Analysis
Max time kernel: 28s
Max time network: 38s
Platform: debian-9_mipsel
Resource: debian9-mipsel-20231215-en
Resource tags: arch:mipsel, image:debian9-mipsel-20231215-en, kernel:4.9.0-13-4kc-malta, locale:en-us, os:debian-9-mipsel, system
Submitted: 20/12/2023, 05:14
Static task: static1
Behavioral task behavioral1: sample ai.sh, resource ubuntu1804-amd64-20231215-en
Behavioral task behavioral2: sample ai.sh, resource debian9-armhf-20231215-en
Behavioral task behavioral3: sample ai.sh, resource debian9-mipsbe-20231215-en
Behavioral task behavioral4: sample ai.sh, resource debian9-mipsel-20231215-en
General
Target: ai.sh
Size: 831B
MD5: b1a64a7afeda8fc66076eae49bdb6267
SHA1: 0d840e800c0dac1d51f8a243056e94ed385c3a98
SHA256: 9d5036d204e6598fd4c4ac93688c9acdec3d6a1e4d14018ec16db955f3ee8b24
SHA512: 619c55b6f6d222c8a831a441205b75359976d9d80ba01734640d81b96a32e2b263448e16be8d3dad9afb1c78ebcd717cbc8dbefe134fc593f079a931140c67fa
Malware Config
Signatures
All signatures below were raised in behavioral4 (debian9-mipsel); the other three behavioral tasks report no hits on this page.

Detects Kaiten/Tsunami Payload (1 IoC)
  resource                         yara_rule
  behavioral4/files/fstream-6.dat  family_kaiten2

Detects Kaiten/Tsunami payload (1 IoC)
  resource                         yara_rule
  behavioral4/files/fstream-6.dat  family_kaiten

XMRig Miner payload (2 IoCs)
  resource                         yara_rule
  behavioral4/files/fstream-3.dat  family_xmrig
  behavioral4/files/fstream-3.dat  xmrig

Executes dropped EXE (7 IoCs)
  ioc                  pid  Process
  /var/tmp/.22/start   742  start
  /var/tmp/.22/hide    744  hide
  /var/tmp/.22/create  746  create
  /var/tmp/.22/auto    755  auto
  /var/tmp/.22/init    758  init
  /var/tmp/.22/mining  762  mining
  /var/tmp/.22/init    764  init

Creates/modifies Cron job (1 TTP, 1 IoC)
Cron allows running tasks on a schedule, and is commonly used for malware persistence.
  description                   ioc                                  Process
  File opened for modification  /var/spool/cron/crontabs/tmp.RIkBNe  crontab
The tmp.* name is crontab(1)'s own scratch copy: it writes the new table there, checks it, then renames it into place as the user's spool file. The artefact to hunt for on a live host is therefore the installed crontab, not this temporary name. The entries came from the cronjobs file that ./create passed to `crontab cronjobs` (PID 749) and deleted right afterwards (`rm -f cronjobs`, PID 751), so the file itself is unlikely to survive on disk.

Enumerates running processes
Discovers information about currently running processes on the system

Reads CPU attributes (1 TTP, 2 IoCs)
  description              ioc                             Process
  File opened for reading  /sys/devices/system/cpu/online  ps
  File opened for reading  /sys/devices/system/cpu/online  pkill

Reads runtime system information (64 IoCs)
Reads data from /proc virtual filesystem.
All 64 entries are "File opened for reading"; they are the normal /proc walks performed by the `ps -ef` (PID 767) and `pkill -9 init` (PID 761) that the dropped binaries spawned, plus one read by crontab, so the signature reflects process enumeration through standard tools rather than direct /proc access by the malware binaries. Grouped by the opening process:
  ps (38): /proc/4/status, /proc/6/cmdline, /proc/232/cmdline, /proc/328/stat, /proc/582/stat, /proc/770/status, /proc/2/cmdline, /proc/20/cmdline, /proc/37/status, /proc/76/status, /proc/325/stat, /proc/19/cmdline, /proc/695/stat, /proc/544/stat, /proc/695/cmdline, /proc/7/stat, /proc/9/stat, /proc/762/stat, /proc/767/status, /proc/400/status, /proc/uptime, /proc/527/cmdline, /proc/767/stat, /proc/23/status, /proc/24/status, /proc/150/stat, /proc/322/stat, /proc/527/stat, /proc/700/stat, /proc/21/cmdline, /proc/71/cmdline, /proc/771/cmdline, /proc/18/status, /proc/770/stat, /proc/15/cmdline, /proc/115/cmdline, /proc/382/cmdline, /proc/116/status
  pkill (25): /proc/9/status, /proc/2/status, /proc/8/cmdline, /proc/77/status, /proc/761/status, /proc/1/cmdline, /proc/17/cmdline, /proc/23/cmdline, /proc/70/status, /proc/582/status, /proc/6/status, /proc/76/status, /proc/232/status, /proc/76/cmdline, /proc/78/cmdline, /proc/77/cmdline, /proc/81/cmdline, /proc/700/cmdline, /proc/2/cmdline, /proc/150/status, /proc/3/cmdline, /proc/83/cmdline, /proc/320/status, /proc/698/status, /proc/71/status
  crontab (1): /proc/filesystems
Writes file to tmp directory (1 IoC)
Malware often drops required files in the /tmp directory.
  description                   ioc                 Process
  File opened for modification  /tmp/sh-thd.6Has9e  ai.sh
The sh-thd.* name is the pattern bash uses for the temporary file that backs a here-document, so this IoC records the script feeding inline data to a command (the parentless `base64 -d` and `cat` in the process tree fit that pattern) rather than a deliberately placed file. The real working directory of this sample is /var/tmp/.22.
Processes
Process tree as recorded by the sandbox; indentation shows parent and child, signature hits are in brackets.

PID 711  /tmp/ai.sh             /tmp/ai.sh  [Writes file to tmp directory]
  PID 722  /bin/grep            grep EST
  PID 723  /bin/grep            grep 94.241.140.177
  PID 726  /bin/grep            grep 80
  PID 729  /bin/mkdir           mkdir -p /var/tmp/.22
  PID 737  /bin/tar             tar -xf xm.jpg
    PID 739  /usr/local/sbin/gzip  gzip -d
    PID 739  /usr/local/bin/gzip   gzip -d
    PID 739  /usr/sbin/gzip        gzip -d
    PID 739  /usr/bin/gzip         gzip -d
    PID 739  /sbin/gzip            gzip -d
    PID 739  /bin/gzip             gzip -d
  PID 741  /bin/chmod           chmod +x start
  PID 742  /var/tmp/.22/start   ./start  [Executes dropped EXE]
    PID 743  /bin/uname           uname -m
    PID 744  /var/tmp/.22/hide    ./hide  [Executes dropped EXE]
    PID 746  /var/tmp/.22/create  ./create  [Executes dropped EXE]
      PID 748  /bin/cat           cat auto
      PID 749  /usr/bin/crontab   crontab cronjobs  [Creates/modifies Cron job; Reads runtime system information]
      PID 751  /bin/rm            rm -f cronjobs
      PID 752  /usr/bin/crontab   crontab -l
      PID 753  /bin/chmod         chmod u+x auto init.d
      PID 754  /bin/sh            sh -c "./auto > /dev/null 2>&1 &"
      PID 756  /bin/rm            rm -f aarch64 x86_64 hide.c init.c start create

PID 718  /usr/bin/base64        base64 -d

PID 736  /bin/cat               cat

PID 755  /var/tmp/.22/auto      ./auto  [Executes dropped EXE]
  PID 757  /var/tmp/.22/init.d  /var/tmp/.22/init.d
    PID 758  /var/tmp/.22/init    ./init  [Executes dropped EXE]
  PID 760  /bin/chmod           chmod 755 auto hide init init.d logs mining mkcfg xm.jpg
  PID 761  /usr/bin/pkill       pkill -9 init  [Reads CPU attributes; Reads runtime system information]

PID 762  /var/tmp/.22/mining    ./mining  [Executes dropped EXE]
  PID 764  /var/tmp/.22/init    /var/tmp/.22/init  [Executes dropped EXE]
  PID 766  /bin/uname           uname -m
  PID 767  /bin/ps              ps -ef  [Reads CPU attributes; Reads runtime system information]
  PID 768  /bin/grep            grep "sendmail: accepting connections"
  PID 769  /bin/grep            grep -v grep
  PID 770  /usr/bin/awk         awk "{print \$2}"
  PID 771  /usr/bin/head        head -1

Reading notes:
- The six gzip entries share PID 739. tar searched PATH for gzip in the order /usr/local/sbin, /usr/local/bin, /usr/sbin, /usr/bin, /sbin, /bin and the sandbox logged every exec attempt; the first five failed and /bin/gzip is the one that ran. Treat it as one decompressor, not six.
- `base64 -d` (PID 718), `cat` (PID 736), ./auto (PID 755) and ./mining (PID 762) appear as roots because their parent was not recorded. For ./auto the cause is visible: `sh -c "./auto > /dev/null 2>&1 &"` (PID 754) backgrounds it, so it is re-parented once that shell exits. Correlating such detached roots back to the dropper is the main difficulty when this tree is rebuilt from EDR telemetry.
- The clean-up at PID 756 deletes files named aarch64, x86_64, hide.c, init.c as well as the start and create stagers, so the unpacked archive's contents are not all available for later forensics.
- ./init is launched twice, first under init.d (PID 758) and again under ./mining (PID 764), with `pkill -9 init` (PID 761) in between; pkill matches on process name, so every process called init on the host is a target.
- The children of ./mining (PIDs 767 to 771) form one pipeline, `ps -ef | grep "sendmail: accepting connections" | grep -v grep | awk '{print $2}' | head -1`, which returns the first PID whose command line contains that string (the process title a running sendmail MTA sets).
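A behavioural rule set over the process tree above, as an added example (not tria.ge's own detection logic). EVENTS is constructed by hand from the PIDs, parents, images and command lines shown in the tree; the Exec record layout, the rule names, the SCRATCH_DIRS list and the use of PID order as a stand-in for time are this example's assumptions, not a tria.ge, auditd or osquery schema. It encodes what the signatures above point at: binaries executed from a dot-directory under a scratch location, chmod followed by execution of the same file, an archive unpacked from an image-named file, and crontab or pkill invoked from a lineage that originates in /tmp or /var/tmp.

```python
"""Behavioural rules over the process tree in this report.

Added example, not tria.ge's own detection logic. EVENTS is constructed by hand
from the Processes section above (PIDs, parents, images and command lines as
shown there); the Exec record layout, the rule names and SCRATCH_DIRS are this
example's assumptions, not a tria.ge, auditd or osquery schema.
"""
from __future__ import annotations

import re
import shlex
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Exec:
    pid: int
    ppid: int      # 0 = parent not recorded (the report shows it as a tree root)
    exe: str       # image that was executed
    cmdline: str


SCRATCH_DIRS = ("/tmp/", "/var/tmp/", "/dev/shm/")
HIDDEN_UNDER_SCRATCH = re.compile(r"^(?:/tmp|/var/tmp|/dev/shm)/\.[^/]+")
IMAGE_EXT = re.compile(r"\.(?:jpe?g|png|gif|bmp)$", re.IGNORECASE)
ARCHIVE_TOOLS = {"tar", "unzip", "gunzip", "7z"}
KILL_TOOLS = {"kill", "pkill", "killall"}

# Constructed from the report; the five failed PATH probes for gzip are omitted.
EVENTS = [
    Exec(711, 0, "/tmp/ai.sh", "/tmp/ai.sh"),
    Exec(729, 711, "/bin/mkdir", "mkdir -p /var/tmp/.22"),
    Exec(737, 711, "/bin/tar", "tar -xf xm.jpg"),
    Exec(739, 737, "/bin/gzip", "gzip -d"),
    Exec(741, 711, "/bin/chmod", "chmod +x start"),
    Exec(742, 711, "/var/tmp/.22/start", "./start"),
    Exec(744, 742, "/var/tmp/.22/hide", "./hide"),
    Exec(746, 742, "/var/tmp/.22/create", "./create"),
    Exec(749, 746, "/usr/bin/crontab", "crontab cronjobs"),
    Exec(752, 746, "/usr/bin/crontab", "crontab -l"),
    Exec(753, 746, "/bin/chmod", "chmod u+x auto init.d"),
    Exec(754, 746, "/bin/sh", 'sh -c "./auto > /dev/null 2>&1 &"'),
    Exec(756, 746, "/bin/rm", "rm -f aarch64 x86_64 hide.c init.c start create"),
    Exec(755, 0, "/var/tmp/.22/auto", "./auto"),
    Exec(757, 755, "/var/tmp/.22/init.d", "/var/tmp/.22/init.d"),
    Exec(758, 757, "/var/tmp/.22/init", "./init"),
    Exec(760, 755, "/bin/chmod", "chmod 755 auto hide init init.d logs mining mkcfg xm.jpg"),
    Exec(761, 755, "/usr/bin/pkill", "pkill -9 init"),
    Exec(762, 0, "/var/tmp/.22/mining", "./mining"),
    Exec(764, 762, "/var/tmp/.22/init", "/var/tmp/.22/init"),
    Exec(767, 762, "/bin/ps", "ps -ef"),
]


def basename(path: str) -> str:
    return path.rsplit("/", 1)[-1]


def grants_exec(mode: str) -> bool:
    """True for chmod modes that set an execute bit: +x, u+x, 755, ..."""
    if mode.isdigit():
        return any(int(d) & 1 for d in mode[-3:])
    return "+x" in mode.lower()


def ancestors(ev: Exec, by_pid: dict[int, Exec]) -> list[Exec]:
    """Parent chain of ev; stops at a PID the capture does not know."""
    chain, seen = [], {ev.pid}
    cur = by_pid.get(ev.ppid)
    while cur is not None and cur.pid not in seen:
        chain.append(cur)
        seen.add(cur.pid)
        cur = by_pid.get(cur.ppid)
    return chain


def scratch_lineage(ev: Exec, by_pid: dict[int, Exec]) -> bool:
    """Some ancestor runs from /tmp, /var/tmp or /dev/shm."""
    return any(a.exe.startswith(SCRATCH_DIRS) for a in ancestors(ev, by_pid))


def detect(events: list[Exec]) -> list[tuple[int, str]]:
    """Return (pid, rule) for every rule an event trips. PID order stands in
    for time because the report carries no timestamps (assumption)."""
    by_pid = {e.pid: e for e in events}
    marked_exec: set[str] = set()      # basenames a chmod made executable
    alerts: list[tuple[int, str]] = []
    for ev in sorted(events, key=lambda e: e.pid):
        argv = shlex.split(ev.cmdline) or [ev.exe]
        tool = basename(ev.exe)
        if HIDDEN_UNDER_SCRATCH.match(ev.exe):
            alerts.append((ev.pid, "exec from hidden scratch dir"))
            if basename(ev.exe) in marked_exec:
                alerts.append((ev.pid, "chmod +x then exec"))
        if tool == "chmod" and len(argv) >= 3 and grants_exec(argv[1]):
            marked_exec.update(basename(a) for a in argv[2:])
        if tool in ARCHIVE_TOOLS and any(IMAGE_EXT.search(a) for a in argv[1:]):
            alerts.append((ev.pid, "archive extracted from image-named file"))
        if tool == "crontab" and scratch_lineage(ev, by_pid):
            alerts.append((ev.pid, "crontab from scratch-dir lineage"))
        if tool in KILL_TOOLS and scratch_lineage(ev, by_pid):
            alerts.append((ev.pid, "process kill from scratch-dir lineage"))
    return alerts


def summarize(alerts: list[tuple[int, str]]) -> dict[str, list[int]]:
    """Rule name -> sorted PIDs, for a compact report and for testing."""
    out: dict[str, list[int]] = defaultdict(list)
    for pid, rule in alerts:
        out[rule].append(pid)
    return {rule: sorted(pids) for rule, pids in out.items()}


if __name__ == "__main__":
    for rule, pids in summarize(detect(EVENTS)).items():
        print(f"{rule:42s} {pids}")
```

On this tree the lineage rules fire for both crontab calls (PIDs 749 and 752) and for `pkill -9 init` (PID 761), because the ancestor chain reaches /var/tmp/.22/create or /var/tmp/.22/auto; the detached roots (./auto, ./mining) are still caught by the hidden-directory rule on their own image path, which is why that rule should not depend on ancestry. In production the hidden-directory rule needs an allowlist (for example /tmp/.X11-unix) and the chmod rule should key on the resolved path rather than the basename, which this capture does not provide.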
Network
MITRE ATT&CK Enterprise v15
Downloads
14 files, in report order. The report gives sizes and digests only; file names are not shown, so matching on a host has to be done by hash.

- Filesize: 34B
  MD5:    d73b6cacb30d623ccbb82cb8b3489476
  SHA1:   83a9395088a8885f45dfb4de5dc509aa74bb5164
  SHA256: 1a6177c310e4ddd1526252e4fcecfa3c78a440760f4adae90e4b2d60ad3000c5
  SHA512: 94e1949188ff086eec6dbc72dc01967f5c952928399db92656d65dc30f767e188f1a43f9558ffcf0fffaf38a522b335e6509228330780a97f09432c1b50f5941

- Filesize: 266B
  MD5:    e165276b0243975af35e09ae112ea1ae
  SHA1:   a9a6370b3f457bf0b01115c31ba71f83cd21111b
  SHA256: 0bff2762490a418588c440a07c1c67d3c4494c8e6fbd3e4df8840a16a4971645
  SHA512: 70e49370dd561c2226c9504d0f265b87026689eb98630167dfbefc6920c7cc81de6e3ede289a7bd5831cd7fecba33e1fefa85234116e954b7311a14b8db62fab

- Filesize: 4.6MB
  MD5:    1ba3f6f197a8ddd84cf30e29eed01ae9
  SHA1:   e63b06246de680ac8357fb2d2fb467c630b85dd2
  SHA256: bbcdffd6fa3b1370dfc091bfd3bfca38be013f72f94af7ef29466d911c9604d8
  SHA512: 818f671bbe14e3b863511fc13fd83bf30fdf6c89240431d96b4d85105d99552c16f3e90ff52f90ce2e1cb3a14df37be6f99203eeb24ff0327245987d3ebeb3a3

- Filesize: 13B
  MD5:    814dd64cc10a8383fa795113ba6fc201
  SHA1:   bfd109586b63447862882cacc5e1560cbbc5d759
  SHA256: 2d6b8ac13c7c35eb920dbdb703537e379bd275089a090aa2043bdcd4db6ae319
  SHA512: 22d94b78f5079941c475999bb38a56b7f3253e503a349157f4a8da1afe77385253a9adf2e046bed99e258bce423195bcd9a518fbc1de622aa09dd052284f448e

- Filesize: 237B
  MD5:    31dd8df9646ec4ba759bb9bab05d50d2
  SHA1:   56d64851b676586beaab6b385e270855815e95bd
  SHA256: 5b1574e562a37087c472f214870d022e7ca80de38a601f6b16893cc2a398071f
  SHA512: ae95c5016b6ccbd94a0700801bd31f113e366a1f54460a1c102f694a52d703fde19242a8bd886a854494b679793344ae123d1cd9086e97254122e8bd51d5ffb0

- Filesize: 669B
  MD5:    18d2b80638dc8ed90e86c7caf316fe43
  SHA1:   887f50f37a7e57abd113153becd5d8e36a780b19
  SHA256: d6a88499031026e3216ac733dd5b6365d597fa91599d33ec10a65cbb72e229b8
  SHA512: 1ab557c50377097f1b4f59bacea66de1b569ea8e341d47155919d2996157f71e078e3a4b474ef005c7320e4eb46199fdda01dcffe5df6973778059466c0f2cec

- Filesize: 44B
  MD5:    98b58e548a19a44729a7d714872f9c40
  SHA1:   e547c6d88e92e35b5ebec931f0437aa1ea5885ac
  SHA256: 0bf4705afed32cc558a79fc696d1a4f9d58fa5e50a6cf4debd7ef0fba4e4016a
  SHA512: a1892a0e42d614dfda33ba377e59227f9c1fb1f88d1378e45f3620ddfa4150def0b453e26289c9056c5a24f07909ce0d04fe607c1f41d05b087358a6c62f7e28

- Filesize: 84B
  MD5:    376ad2f12d602894f51b5af852cd66fe
  SHA1:   54817f1951a10091d576fe3adbd1ded616227087
  SHA256: 9a90d545850ccd6839475a2409fc65db6a7261e3f4c9c0b9a005bee4539941be
  SHA512: dee880479e82fc7d4627e1aec389b16fdfa5c64921da048b23ca7ccc6d60271118230eb0487831a5d1509cc291504a897e552a680997db99db78bd181084c019

- Filesize: 17KB
  MD5:    0bb4618c041fdb18c2e115b65bc5401f
  SHA1:   d9d039df279c4cdcceba347630a5fbdd296fca22
  SHA256: 3f1e584ca9393a3f635d8a8573e5b7f863df0dc092911de03bffc2d4ab4f8b53
  SHA512: 7dfc744f8aa5d571db704a56d6f5d5bda4b1889b1829a1cdbcc0272d059dc9fa1d2055e56c47ffb39851f175bbde41a6b137a1175cb7ad06eb64c601302538cf

- Filesize: 41KB
  MD5:    3d7964550b662754985bae37e0ee427b
  SHA1:   3de28ccabe03f53cc4f534c96337ece4878d7a0e
  SHA256: 03fab42e0825e6c35b803a125d63191dcf819f48bc9152180379b6c598632075
  SHA512: 75849f318fa46c8415fac9bded6b0bcecc2762cbb3b2c63d0d27794bfaaf8803fff3b67919758a2b7d534f30ea0a4010e828615a09d64f562820e111b00ea7c3

- Filesize: 355B
  MD5:    8674ce902ffedf49ae4be47baabcc2c0
  SHA1:   441ecd5d3a928125e10a0b6b19f7eed31cfd4476
  SHA256: 8f93a7dd12dbd84749cb5cf675cd8371bd732655a8d048f269d8e88e8136e2e3
  SHA512: 8428b05454cc9a6ccc3ddea862d9f38b6f10f542ebf6f784b2f7027a985f1adc9bf7c69d3306b6d4d1896af9ec8e7fe1e1d9291c60652c46d7e5126a2d2e3380

- Filesize: 2KB
  MD5:    b586844bb52809b9dd6c5982347e27e0
  SHA1:   1aa9693db7bd01099d3022c5d697b601a938e205
  SHA256: a86693407c7ec7a73e1f0e39ae7727f8bdbbc690cbaedeb3817f04cb9f87a57c
  SHA512: 2a3c4031b987178e8b93ced37794d2b2803ffb595b431f05b25793fd4874d8059d9499b8c00ca5abeb7524bba3c4d23a3a5cf2091a811c79224803f7a5f440f0

- Filesize: 176B
  MD5:    fe2ac6ae76a359f127213790c460496f
  SHA1:   df036a0088e1f418cb6e618fae06cf6282e79452
  SHA256: 0f1e5ab87d39835c6c28f242e68f7855a57813ef8e3e07091eee4f4d4f7ef78d
  SHA512: 8e41371af2cca37fff463fa1fff44db1cb462c8bf65f93f0ba0779adcfb4c812e411baf00bd67a2e7c92ddb27d65894bb18e205d6ca0e588c81219ba1b272889

- Filesize: 1.4MB
  MD5:    851e72608e4caf44594714073897813d
  SHA1:   ec4c57c077548690c3bbd45f0a820a150ccf49db
  SHA256: 0124049b38aff1d2f03467f2bb8156ba7ad4b1f9f6bd89a1a11a4ff97bef8e7c
  SHA512: b3a453de1d310dc2a4ed10ff81f1c288cd331eaac6bbc89bfe62207d1d002eae7ca40efd89a5665b7be0cddbec7b8f505b63421be30d6f8aa8d0276a67f5531e
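A host-side hunt that turns the digests above and the cron persistence signature into checks, as an added example (not part of the tria.ge report and not a vendor tool). REPORT_SHA256 is copied from the General and Downloads sections; everything else is this example's own: the SAMPLE_CRONTAB text and the files created in main() are constructed stand-ins, because the report does not show the contents of the cronjobs file or name the dropped files, and the `root` parameter is there so a mounted disk image can be scanned the same way as the live system.

```python
"""Host-side hunt for the artefacts in this report.

Added example, not part of the tria.ge report or of any vendor tool.
REPORT_SHA256 is copied from the General and Downloads sections above.
SAMPLE_CRONTAB and the files main() creates are constructed for illustration:
the report does not show the contents of the cronjobs file, so the cron lines
below are plausible stand-ins, not the real persistence entries.
"""
from __future__ import annotations

import hashlib
import os
import re
import tempfile

REPORT_SHA256 = frozenset({
    "9d5036d204e6598fd4c4ac93688c9acdec3d6a1e4d14018ec16db955f3ee8b24",  # ai.sh
    "1a6177c310e4ddd1526252e4fcecfa3c78a440760f4adae90e4b2d60ad3000c5",
    "0bff2762490a418588c440a07c1c67d3c4494c8e6fbd3e4df8840a16a4971645",
    "bbcdffd6fa3b1370dfc091bfd3bfca38be013f72f94af7ef29466d911c9604d8",
    "2d6b8ac13c7c35eb920dbdb703537e379bd275089a090aa2043bdcd4db6ae319",
    "5b1574e562a37087c472f214870d022e7ca80de38a601f6b16893cc2a398071f",
    "d6a88499031026e3216ac733dd5b6365d597fa91599d33ec10a65cbb72e229b8",
    "0bf4705afed32cc558a79fc696d1a4f9d58fa5e50a6cf4debd7ef0fba4e4016a",
    "9a90d545850ccd6839475a2409fc65db6a7261e3f4c9c0b9a005bee4539941be",
    "3f1e584ca9393a3f635d8a8573e5b7f863df0dc092911de03bffc2d4ab4f8b53",
    "03fab42e0825e6c35b803a125d63191dcf819f48bc9152180379b6c598632075",
    "8f93a7dd12dbd84749cb5cf675cd8371bd732655a8d048f269d8e88e8136e2e3",
    "a86693407c7ec7a73e1f0e39ae7727f8bdbbc690cbaedeb3817f04cb9f87a57c",
    "0f1e5ab87d39835c6c28f242e68f7855a57813ef8e3e07091eee4f4d4f7ef78d",
    "0124049b38aff1d2f03467f2bb8156ba7ad4b1f9f6bd89a1a11a4ff97bef8e7c",
})

SCRATCH_DIRS = ("/tmp", "/var/tmp", "/dev/shm")
SCRATCH_RE = re.compile(r"(?<![\w/.])(?:/tmp|/var/tmp|/dev/shm)(?=/|\s|$)")
HIDDEN_RE = re.compile(r"/\.[^/\s]+")          # a dot-prefixed path component

# Constructed sample of `crontab -l` output: two entries that point into
# scratch directories and three benign lines around them.
SAMPLE_CRONTAB = """\
# m h  dom mon dow   command
17 *    * * *   cd / && run-parts --report /etc/cron.hourly
@reboot /var/tmp/.22/init.d > /dev/null 2>&1
*/5 * * * * /usr/bin/python3 /home/user/backup.py
* * * * * cd /dev/shm/.x && ./run
"""


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def match_iocs(files: dict[str, bytes], iocs=REPORT_SHA256) -> dict[str, str]:
    """name -> sha256 for every blob whose digest is in the IoC set."""
    return {name: h for name, data in files.items()
            if (h := sha256_hex(data)) in iocs}


def suspicious_cron_lines(crontab_text: str) -> list[str]:
    """Cron entries whose command reaches into /tmp, /var/tmp, /dev/shm or a
    hidden path component. Comments, blanks and VAR=value lines are skipped."""
    hits = []
    for raw in crontab_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" in line.split()[0]:
            continue
        if SCRATCH_RE.search(line) or HIDDEN_RE.search(line):
            hits.append(line)
    return hits


def hunt(root: str = "/") -> list[tuple[str, str, bool]]:
    """Hash every file under dot-directories below the scratch locations and
    flag digests from the report. `root` lets a mounted image be scanned."""
    found = []
    for scratch in SCRATCH_DIRS:
        base = os.path.join(root, scratch.lstrip("/"))
        if not os.path.isdir(base):
            continue
        for entry in os.listdir(base):
            if not entry.startswith("."):
                continue
            for dirpath, _, files in os.walk(os.path.join(base, entry)):
                for name in files:
                    path = os.path.join(dirpath, name)
                    try:
                        with open(path, "rb") as fh:
                            digest = sha256_hex(fh.read())
                    except OSError:
                        continue          # sockets, vanished files, no access
                    found.append((path, digest, digest in REPORT_SHA256))
    return found


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as fake_root:
        drop_dir = os.path.join(fake_root, "var/tmp/.22")
        os.makedirs(drop_dir)
        with open(os.path.join(drop_dir, "auto"), "wb") as fh:
            fh.write(b"constructed stand-in, not the real dropped binary\n")
        for path, digest, hit in hunt(fake_root):
            print("MATCH" if hit else "     ", digest[:16], path)
    for line in suspicious_cron_lines(SAMPLE_CRONTAB):
        print("cron:", line)
```

Hash matching is the weakest of these checks, since the dropper deletes part of what it unpacks (PID 756 above) and a rebuilt sample changes every digest; the directory and crontab checks survive that, so run them first and treat a hash hit as confirmation. On a live host, feed `crontab -l` output for each user and the contents of /etc/crontab and /etc/cron.d/* into suspicious_cron_lines rather than only the invoking user's table.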