5c2af09316a4a4a888f23cced4db98389c59547708c49b3d689c750327392ed6

Analysis

max time kernel
4s
max time network
103s
platform
linux_amd64
resource
ubuntu1804-amd64-en-20211208
resource tags

arch:amd64arch:i386image:ubuntu1804-amd64-en-20211208kernel:4.15.0-161-genericlocale:en-usos:ubuntu-18.04-amd64system
submitted
05/07/2023, 11:50

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

start.sh
Size

1KB
MD5

d94f826979b9c9f6fff5788e8b9d4425
SHA1

0d2d9b9a71fdff445412c2197f7740414824ace3
SHA256

5c2af09316a4a4a888f23cced4db98389c59547708c49b3d689c750327392ed6
SHA512

26ac5d3ca7fd72b4ce028f568cac7e298ef9b399ae84aa36bb3271ad0127c8b86ee8f368d8d22f9d35e7949173577d799a9937aba1dcf7944a3051149f0ffd81

Score

6^/10

Malware Config

Signatures

Enumerates running processes
Discovers information about currently running processes on the system

Reads CPU attributes 1 TTPs 6 IoCs

System Information Discovery

T1082

description	ioc	Process
File opened for reading	/sys/devices/system/cpu/online	kill
File opened for reading	/sys/devices/system/cpu/online	ps
File opened for reading	/sys/devices/system/cpu/online	pgrep
File opened for reading	/sys/devices/system/cpu/online	ps
File opened for reading	/sys/devices/system/cpu/online	ps
File opened for reading	/sys/devices/system/cpu/online	kill

Reads runtime system information 64 IoCs

Reads data from /proc virtual filesystem.

description	ioc	Process
File opened for reading	/proc/192/cmdline	pgrep
File opened for reading	/proc/28/cmdline	ps
File opened for reading	/proc/80/cmdline	ps
File opened for reading	/proc/25/cmdline	pgrep
File opened for reading	/proc/34/cmdline	ps
File opened for reading	/proc/4/status	ps
File opened for reading	/proc/418/cmdline	ps
File opened for reading	/proc/80/stat	ps
File opened for reading	/proc/166/status	ps
File opened for reading	/proc/12/cmdline	ps
File opened for reading	/proc/18/cmdline	ps
File opened for reading	/proc/31/cmdline	pgrep
File opened for reading	/proc/416/status	pgrep
File opened for reading	/proc/416/cmdline	ps
File opened for reading	/proc/12/cmdline	ps
File opened for reading	/proc/25/status	ps
File opened for reading	/proc/25/status	ps
File opened for reading	/proc/sys/kernel/osrelease	ps
File opened for reading	/proc/458/cmdline	ps
File opened for reading	/proc/162/status	pgrep
File opened for reading	/proc/164/status	ps
File opened for reading	/proc/581/stat	ps
File opened for reading	/proc/341/status	ps
File opened for reading	/proc/590/status	ps
File opened for reading	/proc/347/status	pgrep
File opened for reading	/proc/356/status	ps
File opened for reading	/proc/584/stat	ps
File opened for reading	/proc/29/status	ps
File opened for reading	/proc/36/status	ps
File opened for reading	/proc/156/stat	ps
File opened for reading	/proc/458/status	ps
File opened for reading	/proc/1/stat	ps
File opened for reading	/proc/22/status	ps
File opened for reading	/proc/289/status	ps
File opened for reading	/proc/35/stat	ps
File opened for reading	/proc/81/status	ps
File opened for reading	/proc/79/cmdline	ps
File opened for reading	/proc/170/status	ps
File opened for reading	/proc/20/stat	ps
File opened for reading	/proc/15/stat	ps
File opened for reading	/proc/592/stat	ps
File opened for reading	/proc/418/status	pgrep
File opened for reading	/proc/163/stat	ps
File opened for reading	/proc/27/status	ps
File opened for reading	/proc/6/status	ps
File opened for reading	/proc/3/stat	ps
File opened for reading	/proc/286/status	ps
File opened for reading	/proc/2/cmdline	ps
File opened for reading	/proc/347/status	ps
File opened for reading	/proc/self/stat	ps
File opened for reading	/proc/582/stat	ps
File opened for reading	/proc/165/stat	ps
File opened for reading	/proc/223/cmdline	pgrep
File opened for reading	/proc/83/stat	ps
File opened for reading	/proc/18/cmdline	ps
File opened for reading	/proc/21/status	ps
File opened for reading	/proc/581/status	pgrep
File opened for reading	/proc/193/cmdline	ps
File opened for reading	/proc/34/status	pgrep
File opened for reading	/proc/18/status	ps
File opened for reading	/proc/32/cmdline	ps
File opened for reading	/proc/577/status	ps
File opened for reading	/proc/2/cmdline	pgrep
File opened for reading	/proc/447/status	pgrep

Writes file to tmp directory 1 IoCs

Malware often drops required files in the /tmp directory.

description	ioc
File opened for modification	/tmp/proc

/tmp/start.sh
/tmp/start.sh
1⤵
PID:581
- /bin/ps
  ps aux
  2⤵
  - Reads CPU attributes
  - Reads runtime system information
  PID:582
- /bin/grep
  grep -v grep
  2⤵
  PID:583
- /bin/grep
  grep /tmp/kill.sh
  2⤵
  PID:584
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:585
- /usr/bin/xargs
  xargs -i kill -9 "{}"
  2⤵
  PID:586
- /usr/bin/xargs
  xargs -i kill -9 "{}"
  2⤵
  PID:588
- /usr/bin/pgrep
  pgrep -f "while true do.*killall.*kdevtmpfsi.*kinsing.*xmrig"
  2⤵
  - Reads CPU attributes
  - Reads runtime system information
  PID:587
- /bin/ps
  ps aux
  2⤵
  - Reads CPU attributes
  - Reads runtime system information
  PID:589
- /usr/bin/awk
  awk "{if(\$3>40.0) print \$2}"
  2⤵
  PID:590
- /bin/grep
  grep -v grep
  2⤵
  PID:592
- /bin/ps
  ps aux
  2⤵
  - Reads CPU attributes
  - Reads runtime system information
  PID:591
- /bin/grep
  grep tmp
  2⤵
  PID:593
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:594
- /usr/bin/xargs
  xargs -i kill -9 "{}"
  2⤵
  PID:595
- - /usr/local/sbin/kill
    kill -9 13
    3⤵
    PID:600
- - /usr/local/bin/kill
    kill -9 13
    3⤵
    PID:600
- - /usr/sbin/kill
    kill -9 13
    3⤵
    PID:600
- - /usr/bin/kill
    kill -9 13
    3⤵
    PID:600
- - /sbin/kill
    kill -9 13
    3⤵
    PID:600
- - /bin/kill
    kill -9 13
    3⤵
    - Reads CPU attributes
    PID:600
- - /usr/local/sbin/kill
    kill -9 581
    3⤵
    PID:601
- - /usr/local/bin/kill
    kill -9 581
    3⤵
    PID:601
- - /usr/sbin/kill
    kill -9 581
    3⤵
    PID:601
- - /usr/bin/kill
    kill -9 581
    3⤵
    PID:601
- - /sbin/kill
    kill -9 581
    3⤵
    PID:601
- - /bin/kill
    kill -9 581
    3⤵
    - Reads CPU attributes
    PID:601

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Windows 7 deprecation

Loading Replay Monitor...