Resubmissions
26-11-2024 09:24
Analysis 241126-ldj5favnby (score 10)
max time kernel: 149s
max time network: 150s
platform: ubuntu-22.04_amd64
resource: ubuntu2204-amd64-20240729-en
resource tags: arch:amd64, arch:i386, image:ubuntu2204-amd64-20240729-en, kernel:5.15.0-105-generic, locale:en-us, os:ubuntu-22.04-amd64, system
submitted: 26-11-2024 09:24
Static task: static1
Behavioral task: behavioral1
Sample: udeb
Resource: ubuntu2204-amd64-20240729-en
General
Target: udeb
Size: 6.9MB
MD5: 701eb0067af1d07ca8dae2380f8501fe
SHA1: 432f0a8848a049467dc023a213515b067444147b
SHA256: 64329f551dc7f337ef25e81d71ea8ad1b436cd320361a5e03c629dce086f761e
SHA512: faef2fa7d5ebc2a2117a61b6019a226fcff9caa518413a31042968ce78b7d3e7ca3a572a4ef61041820accf161b13140d75f5146670fc04fac980a984411337b
SSDEEP: 98304:P4UcNQeb7GWYv8EZVVfk1DU8CsCUsRiKq4MPP:wfLvGWcZYUFPUQ+PP
Malware Config
Signatures
XMRig Miner payload 2 IoCs
Processes:
resource  yara_rule
behavioral1/files/fstream-3.dat  family_xmrig
behavioral1/files/fstream-3.dat  xmrig
Xmrig family
Xmrig_linux family
xmrig
XMRig is a high-performance, open-source, cross-platform CPU/GPU miner.
Modifies the dynamic linker configuration file 2 TTPs 1 IoCs
Malware can modify the configuration file of the dynamic linker to preload malicious libraries into every executed process.
Processes: udeb
description  ioc  Process
File opened for modification  /etc/ld.so.preload  udeb
Executes dropped EXE 1 IoCs
Processes: cleantaskx
ioc  pid  Process
/tmp/cleantaskx  1597  cleantaskx
Checks hardware identifiers (DMI) 1 TTPs 4 IoCs
Checks DMI information which indicates whether the system is a virtual machine.
Processes: cleantaskx
description  ioc  Process
File opened for reading  /sys/devices/virtual/dmi/id/sys_vendor  cleantaskx
File opened for reading  /sys/devices/virtual/dmi/id/product_name  cleantaskx
File opened for reading  /sys/devices/virtual/dmi/id/board_vendor  cleantaskx
File opened for reading  /sys/devices/virtual/dmi/id/bios_vendor  cleantaskx
Enumerates running processes
Discovers information about currently running processes on the system
Reads hardware information 1 TTPs 14 IoCs
Accesses system info like serial numbers, manufacturer names etc.
Processes: cleantaskx
description  ioc  Process
File opened for reading  /sys/devices/virtual/dmi/id/chassis_type  cleantaskx
File opened for reading  /sys/devices/virtual/dmi/id/chassis_serial  cleantaskx
File opened for reading  /sys/devices/virtual/dmi/id/chassis_asset_tag  cleantaskx
File opened for reading  /sys/devices/virtual/dmi/id/bios_version  cleantaskx
File opened for reading  /sys/devices/virtual/dmi/id/bios_date  cleantaskx
File opened for reading  /sys/devices/virtual/dmi/id/product_serial  cleantaskx
File opened for reading  /sys/devices/virtual/dmi/id/product_uuid  cleantaskx
File opened for reading  /sys/devices/virtual/dmi/id/chassis_vendor  cleantaskx
File opened for reading  /sys/devices/virtual/dmi/id/chassis_version  cleantaskx
File opened for reading  /sys/devices/virtual/dmi/id/product_version  cleantaskx
File opened for reading  /sys/devices/virtual/dmi/id/board_asset_tag  cleantaskx
File opened for reading  /sys/devices/virtual/dmi/id/board_name  cleantaskx
File opened for reading  /sys/devices/virtual/dmi/id/board_version  cleantaskx
File opened for reading  /sys/devices/virtual/dmi/id/board_serial  cleantaskx
Write file to user bin folder 1 IoCs
Processes: udeb
description  ioc  Process
File opened for modification  /usr/bin/mslog/tools.tar  udeb
Checks CPU configuration 1 TTPs 1 IoCs
Checks CPU information which indicates whether the system is a virtual machine.
Processes: cleantaskx
description  ioc  Process
File opened for reading  /proc/cpuinfo  cleantaskx
Reads CPU attributes 1 TTPs 55 IoCs
Processes: cleantaskx, pgrep (10 instances)
description  ioc  Process
File opened for reading  /sys/devices/system/cpu/cpu0/cache/index3/size  cleantaskx
File opened for reading  /sys/devices/system/cpu/cpu0/cpufreq/cpuinfo_max_freq  cleantaskx
File opened for reading  /sys/devices/system/cpu/online  pgrep
File opened for reading  /sys/devices/system/cpu/online  pgrep
File opened for reading  /sys/devices/system/cpu/cpu0/topology/physical_package_id  cleantaskx
File opened for reading  /sys/devices/system/cpu/cpu0/cache/index2/size  cleantaskx
File opened for reading  /sys/devices/system/cpu/possible  cleantaskx
File opened for reading  /sys/devices/system/cpu/cpu0/cache/index0/id  cleantaskx
File opened for reading  /sys/devices/system/cpu/cpu0/cache/index2/level  cleantaskx
File opened for reading  /sys/devices/system/cpu/cpu0/cache/index5/shared_cpu_map  cleantaskx
File opened for reading  /sys/devices/system/cpu/cpu0/cache/index2/shared_cpu_map  cleantaskx
File opened for reading  /sys/devices/system/cpu/online  pgrep
File opened for reading  /sys/devices/system/cpu/cpu0/topology/core_cpus  cleantaskx
File opened for reading  /sys/devices/system/cpu/cpu0/cache/index0/coherency_line_size  cleantaskx
File opened for reading  /sys/devices/system/cpu/cpu0/cache/index0/physical_line_partition  cleantaskx
File opened for reading  /sys/devices/system/cpu/cpu0/cache/index2/id  cleantaskx
File opened for reading  /sys/devices/system/cpu/cpu0/cache/index3/physical_line_partition  cleantaskx
File opened for reading  /sys/devices/system/cpu/cpu0/cache/index0/shared_cpu_map  cleantaskx
File opened for reading  /sys/devices/system/cpu/cpu0/cache/index0/type  cleantaskx
File opened for reading  /sys/devices/system/cpu/cpu0/cache/index3/id  cleantaskx
File opened for reading  /sys/devices/system/cpu/online  pgrep
File opened for reading  /sys/devices/system/cpu/online  pgrep
File opened for reading  /sys/devices/system/cpu/online  pgrep
File opened for reading  /sys/devices/system/cpu/cpu0/topology/core_id  cleantaskx
File opened for reading  /sys/devices/system/cpu/cpu0/cache/index0/level  cleantaskx
File opened for reading  /sys/devices/system/cpu/online  pgrep
File opened for reading  /sys/devices/system/cpu/cpu0/topology/cluster_cpus  cleantaskx
File opened for reading  /sys/devices/system/cpu/cpu0/cache/index3/level  cleantaskx
File opened for reading  /sys/devices/system/cpu/cpu0/cache/index3/coherency_line_size  cleantaskx
File opened for reading  /sys/devices/system/cpu/cpu0/cache/index2/coherency_line_size  cleantaskx
File opened for reading  /sys/devices/system/cpu/online  pgrep
File opened for reading  /sys/devices/system/cpu/online  cleantaskx
File opened for reading  /sys/devices/system/cpu/cpu0/cache/index0/size  cleantaskx
File opened for reading  /sys/devices/system/cpu/cpu0/cache/index2/physical_line_partition  cleantaskx
File opened for reading  /sys/devices/system/cpu/cpu0/cache/index3/number_of_sets  cleantaskx
File opened for reading  /sys/devices/system/cpu/cpu0/cpufreq/base_frequency  cleantaskx
File opened for reading  /sys/devices/system/cpu/cpu0/cpu_capacity  cleantaskx
File opened for reading  /sys/devices/system/cpu/online  pgrep
File opened for reading  /sys/devices/system/cpu/cpu0/cache/index3/shared_cpu_map  cleantaskx
File opened for reading  /sys/devices/system/cpu/cpu0/cache/index1/type  cleantaskx
File opened for reading  /sys/devices/system/cpu/cpu0/topology/package_cpus  cleantaskx
File opened for reading  /sys/devices/system/cpu/cpu0/cache/index1/shared_cpu_map  cleantaskx
File opened for reading  /sys/devices/system/cpu/cpu0/cache/index2/number_of_sets  cleantaskx
File opened for reading  /sys/devices/system/cpu/cpu0/cache/index3/type  cleantaskx
File opened for reading  /sys/devices/system/cpu/cpu0/cache/index6/shared_cpu_map  cleantaskx
File opened for reading  /sys/devices/system/cpu/cpu0/cache/index7/shared_cpu_map  cleantaskx
File opened for reading  /sys/devices/system/cpu/cpu0/cache/index4/shared_cpu_map  cleantaskx
File opened for reading  /sys/devices/system/cpu/cpu0/cache/index8/shared_cpu_map  cleantaskx
File opened for reading  /sys/devices/system/cpu/online  pgrep
File opened for reading  /sys/devices/system/cpu/cpu0/topology/die_cpus  cleantaskx
File opened for reading  /sys/devices/system/cpu/cpu0/cache/index1/level  cleantaskx
File opened for reading  /sys/devices/system/cpu/cpu0/cache/index2/type  cleantaskx
File opened for reading  /sys/devices/system/cpu/cpu0/cache/index0/number_of_sets  cleantaskx
File opened for reading  /sys/devices/system/cpu/cpu0/cache/index1/id  cleantaskx
File opened for reading  /sys/devices/system/cpu/cpu0/cache/index9/shared_cpu_map  cleantaskx
Enumerates kernel/hardware configuration 1 TTPs 28 IoCs
Reads contents of /sys virtual filesystem to enumerate system information.
Processes: cleantaskx, udeb
description  ioc  Process
File opened for reading  /sys/devices/cpu_core/cpus  cleantaskx
File opened for reading  /sys/devices/system/node/online  cleantaskx
File opened for reading  /sys/fs/cgroup/cgroup.controllers  cleantaskx
File opened for reading  /sys/devices/cpu_atom/cpus  cleantaskx
File opened for reading  /sys/kernel/mm/hugepages/hugepages-2048kB/nr_hugepages  cleantaskx
File opened for reading  /sys/kernel/mm/hugepages/hugepages-1048576kB/nr_hugepages  cleantaskx
File opened for reading  /sys/devices/system/node/node0/hugepages  cleantaskx
File opened for reading  /sys/devices/system/node/node0/access1/initiators  cleantaskx
File opened for reading  /sys/devices/system/node/node0/access0/initiators/write_bandwidth  cleantaskx
File opened for reading  /sys/firmware/dmi/tables/DMI  cleantaskx
File opened for reading  /sys/fs/cgroup/cpuset.cpus.effective  cleantaskx
File opened for reading  /sys/kernel/mm/hugepages  cleantaskx
File opened for reading  /sys/devices/system/node/node0/meminfo  cleantaskx
File opened for reading  /sys/bus/dax/devices  cleantaskx
File opened for reading  /sys/devices/system/node/node0/access0/initiators/read_latency  cleantaskx
File opened for reading  /sys/devices/system/node/node0/access0/initiators/write_latency  cleantaskx
File opened for reading  /sys/kernel/mm/transparent_hugepage/hpage_pmd_size  udeb
File opened for reading  /sys/bus/soc/devices  cleantaskx
File opened for reading  /sys/fs/cgroup/cpuset.mems.effective  cleantaskx
File opened for reading  /sys/devices/system/node/node0/access0/initiators/read_bandwidth  cleantaskx
File opened for reading  /sys/devices/system/node/node0/hugepages/hugepages-2048kB/free_hugepages  cleantaskx
File opened for reading  /sys/devices/system/node/node0/cpumap  cleantaskx
File opened for reading  /sys/devices/virtual/dmi/id  cleantaskx
File opened for reading  /sys/firmware/dmi/tables/smbios_entry_point  cleantaskx
File opened for reading  /sys/devices/system/cpu  cleantaskx
File opened for reading  /sys/devices/system/node/node0/hugepages/hugepages-2048kB/nr_hugepages  cleantaskx
File opened for reading  /sys/devices/system/node/node0/hugepages/hugepages-1048576kB/nr_hugepages  cleantaskx
File opened for reading  /sys/devices/system/node/node0/access0/initiators  cleantaskx
Reads runtime system information
Processes: pgrep (10 instances)
description  ioc  Process
File opened for reading  /proc/1320/cmdline  pgrep
File opened for reading  /proc/119/status  pgrep
File opened for reading  /proc/110/status  pgrep
File opened for reading  /proc/587/status  pgrep
File opened for reading  /proc/377/cmdline  pgrep
File opened for reading  /proc/196/cmdline  pgrep
File opened for reading  /proc/2/cmdline  pgrep
File opened for reading  /proc/746/status  pgrep
File opened for reading  /proc/74/cmdline  pgrep
File opened for reading  /proc/588/status  pgrep
File opened for reading  /proc/1165/status  pgrep
File opened for reading  /proc/79/cmdline  pgrep
File opened for reading  /proc/990/cmdline  pgrep
File opened for reading  /proc/737/status  pgrep
File opened for reading  /proc/3/status  pgrep
File opened for reading  /proc/81/cmdline  pgrep
File opened for reading  /proc/991/status  pgrep
File opened for reading  /proc/634/cmdline  pgrep
File opened for reading  /proc/18/status  pgrep
File opened for reading  /proc/11/cmdline  pgrep
File opened for reading  /proc/83/cmdline  pgrep
File opened for reading  /proc/21/cmdline  pgrep
File opened for reading  /proc/634/cmdline  pgrep
File opened for reading  /proc/225/cmdline  pgrep
File opened for reading  /proc/263/cmdline  pgrep
File opened for reading  /proc/1166/cmdline  pgrep
File opened for reading  /proc/588/status  pgrep
File opened for reading  /proc/24/status  pgrep
File opened for reading  /proc/962/cmdline  pgrep
File opened for reading  /proc/26/cmdline  pgrep
File opened for reading  /proc/979/cmdline  pgrep
File opened for reading  /proc/11/status  pgrep
File opened for reading  /proc/1276/cmdline  pgrep
File opened for reading  /proc/8/status  pgrep
File opened for reading  /proc/22/status  pgrep
File opened for reading  /proc/196/cmdline  pgrep
File opened for reading  /proc/865/status  pgrep
File opened for reading  /proc/21/cmdline  pgrep
File opened for reading  /proc/1569/status  pgrep
File opened for reading  /proc/1162/cmdline  pgrep
File opened for reading  /proc/101/cmdline  pgrep
File opened for reading  /proc/770/status  pgrep
File opened for reading  /proc/1102/cmdline  pgrep
File opened for reading  /proc/89/cmdline  pgrep
File opened for reading  /proc/113/status  pgrep
File opened for reading  /proc/1113/status  pgrep
File opened for reading  /proc/98/cmdline  pgrep
File opened for reading  /proc/702/status  pgrep
File opened for reading  /proc/971/status  pgrep
File opened for reading  /proc/962/status  pgrep
File opened for reading  /proc/1179/cmdline  pgrep
File opened for reading  /proc/377/cmdline  pgrep
File opened for reading  /proc/218/status  pgrep
File opened for reading  /proc/79/status  pgrep
File opened for reading  /proc/990/cmdline  pgrep
File opened for reading  /proc/207/cmdline  pgrep
File opened for reading  /proc/218/cmdline  pgrep
File opened for reading  /proc/225/status  pgrep
File opened for reading  /proc/640/cmdline  pgrep
File opened for reading  /proc/1056/cmdline  pgrep
File opened for reading  /proc/1160/status  pgrep
File opened for reading  /proc/79/cmdline  pgrep
File opened for reading  /proc/1057/cmdline  pgrep
File opened for reading  /proc/635/cmdline  pgrep
Writes file to tmp directory 8 IoCs
Malware often drops required files in the /tmp directory.
Processes: tar, tar, udeb
description  ioc  Process
File opened for modification  /tmp/.cfg/udeb  tar
File opened for modification  /tmp/.cfg/libsimplesshd.so  tar
File opened for modification  /tmp/.cfg/rcu_scheb  tar
File opened for modification  /tmp/.cfg/udeb  tar
File opened for modification  /tmp/cleantaskx  udeb
File opened for modification  /tmp/.cfg/tools.tar  udeb
File opened for modification  /tmp/.cfg/libsimplesshd.so  tar
File opened for modification  /tmp/.cfg/rcu_scheb  tar
GoLang User-Agent 1 IoCs
Uses the default user-agent string defined by the GoLang HTTP packages.
Processes:
description  flow  ioc
HTTP User-Agent header  4  Go-http-client/1.1
Processes
/tmp/udeb  (/tmp/udeb)  PID:1569
- Modifies the dynamic linker configuration file
- Write file to user bin folder
- Enumerates kernel/hardware configuration
- Writes file to tmp directory
  /usr/bin/pgrep  (pgrep -x taskxclean)  PID:1573
  - Reads CPU attributes
  - Reads runtime system information
  /usr/bin/pgrep  (pgrep -x netmonxd)  PID:1574
  - Reads CPU attributes
  - Reads runtime system information
  /usr/bin/pgrep  (pgrep -x workproc)  PID:1575
  - Reads CPU attributes
  - Reads runtime system information
  /usr/bin/pgrep  (pgrep -x checkxutil)  PID:1576
  - Reads CPU attributes
  - Reads runtime system information
  /usr/bin/pgrep  (pgrep -x logxwatch)  PID:1577
  - Reads CPU attributes
  - Reads runtime system information
  /usr/bin/pgrep  (pgrep -x sysxhelper)  PID:1578
  - Reads CPU attributes
  - Reads runtime system information
  /usr/bin/pgrep  (pgrep -x maintxd)  PID:1579
  - Reads CPU attributes
  - Reads runtime system information
  /usr/bin/pgrep  (pgrep -x procxmanager)  PID:1580
  - Reads CPU attributes
  - Reads runtime system information
  /usr/bin/pgrep  (pgrep -x xmonitord)  PID:1581
  - Reads CPU attributes
  - Reads runtime system information
  /usr/bin/pgrep  (pgrep -x cleantaskx)  PID:1582
  - Reads CPU attributes
  - Reads runtime system information
  /usr/bin/tar  (tar -xvf /tmp/.cfg/tools.tar -C /tmp/.cfg)  PID:1593
  - Writes file to tmp directory
    /usr/local/sbin/gzip  (gzip -d)  PID:1594
    /usr/local/bin/gzip  (gzip -d)  PID:1594
    /usr/sbin/gzip  (gzip -d)  PID:1594
    /usr/bin/gzip  (gzip -d)  PID:1594
  /usr/bin/tar  (tar -xvf /tmp/.cfg/tools.tar -C /tmp/.cfg)  PID:1595
  - Writes file to tmp directory
    /usr/local/sbin/gzip  (gzip -d)  PID:1596
    /usr/local/bin/gzip  (gzip -d)  PID:1596
    /usr/sbin/gzip  (gzip -d)  PID:1596
    /usr/bin/gzip  (gzip -d)  PID:1596
  /tmp/cleantaskx  (/tmp/cleantaskx)  PID:1597
  - Executes dropped EXE
  - Checks hardware identifiers (DMI)
  - Reads hardware information
  - Checks CPU configuration
  - Reads CPU attributes
  - Enumerates kernel/hardware configuration
Network
MITRE ATT&CK Enterprise v15
Downloads