Overview

overview

10

Static

static

7

f12b3682-6...781961

ubuntu-22.04-amd64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    f12b3682-6fff-4026-bc66-3b156c781961

  • Size

    3.7MB

  • Sample

    240703-dj4f9sycrq

  • MD5

    8b40a86b19a8f3ffec80bcc8e03dc5dd

  • SHA1

    21017440a86a230e780d8e851ff42c268d292f64

  • SHA256

    3afc8270bfe909376568076567dd7bcab398e766457d5945a3966d224d8c34ab

  • SHA512

    c50cbceba5e101ba091a31563e30b8dbe7985d3c0cc64b56362474c91d93187ec282fe265ff877183de7bd8f83e80fbe4c3e68de0e312ae142364a8ae4c9274c

  • SSDEEP

    98304:AMAAK4W7MRThAHouqB/cyzN7NCx4sdXVAcFXbPSwasS:2D4WSecXEVBPSwa7

Score
10/10
kaitenxmrigantivmbotnetlinuxminerpersistenceupx

Malware Config

Targets

    • Target

      f12b3682-6fff-4026-bc66-3b156c781961

    • Size

      3.7MB

    • MD5

      8b40a86b19a8f3ffec80bcc8e03dc5dd

    • SHA1

      21017440a86a230e780d8e851ff42c268d292f64

    • SHA256

      3afc8270bfe909376568076567dd7bcab398e766457d5945a3966d224d8c34ab

    • SHA512

      c50cbceba5e101ba091a31563e30b8dbe7985d3c0cc64b56362474c91d93187ec282fe265ff877183de7bd8f83e80fbe4c3e68de0e312ae142364a8ae4c9274c

    • SSDEEP

      98304:AMAAK4W7MRThAHouqB/cyzN7NCx4sdXVAcFXbPSwasS:2D4WSecXEVBPSwa7

    Score
    10/10
    kaitenxmrigantivmbotnetminerpersistenceupx

    • Detects Kaiten/Tsunami Payload

    • Detects Kaiten/Tsunami payload

    • Kaiten/Tsunami

      Linux-based IoT botnet which is controlled through IRC and normally used to carry out DDoS attacks.

      botnetkaiten

    • xmrig

      XMRig is a high performance, open source, cross platform CPU/GPU miner.

      minerxmrig

    • XMRig Miner payload

      miner

    • Executes dropped EXE

    • UPX packed file

      Detects executables packed with UPX/modified UPX open source packer.

      upx

    • Attempts to change immutable files

      Modifies inode attributes on the filesystem to allow changing of immutable files.

    • Checks hardware identifiers (DMI)

      Checks DMI information which indicate if the system is a virtual machine.

      antivm

    • Creates/modifies Cron job

      Cron allows running tasks on a schedule, and is commonly used for malware persistence.

      persistence

    • Enumerates active TCP sockets

      Gets active TCP sockets from /proc virtual filesystem.

    • Enumerates running processes

      Discovers information about currently running processes on the system

    • Modifies init.d

      Adds/modifies system service, likely for persistence.

      persistence

    • Modifies systemd

      Adds/ modifies systemd service files. Likely to achieve persistence.

      persistence

    • Reads hardware information

      Accesses system info like serial numbers, manufacturer names etc.

    • Writes file to system bin folder

    behavioral1

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Scheduled Task/Job

1
T1053

Persistence

Scheduled Task/Job

1
T1053

Boot or Logon Autostart Execution

2
T1547

Hijack Execution Flow

1
T1574

Privilege Escalation

Scheduled Task/Job

1
T1053

Boot or Logon Autostart Execution

2
T1547

Hijack Execution Flow

1
T1574

Defense Evasion

Virtualization/Sandbox Evasion

2
T1497

Hijack Execution Flow

1
T1574

Credential Access

Discovery

Virtualization/Sandbox Evasion

2
T1497

System Network Connections Discovery

1
T1049

System Information Discovery

3
T1082

System Network Configuration Discovery

1
T1016

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Tasks