Resubmissions

08-10-2024 14:36

241008-ryjx3a1emk 5

08-10-2024 14:14

241008-rj4c6atgqb 10

General

  • Target

    22e4a57ac560ebe1eff8957906589f4dd5934ee555ebcc0f7ba613b07fad2c13

  • Size

    8.9MB

  • Sample

    241008-rj4c6atgqb

  • MD5

    656e22c65bf7c04d87b5afbe52b8d800

  • SHA1

    0fd199053171fec86be186106eac717c4edae2ad

  • SHA256

    22e4a57ac560ebe1eff8957906589f4dd5934ee555ebcc0f7ba613b07fad2c13

  • SHA512

    697954f75e391a6cc600b7d40509ac1a1515cb0a4234cc3ae4270beaf7bbc3a3da23a9cd4f25e0eb4f5956d24ca3866e2574dc9493644845aac1063e1e4b0183

  • SSDEEP

    196608:WVm8yS4rLDSkQLfkwE7tdQagxldCn588VM2ywSb2VEGCN4:WVm0GSkQLkN773+2MHzaV1C2

Malware Config

Targets

    • Target

      22e4a57ac560ebe1eff8957906589f4dd5934ee555ebcc0f7ba613b07fad2c13

    • Size

      8.9MB

    • MD5

      656e22c65bf7c04d87b5afbe52b8d800

    • SHA1

      0fd199053171fec86be186106eac717c4edae2ad

    • SHA256

      22e4a57ac560ebe1eff8957906589f4dd5934ee555ebcc0f7ba613b07fad2c13

    • SHA512

      697954f75e391a6cc600b7d40509ac1a1515cb0a4234cc3ae4270beaf7bbc3a3da23a9cd4f25e0eb4f5956d24ca3866e2574dc9493644845aac1063e1e4b0183

    • SSDEEP

      196608:WVm8yS4rLDSkQLfkwE7tdQagxldCn588VM2ywSb2VEGCN4:WVm0GSkQLkN773+2MHzaV1C2

    • xmrig

      XMRig is a high performance, open source, cross platform CPU/GPU miner.

    • Modifies the dynamic linker configuration file

      Malware can modify the configuration file of the dynamic linker (/etc/ld.so.preload) to preload malicious libraries into every executed process.

    • XMRig Miner payload

    • File and Directory Permissions Modification

      Adversaries may modify file or directory permissions to evade defenses.

    • Indicator Removal: Clear Command History

      Adversaries may remove indicators of compromise from the host to evade detection.

    • Deletes itself

    • Executes dropped EXE

    • Checks hardware identifiers (DMI)

      Checks DMI information that indicates whether the system is a virtual machine.

    • Creates/modifies Cron job

      Cron allows running tasks on a schedule, and is commonly used for malware persistence.

    • Creates/modifies environment variables

      Creating/modifying environment variables is a common persistence mechanism.

    • Disables SELinux

      Disables SELinux security module.

    • Enumerates active TCP sockets

      Gets active TCP sockets from the /proc virtual filesystem.

    • Enumerates running processes

      Discovers information about currently running processes on the system.

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Modifies special file permissions

      Adds special setuid and/or setgid bits on a file, possibly to elevate privileges.

    • Modifies systemd

      Adds/modifies systemd service files, likely to achieve persistence.

    • Reads hardware information

      Accesses system info like serial numbers, manufacturer names etc.

    • Reads list of loaded kernel modules

      Reads the list of currently loaded kernel modules, possibly to detect virtual environments.

    • Writes file to system bin folder

    • Indicator Removal: Timestomp

      Adversaries may modify file timestamps so that dropped files blend in with legitimate ones and evade timeline-based detection.

    • Modifies Bash startup script

    • UPX packed file

      Detects executables packed with UPX/modified UPX open source packer.
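The signatures above describe where this sample persists and how it evades defences, but not how to check a host for them. The following host-triage script is an added example written for this page; it is not code from the sandbox, the report, or XMRig. It walks a filesystem tree for the artefacts the signatures name: non-comment entries in /etc/ld.so.preload, cron and systemd entries that launch a miner or run from a world-writable directory, bash startup scripts that launch payloads or disable history, a persistently disabled SELinux config, and setuid/setgid or UPX-packed files in system bin directories. The miner indicators (the xmrig name, Stratum URLs, the --donate-level flag, curl/wget piped to a shell) and the fixture contents in build_fixture are assumptions constructed for the example, not indicators taken from the report; the `root` parameter lets the same checks run against a mounted disk image or the constructed fixture instead of the live system.

```python
"""Host triage for the Linux persistence/evasion behaviours listed in the report (added example)."""
import os
import re
import stat
import tempfile

# Assumed miner indicators (not from the report): XMRig's own name and flags, the
# Stratum pool URL scheme, and the usual curl/wget-pipe-to-shell dropper line.
MINER = re.compile(r"xmrig|stratum\+tcp://|--donate-level|(curl|wget)\s.*\|\s*(ba)?sh", re.I)
TEMPDIR = re.compile(r"^[-@+!:]*/(tmp|dev/shm|var/tmp)/")  # ExecStart prefixes stripped
BIN_DIRS = ("bin", "sbin", "usr/bin", "usr/sbin", "usr/local/bin", "usr/local/sbin")
CRON = ("etc/crontab", "etc/cron.d", "var/spool/cron")
SYSTEMD = ("etc/systemd/system", "usr/lib/systemd/system", "lib/systemd/system")
SHELL_RC = ("etc/profile", "etc/bash.bashrc", "root/.bashrc", "root/.bash_profile", "root/.profile")


def _read(path, binary=False):
    """Return file contents (first 4 KiB when binary), or empty if unreadable."""
    try:
        with open(path, "rb" if binary else "r") as fh:
            return fh.read(4096) if binary else fh.read()
    except (OSError, UnicodeDecodeError):
        return b"" if binary else ""


def _files(path):
    """Yield `path` itself if it is a file, else every file below it."""
    if os.path.isfile(path):
        yield path
    for base, _dirs, names in os.walk(path):
        for name in names:
            yield os.path.join(base, name)


def triage(root="/"):
    """Return (indicator, detail) tuples for the filesystem tree under `root`."""
    j = lambda rel: os.path.join(root, rel)
    out = []
    # T1574.006: a healthy host has no /etc/ld.so.preload or an empty one.
    for line in _read(j("etc/ld.so.preload")).splitlines():
        if line.strip() and not line.lstrip().startswith("#"):
            out.append(("ld.so.preload entry", line.strip()))
    # T1053.003: cron lines that launch a miner or fetch a second stage.
    for rel in CRON:
        for f in _files(j(rel)):
            for line in _read(f).splitlines():
                if MINER.search(line):
                    out.append(("cron entry", f"{f}: {line.strip()}"))
    # T1543.002: units whose ExecStart is a miner or lives in a world-writable dir.
    for rel in SYSTEMD:
        for f in _files(j(rel)):
            m = re.search(r"^ExecStart\s*=\s*(.+)$", _read(f), re.M) if f.endswith(".service") else None
            if m and (MINER.search(m.group(1)) or TEMPDIR.search(m.group(1))):
                out.append(("systemd ExecStart", f"{f}: {m.group(1).strip()}"))
    # T1546.004 / T1070.003: startup scripts that launch payloads or kill shell history.
    for rel in SHELL_RC:
        for line in _read(j(rel)).splitlines():
            if MINER.search(line) or re.search(r"ld\.so\.preload|unset\s+HISTFILE|HISTSIZE=0", line):
                out.append(("shell startup script", f"{rel}: {line.strip()}"))
    # T1562.001: SELinux switched off persistently in its config file.
    m = re.search(r"^SELINUX\s*=\s*(disabled|permissive)\s*$", _read(j("etc/selinux/config")), re.M)
    if m:
        out.append(("SELinux config", m.group(0).strip()))
    # T1222.002 / T1027.002: setuid/setgid or UPX-packed files in system bin dirs.
    # Legitimate setuid helpers (sudo, passwd, ...) show up too: diff against the package DB.
    for rel in BIN_DIRS:
        for f in _files(j(rel)):
            try:
                st = os.lstat(f)
            except OSError:
                continue
            if stat.S_ISREG(st.st_mode) and st.st_mode & (stat.S_ISUID | stat.S_ISGID):
                out.append(("setuid/setgid binary", f))
            if stat.S_ISREG(st.st_mode) and b"UPX!" in _read(f, binary=True):
                out.append(("UPX-packed binary", f))
    return out


def build_fixture(root):
    """Constructed sample tree (not real artefacts from the sample) hitting each check."""
    files = {
        "etc/ld.so.preload": "/usr/local/lib/libhide.so\n",
        "etc/crontab": "0 * * * * root /tmp/.x/xmrig -o stratum+tcp://pool.example:3333\n",
        "etc/systemd/system/sysupdate.service": "[Service]\nExecStart=/dev/shm/.s/run\n",
        "root/.bashrc": "unset HISTFILE\n",
        "etc/selinux/config": "SELINUX=disabled\nSELINUXTYPE=targeted\n",
    }
    for rel, text in files.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w") as fh:
            fh.write(text)
    bad = os.path.join(root, "usr/bin/.sysupdate")
    os.makedirs(os.path.dirname(bad), exist_ok=True)
    with open(bad, "wb") as fh:
        fh.write(b"\x7fELF" + b"\0" * 60 + b"UPX!")  # fake header carrying the UPX magic
    os.chmod(bad, 0o4755)  # setuid root-style bit, as the "Modifies special file permissions" signature
    return root


def demo():
    """Build a fresh fixture in a temp dir and return the triage findings for it."""
    return triage(build_fixture(tempfile.mkdtemp(prefix="triage-")))


if __name__ == "__main__":
    for kind, detail in demo():
        print(f"[{kind}] {detail}")
```

Run it as root with no argument to inspect the live host, or pass a mount point of an offline image to `triage()`; against the constructed fixture it reports one finding per signature category. The setuid list is deliberately unfiltered so that nothing the package manager did not install is hidden by an allowlist; compare it against `rpm -Va` or `dpkg -V` output before acting on it.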

MITRE ATT&CK Enterprise v15

Tasks