General

  • Target

    350b239fa38c1bb84bed3acddf4485ae2d4dcb03b0d7c7e7f9445cbf22ab2225.sh

  • Size

    15KB

  • Sample

    250224-cw29asyrgn

  • MD5

    b38e09a2e0e6f35314851fc924bb471c

  • SHA1

    058422489f9b2922001a5554e1a9f0614ff83df8

  • SHA256

    350b239fa38c1bb84bed3acddf4485ae2d4dcb03b0d7c7e7f9445cbf22ab2225

  • SHA512

    454ef43873182a0510836eb63ce90c105e30ae7b8dbebd9b39515907ed6035d911d4cada914d31e21817f819426c084b627d422fecc2d74af1962299f411a9d2

  • SSDEEP

    384:r5JxgzLuqlH2wx2vUaQa5/eN86704s80ooJQYgykWT4yCtvUsDjdWOoJwH:trgXux7YJDj8OoJwH

Malware Config

Targets

    • Target

      350b239fa38c1bb84bed3acddf4485ae2d4dcb03b0d7c7e7f9445cbf22ab2225.sh

    • Size

      15KB

    • MD5

      b38e09a2e0e6f35314851fc924bb471c

    • SHA1

      058422489f9b2922001a5554e1a9f0614ff83df8

    • SHA256

      350b239fa38c1bb84bed3acddf4485ae2d4dcb03b0d7c7e7f9445cbf22ab2225

    • SHA512

      454ef43873182a0510836eb63ce90c105e30ae7b8dbebd9b39515907ed6035d911d4cada914d31e21817f819426c084b627d422fecc2d74af1962299f411a9d2

    • SSDEEP

      384:r5JxgzLuqlH2wx2vUaQa5/eN86704s80ooJQYgykWT4yCtvUsDjdWOoJwH:trgXux7YJDj8OoJwH

    • Kinsing

      Kinsing is a loader written in Golang.

    • Kinsing Rootkit

      Rootkit reuses the publicly available BEURK rootkit.

    • Kinsing Rootkit payload

    • Kinsing family

    • Kinsing payload

    • Kinsing_rootkit family

    • Xmrig family

    • xmrig

      XMRig is a high performance, open source, cross platform CPU/GPU miner.

    • Modifies the dynamic linker configuration file

      Malware can modify the configuration file of the dynamic linker to preload malicous libraries with every executed process.

    • XMRig Miner payload

    • File and Directory Permissions Modification

      Adversaries may modify file or directory permissions to evade defenses.

    • Executes dropped EXE

    • Flushes firewall rules

      Flushes/ disables firewall rules inside the Linux kernel.

    • Loads a kernel module

      Loads a Linux kernel module, potentially to achieve persistence

    • Abuse Elevation Control Mechanism: Sudo and Sudo Caching

      Abuse sudo or cached sudo credentials to execute code.

    • Attempts to change immutable files

      Modifies inode attributes on the filesystem to allow changing of immutable files.

    • Checks hardware identifiers (DMI)

      Checks DMI information which indicate if the system is a virtual machine.

    • Creates/modifies Cron job

      Cron allows running tasks on a schedule, and is commonly used for malware persistence.

    • Enumerates running processes

      Discovers information about currently running processes on the system

    • Modifies systemd

      Adds/ modifies systemd service files. Likely to achieve persistence.

    • Reads hardware information

      Accesses system info like serial numbers, manufacturer names etc.

    • Reads list of loaded kernel modules

      Reads the list of currently loaded kernel modules, possibly to detect virtual environments.

    • UPX packed file

      Detects executables packed with UPX/modified UPX open source packer.

MITRE ATT&CK Enterprise v15

Tasks