xmrig_linux | 0dcfa54a7e8a4e631ef466670ce604a61f3b0e8b3e9cf72c943278c0f77c31a2

Analysis

max time kernel
0s
max time network
133s
platform
ubuntu-18.04_amd64
resource
ubuntu1804-amd64-20240226-en
resource tags

arch:amd64arch:i386image:ubuntu1804-amd64-20240226-enkernel:4.15.0-213-genericlocale:en-usos:ubuntu-18.04-amd64system
submitted
05/04/2024, 01:43

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

c76b11be6fdeb10b7fccd678b42a7c97_JaffaCakes118
Size

2.5MB
MD5

c76b11be6fdeb10b7fccd678b42a7c97
SHA1

e205276a72a6ae17adac5a4ed10123117e5a4e0f
SHA256

0dcfa54a7e8a4e631ef466670ce604a61f3b0e8b3e9cf72c943278c0f77c31a2
SHA512

1fc1ea1acd43d43fd4ee5b2d362246db95a36b16b3fa66c79466d96115a2c265f6b61602aa74e2f15e1aeef0bfa47ce6826bd7088ec53908cc5f103408d72a65
SSDEEP

49152:oIgrtR1Vl3vrk0c6wOu4hMs9jvlOQhmRYSoXFIz9MZeaFquFUTf80MGIDY9G:oIYtR1VK0c6wOu4PJ1wYTUA0M2G

Score

10^/10

xmrig_linux antivm miner

Malware Config

Signatures

xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig_linux

Changes its process name 1 IoCs

description	ioc	pid	Process
Changes the process name, possibly in an attempt to hide itself	Y1dsewLQ	1560	c76b11be6fdeb10b7fccd678b42a7c97_JaffaCakes118

Deletes itself 1 IoCs

pid	Process
1560	c76b11be6fdeb10b7fccd678b42a7c97_JaffaCakes118

Checks CPU configuration 1 TTPs 1 IoCs

Checks CPU information which indicate if the system is a virtual machine.

antivm

Virtualization/Sandbox Evasion

T1497

description	ioc	Process
File opened for reading	/proc/cpuinfo	c76b11be6fdeb10b7fccd678b42a7c97_JaffaCakes118

Checks hardware identifiers (DMI) 1 TTPs 4 IoCs

Checks DMI information which indicate if the system is a virtual machine.

antivm

Virtualization/Sandbox Evasion

T1497

description	ioc	Process
File opened for reading	/sys/devices/virtual/dmi/id/board_vendor	c76b11be6fdeb10b7fccd678b42a7c97_JaffaCakes118
File opened for reading	/sys/devices/virtual/dmi/id/bios_vendor	c76b11be6fdeb10b7fccd678b42a7c97_JaffaCakes118
File opened for reading	/sys/devices/virtual/dmi/id/sys_vendor	c76b11be6fdeb10b7fccd678b42a7c97_JaffaCakes118
File opened for reading	/sys/devices/virtual/dmi/id/product_name	c76b11be6fdeb10b7fccd678b42a7c97_JaffaCakes118

Reads CPU attributes 1 TTPs 2 IoCs

System Information Discovery

T1082

description	ioc	Process
File opened for reading	/sys/devices/system/cpu/online	c76b11be6fdeb10b7fccd678b42a7c97_JaffaCakes118
File opened for reading	/sys/devices/system/cpu/possible	c76b11be6fdeb10b7fccd678b42a7c97_JaffaCakes118

Reads hardware information 1 TTPs 14 IoCs

Accesses system info like serial numbers, manufacturer names etc.

System Information Discovery

T1082

description	ioc	Process
File opened for reading	/sys/devices/virtual/dmi/id/chassis_vendor	c76b11be6fdeb10b7fccd678b42a7c97_JaffaCakes118
File opened for reading	/sys/devices/virtual/dmi/id/chassis_type	c76b11be6fdeb10b7fccd678b42a7c97_JaffaCakes118
File opened for reading	/sys/devices/virtual/dmi/id/product_uuid	c76b11be6fdeb10b7fccd678b42a7c97_JaffaCakes118
File opened for reading	/sys/devices/virtual/dmi/id/chassis_version	c76b11be6fdeb10b7fccd678b42a7c97_JaffaCakes118
File opened for reading	/sys/devices/virtual/dmi/id/bios_date	c76b11be6fdeb10b7fccd678b42a7c97_JaffaCakes118
File opened for reading	/sys/devices/virtual/dmi/id/board_asset_tag	c76b11be6fdeb10b7fccd678b42a7c97_JaffaCakes118
File opened for reading	/sys/devices/virtual/dmi/id/board_name	c76b11be6fdeb10b7fccd678b42a7c97_JaffaCakes118
File opened for reading	/sys/devices/virtual/dmi/id/board_serial	c76b11be6fdeb10b7fccd678b42a7c97_JaffaCakes118
File opened for reading	/sys/devices/virtual/dmi/id/chassis_serial	c76b11be6fdeb10b7fccd678b42a7c97_JaffaCakes118
File opened for reading	/sys/devices/virtual/dmi/id/product_version	c76b11be6fdeb10b7fccd678b42a7c97_JaffaCakes118
File opened for reading	/sys/devices/virtual/dmi/id/board_version	c76b11be6fdeb10b7fccd678b42a7c97_JaffaCakes118
File opened for reading	/sys/devices/virtual/dmi/id/chassis_asset_tag	c76b11be6fdeb10b7fccd678b42a7c97_JaffaCakes118
File opened for reading	/sys/devices/virtual/dmi/id/bios_version	c76b11be6fdeb10b7fccd678b42a7c97_JaffaCakes118
File opened for reading	/sys/devices/virtual/dmi/id/product_serial	c76b11be6fdeb10b7fccd678b42a7c97_JaffaCakes118

Enumerates kernel/hardware configuration 1 TTPs 49 IoCs

Reads contents of /sys virtual filesystem to enumerate system information.

System Information Discovery

T1082

description	ioc	Process
File opened for reading	/sys/bus/node/devices/node0/access0/initiators	c76b11be6fdeb10b7fccd678b42a7c97_JaffaCakes118
File opened for reading	/sys/bus/cpu/devices/cpu0/topology/thread_siblings	c76b11be6fdeb10b7fccd678b42a7c97_JaffaCakes118
File opened for reading	/sys/bus/cpu/devices/cpu0/topology/die_cpus	c76b11be6fdeb10b7fccd678b42a7c97_JaffaCakes118
File opened for reading	/sys/bus/cpu/devices/cpu0/cache/index7/shared_cpu_map	c76b11be6fdeb10b7fccd678b42a7c97_JaffaCakes118
File opened for reading	/sys/bus/node/devices/node0/hugepages/hugepages-2048kB/nr_hugepages	c76b11be6fdeb10b7fccd678b42a7c97_JaffaCakes118
File opened for reading	/sys/bus/node/devices/node0/meminfo	c76b11be6fdeb10b7fccd678b42a7c97_JaffaCakes118
File opened for reading	/sys/bus/cpu/devices/cpu0/cache/index1/shared_cpu_map	c76b11be6fdeb10b7fccd678b42a7c97_JaffaCakes118
File opened for reading	/sys/bus/cpu/devices/cpu0/cache/index1/level	c76b11be6fdeb10b7fccd678b42a7c97_JaffaCakes118
File opened for reading	/sys/fs/cgroup/cpuset/cpuset.mems	c76b11be6fdeb10b7fccd678b42a7c97_JaffaCakes118
File opened for reading	/sys/devices/system/node/online	c76b11be6fdeb10b7fccd678b42a7c97_JaffaCakes118
File opened for reading	/sys/bus/cpu/devices/cpu0/cache/index3/physical_line_partition	c76b11be6fdeb10b7fccd678b42a7c97_JaffaCakes118
File opened for reading	/sys/bus/cpu/devices/cpu0/cache/index0/level	c76b11be6fdeb10b7fccd678b42a7c97_JaffaCakes118
File opened for reading	/sys/bus/cpu/devices/cpu0/cache/index0/physical_line_partition	c76b11be6fdeb10b7fccd678b42a7c97_JaffaCakes118
File opened for reading	/sys/bus/cpu/devices/cpu0/topology/physical_package_id	c76b11be6fdeb10b7fccd678b42a7c97_JaffaCakes118
File opened for reading	/sys/bus/cpu/devices/cpu0/cache/index0/size	c76b11be6fdeb10b7fccd678b42a7c97_JaffaCakes118
File opened for reading	/sys/bus/cpu/devices/cpu0/cache/index9/shared_cpu_map	c76b11be6fdeb10b7fccd678b42a7c97_JaffaCakes118
File opened for reading	/sys/kernel/mm/hugepages	c76b11be6fdeb10b7fccd678b42a7c97_JaffaCakes118
File opened for reading	/sys/bus/cpu/devices/cpu0/cache/index3/type	c76b11be6fdeb10b7fccd678b42a7c97_JaffaCakes118
File opened for reading	/sys/bus/cpu/devices/cpu0/cache/index2/size	c76b11be6fdeb10b7fccd678b42a7c97_JaffaCakes118
File opened for reading	/sys/bus/cpu/devices/cpu0/cache/index0/shared_cpu_map	c76b11be6fdeb10b7fccd678b42a7c97_JaffaCakes118
File opened for reading	/sys/bus/cpu/devices/cpu0/cache/index2/shared_cpu_map	c76b11be6fdeb10b7fccd678b42a7c97_JaffaCakes118
File opened for reading	/sys/bus/cpu/devices/cpu0/cache/index3/coherency_line_size	c76b11be6fdeb10b7fccd678b42a7c97_JaffaCakes118
File opened for reading	/sys/fs/cgroup/cpuset/cpuset.cpus	c76b11be6fdeb10b7fccd678b42a7c97_JaffaCakes118
File opened for reading	/sys/bus/cpu/devices/cpu0/cache/index0/type	c76b11be6fdeb10b7fccd678b42a7c97_JaffaCakes118
File opened for reading	/sys/bus/cpu/devices/cpu0/cache/index2/type	c76b11be6fdeb10b7fccd678b42a7c97_JaffaCakes118
File opened for reading	/sys/devices/virtual/dmi/id	c76b11be6fdeb10b7fccd678b42a7c97_JaffaCakes118
File opened for reading	/sys/bus/cpu/devices/cpu0/cache/index8/shared_cpu_map	c76b11be6fdeb10b7fccd678b42a7c97_JaffaCakes118
File opened for reading	/sys/kernel/mm/hugepages/hugepages-2048kB/nr_hugepages	c76b11be6fdeb10b7fccd678b42a7c97_JaffaCakes118
File opened for reading	/sys/bus/dax/devices	c76b11be6fdeb10b7fccd678b42a7c97_JaffaCakes118
File opened for reading	/sys/bus/cpu/devices/cpu0/cache/index0/number_of_sets	c76b11be6fdeb10b7fccd678b42a7c97_JaffaCakes118
File opened for reading	/sys/bus/cpu/devices/cpu0/cache/index2/coherency_line_size	c76b11be6fdeb10b7fccd678b42a7c97_JaffaCakes118
File opened for reading	/sys/bus/cpu/devices/cpu0/topology/core_siblings	c76b11be6fdeb10b7fccd678b42a7c97_JaffaCakes118
File opened for reading	/sys/bus/cpu/devices/cpu0/cache/index5/shared_cpu_map	c76b11be6fdeb10b7fccd678b42a7c97_JaffaCakes118
File opened for reading	/sys/bus/cpu/devices/cpu0/topology/core_id	c76b11be6fdeb10b7fccd678b42a7c97_JaffaCakes118
File opened for reading	/sys/bus/cpu/devices/cpu0/cache/index2/level	c76b11be6fdeb10b7fccd678b42a7c97_JaffaCakes118
File opened for reading	/sys/bus/cpu/devices/cpu0/cache/index3/number_of_sets	c76b11be6fdeb10b7fccd678b42a7c97_JaffaCakes118
File opened for reading	/sys/bus/cpu/devices/cpu0/cache/index1/type	c76b11be6fdeb10b7fccd678b42a7c97_JaffaCakes118
File opened for reading	/sys/bus/node/devices/node0/hugepages	c76b11be6fdeb10b7fccd678b42a7c97_JaffaCakes118
File opened for reading	/sys/fs/cgroup/unified/cgroup.controllers	c76b11be6fdeb10b7fccd678b42a7c97_JaffaCakes118
File opened for reading	/sys/bus/cpu/devices/cpu0/cache/index0/coherency_line_size	c76b11be6fdeb10b7fccd678b42a7c97_JaffaCakes118
File opened for reading	/sys/bus/cpu/devices/cpu0/cache/index3/size	c76b11be6fdeb10b7fccd678b42a7c97_JaffaCakes118
File opened for reading	/sys/bus/cpu/devices/cpu0/cache/index6/shared_cpu_map	c76b11be6fdeb10b7fccd678b42a7c97_JaffaCakes118
File opened for reading	/sys/bus/node/devices/node0/cpumap	c76b11be6fdeb10b7fccd678b42a7c97_JaffaCakes118
File opened for reading	/sys/bus/cpu/devices/cpu0/cache/index3/shared_cpu_map	c76b11be6fdeb10b7fccd678b42a7c97_JaffaCakes118
File opened for reading	/sys/bus/cpu/devices/cpu0/cache/index3/level	c76b11be6fdeb10b7fccd678b42a7c97_JaffaCakes118
File opened for reading	/sys/bus/cpu/devices/cpu0/cache/index4/shared_cpu_map	c76b11be6fdeb10b7fccd678b42a7c97_JaffaCakes118
File opened for reading	/sys/bus/cpu/devices	c76b11be6fdeb10b7fccd678b42a7c97_JaffaCakes118
File opened for reading	/sys/bus/cpu/devices/cpu0/cache/index2/number_of_sets	c76b11be6fdeb10b7fccd678b42a7c97_JaffaCakes118
File opened for reading	/sys/bus/cpu/devices/cpu0/cache/index2/physical_line_partition	c76b11be6fdeb10b7fccd678b42a7c97_JaffaCakes118

Reads runtime system information 4 IoCs

Reads data from /proc virtual filesystem.

description	ioc	Process
File opened for reading	/proc/mounts	c76b11be6fdeb10b7fccd678b42a7c97_JaffaCakes118
File opened for reading	/proc/self/cpuset	c76b11be6fdeb10b7fccd678b42a7c97_JaffaCakes118
File opened for reading	/proc/meminfo	c76b11be6fdeb10b7fccd678b42a7c97_JaffaCakes118
File opened for reading	/proc/driver/nvidia/gpus	c76b11be6fdeb10b7fccd678b42a7c97_JaffaCakes118

Writes file to tmp directory 1 IoCs

Malware often drops required files in the /tmp directory.

description	ioc	Process
File opened for modification	/tmp/.X11-unix/11	c76b11be6fdeb10b7fccd678b42a7c97_JaffaCakes118

/tmp/c76b11be6fdeb10b7fccd678b42a7c97_JaffaCakes118
/tmp/c76b11be6fdeb10b7fccd678b42a7c97_JaffaCakes118
1⤵
- Changes its process name
- Deletes itself
- Checks CPU configuration
- Checks hardware identifiers (DMI)
- Reads CPU attributes
- Reads hardware information
- Enumerates kernel/hardware configuration
- Reads runtime system information
- Writes file to tmp directory
PID:1560

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Virtualization/Sandbox Evasion

T1497

Credential Access

Discovery

System Information Discovery

T1082

Virtualization/Sandbox Evasion

T1497

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

/tmp/.X11-unix/11

Filesize
5B

MD5
9039319d032a0febf1a9548e8a02b98b

SHA1
3a360108f2492e11d9874760dbe30e1d395a2411

SHA256
5d7611d5935edd152bfb53cb0eb6050771def03e0a1a6223afb8301109bfd536

SHA512
5c123b72972ed5a03987b3e5400f7b5a28836c9dbc1097762567734437f7bb98ebb88633433f414f02601c6fad91176607bb16bf0bf011a9ce71fd4388fba6ee

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads