General

  • Target

    lr.sh

  • Size

    1KB

  • Sample

    241026-le3yyasfpb

  • MD5

    1299bbbc0b239b8bab45844a17284d25

  • SHA1

    d7f67e2d18f257674bb198430a8537f011357eb3

  • SHA256

    33b79924e996553a4fccbf4a2041a273ee996fed01889d70e5f51b5a41c8d8ac

  • SHA512

    7c2781a9e56b2ca5222cbe79724608ef0113dbaa1b4e8e3bc80000ca58ccf310d51bd11aab875e850cbcd60b7189623ce07680f853ff993d85863221b408e435

Malware Config

Targets

    • Target

      lr.sh

    • Size

      1KB

    • MD5

      1299bbbc0b239b8bab45844a17284d25

    • SHA1

      d7f67e2d18f257674bb198430a8537f011357eb3

    • SHA256

      33b79924e996553a4fccbf4a2041a273ee996fed01889d70e5f51b5a41c8d8ac

    • SHA512

      7c2781a9e56b2ca5222cbe79724608ef0113dbaa1b4e8e3bc80000ca58ccf310d51bd11aab875e850cbcd60b7189623ce07680f853ff993d85863221b408e435

    • XMRig Miner payload

    • Xmrig family

    • xmrig

      XMRig is a high-performance, open-source, cross-platform CPU/GPU miner.

    • File and Directory Permissions Modification

      Adversaries may modify file or directory permissions to evade defenses.

    • Executes dropped EXE

    • Loads a kernel module

      Loads a Linux kernel module, potentially to achieve persistence.

    • Checks hardware identifiers (DMI)

      Checks DMI information that indicates whether the system is a virtual machine.

    • Creates/modifies Cron job

      Cron allows running tasks on a schedule, and is commonly used for malware persistence.

    • Enumerates running processes

      Discovers information about currently running processes on the system.

    • Legitimate hosting services abused for malware hosting/C2

    • Reads hardware information

      Accesses system information such as serial numbers and manufacturer names.

MITRE ATT&CK Enterprise v15

Tasks