Extracted

• • Target

    script_malware/063ccf736c2c19ca5db70b8d8a7cf00377899c16023c63fee836bdefadd336c1.sh

  • Size

    11KB

  • MD5

    07b7746b922cf7d7fa821123a226ed36

  • SHA1

    bf2df8f2813ef4e2cf61ea193e091b808aa854c7

  • SHA256

    063ccf736c2c19ca5db70b8d8a7cf00377899c16023c63fee836bdefadd336c1

  • SHA512

    ad29993a88c996f96fdc5c01fda89400b1e27228c58445d181dc6af974a171ee36e014d90aa8e09de6d83e4bfd12d167eb361bd52b6d194af6f249a6812019cb

  • SSDEEP

    192:Xws08k5tkd5DFPSV3n7/e867jNKvSbRXA8kWmk4lkCIkvUgoaES8DSWOlA+1esP:XQwL4/e867USbRXA8kWT4yCtvUgDjdWi

  Score

  9^/10

  infostealerpersistencerootkit

  • Modifies the dynamic linker configuration file

    Malware can modify the configuration file of the dynamic linker to preload malicous libraries with every executed process.

    persistence

  • Flushes firewall rules

    Flushes/ disables firewall rules inside the Linux kernel.

  • Loads a kernel module

    Loads a Linux kernel module, potentially to achieve persistence

    rootkit

  • Reads EFI boot settings

    Reads EFI boot settings from the efivars filesystem, may contain security secrets or sensitive data.

    infostealer

  • Attempts to change immutable files

    Modifies inode attributes on the filesystem to allow changing of immutable files.

  • Creates/modifies Cron job

    Cron allows running tasks on a schedule, and is commonly used for malware persistence.

    persistence

  • Enumerates running processes

    Discovers information about currently running processes on the system

  • Looks up external IP address via web service

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Modifies systemd

    Adds/ modifies systemd service files. Likely to achieve persistence.

    persistence

  • Reads CPU attributes

  behavioral1

• • Target

    script_malware/1.sh

  • Size

    35KB

  • MD5

    2550990d2d52581b213e7c9305c392d3

  • SHA1

    f7f069915c9b97550dc1fb6cf631f6222416dcf5

  • SHA256

    8e27b76b3903312cc5e93f250d7cf90b7b999592d70dcf2922bb450023014006

  • SHA512

    a30d4a39203e6a98937e8670b7b3caaa63d2141fdf404bb28ca240d95cb7420bdfb8c695db81cc9c799e8818266600c137b8b0df2dfc69d7566bae64eee2ad50

  • SSDEEP

    768:X87XzQ5VFNcDAFLcIwgnoYq0xFB6ytguz:X3VF+D6cIwgos/z

  Score

  10^/10

  xmrigantivmevasioninfostealerminerpersistencerootkitupx

  • xmrig

    XMRig is a high performance, open source, cross platform CPU/GPU miner.

    minerxmrig

  • XMRig Miner payload

    miner

  • Deletes system logs

    Deletes log file which contains global system messages. Adversaries may delete system logs to minimize their footprint.

    evasion

  • Executes dropped EXE

  • Flushes firewall rules

    Flushes/ disables firewall rules inside the Linux kernel.

  • Loads a kernel module

    Loads a Linux kernel module, potentially to achieve persistence

    rootkit

  • Reads EFI boot settings

    Reads EFI boot settings from the efivars filesystem, may contain security secrets or sensitive data.

    infostealer

  • UPX packed file

    Detects executables packed with UPX/modified UPX open source packer.

    upx

  • Attempts to change immutable files

    Modifies inode attributes on the filesystem to allow changing of immutable files.

  • Checks CPU configuration

    Checks CPU information which indicate if the system is a virtual machine.

    antivm

  • Checks hardware identifiers (DMI)

    Checks DMI information which indicate if the system is a virtual machine.

    antivm

  • Creates/modifies Cron job

    Cron allows running tasks on a schedule, and is commonly used for malware persistence.

    persistence

  • Enumerates running processes

    Discovers information about currently running processes on the system

  • Looks up external IP address via web service

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Reads CPU attributes

  • Reads hardware information

    Accesses system info like serial numbers, manufacturer names etc.

  • Reads list of loaded kernel modules

    Reads the list of currently loaded kernel modules, possibly to detect virtual environments.

    evasion
  behavioral2

• • Target

    script_malware/10c3b6b03a9bf105d264a8e7f30dcab0a6c59a414529b0af0a6bd9f1d2984459.sh

  • Size

    3KB

  • MD5

    d0d36f169f1458806053aae482af5010

  • SHA1

    e603944aceb5c0885a8627de12f36b159bbf2f05

  • SHA256

    10c3b6b03a9bf105d264a8e7f30dcab0a6c59a414529b0af0a6bd9f1d2984459

  • SHA512

    982abe39731d8cc852c25650740ff73975c10d19027eccf610401260e2f508334f1de656f8dd332fa698dccc9f7d3bda610c8b9e84d276036a6e9408d826229a

  Score

  7^/10

  evasion

  • Deletes Audit logs

    Deletes logs related to the Linux Audit framework.

    evasion

  • Deletes log files

    Deletes log files on the system.

  • Enumerates running processes

    Discovers information about currently running processes on the system

  • Reads CPU attributes

  • Reads hardware information

    Accesses system info like serial numbers, manufacturer names etc.

  • Reads network interface configuration

    Fetches information about one or more active network interfaces.

  behavioral3

• • Target

    script_malware/164f8295_linux.elf

  • Size

    5.1MB

  • MD5

    c850f6816459e3364b2a54239642101b

  • SHA1

    30c60f18279ed5fd36e3ac2d3ba5ddbdc5d1f624

  • SHA256

    21162bbd796ad2bf9954265276bfebea8741596e8fe9d86070245d9b5f9db6da

  • SHA512

    be7eaec0e4847a422ab7b52af7f0493e2390973077500f4faab38cb0dafd9d651346aee13bb9e5a4fb936e3cc3f83c7db598121df37be9ff6cda2dadf59ccb2f

  • SSDEEP

    98304:nxygRxtJ8tcZe32l/+jMSXYTU4BcoPfa8/X:Stc0kbSXWJ

  Score

  1^/10
  behavioral4

• • Target

    script_malware/21162bbd796ad2bf9954265276bfebea8741596e8fe9d86070245d9b5f9db6da.elf

  • Size

    5.1MB

  • MD5

    c850f6816459e3364b2a54239642101b

  • SHA1

    30c60f18279ed5fd36e3ac2d3ba5ddbdc5d1f624

  • SHA256

    21162bbd796ad2bf9954265276bfebea8741596e8fe9d86070245d9b5f9db6da

  • SHA512

    be7eaec0e4847a422ab7b52af7f0493e2390973077500f4faab38cb0dafd9d651346aee13bb9e5a4fb936e3cc3f83c7db598121df37be9ff6cda2dadf59ccb2f

  • SSDEEP

    98304:nxygRxtJ8tcZe32l/+jMSXYTU4BcoPfa8/X:Stc0kbSXWJ

  Score

  1^/10
  behavioral5

• • Target

    script_malware/23.sh

  • Size

    287B

  • MD5

    aa0772cff70daa00d44a201b28ef6b08

  • SHA1

    d129e51acd50ed4ff87672dca4975ed313ae9ad9

  • SHA256

    a55e9eb1cb4dc2cb8d1a697d329b3a76e18b949308e16ef50aafca1e08123939

  • SHA512

    9d2654a7c7634909117d65b0d60bee51e2b9f2de320c2dfc7a30b36f182e2a44b21be91c3dd73fabd4d0cbff7fbc6c18a712cfd41fdcf51cf06ef4a39fe846b1

  Score

  10^/10

  xorddosantivmbotnetdownloaderinfostealerpersistence

  • XorDDoS

    Botnet and downloader malware targeting Linux-based operating systems and IoT devices.

    botnetdownloaderxorddos

  • XorDDoS payload

  • Deletes itself

  • Executes dropped EXE

  • Reads EFI boot settings

    Reads EFI boot settings from the efivars filesystem, may contain security secrets or sensitive data.

    infostealer

  • Checks CPU configuration

    Checks CPU information which indicate if the system is a virtual machine.

    antivm

  • Creates/modifies Cron job

    Cron allows running tasks on a schedule, and is commonly used for malware persistence.

    persistence

  • Modifies init.d

    Adds/modifies system service, likely for persistence.

    persistence

  • Write file to user bin folder

  behavioral6

• • Target

    script_malware/404

  • Size

    26KB

  • MD5

    e53cf00cf16d5e645103a266959ce5b7

  • SHA1

    d145edc39d2b5ab2392a989734ef28af77f74f7e

  • SHA256

    0fb9eb96a08f9ad3400f89749d32f3e44362346ec7fca9bd5e9ba85022e5ebc1

  • SHA512

    30b31e6b89f8f1eb92de62a2ba90ab299e060e11a91ef069927f045506dc73d0a276adf3966b4525164488bc8779b4a1a48f005513d9ba9f92916d04ec26f50a

  • SSDEEP

    192:phe97oGORlRQ4CR1ydi5DAomxCdsjnbP19+9Uc3gHNgWW1kSNPWW0wnENfICSo4M:iWBLZCRwdkzzsjT1TtE1dIfICSoTx9k2

  Score

  1^/10
  behavioral7

• • Target

    script_malware/864d7bcd96f8cf35b9e372b6508bc6ef1a704eaaa03c34bd79577b057aebec5b.py

  • Size

    38KB

  • MD5

    02e98c71545c8345d28920fbc4f99c28

  • SHA1

    a09e2b273c4cb323d4ea424ae456d9dbc9fc43f0

  • SHA256

    864d7bcd96f8cf35b9e372b6508bc6ef1a704eaaa03c34bd79577b057aebec5b

  • SHA512

    62ca71f1028be36e9afa5d26c8f11471d6679658b8b3db7b2db696f093a2a9d5e616a7b3c336a18c143c5c73908259eb4ca2f4af66d3ee56a5dc4ee358d2f530

  • SSDEEP

    768:Jkcso0KfNBqjxvcG4DRINIUBqKENI1gJkOpvUBL6GYJ5jHQES8Z80foQy2aCrhX:ueNB40xbUBqKEix2vLzwES8Z80foQ9X

  Score

  1^/10
  behavioral8

• • Target

    script_malware/8e27b76b3903312cc5e93f250d7cf90b7b999592d70dcf2922bb450023014006.sh

  • Size

    35KB

  • MD5

    2550990d2d52581b213e7c9305c392d3

  • SHA1

    f7f069915c9b97550dc1fb6cf631f6222416dcf5

  • SHA256

    8e27b76b3903312cc5e93f250d7cf90b7b999592d70dcf2922bb450023014006

  • SHA512

    a30d4a39203e6a98937e8670b7b3caaa63d2141fdf404bb28ca240d95cb7420bdfb8c695db81cc9c799e8818266600c137b8b0df2dfc69d7566bae64eee2ad50

  • SSDEEP

    768:X87XzQ5VFNcDAFLcIwgnoYq0xFB6ytguz:X3VF+D6cIwgos/z

  Score

  10^/10

  kinsingxmrig_linuxantivmevasioninfostealerloaderminerpersistencerootkitupx

  • Kinsing

    Kinsing is a loader written in Golang.

    loaderkinsing

  • Kinsing payload

  • xmrig

    XMRig is a high performance, open source, cross platform CPU/GPU miner.

    minerxmrig_linux

  • XMRig Miner payload

    miner

  • Changes its process name

  • Deletes system logs

    Deletes log file which contains global system messages. Adversaries may delete system logs to minimize their footprint.

    evasion

  • Executes dropped EXE

  • Flushes firewall rules

    Flushes/ disables firewall rules inside the Linux kernel.

  • Loads a kernel module

    Loads a Linux kernel module, potentially to achieve persistence

    rootkit

  • Reads EFI boot settings

    Reads EFI boot settings from the efivars filesystem, may contain security secrets or sensitive data.

    infostealer

  • UPX packed file

    Detects executables packed with UPX/modified UPX open source packer.

    upx

  • Attempts to change immutable files

    Modifies inode attributes on the filesystem to allow changing of immutable files.

  • Checks CPU configuration

    Checks CPU information which indicate if the system is a virtual machine.

    antivm

  • Checks hardware identifiers (DMI)

    Checks DMI information which indicate if the system is a virtual machine.

    antivm

  • Creates/modifies Cron job

    Cron allows running tasks on a schedule, and is commonly used for malware persistence.

    persistence

  • Disables AppArmor

    Disables AppArmor security module.

  • Disables SELinux

    Disables SELinux security module.

  • Enumerates running processes

    Discovers information about currently running processes on the system

  • Looks up external IP address via web service

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Reads CPU attributes

  • Reads hardware information

    Accesses system info like serial numbers, manufacturer names etc.

  • Reads list of loaded kernel modules

    Reads the list of currently loaded kernel modules, possibly to detect virtual environments.

    evasion
  behavioral9

• • Target

    script_malware/SnOoPy.sh

  • Size

    2KB

  • MD5

    f0664749e65d26335de79a90c7074d00

  • SHA1

    0deb03914ba232314b5214803dd97b94c1c9d9e5

  • SHA256

    57ad07730428c1412ba43f4470c2074f4f0ef4e6eb5fcd24c9e19e49028e455a

  • SHA512

    b605e84c23dad423a5e585c49957b0ade5f8764681f010fc1d192c81f677e4a849872db8afedd262e740f648aca18649a89420a54a02f1f1bd594c2125c2b6ff

  Score

  1^/10
  behavioral10

• • Target

    script_malware/a423a2a11c1904e42dc8630064e252ac4568220417a9ae072a557131e9386617.sh

  • Size

    677B

  • MD5

    0d60923ea49eff0f3624cd2fa2eb4b47

  • SHA1

    96c5fb1d27bc80c19e3d5804fa32ec4879280f4d

  • SHA256

    a423a2a11c1904e42dc8630064e252ac4568220417a9ae072a557131e9386617

  • SHA512

    3426d42801fedec6c2a2da166098079006fc2b527d9c93c053aa29d635231e246203039de27d7cb7cd0450518ecb40ab9c6b6506295cd096075fab9021055eb3

  Score

  1^/10
  behavioral11

• • Target

    script_malware/a58fa03638110727f4a4a227f6ec2c0dceaeb39ccee89d12a4d727bb50d29dc0.sh

  • Size

    11KB

  • MD5

    22a189e0266e0ad722b7e58923eafab5

  • SHA1

    04d01163b1a8ce62aabbc8636aeeb201a3ff28cc

  • SHA256

    a58fa03638110727f4a4a227f6ec2c0dceaeb39ccee89d12a4d727bb50d29dc0

  • SHA512

    12c98beec2d8d7449b79bd42c61f8a8c1c2bffb786ba0c0badeca69df46b10b535491ea6d9f938d7f47476a79a9021d0852ffefd31fcbfa8346e3c794ff55518

  • SSDEEP

    192:Xws08k5tkQPSV3n7/e867jNKvSbRXA8kWmk4lkCIkvUgoaES8DSWOlA+1esH:XQl4/e867USbRXA8kWT4yCtvUgDjdWO7

  Score

  9^/10

  infostealerpersistencerootkit

  • Modifies the dynamic linker configuration file

    Malware can modify the configuration file of the dynamic linker to preload malicous libraries with every executed process.

    persistence

  • Executes dropped EXE

  • Flushes firewall rules

    Flushes/ disables firewall rules inside the Linux kernel.

  • Loads a kernel module

    Loads a Linux kernel module, potentially to achieve persistence

    rootkit

  • Reads EFI boot settings

    Reads EFI boot settings from the efivars filesystem, may contain security secrets or sensitive data.

    infostealer

  • Attempts to change immutable files

    Modifies inode attributes on the filesystem to allow changing of immutable files.

  • Creates/modifies Cron job

    Cron allows running tasks on a schedule, and is commonly used for malware persistence.

    persistence

  • Enumerates running processes

    Discovers information about currently running processes on the system

  • Legitimate hosting services abused for malware hosting/C2

  • Modifies systemd

    Adds/ modifies systemd service files. Likely to achieve persistence.

    persistence

  • Reads CPU attributes

  behavioral12

• • Target

    script_malware/aa5a487db37ce176e17c7abbb2b1d460ba926344e46737f2f64b65bf5a4a3e58.sh

  • Size

    4KB

  • MD5

    34de9725e232ba82275bb0dcf9282e16

  • SHA1

    b17403e7dcb992ba8d2b56dd843406264d3910e5

  • SHA256

    aa5a487db37ce176e17c7abbb2b1d460ba926344e46737f2f64b65bf5a4a3e58

  • SHA512

    1e63fe08153e6b3c1b3593fcc070d297a1d0e67ffc3b7f3fc58b71b4b39487f1fe738b863ea5e23c21159b248bc2149a69009ee5372ff17d386effc4f2111fd7

  Score

  7^/10

  evasion

  • Deletes Audit logs

    Deletes logs related to the Linux Audit framework.

    evasion

  • Deletes log files

    Deletes log files on the system.

  • Enumerates running processes

    Discovers information about currently running processes on the system

  • Reads CPU attributes

  • Reads hardware information

    Accesses system info like serial numbers, manufacturer names etc.

  • Reads network interface configuration

    Fetches information about one or more active network interfaces.

  behavioral13

• • Target

    script_malware/ae4b7284a9538c66432f02097c3de14e2253d16b6602c4694753468bc14d7d28.sh

  • Size

    3KB

  • MD5

    cf5762eea336cf74a0323d715f72b8b9

  • SHA1

    b40e39adadc5ae4d98fd3900837414797562b1bc

  • SHA256

    ae4b7284a9538c66432f02097c3de14e2253d16b6602c4694753468bc14d7d28

  • SHA512

    35822aafe30d8a14a1ac48d25f6a5eff90c55e18c44df6432bcec962370b6ff1fe06559510090691abb5e4b50594b7067b48f3e582944b07af1c3669fe739c77

  Score

  7^/10

  evasion

  • Deletes Audit logs

    Deletes logs related to the Linux Audit framework.

    evasion

  • Deletes log files

    Deletes log files on the system.

  • Enumerates running processes

    Discovers information about currently running processes on the system

  • Reads CPU attributes

  • Reads hardware information

    Accesses system info like serial numbers, manufacturer names etc.

  • Reads network interface configuration

    Fetches information about one or more active network interfaces.

  behavioral14

• • Target

    script_malware/redtail.sh

  • Size

    551B

  • MD5

    9ec39c70dc24d8b1052ea5bf288cbb08

  • SHA1

    4ba674f003cb45986a88df222db6ad42e5102313

  • SHA256

    ef0195a0befc456ced03bdba95223c27dd106fcc2c5bc5617c31512f4b65eaff

  • SHA512

    b736e7740b3e3b533c97c275b47c1022efd1a281ee17ece61e515b2d3a4ed13ab3480e4378484b0abbbb2aa542d99436ea25aef6f2917af185e7989b9f7ff93b

  Score

  N/A
  behavioral15

• • Target

    script_malware/rs.sh

  • Size

    4KB

  • MD5

    1b3a715d9ee7524d75010c628255b7e5

  • SHA1

    e8fcd0dda56bf98f345974089a96f6391964a972

  • SHA256

    edc64c943e577f7a80cd893d045d0b8984ebd3ef5df59d6ef4c497adb877fa9b

  • SHA512

    351213285db6d1d0f12bd82755f521bc57882b69e1af81baa51dc366c94aaac3a180c2a230d582e052a53560f82e0ea0489efb1fd8bbb8476312fa418a425e1c

  • SSDEEP

    96:mhiSGbe3mp35gBzIX0bd0NNFGcrcBc3gjXuc2k:mhiSmeWpJgi0bONNFGzJus

  Score

  6^/10

  • Disables SELinux

    Disables SELinux security module.

  • Enumerates running processes

    Discovers information about currently running processes on the system

  • Reads CPU attributes

  behavioral16

• • Target

    script_malware/setup.sh

  • Size

    1KB

  • MD5

    37d7c910159cf1d62dbcf5b7bff399ea

  • SHA1

    90a783bc89f7fbfb52da193849d5d849b9a3a1e6

  • SHA256

    29acfdc8b457d7b56d5eb443fe6d22f8169db3786605e37be0bdac9bfb1503fb

  • SHA512

    dc78fbcfd58d8383842de7eb18b3f9f72b7255db8f670e93230916e98b8f6dbf77f8ba28cd93f9d3f740243adec500e9f245e4ebbb440aa882eff7907e9fe0c0

  Score

  7^/10

  • Executes dropped EXE

  behavioral17

• • Target

    script_malware/shell.elf

  • Size

    207B

  • MD5

    8427bcae96bac624c94ebf3e2f605984

  • SHA1

    45ac1af64f2118702f92b27cb62a2ada4277a16e

  • SHA256

    8841199eadcc4529587ddce865c3ee84de7495ed59b90ec64acfdbb4568562b9

  • SHA512

    6fddb09394661f542eab2566aedabdcf1432d414303fef7af24799f47a6bca8b6a930fa68a4c2d374483f083ab351c484581df66f91a187c34b01951a065307a

  Score

  1^/10
  behavioral18

• • Target

    script_malware/ta.sh

  • Size

    9KB

  • MD5

    83821e27601305f76432759042d2c2a2

  • SHA1

    ad255cce6b52d77b8791d2539667ebcefb5113d1

  • SHA256

    03f1490eb936b54330934b4e677a12b11c3acf2b0e4ca97c6c21ee3dc5a381fb

  • SHA512

    0570993f37ce4a0405f837e7e732f428e783e732c97a8c565bc73475542375bc30c6e2b7791d77566de104b426994571c5e1ae9818655e656aa4ebc62cc61864

  • SSDEEP

    192:R9FFa1GIJz8c104etI1Dd7mf85tunuFc8kIvTKxP4CUqQv2a44rKmmcDK9K7omhA:RjEAem4TNruwrCUqQua44rnm+2v47vGT

  Score

  10^/10

  xmrig_linuxantivminfostealerminerupx

  • xmrig

    XMRig is a high performance, open source, cross platform CPU/GPU miner.

    minerxmrig_linux

  • Executes dropped EXE

  • Reads EFI boot settings

    Reads EFI boot settings from the efivars filesystem, may contain security secrets or sensitive data.

    infostealer

  • UPX packed file

    Detects executables packed with UPX/modified UPX open source packer.

    upx

  • Checks CPU configuration

    Checks CPU information which indicate if the system is a virtual machine.

    antivm

  • Checks hardware identifiers (DMI)

    Checks DMI information which indicate if the system is a virtual machine.

    antivm

  • Enumerates running processes

    Discovers information about currently running processes on the system

  • Reads CPU attributes

  • Reads hardware information

    Accesses system info like serial numbers, manufacturer names etc.

  behavioral19