xmrig_linux | 105e32c8ef13d4d001923c1a43a8849d069fc4adebe48e5e6a9e726eb605ce31

Analysis

max time kernel
1s
max time network
478s
platform
ubuntu-20.04_amd64
resource
ubuntu2004-amd64-20240221-en
resource tags

arch:amd64arch:i386image:ubuntu2004-amd64-20240221-enkernel:5.4.0-169-genericlocale:en-usos:ubuntu-20.04-amd64system
submitted
15-04-2024 16:01

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

.rsync/a/stop
Size

703B
MD5

ff77f6a6f72a80258f484c99fdeb4626
SHA1

36aa94b0ca1ced83d1a24f954f7e2113727797ef
SHA256

d3bf59b23ca07761b6a13739894fec5516a47e388ea3cae9f54a076c0be81c54
SHA512

4f18f5e91f2c791b27d5121a852f7457ba6c3e5193b510868dc412325978a96a60b303c0c1713fc13856c8827a39ee1c0476fb19b397f59a474e13b0896c003d

Score

10^/10

xmrig_linux miner

Malware Config

Signatures

xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig_linux

Attempts to change immutable files 1 IoCs

Modifies inode attributes on the filesystem to allow changing of immutable files.

Processes:

chattr

pid	Process
1491	chattr

Enumerates running processes
Discovers information about currently running processes on the system

Reads CPU attributes 1 TTPs 12 IoCs

System Information Discovery

T1082

Processes:

pkillpkillpkillpspkillpkillpspspspkillpsps

description	ioc	Process
File opened for reading	/sys/devices/system/cpu/online	pkill
File opened for reading	/sys/devices/system/cpu/online	pkill
File opened for reading	/sys/devices/system/cpu/online	pkill
File opened for reading	/sys/devices/system/cpu/online	ps
File opened for reading	/sys/devices/system/cpu/online	pkill
File opened for reading	/sys/devices/system/cpu/online	pkill
File opened for reading	/sys/devices/system/cpu/online	ps
File opened for reading	/sys/devices/system/cpu/online	ps
File opened for reading	/sys/devices/system/cpu/online	ps
File opened for reading	/sys/devices/system/cpu/online	pkill
File opened for reading	/sys/devices/system/cpu/online	ps
File opened for reading	/sys/devices/system/cpu/online	ps

Reads runtime system information 64 IoCs

Reads data from /proc virtual filesystem.

Processes:

pskillallkillallpspkillpkillpkillpskillallkillallpkillpspspkillpspkill

description	ioc	Process
File opened for reading	/proc/585/cmdline	ps
File opened for reading	/proc/175/stat	killall
File opened for reading	/proc/1440/stat	killall
File opened for reading	/proc/1440/cmdline	ps
File opened for reading	/proc/975/cmdline	pkill
File opened for reading	/proc/4/status	pkill
File opened for reading	/proc/75/stat	killall
File opened for reading	/proc/1418/status	pkill
File opened for reading	/proc/270/status	ps
File opened for reading	/proc/1423/cmdline	ps
File opened for reading	/proc/1426/stat	killall
File opened for reading	/proc/102/stat	killall
File opened for reading	/proc/1316/status	pkill
File opened for reading	/proc/10/cmdline	ps
File opened for reading	/proc/79/cmdline	ps
File opened for reading	/proc/168/status	pkill
File opened for reading	/proc/1421/cmdline	ps
File opened for reading	/proc/86/cmdline	ps
File opened for reading	/proc/82/status	pkill
File opened for reading	/proc/73/cmdline	ps
File opened for reading	/proc/276/cmdline	ps
File opened for reading	/proc/401/status	pkill
File opened for reading	/proc/20/cmdline	pkill
File opened for reading	/proc/270/cmdline	pkill
File opened for reading	/proc/1238/status	pkill
File opened for reading	/proc/172/status	pkill
File opened for reading	/proc/453/stat	ps
File opened for reading	/proc/3/cmdline	pkill
File opened for reading	/proc/176/stat	killall
File opened for reading	/proc/1037/cmdline	ps
File opened for reading	/proc/547/cmdline	pkill
File opened for reading	/proc/1104/status	ps
File opened for reading	/proc/1058/cmdline	ps
File opened for reading	/proc/488/cmdline	pkill
File opened for reading	/proc/1425/cmdline	ps
File opened for reading	/proc/1477/cmdline	ps
File opened for reading	/proc/1291/status	pkill
File opened for reading	/proc/539/stat	ps
File opened for reading	/proc/13/stat	ps
File opened for reading	/proc/272/status	ps
File opened for reading	/proc/73/status	pkill
File opened for reading	/proc/74/status	ps
File opened for reading	/proc/165/cmdline	ps
File opened for reading	/proc/11/stat	ps
File opened for reading	/proc/694/cmdline	pkill
File opened for reading	/proc/170/status	ps
File opened for reading	/proc/1081/stat	killall
File opened for reading	/proc/5/status	ps
File opened for reading	/proc/813/stat	ps
File opened for reading	/proc/16/cmdline	pkill
File opened for reading	/proc/1000/status	pkill
File opened for reading	/proc/679/status	pkill
File opened for reading	/proc/1143/cmdline	pkill
File opened for reading	/proc/162/stat	killall
File opened for reading	/proc/74/cmdline	pkill
File opened for reading	/proc/1/status	ps
File opened for reading	/proc/1084/status	ps
File opened for reading	/proc/788/stat	ps
File opened for reading	/proc/547/status	ps
File opened for reading	/proc/16/cmdline	ps
File opened for reading	/proc/788/status	ps
File opened for reading	/proc/1120/cmdline	ps
File opened for reading	/proc/1304/cmdline	ps
File opened for reading	/proc/159/cmdline	pkill

Writes file to tmp directory 1 IoCs

Malware often drops required files in the /tmp directory.

Processes:

stop

description	ioc	Process
File opened for modification	/tmp/.rsync/a/.proc	stop

/tmp/.rsync/a/stop
/tmp/.rsync/a/stop
1⤵
- Writes file to tmp directory
PID:1490
- /usr/bin/chattr
  chattr -ia "~/.xmrig.json"
  2⤵
  - Attempts to change immutable files
  PID:1491
- /usr/bin/rm
  rm -rf "~/.xmrig.json"
  2⤵
  PID:1492
- /usr/bin/pkill
  pkill -9 cron
  2⤵
  - Reads CPU attributes
  - Reads runtime system information
  PID:1493
- /usr/bin/killall
  killall -9 cron
  2⤵
  - Reads runtime system information
  PID:1497
- /usr/bin/pkill
  pkill -9 kswapd0
  2⤵
  - Reads CPU attributes
  - Reads runtime system information
  PID:1504
- /usr/bin/killall
  killall -9 kswapd0
  2⤵
  PID:1505
- /usr/bin/pkill
  pkill -9 ld-linux
  2⤵
  - Reads CPU attributes
  - Reads runtime system information
  PID:1513
- /usr/bin/killall
  killall -9 ld-linux
  2⤵
  PID:1515
- /usr/bin/pkill
  pkill -9 Donald
  2⤵
  - Reads CPU attributes
  - Reads runtime system information
  PID:1521
- /usr/bin/killall
  killall -9 Donald
  2⤵
  - Reads runtime system information
  PID:1522
- /usr/bin/pkill
  pkill -9 xmr
  2⤵
  - Reads CPU attributes
  - Reads runtime system information
  PID:1528
- /usr/bin/killall
  killall -9 xmr
  2⤵
  - Reads runtime system information
  PID:1529
- /usr/bin/pkill
  pkill -9 xm64
  2⤵
  - Reads CPU attributes
  - Reads runtime system information
  PID:1540
- /usr/bin/killall
  killall -9 xm64
  2⤵
  - Reads runtime system information
  PID:1541
- /usr/bin/rm
  rm -rf .proc
  2⤵
  PID:1547

/usr/bin/awk
awk "{print \$1}"
1⤵
PID:1502

/usr/bin/grep
grep -v grep
1⤵
PID:1501

/usr/bin/grep
grep cron
1⤵
PID:1500

/usr/bin/ps
ps x
1⤵
- Reads CPU attributes
- Reads runtime system information
PID:1499

/usr/bin/awk
awk "{print \$1}"
1⤵
PID:1510

/usr/bin/grep
grep -v grep
1⤵
PID:1509

/usr/bin/grep
grep kswapd0
1⤵
PID:1508

/usr/bin/ps
ps x
1⤵
- Reads CPU attributes
- Reads runtime system information
PID:1507

/usr/bin/awk
awk "{print \$1}"
1⤵
PID:1520

/usr/bin/grep
grep -v grep
1⤵
PID:1519

/usr/bin/grep
grep ld-linux
1⤵
PID:1518

/usr/bin/ps
ps x
1⤵
- Reads CPU attributes
- Reads runtime system information
PID:1517

/usr/bin/awk
awk "{print \$1}"
1⤵
PID:1527

/usr/bin/grep
grep -v grep
1⤵
PID:1526

/usr/bin/grep
grep Donald
1⤵
PID:1525

/usr/bin/ps
ps x
1⤵
- Reads CPU attributes
- Reads runtime system information
PID:1524

/usr/bin/awk
awk "{print \$1}"
1⤵
PID:1537

/usr/bin/grep
grep -v grep
1⤵
PID:1536

/usr/bin/grep
grep xmr
1⤵
PID:1535

/usr/bin/ps
ps x
1⤵
- Reads CPU attributes
- Reads runtime system information
PID:1534

/usr/bin/awk
awk "{print \$1}"
1⤵
PID:1546

/usr/bin/grep
grep -v grep
1⤵
PID:1545

/usr/bin/grep
grep xm64
1⤵
PID:1544

/usr/bin/ps
ps x
1⤵
- Reads CPU attributes
- Reads runtime system information
PID:1543

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads