General

  • Target

    pg.sh

  • Size

    36KB

  • Sample

    250603-wgfxasfm6s

  • MD5

    d51663e1d465c328c0ff8512880af535

  • SHA1

    9fe65d138888cabb196ba38bbdeabc854c2adbbf

  • SHA256

    fc5370dafe589e64d45fa8da975e000ee1df5163a0b1804e24c97197c9b3351f

  • SHA512

    7e631002eb20a37c354e044f2d57d9d2bcd0bfaa78cd58bf6d87b44c2d62ce68e0086dd65e89b72c23973f223352e3ed3cc16fdc538fb80712c4f0f225140eea

  • SSDEEP

    768:bq7mzQ5VFNcDAFLcIwgnoYq0xFBWytfwu3:bEVF+D6cIwgos1d3

Malware Config

Targets

    • Target

      pg.sh

    • Size

      36KB

    • MD5

      d51663e1d465c328c0ff8512880af535

    • SHA1

      9fe65d138888cabb196ba38bbdeabc854c2adbbf

    • SHA256

      fc5370dafe589e64d45fa8da975e000ee1df5163a0b1804e24c97197c9b3351f

    • SHA512

      7e631002eb20a37c354e044f2d57d9d2bcd0bfaa78cd58bf6d87b44c2d62ce68e0086dd65e89b72c23973f223352e3ed3cc16fdc538fb80712c4f0f225140eea

    • SSDEEP

      768:bq7mzQ5VFNcDAFLcIwgnoYq0xFBWytfwu3:bEVF+D6cIwgos1d3

    • Kinsing

      Kinsing is a loader written in Golang.

    • Kinsing family

    • Kinsing payload

    • Xmrig_linux family

    • xmrig

      XMRig is a high performance, open source, cross platform CPU/GPU miner.

    • File and Directory Permissions Modification

      Adversaries may modify file or directory permissions to evade defenses.

    • Deletes system logs

      Deletes log file which contains global system messages. Adversaries may delete system logs to minimize their footprint.

    • Executes dropped EXE

    • Flushes firewall rules

      Flushes/ disables firewall rules inside the Linux kernel.

    • Loads a kernel module

      Loads a Linux kernel module, potentially to achieve persistence

    • Abuse Elevation Control Mechanism: Sudo and Sudo Caching

      Abuse sudo or cached sudo credentials to execute code.

    • Attempts to change immutable files

      Modifies inode attributes on the filesystem to allow changing of immutable files.

    • Creates/modifies Cron job

      Cron allows running tasks on a schedule, and is commonly used for malware persistence.

    • Disables AppArmor

      Disables AppArmor security module.

    • Disables SELinux

      Disables SELinux security module.

    • Enumerates running processes

      Discovers information about currently running processes on the system

    • Reads list of loaded kernel modules

      Reads the list of currently loaded kernel modules, possibly to detect virtual environments.

MITRE ATT&CK Enterprise v16

Tasks