General

  • Target

    xmr_linux_amd64 (1)

  • Size

    9.3MB

  • Sample

    241022-qghg8swgnc

  • MD5

    30ed78992f6bfe3b10a1687950a46933

  • SHA1

    11738358a01cae7cc1665903344656cc024bfca7

  • SHA256

    a5045141162aebd4305f7eb40b3ca5ae76f2841c7d06bf65e9aa29d9ae3688a3

  • SHA512

    a2e771bd3dcaec8fe2bdf2a08915db840f685bbf29d04e2bb4b9919e2dfbcf92368a7a9cf78096b1382d4864fad1ec6a270a4b82f05ce68109d0e42f816d3f1a

  • SSDEEP

    49152:VpG6uvlGxmRazlSg7SYQJHyQJRHOVYggfvwMui0VPo5mX7XEcLUH/41rKSkR7N4G:XeMhyTQQrD4vVVimfk/FFiIEXMKQYC3

Malware Config

Targets

    • XMRig Miner payload

    • xmrig

      XMRig is a high-performance, open-source, cross-platform CPU/GPU miner.

    • Executes dropped EXE

    • Modifies hosts file

      Adds entries to the hosts file, which maps hostnames to IP addresses.

    • OS Credential Dumping

      Adversaries may attempt to dump credentials to use them in password cracking.

    • Abuse Elevation Control Mechanism: Sudo and Sudo Caching

      Abuse sudo or cached sudo credentials to execute code.

    • Checks hardware identifiers (DMI)

      Checks DMI information that indicates whether the system is a virtual machine.

    • Enumerates running processes

      Discovers information about currently running processes on the system.

    • Legitimate hosting services abused for malware hosting/C2

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Reads hardware information

      Accesses system information such as serial numbers, manufacturer names, etc.

    • Reads list of loaded kernel modules

      Reads the list of currently loaded kernel modules, possibly to detect virtual environments.

MITRE ATT&CK Enterprise v15

Tasks