xmrig | 9b81bad2111312e669697b69b9f121a1f9519da61cd5d37689e38381c1ffad28

Resubmissions

30/04/2024, 12:54

240430-p48r9sfd8w 10

30/04/2024, 12:53

240430-p4y8tsha74 7

Analysis

max time kernel
299s
max time network
295s
platform
ubuntu-18.04_amd64
resource
ubuntu1804-amd64-20240226-en
resource tags

arch:amd64arch:i386image:ubuntu1804-amd64-20240226-enkernel:4.15.0-213-genericlocale:en-usos:ubuntu-18.04-amd64system
submitted
30/04/2024, 12:54

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

miner
Size

1.7MB
MD5

44de739950eb4a8a3552b4e1987e8ec2
SHA1

0ae049aab363fb8d2e164150dffbafd332725e00
SHA256

9b81bad2111312e669697b69b9f121a1f9519da61cd5d37689e38381c1ffad28
SHA512

92ec17d3929b16353b40b29eefb5ad1de26621a20dc1c065e7cd9f294a9763844ff8673730d00f1a255ad4d42e06a1fb3171822db59dd20c639d3ff691256a7c
SSDEEP

49152:njEflQ/573nydbeONLwFCRTrgcSzNpZWPU6B:jEflQRTydb/ZwGrwzNpCB

Score

10^/10

xmrig antivm miner rootkit

Malware Config

Signatures

xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

XMRig Miner payload 1 IoCs

miner

resource	yara_rule
behavioral6/memory/1571-1-0x0000000000400000-0x0000000000acfb60-memory.dmp	xmrig

Loads a kernel module 1 IoCs

Loads a Linux kernel module, potentially to achieve persistence

rootkit

ioc	pid	Process
/lib/modules/4.15.0-213-generic/kernel/arch/x86/kernel/msr.ko	1605	modprobe

Modifies hosts file 1 IoCs

Adds to hosts file used for mapping hosts to IP addresses.

description	ioc	Process
File opened for modification	/etc/hosts	miner

Checks hardware identifiers (DMI) 1 TTPs 4 IoCs

Checks DMI information which indicate if the system is a virtual machine.

antivm

Virtualization/Sandbox Evasion

T1497

description	ioc	Process
File opened for reading	/sys/devices/virtual/dmi/id/board_vendor	miner
File opened for reading	/sys/devices/virtual/dmi/id/bios_vendor	miner
File opened for reading	/sys/devices/virtual/dmi/id/sys_vendor	miner
File opened for reading	/sys/devices/virtual/dmi/id/product_name	miner

Reads hardware information 1 TTPs 14 IoCs

Accesses system info like serial numbers, manufacturer names etc.

System Information Discovery

T1082

description	ioc	Process
File opened for reading	/sys/devices/virtual/dmi/id/board_version	miner
File opened for reading	/sys/devices/virtual/dmi/id/chassis_serial	miner
File opened for reading	/sys/devices/virtual/dmi/id/board_asset_tag	miner
File opened for reading	/sys/devices/virtual/dmi/id/chassis_vendor	miner
File opened for reading	/sys/devices/virtual/dmi/id/chassis_version	miner
File opened for reading	/sys/devices/virtual/dmi/id/bios_version	miner
File opened for reading	/sys/devices/virtual/dmi/id/product_version	miner
File opened for reading	/sys/devices/virtual/dmi/id/product_uuid	miner
File opened for reading	/sys/devices/virtual/dmi/id/board_serial	miner
File opened for reading	/sys/devices/virtual/dmi/id/chassis_type	miner
File opened for reading	/sys/devices/virtual/dmi/id/chassis_asset_tag	miner
File opened for reading	/sys/devices/virtual/dmi/id/product_serial	miner
File opened for reading	/sys/devices/virtual/dmi/id/board_name	miner
File opened for reading	/sys/devices/virtual/dmi/id/bios_date	miner

Checks CPU configuration 1 TTPs 1 IoCs

Checks CPU information which indicate if the system is a virtual machine.

antivm

Virtualization/Sandbox Evasion

T1497

description	ioc	Process
File opened for reading	/proc/cpuinfo	miner

Reads CPU attributes 1 TTPs 2 IoCs

System Information Discovery

T1082

description	ioc	Process
File opened for reading	/sys/devices/system/cpu/online	miner
File opened for reading	/sys/devices/system/cpu/possible	miner

Enumerates kernel/hardware configuration 1 TTPs 64 IoCs

Reads contents of /sys virtual filesystem to enumerate system information.

System Information Discovery

T1082

description	ioc	Process
File opened for reading	/sys/bus/node/devices/node0/access0/initiators/read_bandwidth	miner
File opened for reading	/sys/devices/virtual/dmi/id	miner
File opened for reading	/sys/bus/cpu/devices/cpu0/topology/thread_siblings	miner
File opened for reading	/sys/bus/cpu/devices/cpu0/cache/index0/size	miner
File opened for reading	/sys/bus/node/devices/node0/access0/initiators	miner
File opened for reading	/sys/bus/cpu/devices/cpu0/cache/index0/shared_cpu_map	miner
File opened for reading	/sys/bus/node/devices/node0/access1/initiators	miner
File opened for reading	/sys/bus/cpu/devices/cpu0/cache/index3/level	miner
File opened for reading	/sys/kernel/mm/hugepages/hugepages-2048kB/nr_hugepages	miner
File opened for reading	/sys/bus/cpu/devices	miner
File opened for reading	/sys/bus/cpu/devices/cpu0/cache/index2/number_of_sets	miner
File opened for reading	/sys/bus/cpu/devices/cpu0/cache/index2/coherency_line_size	miner
File opened for reading	/sys/bus/cpu/devices/cpu0/cache/index2/physical_line_partition	miner
File opened for reading	/sys/bus/cpu/devices/cpu0/cache/index8/shared_cpu_map	miner
File opened for reading	/sys/bus/cpu/devices/cpu0/cpufreq/cpuinfo_max_freq	miner
File opened for reading	/sys/bus/cpu/devices/cpu0/cache/index0/number_of_sets	miner
File opened for reading	/sys/bus/cpu/devices/cpu0/cache/index2/size	miner
File opened for reading	/sys/bus/cpu/devices/cpu0/cache/index1/level	miner
File opened for reading	/sys/bus/dax/devices	miner
File opened for reading	/sys/bus/cpu/devices/cpu0/topology/physical_package_id	miner
File opened for reading	/sys/bus/cpu/devices/cpu0/cache/index0/physical_line_partition	miner
File opened for reading	/sys/bus/cpu/devices/cpu0/topology/die_cpus	miner
File opened for reading	/sys/bus/cpu/devices/cpu0/cache/index3/size	miner
File opened for reading	/sys/bus/cpu/devices/cpu0/cache/index6/shared_cpu_map	miner
File opened for reading	/sys/bus/cpu/devices/cpu0/cache/index7/shared_cpu_map	miner
File opened for reading	/sys/bus/node/devices/node0/meminfo	miner
File opened for reading	/sys/fs/cgroup/unified/cgroup.controllers	miner
File opened for reading	/sys/bus/cpu/devices/cpu0/topology/core_id	miner
File opened for reading	/sys/bus/cpu/devices/cpu0/cpufreq/base_frequency	miner
File opened for reading	/sys/bus/cpu/devices/cpu0/cache/index0/id	miner
File opened for reading	/sys/bus/cpu/devices/cpu0/cache/index2/id	miner
File opened for reading	/sys/devices/system/node/node0/hugepages/hugepages-2048kB/free_hugepages	miner
File opened for reading	/sys/bus/cpu/devices/cpu0/cache/index2/type	miner
File opened for reading	/sys/bus/cpu/devices/cpu0/cache/index9/shared_cpu_map	miner
File opened for reading	/sys/bus/cpu/devices/cpu0/cache/index4/shared_cpu_map	miner
File opened for reading	/sys/bus/cpu/devices/cpu0/cpu_capacity	miner
File opened for reading	/sys/bus/node/devices/node0/hugepages	miner
File opened for reading	/sys/bus/cpu/devices/cpu0/cache/index0/type	miner
File opened for reading	/sys/bus/cpu/devices/cpu0/cache/index1/id	miner
File opened for reading	/sys/bus/cpu/devices/cpu0/cache/index1/type	miner
File opened for reading	/sys/module/msr/initstate	modprobe
File opened for reading	/sys/bus/cpu/devices/cpu0/topology/core_siblings	miner
File opened for reading	/sys/bus/cpu/devices/cpu0/cache/index0/level	miner
File opened for reading	/sys/bus/cpu/devices/cpu0/cache/index1/shared_cpu_map	miner
File opened for reading	/sys/bus/cpu/devices/cpu0/cache/index3/shared_cpu_map	miner
File opened for reading	/sys/devices/system/node/node0/hugepages/hugepages-2048kB/nr_hugepages	miner
File opened for reading	/sys/fs/cgroup/cpuset/cpuset.cpus	miner
File opened for reading	/sys/fs/cgroup/cpuset/cpuset.mems	miner
File opened for reading	/sys/kernel/mm/hugepages	miner
File opened for reading	/sys/bus/cpu/devices/cpu0/cache/index3/type	miner
File opened for reading	/sys/bus/cpu/devices/cpu0/cache/index3/coherency_line_size	miner
File opened for reading	/sys/bus/cpu/devices/cpu0/cache/index3/physical_line_partition	miner
File opened for reading	/sys/bus/node/devices/node0/hugepages/hugepages-2048kB/nr_hugepages	miner
File opened for reading	/sys/firmware/dmi/tables/smbios_entry_point	miner
File opened for reading	/sys/bus/cpu/devices/cpu0/cache/index3/id	miner
File opened for reading	/sys/bus/cpu/devices/cpu0/cache/index3/number_of_sets	miner
File opened for reading	/sys/devices/system/node/online	miner
File opened for reading	/sys/bus/node/devices/node0/access0/initiators/read_latency	miner
File opened for reading	/sys/bus/cpu/devices/cpu0/cache/index2/level	miner
File opened for reading	/sys/bus/cpu/devices/cpu0/cache/index5/shared_cpu_map	miner
File opened for reading	/sys/bus/node/devices/node0/cpumap	miner
File opened for reading	/sys/firmware/dmi/tables/DMI	miner
File opened for reading	/sys/bus/cpu/devices/cpu0/cache/index0/coherency_line_size	miner
File opened for reading	/sys/bus/cpu/devices/cpu0/cache/index2/shared_cpu_map	miner

Reads runtime system information 6 IoCs

Reads data from /proc virtual filesystem.

description	ioc	Process
File opened for reading	/proc/driver/nvidia/gpus	miner
File opened for reading	/proc/filesystems	mount
File opened for reading	/proc/cmdline	modprobe
File opened for reading	/proc/mounts	miner
File opened for reading	/proc/self/cpuset	miner
File opened for reading	/proc/meminfo	miner

/tmp/miner
/tmp/miner
1⤵
- Modifies hosts file
- Checks hardware identifiers (DMI)
- Reads hardware information
- Checks CPU configuration
- Reads CPU attributes
- Enumerates kernel/hardware configuration
- Reads runtime system information
PID:1571
- /bin/sh
  sh -c "rm -f /etc/hosts.old"
  2⤵
  PID:1575
- - /bin/rm
    rm -f /etc/hosts.old
    3⤵
    PID:1576
- /bin/sh
  sh -c "mount --bind /proc/1 /proc/1596"
  2⤵
  PID:1597
- - /bin/mount
    mount --bind /proc/1 /proc/1596
    3⤵
    - Reads runtime system information
    PID:1598
- /bin/sh
  sh -c "/sbin/modprobe msr allow_writes=on > /dev/null 2>&1"
  2⤵
  PID:1604
- - /sbin/modprobe
    /sbin/modprobe msr "allow_writes=on"
    3⤵
    - Loads a kernel module
    - Enumerates kernel/hardware configuration
    - Reads runtime system information
    PID:1605

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Virtualization/Sandbox Evasion

T1497

Credential Access

Discovery

System Information Discovery

T1082

Virtualization/Sandbox Evasion

T1497

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

/etc/hosts

Filesize
219B

MD5
f483993c70d12ecfd5a5fe3ed5b10244

SHA1
386b3c58555b1337c5a2496efdb7436295256796

SHA256
908b62e9f94cc492b2ad465bfae5ba6bb5cfffd9ad7af21cdb79821ee118f409

SHA512
c60a7528f3d5b5b97d79c7973153cb7a915de04fd717e9ca7c8bdf4093a747146d405c15d47f822dc1b72bcd87b19ab276e9069c3f41bc5bb4dbfd88fd469aaa

Download Submit
/run/mountinfo

Filesize
16B

MD5
f9dd9ba2754748787854c794e74d4e31

SHA1
bd25ec2daaa1de29295717ffa4e6175cffe69fc9

SHA256
0bd9fbee3e2f7b17dc36734ba694dd2f2e76db6695b0cd0fa68a1ebc409c9f76

SHA512
0517045474c211878281e1be23b0da766966428c118e65014ef537d8a35b923c21644171ceb35d9b045fadc446cab21103ad0ef466e977e4c2228db5d4b2c09e

Download Submit
/run/mountinfo.log

Filesize
2KB

MD5
5142e146b4519f90c774eca0322da15b

SHA1
9ba6596a2f3ba3fe37d6895ce9ac915f4b3e8cb1

SHA256
d60c7bea539d2979959daaf80b1c8e2bd5c208f61e6417cdea5a1c13c68e8b60

SHA512
00bb4c41b15d416a54d5e2c72a6b665270ea016531bd6683ba1ba8f3184a09f14fae7cad188ca4267373f40dc09299dce4a7c0ea792622d500285c0da1d3de0c

Download Submit

Resubmissions

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads