Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
General
-
Target
tr.sh
-
Size
35KB
-
Sample
250223-xf2caawmx7
-
MD5
8b6d30367ca7a863b08a841c02aaf55f
-
SHA1
049ca108d9162d2edd986df5d8ef8e7dbd6b1c35
-
SHA256
6500a2f596046773ff769e86ec030374b461433ddb0a650dfed4667e797f2b94
-
SHA512
1bb12944f92d2f233e2e8c0878f98fd12d984e9d76499a0716a24d36b2bc244f6a59cbaf84a4d50465268669291c09937c13e1c7775445f53f619e2f4320298d
-
SSDEEP
768:b87mzQ5VFNcDAFLcIwgnoYq0xFBvgmuNyt0uz:bOVF+D6cIwgosPz
Static task
static1
Behavioral task
behavioral1
Sample
tr.sh
Resource
ubuntu1804-amd64-20240611-en
Behavioral task
behavioral2
Sample
tr.sh
Resource
debian9-armhf-20240418-en
Behavioral task
behavioral3
Sample
tr.sh
Resource
debian9-mipsbe-20240729-en
Behavioral task
behavioral4
Sample
tr.sh
Resource
debian9-mipsel-20240226-en
Malware Config
Targets
-
-
Target
tr.sh
-
Size
35KB
-
MD5
8b6d30367ca7a863b08a841c02aaf55f
-
SHA1
049ca108d9162d2edd986df5d8ef8e7dbd6b1c35
-
SHA256
6500a2f596046773ff769e86ec030374b461433ddb0a650dfed4667e797f2b94
-
SHA512
1bb12944f92d2f233e2e8c0878f98fd12d984e9d76499a0716a24d36b2bc244f6a59cbaf84a4d50465268669291c09937c13e1c7775445f53f619e2f4320298d
-
SSDEEP
768:b87mzQ5VFNcDAFLcIwgnoYq0xFBvgmuNyt0uz:bOVF+D6cIwgosPz
-
Kinsing family
-
Kinsing payload
-
Xmrig family
-
Xmrig_linux family
-
XMRig Miner payload
-
File and Directory Permissions Modification
Adversaries may modify file or directory permissions to evade defenses.
-
Deletes system logs
Deletes log file which contains global system messages. Adversaries may delete system logs to minimize their footprint.
-
Executes dropped EXE
-
Abuse Elevation Control Mechanism: Sudo and Sudo Caching
Abuse sudo or cached sudo credentials to execute code.
-
Attempts to change immutable files
Modifies inode attributes on the filesystem to allow changing of immutable files.
-
Checks hardware identifiers (DMI)
Checks DMI information which indicate if the system is a virtual machine.
-
Creates/modifies Cron job
Cron allows running tasks on a schedule, and is commonly used for malware persistence.
-
Disables AppArmor
Disables AppArmor security module.
-
Enumerates running processes
Discovers information about currently running processes on the system
-
Reads hardware information
Accesses system info like serial numbers, manufacturer names etc.
-
Reads list of loaded kernel modules
Reads the list of currently loaded kernel modules, possibly to detect virtual environments.
-
MITRE ATT&CK Enterprise v15
Privilege Escalation
Abuse Elevation Control Mechanism
1Sudo and Sudo Caching
1Scheduled Task/Job
1Cron
1Defense Evasion
Abuse Elevation Control Mechanism
1Sudo and Sudo Caching
1File and Directory Permissions Modification
1Linux and Mac File and Directory Permissions Modification
1Impair Defenses
2Disable or Modify System Firewall
1Disable or Modify Tools
1Indicator Removal
1Clear Linux or Mac System Logs
1Virtualization/Sandbox Evasion
3System Checks
2