eecd1655817b07b4dcf843951be0b9e642c119eadd62bc118bb1fd82aa51aa1c

Analysis

max time kernel
24s
platform
debian-9_mipsel
resource
debian9-mipsel-20240226-en
resource tags

arch:mipselimage:debian9-mipsel-20240226-enkernel:4.9.0-13-4kc-maltalocale:en-usos:debian-9-mipselsystem
submitted
20-03-2024 08:13

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

adxintrin_b
Size

241KB
MD5

0e51f9a53fb48add6d175fb559d0bad4
SHA1

0eb71ce8dd1e51da43daf4489a9dc8073e37d62c
SHA256

eecd1655817b07b4dcf843951be0b9e642c119eadd62bc118bb1fd82aa51aa1c
SHA512

91276db9ac0517dad59cccb5608107fb95f55ca2e402b8d8ef91096a3f95c8322ba2fd5938b8b83b9f8d7a72d668298739bd494061073862cdeb11e4f6724190
SSDEEP

3072:Joc9NUyVPo4WTLVCZ+5YygA9+HNqITq0HVOedH0O2l9+hoAlUhPu+:ic9XVPo4WTLVCZ+5YJRtlUhPu+

Score

9^/10

persistence

Malware Config

Signatures

Modifies the dynamic linker configuration file 1 TTPs 1 IoCs

Malware can modify the configuration file of the dynamic linker to preload malicous libraries with every executed process.

persistence

Hijack Execution Flow

T1574

description	ioc
File opened for modification	/etc/ld.so.preload

Enumerates running processes
Discovers information about currently running processes on the system

Reads CPU attributes 1 TTPs 43 IoCs

System Information Discovery

T1082

description	ioc	Process
File opened for reading	/sys/devices/system/cpu/online	ps
File opened for reading	/sys/devices/system/cpu/online	ps
File opened for reading	/sys/devices/system/cpu/online	sysctl
File opened for reading	/sys/devices/system/cpu/online	ps
File opened for reading	/sys/devices/system/cpu/online	pkill
File opened for reading	/sys/devices/system/cpu/online	pkill
File opened for reading	/sys/devices/system/cpu/online	ps
File opened for reading	/sys/devices/system/cpu/online	ps
File opened for reading	/sys/devices/system/cpu/online	ps
File opened for reading	/sys/devices/system/cpu/online	ps
File opened for reading	/sys/devices/system/cpu/online	ps
File opened for reading	/sys/devices/system/cpu/online	ps
File opened for reading	/sys/devices/system/cpu/online	ps
File opened for reading	/sys/devices/system/cpu/online	kill
File opened for reading	/sys/devices/system/cpu/online	kill
File opened for reading	/sys/devices/system/cpu/online	pkill
File opened for reading	/sys/devices/system/cpu/online	ps
File opened for reading	/sys/devices/system/cpu/online	ps
File opened for reading	/sys/devices/system/cpu/online	ps
File opened for reading	/sys/devices/system/cpu/online	ps
File opened for reading	/sys/devices/system/cpu/online	ps
File opened for reading	/sys/devices/system/cpu/online	ps
File opened for reading	/sys/devices/system/cpu/online	kill
File opened for reading	/sys/devices/system/cpu/online	kill
File opened for reading	/sys/devices/system/cpu/online	pkill
File opened for reading	/sys/devices/system/cpu/online	ps
File opened for reading	/sys/devices/system/cpu/online	ps
File opened for reading	/sys/devices/system/cpu/online	ps
File opened for reading	/sys/devices/system/cpu/online	pkill
File opened for reading	/sys/devices/system/cpu/online	ps
File opened for reading	/sys/devices/system/cpu/online	pkill
File opened for reading	/sys/devices/system/cpu/online	pkill
File opened for reading	/sys/devices/system/cpu/online	pkill
File opened for reading	/sys/devices/system/cpu/online	kill
File opened for reading	/sys/devices/system/cpu/online	ps
File opened for reading	/sys/devices/system/cpu/online	ps
File opened for reading	/sys/devices/system/cpu/online	ps
File opened for reading	/sys/devices/system/cpu/online	kill
File opened for reading	/sys/devices/system/cpu/online	kill
File opened for reading	/sys/devices/system/cpu/online	pkill
File opened for reading	/sys/devices/system/cpu/online	pkill
File opened for reading	/sys/devices/system/cpu/online	kill
File opened for reading	/sys/devices/system/cpu/online	pkill

Reads runtime system information 64 IoCs

Reads data from /proc virtual filesystem.

description	ioc	Process
File opened for reading	/proc/703/status	pkill
File opened for reading	/proc/382/status	pkill
File opened for reading	/proc/37/status	pkill
File opened for reading	/proc/382/cmdline	pkill
File opened for reading	/proc/4/status	ps
File opened for reading	/proc/72/cmdline	pkill
File opened for reading	/proc/21/stat	ps
File opened for reading	/proc/697/status	ps
File opened for reading	/proc/115/status	ps
File opened for reading	/proc/24/status	ps
File opened for reading	/proc/570/status	ps
File opened for reading	/proc/78/cmdline	ps
File opened for reading	/proc/10/cmdline	pkill
File opened for reading	/proc/13/status	ps
File opened for reading	/proc/7/stat	ps
File opened for reading	/proc/556/cmdline	ps
File opened for reading	/proc/37/cmdline	ps
File opened for reading	/proc/357/cmdline	pkill
File opened for reading	/proc/697/cmdline	ps
File opened for reading	/proc/16/cmdline	ps
File opened for reading	/proc/77/cmdline	ps
File opened for reading	/proc/uptime	ps
File opened for reading	/proc/6/stat	ps
File opened for reading	/proc/2/stat	ps
File opened for reading	/proc/16/cmdline	ps
File opened for reading	/proc/754/cmdline	ps
File opened for reading	/proc/2/cmdline	ps
File opened for reading	/proc/71/cmdline	ps
File opened for reading	/proc/12/status	ps
File opened for reading	/proc/1/cmdline	ps
File opened for reading	/proc/14/stat	ps
File opened for reading	/proc/105/cmdline	pkill
File opened for reading	/proc/stat	ps
File opened for reading	/proc/7/stat	ps
File opened for reading	/proc/791/status	pkill
File opened for reading	/proc/37/stat	ps
File opened for reading	/proc/4/status	ps
File opened for reading	/proc/17/cmdline	ps
File opened for reading	/proc/23/status	pkill
File opened for reading	/proc/5/stat	ps
File opened for reading	/proc/71/cmdline	pkill
File opened for reading	/proc/397/cmdline	pkill
File opened for reading	/proc/757/stat	ps
File opened for reading	/proc/13/status	ps
File opened for reading	/proc/814/status	ps
File opened for reading	/proc/7/status	ps
File opened for reading	/proc/373/status	pkill
File opened for reading	/proc/13/cmdline	pkill
File opened for reading	/proc/75/status	ps
File opened for reading	/proc/77/status	pkill
File opened for reading	/proc/18/status	pkill
File opened for reading	/proc/82/status	ps
File opened for reading	/proc/776/stat	ps
File opened for reading	/proc/76/status	ps
File opened for reading	/proc/234/status	ps
File opened for reading	/proc/24/stat	ps
File opened for reading	/proc/5/status	pkill
File opened for reading	/proc/77/stat	ps
File opened for reading	/proc/1/cmdline	ps
File opened for reading	/proc/697/status	pkill
File opened for reading	/proc/329/stat	ps
File opened for reading	/proc/23/cmdline	ps
File opened for reading	/proc/710/status	ps
File opened for reading	/proc/374/stat	ps

/tmp/adxintrin_b
/tmp/adxintrin_b
1⤵
PID:703
- /sbin/sysctl
  sysctl "kernel.pid_max=4194304"
  2⤵
  - Reads CPU attributes
  PID:708
- /bin/chmod
  chmod 666 /dev/null
  2⤵
  PID:711
- /bin/chmod
  chmod 755 "/etc/bin/*"
  2⤵
  PID:713
- /usr/bin/basename
  basename /tmp/adxintrin_b
  2⤵
  PID:720
- /bin/grep
  grep -a xfit /root/.bashrc
  2⤵
  PID:721
- /bin/mkdir
  mkdir /tmp
  2⤵
  PID:724
- /bin/chmod
  chmod 755 /etc/ld.so.preload
  2⤵
  PID:726
- /bin/ps
  ps -eaf
  2⤵
  - Reads CPU attributes
  - Reads runtime system information
  PID:731
- /bin/grep
  grep -v grep
  2⤵
  PID:733
- /bin/grep
  grep spend-secret-key
  2⤵
  PID:732
- /bin/grep
  grep -v defunct
  2⤵
  PID:734
- /usr/bin/xargs
  xargs kill -9
  2⤵
  PID:736
- - /usr/local/sbin/kill
    kill -9
    3⤵
    PID:739
- - /usr/local/bin/kill
    kill -9
    3⤵
    PID:739
- - /usr/sbin/kill
    kill -9
    3⤵
    PID:739
- - /usr/bin/kill
    kill -9
    3⤵
    PID:739
- - /sbin/kill
    kill -9
    3⤵
    PID:739
- - /bin/kill
    kill -9
    3⤵
    - Reads CPU attributes
    PID:739
- /usr/bin/awk
  awk "{ print \$2 }"
  2⤵
  PID:735
- /bin/grep
  grep -- "\\-\\-algo"
  2⤵
  PID:742
- /bin/grep
  grep -v grep
  2⤵
  PID:743
- /bin/ps
  ps -eaf
  2⤵
  - Reads CPU attributes
  - Reads runtime system information
  PID:741
- /bin/grep
  grep -v defunct
  2⤵
  PID:744
- /usr/bin/awk
  awk "{ print \$2 }"
  2⤵
  PID:745
- /usr/bin/xargs
  xargs kill -9
  2⤵
  PID:746
- - /usr/local/sbin/kill
    kill -9
    3⤵
    PID:748
- - /usr/local/bin/kill
    kill -9
    3⤵
    PID:748
- - /usr/sbin/kill
    kill -9
    3⤵
    PID:748
- - /usr/bin/kill
    kill -9
    3⤵
    PID:748
- - /sbin/kill
    kill -9
    3⤵
    PID:748
- - /bin/kill
    kill -9
    3⤵
    - Reads CPU attributes
    PID:748
- /bin/grep
  grep -- "\\-\\-url"
  2⤵
  PID:751
- /bin/grep
  grep -v grep
  2⤵
  PID:752
- /bin/ps
  ps -eaf
  2⤵
  - Reads CPU attributes
  - Reads runtime system information
  PID:750
- /bin/grep
  grep -v defunct
  2⤵
  PID:753
- /usr/bin/awk
  awk "{ print \$2 }"
  2⤵
  PID:754
- /usr/bin/xargs
  xargs kill -9
  2⤵
  PID:755
- - /usr/local/sbin/kill
    kill -9
    3⤵
    PID:758
- - /usr/local/bin/kill
    kill -9
    3⤵
    PID:758
- - /usr/sbin/kill
    kill -9
    3⤵
    PID:758
- - /usr/bin/kill
    kill -9
    3⤵
    PID:758
- - /sbin/kill
    kill -9
    3⤵
    PID:758
- - /bin/kill
    kill -9
    3⤵
    - Reads CPU attributes
    PID:758
- /bin/grep
  grep -- "\\-\\-donate-level"
  2⤵
  PID:761
- /bin/grep
  grep -v grep
  2⤵
  PID:762
- /bin/ps
  ps -eaf
  2⤵
  - Reads CPU attributes
  - Reads runtime system information
  PID:760
- /bin/grep
  grep -v defunct
  2⤵
  PID:763
- /usr/bin/awk
  awk "{ print \$2 }"
  2⤵
  PID:764
- /usr/bin/xargs
  xargs kill -9
  2⤵
  PID:765
- - /usr/local/sbin/kill
    kill -9
    3⤵
    PID:766
- - /usr/local/bin/kill
    kill -9
    3⤵
    PID:766
- - /usr/sbin/kill
    kill -9
    3⤵
    PID:766
- - /usr/bin/kill
    kill -9
    3⤵
    PID:766
- - /sbin/kill
    kill -9
    3⤵
    PID:766
- - /bin/kill
    kill -9
    3⤵
    - Reads CPU attributes
    PID:766
- /bin/grep
  grep minerd
  2⤵
  PID:768
- /bin/grep
  grep -v grep
  2⤵
  PID:769
- /bin/grep
  grep -v defunct
  2⤵
  PID:770
- /bin/ps
  ps -eaf
  2⤵
  - Reads CPU attributes
  - Reads runtime system information
  PID:767
- /usr/bin/awk
  awk "{ print \$2 }"
  2⤵
  PID:771
- /usr/bin/xargs
  xargs kill -9
  2⤵
  PID:772
- - /usr/local/sbin/kill
    kill -9
    3⤵
    PID:774
- - /usr/local/bin/kill
    kill -9
    3⤵
    PID:774
- - /usr/sbin/kill
    kill -9
    3⤵
    PID:774
- - /usr/bin/kill
    kill -9
    3⤵
    PID:774
- - /sbin/kill
    kill -9
    3⤵
    PID:774
- - /bin/kill
    kill -9
    3⤵
    - Reads CPU attributes
    PID:774
- /bin/grep
  grep xmr
  2⤵
  PID:776
- /bin/grep
  grep -v grep
  2⤵
  PID:777
- /bin/ps
  ps -eaf
  2⤵
  - Reads CPU attributes
  - Reads runtime system information
  PID:775
- /bin/grep
  grep -v defunct
  2⤵
  PID:778
- /usr/bin/awk
  awk "{ print \$2 }"
  2⤵
  PID:779
- /usr/bin/xargs
  xargs kill -9
  2⤵
  PID:780
- - /usr/local/sbin/kill
    kill -9
    3⤵
    PID:781
- - /usr/local/bin/kill
    kill -9
    3⤵
    PID:781
- - /usr/sbin/kill
    kill -9
    3⤵
    PID:781
- - /usr/bin/kill
    kill -9
    3⤵
    PID:781
- - /sbin/kill
    kill -9
    3⤵
    PID:781
- - /bin/kill
    kill -9
    3⤵
    - Reads CPU attributes
    PID:781
- /bin/grep
  grep cryptonight
  2⤵
  PID:783
- /bin/grep
  grep -v grep
  2⤵
  PID:784
- /bin/ps
  ps -eaf
  2⤵
  - Reads CPU attributes
  - Reads runtime system information
  PID:782
- /bin/grep
  grep -v defunct
  2⤵
  PID:785
- /usr/bin/awk
  awk "{ print \$2 }"
  2⤵
  PID:786
- /usr/bin/xargs
  xargs kill -9
  2⤵
  PID:787
- - /usr/local/sbin/kill
    kill -9
    3⤵
    PID:788
- - /usr/local/bin/kill
    kill -9
    3⤵
    PID:788
- - /usr/sbin/kill
    kill -9
    3⤵
    PID:788
- - /usr/bin/kill
    kill -9
    3⤵
    PID:788
- - /sbin/kill
    kill -9
    3⤵
    PID:788
- - /bin/kill
    kill -9
    3⤵
    - Reads CPU attributes
    PID:788
- /usr/bin/pkill
  pkill -9 xmrig
  2⤵
  - Reads CPU attributes
  PID:789
- /usr/bin/pkill
  pkill -f xmrig
  2⤵
  - Reads CPU attributes
  - Reads runtime system information
  PID:790
- /usr/bin/pkill
  pkill -f Loopback
  2⤵
  - Reads CPU attributes
  - Reads runtime system information
  PID:791
- /usr/bin/pkill
  pkill -f apaceha
  2⤵
  - Reads CPU attributes
  PID:792
- /usr/bin/pkill
  pkill -f cryptonight
  2⤵
  - Reads CPU attributes
  - Reads runtime system information
  PID:793
- /usr/bin/pkill
  pkill -f stratum
  2⤵
  - Reads CPU attributes
  - Reads runtime system information
  PID:794
- /usr/bin/pkill
  pkill -f minerd
  2⤵
  - Reads CPU attributes
  - Reads runtime system information
  PID:795
- /usr/bin/pkill
  pkill -9 log-rotate
  2⤵
  - Reads CPU attributes
  - Reads runtime system information
  PID:796
- /usr/bin/pkill
  pkill -9 warmun
  2⤵
  - Reads CPU attributes
  - Reads runtime system information
  PID:797
- /usr/bin/pkill
  pkill -9 kinettd
  2⤵
  - Reads CPU attributes
  - Reads runtime system information
  PID:798
- /usr/bin/find
  find /root -maxdepth 2 -name "*kill*"
  2⤵
  PID:799
- /usr/bin/chattr
  chattr -aui /etc/cron.daily/xbash
  2⤵
  PID:800
- /usr/bin/chattr
  chattr -aui /etc/cron.hourly/xbash
  2⤵
  PID:801
- /bin/grep
  grep -v grep
  2⤵
  PID:803
- /bin/ps
  ps cax
  2⤵
  - Reads CPU attributes
  - Reads runtime system information
  PID:802
- /bin/grep
  grep top.sh
  2⤵
  PID:804
- /bin/grep
  grep -v grep
  2⤵
  PID:806
- /bin/ps
  ps cax
  2⤵
  - Reads CPU attributes
  - Reads runtime system information
  PID:805
- /bin/grep
  grep ds_agent
  2⤵
  PID:807
- /bin/grep
  grep -v grep
  2⤵
  PID:809
- /bin/ps
  ps cax
  2⤵
  - Reads CPU attributes
  - Reads runtime system information
  PID:808
- /bin/grep
  grep vm-agent
  2⤵
  PID:810
- /bin/grep
  grep -v grep
  2⤵
  PID:812
- /bin/grep
  grep mysqll
  2⤵
  PID:813
- /bin/ps
  ps cax
  2⤵
  - Reads CPU attributes
  - Reads runtime system information
  PID:811
- /bin/ps
  ps cax
  2⤵
  - Reads CPU attributes
  - Reads runtime system information
  PID:814
- /bin/grep
  grep -v grep
  2⤵
  PID:815
- /bin/grep
  grep linux_client
  2⤵
  PID:816
- /bin/ps
  ps -eaf
  2⤵
  - Reads CPU attributes
  PID:817
- /bin/grep
  grep linux_client
  2⤵
  PID:818
- /bin/grep
  grep -v grep
  2⤵
  PID:819
- /usr/bin/awk
  awk "{ print \$2 }"
  2⤵
  PID:820
- /usr/bin/xargs
  xargs kill -9
  2⤵
  PID:821
- - /usr/local/sbin/kill
    kill -9
    3⤵
    PID:822
- - /usr/local/bin/kill
    kill -9
    3⤵
    PID:822
- - /usr/sbin/kill
    kill -9
    3⤵
    PID:822
- - /usr/bin/kill
    kill -9
    3⤵
    PID:822
- - /sbin/kill
    kill -9
    3⤵
    PID:822
- - /bin/kill
    kill -9
    3⤵
    - Reads CPU attributes
    PID:822
- /bin/grep
  grep -v grep
  2⤵
  PID:824
- /bin/grep
  grep edr_agent
  2⤵
  PID:825
- /bin/ps
  ps cax
  2⤵
  - Reads CPU attributes
  - Reads runtime system information
  PID:823
- /bin/grep
  grep -v grep
  2⤵
  PID:827
- /bin/ps
  ps -eo cmd
  2⤵
  - Reads CPU attributes
  - Reads runtime system information
  PID:826
- /bin/grep
  grep edr_agent
  2⤵
  PID:828
- /bin/grep
  grep -v grep
  2⤵
  PID:830
- /bin/grep
  grep xs_agent
  2⤵
  PID:831
- /bin/ps
  ps -eo cmd
  2⤵
  - Reads CPU attributes
  - Reads runtime system information
  PID:829
- /bin/grep
  grep -v grep
  2⤵
  PID:833
- /bin/ps
  ps -eo cmd
  2⤵
  - Reads CPU attributes
  - Reads runtime system information
  PID:832
- /bin/grep
  grep cwpp_agent
  2⤵
  PID:834
- /bin/grep
  grep -v grep
  2⤵
  PID:836
- /bin/grep
  grep ds_agent
  2⤵
  PID:837
- /bin/ps
  ps -eo cmd
  2⤵
  - Reads CPU attributes
  - Reads runtime system information
  PID:835
- /bin/ps
  ps cax
  2⤵
  - Reads CPU attributes
  PID:838
- /bin/grep
  grep -v grep
  2⤵
  PID:839
- /bin/grep
  grep guard_client
  2⤵
  PID:840
- /bin/grep
  grep -v grep
  2⤵
  PID:842
- /bin/ps
  ps -eo cmd
  2⤵
  - Reads CPU attributes
  PID:841
- /bin/grep
  grep qaxsafe
  2⤵
  PID:843
- /bin/ps
  ps -eo cmd
  2⤵
  - Reads CPU attributes
  - Reads runtime system information
  PID:844
- /bin/grep
  grep -v grep
  2⤵
  PID:845
- /bin/grep
  grep clamav
  2⤵
  PID:846
- /bin/grep
  grep -v grep
  2⤵
  PID:848
- /bin/ps
  ps -eo cmd
  2⤵
  - Reads CPU attributes
  PID:847
- /bin/grep
  grep 360safed
  2⤵
  PID:849
- /bin/grep
  grep -v grep
  2⤵
  PID:851
- /bin/grep
  grep eppagent
  2⤵
  PID:852
- /bin/ps
  ps -eo cmd
  2⤵
  - Reads CPU attributes
  - Reads runtime system information
  PID:850
- /bin/rm
  rm -rf "/home/*/.local/share/Trash/*/**"
  2⤵
  PID:855
- /bin/rm
  rm -rf "/root/.local/share/Trash/*/**"
  2⤵
  PID:856
- /bin/rm
  rm -rf /usr/share/man/cs /usr/share/man/da /usr/share/man/de /usr/share/man/es /usr/share/man/fi /usr/share/man/fr /usr/share/man/hu /usr/share/man/id /usr/share/man/it /usr/share/man/ja /usr/share/man/ko /usr/share/man/nl /usr/share/man/pl /usr/share/man/pt /usr/share/man/ru /usr/share/man/sl /usr/share/man/sv /usr/share/man/tr
  2⤵
  PID:858
- /bin/rm
  rm -rf /usr/share/man/pt_BR /usr/share/man/zh_CN /usr/share/man/zh_TW
  2⤵
  PID:861
- /bin/rm
  rm -rf "/core.*"
  2⤵
  PID:863
- /bin/rm
  rm -fr /root/install
  2⤵
  PID:864
- /bin/rm
  rm -fr /boot/xmrig
  2⤵
  PID:865
- /bin/rm
  rm -fr /root/xmrig
  2⤵
  PID:867
- /bin/rm
  rm -fr /kinettd
  2⤵
  PID:868
- /usr/bin/pkill
  pkill -9 abrtd
  2⤵
  - Reads CPU attributes
  - Reads runtime system information
  PID:870
- /bin/cp
  cp -f /etc/cron.daily/xbash /etc/cron.hourly/anacron
  2⤵
  PID:873
- /bin/cp
  cp -f /etc/cron.daily/xbash /etc/cron.weekly/cron
  2⤵
  PID:874
- /bin/chmod
  chmod 755 /etc/cron.hourly/anacron
  2⤵
  PID:877
- /bin/chmod
  chmod 755 /etc/cron.weekly/cron
  2⤵
  PID:878
- /usr/bin/arch
  arch
  2⤵
  PID:879
- /usr/bin/arch
  arch
  2⤵
  PID:880
- /usr/bin/arch
  arch
  2⤵
  PID:882
- /bin/cat
  cat /dev/null
  2⤵
  PID:883
- /bin/rm
  rm -fr /root/gcclib
  2⤵
  PID:885
- /bin/rm
  rm -fr /usr/spirit
  2⤵
  PID:886
- /bin/rm
  rm -fr /root/tmp
  2⤵
  PID:887
- /bin/rm
  rm -fr /var/lib/libgcc_a.tar.gz
  2⤵
  PID:888
- /bin/rm
  rm -fr /etc/cron.daily/xbash
  2⤵
  PID:890

/usr/bin/dirname
dirname /tmp/adxintrin_b
1⤵
PID:717

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Hijack Execution Flow

T1574

Privilege Escalation

Hijack Execution Flow

T1574

Defense Evasion

Hijack Execution Flow

T1574

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads