xmrig | fb21030439fe9aa31f4a31c9ba37798b594c42119afd1339a0379c283b3699f4

Analysis

max time kernel
305s
max time network
295s
platform
ubuntu-18.04_amd64
resource
ubuntu1804-amd64-20231215-en
resource tags

arch:amd64arch:i386image:ubuntu1804-amd64-20231215-enkernel:4.15.0-213-genericlocale:en-usos:ubuntu-18.04-amd64system
submitted
07/01/2024, 14:29

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

sample
Size

5.7MB
MD5

b3039abf2ad5202f4a9363b418002351
SHA1

0ceb8ffb0be23b808b534d744440f4367e17b9c5
SHA256

787e2c94e6d9ce5ec01f5cbe9ee2518431eca8523155526d6dc85934c9c5787c
SHA512

8b1a1003a021d0f69b9295f496bf550932ce85b096ca7057632756348da1354c2b104ff36e901b27def030b79749c8fc7f54163d6195e5e0cb9b357353ee654e
SSDEEP

49152:wCe/ydXZSrb/TJvO90dL3BmAFd4A64nsfJvaWi9sglz/KbwLjFfiawr1eAOkzDIK:3eidO9suPF+NL4FiBnIrb3rE

Score

10^/10

xmrig antivm evasion miner rootkit upx

Malware Config

Signatures

xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

XMRig Miner payload 3 IoCs

miner

resource	yara_rule
behavioral1/memory/1603-1-0x0000000000400000-0x0000000000bb1680-memory.dmp	xmrig
behavioral1/memory/1630-2-0x0000000000400000-0x0000000000bb1680-memory.dmp	xmrig
behavioral1/memory/1645-3-0x0000000000400000-0x0000000000bb1680-memory.dmp	xmrig

Executes dropped EXE 3 IoCs

ioc	pid	Process
/tmp/kdevtmpfsi	1603	kdevtmpfsi
/tmp/kdevtmpfsi	1630	kdevtmpfsi
/tmp/kdevtmpfsi	1645	kdevtmpfsi

Loads a kernel module 1 IoCs

Loads a Linux kernel module, potentially to achieve persistence

rootkit

ioc	pid	Process
/lib/modules/4.15.0-213-generic/kernel/arch/x86/kernel/msr.ko	1621	modprobe

UPX packed file 1 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/files/fstream-3.dat	upx

Checks CPU configuration 1 TTPs 4 IoCs

Checks CPU information which indicate if the system is a virtual machine.

antivm

Virtualization/Sandbox Evasion

T1497

description	ioc	Process
File opened for reading	/proc/cpuinfo	kdevtmpfsi
File opened for reading	/proc/cpuinfo	sample
File opened for reading	/proc/cpuinfo	kdevtmpfsi
File opened for reading	/proc/cpuinfo	kdevtmpfsi

Checks hardware identifiers (DMI) 1 TTPs 12 IoCs

Checks DMI information which indicate if the system is a virtual machine.

antivm

Virtualization/Sandbox Evasion

T1497

description	ioc	Process
File opened for reading	/sys/devices/virtual/dmi/id/product_name	kdevtmpfsi
File opened for reading	/sys/devices/virtual/dmi/id/board_vendor	kdevtmpfsi
File opened for reading	/sys/devices/virtual/dmi/id/sys_vendor	kdevtmpfsi
File opened for reading	/sys/devices/virtual/dmi/id/product_name	kdevtmpfsi
File opened for reading	/sys/devices/virtual/dmi/id/sys_vendor	kdevtmpfsi
File opened for reading	/sys/devices/virtual/dmi/id/board_vendor	kdevtmpfsi
File opened for reading	/sys/devices/virtual/dmi/id/bios_vendor	kdevtmpfsi
File opened for reading	/sys/devices/virtual/dmi/id/bios_vendor	kdevtmpfsi
File opened for reading	/sys/devices/virtual/dmi/id/board_vendor	kdevtmpfsi
File opened for reading	/sys/devices/virtual/dmi/id/bios_vendor	kdevtmpfsi
File opened for reading	/sys/devices/virtual/dmi/id/product_name	kdevtmpfsi
File opened for reading	/sys/devices/virtual/dmi/id/sys_vendor	kdevtmpfsi

Enumerates running processes
Discovers information about currently running processes on the system

Reads CPU attributes 1 TTPs 13 IoCs

System Information Discovery

T1082

description	ioc	Process
File opened for reading	/sys/devices/system/cpu/online	kdevtmpfsi
File opened for reading	/sys/devices/system/cpu/types	kdevtmpfsi
File opened for reading	/sys/devices/system/cpu/possible	kdevtmpfsi
File opened for reading	/sys/devices/system/cpu/types	kdevtmpfsi
File opened for reading	/sys/devices/system/cpu/types	kdevtmpfsi
File opened for reading	/sys/devices/system/cpu/online	pkill
File opened for reading	/sys/devices/system/cpu/online	kdevtmpfsi
File opened for reading	/sys/devices/system/cpu/online	pkill
File opened for reading	/sys/devices/system/cpu/online	pkill
File opened for reading	/sys/devices/system/cpu/online	kdevtmpfsi
File opened for reading	/sys/devices/system/cpu/possible	kdevtmpfsi
File opened for reading	/sys/devices/system/cpu/online	pkill
File opened for reading	/sys/devices/system/cpu/possible	kdevtmpfsi

Reads hardware information 1 TTPs 42 IoCs

Accesses system info like serial numbers, manufacturer names etc.

System Information Discovery

T1082

description	ioc	Process
File opened for reading	/sys/devices/virtual/dmi/id/product_version	kdevtmpfsi
File opened for reading	/sys/devices/virtual/dmi/id/product_version	kdevtmpfsi
File opened for reading	/sys/devices/virtual/dmi/id/board_name	kdevtmpfsi
File opened for reading	/sys/devices/virtual/dmi/id/chassis_asset_tag	kdevtmpfsi
File opened for reading	/sys/devices/virtual/dmi/id/board_version	kdevtmpfsi
File opened for reading	/sys/devices/virtual/dmi/id/product_uuid	kdevtmpfsi
File opened for reading	/sys/devices/virtual/dmi/id/chassis_serial	kdevtmpfsi
File opened for reading	/sys/devices/virtual/dmi/id/chassis_type	kdevtmpfsi
File opened for reading	/sys/devices/virtual/dmi/id/chassis_version	kdevtmpfsi
File opened for reading	/sys/devices/virtual/dmi/id/product_uuid	kdevtmpfsi
File opened for reading	/sys/devices/virtual/dmi/id/board_name	kdevtmpfsi
File opened for reading	/sys/devices/virtual/dmi/id/chassis_vendor	kdevtmpfsi
File opened for reading	/sys/devices/virtual/dmi/id/board_asset_tag	kdevtmpfsi
File opened for reading	/sys/devices/virtual/dmi/id/chassis_vendor	kdevtmpfsi
File opened for reading	/sys/devices/virtual/dmi/id/bios_version	kdevtmpfsi
File opened for reading	/sys/devices/virtual/dmi/id/bios_date	kdevtmpfsi
File opened for reading	/sys/devices/virtual/dmi/id/product_serial	kdevtmpfsi
File opened for reading	/sys/devices/virtual/dmi/id/bios_version	kdevtmpfsi
File opened for reading	/sys/devices/virtual/dmi/id/chassis_serial	kdevtmpfsi
File opened for reading	/sys/devices/virtual/dmi/id/board_asset_tag	kdevtmpfsi
File opened for reading	/sys/devices/virtual/dmi/id/bios_date	kdevtmpfsi
File opened for reading	/sys/devices/virtual/dmi/id/board_serial	kdevtmpfsi
File opened for reading	/sys/devices/virtual/dmi/id/bios_date	kdevtmpfsi
File opened for reading	/sys/devices/virtual/dmi/id/board_version	kdevtmpfsi
File opened for reading	/sys/devices/virtual/dmi/id/board_serial	kdevtmpfsi
File opened for reading	/sys/devices/virtual/dmi/id/board_serial	kdevtmpfsi
File opened for reading	/sys/devices/virtual/dmi/id/chassis_vendor	kdevtmpfsi
File opened for reading	/sys/devices/virtual/dmi/id/chassis_version	kdevtmpfsi
File opened for reading	/sys/devices/virtual/dmi/id/board_name	kdevtmpfsi
File opened for reading	/sys/devices/virtual/dmi/id/board_version	kdevtmpfsi
File opened for reading	/sys/devices/virtual/dmi/id/chassis_asset_tag	kdevtmpfsi
File opened for reading	/sys/devices/virtual/dmi/id/product_uuid	kdevtmpfsi
File opened for reading	/sys/devices/virtual/dmi/id/product_serial	kdevtmpfsi
File opened for reading	/sys/devices/virtual/dmi/id/chassis_type	kdevtmpfsi
File opened for reading	/sys/devices/virtual/dmi/id/chassis_serial	kdevtmpfsi
File opened for reading	/sys/devices/virtual/dmi/id/bios_version	kdevtmpfsi
File opened for reading	/sys/devices/virtual/dmi/id/board_asset_tag	kdevtmpfsi
File opened for reading	/sys/devices/virtual/dmi/id/chassis_type	kdevtmpfsi
File opened for reading	/sys/devices/virtual/dmi/id/chassis_version	kdevtmpfsi
File opened for reading	/sys/devices/virtual/dmi/id/product_serial	kdevtmpfsi
File opened for reading	/sys/devices/virtual/dmi/id/product_version	kdevtmpfsi
File opened for reading	/sys/devices/virtual/dmi/id/chassis_asset_tag	kdevtmpfsi

Reads list of loaded kernel modules 1 TTPs 1 IoCs

Reads the list of currently loaded kernel modules, possibly to detect virtual environments.

evasion

Virtualization/Sandbox Evasion

T1497

description	ioc	Process
File opened for reading	/proc/modules	sample

Enumerates kernel/hardware configuration 1 TTPs 64 IoCs

Reads contents of /sys virtual filesystem to enumerate system information.

System Information Discovery

T1082

description	ioc	Process
File opened for reading	/sys/bus/dax/devices	kdevtmpfsi
File opened for reading	/sys/fs/cgroup/cpuset/cpuset.mems	kdevtmpfsi
File opened for reading	/sys/bus/cpu/devices/cpu0/cache/index2/physical_line_partition	kdevtmpfsi
File opened for reading	/sys/devices/system/node/node0/hugepages/hugepages-2048kB/nr_hugepages	Process not Found
File opened for reading	/sys/bus/cpu/devices/cpu0/cache/index0/coherency_line_size	kdevtmpfsi
File opened for reading	/sys/bus/cpu/devices/cpu0/cache/index0/number_of_sets	kdevtmpfsi
File opened for reading	/sys/bus/cpu/devices/cpu0/cache/index2/physical_line_partition	kdevtmpfsi
File opened for reading	/sys/bus/dax/devices	kdevtmpfsi
File opened for reading	/sys/bus/cpu/devices/cpu0/topology/physical_package_id	kdevtmpfsi
File opened for reading	/sys/bus/cpu/devices/cpu0/cache/index0/number_of_sets	kdevtmpfsi
File opened for reading	/sys/bus/cpu/devices/cpu0/cache/index7/shared_cpu_map	kdevtmpfsi
File opened for reading	/sys/devices/system/cpu	kdevtmpfsi
File opened for reading	/sys/bus/cpu/devices/cpu0/topology/physical_package_id	kdevtmpfsi
File opened for reading	/sys/bus/cpu/devices/cpu0/cache/index3/level	kdevtmpfsi
File opened for reading	/sys/devices/system/node/online	kdevtmpfsi
File opened for reading	/sys/bus/cpu/devices/cpu0/cache/index9/shared_cpu_map	kdevtmpfsi
File opened for reading	/sys/devices/virtual/dmi/id	kdevtmpfsi
File opened for reading	/sys/bus/cpu/devices/cpu0/cache/index9/shared_cpu_map	kdevtmpfsi
File opened for reading	/sys/bus/cpu/devices/cpu0/cache/index2/type	kdevtmpfsi
File opened for reading	/sys/bus/cpu/devices/cpu0/cache/index3/level	kdevtmpfsi
File opened for reading	/sys/bus/cpu/devices/cpu0/cache/index3/coherency_line_size	kdevtmpfsi
File opened for reading	/sys/bus/node/devices/node0/hugepages	kdevtmpfsi
File opened for reading	/sys/bus/cpu/devices/cpu0/cache/index0/level	kdevtmpfsi
File opened for reading	/sys/bus/cpu/devices/cpu0/cache/index0/size	kdevtmpfsi
File opened for reading	/sys/bus/cpu/devices/cpu0/cache/index4/shared_cpu_map	kdevtmpfsi
File opened for reading	/sys/bus/cpu/devices/cpu0/cache/index8/shared_cpu_map	kdevtmpfsi
File opened for reading	/sys/bus/node/devices/node0/access0/initiators	kdevtmpfsi
File opened for reading	/sys/bus/cpu/devices/cpu0/cache/index1/type	kdevtmpfsi
File opened for reading	/sys/bus/cpu/devices/cpu0/cache/index2/type	kdevtmpfsi
File opened for reading	/sys/bus/node/devices/node0/access0/initiators/read_latency	kdevtmpfsi
File opened for reading	/sys/bus/cpu/devices/cpu0/topology/thread_siblings	kdevtmpfsi
File opened for reading	/sys/bus/node/devices/node0/access0/initiators/read_bandwidth	kdevtmpfsi
File opened for reading	/sys/bus/cpu/devices/cpu0/topology/thread_siblings	kdevtmpfsi
File opened for reading	/sys/bus/cpu/devices/cpu0/cache/index2/level	kdevtmpfsi
File opened for reading	/sys/bus/cpu/devices/cpu0/cache/index2/number_of_sets	kdevtmpfsi
File opened for reading	/sys/bus/cpu/devices/cpu0/cache/index2/number_of_sets	kdevtmpfsi
File opened for reading	/sys/bus/cpu/devices/cpu0/cache/index0/coherency_line_size	kdevtmpfsi
File opened for reading	/sys/bus/cpu/devices/cpu0/cache/index0/physical_line_partition	kdevtmpfsi
File opened for reading	/sys/bus/cpu/devices/cpu0/topology/core_id	kdevtmpfsi
File opened for reading	/sys/bus/node/devices/node0/hugepages	kdevtmpfsi
File opened for reading	/sys/bus/cpu/devices/cpu0/cache/index2/coherency_line_size	kdevtmpfsi
File opened for reading	/sys/devices/system/node/node0/hugepages/hugepages-2048kB/free_hugepages	Process not Found
File opened for reading	/sys/bus/cpu/devices/cpu0/topology/die_cpus	kdevtmpfsi
File opened for reading	/sys/bus/node/devices/node0/access1/initiators	kdevtmpfsi
File opened for reading	/sys/bus/cpu/devices/cpu0/cache/index1/level	kdevtmpfsi
File opened for reading	/sys/bus/cpu/devices/cpu0/cpufreq/cpuinfo_max_freq	kdevtmpfsi
File opened for reading	/sys/bus/cpu/devices	kdevtmpfsi
File opened for reading	/sys/bus/cpu/devices/cpu0/cache/index2/number_of_sets	kdevtmpfsi
File opened for reading	/sys/kernel/mm/hugepages/hugepages-2048kB/nr_hugepages	kdevtmpfsi
File opened for reading	/sys/bus/cpu/devices	kdevtmpfsi
File opened for reading	/sys/bus/cpu/devices/cpu0/cache/index0/size	kdevtmpfsi
File opened for reading	/sys/bus/cpu/devices/cpu0/cache/index0/size	kdevtmpfsi
File opened for reading	/sys/bus/cpu/devices/cpu0/cache/index5/shared_cpu_map	kdevtmpfsi
File opened for reading	/sys/kernel/mm/hugepages	kdevtmpfsi
File opened for reading	/sys/bus/node/devices/node0/access0/initiators/read_latency	kdevtmpfsi
File opened for reading	/sys/bus/cpu/devices/cpu0/topology/core_siblings	kdevtmpfsi
File opened for reading	/sys/fs/cgroup/unified/cgroup.controllers	kdevtmpfsi
File opened for reading	/sys/bus/cpu/devices/cpu0/topology/core_id	kdevtmpfsi
File opened for reading	/sys/fs/cgroup/cpuset/cpuset.cpus	kdevtmpfsi
File opened for reading	/sys/bus/cpu/devices/cpu0/cache/index0/physical_line_partition	kdevtmpfsi
File opened for reading	/sys/bus/node/devices/node0/hugepages	kdevtmpfsi
File opened for reading	/sys/bus/cpu/devices/cpu0/cache/index1/level	kdevtmpfsi
File opened for reading	/sys/bus/node/devices/node0/access0/initiators	kdevtmpfsi
File opened for reading	/sys/bus/cpu/devices/cpu0/cache/index0/type	kdevtmpfsi

Reads runtime system information 64 IoCs

Reads data from /proc virtual filesystem.

description	ioc	Process
File opened for reading	/proc/650/fd	sample
File opened for reading	/proc/1152/stat	sample
File opened for reading	/proc/22/stat	Process not Found
File opened for reading	/proc/89/cmdline	pkill
File opened for reading	/proc/448/stat	sample
File opened for reading	/proc/19/cmdline	pkill
File opened for reading	/proc/28/cmdline	pkill
File opened for reading	/proc/166/cmdline	pkill
File opened for reading	/proc/524/status	pkill
File opened for reading	/proc/159/cmdline	pkill
File opened for reading	/proc/1354/status	pkill
File opened for reading	/proc/1193/status	pkill
File opened for reading	/proc/197/cmdline	pkill
File opened for reading	/proc/81/status	pkill
File opened for reading	/proc/956/status	pkill
File opened for reading	/proc/635/status	pkill
File opened for reading	/proc/859/cmdline	pkill
File opened for reading	/proc/954/cmdline	pkill
File opened for reading	/proc/19/status	pkill
File opened for reading	/proc/sys/kernel/osrelease	pkill
File opened for reading	/proc/1147/cmdline	pkill
File opened for reading	/proc/26/status	pkill
File opened for reading	/proc/161/fd	sample
File opened for reading	/proc/1058/stat	sample
File opened for reading	/proc/15/status	pkill
File opened for reading	/proc/589/stat	sample
File opened for reading	/proc/486/status	pkill
File opened for reading	/proc/335/status	pkill
File opened for reading	/proc/509/stat	sample
File opened for reading	/proc/1122/stat	sample
File opened for reading	/proc/198/stat	Process not Found
File opened for reading	/proc/meminfo	kdevtmpfsi
File opened for reading	/proc/7/status	pkill
File opened for reading	/proc/7/stat	sample
File opened for reading	/proc/154/stat	sample
File opened for reading	/proc/160/fd	sample
File opened for reading	/proc/1122/fd	sample
File opened for reading	/proc/964/fd	Process not Found
File opened for reading	/proc/949/cmdline	pkill
File opened for reading	/proc/1177/cmdline	pkill
File opened for reading	/proc/534/status	pkill
File opened for reading	/proc/516/cmdline	pkill
File opened for reading	/proc/1558/cmdline	pkill
File opened for reading	/proc/8/fd	Process not Found
File opened for reading	/proc/7/status	pkill
File opened for reading	/proc/623/cmdline	pkill
File opened for reading	/proc/859/status	pkill
File opened for reading	/proc/78/status	pkill
File opened for reading	/proc/641/cmdline	pkill
File opened for reading	/proc/1/environ	sample
File opened for reading	/proc/1291/stat	sample
File opened for reading	/proc/1354/fd	Process not Found
File opened for reading	/proc/1143/cmdline	pkill
File opened for reading	/proc/509/cmdline	pkill
File opened for reading	/proc/1153/stat	sample
File opened for reading	/proc/1151/fd	Process not Found
File opened for reading	/proc/1458/status	pkill
File opened for reading	/proc/451/cmdline	pkill
File opened for reading	/proc/131/cmdline	pkill
File opened for reading	/proc/431/cmdline	pkill
File opened for reading	/proc/15/status	pkill
File opened for reading	/proc/1557/fd	sample
File opened for reading	/proc/81/fd	Process not Found
File opened for reading	/proc/12/status	pkill

Writes file to tmp directory 6 IoCs

Malware often drops required files in the /tmp directory.

description	ioc	Process
File opened for modification	/tmp/.ICEd-unix/2348293019	Process not Found
File opened for modification	/tmp/.ICEd-unix/JsoyF	Process not Found
File opened for modification	/tmp/.ICEd-unix/uuid	sample
File opened for modification	/tmp/kdevtmpfsi	Process not Found
File opened for modification	/tmp/.ICEd-unix/1593060831	Process not Found
File opened for modification	/tmp/.ICEd-unix/3858279210	Process not Found

/tmp/sample
/tmp/sample
1⤵
PID:1570
- /tmp/sample
  /tmp/sample
  2⤵
  - Checks CPU configuration
  - Reads list of loaded kernel modules
  - Reads runtime system information
  - Writes file to tmp directory
  PID:1574

/bin/sh
sh -c "pkill -f kdevtmpfsi"
1⤵
PID:1596
- /usr/bin/pkill
  pkill -f kdevtmpfsi
  2⤵
  - Reads CPU attributes
  - Reads runtime system information
  PID:1597

/bin/sh
sh -c "pkill -f kdevtmpfsi"
1⤵
PID:1598
- /usr/bin/pkill
  pkill -f kdevtmpfsi
  2⤵
  - Reads CPU attributes
  - Reads runtime system information
  PID:1599

/bin/sh
sh -c "chmod +x /tmp/kdevtmpfsi"
1⤵
PID:1600
- /bin/chmod
  chmod +x /tmp/kdevtmpfsi
  2⤵
  PID:1601

/bin/sh
sh -c "/tmp/kdevtmpfsi &"
1⤵
PID:1602

/tmp/kdevtmpfsi
/tmp/kdevtmpfsi
1⤵
- Executes dropped EXE
- Checks CPU configuration
- Checks hardware identifiers (DMI)
- Reads CPU attributes
- Reads hardware information
- Enumerates kernel/hardware configuration
- Reads runtime system information
PID:1603

/bin/sh
sh -c "/sbin/modprobe msr allow_writes=on > /dev/null 2>&1"
1⤵
PID:1620
- /sbin/modprobe
  /sbin/modprobe msr "allow_writes=on"
  2⤵
  - Loads a kernel module
  PID:1621

/bin/sh
sh -c "pkill -f kdevtmpfsi"
1⤵
PID:1625
- /usr/bin/pkill
  pkill -f kdevtmpfsi
  2⤵
  - Reads CPU attributes
  - Reads runtime system information
  PID:1626

/bin/sh
sh -c "chmod +x /tmp/kdevtmpfsi"
1⤵
PID:1627
- /bin/chmod
  chmod +x /tmp/kdevtmpfsi
  2⤵
  PID:1628

/bin/sh
sh -c "/tmp/kdevtmpfsi &"
1⤵
PID:1629

/tmp/kdevtmpfsi
/tmp/kdevtmpfsi
1⤵
- Executes dropped EXE
- Checks CPU configuration
- Checks hardware identifiers (DMI)
- Reads CPU attributes
- Reads hardware information
- Enumerates kernel/hardware configuration
PID:1630

/bin/sh
sh -c "/sbin/modprobe msr allow_writes=on > /dev/null 2>&1"
1⤵
PID:1637
- /sbin/modprobe
  /sbin/modprobe msr "allow_writes=on"
  2⤵
  PID:1638

/bin/sh
sh -c "pkill -f kdevtmpfsi"
1⤵
PID:1640
- /usr/bin/pkill
  pkill -f kdevtmpfsi
  2⤵
  - Reads CPU attributes
  - Reads runtime system information
  PID:1641

/bin/sh
sh -c "chmod +x /tmp/kdevtmpfsi"
1⤵
PID:1642
- /bin/chmod
  chmod +x /tmp/kdevtmpfsi
  2⤵
  PID:1643

/bin/sh
sh -c "/tmp/kdevtmpfsi &"
1⤵
PID:1644

/tmp/kdevtmpfsi
/tmp/kdevtmpfsi
1⤵
- Executes dropped EXE
- Checks CPU configuration
- Checks hardware identifiers (DMI)
- Reads CPU attributes
- Reads hardware information
- Enumerates kernel/hardware configuration
PID:1645

/bin/sh
sh -c "chmod +x /tmp/.ICEd-unix/JsoyF"
1⤵
PID:1653

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Virtualization/Sandbox Evasion

T1497

Credential Access

Discovery

System Information Discovery

T1082

Virtualization/Sandbox Evasion

T1497

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

/tmp/.ICEd-unix/2348293019

Filesize
4B

MD5
e4873aa9a05cc5ed839561d121516766

SHA1
cc0152ff71fc8243f70c8e8478bd7de2aa387e2c

SHA256
c4c9f099e7a471df3389eeb1a1487cf95b5a46e997bf9614e3229114b6787dc6

SHA512
1186c52e6c56d3b4d4c9d587c4cd2c627c00752dfd8973ccb340117308ecdc7e3fa64ad00be8538f5cd52ca5a80a27b1d362a69345f8fbbe862fa3e9fba0cd2d

Download Submit
/tmp/.ICEd-unix/uuid

Filesize
36B

MD5
eb941e9e756368f466de0cde7980ee58

SHA1
78a15983983f0f6874208d0ae7a50fd731f6a837

SHA256
a5361e503b35b469c4ff2437f2b2f1975f9d76b7869b6484b22fd78b53d016c9

SHA512
9beff0bfd1175259dc43e2aa6f8599f29dc7afbe311a01ce81981fec65be33bce4fe048528d727e8b3fd648e339a781482c516abb742d602a33c62b3bc207094

Download Submit
/tmp/kdevtmpfsi

Filesize
2.0MB

MD5
c82bb3c68f7a033b407aa3f53827b7fd

SHA1
6296e8ed40e430480791bf7b4fcdafde5f834837

SHA256
6fc94d8aecc538b1d099a429fb68ac20d7b6ae8b3c7795ae72dd2b7107690b8f

SHA512
0412482bf1eaaf0c1fd795dd1253f3466db46f1d528297f4d9455dd59117097b4f53583405d77dd7bcc9ffc123cf65d5470f23e6075cbb61b01709f324347df5

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads