General

  • Target

    xs.jpg

  • Size

    5KB

  • Sample

    240122-wm8t9sbgfq

  • MD5

    30f950242f01e4e8503da91dbb2d5fdc

  • SHA1

    cb9909bebcbc056e05e74b9c3c3b33a6a7a47659

  • SHA256

    b1570e2b2c9d957d943fb37f266ec48a51bee9db0a39dcd15ceb884384f8f6a1

  • SHA512

    229364a466b0a7cdb47a3061a36336c6426ebe06a747788967080a79ebf902b41a38f4870dbc5396afbdd8b75a42273f81ed131f133ffa3be68a3bf364e4a0d2

  • SSDEEP

    96:uou4dH1Yl9iaV4GmNdCvasvagaevagvaGvaV1FtIxH7YmJE7N7MDMtBPXSEKydtu:ndVM9iazmNdCvXvDfvZvNvW1LIxH7Ym/

Malware Config

Targets

    • Target

      xs.jpg

    • Size

      5KB

    • XMRig Miner payload

    • xmrig

      XMRig is a high performance, open source, cross platform CPU/GPU miner.

    • Modifies the dynamic linker configuration file

      Malware can modify the configuration file of the dynamic linker to preload malicious libraries into every executed process.

    • Deletes Audit logs

      Deletes logs related to the Linux Audit framework.

    • Deletes system logs

      Deletes the log file that contains global system messages. Adversaries may delete system logs to minimize their footprint.

    • Executes dropped EXE

    • Loads a kernel module

      Loads a Linux kernel module, potentially to achieve persistence.

    • Writes DNS configuration

      Writes data to DNS resolver config file.

    • Attempts to change immutable files

      Modifies inode attributes on the filesystem to allow changing of immutable files.

    • Checks CPU configuration

      Checks CPU information that indicates whether the system is a virtual machine.

    • Checks hardware identifiers (DMI)

      Checks DMI information that indicates whether the system is a virtual machine.

    • Creates/modifies environment variables

      Creating/modifying environment variables is a common persistence mechanism.

    • Deletes log files

      Deletes log files on the system.

    • Enumerates running processes

      Discovers information about currently running processes on the system.

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Reads CPU attributes

    • Reads hardware information

      Accesses system information such as serial numbers, manufacturer names, etc.

    • Modifies Bash startup script

MITRE ATT&CK Enterprise v15

Tasks