Overview

overview

10

Static

static

1

5c75e6f27c...kes118

ubuntu-18.04-amd64

10

5c75e6f27c...kes118

debian-9-armhf

7

5c75e6f27c...kes118

debian-9-mips

7

5c75e6f27c...kes118

debian-9-mipsel

8

Sharing

Copy URL
Twitter E-mail

General

  • Target

    5c75e6f27cc568187e4b7a6371c61181_JaffaCakes118

  • Size

    41KB

  • Sample

    240331-ygds2sah82

  • MD5

    5c75e6f27cc568187e4b7a6371c61181

  • SHA1

    b485da0e29adf4b1c34e9b833f0aba7e7b40655d

  • SHA256

    1e39f5f7d640646d7b219aedb10f8db7e89279597c59f3a8944fcee1b9827dda

  • SHA512

    bbd352c6fc2f2e0dd1db3c81eff5499ed45f1c70bb37a536aac39cebc4b89964c8fd584272c5fb0690bd26cde961a55602b3dabef7adc9cb11d01bbfbad94282

  • SSDEEP

    768:o7+FNcuFVc2zV0xvfK4urZuishkZBxWJY:bF+Ec20/url/xWJY

Score
10/10
xmrig_linuxevasionlinuxminerpersistencerootkit

Malware Config

Targets

    • Target

      5c75e6f27cc568187e4b7a6371c61181_JaffaCakes118

    • Size

      41KB

    • MD5

      5c75e6f27cc568187e4b7a6371c61181

    • SHA1

      b485da0e29adf4b1c34e9b833f0aba7e7b40655d

    • SHA256

      1e39f5f7d640646d7b219aedb10f8db7e89279597c59f3a8944fcee1b9827dda

    • SHA512

      bbd352c6fc2f2e0dd1db3c81eff5499ed45f1c70bb37a536aac39cebc4b89964c8fd584272c5fb0690bd26cde961a55602b3dabef7adc9cb11d01bbfbad94282

    • SSDEEP

      768:o7+FNcuFVc2zV0xvfK4urZuishkZBxWJY:bF+Ec20/url/xWJY

    Score
    10/10
    xmrig_linuxevasionminerpersistencerootkit

    • xmrig

      XMRig is a high performance, open source, cross platform CPU/GPU miner.

      minerxmrig_linux

    • Adds new SSH keys

      Linux special file to hold SSH keys. The threat actor may add new keys for further remote access.

      persistence

    • Changes its process name

    • Deletes system logs

      Deletes log file which contains global system messages. Adversaries may delete system logs to minimize their footprint.

      evasion

    • Flushes firewall rules

      Flushes/ disables firewall rules inside the Linux kernel.

    • Loads a kernel module

      Loads a Linux kernel module, potentially to achieve persistence

      rootkit

    • Writes DNS configuration

      Writes data to DNS resolver config file.

    • Attempts to change immutable files

      Modifies inode attributes on the filesystem to allow changing of immutable files.

    • Creates/modifies Cron job

      Cron allows running tasks on a schedule, and is commonly used for malware persistence.

      persistence

    • Deletes log files

      Deletes log files on the system.

    • Disables AppArmor

      Disables AppArmor security module.

    • Disables SELinux

      Disables SELinux security module.

    • Enumerates running processes

      Discovers information about currently running processes on the system

    • Modifies rc script

      Adding/modifying system rc scripts is a common persistence mechanism.

      persistence

    • Reads CPU attributes

    • Write file to user bin folder

    • Writes file to system bin folder

    behavioral1behavioral2behavioral3behavioral4

MITRE ATT&CK Enterprise v15

Tasks