Analysis

  • max time kernel
    73s
  • max time network
    40s
  • platform
    debian-12_mipsel
  • resource
    debian12-mipsel-20240221-en
  • resource tags

    arch:mipsel, image:debian12-mipsel-20240221-en, kernel:6.1.0-17-4kc-malta, locale:en-us, os:debian-12-mipsel, system
  • submitted
    30-10-2024 07:15

General

  • Target

    runnb.sh

  • Size

    213B

  • MD5

    a1189543e2f98f6696c6d857b899ab0a

  • SHA1

    30b167128357a05cb5ae4d8bd386d63839d99c4d

  • SHA256

    a5951456684af2a46da1bcd8c820221c97b13a439db465c2b671fa3180d838d6

  • SHA512

    472e7cd110beb4c0ff9990763988190c875dccecc726753e295d4419413bfd14ed867a9a5977adf2d6e87d6e80f18abbdd0a929473f02bbfb24e1531e71d7aef

Malware Config

Signatures

  • OS Credential Dumping 1 TTPs 1 IoCs

    Adversaries may attempt to dump credentials to use them in password cracking.

  • Abuse Elevation Control Mechanism: Sudo and Sudo Caching 1 TTPs 1 IoCs

    Abuse sudo or cached sudo credentials to execute code.

  • Reads CPU attributes 1 TTPs 1 IoCs
  • Reads runtime system information 10 IoCs

    Reads data from /proc virtual filesystem.

Processes

  • /tmp/runnb.sh
    /tmp/runnb.sh
    1⤵
      PID:740
      • /usr/bin/sudo
        sudo apt install wget
        2⤵
        • OS Credential Dumping
        • Abuse Elevation Control Mechanism: Sudo and Sudo Caching
        • Reads runtime system information
        PID:746
        • /usr/sbin/sendmail
          sendmail -t
          3⤵
          • Reads runtime system information
          PID:762
          • /usr/sbin/exim4
            /usr/sbin/exim4 -Mc 1t620M-0000CI-0s
            4⤵
            • Reads CPU attributes
            PID:783
        • /usr/bin/apt
          apt install wget
          3⤵
          • Reads runtime system information
          PID:769
          • /usr/bin/dpkg
            /usr/bin/dpkg --print-foreign-architectures
            4⤵
            • Reads runtime system information
            PID:778
          • /usr/bin/dpkg
            /usr/bin/dpkg --print-foreign-architectures
            4⤵
            • Reads runtime system information
            PID:790

    Network

    MITRE ATT&CK Enterprise v15

    Downloads

    • /var/mail/user

      Filesize

      858B

      MD5

      76c8ebbfcb350662321a6f78670dac3f

      SHA1

      4fd10f9347cee1c9438faf2d593c329960da8b1f

      SHA256

      fe5ca81e01dc0538ed92a0367b0da7ba74c0633742341d5b9cfe304e77ccd4d1

      SHA512

      cf7d262cc83e25dc7e66dcfa6a9014f15c6956404d6401e2772d3bf1ba88d284016f9df5a13ccc44c2a3b71e795d8b1cde7a225ce53f11a4e36ebe6a22224a1b

    • /var/spool/exim4/input/1t620M-0000CI-0s-D

      Filesize

      157B

      MD5

      5b8c503f46014eb85203376e16faba9b

      SHA1

      88cac9816fe83d6f409f3f7f98e3e035c457cd84

      SHA256

      95aa79d178aa318ff3c6e758f3960da130bd131d64af193649e3be601efe87b3

      SHA512

      c27858c5539f4a7bf9e6d3477ef025a2c2cd2145a50d38c906d82332b0302fc0ac7839365249a1a305059053c369dead371980e76f8a59135ec096b4cc83471d

    • /var/spool/exim4/input/1t620M-0000CI-0s-J

      Filesize

      34B

      MD5

      d7d96d63d643a4ce3e408eba7dfcedc5

      SHA1

      c53607f95c5c57beafc1d8266646797a035f76ea

      SHA256

      21db3a59b2d0ce18fb250b787d6e2c85d12919f5fdf1448c8f48207c4083b159

      SHA512

      703a03e54776a6ad9b8adc6c475bbc91c06502618fa3b6f495b1a01a4f6f7aa6fb65dc6ba6885ddc6af961627062f1ce1e1d66688288cbd3bef7754d249fa9b3

    • /var/spool/exim4/input/hdr.1t620M-0000CI-0s

      Filesize

      1007B

      MD5

      9e253dd8dc19510539f23096c0be219b

      SHA1

      8d52b72f9307efe1a1271f43265bf2a353182974

      SHA256

      6599ee731d11f2ba350a485cba438256fc11f0ca7dce322d285bdf1e6dc78d3d

      SHA512

      a0bfa71e3d8a4985860d2c50e3d845371ad191680c8fd4a9faed9125b0d9fd15de2ff10134779a7c26f26c06e69a9a86ef235b2bbb23b3dfcc0ee54423522eb7

    • /var/spool/exim4/msglog/1t620M-0000CI-0s

      Filesize

      89B

      MD5

      f4c7668194877f964157ab21a7613b8e

      SHA1

      d1525a8d970dfd508f5e3c9bb3e1989a89184ffd

      SHA256

      0331285acb6bb02d8033e4f2bd3647216f8489fbc90fd73c31170d312472ee93

      SHA512

      b2365cb2d605e005f9a80da41499cacf8f56dc61873aee31ef1e65052524bd4177fa2504a83c22af5e08e8e24ac5f56991914172113e9ab40035ab733cb9d450

    • /var/spool/exim4/msglog/1t620M-0000CI-0s

      Filesize

      288B

      MD5

      5467eb0205483b065de2789643d21e9e

      SHA1

      d1c9686f55b5a3f2f8699a5ec94093e2f19532e1

      SHA256

      9a0d314dfdca2964a936c33367f96b348334c4166a7fb8d94fc8333d48f22bb1

      SHA512

      23aa7cc64975d3fd054b207504206531379a9e23b6e800f5983a81e9bebe50b06f26c8ef0569ef664f250ea3327cb9a5fdd9955df046adb3083040c6c507542d