General
- Target: sys.x86_64
- Size: 3.7MB
- Sample: 240413-rs973aeb28
- MD5: 2bb292f0f9d28c5865cdfe601a082db6
- SHA1: e63ae8ef41496526bc59b04704e961472cabcc95
- SHA256: f878420a69fe3947bc79f8eca2c11418140a4a79380c6d18d4c907c9ccbc71f7
- SHA512: 9026d43054f269b4c6e8758cfec571f9028269ce0275cbb41cb92e753dfe7f0b22f6b7b0e04ecb2cc58d3acef00fe2d3492f12d9b18e8a908ab3c288ea8d50a1
- SSDEEP: 98304:LifkEQ5YQoProHC2ZXWw16hGkLTlPXW0XH:LYkEHbQRZX/O9ZO03
Targets
- XMRig Miner payload
- Contacts a large number (167911) of remote hosts
  This may indicate a network scan to discover remotely running services.
- Creates a large number of network flows
  This may indicate a network scan to discover remotely running services.
- Deletes itself
- Executes dropped EXE
- Attempts to change immutable files
  Modifies inode attributes on the filesystem to allow changing of immutable files.
- Checks CPU configuration
  Checks CPU information that indicates whether the system is a virtual machine.
- Checks hardware identifiers (DMI)
  Checks DMI information that indicates whether the system is a virtual machine.
- Creates/modifies Cron job
  Cron allows running tasks on a schedule, and is commonly used for malware persistence.
- Enumerates active TCP sockets
  Gets active TCP sockets from the /proc virtual filesystem.
- Enumerates running processes
  Discovers information about currently running processes on the system.
- Reads CPU attributes
- Reads hardware information
  Accesses system info such as serial numbers, manufacturer names, etc.
- Writes file to system bin folder