Overview

overview

10

Static

static

1

ee2a183834...92A.sh

ubuntu-24.04-amd64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    ee2a1838344c1b22dcea81766204f3692A.sh

  • Size

    6KB

  • Sample

    241104-x5zvravmgy

  • MD5

    5e2f203cb513bf4b210ac61b009df327

  • SHA1

    c77e72660d9034fe26137b040a3f073b7725d233

  • SHA256

    07f9edc6e718ebcbead64e0a2afda717f9296e76a2a5654c2b50ad7e76cd4106

  • SHA512

    7a3519c73104a327731dfa3a8507b72ea95d77f6eb8980bb072aad98c6955f11961d9716cb587cd8173fd9aa359158b91d6d59262cda496b80b32a822acd3247

  • SSDEEP

    192:4prsOPBNttuJzzCdEifVHsmVHyC3Kx7OW81nFZBh2A7o7oNcoTuwFoFxuF0y:esOPBNttuJzzC3VHsmVHyCax7M1nFZBV

Score
10/10
xmrigxmrig_linuxantivmcredential_accessdefense_evasiondiscoverylinuxminerpersistenceprivilege_escalation

Malware Config

Targets

    • Target

      ee2a1838344c1b22dcea81766204f3692A.sh

    • Size

      6KB

    • MD5

      5e2f203cb513bf4b210ac61b009df327

    • SHA1

      c77e72660d9034fe26137b040a3f073b7725d233

    • SHA256

      07f9edc6e718ebcbead64e0a2afda717f9296e76a2a5654c2b50ad7e76cd4106

    • SHA512

      7a3519c73104a327731dfa3a8507b72ea95d77f6eb8980bb072aad98c6955f11961d9716cb587cd8173fd9aa359158b91d6d59262cda496b80b32a822acd3247

    • SSDEEP

      192:4prsOPBNttuJzzCdEifVHsmVHyC3Kx7OW81nFZBh2A7o7oNcoTuwFoFxuF0y:esOPBNttuJzzC3VHsmVHyCax7M1nFZBV

    Score
    10/10
    xmrigxmrig_linuxantivmcredential_accessdefense_evasiondiscoveryminerpersistenceprivilege_escalation

    • XMRig Miner payload

      miner

    • Xmrig family

      xmrig

    • Xmrig_linux family

      xmrig_linux

    • xmrig

      XMRig is a high performance, open source, cross platform CPU/GPU miner.

      minerxmrig

    • File and Directory Permissions Modification

      Adversaries may modify file or directory permissions to evade defenses.

      defense_evasion

    • Executes dropped EXE

    • OS Credential Dumping

      Adversaries may attempt to dump credentials to use it in password cracking.

      credential_access

    • Abuse Elevation Control Mechanism: Sudo and Sudo Caching

      Abuse sudo or cached sudo credentials to execute code.

      privilege_escalationdefense_evasion

    • Checks hardware identifiers (DMI)

      Checks DMI information which indicate if the system is a virtual machine.

      antivm

    • Enumerates running processes

      Discovers information about currently running processes on the system

    • Modifies rc script

      Adding/modifying system rc scripts is a common persistence mechanism.

      persistence

    • Reads hardware information

      Accesses system info like serial numbers, manufacturer names etc.

      discovery
    behavioral1

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1
T1547

Boot or Logon Initialization Scripts

1
T1037

RC Scripts

1
T1037.004

Privilege Escalation

Abuse Elevation Control Mechanism

1
T1548

Sudo and Sudo Caching

1
T1548.003

Boot or Logon Autostart Execution

1
T1547

Boot or Logon Initialization Scripts

1
T1037

RC Scripts

1
T1037.004

Defense Evasion

Abuse Elevation Control Mechanism

1
T1548

Sudo and Sudo Caching

1
T1548.003

File and Directory Permissions Modification

1
T1222

Linux and Mac File and Directory Permissions Modification

1
T1222.002

Virtualization/Sandbox Evasion

2
T1497

System Checks

2
T1497.001

Credential Access

OS Credential Dumping

1
T1003

/etc/passwd and /etc/shadow

1
T1003.008

Discovery

Process Discovery

1
T1057

System Information Discovery

3
T1082

System Network Configuration Discovery

1
T1016

Virtualization/Sandbox Evasion

2
T1497

System Checks

2
T1497.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks