General

  • Target

    1bf4fcd6d035805d44b5ae7ec67860911ed4c43f94e827c988992d0587d1ab40

  • Size

    46KB

  • Sample

    241020-sln7pawgqn

  • MD5

    150dc9ae7c5729552ec2e92a7bc49095

  • SHA1

    2aed6d97f2c3400e1eb7e136e245a6f45ef4ae1f

  • SHA256

    1bf4fcd6d035805d44b5ae7ec67860911ed4c43f94e827c988992d0587d1ab40

  • SHA512

    13c40ba893a9f7a0f3e674400025f65e041e91f09b6def779078e391e35a3dedaf55742e68ae0b9b6f3c9120c1628266fb16348b674e988d146ed3d7b2c3f9c7

  • SSDEEP

    768:bxlT2wDuWvWi7JFNcuFkc2zq0x3UKnicZuiR/amT8z:8wF+Lc2/FicfSmT8z

Malware Config

Targets

    • Target

      1bf4fcd6d035805d44b5ae7ec67860911ed4c43f94e827c988992d0587d1ab40

    • Size

      46KB

    • MD5

      150dc9ae7c5729552ec2e92a7bc49095

    • SHA1

      2aed6d97f2c3400e1eb7e136e245a6f45ef4ae1f

    • SHA256

      1bf4fcd6d035805d44b5ae7ec67860911ed4c43f94e827c988992d0587d1ab40

    • SHA512

      13c40ba893a9f7a0f3e674400025f65e041e91f09b6def779078e391e35a3dedaf55742e68ae0b9b6f3c9120c1628266fb16348b674e988d146ed3d7b2c3f9c7

    • SSDEEP

      768:bxlT2wDuWvWi7JFNcuFkc2zq0x3UKnicZuiR/amT8z:8wF+Lc2/FicfSmT8z

    • xmrig

      XMRig is a high performance, open source, cross platform CPU/GPU miner.

    • XMRig Miner payload

    • Adds new SSH keys

      Linux special file to hold SSH keys. The threat actor may add new keys for further remote access.

    • File and Directory Permissions Modification

      Adversaries may modify file or directory permissions to evade defenses.

    • Deletes system logs

      Deletes log file which contains global system messages. Adversaries may delete system logs to minimize their footprint.

    • Executes dropped EXE

    • Flushes firewall rules

      Flushes/ disables firewall rules inside the Linux kernel.

    • Loads a kernel module

      Loads a Linux kernel module, potentially to achieve persistence

    • Writes DNS configuration

      Writes data to DNS resolver config file.

    • Attempts to change immutable files

      Modifies inode attributes on the filesystem to allow changing of immutable files.

    • Checks hardware identifiers (DMI)

      Checks DMI information which indicate if the system is a virtual machine.

    • Creates/modifies Cron job

      Cron allows running tasks on a schedule, and is commonly used for malware persistence.

    • Deletes log files

      Deletes log files on the system.

    • Disables AppArmor

      Disables AppArmor security module.

    • Disables SELinux

      Disables SELinux security module.

    • Enumerates running processes

      Discovers information about currently running processes on the system

    • Modifies rc script

      Adding/modifying system rc scripts is a common persistence mechanism.

    • Reads hardware information

      Accesses system info like serial numbers, manufacturer names etc.

    • Write file to user bin folder

    • Writes file to system bin folder

    • UPX packed file

      Detects executables packed with UPX/modified UPX open source packer.

MITRE ATT&CK Enterprise v15

Tasks