Overview

overview

10

Static

static

10

a400031547...7185fa

ubuntu-18.04-amd64

10

a400031547...7185fa

debian-9-armhf

10

a400031547...7185fa

debian-9-mips

10

a400031547...7185fa

debian-9-mipsel

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    a4000315471cf197c0552aeec0e7afbe0a935b86ff9afe5b1443812d3f7185fa

  • Size

    34KB

  • Sample

    240410-qc7assbh4t

  • MD5

    54130adf66d5bfa4e4b9f04b3933e493

  • SHA1

    1c5f5986b92e3392d4cfaa531c88cd06b5cfd361

  • SHA256

    a4000315471cf197c0552aeec0e7afbe0a935b86ff9afe5b1443812d3f7185fa

  • SHA512

    dc9a8b01fc16686fed8d82a89147cd614a8c6f5a20aa324fd8922cca0a0aa3bf03c2d1407bd5028789864b1a429a31b2bf904a07101bca9d5c76488ec69da82d

  • SSDEEP

    768:dBxlT2wDGWvWCrESA+FylT4hxXpGdKI3oB6kX7sdrCIZMfXxK2eJ5tLW:YDSA+Fyl1dRoZ7q9W

Score
10/10
xmrigxmrig_linuxantivmlinuxminerpersistence

Malware Config

Targets

    • Target

      a4000315471cf197c0552aeec0e7afbe0a935b86ff9afe5b1443812d3f7185fa

    • Size

      34KB

    • MD5

      54130adf66d5bfa4e4b9f04b3933e493

    • SHA1

      1c5f5986b92e3392d4cfaa531c88cd06b5cfd361

    • SHA256

      a4000315471cf197c0552aeec0e7afbe0a935b86ff9afe5b1443812d3f7185fa

    • SHA512

      dc9a8b01fc16686fed8d82a89147cd614a8c6f5a20aa324fd8922cca0a0aa3bf03c2d1407bd5028789864b1a429a31b2bf904a07101bca9d5c76488ec69da82d

    • SSDEEP

      768:dBxlT2wDGWvWCrESA+FylT4hxXpGdKI3oB6kX7sdrCIZMfXxK2eJ5tLW:YDSA+Fyl1dRoZ7q9W

    Score
    10/10
    xmrigantivmminerpersistencexmrig_linux

    • XMRig Miner payload

      miner

    • xmrig

      XMRig is a high performance, open source, cross platform CPU/GPU miner.

      minerxmrig_linux

    • xmrig

      XMRig is a high performance, open source, cross platform CPU/GPU miner.

      minerxmrig

    • Modifies the dynamic linker configuration file

      Malware can modify the configuration file of the dynamic linker to preload malicous libraries with every executed process.

      persistence

    • Adds new SSH keys

      Linux special file to hold SSH keys. The threat actor may add new keys for further remote access.

      persistence

    • Executes dropped EXE

    • Flushes firewall rules

      Flushes/ disables firewall rules inside the Linux kernel.

    • Writes DNS configuration

      Writes data to DNS resolver config file.

    • Attempts to change immutable files

      Modifies inode attributes on the filesystem to allow changing of immutable files.

    • Checks CPU configuration

      Checks CPU information which indicate if the system is a virtual machine.

      antivm

    • Checks hardware identifiers (DMI)

      Checks DMI information which indicate if the system is a virtual machine.

      antivm

    • Enumerates running processes

      Discovers information about currently running processes on the system

    • Reads CPU attributes

    • Reads hardware information

      Accesses system info like serial numbers, manufacturer names etc.

    • Write file to user bin folder

    behavioral1behavioral2behavioral3behavioral4

MITRE ATT&CK Enterprise v15

Tasks