General
-
Target
22e4a57ac560ebe1eff8957906589f4dd5934ee555ebcc0f7ba613b07fad2c13
-
Size
8.9MB
-
Sample
241008-rj4c6atgqb
-
MD5
656e22c65bf7c04d87b5afbe52b8d800
-
SHA1
0fd199053171fec86be186106eac717c4edae2ad
-
SHA256
22e4a57ac560ebe1eff8957906589f4dd5934ee555ebcc0f7ba613b07fad2c13
-
SHA512
697954f75e391a6cc600b7d40509ac1a1515cb0a4234cc3ae4270beaf7bbc3a3da23a9cd4f25e0eb4f5956d24ca3866e2574dc9493644845aac1063e1e4b0183
-
SSDEEP
196608:WVm8yS4rLDSkQLfkwE7tdQagxldCn588VM2ywSb2VEGCN4:WVm0GSkQLkN773+2MHzaV1C2
Behavioral task
behavioral1
Sample
22e4a57ac560ebe1eff8957906589f4dd5934ee555ebcc0f7ba613b07fad2c13
Resource
ubuntu2404-amd64-20240523-en
Malware Config
Targets
-
-
Target
22e4a57ac560ebe1eff8957906589f4dd5934ee555ebcc0f7ba613b07fad2c13
-
Size
8.9MB
-
MD5
656e22c65bf7c04d87b5afbe52b8d800
-
SHA1
0fd199053171fec86be186106eac717c4edae2ad
-
SHA256
22e4a57ac560ebe1eff8957906589f4dd5934ee555ebcc0f7ba613b07fad2c13
-
SHA512
697954f75e391a6cc600b7d40509ac1a1515cb0a4234cc3ae4270beaf7bbc3a3da23a9cd4f25e0eb4f5956d24ca3866e2574dc9493644845aac1063e1e4b0183
-
SSDEEP
196608:WVm8yS4rLDSkQLfkwE7tdQagxldCn588VM2ywSb2VEGCN4:WVm0GSkQLkN773+2MHzaV1C2
-
Modifies the dynamic linker configuration file
Malware can modify the configuration file of the dynamic linker to preload malicious libraries into every executed process.
-
XMRig Miner payload
-
File and Directory Permissions Modification
Adversaries may modify file or directory permissions to evade defenses.
-
Indicator Removal: Clear Command History
Adversaries may remove indicators of compromise from the host to evade detection.
-
Deletes itself
-
Executes dropped EXE
-
Checks hardware identifiers (DMI)
Checks DMI information that indicates whether the system is a virtual machine.
-
Creates/modifies Cron job
Cron allows running tasks on a schedule, and is commonly used for malware persistence.
-
Creates/modifies environment variables
Creating/modifying environment variables is a common persistence mechanism.
-
Enumerates running processes
Discovers information about processes currently running on the system.
-
Looks up external IP address via web service
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Modifies special file permissions
Adds the special setuid and/or setgid bits to a file, possibly to elevate privileges.
-
Modifies systemd
Adds or modifies systemd service files, likely to achieve persistence.
-
Reads hardware information
Accesses system information such as serial numbers and manufacturer names.
-
Reads list of loaded kernel modules
Reads the list of currently loaded kernel modules, possibly to detect virtual environments.
-
Writes file to system bin folder
-
Indicator Removal: Timestomp
Adversaries may remove indicators of compromise from the host to evade detection.
-
Modifies Bash startup script
-
MITRE ATT&CK Enterprise v15
Execution
- Command and Scripting Interpreter (1)
  - Unix Shell (1)
- Scheduled Task/Job (1)
  - Cron (1)
- Shared Modules (1)
Persistence
- Boot or Logon Autostart Execution (2)
  - XDG Autostart Entries (1)
- Create or Modify System Process (1)
  - Systemd Service (1)
- Event Triggered Execution (1)
  - Unix Shell Configuration Modification (1)
- Hijack Execution Flow (2)
  - Dynamic Linker Hijacking (1)
  - Path Interception by PATH Environment Variable (1)
- Scheduled Task/Job (1)
  - Cron (1)
Privilege Escalation
- Abuse Elevation Control Mechanism (1)
  - Setuid and Setgid (1)
- Boot or Logon Autostart Execution (2)
  - XDG Autostart Entries (1)
- Create or Modify System Process (1)
  - Systemd Service (1)
- Event Triggered Execution (1)
  - Unix Shell Configuration Modification (1)
- Hijack Execution Flow (2)
  - Dynamic Linker Hijacking (1)
  - Path Interception by PATH Environment Variable (1)
- Scheduled Task/Job (1)
  - Cron (1)
Defense Evasion
- Abuse Elevation Control Mechanism (1)
  - Setuid and Setgid (1)
- File and Directory Permissions Modification (1)
  - Linux and Mac File and Directory Permissions Modification (1)
- Hijack Execution Flow (2)
  - Dynamic Linker Hijacking (1)
  - Path Interception by PATH Environment Variable (1)
- Impair Defenses (1)
  - Disable or Modify Tools (1)
- Indicator Removal (2)
  - Clear Command History (1)
  - Timestomp (1)
- Virtualization/Sandbox Evasion (3)
  - System Checks (2)