General

  • Target

    2636f4d5fa29c3747036d385c3eee167aba1aad58c29597d21df7e42c6149a35.elf

  • Size

    1KB

  • Sample

    241019-bm46vsyalb

  • MD5

    a3a1adfcbc6207f3e6e0c35d3cf03904

  • SHA1

    f10f7793d4d78120395d11d7020ab626995e2c01

  • SHA256

    2636f4d5fa29c3747036d385c3eee167aba1aad58c29597d21df7e42c6149a35

  • SHA512

    d66495bda3366633baed9e80dafb494bbe39cccb331a1b031c239650866489d6e45db7a9e5f3fe4e951e3f321d9eb9a0c7abf00ede54f6548c4235b9ef3debf9

Malware Config

Extracted

Family

metasploit

Version

encoder/shikata_ga_nai

Targets

    • Target

      2636f4d5fa29c3747036d385c3eee167aba1aad58c29597d21df7e42c6149a35.elf

    • Size

      1KB

    • MD5

      a3a1adfcbc6207f3e6e0c35d3cf03904

    • SHA1

      f10f7793d4d78120395d11d7020ab626995e2c01

    • SHA256

      2636f4d5fa29c3747036d385c3eee167aba1aad58c29597d21df7e42c6149a35

    • SHA512

      d66495bda3366633baed9e80dafb494bbe39cccb331a1b031c239650866489d6e45db7a9e5f3fe4e951e3f321d9eb9a0c7abf00ede54f6548c4235b9ef3debf9

    • MetaSploit

      Detected malicious payload which is part of the Metasploit Framework, likely generated with msfvenom or similar.

    • XMRig Miner payload

    • xmrig

      XMRig is a high performance, open source, cross platform CPU/GPU miner.

    • File and Directory Permissions Modification

      Adversaries may modify file or directory permissions to evade defenses.

    • Executes dropped EXE

    • Checks hardware identifiers (DMI)

      Checks DMI information which indicate if the system is a virtual machine.

    • Creates/modifies Cron job

      Cron allows running tasks on a schedule, and is commonly used for malware persistence.

    • Reads hardware information

      Accesses system info like serial numbers, manufacturer names etc.

    • Uses Polkit to run commands

      Uses Polkit pkexec as a proxy to execute commands, possibly to bypass security restrictions.

MITRE ATT&CK Enterprise v15

Tasks