Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

10

Static

static

1

7f65f1d3cc...ebe.sh

ubuntu-18.04-amd64

10

7f65f1d3cc...ebe.sh

debian-9-armhf

10

7f65f1d3cc...ebe.sh

debian-9-mips

10

7f65f1d3cc...ebe.sh

debian-9-mipsel

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    7f65f1d3cc38298c0b27c6f307b51a578619a16f12d3e8c662c3b7e290d08ebe.sh

  • Size

    15KB

  • Sample

    250224-dnhqcszlgk

  • MD5

    34ac9486a95651a465a5fc6039c2819a

  • SHA1

    274290fc9187e8f3504aec78ea1ef8984b5099d3

  • SHA256

    7f65f1d3cc38298c0b27c6f307b51a578619a16f12d3e8c662c3b7e290d08ebe

  • SHA512

    9c886b2976fc624ada4d5ed34f662a7aff682bae4bb4f37a519d50bd94ef019924a96aeb4b84fbee3136114e4f8d6ce5626d40b123622f3ceeb06de9969b9409

  • SSDEEP

    384:r5JxgzLuqlH2wx2vUaQa5/eN86704s80ooJQYgykWT4yCtvUsDjdWOoJwN:trgXux7YJDj8OoJwN

Score
10/10
kinsingkinsing_rootkitantivmdefense_evasiondiscoveryexectionexecutionlinuxloaderpersistenceprivilege_escalationrootkit

Malware Config

Targets

    • Target

      7f65f1d3cc38298c0b27c6f307b51a578619a16f12d3e8c662c3b7e290d08ebe.sh

    • Size

      15KB

    • MD5

      34ac9486a95651a465a5fc6039c2819a

    • SHA1

      274290fc9187e8f3504aec78ea1ef8984b5099d3

    • SHA256

      7f65f1d3cc38298c0b27c6f307b51a578619a16f12d3e8c662c3b7e290d08ebe

    • SHA512

      9c886b2976fc624ada4d5ed34f662a7aff682bae4bb4f37a519d50bd94ef019924a96aeb4b84fbee3136114e4f8d6ce5626d40b123622f3ceeb06de9969b9409

    • SSDEEP

      384:r5JxgzLuqlH2wx2vUaQa5/eN86704s80ooJQYgykWT4yCtvUsDjdWOoJwN:trgXux7YJDj8OoJwN

    Score
    10/10
    kinsingkinsing_rootkitantivmdefense_evasiondiscoveryexectionexecutionloaderpersistenceprivilege_escalationrootkit

    • Kinsing

      Kinsing is a loader written in Golang.

      loaderkinsing

    • Kinsing Rootkit

      Rootkit reuses the publicly available BEURK rootkit.

      rootkitkinsing_rootkit

    • Kinsing Rootkit payload

    • Kinsing family

      kinsing

    • Kinsing payload

    • Kinsing_rootkit family

      kinsing_rootkit

    • Modifies the dynamic linker configuration file

      Malware can modify the configuration file of the dynamic linker to preload malicous libraries with every executed process.

      exectionpersistenceprivilege_escalationdefense_evasion

    • File and Directory Permissions Modification

      Adversaries may modify file or directory permissions to evade defenses.

      defense_evasion

    • Executes dropped EXE

    • Flushes firewall rules

      Flushes/ disables firewall rules inside the Linux kernel.

      defense_evasion

    • Loads a kernel module

      Loads a Linux kernel module, potentially to achieve persistence

      rootkit

    • Abuse Elevation Control Mechanism: Sudo and Sudo Caching

      Abuse sudo or cached sudo credentials to execute code.

      privilege_escalationdefense_evasion

    • Attempts to change immutable files

      Modifies inode attributes on the filesystem to allow changing of immutable files.

    • Creates/modifies Cron job

      Cron allows running tasks on a schedule, and is commonly used for malware persistence.

      executionpersistenceprivilege_escalation

    • Enumerates running processes

      Discovers information about currently running processes on the system

    • Modifies systemd

      Adds/ modifies systemd service files. Likely to achieve persistence.

      persistenceprivilege_escalation

    • Reads list of loaded kernel modules

      Reads the list of currently loaded kernel modules, possibly to detect virtual environments.

      defense_evasion
    behavioral1behavioral2behavioral3behavioral4

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

1
T1053

Cron

1
T1053.003

Shared Modules

1
T1129

Persistence

Boot or Logon Autostart Execution

1
T1547

XDG Autostart Entries

1
T1547.013

Create or Modify System Process

1
T1543

Systemd Service

1
T1543.002

Hijack Execution Flow

1
T1574

Dynamic Linker Hijacking

1
T1574.006

Scheduled Task/Job

1
T1053

Cron

1
T1053.003

Privilege Escalation

Abuse Elevation Control Mechanism

1
T1548

Sudo and Sudo Caching

1
T1548.003

Boot or Logon Autostart Execution

1
T1547

XDG Autostart Entries

1
T1547.013

Create or Modify System Process

1
T1543

Systemd Service

1
T1543.002

Hijack Execution Flow

1
T1574

Dynamic Linker Hijacking

1
T1574.006

Scheduled Task/Job

1
T1053

Cron

1
T1053.003

Defense Evasion

Abuse Elevation Control Mechanism

1
T1548

Sudo and Sudo Caching

1
T1548.003

File and Directory Permissions Modification

1
T1222

Linux and Mac File and Directory Permissions Modification

1
T1222.002

Hijack Execution Flow

1
T1574

Dynamic Linker Hijacking

1
T1574.006

Impair Defenses

1
T1562

Disable or Modify System Firewall

1
T1562.004

Virtualization/Sandbox Evasion

2
T1497

System Checks

1
T1497.001

Credential Access

Discovery

Process Discovery

1
T1057

System Information Discovery

2
T1082

System Network Configuration Discovery

1
T1016

Virtualization/Sandbox Evasion

2
T1497

System Checks

1
T1497.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

We care about your privacy.

This website stores cookies on your computer. These cookies are used to improve your website experience and provide more personalized services to you, both on this website and through other media. To find out more about the cookies we use, see our Privacy Policy.