xmrig_linux | 4d47504db2f3fe6e2afeb25ae3d4d8efd85d77651a5005ce715f4058cc46ef29

Analysis

max time kernel
149s
max time network
147s
platform
ubuntu-20.04_amd64
resource
ubuntu2004-amd64-20240508-en
resource tags

arch:amd64arch:i386image:ubuntu2004-amd64-20240508-enkernel:5.4.0-169-genericlocale:en-usos:ubuntu-20.04-amd64system
submitted
04-06-2024 03:40

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

funzi
Size

2.2MB
MD5

99469381a6c59dec28e32519401f7d85
SHA1

3b15039f19219260adf6d79a4c76d25c3224bb1f
SHA256

4d47504db2f3fe6e2afeb25ae3d4d8efd85d77651a5005ce715f4058cc46ef29
SHA512

2610e95501c498816411638b6b5163e1fdfb7243a613ddeb54954d86ba1aac1eb4b7c5a9e7c85c562ef821eabe95e29b353a19ae3795ebe278e2fb9f2d50d6a3
SSDEEP

49152:Uu0quOoMo+Yw+DEAMjjEW1Ky4WbHIPbxCrQaRPeY36BK7OPm:B0q4M8/McZll0EaRPeYKBK7t

Score

10^/10

xmrig_linux antivm miner

Malware Config

Signatures

xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig_linux

XMRig Miner payload 1 IoCs

miner

Processes:

resource	yara_rule
behavioral1/memory/1447-1-0x0000000000400000-0x0000000000aab0f8-memory.dmp	xmrig

Checks hardware identifiers (DMI) 1 TTPs 4 IoCs

Checks DMI information which indicate if the system is a virtual machine.

antivm

Virtualization/Sandbox Evasion

T1497

Processes:

funzi

description	ioc	Process
File opened for reading	/sys/devices/virtual/dmi/id/sys_vendor	funzi
File opened for reading	/sys/devices/virtual/dmi/id/product_name	funzi
File opened for reading	/sys/devices/virtual/dmi/id/board_vendor	funzi
File opened for reading	/sys/devices/virtual/dmi/id/bios_vendor	funzi

Reads hardware information 1 TTPs 14 IoCs

Accesses system info like serial numbers, manufacturer names etc.

System Information Discovery

T1082

Processes:

funzi

description	ioc	Process
File opened for reading	/sys/devices/virtual/dmi/id/chassis_asset_tag	funzi
File opened for reading	/sys/devices/virtual/dmi/id/chassis_type	funzi
File opened for reading	/sys/devices/virtual/dmi/id/chassis_vendor	funzi
File opened for reading	/sys/devices/virtual/dmi/id/bios_version	funzi
File opened for reading	/sys/devices/virtual/dmi/id/product_serial	funzi
File opened for reading	/sys/devices/virtual/dmi/id/chassis_serial	funzi
File opened for reading	/sys/devices/virtual/dmi/id/board_name	funzi
File opened for reading	/sys/devices/virtual/dmi/id/product_uuid	funzi
File opened for reading	/sys/devices/virtual/dmi/id/board_version	funzi
File opened for reading	/sys/devices/virtual/dmi/id/board_serial	funzi
File opened for reading	/sys/devices/virtual/dmi/id/board_asset_tag	funzi
File opened for reading	/sys/devices/virtual/dmi/id/chassis_version	funzi
File opened for reading	/sys/devices/virtual/dmi/id/bios_date	funzi
File opened for reading	/sys/devices/virtual/dmi/id/product_version	funzi

Checks CPU configuration 1 TTPs 1 IoCs

Checks CPU information which indicate if the system is a virtual machine.

antivm

Virtualization/Sandbox Evasion

T1497

Processes:

funzi

description	ioc	Process
File opened for reading	/proc/cpuinfo	funzi

Reads CPU attributes 1 TTPs 2 IoCs

System Information Discovery

T1082

Processes:

funzi

description	ioc	Process
File opened for reading	/sys/devices/system/cpu/online	funzi
File opened for reading	/sys/devices/system/cpu/possible	funzi

Enumerates kernel/hardware configuration 1 TTPs 64 IoCs

Reads contents of /sys virtual filesystem to enumerate system information.

System Information Discovery

T1082

Processes:

funzi

description	ioc	Process
File opened for reading	/sys/bus/cpu/devices	funzi
File opened for reading	/sys/bus/cpu/devices/cpu0/topology/package_cpus	funzi
File opened for reading	/sys/bus/cpu/devices/cpu0/cache/index0/id	funzi
File opened for reading	/sys/devices/system/node/node0/hugepages/hugepages-2048kB/nr_hugepages	funzi
File opened for reading	/sys/fs/cgroup/unified/cgroup.controllers	funzi
File opened for reading	/sys/bus/cpu/devices/cpu0/cache/index0/size	funzi
File opened for reading	/sys/bus/cpu/devices/cpu0/cache/index3/id	funzi
File opened for reading	/sys/bus/cpu/devices/cpu0/cache/index3/number_of_sets	funzi
File opened for reading	/sys/bus/cpu/devices/cpu0/cache/index3/physical_line_partition	funzi
File opened for reading	/sys/bus/cpu/devices/cpu0/cache/index8/shared_cpu_map	funzi
File opened for reading	/sys/devices/system/node/online	funzi
File opened for reading	/sys/bus/cpu/devices/cpu0/cache/index0/level	funzi
File opened for reading	/sys/bus/cpu/devices/cpu0/cache/index3/coherency_line_size	funzi
File opened for reading	/sys/bus/cpu/devices/cpu0/cpufreq/cpuinfo_max_freq	funzi
File opened for reading	/sys/bus/cpu/devices/cpu0/cache/index2/level	funzi
File opened for reading	/sys/bus/cpu/devices/cpu0/cache/index3/size	funzi
File opened for reading	/sys/bus/cpu/devices/cpu0/cpu_capacity	funzi
File opened for reading	/sys/bus/node/devices/node0/access0/initiators	funzi
File opened for reading	/sys/bus/cpu/devices/cpu0/cache/index2/shared_cpu_map	funzi
File opened for reading	/sys/bus/cpu/devices/cpu0/cache/index0/type	funzi
File opened for reading	/sys/bus/cpu/devices/cpu0/cache/index1/shared_cpu_map	funzi
File opened for reading	/sys/bus/cpu/devices/cpu0/cache/index2/coherency_line_size	funzi
File opened for reading	/sys/bus/cpu/devices/cpu0/cache/index7/shared_cpu_map	funzi
File opened for reading	/sys/bus/cpu/devices/cpu0/cpufreq/base_frequency	funzi
File opened for reading	/sys/kernel/mm/hugepages	funzi
File opened for reading	/sys/kernel/mm/hugepages/hugepages-2048kB/nr_hugepages	funzi
File opened for reading	/sys/fs/cgroup/cpuset/cpuset.cpus	funzi
File opened for reading	/sys/bus/node/devices/node0/access1/initiators	funzi
File opened for reading	/sys/bus/cpu/devices/cpu0/cache/index2/number_of_sets	funzi
File opened for reading	/sys/bus/cpu/devices/cpu0/cache/index3/shared_cpu_map	funzi
File opened for reading	/sys/firmware/dmi/tables/DMI	funzi
File opened for reading	/sys/bus/cpu/devices/cpu0/cache/index0/coherency_line_size	funzi
File opened for reading	/sys/bus/cpu/devices/cpu0/cache/index0/number_of_sets	funzi
File opened for reading	/sys/bus/cpu/devices/cpu0/cache/index6/shared_cpu_map	funzi
File opened for reading	/sys/bus/node/devices/node0/meminfo	funzi
File opened for reading	/sys/fs/cgroup/cpuset/cpuset.mems	funzi
File opened for reading	/sys/bus/dax/devices/target_node	funzi
File opened for reading	/sys/devices/system/node/node0/hugepages/hugepages-2048kB/free_hugepages	funzi
File opened for reading	/sys/bus/cpu/devices/cpu0/cache/index1/type	funzi
File opened for reading	/sys/bus/cpu/devices/cpu0/topology/die_cpus	funzi
File opened for reading	/sys/bus/cpu/devices/cpu0/cache/index5/shared_cpu_map	funzi
File opened for reading	/sys/bus/node/devices/node0/hugepages	funzi
File opened for reading	/sys/bus/dax/devices	funzi
File opened for reading	/sys/bus/node/devices/node0/access0/initiators/read_bandwidth	funzi
File opened for reading	/sys/bus/node/devices/node0/access0/initiators/read_latency	funzi
File opened for reading	/sys/bus/cpu/devices/cpu0/topology/core_id	funzi
File opened for reading	/sys/bus/cpu/devices/cpu0/cache/index1/id	funzi
File opened for reading	/sys/firmware/dmi/tables/smbios_entry_point	funzi
File opened for reading	/sys/bus/cpu/devices/cpu0/topology/physical_package_id	funzi
File opened for reading	/sys/bus/dax/target_node	funzi
File opened for reading	/sys/bus/node/devices/node0/hugepages/hugepages-2048kB/nr_hugepages	funzi
File opened for reading	/sys/bus/cpu/devices/cpu0/topology/cluster_cpus	funzi
File opened for reading	/sys/bus/cpu/devices/cpu0/cache/index2/id	funzi
File opened for reading	/sys/devices/virtual/dmi/id	funzi
File opened for reading	/sys/bus/cpu/devices/cpu0/topology/core_cpus	funzi
File opened for reading	/sys/bus/cpu/devices/cpu0/cache/index2/physical_line_partition	funzi
File opened for reading	/sys/bus/cpu/devices/cpu0/cache/index3/level	funzi
File opened for reading	/sys/bus/cpu/devices/cpu0/cache/index0/shared_cpu_map	funzi
File opened for reading	/sys/bus/cpu/devices/cpu0/cache/index0/physical_line_partition	funzi
File opened for reading	/sys/bus/cpu/devices/cpu0/cache/index3/type	funzi
File opened for reading	/sys/bus/cpu/devices/cpu0/cache/index2/type	funzi
File opened for reading	/sys/bus/cpu/devices/cpu0/cache/index2/size	funzi
File opened for reading	/sys/bus/cpu/devices/cpu0/cache/index4/shared_cpu_map	funzi
File opened for reading	/sys/bus/cpu/devices/cpu0/cache/index9/shared_cpu_map	funzi

Reads runtime system information 5 IoCs

Reads data from /proc virtual filesystem.

Processes:

funzi

description	ioc	Process
File opened for reading	/proc/self/exe	funzi
File opened for reading	/proc/mounts	funzi
File opened for reading	/proc/self/cpuset	funzi
File opened for reading	/proc/meminfo	funzi
File opened for reading	/proc/driver/nvidia/gpus	funzi

/tmp/funzi
/tmp/funzi
1⤵
- Checks hardware identifiers (DMI)
- Reads hardware information
- Checks CPU configuration
- Reads CPU attributes
- Enumerates kernel/hardware configuration
- Reads runtime system information
PID:1447

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Virtualization/Sandbox Evasion

T1497

Credential Access

Discovery

System Information Discovery

T1082

Virtualization/Sandbox Evasion

T1497

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

/etc/.qucfu.pid

Filesize
4B

MD5
e94f63f579e05cb49c05c2d050ead9c0

SHA1
ecbc54904eb7fe332c5764cbefeee200527ff160

SHA256
57c03210be824f7a26151a1000ae617d5f31a8bdee6001fc05284de407d93e7b

SHA512
71fd9a4702f177fdd97e0b35cfe2d094d52d3279b7a48fe198a9bd0175806eedace805695d3f82cbf15bdc483f6b24e13889d0c38ed817000d418a629bb82895

Download Submit
memory/1447-1-0x0000000000400000-0x0000000000aab0f8-memory.dmp

Download