Analysis
- max time kernel: 23s
- max time network: 9s
- platform: debian-9_armhf
- resource: debian9-armhf-20231215-en
- resource tags: arch:armhf, image:debian9-armhf-20231215-en, kernel:4.9.0-13-armmp-lpae, locale:en-us, os:debian-9-armhf, system
- submitted: 20/12/2023, 05:14
Static task
- static1
Behavioral tasks
- behavioral1: sample ai.sh, resource ubuntu1804-amd64-20231215-en
- behavioral2: sample ai.sh, resource debian9-armhf-20231215-en
- behavioral3: sample ai.sh, resource debian9-mipsbe-20231215-en
- behavioral4: sample ai.sh, resource debian9-mipsel-20231215-en
General
- Target: ai.sh
- Size: 831B
- MD5: b1a64a7afeda8fc66076eae49bdb6267
- SHA1: 0d840e800c0dac1d51f8a243056e94ed385c3a98
- SHA256: 9d5036d204e6598fd4c4ac93688c9acdec3d6a1e4d14018ec16db955f3ee8b24
- SHA512: 619c55b6f6d222c8a831a441205b75359976d9d80ba01734640d81b96a32e2b263448e16be8d3dad9afb1c78ebcd717cbc8dbefe134fc593f079a931140c67fa
Malware Config
Signatures
- Detects Kaiten/Tsunami Payload (1 IoC)
  resource: behavioral2/files/fstream-6.dat, yara_rule: family_kaiten2
- Detects Kaiten/Tsunami payload (1 IoC)
  resource: behavioral2/files/fstream-6.dat, yara_rule: family_kaiten
- XMRig Miner payload (4 IoCs)
  resource: behavioral2/files/fstream-3.dat, yara_rule: family_xmrig
  resource: behavioral2/files/fstream-3.dat, yara_rule: xmrig
  resource: behavioral2/files/fstream-10.dat, yara_rule: family_xmrig
  resource: behavioral2/files/fstream-10.dat, yara_rule: xmrig
- Executes dropped EXE (7 IoCs)
  ioc: /var/tmp/.22/start, pid: 688, process: start
  ioc: /var/tmp/.22/hide, pid: 690, process: hide
  ioc: /var/tmp/.22/create, pid: 692, process: create
  ioc: /var/tmp/.22/auto, pid: 772, process: auto
  ioc: /var/tmp/.22/init, pid: 776, process: init
  ioc: /var/tmp/.22/mining, pid: 781, process: mining
  ioc: /var/tmp/.22/init, pid: 783, process: init
- Creates/modifies Cron job (1 TTP, 1 IoC)
  Cron allows running tasks on a schedule, and is commonly used for malware persistence.
  description: File opened for modification, ioc: /var/spool/cron/crontabs/tmp.xnt8NK, process: crontab
- Enumerates running processes
  Discovers information about currently running processes on the system.
- Reads CPU attributes (1 TTP, 2 IoCs)
  description: File opened for reading, ioc: /sys/devices/system/cpu/online, process: pkill
  description: File opened for reading, ioc: /sys/devices/system/cpu/online, process: ps
- Reads runtime system information (64 IoCs)
  Reads data from the /proc virtual filesystem.
- Writes file to tmp directory (1 IoC)
  Malware often drops required files in the /tmp directory.
  description: File opened for modification, ioc: /tmp/sh-thd.HVezhm, process: ai.sh
Processes
- /tmp/ai.sh  (cmd: /tmp/ai.sh, PID 658)  [Writes file to tmp directory]
  - /bin/grep  (cmd: grep EST, PID 671)
  - /bin/grep  (cmd: grep 94.241.140.177, PID 672)
  - /bin/grep  (cmd: grep 80, PID 673)
  - /bin/mkdir  (cmd: mkdir -p /var/tmp/.22, PID 675)
  - /bin/tar  (cmd: tar -xf xm.jpg, PID 682)
    - /usr/local/sbin/gzip  (cmd: gzip -d, PID 684)
    - /usr/local/bin/gzip  (cmd: gzip -d, PID 684)
    - /usr/sbin/gzip  (cmd: gzip -d, PID 684)
    - /usr/bin/gzip  (cmd: gzip -d, PID 684)
    - /sbin/gzip  (cmd: gzip -d, PID 684)
    - /bin/gzip  (cmd: gzip -d, PID 684)
  - /bin/chmod  (cmd: chmod +x start, PID 687)
  - /var/tmp/.22/start  (cmd: ./start, PID 688)  [Executes dropped EXE]
    - /bin/uname  (cmd: uname -m, PID 689)
    - /var/tmp/.22/hide  (cmd: ./hide, PID 690)  [Executes dropped EXE]
    - /var/tmp/.22/create  (cmd: ./create, PID 692)  [Executes dropped EXE]
      - /bin/cat  (cmd: cat auto, PID 693)
      - /usr/bin/crontab  (cmd: crontab cronjobs, PID 694)  [Creates/modifies Cron job]
      - /bin/rm  (cmd: rm -f cronjobs, PID 762)
      - /usr/bin/crontab  (cmd: crontab -l, PID 767)  [Reads runtime system information]
      - /bin/chmod  (cmd: chmod u+x auto init.d, PID 770)
      - /bin/sh  (cmd: sh -c "./auto > /dev/null 2>&1 &", PID 771)
      - /bin/rm  (cmd: rm -f aarch64 x86_64 hide.c init.c start create, PID 773)
- /usr/bin/base64  (cmd: base64 -d, PID 668)
- /bin/cat  (cmd: cat, PID 680)
- /var/tmp/.22/auto  (cmd: ./auto, PID 772)  [Executes dropped EXE]
  - /var/tmp/.22/init.d  (cmd: /var/tmp/.22/init.d, PID 774)
    - /var/tmp/.22/init  (cmd: ./init, PID 776)  [Executes dropped EXE]
  - /bin/chmod  (cmd: chmod 755 auto hide init init.d logs mining mkcfg xm.jpg, PID 778)
  - /usr/bin/pkill  (cmd: pkill -9 init, PID 780)  [Reads CPU attributes; Reads runtime system information]
- /var/tmp/.22/mining  (cmd: ./mining, PID 781)  [Executes dropped EXE]
  - /var/tmp/.22/init  (cmd: /var/tmp/.22/init, PID 783)  [Executes dropped EXE]
  - /bin/uname  (cmd: uname -m, PID 785)
  - /bin/ps  (cmd: ps -ef, PID 787)  [Reads CPU attributes; Reads runtime system information]
  - /bin/grep  (cmd: grep "sendmail: accepting connections", PID 788)
  - /bin/grep  (cmd: grep -v grep, PID 789)
  - /usr/bin/awk  (cmd: awk "{print \$2}", PID 791)
  - /usr/bin/head  (cmd: head -1, PID 792)
Network
MITRE ATT&CK Enterprise v15
Downloads