Overview

overview

10

Static

static

1

c6ff3a097a...945.sh

ubuntu-18.04-amd64

10

c6ff3a097a...945.sh

debian-9-armhf

7

c6ff3a097a...945.sh

debian-9-mips

10

c6ff3a097a...945.sh

debian-9-mipsel

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    c6ff3a097ab737ce4430fb07453ca117c717a3156c0e4e2adfa56f98ba6d2945.sh

  • Size

    35KB

  • Sample

    250224-d6rqzs1jz8

  • MD5

    eb54cfa840c7551a2a3c2d9be10328a8

  • SHA1

    ee608d22837423e48fe6eb50da354516154a3e28

  • SHA256

    c6ff3a097ab737ce4430fb07453ca117c717a3156c0e4e2adfa56f98ba6d2945

  • SHA512

    f1ac28c1903ffca49efaa14fa1a1b0fbb92e0cb9d264c6a5c12e16f2b6dd064d44f04224351cf377c25c6b2807b553b35c5508cb1d6624436b718dc2b35176f6

  • SSDEEP

    768:b87mzQ5VFNcDAFLcIwgnoYq0xFBvgmuNytIuz:bOVF+D6cIwgoszz

Score
10/10
kinsingxmrig_linuxantivmdefense_evasiondiscoveryexecutionlinuxloaderminerpersistenceprivilege_escalationrootkit

Malware Config

Targets

    • Target

      c6ff3a097ab737ce4430fb07453ca117c717a3156c0e4e2adfa56f98ba6d2945.sh

    • Size

      35KB

    • MD5

      eb54cfa840c7551a2a3c2d9be10328a8

    • SHA1

      ee608d22837423e48fe6eb50da354516154a3e28

    • SHA256

      c6ff3a097ab737ce4430fb07453ca117c717a3156c0e4e2adfa56f98ba6d2945

    • SHA512

      f1ac28c1903ffca49efaa14fa1a1b0fbb92e0cb9d264c6a5c12e16f2b6dd064d44f04224351cf377c25c6b2807b553b35c5508cb1d6624436b718dc2b35176f6

    • SSDEEP

      768:b87mzQ5VFNcDAFLcIwgnoYq0xFBvgmuNytIuz:bOVF+D6cIwgoszz

    Score
    10/10
    kinsingxmrig_linuxantivmdefense_evasiondiscoveryexecutionloaderminerpersistenceprivilege_escalationrootkit

    • Kinsing

      Kinsing is a loader written in Golang.

      loaderkinsing

    • Kinsing family

      kinsing

    • Kinsing payload

    • Xmrig_linux family

      xmrig_linux

    • xmrig

      XMRig is a high performance, open source, cross platform CPU/GPU miner.

      minerxmrig_linux

    • File and Directory Permissions Modification

      Adversaries may modify file or directory permissions to evade defenses.

      defense_evasion

    • Deletes system logs

      Deletes log file which contains global system messages. Adversaries may delete system logs to minimize their footprint.

      defense_evasion

    • Executes dropped EXE

    • Flushes firewall rules

      Flushes/ disables firewall rules inside the Linux kernel.

      defense_evasion

    • Loads a kernel module

      Loads a Linux kernel module, potentially to achieve persistence

      rootkit

    • Abuse Elevation Control Mechanism: Sudo and Sudo Caching

      Abuse sudo or cached sudo credentials to execute code.

      privilege_escalationdefense_evasion

    • Attempts to change immutable files

      Modifies inode attributes on the filesystem to allow changing of immutable files.

    • Creates/modifies Cron job

      Cron allows running tasks on a schedule, and is commonly used for malware persistence.

      executionpersistenceprivilege_escalation

    • Disables AppArmor

      Disables AppArmor security module.

    • Disables SELinux

      Disables SELinux security module.

      defense_evasion

    • Enumerates running processes

      Discovers information about currently running processes on the system

    • Reads list of loaded kernel modules

      Reads the list of currently loaded kernel modules, possibly to detect virtual environments.

      defense_evasion
    behavioral1behavioral2behavioral3behavioral4

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

1
T1053

Cron

1
T1053.003

Persistence

Scheduled Task/Job

1
T1053

Cron

1
T1053.003

Privilege Escalation

Abuse Elevation Control Mechanism

1
T1548

Sudo and Sudo Caching

1
T1548.003

Scheduled Task/Job

1
T1053

Cron

1
T1053.003

Defense Evasion

Abuse Elevation Control Mechanism

1
T1548

Sudo and Sudo Caching

1
T1548.003

File and Directory Permissions Modification

1
T1222

Linux and Mac File and Directory Permissions Modification

1
T1222.002

Impair Defenses

2
T1562

Disable or Modify System Firewall

1
T1562.004

Disable or Modify Tools

1
T1562.001

Indicator Removal

1
T1070

Clear Linux or Mac System Logs

1
T1070.002

Virtualization/Sandbox Evasion

2
T1497

System Checks

1
T1497.001

Credential Access

Discovery

Process Discovery

1
T1057

System Information Discovery

2
T1082

System Network Configuration Discovery

1
T1016

Virtualization/Sandbox Evasion

2
T1497

System Checks

1
T1497.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

We care about your privacy.

This website stores cookies on your computer. These cookies are used to improve your website experience and provide more personalized services to you, both on this website and through other media. To find out more about the cookies we use, see our Privacy Policy.