General

  • Target

    Tcp1000gbps.sh

  • Size

    1KB

  • Sample

    250603-bgn8fsxvez

  • MD5

    08416a1ef9a5bfcc77131c34af46204f

  • SHA1

    a937aae1f87e2d8c6399c3a7ae875a229a796491

  • SHA256

    15b63c1681574153b1da9bb4a969c9f76efc65583a0833ee9c3bf72d2d2f79c0

  • SHA512

    9e50edb014f7cc16c272a0babf7e222313fa51aed091a6db70019a48386b6dd2282620b24c21b6905319b532af30a582afb54ad5b49cb8353f5d7edfd1173d44

Malware Config

Targets

    • Target

      Tcp1000gbps.sh

    • Size

      1KB

    • MD5

      08416a1ef9a5bfcc77131c34af46204f

    • SHA1

      a937aae1f87e2d8c6399c3a7ae875a229a796491

    • SHA256

      15b63c1681574153b1da9bb4a969c9f76efc65583a0833ee9c3bf72d2d2f79c0

    • SHA512

      9e50edb014f7cc16c272a0babf7e222313fa51aed091a6db70019a48386b6dd2282620b24c21b6905319b532af30a582afb54ad5b49cb8353f5d7edfd1173d44

    • XMRig Miner payload

    • Xmrig family

    • Xmrig_linux family

    • xmrig

      XMRig is a high performance, open source, cross platform CPU/GPU miner.

    • File and Directory Permissions Modification

      Adversaries may modify file or directory permissions to evade defenses.

    • Executes dropped EXE

    • Modifies Watchdog functionality

      Malware like Mirai modifies the Watchdog to prevent it from restarting an infected system.

    • Checks hardware identifiers (DMI)

      Checks DMI information that indicates whether the system is a virtual machine.

    • Enumerates active TCP sockets

      Gets active TCP sockets from /proc virtual filesystem.

    • Enumerates running processes

      Discovers information about currently running processes on the system.

    • Reads hardware information

      Accesses system information such as serial numbers and manufacturer names.

    • Writes file to system bin folder

MITRE ATT&CK Enterprise v16

Tasks