General
Target: newinit.sh
Size: 46KB
Sample: 241208-yxjz1aykfk
MD5: d85918fc8a4f927f91d5914a149eabc4
SHA1: 51e8581f114a18b9e98b0a860a03220f8209eea8
SHA256: 520e22713960b96051de3d666c4ca1ebe01a9f34ea2281c646474b514a1aab1f
SHA512: 5f57e8b30a0dd9920c5ae80b55421c9177a015ea1be329c5bd155d93aa41a6dcf73793f95e6ff2ce67a503ea32713fbeaf0be59b8c7924ac19248a4549d1aa69
SSDEEP: 768:bxlT2wDuWvWi7XFNcuFkc2zq0x3UKnicZuiR/a6X85:8qF+Lc2/FicfS6X85
Static task: static1
Behavioral task: behavioral1 (Sample: newinit.sh, Resource: ubuntu1804-amd64-20240611-en)
Behavioral task: behavioral2 (Sample: newinit.sh, Resource: debian9-armhf-20240611-en)
Behavioral task: behavioral3 (Sample: newinit.sh, Resource: debian9-mipsbe-20240611-en)
Behavioral task: behavioral4 (Sample: newinit.sh, Resource: debian9-mipsel-20240226-en)
Malware Config
Targets
- Xmrig family
- Xmrig_linux family
- XMRig Miner payload
- Adds new SSH keys
  Writes to the Linux special file that holds SSH keys. The threat actor may add new keys for further remote access.
- File and Directory Permissions Modification
  Adversaries may modify file or directory permissions to evade defenses.
- Deletes system logs
  Deletes the log file that contains global system messages. Adversaries may delete system logs to minimize their footprint.
- Executes dropped EXE
- Writes DNS configuration
  Writes data to the DNS resolver config file.
- Attempts to change immutable files
  Modifies inode attributes on the filesystem to allow changing of immutable files.
- Checks hardware identifiers (DMI)
  Checks DMI information that indicates whether the system is a virtual machine.
- Creates/modifies Cron job
  Cron allows running tasks on a schedule, and is commonly used for malware persistence.
- Disables AppArmor
  Disables the AppArmor security module.
- Enumerates running processes
  Discovers information about currently running processes on the system.
- Reads hardware information
  Accesses system info such as serial numbers, manufacturer names, etc.
- Writes file to user bin folder
- Writes file to system bin folder
MITRE ATT&CK Enterprise v15
Persistence
  Account Manipulation (1)
    SSH Authorized Keys (1)
  Boot or Logon Autostart Execution (1)
  Boot or Logon Initialization Scripts (1)
    RC Scripts (1)
  Scheduled Task/Job (1)
    Cron (1)
Privilege Escalation
  Account Manipulation (1)
    SSH Authorized Keys (1)
  Boot or Logon Autostart Execution (1)
  Boot or Logon Initialization Scripts (1)
    RC Scripts (1)
  Scheduled Task/Job (1)
    Cron (1)
Defense Evasion
  File and Directory Permissions Modification (1)
    Linux and Mac File and Directory Permissions Modification (1)
  Impair Defenses (2)
    Disable or Modify System Firewall (1)
    Disable or Modify Tools (1)
  Indicator Removal (2)
    Clear Linux or Mac System Logs (2)
  Virtualization/Sandbox Evasion (2)
    System Checks (2)