Overview

overview

10

Static

static

10

xm.gz

windows7-x64

3

xm.gz

windows10-2004-x64

7

sample.tar

windows7-x64

3

sample.tar

windows10-2004-x64

7

aarch64

ubuntu-18.04-amd64

6

create

ubuntu-18.04-amd64

7

create

debian-9-armhf

7

create

debian-9-mips

1

create

debian-9-mipsel

1

hide

ubuntu-18.04-amd64

1

hide.c

windows7-x64

3

hide.c

windows10-2004-x64

3

init

ubuntu-18.04-amd64

3

mining

ubuntu-18.04-amd64

6

mining

debian-9-armhf

6

mining

debian-9-mips

6

mining

debian-9-mipsel

6

mkcfg

ubuntu-18.04-amd64

1

mkcfg

debian-9-armhf

1

mkcfg

debian-9-mips

1

mkcfg

debian-9-mipsel

1

start

ubuntu-18.04-amd64

10

start

debian-9-armhf

1

start

debian-9-mips

1

start

debian-9-mipsel

1

x86_64

ubuntu-18.04-amd64

6

Sharing

Copy URL
Twitter E-mail

General

  • Target

    xm.jpg

  • Size

    3.9MB

  • Sample

    231220-fzvkeageb9

  • MD5

    1371a2ca243dc0cd5fae198d69f44708

  • SHA1

    f7921b63d2b3f7587f192a5708e339e6a9b1f2f6

  • SHA256

    13607684da4fc4c2493996ff4ffe2347a806cb13b905d97bec815d5bf33824da

  • SHA512

    84aa7f461c8ebcdd5434f6be119217b9a51ea08c46b0b1ae1e9f0f4081dd77364c552beab8511719b8727972c46c25ab8769faccd65f8b21d6d591ee7a7d4b13

  • SSDEEP

    98304:EtPSdi6EM62kXoADzDtDSyKSgXBesozngrcLFoZYWjiDRUPGD:EtFMXQoAf5DNgXksoPFoC+idvD

Score
10/10
xmrigantivmlinuxminerpersistence

Malware Config

Targets

    • Target

      xm.jpg

    • Size

      3.9MB

    • MD5

      1371a2ca243dc0cd5fae198d69f44708

    • SHA1

      f7921b63d2b3f7587f192a5708e339e6a9b1f2f6

    • SHA256

      13607684da4fc4c2493996ff4ffe2347a806cb13b905d97bec815d5bf33824da

    • SHA512

      84aa7f461c8ebcdd5434f6be119217b9a51ea08c46b0b1ae1e9f0f4081dd77364c552beab8511719b8727972c46c25ab8769faccd65f8b21d6d591ee7a7d4b13

    • SSDEEP

      98304:EtPSdi6EM62kXoADzDtDSyKSgXBesozngrcLFoZYWjiDRUPGD:EtFMXQoAf5DNgXksoPFoC+idvD

    Score
    7/10

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    behavioral1behavioral2

    • Target

      sample

    • Size

      9.2MB

    • MD5

      1c0e4eed997020aa05e6b2c107a169ae

    • SHA1

      aaaec2f2e3dcbb7cd00bcc197d6e432dde4ae88e

    • SHA256

      9aec808e1209de34afa1659dcfcd5cd218076f53dee7959388a377ab0625ef06

    • SHA512

      ac18e8976fb583292386841c3cc313e11436fba810ca16b69524949f37a1e3df05093ffb9592ad07638b39e9f94941b5f9cca49828d7d09ca3ec7e194e860774

    • SSDEEP

      196608:mYK2IZ79KzcDPdUGZuhXDYK2IZ79KzcDPdUGZuhX:mYX6kStyzYX6kSty

    Score
    7/10

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    behavioral3behavioral4

    • Target

      aarch64

    • Size

      4.6MB

    • MD5

      1ba3f6f197a8ddd84cf30e29eed01ae9

    • SHA1

      e63b06246de680ac8357fb2d2fb467c630b85dd2

    • SHA256

      bbcdffd6fa3b1370dfc091bfd3bfca38be013f72f94af7ef29466d911c9604d8

    • SHA512

      818f671bbe14e3b863511fc13fd83bf30fdf6c89240431d96b4d85105d99552c16f3e90ff52f90ce2e1cb3a14df37be6f99203eeb24ff0327245987d3ebeb3a3

    • SSDEEP

      98304:0ALYK2IB3zOA9/iPkI0p8C7vJxdUGZ2KS55rZhhWI4:HYK2IZ79KzcDPdUGZuhX

    Score
    6/10
    antivm

    • Checks CPU configuration

      Checks CPU information which indicate if the system is a virtual machine.

      antivm

    • Checks hardware identifiers (DMI)

      Checks DMI information which indicate if the system is a virtual machine.

      antivm

    • Reads CPU attributes

    • Reads hardware information

      Accesses system info like serial numbers, manufacturer names etc.

    behavioral5

    • Target

      create

    • Size

      669B

    • MD5

      18d2b80638dc8ed90e86c7caf316fe43

    • SHA1

      887f50f37a7e57abd113153becd5d8e36a780b19

    • SHA256

      d6a88499031026e3216ac733dd5b6365d597fa91599d33ec10a65cbb72e229b8

    • SHA512

      1ab557c50377097f1b4f59bacea66de1b569ea8e341d47155919d2996157f71e078e3a4b474ef005c7320e4eb46199fdda01dcffe5df6973778059466c0f2cec

    Score
    7/10
    persistence

    • Executes dropped EXE

    • Creates/modifies Cron job

      Cron allows running tasks on a schedule, and is commonly used for malware persistence.

      persistence

    • Enumerates running processes

      Discovers information about currently running processes on the system

    • Reads CPU attributes

    behavioral6behavioral7behavioral8behavioral9

    • Target

      hide

    • Size

      17KB

    • MD5

      0bb4618c041fdb18c2e115b65bc5401f

    • SHA1

      d9d039df279c4cdcceba347630a5fbdd296fca22

    • SHA256

      3f1e584ca9393a3f635d8a8573e5b7f863df0dc092911de03bffc2d4ab4f8b53

    • SHA512

      7dfc744f8aa5d571db704a56d6f5d5bda4b1889b1829a1cdbcc0272d059dc9fa1d2055e56c47ffb39851f175bbde41a6b137a1175cb7ad06eb64c601302538cf

    • SSDEEP

      192:RlEw1ktJKd7q6GIc1Ut4o3W4Ijl1LwxOXE/NabtULSi:fk+7TScIDD

    Score
    1/10
    behavioral10

    • Target

      hide.c

    • Size

      8KB

    • MD5

      0ea36d63bdc19596106ffab97991e916

    • SHA1

      3f0884d86a24ae678ea6e4f13a3f1dc1aced8a0d

    • SHA256

      b1f5032c0abab0e185b90a5cacaecd6af2d10974ea2a8f9676732413bcff1424

    • SHA512

      2decede4480cdd408bb37d7a82f229ce4c51923690f91ddbb7dc2e5faf17aad50d083a439ec05e021e0309bf845354146dc3aa50c7845c55fedaedab0fa78912

    • SSDEEP

      96:ViUsLKDZd6ubi/9L4PLMtNuJ7tS8/Xjfo5:ViULD9i/duQY/XM5

    Score
    3/10
    behavioral11behavioral12

    • Target

      init

    • Size

      41KB

    • MD5

      3d7964550b662754985bae37e0ee427b

    • SHA1

      3de28ccabe03f53cc4f534c96337ece4878d7a0e

    • SHA256

      03fab42e0825e6c35b803a125d63191dcf819f48bc9152180379b6c598632075

    • SHA512

      75849f318fa46c8415fac9bded6b0bcecc2762cbb3b2c63d0d27794bfaaf8803fff3b67919758a2b7d534f30ea0a4010e828615a09d64f562820e111b00ea7c3

    • SSDEEP

      768:SKRCujM9DdD7jBnNNfVQxsRq0e0t7KzPhfs4dckgPQMSaMyOB7jVCRPlNpiKVvI:SKRnKhjBNxVQxsRq0e0t7KzPhfs4dckc

    Score
    3/10
    behavioral13

    • Target

      mining

    • Size

      355B

    • MD5

      8674ce902ffedf49ae4be47baabcc2c0

    • SHA1

      441ecd5d3a928125e10a0b6b19f7eed31cfd4476

    • SHA256

      8f93a7dd12dbd84749cb5cf675cd8371bd732655a8d048f269d8e88e8136e2e3

    • SHA512

      8428b05454cc9a6ccc3ddea862d9f38b6f10f542ebf6f784b2f7027a985f1adc9bf7c69d3306b6d4d1896af9ec8e7fe1e1d9291c60652c46d7e5126a2d2e3380

    Score
    6/10

    • Enumerates running processes

      Discovers information about currently running processes on the system

    • Reads CPU attributes

    behavioral14behavioral15behavioral16behavioral17

    • Target

      mkcfg

    • Size

      2KB

    • MD5

      b586844bb52809b9dd6c5982347e27e0

    • SHA1

      1aa9693db7bd01099d3022c5d697b601a938e205

    • SHA256

      a86693407c7ec7a73e1f0e39ae7727f8bdbbc690cbaedeb3817f04cb9f87a57c

    • SHA512

      2a3c4031b987178e8b93ced37794d2b2803ffb595b431f05b25793fd4874d8059d9499b8c00ca5abeb7524bba3c4d23a3a5cf2091a811c79224803f7a5f440f0

    Score
    1/10
    behavioral18behavioral19behavioral20behavioral21

    • Target

      start

    • Size

      176B

    • MD5

      fe2ac6ae76a359f127213790c460496f

    • SHA1

      df036a0088e1f418cb6e618fae06cf6282e79452

    • SHA256

      0f1e5ab87d39835c6c28f242e68f7855a57813ef8e3e07091eee4f4d4f7ef78d

    • SHA512

      8e41371af2cca37fff463fa1fff44db1cb462c8bf65f93f0ba0779adcfb4c812e411baf00bd67a2e7c92ddb27d65894bb18e205d6ca0e588c81219ba1b272889

    Score
    10/10
    xmrigminer

    • XMRig Miner payload

      miner

    • xmrig

      XMRig is a high performance, open source, cross platform CPU/GPU miner.

      minerxmrig
    behavioral22behavioral23behavioral24behavioral25

    • Target

      x86_64

    • Size

      4.6MB

    • MD5

      1ba3f6f197a8ddd84cf30e29eed01ae9

    • SHA1

      e63b06246de680ac8357fb2d2fb467c630b85dd2

    • SHA256

      bbcdffd6fa3b1370dfc091bfd3bfca38be013f72f94af7ef29466d911c9604d8

    • SHA512

      818f671bbe14e3b863511fc13fd83bf30fdf6c89240431d96b4d85105d99552c16f3e90ff52f90ce2e1cb3a14df37be6f99203eeb24ff0327245987d3ebeb3a3

    • SSDEEP

      98304:0ALYK2IB3zOA9/iPkI0p8C7vJxdUGZ2KS55rZhhWI4:HYK2IZ79KzcDPdUGZuhX

    Score
    6/10
    antivm

    • Checks CPU configuration

      Checks CPU information which indicate if the system is a virtual machine.

      antivm

    • Checks hardware identifiers (DMI)

      Checks DMI information which indicate if the system is a virtual machine.

      antivm

    • Reads CPU attributes

    • Reads hardware information

      Accesses system info like serial numbers, manufacturer names etc.

    behavioral26

MITRE ATT&CK Enterprise v15

Tasks