Analysis

  • max time kernel
    149s
  • max time network
    149s
  • platform
    ubuntu-22.04_amd64
  • resource
    ubuntu2204-amd64-20240522.1-en
  • resource tags

    arch:amd64, arch:i386, image:ubuntu2204-amd64-20240522.1-en, kernel:5.15.0-105-generic, locale:en-us, os:ubuntu-22.04-amd64, system
  • submitted
    20-10-2024 15:13

General

  • Target

    kinsing

  • Size

    5.7MB

  • MD5

    b3039abf2ad5202f4a9363b418002351

  • SHA1

    0ceb8ffb0be23b808b534d744440f4367e17b9c5

  • SHA256

    787e2c94e6d9ce5ec01f5cbe9ee2518431eca8523155526d6dc85934c9c5787c

  • SHA512

    8b1a1003a021d0f69b9295f496bf550932ce85b096ca7057632756348da1354c2b104ff36e901b27def030b79749c8fc7f54163d6195e5e0cb9b357353ee654e

  • SSDEEP

    49152:wCe/ydXZSrb/TJvO90dL3BmAFd4A64nsfJvaWi9sglz/KbwLjFfiawr1eAOkzDIK:3eidO9suPF+NL4FiBnIrb3rE

Malware Config

Signatures

  • xmrig

    XMRig is a high performance, open source, cross platform CPU/GPU miner.

  • XMRig Miner payload 1 IoCs
  • File and Directory Permissions Modification 1 TTPs 2 IoCs

    Adversaries may modify file or directory permissions to evade defenses.

  • Executes dropped EXE 1 IoCs
  • Checks hardware identifiers (DMI) 1 TTPs 4 IoCs

    Checks DMI information that indicates whether the system is a virtual machine.

  • Enumerates running processes

    Discovers information about currently running processes on the system

  • Reads hardware information 1 TTPs 14 IoCs

    Accesses system information such as serial numbers, manufacturer names, etc.

  • Reads list of loaded kernel modules 1 TTPs 1 IoCs

    Reads the list of currently loaded kernel modules, possibly to detect virtual environments.

  • UPX packed file 1 IoCs

    Detects executables packed with the UPX open-source packer or a modified variant of it.

  • Checks CPU configuration 1 TTPs 2 IoCs

    Checks CPU information that indicates whether the system is a virtual machine.

  • Reads CPU attributes 1 TTPs 5 IoCs
  • Enumerates kernel/hardware configuration 1 TTPs 63 IoCs

    Reads contents of /sys virtual filesystem to enumerate system information.

  • Reads runtime system information 64 IoCs

    Reads data from /proc virtual filesystem.

  • Writes file to tmp directory 3 IoCs

    Malware often drops required files in the /tmp directory.

Processes

  • /tmp/kinsing
    /tmp/kinsing
    1⤵
    • Enumerates kernel/hardware configuration
    PID:1555
    • /tmp/kinsing
      /tmp/kinsing
      2⤵
      • Reads list of loaded kernel modules
      • Checks CPU configuration
      • Enumerates kernel/hardware configuration
      • Reads runtime system information
      • Writes file to tmp directory
      PID:1559
      • /usr/bin/sh
        sh -c "pkill -f kdevtmpfsi"
        3⤵
        PID:1586
        • /usr/bin/pkill
          pkill -f kdevtmpfsi
          4⤵
          • Reads CPU attributes
          • Reads runtime system information
          PID:1587
      • /usr/bin/sh
        sh -c "pkill -f kdevtmpfsi"
        3⤵
        PID:1592
        • /usr/bin/pkill
          pkill -f kdevtmpfsi
          4⤵
          • Reads CPU attributes
          • Reads runtime system information
          PID:1593
      • /usr/bin/sh
        sh -c "chmod +x /tmp/kdevtmpfsi"
        3⤵
        • File and Directory Permissions Modification
        PID:1594
        • /usr/bin/chmod
          chmod +x /tmp/kdevtmpfsi
          4⤵
          • File and Directory Permissions Modification
          PID:1595
      • /usr/bin/sh
        sh -c "/tmp/kdevtmpfsi &"
        3⤵
        PID:1596
  • /tmp/kdevtmpfsi
    /tmp/kdevtmpfsi
    1⤵
    • Executes dropped EXE
    • Checks hardware identifiers (DMI)
    • Reads hardware information
    • Checks CPU configuration
    • Reads CPU attributes
    • Enumerates kernel/hardware configuration
    PID:1597

Network

MITRE ATT&CK Enterprise v15

Downloads

  • /tmp/.ICEd-unix/3807250317

    Filesize
    4B

    MD5
    9c19a2aa1d84e04b0bd4bc888792bd1e

    SHA1
    037880d210451b590c3a5229ea350645724e7e15

    SHA256
    191024c47d6c2b3c24a570326b7e29f09652ec8bc2bb1779d95783e8753d12db

    SHA512
    fbc7830e289b19696b7b6e01ae6d7e5403d144d417e380e47c29ea17db59c765ae7aa4a47cf885b6af0df831a8c98d5f99a40c35d121854ba273dd4afab24f93

  • /tmp/.ICEd-unix/uuid

    Filesize
    36B

    MD5
    f3873ff36d51282d10c577982e701dce

    SHA1
    17f41ee117e16c1d82648e34a5ca6ed3ba34506b

    SHA256
    6d8ad7891d61b9ec454f31292ff5e0497a914df9938802542f7ce25c41248942

    SHA512
    c9e390950edee1d2e7eb94a77a500837d8c31a06580ff6fa2bb3e30d8012558813594b71d0059d2faf52e35789bc95d4b1a7536724aee1b866454f4edca95157

  • /tmp/kdevtmpfsi

    Filesize
    2.0MB

    MD5
    c82bb3c68f7a033b407aa3f53827b7fd

    SHA1
    6296e8ed40e430480791bf7b4fcdafde5f834837

    SHA256
    6fc94d8aecc538b1d099a429fb68ac20d7b6ae8b3c7795ae72dd2b7107690b8f

    SHA512
    0412482bf1eaaf0c1fd795dd1253f3466db46f1d528297f4d9455dd59117097b4f53583405d77dd7bcc9ffc123cf65d5470f23e6075cbb61b01709f324347df5

  • memory/1597-1-0x0000000000400000-0x0000000000bb1680-memory.dmp