6e25ad03103a1a972b78c642bac09060fa79c460011dc5748cbb433cc459938b

Resubmissions

30-08-2024 07:58

240830-jvak8aveqk 10

04-03-2021 13:45

210304-nt1vpdb9aa 9

Analysis

max time kernel
9064s
max time network
132s
platform
linux_amd64
resource
ubuntu-amd64
submitted
04-03-2021 13:45

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

SecuriteInfo.com.Linux.Miner-ZS.18234.26199
Size

14.0MB
MD5

648effa354b3cbaad87b45f48d59c616
SHA1

0194637f1e83c2efc8bcda8d20c446805698c7bc
SHA256

6e25ad03103a1a972b78c642bac09060fa79c460011dc5748cbb433cc459938b
SHA512

7ed0b6abeda6b3682bb94fbce8c5eeddf6206db23a87c11d606ea2f84a7606420ed47290317b5d9cb4d99f5c07943b8a7a548671d4c73106d6fbd48cd37bc146

Score

9^/10

antivm

Malware Config

Signatures

Attempts to identify hypervisor via CPU configuration 1 TTPs 2 IoCs

Checks CPU information for indicators that the system is a virtual machine.

antivm

Virtualization/Sandbox Evasion

T1497

description	ioc	Process
/proc/cpuinfo	/proc/cpuinfo	kdevtmpfsi
/proc/cpuinfo	/proc/cpuinfo	SecuriteInfo.com.Linux.Miner-ZS.18234.26199

Reads CPU attributes 1 TTPs 5 IoCs

System Information Discovery

T1082

description	ioc	Process
/sys/devices/system/cpu/online	/sys/devices/system/cpu/online	pkill
/sys/devices/system/cpu/online	/sys/devices/system/cpu/online	kdevtmpfsi
/sys/devices/system/cpu/possible	/sys/devices/system/cpu/possible	kdevtmpfsi
/sys/devices/system/cpu/online	/sys/devices/system/cpu/online	ps
/sys/devices/system/cpu/online	/sys/devices/system/cpu/online	ps

Enumerates kernel/hardware configuration 1 TTPs 64 IoCs

Reads contents of /sys virtual filesystem to enumerate system information.

System Information Discovery

T1082

Reads runtime system information 64 IoCs

Reads data from /proc virtual filesystem.

description	ioc	Process
/proc/19/status	/proc/19/status	pkill
/proc/166/cmdline	/proc/166/cmdline	pkill
/proc/18/stat	/proc/18/stat	ps
/proc/19/cmdline	/proc/19/cmdline	ps
/proc/97/cmdline	/proc/97/cmdline	ps
/proc/16/stat	/proc/16/stat	ps
/proc/17/status	/proc/17/status	ps
/proc/568/stat	/proc/568/stat	ps
/proc/23/status	/proc/23/status	ps
/proc/30/cmdline	/proc/30/cmdline	ps
/proc/84/cmdline	/proc/84/cmdline	ps
/proc/165/status	/proc/165/status	ps
/proc/1/cmdline	/proc/1/cmdline	ps
/proc/11/stat	/proc/11/stat	ps
/proc/35/stat	/proc/35/stat	ps
/proc/237/status	/proc/237/status	ps
/proc/2/status	/proc/2/status	pkill
/proc/sys/kernel/osrelease	/proc/sys/kernel/osrelease	ps
/proc/16/cmdline	/proc/16/cmdline	ps
/proc/344/status	/proc/344/status	ps
/proc/447/status	/proc/447/status	ps
/proc/562/stat	/proc/562/stat	ps
/proc/self/cgroup	/proc/self/cgroup	kdevtmpfsi
/proc/156/status	/proc/156/status	ps
/proc/35/cmdline	/proc/35/cmdline	ps
/proc/97/status	/proc/97/status	ps
/proc/344/cmdline	/proc/344/cmdline	ps
/proc/479/cmdline	/proc/479/cmdline	pkill
/proc/1/status	/proc/1/status	ps
/proc/26/stat	/proc/26/stat	ps
/proc/387/stat	/proc/387/stat	ps
/proc/83/status	/proc/83/status	ps
/proc/11/cmdline	/proc/11/cmdline	pkill
/proc/237/cmdline	/proc/237/cmdline	pkill
/proc/35/stat	/proc/35/stat	ps
/proc/569/status	/proc/569/status	ps
/proc/83/cmdline	/proc/83/cmdline	pkill
/proc/349/status	/proc/349/status	pkill
/proc/162/status	/proc/162/status	ps
/proc/166/stat	/proc/166/stat	ps
/proc/719/status	/proc/719/status	ps
/proc/160/cmdline	/proc/160/cmdline	ps
/proc/443/stat	/proc/443/stat	ps
/proc/27/stat	/proc/27/stat	ps
/proc/166/cmdline	/proc/166/cmdline	ps
/proc/562/cmdline	/proc/562/cmdline	ps
/proc/568/status	/proc/568/status	ps
/proc/416/stat	/proc/416/stat	ps
/proc/9/status	/proc/9/status	pkill
/proc/2/cmdline	/proc/2/cmdline	ps
/proc/6/status	/proc/6/status	ps
/proc/9/status	/proc/9/status	ps
/proc/16/status	/proc/16/status	ps
/proc/77/status	/proc/77/status	ps
/proc/721/cmdline	/proc/721/cmdline	ps
/proc/15/cmdline	/proc/15/cmdline	pkill
/proc/stat	/proc/stat	ps
/proc/82/status	/proc/82/status	ps
/proc/154/cmdline	/proc/154/cmdline	ps
/proc/447/stat	/proc/447/stat	ps
/proc/15/status	/proc/15/status	ps
/proc/sys/kernel/osrelease	/proc/sys/kernel/osrelease	pkill
/proc/152/cmdline	/proc/152/cmdline	pkill
/proc/190/stat	/proc/190/stat	ps

Writes file to tmp directory 7 IoCs

Malware often drops required files in the /tmp directory.

description	ioc	Process
/tmp/.ICEd-unix/uuid	/tmp/.ICEd-unix/uuid	SecuriteInfo.com.Linux.Miner-ZS.18234.26199
/tmp/kdevtmpfsi	/tmp/kdevtmpfsi	Process not Found
/tmp/.ICEd-unix/235240343	/tmp/.ICEd-unix/235240343	SecuriteInfo.com.Linux.Miner-ZS.18234.26199
/tmp/config.json	/tmp/config.json	kdevtmpfsi
/tmp/.ICEd-unix/jjnOI	/tmp/.ICEd-unix/jjnOI	SecuriteInfo.com.Linux.Miner-ZS.18234.26199
/tmp/.ICEd-unix/jjnOI	/tmp/.ICEd-unix/jjnOI	jjnOI
/tmp/.ICEd-unix/jjnOI	/tmp/.ICEd-unix/jjnOI	Process not Found

./SecuriteInfo.com.Linux.Miner-ZS.18234.26199
./SecuriteInfo.com.Linux.Miner-ZS.18234.26199
1⤵
PID:563
- /usr/bin/getconf
  /usr/bin/getconf CLK_TCK
  2⤵
  PID:567
- ./SecuriteInfo.com.Linux.Miner-ZS.18234.26199
  ./SecuriteInfo.com.Linux.Miner-ZS.18234.26199
  2⤵
  - Attempts to identify hypervisor via CPU configuration
  - Writes file to tmp directory
  PID:568
- - /usr/bin/getconf
    /usr/bin/getconf CLK_TCK
    3⤵
    PID:576
- - /bin/sh
    sh -c "pkill -f kdevtmpfsi"
    3⤵
    PID:703
  - - /usr/bin/pkill
      pkill -f kdevtmpfsi
      4⤵
      Reads CPU attributes
      Reads runtime system information
      PID:704
- - /bin/sh
    sh -c "/tmp/kdevtmpfsi &"
    3⤵
    PID:707
  - - /tmp/kdevtmpfsi
      /tmp/kdevtmpfsi
      4⤵
      Attempts to identify hypervisor via CPU configuration
      Reads CPU attributes
      Enumerates kernel/hardware configuration
      Reads runtime system information
      Writes file to tmp directory
      PID:708

/bin/sh
sh -c "chmod +x /tmp/kdevtmpfsi"
1⤵
PID:705
- /bin/chmod
  chmod +x /tmp/kdevtmpfsi
  2⤵
  PID:706

/bin/sh
sh -c "chmod +x /tmp/.ICEd-unix/jjnOI"
1⤵
PID:716
- /bin/chmod
  chmod +x /tmp/.ICEd-unix/jjnOI
  2⤵
  PID:717

/bin/sh
sh -c /tmp/.ICEd-unix/jjnOI
1⤵
PID:718
- /tmp/.ICEd-unix/jjnOI
  /tmp/.ICEd-unix/jjnOI
  2⤵
  - Writes file to tmp directory
  PID:719
- - /bin/grep
    grep -i "[a]liyun"
    3⤵
    PID:721
- - /bin/ps
    ps aux
    3⤵
    - Reads CPU attributes
    - Reads runtime system information
    PID:720
- - /bin/grep
    grep -i "[y]unjing"
    3⤵
    PID:723
- - /bin/ps
    ps aux
    3⤵
    - Reads CPU attributes
    - Reads runtime system information
    PID:722

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Virtualization/Sandbox Evasion

T1497

Credential Access

Discovery

System Information Discovery

T1082

Virtualization/Sandbox Evasion

T1497

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

description	ioc	Process
/sys/devices/virtual/dmi/id/chassis_version	/sys/devices/virtual/dmi/id/chassis_version	kdevtmpfsi
/sys/bus/cpu/devices/cpu0/topology/book_siblings	/sys/bus/cpu/devices/cpu0/topology/book_siblings	kdevtmpfsi
/sys/bus/cpu/devices/cpu0/cache/index0/physical_line_partition	/sys/bus/cpu/devices/cpu0/cache/index0/physical_line_partition	kdevtmpfsi
/sys/bus/cpu/devices/cpu0/cache/index3/number_of_sets	/sys/bus/cpu/devices/cpu0/cache/index3/number_of_sets	kdevtmpfsi
/sys/bus/cpu/devices/cpu0/cache/index6/shared_cpu_map	/sys/bus/cpu/devices/cpu0/cache/index6/shared_cpu_map	kdevtmpfsi
/sys/bus/cpu/devices/cpu0/topology/thread_siblings	/sys/bus/cpu/devices/cpu0/topology/thread_siblings	kdevtmpfsi
/sys/bus/cpu/devices/cpu0/cache/index0/level	/sys/bus/cpu/devices/cpu0/cache/index0/level	kdevtmpfsi
/sys/bus/cpu/devices/cpu0/cache/index2/size	/sys/bus/cpu/devices/cpu0/cache/index2/size	kdevtmpfsi
/sys/bus/cpu/devices/cpu0/cache/index3/coherency_line_size	/sys/bus/cpu/devices/cpu0/cache/index3/coherency_line_size	kdevtmpfsi
/sys/bus/node/devices/node0/cpumap	/sys/bus/node/devices/node0/cpumap	kdevtmpfsi
/sys/bus/node/devices/node0/meminfo	/sys/bus/node/devices/node0/meminfo	kdevtmpfsi
/sys/bus/cpu/devices/cpu0/topology/physical_package_id	/sys/bus/cpu/devices/cpu0/topology/physical_package_id	kdevtmpfsi
/sys/bus/cpu/devices/cpu0/cache/index0/size	/sys/bus/cpu/devices/cpu0/cache/index0/size	kdevtmpfsi
/sys/devices/virtual/dmi/id/bios_date	/sys/devices/virtual/dmi/id/bios_date	kdevtmpfsi
/sys/devices/system/node/node0/hugepages/hugepages-2048kB/free_hugepages	/sys/devices/system/node/node0/hugepages/hugepages-2048kB/free_hugepages	Process not Found
/sys/bus/cpu/devices/cpu0/cache/index3/level	/sys/bus/cpu/devices/cpu0/cache/index3/level	kdevtmpfsi
/sys/devices/virtual/dmi/id/product_uuid	/sys/devices/virtual/dmi/id/product_uuid	kdevtmpfsi
/sys/devices/system/node/node0/hugepages/hugepages-2048kB/nr_hugepages	/sys/devices/system/node/node0/hugepages/hugepages-2048kB/nr_hugepages	Process not Found
/sys/bus/cpu/devices/cpu0/cache/index0/type	/sys/bus/cpu/devices/cpu0/cache/index0/type	kdevtmpfsi
/sys/bus/cpu/devices/cpu0/cache/index0/coherency_line_size	/sys/bus/cpu/devices/cpu0/cache/index0/coherency_line_size	kdevtmpfsi
/sys/bus/cpu/devices/cpu0/cache/index3/shared_cpu_map	/sys/bus/cpu/devices/cpu0/cache/index3/shared_cpu_map	kdevtmpfsi
/sys/bus/cpu/devices/cpu0/cache/index7/shared_cpu_map	/sys/bus/cpu/devices/cpu0/cache/index7/shared_cpu_map	kdevtmpfsi
/sys/bus/node/devices/node0/hugepages	/sys/bus/node/devices/node0/hugepages	kdevtmpfsi
/sys/devices/virtual/dmi/id/board_serial	/sys/devices/virtual/dmi/id/board_serial	kdevtmpfsi
/sys/bus/cpu/devices/cpu0/topology/die_cpus	/sys/bus/cpu/devices/cpu0/topology/die_cpus	kdevtmpfsi
/sys/bus/cpu/devices/cpu0/topology/core_id	/sys/bus/cpu/devices/cpu0/topology/core_id	kdevtmpfsi
/sys/bus/cpu/devices/cpu0/cache/index2/coherency_line_size	/sys/bus/cpu/devices/cpu0/cache/index2/coherency_line_size	kdevtmpfsi
/sys/bus/cpu/devices/cpu0/cache/index3/size	/sys/bus/cpu/devices/cpu0/cache/index3/size	kdevtmpfsi
/sys/bus/cpu/devices/cpu0/cache/index3/physical_line_partition	/sys/bus/cpu/devices/cpu0/cache/index3/physical_line_partition	kdevtmpfsi
/sys/bus/cpu/devices/cpu0/cache/index8/shared_cpu_map	/sys/bus/cpu/devices/cpu0/cache/index8/shared_cpu_map	kdevtmpfsi
/sys/kernel/mm/hugepages	/sys/kernel/mm/hugepages	kdevtmpfsi
/sys/bus/cpu/devices/cpu0/cache/index1/shared_cpu_map	/sys/bus/cpu/devices/cpu0/cache/index1/shared_cpu_map	kdevtmpfsi
/sys/bus/cpu/devices/cpu0/cache/index2/level	/sys/bus/cpu/devices/cpu0/cache/index2/level	kdevtmpfsi
/sys/bus/cpu/devices/cpu0/cache/index1/type	/sys/bus/cpu/devices/cpu0/cache/index1/type	kdevtmpfsi
/sys/bus/node/devices/node0/hugepages/hugepages-2048kB/nr_hugepages	/sys/bus/node/devices/node0/hugepages/hugepages-2048kB/nr_hugepages	kdevtmpfsi
/sys/devices/virtual/dmi/id/chassis_type	/sys/devices/virtual/dmi/id/chassis_type	kdevtmpfsi
/sys/fs/cgroup/cpuset/cpuset.cpus	/sys/fs/cgroup/cpuset/cpuset.cpus	kdevtmpfsi
/sys/bus/cpu/devices/cpu0/cache/index0/number_of_sets	/sys/bus/cpu/devices/cpu0/cache/index0/number_of_sets	kdevtmpfsi
/sys/devices/virtual/dmi/id/board_name	/sys/devices/virtual/dmi/id/board_name	kdevtmpfsi
/sys/devices/virtual/dmi/id/board_version	/sys/devices/virtual/dmi/id/board_version	kdevtmpfsi
/sys/bus/cpu/devices/cpu0/cache/index5/shared_cpu_map	/sys/bus/cpu/devices/cpu0/cache/index5/shared_cpu_map	kdevtmpfsi
/sys/devices/virtual/dmi/id/product_name	/sys/devices/virtual/dmi/id/product_name	kdevtmpfsi
/sys/devices/virtual/dmi/id/board_vendor	/sys/devices/virtual/dmi/id/board_vendor	kdevtmpfsi
/sys/devices/virtual/dmi/id/chassis_asset_tag	/sys/devices/virtual/dmi/id/chassis_asset_tag	kdevtmpfsi
/sys/bus/cpu/devices/cpu0/cache/index2/number_of_sets	/sys/bus/cpu/devices/cpu0/cache/index2/number_of_sets	kdevtmpfsi
/sys/devices/virtual/dmi/id/product_serial	/sys/devices/virtual/dmi/id/product_serial	kdevtmpfsi
/sys/kernel/mm/hugepages/hugepages-2048kB/nr_hugepages	/sys/kernel/mm/hugepages/hugepages-2048kB/nr_hugepages	kdevtmpfsi
/sys/devices/virtual/dmi/id/product_version	/sys/devices/virtual/dmi/id/product_version	kdevtmpfsi
/sys/devices/virtual/dmi/id/board_asset_tag	/sys/devices/virtual/dmi/id/board_asset_tag	kdevtmpfsi
/sys/bus/cpu/devices/cpu0/topology/core_siblings	/sys/bus/cpu/devices/cpu0/topology/core_siblings	kdevtmpfsi
/sys/devices/virtual/dmi/id	/sys/devices/virtual/dmi/id	kdevtmpfsi
/sys/devices/virtual/dmi/id/chassis_serial	/sys/devices/virtual/dmi/id/chassis_serial	kdevtmpfsi
/sys/devices/virtual/dmi/id/bios_vendor	/sys/devices/virtual/dmi/id/bios_vendor	kdevtmpfsi
/sys/bus/cpu/devices/cpu0/cache/index2/physical_line_partition	/sys/bus/cpu/devices/cpu0/cache/index2/physical_line_partition	kdevtmpfsi
/sys/bus/cpu/devices/cpu0/cache/index3/type	/sys/bus/cpu/devices/cpu0/cache/index3/type	kdevtmpfsi
/sys/bus/cpu/devices/cpu0/cache/index4/shared_cpu_map	/sys/bus/cpu/devices/cpu0/cache/index4/shared_cpu_map	kdevtmpfsi
/sys/bus/node/devices	/sys/bus/node/devices	kdevtmpfsi
/sys/devices/virtual/dmi/id/chassis_vendor	/sys/devices/virtual/dmi/id/chassis_vendor	kdevtmpfsi
/sys/devices/virtual/dmi/id/bios_version	/sys/devices/virtual/dmi/id/bios_version	kdevtmpfsi
/sys/fs/cgroup/cpuset/cpuset.mems	/sys/fs/cgroup/cpuset/cpuset.mems	kdevtmpfsi
/sys/bus/cpu/devices/cpu0/cache/index0/shared_cpu_map	/sys/bus/cpu/devices/cpu0/cache/index0/shared_cpu_map	kdevtmpfsi
/sys/devices/virtual/dmi/id/sys_vendor	/sys/devices/virtual/dmi/id/sys_vendor	kdevtmpfsi
/sys/bus/cpu/devices/cpu0/online	/sys/bus/cpu/devices/cpu0/online	kdevtmpfsi
/sys/bus/cpu/devices/cpu0/cache/index1/level	/sys/bus/cpu/devices/cpu0/cache/index1/level	kdevtmpfsi

Resubmissions

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads