Resubmissions
07-03-2024 09:45
240307-lrdjtage46 10Analysis
-
max time kernel
299s -
max time network
258s -
platform
ubuntu-20.04_amd64 -
resource
ubuntu2004-amd64-20240221-en -
resource tags
arch:amd64arch:i386image:ubuntu2004-amd64-20240221-enkernel:5.4.0-169-genericlocale:en-usos:ubuntu-20.04-amd64system -
submitted
07-03-2024 09:45
Behavioral task
behavioral1
Sample
kswapd0
Resource
ubuntu2004-amd64-20240221-en
ubuntu-20.04-amd64
9 signatures
300 seconds
General
-
Target
kswapd0
-
Size
2.1MB
-
MD5
8da798989b6e48fb211674b652119a8c
-
SHA1
ffe36761ebc571f086d06e8a3b5cb3adc5ce8deb
-
SHA256
8acfbcd3da37b25ae2f2d88115c4b1b05c75e2e9face918e3f21fa10cc3126b4
-
SHA512
1859b99e1cfa246807d51cec8441b00d0a21251d46198a92b10e7bcf3a4d764a48ba54953da2d79cdbb2d9e29d95d2a6c86c2a34e0968409dbedf9baff807f3b
-
SSDEEP
49152:XNcjlR90c88OeWSUiyLspBFLKb52pzTduYRSt4rxIugUWsfCfbws:9WPQheWvi9TKV29TdjxICWeCTws
Score
10/10
Malware Config
Signatures
-
xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
-
Attempts to change immutable files 2 IoCs
Modifies inode attributes on the filesystem to allow changing of immutable files.
Processes:
chattrchattrpid Process 1493 chattr 1495 chattr -
Checks CPU configuration 1 TTPs 1 IoCs
Checks CPU information which indicate if the system is a virtual machine.
Processes:
kswapd0description ioc Process File opened for reading /proc/cpuinfo kswapd0 -
Checks hardware identifiers (DMI) 1 TTPs 4 IoCs
Checks DMI information which indicate if the system is a virtual machine.
Processes:
kswapd0description ioc Process File opened for reading /sys/devices/virtual/dmi/id/product_name kswapd0 File opened for reading /sys/devices/virtual/dmi/id/board_vendor kswapd0 File opened for reading /sys/devices/virtual/dmi/id/bios_vendor kswapd0 File opened for reading /sys/devices/virtual/dmi/id/sys_vendor kswapd0 -
Reads CPU attributes 1 TTPs 45 IoCs
Processes:
kswapd0description ioc Process File opened for reading /sys/devices/system/cpu/cpu0/cache/index4/shared_cpu_map kswapd0 File opened for reading /sys/devices/system/cpu/cpu0/cache/index7/shared_cpu_map kswapd0 File opened for reading /sys/devices/system/cpu/cpu0/cache/index0/shared_cpu_map kswapd0 File opened for reading /sys/devices/system/cpu/cpu0/cache/index2/size kswapd0 File opened for reading /sys/devices/system/cpu/cpu0/cache/index2/physical_line_partition kswapd0 File opened for reading /sys/devices/system/cpu/cpu0/cache/index3/shared_cpu_map kswapd0 File opened for reading /sys/devices/system/cpu/online kswapd0 File opened for reading /sys/devices/system/cpu/cpu0/topology/core_cpus kswapd0 File opened for reading /sys/devices/system/cpu/cpu0/cache/index0/number_of_sets kswapd0 File opened for reading /sys/devices/system/cpu/cpu0/cache/index2/shared_cpu_map kswapd0 File opened for reading /sys/devices/system/cpu/cpu0/cpufreq/cpuinfo_max_freq kswapd0 File opened for reading /sys/devices/system/cpu/possible kswapd0 File opened for reading /sys/devices/system/cpu/cpu0/topology/core_id kswapd0 File opened for reading /sys/devices/system/cpu/cpu0/cache/index0/size kswapd0 File opened for reading /sys/devices/system/cpu/cpu0/cache/index1/shared_cpu_map kswapd0 File opened for reading /sys/devices/system/cpu/cpu0/cache/index3/size kswapd0 File opened for reading /sys/devices/system/cpu/cpu0/cache/index3/type kswapd0 File opened for reading /sys/devices/system/cpu/cpu0/cache/index5/shared_cpu_map kswapd0 File opened for reading /sys/devices/system/cpu/cpu0/cache/index0/type kswapd0 File opened for reading /sys/devices/system/cpu/cpu0/cache/index0/id kswapd0 File opened for reading /sys/devices/system/cpu/cpu0/cache/index0/physical_line_partition kswapd0 File opened for reading /sys/devices/system/cpu/cpu0/cache/index3/level kswapd0 File opened for reading /sys/devices/system/cpu/cpu0/cache/index0/level kswapd0 File opened for reading /sys/devices/system/cpu/cpu0/cache/index2/coherency_line_size kswapd0 File opened for reading /sys/devices/system/cpu/cpu0/cache/index2/number_of_sets kswapd0 File opened for reading /sys/devices/system/cpu/cpu0/cache/index3/id kswapd0 File opened for reading /sys/devices/system/cpu/cpu0/cache/index3/physical_line_partition kswapd0 File opened for reading /sys/devices/system/cpu/cpu0/cache/index9/shared_cpu_map kswapd0 File opened for reading /sys/devices/system/cpu/cpu0/topology/cluster_cpus kswapd0 File opened for reading /sys/devices/system/cpu/cpu0/topology/package_cpus kswapd0 File opened for reading /sys/devices/system/cpu/cpu0/cache/index1/level kswapd0 File opened for reading /sys/devices/system/cpu/cpu0/cache/index1/type kswapd0 File opened for reading /sys/devices/system/cpu/cpu0/cpu_capacity kswapd0 File opened for reading /sys/devices/system/cpu/cpu0/topology/physical_package_id kswapd0 File opened for reading /sys/devices/system/cpu/cpu0/cache/index1/id kswapd0 File opened for reading /sys/devices/system/cpu/cpu0/cache/index3/coherency_line_size kswapd0 File opened for reading /sys/devices/system/cpu/cpu0/cache/index3/number_of_sets kswapd0 File opened for reading /sys/devices/system/cpu/cpu0/cache/index2/id kswapd0 File opened for reading /sys/devices/system/cpu/cpu0/cache/index6/shared_cpu_map kswapd0 File opened for reading /sys/devices/system/cpu/cpu0/cache/index8/shared_cpu_map kswapd0 File opened for reading /sys/devices/system/cpu/cpu0/cpufreq/base_frequency kswapd0 File opened for reading /sys/devices/system/cpu/cpu0/topology/die_cpus kswapd0 File opened for reading /sys/devices/system/cpu/cpu0/cache/index0/coherency_line_size kswapd0 File opened for reading /sys/devices/system/cpu/cpu0/cache/index2/level kswapd0 File opened for reading /sys/devices/system/cpu/cpu0/cache/index2/type kswapd0 -
Reads hardware information 1 TTPs 14 IoCs
Accesses system info like serial numbers, manufacturer names etc.
Processes:
kswapd0description ioc Process File opened for reading /sys/devices/virtual/dmi/id/product_version kswapd0 File opened for reading /sys/devices/virtual/dmi/id/chassis_vendor kswapd0 File opened for reading /sys/devices/virtual/dmi/id/chassis_type kswapd0 File opened for reading /sys/devices/virtual/dmi/id/chassis_asset_tag kswapd0 File opened for reading /sys/devices/virtual/dmi/id/bios_version kswapd0 File opened for reading /sys/devices/virtual/dmi/id/board_name kswapd0 File opened for reading /sys/devices/virtual/dmi/id/board_asset_tag kswapd0 File opened for reading /sys/devices/virtual/dmi/id/chassis_serial kswapd0 File opened for reading /sys/devices/virtual/dmi/id/bios_date kswapd0 File opened for reading /sys/devices/virtual/dmi/id/product_serial kswapd0 File opened for reading /sys/devices/virtual/dmi/id/chassis_version kswapd0 File opened for reading /sys/devices/virtual/dmi/id/product_uuid kswapd0 File opened for reading /sys/devices/virtual/dmi/id/board_version kswapd0 File opened for reading /sys/devices/virtual/dmi/id/board_serial kswapd0 -
Enumerates kernel/hardware configuration 1 TTPs 24 IoCs
Reads contents of /sys virtual filesystem to enumerate system information.
Processes:
kswapd0modprobedescription ioc Process File opened for reading /sys/kernel/mm/hugepages/hugepages-2048kB/nr_hugepages kswapd0 File opened for reading /sys/devices/system/node/node0/access1/initiators kswapd0 File opened for reading /sys/devices/system/node/node0/access0/initiators/write_bandwidth kswapd0 File opened for reading /sys/devices/system/node/node0/hugepages/hugepages-2048kB/free_hugepages