General
-
Target
runnb.sh
-
Size
213B
-
Sample
241030-h3gh3azmgm
-
MD5
a1189543e2f98f6696c6d857b899ab0a
-
SHA1
30b167128357a05cb5ae4d8bd386d63839d99c4d
-
SHA256
a5951456684af2a46da1bcd8c820221c97b13a439db465c2b671fa3180d838d6
-
SHA512
472e7cd110beb4c0ff9990763988190c875dccecc726753e295d4419413bfd14ed867a9a5977adf2d6e87d6e80f18abbdd0a929473f02bbfb24e1531e71d7aef
Static task
static1
Behavioral task
behavioral1
Sample
runnb.sh
Resource
ubuntu2204-amd64-20240611-en
Behavioral task
behavioral2
Sample
runnb.sh
Resource
debian12-armhf-20240221-en
Behavioral task
behavioral3
Sample
runnb.sh
Resource
debian12-mipsel-20240221-en
Behavioral task
behavioral4
Sample
runnb.sh
Resource
debian9-armhf-20240611-en
Behavioral task
behavioral5
Sample
runnb.sh
Resource
debian9-mipsbe-20240611-en
Behavioral task
behavioral6
Sample
runnb.sh
Resource
debian9-mipsel-20240611-en
Behavioral task
behavioral7
Sample
runnb.sh
Resource
ubuntu2004-amd64-20240611-en
Behavioral task
behavioral8
Sample
runnb.sh
Resource
ubuntu2204-amd64-20240611-en
Behavioral task
behavioral9
Sample
runnb.sh
Resource
ubuntu2404-amd64-20240523-en
Malware Config
Targets
-
-
Target
runnb.sh
-
Size
213B
-
MD5
a1189543e2f98f6696c6d857b899ab0a
-
SHA1
30b167128357a05cb5ae4d8bd386d63839d99c4d
-
SHA256
a5951456684af2a46da1bcd8c820221c97b13a439db465c2b671fa3180d838d6
-
SHA512
472e7cd110beb4c0ff9990763988190c875dccecc726753e295d4419413bfd14ed867a9a5977adf2d6e87d6e80f18abbdd0a929473f02bbfb24e1531e71d7aef
-
XMRig Miner payload
-
Xmrig family
-
Xmrig_linux family
-
File and Directory Permissions Modification
Adversaries may modify file or directory permissions to evade defenses.
-
Executes dropped EXE
-
OS Credential Dumping
Adversaries may attempt to dump credentials to use it in password cracking.
-
Abuse Elevation Control Mechanism: Sudo and Sudo Caching
Abuse sudo or cached sudo credentials to execute code.
-
Checks hardware identifiers (DMI)
Checks DMI information which indicate if the system is a virtual machine.
-
Checks mountinfo of local process
Checks mountinfo of running processes which indicate if it is running in chroot jail.
-
Legitimate hosting services abused for malware hosting/C2
-
Reads hardware information
Accesses system info like serial numbers, manufacturer names etc.
-
Write file to user bin folder
-
MITRE ATT&CK Enterprise v15
Defense Evasion
Abuse Elevation Control Mechanism
1Sudo and Sudo Caching
1File and Directory Permissions Modification
1Linux and Mac File and Directory Permissions Modification
1Indicator Removal
1Clear Linux or Mac System Logs
1Virtualization/Sandbox Evasion
3System Checks
3