Resubmissions

18-07-2024 16:27

240718-tx9s7szdqa 10

18-07-2024 15:45

240718-s7gpqsvgkl 10

Analysis

  • max time kernel
    45s
  • max time network
    52s
  • platform
    debian-12_armhf
  • resource
    debian12-armhf-20240221-en
  • resource tags

    arch:armhf, image:debian12-armhf-20240221-en, kernel:6.1.0-17-armmp-lpae, locale:en-us, os:debian-12-armhf, system
  • submitted
    18-07-2024 15:45

General

  • Target

    28dc11bfe01f303a15c73150a9a7cdfda39828722c8ecb698147f78c500140a6

  • Size

    1.1MB

  • MD5

    558f29ecf48e1e1643405823f228008a

  • SHA1

    b869e8de1d5f511196b459abd061028cf5a05741

  • SHA256

    28dc11bfe01f303a15c73150a9a7cdfda39828722c8ecb698147f78c500140a6

  • SHA512

    e0928ab208c9987613afd61636a4e0b0ea0c3cc891446c06a1917d6083c1de53725bb1d1cab3ae59b2b9707451bc789e2d163889181114e336cc871917b292fa

  • SSDEEP

    24576:XB0J/zGmU0briuSIxhh/HtYqTdjQeH0s8EWIkQpALmpKaKTY3:Az7pbriuFhh/HtYqTdjNUs6IkQpALmpz

Malware Config

Signatures

  • xmrig

    XMRig is a high-performance, open-source, cross-platform CPU/GPU miner.

  • Contacts a large number (38499) of remote hosts 1 TTPs

    This may indicate a network scan to discover remotely running services.

  • Creates a large number of network flows 1 TTPs

    This may indicate a network scan to discover remotely running services.

  • XMRig Miner payload 1 IoCs
  • Creates/modifies Cron job 1 TTPs 1 IoCs

    Cron allows running tasks on a schedule, and is commonly used for malware persistence.

  • Enumerates running processes

    Discovers information about currently running processes on the system

  • Changes its process name 1 IoCs
  • Checks CPU configuration 1 TTPs 1 IoCs

    Checks CPU information that may indicate whether the system is a virtual machine.

  • Reads CPU attributes 1 TTPs 20 IoCs
  • Enumerates kernel/hardware configuration 1 TTPs 15 IoCs

    Reads contents of /sys virtual filesystem to enumerate system information.

  • Reads runtime system information 64 IoCs

    Reads data from /proc virtual filesystem.
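The two network signatures above are a fan-out heuristic: one process reaching an unusually large number of distinct remote hosts. The added example below, which is not part of the sandbox or of this report, applies that heuristic to flow records and adds the port-concentration test a practitioner uses to tell a service sweep from a busy but legitimate client. The flow records are constructed; PID 706 stands in for the sample's process, and the scanned port (22) is an arbitrary choice for the example, not a port reported for this sample.

```python
"""Fan-out heuristic behind the "contacts a large number of remote hosts" and
"creates a large number of network flows" signatures. Added example; the flow
records below are constructed and are not the sample's real traffic."""
from collections import defaultdict


def build_flows():
    """Constructed (pid, proto, dst_ip, dst_port) records. PID 706 stands in for
    the sample; the scanned port (22) is an arbitrary choice for the example."""
    flows = []
    # 300 distinct hosts in 198.18.0.0/15 (benchmark range), one port: a scanner.
    for i in range(300):
        flows.append((706, "tcp", f"198.18.{i // 250}.{i % 250 + 1}", 22))
    # A few hosts on a couple of ports: an ordinary client.
    for host in ("203.0.113.10", "203.0.113.11"):
        for port in (80, 443):
            flows.append((900, "tcp", host, port))
    return flows


def fanout(flows):
    """Per pid: the set of distinct remote hosts, and those hosts broken down by port."""
    hosts = defaultdict(set)
    hosts_by_port = defaultdict(lambda: defaultdict(set))
    for pid, _proto, dst_ip, dst_port in flows:
        hosts[pid].add(dst_ip)
        hosts_by_port[pid][dst_port].add(dst_ip)
    return hosts, hosts_by_port


def flag_scanners(flows, host_threshold=100, port_share=0.9):
    """Return [(pid, distinct_hosts, top_port, share_on_top_port)] for processes that
    reach at least host_threshold distinct hosts with at least port_share of them on
    a single destination port. The port-concentration test separates a service sweep
    from a legitimate client (CDN, DNS, package mirrors) that also fans out widely."""
    hosts, hosts_by_port = fanout(flows)
    hits = []
    for pid, hset in hosts.items():
        if len(hset) < host_threshold:
            continue
        top_port, top_hosts = max(hosts_by_port[pid].items(), key=lambda kv: len(kv[1]))
        share = len(top_hosts) / len(hset)
        if share >= port_share:
            hits.append((pid, len(hset), top_port, share))
    return sorted(hits)


if __name__ == "__main__":
    for pid, n, port, share in flag_scanners(build_flows()):
        print(f"pid {pid}: {n} distinct hosts, {share:.0%} on tcp/{port}")
```

Tune host_threshold to the host's role; the 38499 figure in this report is far above anything a Debian build VM with no workload should produce in 52 seconds of network time.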

Processes

  • /tmp/28dc11bfe01f303a15c73150a9a7cdfda39828722c8ecb698147f78c500140a6
    /tmp/28dc11bfe01f303a15c73150a9a7cdfda39828722c8ecb698147f78c500140a6
    1⤵
    • Checks CPU configuration
    • Reads CPU attributes
    • Enumerates kernel/hardware configuration
    • Reads runtime system information
    PID:706
    • /bin/sh
      sh -c "command -v crontab >/dev/null 2>&1"
      2⤵
      PID:724
    • /bin/sh
      sh -c "crontab -r >/dev/null 2>&1; echo \"@reboot /tmp/28dc11bfe01f303a15c73150a9a7cdfda39828722c8ecb698147f78c500140a6\" | crontab -"
      2⤵
      PID:726
      • /usr/bin/crontab
        crontab -r
        3⤵
        PID:728
      • /usr/bin/crontab
        crontab -
        3⤵
        • Creates/modifies Cron job
        PID:733
    • /bin/sh
      sh -c "iptables -I INPUT -p tcp --dport 57002 -j ACCEPT >/dev/null 2>&1"
      2⤵
      PID:739
    • /bin/sh
      sh -c "command -v php >/dev/null 2>&1"
      2⤵
      PID:741
    • /bin/sh
      sh -c "command -v nginx >/dev/null 2>&1"
      2⤵
      PID:743
    • /bin/sh
      sh -c "which apache2"
      2⤵
      PID:745
      • /usr/bin/which
        which apache2
        3⤵
        PID:748
    • /bin/sh
      sh -c "which httpd"
      2⤵
      PID:751
      • /usr/bin/which
        which httpd
        3⤵
        PID:753
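The tree shows the persistence and firewall changes in full: the sample wipes the user's existing crontab with `crontab -r`, loads a single `@reboot` entry for its own /tmp path from stdin with `crontab -`, then inserts an INPUT ACCEPT rule for tcp/57002 at the top of the chain with `iptables -I`. The added example below is host triage for exactly those two artifacts; it is not part of the report or the sandbox. The crontab and iptables-save text it parses is constructed to mirror what the sample writes; on a live host feed it the real output of `crontab -l -u <user>` and `iptables-save` instead.

```python
"""Host triage for the persistence and firewall changes seen in the process tree:
an @reboot crontab entry pointing at /tmp and an iptables INPUT ACCEPT rule on an
unexpected port. Added example, not from the report; the crontab and iptables-save
text below is constructed to mirror what the sample writes."""
import re
import shlex

# Locations a scheduled job should never execute from.
SUSPICIOUS_DIRS = ("/tmp/", "/var/tmp/", "/dev/shm/")
SAMPLE_PATH = "/tmp/28dc11bfe01f303a15c73150a9a7cdfda39828722c8ecb698147f78c500140a6"

# Constructed: an ordinary crontab plus the entry the sample installs with `crontab -`.
CRONTAB_SAMPLE = f"""\
SHELL=/bin/sh
MAILTO=root
# m h dom mon dow command
17 * * * * /usr/bin/logrotate /etc/logrotate.conf
@daily /usr/local/bin/backup.sh >/dev/null 2>&1
@reboot {SAMPLE_PATH}
"""

# Constructed iptables-save output after `iptables -I INPUT -p tcp --dport 57002 -j ACCEPT`.
# -I places the rule first, so it takes precedence over every rule below it.
IPTABLES_SAMPLE = """\
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -p tcp -m tcp --dport 57002 -j ACCEPT
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
COMMIT
"""


def parse_crontab(text):
    """Return (schedule, command) pairs, skipping comments and VAR=value lines."""
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("@"):            # @reboot, @daily, ... use one field
            parts = line.split(None, 1)
        else:                               # m h dom mon dow use five fields
            parts = line.split(None, 5)
            if len(parts) < 6 or "=" in parts[0]:
                continue                    # VAR=value or malformed line
            parts = [" ".join(parts[:5]), parts[5]]
        if len(parts) == 2:
            entries.append((parts[0], parts[1].strip()))
    return entries


def suspicious_cron_entries(text):
    """Return (schedule, path) for each entry whose command references a file in
    SUSPICIOUS_DIRS. Every argv token is checked, so `sh -c /tmp/x` is caught too."""
    hits = []
    for sched, cmd in parse_crontab(text):
        try:
            argv = shlex.split(cmd)
        except ValueError:                  # unbalanced quotes: fall back to whitespace
            argv = cmd.split()
        for tok in argv:
            if tok.startswith(SUSPICIOUS_DIRS):
                hits.append((sched, tok))
                break
    return hits


INPUT_ACCEPT_RE = re.compile(r"^-A INPUT\b.*?--dport (\d+)\b.*?-j ACCEPT\b")


def unexpected_accept_ports(iptables_save_text, allowed=frozenset({22, 80, 443})):
    """Ports with an INPUT ACCEPT rule that are not on the allowlist, in rule order."""
    ports = []
    for raw in iptables_save_text.splitlines():
        m = INPUT_ACCEPT_RE.match(raw.strip())
        if m and int(m.group(1)) not in allowed:
            ports.append(int(m.group(1)))
    return ports


if __name__ == "__main__":
    print("cron:", suspicious_cron_entries(CRONTAB_SAMPLE))
    print("unexpected INPUT ACCEPT ports:", unexpected_accept_ports(IPTABLES_SAMPLE))
```

Because the sample runs `crontab -r` first, the absence of a victim's previous jobs is itself an indicator on a host where cron jobs were expected; the `tmp.dh3rdn` spool file listed under Downloads below is the temporary file crontab writes while installing the new table.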

Network

MITRE ATT&CK Enterprise v15

Downloads

  • /var/spool/cron/crontabs/tmp.dh3rdn

    Filesize

    253B

    MD5

    6879c3e8677c0570e342faf096c5740b

    SHA1

    f9a46a263f7fee487a97da084cb95a721d0c9a26

    SHA256

    a77a26d832b7a9a89e6cb4a7a2dc09ad2f6d3bb27b4dccca7440772e07d9e870

    SHA512

    7cc3f271729cb06f0690cc8e604ec3e37c6fd4dd1e00564ddeb1316718f505b1607befa0673180fcd2c30749702f6a16f3384f2f804c69a036ab779a1b164969

  • memory/706-1-0xb6a00000-0xb6d5e3d4-memory.dmp