General

  • Target

    cb.sh

  • Size

    15KB

  • Sample

    250223-xhpfhavjgv

  • MD5

    c7342692de0728c7497409486b521b88

  • SHA1

    1b113769719557cd7676fc67e0343c545356539b

  • SHA256

    24d92e90b4dc2dc6391e29be2a3e2395a4b93013baf0312b4fdda1adbd8b3753

  • SHA512

    df690001ce2b8683c05a116a7e409ea2c6dc11be04846ce6e5f63752da8ea3e3b49d50c0d440e70f2e816cd2e192b67cc8bdd3d21b5a35af1ba6b17d6821af33

  • SSDEEP

    384:r5JxgzLuqlH2wx2vUaQa5/eN86704s80ooJQYgykWT4yCtvUsDjdWOoJwB:trgXux7YJDj8OoJwB

Malware Config

Targets

    • Target

      cb.sh

    • Size

      15KB

    • MD5

      c7342692de0728c7497409486b521b88

    • SHA1

      1b113769719557cd7676fc67e0343c545356539b

    • SHA256

      24d92e90b4dc2dc6391e29be2a3e2395a4b93013baf0312b4fdda1adbd8b3753

    • SHA512

      df690001ce2b8683c05a116a7e409ea2c6dc11be04846ce6e5f63752da8ea3e3b49d50c0d440e70f2e816cd2e192b67cc8bdd3d21b5a35af1ba6b17d6821af33

    • SSDEEP

      384:r5JxgzLuqlH2wx2vUaQa5/eN86704s80ooJQYgykWT4yCtvUsDjdWOoJwB:trgXux7YJDj8OoJwB

    • Kinsing

      Kinsing is a loader written in Golang.

    • Kinsing Rootkit

      Rootkit reuses the publicly available BEURK rootkit.

    • Kinsing Rootkit payload

    • Kinsing family

    • Kinsing payload

    • Kinsing_rootkit family

    • Modifies the dynamic linker configuration file

      Malware can modify the configuration file of the dynamic linker to preload malicous libraries with every executed process.

    • File and Directory Permissions Modification

      Adversaries may modify file or directory permissions to evade defenses.

    • Executes dropped EXE

    • Flushes firewall rules

      Flushes/ disables firewall rules inside the Linux kernel.

    • Loads a kernel module

      Loads a Linux kernel module, potentially to achieve persistence

    • Abuse Elevation Control Mechanism: Sudo and Sudo Caching

      Abuse sudo or cached sudo credentials to execute code.

    • Attempts to change immutable files

      Modifies inode attributes on the filesystem to allow changing of immutable files.

    • Creates/modifies Cron job

      Cron allows running tasks on a schedule, and is commonly used for malware persistence.

    • Enumerates running processes

      Discovers information about currently running processes on the system

    • Modifies systemd

      Adds/ modifies systemd service files. Likely to achieve persistence.

    • Reads list of loaded kernel modules

      Reads the list of currently loaded kernel modules, possibly to detect virtual environments.

MITRE ATT&CK Enterprise v15

Tasks