General
-
Target
fc5370dafe589e64d45fa8da975e000ee1df5163a0b1804e24c97197c9b3351f.zip
-
Size
7KB
-
Sample
250604-chxrnazjy2
-
MD5
09fe49d9a7c85e61e59b56650ffb0c6b
-
SHA1
8817b8d9670b94248f08b036e4d169cf8522f46f
-
SHA256
29fe0de49b8b12754368e89736b5ed6499c4de81eb2aa841a1a7835d47995b07
-
SHA512
b66e3def6d3cc17b4e776e191a4da99b64ead21079334da3b39c54ecda7815926412ac85a8b4c65131a3f6a51f9440d02e35ea0c158d1e47b46045a7bd02e543
-
SSDEEP
192:PHXhgQ/qP+WsKJP6hPokGI1tBhr8Me0/ZfOQKR:PHXQ96hPIyD4+ZfOn
Static task
static1
Behavioral task
behavioral1
Sample
fc5370dafe589e64d45fa8da975e000ee1df5163a0b1804e24c97197c9b3351f.sh
Resource
ubuntu1804-amd64-20250410-en
Behavioral task
behavioral2
Sample
fc5370dafe589e64d45fa8da975e000ee1df5163a0b1804e24c97197c9b3351f.sh
Resource
debian9-armhf-20240418-en
Behavioral task
behavioral3
Sample
fc5370dafe589e64d45fa8da975e000ee1df5163a0b1804e24c97197c9b3351f.sh
Resource
debian9-mipsbe-20250410-en
Behavioral task
behavioral4
Sample
fc5370dafe589e64d45fa8da975e000ee1df5163a0b1804e24c97197c9b3351f.sh
Resource
debian9-mipsel-20240418-en
Malware Config
Targets
-
-
Target
fc5370dafe589e64d45fa8da975e000ee1df5163a0b1804e24c97197c9b3351f.sh
-
Size
36KB
-
MD5
d51663e1d465c328c0ff8512880af535
-
SHA1
9fe65d138888cabb196ba38bbdeabc854c2adbbf
-
SHA256
fc5370dafe589e64d45fa8da975e000ee1df5163a0b1804e24c97197c9b3351f
-
SHA512
7e631002eb20a37c354e044f2d57d9d2bcd0bfaa78cd58bf6d87b44c2d62ce68e0086dd65e89b72c23973f223352e3ed3cc16fdc538fb80712c4f0f225140eea
-
SSDEEP
768:bq7mzQ5VFNcDAFLcIwgnoYq0xFBWytfwu3:bEVF+D6cIwgos1d3
-
Kinsing family
-
Kinsing payload
-
Xmrig family
-
Xmrig_linux family
-
XMRig Miner payload
-
File and Directory Permissions Modification
Adversaries may modify file or directory permissions to evade defenses.
-
Deletes system logs
Deletes log file which contains global system messages. Adversaries may delete system logs to minimize their footprint.
-
Executes dropped EXE
-
Abuse Elevation Control Mechanism: Sudo and Sudo Caching
Abuse sudo or cached sudo credentials to execute code.
-
Attempts to change immutable files
Modifies inode attributes on the filesystem to allow changing of immutable files.
-
Checks hardware identifiers (DMI)
Checks DMI information which indicate if the system is a virtual machine.
-
Creates/modifies Cron job
Cron allows running tasks on a schedule, and is commonly used for malware persistence.
-
Disables AppArmor
Disables AppArmor security module.
-
Enumerates running processes
Discovers information about currently running processes on the system
-
Looks up external IP address via web service
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Reads Bash history
Adversaries may search the bash command history on compromised systems for insecurely stored credentials.
-
Reads hardware information
Accesses system info like serial numbers, manufacturer names etc.
-
Reads list of loaded kernel modules
Reads the list of currently loaded kernel modules, possibly to detect virtual environments.
-
MITRE ATT&CK Enterprise v16
Privilege Escalation
Abuse Elevation Control Mechanism
1Sudo and Sudo Caching
1Scheduled Task/Job
1Cron
1Defense Evasion
Abuse Elevation Control Mechanism
1Sudo and Sudo Caching
1File and Directory Permissions Modification
1Linux and Mac File and Directory Permissions Modification
1Impair Defenses
2Disable or Modify System Firewall
1Disable or Modify Tools
1Indicator Removal
1Clear Linux or Mac System Logs
1Virtualization/Sandbox Evasion
3System Checks
2