Malware Analysis Report

2024-10-24 21:47

Sample ID: 240520-158pfahd22
Target: SecuriteInfo.com.PUA.Tool.Linux.BtcMine.4274.18395.31150.elf
SHA256: 9b81bad2111312e669697b69b9f121a1f9519da61cd5d37689e38381c1ffad28
Tags: upx xmrig antivm miner
Score: 10/10


Analysis Overview

Score: 10/10

SHA256: 9b81bad2111312e669697b69b9f121a1f9519da61cd5d37689e38381c1ffad28

Threat Level: Known bad

The file SecuriteInfo.com.PUA.Tool.Linux.BtcMine.4274.18395.31150.elf was found to be: Known bad.

Malicious Activity Summary

upx xmrig antivm miner

xmrig

XMRig Miner payload

UPX packed file

Modifies hosts file

Checks hardware identifiers (DMI)

Reads hardware information

Checks CPU configuration

Reads CPU attributes

Enumerates kernel/hardware configuration

Reads runtime system information

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported: 2024-05-20 22:15

Signatures

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted: 2024-05-20 22:15

Reported: 2024-05-20 22:17

Platform: ubuntu1804-amd64-20240508-en

Max time kernel: 149s

Max time network: 128s

Command Line

[/tmp/SecuriteInfo.com.PUA.Tool.Linux.BtcMine.4274.18395.31150.elf]

Signatures

xmrig

miner xmrig

XMRig Miner payload

miner
Description Indicator Process Target
N/A N/A N/A N/A

Modifies hosts file

Description Indicator Process Target
File opened for modification /etc/hosts /tmp/SecuriteInfo.com.PUA.Tool.Linux.BtcMine.4274.18395.31150.elf N/A

Checks hardware identifiers (DMI)

antivm
Description Indicator Process Target
File opened for reading /sys/devices/virtual/dmi/id/product_name /tmp/SecuriteInfo.com.PUA.Tool.Linux.BtcMine.4274.18395.31150.elf N/A
File opened for reading /sys/devices/virtual/dmi/id/board_vendor /tmp/SecuriteInfo.com.PUA.Tool.Linux.BtcMine.4274.18395.31150.elf N/A
File opened for reading /sys/devices/virtual/dmi/id/bios_vendor /tmp/SecuriteInfo.com.PUA.Tool.Linux.BtcMine.4274.18395.31150.elf N/A
File opened for reading /sys/devices/virtual/dmi/id/sys_vendor /tmp/SecuriteInfo.com.PUA.Tool.Linux.BtcMine.4274.18395.31150.elf N/A

Reads hardware information

Description Indicator Process Target
File opened for reading /sys/devices/virtual/dmi/id/product_serial /tmp/SecuriteInfo.com.PUA.Tool.Linux.BtcMine.4274.18395.31150.elf N/A
File opened for reading /sys/devices/virtual/dmi/id/board_serial /tmp/SecuriteInfo.com.PUA.Tool.Linux.BtcMine.4274.18395.31150.elf N/A
File opened for reading /sys/devices/virtual/dmi/id/product_version /tmp/SecuriteInfo.com.PUA.Tool.Linux.BtcMine.4274.18395.31150.elf N/A
File opened for reading /sys/devices/virtual/dmi/id/board_version /tmp/SecuriteInfo.com.PUA.Tool.Linux.BtcMine.4274.18395.31150.elf N/A
File opened for reading /sys/devices/virtual/dmi/id/board_asset_tag /tmp/SecuriteInfo.com.PUA.Tool.Linux.BtcMine.4274.18395.31150.elf N/A
File opened for reading /sys/devices/virtual/dmi/id/chassis_serial /tmp/SecuriteInfo.com.PUA.Tool.Linux.BtcMine.4274.18395.31150.elf N/A
File opened for reading /sys/devices/virtual/dmi/id/bios_date /tmp/SecuriteInfo.com.PUA.Tool.Linux.BtcMine.4274.18395.31150.elf N/A
File opened for reading /sys/devices/virtual/dmi/id/chassis_version /tmp/SecuriteInfo.com.PUA.Tool.Linux.BtcMine.4274.18395.31150.elf N/A
File opened for reading /sys/devices/virtual/dmi/id/chassis_asset_tag /tmp/SecuriteInfo.com.PUA.Tool.Linux.BtcMine.4274.18395.31150.elf N/A
File opened for reading /sys/devices/virtual/dmi/id/bios_version /tmp/SecuriteInfo.com.PUA.Tool.Linux.BtcMine.4274.18395.31150.elf N/A
File opened for reading /sys/devices/virtual/dmi/id/product_uuid /tmp/SecuriteInfo.com.PUA.Tool.Linux.BtcMine.4274.18395.31150.elf N/A
File opened for reading /sys/devices/virtual/dmi/id/board_name /tmp/SecuriteInfo.com.PUA.Tool.Linux.BtcMine.4274.18395.31150.elf N/A
File opened for reading /sys/devices/virtual/dmi/id/chassis_vendor /tmp/SecuriteInfo.com.PUA.Tool.Linux.BtcMine.4274.18395.31150.elf N/A
File opened for reading /sys/devices/virtual/dmi/id/chassis_type /tmp/SecuriteInfo.com.PUA.Tool.Linux.BtcMine.4274.18395.31150.elf N/A

Checks CPU configuration

antivm
Description Indicator Process Target
File opened for reading /proc/cpuinfo /tmp/SecuriteInfo.com.PUA.Tool.Linux.BtcMine.4274.18395.31150.elf N/A

Reads CPU attributes

Description Indicator Process Target
File opened for reading /sys/devices/system/cpu/online /tmp/SecuriteInfo.com.PUA.Tool.Linux.BtcMine.4274.18395.31150.elf N/A
File opened for reading /sys/devices/system/cpu/possible /tmp/SecuriteInfo.com.PUA.Tool.Linux.BtcMine.4274.18395.31150.elf N/A

Enumerates kernel/hardware configuration

Description Indicator Process Target
File opened for reading /sys/bus/cpu/devices/cpu0/cache/index3/physical_line_partition /tmp/SecuriteInfo.com.PUA.Tool.Linux.BtcMine.4274.18395.31150.elf N/A
File opened for reading /sys/bus/cpu/devices/cpu0/cache/index1/shared_cpu_map /tmp/SecuriteInfo.com.PUA.Tool.Linux.BtcMine.4274.18395.31150.elf N/A
File opened for reading /sys/bus/cpu/devices/cpu0/cache/index2/id /tmp/SecuriteInfo.com.PUA.Tool.Linux.BtcMine.4274.18395.31150.elf N/A
File opened for reading /sys/bus/cpu/devices/cpu0/cache/index0/shared_cpu_map /tmp/SecuriteInfo.com.PUA.Tool.Linux.BtcMine.4274.18395.31150.elf N/A
File opened for reading /sys/bus/node/devices/node0/cpumap /tmp/SecuriteInfo.com.PUA.Tool.Linux.BtcMine.4274.18395.31150.elf N/A
File opened for reading /sys/fs/cgroup/cpuset/cpuset.mems /tmp/SecuriteInfo.com.PUA.Tool.Linux.BtcMine.4274.18395.31150.elf N/A
File opened for reading /sys/bus/cpu/devices/cpu0/cache/index0/id /tmp/SecuriteInfo.com.PUA.Tool.Linux.BtcMine.4274.18395.31150.elf N/A
File opened for reading /sys/bus/cpu/devices/cpu0/cache/index2/type /tmp/SecuriteInfo.com.PUA.Tool.Linux.BtcMine.4274.18395.31150.elf N/A
File opened for reading /sys/bus/cpu/devices/cpu0/cache/index2/size /tmp/SecuriteInfo.com.PUA.Tool.Linux.BtcMine.4274.18395.31150.elf N/A
File opened for reading /sys/bus/cpu/devices/cpu0/cache/index2/number_of_sets /tmp/SecuriteInfo.com.PUA.Tool.Linux.BtcMine.4274.18395.31150.elf N/A
File opened for reading /sys/bus/cpu/devices/cpu0/cpu_capacity /tmp/SecuriteInfo.com.PUA.Tool.Linux.BtcMine.4274.18395.31150.elf N/A
File opened for reading /sys/kernel/mm/hugepages/hugepages-2048kB/nr_hugepages /tmp/SecuriteInfo.com.PUA.Tool.Linux.BtcMine.4274.18395.31150.elf N/A
File opened for reading /sys/bus/cpu/devices /tmp/SecuriteInfo.com.PUA.Tool.Linux.BtcMine.4274.18395.31150.elf N/A
File opened for reading /sys/bus/cpu/devices/cpu0/cache/index2/shared_cpu_map /tmp/SecuriteInfo.com.PUA.Tool.Linux.BtcMine.4274.18395.31150.elf N/A
File opened for reading /sys/bus/cpu/devices/cpu0/cache/index8/shared_cpu_map /tmp/SecuriteInfo.com.PUA.Tool.Linux.BtcMine.4274.18395.31150.elf N/A
File opened for reading /sys/kernel/mm/hugepages /tmp/SecuriteInfo.com.PUA.Tool.Linux.BtcMine.4274.18395.31150.elf N/A
File opened for reading /sys/devices/system/node/online /tmp/SecuriteInfo.com.PUA.Tool.Linux.BtcMine.4274.18395.31150.elf N/A
File opened for reading /sys/bus/node/devices/node0/meminfo /tmp/SecuriteInfo.com.PUA.Tool.Linux.BtcMine.4274.18395.31150.elf N/A
File opened for reading /sys/bus/node/devices/node0/access0/initiators/read_bandwidth /tmp/SecuriteInfo.com.PUA.Tool.Linux.BtcMine.4274.18395.31150.elf N/A
File opened for reading /sys/bus/cpu/devices/cpu0/cache/index0/coherency_line_size /tmp/SecuriteInfo.com.PUA.Tool.Linux.BtcMine.4274.18395.31150.elf N/A
File opened for reading /sys/bus/cpu/devices/cpu0/cache/index0/number_of_sets /tmp/SecuriteInfo.com.PUA.Tool.Linux.BtcMine.4274.18395.31150.elf N/A
File opened for reading /sys/bus/cpu/devices/cpu0/cache/index7/shared_cpu_map /tmp/SecuriteInfo.com.PUA.Tool.Linux.BtcMine.4274.18395.31150.elf N/A
File opened for reading /sys/bus/cpu/devices/cpu0/cache/index0/type /tmp/SecuriteInfo.com.PUA.Tool.Linux.BtcMine.4274.18395.31150.elf N/A
File opened for reading /sys/bus/cpu/devices/cpu0/cache/index2/coherency_line_size /tmp/SecuriteInfo.com.PUA.Tool.Linux.BtcMine.4274.18395.31150.elf N/A
File opened for reading /sys/bus/cpu/devices/cpu0/cache/index2/physical_line_partition /tmp/SecuriteInfo.com.PUA.Tool.Linux.BtcMine.4274.18395.31150.elf N/A
File opened for reading /sys/bus/cpu/devices/cpu0/cache/index3/shared_cpu_map /tmp/SecuriteInfo.com.PUA.Tool.Linux.BtcMine.4274.18395.31150.elf N/A
File opened for reading /sys/bus/cpu/devices/cpu0/cache/index9/shared_cpu_map /tmp/SecuriteInfo.com.PUA.Tool.Linux.BtcMine.4274.18395.31150.elf N/A
File opened for reading /sys/bus/node/devices/node0/hugepages/hugepages-2048kB/nr_hugepages /tmp/SecuriteInfo.com.PUA.Tool.Linux.BtcMine.4274.18395.31150.elf N/A
File opened for reading /sys/bus/node/devices/node0/access0/initiators /tmp/SecuriteInfo.com.PUA.Tool.Linux.BtcMine.4274.18395.31150.elf N/A
File opened for reading /sys/bus/cpu/devices/cpu0/topology/physical_package_id /tmp/SecuriteInfo.com.PUA.Tool.Linux.BtcMine.4274.18395.31150.elf N/A
File opened for reading /sys/bus/cpu/devices/cpu0/cache/index3/size /tmp/SecuriteInfo.com.PUA.Tool.Linux.BtcMine.4274.18395.31150.elf N/A
File opened for reading /sys/devices/system/node/node0/hugepages/hugepages-2048kB/nr_hugepages /tmp/SecuriteInfo.com.PUA.Tool.Linux.BtcMine.4274.18395.31150.elf N/A
File opened for reading /sys/fs/cgroup/cpuset/cpuset.cpus /tmp/SecuriteInfo.com.PUA.Tool.Linux.BtcMine.4274.18395.31150.elf N/A
File opened for reading /sys/bus/cpu/devices/cpu0/topology/thread_siblings /tmp/SecuriteInfo.com.PUA.Tool.Linux.BtcMine.4274.18395.31150.elf N/A
File opened for reading /sys/bus/cpu/devices/cpu0/cache/index0/physical_line_partition /tmp/SecuriteInfo.com.PUA.Tool.Linux.BtcMine.4274.18395.31150.elf N/A
File opened for reading /sys/bus/dax/devices /tmp/SecuriteInfo.com.PUA.Tool.Linux.BtcMine.4274.18395.31150.elf N/A
File opened for reading /sys/fs/cgroup/unified/cgroup.controllers /tmp/SecuriteInfo.com.PUA.Tool.Linux.BtcMine.4274.18395.31150.elf N/A
File opened for reading /sys/bus/cpu/devices/cpu0/cpufreq/cpuinfo_max_freq /tmp/SecuriteInfo.com.PUA.Tool.Linux.BtcMine.4274.18395.31150.elf N/A
File opened for reading /sys/devices/virtual/dmi/id /tmp/SecuriteInfo.com.PUA.Tool.Linux.BtcMine.4274.18395.31150.elf N/A
File opened for reading /sys/bus/cpu/devices/cpu0/cache/index3/id /tmp/SecuriteInfo.com.PUA.Tool.Linux.BtcMine.4274.18395.31150.elf N/A
File opened for reading /sys/bus/cpu/devices/cpu0/cache/index4/shared_cpu_map /tmp/SecuriteInfo.com.PUA.Tool.Linux.BtcMine.4274.18395.31150.elf N/A
File opened for reading /sys/bus/cpu/devices/cpu0/cache/index6/shared_cpu_map /tmp/SecuriteInfo.com.PUA.Tool.Linux.BtcMine.4274.18395.31150.elf N/A
File opened for reading /sys/firmware/dmi/tables/smbios_entry_point /tmp/SecuriteInfo.com.PUA.Tool.Linux.BtcMine.4274.18395.31150.elf N/A
File opened for reading /sys/bus/cpu/devices/cpu0/cache/index0/level /tmp/SecuriteInfo.com.PUA.Tool.Linux.BtcMine.4274.18395.31150.elf N/A
File opened for reading /sys/bus/cpu/devices/cpu0/cache/index0/size /tmp/SecuriteInfo.com.PUA.Tool.Linux.BtcMine.4274.18395.31150.elf N/A
File opened for reading /sys/bus/cpu/devices/cpu0/cache/index3/number_of_sets /tmp/SecuriteInfo.com.PUA.Tool.Linux.BtcMine.4274.18395.31150.elf N/A
File opened for reading /sys/bus/cpu/devices/cpu0/cpufreq/base_frequency /tmp/SecuriteInfo.com.PUA.Tool.Linux.BtcMine.4274.18395.31150.elf N/A
File opened for reading /sys/bus/node/devices/node0/hugepages /tmp/SecuriteInfo.com.PUA.Tool.Linux.BtcMine.4274.18395.31150.elf N/A
File opened for reading /sys/bus/node/devices/node0/access0/initiators/read_latency /tmp/SecuriteInfo.com.PUA.Tool.Linux.BtcMine.4274.18395.31150.elf N/A
File opened for reading /sys/bus/cpu/devices/cpu0/topology/core_siblings /tmp/SecuriteInfo.com.PUA.Tool.Linux.BtcMine.4274.18395.31150.elf N/A
File opened for reading /sys/bus/cpu/devices/cpu0/cache/index5/shared_cpu_map /tmp/SecuriteInfo.com.PUA.Tool.Linux.BtcMine.4274.18395.31150.elf N/A
File opened for reading /sys/bus/cpu/devices/cpu0/topology/core_id /tmp/SecuriteInfo.com.PUA.Tool.Linux.BtcMine.4274.18395.31150.elf N/A
File opened for reading /sys/bus/cpu/devices/cpu0/cache/index2/level /tmp/SecuriteInfo.com.PUA.Tool.Linux.BtcMine.4274.18395.31150.elf N/A
File opened for reading /sys/bus/cpu/devices/cpu0/cache/index3/level /tmp/SecuriteInfo.com.PUA.Tool.Linux.BtcMine.4274.18395.31150.elf N/A
File opened for reading /sys/bus/cpu/devices/cpu0/cache/index3/type /tmp/SecuriteInfo.com.PUA.Tool.Linux.BtcMine.4274.18395.31150.elf N/A
File opened for reading /sys/bus/node/devices/node0/access1/initiators /tmp/SecuriteInfo.com.PUA.Tool.Linux.BtcMine.4274.18395.31150.elf N/A
File opened for reading /sys/firmware/dmi/tables/DMI /tmp/SecuriteInfo.com.PUA.Tool.Linux.BtcMine.4274.18395.31150.elf N/A
File opened for reading /sys/bus/cpu/devices/cpu0/cache/index1/id /tmp/SecuriteInfo.com.PUA.Tool.Linux.BtcMine.4274.18395.31150.elf N/A
File opened for reading /sys/bus/cpu/devices/cpu0/cache/index1/level /tmp/SecuriteInfo.com.PUA.Tool.Linux.BtcMine.4274.18395.31150.elf N/A
File opened for reading /sys/bus/cpu/devices/cpu0/cache/index1/type /tmp/SecuriteInfo.com.PUA.Tool.Linux.BtcMine.4274.18395.31150.elf N/A
File opened for reading /sys/bus/cpu/devices/cpu0/cache/index3/coherency_line_size /tmp/SecuriteInfo.com.PUA.Tool.Linux.BtcMine.4274.18395.31150.elf N/A
File opened for reading /sys/devices/system/node/node0/hugepages/hugepages-2048kB/free_hugepages /tmp/SecuriteInfo.com.PUA.Tool.Linux.BtcMine.4274.18395.31150.elf N/A
File opened for reading /sys/bus/cpu/devices/cpu0/topology/die_cpus /tmp/SecuriteInfo.com.PUA.Tool.Linux.BtcMine.4274.18395.31150.elf N/A

Reads runtime system information

Description Indicator Process Target
File opened for reading /proc/driver/nvidia/gpus /tmp/SecuriteInfo.com.PUA.Tool.Linux.BtcMine.4274.18395.31150.elf N/A
File opened for reading /proc/filesystems /bin/mount N/A
File opened for reading /proc/mounts /tmp/SecuriteInfo.com.PUA.Tool.Linux.BtcMine.4274.18395.31150.elf N/A
File opened for reading /proc/self/cpuset /tmp/SecuriteInfo.com.PUA.Tool.Linux.BtcMine.4274.18395.31150.elf N/A
File opened for reading /proc/meminfo /tmp/SecuriteInfo.com.PUA.Tool.Linux.BtcMine.4274.18395.31150.elf N/A

Processes

/tmp/SecuriteInfo.com.PUA.Tool.Linux.BtcMine.4274.18395.31150.elf

[/tmp/SecuriteInfo.com.PUA.Tool.Linux.BtcMine.4274.18395.31150.elf]

/bin/sh

[sh -c rm -f /etc/hosts.old]

/bin/rm

[rm -f /etc/hosts.old]

/bin/sh

[sh -c mount --bind /proc/1 /proc/1502]

/bin/mount

[mount --bind /proc/1 /proc/1502]

Network

Country Destination Domain Proto
N/A 224.0.0.251:5353 udp
US 1.1.1.1:53 o.softgoldinformation.com udp
RU 46.17.41.146:3334 o.softgoldinformation.com tcp
GB 185.125.188.62:443 tcp
GB 185.125.188.62:443 tcp
US 151.101.193.91:443 tcp
US 151.101.193.91:443 tcp
GB 89.187.167.3:443 tcp
RU 46.17.41.146:3334 o.softgoldinformation.com tcp
RU 194.87.106.49:3334 o.softgoldinformation.com tcp
RU 194.87.106.49:3334 o.softgoldinformation.com tcp
RU 194.87.106.49:6666 o.softgoldinformation.com tcp
RU 194.87.106.49:6666 o.softgoldinformation.com tcp
RU 46.17.41.146:6666 o.softgoldinformation.com tcp
RU 46.17.41.146:6666 o.softgoldinformation.com tcp
US 1.1.1.1:53 o.softprojectcode.com udp
RU 194.87.106.49:3333 o.softgoldinformation.com tcp
RU 194.87.106.49:3333 o.softgoldinformation.com tcp
RU 46.17.41.146:3333 o.softgoldinformation.com tcp
RU 46.17.41.146:3333 o.softgoldinformation.com tcp
US 1.1.1.1:53 rtm.softgoldinformation.com udp
RU 194.87.106.49:53126 rtm.softgoldinformation.com tcp
RU 194.87.106.49:53126 rtm.softgoldinformation.com tcp
RU 194.87.69.16:53126 rtm.softgoldinformation.com tcp
RU 194.87.69.16:53126 rtm.softgoldinformation.com tcp
RU 46.17.41.146:53126 rtm.softgoldinformation.com tcp
RU 46.17.41.146:53126 rtm.softgoldinformation.com tcp
US 1.1.1.1:53 rtm.softprojectcode.com udp
RU 46.17.41.146:8990 rtm.softgoldinformation.com tcp
US 1.1.1.1:53 rtm.softgoldinformation.com udp
RU 194.87.106.49:8990 rtm.softgoldinformation.com tcp

Files

/etc/hosts


memory/1494-1-0x0000000000400000-0x0000000000acfb60-memory.dmp

/run/mountinfo


/run/mountinfo.log
