General
-
Target
bins.sh
-
Size
10KB
-
Sample
241212-xzcg9swpfk
-
MD5
0ef4cd4b12da2c04c9935a28b574707c
-
SHA1
d1bfebb0cc8f5c8223e8f0c5fddb62fb2630a30d
-
SHA256
07d199396942a8726579d96040e7c5050b053315730edaf76b76d01a5413af43
-
SHA512
e473d8b93e142f6f1f8e39b98a2171d07fafd1dc3857d900d433351250bc7b8ca8f0076a25726a473240536c2b2108fa47fa908158559a8b9055748e4c184865
-
SSDEEP
192:LfUyMVFMc4jQopTx5O5t5Zd0NN9aYfDj4PZd0NNUx5O5tdDj4gr6VFgc4jQoz:rUyMVFkWZd0NN9aYfDj4PZd0NN/Dj4gT
Malware Config
Targets
-
-
Target
bins.sh
-
Size
10KB
-
MD5
0ef4cd4b12da2c04c9935a28b574707c
-
SHA1
d1bfebb0cc8f5c8223e8f0c5fddb62fb2630a30d
-
SHA256
07d199396942a8726579d96040e7c5050b053315730edaf76b76d01a5413af43
-
SHA512
e473d8b93e142f6f1f8e39b98a2171d07fafd1dc3857d900d433351250bc7b8ca8f0076a25726a473240536c2b2108fa47fa908158559a8b9055748e4c184865
-
SSDEEP
192:LfUyMVFMc4jQopTx5O5t5Zd0NN9aYfDj4PZd0NNUx5O5tdDj4gr6VFgc4jQoz:rUyMVFkWZd0NN9aYfDj4PZd0NN/Dj4gT
Score10/10-
Detects Xorbot
-
Xorbot
Xorbot is a linux botnet and trojan targeting IoT devices.
-
Xorbot family
-
Contacts a large (1980) amount of remote hosts
This may indicate a network scan to discover remotely running services.
-
File and Directory Permissions Modification
Adversaries may modify file or directory permissions to evade defenses.
-
Executes dropped EXE
-
Renames itself
-
Unexpected DNS network traffic destination
Network traffic to other servers than the configured DNS servers was detected on the DNS port.
-
Creates a large amount of network flows
This may indicate a network scan to discover remotely running services.
-
Creates/modifies Cron job
Cron allows running tasks on a schedule, and is commonly used for malware persistence.
-
Enumerates running processes
Discovers information about currently running processes on the system
-
MITRE ATT&CK Enterprise v15
Defense Evasion
File and Directory Permissions Modification
1Linux and Mac File and Directory Permissions Modification
1Virtualization/Sandbox Evasion
1System Checks
1