Analysis

  • max time kernel
    149s
  • max time network
    140s
  • platform
    ubuntu-20.04_amd64
  • resource
    ubuntu2004-amd64-20240508-en
  • resource tags

    arch:amd64, arch:i386, image:ubuntu2004-amd64-20240508-en, kernel:5.4.0-169-generic, locale:en-us, os:ubuntu-20.04-amd64, system
  • submitted
    21-05-2024 01:29

General

  • Target

    9b81bad2111312e669697b69b9f121a1f9519da61cd5d37689e38381c1ffad28.elf

  • Size

    1.7MB

  • MD5

    44de739950eb4a8a3552b4e1987e8ec2

  • SHA1

    0ae049aab363fb8d2e164150dffbafd332725e00

  • SHA256

    9b81bad2111312e669697b69b9f121a1f9519da61cd5d37689e38381c1ffad28

  • SHA512

    92ec17d3929b16353b40b29eefb5ad1de26621a20dc1c065e7cd9f294a9763844ff8673730d00f1a255ad4d42e06a1fb3171822db59dd20c639d3ff691256a7c

  • SSDEEP

    49152:njEflQ/573nydbeONLwFCRTrgcSzNpZWPU6B:jEflQRTydb/ZwGrwzNpCB

Score
10/10

Malware Config

Signatures

  • xmrig

    XMRig is a high performance, open source, cross platform CPU/GPU miner.

  • XMRig Miner payload 1 IoCs
  • Modifies hosts file 1 IoCs

    Writes to /etc/hosts, the file that maps hostnames to IP addresses.

  • Checks hardware identifiers (DMI) 1 TTPs 4 IoCs

    Reads DMI information (/sys/class/dmi/id) that can indicate whether the system is a virtual machine.

  • Reads hardware information 1 TTPs 14 IoCs

    Reads system information such as serial numbers and manufacturer names.

  • Checks CPU configuration 1 TTPs 1 IoCs

    Reads CPU information that can indicate whether the system is a virtual machine.

  • Reads CPU attributes 1 TTPs 2 IoCs
  • Enumerates kernel/hardware configuration 1 TTPs 64 IoCs

    Reads contents of /sys virtual filesystem to enumerate system information.

  • Reads runtime system information 5 IoCs

    Reads data from /proc virtual filesystem.

Processes

  • /tmp/9b81bad2111312e669697b69b9f121a1f9519da61cd5d37689e38381c1ffad28.elf
    /tmp/9b81bad2111312e669697b69b9f121a1f9519da61cd5d37689e38381c1ffad28.elf
    1⤵
    • Modifies hosts file
    • Checks hardware identifiers (DMI)
    • Reads hardware information
    • Checks CPU configuration
    • Reads CPU attributes
    • Enumerates kernel/hardware configuration
    • Reads runtime system information
    PID:1439
    • /bin/sh
      sh -c "rm -f /etc/hosts.old"
      2⤵
      PID:1440
      • /usr/bin/rm
        rm -f /etc/hosts.old
        3⤵
        PID:1441
    • /bin/sh
      sh -c "mount --bind /proc/1 /proc/1462"
      2⤵
      PID:1463
      • /usr/bin/mount
        mount --bind /proc/1 /proc/1462
        3⤵
        • Reads runtime system information
        PID:1464
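The second child in the tree, `mount --bind /proc/1 /proc/1462`, is a process-hiding trick: once PID 1's proc directory is bind-mounted over /proc/1462, anything that walks /proc (ps, top, /proc-based EDR collectors) sees init's data where the hidden process's entries should be. The bind mount itself cannot be hidden the same way, because it shows up in /proc/self/mountinfo. The script below is an added detection example written for this report, not code from the sandbox or the sample; it parses mountinfo and flags any mount whose mount point is /proc/<pid>. It generalizes beyond this sample to the tmpfs-over-/proc/<pid> variant of the same trick. The mountinfo excerpt embedded in it is constructed for the example, not captured from the run.

```python
"""Detect processes hidden by mounting something over /proc/<pid>.

The sample in this report runs `mount --bind /proc/1 /proc/1462`; afterwards
ps/top show init's data wherever they read /proc/1462. The bind mount is still
listed in /proc/self/mountinfo, which is what this script inspects.
"""
import re
from pathlib import Path

# Constructed /proc/self/mountinfo excerpt (not captured from the sandbox run).
# The last line is what the sample's `mount --bind /proc/1 /proc/1462` produces:
# root "/1" of the proc filesystem, mounted on /proc/1462.
SAMPLE_MOUNTINFO = """\
28 1 8:1 / / rw,relatime shared:1 - ext4 /dev/sda1 rw,errors=remount-ro
22 28 0:21 / /proc rw,nosuid,nodev,noexec,relatime shared:13 - proc proc rw
23 28 0:22 / /sys rw,nosuid,nodev,noexec,relatime shared:7 - sysfs sysfs rw
40 28 0:35 / /tmp rw,nosuid,nodev shared:20 - tmpfs tmpfs rw
131 22 0:21 /1 /proc/1462 rw,nosuid,nodev,noexec,relatime shared:13 - proc proc rw
"""

_OCTAL_ESCAPE = re.compile(r"\\([0-7]{3})")


def unescape(field):
    # mountinfo encodes space, tab, newline and backslash as \040 \011 \012 \134
    return _OCTAL_ESCAPE.sub(lambda m: chr(int(m.group(1), 8)), field)


def parse_mountinfo(text):
    """Return a list of dicts with the mountinfo fields this check needs.

    Line format (proc(5)): mount_id parent_id major:minor root mount_point
    mount_options [optional fields ...] - fstype source super_options
    The literal " - " separates the variable-length optional fields from fstype.
    """
    entries = []
    for line in text.splitlines():
        if not line.strip():
            continue
        before, sep, after = line.partition(" - ")
        if not sep:
            continue  # malformed line, skip it
        pre = before.split()
        post = after.split()
        entries.append({
            "mount_id": int(pre[0]),
            "parent_id": int(pre[1]),
            "root": unescape(pre[3]),
            "mount_point": unescape(pre[4]),
            "fstype": post[0],
            "source": unescape(post[1]) if len(post) > 1 else "",
        })
    return entries


_PROC_PID = re.compile(r"^/proc/(\d+)$")


def find_masked_pids(entries):
    """Return {hidden_pid: description} for every mount sitting on /proc/<pid>.

    Nothing legitimate mounts on a per-process directory, so any filesystem
    type here is suspicious: a proc bind mount (this sample) or an empty tmpfs
    both hide the real process from tools that walk /proc.
    """
    masked = {}
    for e in entries:
        m = _PROC_PID.match(e["mount_point"])
        if not m:
            continue
        pid = int(m.group(1))
        if e["fstype"] == "proc" and re.fullmatch(r"/\d+", e["root"]):
            desc = f"bind mount of /proc{e['root']} over /proc/{pid}"
        else:
            desc = f"{e['fstype']} ({e['source']}) mounted over /proc/{pid}"
        masked[pid] = desc
    return masked


def scan_live():
    """Inspect this host; returns the same mapping as find_masked_pids."""
    text = Path("/proc/self/mountinfo").read_text()
    return find_masked_pids(parse_mountinfo(text))


if __name__ == "__main__":
    for pid, desc in find_masked_pids(parse_mountinfo(SAMPLE_MOUNTINFO)).items():
        print(f"constructed sample: PID {pid} is masked by a {desc}")
    for pid, desc in scan_live().items():
        print(f"this host: PID {pid} is masked by a {desc}; "
              f"'umount /proc/{pid}' restores the real entries")
```

Run it as root on a suspect host; a hit means the real /proc/<pid> is shadowed and `umount /proc/<pid>` brings it back, after which the hidden process can be inspected normally. The check is cheap enough to run from a cron job or an EDR script alongside a comparison of `ps` output against a raw /proc directory listing.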

Network

MITRE ATT&CK Enterprise v15

Downloads

  • /etc/hosts

    Filesize

    219B

    MD5

    f483993c70d12ecfd5a5fe3ed5b10244

    SHA1

    386b3c58555b1337c5a2496efdb7436295256796

    SHA256

    908b62e9f94cc492b2ad465bfae5ba6bb5cfffd9ad7af21cdb79821ee118f409

    SHA512

    c60a7528f3d5b5b97d79c7973153cb7a915de04fd717e9ca7c8bdf4093a747146d405c15d47f822dc1b72bcd87b19ab276e9069c3f41bc5bb4dbfd88fd469aaa

  • /run/mountinfo

    Filesize

    16B

    MD5

    9c04f0801e03b177d9971401716ba4cc

    SHA1

    0b0b078d2c57ad1eab944790d2ae810f3186664b

    SHA256

    16536e15b5ba5a9905313be37ab4e618b25b372381d0f58c3be6b57d8d9bf077

    SHA512

    92a5592a8ba10c2860eb540778185e98dbfadb0eba41f51aa85e3ccff7e2ed04a2c4415c161198d920d86ffd30eec2de6aad30269a12857e79e33f27b46702b1

  • /run/mountinfo.log

    Filesize

    1KB

    MD5

    f1134f2ac1be5824ee1480c14fe7d983

    SHA1

    775ed5eedb6197b24652b7106ce8a1bb24726934

    SHA256

    e50bdee6b0da71276f2731883adfa62f1e7566ed381bf4768361ef066e96b60a

    SHA512

    094b48329b45457bb78e0bbc1369e8e5b0e7b530145047b3b752f4c62bd4349c9db38523dc5386d9e4e5aa00c7280b6a8af35bc8e0a46890f77c0f014010337d

  • memory/1439-1-0x0000000000400000-0x0000000000acfb60-memory.dmp