Overview

overview

10

Static

static

1

272c0be0-3...36.tmp

ubuntu-22.04-amd64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    sus.zip

  • Size

    7KB

  • Sample

    250122-wafyqaykfr

  • MD5

    4cff21e4d783a0749a0cbc414d955cf2

  • SHA1

    1763762b9f73d44e7424739d836f2067fd23d45e

  • SHA256

    a5d7a1f2e953c351109901ea206f6e3a5b24a446f9b4aa4a17346c0f05a8e06b

  • SHA512

    da75e863dcf160b1740d036f25e5ac8f95e91809e3387ac89e725fe5a97ecbbbd2e0927f558c36e190a42210294582315cdf44d0b8f8bafed63763f35c8a47df

  • SSDEEP

    192:SwAaUWs1RCSQmwZKbZp8GhMI3YHzcUfs6IDp600n:Swzc1RQzAMlUAzcU0jDp600n

Score
10/10
xmrig_linuxcredential_accessdefense_evasiondiscoveryexecutionlinuxminerpersistenceprivilege_escalation

Malware Config

Targets

    • Target

      272c0be0-3abd-49ec-95e4-72620029f736.tmp

    • Size

      35KB

    • MD5

      f4ec053a3f17ec4bdae8c3570e4241df

    • SHA1

      69663d585c3e698f3044b44aba94d09fdd0382f0

    • SHA256

      2624983c09e22f4395668732d075a15e34d80379904ba20e8e54814ed9ff62b5

    • SHA512

      6da887f2f23ebb4c1309a44fc8af672663e7f413a24e1c09cdd366e2ef26bea2f9190f5b718373811f4b72f0d26440003f7e321a60d8334eb7fbb67938c6ae09

    • SSDEEP

      768:b87mzQ5VFNcDAFLcIwgnoYq0xFBCytguz:bOVF+D6cIwgosXz

    Score
    10/10
    xmrig_linuxcredential_accessdefense_evasiondiscoveryexecutionminerpersistenceprivilege_escalation

    • Xmrig_linux family

      xmrig_linux

    • xmrig

      XMRig is a high performance, open source, cross platform CPU/GPU miner.

      minerxmrig_linux

    • File and Directory Permissions Modification

      Adversaries may modify file or directory permissions to evade defenses.

      defense_evasion

    • Deletes system logs

      Deletes log file which contains global system messages. Adversaries may delete system logs to minimize their footprint.

      defense_evasion

    • OS Credential Dumping

      Adversaries may attempt to dump credentials to use it in password cracking.

      credential_access

    • Abuse Elevation Control Mechanism: Sudo and Sudo Caching

      Abuse sudo or cached sudo credentials to execute code.

      privilege_escalationdefense_evasion

    • Attempts to change immutable files

      Modifies inode attributes on the filesystem to allow changing of immutable files.

    • Creates/modifies Cron job

      Cron allows running tasks on a schedule, and is commonly used for malware persistence.

      executionpersistenceprivilege_escalation

    • Disables AppArmor

      Disables AppArmor security module.

    • Enumerates running processes

      Discovers information about currently running processes on the system

    behavioral1

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

1
T1053

Cron

1
T1053.003

Persistence

Scheduled Task/Job

1
T1053

Cron

1
T1053.003

Privilege Escalation

Abuse Elevation Control Mechanism

1
T1548

Sudo and Sudo Caching

1
T1548.003

Scheduled Task/Job

1
T1053

Cron

1
T1053.003

Defense Evasion

Abuse Elevation Control Mechanism

1
T1548

Sudo and Sudo Caching

1
T1548.003

File and Directory Permissions Modification

1
T1222

Linux and Mac File and Directory Permissions Modification

1
T1222.002

Indicator Removal

1
T1070

Clear Linux or Mac System Logs

1
T1070.002

Credential Access

OS Credential Dumping

1
T1003

/etc/passwd and /etc/shadow

1
T1003.008

Discovery

Process Discovery

1
T1057

System Information Discovery

1
T1082

System Network Configuration Discovery

1
T1016

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks