General

  • Target

    17931866188.zip

  • Size

    5.4MB

  • Sample

    240625-g2e36svajh

  • MD5

    3bdf728d47d7deab6b51549f9641c3f4

  • SHA1

    85fd63e3d47408cac352634213441493206d75c0

  • SHA256

    e74418466797c11a2fea1fa024403b0e6bf46d568e5bfa6fe304c524708f1f8c

  • SHA512

    284116ebfa00f38b0ae98ed30ff4071f1b4b6487ec33591566fc3f99ff43b0912c35edb975feddceb5a192e9472db612971a18d552c40edcd655ee0fa281561a

  • SSDEEP

    98304:7kU0hQPIXub1B9nLWGQ1rfy1oAld3okyxZKqiscqPCnD7f2iiENYOGaYMbuzcTUW:7kU0nuhaRbyD3XyxZZAVNYNa9buzt12j

Malware Config

Targets

    • Target

      1fcc2061f767574044ca1e97f92ca1d44ee0b35e0a796e3bd6a949ad4b1175e5

    • Size

      2.3MB

    • MD5

      b9f096559e923787ebb1288c93ce2902

    • SHA1

      94851bcc8f9c651bcda0ff33d17356cb0b16cf12

    • SHA256

      1fcc2061f767574044ca1e97f92ca1d44ee0b35e0a796e3bd6a949ad4b1175e5

    • SHA512

      ce5f09737d0b7191e3b646ed6111bb0ce97544d280223f327c4f4cc652dc840fed639bc0462b88a7f87d071066e302be7980f14faca1f5e6e9bf732637db22be

    • SSDEEP

      49152:hjYpLCWvHFiMBiBFjrhrlzr18t7LxcAk4u7prrRQx:MvlNiPt9y7LxXk5prrA

    Score: 1/10

    • Target

      d8a12c39742e862d3c2a72bc85532deb7b62665357a357bf6a4f2ea3ceb8561a

    • Size

      3.2MB

    • MD5

      396a812c15bd9809d0c8f438b8517827

    • SHA1

      6a8eb0ee0a05cede17a50ec04b0a549d70325dcb

    • SHA256

      d8a12c39742e862d3c2a72bc85532deb7b62665357a357bf6a4f2ea3ceb8561a

    • SHA512

      83ba44b59c9aa517887d27de612b646a17e1b0e372e216e279f188a75e12759b27f181509287e08e79aa34872b59b711fc8efd014b463f58934f762a8d70e948

    • SSDEEP

      98304:EenYv0GcTOR0aUripytWEGYk91lRujZv9I:bYoOjGhnGPLlqZvW

    • Detects Kaiten/Tsunami Payload

    • Detects Kaiten/Tsunami payload

    • Kaiten/Tsunami

      Linux-based IoT botnet which is controlled through IRC and normally used to carry out DDoS attacks.

    • xmrig

      XMRig is a high-performance, open-source, cross-platform CPU/GPU miner.

    • XMRig Miner payload

    • Executes dropped EXE

    • Flushes firewall rules

      Flushes/disables firewall rules inside the Linux kernel.

    • Loads a kernel module

      Loads a Linux kernel module, potentially to achieve persistence.

    • Reads EFI boot settings

      Reads EFI boot settings from the efivars filesystem, which may contain security secrets or sensitive data.

    • UPX packed file

      Detects executables packed with the UPX open-source packer or a modified UPX.

    • Attempts to change immutable files

      Modifies inode attributes on the filesystem to allow changing of immutable files.

    • Checks hardware identifiers (DMI)

      Checks DMI information, which can indicate whether the system is a virtual machine.

    • Creates/modifies Cron job

      Cron allows running tasks on a schedule, and is commonly used for malware persistence.

    • Enumerates active TCP sockets

      Gets active TCP sockets from /proc virtual filesystem.

    • Enumerates running processes

      Discovers information about currently running processes on the system.

    • Modifies init.d

      Adds/modifies system service, likely for persistence.

    • Modifies systemd

      Adds/modifies systemd service files, likely to achieve persistence.

    • Reads hardware information

      Accesses system information such as serial numbers, manufacturer names, etc.

    • Writes file to system bin folder

MITRE ATT&CK Matrix (ATT&CK v13)

Execution

  • T1053 Scheduled Task/Job (1)

Persistence

  • T1053 Scheduled Task/Job (1)

  • T1547 Boot or Logon Autostart Execution (2)

  • T1574 Hijack Execution Flow (1)

Privilege Escalation

  • T1053 Scheduled Task/Job (1)

  • T1547 Boot or Logon Autostart Execution (2)

  • T1574 Hijack Execution Flow (1)

Defense Evasion

  • T1497 Virtualization/Sandbox Evasion (2)

  • T1574 Hijack Execution Flow (1)

Discovery

  • T1497 Virtualization/Sandbox Evasion (2)

  • T1049 System Network Connections Discovery (1)

  • T1082 System Information Discovery (3)

  • T1016 System Network Configuration Discovery (1)

Tasks