Analysis

  • max time kernel
    14s
  • max time network
    16s
  • platform
    ubuntu-20.04_amd64
  • resource
    ubuntu2004-amd64-20240508-en
  • resource tags
    arch:amd64, arch:i386, image:ubuntu2004-amd64-20240508-en, kernel:5.4.0-169-generic, locale:en-us, os:ubuntu-20.04-amd64, system
  • submitted
    19-07-2024 13:23

General

  • Target

    xmrig

  • Size

    1.6MB

  • MD5

    36b5b760bb1334e2feb50ae169f19c00

  • SHA1

    6dfcc0dcd64a8e498d3204b568a1679b85dcf314

  • SHA256

    17229e1940e272030b079915600ea9fd944b8250680d89e1ee1eca42bbe3772f

  • SHA512

    759cc113d7d73bcf62da54ee70fdc49817325f5580eef4fbe8a69d1e1777a2650ee94e4e6f26b1c2e5d777e534a8e961b140b587f0d30d4108de66ba0f7f8322

  • SSDEEP

    49152:ZrkdckdSMUFKV3WAiYT+rhQe+x/tM+imbXWMuV:ZrpkdSzFKVWSKav1TXXs

Signatures

  • xmrig

    XMRig is a high-performance, open-source, cross-platform CPU/GPU miner. The tool itself is legitimate; here it runs from /tmp and installs its own persistence (see Processes below), which is the pattern of an intrusion, not of an administrator's deployment.

  • Contacts a large (155759) number of remote hosts, 1 TTP

    This may indicate a network scan to discover remotely running services. Stock XMRig talks only to its configured mining pool(s), so this many distinct destinations is not explained by mining alone; inspect the capture for the ports being probed.

  • Creates a large number of network flows, 1 TTP

    This may indicate a network scan to discover remotely running services.

  • XMRig Miner payload, 1 IoC
  • Checks hardware identifiers (DMI), 1 TTP, 4 IoCs

    Reads DMI information, which can reveal whether the system is a virtual machine. XMRig also reads DMI memory data and CPU topology during normal start-up to tune itself, so this hit on its own is not evidence of anti-analysis behaviour.

  • Creates/modifies Cron job, 1 TTP, 1 IoC

    Cron runs tasks on a schedule and is commonly used for malware persistence. This sample first runs crontab -r, wiping the user's existing crontab, then installs a single @reboot /tmp/xmrig entry (see Processes).

  • Enumerates running processes

    Discovers information about currently running processes on the system.

  • Reads hardware information, 1 TTP, 14 IoCs

    Accesses system information such as serial numbers and manufacturer names.

  • Changes its process name, 1 IoC

    Sets a process name (typically via prctl PR_SET_NAME) that differs from the executable on disk, so hunting by name in ps output misses it; compare /proc/<pid>/comm against the target of /proc/<pid>/exe.

  • Checks CPU configuration, 1 TTP, 1 IoC

    Reads CPU information, which can reveal whether the system is a virtual machine. The DMI caveat applies here too: a miner has to enumerate the CPU to configure itself.

  • Reads CPU attributes, 1 TTP, 45 IoCs
  • Enumerates kernel/hardware configuration, 1 TTP, 24 IoCs

    Reads the /sys virtual filesystem to enumerate system information.

  • Reads runtime system information, 64 IoCs

    Reads data from the /proc virtual filesystem.

Processes

  • /tmp/xmrig
    /tmp/xmrig
    depth 1, PID:1401
    • Checks hardware identifiers (DMI)
    • Reads hardware information
    • Checks CPU configuration
    • Reads CPU attributes
    • Enumerates kernel/hardware configuration
    • Reads runtime system information
    • /bin/sh
      sh -c "command -v crontab >/dev/null 2>&1"
      depth 2, PID:1406
    • /bin/sh
      sh -c "crontab -r >/dev/null 2>&1; echo \"@reboot /tmp/xmrig\" | crontab -"
      depth 2, PID:1407
      • /usr/bin/crontab
        crontab -r
        depth 3, PID:1408
      • /usr/bin/crontab
        crontab -
        depth 3, PID:1410
        • Creates/modifies Cron job
    • /bin/sh
      sh -c "iptables -I INPUT -p tcp --dport 56345 -j ACCEPT >/dev/null 2>&1"
      depth 2, PID:1411
      • /usr/sbin/iptables
        iptables -I INPUT -p tcp --dport 56345 -j ACCEPT
        depth 3, PID:1412
    • /bin/sh
      sh -c "command -v php >/dev/null 2>&1"
      depth 2, PID:1417
    • /bin/sh
      sh -c "command -v nginx >/dev/null 2>&1"
      depth 2, PID:1418
    • /bin/sh
      sh -c "which apache2"
      depth 2, PID:1419
      • /usr/bin/which
        which apache2
        depth 3, PID:1420
    • /bin/sh
      sh -c "which httpd"
      depth 2, PID:1421
      • /usr/bin/which
        which httpd
        depth 3, PID:1422

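The process tree gives a responder three host artefacts to look for: a user crontab containing @reboot /tmp/xmrig (installed right after crontab -r wiped whatever was there), an iptables INPUT rule accepting TCP 56345 (the report does not show what listens on that port), and a process whose executable is /tmp/xmrig but whose name has been changed. The Python below is an added example written for this page, not part of the sandbox report or of XMRig. It parses crontab, iptables-save and process records, and matches file contents against the SHA256 values listed in this report. The crontab text, the firewall dump, the process list and the disguised name kworker/1:2 are all constructed for illustration; the report does not say what name the sample chose.

```python
"""Host triage for the behaviour in the process tree above (added example, not the report's code)."""
import hashlib
import os
import re

# SHA256 values copied from the General and Downloads sections of this report.
KNOWN_SHA256 = {
    "17229e1940e272030b079915600ea9fd944b8250680d89e1ee1eca42bbe3772f": "xmrig payload (/tmp/xmrig)",
    "b606fbf508b93915420c4eee8e81e757198dbc95538c40d6069dfa123235479b": "crontab file written by the sample",
}
SUSPICIOUS_DIRS = ("/tmp/", "/var/tmp/", "/dev/shm/")
REPORTED_PORT = 56345  # from the iptables command in the process tree

# Constructed inputs modelled on the report; not captured from a real host.
SAMPLE_CRONTAB = "# m h dom mon dow command\n@reboot /tmp/xmrig\n0 3 * * * /usr/bin/certbot renew\n"
SAMPLE_IPTABLES_SAVE = (
    "*filter\n:INPUT ACCEPT [0:0]\n"
    "-A INPUT -p tcp -m tcp --dport 56345 -j ACCEPT\n"
    "-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT\nCOMMIT\n"
)
# comm "kworker/1:2" is a hypothetical disguise; the report does not name the chosen process name.
SAMPLE_PROCS = [
    {"pid": 1401, "comm": "kworker/1:2", "exe": "/tmp/xmrig"},
    {"pid": 812, "comm": "sshd", "exe": "/usr/sbin/sshd"},
]


def check_crontab(text):
    """Flag crontab lines that run at @reboot or execute from a scratch directory."""
    findings = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("@"):  # @reboot, @daily, ...: one schedule token then the command
            schedule, _, command = line.partition(" ")
        else:
            parts = line.split(None, 5)  # five time fields, then the command
            if len(parts) < 6:
                continue
            schedule, command = " ".join(parts[:5]), parts[5]
        if schedule == "@reboot":
            findings.append(f"@reboot persistence: {command}")
        if command.startswith(SUSPICIOUS_DIRS):
            findings.append(f"cron job runs from scratch dir: {line}")
    return findings


def accepted_tcp_ports(iptables_save_text):
    """Destination ports accepted by INPUT rules, in rule order (iptables-save format)."""
    pat = re.compile(r"^-A INPUT .*?-p tcp .*?--dport (\d+) .*?-j ACCEPT")
    return [int(m.group(1)) for m in map(pat.match, iptables_save_text.splitlines()) if m]


def check_iptables(iptables_save_text):
    return [f"firewall opened for TCP {p} (matches report)"
            for p in accepted_tcp_ports(iptables_save_text) if p == REPORTED_PORT]


def check_processes(procs):
    """procs: dicts with pid, comm (/proc/<pid>/comm) and exe (target of /proc/<pid>/exe)."""
    findings = []
    for p in procs:
        if p["exe"].startswith(SUSPICIOUS_DIRS):
            findings.append(f"pid {p['pid']}: executable in scratch dir {p['exe']}")
        # The kernel truncates comm to 15 bytes, so compare against the truncated basename.
        if p["comm"] != os.path.basename(p["exe"])[:15]:
            findings.append(f"pid {p['pid']}: process name {p['comm']!r} hides {p['exe']}")
    return findings


def sha256_hex(data):
    return hashlib.sha256(data).hexdigest()


def check_hashes(files, known=KNOWN_SHA256):
    """files: mapping path -> bytes. One finding per file whose SHA256 is in `known`."""
    return [f"{path}: {known[sha256_hex(data)]}" for path, data in files.items() if sha256_hex(data) in known]


def live_processes():
    """comm/exe for running processes from /proc (Linux; root needed to read other users' exe links)."""
    procs = []
    for pid in filter(str.isdigit, os.listdir("/proc")):
        try:
            with open(f"/proc/{pid}/comm") as f:
                comm = f.read().strip()
            exe = os.readlink(f"/proc/{pid}/exe")
        except OSError:
            continue  # kernel threads have no exe; short-lived processes vanish mid-scan
        procs.append({"pid": int(pid), "comm": comm, "exe": exe})
    return procs


def triage(crontab_text, iptables_text, procs, files):
    return (check_crontab(crontab_text) + check_iptables(iptables_text)
            + check_processes(procs) + check_hashes(files))


if __name__ == "__main__":
    for finding in triage(SAMPLE_CRONTAB, SAMPLE_IPTABLES_SAVE, SAMPLE_PROCS, {"/tmp/xmrig": b"placeholder bytes"}):
        print(finding)
```

On a live host, feed triage() the output of crontab -l for each user (and /etc/cron.d), iptables-save, live_processes() and the bytes of any binary found in /tmp. The /var/spool/cron/crontabs/tmp.7DjurP entry under Downloads is crontab(1)'s temporary file, renamed to the user's name once installed, so check the installed crontab rather than hunting for that temporary name.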
                        MITRE ATT&CK Enterprise v15

Downloads

  • /var/spool/cron/crontabs/tmp.7DjurP

    Filesize
    194B

    MD5
    61fee549a8bd5051da647f84c42648dc

    SHA1
    72460dd1bafdba52e40d7dd0b0172b24a9cf7d09

    SHA256
    b606fbf508b93915420c4eee8e81e757198dbc95538c40d6069dfa123235479b

    SHA512
    a45d5319288be26911947b99073f5f4def6f97bcd52f83167e9770adaa0f145ed8043d94c1bf99310cec601a6cdacce0c1bf65e42af9747594b021acd1a93268

  • memory/1401-1-0x00007fa4cd830000-0x00007fa4cde91750-memory.dmp