xmrig_linux | 105e32c8ef13d4d001923c1a43a8849d069fc4adebe48e5e6a9e726eb605ce31

Analysis

max time kernel
29s
platform
debian-9_armhf
resource
debian9-armhf-20240226-en
resource tags

arch:armhfimage:debian9-armhf-20240226-enkernel:4.9.0-13-armmp-lpaelocale:en-usos:debian-9-armhfsystem
submitted
07-03-2024 18:02

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

.rsync/a/a
Size

2KB
MD5

b067abc476505eea79d2233ee3585626
SHA1

15f7c9af535f4390b14ba03ddb990c732212dde8
SHA256

ed9330e1594e73097dc6c8bf9f157de0d3799171a1967aaa43f9cd8629092f07
SHA512

95211823aadc69ca8145339188cf90094afb28948ec8729fd4e208fdb0bff4fa3a5435574a12c51618c87916e3ecccfa8c4621b4e6f26c8c42ec8dd13a285fab

Score

10^/10

xmrig_linux antivm miner

Malware Config

Signatures

xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig_linux

Executes dropped EXE 1 IoCs

Processes:

upd

ioc	pid	Process
/tmp/.rsync/a/upd	704	upd

Attempts to change immutable files 1 IoCs

Modifies inode attributes on the filesystem to allow changing of immutable files.

Processes:

chattr

pid	Process
707	chattr

Checks CPU configuration 1 TTPs 2 IoCs

Checks CPU information which indicate if the system is a virtual machine.

antivm

Virtualization/Sandbox Evasion

T1497

Processes:

grepgrep

description	ioc	Process
File opened for reading	/proc/cpuinfo	grep
File opened for reading	/proc/cpuinfo	grep

Enumerates running processes
Discovers information about currently running processes on the system

Reads CPU attributes 1 TTPs 13 IoCs

System Information Discovery

T1082

Processes:

pspkillpssysctlpkillpspspspkillpkillpkillpkillps

description	ioc	Process
File opened for reading	/sys/devices/system/cpu/online	ps
File opened for reading	/sys/devices/system/cpu/online	pkill
File opened for reading	/sys/devices/system/cpu/online	ps
File opened for reading	/sys/devices/system/cpu/online	sysctl
File opened for reading	/sys/devices/system/cpu/online	pkill
File opened for reading	/sys/devices/system/cpu/online	ps
File opened for reading	/sys/devices/system/cpu/online	ps
File opened for reading	/sys/devices/system/cpu/online	ps
File opened for reading	/sys/devices/system/cpu/online	pkill
File opened for reading	/sys/devices/system/cpu/online	pkill
File opened for reading	/sys/devices/system/cpu/online	pkill
File opened for reading	/sys/devices/system/cpu/online	pkill
File opened for reading	/sys/devices/system/cpu/online	ps

Enumerates kernel/hardware configuration 1 TTPs 1 IoCs

Reads contents of /sys virtual filesystem to enumerate system information.

System Information Discovery

T1082

Processes:

description	ioc
File opened for reading	/sys/devices/system/node

Reads runtime system information 64 IoCs

Reads data from /proc virtual filesystem.

Processes:

pspskillallpskillallpkillkillallpspspkillkillallpspkillpkillpkillpkillkillallkillall

description	ioc	Process
File opened for reading	/proc/165/status	ps
File opened for reading	/proc/688/status	ps
File opened for reading	/proc/165/stat	killall
File opened for reading	/proc/11/stat	ps
File opened for reading	/proc/2/stat	killall
File opened for reading	/proc/43/cmdline	ps
File opened for reading	/proc/76/cmdline	pkill
File opened for reading	/proc/76/stat	killall
File opened for reading	/proc/20/status	ps
File opened for reading	/proc/288/cmdline	ps
File opened for reading	/proc/715/status	ps
File opened for reading	/proc/97/status	pkill
File opened for reading	/proc/279/stat	killall
File opened for reading	/proc/737/cmdline	ps
File opened for reading	/proc/107/cmdline	ps
File opened for reading	/proc/666/cmdline	ps
File opened for reading	/proc/18/status	ps
File opened for reading	/proc/446/status	ps
File opened for reading	/proc/108/status	ps
File opened for reading	/proc/41/status	pkill
File opened for reading	/proc/688/cmdline	pkill
File opened for reading	/proc/8/stat	ps
File opened for reading	/proc/14/status	ps
File opened for reading	/proc/14/status	pkill
File opened for reading	/proc/11/status	pkill
File opened for reading	/proc/497/stat	ps
File opened for reading	/proc/23/stat	ps
File opened for reading	/proc/322/cmdline	pkill
File opened for reading	/proc/6/status	ps
File opened for reading	/proc/12/status	ps
File opened for reading	/proc/11/status	pkill
File opened for reading	/proc/19/cmdline	pkill
File opened for reading	/proc/25/cmdline	pkill
File opened for reading	/proc/filesystems	pkill
File opened for reading	/proc/655/stat	killall
File opened for reading	/proc/279/cmdline	ps
File opened for reading	/proc/661/status	ps
File opened for reading	/proc/22/stat	killall
File opened for reading	/proc/15/cmdline	ps
File opened for reading	/proc/41/stat	killall
File opened for reading	/proc/15/status	ps
File opened for reading	/proc/322/stat	killall
File opened for reading	/proc/13/cmdline	ps
File opened for reading	/proc/165/stat	ps
File opened for reading	/proc/663/status	pkill
File opened for reading	/proc/331/status	ps
File opened for reading	/proc/165/stat	killall
File opened for reading	/proc/8/cmdline	pkill
File opened for reading	/proc/14/cmdline	pkill
File opened for reading	/proc/142/stat	killall
File opened for reading	/proc/42/cmdline	ps
File opened for reading	/proc/12/stat	killall
File opened for reading	/proc/226/cmdline	pkill
File opened for reading	/proc/323/status	ps
File opened for reading	/proc/27/status	ps
File opened for reading	/proc/146/stat	killall
File opened for reading	/proc/27/stat	killall
File opened for reading	/proc/660/status	ps
File opened for reading	/proc/729/stat	ps
File opened for reading	/proc/446/status	pkill
File opened for reading	/proc/43/cmdline	ps
File opened for reading	/proc/105/status	ps
File opened for reading	/proc/107/stat	ps
File opened for reading	/proc/2/cmdline	ps

Writes file to tmp directory 5 IoCs

Malware often drops required files in the /tmp directory.

Processes:

astoprun

description	ioc	Process
File opened for modification	/tmp/.rsync/a/dir.dir	a
File opened for modification	/tmp/.rsync/a/upd	a
File opened for modification	/tmp/.rsync/a/.proc	stop
File opened for modification	/tmp/.rsync/a/dir.dir	run
File opened for modification	/tmp/.rsync/a/bash.pid	run

/tmp/.rsync/a/a
/tmp/.rsync/a/a
1⤵
- Writes file to tmp directory
PID:683
- /usr/bin/crontab
  crontab -r
  2⤵
  PID:685
- /bin/cat
  cat dir.dir
  2⤵
  PID:692
- /usr/bin/id
  id -u
  2⤵
  PID:693
- /sbin/modprobe
  modprobe msr "allow_writes=on"
  2⤵
  PID:695
- /bin/grep
  grep -E "AMD Ryzen|AMD EPYC" /proc/cpuinfo
  2⤵
  - Checks CPU configuration
  PID:696
- /bin/grep
  grep Intel /proc/cpuinfo
  2⤵
  - Checks CPU configuration
  PID:697
- /usr/bin/nproc
  nproc
  2⤵
  PID:698
- /sbin/sysctl
  sysctl -w "vm.nr_hugepages=1"
  2⤵
  - Reads CPU attributes
  PID:699
- /usr/bin/find
  find "/sys/devices/system/node/node*" -maxdepth 0 -type d
  2⤵
  PID:701
- /bin/chmod
  chmod u+x upd
  2⤵
  PID:702
- /bin/chmod
  chmod 777 a dir.dir init0 kswapd0 run stop upd
  2⤵
  PID:703
- /tmp/.rsync/a/upd
  ./upd
  2⤵
  - Executes dropped EXE
  PID:704
- - /tmp/.rsync/a/run
    ./run
    3⤵
    - Writes file to tmp directory
    PID:705
  - - /tmp/.rsync/a/stop
      ./stop
      4⤵
      Writes file to tmp directory
      PID:706
    - - /usr/bin/chattr
        
        chattr -ia "~/.xmrig.json"
        5⤵
        Attempts to change immutable files
        
        PID:707
    - - /bin/rm
        
        rm -rf "~/.xmrig.json"
        5⤵
        
        PID:708
    - - /usr/bin/pkill
        
        pkill -9 cron
        5⤵
        Reads CPU attributes
        Reads runtime system information
        
        PID:709
    - - /usr/bin/killall
        
        killall -9 cron
        5⤵
        Reads runtime system information
        
        PID:711
    - - /usr/bin/pkill
        
        pkill -9 kswapd0
        5⤵
        Reads CPU attributes
        Reads runtime system information
        
        PID:717
    - - /usr/bin/killall
        
        killall -9 kswapd0
        5⤵
        Reads runtime system information
        
        PID:718
    - - /usr/bin/pkill
        
        pkill -9 ld-linux
        5⤵
        Reads CPU attributes
        Reads runtime system information
        
        PID:724
    - - /usr/bin/killall
        
        killall -9 ld-linux
        5⤵
        Reads runtime system information
        
        PID:725
    - - /usr/bin/pkill
        
        pkill -9 Donald
        5⤵
        Reads CPU attributes
        Reads runtime system information
        
        PID:733
    - - /usr/bin/killall
        
        killall -9 Donald
        5⤵
        Reads runtime system information
        
        PID:735
    - - /usr/bin/pkill
        
        pkill -9 xmr
        5⤵
        Reads CPU attributes
        Reads runtime system information
        
        PID:743
    - - /usr/bin/killall
        
        killall -9 xmr
        5⤵
        Reads runtime system information
        
        PID:749
    - - /usr/bin/pkill
        
        pkill -9 xm64
        5⤵
        Reads CPU attributes
        Reads runtime system information
        
        PID:757
    - - /usr/bin/killall
        
        killall -9 xm64
        5⤵
        Reads runtime system information
        
        PID:759
    - - /bin/rm
        
        rm -rf .proc
        5⤵
        
        PID:767
  - - /bin/sleep
      sleep 10
      4⤵
      PID:769
  - - /bin/cat
      cat dir.dir
      4⤵
      PID:827
  - - /usr/bin/nohup
      nohup ./kswapd0
      4⤵
      PID:828

/bin/ps
ps x
1⤵
- Reads CPU attributes
- Reads runtime system information
PID:713

/bin/grep
grep cron
1⤵
PID:714

/bin/grep
grep -v grep
1⤵
PID:715

/usr/bin/awk
awk "{print \$1}"
1⤵
PID:716

/bin/ps
ps x
1⤵
- Reads CPU attributes
- Reads runtime system information
PID:720

/bin/grep
grep kswapd0
1⤵
PID:721

/bin/grep
grep -v grep
1⤵
PID:722

/usr/bin/awk
awk "{print \$1}"
1⤵
PID:723

/bin/ps
ps x
1⤵
- Reads CPU attributes
- Reads runtime system information
PID:727

/bin/grep
grep ld-linux
1⤵
PID:728

/bin/grep
grep -v grep
1⤵
PID:729

/usr/bin/awk
awk "{print \$1}"
1⤵
PID:730

/bin/ps
ps x
1⤵
- Reads CPU attributes
- Reads runtime system information
PID:738

/bin/grep
grep Donald
1⤵
PID:739

/bin/grep
grep -v grep
1⤵
PID:740

/usr/bin/awk
awk "{print \$1}"
1⤵
PID:741

/bin/ps
ps x
1⤵
- Reads CPU attributes
- Reads runtime system information
PID:751

/bin/grep
grep xmr
1⤵
PID:752

/bin/grep
grep -v grep
1⤵
PID:753

/usr/bin/awk
awk "{print \$1}"
1⤵
PID:754

/bin/ps
ps x
1⤵
- Reads CPU attributes
- Reads runtime system information
PID:762

/bin/grep
grep xm64
1⤵
PID:763

/bin/grep
grep -v grep
1⤵
PID:764

/usr/bin/awk
awk "{print \$1}"
1⤵
PID:765

/tmp/.rsync/a/kswapd0
./kswapd0
1⤵
PID:828

/bin/sh
/bin/sh ./kswapd0
1⤵
PID:828

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Virtualization/Sandbox Evasion

T1497

Credential Access

Discovery

System Information Discovery

T1082

Virtualization/Sandbox Evasion

T1497

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

/tmp/.rsync/a/bash.pid

Filesize
4B

MD5
9e0c9fbe684c115ea5223e35e3c4c6be

SHA1
f342f444f2c7ecce487ce37d31eab50b7655e5e5

SHA256
ac02f8e59b39769bce3a413b06ca1ca1b52d785bd6d8768b1a7ff21ce21c5e69

SHA512
b010b13c8bf70debd87bc8d3fb7dde453692b45a2f1554d1a2fd7db9e81603620192c9c10bbaafa67c7096108614b8966f5531dc3b5ebd01f6b7d2f184ba6941

Download Submit
/tmp/.rsync/a/dir.dir

Filesize
14B

MD5
b3d878adcf4672bbd1f31cffac10c769

SHA1
ce5798837933ece35a7e26a0a3dc06cab19c6275

SHA256
ea5fce19c5fbbbc6c3c36eb9e8e295dfb525e9669aafaf8abe9ddb4e00e345c7

SHA512
019d21a618b3ccc70c0c7ede225cbbb704e2b448048586c44c74c81a747129da9f3f9675f2a29363af320d2684974a1ff00ac608c53de4458aeacd3ed4f9da2c

Download Submit
/tmp/.rsync/a/upd

Filesize
175B

MD5
a136fbe534c2487d3c89bd6a26847bd0

SHA1
11b9362ba79b67dd5d5baf7cf11e0003f049d6e0

SHA256
419a443ff93475ef3abb6e71e5a94e56aea8b7c1f1c4402b3662425815432d46

SHA512
85047cf9d22037d2581ae41275107b243c0bb3259b57fe46bd3fd04a1abe75a7fdeace8a9eae1fae31349a00183206b40259ab3957db8f4f16a79e67133485e9

Download Submit