Analysis

  • max time kernel
    13s
  • max time network
    14s
  • platform
    ubuntu-24.04_amd64
  • resource
    ubuntu2404-amd64-20240523-en
  • resource tags

    arch:amd64, arch:i386, image:ubuntu2404-amd64-20240523-en, kernel:6.8.0-31-generic, locale:en-us, os:ubuntu-24.04-amd64, system
  • submitted
    18-07-2024 17:02

General

  • Target

    17229e1940e272030b079915600ea9fd944b8250680d89e1ee1eca42bbe3772f

  • Size

    1.6MB

  • MD5

    36b5b760bb1334e2feb50ae169f19c00

  • SHA1

    6dfcc0dcd64a8e498d3204b568a1679b85dcf314

  • SHA256

    17229e1940e272030b079915600ea9fd944b8250680d89e1ee1eca42bbe3772f

  • SHA512

    759cc113d7d73bcf62da54ee70fdc49817325f5580eef4fbe8a69d1e1777a2650ee94e4e6f26b1c2e5d777e534a8e961b140b587f0d30d4108de66ba0f7f8322

  • SSDEEP

    49152:ZrkdckdSMUFKV3WAiYT+rhQe+x/tM+imbXWMuV:ZrpkdSzFKVWSKav1TXXs

Malware Config

Signatures

  • xmrig

    XMRig is a high performance, open source, cross platform CPU/GPU miner.

  • Contacts a large number (71001) of remote hosts 1 TTPs

    This may indicate a network scan to discover remotely running services.

  • Creates a large number of network flows 1 TTPs

    This may indicate a network scan to discover remotely running services.

  • XMRig Miner payload 1 IoCs
  • Unexpected DNS network traffic destination 5 IoCs

    Network traffic to other servers than the configured DNS servers was detected on the DNS port.

  • Checks hardware identifiers (DMI) 1 TTPs 4 IoCs

    Checks DMI information that indicates whether the system is a virtual machine.

  • Creates/modifies Cron job 1 TTPs 1 IoCs

    Cron allows running tasks on a schedule, and is commonly used for malware persistence.

  • Enumerates running processes

    Discovers information about currently running processes on the system

  • Reads hardware information 1 TTPs 14 IoCs

    Accesses system info like serial numbers, manufacturer names etc.

  • Changes its process name 1 IoCs
  • Checks CPU configuration 1 TTPs 1 IoCs

    Checks CPU information that indicates whether the system is a virtual machine.

  • Reads CPU attributes 1 TTPs 45 IoCs
  • Enumerates kernel/hardware configuration 1 TTPs 27 IoCs

    Reads contents of /sys virtual filesystem to enumerate system information.

  • Reads runtime system information 64 IoCs

    Reads data from /proc virtual filesystem.
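The two network signatures above ("Contacts a large number of remote hosts" and "Unexpected DNS network traffic destination") are simple enough to reproduce over flow records. The following is an added example, not the sandbox's own detection logic: it runs both heuristics over constructed flow records. The resolver address, the host-count threshold and the port-concentration ratio are assumptions chosen for the example, not values taken from the report.

```python
"""Added example (not the sandbox's own detection code): the two network
heuristics listed under Signatures, run over constructed flow records.
The resolver address, host threshold and concentration ratio are assumptions."""
import ipaddress
from collections import Counter
from typing import Iterable, List, NamedTuple, Set


class Flow(NamedTuple):
    proto: str      # "tcp" or "udp"
    dst_ip: str
    dst_port: int


# Assumption: the resolver(s) the analysis VM is configured to use.
CONFIGURED_DNS: Set[str] = {"10.0.0.2"}
# Assumption: alert when one process talks to this many distinct hosts.
# The report's sample reached 71001; a real threshold is tuned per network.
SCAN_HOST_THRESHOLD = 500
# Assumption: a sweep concentrates almost all flows on one destination port.
PORT_CONCENTRATION = 0.9


def distinct_remote_hosts(flows: Iterable[Flow]) -> int:
    """Number of unique destination addresses, the basis of the
    'Contacts a large number of remote hosts' signature."""
    return len({f.dst_ip for f in flows})


def looks_like_scan(flows: List[Flow]) -> bool:
    """Fires when the host count crosses the threshold AND the traffic is
    concentrated on one port, which is what a service sweep looks like."""
    if not flows:
        return False
    ports = Counter(f.dst_port for f in flows)
    _, top_count = ports.most_common(1)[0]
    concentrated = top_count / len(flows) >= PORT_CONCENTRATION
    return distinct_remote_hosts(flows) >= SCAN_HOST_THRESHOLD and concentrated


def unexpected_dns_destinations(flows: Iterable[Flow]) -> Set[str]:
    """'Unexpected DNS network traffic destination': any flow on port 53
    whose destination is not one of the configured resolvers."""
    return {f.dst_ip for f in flows
            if f.dst_port == 53 and f.dst_ip not in CONFIGURED_DNS}


def constructed_flows() -> List[Flow]:
    """Constructed sample traffic: a TCP/80 sweep across three documentation
    /24s (762 hosts), one query to the configured resolver, and two DNS-port
    connections to hosts that are not resolvers."""
    flows = [Flow("tcp", str(ip), 80)
             for net in ("192.0.2.0/24", "198.51.100.0/24", "203.0.113.0/24")
             for ip in ipaddress.ip_network(net).hosts()]
    flows.append(Flow("udp", "10.0.0.2", 53))       # the configured resolver
    flows.append(Flow("udp", "203.0.113.7", 53))    # not a configured resolver
    flows.append(Flow("tcp", "198.51.100.9", 53))   # DNS port over TCP, also odd
    return flows


if __name__ == "__main__":
    sample = constructed_flows()
    print("distinct hosts:", distinct_remote_hosts(sample))
    print("looks like a scan:", looks_like_scan(sample))
    print("unexpected DNS destinations:", sorted(unexpected_dns_destinations(sample)))
```

The port-concentration check is what keeps a busy but legitimate client (many hosts, many ports) from tripping the scan rule; the DNS check is deliberately port-based rather than protocol-based so that direct-to-IP resolvers and DNS-tunnelling endpoints both surface.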

Processes

  • /tmp/17229e1940e272030b079915600ea9fd944b8250680d89e1ee1eca42bbe3772f
    /tmp/17229e1940e272030b079915600ea9fd944b8250680d89e1ee1eca42bbe3772f
    1⤵
    • Checks hardware identifiers (DMI)
    • Reads hardware information
    • Checks CPU configuration
    • Reads CPU attributes
    • Enumerates kernel/hardware configuration
    • Reads runtime system information
    PID:2447
    • /bin/sh
      sh -c "command -v crontab >/dev/null 2>&1"
      2⤵
      PID:2450
    • /bin/sh
      sh -c "crontab -r >/dev/null 2>&1; echo \"@reboot /tmp/17229e1940e272030b079915600ea9fd944b8250680d89e1ee1eca42bbe3772f\" | crontab -"
      2⤵
      PID:2451
      • /usr/bin/crontab
        crontab -r
        3⤵
        PID:2452
      • /usr/bin/crontab
        crontab -
        3⤵
        • Creates/modifies Cron job
        PID:2454
    • /bin/sh
      sh -c "iptables -I INPUT -p tcp --dport 60678 -j ACCEPT >/dev/null 2>&1"
      2⤵
      PID:2455
    • /bin/sh
      sh -c "command -v php >/dev/null 2>&1"
      2⤵
      PID:2456
    • /bin/sh
      sh -c "command -v nginx >/dev/null 2>&1"
      2⤵
      PID:2457
    • /bin/sh
      sh -c "which apache2"
      2⤵
      PID:2458
      • /usr/bin/which
        which apache2
        3⤵
        PID:2459
    • /bin/sh
      sh -c "which httpd"
      2⤵
      PID:2460
      • /usr/bin/which
        which httpd
        3⤵
        PID:2461
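The process tree shows the sample's two persistence and exposure steps in the clear: it wipes the current user's crontab with `crontab -r`, installs a single `@reboot` entry that re-launches itself from /tmp, and opens TCP/60678 inbound with `iptables -I INPUT ... -j ACCEPT` before probing for php, nginx, apache2 and httpd. The following is an added example, not part of the report: a host-side check for those two artifacts, parsing text in the shape `crontab -l` and `iptables-save` produce, plus a match against the sample's SHA256 from the General section. The crontab and iptables inputs are constructed for the example; only the cron command, the port and the hash come from the page.

```python
"""Added example, not part of the sandbox report: hunt for the cron
persistence and the inbound firewall rule visible in the process tree,
and match file contents against the report's SHA256. Inputs below are
constructed text in the shape `crontab -l` and `iptables-save` emit."""
import hashlib
import re
from typing import List, NamedTuple, Tuple

# From the report: the sample's SHA256 and the inbound port it opened.
SAMPLE_SHA256 = "17229e1940e272030b079915600ea9fd944b8250680d89e1ee1eca42bbe3772f"
OPENED_PORT = 60678

# Assumption: directories from which a scheduled command should never run.
SUSPECT_DIRS = ("/tmp/", "/var/tmp/", "/dev/shm/")


class CronFinding(NamedTuple):
    line: str
    reason: str


def suspicious_cron_entries(crontab_text: str) -> List[CronFinding]:
    """Flag @reboot entries and any entry whose command lives in a temp
    directory. Blank lines and comments are skipped; both @-shorthand and
    five-field schedules are handled."""
    findings = []
    for raw in crontab_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split()
        cmd = " ".join(parts[1:] if line.startswith("@") else parts[5:])
        reasons = []
        if line.startswith("@reboot"):
            reasons.append("@reboot persistence")
        if cmd.startswith(SUSPECT_DIRS):
            reasons.append("command runs from a temp directory")
        if reasons:
            findings.append(CronFinding(line, "; ".join(reasons)))
    return findings


# iptables-save renders `iptables -I INPUT -p tcp --dport N -j ACCEPT` as
# "-A INPUT -p tcp -m tcp --dport N -j ACCEPT"; match that shape.
IPTABLES_ACCEPT = re.compile(
    r"^-A INPUT\b.*\s-p\s+(?P<proto>tcp|udp)\b.*--dport\s+(?P<port>\d+).*-j\s+ACCEPT\b")


def accepted_inbound_ports(iptables_save_text: str) -> List[Tuple[str, int]]:
    """Return (proto, port) for every INPUT rule that accepts a destination port."""
    out = []
    for line in iptables_save_text.splitlines():
        m = IPTABLES_ACCEPT.match(line.strip())
        if m:
            out.append((m.group("proto"), int(m.group("port"))))
    return out


def matches_sample(data: bytes) -> bool:
    """True if the bytes hash to the report's SHA256 IOC."""
    return hashlib.sha256(data).hexdigest() == SAMPLE_SHA256


# Constructed: a user crontab after the sample's `crontab -r; echo ... | crontab -`
# plus one legitimate job, and an iptables-save dump with the added rule.
CONSTRUCTED_CRONTAB = """\
# m h dom mon dow command
0 3 * * * /usr/local/bin/backup.sh
@reboot /tmp/17229e1940e272030b079915600ea9fd944b8250680d89e1ee1eca42bbe3772f
"""

CONSTRUCTED_IPTABLES = """\
*filter
:INPUT ACCEPT [0:0]
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 60678 -j ACCEPT
COMMIT
"""


def report(crontab_text: str, iptables_text: str) -> List[str]:
    """Human-readable findings for both inputs."""
    lines = [f"cron: {f.line}  [{f.reason}]" for f in suspicious_cron_entries(crontab_text)]
    for proto, port in accepted_inbound_ports(iptables_text):
        tag = "  <- port opened by the sample" if port == OPENED_PORT else ""
        lines.append(f"iptables: {proto}/{port} accepted inbound{tag}")
    return lines


if __name__ == "__main__":
    for line in report(CONSTRUCTED_CRONTAB, CONSTRUCTED_IPTABLES):
        print(line)
```

On Ubuntu the per-user crontabs live under /var/spool/cron/crontabs/, which is where the tmp.S97xzT file listed under Downloads was written by `crontab -`; feed each file there, and `iptables-save` output, to the two parsers. Because the sample runs `crontab -r` first, an infected user's own scheduled jobs are gone, so an empty or single-line crontab for an account that used to have jobs is itself a signal.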

Network

MITRE ATT&CK Enterprise v15

Downloads

  • /var/spool/cron/crontabs/tmp.S97xzT

    Filesize
    253B

    MD5
    c99d728fe82ad8f72b2c440edb9ac221

    SHA1
    54297b991038c2fe9db85f529ebb9f2681f9850f

    SHA256
    170a2fca4fab721f64cc4063780776192dd955a27840f889c6eb231c8f36f8e0

    SHA512
    0d7ce6cf80f62ce6ed4682c2c58ab5b77b361c13a84d398d9a5f606122a17a7f29c6c05a46b7fb34529f2f75d64d285e5f5eccf550c6dd7b227bbad9337c0456

  • memory/2447-1-0x00007450c5600000-0x00007450c5c61750-memory.dmp