General

  • Target

    fc5370dafe589e64d45fa8da975e000ee1df5163a0b1804e24c97197c9b3351f.zip

  • Size

    7KB

  • Sample

    250604-chxrnazjy2

  • MD5

    09fe49d9a7c85e61e59b56650ffb0c6b

  • SHA1

    8817b8d9670b94248f08b036e4d169cf8522f46f

  • SHA256

    29fe0de49b8b12754368e89736b5ed6499c4de81eb2aa841a1a7835d47995b07

  • SHA512

    b66e3def6d3cc17b4e776e191a4da99b64ead21079334da3b39c54ecda7815926412ac85a8b4c65131a3f6a51f9440d02e35ea0c158d1e47b46045a7bd02e543

  • SSDEEP

    192:PHXhgQ/qP+WsKJP6hPokGI1tBhr8Me0/ZfOQKR:PHXQ96hPIyD4+ZfOn

Malware Config

Targets

    • Target

      fc5370dafe589e64d45fa8da975e000ee1df5163a0b1804e24c97197c9b3351f.sh

    • Size

      36KB

    • MD5

      d51663e1d465c328c0ff8512880af535

    • SHA1

      9fe65d138888cabb196ba38bbdeabc854c2adbbf

    • SHA256

      fc5370dafe589e64d45fa8da975e000ee1df5163a0b1804e24c97197c9b3351f

    • SHA512

      7e631002eb20a37c354e044f2d57d9d2bcd0bfaa78cd58bf6d87b44c2d62ce68e0086dd65e89b72c23973f223352e3ed3cc16fdc538fb80712c4f0f225140eea

    • SSDEEP

      768:bq7mzQ5VFNcDAFLcIwgnoYq0xFBWytfwu3:bEVF+D6cIwgos1d3

    • Kinsing

      Kinsing is a loader written in Golang.

    • Kinsing family

    • Kinsing payload

    • Xmrig family

    • Xmrig_linux family

    • xmrig

      XMRig is a high performance, open source, cross platform CPU/GPU miner.

    • XMRig Miner payload

    • File and Directory Permissions Modification

      Adversaries may modify file or directory permissions to evade defenses.

    • Deletes system logs

      Deletes log file which contains global system messages. Adversaries may delete system logs to minimize their footprint.

    • Executes dropped EXE

    • Flushes firewall rules

      Flushes/ disables firewall rules inside the Linux kernel.

    • Loads a kernel module

      Loads a Linux kernel module, potentially to achieve persistence

    • Abuse Elevation Control Mechanism: Sudo and Sudo Caching

      Abuse sudo or cached sudo credentials to execute code.

    • Attempts to change immutable files

      Modifies inode attributes on the filesystem to allow changing of immutable files.

    • Checks hardware identifiers (DMI)

      Checks DMI information which indicate if the system is a virtual machine.

    • Creates/modifies Cron job

      Cron allows running tasks on a schedule, and is commonly used for malware persistence.

    • Disables AppArmor

      Disables AppArmor security module.

    • Disables SELinux

      Disables SELinux security module.

    • Enumerates running processes

      Discovers information about currently running processes on the system

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Reads Bash history

      Adversaries may search the bash command history on compromised systems for insecurely stored credentials.

    • Reads hardware information

      Accesses system info like serial numbers, manufacturer names etc.

    • Reads list of loaded kernel modules

      Reads the list of currently loaded kernel modules, possibly to detect virtual environments.

    • UPX packed file

      Detects executables packed with UPX/modified UPX open source packer.

MITRE ATT&CK Enterprise v16

Tasks