xmrig | 9b81bad2111312e669697b69b9f121a1f9519da61cd5d37689e38381c1ffad28

General

Target

SecuriteInfo.com.PUA.Tool.Linux.BtcMine.4274.18395.31150.elf
Size

1.7MB
MD5

44de739950eb4a8a3552b4e1987e8ec2
SHA1

0ae049aab363fb8d2e164150dffbafd332725e00
SHA256

9b81bad2111312e669697b69b9f121a1f9519da61cd5d37689e38381c1ffad28
SHA512

92ec17d3929b16353b40b29eefb5ad1de26621a20dc1c065e7cd9f294a9763844ff8673730d00f1a255ad4d42e06a1fb3171822db59dd20c639d3ff691256a7c
SSDEEP

49152:njEflQ/573nydbeONLwFCRTrgcSzNpZWPU6B:jEflQRTydb/ZwGrwzNpCB

Score

10^/10

xmrig antivm miner

Malware Config

Signatures

xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

XMRig Miner payload 1 IoCs

miner

Processes:

resource	yara_rule
behavioral1/memory/1494-1-0x0000000000400000-0x0000000000acfb60-memory.dmp	xmrig

Modifies hosts file 1 IoCs
Adds to hosts file used for mapping hosts to IP addresses.

Processes:

SecuriteInfo.com.PUA.Tool.Linux.BtcMine.4274.18395.31150.elf

description ioc process

File opened for modification /etc/hosts SecuriteInfo.com.PUA.Tool.Linux.BtcMine.4274.18395.31150.elf

description	ioc	process
File opened for modification	/etc/hosts	SecuriteInfo.com.PUA.Tool.Linux.BtcMine.4274.18395.31150.elf

Checks hardware identifiers (DMI) 1 TTPs 4 IoCs

Checks DMI information which indicate if the system is a virtual machine.

antivm

Virtualization/Sandbox Evasion

T1497

Processes:

SecuriteInfo.com.PUA.Tool.Linux.BtcMine.4274.18395.31150.elf

description	ioc	process
File opened for reading	/sys/devices/virtual/dmi/id/product_name	SecuriteInfo.com.PUA.Tool.Linux.BtcMine.4274.18395.31150.elf
File opened for reading	/sys/devices/virtual/dmi/id/board_vendor	SecuriteInfo.com.PUA.Tool.Linux.BtcMine.4274.18395.31150.elf
File opened for reading	/sys/devices/virtual/dmi/id/bios_vendor	SecuriteInfo.com.PUA.Tool.Linux.BtcMine.4274.18395.31150.elf
File opened for reading	/sys/devices/virtual/dmi/id/sys_vendor	SecuriteInfo.com.PUA.Tool.Linux.BtcMine.4274.18395.31150.elf

Reads hardware information 1 TTPs 14 IoCs

Accesses system info like serial numbers, manufacturer names etc.

System Information Discovery

T1082

Processes:

SecuriteInfo.com.PUA.Tool.Linux.BtcMine.4274.18395.31150.elf

description	ioc	process
File opened for reading	/sys/devices/virtual/dmi/id/product_serial	SecuriteInfo.com.PUA.Tool.Linux.BtcMine.4274.18395.31150.elf
File opened for reading	/sys/devices/virtual/dmi/id/board_serial	SecuriteInfo.com.PUA.Tool.Linux.BtcMine.4274.18395.31150.elf
File opened for reading	/sys/devices/virtual/dmi/id/product_version	SecuriteInfo.com.PUA.Tool.Linux.BtcMine.4274.18395.31150.elf
File opened for reading	/sys/devices/virtual/dmi/id/board_version	SecuriteInfo.com.PUA.Tool.Linux.BtcMine.4274.18395.31150.elf
File opened for reading	/sys/devices/virtual/dmi/id/board_asset_tag	SecuriteInfo.com.PUA.Tool.Linux.BtcMine.4274.18395.31150.elf
File opened for reading	/sys/devices/virtual/dmi/id/chassis_serial	SecuriteInfo.com.PUA.Tool.Linux.BtcMine.4274.18395.31150.elf
File opened for reading	/sys/devices/virtual/dmi/id/bios_date	SecuriteInfo.com.PUA.Tool.Linux.BtcMine.4274.18395.31150.elf
File opened for reading	/sys/devices/virtual/dmi/id/chassis_version	SecuriteInfo.com.PUA.Tool.Linux.BtcMine.4274.18395.31150.elf
File opened for reading	/sys/devices/virtual/dmi/id/chassis_asset_tag	SecuriteInfo.com.PUA.Tool.Linux.BtcMine.4274.18395.31150.elf
File opened for reading	/sys/devices/virtual/dmi/id/bios_version	SecuriteInfo.com.PUA.Tool.Linux.BtcMine.4274.18395.31150.elf
File opened for reading	/sys/devices/virtual/dmi/id/product_uuid	SecuriteInfo.com.PUA.Tool.Linux.BtcMine.4274.18395.31150.elf
File opened for reading	/sys/devices/virtual/dmi/id/board_name	SecuriteInfo.com.PUA.Tool.Linux.BtcMine.4274.18395.31150.elf
File opened for reading	/sys/devices/virtual/dmi/id/chassis_vendor	SecuriteInfo.com.PUA.Tool.Linux.BtcMine.4274.18395.31150.elf
File opened for reading	/sys/devices/virtual/dmi/id/chassis_type	SecuriteInfo.com.PUA.Tool.Linux.BtcMine.4274.18395.31150.elf

Checks CPU configuration 1 TTPs 1 IoCs
Checks CPU information which indicate if the system is a virtual machine.
antivm

Virtualization/Sandbox Evasion
T1497

Processes:

SecuriteInfo.com.PUA.Tool.Linux.BtcMine.4274.18395.31150.elf

description ioc process

File opened for reading /proc/cpuinfo SecuriteInfo.com.PUA.Tool.Linux.BtcMine.4274.18395.31150.elf

description	ioc	process
File opened for reading	/proc/cpuinfo	SecuriteInfo.com.PUA.Tool.Linux.BtcMine.4274.18395.31150.elf

Reads CPU attributes 1 TTPs 2 IoCs

System Information Discovery

T1082

Processes:

SecuriteInfo.com.PUA.Tool.Linux.BtcMine.4274.18395.31150.elf

description	ioc	process
File opened for reading	/sys/devices/system/cpu/online	SecuriteInfo.com.PUA.Tool.Linux.BtcMine.4274.18395.31150.elf
File opened for reading	/sys/devices/system/cpu/possible	SecuriteInfo.com.PUA.Tool.Linux.BtcMine.4274.18395.31150.elf

Enumerates kernel/hardware configuration 1 TTPs 63 IoCs

Reads contents of /sys virtual filesystem to enumerate system information.

System Information Discovery

T1082

Processes:

SecuriteInfo.com.PUA.Tool.Linux.BtcMine.4274.18395.31150.elf

description	ioc	process
File opened for reading	/sys/bus/cpu/devices/cpu0/cache/index3/physical_line_partition	SecuriteInfo.com.PUA.Tool.Linux.BtcMine.4274.18395.31150.elf
File opened for reading	/sys/bus/cpu/devices/cpu0/cache/index1/shared_cpu_map	SecuriteInfo.com.PUA.Tool.Linux.BtcMine.4274.18395.31150.elf
File opened for reading	/sys/bus/cpu/devices/cpu0/cache/index2/id	SecuriteInfo.com.PUA.Tool.Linux.BtcMine.4274.18395.31150.elf
File opened for reading	/sys/bus/cpu/devices/cpu0/cache/index0/shared_cpu_map	SecuriteInfo.com.PUA.Tool.Linux.BtcMine.4274.18395.31150.elf
File opened for reading	/sys/bus/node/devices/node0/cpumap	SecuriteInfo.com.PUA.Tool.Linux.BtcMine.4274.18395.31150.elf
File opened for reading	/sys/fs/cgroup/cpuset/cpuset.mems	SecuriteInfo.com.PUA.Tool.Linux.BtcMine.4274.18395.31150.elf
File opened for reading	/sys/bus/cpu/devices/cpu0/cache/index0/id	SecuriteInfo.com.PUA.Tool.Linux.BtcMine.4274.18395.31150.elf
File opened for reading	/sys/bus/cpu/devices/cpu0/cache/index2/type	SecuriteInfo.com.PUA.Tool.Linux.BtcMine.4274.18395.31150.elf
File opened for reading	/sys/bus/cpu/devices/cpu0/cache/index2/size	SecuriteInfo.com.PUA.Tool.Linux.BtcMine.4274.18395.31150.elf
File opened for reading	/sys/bus/cpu/devices/cpu0/cache/index2/number_of_sets	SecuriteInfo.com.PUA.Tool.Linux.BtcMine.4274.18395.31150.elf
File opened for reading	/sys/bus/cpu/devices/cpu0/cpu_capacity	SecuriteInfo.com.PUA.Tool.Linux.BtcMine.4274.18395.31150.elf
File opened for reading	/sys/kernel/mm/hugepages/hugepages-2048kB/nr_hugepages	SecuriteInfo.com.PUA.Tool.Linux.BtcMine.4274.18395.31150.elf
File opened for reading	/sys/bus/cpu/devices	SecuriteInfo.com.PUA.Tool.Linux.BtcMine.4274.18395.31150.elf
File opened for reading	/sys/bus/cpu/devices/cpu0/cache/index2/shared_cpu_map	SecuriteInfo.com.PUA.Tool.Linux.BtcMine.4274.18395.31150.elf
File opened for reading	/sys/bus/cpu/devices/cpu0/cache/index8/shared_cpu_map	SecuriteInfo.com.PUA.Tool.Linux.BtcMine.4274.18395.31150.elf
File opened for reading	/sys/kernel/mm/hugepages	SecuriteInfo.com.PUA.Tool.Linux.BtcMine.4274.18395.31150.elf
File opened for reading	/sys/devices/system/node/online	SecuriteInfo.com.PUA.Tool.Linux.BtcMine.4274.18395.31150.elf
File opened for reading	/sys/bus/node/devices/node0/meminfo	SecuriteInfo.com.PUA.Tool.Linux.BtcMine.4274.18395.31150.elf
File opened for reading	/sys/bus/node/devices/node0/access0/initiators/read_bandwidth	SecuriteInfo.com.PUA.Tool.Linux.BtcMine.4274.18395.31150.elf
File opened for reading	/sys/bus/cpu/devices/cpu0/cache/index0/coherency_line_size	SecuriteInfo.com.PUA.Tool.Linux.BtcMine.4274.18395.31150.elf
File opened for reading	/sys/bus/cpu/devices/cpu0/cache/index0/number_of_sets	SecuriteInfo.com.PUA.Tool.Linux.BtcMine.4274.18395.31150.elf
File opened for reading	/sys/bus/cpu/devices/cpu0/cache/index7/shared_cpu_map	SecuriteInfo.com.PUA.Tool.Linux.BtcMine.4274.18395.31150.elf
File opened for reading	/sys/bus/cpu/devices/cpu0/cache/index0/type	SecuriteInfo.com.PUA.Tool.Linux.BtcMine.4274.18395.31150.elf
File opened for reading	/sys/bus/cpu/devices/cpu0/cache/index2/coherency_line_size	SecuriteInfo.com.PUA.Tool.Linux.BtcMine.4274.18395.31150.elf
File opened for reading	/sys/bus/cpu/devices/cpu0/cache/index2/physical_line_partition	SecuriteInfo.com.PUA.Tool.Linux.BtcMine.4274.18395.31150.elf
File opened for reading	/sys/bus/cpu/devices/cpu0/cache/index3/shared_cpu_map	SecuriteInfo.com.PUA.Tool.Linux.BtcMine.4274.18395.31150.elf
File opened for reading	/sys/bus/cpu/devices/cpu0/cache/index9/shared_cpu_map	SecuriteInfo.com.PUA.Tool.Linux.BtcMine.4274.18395.31150.elf
File opened for reading	/sys/bus/node/devices/node0/hugepages/hugepages-2048kB/nr_hugepages	SecuriteInfo.com.PUA.Tool.Linux.BtcMine.4274.18395.31150.elf
File opened for reading	/sys/bus/node/devices/node0/access0/initiators	SecuriteInfo.com.PUA.Tool.Linux.BtcMine.4274.18395.31150.elf
File opened for reading	/sys/bus/cpu/devices/cpu0/topology/physical_package_id	SecuriteInfo.com.PUA.Tool.Linux.BtcMine.4274.18395.31150.elf
File opened for reading	/sys/bus/cpu/devices/cpu0/cache/index3/size	SecuriteInfo.com.PUA.Tool.Linux.BtcMine.4274.18395.31150.elf
File opened for reading	/sys/devices/system/node/node0/hugepages/hugepages-2048kB/nr_hugepages	SecuriteInfo.com.PUA.Tool.Linux.BtcMine.4274.18395.31150.elf
File opened for reading	/sys/fs/cgroup/cpuset/cpuset.cpus	SecuriteInfo.com.PUA.Tool.Linux.BtcMine.4274.18395.31150.elf
File opened for reading	/sys/bus/cpu/devices/cpu0/topology/thread_siblings	SecuriteInfo.com.PUA.Tool.Linux.BtcMine.4274.18395.31150.elf
File opened for reading	/sys/bus/cpu/devices/cpu0/cache/index0/physical_line_partition	SecuriteInfo.com.PUA.Tool.Linux.BtcMine.4274.18395.31150.elf
File opened for reading	/sys/bus/dax/devices	SecuriteInfo.com.PUA.Tool.Linux.BtcMine.4274.18395.31150.elf
File opened for reading	/sys/fs/cgroup/unified/cgroup.controllers	SecuriteInfo.com.PUA.Tool.Linux.BtcMine.4274.18395.31150.elf
File opened for reading	/sys/bus/cpu/devices/cpu0/cpufreq/cpuinfo_max_freq	SecuriteInfo.com.PUA.Tool.Linux.BtcMine.4274.18395.31150.elf
File opened for reading	/sys/devices/virtual/dmi/id	SecuriteInfo.com.PUA.Tool.Linux.BtcMine.4274.18395.31150.elf
File opened for reading	/sys/bus/cpu/devices/cpu0/cache/index3/id	SecuriteInfo.com.PUA.Tool.Linux.BtcMine.4274.18395.31150.elf
File opened for reading	/sys/bus/cpu/devices/cpu0/cache/index4/shared_cpu_map	SecuriteInfo.com.PUA.Tool.Linux.BtcMine.4274.18395.31150.elf
File opened for reading	/sys/bus/cpu/devices/cpu0/cache/index6/shared_cpu_map	SecuriteInfo.com.PUA.Tool.Linux.BtcMine.4274.18395.31150.elf
File opened for reading	/sys/firmware/dmi/tables/smbios_entry_point	SecuriteInfo.com.PUA.Tool.Linux.BtcMine.4274.18395.31150.elf
File opened for reading	/sys/bus/cpu/devices/cpu0/cache/index0/level	SecuriteInfo.com.PUA.Tool.Linux.BtcMine.4274.18395.31150.elf
File opened for reading	/sys/bus/cpu/devices/cpu0/cache/index0/size	SecuriteInfo.com.PUA.Tool.Linux.BtcMine.4274.18395.31150.elf
File opened for reading	/sys/bus/cpu/devices/cpu0/cache/index3/number_of_sets	SecuriteInfo.com.PUA.Tool.Linux.BtcMine.4274.18395.31150.elf
File opened for reading	/sys/bus/cpu/devices/cpu0/cpufreq/base_frequency	SecuriteInfo.com.PUA.Tool.Linux.BtcMine.4274.18395.31150.elf
File opened for reading	/sys/bus/node/devices/node0/hugepages	SecuriteInfo.com.PUA.Tool.Linux.BtcMine.4274.18395.31150.elf
File opened for reading	/sys/bus/node/devices/node0/access0/initiators/read_latency	SecuriteInfo.com.PUA.Tool.Linux.BtcMine.4274.18395.31150.elf
File opened for reading	/sys/bus/cpu/devices/cpu0/topology/core_siblings	SecuriteInfo.com.PUA.Tool.Linux.BtcMine.4274.18395.31150.elf
File opened for reading	/sys/bus/cpu/devices/cpu0/cache/index5/shared_cpu_map	SecuriteInfo.com.PUA.Tool.Linux.BtcMine.4274.18395.31150.elf
File opened for reading	/sys/bus/cpu/devices/cpu0/topology/core_id	SecuriteInfo.com.PUA.Tool.Linux.BtcMine.4274.18395.31150.elf
File opened for reading	/sys/bus/cpu/devices/cpu0/cache/index2/level	SecuriteInfo.com.PUA.Tool.Linux.BtcMine.4274.18395.31150.elf
File opened for reading	/sys/bus/cpu/devices/cpu0/cache/index3/level	SecuriteInfo.com.PUA.Tool.Linux.BtcMine.4274.18395.31150.elf
File opened for reading	/sys/bus/cpu/devices/cpu0/cache/index3/type	SecuriteInfo.com.PUA.Tool.Linux.BtcMine.4274.18395.31150.elf
File opened for reading	/sys/bus/node/devices/node0/access1/initiators	SecuriteInfo.com.PUA.Tool.Linux.BtcMine.4274.18395.31150.elf
File opened for reading	/sys/firmware/dmi/tables/DMI	SecuriteInfo.com.PUA.Tool.Linux.BtcMine.4274.18395.31150.elf
File opened for reading	/sys/bus/cpu/devices/cpu0/cache/index1/id	SecuriteInfo.com.PUA.Tool.Linux.BtcMine.4274.18395.31150.elf
File opened for reading	/sys/bus/cpu/devices/cpu0/cache/index1/level	SecuriteInfo.com.PUA.Tool.Linux.BtcMine.4274.18395.31150.elf
File opened for reading	/sys/bus/cpu/devices/cpu0/cache/index1/type	SecuriteInfo.com.PUA.Tool.Linux.BtcMine.4274.18395.31150.elf
File opened for reading	/sys/bus/cpu/devices/cpu0/cache/index3/coherency_line_size	SecuriteInfo.com.PUA.Tool.Linux.BtcMine.4274.18395.31150.elf
File opened for reading	/sys/devices/system/node/node0/hugepages/hugepages-2048kB/free_hugepages	SecuriteInfo.com.PUA.Tool.Linux.BtcMine.4274.18395.31150.elf
File opened for reading	/sys/bus/cpu/devices/cpu0/topology/die_cpus	SecuriteInfo.com.PUA.Tool.Linux.BtcMine.4274.18395.31150.elf

Reads runtime system information 5 IoCs

Reads data from /proc virtual filesystem.

Processes:

SecuriteInfo.com.PUA.Tool.Linux.BtcMine.4274.18395.31150.elfmount

description	ioc	process
File opened for reading	/proc/driver/nvidia/gpus	SecuriteInfo.com.PUA.Tool.Linux.BtcMine.4274.18395.31150.elf
File opened for reading	/proc/filesystems	mount
File opened for reading	/proc/mounts	SecuriteInfo.com.PUA.Tool.Linux.BtcMine.4274.18395.31150.elf
File opened for reading	/proc/self/cpuset	SecuriteInfo.com.PUA.Tool.Linux.BtcMine.4274.18395.31150.elf
File opened for reading	/proc/meminfo	SecuriteInfo.com.PUA.Tool.Linux.BtcMine.4274.18395.31150.elf

/tmp/SecuriteInfo.com.PUA.Tool.Linux.BtcMine.4274.18395.31150.elf
/tmp/SecuriteInfo.com.PUA.Tool.Linux.BtcMine.4274.18395.31150.elf
1⤵
- Modifies hosts file
- Checks hardware identifiers (DMI)
- Reads hardware information
- Checks CPU configuration
- Reads CPU attributes
- Enumerates kernel/hardware configuration
- Reads runtime system information
PID:1494

/bin/sh
sh -c "rm -f /etc/hosts.old"
2⤵
PID:1498

/bin/rm
rm -f /etc/hosts.old
3⤵
PID:1499

/bin/sh
sh -c "mount --bind /proc/1 /proc/1502"
2⤵
PID:1503

/bin/mount
mount --bind /proc/1 /proc/1502
3⤵
- Reads runtime system information
PID:1504

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Virtualization/Sandbox Evasion

2

T1497

Credential Access

Discovery

Virtualization/Sandbox Evasion

2

T1497

System Information Discovery

3

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

/etc/hosts
Filesize
219B

MD5
f483993c70d12ecfd5a5fe3ed5b10244

SHA1
386b3c58555b1337c5a2496efdb7436295256796

SHA256
908b62e9f94cc492b2ad465bfae5ba6bb5cfffd9ad7af21cdb79821ee118f409

SHA512
c60a7528f3d5b5b97d79c7973153cb7a915de04fd717e9ca7c8bdf4093a747146d405c15d47f822dc1b72bcd87b19ab276e9069c3f41bc5bb4dbfd88fd469aaa

Download Submit
/run/mountinfo
Filesize
16B

MD5
653d149c30cfe9f06aaa1be6fd083928

SHA1
64d67d009efa44f08307d3161db27e94248692cc

SHA256
a3f2fde8269f814a0342ce24b00b74117d4f1a41f4b47c805b2eae7a9e604514

SHA512
2fdfc43da5d5c8f2059416006c517f6dea22303bf42bf23c8252ea57755e22919787472ca46ff0547c3af358c7fc1d5cc403c15e7f94ebd3678d74810d1db0f5

Download Submit
/run/mountinfo.log
Filesize
1KB

MD5
7bde0ccdccecfdd774b99b9c32b6b9c0

SHA1
305958ce5abf33e97631a977a6ec9e5612e14b20

SHA256
7be67248ba0500d5d6017b01e34cbeb87636d71b2d7a94e521e262d790be61ff

SHA512
1c3678d2a2d55aae5457added80933067bf8819038274597de28b5cef36c4feddf224a1ece8dbf7f10a6bb7f43fd2dd9d94840cfcde9de1c293b1051079a0e74

Download Submit
memory/1494-1-0x0000000000400000-0x0000000000acfb60-memory.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads