xmrig

Sharing

General

Target

hoze样本.zip
Size

7.6MB
Sample

241126-pwt9xa1pdt
MD5

8bb80dc9058ea755ff166d45fbcdbdcf
SHA1

e49e083725dcd42fba86a57959ea2cae6c7aed57
SHA256

747091fd60a9c41ff26d3878bac923c9c14b5472238874754577e14d47b8cba7
SHA512

87dab1c4e11517538113fddfd22877817455a99a0664c340c56417e9f46d4165ac7236307710378db1016628e664871f2a7db2fd48c752c17fc09370abed7226
SSDEEP

196608:8Qz8WgK/p06m121FaxrhZeeWDLAfVPKRWC9:tz5gK/m6mw1U2Dc4EA

Score

10^/10

Malware Config

Targets

- Target
  
  样本/Linux/shc加密脚本/069AD3938C3F9C049F670A8EB49DC1D8
- Size
  
  1023KB
- MD5
  
  069ad3938c3f9c049f670a8eb49dc1d8
- SHA1
  
  f4fd0c87a18d45ab4b642f32a94673c949ab7caf
- SHA256
  
  84d4b99f0d98900b4eadb7e107bf54196f2e5796d8707ebf0dcd76f5b6693295
- SHA512
  
  3c627883f53082face65b22d353c1926c4d4f4de008cf41cf2a3326762ad080dd95324f2fd35c3f60c069df4fb2c510d4fa07b26cbc404678f8a655c884beedb
- SSDEEP
  
  12288:SBgtRmLBGYhFcueTIqRe/w/Yt6myOP7/x7L15k7bKrHNq9EnE:SQRmLBTFcueTIie/wgB/x7LFLNq9
Score

7^/10

defense_evasion discovery execution persistence privilege_escalatio
- File and Directory Permissions Modification
  Adversaries may modify file or directory permissions to evade defenses.
  defense_evasion
- Attempts to change immutable files
  Modifies inode attributes on the filesystem to allow changing of immutable files.
- Creates/modifies Cron job
  Cron allows running tasks on a schedule, and is commonly used for malware persistence.
  execution persistence privilege_escalatio
- Enumerates running processes
  Discovers information about currently running processes on the system
behavioral1
- Target
  
  样本/Linux/shc加密脚本/42693670C71A529A11E81943F5B36C5B
- Size
  
  1020KB
- MD5
  
  42693670c71a529a11e81943f5b36c5b
- SHA1
  
  9026cc25786215bba3bc06c4875f7da410425f8c
- SHA256
  
  eb2329422e52901d0bea0c0fcc4b3a6d1923ef278a96d2a14ab1839882cd0ecf
- SHA512
  
  a92d9bd9cd4c1c81a2e8042a9b7c31badba5e033743f34fb851b60350c5833afb246c64fc982112afecad9b1fc48bfdeab16a7bda169b4a635a8922549067d82
- SSDEEP
  
  12288:ztLJzlNZDaY9FnavUIqEhgvmKe36myOP7/67LN5kwrHNq9EnE:zvxNZD7FnavUILhgvJeb/67LFLNq9
Score

6^/10

discovery
- Enumerates running processes
  Discovers information about currently running processes on the system
behavioral2
- Target
  
  样本/Linux/shc加密脚本/73F9917255A953EB749F5A3C90E3B383
- Size
  
  1.0MB
- MD5
  
  73f9917255a953eb749f5a3c90e3b383
- SHA1
  
  c8e392cf523aca7e2df62f72d68c83829f0c085d
- SHA256
  
  c5c11802623d02ba9b1c2c7a52579dbf0c3aa4c87ae6fc85cbfcd71dffffec27
- SHA512
  
  65b8946b67d42003272690266ccddb59ce715edd16eb6e67e8c3e2b34bb9e092ec736900432efbc1c70777c831742f820b61de8098a6438005641df4f3ddbe46
- SSDEEP
  
  12288:fbS+JhtEBBYYFkfciIqELZ3OlN6myOP7/i7L95k2rHNq9EnE:fXJ/EBJFkfciIjLZ3Ih/i7LbLNq9
Score

8^/10

antivm credential_access defense_evasion discovery execution persistence privilege_escalatio privilege_escalation
- Modifies password files for system users/ groups
  Modifies files storing password hashes of existing users/ groups, likely to grant additional privileges.
  persistence credential_access defense_evasion
- File and Directory Permissions Modification
  Adversaries may modify file or directory permissions to evade defenses.
  defense_evasion
- Modifies PAM framework files
  Modifies Linux PAM framework files, possibly to intercept credentials.
  persistence credential_access defense_evasion
- OS Credential Dumping
  Adversaries may attempt to dump credentials to use it in password cracking.
  credential_access
- Abuse Elevation Control Mechanism: Sudo and Sudo Caching
  Abuse sudo or cached sudo credentials to execute code.
  privilege_escalation defense_evasion
- Adds a user to the system
- Attempts to change immutable files
  Modifies inode attributes on the filesystem to allow changing of immutable files.
- Checks hardware identifiers (DMI)
  Checks DMI information which indicate if the system is a virtual machine.
  antivm
- Checks mountinfo of local process
  Checks mountinfo of running processes which indicate if it is running in chroot jail.
  antivm
- Creates/modifies Cron job
  Cron allows running tasks on a schedule, and is commonly used for malware persistence.
  execution persistence privilege_escalatio
- Deletes log files
  Deletes log files on the system.
  defense_evasion
- Enumerates running processes
  Discovers information about currently running processes on the system
- Modifies special file permissions
  Adds special setuid and/ or setgid bits on a file, possibly to elevate privileges.
  defense_evasion privilege_escalation
- Write file to user bin folder
  persistence
- Reads process memory
  Read the memory of a process through the /proc virtual filesystem. This can be used to steal credentials.
  credential_access
behavioral3
- Target
  
  样本/Linux/shc加密脚本/CDAFEFEDB4709959B4260435DC6F5973
- Size
  
  990KB
- MD5
  
  cdafefedb4709959b4260435dc6f5973
- SHA1
  
  9c54fa7b42fb4f25e6dbc995741661cee1bd8141
- SHA256
  
  cb7d520296116df898c01bb9e94c05efcaa38dffb14354f42b62262c5b147e34
- SHA512
  
  391bf2745abbac6ccd8eee0c7e3ea62daec185ac997d8a8cb0c918c733defdc701ff0ba44d727a3619a9be0e2070e0e34e8ceb2e1cceca889cb0f94b92c2e404
- SSDEEP
  
  24576:bNAp09HLyf/Jck/sGjeXFAGqkkdagwGKLUU:bip0Byf/Jck/sGjYBlEwGK
Score

1^/10
behavioral4
- Target
  
  样本/Linux/sh恶意脚本/9C8A5EF51CF8A89F5F00498A5A776DB8
- Size
  
  8KB
- MD5
  
  9c8a5ef51cf8a89f5f00498a5a776db8
- SHA1
  
  2c0e74dff734f88893f95d0cb78ede1c1e49c3a8
- SHA256
  
  c63d1164454a56c39eb1726cd77e18bd4faca84a719073c61c49d0135e83d29b
- SHA512
  
  9924bd7f8002e84c01405a9bc83435b1dea81744bf472dfa7f59dde222148ee18007b2fe666e4996b6961eda9a8d8662529df20f01957ddcd1a6b4c6f3ac5239
- SSDEEP
  
  96:oK8jK4TgZmQznnTnULBrWuji8LtVtU+UACM3nUO3VqIWyLlcOiO/U4lGyXPh/moF:kOmKnrULsafdUJM3UOze32
Score

1^/10
behavioral5 behavioral6 behavioral7 behavioral8
- Target
  
  样本/Linux/sh恶意脚本/E4CC1A7F992909E8509520FDD6C9A3F7
- Size
  
  2KB
- MD5
  
  e4cc1a7f992909e8509520fdd6c9a3f7
- SHA1
  
  2978a46c0be87a65e4371c0682329fbda7f631b0
- SHA256
  
  5b6783965bcab2350aa9559c6f4c08fe44d7ae764ac8fbdcb7722056a2b000d3
- SHA512
  
  20e14b888f90e5f5ee3c560326f16be46dfded9cf992a8436295d0318c41336109cc9750e9f3b9e5461cd95fc226da9619af0b65fdcf9093c289df983cb5040b
Score

6^/10

discovery
- Enumerates running processes
  Discovers information about currently running processes on the system
behavioral10 behavioral11 behavioral12 behavioral9
- Target
  
  样本/Linux/挖矿程序/9D099882A24757AC5033B0C675FECBE5
- Size
  
  5.9MB
- MD5
  
  9d099882a24757ac5033b0c675fecbe5
- SHA1
  
  1c1b1a4608918b6e95065c86b4a338e245ab36b2
- SHA256
  
  fb86120a4a1b13b29957eb5f95f7857cf9e469514fc20d25fad02ae87bf99091
- SHA512
  
  a59a855b10c0b0a0f84cfdfa89ae004c76be08a4879761d588810ef2e5f247298be63e3cd60dd2510ab35e3f3653fa4423ffb579c17f7b3e09ac47c5d4aeb9d0
- SSDEEP
  
  98304:h5ge1EgVtDw6pvf0pttZppppppZppppRlclclJGToGToGTCaqOpU6cXTpKDL4xW+:hNrD2irwCYM5qDv
Score

10^/10

xmrig_linux miner
- Xmrig_linux family
  xmrig_linux
- xmrig
  XMRig is a high performance, open source, cross platform CPU/GPU miner.
  miner xmrig_linux
behavioral13
- Target
  
  1AAF1A9F7877DC2C899D910A52F67F31
- Size
  
  9.0MB
- MD5
  
  2cd3e15d8f618f931e792b95d263df89
- SHA1
  
  d35b6ce9a0c6ead507d3a7450c3c58cf6cef87a8
- SHA256
  
  81c8b6f32d5669cbd7ce434c16c0cb6b5d3a23478fee0db97e0ce7110dcc1d88
- SHA512
  
  73887b21b91ba845164ccaa0cabf3d0b00670a65be7ccbba3bf0dce4b8d8ee281105466d2145378ec04968a4ff6ce46768f25122ff2f3fd380a75b817c2f1223
- SSDEEP
  
  98304:oBsfnIxQ4uBKu4IRFHF5ge1EgVtDw6pvf0pttZppppppZppppRlclclJGToGToGM:oBNoBRnNrD2irwCYM5qDvFDt
Score

1^/10
behavioral14 behavioral15
- Target
  
  xrx/chattr
- Size
  
  35KB
- MD5
  
  a074fef55aacf28bd6d7a5b2f5a99fc9
- SHA1
  
  2217b96394209dac95f75bdbd78f97f48a2c7f5d
- SHA256
  
  34a4f26cb133ab9bfaf9339e73b3421f88b3cf2ae7b59be0a186b19f8dd3fb66
- SHA512
  
  4c1899197719512f4088253bb8579f139f8a21a67f8f801009c1a3137335ca677d1ef43cebd6d3b05f45fb20b5fe3561798f9a8a720a82442382d620109abf14
- SSDEEP
  
  768:5TPE/yJQgRjt7wEYp2EeggGPVyzErU2np:xjQgVt8EYp2ETPoorUq
Score

1^/10
behavioral16
- Target
  
  xrx/init.sh
- Size
  
  1020KB
- MD5
  
  42693670c71a529a11e81943f5b36c5b
- SHA1
  
  9026cc25786215bba3bc06c4875f7da410425f8c
- SHA256
  
  eb2329422e52901d0bea0c0fcc4b3a6d1923ef278a96d2a14ab1839882cd0ecf
- SHA512
  
  a92d9bd9cd4c1c81a2e8042a9b7c31badba5e033743f34fb851b60350c5833afb246c64fc982112afecad9b1fc48bfdeab16a7bda169b4a635a8922549067d82
- SSDEEP
  
  12288:ztLJzlNZDaY9FnavUIqEhgvmKe36myOP7/67LN5kwrHNq9EnE:zvxNZD7FnavUILhgvJeb/67LFLNq9
Score

6^/10

discovery
- Enumerates running processes
  Discovers information about currently running processes on the system
behavioral17
- Target
  
  xrx/init0
- Size
  
  1.0MB
- MD5
  
  73f9917255a953eb749f5a3c90e3b383
- SHA1
  
  c8e392cf523aca7e2df62f72d68c83829f0c085d
- SHA256
  
  c5c11802623d02ba9b1c2c7a52579dbf0c3aa4c87ae6fc85cbfcd71dffffec27
- SHA512
  
  65b8946b67d42003272690266ccddb59ce715edd16eb6e67e8c3e2b34bb9e092ec736900432efbc1c70777c831742f820b61de8098a6438005641df4f3ddbe46
- SSDEEP
  
  12288:fbS+JhtEBBYYFkfciIqELZ3OlN6myOP7/i7L95k2rHNq9EnE:fXJ/EBJFkfciIjLZ3Ih/i7LbLNq9
Score

8^/10

antivm credential_access defense_evasion discovery execution persistence privilege_escalatio privilege_escalation
- Adds new SSH keys
  Linux special file to hold SSH keys. The threat actor may add new keys for further remote access.
  persistence privilege_escalation
- Modifies password files for system users/ groups
  Modifies files storing password hashes of existing users/ groups, likely to grant additional privileges.
  persistence credential_access defense_evasion
- File and Directory Permissions Modification
  Adversaries may modify file or directory permissions to evade defenses.
  defense_evasion
- Modifies PAM framework files
  Modifies Linux PAM framework files, possibly to intercept credentials.
  persistence credential_access defense_evasion
- OS Credential Dumping
  Adversaries may attempt to dump credentials to use it in password cracking.
  credential_access
- Abuse Elevation Control Mechanism: Sudo and Sudo Caching
  Abuse sudo or cached sudo credentials to execute code.
  privilege_escalation defense_evasion
- Adds a user to the system
- Attempts to change immutable files
  Modifies inode attributes on the filesystem to allow changing of immutable files.
- Checks hardware identifiers (DMI)
  Checks DMI information which indicate if the system is a virtual machine.
  antivm
- Checks mountinfo of local process
  Checks mountinfo of running processes which indicate if it is running in chroot jail.
  antivm
- Creates/modifies Cron job
  Cron allows running tasks on a schedule, and is commonly used for malware persistence.
  execution persistence privilege_escalatio
- Deletes log files
  Deletes log files on the system.
  defense_evasion
- Enumerates running processes
  Discovers information about currently running processes on the system
- Modifies special file permissions
  Adds special setuid and/ or setgid bits on a file, possibly to elevate privileges.
  defense_evasion privilege_escalation
- Write file to user bin folder
  persistence
- Reads process memory
  Read the memory of a process through the /proc virtual filesystem. This can be used to steal credentials.
  credential_access
behavioral18
- Target
  
  xrx/scp
- Size
  
  63B
- MD5
  
  7e21ae4da5edbbe4adaeacd5f7c1ece6
- SHA1
  
  f5574230833e98e010ecea9ceb027c2981f57488
- SHA256
  
  fc26873006164decacbcfb01d246b54539b786b404be0bb1a5cde5263031663a
- SHA512
  
  113ca3b1217fa477acd003d65faac8913e805281ae7f664a7a91d6195c0e354831645238f98c6c9d7fe622587065e1db5e7d2a2385ad32ff17b6644832563b1c
Score

1^/10
behavioral19 behavioral20 behavioral21 behavioral22
- Target
  
  xrx/secure
- Size
  
  1023KB
- MD5
  
  069ad3938c3f9c049f670a8eb49dc1d8
- SHA1
  
  f4fd0c87a18d45ab4b642f32a94673c949ab7caf
- SHA256
  
  84d4b99f0d98900b4eadb7e107bf54196f2e5796d8707ebf0dcd76f5b6693295
- SHA512
  
  3c627883f53082face65b22d353c1926c4d4f4de008cf41cf2a3326762ad080dd95324f2fd35c3f60c069df4fb2c510d4fa07b26cbc404678f8a655c884beedb
- SSDEEP
  
  12288:SBgtRmLBGYhFcueTIqRe/w/Yt6myOP7/x7L15k7bKrHNq9EnE:SQRmLBTFcueTIie/wgB/x7LFLNq9
Score

7^/10

defense_evasion discovery execution persistence privilege_escalatio
- File and Directory Permissions Modification
  Adversaries may modify file or directory permissions to evade defenses.
  defense_evasion
- Attempts to change immutable files
  Modifies inode attributes on the filesystem to allow changing of immutable files.
- Creates/modifies Cron job
  Cron allows running tasks on a schedule, and is commonly used for malware persistence.
  execution persistence privilege_escalatio
- Enumerates running processes
  Discovers information about currently running processes on the system
behavioral23
- Target
  
  xrx/uninstall.sh
- Size
  
  2KB
- MD5
  
  e4cc1a7f992909e8509520fdd6c9a3f7
- SHA1
  
  2978a46c0be87a65e4371c0682329fbda7f631b0
- SHA256
  
  5b6783965bcab2350aa9559c6f4c08fe44d7ae764ac8fbdcb7722056a2b000d3
- SHA512
  
  20e14b888f90e5f5ee3c560326f16be46dfded9cf992a8436295d0318c41336109cc9750e9f3b9e5461cd95fc226da9619af0b65fdcf9093c289df983cb5040b
Score

6^/10

discovery
- Enumerates running processes
  Discovers information about currently running processes on the system
behavioral24 behavioral25 behavioral26 behavioral27
- Target
  
  xrx/xrx
- Size
  
  5.9MB
- MD5
  
  9d099882a24757ac5033b0c675fecbe5
- SHA1
  
  1c1b1a4608918b6e95065c86b4a338e245ab36b2
- SHA256
  
  fb86120a4a1b13b29957eb5f95f7857cf9e469514fc20d25fad02ae87bf99091
- SHA512
  
  a59a855b10c0b0a0f84cfdfa89ae004c76be08a4879761d588810ef2e5f247298be63e3cd60dd2510ab35e3f3653fa4423ffb579c17f7b3e09ac47c5d4aeb9d0
- SSDEEP
  
  98304:h5ge1EgVtDw6pvf0pttZppppppZppppRlclclJGToGToGTCaqOpU6cXTpKDL4xW+:hNrD2irwCYM5qDv
Score

6^/10

antivm discovery
- Checks hardware identifiers (DMI)
  Checks DMI information which indicate if the system is a virtual machine.
  antivm
- Reads hardware information
  Accesses system info like serial numbers, manufacturer names etc.
  discovery
behavioral28