Malware Analysis Report

2025-01-02 07:04

Sample ID 241126-ldj5favnby
Target udeb
SHA256 64329f551dc7f337ef25e81d71ea8ad1b436cd320361a5e03c629dce086f761e
Tags
xmrig xmrig_linux antivm defense_evasion discovery execution miner persistence privilege_escalation
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

64329f551dc7f337ef25e81d71ea8ad1b436cd320361a5e03c629dce086f761e

Threat Level: Known bad

The file udeb was found to be: Known bad.

Malicious Activity Summary

xmrig xmrig_linux antivm defense_evasion discovery execution miner persistence privilege_escalation

Xmrig family

XMRig Miner payload

Xmrig_linux family

xmrig

Modifies the dynamic linker configuration file

Executes dropped EXE

Checks hardware identifiers (DMI)

Enumerates running processes

Reads hardware information

Write file to user bin folder

Reads CPU attributes

Checks CPU configuration

Reads runtime system information

Writes file to tmp directory

Enumerates kernel/hardware configuration

GoLang User-Agent

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-11-26 09:25

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-11-26 09:24

Reported

2024-11-26 09:27

Platform

ubuntu2204-amd64-20240729-en

Max time kernel

149s

Max time network

150s

Command Line

[/tmp/udeb]

Signatures

XMRig Miner payload

miner

Xmrig family

xmrig

Xmrig_linux family

xmrig_linux

xmrig

miner xmrig_linux

Modifies the dynamic linker configuration file

execution persistence privilege_escalation defense_evasion
Description Indicator Process Target
File opened for modification /etc/ld.so.preload /tmp/udeb N/A

Every shared object listed in /etc/ld.so.preload is mapped into each dynamically linked program started afterwards, for every user and regardless of environment, which is why one write here covers persistence, code running inside root-owned processes and defense evasion (a preloaded library can filter what ls, ps and /proc readers return). The report records only the open for writing, not the content written; /tmp/.cfg/libsimplesshd.so is the only shared object in the drop set. Writing this file requires root, so on a non-root foothold this step and the write to /usr/bin/mslog/tools.tar both fail.
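The first thing to check on a host suspected of carrying this sample is what /etc/ld.so.preload points at. The script below is an added example for this report, not code from the sample or the sandbox: it parses the file the way ld.so does (whitespace or ':' separates entries, '#' starts a comment) and flags entries in scratch directories, hidden path components, dangling targets, symlinks, non-root ownership and world-writable files. The constructed sample content (a line naming the dropped libsimplesshd.so) and the suspicious-directory list are assumptions; the report does not show what udeb actually wrote.

```python
"""Audit /etc/ld.so.preload for entries that look like a preload hijack.

Added example for this report; not code from the sample or the sandbox.
Parsing follows glibc's rules for the file. SUSPICIOUS_DIRS, SAMPLE_PRELOAD
and FAKE_FS are assumptions made for illustration.
"""
import os
import stat
import sys
from dataclasses import dataclass, field
from typing import Callable, Dict, List

# Assumption: a legitimate preload library never lives in scratch or
# user-writable space.
SUSPICIOUS_DIRS = ("/tmp/", "/var/tmp/", "/dev/shm/", "/home/", "/run/user/")

# Constructed sample: the report shows udeb opening /etc/ld.so.preload for
# writing but not the content; this is a hypothetical file body.
SAMPLE_PRELOAD = """\
# constructed sample, not the real file content
/tmp/.cfg/libsimplesshd.so
/usr/lib/x86_64-linux-gnu/libaudit-hook.so:/lib/libmissing.so
"""


@dataclass
class FileInfo:
    exists: bool
    uid: int = 0
    mode: int = 0  # full st_mode as returned by lstat


@dataclass
class Finding:
    entry: str
    reasons: List[str] = field(default_factory=list)


def real_stat(path: str) -> FileInfo:
    """lstat wrapper so a symlink is reported as such instead of followed."""
    try:
        st = os.lstat(path)
    except OSError:
        return FileInfo(exists=False)
    return FileInfo(exists=True, uid=st.st_uid, mode=st.st_mode)


def parse_preload(text: str) -> List[str]:
    """Split like ld.so: '#' to end of line is a comment, entries are
    separated by whitespace or ':'."""
    entries: List[str] = []
    for line in text.splitlines():
        line = line.split("#", 1)[0]
        entries.extend(line.replace(":", " ").split())
    return entries


def audit_preload(text: str,
                  stat_fn: Callable[[str], FileInfo] = real_stat) -> List[Finding]:
    """One Finding per entry that fails a sanity check. stat_fn is injectable
    so a captured file can be audited without touching the local disk."""
    findings: List[Finding] = []
    for entry in parse_preload(text):
        reasons: List[str] = []
        if not entry.startswith("/"):
            reasons.append("relative path; resolved through the library search path")
        if entry.startswith(SUSPICIOUS_DIRS):
            reasons.append("located in scratch or user-writable directory")
        if "/." in entry:
            reasons.append("hidden path component")
        info = stat_fn(entry)
        if not info.exists:
            # ld.so logs 'cannot be preloaded ... ignored' and carries on, so a
            # dangling entry still points at a removed or pending implant.
            reasons.append("target does not exist (dangling preload entry)")
        else:
            if stat.S_ISLNK(info.mode):
                reasons.append("symlink; resolve and audit the target")
            if info.uid != 0:
                reasons.append("not owned by root")
            if info.mode & stat.S_IWOTH:
                reasons.append("world-writable")
        if reasons:
            findings.append(Finding(entry, reasons))
    return findings


# Constructed filesystem view matching SAMPLE_PRELOAD so the script runs offline.
FAKE_FS: Dict[str, FileInfo] = {
    "/tmp/.cfg/libsimplesshd.so": FileInfo(True, uid=0, mode=stat.S_IFREG | 0o755),
    "/usr/lib/x86_64-linux-gnu/libaudit-hook.so": FileInfo(True, uid=0, mode=stat.S_IFREG | 0o644),
}


def fake_stat(path: str) -> FileInfo:
    return FAKE_FS.get(path, FileInfo(exists=False))


def main(argv: List[str]) -> int:
    """With a path argument audit that file on the live host; otherwise run
    against the constructed sample."""
    if len(argv) > 1:
        with open(argv[1], encoding="utf-8", errors="replace") as fh:
            findings = audit_preload(fh.read())
    else:
        findings = audit_preload(SAMPLE_PRELOAD, fake_stat)
    for f in findings:
        print(f"{f.entry}: " + "; ".join(f.reasons))
    return 1 if findings else 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run it as `python3 audit_preload.py /etc/ld.so.preload` on the suspect host; a non-zero exit means at least one entry needs a look. An empty or absent file is the normal state on most distributions, so any entry at all deserves a second glance even when it passes every check here.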

Executes dropped EXE

Description Indicator Process Target
N/A /tmp/cleantaskx /tmp/cleantaskx N/A

Checks hardware identifiers (DMI)

antivm
Description Indicator Process Target
File opened for reading /sys/devices/virtual/dmi/id/sys_vendor /tmp/cleantaskx N/A
File opened for reading /sys/devices/virtual/dmi/id/product_name /tmp/cleantaskx N/A
File opened for reading /sys/devices/virtual/dmi/id/board_vendor /tmp/cleantaskx N/A
File opened for reading /sys/devices/virtual/dmi/id/bios_vendor /tmp/cleantaskx N/A

Caveat: this set of /sys/devices/virtual/dmi/id files, together with the chassis, board, bios and product fields listed under "Reads hardware information" and the raw tables under /sys/firmware/dmi/tables, is exactly what hwloc's Linux backend reads while building the CPU topology that XMRig uses. The sandbox assigns the antivm tag from the paths alone and the report shows no branch on the values read, so treat these as topology discovery by the miner unless reversing shows the values being compared against hypervisor strings.

Enumerates running processes

Reads hardware information

discovery
Description Indicator Process Target
File opened for reading /sys/devices/virtual/dmi/id/chassis_type /tmp/cleantaskx N/A
File opened for reading /sys/devices/virtual/dmi/id/chassis_serial /tmp/cleantaskx N/A
File opened for reading /sys/devices/virtual/dmi/id/chassis_asset_tag /tmp/cleantaskx N/A
File opened for reading /sys/devices/virtual/dmi/id/bios_version /tmp/cleantaskx N/A
File opened for reading /sys/devices/virtual/dmi/id/bios_date /tmp/cleantaskx N/A
File opened for reading /sys/devices/virtual/dmi/id/product_serial /tmp/cleantaskx N/A
File opened for reading /sys/devices/virtual/dmi/id/product_uuid /tmp/cleantaskx N/A
File opened for reading /sys/devices/virtual/dmi/id/chassis_vendor /tmp/cleantaskx N/A
File opened for reading /sys/devices/virtual/dmi/id/chassis_version /tmp/cleantaskx N/A
File opened for reading /sys/devices/virtual/dmi/id/product_version /tmp/cleantaskx N/A
File opened for reading /sys/devices/virtual/dmi/id/board_asset_tag /tmp/cleantaskx N/A
File opened for reading /sys/devices/virtual/dmi/id/board_name /tmp/cleantaskx N/A
File opened for reading /sys/devices/virtual/dmi/id/board_version /tmp/cleantaskx N/A
File opened for reading /sys/devices/virtual/dmi/id/board_serial /tmp/cleantaskx N/A

Write file to user bin folder

persistence
Description Indicator Process Target
File opened for modification /usr/bin/mslog/tools.tar /tmp/udeb N/A

This is a second copy of the archive that udeb also writes to /tmp/.cfg/tools.tar (the Files section lists a hash only for the /tmp copy). /usr/bin/mslog is not a path any package ships; writing there requires root.

Checks CPU configuration

antivm
Description Indicator Process Target
File opened for reading /proc/cpuinfo /tmp/cleantaskx N/A

The same caveat as for the DMI reads applies: hwloc reads /proc/cpuinfo for the CPU model while XMRig detects its tuning parameters, and nothing in the report shows the value being used for a sandbox decision.

Reads CPU attributes

discovery
Description Indicator Process Target
File opened for reading /sys/devices/system/cpu/cpu0/cache/index3/size /tmp/cleantaskx N/A
File opened for reading /sys/devices/system/cpu/cpu0/cpufreq/cpuinfo_max_freq /tmp/cleantaskx N/A
File opened for reading /sys/devices/system/cpu/online /usr/bin/pgrep N/A
File opened for reading /sys/devices/system/cpu/online /usr/bin/pgrep N/A
File opened for reading /sys/devices/system/cpu/cpu0/topology/physical_package_id /tmp/cleantaskx N/A
File opened for reading /sys/devices/system/cpu/cpu0/cache/index2/size /tmp/cleantaskx N/A
File opened for reading /sys/devices/system/cpu/possible /tmp/cleantaskx N/A
File opened for reading /sys/devices/system/cpu/cpu0/cache/index0/id /tmp/cleantaskx N/A
File opened for reading /sys/devices/system/cpu/cpu0/cache/index2/level /tmp/cleantaskx N/A
File opened for reading /sys/devices/system/cpu/cpu0/cache/index5/shared_cpu_map /tmp/cleantaskx N/A
File opened for reading /sys/devices/system/cpu/cpu0/cache/index2/shared_cpu_map /tmp/cleantaskx N/A
File opened for reading /sys/devices/system/cpu/online /usr/bin/pgrep N/A
File opened for reading /sys/devices/system/cpu/cpu0/topology/core_cpus /tmp/cleantaskx N/A
File opened for reading /sys/devices/system/cpu/cpu0/cache/index0/coherency_line_size /tmp/cleantaskx N/A
File opened for reading /sys/devices/system/cpu/cpu0/cache/index0/physical_line_partition /tmp/cleantaskx N/A
File opened for reading /sys/devices/system/cpu/cpu0/cache/index2/id /tmp/cleantaskx N/A
File opened for reading /sys/devices/system/cpu/cpu0/cache/index3/physical_line_partition /tmp/cleantaskx N/A
File opened for reading /sys/devices/system/cpu/cpu0/cache/index0/shared_cpu_map /tmp/cleantaskx N/A
File opened for reading /sys/devices/system/cpu/cpu0/cache/index0/type /tmp/cleantaskx N/A
File opened for reading /sys/devices/system/cpu/cpu0/cache/index3/id /tmp/cleantaskx N/A
File opened for reading /sys/devices/system/cpu/online /usr/bin/pgrep N/A
File opened for reading /sys/devices/system/cpu/online /usr/bin/pgrep N/A
File opened for reading /sys/devices/system/cpu/online /usr/bin/pgrep N/A
File opened for reading /sys/devices/system/cpu/cpu0/topology/core_id /tmp/cleantaskx N/A
File opened for reading /sys/devices/system/cpu/cpu0/cache/index0/level /tmp/cleantaskx N/A
File opened for reading /sys/devices/system/cpu/online /usr/bin/pgrep N/A
File opened for reading /sys/devices/system/cpu/cpu0/topology/cluster_cpus /tmp/cleantaskx N/A
File opened for reading /sys/devices/system/cpu/cpu0/cache/index3/level /tmp/cleantaskx N/A
File opened for reading /sys/devices/system/cpu/cpu0/cache/index3/coherency_line_size /tmp/cleantaskx N/A
File opened for reading /sys/devices/system/cpu/cpu0/cache/index2/coherency_line_size /tmp/cleantaskx N/A
File opened for reading /sys/devices/system/cpu/online /usr/bin/pgrep N/A
File opened for reading /sys/devices/system/cpu/online /tmp/cleantaskx N/A
File opened for reading /sys/devices/system/cpu/cpu0/cache/index0/size /tmp/cleantaskx N/A
File opened for reading /sys/devices/system/cpu/cpu0/cache/index2/physical_line_partition /tmp/cleantaskx N/A
File opened for reading /sys/devices/system/cpu/cpu0/cache/index3/number_of_sets /tmp/cleantaskx N/A
File opened for reading /sys/devices/system/cpu/cpu0/cpufreq/base_frequency /tmp/cleantaskx N/A
File opened for reading /sys/devices/system/cpu/cpu0/cpu_capacity /tmp/cleantaskx N/A
File opened for reading /sys/devices/system/cpu/online /usr/bin/pgrep N/A
File opened for reading /sys/devices/system/cpu/cpu0/cache/index3/shared_cpu_map /tmp/cleantaskx N/A
File opened for reading /sys/devices/system/cpu/cpu0/cache/index1/type /tmp/cleantaskx N/A
File opened for reading /sys/devices/system/cpu/cpu0/topology/package_cpus /tmp/cleantaskx N/A
File opened for reading /sys/devices/system/cpu/cpu0/cache/index1/shared_cpu_map /tmp/cleantaskx N/A
File opened for reading /sys/devices/system/cpu/cpu0/cache/index2/number_of_sets /tmp/cleantaskx N/A
File opened for reading /sys/devices/system/cpu/cpu0/cache/index3/type /tmp/cleantaskx N/A
File opened for reading /sys/devices/system/cpu/cpu0/cache/index6/shared_cpu_map /tmp/cleantaskx N/A
File opened for reading /sys/devices/system/cpu/cpu0/cache/index7/shared_cpu_map /tmp/cleantaskx N/A
File opened for reading /sys/devices/system/cpu/cpu0/cache/index4/shared_cpu_map /tmp/cleantaskx N/A
File opened for reading /sys/devices/system/cpu/cpu0/cache/index8/shared_cpu_map /tmp/cleantaskx N/A
File opened for reading /sys/devices/system/cpu/online /usr/bin/pgrep N/A
File opened for reading /sys/devices/system/cpu/cpu0/topology/die_cpus /tmp/cleantaskx N/A
File opened for reading /sys/devices/system/cpu/cpu0/cache/index1/level /tmp/cleantaskx N/A
File opened for reading /sys/devices/system/cpu/cpu0/cache/index2/type /tmp/cleantaskx N/A
File opened for reading /sys/devices/system/cpu/cpu0/cache/index0/number_of_sets /tmp/cleantaskx N/A
File opened for reading /sys/devices/system/cpu/cpu0/cache/index1/id /tmp/cleantaskx N/A
File opened for reading /sys/devices/system/cpu/cpu0/cache/index9/shared_cpu_map /tmp/cleantaskx N/A

Enumerates kernel/hardware configuration

discovery
Description Indicator Process Target
File opened for reading /sys/devices/cpu_core/cpus /tmp/cleantaskx N/A
File opened for reading /sys/devices/system/node/online /tmp/cleantaskx N/A
File opened for reading /sys/fs/cgroup/cgroup.controllers /tmp/cleantaskx N/A
File opened for reading /sys/devices/cpu_atom/cpus /tmp/cleantaskx N/A
File opened for reading /sys/kernel/mm/hugepages/hugepages-2048kB/nr_hugepages /tmp/cleantaskx N/A
File opened for reading /sys/kernel/mm/hugepages/hugepages-1048576kB/nr_hugepages /tmp/cleantaskx N/A
File opened for reading /sys/devices/system/node/node0/hugepages /tmp/cleantaskx N/A
File opened for reading /sys/devices/system/node/node0/access1/initiators /tmp/cleantaskx N/A
File opened for reading /sys/devices/system/node/node0/access0/initiators/write_bandwidth /tmp/cleantaskx N/A
File opened for reading /sys/firmware/dmi/tables/DMI /tmp/cleantaskx N/A
File opened for reading /sys/fs/cgroup/cpuset.cpus.effective /tmp/cleantaskx N/A
File opened for reading /sys/kernel/mm/hugepages /tmp/cleantaskx N/A
File opened for reading /sys/devices/system/node/node0/meminfo /tmp/cleantaskx N/A
File opened for reading /sys/bus/dax/devices /tmp/cleantaskx N/A
File opened for reading /sys/devices/system/node/node0/access0/initiators/read_latency /tmp/cleantaskx N/A
File opened for reading /sys/devices/system/node/node0/access0/initiators/write_latency /tmp/cleantaskx N/A
File opened for reading /sys/kernel/mm/transparent_hugepage/hpage_pmd_size /tmp/udeb N/A
File opened for reading /sys/bus/soc/devices /tmp/cleantaskx N/A
File opened for reading /sys/fs/cgroup/cpuset.mems.effective /tmp/cleantaskx N/A
File opened for reading /sys/devices/system/node/node0/access0/initiators/read_bandwidth /tmp/cleantaskx N/A
File opened for reading /sys/devices/system/node/node0/hugepages/hugepages-2048kB/free_hugepages /tmp/cleantaskx N/A
File opened for reading /sys/devices/system/node/node0/cpumap /tmp/cleantaskx N/A
File opened for reading /sys/devices/virtual/dmi/id /tmp/cleantaskx N/A
File opened for reading /sys/firmware/dmi/tables/smbios_entry_point /tmp/cleantaskx N/A
File opened for reading /sys/devices/system/cpu /tmp/cleantaskx N/A
File opened for reading /sys/devices/system/node/node0/hugepages/hugepages-2048kB/nr_hugepages /tmp/cleantaskx N/A
File opened for reading /sys/devices/system/node/node0/hugepages/hugepages-1048576kB/nr_hugepages /tmp/cleantaskx N/A
File opened for reading /sys/devices/system/node/node0/access0/initiators /tmp/cleantaskx N/A

The cache, topology, NUMA, hugepage and cgroup cpuset reads by cleantaskx are hwloc topology discovery plus XMRig's check of available 2 MB and 1 GB huge pages (nr_hugepages), which it uses for the RandomX dataset. The single read by /tmp/udeb of transparent_hugepage/hpage_pmd_size is done by the Go runtime at process start, consistent with udeb being the Go binary behind the Go-http-client User-Agent below.

Reads runtime system information

discovery
Description Indicator Process Target
File opened for reading /proc/1320/cmdline /usr/bin/pgrep N/A
File opened for reading /proc/119/status /usr/bin/pgrep N/A
File opened for reading /proc/110/status /usr/bin/pgrep N/A
File opened for reading /proc/587/status /usr/bin/pgrep N/A
File opened for reading /proc/377/cmdline /usr/bin/pgrep N/A
File opened for reading /proc/196/cmdline /usr/bin/pgrep N/A
File opened for reading /proc/2/cmdline /usr/bin/pgrep N/A
File opened for reading /proc/746/status /usr/bin/pgrep N/A
File opened for reading /proc/74/cmdline /usr/bin/pgrep N/A
File opened for reading /proc/588/status /usr/bin/pgrep N/A
File opened for reading /proc/1165/status /usr/bin/pgrep N/A
File opened for reading /proc/79/cmdline /usr/bin/pgrep N/A
File opened for reading /proc/990/cmdline /usr/bin/pgrep N/A
File opened for reading /proc/737/status /usr/bin/pgrep N/A
File opened for reading /proc/3/status /usr/bin/pgrep N/A
File opened for reading /proc/81/cmdline /usr/bin/pgrep N/A
File opened for reading /proc/991/status /usr/bin/pgrep N/A
File opened for reading /proc/634/cmdline /usr/bin/pgrep N/A
File opened for reading /proc/18/status /usr/bin/pgrep N/A
File opened for reading /proc/11/cmdline /usr/bin/pgrep N/A
File opened for reading /proc/83/cmdline /usr/bin/pgrep N/A
File opened for reading /proc/21/cmdline /usr/bin/pgrep N/A
File opened for reading /proc/634/cmdline /usr/bin/pgrep N/A
File opened for reading /proc/225/cmdline /usr/bin/pgrep N/A
File opened for reading /proc/263/cmdline /usr/bin/pgrep N/A
File opened for reading /proc/1166/cmdline /usr/bin/pgrep N/A
File opened for reading /proc/588/status /usr/bin/pgrep N/A
File opened for reading /proc/24/status /usr/bin/pgrep N/A
File opened for reading /proc/962/cmdline /usr/bin/pgrep N/A
File opened for reading /proc/26/cmdline /usr/bin/pgrep N/A
File opened for reading /proc/979/cmdline /usr/bin/pgrep N/A
File opened for reading /proc/11/status /usr/bin/pgrep N/A
File opened for reading /proc/1276/cmdline /usr/bin/pgrep N/A
File opened for reading /proc/8/status /usr/bin/pgrep N/A
File opened for reading /proc/22/status /usr/bin/pgrep N/A
File opened for reading /proc/196/cmdline /usr/bin/pgrep N/A
File opened for reading /proc/865/status /usr/bin/pgrep N/A
File opened for reading /proc/21/cmdline /usr/bin/pgrep N/A
File opened for reading /proc/1569/status /usr/bin/pgrep N/A
File opened for reading /proc/1162/cmdline /usr/bin/pgrep N/A
File opened for reading /proc/101/cmdline /usr/bin/pgrep N/A
File opened for reading /proc/770/status /usr/bin/pgrep N/A
File opened for reading /proc/1102/cmdline /usr/bin/pgrep N/A
File opened for reading /proc/89/cmdline /usr/bin/pgrep N/A
File opened for reading /proc/113/status /usr/bin/pgrep N/A
File opened for reading /proc/1113/status /usr/bin/pgrep N/A
File opened for reading /proc/98/cmdline /usr/bin/pgrep N/A
File opened for reading /proc/702/status /usr/bin/pgrep N/A
File opened for reading /proc/971/status /usr/bin/pgrep N/A
File opened for reading /proc/962/status /usr/bin/pgrep N/A
File opened for reading /proc/1179/cmdline /usr/bin/pgrep N/A
File opened for reading /proc/377/cmdline /usr/bin/pgrep N/A
File opened for reading /proc/218/status /usr/bin/pgrep N/A
File opened for reading /proc/79/status /usr/bin/pgrep N/A
File opened for reading /proc/990/cmdline /usr/bin/pgrep N/A
File opened for reading /proc/207/cmdline /usr/bin/pgrep N/A
File opened for reading /proc/218/cmdline /usr/bin/pgrep N/A
File opened for reading /proc/225/status /usr/bin/pgrep N/A
File opened for reading /proc/640/cmdline /usr/bin/pgrep N/A
File opened for reading /proc/1056/cmdline /usr/bin/pgrep N/A
File opened for reading /proc/1160/status /usr/bin/pgrep N/A
File opened for reading /proc/79/cmdline /usr/bin/pgrep N/A
File opened for reading /proc/1057/cmdline /usr/bin/pgrep N/A
File opened for reading /proc/635/cmdline /usr/bin/pgrep N/A

Writes file to tmp directory

Description Indicator Process Target
File opened for modification /tmp/.cfg/udeb /usr/bin/tar N/A
File opened for modification /tmp/.cfg/libsimplesshd.so /usr/bin/tar N/A
File opened for modification /tmp/.cfg/rcu_scheb /usr/bin/tar N/A
File opened for modification /tmp/.cfg/udeb /usr/bin/tar N/A
File opened for modification /tmp/cleantaskx /tmp/udeb N/A
File opened for modification /tmp/.cfg/tools.tar /tmp/udeb N/A
File opened for modification /tmp/.cfg/libsimplesshd.so /usr/bin/tar N/A
File opened for modification /tmp/.cfg/rcu_scheb /usr/bin/tar N/A

GoLang User-Agent

Description Indicator Process Target
HTTP User-Agent header Go-http-client/1.1 N/A N/A

Go-http-client/1.1 is the default User-Agent of Go's net/http client and identifies the downloader, not the miner. The sandbox did not attribute it to a process; unless it intercepts TLS, the only connection on which the header could have been observed is the plaintext one to vvnnmm.com (78.47.77.125:80) in the Network section.

Processes

/tmp/udeb

[/tmp/udeb]

/usr/bin/pgrep

[pgrep -x taskxclean]

/usr/bin/pgrep

[pgrep -x netmonxd]

/usr/bin/pgrep

[pgrep -x workproc]

/usr/bin/pgrep

[pgrep -x checkxutil]

/usr/bin/pgrep

[pgrep -x logxwatch]

/usr/bin/pgrep

[pgrep -x sysxhelper]

/usr/bin/pgrep

[pgrep -x maintxd]

/usr/bin/pgrep

[pgrep -x procxmanager]

/usr/bin/pgrep

[pgrep -x xmonitord]

/usr/bin/pgrep

[pgrep -x cleantaskx]

The ten pgrep -x invocations are exact-name checks for already-running processes; cleantaskx, the last name checked, is the name the dropped binary is then executed under (/tmp/cleantaskx). pgrep's own reads of /sys/devices/system/cpu/online and of /proc/*/status and /proc/*/cmdline account for the entries attributed to /usr/bin/pgrep under "Reads CPU attributes" and "Reads runtime system information".

/usr/bin/tar

[tar -xvf /tmp/.cfg/tools.tar -C /tmp/.cfg]

/usr/local/sbin/gzip

[gzip -d]

/usr/local/bin/gzip

[gzip -d]

/usr/sbin/gzip

[gzip -d]

/usr/bin/gzip

[gzip -d]

/usr/bin/tar

[tar -xvf /tmp/.cfg/tools.tar -C /tmp/.cfg]

/usr/local/sbin/gzip

[gzip -d]

/usr/local/bin/gzip

[gzip -d]

/usr/sbin/gzip

[gzip -d]

/usr/bin/gzip

[gzip -d]

The four gzip entries after each tar invocation are tar searching its PATH (/usr/local/sbin, /usr/local/bin, /usr/sbin, /usr/bin) for a decompression helper; only the last one exists on this image, so each extraction produces a single gzip -d child. That tar spawned gzip at all shows tools.tar is gzip-compressed despite its plain .tar name.

/tmp/cleantaskx

[/tmp/cleantaskx]

Network

Country Destination Domain Proto
N/A 224.0.0.251:5353 N/A udp
US 8.8.8.8:53 vvnnmm.com udp
US 8.8.8.8:53 vvnnmm.com udp
DE 78.47.77.125:80 vvnnmm.com tcp
US 8.8.8.8:53 proxy.customerbon.com udp
US 8.8.8.8:53 proxy.customerbon.com udp
LT 93.123.39.55:443 proxy.customerbon.com tcp
DE 49.13.232.203:443 proxy.customerbon.com tcp
US 8.8.8.8:53 proxy.customerbon.com udp
LT 93.123.39.55:443 proxy.customerbon.com tcp
DE 49.13.232.203:443 proxy.customerbon.com tcp
US 8.8.8.8:53 proxy.customerbon.com udp
DE 49.13.232.203:443 proxy.customerbon.com tcp
FI 5.223.46.216:443 N/A tcp
US 8.8.8.8:53 hk.salvium.gfwroute.com udp
US 8.8.8.8:53 hk.salvium.gfwroute.com udp
HK 64.120.114.165:1230 hk.salvium.gfwroute.com tcp
US 8.8.8.8:53 proxy.customerbon.com udp
DE 49.13.232.203:443 proxy.customerbon.com tcp
US 8.8.8.8:53 proxy.customerbon.com udp
HK 47.242.195.217:443 proxy.customerbon.com tcp

Reading the table: 224.0.0.251:5353 is mDNS multicast (ordinary guest noise) and 8.8.8.8:53 is the resolver, so the indicators are the three domains, the hosts contacted on 80/443, and 64.120.114.165:1230 (hk.salvium.gfwroute.com), the only connection to a non-web port and therefore the candidate pool or proxy endpoint for the miner; confirm it against the miner's embedded configuration before labelling it as such. proxy.customerbon.com resolved to three different addresses during the run, and 5.223.46.216:443 was contacted without a lookup recorded in this table.
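Turning the flat table above into a deduplicated indicator list is the step most readers of this report actually need. The script below is an added example, not part of the sandbox output: NETWORK_TABLE is the table copied from this page (with N/A or a missing field for an absent domain), and treating 8.8.8.8 as the sandbox resolver and 80/443 as ordinary web ports are assumptions.

```python
"""Summarise the sandbox Network table into indicators.

Added example, not part of the report. NETWORK_TABLE is copied from the
report; RESOLVERS and WEB_PORTS are assumptions.
"""
from collections import Counter, defaultdict
from ipaddress import ip_address
from typing import Dict, List, NamedTuple, Optional, Set

NETWORK_TABLE = """\
N/A 224.0.0.251:5353 N/A udp
US 8.8.8.8:53 vvnnmm.com udp
US 8.8.8.8:53 vvnnmm.com udp
DE 78.47.77.125:80 vvnnmm.com tcp
US 8.8.8.8:53 proxy.customerbon.com udp
US 8.8.8.8:53 proxy.customerbon.com udp
LT 93.123.39.55:443 proxy.customerbon.com tcp
DE 49.13.232.203:443 proxy.customerbon.com tcp
US 8.8.8.8:53 proxy.customerbon.com udp
LT 93.123.39.55:443 proxy.customerbon.com tcp
DE 49.13.232.203:443 proxy.customerbon.com tcp
US 8.8.8.8:53 proxy.customerbon.com udp
DE 49.13.232.203:443 proxy.customerbon.com tcp
FI 5.223.46.216:443 tcp
US 8.8.8.8:53 hk.salvium.gfwroute.com udp
US 8.8.8.8:53 hk.salvium.gfwroute.com udp
HK 64.120.114.165:1230 hk.salvium.gfwroute.com tcp
US 8.8.8.8:53 proxy.customerbon.com udp
DE 49.13.232.203:443 proxy.customerbon.com tcp
US 8.8.8.8:53 proxy.customerbon.com udp
HK 47.242.195.217:443 proxy.customerbon.com tcp
"""

RESOLVERS = {"8.8.8.8"}  # assumption: the sandbox's configured DNS server
WEB_PORTS = {80, 443}    # assumption: ports where C2 traffic blends in


class Row(NamedTuple):
    country: str
    ip: str
    port: int
    domain: Optional[str]
    proto: str


class Endpoint(NamedTuple):
    ip: str
    port: int
    proto: str
    domain: Optional[str]


def parse_rows(text: str) -> List[Row]:
    """Rows carry 3 or 4 whitespace-separated fields; the domain is absent
    (or N/A) for multicast and for connections without a recorded lookup."""
    rows: List[Row] = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) == 4:
            country, dest, domain, proto = parts
        elif len(parts) == 3:
            country, dest, proto = parts
            domain = "N/A"
        else:
            continue
        ip, port = dest.rsplit(":", 1)
        rows.append(Row(country, ip, int(port), None if domain == "N/A" else domain, proto))
    return rows


def summarise(rows: List[Row]) -> Dict[str, object]:
    """Separate DNS lookups and local noise from real outbound connections,
    then single out the ones that do not look like web traffic."""
    lookups: Counter = Counter()
    resolved: Dict[str, Set[str]] = defaultdict(set)
    connections: Set[Endpoint] = set()
    noise: Set[Endpoint] = set()
    for r in rows:
        ep = Endpoint(r.ip, r.port, r.proto, r.domain)
        addr = ip_address(r.ip)
        if r.proto == "udp" and r.port == 53 and r.ip in RESOLVERS:
            lookups[r.domain] += 1
        elif addr.is_multicast or addr.is_private or addr.is_loopback:
            noise.add(ep)
        else:
            connections.add(ep)
            if r.domain:
                resolved[r.domain].add(r.ip)
    return {
        "lookups": dict(lookups),
        "resolved": {d: sorted(ips) for d, ips in resolved.items()},
        "connections": connections,
        "non_web": {c for c in connections if c.port not in WEB_PORTS},
        "unresolved": {c for c in connections if c.domain is None},
        "noise": noise,
    }


if __name__ == "__main__":
    summary = summarise(parse_rows(NETWORK_TABLE))
    for key in ("lookups", "resolved", "non_web", "unresolved", "noise"):
        print(f"{key}: {summary[key]}")
    for c in sorted(summary["connections"]):
        print(f"{c.ip}:{c.port}/{c.proto} {c.domain or '-'}")
```

The non_web set is the line to chase first for a miner: it is the only outbound endpoint that cannot hide behind normal HTTPS egress, and a port-based egress rule would have blocked it where a domain blocklist would not.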

Files

/tmp/.cfg/tools.tar

MD5 cfc9867852bca14216a8fbf198d1583e
SHA1 e3360c5697e43463322e79fcacd3492960057f19
SHA256 06d5426ddb4bc170c7471a6f3879c5be24612c06a78b2124d23ac5fb31845913
SHA512 3bfb3e8cabab75d78f84698f7c88b94da0bb72fd28787e843e69c980e5dee6526604fbc11dec2f3fdf1be85883333a2c7fef24b1f5d71d051258fd13355961f8

/tmp/.cfg/libsimplesshd.so

MD5 25baf54d805568e1d4ee2604a7a01ee9
SHA1 4e8a555060b73f6bfc3ca7e3d006378735593ba0
SHA256 5d5c99dc751a1b42a84fbb214c94b2910717bd702adc49be4ea94d7f2c8e9f79
SHA512 867457eceb313968301276c6e289a83f03b1fd7aaf0e542550ad8308f8f6bb9da35133de86574846ce0c0c642b0c71345b4bd86c27ea3eabcb45574f9200010d

/tmp/.cfg/rcu_scheb

MD5 2c7dbb4d16bd8eca6203f76041ba9c5b
SHA1 f1b592a9481b2897d1bf73ee4202c15fe804841d
SHA256 516e39a4705d774a512725311b22f62b1b008dc42ea71fc9afec15105bf468a9
SHA512 323a07fccc1ed45043b018c6b0bf8b91a208b136ea0819eed44818a128d8a5228d1d77e05d3c5c1a9ba80f744a2e515665ddb4b8aaa387d9cace9e52be7f0b6d

/tmp/.cfg/udeb

MD5 379fdaee1c0dfd529f0c77d466cf0ab5
SHA1 5b90f5ea0d117e189e88656bd0ea3d3984d84e39
SHA256 5ceed97220541558df9161f99ddb16266bde1bf57a95e23c81f92f6c5dc424df
SHA512 a6764ddb05d36500b84852950e608db1ba99b92a4534375a34fb4c70407b7924c2465b233ddf427fc0c23de7466cd155c7626cbb41085e303eda86acccc74581

/tmp/.cfg/udeb

MD5 c43fb27880f6586eafc93701c4b7ab0f
SHA1 382084a075626f1d5c7add636d2cdf042c6d32f9
SHA256 3eb065f4e0491a2d862373cd633684521af9158555db668124dbb8685b6dc579
SHA512 62e832c6c54274af2e860f854d4ea47412951729b97f5c13608cb32653e13d33965218a252429883cf8719e91d5aa6cf473fb58c869d974725ad64b9060f0462

Two distinct contents were captured at /tmp/.cfg/udeb (tar wrote the path once per extraction); carry both hash sets as indicators. Neither matches the submitted sample's SHA256 at the top of this report, so the dropped udeb is not a copy of the original downloader despite the shared name.