Analysis
-
max time kernel
149s -
max time network
149s -
platform
ubuntu-22.04_amd64 -
resource
ubuntu2204-amd64-20240522.1-en -
resource tags
arch:amd64arch:i386image:ubuntu2204-amd64-20240522.1-enkernel:5.15.0-105-genericlocale:en-usos:ubuntu-22.04-amd64system -
submitted
20-10-2024 15:13
General
-
Target
kinsing
-
Size
5.7MB
-
MD5
b3039abf2ad5202f4a9363b418002351
-
SHA1
0ceb8ffb0be23b808b534d744440f4367e17b9c5
-
SHA256
787e2c94e6d9ce5ec01f5cbe9ee2518431eca8523155526d6dc85934c9c5787c
-
SHA512
8b1a1003a021d0f69b9295f496bf550932ce85b096ca7057632756348da1354c2b104ff36e901b27def030b79749c8fc7f54163d6195e5e0cb9b357353ee654e
-
SSDEEP
49152:wCe/ydXZSrb/TJvO90dL3BmAFd4A64nsfJvaWi9sglz/KbwLjFfiawr1eAOkzDIK:3eidO9suPF+NL4FiBnIrb3rE
Malware Config
Signatures
-
XMRig Miner payload 1 IoCs
Processes:
resource yara_rule behavioral1/memory/1597-1-0x0000000000400000-0x0000000000bb1680-memory.dmp xmrig -
File and Directory Permissions Modification 1 TTPs 2 IoCs
Adversaries may modify file or directory permissions to evade defenses.
Processes:
shchmodpid process 1594 sh 1595 chmod -
Executes dropped EXE 1 IoCs
Processes:
kdevtmpfsiioc pid process /tmp/kdevtmpfsi 1597 kdevtmpfsi -
Checks hardware identifiers (DMI) 1 TTPs 4 IoCs
Checks DMI information which indicate if the system is a virtual machine.
Processes:
kdevtmpfsidescription ioc process File opened for reading /sys/devices/virtual/dmi/id/sys_vendor kdevtmpfsi File opened for reading /sys/devices/virtual/dmi/id/product_name kdevtmpfsi File opened for reading /sys/devices/virtual/dmi/id/board_vendor kdevtmpfsi File opened for reading /sys/devices/virtual/dmi/id/bios_vendor kdevtmpfsi -
Enumerates running processes
Discovers information about currently running processes on the system
-
Reads hardware information 1 TTPs 14 IoCs
Accesses system info like serial numbers, manufacturer names etc.
Processes:
kdevtmpfsidescription ioc process File opened for reading /sys/devices/virtual/dmi/id/chassis_serial kdevtmpfsi File opened for reading /sys/devices/virtual/dmi/id/product_version kdevtmpfsi File opened for reading /sys/devices/virtual/dmi/id/board_name kdevtmpfsi File opened for reading /sys/devices/virtual/dmi/id/board_serial kdevtmpfsi File opened for reading /sys/devices/virtual/dmi/id/chassis_vendor kdevtmpfsi File opened for reading /sys/devices/virtual/dmi/id/chassis_type kdevtmpfsi File opened for reading /sys/devices/virtual/dmi/id/product_uuid kdevtmpfsi File opened for reading /sys/devices/virtual/dmi/id/board_version kdevtmpfsi File opened for reading /sys/devices/virtual/dmi/id/bios_date kdevtmpfsi File opened for reading /sys/devices/virtual/dmi/id/product_serial kdevtmpfsi File opened for reading /sys/devices/virtual/dmi/id/board_asset_tag kdevtmpfsi File opened for reading /sys/devices/virtual/dmi/id/chassis_version kdevtmpfsi File opened for reading /sys/devices/virtual/dmi/id/bios_version kdevtmpfsi File opened for reading /sys/devices/virtual/dmi/id/chassis_asset_tag kdevtmpfsi -
Reads list of loaded kernel modules 1 TTPs 1 IoCs
Reads the list of currently loaded kernel modules, possibly to detect virtual environments.
Processes:
kinsingdescription ioc process File opened for reading /proc/modules kinsing -
Processes:
resource yara_rule /tmp/kdevtmpfsi upx -
Checks CPU configuration 1 TTPs 2 IoCs
Checks CPU information which indicate if the system is a virtual machine.
Processes:
kinsingkdevtmpfsidescription ioc process File opened for reading /proc/cpuinfo kinsing File opened for reading /proc/cpuinfo kdevtmpfsi -
Reads CPU attributes 1 TTPs 5 IoCs
Processes:
pkillpkillkdevtmpfsidescription ioc process File opened for reading /sys/devices/system/cpu/online pkill File opened for reading /sys/devices/system/cpu/online pkill File opened for reading /sys/devices/system/cpu/online kdevtmpfsi File opened for reading /sys/devices/system/cpu/types kdevtmpfsi File opened for reading /sys/devices/system/cpu/possible kdevtmpfsi -
Enumerates kernel/hardware configuration 1 TTPs 63 IoCs
Reads contents of /sys virtual filesystem to enumerate system information.
Processes:
kdevtmpfsikinsingkinsingdescription ioc process File opened for reading /sys/bus/cpu/devices/cpu0/cache/index7/shared_cpu_map kdevtmpfsi File opened for reading /sys/bus/node/devices/node0/meminfo kdevtmpfsi File opened for reading /sys/bus/cpu/devices/cpu0/cache/index1/type kdevtmpfsi File opened for reading /sys/bus/cpu/devices/cpu0/cache/index3/type kdevtmpfsi File opened for reading /sys/fs/cgroup/cgroup.controllers kdevtmpfsi File opened for reading /sys/bus/cpu/devices/cpu0/topology/die_cpus kdevtmpfsi File opened for reading /sys/bus/cpu/devices/cpu0/cache/index3/number_of_sets kdevtmpfsi File opened for reading /sys/bus/cpu/devices/cpu0/cache/index2/physical_line_partition kdevtmpfsi File opened for reading /sys/bus/cpu/devices/cpu0/cache/index3/coherency_line_size kdevtmpfsi File opened for reading /sys/bus/cpu/devices/cpu0/cpufreq/base_frequency kdevtmpfsi File opened for reading /sys/devices/system/node/online kdevtmpfsi File opened for reading /sys/bus/cpu/devices/cpu0/cache/index0/level kdevtmpfsi File opened for reading /sys/bus/cpu/devices/cpu0/cache/index2/shared_cpu_map kdevtmpfsi File opened for reading /sys/bus/node/devices/node0/hugepages/hugepages-2048kB/nr_hugepages kdevtmpfsi File opened for reading /sys/bus/cpu/devices/cpu0/cache/index0/shared_cpu_map kdevtmpfsi File opened for reading /sys/bus/cpu/devices/cpu0/cache/index5/shared_cpu_map kdevtmpfsi File opened for reading /sys/bus/node/devices/node0/hugepages/hugepages-1048576kB/nr_hugepages kdevtmpfsi File opened for reading /sys/bus/dax/devices/target_node kdevtmpfsi File opened for reading /sys/bus/cpu/devices/cpu0/cache/index0/number_of_sets kdevtmpfsi File opened for reading /sys/bus/cpu/devices/cpu0/cache/index2/level kdevtmpfsi File opened for reading /sys/bus/cpu/devices/cpu0/topology/package_cpus kdevtmpfsi File opened for reading /sys/bus/cpu/devices/cpu0/cache/index0/type kdevtmpfsi File opened for reading /sys/bus/cpu/devices/cpu0/cache/index2/size kdevtmpfsi File opened for reading /sys/bus/cpu/devices/cpu0/cpufreq/cpuinfo_max_freq kdevtmpfsi File opened for reading /sys/bus/node/devices/node0/access0/initiators/read_bandwidth kdevtmpfsi File opened for reading /sys/devices/virtual/dmi/id kdevtmpfsi File opened for reading /sys/bus/cpu/devices kdevtmpfsi File opened for reading /sys/bus/cpu/devices/cpu0/topology/core_cpus kdevtmpfsi File opened for reading /sys/bus/cpu/devices/cpu0/cache/index6/shared_cpu_map kdevtmpfsi File opened for reading /sys/devices/system/cpu kdevtmpfsi File opened for reading /sys/bus/cpu/devices/cpu0/topology/core_id kdevtmpfsi File opened for reading /sys/bus/cpu/devices/cpu0/cache/index0/coherency_line_size kdevtmpfsi File opened for reading /sys/bus/cpu/devices/cpu0/cache/index4/shared_cpu_map kdevtmpfsi File opened for reading /sys/kernel/mm/hugepages kdevtmpfsi File opened for reading /sys/bus/dax/devices kdevtmpfsi File opened for reading /sys/fs/cgroup/cpuset.cpus.effective kdevtmpfsi File opened for reading /sys/bus/cpu/devices/cpu0/cache/index3/shared_cpu_map kdevtmpfsi File opened for reading /sys/bus/cpu/devices/cpu0/cache/index2/type kdevtmpfsi File opened for reading /sys/bus/cpu/devices/cpu0/cache/index2/coherency_line_size kdevtmpfsi File opened for reading /sys/bus/cpu/devices/cpu0/cache/index3/size kdevtmpfsi File opened for reading /sys/bus/cpu/devices/cpu0/cache/index3/physical_line_partition kdevtmpfsi File opened for reading /sys/bus/node/devices/node0/access1/initiators kdevtmpfsi File opened for reading /sys/bus/node/devices/node0/access0/initiators kdevtmpfsi File opened for reading /sys/bus/cpu/devices/cpu0/topology/physical_package_id kdevtmpfsi File opened for reading /sys/bus/cpu/devices/cpu0/cache/index0/physical_line_partition kdevtmpfsi File opened for reading /sys/bus/node/devices/node0/access0/initiators/read_latency kdevtmpfsi File opened for reading /sys/firmware/dmi/tables/smbios_entry_point kdevtmpfsi File opened for reading /sys/kernel/mm/hugepages/hugepages-2048kB/nr_hugepages kdevtmpfsi File opened for reading /sys/bus/node/devices/node0/hugepages kdevtmpfsi File opened for reading /sys/bus/cpu/devices/cpu0/cache/index9/shared_cpu_map kdevtmpfsi File opened for reading /sys/bus/cpu/devices/cpu0/cache/index3/level kdevtmpfsi File opened for reading /sys/bus/cpu/devices/cpu0/cache/index8/shared_cpu_map kdevtmpfsi File opened for reading /sys/kernel/mm/hugepages/hugepages-1048576kB/nr_hugepages kdevtmpfsi File opened for reading /sys/bus/node/devices/node0/cpumap kdevtmpfsi File opened for reading /sys/bus/cpu/devices/cpu0/cache/index1/level kdevtmpfsi File opened for reading /sys/bus/cpu/devices/cpu0/cache/index2/number_of_sets kdevtmpfsi File opened for reading /sys/fs/cgroup/cpuset.mems.effective kdevtmpfsi File opened for reading /sys/bus/cpu/devices/cpu0/cache/index1/shared_cpu_map kdevtmpfsi File opened for reading /sys/kernel/mm/transparent_hugepage/hpage_pmd_size kinsing File opened for reading /sys/kernel/mm/transparent_hugepage/hpage_pmd_size kinsing File opened for reading /sys/bus/cpu/devices/cpu0/cache/index0/size kdevtmpfsi File opened for reading /sys/bus/dax/target_node kdevtmpfsi File opened for reading /sys/firmware/dmi/tables/DMI kdevtmpfsi -
Processes:
pkillpkillkinsingdescription ioc process File opened for reading /proc/1260/status pkill File opened for reading /proc/990/cmdline pkill File opened for reading /proc/313/fd kinsing File opened for reading /proc/1178/cmdline pkill File opened for reading /proc/858/stat kinsing File opened for reading /proc/1178/fd kinsing File opened for reading /proc/2/status pkill File opened for reading /proc/593/status pkill File opened for reading /proc/1156/status pkill File opened for reading /proc/26/fd kinsing File opened for reading /proc/593/stat kinsing File opened for reading /proc/1175/fd kinsing File opened for reading /proc/1246/fd kinsing File opened for reading /proc/90/status pkill File opened for reading /proc/1165/status pkill File opened for reading /proc/262/status pkill File opened for reading /proc/640/cmdline pkill File opened for reading /proc/758/fd kinsing File opened for reading /proc/1158/fd kinsing File opened for reading /proc/14/cmdline pkill File opened for reading /proc/1109/cmdline pkill File opened for reading /proc/1252/cmdline pkill File opened for reading /proc/79/stat kinsing File opened for reading /proc/88/fd kinsing File opened for reading /proc/1046/cmdline pkill File opened for reading /proc/1229/cmdline pkill File opened for reading /proc/20/status pkill File opened for reading /proc/89/status pkill File opened for reading /proc/425/status pkill File opened for reading /proc/1165/status pkill File opened for reading /proc/664/stat kinsing File opened for reading /proc/1109/stat kinsing File opened for reading /proc/1237/status pkill File opened for reading /proc/425/cmdline pkill File opened for reading /proc/501/cmdline pkill File opened for reading /proc/592/fd kinsing File opened for reading /proc/758/stat kinsing File opened for reading /proc/1157/stat kinsing File opened for reading /proc/78/status pkill File opened for reading /proc/80/cmdline pkill File opened for reading /proc/17/fd kinsing File opened for reading /proc/215/fd kinsing File opened for reading /proc/203/cmdline pkill File opened for reading /proc/827/cmdline pkill File opened for reading /proc/76/cmdline pkill File opened for reading /proc/221/cmdline pkill File opened for reading /proc/1378/status pkill File opened for reading /proc/770/fd kinsing File opened for reading /proc/956/stat kinsing File opened for reading /proc/1378/cmdline pkill File opened for reading /proc/1450/status pkill File opened for reading /proc/1156/cmdline pkill File opened for reading /proc/uptime pkill File opened for reading /proc/1101/fd kinsing File opened for reading /proc/101/cmdline pkill File opened for reading /proc/75/cmdline pkill File opened for reading /proc/4/fd kinsing File opened for reading /proc/962/fd kinsing File opened for reading /proc/1073/cmdline pkill File opened for reading /proc/1543/status pkill File opened for reading /proc/1183/cmdline pkill File opened for reading /proc/1185/status pkill File opened for reading /proc/1109/fd kinsing File opened for reading /proc/1144/fd kinsing -
Writes file to tmp directory 3 IoCs
Malware often drops required files in the /tmp directory.
Processes:
kinsingdescription ioc process File opened for modification /tmp/.ICEd-unix/uuid kinsing File opened for modification /tmp/kdevtmpfsi kinsing File opened for modification /tmp/.ICEd-unix/3807250317 kinsing
Processes
-
/tmp/kinsing/tmp/kinsing1⤵
- Enumerates kernel/hardware configuration
PID:1555 -
/tmp/kinsing/tmp/kinsing2⤵
- Reads list of loaded kernel modules
- Checks CPU configuration
- Enumerates kernel/hardware configuration
- Reads runtime system information
- Writes file to tmp directory
PID:1559 -
/usr/bin/shsh -c "pkill -f kdevtmpfsi"3⤵PID:1586
-
/usr/bin/pkillpkill -f kdevtmpfsi4⤵
- Reads CPU attributes
- Reads runtime system information
PID:1587 -
/usr/bin/shsh -c "pkill -f kdevtmpfsi"3⤵PID:1592
-
/usr/bin/pkillpkill -f kdevtmpfsi4⤵
- Reads CPU attributes
- Reads runtime system information
PID:1593 -
/usr/bin/shsh -c "chmod +x /tmp/kdevtmpfsi"3⤵
- File and Directory Permissions Modification
PID:1594 -
/usr/bin/chmodchmod +x /tmp/kdevtmpfsi4⤵
- File and Directory Permissions Modification
PID:1595 -
/usr/bin/shsh -c "/tmp/kdevtmpfsi &"3⤵PID:1596
-
/tmp/kdevtmpfsi/tmp/kdevtmpfsi1⤵
- Executes dropped EXE
- Checks hardware identifiers (DMI)
- Reads hardware information
- Checks CPU configuration
- Reads CPU attributes
- Enumerates kernel/hardware configuration
PID:1597
Network
MITRE ATT&CK Enterprise v15
Defense Evasion
File and Directory Permissions Modification
1Linux and Mac File and Directory Permissions Modification
1Virtualization/Sandbox Evasion
3System Checks
2Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
4B
MD59c19a2aa1d84e04b0bd4bc888792bd1e
SHA1037880d210451b590c3a5229ea350645724e7e15
SHA256191024c47d6c2b3c24a570326b7e29f09652ec8bc2bb1779d95783e8753d12db
SHA512fbc7830e289b19696b7b6e01ae6d7e5403d144d417e380e47c29ea17db59c765ae7aa4a47cf885b6af0df831a8c98d5f99a40c35d121854ba273dd4afab24f93
-
Filesize
36B
MD5f3873ff36d51282d10c577982e701dce
SHA117f41ee117e16c1d82648e34a5ca6ed3ba34506b
SHA2566d8ad7891d61b9ec454f31292ff5e0497a914df9938802542f7ce25c41248942
SHA512c9e390950edee1d2e7eb94a77a500837d8c31a06580ff6fa2bb3e30d8012558813594b71d0059d2faf52e35789bc95d4b1a7536724aee1b866454f4edca95157
-
Filesize
2.0MB
MD5c82bb3c68f7a033b407aa3f53827b7fd
SHA16296e8ed40e430480791bf7b4fcdafde5f834837
SHA2566fc94d8aecc538b1d099a429fb68ac20d7b6ae8b3c7795ae72dd2b7107690b8f
SHA5120412482bf1eaaf0c1fd795dd1253f3466db46f1d528297f4d9455dd59117097b4f53583405d77dd7bcc9ffc123cf65d5470f23e6075cbb61b01709f324347df5