General

  • Target

    SecuriteInfo.com.Linux.Siggen.7706.4895.27444.elf

  • Size

    3.2MB

  • Sample

    241011-x8c56avajr

  • MD5

    396a812c15bd9809d0c8f438b8517827

  • SHA1

    6a8eb0ee0a05cede17a50ec04b0a549d70325dcb

  • SHA256

    d8a12c39742e862d3c2a72bc85532deb7b62665357a357bf6a4f2ea3ceb8561a

  • SHA512

    83ba44b59c9aa517887d27de612b646a17e1b0e372e216e279f188a75e12759b27f181509287e08e79aa34872b59b711fc8efd014b463f58934f762a8d70e948

  • SSDEEP

    98304:EenYv0GcTOR0aUripytWEGYk91lRujZv9I:bYoOjGhnGPLlqZvW

Malware Config

Targets

    • Target

      SecuriteInfo.com.Linux.Siggen.7706.4895.27444.elf

    • Size

      3.2MB

    • MD5

      396a812c15bd9809d0c8f438b8517827

    • SHA1

      6a8eb0ee0a05cede17a50ec04b0a549d70325dcb

    • SHA256

      d8a12c39742e862d3c2a72bc85532deb7b62665357a357bf6a4f2ea3ceb8561a

    • SHA512

      83ba44b59c9aa517887d27de612b646a17e1b0e372e216e279f188a75e12759b27f181509287e08e79aa34872b59b711fc8efd014b463f58934f762a8d70e948

    • SSDEEP

      98304:EenYv0GcTOR0aUripytWEGYk91lRujZv9I:bYoOjGhnGPLlqZvW

    • Detects Kaiten/Tsunami Payload

    • Detects Kaiten/Tsunami payload

    • Kaiten/Tsunami

      Linux-based IoT botnet which is controlled through IRC and normally used to carry out DDoS attacks.

    • xmrig

      XMRig is a high performance, open source, cross platform CPU/GPU miner.

    • XMRig Miner payload

    • File and Directory Permissions Modification

      Adversaries may modify file or directory permissions to evade defenses.

    • Executes dropped EXE

    • Flushes firewall rules

      Flushes/ disables firewall rules inside the Linux kernel.

    • Loads a kernel module

      Loads a Linux kernel module, potentially to achieve persistence

    • Attempts to change immutable files

      Modifies inode attributes on the filesystem to allow changing of immutable files.

    • Checks hardware identifiers (DMI)

      Checks DMI information which indicate if the system is a virtual machine.

    • Creates/modifies Cron job

      Cron allows running tasks on a schedule, and is commonly used for malware persistence.

    • Enumerates active TCP sockets

      Gets active TCP sockets from /proc virtual filesystem.

    • Enumerates running processes

      Discovers information about currently running processes on the system

    • Modifies init.d

      Adds/modifies system service, likely for persistence.

    • Modifies systemd

      Adds/ modifies systemd service files. Likely to achieve persistence.

    • Reads hardware information

      Accesses system info like serial numbers, manufacturer names etc.

    • Writes file to system bin folder

    • Security Software Discovery

      Adversaries may attempt to discover installed security software and its configurations.

    • UPX packed file

      Detects executables packed with UPX/modified UPX open source packer.

MITRE ATT&CK Enterprise v15

Tasks