General
-
Target
pg.sh
-
Size
35KB
-
Sample
240228-t5z9qsge8w
-
MD5
2550990d2d52581b213e7c9305c392d3
-
SHA1
f7f069915c9b97550dc1fb6cf631f6222416dcf5
-
SHA256
8e27b76b3903312cc5e93f250d7cf90b7b999592d70dcf2922bb450023014006
-
SHA512
a30d4a39203e6a98937e8670b7b3caaa63d2141fdf404bb28ca240d95cb7420bdfb8c695db81cc9c799e8818266600c137b8b0df2dfc69d7566bae64eee2ad50
-
SSDEEP
768:X87XzQ5VFNcDAFLcIwgnoYq0xFB6ytguz:X3VF+D6cIwgos/z
Static task
static1
Behavioral task
behavioral1
Sample
pg.sh
Resource
ubuntu2004-amd64-20240221-en
Malware Config
Targets
-
-
Target
pg.sh
-
Size
35KB
-
MD5
2550990d2d52581b213e7c9305c392d3
-
SHA1
f7f069915c9b97550dc1fb6cf631f6222416dcf5
-
SHA256
8e27b76b3903312cc5e93f250d7cf90b7b999592d70dcf2922bb450023014006
-
SHA512
a30d4a39203e6a98937e8670b7b3caaa63d2141fdf404bb28ca240d95cb7420bdfb8c695db81cc9c799e8818266600c137b8b0df2dfc69d7566bae64eee2ad50
-
SSDEEP
768:X87XzQ5VFNcDAFLcIwgnoYq0xFB6ytguz:X3VF+D6cIwgos/z
-
Kinsing payload
-
XMRig Miner payload
-
Changes its process name
-
Deletes system logs
Deletes log file which contains global system messages. Adversaries may delete system logs to minimize their footprint.
-
Executes dropped EXE
-
Flushes firewall rules
Flushes/ disables firewall rules inside the Linux kernel.
-
Reads EFI boot settings
Reads EFI boot settings from the efivars filesystem, may contain security secrets or sensitive data.
-
Attempts to change immutable files
Modifies inode attributes on the filesystem to allow changing of immutable files.
-
Checks CPU configuration
Checks CPU information which indicate if the system is a virtual machine.
-
Checks hardware identifiers (DMI)
Checks DMI information which indicate if the system is a virtual machine.
-
Creates/modifies Cron job
Cron allows running tasks on a schedule, and is commonly used for malware persistence.
-
Disables AppArmor
Disables AppArmor security module.
-
Disables SELinux
Disables SELinux security module.
-
Enumerates running processes
Discovers information about currently running processes on the system
-
Looks up external IP address via web service
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Reads CPU attributes
-
Reads hardware information
Accesses system info like serial numbers, manufacturer names etc.
-
Reads list of loaded kernel modules
Reads the list of currently loaded kernel modules, possibly to detect virtual environments.
-