Overview
overview
10Static
static
10xm.gz
windows7-x64
3xm.gz
windows10-2004-x64
7sample.tar
windows7-x64
3sample.tar
windows10-2004-x64
7aarch64
ubuntu-18.04-amd64
6create
ubuntu-18.04-amd64
7create
debian-9-armhf
7create
debian-9-mips
1create
debian-9-mipsel
1hide
ubuntu-18.04-amd64
1hide.c
windows7-x64
3hide.c
windows10-2004-x64
3init
ubuntu-18.04-amd64
3mining
ubuntu-18.04-amd64
6mining
debian-9-armhf
6mining
debian-9-mips
6mining
debian-9-mipsel
6mkcfg
ubuntu-18.04-amd64
1mkcfg
debian-9-armhf
1mkcfg
debian-9-mips
1mkcfg
debian-9-mipsel
1start
ubuntu-18.04-amd64
10start
debian-9-armhf
1start
debian-9-mips
1start
debian-9-mipsel
1x86_64
ubuntu-18.04-amd64
6Analysis
-
max time kernel
14s -
platform
debian-9_mipsel -
resource
debian9-mipsel-20231215-en -
resource tags
arch:mipselimage:debian9-mipsel-20231215-enkernel:4.9.0-13-4kc-maltalocale:en-usos:debian-9-mipselsystem -
submitted
20-12-2023 05:19
Behavioral task
behavioral1
Sample
xm.gz
Resource
win7-20231215-en
windows7-x64
Behavioral task
behavioral2
Sample
xm.gz
Resource
win10v2004-20231215-en
windows10-2004-x64
Behavioral task
behavioral3
Sample
sample.tar
Resource
win7-20231215-en
windows7-x64
Behavioral task
behavioral4
Sample
sample.tar
Resource
win10v2004-20231215-en
windows10-2004-x64
Behavioral task
behavioral5
Sample
aarch64
Resource
ubuntu1804-amd64-20231215-en
ubuntu-18.04-amd64
Behavioral task
behavioral6
Sample
create
Resource
ubuntu1804-amd64-20231215-en
ubuntu-18.04-amd64
Behavioral task
behavioral7
Sample
create
Resource
debian9-armhf-20231215-en
debian-9-armhf
Behavioral task
behavioral8
Sample
create
Resource
debian9-mipsbe-20231215-en
debian-9-mips
Behavioral task
behavioral9
Sample
create
Resource
debian9-mipsel-20231215-en
debian-9-mipsel
Behavioral task
behavioral10
Sample
hide
Resource
ubuntu1804-amd64-20231215-en
ubuntu-18.04-amd64
Behavioral task
behavioral11
Sample
hide.c
Resource
win7-20231129-en
windows7-x64
Behavioral task
behavioral12
Sample
hide.c
Resource
win10v2004-20231215-en
windows10-2004-x64
Behavioral task
behavioral13
Sample
init
Resource
ubuntu1804-amd64-20231215-en
ubuntu-18.04-amd64
Behavioral task
behavioral14
Sample
mining
Resource
ubuntu1804-amd64-20231215-en
ubuntu-18.04-amd64
Behavioral task
behavioral15
Sample
mining
Resource
debian9-armhf-20231215-en
debian-9-armhf
Behavioral task
behavioral16
Sample
mining
Resource
debian9-mipsbe-20231215-en
debian-9-mips
Behavioral task
behavioral17
Sample
mining
Resource
debian9-mipsel-20231215-en
debian-9-mipsel
Behavioral task
behavioral18
Sample
mkcfg
Resource
ubuntu1804-amd64-20231215-en
ubuntu-18.04-amd64
Behavioral task
behavioral19
Sample
mkcfg
Resource
debian9-armhf-20231215-en
debian-9-armhf
Behavioral task
behavioral20
Sample
mkcfg
Resource
debian9-mipsbe-20231215-en
debian-9-mips
Behavioral task
behavioral21
Sample
mkcfg
Resource
debian9-mipsel-20231215-en
debian-9-mipsel
Behavioral task
behavioral22
Sample
start
Resource
ubuntu1804-amd64-20231215-en
ubuntu-18.04-amd64
Behavioral task
behavioral23
Sample
start
Resource
debian9-armhf-20231215-en
debian-9-armhf
Behavioral task
behavioral24
Sample
start
Resource
debian9-mipsbe-20231215-en
debian-9-mips
Behavioral task
behavioral25
Sample
start
Resource
debian9-mipsel-20231215-en
debian-9-mipsel
Behavioral task
behavioral26
Sample
x86_64
Resource
ubuntu1804-amd64-20231215-en
ubuntu-18.04-amd64
General
-
Target
mining
-
Size
355B
-
MD5
8674ce902ffedf49ae4be47baabcc2c0
-
SHA1
441ecd5d3a928125e10a0b6b19f7eed31cfd4476
-
SHA256
8f93a7dd12dbd84749cb5cf675cd8371bd732655a8d048f269d8e88e8136e2e3
-
SHA512
8428b05454cc9a6ccc3ddea862d9f38b6f10f542ebf6f784b2f7027a985f1adc9bf7c69d3306b6d4d1896af9ec8e7fe1e1d9291c60652c46d7e5126a2d2e3380
Malware Config
Signatures
-
Enumerates running processes
Discovers information about currently running processes on the system
-
Reads CPU attributes 1 TTPs 1 IoCs
description ioc Process File opened for reading /sys/devices/system/cpu/online ps -
Reads runtime system information 64 IoCs
Reads data from /proc virtual filesystem.
description ioc Process File opened for reading /proc/meminfo ps File opened for reading /proc/10/cmdline ps File opened for reading /proc/13/stat ps File opened for reading /proc/74/stat ps File opened for reading /proc/103/stat ps File opened for reading /proc/142/status ps File opened for reading /proc/20/stat ps File opened for reading /proc/72/stat ps File opened for reading /proc/698/stat ps File opened for reading /proc/1/status ps File opened for reading /proc/71/stat ps File opened for reading /proc/734/stat ps File opened for reading /proc/9/stat ps File opened for reading /proc/21/stat ps File opened for reading /proc/114/stat ps File opened for reading /proc/404/status ps File opened for reading /proc/531/cmdline ps File opened for reading /proc/36/status ps File opened for reading /proc/325/status ps File opened for reading /proc/326/stat ps File opened for reading /proc/381/stat ps File opened for reading /proc/692/stat ps File opened for reading /proc/78/status ps File opened for reading /proc/149/status ps File opened for reading /proc/353/status ps File opened for reading /proc/351/cmdline ps File opened for reading /proc/7/status ps File opened for reading /proc/24/status ps File opened for reading /proc/531/status ps File opened for reading /proc/16/cmdline ps File opened for reading /proc/22/cmdline ps File opened for reading /proc/81/cmdline ps File opened for reading /proc/2/status ps File opened for reading /proc/24/cmdline ps File opened for reading /proc/368/status ps File opened for reading /proc/self/stat ps File opened for reading /proc/9/cmdline ps File opened for reading /proc/73/status ps File opened for reading /proc/103/status ps File opened for reading /proc/18/stat ps File opened for reading /proc/70/status ps File opened for reading /proc/693/status ps File opened for reading /proc/9/status ps File opened for reading /proc/695/cmdline ps File opened for reading /proc/734/cmdline ps File opened for reading /proc/36/stat ps File opened for reading /proc/695/status ps File opened for reading /proc/3/cmdline ps File opened for reading /proc/18/cmdline ps File opened for reading /proc/351/stat ps File opened for reading /proc/19/status ps File opened for reading /proc/23/stat ps File opened for reading /proc/114/status ps File opened for reading /proc/695/stat ps File opened for reading /proc/22/stat ps File opened for reading /proc/149/stat ps File opened for reading /proc/353/stat ps File opened for reading /proc/3/status ps File opened for reading /proc/582/cmdline ps File opened for reading /proc/37/stat ps File opened for reading /proc/354/status ps File opened for reading /proc/719/status ps File opened for reading /proc/730/stat ps File opened for reading /proc/self/maps awk -
Writes file to tmp directory 2 IoCs
Malware often drops required files in the /tmp directory.
description ioc Process File opened for modification /tmp/logs mining File opened for modification /tmp/ra.pid Process not Found
Processes
-
/tmp/mining/tmp/mining1⤵
- Writes file to tmp directory
PID:720 -
/tmp/init/tmp/init2⤵PID:728
-
-
/bin/unameuname -m2⤵PID:729
-
-
/bin/psps -ef2⤵
- Reads CPU attributes
- Reads runtime system information
PID:730
-
-
/bin/grepgrep "sendmail: accepting connections"2⤵PID:731
-
-
/bin/grepgrep -v grep2⤵PID:732
-
-
/usr/bin/awkawk "{print \$2}"2⤵
- Reads runtime system information
PID:733
-
-
/usr/bin/headhead -12⤵PID:734
-