Overview

overview

10

Static

static

1

script_mal...6c1.sh

ubuntu-18.04-amd64

9

script_mal...6c1.sh

debian-9-armhf

9

script_mal...6c1.sh

debian-9-mips

9

script_mal...6c1.sh

debian-9-mipsel

9

script_malware/1.sh

ubuntu-18.04-amd64

10

script_malware/1.sh

debian-9-armhf

7

script_malware/1.sh

debian-9-mips

7

script_malware/1.sh

debian-9-mipsel

7

script_mal...459.sh

ubuntu-18.04-amd64

7

script_mal...459.sh

debian-9-armhf

7

script_mal...459.sh

debian-9-mips

7

script_mal...459.sh

debian-9-mipsel

7

script_mal...ux.elf

ubuntu-22.04-amd64

3

script_mal...da.elf

ubuntu-22.04-amd64

3

script_malware/23.sh

ubuntu-18.04-amd64

3

script_malware/23.sh

debian-9-armhf

3

script_malware/23.sh

debian-9-mips

3

script_malware/23.sh

debian-9-mipsel

3

script_malware/404

ubuntu-18.04-amd64

script_malware/404

debian-9-armhf

script_malware/404

debian-9-mips

script_malware/404

debian-9-mipsel

script_mal...c5b.py

windows7-x64

3

script_mal...c5b.py

windows10-2004-x64

3

script_mal...006.sh

ubuntu-18.04-amd64

10

script_mal...006.sh

debian-9-armhf

7

script_mal...006.sh

debian-9-mips

7

script_mal...006.sh

debian-9-mipsel

7

script_mal...oPy.sh

ubuntu-18.04-amd64

7

script_mal...oPy.sh

debian-9-armhf

7

script_mal...oPy.sh

debian-9-mips

7

script_mal...oPy.sh

debian-9-mipsel

7

Sharing

Copy URL
Twitter E-mail

General

  • Target

    script_malware.zip

  • Size

    4.4MB

  • Sample

    241206-rejsyswrgj

  • MD5

    cabc07f288cc71b7447d6098ce3bb245

  • SHA1

    2ff090c33470e3c8c2c10888ba0de5539c5126d1

  • SHA256

    78276bd481a04c29109fbbd8313701e5b814165fa4b48515ec4489ccfda93107

  • SHA512

    7aef8936dd1f734d20a9ab251ab46c22bcaa4c2a012387b7e9fce48e9d870926981c22cf3fac87c2b3bd0ae6f6efe084aaefd15fe229cd1bf085a55e0322dd80

  • SSDEEP

    98304:OUCcwlITgiAybrbTWITgJbyvVqUCcwlITgiAybrbTWITgJbyvVvM:pCcCEgiAsTHsyPCcCEgiAsTHsyhM

Score
10/10
xmrig_linuxantivmdefense_evasiondiscoveryevasionexectionexecutionlinuxminerpersistenceprivilege_escalatioprivilege_escalationrootkit

Malware Config

Targets

    • Target

      script_malware/063ccf736c2c19ca5db70b8d8a7cf00377899c16023c63fee836bdefadd336c1.sh

    • Size

      11KB

    • MD5

      07b7746b922cf7d7fa821123a226ed36

    • SHA1

      bf2df8f2813ef4e2cf61ea193e091b808aa854c7

    • SHA256

      063ccf736c2c19ca5db70b8d8a7cf00377899c16023c63fee836bdefadd336c1

    • SHA512

      ad29993a88c996f96fdc5c01fda89400b1e27228c58445d181dc6af974a171ee36e014d90aa8e09de6d83e4bfd12d167eb361bd52b6d194af6f249a6812019cb

    • SSDEEP

      192:Xws08k5tkd5DFPSV3n7/e867jNKvSbRXA8kWmk4lkCIkvUgoaES8DSWOlA+1esP:XQwL4/e867USbRXA8kWT4yCtvUgDjdWi

    Score
    9/10
    defense_evasiondiscoveryexectionexecutionpersistenceprivilege_escalatioprivilege_escalationrootkitantivm

    • Modifies the dynamic linker configuration file

      Malware can modify the configuration file of the dynamic linker to preload malicous libraries with every executed process.

      exectionpersistenceprivilege_escalationdefense_evasion

    • File and Directory Permissions Modification

      Adversaries may modify file or directory permissions to evade defenses.

      defense_evasion

    • Flushes firewall rules

      Flushes/ disables firewall rules inside the Linux kernel.

      defense_evasion

    • Loads a kernel module

      Loads a Linux kernel module, potentially to achieve persistence

      rootkit

    • Attempts to change immutable files

      Modifies inode attributes on the filesystem to allow changing of immutable files.

    • Creates/modifies Cron job

      Cron allows running tasks on a schedule, and is commonly used for malware persistence.

      executionpersistenceprivilege_escalatio

    • Enumerates running processes

      Discovers information about currently running processes on the system

    • Modifies systemd

      Adds/ modifies systemd service files. Likely to achieve persistence.

      persistenceprivilege_escalation
    behavioral1behavioral2behavioral3behavioral4

    • Target

      script_malware/1.sh

    • Size

      35KB

    • MD5

      2550990d2d52581b213e7c9305c392d3

    • SHA1

      f7f069915c9b97550dc1fb6cf631f6222416dcf5

    • SHA256

      8e27b76b3903312cc5e93f250d7cf90b7b999592d70dcf2922bb450023014006

    • SHA512

      a30d4a39203e6a98937e8670b7b3caaa63d2141fdf404bb28ca240d95cb7420bdfb8c695db81cc9c799e8818266600c137b8b0df2dfc69d7566bae64eee2ad50

    • SSDEEP

      768:X87XzQ5VFNcDAFLcIwgnoYq0xFB6ytguz:X3VF+D6cIwgos/z

    Score
    10/10
    xmrig_linuxdefense_evasiondiscoveryevasionexecutionminerpersistenceprivilege_escalatioprivilege_escalationrootkit

    • Xmrig_linux family

      xmrig_linux

    • xmrig

      XMRig is a high performance, open source, cross platform CPU/GPU miner.

      minerxmrig_linux

    • File and Directory Permissions Modification

      Adversaries may modify file or directory permissions to evade defenses.

      defense_evasion

    • Deletes system logs

      Deletes log file which contains global system messages. Adversaries may delete system logs to minimize their footprint.

      evasion

    • Executes dropped EXE

    • Flushes firewall rules

      Flushes/ disables firewall rules inside the Linux kernel.

      defense_evasion

    • Loads a kernel module

      Loads a Linux kernel module, potentially to achieve persistence

      rootkit

    • Abuse Elevation Control Mechanism: Sudo and Sudo Caching

      Abuse sudo or cached sudo credentials to execute code.

      privilege_escalationdefense_evasion

    • Attempts to change immutable files

      Modifies inode attributes on the filesystem to allow changing of immutable files.

    • Creates/modifies Cron job

      Cron allows running tasks on a schedule, and is commonly used for malware persistence.

      executionpersistenceprivilege_escalatio

    • Disables AppArmor

      Disables AppArmor security module.

    • Disables SELinux

      Disables SELinux security module.

      defense_evasion

    • Enumerates running processes

      Discovers information about currently running processes on the system

    behavioral5behavioral6behavioral7behavioral8

    • Target

      script_malware/10c3b6b03a9bf105d264a8e7f30dcab0a6c59a414529b0af0a6bd9f1d2984459.sh

    • Size

      3KB

    • MD5

      d0d36f169f1458806053aae482af5010

    • SHA1

      e603944aceb5c0885a8627de12f36b159bbf2f05

    • SHA256

      10c3b6b03a9bf105d264a8e7f30dcab0a6c59a414529b0af0a6bd9f1d2984459

    • SHA512

      982abe39731d8cc852c25650740ff73975c10d19027eccf610401260e2f508334f1de656f8dd332fa698dccc9f7d3bda610c8b9e84d276036a6e9408d826229a

    Score
    7/10
    defense_evasiondiscovery

    • File and Directory Permissions Modification

      Adversaries may modify file or directory permissions to evade defenses.

      defense_evasion

    • Enumerates running processes

      Discovers information about currently running processes on the system

    behavioral10behavioral11behavioral12behavioral9

    • Target

      script_malware/164f8295_linux.elf

    • Size

      5.1MB

    • MD5

      c850f6816459e3364b2a54239642101b

    • SHA1

      30c60f18279ed5fd36e3ac2d3ba5ddbdc5d1f624

    • SHA256

      21162bbd796ad2bf9954265276bfebea8741596e8fe9d86070245d9b5f9db6da

    • SHA512

      be7eaec0e4847a422ab7b52af7f0493e2390973077500f4faab38cb0dafd9d651346aee13bb9e5a4fb936e3cc3f83c7db598121df37be9ff6cda2dadf59ccb2f

    • SSDEEP

      98304:nxygRxtJ8tcZe32l/+jMSXYTU4BcoPfa8/X:Stc0kbSXWJ

    Score
    3/10
    discovery
    behavioral13

    • Target

      script_malware/21162bbd796ad2bf9954265276bfebea8741596e8fe9d86070245d9b5f9db6da.elf

    • Size

      5.1MB

    • MD5

      c850f6816459e3364b2a54239642101b

    • SHA1

      30c60f18279ed5fd36e3ac2d3ba5ddbdc5d1f624

    • SHA256

      21162bbd796ad2bf9954265276bfebea8741596e8fe9d86070245d9b5f9db6da

    • SHA512

      be7eaec0e4847a422ab7b52af7f0493e2390973077500f4faab38cb0dafd9d651346aee13bb9e5a4fb936e3cc3f83c7db598121df37be9ff6cda2dadf59ccb2f

    • SSDEEP

      98304:nxygRxtJ8tcZe32l/+jMSXYTU4BcoPfa8/X:Stc0kbSXWJ

    Score
    3/10
    discovery
    behavioral14

    • Target

      script_malware/23.sh

    • Size

      287B

    • MD5

      aa0772cff70daa00d44a201b28ef6b08

    • SHA1

      d129e51acd50ed4ff87672dca4975ed313ae9ad9

    • SHA256

      a55e9eb1cb4dc2cb8d1a697d329b3a76e18b949308e16ef50aafca1e08123939

    • SHA512

      9d2654a7c7634909117d65b0d60bee51e2b9f2de320c2dfc7a30b36f182e2a44b21be91c3dd73fabd4d0cbff7fbc6c18a712cfd41fdcf51cf06ef4a39fe846b1

    Score
    3/10
    discovery
    behavioral15behavioral16behavioral17behavioral18

    • Target

      script_malware/404

    • Size

      26KB

    • MD5

      e53cf00cf16d5e645103a266959ce5b7

    • SHA1

      d145edc39d2b5ab2392a989734ef28af77f74f7e

    • SHA256

      0fb9eb96a08f9ad3400f89749d32f3e44362346ec7fca9bd5e9ba85022e5ebc1

    • SHA512

      30b31e6b89f8f1eb92de62a2ba90ab299e060e11a91ef069927f045506dc73d0a276adf3966b4525164488bc8779b4a1a48f005513d9ba9f92916d04ec26f50a

    • SSDEEP

      192:phe97oGORlRQ4CR1ydi5DAomxCdsjnbP19+9Uc3gHNgWW1kSNPWW0wnENfICSo4M:iWBLZCRwdkzzsjT1TtE1dIfICSoTx9k2

    Score
    3/10
    discovery
    behavioral19behavioral20behavioral21behavioral22

    • Target

      script_malware/864d7bcd96f8cf35b9e372b6508bc6ef1a704eaaa03c34bd79577b057aebec5b.py

    • Size

      38KB

    • MD5

      02e98c71545c8345d28920fbc4f99c28

    • SHA1

      a09e2b273c4cb323d4ea424ae456d9dbc9fc43f0

    • SHA256

      864d7bcd96f8cf35b9e372b6508bc6ef1a704eaaa03c34bd79577b057aebec5b

    • SHA512

      62ca71f1028be36e9afa5d26c8f11471d6679658b8b3db7b2db696f093a2a9d5e616a7b3c336a18c143c5c73908259eb4ca2f4af66d3ee56a5dc4ee358d2f530

    • SSDEEP

      768:Jkcso0KfNBqjxvcG4DRINIUBqKENI1gJkOpvUBL6GYJ5jHQES8Z80foQy2aCrhX:ueNB40xbUBqKEix2vLzwES8Z80foQ9X

    Score
    3/10
    discovery
    behavioral23behavioral24

    • Target

      script_malware/8e27b76b3903312cc5e93f250d7cf90b7b999592d70dcf2922bb450023014006.sh

    • Size

      35KB

    • MD5

      2550990d2d52581b213e7c9305c392d3

    • SHA1

      f7f069915c9b97550dc1fb6cf631f6222416dcf5

    • SHA256

      8e27b76b3903312cc5e93f250d7cf90b7b999592d70dcf2922bb450023014006

    • SHA512

      a30d4a39203e6a98937e8670b7b3caaa63d2141fdf404bb28ca240d95cb7420bdfb8c695db81cc9c799e8818266600c137b8b0df2dfc69d7566bae64eee2ad50

    • SSDEEP

      768:X87XzQ5VFNcDAFLcIwgnoYq0xFB6ytguz:X3VF+D6cIwgos/z

    Score
    10/10
    xmrig_linuxdefense_evasiondiscoveryevasionexecutionminerpersistenceprivilege_escalatioprivilege_escalationrootkit

    • Xmrig_linux family

      xmrig_linux

    • xmrig

      XMRig is a high performance, open source, cross platform CPU/GPU miner.

      minerxmrig_linux

    • File and Directory Permissions Modification

      Adversaries may modify file or directory permissions to evade defenses.

      defense_evasion

    • Deletes system logs

      Deletes log file which contains global system messages. Adversaries may delete system logs to minimize their footprint.

      evasion

    • Executes dropped EXE

    • Flushes firewall rules

      Flushes/ disables firewall rules inside the Linux kernel.

      defense_evasion

    • Loads a kernel module

      Loads a Linux kernel module, potentially to achieve persistence

      rootkit

    • Abuse Elevation Control Mechanism: Sudo and Sudo Caching

      Abuse sudo or cached sudo credentials to execute code.

      privilege_escalationdefense_evasion

    • Attempts to change immutable files

      Modifies inode attributes on the filesystem to allow changing of immutable files.

    • Creates/modifies Cron job

      Cron allows running tasks on a schedule, and is commonly used for malware persistence.

      executionpersistenceprivilege_escalatio

    • Disables AppArmor

      Disables AppArmor security module.

    • Disables SELinux

      Disables SELinux security module.

      defense_evasion

    • Enumerates running processes

      Discovers information about currently running processes on the system

    behavioral25behavioral26behavioral27behavioral28

    • Target

      script_malware/SnOoPy.sh

    • Size

      2KB

    • MD5

      f0664749e65d26335de79a90c7074d00

    • SHA1

      0deb03914ba232314b5214803dd97b94c1c9d9e5

    • SHA256

      57ad07730428c1412ba43f4470c2074f4f0ef4e6eb5fcd24c9e19e49028e455a

    • SHA512

      b605e84c23dad423a5e585c49957b0ade5f8764681f010fc1d192c81f677e4a849872db8afedd262e740f648aca18649a89420a54a02f1f1bd594c2125c2b6ff

    Score
    7/10
    defense_evasiondiscovery

    • File and Directory Permissions Modification

      Adversaries may modify file or directory permissions to evade defenses.

      defense_evasion
    behavioral29behavioral30behavioral31behavioral32

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

1
T1053

Cron

1
T1053.003

Shared Modules

1
T1129

Persistence

Boot or Logon Autostart Execution

1
T1547

XDG Autostart Entries

1
T1547.013

Create or Modify System Process

1
T1543

Systemd Service

1
T1543.002

Hijack Execution Flow

1
T1574

Dynamic Linker Hijacking

1
T1574.006

Scheduled Task/Job

1
T1053

Cron

1
T1053.003

Privilege Escalation

Abuse Elevation Control Mechanism

1
T1548

Sudo and Sudo Caching

1
T1548.003

Boot or Logon Autostart Execution

1
T1547

XDG Autostart Entries

1
T1547.013

Create or Modify System Process

1
T1543

Systemd Service

1
T1543.002

Hijack Execution Flow

1
T1574

Dynamic Linker Hijacking

1
T1574.006

Scheduled Task/Job

1
T1053

Cron

1
T1053.003

Defense Evasion

Abuse Elevation Control Mechanism

1
T1548

Sudo and Sudo Caching

1
T1548.003

File and Directory Permissions Modification

1
T1222

Linux and Mac File and Directory Permissions Modification

1
T1222.002

Hijack Execution Flow

1
T1574

Dynamic Linker Hijacking

1
T1574.006

Impair Defenses

2
T1562

Disable or Modify System Firewall

1
T1562.004

Disable or Modify Tools

1
T1562.001

Indicator Removal

1
T1070

Clear Linux or Mac System Logs

1
T1070.002

Virtualization/Sandbox Evasion

1
T1497

System Checks

1
T1497.001

Credential Access

Discovery

Process Discovery

1
T1057

System Information Discovery

3
T1082

System Location Discovery

1
T1614

System Language Discovery

1
T1614.001

System Network Configuration Discovery

1
T1016

Virtualization/Sandbox Evasion

1
T1497

System Checks

1
T1497.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

Score
1/10

behavioral1

defense_evasiondiscoveryexectionexecutionpersistenceprivilege_escalatioprivilege_escalationrootkit
Score
9/10

behavioral2

antivmdefense_evasiondiscoveryexectionexecutionpersistenceprivilege_escalatioprivilege_escalation
Score
9/10

behavioral3

defense_evasiondiscoveryexectionexecutionpersistenceprivilege_escalatioprivilege_escalation
Score
9/10

behavioral4

defense_evasiondiscoveryexectionexecutionpersistenceprivilege_escalatioprivilege_escalation
Score
9/10

behavioral5

xmrig_linuxdefense_evasiondiscoveryevasionexecutionminerpersistenceprivilege_escalatioprivilege_escalationrootkit
Score
10/10

behavioral6

defense_evasiondiscoveryevasionprivilege_escalation
Score
7/10

behavioral7

defense_evasiondiscoveryexecutionpersistenceprivilege_escalatioprivilege_escalation
Score
7/10

behavioral8

defense_evasiondiscoveryexecutionpersistenceprivilege_escalatioprivilege_escalation
Score
7/10

behavioral9

defense_evasiondiscovery
Score
7/10

behavioral10

defense_evasiondiscovery
Score
7/10

behavioral11

defense_evasiondiscovery
Score
7/10

behavioral12

defense_evasiondiscovery
Score
7/10

behavioral13

discovery
Score
3/10

behavioral14

discovery
Score
3/10

behavioral15

discovery
Score
3/10

behavioral16

discovery
Score
3/10

behavioral17

discovery
Score
3/10

behavioral18

discovery
Score
3/10

behavioral19

discovery
Score
3/10

behavioral20

discovery
Score
3/10

behavioral21

discovery
Score
3/10

behavioral22

discovery
Score
3/10

behavioral23

discovery
Score
3/10

behavioral24

Score
3/10

behavioral25

xmrig_linuxdefense_evasiondiscoveryevasionexecutionminerpersistenceprivilege_escalatioprivilege_escalationrootkit
Score
10/10

behavioral26

defense_evasiondiscoveryevasionprivilege_escalation
Score
7/10

behavioral27

defense_evasiondiscoveryexecutionpersistenceprivilege_escalatioprivilege_escalation
Score
7/10

behavioral28

defense_evasiondiscoveryexecutionpersistenceprivilege_escalatioprivilege_escalation
Score
7/10

behavioral29

defense_evasiondiscovery
Score
7/10

behavioral30

defense_evasiondiscovery
Score
7/10

behavioral31

defense_evasiondiscovery
Score
7/10

behavioral32

defense_evasiondiscovery
Score
7/10