d84bcfd38f8f2a35702ed52ef90fe9bbe7f6a6fbbf2e05814ed4e137fc5730ca

Analysis

max time kernel
4518s
max time network
134s
platform
ubuntu-18.04_amd64
resource
ubuntu1804-amd64-20221111-en
resource tags

arch:amd64arch:i386image:ubuntu1804-amd64-20221111-enkernel:4.15.0-161-genericlocale:en-usos:ubuntu-18.04-amd64system
submitted
03-01-2023 01:16

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

xmrig-6.18.0/xmrig
Size

8.5MB
MD5

c1e65d481af4e6d4bad74cca4e8737cb
SHA1

b3b4772f4c175590750e2dac6d62da23cc97cb07
SHA256

ca52fc8684b345ed2bd1916df7c0b9d3c22441d5b117b1a93a9868caacd032df
SHA512

deab2a4d8e90e22c5623d478fa08115aff588de782d31d3b3971f854319a2d7c6bcdbc6751fd33b9863a9443c9c27a0863629de08e5c7a6adfad334fa8b436bb
SSDEEP

196608:Nitud5lYevL8rD8cq8cgXFeyP3gbCkGduks:Nitud5lYevLY4cXcggW3gbDGdu

Score

9^/10

antivm

Malware Config

Signatures

Attempts to identify hypervisor via CPU configuration 1 TTPs 1 IoCs

Checks CPU information for indicators that the system is a virtual machine.

antivm

Virtualization/Sandbox Evasion

T1497

description	ioc	Process
/proc/cpuinfo	/proc/cpuinfo	xmrig

Modifies hosts file 1 IoCs

Adds to hosts file used for mapping hosts to IP addresses.

description	ioc
/etc/hosts	/etc/hosts

Writes DNS configuration 1 TTPs 1 IoCs

Writes data to DNS resolver config file.

Dynamic Resolution

T1568

description	ioc
/etc/resolv.conf	/etc/resolv.conf

Reads CPU attributes 1 TTPs 2 IoCs

System Information Discovery

T1082

description	ioc	Process
/sys/devices/system/cpu/online	/sys/devices/system/cpu/online	xmrig
/sys/devices/system/cpu/possible	/sys/devices/system/cpu/possible	xmrig

Enumerates kernel/hardware configuration 1 TTPs 64 IoCs

Reads contents of /sys virtual filesystem to enumerate system information.

System Information Discovery

T1082

Reads runtime system information 6 IoCs

Reads data from /proc virtual filesystem.

description	ioc	Process
/proc/driver/nvidia/gpus	/proc/driver/nvidia/gpus	xmrig
/proc/cmdline	/proc/cmdline	modprobe
/proc/meminfo	/proc/meminfo	Process not Found
/proc/mounts	/proc/mounts	xmrig
/proc/self/cpuset	/proc/self/cpuset	xmrig
/proc/meminfo	/proc/meminfo	xmrig

Writes file to tmp directory 1 IoCs

Malware often drops required files in the /tmp directory.

description	ioc	Process
/tmp/xmrig-6.18.0/config.json	/tmp/xmrig-6.18.0/config.json	xmrig

/tmp/xmrig-6.18.0/xmrig
/tmp/xmrig-6.18.0/xmrig
1⤵
- Attempts to identify hypervisor via CPU configuration
- Reads CPU attributes
- Enumerates kernel/hardware configuration
- Reads runtime system information
- Writes file to tmp directory
PID:605
- /bin/sh
  sh -c "/sbin/modprobe msr allow_writes=on > /dev/null 2>&1"
  2⤵
  PID:611
- - /sbin/modprobe
    /sbin/modprobe msr "allow_writes=on"
    3⤵
    - Enumerates kernel/hardware configuration
    - Reads runtime system information
    PID:616

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Virtualization/Sandbox Evasion

T1497

Credential Access

Discovery

System Information Discovery

T1082

Virtualization/Sandbox Evasion

T1497

Lateral Movement

Collection

Command and Control

Dynamic Resolution

T1568

Exfiltration

Impact

description	ioc	Process
/sys/bus/cpu/devices/cpu0/cache/index3/type	/sys/bus/cpu/devices/cpu0/cache/index3/type	xmrig
/sys/bus/cpu/devices/cpu0/cache/index3/number_of_sets	/sys/bus/cpu/devices/cpu0/cache/index3/number_of_sets	xmrig
/sys/bus/cpu/devices/cpu0/cache/index7/shared_cpu_map	/sys/bus/cpu/devices/cpu0/cache/index7/shared_cpu_map	xmrig
/sys/bus/node/devices/node0/cpumap	/sys/bus/node/devices/node0/cpumap	xmrig
/sys/fs/cgroup/unified/cgroup.controllers	/sys/fs/cgroup/unified/cgroup.controllers	xmrig
/sys/bus/cpu/devices/cpu0/topology/die_cpus	/sys/bus/cpu/devices/cpu0/topology/die_cpus	xmrig
/sys/bus/cpu/devices/cpu0/cache/index0/id	/sys/bus/cpu/devices/cpu0/cache/index0/id	xmrig
/sys/bus/cpu/devices/cpu0/cache/index3/shared_cpu_map	/sys/bus/cpu/devices/cpu0/cache/index3/shared_cpu_map	xmrig
/sys/bus/node/devices/node0/access0/initiators/read_latency	/sys/bus/node/devices/node0/access0/initiators/read_latency	xmrig
/sys/devices/virtual/dmi/id/product_serial	/sys/devices/virtual/dmi/id/product_serial	xmrig
/sys/devices/virtual/dmi/id/board_vendor	/sys/devices/virtual/dmi/id/board_vendor	xmrig
/sys/devices/virtual/dmi/id/chassis_version	/sys/devices/virtual/dmi/id/chassis_version	xmrig
/sys/fs/cgroup/cpuset//cpuset.cpus	/sys/fs/cgroup/cpuset//cpuset.cpus	xmrig
/sys/bus/cpu/devices	/sys/bus/cpu/devices	xmrig
/sys/bus/cpu/devices/cpu0/cache/index0/number_of_sets	/sys/bus/cpu/devices/cpu0/cache/index0/number_of_sets	xmrig
/sys/bus/node/devices/node0/access0/initiators	/sys/bus/node/devices/node0/access0/initiators	xmrig
/sys/fs/cgroup/cpuset//cpuset.mems	/sys/fs/cgroup/cpuset//cpuset.mems	xmrig
/sys/devices/virtual/dmi/id/product_name	/sys/devices/virtual/dmi/id/product_name	xmrig
/sys/devices/virtual/dmi/id/product_uuid	/sys/devices/virtual/dmi/id/product_uuid	xmrig
/sys/devices/virtual/dmi/id/sys_vendor	/sys/devices/virtual/dmi/id/sys_vendor	xmrig
/sys/bus/cpu/devices/cpu0/cache/index0/type	/sys/bus/cpu/devices/cpu0/cache/index0/type	xmrig
/sys/bus/cpu/devices/cpu0/cache/index3/coherency_line_size	/sys/bus/cpu/devices/cpu0/cache/index3/coherency_line_size	xmrig
/sys/kernel/mm/hugepages/hugepages-2048kB/nr_hugepages	/sys/kernel/mm/hugepages/hugepages-2048kB/nr_hugepages	xmrig
/sys/devices/virtual/dmi/id/chassis_vendor	/sys/devices/virtual/dmi/id/chassis_vendor	xmrig
/sys/firmware/dmi/tables/DMI	/sys/firmware/dmi/tables/DMI	xmrig
/sys/devices/system/node/node0/hugepages/hugepages-2048kB/nr_hugepages	/sys/devices/system/node/node0/hugepages/hugepages-2048kB/nr_hugepages	Process not Found
/sys/bus/cpu/devices/cpu0/cache/index2/level	/sys/bus/cpu/devices/cpu0/cache/index2/level	xmrig
/sys/bus/cpu/devices/cpu0/cache/index4/shared_cpu_map	/sys/bus/cpu/devices/cpu0/cache/index4/shared_cpu_map	xmrig
/sys/devices/virtual/dmi/id/board_asset_tag	/sys/devices/virtual/dmi/id/board_asset_tag	xmrig
/sys/devices/virtual/dmi/id/chassis_type	/sys/devices/virtual/dmi/id/chassis_type	xmrig
/sys/devices/virtual/dmi/id/board_name	/sys/devices/virtual/dmi/id/board_name	xmrig
/sys/bus/cpu/devices/cpu0/cache/index0/physical_line_partition	/sys/bus/cpu/devices/cpu0/cache/index0/physical_line_partition	xmrig
/sys/bus/cpu/devices/cpu0/cache/index1/type	/sys/bus/cpu/devices/cpu0/cache/index1/type	xmrig
/sys/bus/cpu/devices/cpu0/cache/index2/size	/sys/bus/cpu/devices/cpu0/cache/index2/size	xmrig
/sys/bus/cpu/devices/cpu0/cache/index2/number_of_sets	/sys/bus/cpu/devices/cpu0/cache/index2/number_of_sets	xmrig
/sys/devices/virtual/dmi/id	/sys/devices/virtual/dmi/id	xmrig
/sys/devices/virtual/dmi/id/board_version	/sys/devices/virtual/dmi/id/board_version	xmrig
/sys/devices/virtual/dmi/id/chassis_serial	/sys/devices/virtual/dmi/id/chassis_serial	xmrig
/sys/bus/cpu/devices/cpu0/cache/index2/physical_line_partition	/sys/bus/cpu/devices/cpu0/cache/index2/physical_line_partition	xmrig
/sys/bus/cpu/devices/cpu0/cache/index9/shared_cpu_map	/sys/bus/cpu/devices/cpu0/cache/index9/shared_cpu_map	xmrig
/sys/kernel/mm/hugepages	/sys/kernel/mm/hugepages	xmrig
/sys/bus/node/devices/node0/access1/initiators	/sys/bus/node/devices/node0/access1/initiators	xmrig
/sys/devices/virtual/dmi/id/bios_version	/sys/devices/virtual/dmi/id/bios_version	xmrig
/sys/module/msr/initstate	/sys/module/msr/initstate	modprobe
/sys/bus/cpu/devices/cpu0/topology/physical_package_id	/sys/bus/cpu/devices/cpu0/topology/physical_package_id	xmrig
/sys/bus/cpu/devices/cpu0/cache/index0/size	/sys/bus/cpu/devices/cpu0/cache/index0/size	xmrig
/sys/bus/cpu/devices/cpu0/cache/index3/size	/sys/bus/cpu/devices/cpu0/cache/index3/size	xmrig
/sys/bus/dax/devices/	/sys/bus/dax/devices/	xmrig
/sys/bus/cpu/devices/cpu0/cache/index2/id	/sys/bus/cpu/devices/cpu0/cache/index2/id	xmrig
/sys/bus/cpu/devices/cpu0/cache/index8/shared_cpu_map	/sys/bus/cpu/devices/cpu0/cache/index8/shared_cpu_map	xmrig
/sys/bus/cpu/devices/cpu0/topology/core_siblings	/sys/bus/cpu/devices/cpu0/topology/core_siblings	xmrig
/sys/devices/virtual/dmi/id/board_serial	/sys/devices/virtual/dmi/id/board_serial	xmrig
/sys/devices/system/node/node0/hugepages/hugepages-2048kB/free_hugepages	/sys/devices/system/node/node0/hugepages/hugepages-2048kB/free_hugepages	Process not Found
/sys/devices/virtual/dmi/id/product_version	/sys/devices/virtual/dmi/id/product_version	xmrig
/sys/bus/cpu/devices/cpu0/cache/index3/physical_line_partition	/sys/bus/cpu/devices/cpu0/cache/index3/physical_line_partition	xmrig
/sys/devices/system/node/online	/sys/devices/system/node/online	xmrig
/sys/bus/node/devices/node0/hugepages	/sys/bus/node/devices/node0/hugepages	xmrig
/sys/bus/node/devices/node0/access0/initiators/read_bandwidth	/sys/bus/node/devices/node0/access0/initiators/read_bandwidth	xmrig
/sys/firmware/dmi/tables/smbios_entry_point	/sys/firmware/dmi/tables/smbios_entry_point	xmrig
/sys/module/msr/parameters/allow_writes	/sys/module/msr/parameters/allow_writes	xmrig
/sys/bus/cpu/devices/cpu0/topology/thread_siblings	/sys/bus/cpu/devices/cpu0/topology/thread_siblings	xmrig
/sys/bus/cpu/devices/cpu0/cache/index1/id	/sys/bus/cpu/devices/cpu0/cache/index1/id	xmrig
/sys/bus/cpu/devices/cpu0/cpufreq/cpuinfo_max_freq	/sys/bus/cpu/devices/cpu0/cpufreq/cpuinfo_max_freq	xmrig
/sys/devices/virtual/dmi/id/bios_vendor	/sys/devices/virtual/dmi/id/bios_vendor	xmrig

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads