Overview

overview

10

Static

static

1

py.sh

ubuntu-18.04-amd64

10

py.sh

debian-9-armhf

10

py.sh

debian-9-mips

10

py.sh

debian-9-mipsel

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    py.sh

  • Size

    15KB

  • Sample

    250223-xf2m2svjex

  • MD5

    d2484b28c1e002017e8c2d44c93e39ed

  • SHA1

    739c10e99c5e87c7303f8059280468d1e0bf0981

  • SHA256

    5afcd6676866ec08eb69891ac9e85119df2253230400f36453dd77c12ab172cf

  • SHA512

    cae0e8d861d5b380baba2ed819df7250db08e692cae327c0765b3fae46896ecf8483ac72789ded669e1fc4b2b53ca5aff96a67c00a450324b01bc30908250f45

  • SSDEEP

    384:r5JxgzLuqlH2wx2vUaQa5/eN86704s80ooJQYgykWT4yCtvUsDjdWOoJw9:trgXux7YJDj8OoJw9

Score
10/10
kinsingkinsing_rootkitxmrigantivmdefense_evasiondiscoveryexectionexecutionlinuxloaderminerpersistenceprivilege_escalationrootkitupx

Malware Config

Targets

    • Target

      py.sh

    • Size

      15KB

    • MD5

      d2484b28c1e002017e8c2d44c93e39ed

    • SHA1

      739c10e99c5e87c7303f8059280468d1e0bf0981

    • SHA256

      5afcd6676866ec08eb69891ac9e85119df2253230400f36453dd77c12ab172cf

    • SHA512

      cae0e8d861d5b380baba2ed819df7250db08e692cae327c0765b3fae46896ecf8483ac72789ded669e1fc4b2b53ca5aff96a67c00a450324b01bc30908250f45

    • SSDEEP

      384:r5JxgzLuqlH2wx2vUaQa5/eN86704s80ooJQYgykWT4yCtvUsDjdWOoJw9:trgXux7YJDj8OoJw9

    Score
    10/10
    kinsingkinsing_rootkitxmrigantivmdefense_evasiondiscoveryexectionexecutionloaderminerpersistenceprivilege_escalationrootkitupx

    • Kinsing

      Kinsing is a loader written in Golang.

      loaderkinsing

    • Kinsing Rootkit

      Rootkit reuses the publicly available BEURK rootkit.

      rootkitkinsing_rootkit

    • Kinsing Rootkit payload

    • Kinsing family

      kinsing

    • Kinsing payload

    • Kinsing_rootkit family

      kinsing_rootkit

    • Xmrig family

      xmrig

    • xmrig

      XMRig is a high performance, open source, cross platform CPU/GPU miner.

      minerxmrig

    • Modifies the dynamic linker configuration file

      Malware can modify the configuration file of the dynamic linker to preload malicous libraries with every executed process.

      exectionpersistenceprivilege_escalationdefense_evasion

    • XMRig Miner payload

      miner

    • File and Directory Permissions Modification

      Adversaries may modify file or directory permissions to evade defenses.

      defense_evasion

    • Executes dropped EXE

    • Flushes firewall rules

      Flushes/ disables firewall rules inside the Linux kernel.

      defense_evasion

    • Loads a kernel module

      Loads a Linux kernel module, potentially to achieve persistence

      rootkit

    • Abuse Elevation Control Mechanism: Sudo and Sudo Caching

      Abuse sudo or cached sudo credentials to execute code.

      privilege_escalationdefense_evasion

    • Attempts to change immutable files

      Modifies inode attributes on the filesystem to allow changing of immutable files.

    • Checks hardware identifiers (DMI)

      Checks DMI information which indicate if the system is a virtual machine.

      antivm

    • Creates/modifies Cron job

      Cron allows running tasks on a schedule, and is commonly used for malware persistence.

      executionpersistenceprivilege_escalation

    • Enumerates running processes

      Discovers information about currently running processes on the system

    • Modifies systemd

      Adds/ modifies systemd service files. Likely to achieve persistence.

      persistenceprivilege_escalation

    • Reads hardware information

      Accesses system info like serial numbers, manufacturer names etc.

      discovery

    • Reads list of loaded kernel modules

      Reads the list of currently loaded kernel modules, possibly to detect virtual environments.

      defense_evasion

    • UPX packed file

      Detects executables packed with UPX/modified UPX open source packer.

      upx
    behavioral1behavioral2behavioral3behavioral4

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

1
T1053

Cron

1
T1053.003

Shared Modules

1
T1129

Persistence

Boot or Logon Autostart Execution

1
T1547

XDG Autostart Entries

1
T1547.013

Create or Modify System Process

1
T1543

Systemd Service

1
T1543.002

Hijack Execution Flow

1
T1574

Dynamic Linker Hijacking

1
T1574.006

Scheduled Task/Job

1
T1053

Cron

1
T1053.003

Privilege Escalation

Abuse Elevation Control Mechanism

1
T1548

Sudo and Sudo Caching

1
T1548.003

Boot or Logon Autostart Execution

1
T1547

XDG Autostart Entries

1
T1547.013

Create or Modify System Process

1
T1543

Systemd Service

1
T1543.002

Hijack Execution Flow

1
T1574

Dynamic Linker Hijacking

1
T1574.006

Scheduled Task/Job

1
T1053

Cron

1
T1053.003

Defense Evasion

Abuse Elevation Control Mechanism

1
T1548

Sudo and Sudo Caching

1
T1548.003

File and Directory Permissions Modification

1
T1222

Linux and Mac File and Directory Permissions Modification

1
T1222.002

Hijack Execution Flow

1
T1574

Dynamic Linker Hijacking

1
T1574.006

Impair Defenses

1
T1562

Disable or Modify System Firewall

1
T1562.004

Virtualization/Sandbox Evasion

3
T1497

System Checks

2
T1497.001

Credential Access

Discovery

Process Discovery

1
T1057

System Information Discovery

3
T1082

System Network Configuration Discovery

1
T1016

Virtualization/Sandbox Evasion

3
T1497

System Checks

2
T1497.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks