork (PID: 9909, Parent: 9490)

23.vir New Fork (PID: 9910, Parent: 9909)

fujnmwlbbw (PID: 9910, Parent: 9909, MD5: 1782b17a2d52ba656d195db009f4802e) Arguments: /usr/bin/fujnmwlbbw "route -n" 9490

fujnmwlbbw New Fork (PID: 9912, Parent: 9910)

23.vir New Fork (PID: 9920, Parent: 9490)

23.vir New Fork (PID: 9921, Parent: 9920)

lylocfjohc (PID: 9921, Parent: 9920, MD5: b6974a31394a7cfa3459bc9c292b6c35) Arguments: /usr/bin/lylocfjohc whoami 9490

lylocfjohc New Fork (PID: 9922, Parent: 9921)

23.vir New Fork (PID: 9931, Parent: 9490)

23.vir New Fork (PID: 9932, Parent: 9931)

lylocfjohc (PID: 9932, Parent: 9931, MD5: b6974a31394a7cfa3459bc9c292b6c35) Arguments: /usr/bin/lylocfjohc gnome-terminal 9490

lylocfjohc New Fork (PID: 9933, Parent: 9932)

23.vir New Fork (PID: 9942, Parent: 9490)

23.vir New Fork (PID: 9943, Parent: 9942)

lylocfjohc (PID: 9943, Parent: 9942, MD5: b6974a31394a7cfa3459bc9c292b6c35) Arguments: /usr/bin/lylocfjohc "grep \"A\"" 9490

lylocfjohc New Fork (PID: 9944, Parent: 9943)

23.vir New Fork (PID: 9953, Parent: 9490)

23.vir New Fork (PID: 9954, Parent: 9953)

lylocfjohc (PID: 9954, Parent: 9953, MD5: b6974a31394a7cfa3459bc9c292b6c35) Arguments: /usr/bin/lylocfjohc sh 9490

lylocfjohc New Fork (PID: 9955, Parent: 9954)

23.vir New Fork (PID: 9964, Parent: 9490)

23.vir New Fork (PID: 9965, Parent: 9964)

lylocfjohc (PID: 9965, Parent: 9964, MD5: b6974a31394a7cfa3459bc9c292b6c35) Arguments: /usr/bin/lylocfjohc gnome-terminal 9490

lylocfjohc New Fork (PID: 9967, Parent: 9965)

23.vir New Fork (PID: 9975, Parent: 9490)

23.vir New Fork (PID: 9976, Parent: 9975)

xyannwkfrh (PID: 9976, Parent: 9975, MD5: dae25d95cdecf1c7b60789e239f5e45a) Arguments: /usr/bin/xyannwkfrh ifconfig 9490

xyannwkfrh New Fork (PID: 9977, Parent: 9976)

23.vir New Fork (PID: 9986, Parent: 9490)

23.vir New Fork (PID: 9987, Parent: 9986)

xyannwkfrh (PID: 9987, Parent: 9986, MD5: dae25d95cdecf1c7b60789e239f5e45a) Arguments: /usr/bin/xyannwkfrh ifconfig 9490

xyannwkfrh New Fork (PID: 9988, Parent: 9987)

23.vir New Fork (PID: 9997, Parent: 9490)

23.vir New Fork (PID: 9998, Parent: 9997)

xyannwkfrh (PID: 9998, Parent: 9997, MD5: dae25d95cdecf1c7b60789e239f5e45a) Arguments: /usr/bin/xyannwkfrh gnome-terminal 9490

xyannwkfrh New Fork (PID: 9999, Parent: 9998)

23.vir New Fork (PID: 10008, Parent: 9490)

23.vir New Fork (PID: 10009, Parent: 10008)

xyannwkfrh (PID: 10009, Parent: 10008, MD5: dae25d95cdecf1c7b60789e239f5e45a) Arguments: /usr/bin/xyannwkfrh ls 9490

xyannwkfrh New Fork (PID: 10011, Parent: 10009)

23.vir New Fork (PID: 10019, Parent: 9490)

23.vir New Fork (PID: 10020, Parent: 10019)

xyannwkfrh (PID: 10020, Parent: 10019, MD5: dae25d95cdecf1c7b60789e239f5e45a) Arguments: /usr/bin/xyannwkfrh "ps -ef" 9490

xyannwkfrh New Fork (PID: 10021, Parent: 10020)

23.vir New Fork (PID: 10032, Parent: 9490)

23.vir New Fork (PID: 10033, Parent: 10032)

yhevizbcnp (PID: 10033, Parent: 10032, MD5: 9957c178272c6cd1dfad9a5e7c7767f5) Arguments: /usr/bin/yhevizbcnp uptime 9490

yhevizbcnp New Fork (PID: 10034, Parent: 10033)

23.vir New Fork (PID: 10043, Parent: 9490)

23.vir New Fork (PID: 10044, Parent: 10043)

yhevizbcnp (PID: 10044, Parent: 10043, MD5: 9957c178272c6cd1dfad9a5e7c7767f5) Arguments: /usr/bin/yhevizbcnp "sleep 1" 9490

yhevizbcnp New Fork (PID: 10045, Parent: 10044)

23.vir New Fork (PID: 10054, Parent: 9490)

23.vir New Fork (PID: 10055, Parent: 10054)

yhevizbcnp (PID: 10055, Parent: 10054, MD5: 9957c178272c6cd1dfad9a5e7c7767f5) Arguments: /usr/bin/yhevizbcnp "echo \"find\"" 9490

yhevizbcnp New Fork (PID: 10057, Parent: 10055)

23.vir New Fork (PID: 10065, Parent: 9490)

23.vir New Fork (PID: 10066, Parent: 10065)

yhevizbcnp (PID: 10066, Parent: 10065, MD5: 9957c178272c6cd1dfad9a5e7c7767f5) Arguments: /usr/bin/yhevizbcnp "cd /etc" 9490

yhevizbcnp New Fork (PID: 10067, Parent: 10066)

23.vir New Fork (PID: 10076, Parent: 9490)

23.vir New Fork (PID: 10077, Parent: 10076)

yhevizbcnp (PID: 10077, Parent: 10076, MD5: 9957c178272c6cd1dfad9a5e7c7767f5) Arguments: /usr/bin/yhevizbcnp "netstat -antop" 9490

yhevizbcnp New Fork (PID: 10078, Parent: 10077)

23.vir New Fork (PID: 10087, Parent: 9490)

23.vir New Fork (PID: 10088, Parent: 10087)

xqbdnwqfkw (PID: 10088, Parent: 10087, MD5: 19ace0802cb175193123792399e47ba3) Arguments: /usr/bin/xqbdnwqfkw su 9490

xqbdnwqfkw New Fork (PID: 10089, Parent: 10088)

23.vir New Fork (PID: 10098, Parent: 9490)

23.vir New Fork (PID: 10099, Parent: 10098)

xqbdnwqfkw (PID: 10099, Parent: 10098, MD5: 19ace0802cb175193123792399e47ba3) Arguments: /usr/bin/xqbdnwqfkw "echo \"find\"" 9490

xqbdnwqfkw New Fork (PID: 10100, Parent: 10099)

23.vir New Fork (PID: 10109, Parent: 9490)

23.vir New Fork (PID: 10110, Parent: 10109)

xqbdnwqfkw (PID: 10110, Parent: 10109, MD5: 19ace0802cb175193123792399e47ba3) Arguments: /usr/bin/xqbdnwqfkw who 9490

xqbdnwqfkw New Fork (PID: 10111, Parent: 10110)

23.vir New Fork (PID: 10120, Parent: 9490)

23.vir New Fork (PID: 10121, Parent: 10120)

xqbdnwqfkw (PID: 10121, Parent: 10120, MD5: 19ace0802cb175193123792399e47ba3) Arguments: /usr/bin/xqbdnwqfkw "ls -la" 9490

xqbdnwqfkw New Fork (PID: 10122, Parent: 10121)

23.vir New Fork (PID: 10131, Parent: 9490)

23.vir New Fork (PID: 10132, Parent: 10131)

xqbdnwqfkw (PID: 10132, Parent: 10131, MD5: 19ace0802cb175193123792399e47ba3) Arguments: /usr/bin/xqbdnwqfkw ifconfig 9490

xqbdnwqfkw New Fork (PID: 10133, Parent: 10132)

23.vir New Fork (PID: 10142, Parent: 9490)

23.vir New Fork (PID: 10143, Parent: 10142)

oamtagxisa (PID: 10143, Parent: 10142, MD5: 54cd38ab45aba0b229ef7a1dc2337762) Arguments: /usr/bin/oamtagxisa "echo \"find\"" 9490

oamtagxisa New Fork (PID: 10144, Parent: 10143)

23.vir New Fork (PID: 10153, Parent: 9490)

23.vir New Fork (PID: 10154, Parent: 10153)

oamtagxisa (PID: 10154, Parent: 10153, MD5: 54cd38ab45aba0b229ef7a1dc2337762) Arguments: /usr/bin/oamtagxisa ifconfig 9490

oamtagxisa New Fork (PID: 10155, Parent: 10154)

23.vir New Fork (PID: 10164, Parent: 9490)

23.vir New Fork (PID: 10165, Parent: 10164)

oamtagxisa (PID: 10165, Parent: 10164, MD5: 54cd38ab45aba0b229ef7a1dc2337762) Arguments: /usr/bin/oamtagxisa pwd 9490

oamtagxisa New Fork (PID: 10166, Parent: 10165)

23.vir New Fork (PID: 10175, Parent: 9490)

23.vir New Fork (PID: 10176, Parent: 10175)

oamtagxisa (PID: 10176, Parent: 10175, MD5: 54cd38ab45aba0b229ef7a1dc2337762) Arguments: /usr/bin/oamtagxisa sh 9490

oamtagxisa New Fork (PID: 10177, Parent: 10176)

23.vir New Fork (PID: 10186, Parent: 9490)

23.vir New Fork (PID: 10187, Parent: 10186)

oamtagxisa (PID: 10187, Parent: 10186, MD5: 54cd38ab45aba0b229ef7a1dc2337762) Arguments: /usr/bin/oamtagxisa bash 9490

oamtagxisa New Fork (PID: 10188, Parent: 10187)

23.vir New Fork (PID: 10197, Parent: 9490)

23.vir New Fork (PID: 10198, Parent: 10197)

gsteyamogh (PID: 10198, Parent: 10197, MD5: f8cd8367f7aae0494580345867a126e9) Arguments: /usr/bin/gsteyamogh "netstat -antop" 9490

gsteyamogh New Fork (PID: 10199, Parent: 10198)

23.vir New Fork (PID: 10208, Parent: 9490)

23.vir New Fork (PID: 10209, Parent: 10208)

gsteyamogh (PID: 10209, Parent: 10208, MD5: f8cd8367f7aae0494580345867a126e9) Arguments: /usr/bin/gsteyamogh id 9490

gsteyamogh New Fork (PID: 10210, Parent: 10209)

23.vir New Fork (PID: 10219, Parent: 9490)

23.vir New Fork (PID: 10220, Parent: 10219)

gsteyamogh (PID: 10220, Parent: 10219, MD5: f8cd8367f7aae0494580345867a126e9) Arguments: /usr/bin/gsteyamogh su 9490

gsteyamogh New Fork (PID: 10221, Parent: 10220)

23.vir New Fork (PID: 10230, Parent: 9490)

23.vir New Fork (PID: 10231, Parent: 10230)

gsteyamogh (PID: 10231, Parent: 10230, MD5: f8cd8367f7aae0494580345867a126e9) Arguments: /usr/bin/gsteyamogh gnome-terminal 9490

gsteyamogh New Fork (PID: 10232, Parent: 10231)

23.vir New Fork (PID: 10241, Parent: 9490)

23.vir New Fork (PID: 10242, Parent: 10241)

gsteyamogh (PID: 10242, Parent: 10241, MD5: f8cd8367f7aae0494580345867a126e9) Arguments: /usr/bin/gsteyamogh "echo \"find\"" 9490

gsteyamogh New Fork (PID: 10243, Parent: 10242)

23.vir New Fork (PID: 10252, Parent: 9490)

23.vir New Fork (PID: 10253, Parent: 10252)

tpisgxwkqw (PID: 10253, Parent: 10252, MD5: c8a547cbac003d02f51cf9bbce721873) Arguments: /usr/bin/tpisgxwkqw top 9490

tpisgxwkqw New Fork (PID: 10254, Parent: 10253)

23.vir New Fork (PID: 10263, Parent: 9490)

23.vir New Fork (PID: 10264, Parent: 10263)

tpisgxwkqw (PID: 10264, Parent: 10263, MD5: c8a547cbac003d02f51cf9bbce721873) Arguments: /usr/bin/tpisgxwkqw "sleep 1" 9490

tpisgxwkqw New Fork (PID: 10265, Parent: 10264)

23.vir New Fork (PID: 10274, Parent: 9490)

23.vir New Fork (PID: 10275, Parent: 10274)

tpisgxwkqw (PID: 10275, Parent: 10274, MD5: c8a547cbac003d02f51cf9bbce721873) Arguments: /usr/bin/tpisgxwkqw "ls -la" 9490

tpisgxwkqw New Fork (PID: 10276, Parent: 10275)

23.vir New Fork (PID: 10285, Parent: 9490)

23.vir New Fork (PID: 10286, Parent: 10285)

tpisgxwkqw (PID: 10286, Parent: 10285, MD5: c8a547cbac003d02f51cf9bbce721873) Arguments: /usr/bin/tpisgxwkqw sh 9490

tpisgxwkqw New Fork (PID: 10287, Parent: 10286)

23.vir New Fork (PID: 10296, Parent: 9490)

23.vir New Fork (PID: 10297, Parent: 10296)

tpisgxwkqw (PID: 10297, Parent: 10296, MD5: c8a547cbac003d02f51cf9bbce721873) Arguments: /usr/bin/tpisgxwkqw ls 9490

tpisgxwkqw New Fork (PID: 10298, Parent: 10297)

23.vir New Fork (PID: 10307, Parent: 9490)

23.vir New Fork (PID: 10308, Parent: 10307)

jnkinnshpy (PID: 10308, Parent: 10307, MD5: 206a4efc19126d9f30ee6cd036e9b8ea) Arguments: /usr/bin/jnkinnshpy "netstat -an" 9490

jnkinnshpy New Fork (PID: 10309, Parent: 10308)

23.vir New Fork (PID: 10318, Parent: 9490)

23.vir New Fork (PID: 10319, Parent: 10318)

jnkinnshpy (PID: 10319, Parent: 10318, MD5: 206a4efc19126d9f30ee6cd036e9b8ea) Arguments: /usr/bin/jnkinnshpy "cd /etc" 9490

jnkinnshpy New Fork (PID: 10320, Parent: 10319)

23.vir New Fork (PID: 10329, Parent: 9490)

23.vir New Fork (PID: 10330, Parent: 10329)

jnkinnshpy (PID: 10330, Parent: 10329, MD5: 206a4efc19126d9f30ee6cd036e9b8ea) Arguments: /usr/bin/jnkinnshpy "ls -la" 9490

jnkinnshpy New Fork (PID: 10331, Parent: 10330)

23.vir New Fork (PID: 10340, Parent: 9490)

23.vir New Fork (PID: 10341, Parent: 10340)

jnkinnshpy (PID: 10341, Parent: 10340, MD5: 206a4efc19126d9f30ee6cd036e9b8ea) Arguments: /usr/bin/jnkinnshpy ifconfig 9490

jnkinnshpy New Fork (PID: 10342, Parent: 10341)

23.vir New Fork (PID: 10351, Parent: 9490)

23.vir New Fork (PID: 10352, Parent: 10351)

jnkinnshpy (PID: 10352, Parent: 10351, MD5: 206a4efc19126d9f30ee6cd036e9b8ea) Arguments: /usr/bin/jnkinnshpy "cat resolv.conf" 9490

jnkinnshpy New Fork (PID: 10353, Parent: 10352)

23.vir New Fork (PID: 10362, Parent: 9490)

23.vir New Fork (PID: 10363, Parent: 10362)

syxbrhhmvm (PID: 10363, Parent: 10362, MD5: 7bdabf954a90f114ea4524ca37bc67b3) Arguments: /usr/bin/syxbrhhmvm whoami 9490

syxbrhhmvm New Fork (PID: 10364, Parent: 10363)

23.vir New Fork (PID: 10373, Parent: 9490)

23.vir New Fork (PID: 10374, Parent: 10373)

syxbrhhmvm (PID: 10374, Parent: 10373, MD5: 7bdabf954a90f114ea4524ca37bc67b3) Arguments: /usr/bin/syxbrhhmvm bash 9490

syxbrhhmvm New Fork (PID: 10375, Parent: 10374)

23.vir New Fork (PID: 10384, Parent: 9490)

23.vir New Fork (PID: 10385, Parent: 10384)

syxbrhhmvm (PID: 10385, Parent: 10384, MD5: 7bdabf954a90f114ea4524ca37bc67b3) Arguments: /usr/bin/syxbrhhmvm who 9490

syxbrhhmvm New Fork (PID: 10386, Parent: 10385)

23.vir New Fork (PID: 10395, Parent: 9490)

23.vir New Fork (PID: 10396, Parent: 10395)

syxbrhhmvm (PID: 10396, Parent: 10395, MD5: 7bdabf954a90f114ea4524ca37bc67b3) Arguments: /usr/bin/syxbrhhmvm uptime 9490

syxbrhhmvm New Fork (PID: 10397, Parent: 10396)

23.vir New Fork (PID: 10406, Parent: 9490)

23.vir New Fork (PID: 10407, Parent: 10406)

syxbrhhmvm (PID: 10407, Parent: 10406, MD5: 7bdabf954a90f114ea4524ca37bc67b3) Arguments: /usr/bin/syxbrhhmvm bash 9490

syxbrhhmvm New Fork (PID: 10408, Parent: 10407)

23.vir New Fork (PID: 10417, Parent: 9490)

23.vir New Fork (PID: 10418, Parent: 10417)

zdrddgmqbp (PID: 10418, Parent: 10417, MD5: 4e0d940624ff3758b26c8335c13c6d2d) Arguments: /usr/bin/zdrddgmqbp "ls -la" 9490

zdrddgmqbp New Fork (PID: 10419, Parent: 10418)

23.vir New Fork (PID: 10428, Parent: 9490)

23.vir New Fork (PID: 10429, Parent: 10428)

zdrddgmqbp (PID: 10429, Parent: 10428, MD5: 4e0d940624ff3758b26c8335c13c6d2d) Arguments: /usr/bin/zdrddgmqbp "echo \"find\"" 9490

zdrddgmqbp New Fork (PID: 10430, Parent: 10429)

23.vir New Fork (PID: 10439, Parent: 9490)

23.vir New Fork (PID: 10440, Parent: 10439)

zdrddgmqbp (PID: 10440, Parent: 10439, MD5: 4e0d940624ff3758b26c8335c13c6d2d) Arguments: /usr/bin/zdrddgmqbp "ifconfig eth0" 9490

zdrddgmqbp New Fork (PID: 10442, Parent: 10440)

23.vir New Fork (PID: 10450, Parent: 9490)

23.vir New Fork (PID: 10451, Parent: 10450)

zdrddgmqbp (PID: 10451, Parent: 10450, MD5: 4e0d940624ff3758b26c8335c13c6d2d) Arguments: /usr/bin/zdrddgmqbp "cat resolv.conf" 9490

zdrddgmqbp New Fork (PID: 10452, Parent: 10451)

23.vir New Fork (PID: 10461, Parent: 9490)

23.vir New Fork (PID: 10462, Parent: 10461)

zdrddgmqbp (PID: 10462, Parent: 10461, MD5: 4e0d940624ff3758b26c8335c13c6d2d) Arguments: /usr/bin/zdrddgmqbp "grep \"A\"" 9490

zdrddgmqbp New Fork (PID: 10463, Parent: 10462)

23.vir New Fork (PID: 10472, Parent: 9490)

23.vir New Fork (PID: 10473, Parent: 10472)

ohcipqjuyk (PID: 10473, Parent: 10472, MD5: 02f0a01d7b16efdf76cc83099383059a) Arguments: /usr/bin/ohcipqjuyk id 9490

ohcipqjuyk New Fork (PID: 10474, Parent: 10473)

23.vir New Fork (PID: 10483, Parent: 9490)

23.vir New Fork (PID: 10484, Parent: 10483)

ohcipqjuyk (PID: 10484, Parent: 10483, MD5: 02f0a01d7b16efdf76cc83099383059a) Arguments: /usr/bin/ohcipqjuyk "grep \"A\"" 9490

ohcipqjuyk New Fork (PID: 10485, Parent: 10484)

23.vir New Fork (PID: 10494, Parent: 9490)

23.vir New Fork (PID: 10495, Parent: 10494)

ohcipqjuyk (PID: 10495, Parent: 10494, MD5: 02f0a01d7b16efdf76cc83099383059a) Arguments: /usr/bin/ohcipqjuyk "ifconfig eth0" 9490

ohcipqjuyk New Fork (PID: 10496, Parent: 10495)

23.vir New Fork (PID: 10504, Parent: 9490)

23.vir New Fork (PID: 10505, Parent: 10504)

ohcipqjuyk (PID: 10505, Parent: 3310, MD5: 02f0a01d7b16efdf76cc83099383059a) Arguments: /usr/bin/ohcipqjuyk whoami 9490

ohcipqjuyk New Fork (PID: 10509, Parent: 10505)

23.vir New Fork (PID: 10507, Parent: 9490)

23.vir New Fork (PID: 10508, Parent: 10507)

ohcipqjuyk (PID: 10508, Parent: 3310, MD5: 02f0a01d7b16efdf76cc83099383059a) Arguments: /usr/bin/ohcipqjuyk who 9490

ohcipqjuyk New Fork (PID: 10510, Parent: 10508)

23.vir New Fork (PID: 10527, Parent: 9490)

23.vir New Fork (PID: 10528, Parent: 10527)

nogrxfedbf (PID: 10528, Parent: 3310, MD5: 7d5305777baf06234bbc70e3b2eb7f2e) Arguments: /usr/bin/nogrxfedbf ls 9490

nogrxfedbf New Fork (PID: 10530, Parent: 10528)

23.vir New Fork (PID: 10529, Parent: 9490)

23.vir New Fork (PID: 10531, Parent: 10529)

nogrxfedbf (PID: 10531, Parent: 3310, MD5: 7d5305777baf06234bbc70e3b2eb7f2e) Arguments: /usr/bin/nogrxfedbf "netstat -an" 9490

nogrxfedbf New Fork (PID: 10535, Parent: 10531)

23.vir New Fork (PID: 10532, Parent: 9490)

23.vir New Fork (PID: 10533, Parent: 10532)

nogrxfedbf (PID: 10533, Parent: 3310, MD5: 7d5305777baf06234bbc70e3b2eb7f2e) Arguments: /usr/bin/nogrxfedbf su 9490

nogrxfedbf New Fork (PID: 10536, Parent: 10533)

23.vir New Fork (PID: 10534, Parent: 9490)

23.vir New Fork (PID: 10538, Parent: 10534)

nogrxfedbf (PID: 10538, Parent: 10534, MD5: 7d5305777baf06234bbc70e3b2eb7f2e) Arguments: /usr/bin/nogrxfedbf sh 9490

nogrxfedbf New Fork (PID: 10540, Parent: 10538)

23.vir New Fork (PID: 10542, Parent: 9490)

23.vir New Fork (PID: 10544, Parent: 10542)

nogrxfedbf (PID: 10544, Parent: 3310, MD5: 7d5305777baf06234bbc70e3b2eb7f2e) Arguments: /usr/bin/nogrxfedbf who 9490

nogrxfedbf New Fork (PID: 10550, Parent: 10544)

23.vir New Fork (PID: 10582, Parent: 9490)

23.vir New Fork (PID: 10583, Parent: 10582)

qhnzcpncui (PID: 10583, Parent: 3310, MD5: 711c5de918753d4876905bad918edcac) Arguments: /usr/bin/qhnzcpncui whoami 9490

qhnzcpncui New Fork (PID: 10585, Parent: 10583)

23.vir New Fork (PID: 10584, Parent: 9490)

23.vir New Fork (PID: 10586, Parent: 10584)

qhnzcpncui (PID: 10586, Parent: 10584, MD5: 711c5de918753d4876905bad918edcac) Arguments: /usr/bin/qhnzcpncui ls 9490

qhnzcpncui New Fork (PID: 10595, Parent: 10586)

23.vir New Fork (PID: 10588, Parent: 9490)

23.vir New Fork (PID: 10590, Parent: 10588)

qhnzcpncui (PID: 10590, Parent: 3310, MD5: 711c5de918753d4876905bad918edcac) Arguments: /usr/bin/qhnzcpncui ifconfig 9490

qhnzcpncui New Fork (PID: 10598, Parent: 10590)

23.vir New Fork (PID: 10592, Parent: 9490)

23.vir New Fork (PID: 10596, Parent: 10592)

qhnzcpncui (PID: 10596, Parent: 3310, MD5: 711c5de918753d4876905bad918edcac) Arguments: /usr/bin/qhnzcpncui top 9490

qhnzcpncui New Fork (PID: 10600, Parent: 10596)

23.vir New Fork (PID: 10599, Parent: 9490)

23.vir New Fork (PID: 10603, Parent: 10599)

qhnzcpncui (PID: 10603, Parent: 3310, MD5: 711c5de918753d4876905bad918edcac) Arguments: /usr/bin/qhnzcpncui "echo \"find\"" 9490

qhnzcpncui New Fork (PID: 10609, Parent: 10603)

23.vir New Fork (PID: 10639, Parent: 9490)

23.vir New Fork (PID: 10640, Parent: 10639)

mewtasvpys (PID: 10640, Parent: 3310, MD5: e3ad0e5542cecf25e39c5284451df4c6) Arguments: /usr/bin/mewtasvpys pwd 9490

mewtasvpys New Fork (PID: 10644, Parent: 10640)

23.vir New Fork (PID: 10641, Parent: 9490)

23.vir New Fork (PID: 10642, Parent: 10641)

mewtasvpys (PID: 10642, Parent: 3310, MD5: e3ad0e5542cecf25e39c5284451df4c6) Arguments: /usr/bin/mewtasvpys ls 9490

mewtasvpys New Fork (PID: 10647, Parent: 10642)

23.vir New Fork (PID: 10643, Parent: 9490)

23.vir New Fork (PID: 10645, Parent: 10643)

mewtasvpys (PID: 10645, Parent: 3310, MD5: e3ad0e5542cecf25e39c5284451df4c6) Arguments: /usr/bin/mewtasvpys gnome-terminal 9490

mewtasvpys New Fork (PID: 10648, Parent: 10645)

23.vir New Fork (PID: 10646, Parent: 9490)

23.vir New Fork (PID: 10650, Parent: 10646)

mewtasvpys (PID: 10650, Parent: 3310, MD5: e3ad0e5542cecf25e39c5284451df4c6) Arguments: /usr/bin/mewtasvpys gnome-terminal 9490

mewtasvpys New Fork (PID: 10653, Parent: 10650)

23.vir New Fork (PID: 10651, Parent: 9490)

23.vir New Fork (PID: 10655, Parent: 10651)

mewtasvpys (PID: 10655, Parent: 3310, MD5: e3ad0e5542cecf25e39c5284451df4c6) Arguments: /usr/bin/mewtasvpys "netstat -an" 9490

mewtasvpys New Fork (PID: 10659, Parent: 10655)

23.vir New Fork (PID: 10694, Parent: 9490)

23.vir New Fork (PID: 10695, Parent: 10694)

ggyluxfsos (PID: 10695, Parent: 3310, MD5: 24cae81d5d268c06903b13bf0322400f) Arguments: /usr/bin/ggyluxfsos top 9490

ggyluxfsos New Fork (PID: 10701, Parent: 10695)

23.vir New Fork (PID: 10696, Parent: 9490)

23.vir New Fork (PID: 10697, Parent: 10696)

ggyluxfsos (PID: 10697, Parent: 3310, MD5: 24cae81d5d268c06903b13bf0322400f) Arguments: /usr/bin/ggyluxfsos "route -n" 9490

ggyluxfsos New Fork (PID: 10699, Parent: 10697)

23.vir New Fork (PID: 10698, Parent: 9490)

23.vir New Fork (PID: 10700, Parent: 10698)

ggyluxfsos (PID: 10700, Parent: 10698, MD5: 24cae81d5d268c06903b13bf0322400f) Arguments: /usr/bin/ggyluxfsos gnome-terminal 9490

ggyluxfsos New Fork (PID: 10702, Parent: 10700)

23.vir New Fork (PID: 10703, Parent: 9490)

23.vir New Fork (PID: 10705, Parent: 10703)

ggyluxfsos (PID: 10705, Parent: 3310, MD5: 24cae81d5d268c06903b13bf0322400f) Arguments: /usr/bin/ggyluxfsos gnome-terminal 9490

ggyluxfsos New Fork (PID: 10711, Parent: 10705)

23.vir New Fork (PID: 10707, Parent: 9490)

23.vir New Fork (PID: 10710, Parent: 10707)

ggyluxfsos (PID: 10710, Parent: 3310, MD5: 24cae81d5d268c06903b13bf0322400f) Arguments: /usr/bin/ggyluxfsos "sleep 1" 9490

ggyluxfsos New Fork (PID: 10722, Parent: 10710)

23.vir New Fork (PID: 10749, Parent: 9490)

23.vir New Fork (PID: 10750, Parent: 10749)

xwmwyvvctt (PID: 10750, Parent: 3310, MD5: 89569bd45a52810ab859a1895c0705f0) Arguments: /usr/bin/xwmwyvvctt "ifconfig eth0" 9490

xwmwyvvctt New Fork (PID: 10754, Parent: 10750)

23.vir New Fork (PID: 10751, Parent: 9490)

23.vir New Fork (PID: 10752, Parent: 10751)

xwmwyvvctt (PID: 10752, Parent: 3310, MD5: 89569bd45a52810ab859a1895c0705f0) Arguments: /usr/bin/xwmwyvvctt "grep \"A\"" 9490

xwmwyvvctt New Fork (PID: 10760, Parent: 10752)

23.vir New Fork (PID: 10753, Parent: 9490)

23.vir New Fork (PID: 10755, Parent: 10753)

xwmwyvvctt (PID: 10755, Parent: 3310, MD5: 89569bd45a52810ab859a1895c0705f0) Arguments: /usr/bin/xwmwyvvctt gnome-terminal 9490

xwmwyvvctt New Fork (PID: 10758, Parent: 10755)

23.vir New Fork (PID: 10756, Parent: 9490)

23.vir New Fork (PID: 10759, Parent: 10756)

xwmwyvvctt (PID: 10759, Parent: 10756, MD5: 89569bd45a52810ab859a1895c0705f0) Arguments: /usr/bin/xwmwyvvctt ls 9490

xwmwyvvctt New Fork (PID: 10762, Parent: 10759)

23.vir New Fork (PID: 10764, Parent: 9490)

23.vir New Fork (PID: 10767, Parent: 10764)

xwmwyvvctt (PID: 10767, Parent: 3310, MD5: 89569bd45a52810ab859a1895c0705f0) Arguments: /usr/bin/xwmwyvvctt "cd /etc" 9490

xwmwyvvctt New Fork (PID: 10770, Parent: 10767)

23.vir New Fork (PID: 10804, Parent: 9490)

23.vir New Fork (PID: 10805, Parent: 10804)

spsubpmzry (PID: 10805, Parent: 3310, MD5: c81c682f808bf43948a6dbaf38cb14e5) Arguments: /usr/bin/spsubpmzry "netstat -an" 9490

spsubpmzry New Fork (PID: 10809, Parent: 10805)

23.vir New Fork (PID: 10806, Parent: 9490)

23.vir New Fork (PID: 10807, Parent: 10806)

spsubpmzry (PID: 10807, Parent: 3310, MD5: c81c682f808bf43948a6dbaf38cb14e5) Arguments: /usr/bin/spsubpmzry whoami 9490

spsubpmzry New Fork (PID: 10812, Parent: 10807)

23.vir New Fork (PID: 10808, Parent: 9490)

23.vir New Fork (PID: 10811, Parent: 10808)

spsubpmzry (PID: 10811, Parent: 3310, MD5: c81c682f808bf43948a6dbaf38cb14e5) Arguments: /usr/bin/spsubpmzry sh 9490

spsubpmzry New Fork (PID: 10825, Parent: 10811)

23.vir New Fork (PID: 10813, Parent: 9490)

23.vir New Fork (PID: 10816, Parent: 10813)

spsubpmzry (PID: 10816, Parent: 3310, MD5: c81c682f808bf43948a6dbaf38cb14e5) Arguments: /usr/bin/spsubpmzry "ps -ef" 9490

spsubpmzry New Fork (PID: 10824, Parent: 10816)

23.vir New Fork (PID: 10818, Parent: 9490)

23.vir New Fork (PID: 10821, Parent: 10818)

spsubpmzry (PID: 10821, Parent: 3310, MD5: c81c682f808bf43948a6dbaf38cb14e5) Arguments: /usr/bin/spsubpmzry gnome-terminal 9490

spsubpmzry New Fork (PID: 10827, Parent: 10821)

23.vir New Fork (PID: 10859, Parent: 9490)

23.vir New Fork (PID: 10860, Parent: 10859)

jcmuhrpzdv (PID: 10860, Parent: 3310, MD5: 56d49091b209428ca7d4e2f1fd53e1ef) Arguments: /usr/bin/jcmuhrpzdv bash 9490

jcmuhrpzdv New Fork (PID: 10864, Parent: 10860)

23.vir New Fork (PID: 10861, Parent: 9490)

23.vir New Fork (PID: 10862, Parent: 10861)

jcmuhrpzdv (PID: 10862, Parent: 3310, MD5: 56d49091b209428ca7d4e2f1fd53e1ef) Arguments: /usr/bin/jcmuhrpzdv id 9490

jcmuhrpzdv New Fork (PID: 10867, Parent: 10862)

23.vir New Fork (PID: 10863, Parent: 9490)

23.vir New Fork (PID: 10865, Parent: 10863)

jcmuhrpzdv (PID: 10865, Parent: 3310, MD5: 56d49091b209428ca7d4e2f1fd53e1ef) Arguments: /usr/bin/jcmuhrpzdv "cat resolv.conf" 9490

jcmuhrpzdv New Fork (PID: 10869, Parent: 10865)

23.vir New Fork (PID: 10866, Parent: 9490)

23.vir New Fork (PID: 10870, Parent: 10866)

jcmuhrpzdv (PID: 10870, Parent: 3310, MD5: 56d49091b209428ca7d4e2f1fd53e1ef) Arguments: /usr/bin/jcmuhrpzdv "ifconfig eth0" 9490

jcmuhrpzdv New Fork (PID: 10874, Parent: 10870)

23.vir New Fork (PID: 10871, Parent: 9490)

23.vir New Fork (PID: 10875, Parent: 10871)

jcmuhrpzdv (PID: 10875, Parent: 10871, MD5: 56d49091b209428ca7d4e2f1fd53e1ef) Arguments: /usr/bin/jcmuhrpzdv "sleep 1" 9490

jcmuhrpzdv New Fork (PID: 10879, Parent: 10875)

23.vir New Fork (PID: 10914, Parent: 9490)

23.vir New Fork (PID: 10915, Parent: 10914)

akcqxkcmkc (PID: 10915, Parent: 3310, MD5: 8458902d22bab108fb4e0204428bcd95) Arguments: /usr/bin/akcqxkcmkc who 9490

akcqxkcmkc New Fork (PID: 10919, Parent: 10915)

23.vir New Fork (PID: 10916, Parent: 9490)

23.vir New Fork (PID: 10917, Parent: 10916)

akcqxkcmkc (PID: 10917, Parent: 3310, MD5: 8458902d22bab108fb4e0204428bcd95) Arguments: /usr/bin/akcqxkcmkc whoami 9490

akcqxkcmkc New Fork (PID: 10921, Parent: 10917)

23.vir New Fork (PID: 10918, Parent: 9490)

23.vir New Fork (PID: 10920, Parent: 10918)

akcqxkcmkc (PID: 10920, Parent: 3310, MD5: 8458902d22bab108fb4e0204428bcd95) Arguments: /usr/bin/akcqxkcmkc "route -n" 9490

akcqxkcmkc New Fork (PID: 10924, Parent: 10920)

23.vir New Fork (PID: 10922, Parent: 9490)

23.vir New Fork (PID: 10923, Parent: 10922)

akcqxkcmkc (PID: 10923, Parent: 3310, MD5: 8458902d22bab108fb4e0204428bcd95) Arguments: /usr/bin/akcqxkcmkc bash 9490

akcqxkcmkc New Fork (PID: 10927, Parent: 10923)

23.vir New Fork (PID: 10926, Parent: 9490)

23.vir New Fork (PID: 10928, Parent: 10926)

akcqxkcmkc (PID: 10928, Parent: 10926, MD5: 8458902d22bab108fb4e0204428bcd95) Arguments: /usr/bin/akcqxkcmkc sh 9490

akcqxkcmkc New Fork (PID: 10931, Parent: 10928)

23.vir New Fork (PID: 10969, Parent: 9490)

23.vir New Fork (PID: 10970, Parent: 10969)

dctvqidcpx (PID: 10970, Parent: 3310, MD5: acfc2826b0e80d23a26be4de00f7198c) Arguments: /usr/bin/dctvqidcpx "ls -la" 9490

dctvqidcpx New Fork (PID: 10972, Parent: 10970)

23.vir New Fork (PID: 10971, Parent: 9490)

23.vir New Fork (PID: 10973, Parent: 10971)

dctvqidcpx (PID: 10973, Parent: 3310, MD5: acfc2826b0e80d23a26be4de00f7198c) Arguments: /usr/bin/dctvqidcpx "netstat -an" 9490

dctvqidcpx New Fork (PID: 10975, Parent: 10973)

23.vir New Fork (PID: 10974, Parent: 9490)

23.vir New Fork (PID: 10976, Parent: 10974)

dctvqidcpx (PID: 10976, Parent: 3310, MD5: acfc2826b0e80d23a26be4de00f7198c) Arguments: /usr/bin/dctvqidcpx "route -n" 9490

dctvqidcpx New Fork (PID: 10985, Parent: 10976)

23.vir New Fork (PID: 10978, Parent: 9490)

23.vir New Fork (PID: 10979, Parent: 10978)

dctvqidcpx (PID: 10979, Parent: 3310, MD5: acfc2826b0e80d23a26be4de00f7198c) Arguments: /usr/bin/dctvqidcpx sh 9490

dctvqidcpx New Fork (PID: 10983, Parent: 10979)

23.vir New Fork (PID: 10980, Parent: 9490)

23.vir New Fork (PID: 10984, Parent: 10980)

dctvqidcpx (PID: 10984, Parent: 10980, MD5: acfc2826b0e80d23a26be4de00f7198c) Arguments: /usr/bin/dctvqidcpx "echo \"find\"" 9490

dctvqidcpx New Fork (PID: 10988, Parent: 10984)

23.vir New Fork (PID: 11024, Parent: 9490)

23.vir New Fork (PID: 11025, Parent: 11024)

lvaqnxtxyv (PID: 11025, Parent: 3310, MD5: 9d0507cb7dbbba5632a5513bec1ed0dd) Arguments: /usr/bin/lvaqnxtxyv ls 9490

lvaqnxtxyv New Fork (PID: 11029, Parent: 11025)

23.vir New Fork (PID: 11026, Parent: 9490)

23.vir New Fork (PID: 11027, Parent: 11026)

lvaqnxtxyv (PID: 11027, Parent: 3310, MD5: 9d0507cb7dbbba5632a5513bec1ed0dd) Arguments: /usr/bin/lvaqnxtxyv id 9490

lvaqnxtxyv New Fork (PID: 11036, Parent: 11027)

23.vir New Fork (PID: 11028, Parent: 9490)

23.vir New Fork (PID: 11030, Parent: 11028)

lvaqnxtxyv (PID: 11030, Parent: 3310, MD5: 9d0507cb7dbbba5632a5513bec1ed0dd) Arguments: /usr/bin/lvaqnxtxyv "sleep 1" 9490

lvaqnxtxyv New Fork (PID: 11035, Parent: 11030)

23.vir New Fork (PID: 11031, Parent: 9490)

23.vir New Fork (PID: 11032, Parent: 11031)

lvaqnxtxyv (PID: 11032, Parent: 3310, MD5: 9d0507cb7dbbba5632a5513bec1ed0dd) Arguments: /usr/bin/lvaqnxtxyv who 9490

lvaqnxtxyv New Fork (PID: 11042, Parent: 11032)

23.vir New Fork (PID: 11033, Parent: 9490)

23.vir New Fork (PID: 11037, Parent: 11033)

lvaqnxtxyv (PID: 11037, Parent: 11033, MD5: 9d0507cb7dbbba5632a5513bec1ed0dd) Arguments: /usr/bin/lvaqnxtxyv ls 9490

lvaqnxtxyv New Fork (PID: 11039, Parent: 11037)

23.vir New Fork (PID: 11079, Parent: 9490)

23.vir New Fork (PID: 11080, Parent: 11079)

bttoegalab (PID: 11080, Parent: 3310, MD5: 2a6279779a5dc3ec157fce0a50c8b9c3) Arguments: /usr/bin/bttoegalab su 9490

bttoegalab New Fork (PID: 11082, Parent: 11080)

23.vir New Fork (PID: 11081, Parent: 9490)

23.vir New Fork (PID: 11083, Parent: 11081)

bttoegalab (PID: 11083, Parent: 11081, MD5: 2a6279779a5dc3ec157fce0a50c8b9c3) Arguments: /usr/bin/bttoegalab "route -n" 9490

bttoegalab New Fork (PID: 11084, Parent: 11083)

23.vir New Fork (PID: 11085, Parent: 9490)

23.vir New Fork (PID: 11086, Parent: 11085)

bttoegalab (PID: 11086, Parent: 3310, MD5: 2a6279779a5dc3ec157fce0a50c8b9c3) Arguments: /usr/bin/bttoegalab whoami 9490

bttoegalab New Fork (PID: 11089, Parent: 11086)

23.vir New Fork (PID: 11088, Parent: 9490)

23.vir New Fork (PID: 11090, Parent: 11088)

bttoegalab (PID: 11090, Parent: 11088, MD5: 2a6279779a5dc3ec157fce0a50c8b9c3) Arguments: /usr/bin/bttoegalab sh 9490

bttoegalab New Fork (PID: 11092, Parent: 11090)

23.vir New Fork (PID: 11094, Parent: 9490)

23.vir New Fork (PID: 11096, Parent: 11094)

bttoegalab (PID: 11096, Parent: 3310, MD5: 2a6279779a5dc3ec157fce0a50c8b9c3) Arguments: /usr/bin/bttoegalab whoami 9490

bttoegalab New Fork (PID: 11107, Parent: 11096)

23.vir New Fork (PID: 11134, Parent: 9490)

23.vir New Fork (PID: 11135, Parent: 11134)

kgzpduqztf (PID: 11135, Parent: 3310, MD5: f67f079f2885a893c0e6dcbd197c4176) Arguments: /usr/bin/kgzpduqztf "grep \"A\"" 9490

kgzpduqztf New Fork (PID: 11137, Parent: 11135)

23.vir New Fork (PID: 11136, Parent: 9490)

23.vir New Fork (PID: 11138, Parent: 11136)

kgzpduqztf (PID: 11138, Parent: 3310, MD5: f67f079f2885a893c0e6dcbd197c4176) Arguments: /usr/bin/kgzpduqztf pwd 9490

kgzpduqztf New Fork (PID: 11150, Parent: 11138)

23.vir New Fork (PID: 11140, Parent: 9490)

23.vir New Fork (PID: 11142, Parent: 11140)

kgzpduqztf (PID: 11142, Parent: 3310, MD5: f67f079f2885a893c0e6dcbd197c4176) Arguments: /usr/bin/kgzpduqztf whoami 9490

kgzpduqztf New Fork (PID: 11159, Parent: 11142)

23.vir New Fork (PID: 11144, Parent: 9490)

23.vir New Fork (PID: 11147, Parent: 11144)

kgzpduqztf (PID: 11147, Parent: 3310, MD5: f67f079f2885a893c0e6dcbd197c4176) Arguments: /usr/bin/kgzpduqztf "route -n" 9490

kgzpduqztf New Fork (PID: 11161, Parent: 11147)

23.vir New Fork (PID: 11149, Parent: 9490)

23.vir New Fork (PID: 11152, Parent: 11149)

kgzpduqztf (PID: 11152, Parent: 3310, MD5: f67f079f2885a893c0e6dcbd197c4176) Arguments: /usr/bin/kgzpduqztf top 9490

kgzpduqztf New Fork (PID: 11157, Parent: 11152)

23.vir New Fork (PID: 11199, Parent: 9490)

23.vir New Fork (PID: 11200, Parent: 11199)

bsahphdkyw (PID: 11200, Parent: 3310, MD5: c9f62cfe5bda72a2175f7c0e76f5c611) Arguments: /usr/bin/bsahphdkyw bash 9490

bsahphdkyw New Fork (PID: 11206, Parent: 11200)

23.vir New Fork (PID: 11201, Parent: 9490)

23.vir New Fork (PID: 11202, Parent: 11201)

bsahphdkyw (PID: 11202, Parent: 3310, MD5: c9f62cfe5bda72a2175f7c0e76f5c611) Arguments: /usr/bin/bsahphdkyw uptime 9490

bsahphdkyw New Fork (PID: 11212, Parent: 11202)

23.vir New Fork (PID: 11203, Parent: 9490)

23.vir New Fork (PID: 11204, Parent: 11203)

bsahphdkyw (PID: 11204, Parent: 3310, MD5: c9f62cfe5bda72a2175f7c0e76f5c611) Arguments: /usr/bin/bsahphdkyw id 9490

bsahphdkyw New Fork (PID: 11209, Parent: 11204)

23.vir New Fork (PID: 11205, Parent: 9490)

23.vir New Fork (PID: 11207, Parent: 11205)

bsahphdkyw (PID: 11207, Parent: 3310, MD5: c9f62cfe5bda72a2175f7c0e76f5c611) Arguments: /usr/bin/bsahphdkyw "netstat -an" 9490

bsahphdkyw New Fork (PID: 11214, Parent: 11207)

23.vir New Fork (PID: 11208, Parent: 9490)

23.vir New Fork (PID: 11210, Parent: 11208)

bsahphdkyw (PID: 11210, Parent: 3310, MD5: c9f62cfe5bda72a2175f7c0e76f5c611) Arguments: /usr/bin/bsahphdkyw whoami 9490

bsahphdkyw New Fork (PID: 11211, Parent: 11210)

23.vir New Fork (PID: 11254, Parent: 9490)

23.vir New Fork (PID: 11255, Parent: 11254)

eualgoidvu (PID: 11255, Parent: 3310, MD5: 1624e15f9671816660bfe2b9e2ff57df) Arguments: /usr/bin/eualgoidvu uptime 9490

eualgoidvu New Fork (PID: 11265, Parent: 11255)

23.vir New Fork (PID: 11256, Parent: 9490)

23.vir New Fork (PID: 11257, Parent: 11256)

eualgoidvu (PID: 11257, Parent: 3310, MD5: 1624e15f9671816660bfe2b9e2ff57df) Arguments: /usr/bin/eualgoidvu ifconfig 9490

eualgoidvu New Fork (PID: 11267, Parent: 11257)

23.vir New Fork (PID: 11258, Parent: 9490)

23.vir New Fork (PID: 11259, Parent: 11258)

eualgoidvu (PID: 11259, Parent: 3310, MD5: 1624e15f9671816660bfe2b9e2ff57df) Arguments: /usr/bin/eualgoidvu who 9490

eualgoidvu New Fork (PID: 11268, Parent: 11259)

23.vir New Fork (PID: 11260, Parent: 9490)

23.vir New Fork (PID: 11261, Parent: 11260)

eualgoidvu (PID: 11261, Parent: 3310, MD5: 1624e15f9671816660bfe2b9e2ff57df) Arguments: /usr/bin/eualgoidvu "sleep 1" 9490

eualgoidvu New Fork (PID: 11264, Parent: 11261)

23.vir New Fork (PID: 11262, Parent: 9490)

23.vir New Fork (PID: 11263, Parent: 11262)

eualgoidvu (PID: 11263, Parent: 3310, MD5: 1624e15f9671816660bfe2b9e2ff57df) Arguments: /usr/bin/eualgoidvu uptime 9490

eualgoidvu New Fork (PID: 11266, Parent: 11263)

cleanup

Yara Signatures

Initial Sample

Source	Rule	Description	Author	Strings
23.vir	JoeSecurity_XorDDoS	Yara detected XorDDoS Bot	Joe Security
23.vir	MALWARE_Linux_XORDDoS	Detects XORDDoS	ditekSHen	0x863fb:$s1: for i in `cat /proc/net/dev\|grep :\|awk -F: {'print $1'}`; do ifconfig $i up& done 0x8644d:$s2: cp /lib/libudev.so /lib/libudev.so.6 0x6ad30:$s3: sed -i '/\/etc\/cron.hourly\/gcc.sh/d' /etc/crontab && echo '/3 * * * root /etc/cron.hourly/gcc.sh' >> /etc/crontab 0x6ae29:$s4: User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; SV1; TencentTraveler ; .NET CLR 1.1.4322)
23.vir	XOR_DDosv1	Rule to detect XOR DDos infection	Akamai CSIRT	0x6b0e4:$st0: BB2FA36AAA9541F0 0x6b0f4:$st0: BB2FA36AAA9541F0 0x6b124:$st0: BB2FA36AAA9541F0 0x6b134:$st0: BB2FA36AAA9541F0 0x6b144:$st0: BB2FA36AAA9541F0 0x6b154:$st0: BB2FA36AAA9541F0 0x6b164:$st0: BB2FA36AAA9541F0 0x6b174:$st0: BB2FA36AAA9541F0 0x6b184:$st0: BB2FA36AAA9541F0 0x6b194:$st0: BB2FA36AAA9541F0 0x6b1a4:$st0: BB2FA36AAA9541F0 0x6b1b4:$st0: BB2FA36AAA9541F0 0x6b1c4:$st0: BB2FA36AAA9541F0 0x6b1d4:$st0: BB2FA36AAA9541F0 0x6b1e4:$st0: BB2FA36AAA9541F0 0x6b1f4:$st0: BB2FA36AAA9541F0 0x6b204:$st0: BB2FA36AAA9541F0 0x6b214:$st0: BB2FA36AAA9541F0 0x6b224:$st0: BB2FA36AAA9541F0 0x6b234:$st0: BB2FA36AAA9541F0 0x6b244:$st0: BB2FA36AAA9541F0

Dropped Files

Source	Rule	Description	Author	Strings
/usr/bin/fujnmwlbbw	JoeSecurity_XorDDoS	Yara detected XorDDoS Bot	Joe Security
/usr/bin/fujnmwlbbw	MALWARE_Linux_XORDDoS	Detects XORDDoS	ditekSHen	0x863fb:$s1: for i in `cat /proc/net/dev\|grep :\|awk -F: {'print $1'}`; do ifconfig $i up& done 0x8644d:$s2: cp /lib/libudev.so /lib/libudev.so.6 0x6ad30:$s3: sed -i '/\/etc\/cron.hourly\/gcc.sh/d' /etc/crontab && echo '/3 * * * root /etc/cron.hourly/gcc.sh' >> /etc/crontab 0x6ae29:$s4: User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; SV1; TencentTraveler ; .NET CLR 1.1.4322)
/usr/bin/fujnmwlbbw	XOR_DDosv1	Rule to detect XOR DDos infection	Akamai CSIRT	0x6b0e4:$st0: BB2FA36AAA9541F0 0x6b0f4:$st0: BB2FA36AAA9541F0 0x6b124:$st0: BB2FA36AAA9541F0 0x6b134:$st0: BB2FA36AAA9541F0 0x6b144:$st0: BB2FA36AAA9541F0 0x6b154:$st0: BB2FA36AAA9541F0 0x6b164:$st0: BB2FA36AAA9541F0 0x6b174:$st0: BB2FA36AAA9541F0 0x6b184:$st0: BB2FA36AAA9541F0 0x6b194:$st0: BB2FA36AAA9541F0 0x6b1a4:$st0: BB2FA36AAA9541F0 0x6b1b4:$st0: BB2FA36AAA9541F0 0x6b1c4:$st0: BB2FA36AAA9541F0 0x6b1d4:$st0: BB2FA36AAA9541F0 0x6b1e4:$st0: BB2FA36AAA9541F0 0x6b1f4:$st0: BB2FA36AAA9541F0 0x6b204:$st0: BB2FA36AAA9541F0 0x6b214:$st0: BB2FA36AAA9541F0 0x6b224:$st0: BB2FA36AAA9541F0 0x6b234:$st0: BB2FA36AAA9541F0 0x6b244:$st0: BB2FA36AAA9541F0
/usr/bin/lylocfjohc	JoeSecurity_XorDDoS	Yara detected XorDDoS Bot	Joe Security
/usr/bin/lylocfjohc	MALWARE_Linux_XORDDoS	Detects XORDDoS	ditekSHen	0x863fb:$s1: for i in `cat /proc/net/dev\|grep :\|awk -F: {'print $1'}`; do ifconfig $i up& done 0x8644d:$s2: cp /lib/libudev.so /lib/libudev.so.6 0x6ad30:$s3: sed -i '/\/etc\/cron.hourly\/gcc.sh/d' /etc/crontab && echo '/3 * * * root /etc/cron.hourly/gcc.sh' >> /etc/crontab 0x6ae29:$s4: User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; SV1; TencentTraveler ; .NET CLR 1.1.4322)
/usr/bin/lylocfjohc	XOR_DDosv1	Rule to detect XOR DDos infection	Akamai CSIRT	0x6b0e4:$st0: BB2FA36AAA9541F0 0x6b0f4:$st0: BB2FA36AAA9541F0 0x6b124:$st0: BB2FA36AAA9541F0 0x6b134:$st0: BB2FA36AAA9541F0 0x6b144:$st0: BB2FA36AAA9541F0 0x6b154:$st0: BB2FA36AAA9541F0 0x6b164:$st0: BB2FA36AAA9541F0 0x6b174:$st0: BB2FA36AAA9541F0 0x6b184:$st0: BB2FA36AAA9541F0 0x6b194:$st0: BB2FA36AAA9541F0 0x6b1a4:$st0: BB2FA36AAA9541F0 0x6b1b4:$st0: BB2FA36AAA9541F0 0x6b1c4:$st0: BB2FA36AAA9541F0 0x6b1d4:$st0: BB2FA36AAA9541F0 0x6b1e4:$st0: BB2FA36AAA9541F0 0x6b1f4:$st0: BB2FA36AAA9541F0 0x6b204:$st0: BB2FA36AAA9541F0 0x6b214:$st0: BB2FA36AAA9541F0 0x6b224:$st0: BB2FA36AAA9541F0 0x6b234:$st0: BB2FA36AAA9541F0 0x6b244:$st0: BB2FA36AAA9541F0
/lib/libudev.so	JoeSecurity_XorDDoS	Yara detected XorDDoS Bot	Joe Security
/lib/libudev.so	MALWARE_Linux_XORDDoS	Detects XORDDoS	ditekSHen	0x863fb:$s1: for i in `cat /proc/net/dev\|grep :\|awk -F: {'print $1'}`; do ifconfig $i up& done 0x8644d:$s2: cp /lib/libudev.so /lib/libudev.so.6 0x6ad30:$s3: sed -i '/\/etc\/cron.hourly\/gcc.sh/d' /etc/crontab && echo '/3 * * * root /etc/cron.hourly/gcc.sh' >> /etc/crontab 0x6ae29:$s4: User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; SV1; TencentTraveler ; .NET CLR 1.1.4322)
/lib/libudev.so	XOR_DDosv1	Rule to detect XOR DDos infection	Akamai CSIRT	0x6b0e4:$st0: BB2FA36AAA9541F0 0x6b0f4:$st0: BB2FA36AAA9541F0 0x6b124:$st0: BB2FA36AAA9541F0 0x6b134:$st0: BB2FA36AAA9541F0 0x6b144:$st0: BB2FA36AAA9541F0 0x6b154:$st0: BB2FA36AAA9541F0 0x6b164:$st0: BB2FA36AAA9541F0 0x6b174:$st0: BB2FA36AAA9541F0 0x6b184:$st0: BB2FA36AAA9541F0 0x6b194:$st0: BB2FA36AAA9541F0 0x6b1a4:$st0: BB2FA36AAA9541F0 0x6b1b4:$st0: BB2FA36AAA9541F0 0x6b1c4:$st0: BB2FA36AAA9541F0 0x6b1d4:$st0: BB2FA36AAA9541F0 0x6b1e4:$st0: BB2FA36AAA9541F0 0x6b1f4:$st0: BB2FA36AAA9541F0 0x6b204:$st0: BB2FA36AAA9541F0 0x6b214:$st0: BB2FA36AAA9541F0 0x6b224:$st0: BB2FA36AAA9541F0 0x6b234:$st0: BB2FA36AAA9541F0 0x6b244:$st0: BB2FA36AAA9541F0
/usr/bin/xyannwkfrh	JoeSecurity_XorDDoS	Yara detected XorDDoS Bot	Joe Security
/usr/bin/xyannwkfrh	MALWARE_Linux_XORDDoS	Detects XORDDoS	ditekSHen	0x863fb:$s1: for i in `cat /proc/net/dev\|grep :\|awk -F: {'print $1'}`; do ifconfig $i up& done 0x8644d:$s2: cp /lib/libudev.so /lib/libudev.so.6 0x6ad30:$s3: sed -i '/\/etc\/cron.hourly\/gcc.sh/d' /etc/crontab && echo '/3 * * * root /etc/cron.hourly/gcc.sh' >> /etc/crontab 0x6ae29:$s4: User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; SV1; TencentTraveler ; .NET CLR 1.1.4322)
/usr/bin/xyannwkfrh	XOR_DDosv1	Rule to detect XOR DDos infection	Akamai CSIRT	0x6b0e4:$st0: BB2FA36AAA9541F0 0x6b0f4:$st0: BB2FA36AAA9541F0 0x6b124:$st0: BB2FA36AAA9541F0 0x6b134:$st0: BB2FA36AAA9541F0 0x6b144:$st0: BB2FA36AAA9541F0 0x6b154:$st0: BB2FA36AAA9541F0 0x6b164:$st0: BB2FA36AAA9541F0 0x6b174:$st0: BB2FA36AAA9541F0 0x6b184:$st0: BB2FA36AAA9541F0 0x6b194:$st0: BB2FA36AAA9541F0 0x6b1a4:$st0: BB2FA36AAA9541F0 0x6b1b4:$st0: BB2FA36AAA9541F0 0x6b1c4:$st0: BB2FA36AAA9541F0 0x6b1d4:$st0: BB2FA36AAA9541F0 0x6b1e4:$st0: BB2FA36AAA9541F0 0x6b1f4:$st0: BB2FA36AAA9541F0 0x6b204:$st0: BB2FA36AAA9541F0 0x6b214:$st0: BB2FA36AAA9541F0 0x6b224:$st0: BB2FA36AAA9541F0 0x6b234:$st0: BB2FA36AAA9541F0 0x6b244:$st0: BB2FA36AAA9541F0
/usr/bin/oamtagxisa	JoeSecurity_XorDDoS	Yara detected XorDDoS Bot	Joe Security
/usr/bin/oamtagxisa	MALWARE_Linux_XORDDoS	Detects XORDDoS	ditekSHen	0x863fb:$s1: for i in `cat /proc/net/dev\|grep :\|awk -F: {'print $1'}`; do ifconfig $i up& done 0x8644d:$s2: cp /lib/libudev.so /lib/libudev.so.6 0x6ad30:$s3: sed -i '/\/etc\/cron.hourly\/gcc.sh/d' /etc/crontab && echo '/3 * * * root /etc/cron.hourly/gcc.sh' >> /etc/crontab 0x6ae29:$s4: User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; SV1; TencentTraveler ; .NET CLR 1.1.4322)
/usr/bin/oamtagxisa	XOR_DDosv1	Rule to detect XOR DDos infection	Akamai CSIRT	0x6b0e4:$st0: BB2FA36AAA9541F0 0x6b0f4:$st0: BB2FA36AAA9541F0 0x6b124:$st0: BB2FA36AAA9541F0 0x6b134:$st0: BB2FA36AAA9541F0 0x6b144:$st0: BB2FA36AAA9541F0 0x6b154:$st0: BB2FA36AAA9541F0 0x6b164:$st0: BB2FA36AAA9541F0 0x6b174:$st0: BB2FA36AAA9541F0 0x6b184:$st0: BB2FA36AAA9541F0 0x6b194:$st0: BB2FA36AAA9541F0 0x6b1a4:$st0: BB2FA36AAA9541F0 0x6b1b4:$st0: BB2FA36AAA9541F0 0x6b1c4:$st0: BB2FA36AAA9541F0 0x6b1d4:$st0: BB2FA36AAA9541F0 0x6b1e4:$st0: BB2FA36AAA9541F0 0x6b1f4:$st0: BB2FA36AAA9541F0 0x6b204:$st0: BB2FA36AAA9541F0 0x6b214:$st0: BB2FA36AAA9541F0 0x6b224:$st0: BB2FA36AAA9541F0 0x6b234:$st0: BB2FA36AAA9541F0 0x6b244:$st0: BB2FA36AAA9541F0
/usr/bin/xqbdnwqfkw	JoeSecurity_XorDDoS	Yara detected XorDDoS Bot	Joe Security
/usr/bin/xqbdnwqfkw	MALWARE_Linux_XORDDoS	Detects XORDDoS	ditekSHen	0x863fb:$s1: for i in `cat /proc/net/dev\|grep :\|awk -F: {'print $1'}`; do ifconfig $i up& done 0x8644d:$s2: cp /lib/libudev.so /lib/libudev.so.6 0x6ad30:$s3: sed -i '/\/etc\/cron.hourly\/gcc.sh/d' /etc/crontab && echo '/3 * * * root /etc/cron.hourly/gcc.sh' >> /etc/crontab 0x6ae29:$s4: User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; SV1; TencentTraveler ; .NET CLR 1.1.4322)
/usr/bin/xqbdnwqfkw	XOR_DDosv1	Rule to detect XOR DDos infection	Akamai CSIRT	0x6b0e4:$st0: BB2FA36AAA9541F0 0x6b0f4:$st0: BB2FA36AAA9541F0 0x6b124:$st0: BB2FA36AAA9541F0 0x6b134:$st0: BB2FA36AAA9541F0 0x6b144:$st0: BB2FA36AAA9541F0 0x6b154:$st0: BB2FA36AAA9541F0 0x6b164:$st0: BB2FA36AAA9541F0 0x6b174:$st0: BB2FA36AAA9541F0 0x6b184:$st0: BB2FA36AAA9541F0 0x6b194:$st0: BB2FA36AAA9541F0 0x6b1a4:$st0: BB2FA36AAA9541F0 0x6b1b4:$st0: BB2FA36AAA9541F0 0x6b1c4:$st0: BB2FA36AAA9541F0 0x6b1d4:$st0: BB2FA36AAA9541F0 0x6b1e4:$st0: BB2FA36AAA9541F0 0x6b1f4:$st0: BB2FA36AAA9541F0 0x6b204:$st0: BB2FA36AAA9541F0 0x6b214:$st0: BB2FA36AAA9541F0 0x6b224:$st0: BB2FA36AAA9541F0 0x6b234:$st0: BB2FA36AAA9541F0 0x6b244:$st0: BB2FA36AAA9541F0
/usr/bin/gsteyamogh	JoeSecurity_XorDDoS	Yara detected XorDDoS Bot	Joe Security
/usr/bin/gsteyamogh	MALWARE_Linux_XORDDoS	Detects XORDDoS	ditekSHen	0x863fb:$s1: for i in `cat /proc/net/dev\|grep :\|awk -F: {'print $1'}`; do ifconfig $i up& done 0x8644d:$s2: cp /lib/libudev.so /lib/libudev.so.6 0x6ad30:$s3: sed -i '/\/etc\/cron.hourly\/gcc.sh/d' /etc/crontab && echo '/3 * * * root /etc/cron.hourly/gcc.sh' >> /etc/crontab 0x6ae29:$s4: User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; SV1; TencentTraveler ; .NET CLR 1.1.4322)
/usr/bin/yhevizbcnp	JoeSecurity_XorDDoS	Yara detected XorDDoS Bot	Joe Security
/usr/bin/yhevizbcnp	MALWARE_Linux_XORDDoS	Detects XORDDoS	ditekSHen	0x863fb:$s1: for i in `cat /proc/net/dev\|grep :\|awk -F: {'print $1'}`; do ifconfig $i up& done 0x8644d:$s2: cp /lib/libudev.so /lib/libudev.so.6 0x6ad30:$s3: sed -i '/\/etc\/cron.hourly\/gcc.sh/d' /etc/crontab && echo '/3 * * * root /etc/cron.hourly/gcc.sh' >> /etc/crontab 0x6ae29:$s4: User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; SV1; TencentTraveler ; .NET CLR 1.1.4322)
/usr/bin/yhevizbcnp	XOR_DDosv1	Rule to detect XOR DDos infection	Akamai CSIRT	0x6b0e4:$st0: BB2FA36AAA9541F0 0x6b0f4:$st0: BB2FA36AAA9541F0 0x6b124:$st0: BB2FA36AAA9541F0 0x6b134:$st0: BB2FA36AAA9541F0 0x6b144:$st0: BB2FA36AAA9541F0 0x6b154:$st0: BB2FA36AAA9541F0 0x6b164:$st0: BB2FA36AAA9541F0 0x6b174:$st0: BB2FA36AAA9541F0 0x6b184:$st0: BB2FA36AAA9541F0 0x6b194:$st0: BB2FA36AAA9541F0 0x6b1a4:$st0: BB2FA36AAA9541F0 0x6b1b4:$st0: BB2FA36AAA9541F0 0x6b1c4:$st0: BB2FA36AAA9541F0 0x6b1d4:$st0: BB2FA36AAA9541F0 0x6b1e4:$st0: BB2FA36AAA9541F0 0x6b1f4:$st0: BB2FA36AAA9541F0 0x6b204:$st0: BB2FA36AAA9541F0 0x6b214:$st0: BB2FA36AAA9541F0 0x6b224:$st0: BB2FA36AAA9541F0 0x6b234:$st0: BB2FA36AAA9541F0 0x6b244:$st0: BB2FA36AAA9541F0
/usr/bin/oswtkhubva	JoeSecurity_XorDDoS	Yara detected XorDDoS Bot	Joe Security
/usr/bin/xycbwuwgff	JoeSecurity_XorDDoS	Yara detected XorDDoS Bot	Joe Security
/usr/bin/xycbwuwgff	MALWARE_Linux_XORDDoS	Detects XORDDoS	ditekSHen	0x863fb:$s1: for i in `cat /proc/net/dev\|grep :\|awk -F: {'print $1'}`; do ifconfig $i up& done 0x8644d:$s2: cp /lib/libudev.so /lib/libudev.so.6 0x6ad30:$s3: sed -i '/\/etc\/cron.hourly\/gcc.sh/d' /etc/crontab && echo '/3 * * * root /etc/cron.hourly/gcc.sh' >> /etc/crontab 0x6ae29:$s4: User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; SV1; TencentTraveler ; .NET CLR 1.1.4322)
/usr/bin/xycbwuwgff	XOR_DDosv1	Rule to detect XOR DDos infection	Akamai CSIRT	0x6b0e4:$st0: BB2FA36AAA9541F0 0x6b0f4:$st0: BB2FA36AAA9541F0 0x6b124:$st0: BB2FA36AAA9541F0 0x6b134:$st0: BB2FA36AAA9541F0 0x6b144:$st0: BB2FA36AAA9541F0 0x6b154:$st0: BB2FA36AAA9541F0 0x6b164:$st0: BB2FA36AAA9541F0 0x6b174:$st0: BB2FA36AAA9541F0 0x6b184:$st0: BB2FA36AAA9541F0 0x6b194:$st0: BB2FA36AAA9541F0 0x6b1a4:$st0: BB2FA36AAA9541F0 0x6b1b4:$st0: BB2FA36AAA9541F0 0x6b1c4:$st0: BB2FA36AAA9541F0 0x6b1d4:$st0: BB2FA36AAA9541F0 0x6b1e4:$st0: BB2FA36AAA9541F0 0x6b1f4:$st0: BB2FA36AAA9541F0 0x6b204:$st0: BB2FA36AAA9541F0 0x6b214:$st0: BB2FA36AAA9541F0 0x6b224:$st0: BB2FA36AAA9541F0 0x6b234:$st0: BB2FA36AAA9541F0 0x6b244:$st0: BB2FA36AAA9541F0
/usr/bin/oswtkhubva	MALWARE_Linux_XORDDoS	Detects XORDDoS	ditekSHen	0x863fb:$s1: for i in `cat /proc/net/dev\|grep :\|awk -F: {'print $1'}`; do ifconfig $i up& done 0x8644d:$s2: cp /lib/libudev.so /lib/libudev.so.6 0x6ad30:$s3: sed -i '/\/etc\/cron.hourly\/gcc.sh/d' /etc/crontab && echo '/3 * * * root /etc/cron.hourly/gcc.sh' >> /etc/crontab 0x6ae29:$s4: User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; SV1; TencentTraveler ; .NET CLR 1.1.4322)
/usr/bin/nqyyaftfcu	JoeSecurity_XorDDoS	Yara detected XorDDoS Bot	Joe Security
/usr/bin/oswtkhubva	XOR_DDosv1	Rule to detect XOR DDos infection	Akamai CSIRT	0x6b0e4:$st0: BB2FA36AAA9541F0 0x6b0f4:$st0: BB2FA36AAA9541F0 0x6b124:$st0: BB2FA36AAA9541F0 0x6b134:$st0: BB2FA36AAA9541F0 0x6b144:$st0: BB2FA36AAA9541F0 0x6b154:$st0: BB2FA36AAA9541F0 0x6b164:$st0: BB2FA36AAA9541F0 0x6b174:$st0: BB2FA36AAA9541F0 0x6b184:$st0: BB2FA36AAA9541F0 0x6b194:$st0: BB2FA36AAA9541F0 0x6b1a4:$st0: BB2FA36AAA9541F0 0x6b1b4:$st0: BB2FA36AAA9541F0 0x6b1c4:$st0: BB2FA36AAA9541F0 0x6b1d4:$st0: BB2FA36AAA9541F0 0x6b1e4:$st0: BB2FA36AAA9541F0 0x6b1f4:$st0: BB2FA36AAA9541F0 0x6b204:$st0: BB2FA36AAA9541F0 0x6b214:$st0: BB2FA36AAA9541F0 0x6b224:$st0: BB2FA36AAA9541F0 0x6b234:$st0: BB2FA36AAA9541F0 0x6b244:$st0: BB2FA36AAA9541F0
/usr/bin/nqyyaftfcu	MALWARE_Linux_XORDDoS	Detects XORDDoS	ditekSHen	0x863fb:$s1: for i in `cat /proc/net/dev\|grep :\|awk -F: {'print $1'}`; do ifconfig $i up& done 0x8644d:$s2: cp /lib/libudev.so /lib/libudev.so.6 0x6ad30:$s3: sed -i '/\/etc\/cron.hourly\/gcc.sh/d' /etc/crontab && echo '/3 * * * root /etc/cron.hourly/gcc.sh' >> /etc/crontab 0x6ae29:$s4: User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; SV1; TencentTraveler ; .NET CLR 1.1.4322)
/usr/bin/nqyyaftfcu	XOR_DDosv1	Rule to detect XOR DDos infection	Akamai CSIRT	0x6b0e4:$st0: BB2FA36AAA9541F0 0x6b0f4:$st0: BB2FA36AAA9541F0 0x6b124:$st0: BB2FA36AAA9541F0 0x6b134:$st0: BB2FA36AAA9541F0 0x6b144:$st0: BB2FA36AAA9541F0 0x6b154:$st0: BB2FA36AAA9541F0 0x6b164:$st0: BB2FA36AAA9541F0 0x6b174:$st0: BB2FA36AAA9541F0 0x6b184:$st0: BB2FA36AAA9541F0 0x6b194:$st0: BB2FA36AAA9541F0 0x6b1a4:$st0: BB2FA36AAA9541F0 0x6b1b4:$st0: BB2FA36AAA9541F0 0x6b1c4:$st0: BB2FA36AAA9541F0 0x6b1d4:$st0: BB2FA36AAA9541F0 0x6b1e4:$st0: BB2FA36AAA9541F0 0x6b1f4:$st0: BB2FA36AAA9541F0 0x6b204:$st0: BB2FA36AAA9541F0 0x6b214:$st0: BB2FA36AAA9541F0 0x6b224:$st0: BB2FA36AAA9541F0 0x6b234:$st0: BB2FA36AAA9541F0 0x6b244:$st0: BB2FA36AAA9541F0
/usr/bin/oefibujxuu	JoeSecurity_XorDDoS	Yara detected XorDDoS Bot	Joe Security
/usr/bin/oefibujxuu	MALWARE_Linux_XORDDoS	Detects XORDDoS	ditekSHen	0x863fb:$s1: for i in `cat /proc/net/dev\|grep :\|awk -F: {'print $1'}`; do ifconfig $i up& done 0x8644d:$s2: cp /lib/libudev.so /lib/libudev.so.6 0x6ad30:$s3: sed -i '/\/etc\/cron.hourly\/gcc.sh/d' /etc/crontab && echo '/3 * * * root /etc/cron.hourly/gcc.sh' >> /etc/crontab 0x6ae29:$s4: User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; SV1; TencentTraveler ; .NET CLR 1.1.4322)
/usr/bin/oefibujxuu	XOR_DDosv1	Rule to detect XOR DDos infection	Akamai CSIRT	0x6b0e4:$st0: BB2FA36AAA9541F0 0x6b0f4:$st0: BB2FA36AAA9541F0 0x6b124:$st0: BB2FA36AAA9541F0 0x6b134:$st0: BB2FA36AAA9541F0 0x6b144:$st0: BB2FA36AAA9541F0 0x6b154:$st0: BB2FA36AAA9541F0 0x6b164:$st0: BB2FA36AAA9541F0 0x6b174:$st0: BB2FA36AAA9541F0 0x6b184:$st0: BB2FA36AAA9541F0 0x6b194:$st0: BB2FA36AAA9541F0 0x6b1a4:$st0: BB2FA36AAA9541F0 0x6b1b4:$st0: BB2FA36AAA9541F0 0x6b1c4:$st0: BB2FA36AAA9541F0 0x6b1d4:$st0: BB2FA36AAA9541F0 0x6b1e4:$st0: BB2FA36AAA9541F0 0x6b1f4:$st0: BB2FA36AAA9541F0 0x6b204:$st0: BB2FA36AAA9541F0 0x6b214:$st0: BB2FA36AAA9541F0 0x6b224:$st0: BB2FA36AAA9541F0 0x6b234:$st0: BB2FA36AAA9541F0 0x6b244:$st0: BB2FA36AAA9541F0
/usr/bin/lzibcaczrf	JoeSecurity_XorDDoS	Yara detected XorDDoS Bot	Joe Security
/usr/bin/lzibcaczrf	MALWARE_Linux_XORDDoS	Detects XORDDoS	ditekSHen	0x863fb:$s1: for i in `cat /proc/net/dev\|grep :\|awk -F: {'print $1'}`; do ifconfig $i up& done 0x8644d:$s2: cp /lib/libudev.so /lib/libudev.so.6 0x6ad30:$s3: sed -i '/\/etc\/cron.hourly\/gcc.sh/d' /etc/crontab && echo '/3 * * * root /etc/cron.hourly/gcc.sh' >> /etc/crontab 0x6ae29:$s4: User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; SV1; TencentTraveler ; .NET CLR 1.1.4322)
/usr/bin/lzibcaczrf	XOR_DDosv1	Rule to detect XOR DDos infection	Akamai CSIRT	0x6b0e4:$st0: BB2FA36AAA9541F0 0x6b0f4:$st0: BB2FA36AAA9541F0 0x6b124:$st0: BB2FA36AAA9541F0 0x6b134:$st0: BB2FA36AAA9541F0 0x6b144:$st0: BB2FA36AAA9541F0 0x6b154:$st0: BB2FA36AAA9541F0 0x6b164:$st0: BB2FA36AAA9541F0 0x6b174:$st0: BB2FA36AAA9541F0 0x6b184:$st0: BB2FA36AAA9541F0 0x6b194:$st0: BB2FA36AAA9541F0 0x6b1a4:$st0: BB2FA36AAA9541F0 0x6b1b4:$st0: BB2FA36AAA9541F0 0x6b1c4:$st0: BB2FA36AAA9541F0 0

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Linux Analysis Report
23.vir

Overview

General Information

Detection

Signatures

Classification

General Information

Warnings

Runtime Messages

Process Tree

Yara Signatures

Initial Sample

Dropped Files

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Linux Analysis Report 23.vir

Overview

General Information

Detection

Signatures

Classification

General Information

Warnings

Runtime Messages

Process Tree

Yara Signatures

Initial Sample

Dropped Files

Linux Analysis Report
23.vir