Overview
overview
10Static
static
10xm.gz
windows7-x64
3xm.gz
windows10-2004-x64
7sample.tar
windows7-x64
3sample.tar
windows10-2004-x64
7aarch64
ubuntu-18.04-amd64
6create
ubuntu-18.04-amd64
7create
debian-9-armhf
7create
debian-9-mips
1create
debian-9-mipsel
1hide
ubuntu-18.04-amd64
1hide.c
windows7-x64
3hide.c
windows10-2004-x64
3init
ubuntu-18.04-amd64
3mining
ubuntu-18.04-amd64
6mining
debian-9-armhf
6mining
debian-9-mips
6mining
debian-9-mipsel
6mkcfg
ubuntu-18.04-amd64
1mkcfg
debian-9-armhf
1mkcfg
debian-9-mips
1mkcfg
debian-9-mipsel
1start
ubuntu-18.04-amd64
10start
debian-9-armhf
1start
debian-9-mips
1start
debian-9-mipsel
1x86_64
ubuntu-18.04-amd64
6Analysis
-
max time kernel
12s -
platform
debian-9_mips -
resource
debian9-mipsbe-20231215-en -
resource tags
arch:mipsimage:debian9-mipsbe-20231215-enkernel:4.9.0-13-4kc-maltalocale:en-usos:debian-9-mipssystem -
submitted
20/12/2023, 05:19
Behavioral task
behavioral1
Sample
xm.gz
Resource
win7-20231215-en
windows7-x64
Behavioral task
behavioral2
Sample
xm.gz
Resource
win10v2004-20231215-en
windows10-2004-x64
Behavioral task
behavioral3
Sample
sample.tar
Resource
win7-20231215-en
windows7-x64
Behavioral task
behavioral4
Sample
sample.tar
Resource
win10v2004-20231215-en
windows10-2004-x64
Behavioral task
behavioral5
Sample
aarch64
Resource
ubuntu1804-amd64-20231215-en
ubuntu-18.04-amd64
Behavioral task
behavioral6
Sample
create
Resource
ubuntu1804-amd64-20231215-en
ubuntu-18.04-amd64
Behavioral task
behavioral7
Sample
create
Resource
debian9-armhf-20231215-en
debian-9-armhf
Behavioral task
behavioral8
Sample
create
Resource
debian9-mipsbe-20231215-en
debian-9-mips
Behavioral task
behavioral9
Sample
create
Resource
debian9-mipsel-20231215-en
debian-9-mipsel
Behavioral task
behavioral10
Sample
hide
Resource
ubuntu1804-amd64-20231215-en
ubuntu-18.04-amd64
Behavioral task
behavioral11
Sample
hide.c
Resource
win7-20231129-en
windows7-x64
Behavioral task
behavioral12
Sample
hide.c
Resource
win10v2004-20231215-en
windows10-2004-x64
Behavioral task
behavioral13
Sample
init
Resource
ubuntu1804-amd64-20231215-en
ubuntu-18.04-amd64
Behavioral task
behavioral14
Sample
mining
Resource
ubuntu1804-amd64-20231215-en
ubuntu-18.04-amd64
Behavioral task
behavioral15
Sample
mining
Resource
debian9-armhf-20231215-en
debian-9-armhf
Behavioral task
behavioral16
Sample
mining
Resource
debian9-mipsbe-20231215-en
debian-9-mips
Behavioral task
behavioral17
Sample
mining
Resource
debian9-mipsel-20231215-en
debian-9-mipsel
Behavioral task
behavioral18
Sample
mkcfg
Resource
ubuntu1804-amd64-20231215-en
ubuntu-18.04-amd64
Behavioral task
behavioral19
Sample
mkcfg
Resource
debian9-armhf-20231215-en
debian-9-armhf
Behavioral task
behavioral20
Sample
mkcfg
Resource
debian9-mipsbe-20231215-en
debian-9-mips
Behavioral task
behavioral21
Sample
mkcfg
Resource
debian9-mipsel-20231215-en
debian-9-mipsel
Behavioral task
behavioral22
Sample
start
Resource
ubuntu1804-amd64-20231215-en
ubuntu-18.04-amd64
Behavioral task
behavioral23
Sample
start
Resource
debian9-armhf-20231215-en
debian-9-armhf
Behavioral task
behavioral24
Sample
start
Resource
debian9-mipsbe-20231215-en
debian-9-mips
Behavioral task
behavioral25
Sample
start
Resource
debian9-mipsel-20231215-en
debian-9-mipsel
Behavioral task
behavioral26
Sample
x86_64
Resource
ubuntu1804-amd64-20231215-en
ubuntu-18.04-amd64
General
-
Target
mining
-
Size
355B
-
MD5
8674ce902ffedf49ae4be47baabcc2c0
-
SHA1
441ecd5d3a928125e10a0b6b19f7eed31cfd4476
-
SHA256
8f93a7dd12dbd84749cb5cf675cd8371bd732655a8d048f269d8e88e8136e2e3
-
SHA512
8428b05454cc9a6ccc3ddea862d9f38b6f10f542ebf6f784b2f7027a985f1adc9bf7c69d3306b6d4d1896af9ec8e7fe1e1d9291c60652c46d7e5126a2d2e3380
Malware Config
Signatures
-
Enumerates running processes
Discovers information about currently running processes on the system
-
Reads CPU attributes 1 TTPs 1 IoCs
description ioc Process File opened for reading /sys/devices/system/cpu/online ps -
Reads runtime system information 64 IoCs
Reads data from /proc virtual filesystem.
description ioc Process File opened for reading /proc/37/stat ps File opened for reading /proc/350/status ps File opened for reading /proc/692/stat ps File opened for reading /proc/6/stat ps File opened for reading /proc/21/cmdline ps File opened for reading /proc/76/status ps File opened for reading /proc/388/cmdline ps File opened for reading /proc/80/cmdline ps File opened for reading /proc/103/status ps File opened for reading /proc/113/stat ps File opened for reading /proc/477/stat ps File opened for reading /proc/4/cmdline ps File opened for reading /proc/69/status ps File opened for reading /proc/477/cmdline ps File opened for reading /proc/726/cmdline ps File opened for reading /proc/6/cmdline ps File opened for reading /proc/70/stat ps File opened for reading /proc/724/stat ps File opened for reading /proc/70/status ps File opened for reading /proc/73/status ps File opened for reading /proc/690/stat ps File opened for reading /proc/727/stat ps File opened for reading /proc/36/stat ps File opened for reading /proc/146/stat ps File opened for reading /proc/350/stat ps File opened for reading /proc/728/cmdline ps File opened for reading /proc/687/cmdline ps File opened for reading /proc/9/cmdline ps File opened for reading /proc/77/cmdline ps File opened for reading /proc/80/status ps File opened for reading /proc/509/cmdline ps File opened for reading /proc/350/cmdline ps File opened for reading /proc/3/stat ps File opened for reading /proc/353/stat ps File opened for reading /proc/718/cmdline ps File opened for reading /proc/stat ps File opened for reading /proc/19/status ps File opened for reading /proc/165/cmdline ps File opened for reading /proc/388/status ps File opened for reading /proc/37/status ps File opened for reading /proc/1/cmdline ps File opened for reading /proc/696/status ps File opened for reading /proc/meminfo ps File opened for reading /proc/1/status ps File opened for reading /proc/688/status ps File opened for reading /proc/19/cmdline ps File opened for reading /proc/36/cmdline ps File opened for reading /proc/321/stat ps File opened for reading /proc/349/cmdline ps File opened for reading /proc/727/status ps File opened for reading /proc/8/stat ps File opened for reading /proc/693/stat ps File opened for reading /proc/696/stat ps File opened for reading /proc/716/status ps File opened for reading /proc/24/cmdline ps File opened for reading /proc/141/status ps File opened for reading /proc/687/stat ps File opened for reading /proc/509/stat ps File opened for reading /proc/75/stat ps File opened for reading /proc/80/stat ps File opened for reading /proc/165/stat ps File opened for reading /proc/373/stat ps File opened for reading /proc/6/status ps File opened for reading /proc/17/status ps -
Writes file to tmp directory 2 IoCs
Malware often drops required files in the /tmp directory.
description ioc Process File opened for modification /tmp/logs mining File opened for modification /tmp/ra.pid Process not Found
Processes
-
/tmp/mining/tmp/mining1⤵
- Writes file to tmp directory
PID:716 -
/tmp/init/tmp/init2⤵PID:719
-
-
/bin/unameuname -m2⤵PID:723
-
-
/bin/psps -ef2⤵
- Reads CPU attributes
- Reads runtime system information
PID:724
-
-
/bin/grepgrep "sendmail: accepting connections"2⤵PID:725
-
-
/bin/grepgrep -v grep2⤵PID:726
-
-
/usr/bin/awkawk "{print \$2}"2⤵PID:727
-
-
/usr/bin/headhead -12⤵PID:728
-