Overview

overview

10

Static

static

7

sys.x86_64

ubuntu-18.04-amd64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    sys.x86_64

  • Size

    3.7MB

  • Sample

    240413-rs973aeb28

  • MD5

    2bb292f0f9d28c5865cdfe601a082db6

  • SHA1

    e63ae8ef41496526bc59b04704e961472cabcc95

  • SHA256

    f878420a69fe3947bc79f8eca2c11418140a4a79380c6d18d4c907c9ccbc71f7

  • SHA512

    9026d43054f269b4c6e8758cfec571f9028269ce0275cbb41cb92e753dfe7f0b22f6b7b0e04ecb2cc58d3acef00fe2d3492f12d9b18e8a908ab3c288ea8d50a1

  • SSDEEP

    98304:LifkEQ5YQoProHC2ZXWw16hGkLTlPXW0XH:LYkEHbQRZX/O9ZO03

Score
10/10
xmrigantivmdiscoverylinuxminerpersistencerootkitupx

Malware Config

Targets

    • Target

      sys.x86_64

    • Size

      3.7MB

    • MD5

      2bb292f0f9d28c5865cdfe601a082db6

    • SHA1

      e63ae8ef41496526bc59b04704e961472cabcc95

    • SHA256

      f878420a69fe3947bc79f8eca2c11418140a4a79380c6d18d4c907c9ccbc71f7

    • SHA512

      9026d43054f269b4c6e8758cfec571f9028269ce0275cbb41cb92e753dfe7f0b22f6b7b0e04ecb2cc58d3acef00fe2d3492f12d9b18e8a908ab3c288ea8d50a1

    • SSDEEP

      98304:LifkEQ5YQoProHC2ZXWw16hGkLTlPXW0XH:LYkEHbQRZX/O9ZO03

    Score
    10/10
    xmrigantivmdiscoveryminerpersistencerootkitupx

    • XMRig Miner payload

      miner

    • xmrig

      XMRig is a high performance, open source, cross platform CPU/GPU miner.

      minerxmrig

    • Contacts a large (167911) amount of remote hosts

      This may indicate a network scan to discover remotely running services.

      discovery

    • Creates a large amount of network flows

      This may indicate a network scan to discover remotely running services.

      discovery

    • Deletes itself

    • Executes dropped EXE

    • Loads a kernel module

      Loads a Linux kernel module, potentially to achieve persistence

      rootkit

    • UPX packed file

      Detects executables packed with UPX/modified UPX open source packer.

      upx

    • Attempts to change immutable files

      Modifies inode attributes on the filesystem to allow changing of immutable files.

    • Checks CPU configuration

      Checks CPU information which indicate if the system is a virtual machine.

      antivm

    • Checks hardware identifiers (DMI)

      Checks DMI information which indicate if the system is a virtual machine.

      antivm

    • Creates/modifies Cron job

      Cron allows running tasks on a schedule, and is commonly used for malware persistence.

      persistence

    • Enumerates active TCP sockets

      Gets active TCP sockets from /proc virtual filesystem.

    • Enumerates running processes

      Discovers information about currently running processes on the system

    • Reads CPU attributes

    • Reads hardware information

      Accesses system info like serial numbers, manufacturer names etc.

    • Writes file to system bin folder

    behavioral1

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Scheduled Task/Job

1
T1053

Persistence

Scheduled Task/Job

1
T1053

Hijack Execution Flow

1
T1574

Privilege Escalation

Scheduled Task/Job

1
T1053

Hijack Execution Flow

1
T1574

Defense Evasion

Virtualization/Sandbox Evasion

2
T1497

Hijack Execution Flow

1
T1574

Credential Access

Discovery

Network Service Discovery

2
T1046

Virtualization/Sandbox Evasion

2
T1497

System Network Connections Discovery

1
T1049

System Information Discovery

3
T1082

System Network Configuration Discovery

1
T1016

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Tasks