Resubmissions

28-02-2024 16:39

240228-t5z9qsge8w 10

05-02-2024 16:30

240205-tzsygacbb5 7

General

  • Target

    pg.sh

  • Size

    35KB

  • Sample

    240228-t5z9qsge8w

  • MD5

    2550990d2d52581b213e7c9305c392d3

  • SHA1

    f7f069915c9b97550dc1fb6cf631f6222416dcf5

  • SHA256

    8e27b76b3903312cc5e93f250d7cf90b7b999592d70dcf2922bb450023014006

  • SHA512

    a30d4a39203e6a98937e8670b7b3caaa63d2141fdf404bb28ca240d95cb7420bdfb8c695db81cc9c799e8818266600c137b8b0df2dfc69d7566bae64eee2ad50

  • SSDEEP

    768:X87XzQ5VFNcDAFLcIwgnoYq0xFB6ytguz:X3VF+D6cIwgos/z

Malware Config

Targets

    • Target

      pg.sh

    • Size

      35KB

    • MD5

      2550990d2d52581b213e7c9305c392d3

    • SHA1

      f7f069915c9b97550dc1fb6cf631f6222416dcf5

    • SHA256

      8e27b76b3903312cc5e93f250d7cf90b7b999592d70dcf2922bb450023014006

    • SHA512

      a30d4a39203e6a98937e8670b7b3caaa63d2141fdf404bb28ca240d95cb7420bdfb8c695db81cc9c799e8818266600c137b8b0df2dfc69d7566bae64eee2ad50

    • SSDEEP

      768:X87XzQ5VFNcDAFLcIwgnoYq0xFB6ytguz:X3VF+D6cIwgos/z

    • Kinsing

      Kinsing is a loader written in Golang.

    • Kinsing payload

    • xmrig

      XMRig is a high performance, open source, cross platform CPU/GPU miner.

    • XMRig Miner payload

    • Changes its process name

    • Deletes system logs

      Deletes log file which contains global system messages. Adversaries may delete system logs to minimize their footprint.

    • Executes dropped EXE

    • Flushes firewall rules

      Flushes/ disables firewall rules inside the Linux kernel.

    • Loads a kernel module

      Loads a Linux kernel module, potentially to achieve persistence

    • Reads EFI boot settings

      Reads EFI boot settings from the efivars filesystem, may contain security secrets or sensitive data.

    • UPX packed file

      Detects executables packed with UPX/modified UPX open source packer.

    • Attempts to change immutable files

      Modifies inode attributes on the filesystem to allow changing of immutable files.

    • Checks CPU configuration

      Checks CPU information which indicate if the system is a virtual machine.

    • Checks hardware identifiers (DMI)

      Checks DMI information which indicate if the system is a virtual machine.

    • Creates/modifies Cron job

      Cron allows running tasks on a schedule, and is commonly used for malware persistence.

    • Disables AppArmor

      Disables AppArmor security module.

    • Disables SELinux

      Disables SELinux security module.

    • Enumerates running processes

      Discovers information about currently running processes on the system

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Reads CPU attributes

    • Reads hardware information

      Accesses system info like serial numbers, manufacturer names etc.

    • Reads list of loaded kernel modules

      Reads the list of currently loaded kernel modules, possibly to detect virtual environments.

MITRE ATT&CK Enterprise v15

Tasks