Analysis Overview
SHA256
28dc11bfe01f303a15c73150a9a7cdfda39828722c8ecb698147f78c500140a6
Threat Level: Known bad
The file 28dc11bfe01f303a15c73150a9a7cdfda39828722c8ecb698147f78c500140a6 was found to be: Known bad.
Malicious Activity Summary
xmrig
XMRig Miner payload
UPX packed file
Creates/modifies Cron job
Enumerates running processes
Checks CPU configuration
Reads CPU attributes
Changes its process name
Enumerates kernel/hardware configuration
Reads runtime system information
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-07-19 01:22
Signatures
UPX packed file
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-07-19 01:22
Reported
2024-07-19 01:22
Platform
debian12-armhf-20240221-en
Max time kernel
8s
Max time network
12s
Command Line
Signatures
xmrig
XMRig Miner payload
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
Creates/modifies Cron job
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| File opened for modification | /var/spool/cron/crontabs/tmp.Xrzipq | /usr/bin/crontab | N/A |
Enumerates running processes
Changes its process name
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Changes the process name, possibly in an attempt to hide itself | bash | N/A | N/A |
Checks CPU configuration
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| File opened for reading | /proc/cpuinfo | /tmp/28dc11bfe01f303a15c73150a9a7cdfda39828722c8ecb698147f78c500140a6 | N/A |
Reads CPU attributes
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| File opened for reading | /sys/devices/system/cpu/cpu0/topology/package_cpus | /tmp/28dc11bfe01f303a15c73150a9a7cdfda39828722c8ecb698147f78c500140a6 | N/A |
| File opened for reading | /sys/devices/system/cpu/cpu0/topology/physical_package_id | /tmp/28dc11bfe01f303a15c73150a9a7cdfda39828722c8ecb698147f78c500140a6 | N/A |
| File opened for reading | /sys/devices/system/cpu/cpu0/cache/index2/shared_cpu_map | /tmp/28dc11bfe01f303a15c73150a9a7cdfda39828722c8ecb698147f78c500140a6 | N/A |
| File opened for reading | /sys/devices/system/cpu/cpu0/cpufreq/base_frequency | /tmp/28dc11bfe01f303a15c73150a9a7cdfda39828722c8ecb698147f78c500140a6 | N/A |
| File opened for reading | /sys/devices/system/cpu/cpu0/cache/index9/shared_cpu_map | /tmp/28dc11bfe01f303a15c73150a9a7cdfda39828722c8ecb698147f78c500140a6 | N/A |
| File opened for reading | /sys/devices/system/cpu/cpu0/cpu_capacity | /tmp/28dc11bfe01f303a15c73150a9a7cdfda39828722c8ecb698147f78c500140a6 | N/A |
| File opened for reading | /sys/devices/system/cpu/cpu0/topology/core_cpus | /tmp/28dc11bfe01f303a15c73150a9a7cdfda39828722c8ecb698147f78c500140a6 | N/A |
| File opened for reading | /sys/devices/system/cpu/cpu0/topology/core_id | /tmp/28dc11bfe01f303a15c73150a9a7cdfda39828722c8ecb698147f78c500140a6 | N/A |
| File opened for reading | /sys/devices/system/cpu/cpu0/topology/cluster_cpus | /tmp/28dc11bfe01f303a15c73150a9a7cdfda39828722c8ecb698147f78c500140a6 | N/A |
| File opened for reading | /sys/devices/system/cpu/cpu0/cache/index0/shared_cpu_map | /tmp/28dc11bfe01f303a15c73150a9a7cdfda39828722c8ecb698147f78c500140a6 | N/A |
| File opened for reading | /sys/devices/system/cpu/cpu0/cache/index1/shared_cpu_map | /tmp/28dc11bfe01f303a15c73150a9a7cdfda39828722c8ecb698147f78c500140a6 | N/A |
| File opened for reading | /sys/devices/system/cpu/cpu0/cache/index8/shared_cpu_map | /tmp/28dc11bfe01f303a15c73150a9a7cdfda39828722c8ecb698147f78c500140a6 | N/A |
| File opened for reading | /sys/devices/system/cpu/online | /tmp/28dc11bfe01f303a15c73150a9a7cdfda39828722c8ecb698147f78c500140a6 | N/A |
| File opened for reading | /sys/devices/system/cpu/cpu0/topology/die_cpus | /tmp/28dc11bfe01f303a15c73150a9a7cdfda39828722c8ecb698147f78c500140a6 | N/A |
| File opened for reading | /sys/devices/system/cpu/cpu0/cache/index3/shared_cpu_map | /tmp/28dc11bfe01f303a15c73150a9a7cdfda39828722c8ecb698147f78c500140a6 | N/A |
| File opened for reading | /sys/devices/system/cpu/cpu0/cache/index6/shared_cpu_map | /tmp/28dc11bfe01f303a15c73150a9a7cdfda39828722c8ecb698147f78c500140a6 | N/A |
| File opened for reading | /sys/devices/system/cpu/cpu0/cache/index7/shared_cpu_map | /tmp/28dc11bfe01f303a15c73150a9a7cdfda39828722c8ecb698147f78c500140a6 | N/A |
| File opened for reading | /sys/devices/system/cpu/cpu0/cache/index4/shared_cpu_map | /tmp/28dc11bfe01f303a15c73150a9a7cdfda39828722c8ecb698147f78c500140a6 | N/A |
| File opened for reading | /sys/devices/system/cpu/cpu0/cache/index5/shared_cpu_map | /tmp/28dc11bfe01f303a15c73150a9a7cdfda39828722c8ecb698147f78c500140a6 | N/A |
| File opened for reading | /sys/devices/system/cpu/cpu0/cpufreq/cpuinfo_max_freq | /tmp/28dc11bfe01f303a15c73150a9a7cdfda39828722c8ecb698147f78c500140a6 | N/A |
Enumerates kernel/hardware configuration
Reads runtime system information
Processes
/tmp/28dc11bfe01f303a15c73150a9a7cdfda39828722c8ecb698147f78c500140a6
[/tmp/28dc11bfe01f303a15c73150a9a7cdfda39828722c8ecb698147f78c500140a6]
/bin/sh
[sh -c command -v crontab >/dev/null 2>&1]
/bin/sh
[sh -c crontab -r >/dev/null 2>&1; echo "@reboot /tmp/28dc11bfe01f303a15c73150a9a7cdfda39828722c8ecb698147f78c500140a6" | crontab -]
/usr/bin/crontab
[crontab -r]
/usr/bin/crontab
[crontab -]
/bin/sh
[sh -c iptables -I INPUT -p tcp --dport 18178 -j ACCEPT >/dev/null 2>&1]
/bin/sh
[sh -c command -v php >/dev/null 2>&1]
/bin/sh
[sh -c command -v nginx >/dev/null 2>&1]
/bin/sh
[sh -c which apache2]
/usr/bin/which
[which apache2]
/bin/sh
[sh -c which httpd]
/usr/bin/which
[which httpd]
Network
| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| SE | 95.215.19.53:853 | | tcp |
| AU | 1.0.0.1:853 | | tcp |
| US | 1.1.1.1:853 | | tcp |
| US | 8.8.4.4:853 | | tcp |
| US | 8.8.8.8:853 | | tcp |
| DE | 217.160.70.42:853 | | tcp |
| NO | 185.181.61.24:853 | | tcp |
| DE | 81.169.136.222:853 | | tcp |
| DE | 80.152.203.134:853 | | tcp |
| FR | 51.158.108.203:853 | | tcp |
| US | 168.235.111.72:853 | | tcp |
| DE | 194.36.144.87:853 | | tcp |
| DE | 152.53.15.127:853 | | tcp |
| US | 1.1.1.1:53 | debian12-armhf-20240221-en-4 | udp |
| NL | 164.215.103.47:43782 | | tcp |
| US | 1.1.1.1:53 | debian12-armhf-20240221-en-4 | udp |
| US | 1.1.1.1:53 | debian12-armhf-20240221-en-4 | udp |
| US | 1.1.1.1:53 | debian12-armhf-20240221-en-4 | udp |
Files
memory/708-1-0xb6a00000-0xb6d5e3d4-memory.dmp
/var/spool/cron/crontabs/tmp.Xrzipq
| Hash | Value |
| --- | --- |
| MD5 | 2914093b38f4bfe2830ee60a7a82dff7 |
| SHA1 | e628d83f49846e82ac0769d40e04feedb7800eda |
| SHA256 | 76430c7a425ca1ea6ea6c6f207e797e549bc83ea5b6ec5fbf7027a067825b59c |
| SHA512 | 54719fc593d486ebe96acc65ebf3bfa99466804735affaf274d886f975141c9b41e2bd922be284c144edcfe44b5d2761d343e18a3e6ccbdd04a2040cf67c428f |