xorbot | 01762bbc6774c58954d2aef154149f25d195340c877348cbd061e6f3c429d8bd | Triage

Sharing

General

Target

bins.sh
Size

10KB
Sample

250218-e8wndsymv9
MD5

d86eaa590e3754b5c5f7d3d48aafc640
SHA1

c8813488f1208356ead6dd49754edc1174f266a7
SHA256

01762bbc6774c58954d2aef154149f25d195340c877348cbd061e6f3c429d8bd
SHA512

a6833d3c8ca3415c2b90966fcaf03a680be87a3edc4bd88fab1151486c9b92c611705d5560a3284f3bb4cdfeaeae6ba3dab3d945925e45ad9857a4c63c8ec449
SSDEEP

192:3eJJWK7i21QAcr/mRxEpVsP/GsiJzTi21QAEr/mRxYpVsP/l:3eJJWKMpVsP/GsiJz0pVsP/l

Score

10^/10

xorbot antivm botnet defense_evasion discovery execution linux persistence privilege_escalation trojan

Malware Config

Targets

- Target
  
  bins.sh
- Size
  
  10KB
- MD5
  
  d86eaa590e3754b5c5f7d3d48aafc640
- SHA1
  
  c8813488f1208356ead6dd49754edc1174f266a7
- SHA256
  
  01762bbc6774c58954d2aef154149f25d195340c877348cbd061e6f3c429d8bd
- SHA512
  
  a6833d3c8ca3415c2b90966fcaf03a680be87a3edc4bd88fab1151486c9b92c611705d5560a3284f3bb4cdfeaeae6ba3dab3d945925e45ad9857a4c63c8ec449
- SSDEEP
  
  192:3eJJWK7i21QAcr/mRxEpVsP/GsiJzTi21QAEr/mRxYpVsP/l:3eJJWKMpVsP/GsiJz0pVsP/l
Score

10^/10

xorbot botnet defense_evasion discovery execution persistence privilege_escalation trojan antivm
- Detects Xorbot
  botnet trojan
- Xorbot
  Xorbot is a linux botnet and trojan targeting IoT devices.
  botnet trojan xorbot
- Xorbot family
  xorbot
- Contacts a large (2180) amount of remote hosts
  This may indicate a network scan to discover remotely running services.
  discovery
- Creates a large amount of network flows
  This may indicate a network scan to discover remotely running services.
  discovery
- File and Directory Permissions Modification
  Adversaries may modify file or directory permissions to evade defenses.
  defense_evasion
- Executes dropped EXE
- Renames itself
- Creates/modifies Cron job
  Cron allows running tasks on a schedule, and is commonly used for malware persistence.
  execution persistence privilege_escalation
- Enumerates running processes
  Discovers information about currently running processes on the system
behavioral1 behavioral2 behavioral3 behavioral4

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

Cron

Persistence

Scheduled Task/Job

Cron

Privilege Escalation

Scheduled Task/Job

Cron

Defense Evasion

File and Directory Permissions Modification

Linux and Mac File and Directory Permissions Modification

Virtualization/Sandbox Evasion

System Checks

Credential Access

Discovery

Network Service Discovery

Virtualization/Sandbox Evasion

System Checks

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

xorbotbotnetdefense_evasiondiscoveryexecutionpersistenceprivilege_escalationtrojan

behavioral2

xorbotantivmbotnetdefense_evasiondiscoveryexecutionpersistenceprivilege_escalationtrojan

behavioral3

xorbotbotnetdefense_evasiondiscoverytrojan

behavioral4

xorbotbotnetdiscoverytrojan