Overview

overview

10

Static

static

1

be0fe6a134...22a.sh

ubuntu-18.04-amd64

7

be0fe6a134...22a.sh

debian-9-armhf

7

be0fe6a134...22a.sh

debian-9-mips

10

be0fe6a134...22a.sh

debian-9-mipsel

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    be0fe6a1344b052d4f61cca910f7d26ad02d283f280014eeca0d1cc729e6822a.zip

  • Size

    10KB

  • Sample

    240114-r58vrsceg5

  • MD5

    b93f6725102b6d79ca24970df54eb963

  • SHA1

    e985c8556967b9a14f0ddbe44f1181af8f4b0c14

  • SHA256

    00092d44dfb2f709dd9a2a618ce43bae530a1f274bde4d18da57fc40f72d7f0e

  • SHA512

    98c25a3947f2d00c9e6d58678a595924dfd5e3aa00e0fd68874b99c877178196bb52c3b73a000705c8f28aa1372b1a95b78c4675ccc80bc7f002f4757827ffaf

  • SSDEEP

    192:vHHdrtJbvj/JB2jKzpxp/mo6JHqNIZsqt7bVysurilcfhT97XkWGWdMq87PJXdg:PHdXzaKzFmo6JEEdysuriKV5XUAjIJ6

Score
10/10
xmrig_linuxevasionlinuxminerpersistencerootkitupx

Malware Config

Targets

    • Target

      be0fe6a1344b052d4f61cca910f7d26ad02d283f280014eeca0d1cc729e6822a.sh

    • Size

      46KB

    • MD5

      f0b071a68f96f23c329aa35145a6d405

    • SHA1

      e80968b1833d4968da34d30ff49974bb69035535

    • SHA256

      be0fe6a1344b052d4f61cca910f7d26ad02d283f280014eeca0d1cc729e6822a

    • SHA512

      550093803f4931a1cd2d9c4f0e20dbfe4fcfd1170f04fcd0b76af9d508db18baa3131589c3caaf601509946a525ab731bdf00618fd03017056625d95969477d3

    • SSDEEP

      768:bxlT2wDuWvWi7vFNcuFkc2zq0x3UKnicZuiR/amT8p:86F+Lc2/FicfSmT8p

    Score
    10/10
    evasionrootkitxmrig_linuxminerpersistenceupx

    • xmrig

      XMRig is a high performance, open source, cross platform CPU/GPU miner.

      minerxmrig_linux

    • Adds new SSH keys

      Linux special file to hold SSH keys. The threat actor may add new keys for further remote access.

      persistence

    • Changes its process name

    • Deletes system logs

      Deletes log file which contains global system messages. Adversaries may delete system logs to minimize their footprint.

      evasion

    • Executes dropped EXE

    • Flushes firewall rules

      Flushes/ disables firewall rules inside the Linux kernel.

    • Loads a kernel module

      Loads a Linux kernel module, potentially to achieve persistence

      rootkit

    • UPX packed file

      Detects executables packed with UPX/modified UPX open source packer.

      upx

    • Writes DNS configuration

      Writes data to DNS resolver config file.

    • Attempts to change immutable files

      Modifies inode attributes on the filesystem to allow changing of immutable files.

    • Creates/modifies Cron job

      Cron allows running tasks on a schedule, and is commonly used for malware persistence.

      persistence

    • Deletes log files

      Deletes log files on the system.

    • Disables AppArmor

      Disables AppArmor security module.

    • Disables SELinux

      Disables SELinux security module.

    • Enumerates running processes

      Discovers information about currently running processes on the system

    • Modifies rc script

      Adding/modifying system rc scripts is a common persistence mechanism.

      persistence

    • Reads CPU attributes

    • Write file to user bin folder

    • Writes file to system bin folder

    behavioral1behavioral2behavioral3behavioral4

MITRE ATT&CK Enterprise v15

Tasks