Overview

overview

10

Static

static

1

6c7dccc2dd...fa6.sh

ubuntu-18.04-amd64

10

6c7dccc2dd...fa6.sh

debian-9-armhf

10

6c7dccc2dd...fa6.sh

debian-9-mips

10

6c7dccc2dd...fa6.sh

debian-9-mipsel

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    6c7dccc2dd1f572db4ef853c81f88ac291f87025ff8c8f94a7d020b5730a7fa6.sh

  • Size

    15KB

  • Sample

    250224-dgv24szkfm

  • MD5

    492fabefcc0ff5eaea8d33b88a00b59f

  • SHA1

    67462b1ed4c17bfc373a7bc031834e7e1c811b5a

  • SHA256

    6c7dccc2dd1f572db4ef853c81f88ac291f87025ff8c8f94a7d020b5730a7fa6

  • SHA512

    fc41d904d513769ee8f50c932239621de3e0f3709494609c16e3b853edb7fe32ceee89094594bbc70ded76089ad76b178b6343693c9e733992fc1e48905f3562

  • SSDEEP

    384:r5JxgzLuqlH2wx2vUaQa5/eN86704s80ooJQYgykWT4yCtvUsDjdWOoJwl:trgXux7YJDj8OoJwl

Score
10/10
kinsingkinsing_rootkitantivmdefense_evasiondiscoveryexectionexecutionlinuxloaderpersistenceprivilege_escalationrootkit

Malware Config

Targets

    • Target

      6c7dccc2dd1f572db4ef853c81f88ac291f87025ff8c8f94a7d020b5730a7fa6.sh

    • Size

      15KB

    • MD5

      492fabefcc0ff5eaea8d33b88a00b59f

    • SHA1

      67462b1ed4c17bfc373a7bc031834e7e1c811b5a

    • SHA256

      6c7dccc2dd1f572db4ef853c81f88ac291f87025ff8c8f94a7d020b5730a7fa6

    • SHA512

      fc41d904d513769ee8f50c932239621de3e0f3709494609c16e3b853edb7fe32ceee89094594bbc70ded76089ad76b178b6343693c9e733992fc1e48905f3562

    • SSDEEP

      384:r5JxgzLuqlH2wx2vUaQa5/eN86704s80ooJQYgykWT4yCtvUsDjdWOoJwl:trgXux7YJDj8OoJwl

    Score
    10/10
    kinsingkinsing_rootkitantivmdefense_evasiondiscoveryexectionexecutionloaderpersistenceprivilege_escalationrootkit

    • Kinsing

      Kinsing is a loader written in Golang.

      loaderkinsing

    • Kinsing Rootkit

      Rootkit reuses the publicly available BEURK rootkit.

      rootkitkinsing_rootkit

    • Kinsing Rootkit payload

    • Kinsing family

      kinsing

    • Kinsing payload

    • Kinsing_rootkit family

      kinsing_rootkit

    • Modifies the dynamic linker configuration file

      Malware can modify the configuration file of the dynamic linker to preload malicous libraries with every executed process.

      exectionpersistenceprivilege_escalationdefense_evasion

    • File and Directory Permissions Modification

      Adversaries may modify file or directory permissions to evade defenses.

      defense_evasion

    • Executes dropped EXE

    • Flushes firewall rules

      Flushes/ disables firewall rules inside the Linux kernel.

      defense_evasion

    • Loads a kernel module

      Loads a Linux kernel module, potentially to achieve persistence

      rootkit

    • Abuse Elevation Control Mechanism: Sudo and Sudo Caching

      Abuse sudo or cached sudo credentials to execute code.

      privilege_escalationdefense_evasion

    • Attempts to change immutable files

      Modifies inode attributes on the filesystem to allow changing of immutable files.

    • Creates/modifies Cron job

      Cron allows running tasks on a schedule, and is commonly used for malware persistence.

      executionpersistenceprivilege_escalation

    • Enumerates running processes

      Discovers information about currently running processes on the system

    • Modifies systemd

      Adds/ modifies systemd service files. Likely to achieve persistence.

      persistenceprivilege_escalation

    • Reads list of loaded kernel modules

      Reads the list of currently loaded kernel modules, possibly to detect virtual environments.

      defense_evasion
    behavioral1behavioral2behavioral3behavioral4

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

1
T1053

Cron

1
T1053.003

Shared Modules

1
T1129

Persistence

Boot or Logon Autostart Execution

1
T1547

XDG Autostart Entries

1
T1547.013

Create or Modify System Process

1
T1543

Systemd Service

1
T1543.002

Hijack Execution Flow

1
T1574

Dynamic Linker Hijacking

1
T1574.006

Scheduled Task/Job

1
T1053

Cron

1
T1053.003

Privilege Escalation

Abuse Elevation Control Mechanism

1
T1548

Sudo and Sudo Caching

1
T1548.003

Boot or Logon Autostart Execution

1
T1547

XDG Autostart Entries

1
T1547.013

Create or Modify System Process

1
T1543

Systemd Service

1
T1543.002

Hijack Execution Flow

1
T1574

Dynamic Linker Hijacking

1
T1574.006

Scheduled Task/Job

1
T1053

Cron

1
T1053.003

Defense Evasion

Abuse Elevation Control Mechanism

1
T1548

Sudo and Sudo Caching

1
T1548.003

File and Directory Permissions Modification

1
T1222

Linux and Mac File and Directory Permissions Modification

1
T1222.002

Hijack Execution Flow

1
T1574

Dynamic Linker Hijacking

1
T1574.006

Impair Defenses

1
T1562

Disable or Modify System Firewall

1
T1562.004

Virtualization/Sandbox Evasion

2
T1497

System Checks

1
T1497.001

Credential Access

Discovery

Process Discovery

1
T1057

System Information Discovery

2
T1082

System Network Configuration Discovery

1
T1016

Virtualization/Sandbox Evasion

2
T1497

System Checks

1
T1497.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

We care about your privacy.

This website stores cookies on your computer. These cookies are used to improve your website experience and provide more personalized services to you, both on this website and through other media. To find out more about the cookies we use, see our Privacy Policy.