Analysis
- max time kernel: 14s
- max time network: 16s
- platform: ubuntu-20.04_amd64
- resource: ubuntu2004-amd64-20240508-en
- resource tags: arch:amd64, arch:i386, image:ubuntu2004-amd64-20240508-en, kernel:5.4.0-169-generic, locale:en-us, os:ubuntu-20.04-amd64, system
- submitted: 19-07-2024 13:23
Behavioral task: behavioral1
- Sample: xmrig
- Resource: ubuntu2004-amd64-20240508-en
General
- Target: xmrig
- Size: 1.6MB
- MD5: 36b5b760bb1334e2feb50ae169f19c00
- SHA1: 6dfcc0dcd64a8e498d3204b568a1679b85dcf314
- SHA256: 17229e1940e272030b079915600ea9fd944b8250680d89e1ee1eca42bbe3772f
- SHA512: 759cc113d7d73bcf62da54ee70fdc49817325f5580eef4fbe8a69d1e1777a2650ee94e4e6f26b1c2e5d777e534a8e961b140b587f0d30d4108de66ba0f7f8322
- SSDEEP: 49152:ZrkdckdSMUFKV3WAiYT+rhQe+x/tM+imbXWMuV:ZrpkdSzFKVWSKav1TXXs
Malware Config
Signatures
- Contacts a large (155759) amount of remote hosts (1 TTPs)
  This may indicate a network scan to discover remotely running services.
- Creates a large amount of network flows (1 TTPs)
  This may indicate a network scan to discover remotely running services.
- XMRig Miner payload (1 IoCs)
  Processes:
  | resource | yara_rule |
  |---|---|
  | behavioral1/memory/1401-1-0x00007fa4cd830000-0x00007fa4cde91750-memory.dmp | xmrig |
- Checks hardware identifiers (DMI) (1 TTPs, 4 IoCs)
  Checks DMI information which indicates whether the system is a virtual machine.
  Processes:
  | description | ioc | process |
  |---|---|---|
  | File opened for reading | /sys/devices/virtual/dmi/id/product_name | xmrig |
  | File opened for reading | /sys/devices/virtual/dmi/id/board_vendor | xmrig |
  | File opened for reading | /sys/devices/virtual/dmi/id/bios_vendor | xmrig |
  | File opened for reading | /sys/devices/virtual/dmi/id/sys_vendor | xmrig |
- Creates/modifies Cron job (1 TTPs, 1 IoCs)
  Cron allows running tasks on a schedule, and is commonly used for malware persistence.
  Processes:
  | description | ioc | process |
  |---|---|---|
  | File opened for modification | /var/spool/cron/crontabs/tmp.7DjurP | crontab |
- Enumerates running processes
  Discovers information about currently running processes on the system.
- Reads hardware information (1 TTPs, 14 IoCs)
  Accesses system info like serial numbers, manufacturer names etc.
  Processes:
  | description | ioc | process |
  |---|---|---|
  | File opened for reading | /sys/devices/virtual/dmi/id/product_version | xmrig |
  | File opened for reading | /sys/devices/virtual/dmi/id/board_asset_tag | xmrig |
  | File opened for reading | /sys/devices/virtual/dmi/id/chassis_vendor | xmrig |
  | File opened for reading | /sys/devices/virtual/dmi/id/chassis_version | xmrig |
  | File opened for reading | /sys/devices/virtual/dmi/id/product_serial | xmrig |
  | File opened for reading | /sys/devices/virtual/dmi/id/product_uuid | xmrig |
  | File opened for reading | /sys/devices/virtual/dmi/id/board_name | xmrig |
  | File opened for reading | /sys/devices/virtual/dmi/id/chassis_serial | xmrig |
  | File opened for reading | /sys/devices/virtual/dmi/id/bios_date | xmrig |
  | File opened for reading | /sys/devices/virtual/dmi/id/board_serial | xmrig |
  | File opened for reading | /sys/devices/virtual/dmi/id/board_version | xmrig |
  | File opened for reading | /sys/devices/virtual/dmi/id/chassis_type | xmrig |
  | File opened for reading | /sys/devices/virtual/dmi/id/chassis_asset_tag | xmrig |
  | File opened for reading | /sys/devices/virtual/dmi/id/bios_version | xmrig |
- Changes its process name (1 IoCs)
  Processes:
  | description | ioc | pid |
  |---|---|---|
  | Changes the process name, possibly in an attempt to hide itself | bash | 1402 |
- Checks CPU configuration (1 TTPs, 1 IoCs)
  Checks CPU information which indicates whether the system is a virtual machine.
  Processes:
  | description | ioc | process |
  |---|---|---|
  | File opened for reading | /proc/cpuinfo | xmrig |
- Reads CPU attributes (1 TTPs, 45 IoCs)
  Processes:
  | description | ioc | process |
  |---|---|---|
  | File opened for reading | /sys/devices/system/cpu/cpu0/cache/index8/shared_cpu_map | xmrig |
  | File opened for reading | /sys/devices/system/cpu/cpu0/cache/index9/shared_cpu_map | xmrig |
  | File opened for reading | /sys/devices/system/cpu/cpu0/cpufreq/cpuinfo_max_freq | xmrig |
  | File opened for reading | /sys/devices/system/cpu/cpu0/cache/index0/physical_line_partition | xmrig |
  | File opened for reading | /sys/devices/system/cpu/cpu0/cache/index1/shared_cpu_map | xmrig |
  | File opened for reading | /sys/devices/system/cpu/cpu0/cache/index1/level | xmrig |
  | File opened for reading | /sys/devices/system/cpu/cpu0/cache/index2/coherency_line_size | xmrig |
  | File opened for reading | /sys/devices/system/cpu/cpu0/cache/index3/coherency_line_size | xmrig |
  | File opened for reading | /sys/devices/system/cpu/cpu0/cache/index6/shared_cpu_map | xmrig |
  | File opened for reading | /sys/devices/system/cpu/cpu0/topology/cluster_cpus | xmrig |
  | File opened for reading | /sys/devices/system/cpu/cpu0/cache/index0/type | xmrig |
  | File opened for reading | /sys/devices/system/cpu/cpu0/cache/index2/number_of_sets | xmrig |
  | File opened for reading | /sys/devices/system/cpu/cpu0/cache/index3/level | xmrig |
  | File opened for reading | /sys/devices/system/cpu/cpu0/topology/core_cpus | xmrig |
  | File opened for reading | /sys/devices/system/cpu/cpu0/topology/package_cpus | xmrig |
  | File opened for reading | /sys/devices/system/cpu/cpu0/cache/index2/level | xmrig |
  | File opened for reading | /sys/devices/system/cpu/cpu0/cache/index2/size | xmrig |
  | File opened for reading | /sys/devices/system/cpu/cpu0/cache/index5/shared_cpu_map | xmrig |
  | File opened for reading | /sys/devices/system/cpu/cpu0/cache/index0/coherency_line_size | xmrig |
  | File opened for reading | /sys/devices/system/cpu/cpu0/cache/index2/shared_cpu_map | xmrig |
  | File opened for reading | /sys/devices/system/cpu/cpu0/cache/index3/type | xmrig |
  | File opened for reading | /sys/devices/system/cpu/cpu0/cache/index3/size | xmrig |
  | File opened for reading | /sys/devices/system/cpu/cpu0/topology/core_id | xmrig |
  | File opened for reading | /sys/devices/system/cpu/cpu0/topology/physical_package_id | xmrig |
  | File opened for reading | /sys/devices/system/cpu/cpu0/cache/index0/shared_cpu_map | xmrig |
  | File opened for reading | /sys/devices/system/cpu/cpu0/cache/index0/level | xmrig |
  | File opened for reading | /sys/devices/system/cpu/cpu0/cache/index3/number_of_sets | xmrig |
  | File opened for reading | /sys/devices/system/cpu/cpu0/cpu_capacity | xmrig |
  | File opened for reading | /sys/devices/system/cpu/possible | xmrig |
  | File opened for reading | /sys/devices/system/cpu/cpu0/cache/index2/physical_line_partition | xmrig |
  | File opened for reading | /sys/devices/system/cpu/cpu0/cache/index3/physical_line_partition | xmrig |
  | File opened for reading | /sys/devices/system/cpu/cpu0/cpufreq/base_frequency | xmrig |
  | File opened for reading | /sys/devices/system/cpu/online | xmrig |
  | File opened for reading | /sys/devices/system/cpu/cpu0/topology/die_cpus | xmrig |
  | File opened for reading | /sys/devices/system/cpu/cpu0/cache/index0/id | xmrig |
  | File opened for reading | /sys/devices/system/cpu/cpu0/cache/index1/type | xmrig |
  | File opened for reading | /sys/devices/system/cpu/cpu0/cache/index3/id | xmrig |
  | File opened for reading | /sys/devices/system/cpu/cpu0/cache/index4/shared_cpu_map | xmrig |
  | File opened for reading | /sys/devices/system/cpu/cpu0/cache/index2/id | xmrig |
  | File opened for reading | /sys/devices/system/cpu/cpu0/cache/index3/shared_cpu_map | xmrig |
  | File opened for reading | /sys/devices/system/cpu/cpu0/cache/index7/shared_cpu_map | xmrig |
  | File opened for reading | /sys/devices/system/cpu/cpu0/cache/index0/size | xmrig |
  | File opened for reading | /sys/devices/system/cpu/cpu0/cache/index0/number_of_sets | xmrig |
  | File opened for reading | /sys/devices/system/cpu/cpu0/cache/index1/id | xmrig |
  | File opened for reading | /sys/devices/system/cpu/cpu0/cache/index2/type | xmrig |
- Enumerates kernel/hardware configuration (1 TTPs, 24 IoCs)
  Reads contents of /sys virtual filesystem to enumerate system information.
  Processes:
  | description | ioc | process |
  |---|---|---|
  | File opened for reading | /sys/fs/cgroup/cpuset/cpuset.mems | xmrig |
  | File opened for reading | /sys/kernel/mm/hugepages | xmrig |
  | File opened for reading | /sys/devices/system/node/node0/access0/initiators/read_bandwidth | xmrig |
  | File opened for reading | /sys/devices/system/node/node0/access0/initiators/read_latency | xmrig |
  | File opened for reading | /sys/devices/cpu_core/cpus | xmrig |
  | File opened for reading | /sys/devices/system/node/online | xmrig |
  | File opened for reading | /sys/devices/system/node/node0/access0/initiators | xmrig |
  | File opened for reading | /sys/devices/virtual/dmi/id | xmrig |
  | File opened for reading | /sys/firmware/dmi/tables/DMI | xmrig |
  | File opened for reading | /sys/bus/dax/devices | xmrig |
  | File opened for reading | /sys/devices/system/node/node0/access1/initiators | xmrig |
  | File opened for reading | /sys/bus/soc/devices | xmrig |
  | File opened for reading | /sys/fs/cgroup/unified/cgroup.controllers | xmrig |
  | File opened for reading | /sys/fs/cgroup/cpuset/cpuset.cpus | xmrig |
  | File opened for reading | /sys/devices/cpu_atom/cpus | xmrig |
  | File opened for reading | /sys/devices/system/node/node0/meminfo | xmrig |
  | File opened for reading | /sys/devices/system/node/node0/hugepages/hugepages-2048kB/nr_hugepages | xmrig |
  | File opened for reading | /sys/devices/system/node/node0/access0/initiators/write_latency | xmrig |
  | File opened for reading | /sys/firmware/dmi/tables/smbios_entry_point | xmrig |
  | File opened for reading | /sys/devices/system/cpu | xmrig |
  | File opened for reading | /sys/kernel/mm/hugepages/hugepages-2048kB/nr_hugepages | xmrig |
  | File opened for reading | /sys/devices/system/node/node0/cpumap | xmrig |
  | File opened for reading | /sys/devices/system/node/node0/hugepages | xmrig |
  | File opened for reading | /sys/devices/system/node/node0/access0/initiators/write_bandwidth | xmrig |
- Reads runtime system information (64 IoCs)
  Reads data from /proc virtual filesystem.
  Processes:
  | description | ioc | process |
  |---|---|---|
  | File opened for reading | /proc/22/cmdline | xmrig |
  | File opened for reading | /proc/91/cmdline | xmrig |
  | File opened for reading | /proc/1025/cmdline | xmrig |
  | File opened for reading | /proc/242/cmdline | xmrig |
  | File opened for reading | /proc/1350/cmdline | xmrig |
  | File opened for reading | /proc/923/cmdline | xmrig |
  | File opened for reading | /proc/159/cmdline | xmrig |
  | File opened for reading | /proc/447/cmdline | xmrig |
  | File opened for reading | /proc/917/cmdline | xmrig |
  | File opened for reading | /proc/163/cmdline | xmrig |
  | File opened for reading | /proc/1073/cmdline | xmrig |
  | File opened for reading | /proc/930/cmdline | xmrig |
  | File opened for reading | /proc/1051/cmdline | xmrig |
  | File opened for reading | /proc/driver/nvidia/gpus | xmrig |
  | File opened for reading | /proc/440/cmdline | xmrig |
  | File opened for reading | /proc/1034/cmdline | xmrig |
  | File opened for reading | /proc/166/cmdline | xmrig |
  | File opened for reading | /proc/1323/cmdline | xmrig |
  | File opened for reading | /proc/1340/cmdline | xmrig |
  | File opened for reading | /proc/614/cmdline | xmrig |
  | File opened for reading | /proc/8/cmdline | xmrig |
  | File opened for reading | /proc/300/cmdline | xmrig |
  | File opened for reading | /proc/451/cmdline | xmrig |
  | File opened for reading | /proc/170/cmdline | xmrig |
  | File opened for reading | /proc/73/cmdline | xmrig |
  | File opened for reading | /proc/162/cmdline | xmrig |
  | File opened for reading | /proc/398/cmdline | xmrig |
  | File opened for reading | /proc/791/cmdline | xmrig |
  | File opened for reading | /proc/988/cmdline | xmrig |
  | File opened for reading | /proc/1072/cmdline | xmrig |
  | File opened for reading | /proc/21/cmdline | xmrig |
  | File opened for reading | /proc/171/cmdline | xmrig |
  | File opened for reading | /proc/616/cmdline | xmrig |
  | File opened for reading | /proc/74/cmdline | xmrig |
  | File opened for reading | /proc/81/cmdline | xmrig |
  | File opened for reading | /proc/169/cmdline | xmrig |
  | File opened for reading | /proc/1345/cmdline | xmrig |
  | File opened for reading | /proc/1346/cmdline | xmrig |
  | File opened for reading | /proc/1352/cmdline | xmrig |
  | File opened for reading | /proc/cmdline | xmrig |
  | File opened for reading | /proc/501/cmdline | xmrig |
  | File opened for reading | /proc/1071/cmdline | xmrig |
  | File opened for reading | /proc/1104/cmdline | xmrig |
  | File opened for reading | /proc/1206/cmdline | xmrig |
  | File opened for reading | /proc/1343/cmdline | xmrig |
  | File opened for reading | /proc/82/cmdline | xmrig |
  | File opened for reading | /proc/16/cmdline | xmrig |
  | File opened for reading | /proc/1348/cmdline | xmrig |
  | File opened for reading | /proc/927/cmdline | xmrig |
  | File opened for reading | /proc/175/cmdline | xmrig |
  | File opened for reading | /proc/75/cmdline | xmrig |
  | File opened for reading | /proc/mounts | xmrig |
  | File opened for reading | /proc/9/cmdline | xmrig |
  | File opened for reading | /proc/1361/cmdline | xmrig |
  | File opened for reading | /proc/20/cmdline | xmrig |
  | File opened for reading | /proc/631/cmdline | xmrig |
  | File opened for reading | /proc/781/cmdline | xmrig |
  | File opened for reading | /proc/534/cmdline | xmrig |
  | File opened for reading | /proc/941/cmdline | xmrig |
  | File opened for reading | /proc/14/cmdline | xmrig |
  | File opened for reading | /proc/1107/cmdline | xmrig |
  | File opened for reading | /proc/1129/cmdline | xmrig |
  | File opened for reading | /proc/86/cmdline | xmrig |
  | File opened for reading | /proc/176/cmdline | xmrig |
Processes
- /tmp/xmrig (PID 1401): /tmp/xmrig
  Signatures: Checks hardware identifiers (DMI); Reads hardware information; Checks CPU configuration; Reads CPU attributes; Enumerates kernel/hardware configuration; Reads runtime system information
  - /bin/sh (PID 1406): sh -c "command -v crontab >/dev/null 2>&1"
  - /bin/sh (PID 1407): sh -c "crontab -r >/dev/null 2>&1; echo \"@reboot /tmp/xmrig\" | crontab -"
    - /usr/bin/crontab (PID 1408): crontab -r
    - /usr/bin/crontab (PID 1410): crontab -
      Signatures: Creates/modifies Cron job
  - /bin/sh (PID 1411): sh -c "iptables -I INPUT -p tcp --dport 56345 -j ACCEPT >/dev/null 2>&1"
    - /usr/sbin/iptables (PID 1412): iptables -I INPUT -p tcp --dport 56345 -j ACCEPT
  - /bin/sh (PID 1417): sh -c "command -v php >/dev/null 2>&1"
  - /bin/sh (PID 1418): sh -c "command -v nginx >/dev/null 2>&1"
  - /bin/sh (PID 1419): sh -c "which apache2"
    - /usr/bin/which (PID 1420): which apache2
  - /bin/sh (PID 1421): sh -c "which httpd"
    - /usr/bin/which (PID 1422): which httpd
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 194B
  MD5: 61fee549a8bd5051da647f84c42648dc
  SHA1: 72460dd1bafdba52e40d7dd0b0172b24a9cf7d09
  SHA256: b606fbf508b93915420c4eee8e81e757198dbc95538c40d6069dfa123235479b
  SHA512: a45d5319288be26911947b99073f5f4def6f97bcd52f83167e9770adaa0f145ed8043d94c1bf99310cec601a6cdacce0c1bf65e42af9747594b021acd1a93268