Malware Analysis Report

2024-10-24 21:45

Sample ID 240521-bwp4aseb8v
Target 9b81bad2111312e669697b69b9f121a1f9519da61cd5d37689e38381c1ffad28.elf
SHA256 9b81bad2111312e669697b69b9f121a1f9519da61cd5d37689e38381c1ffad28
Tags
upx xmrig antivm miner
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

9b81bad2111312e669697b69b9f121a1f9519da61cd5d37689e38381c1ffad28

Threat Level: Known bad

The file 9b81bad2111312e669697b69b9f121a1f9519da61cd5d37689e38381c1ffad28.elf was found to be: Known bad.

Malicious Activity Summary

upx xmrig antivm miner

xmrig

XMRig Miner payload

UPX packed file

Modifies hosts file

Checks hardware identifiers (DMI)

Reads hardware information

Checks CPU configuration

Reads CPU attributes

Enumerates kernel/hardware configuration

Reads runtime system information

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-05-21 01:29

Signatures

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-05-21 01:29

Reported

2024-05-21 01:32

Platform

ubuntu2004-amd64-20240508-en

Max time kernel

149s

Max time network

140s

Command Line

[/tmp/9b81bad2111312e669697b69b9f121a1f9519da61cd5d37689e38381c1ffad28.elf]

Signatures

xmrig

miner xmrig

XMRig Miner payload

miner
Description Indicator Process Target
N/A N/A N/A N/A

Modifies hosts file

Description Indicator Process Target
File opened for modification /etc/hosts /tmp/9b81bad2111312e669697b69b9f121a1f9519da61cd5d37689e38381c1ffad28.elf N/A

Checks hardware identifiers (DMI)

antivm
Description Indicator Process Target
File opened for reading /sys/devices/virtual/dmi/id/product_name /tmp/9b81bad2111312e669697b69b9f121a1f9519da61cd5d37689e38381c1ffad28.elf N/A
File opened for reading /sys/devices/virtual/dmi/id/board_vendor /tmp/9b81bad2111312e669697b69b9f121a1f9519da61cd5d37689e38381c1ffad28.elf N/A
File opened for reading /sys/devices/virtual/dmi/id/bios_vendor /tmp/9b81bad2111312e669697b69b9f121a1f9519da61cd5d37689e38381c1ffad28.elf N/A
File opened for reading /sys/devices/virtual/dmi/id/sys_vendor /tmp/9b81bad2111312e669697b69b9f121a1f9519da61cd5d37689e38381c1ffad28.elf N/A

Reads hardware information

Description Indicator Process Target
File opened for reading /sys/devices/virtual/dmi/id/product_uuid /tmp/9b81bad2111312e669697b69b9f121a1f9519da61cd5d37689e38381c1ffad28.elf N/A
File opened for reading /sys/devices/virtual/dmi/id/board_version /tmp/9b81bad2111312e669697b69b9f121a1f9519da61cd5d37689e38381c1ffad28.elf N/A
File opened for reading /sys/devices/virtual/dmi/id/board_serial /tmp/9b81bad2111312e669697b69b9f121a1f9519da61cd5d37689e38381c1ffad28.elf N/A
File opened for reading /sys/devices/virtual/dmi/id/chassis_type /tmp/9b81bad2111312e669697b69b9f121a1f9519da61cd5d37689e38381c1ffad28.elf N/A
File opened for reading /sys/devices/virtual/dmi/id/board_name /tmp/9b81bad2111312e669697b69b9f121a1f9519da61cd5d37689e38381c1ffad28.elf N/A
File opened for reading /sys/devices/virtual/dmi/id/chassis_vendor /tmp/9b81bad2111312e669697b69b9f121a1f9519da61cd5d37689e38381c1ffad28.elf N/A
File opened for reading /sys/devices/virtual/dmi/id/chassis_asset_tag /tmp/9b81bad2111312e669697b69b9f121a1f9519da61cd5d37689e38381c1ffad28.elf N/A
File opened for reading /sys/devices/virtual/dmi/id/bios_date /tmp/9b81bad2111312e669697b69b9f121a1f9519da61cd5d37689e38381c1ffad28.elf N/A
File opened for reading /sys/devices/virtual/dmi/id/product_version /tmp/9b81bad2111312e669697b69b9f121a1f9519da61cd5d37689e38381c1ffad28.elf N/A
File opened for reading /sys/devices/virtual/dmi/id/board_asset_tag /tmp/9b81bad2111312e669697b69b9f121a1f9519da61cd5d37689e38381c1ffad28.elf N/A
File opened for reading /sys/devices/virtual/dmi/id/bios_version /tmp/9b81bad2111312e669697b69b9f121a1f9519da61cd5d37689e38381c1ffad28.elf N/A
File opened for reading /sys/devices/virtual/dmi/id/product_serial /tmp/9b81bad2111312e669697b69b9f121a1f9519da61cd5d37689e38381c1ffad28.elf N/A
File opened for reading /sys/devices/virtual/dmi/id/chassis_version /tmp/9b81bad2111312e669697b69b9f121a1f9519da61cd5d37689e38381c1ffad28.elf N/A
File opened for reading /sys/devices/virtual/dmi/id/chassis_serial /tmp/9b81bad2111312e669697b69b9f121a1f9519da61cd5d37689e38381c1ffad28.elf N/A

Checks CPU configuration

antivm
Description Indicator Process Target
File opened for reading /proc/cpuinfo /tmp/9b81bad2111312e669697b69b9f121a1f9519da61cd5d37689e38381c1ffad28.elf N/A
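
A caveat on the antivm tag: XMRig bundles hwloc, and hwloc's Linux backend reads /sys/devices/virtual/dmi/id/*, /proc/cpuinfo and the cpu/cache/node topology files listed throughout this report to size mining threads and huge pages. The reads alone therefore do not prove an evasion check; what would matter is whether the values identify a hypervisor and whether the sample changes behaviour on that basis, which this report does not show. The function below is an added example (not code from the sample or the sandbox) that applies the usual vendor-string heuristics to the same inputs, so an analyst can see what a stock sandbox guest reveals. The QEMU and laptop inputs at the bottom are constructed.

```python
import re
from pathlib import Path

DMI_DIR = Path("/sys/devices/virtual/dmi/id")
DMI_KEYS = ("sys_vendor", "product_name", "board_vendor", "bios_vendor", "chassis_vendor")

# (substring, hypervisor) pairs matched case-insensitively against DMI strings.
DMI_HINTS = [
    ("qemu", "QEMU/KVM"), ("bochs", "QEMU/KVM"),
    ("vmware", "VMware"),
    ("virtualbox", "VirtualBox"), ("innotek", "VirtualBox"),
    ("xen", "Xen"),
    ("virtual machine", "Hyper-V"),
    ("parallels", "Parallels"),
    ("amazon ec2", "AWS Nitro"), ("google compute engine", "GCE"),
]


def vm_indicators(dmi, cpuinfo):
    """Return human-readable reasons the host looks virtualised.

    dmi: {sysfs file name: file contents}; cpuinfo: text of /proc/cpuinfo.
    An empty list means none of the usual tells are present.
    """
    reasons = []
    for key, value in dmi.items():
        text = value.strip()
        for needle, label in DMI_HINTS:
            if needle in text.lower():
                reasons.append(f"dmi/{key}={text!r} -> {label}")
                break
    # CPUID leaf 1 ECX bit 31 is reported by the kernel as the "hypervisor" flag.
    flags = re.search(r"^flags\s*:\s*(.*)$", cpuinfo, re.M)
    if flags and "hypervisor" in flags.group(1).split():
        reasons.append("cpuinfo: CPUID hypervisor bit is set")
    if re.search(r"^model name\s*:.*(QEMU Virtual CPU|Common KVM)", cpuinfo, re.M):
        reasons.append("cpuinfo: synthetic CPU model name")
    return reasons


def read_host():
    """Collect the same inputs from the running system (Linux only)."""
    dmi = {}
    for key in DMI_KEYS:
        try:
            dmi[key] = (DMI_DIR / key).read_text()
        except OSError:
            pass  # file missing or unreadable (serial numbers need root)
    try:
        cpuinfo = Path("/proc/cpuinfo").read_text()
    except OSError:
        cpuinfo = ""
    return dmi, cpuinfo


# Constructed inputs: a stock QEMU/KVM guest versus a laptop.
SANDBOX_DMI = {
    "sys_vendor": "QEMU\n",
    "product_name": "Standard PC (Q35 + ICH9, 2009)\n",
    "board_vendor": "\n",
    "bios_vendor": "SeaBIOS\n",
    "chassis_vendor": "QEMU\n",
}
SANDBOX_CPUINFO = (
    "processor\t: 0\n"
    "model name\t: QEMU Virtual CPU version 2.5+\n"
    "flags\t\t: fpu vme de pse hypervisor sse4_2\n"
)
LAPTOP_DMI = {
    "sys_vendor": "LENOVO\n",
    "product_name": "20XWCTO1WW\n",
    "board_vendor": "LENOVO\n",
    "bios_vendor": "LENOVO\n",
    "chassis_vendor": "LENOVO\n",
}
LAPTOP_CPUINFO = (
    "processor\t: 0\n"
    "model name\t: 11th Gen Intel(R) Core(TM) i7-1185G7 @ 3.00GHz\n"
    "flags\t\t: fpu vme de pse sse4_2\n"
)

if __name__ == "__main__":
    for reason in vm_indicators(*read_host()) or ["no hypervisor indicators found"]:
        print(reason)
```

If the QEMU guest returns several reasons, the sandbox is advertising itself through exactly the files this sample opened; overriding the SMBIOS strings in the VM definition and masking the CPUID hypervisor bit removes the cheap tells, though timing and device checks remain.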

Reads CPU attributes

Description Indicator Process Target
File opened for reading /sys/devices/system/cpu/online /tmp/9b81bad2111312e669697b69b9f121a1f9519da61cd5d37689e38381c1ffad28.elf N/A
File opened for reading /sys/devices/system/cpu/possible /tmp/9b81bad2111312e669697b69b9f121a1f9519da61cd5d37689e38381c1ffad28.elf N/A

Enumerates kernel/hardware configuration

Description Indicator Process Target
File opened for reading /sys/bus/cpu/devices/cpu0/topology/core_id /tmp/9b81bad2111312e669697b69b9f121a1f9519da61cd5d37689e38381c1ffad28.elf N/A
File opened for reading /sys/bus/cpu/devices/cpu0/cache/index1/level /tmp/9b81bad2111312e669697b69b9f121a1f9519da61cd5d37689e38381c1ffad28.elf N/A
File opened for reading /sys/firmware/dmi/tables/smbios_entry_point /tmp/9b81bad2111312e669697b69b9f121a1f9519da61cd5d37689e38381c1ffad28.elf N/A
File opened for reading /sys/fs/cgroup/cpuset/cpuset.mems /tmp/9b81bad2111312e669697b69b9f121a1f9519da61cd5d37689e38381c1ffad28.elf N/A
File opened for reading /sys/bus/node/devices/node0/meminfo /tmp/9b81bad2111312e669697b69b9f121a1f9519da61cd5d37689e38381c1ffad28.elf N/A
File opened for reading /sys/devices/system/node/node0/hugepages/hugepages-2048kB/free_hugepages /tmp/9b81bad2111312e669697b69b9f121a1f9519da61cd5d37689e38381c1ffad28.elf N/A
File opened for reading /sys/bus/cpu/devices/cpu0/cache/index0/shared_cpu_map /tmp/9b81bad2111312e669697b69b9f121a1f9519da61cd5d37689e38381c1ffad28.elf N/A
File opened for reading /sys/bus/dax/target_node /tmp/9b81bad2111312e669697b69b9f121a1f9519da61cd5d37689e38381c1ffad28.elf N/A
File opened for reading /sys/bus/cpu/devices/cpu0/cache/index0/type /tmp/9b81bad2111312e669697b69b9f121a1f9519da61cd5d37689e38381c1ffad28.elf N/A
File opened for reading /sys/bus/cpu/devices/cpu0/cache/index0/number_of_sets /tmp/9b81bad2111312e669697b69b9f121a1f9519da61cd5d37689e38381c1ffad28.elf N/A
File opened for reading /sys/bus/cpu/devices/cpu0/cache/index2/number_of_sets /tmp/9b81bad2111312e669697b69b9f121a1f9519da61cd5d37689e38381c1ffad28.elf N/A
File opened for reading /sys/bus/cpu/devices/cpu0/cache/index5/shared_cpu_map /tmp/9b81bad2111312e669697b69b9f121a1f9519da61cd5d37689e38381c1ffad28.elf N/A
File opened for reading /sys/bus/node/devices/node0/hugepages/hugepages-2048kB/nr_hugepages /tmp/9b81bad2111312e669697b69b9f121a1f9519da61cd5d37689e38381c1ffad28.elf N/A
File opened for reading /sys/bus/node/devices/node0/access0/initiators /tmp/9b81bad2111312e669697b69b9f121a1f9519da61cd5d37689e38381c1ffad28.elf N/A
File opened for reading /sys/fs/cgroup/unified/cgroup.controllers /tmp/9b81bad2111312e669697b69b9f121a1f9519da61cd5d37689e38381c1ffad28.elf N/A
File opened for reading /sys/bus/cpu/devices/cpu0/cache/index2/level /tmp/9b81bad2111312e669697b69b9f121a1f9519da61cd5d37689e38381c1ffad28.elf N/A
File opened for reading /sys/bus/cpu/devices/cpu0/cache/index2/type /tmp/9b81bad2111312e669697b69b9f121a1f9519da61cd5d37689e38381c1ffad28.elf N/A
File opened for reading /sys/bus/cpu/devices/cpu0/cache/index3/level /tmp/9b81bad2111312e669697b69b9f121a1f9519da61cd5d37689e38381c1ffad28.elf N/A
File opened for reading /sys/bus/cpu/devices/cpu0/topology/core_cpus /tmp/9b81bad2111312e669697b69b9f121a1f9519da61cd5d37689e38381c1ffad28.elf N/A
File opened for reading /sys/bus/node/devices/node0/access0/initiators/read_bandwidth /tmp/9b81bad2111312e669697b69b9f121a1f9519da61cd5d37689e38381c1ffad28.elf N/A
File opened for reading /sys/bus/cpu/devices/cpu0/cache/index3/size /tmp/9b81bad2111312e669697b69b9f121a1f9519da61cd5d37689e38381c1ffad28.elf N/A
File opened for reading /sys/bus/cpu/devices/cpu0/cache/index2/size /tmp/9b81bad2111312e669697b69b9f121a1f9519da61cd5d37689e38381c1ffad28.elf N/A
File opened for reading /sys/bus/cpu/devices/cpu0/cache/index2/physical_line_partition /tmp/9b81bad2111312e669697b69b9f121a1f9519da61cd5d37689e38381c1ffad28.elf N/A
File opened for reading /sys/bus/cpu/devices/cpu0/cache/index3/id /tmp/9b81bad2111312e669697b69b9f121a1f9519da61cd5d37689e38381c1ffad28.elf N/A
File opened for reading /sys/bus/cpu/devices/cpu0/cache/index3/coherency_line_size /tmp/9b81bad2111312e669697b69b9f121a1f9519da61cd5d37689e38381c1ffad28.elf N/A
File opened for reading /sys/kernel/mm/hugepages /tmp/9b81bad2111312e669697b69b9f121a1f9519da61cd5d37689e38381c1ffad28.elf N/A
File opened for reading /sys/kernel/mm/hugepages/hugepages-2048kB/nr_hugepages /tmp/9b81bad2111312e669697b69b9f121a1f9519da61cd5d37689e38381c1ffad28.elf N/A
File opened for reading /sys/bus/node/devices/node0/access1/initiators /tmp/9b81bad2111312e669697b69b9f121a1f9519da61cd5d37689e38381c1ffad28.elf N/A
File opened for reading /sys/bus/cpu/devices/cpu0/cache/index0/level /tmp/9b81bad2111312e669697b69b9f121a1f9519da61cd5d37689e38381c1ffad28.elf N/A
File opened for reading /sys/bus/cpu/devices/cpu0/cache/index3/physical_line_partition /tmp/9b81bad2111312e669697b69b9f121a1f9519da61cd5d37689e38381c1ffad28.elf N/A
File opened for reading /sys/bus/cpu/devices/cpu0/cache/index4/shared_cpu_map /tmp/9b81bad2111312e669697b69b9f121a1f9519da61cd5d37689e38381c1ffad28.elf N/A
File opened for reading /sys/bus/cpu/devices/cpu0/cache/index2/coherency_line_size /tmp/9b81bad2111312e669697b69b9f121a1f9519da61cd5d37689e38381c1ffad28.elf N/A
File opened for reading /sys/bus/cpu/devices/cpu0/cache/index9/shared_cpu_map /tmp/9b81bad2111312e669697b69b9f121a1f9519da61cd5d37689e38381c1ffad28.elf N/A
File opened for reading /sys/devices/virtual/dmi/id /tmp/9b81bad2111312e669697b69b9f121a1f9519da61cd5d37689e38381c1ffad28.elf N/A
File opened for reading /sys/bus/cpu/devices/cpu0/cache/index0/id /tmp/9b81bad2111312e669697b69b9f121a1f9519da61cd5d37689e38381c1ffad28.elf N/A
File opened for reading /sys/devices/system/node/online /tmp/9b81bad2111312e669697b69b9f121a1f9519da61cd5d37689e38381c1ffad28.elf N/A
File opened for reading /sys/bus/dax/devices/target_node /tmp/9b81bad2111312e669697b69b9f121a1f9519da61cd5d37689e38381c1ffad28.elf N/A
File opened for reading /sys/devices/system/node/node0/hugepages/hugepages-2048kB/nr_hugepages /tmp/9b81bad2111312e669697b69b9f121a1f9519da61cd5d37689e38381c1ffad28.elf N/A
File opened for reading /sys/bus/cpu/devices/cpu0/cache/index2/id /tmp/9b81bad2111312e669697b69b9f121a1f9519da61cd5d37689e38381c1ffad28.elf N/A
File opened for reading /sys/bus/cpu/devices/cpu0/topology/die_cpus /tmp/9b81bad2111312e669697b69b9f121a1f9519da61cd5d37689e38381c1ffad28.elf N/A
File opened for reading /sys/bus/cpu/devices/cpu0/topology/physical_package_id /tmp/9b81bad2111312e669697b69b9f121a1f9519da61cd5d37689e38381c1ffad28.elf N/A
File opened for reading /sys/bus/cpu/devices/cpu0/cache/index0/size /tmp/9b81bad2111312e669697b69b9f121a1f9519da61cd5d37689e38381c1ffad28.elf N/A
File opened for reading /sys/bus/cpu/devices/cpu0/cache/index1/shared_cpu_map /tmp/9b81bad2111312e669697b69b9f121a1f9519da61cd5d37689e38381c1ffad28.elf N/A
File opened for reading /sys/bus/cpu/devices/cpu0/cache/index2/shared_cpu_map /tmp/9b81bad2111312e669697b69b9f121a1f9519da61cd5d37689e38381c1ffad28.elf N/A
File opened for reading /sys/firmware/dmi/tables/DMI /tmp/9b81bad2111312e669697b69b9f121a1f9519da61cd5d37689e38381c1ffad28.elf N/A
File opened for reading /sys/fs/cgroup/cpuset/cpuset.cpus /tmp/9b81bad2111312e669697b69b9f121a1f9519da61cd5d37689e38381c1ffad28.elf N/A
File opened for reading /sys/bus/cpu/devices/cpu0/cache/index0/coherency_line_size /tmp/9b81bad2111312e669697b69b9f121a1f9519da61cd5d37689e38381c1ffad28.elf N/A
File opened for reading /sys/bus/cpu/devices/cpu0/cpufreq/base_frequency /tmp/9b81bad2111312e669697b69b9f121a1f9519da61cd5d37689e38381c1ffad28.elf N/A
File opened for reading /sys/bus/node/devices/node0/hugepages /tmp/9b81bad2111312e669697b69b9f121a1f9519da61cd5d37689e38381c1ffad28.elf N/A
File opened for reading /sys/bus/cpu/devices/cpu0/topology/package_cpus /tmp/9b81bad2111312e669697b69b9f121a1f9519da61cd5d37689e38381c1ffad28.elf N/A
File opened for reading /sys/bus/cpu/devices/cpu0/cache/index8/shared_cpu_map /tmp/9b81bad2111312e669697b69b9f121a1f9519da61cd5d37689e38381c1ffad28.elf N/A
File opened for reading /sys/bus/dax/devices /tmp/9b81bad2111312e669697b69b9f121a1f9519da61cd5d37689e38381c1ffad28.elf N/A
File opened for reading /sys/bus/cpu/devices/cpu0/cache/index1/id /tmp/9b81bad2111312e669697b69b9f121a1f9519da61cd5d37689e38381c1ffad28.elf N/A
File opened for reading /sys/bus/cpu/devices/cpu0/cache/index3/type /tmp/9b81bad2111312e669697b69b9f121a1f9519da61cd5d37689e38381c1ffad28.elf N/A
File opened for reading /sys/bus/cpu/devices/cpu0/cache/index3/number_of_sets /tmp/9b81bad2111312e669697b69b9f121a1f9519da61cd5d37689e38381c1ffad28.elf N/A
File opened for reading /sys/bus/cpu/devices/cpu0/cache/index6/shared_cpu_map /tmp/9b81bad2111312e669697b69b9f121a1f9519da61cd5d37689e38381c1ffad28.elf N/A
File opened for reading /sys/bus/cpu/devices/cpu0/cpufreq/cpuinfo_max_freq /tmp/9b81bad2111312e669697b69b9f121a1f9519da61cd5d37689e38381c1ffad28.elf N/A
File opened for reading /sys/bus/cpu/devices/cpu0/cpu_capacity /tmp/9b81bad2111312e669697b69b9f121a1f9519da61cd5d37689e38381c1ffad28.elf N/A
File opened for reading /sys/bus/node/devices/node0/cpumap /tmp/9b81bad2111312e669697b69b9f121a1f9519da61cd5d37689e38381c1ffad28.elf N/A
File opened for reading /sys/bus/node/devices/node0/access0/initiators/read_latency /tmp/9b81bad2111312e669697b69b9f121a1f9519da61cd5d37689e38381c1ffad28.elf N/A
File opened for reading /sys/bus/cpu/devices/cpu0/cache/index3/shared_cpu_map /tmp/9b81bad2111312e669697b69b9f121a1f9519da61cd5d37689e38381c1ffad28.elf N/A
File opened for reading /sys/bus/cpu/devices/cpu0/cache/index0/physical_line_partition /tmp/9b81bad2111312e669697b69b9f121a1f9519da61cd5d37689e38381c1ffad28.elf N/A
File opened for reading /sys/bus/cpu/devices/cpu0/cache/index1/type /tmp/9b81bad2111312e669697b69b9f121a1f9519da61cd5d37689e38381c1ffad28.elf N/A
File opened for reading /sys/bus/cpu/devices/cpu0/cache/index7/shared_cpu_map /tmp/9b81bad2111312e669697b69b9f121a1f9519da61cd5d37689e38381c1ffad28.elf N/A

Reads runtime system information

Description Indicator Process Target
File opened for reading /proc/driver/nvidia/gpus /tmp/9b81bad2111312e669697b69b9f121a1f9519da61cd5d37689e38381c1ffad28.elf N/A
File opened for reading /proc/filesystems /usr/bin/mount N/A
File opened for reading /proc/mounts /tmp/9b81bad2111312e669697b69b9f121a1f9519da61cd5d37689e38381c1ffad28.elf N/A
File opened for reading /proc/self/cpuset /tmp/9b81bad2111312e669697b69b9f121a1f9519da61cd5d37689e38381c1ffad28.elf N/A
File opened for reading /proc/meminfo /tmp/9b81bad2111312e669697b69b9f121a1f9519da61cd5d37689e38381c1ffad28.elf N/A

Processes

/tmp/9b81bad2111312e669697b69b9f121a1f9519da61cd5d37689e38381c1ffad28.elf

[/tmp/9b81bad2111312e669697b69b9f121a1f9519da61cd5d37689e38381c1ffad28.elf]

/bin/sh

[sh -c rm -f /etc/hosts.old]

/usr/bin/rm

[rm -f /etc/hosts.old]

/bin/sh

[sh -c mount --bind /proc/1 /proc/1462]

/usr/bin/mount

[mount --bind /proc/1 /proc/1462]
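
The last two commands bind-mount /proc/1 over /proc/1462. Tools such as ps and top build their view from /proc/<pid>, so after this mount the miner's entry returns PID 1's name, command line and status instead of its own. The check below is added here as an example and is not part of the sandbox output: it parses mountinfo lines (the format documented in proc(5)) and flags any proc-filesystem mount sitting on /proc/<pid> whose root is not "/". The sample table inside it is constructed; mount ids and device numbers are made up, and only the last line mirrors what the sample's command produces.

```python
import re
from dataclasses import dataclass
from pathlib import Path

# Mount points of the form /proc/<pid>; anything mounted there other than
# the proc root itself is suspicious.
PROC_PID_RE = re.compile(r"^/proc/(\d+)$")


@dataclass(frozen=True)
class HiddenPid:
    hidden_pid: int    # PID whose /proc/<pid> entry is covered by the mount
    overlay_root: str  # root of the mounted subtree, e.g. "/1" for /proc/1
    mount_id: int      # mountinfo id, handy for umount and further triage


def parse_mountinfo_line(line):
    """Return (mount_id, root, mount_point, fstype, source) or None.

    mountinfo layout (proc(5)):
      id parent maj:min root mount_point opts [optional...] - fstype source super_opts
    The optional fields are variable-length and end at the lone "-", so we
    split around that separator instead of counting columns.
    """
    head, sep, tail = line.partition(" - ")
    if not sep:
        return None
    h, t = head.split(), tail.split()
    if len(h) < 6 or len(t) < 2:
        return None
    return int(h[0]), h[3], h[4], t[0], t[1]


def find_hidden_pids(lines):
    """Flag proc-fs mounts on /proc/<pid> whose root is not "/".

    A normal `mount -t proc` at /proc has root "/"; `mount --bind /proc/1
    /proc/1462` shows up with root "/1" and mount point "/proc/1462".
    """
    found = []
    for line in lines:
        parsed = parse_mountinfo_line(line.strip())
        if parsed is None:
            continue
        mount_id, root, mount_point, fstype, _source = parsed
        m = PROC_PID_RE.match(mount_point)
        if m and fstype == "proc" and root != "/":
            found.append(HiddenPid(int(m.group(1)), root, mount_id))
    return found


# Constructed sample table (ids and device numbers are made up; the last
# line is what the sample's `mount --bind /proc/1 /proc/1462` produces).
SAMPLE_MOUNTINFO = """\
29 1 8:1 / / rw,relatime shared:1 - ext4 /dev/sda1 rw
23 29 0:21 / /proc rw,nosuid,nodev,noexec,relatime shared:13 - proc proc rw
147 23 0:21 /1 /proc/1462 rw,nosuid,nodev,noexec,relatime shared:13 - proc proc rw
"""


def scan_host():
    """Check this host's own mount table (run in the initial mount namespace)."""
    return find_hidden_pids(Path("/proc/self/mountinfo").read_text().splitlines())


if __name__ == "__main__":
    for h in find_hidden_pids(SAMPLE_MOUNTINFO.splitlines()):
        print(f"/proc/{h.hidden_pid} is covered by /proc{h.overlay_root} (mount id {h.mount_id})")
```

Run scan_host() from the host's initial mount namespace: a bind mount created inside a separate mount namespace is only visible from within it. `umount /proc/<pid>` removes the overlay and exposes the real entry again; the process itself keeps running until it is killed.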

Network

Country  Destination           Domain                          Proto
N/A      224.0.0.251:5353      -                               udp
US       1.1.1.1:53            o.softgoldinformation.com       udp
RU       46.17.41.146:3334     o.softgoldinformation.com       tcp
US       1.1.1.1:53            connectivity-check.ubuntu.com   udp
RU       46.17.41.146:3334     o.softgoldinformation.com       tcp
RU       194.87.106.49:3334    o.softgoldinformation.com       tcp
RU       194.87.106.49:3334    o.softgoldinformation.com       tcp
RU       194.87.106.49:6666    o.softgoldinformation.com       tcp
RU       194.87.106.49:6666    o.softgoldinformation.com       tcp
RU       46.17.41.146:6666     o.softgoldinformation.com       tcp
RU       46.17.41.146:6666     o.softgoldinformation.com       tcp
US       1.1.1.1:53            o.softprojectcode.com           udp
RU       194.87.106.49:3333    o.softgoldinformation.com       tcp
RU       194.87.106.49:3333    o.softgoldinformation.com       tcp
RU       46.17.41.146:3333     o.softgoldinformation.com       tcp
RU       46.17.41.146:3333     o.softgoldinformation.com       tcp
US       1.1.1.1:53            rtm.softgoldinformation.com     udp
RU       194.87.69.16:53126    rtm.softgoldinformation.com     tcp
RU       194.87.69.16:53126    rtm.softgoldinformation.com     tcp
RU       194.87.106.49:53126   rtm.softgoldinformation.com     tcp
RU       194.87.106.49:53126   rtm.softgoldinformation.com     tcp
RU       46.17.41.146:53126    rtm.softgoldinformation.com     tcp
RU       46.17.41.146:53126    rtm.softgoldinformation.com     tcp
US       1.1.1.1:53            rtm.softprojectcode.com         udp
RU       46.17.41.146:8990     rtm.softgoldinformation.com     tcp
US       1.1.1.1:53            rtm.softgoldinformation.com     udp
RU       194.87.106.49:8990    rtm.softgoldinformation.com     tcp
US       1.1.1.1:53            connectivity-check.ubuntu.com   udp
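
The rows above mix the guest's own traffic (the 1.1.1.1 resolver, mDNS on 224.0.0.251, and connectivity-check.ubuntu.com, which is Ubuntu's NetworkManager connectivity probe) with the sample's pool and C2 connections. The script below is an added example rather than part of the report: it parses the rows as the page prints them (Country Destination [Domain] Proto, with the domain absent or "-" for the multicast row), drops the resolver and multicast entries and the allow-listed name, and returns the unique endpoints and domains. The allow-list and resolver set are assumptions for this sandbox; adjust them for yours. Ports 3333 and 3334 are conventional stratum mining-pool ports; 6666, 8990 and 53126 carry the same names here and belong on the block list with them.

```python
from collections import defaultdict
from ipaddress import ip_address

# Rows copied from the Network table of this report, one per line.
NETWORK_ROWS = """\
N/A 224.0.0.251:5353 udp
US 1.1.1.1:53 o.softgoldinformation.com udp
RU 46.17.41.146:3334 o.softgoldinformation.com tcp
US 1.1.1.1:53 connectivity-check.ubuntu.com udp
RU 46.17.41.146:3334 o.softgoldinformation.com tcp
RU 194.87.106.49:3334 o.softgoldinformation.com tcp
RU 194.87.106.49:3334 o.softgoldinformation.com tcp
RU 194.87.106.49:6666 o.softgoldinformation.com tcp
RU 194.87.106.49:6666 o.softgoldinformation.com tcp
RU 46.17.41.146:6666 o.softgoldinformation.com tcp
RU 46.17.41.146:6666 o.softgoldinformation.com tcp
US 1.1.1.1:53 o.softprojectcode.com udp
RU 194.87.106.49:3333 o.softgoldinformation.com tcp
RU 194.87.106.49:3333 o.softgoldinformation.com tcp
RU 46.17.41.146:3333 o.softgoldinformation.com tcp
RU 46.17.41.146:3333 o.softgoldinformation.com tcp
US 1.1.1.1:53 rtm.softgoldinformation.com udp
RU 194.87.69.16:53126 rtm.softgoldinformation.com tcp
RU 194.87.69.16:53126 rtm.softgoldinformation.com tcp
RU 194.87.106.49:53126 rtm.softgoldinformation.com tcp
RU 194.87.106.49:53126 rtm.softgoldinformation.com tcp
RU 46.17.41.146:53126 rtm.softgoldinformation.com tcp
RU 46.17.41.146:53126 rtm.softgoldinformation.com tcp
US 1.1.1.1:53 rtm.softprojectcode.com udp
RU 46.17.41.146:8990 rtm.softgoldinformation.com tcp
US 1.1.1.1:53 rtm.softgoldinformation.com udp
RU 194.87.106.49:8990 rtm.softgoldinformation.com tcp
US 1.1.1.1:53 connectivity-check.ubuntu.com udp
"""

# Assumed for this sandbox: names the guest OS produces on its own, and the
# resolver it was configured to use.
ALLOWLIST = {"connectivity-check.ubuntu.com"}
RESOLVERS = {"1.1.1.1"}


def parse_row(row):
    """Parse 'Country Destination [Domain] Proto'; domain may be absent or '-'."""
    parts = row.split()
    if len(parts) == 4:
        country, dest, domain, proto = parts
    elif len(parts) == 3:
        country, dest, proto = parts
        domain = None
    else:
        return None
    if domain in ("-", "N/A"):
        domain = None
    host, _, port = dest.rpartition(":")
    return {"country": country, "ip": host, "port": int(port), "domain": domain, "proto": proto}


def extract_iocs(rows, allowlist=ALLOWLIST, resolvers=RESOLVERS):
    """Return unique endpoints, IPs and domains, minus resolver/multicast noise."""
    endpoints, domains = set(), set()
    ip_to_domains = defaultdict(set)
    for row in rows:
        r = parse_row(row)
        if r is None or r["domain"] in allowlist:
            continue
        ip = ip_address(r["ip"])
        if ip.is_multicast or r["ip"] in resolvers:
            # A DNS row still tells us which name the sample asked for,
            # even though the resolver itself is not an indicator.
            if r["domain"]:
                domains.add(r["domain"])
            continue
        endpoints.add((r["ip"], r["port"], r["proto"]))
        if r["domain"]:
            domains.add(r["domain"])
            ip_to_domains[r["ip"]].add(r["domain"])
    return {
        "endpoints": sorted(endpoints),
        "ips": sorted({ip for ip, _, _ in endpoints}),
        "domains": sorted(domains),
        "ip_to_domains": {ip: sorted(d) for ip, d in ip_to_domains.items()},
    }


if __name__ == "__main__":
    iocs = extract_iocs(NETWORK_ROWS.splitlines())
    for ip, port, proto in iocs["endpoints"]:
        print(f"{proto} {ip}:{port}")
    print("domains:", ", ".join(iocs["domains"]))
```

Two of the queried names (o.softprojectcode.com and rtm.softprojectcode.com) never appear as a connection target in the table, so a name-based block list catches more than the three IPs alone; the ip_to_domains map shows which names the observed servers answered for.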

Files

/etc/hosts

MD5 f483993c70d12ecfd5a5fe3ed5b10244
SHA1 386b3c58555b1337c5a2496efdb7436295256796
SHA256 908b62e9f94cc492b2ad465bfae5ba6bb5cfffd9ad7af21cdb79821ee118f409
SHA512 c60a7528f3d5b5b97d79c7973153cb7a915de04fd717e9ca7c8bdf4093a747146d405c15d47f822dc1b72bcd87b19ab276e9069c3f41bc5bb4dbfd88fd469aaa

memory/1439-1-0x0000000000400000-0x0000000000acfb60-memory.dmp

/run/mountinfo

MD5 9c04f0801e03b177d9971401716ba4cc
SHA1 0b0b078d2c57ad1eab944790d2ae810f3186664b
SHA256 16536e15b5ba5a9905313be37ab4e618b25b372381d0f58c3be6b57d8d9bf077
SHA512 92a5592a8ba10c2860eb540778185e98dbfadb0eba41f51aa85e3ccff7e2ed04a2c4415c161198d920d86ffd30eec2de6aad30269a12857e79e33f27b46702b1

/run/mountinfo.log

MD5 f1134f2ac1be5824ee1480c14fe7d983
SHA1 775ed5eedb6197b24652b7106ce8a1bb24726934
SHA256 e50bdee6b0da71276f2731883adfa62f1e7566ed381bf4768361ef066e96b60a
SHA512 094b48329b45457bb78e0bbc1369e8e5b0e7b530145047b3b752f4c62bd4349c9db38523dc5386d9e4e5aa00c7280b6a8af35bc8e0a46890f77c0f014010337d