xmrig | a4000315471cf197c0552aeec0e7afbe0a935b86ff9afe5b1443812d3f7185fa

Analysis

max time kernel
15s
max time network
150s
platform
ubuntu-18.04_amd64
resource
ubuntu1804-amd64-20240226-en
resource tags

arch:amd64arch:i386image:ubuntu1804-amd64-20240226-enkernel:4.15.0-213-genericlocale:en-usos:ubuntu-18.04-amd64system
submitted
10-04-2024 13:08

Target

a4000315471cf197c0552aeec0e7afbe0a935b86ff9afe5b1443812d3f7185fa
Size

34KB
MD5

54130adf66d5bfa4e4b9f04b3933e493
SHA1

1c5f5986b92e3392d4cfaa531c88cd06b5cfd361
SHA256

a4000315471cf197c0552aeec0e7afbe0a935b86ff9afe5b1443812d3f7185fa
SHA512

dc9a8b01fc16686fed8d82a89147cd614a8c6f5a20aa324fd8922cca0a0aa3bf03c2d1407bd5028789864b1a429a31b2bf904a07101bca9d5c76488ec69da82d
SSDEEP

768:dBxlT2wDGWvWCrESA+FylT4hxXpGdKI3oB6kX7sdrCIZMfXxK2eJ5tLW:YDSA+Fyl1dRoZ7q9W

Score

10^/10

XMRig Miner payload 2 IoCs

miner

Processes:

resource	yara_rule
behavioral1/files/fstream-6.dat	family_xmrig
behavioral1/files/fstream-6.dat	xmrig

xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

Modifies the dynamic linker configuration file 1 TTPs 1 IoCs

Malware can modify the configuration file of the dynamic linker to preload malicous libraries with every executed process.

Hijack Execution Flow

Processes:

a4000315471cf197c0552aeec0e7afbe0a935b86ff9afe5b1443812d3f7185fa

description	ioc	Process
File opened for modification	/etc/ld.so.preload	a4000315471cf197c0552aeec0e7afbe0a935b86ff9afe5b1443812d3f7185fa

Adds new SSH keys 2 IoCs

Linux special file to hold SSH keys. The threat actor may add new keys for further remote access.

Processes:

a4000315471cf197c0552aeec0e7afbe0a935b86ff9afe5b1443812d3f7185fa

description	ioc	Process
File opened for modification	/root/.ssh/authorized_keys	a4000315471cf197c0552aeec0e7afbe0a935b86ff9afe5b1443812d3f7185fa
File opened for modification	/root/.ssh/authorized_keys2