5c2af09316a4a4a888f23cced4db98389c59547708c49b3d689c750327392ed6

Analysis

max time kernel
3s
max time network
105s
platform
debian-9_armhf
resource
debian9-armhf-20221111-en
resource tags

arch:armhfimage:debian9-armhf-20221111-enkernel:4.9.0-13-armmp-lpaelocale:en-usos:debian-9-armhfsystem
submitted
05-07-2023 11:50

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

start.sh
Size

1KB
MD5

d94f826979b9c9f6fff5788e8b9d4425
SHA1

0d2d9b9a71fdff445412c2197f7740414824ace3
SHA256

5c2af09316a4a4a888f23cced4db98389c59547708c49b3d689c750327392ed6
SHA512

26ac5d3ca7fd72b4ce028f568cac7e298ef9b399ae84aa36bb3271ad0127c8b86ee8f368d8d22f9d35e7949173577d799a9937aba1dcf7944a3051149f0ffd81

Score

6^/10

Malware Config

Signatures

Enumerates running processes
Discovers information about currently running processes on the system

Reads CPU attributes 1 TTPs 6 IoCs

System Information Discovery

T1082

description	ioc	Process
File opened for reading	/sys/devices/system/cpu/online	kill
File opened for reading	/sys/devices/system/cpu/online	ps
File opened for reading	/sys/devices/system/cpu/online	pgrep
File opened for reading	/sys/devices/system/cpu/online	ps
File opened for reading	/sys/devices/system/cpu/online	ps
File opened for reading	/sys/devices/system/cpu/online	kill

Reads runtime system information 64 IoCs

Reads data from /proc virtual filesystem.

description	ioc	Process
File opened for reading	/proc/138/cmdline	pgrep
File opened for reading	/proc/280/cmdline	pgrep
File opened for reading	/proc/21/cmdline	ps
File opened for reading	/proc/111/stat	ps
File opened for reading	/proc/20/cmdline	pgrep
File opened for reading	/proc/5/stat	ps
File opened for reading	/proc/149/stat	ps
File opened for reading	/proc/17/stat	ps
File opened for reading	/proc/81/stat	ps
File opened for reading	/proc/111/stat	ps
File opened for reading	/proc/208/cmdline	ps
File opened for reading	/proc/365/stat	ps
File opened for reading	/proc/361/stat	ps
File opened for reading	/proc/8/status	ps
File opened for reading	/proc/9/status	ps
File opened for reading	/proc/320/stat	ps
File opened for reading	/proc/20/status	ps
File opened for reading	/proc/111/cmdline	ps
File opened for reading	/proc/319/cmdline	ps
File opened for reading	/proc/5/stat	ps
File opened for reading	/proc/24/cmdline	ps
File opened for reading	/proc/26/cmdline	pgrep
File opened for reading	/proc/41/cmdline	pgrep
File opened for reading	/proc/109/status	pgrep
File opened for reading	/proc/4/status	ps
File opened for reading	/proc/13/status	ps
File opened for reading	/proc/23/stat	ps
File opened for reading	/proc/367/status	ps
File opened for reading	/proc/239/stat	ps
File opened for reading	/proc/stat	ps
File opened for reading	/proc/238/cmdline	pgrep
File opened for reading	/proc/237/cmdline	ps
File opened for reading	/proc/4/stat	ps
File opened for reading	/proc/6/cmdline	ps
File opened for reading	/proc/24/stat	ps
File opened for reading	/proc/380/status	ps
File opened for reading	/proc/381/stat	ps
File opened for reading	/proc/14/cmdline	ps
File opened for reading	/proc/141/cmdline	pgrep
File opened for reading	/proc/377/stat	ps
File opened for reading	/proc/5/status	ps
File opened for reading	/proc/19/status	ps
File opened for reading	/proc/8/stat	ps
File opened for reading	/proc/22/status	ps
File opened for reading	/proc/4/stat	ps
File opened for reading	/proc/320/stat	ps
File opened for reading	/proc/364/cmdline	ps
File opened for reading	/proc/365/cmdline	ps
File opened for reading	/proc/6/status	pgrep
File opened for reading	/proc/41/cmdline	ps
File opened for reading	/proc/140/cmdline	pgrep
File opened for reading	/proc/11/stat	ps
File opened for reading	/proc/14/cmdline	ps
File opened for reading	/proc/11/cmdline	ps
File opened for reading	/proc/371/cmdline	ps
File opened for reading	/proc/109/cmdline	pgrep
File opened for reading	/proc/3/cmdline	ps
File opened for reading	/proc/6/cmdline	ps
File opened for reading	/proc/20/stat	ps
File opened for reading	/proc/141/stat	ps
File opened for reading	/proc/3/cmdline	pgrep
File opened for reading	/proc/13/cmdline	pgrep
File opened for reading	/proc/17/cmdline	pgrep
File opened for reading	/proc/43/status	pgrep

Writes file to tmp directory 1 IoCs

Malware often drops required files in the /tmp directory.

description	ioc
File opened for modification	/tmp/proc

/tmp/start.sh
/tmp/start.sh
1⤵
PID:365
- /bin/ps
  ps aux
  2⤵
  - Reads CPU attributes
  - Reads runtime system information
  PID:366
- /bin/grep
  grep -v grep
  2⤵
  PID:367
- /bin/grep
  grep /tmp/kill.sh
  2⤵
  PID:368
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:369
- /usr/bin/xargs
  xargs -i kill -9 "{}"
  2⤵
  PID:370
- /usr/bin/pgrep
  pgrep -f "while true do.*killall.*kdevtmpfsi.*kinsing.*xmrig"
  2⤵
  - Reads CPU attributes
  - Reads runtime system information
  PID:374
- /usr/bin/xargs
  xargs -i kill -9 "{}"
  2⤵
  PID:375
- /bin/ps
  ps aux
  2⤵
  - Reads CPU attributes
  - Reads runtime system information
  PID:376
- /usr/bin/awk
  awk "{if(\$3>40.0) print \$2}"
  2⤵
  PID:377
- /bin/ps
  ps aux
  2⤵
  - Reads CPU attributes
  - Reads runtime system information
  PID:378
- /bin/grep
  grep -v grep
  2⤵
  PID:379
- /bin/grep
  grep tmp
  2⤵
  PID:380
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:381
- /usr/bin/xargs
  xargs -i kill -9 "{}"
  2⤵
  PID:382
- - /usr/local/sbin/kill
    kill -9 13
    3⤵
    PID:383
- - /usr/local/bin/kill
    kill -9 13
    3⤵
    PID:383
- - /usr/sbin/kill
    kill -9 13
    3⤵
    PID:383
- - /usr/bin/kill
    kill -9 13
    3⤵
    PID:383
- - /sbin/kill
    kill -9 13
    3⤵
    PID:383
- - /bin/kill
    kill -9 13
    3⤵
    - Reads CPU attributes
    PID:383
- - /usr/local/sbin/kill
    kill -9 365
    3⤵
    PID:384
- - /usr/local/bin/kill
    kill -9 365
    3⤵
    PID:384
- - /usr/sbin/kill
    kill -9 365
    3⤵
    PID:384
- - /usr/bin/kill
    kill -9 365
    3⤵
    PID:384
- - /sbin/kill
    kill -9 365
    3⤵
    PID:384
- - /bin/kill
    kill -9 365
    3⤵
    - Reads CPU attributes
    PID:384

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads