xmrig | 28dc11bfe01f303a15c73150a9a7cdfda39828722c8ecb698147f78c500140a6

Analysis

max time kernel
8s
max time network
12s
platform
debian-12_armhf
resource
debian12-armhf-20240221-en
resource tags

arch:armhfimage:debian12-armhf-20240221-enkernel:6.1.0-17-armmp-lpaelocale:en-usos:debian-12-armhfsystem
submitted
19-07-2024 01:22

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

28dc11bfe01f303a15c73150a9a7cdfda39828722c8ecb698147f78c500140a6
Size

1.1MB
MD5

558f29ecf48e1e1643405823f228008a
SHA1

b869e8de1d5f511196b459abd061028cf5a05741
SHA256

28dc11bfe01f303a15c73150a9a7cdfda39828722c8ecb698147f78c500140a6
SHA512

e0928ab208c9987613afd61636a4e0b0ea0c3cc891446c06a1917d6083c1de53725bb1d1cab3ae59b2b9707451bc789e2d163889181114e336cc871917b292fa
SSDEEP

24576:XB0J/zGmU0briuSIxhh/HtYqTdjQeH0s8EWIkQpALmpKaKTY3:Az7pbriuFhh/HtYqTdjNUs6IkQpALmpz

Score

10^/10

xmrig antivm miner persistence

Malware Config

Signatures

xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

XMRig Miner payload 1 IoCs

miner

resource	yara_rule
behavioral1/memory/708-1-0xb6a00000-0xb6d5e3d4-memory.dmp	xmrig

Creates/modifies Cron job 1 TTPs 1 IoCs

Cron allows running tasks on a schedule, and is commonly used for malware persistence.

persistence

Scheduled Task/Job

T1053

description	ioc	Process
File opened for modification	/var/spool/cron/crontabs/tmp.Xrzipq	crontab

Enumerates running processes
Discovers information about currently running processes on the system

Changes its process name 1 IoCs

description	ioc	pid
Changes the process name, possibly in an attempt to hide itself	bash	726

Checks CPU configuration 1 TTPs 1 IoCs

Checks CPU information which indicate if the system is a virtual machine.

antivm

Virtualization/Sandbox Evasion

T1497

description	ioc	Process
File opened for reading	/proc/cpuinfo	28dc11bfe01f303a15c73150a9a7cdfda39828722c8ecb698147f78c500140a6

Reads CPU attributes 1 TTPs 20 IoCs

System Information Discovery

T1082

description	ioc	Process
File opened for reading	/sys/devices/system/cpu/cpu0/topology/package_cpus	28dc11bfe01f303a15c73150a9a7cdfda39828722c8ecb698147f78c500140a6
File opened for reading	/sys/devices/system/cpu/cpu0/topology/physical_package_id	28dc11bfe01f303a15c73150a9a7cdfda39828722c8ecb698147f78c500140a6
File opened for reading	/sys/devices/system/cpu/cpu0/cache/index2/shared_cpu_map	28dc11bfe01f303a15c73150a9a7cdfda39828722c8ecb698147f78c500140a6
File opened for reading	/sys/devices/system/cpu/cpu0/cpufreq/base_frequency	28dc11bfe01f303a15c73150a9a7cdfda39828722c8ecb698147f78c500140a6
File opened for reading	/sys/devices/system/cpu/cpu0/cache/index9/shared_cpu_map	28dc11bfe01f303a15c73150a9a7cdfda39828722c8ecb698147f78c500140a6
File opened for reading	/sys/devices/system/cpu/cpu0/cpu_capacity	28dc11bfe01f303a15c73150a9a7cdfda39828722c8ecb698147f78c500140a6
File opened for reading	/sys/devices/system/cpu/cpu0/topology/core_cpus	28dc11bfe01f303a15c73150a9a7cdfda39828722c8ecb698147f78c500140a6
File opened for reading	/sys/devices/system/cpu/cpu0/topology/core_id	28dc11bfe01f303a15c73150a9a7cdfda39828722c8ecb698147f78c500140a6
File opened for reading	/sys/devices/system/cpu/cpu0/topology/cluster_cpus	28dc11bfe01f303a15c73150a9a7cdfda39828722c8ecb698147f78c500140a6
File opened for reading	/sys/devices/system/cpu/cpu0/cache/index0/shared_cpu_map	28dc11bfe01f303a15c73150a9a7cdfda39828722c8ecb698147f78c500140a6
File opened for reading	/sys/devices/system/cpu/cpu0/cache/index1/shared_cpu_map	28dc11bfe01f303a15c73150a9a7cdfda39828722c8ecb698147f78c500140a6
File opened for reading	/sys/devices/system/cpu/cpu0/cache/index8/shared_cpu_map	28dc11bfe01f303a15c73150a9a7cdfda39828722c8ecb698147f78c500140a6
File opened for reading	/sys/devices/system/cpu/online	28dc11bfe01f303a15c73150a9a7cdfda39828722c8ecb698147f78c500140a6
File opened for reading	/sys/devices/system/cpu/cpu0/topology/die_cpus	28dc11bfe01f303a15c73150a9a7cdfda39828722c8ecb698147f78c500140a6
File opened for reading	/sys/devices/system/cpu/cpu0/cache/index3/shared_cpu_map	28dc11bfe01f303a15c73150a9a7cdfda39828722c8ecb698147f78c500140a6
File opened for reading	/sys/devices/system/cpu/cpu0/cache/index6/shared_cpu_map	28dc11bfe01f303a15c73150a9a7cdfda39828722c8ecb698147f78c500140a6
File opened for reading	/sys/devices/system/cpu/cpu0/cache/index7/shared_cpu_map	28dc11bfe01f303a15c73150a9a7cdfda39828722c8ecb698147f78c500140a6
File opened for reading	/sys/devices/system/cpu/cpu0/cache/index4/shared_cpu_map	28dc11bfe01f303a15c73150a9a7cdfda39828722c8ecb698147f78c500140a6
File opened for reading	/sys/devices/system/cpu/cpu0/cache/index5/shared_cpu_map	28dc11bfe01f303a15c73150a9a7cdfda39828722c8ecb698147f78c500140a6
File opened for reading	/sys/devices/system/cpu/cpu0/cpufreq/cpuinfo_max_freq	28dc11bfe01f303a15c73150a9a7cdfda39828722c8ecb698147f78c500140a6

Enumerates kernel/hardware configuration 1 TTPs 12 IoCs

Reads contents of /sys virtual filesystem to enumerate system information.

System Information Discovery

T1082

description	ioc	Process
File opened for reading	/sys/fs/cgroup/cgroup.controllers	28dc11bfe01f303a15c73150a9a7cdfda39828722c8ecb698147f78c500140a6
File opened for reading	/sys/devices/system/cpu	28dc11bfe01f303a15c73150a9a7cdfda39828722c8ecb698147f78c500140a6
File opened for reading	/sys/devices/cpu_core/cpus	28dc11bfe01f303a15c73150a9a7cdfda39828722c8ecb698147f78c500140a6
File opened for reading	/sys/class/dmi/id	28dc11bfe01f303a15c73150a9a7cdfda39828722c8ecb698147f78c500140a6
File opened for reading	/sys/kernel/mm/hugepages/hugepages-2048kB/nr_hugepages	28dc11bfe01f303a15c73150a9a7cdfda39828722c8ecb698147f78c500140a6
File opened for reading	/sys/devices/virtual/dmi/id	28dc11bfe01f303a15c73150a9a7cdfda39828722c8ecb698147f78c500140a6
File opened for reading	/sys/kernel/mm/hugepages/hugepages-1048576kB/nr_hugepages	28dc11bfe01f303a15c73150a9a7cdfda39828722c8ecb698147f78c500140a6
File opened for reading	/sys/bus/soc/devices	28dc11bfe01f303a15c73150a9a7cdfda39828722c8ecb698147f78c500140a6
File opened for reading	/sys/fs/cgroup/cpuset.cpus.effective	28dc11bfe01f303a15c73150a9a7cdfda39828722c8ecb698147f78c500140a6
File opened for reading	/sys/fs/cgroup/cpuset.mems.effective	28dc11bfe01f303a15c73150a9a7cdfda39828722c8ecb698147f78c500140a6
File opened for reading	/sys/devices/cpu_atom/cpus	28dc11bfe01f303a15c73150a9a7cdfda39828722c8ecb698147f78c500140a6
File opened for reading	/sys/kernel/mm/hugepages	28dc11bfe01f303a15c73150a9a7cdfda39828722c8ecb698147f78c500140a6

Reads runtime system information 64 IoCs

Reads data from /proc virtual filesystem.

description	ioc	Process
File opened for reading	/proc/11/cmdline	28dc11bfe01f303a15c73150a9a7cdfda39828722c8ecb698147f78c500140a6
File opened for reading	/proc/14/cmdline	28dc11bfe01f303a15c73150a9a7cdfda39828722c8ecb698147f78c500140a6
File opened for reading	/proc/24/cmdline	28dc11bfe01f303a15c73150a9a7cdfda39828722c8ecb698147f78c500140a6
File opened for reading	/proc/44/cmdline	28dc11bfe01f303a15c73150a9a7cdfda39828722c8ecb698147f78c500140a6
File opened for reading	/proc/45/cmdline	28dc11bfe01f303a15c73150a9a7cdfda39828722c8ecb698147f78c500140a6
File opened for reading	/proc/214/cmdline	28dc11bfe01f303a15c73150a9a7cdfda39828722c8ecb698147f78c500140a6
File opened for reading	/proc/344/cmdline	28dc11bfe01f303a15c73150a9a7cdfda39828722c8ecb698147f78c500140a6
File opened for reading	/proc/7/cmdline	28dc11bfe01f303a15c73150a9a7cdfda39828722c8ecb698147f78c500140a6
File opened for reading	/proc/759/cmdline	28dc11bfe01f303a15c73150a9a7cdfda39828722c8ecb698147f78c500140a6
File opened for reading	/proc/654/cmdline	28dc11bfe01f303a15c73150a9a7cdfda39828722c8ecb698147f78c500140a6
File opened for reading	/proc/35/cmdline	28dc11bfe01f303a15c73150a9a7cdfda39828722c8ecb698147f78c500140a6
File opened for reading	/proc/752/cmdline	28dc11bfe01f303a15c73150a9a7cdfda39828722c8ecb698147f78c500140a6
File opened for reading	/proc/13/cmdline	28dc11bfe01f303a15c73150a9a7cdfda39828722c8ecb698147f78c500140a6
File opened for reading	/proc/143/cmdline	28dc11bfe01f303a15c73150a9a7cdfda39828722c8ecb698147f78c500140a6
File opened for reading	/proc/322/cmdline	28dc11bfe01f303a15c73150a9a7cdfda39828722c8ecb698147f78c500140a6
File opened for reading	/proc/655/cmdline	28dc11bfe01f303a15c73150a9a7cdfda39828722c8ecb698147f78c500140a6
File opened for reading	/proc/718/cmdline	28dc11bfe01f303a15c73150a9a7cdfda39828722c8ecb698147f78c500140a6
File opened for reading	/proc/57/cmdline	28dc11bfe01f303a15c73150a9a7cdfda39828722c8ecb698147f78c500140a6
File opened for reading	/proc/27/cmdline	28dc11bfe01f303a15c73150a9a7cdfda39828722c8ecb698147f78c500140a6
File opened for reading	/proc/36/cmdline	28dc11bfe01f303a15c73150a9a7cdfda39828722c8ecb698147f78c500140a6
File opened for reading	/proc/4/cmdline	28dc11bfe01f303a15c73150a9a7cdfda39828722c8ecb698147f78c500140a6
File opened for reading	/proc/17/cmdline	28dc11bfe01f303a15c73150a9a7cdfda39828722c8ecb698147f78c500140a6
File opened for reading	/proc/20/cmdline	28dc11bfe01f303a15c73150a9a7cdfda39828722c8ecb698147f78c500140a6
File opened for reading	/proc/31/cmdline	28dc11bfe01f303a15c73150a9a7cdfda39828722c8ecb698147f78c500140a6
File opened for reading	/proc/73/cmdline	28dc11bfe01f303a15c73150a9a7cdfda39828722c8ecb698147f78c500140a6
File opened for reading	/proc/314/cmdline	28dc11bfe01f303a15c73150a9a7cdfda39828722c8ecb698147f78c500140a6
File opened for reading	/proc/706/cmdline	28dc11bfe01f303a15c73150a9a7cdfda39828722c8ecb698147f78c500140a6
File opened for reading	/proc/cmdline	28dc11bfe01f303a15c73150a9a7cdfda39828722c8ecb698147f78c500140a6
File opened for reading	/proc/6/cmdline	28dc11bfe01f303a15c73150a9a7cdfda39828722c8ecb698147f78c500140a6
File opened for reading	/proc/25/cmdline	28dc11bfe01f303a15c73150a9a7cdfda39828722c8ecb698147f78c500140a6
File opened for reading	/proc/42/cmdline	28dc11bfe01f303a15c73150a9a7cdfda39828722c8ecb698147f78c500140a6
File opened for reading	/proc/195/cmdline	28dc11bfe01f303a15c73150a9a7cdfda39828722c8ecb698147f78c500140a6
File opened for reading	/proc/681/cmdline	28dc11bfe01f303a15c73150a9a7cdfda39828722c8ecb698147f78c500140a6
File opened for reading	/proc/self/exe	28dc11bfe01f303a15c73150a9a7cdfda39828722c8ecb698147f78c500140a6
File opened for reading	/proc/15/cmdline	28dc11bfe01f303a15c73150a9a7cdfda39828722c8ecb698147f78c500140a6
File opened for reading	/proc/10/cmdline	28dc11bfe01f303a15c73150a9a7cdfda39828722c8ecb698147f78c500140a6
File opened for reading	/proc/29/cmdline	28dc11bfe01f303a15c73150a9a7cdfda39828722c8ecb698147f78c500140a6
File opened for reading	/proc/339/cmdline	28dc11bfe01f303a15c73150a9a7cdfda39828722c8ecb698147f78c500140a6
File opened for reading	/proc/639/cmdline	28dc11bfe01f303a15c73150a9a7cdfda39828722c8ecb698147f78c500140a6
File opened for reading	/proc/665/cmdline	28dc11bfe01f303a15c73150a9a7cdfda39828722c8ecb698147f78c500140a6
File opened for reading	/proc/28/cmdline	28dc11bfe01f303a15c73150a9a7cdfda39828722c8ecb698147f78c500140a6
File opened for reading	/proc/9/cmdline	28dc11bfe01f303a15c73150a9a7cdfda39828722c8ecb698147f78c500140a6
File opened for reading	/proc/23/cmdline	28dc11bfe01f303a15c73150a9a7cdfda39828722c8ecb698147f78c500140a6
File opened for reading	/proc/341/cmdline	28dc11bfe01f303a15c73150a9a7cdfda39828722c8ecb698147f78c500140a6
File opened for reading	/proc/347/cmdline	28dc11bfe01f303a15c73150a9a7cdfda39828722c8ecb698147f78c500140a6
File opened for reading	/proc/684/cmdline	28dc11bfe01f303a15c73150a9a7cdfda39828722c8ecb698147f78c500140a6
File opened for reading	/proc/meminfo	28dc11bfe01f303a15c73150a9a7cdfda39828722c8ecb698147f78c500140a6
File opened for reading	/proc/5/cmdline	28dc11bfe01f303a15c73150a9a7cdfda39828722c8ecb698147f78c500140a6
File opened for reading	/proc/26/cmdline	28dc11bfe01f303a15c73150a9a7cdfda39828722c8ecb698147f78c500140a6
File opened for reading	/proc/56/cmdline	28dc11bfe01f303a15c73150a9a7cdfda39828722c8ecb698147f78c500140a6
File opened for reading	/proc/638/cmdline	28dc11bfe01f303a15c73150a9a7cdfda39828722c8ecb698147f78c500140a6
File opened for reading	/proc/mounts	28dc11bfe01f303a15c73150a9a7cdfda39828722c8ecb698147f78c500140a6
File opened for reading	/proc/18/cmdline	28dc11bfe01f303a15c73150a9a7cdfda39828722c8ecb698147f78c500140a6
File opened for reading	/proc/22/cmdline	28dc11bfe01f303a15c73150a9a7cdfda39828722c8ecb698147f78c500140a6
File opened for reading	/proc/32/cmdline	28dc11bfe01f303a15c73150a9a7cdfda39828722c8ecb698147f78c500140a6
File opened for reading	/proc/704/cmdline	28dc11bfe01f303a15c73150a9a7cdfda39828722c8ecb698147f78c500140a6
File opened for reading	/proc/709/cmdline	28dc11bfe01f303a15c73150a9a7cdfda39828722c8ecb698147f78c500140a6
File opened for reading	/proc/self/cpuset	28dc11bfe01f303a15c73150a9a7cdfda39828722c8ecb698147f78c500140a6
File opened for reading	/proc/357/cmdline	28dc11bfe01f303a15c73150a9a7cdfda39828722c8ecb698147f78c500140a6
File opened for reading	/proc/46/cmdline	28dc11bfe01f303a15c73150a9a7cdfda39828722c8ecb698147f78c500140a6
File opened for reading	/proc/33/cmdline	28dc11bfe01f303a15c73150a9a7cdfda39828722c8ecb698147f78c500140a6
File opened for reading	/proc/34/cmdline	28dc11bfe01f303a15c73150a9a7cdfda39828722c8ecb698147f78c500140a6
File opened for reading	/proc/260/cmdline	28dc11bfe01f303a15c73150a9a7cdfda39828722c8ecb698147f78c500140a6
File opened for reading	/proc/332/cmdline	28dc11bfe01f303a15c73150a9a7cdfda39828722c8ecb698147f78c500140a6

/tmp/28dc11bfe01f303a15c73150a9a7cdfda39828722c8ecb698147f78c500140a6
/tmp/28dc11bfe01f303a15c73150a9a7cdfda39828722c8ecb698147f78c500140a6
1⤵
- Checks CPU configuration
- Reads CPU attributes
- Enumerates kernel/hardware configuration
- Reads runtime system information
PID:708
- /bin/sh
  sh -c "command -v crontab >/dev/null 2>&1"
  2⤵
  PID:727
- /bin/sh
  sh -c "crontab -r >/dev/null 2>&1; echo \"@reboot /tmp/28dc11bfe01f303a15c73150a9a7cdfda39828722c8ecb698147f78c500140a6\" | crontab -"
  2⤵
  PID:730
- - /usr/bin/crontab
    crontab -r
    3⤵
    PID:732
- - /usr/bin/crontab
    crontab -
    3⤵
    - Creates/modifies Cron job
    PID:738
- /bin/sh
  sh -c "iptables -I INPUT -p tcp --dport 18178 -j ACCEPT >/dev/null 2>&1"
  2⤵
  PID:744
- /bin/sh
  sh -c "command -v php >/dev/null 2>&1"
  2⤵
  PID:746
- /bin/sh
  sh -c "command -v nginx >/dev/null 2>&1"
  2⤵
  PID:748
- /bin/sh
  sh -c "which apache2"
  2⤵
  PID:750
- - /usr/bin/which
    which apache2
    3⤵
    PID:751
- /bin/sh
  sh -c "which httpd"
  2⤵
  PID:755
- - /usr/bin/which
    which httpd
    3⤵
    PID:758

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Scheduled Task/Job

T1053

Privilege Escalation

Scheduled Task/Job

T1053

Defense Evasion

Virtualization/Sandbox Evasion

T1497

Credential Access

Discovery

System Information Discovery

T1082

Virtualization/Sandbox Evasion

T1497

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

/var/spool/cron/crontabs/tmp.Xrzipq

Filesize
253B

MD5
2914093b38f4bfe2830ee60a7a82dff7

SHA1
e628d83f49846e82ac0769d40e04feedb7800eda

SHA256
76430c7a425ca1ea6ea6c6f207e797e549bc83ea5b6ec5fbf7027a067825b59c

SHA512
54719fc593d486ebe96acc65ebf3bfa99466804735affaf274d886f975141c9b41e2bd922be284c144edcfe44b5d2761d343e18a3e6ccbdd04a2040cf67c428f

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads