General
-
Target
350b239fa38c1bb84bed3acddf4485ae2d4dcb03b0d7c7e7f9445cbf22ab2225.sh
-
Size
15KB
-
Sample
250224-cw29asyrgn
-
MD5
b38e09a2e0e6f35314851fc924bb471c
-
SHA1
058422489f9b2922001a5554e1a9f0614ff83df8
-
SHA256
350b239fa38c1bb84bed3acddf4485ae2d4dcb03b0d7c7e7f9445cbf22ab2225
-
SHA512
454ef43873182a0510836eb63ce90c105e30ae7b8dbebd9b39515907ed6035d911d4cada914d31e21817f819426c084b627d422fecc2d74af1962299f411a9d2
-
SSDEEP
384:r5JxgzLuqlH2wx2vUaQa5/eN86704s80ooJQYgykWT4yCtvUsDjdWOoJwH:trgXux7YJDj8OoJwH
Static task
static1
Behavioral task
behavioral1
Sample
350b239fa38c1bb84bed3acddf4485ae2d4dcb03b0d7c7e7f9445cbf22ab2225.sh
Resource
ubuntu1804-amd64-20240611-en
Behavioral task
behavioral2
Sample
350b239fa38c1bb84bed3acddf4485ae2d4dcb03b0d7c7e7f9445cbf22ab2225.sh
Resource
debian9-armhf-20240729-en
Behavioral task
behavioral3
Sample
350b239fa38c1bb84bed3acddf4485ae2d4dcb03b0d7c7e7f9445cbf22ab2225.sh
Resource
debian9-mipsbe-20240611-en
Behavioral task
behavioral4
Sample
350b239fa38c1bb84bed3acddf4485ae2d4dcb03b0d7c7e7f9445cbf22ab2225.sh
Resource
debian9-mipsel-20240729-en
Malware Config
Targets
-
-
Target
350b239fa38c1bb84bed3acddf4485ae2d4dcb03b0d7c7e7f9445cbf22ab2225.sh
-
Size
15KB
-
MD5
b38e09a2e0e6f35314851fc924bb471c
-
SHA1
058422489f9b2922001a5554e1a9f0614ff83df8
-
SHA256
350b239fa38c1bb84bed3acddf4485ae2d4dcb03b0d7c7e7f9445cbf22ab2225
-
SHA512
454ef43873182a0510836eb63ce90c105e30ae7b8dbebd9b39515907ed6035d911d4cada914d31e21817f819426c084b627d422fecc2d74af1962299f411a9d2
-
SSDEEP
384:r5JxgzLuqlH2wx2vUaQa5/eN86704s80ooJQYgykWT4yCtvUsDjdWOoJwH:trgXux7YJDj8OoJwH
-
Kinsing Rootkit payload
-
Kinsing family
-
Kinsing payload
-
Kinsing_rootkit family
-
Xmrig family
-
Modifies the dynamic linker configuration file
Malware can modify the configuration file of the dynamic linker to preload malicous libraries with every executed process.
-
XMRig Miner payload
-
File and Directory Permissions Modification
Adversaries may modify file or directory permissions to evade defenses.
-
Executes dropped EXE
-
Abuse Elevation Control Mechanism: Sudo and Sudo Caching
Abuse sudo or cached sudo credentials to execute code.
-
Attempts to change immutable files
Modifies inode attributes on the filesystem to allow changing of immutable files.
-
Checks hardware identifiers (DMI)
Checks DMI information which indicate if the system is a virtual machine.
-
Creates/modifies Cron job
Cron allows running tasks on a schedule, and is commonly used for malware persistence.
-
Enumerates running processes
Discovers information about currently running processes on the system
-
Modifies systemd
Adds/ modifies systemd service files. Likely to achieve persistence.
-
Reads hardware information
Accesses system info like serial numbers, manufacturer names etc.
-
Reads list of loaded kernel modules
Reads the list of currently loaded kernel modules, possibly to detect virtual environments.
-
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
1XDG Autostart Entries
1Create or Modify System Process
1Systemd Service
1Hijack Execution Flow
1Dynamic Linker Hijacking
1Scheduled Task/Job
1Cron
1Privilege Escalation
Abuse Elevation Control Mechanism
1Sudo and Sudo Caching
1Boot or Logon Autostart Execution
1XDG Autostart Entries
1Create or Modify System Process
1Systemd Service
1Hijack Execution Flow
1Dynamic Linker Hijacking
1Scheduled Task/Job
1Cron
1Defense Evasion
Abuse Elevation Control Mechanism
1Sudo and Sudo Caching
1File and Directory Permissions Modification
1Linux and Mac File and Directory Permissions Modification
1Hijack Execution Flow
1Dynamic Linker Hijacking
1Impair Defenses
1Disable or Modify System Firewall
1Virtualization/Sandbox Evasion
3System Checks
2