xmrig | 6e25ad03103a1a972b78c642bac09060fa79c460011dc5748cbb433cc459938b

General

Target

SecuriteInfo.com.Linux.Miner-ZS.18234.26199
Size

14.0MB
MD5

648effa354b3cbaad87b45f48d59c616
SHA1

0194637f1e83c2efc8bcda8d20c446805698c7bc
SHA256

6e25ad03103a1a972b78c642bac09060fa79c460011dc5748cbb433cc459938b
SHA512

7ed0b6abeda6b3682bb94fbce8c5eeddf6206db23a87c11d606ea2f84a7606420ed47290317b5d9cb4d99f5c07943b8a7a548671d4c73106d6fbd48cd37bc146
SSDEEP

98304:zpU9MTfASNlnewCIoxAlfVG9bnY+Zx+A:zG9GfASNlnewChxAxVWbY

Score

10^/10

xmrig antivm evasion miner

Malware Config

Signatures

xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig
XMRig Miner payload 1 IoCs
miner

Processes:

resource yara_rule

/tmp/kdevtmpfsi xmrig
Executes dropped EXE 1 IoCs

Processes:

kdevtmpfsi

ioc pid process

/tmp/kdevtmpfsi 2538 kdevtmpfsi

resource	yara_rule
/tmp/kdevtmpfsi	xmrig

ioc	pid	process
/tmp/kdevtmpfsi	2538	kdevtmpfsi

Checks hardware identifiers (DMI) 1 TTPs 4 IoCs

Checks DMI information which indicate if the system is a virtual machine.

antivm

Virtualization/Sandbox Evasion

T1497

Processes:

kdevtmpfsi

description	ioc	process
File opened for reading	/sys/devices/virtual/dmi/id/sys_vendor	kdevtmpfsi
File opened for reading	/sys/devices/virtual/dmi/id/product_name	kdevtmpfsi
File opened for reading	/sys/devices/virtual/dmi/id/board_vendor	kdevtmpfsi
File opened for reading	/sys/devices/virtual/dmi/id/bios_vendor	kdevtmpfsi

Enumerates running processes
Discovers information about currently running processes on the system

Reads hardware information 1 TTPs 14 IoCs

Accesses system info like serial numbers, manufacturer names etc.

System Information Discovery

T1082

Processes:

kdevtmpfsi

description	ioc	process
File opened for reading	/sys/devices/virtual/dmi/id/bios_date	kdevtmpfsi
File opened for reading	/sys/devices/virtual/dmi/id/chassis_version	kdevtmpfsi
File opened for reading	/sys/devices/virtual/dmi/id/chassis_serial	kdevtmpfsi
File opened for reading	/sys/devices/virtual/dmi/id/bios_version	kdevtmpfsi
File opened for reading	/sys/devices/virtual/dmi/id/board_serial	kdevtmpfsi
File opened for reading	/sys/devices/virtual/dmi/id/chassis_vendor	kdevtmpfsi
File opened for reading	/sys/devices/virtual/dmi/id/chassis_type	kdevtmpfsi
File opened for reading	/sys/devices/virtual/dmi/id/chassis_asset_tag	kdevtmpfsi
File opened for reading	/sys/devices/virtual/dmi/id/product_uuid	kdevtmpfsi
File opened for reading	/sys/devices/virtual/dmi/id/board_name	kdevtmpfsi
File opened for reading	/sys/devices/virtual/dmi/id/board_version	kdevtmpfsi
File opened for reading	/sys/devices/virtual/dmi/id/board_asset_tag	kdevtmpfsi
File opened for reading	/sys/devices/virtual/dmi/id/product_version	kdevtmpfsi
File opened for reading	/sys/devices/virtual/dmi/id/product_serial	kdevtmpfsi

Reads list of loaded kernel modules 1 TTPs 1 IoCs
Reads the list of currently loaded kernel modules, possibly to detect virtual environments.
evasion

Virtualization/Sandbox Evasion
T1497

Processes:

SecuriteInfo.com.Linux.Miner-ZS.18234.26199

description ioc process

File opened for reading /proc/modules SecuriteInfo.com.Linux.Miner-ZS.18234.26199
Checks CPU configuration 1 TTPs 2 IoCs
Checks CPU information which indicate if the system is a virtual machine.
antivm

Virtualization/Sandbox Evasion
T1497

Processes:

kdevtmpfsiSecuriteInfo.com.Linux.Miner-ZS.18234.26199

description ioc process

File opened for reading /proc/cpuinfo kdevtmpfsi
File opened for reading /proc/cpuinfo SecuriteInfo.com.Linux.Miner-ZS.18234.26199

description	ioc	process
File opened for reading	/proc/modules	SecuriteInfo.com.Linux.Miner-ZS.18234.26199

description	ioc	process
File opened for reading	/proc/cpuinfo	kdevtmpfsi
File opened for reading	/proc/cpuinfo	SecuriteInfo.com.Linux.Miner-ZS.18234.26199

Reads CPU attributes 1 TTPs 3 IoCs

System Information Discovery

T1082

Processes:

pkillkdevtmpfsi

description	ioc	process
File opened for reading	/sys/devices/system/cpu/possible	pkill
File opened for reading	/sys/devices/system/cpu/online	kdevtmpfsi
File opened for reading	/sys/devices/system/cpu/possible	kdevtmpfsi

Enumerates kernel/hardware configuration 1 TTPs 55 IoCs

Reads contents of /sys virtual filesystem to enumerate system information.

System Information Discovery

T1082

Processes:

kdevtmpfsiSecuriteInfo.com.Linux.Miner-ZS.18234.26199modprobeSecuriteInfo.com.Linux.Miner-ZS.18234.26199pkill

description	ioc	process
File opened for reading	/sys/bus/cpu/devices/cpu0/cache/index0/level	kdevtmpfsi
File opened for reading	/sys/bus/cpu/devices/cpu0/cache/index3/number_of_sets	kdevtmpfsi
File opened for reading	/sys/bus/cpu/devices/cpu0/cache/index0/coherency_line_size	kdevtmpfsi
File opened for reading	/sys/bus/cpu/devices/cpu0/cache/index1/type	kdevtmpfsi
File opened for reading	/sys/bus/cpu/devices/cpu0/cache/index4/shared_cpu_map	kdevtmpfsi
File opened for reading	/sys/bus/cpu/devices/cpu0/cache/index2/number_of_sets	kdevtmpfsi
File opened for reading	/sys/bus/cpu/devices/cpu0/cache/index7/shared_cpu_map	kdevtmpfsi
File opened for reading	/sys/kernel/mm/hugepages	kdevtmpfsi
File opened for reading	/sys/bus/node/devices/node0/hugepages/hugepages-2048kB/nr_hugepages	kdevtmpfsi
File opened for reading	/sys/kernel/mm/transparent_hugepage/hpage_pmd_size	SecuriteInfo.com.Linux.Miner-ZS.18234.26199
File opened for reading	/sys/bus/cpu/devices/cpu0/cache/index0/shared_cpu_map	kdevtmpfsi
File opened for reading	/sys/bus/cpu/devices/cpu0/cache/index0/number_of_sets	kdevtmpfsi
File opened for reading	/sys/bus/cpu/devices	kdevtmpfsi
File opened for reading	/sys/bus/cpu/devices/cpu0/topology/die_cpus	kdevtmpfsi
File opened for reading	/sys/bus/node/devices/node0/hugepages	kdevtmpfsi
File opened for reading	/sys/bus/cpu/devices/cpu0/cache/index0/size	kdevtmpfsi
File opened for reading	/sys/bus/cpu/devices/cpu0/cache/index8/shared_cpu_map	kdevtmpfsi
File opened for reading	/sys/module/msr/initstate	modprobe
File opened for reading	/sys/bus/cpu/devices/cpu0/cache/index2/type	kdevtmpfsi
File opened for reading	/sys/bus/cpu/devices/cpu0/cache/index2/coherency_line_size	kdevtmpfsi
File opened for reading	/sys/devices/virtual/dmi/id	kdevtmpfsi
File opened for reading	/sys/kernel/mm/transparent_hugepage/hpage_pmd_size	SecuriteInfo.com.Linux.Miner-ZS.18234.26199
File opened for reading	/sys/bus/cpu/devices/cpu0/topology/core_id	kdevtmpfsi
File opened for reading	/sys/bus/cpu/devices/cpu0/cache/index6/shared_cpu_map	kdevtmpfsi
File opened for reading	/sys/kernel/mm/hugepages/hugepages-1048576kB/nr_hugepages	kdevtmpfsi
File opened for reading	/sys/devices/system/node	pkill
File opened for reading	/sys/bus/cpu/devices/cpu0/cache/index2/size	kdevtmpfsi
File opened for reading	/sys/bus/cpu/devices/cpu0/cache/index2/physical_line_partition	kdevtmpfsi
File opened for reading	/sys/bus/cpu/devices/cpu0/cache/index2/level	kdevtmpfsi
File opened for reading	/sys/bus/cpu/devices/cpu0/cache/index3/shared_cpu_map	kdevtmpfsi
File opened for reading	/sys/bus/cpu/devices/cpu0/online	kdevtmpfsi
File opened for reading	/sys/bus/cpu/devices/cpu0/cache/index0/type	kdevtmpfsi
File opened for reading	/sys/bus/cpu/devices/cpu0/cache/index1/level	kdevtmpfsi
File opened for reading	/sys/bus/cpu/devices/cpu0/topology/package_cpus	kdevtmpfsi
File opened for reading	/sys/bus/cpu/devices/cpu0/cache/index3/level	kdevtmpfsi
File opened for reading	/sys/bus/node/devices/node0/meminfo	kdevtmpfsi
File opened for reading	/sys/bus/node/devices	kdevtmpfsi
File opened for reading	/sys/bus/cpu/devices/cpu0/cache/index1/shared_cpu_map	kdevtmpfsi
File opened for reading	/sys/bus/cpu/devices/cpu0/cache/index2/shared_cpu_map	kdevtmpfsi
File opened for reading	/sys/bus/cpu/devices/cpu0/cache/index9/shared_cpu_map	kdevtmpfsi
File opened for reading	/sys/devices/system/node/node0/hugepages/hugepages-2048kB/free_hugepages	kdevtmpfsi
File opened for reading	/sys/bus/cpu/devices/cpu0/topology/core_cpus	kdevtmpfsi
File opened for reading	/sys/bus/cpu/devices/cpu0/topology/book_siblings	kdevtmpfsi
File opened for reading	/sys/bus/cpu/devices/cpu0/cache/index3/coherency_line_size	kdevtmpfsi
File opened for reading	/sys/bus/node/devices/node0/hugepages/hugepages-1048576kB/nr_hugepages	kdevtmpfsi
File opened for reading	/sys/module/compression	modprobe
File opened for reading	/sys/bus/cpu/devices/cpu0/cache/index3/type	kdevtmpfsi
File opened for reading	/sys/bus/cpu/devices/cpu0/cache/index3/physical_line_partition	kdevtmpfsi
File opened for reading	/sys/kernel/mm/hugepages/hugepages-2048kB/nr_hugepages	kdevtmpfsi
File opened for reading	/sys/bus/cpu/devices/cpu0/cache/index5/shared_cpu_map	kdevtmpfsi
File opened for reading	/sys/bus/node/devices/node0/cpumap	kdevtmpfsi
File opened for reading	/sys/devices/system/node/node0/hugepages/hugepages-2048kB/nr_hugepages	kdevtmpfsi
File opened for reading	/sys/bus/cpu/devices/cpu0/topology/physical_package_id	kdevtmpfsi
File opened for reading	/sys/bus/cpu/devices/cpu0/cache/index0/physical_line_partition	kdevtmpfsi
File opened for reading	/sys/bus/cpu/devices/cpu0/cache/index3/size	kdevtmpfsi

Reads runtime system information 64 IoCs

Reads data from /proc virtual filesystem.

Processes:

pkill

description	ioc	process
File opened for reading	/proc/23/status	pkill
File opened for reading	/proc/47/stat	pkill
File opened for reading	/proc/1061/cgroup	pkill
File opened for reading	/proc/202/status	pkill
File opened for reading	/proc/418/ctty	pkill
File opened for reading	/proc/794/cmdline	pkill
File opened for reading	/proc/821/cgroup	pkill
File opened for reading	/proc/1084/ctty	pkill
File opened for reading	/proc/1980/ctty	pkill
File opened for reading	/proc/2184/cmdline	pkill
File opened for reading	/proc/63/cmdline	pkill
File opened for reading	/proc/79/ctty	pkill
File opened for reading	/proc/511/stat	pkill
File opened for reading	/proc/1402/cgroup	pkill
File opened for reading	/proc/1990/cgroup	pkill
File opened for reading	/proc/2245/cmdline	pkill
File opened for reading	/proc/2508/ctty	pkill
File opened for reading	/proc/197/status	pkill
File opened for reading	/proc/1959/cmdline	pkill
File opened for reading	/proc/2141/cgroup	pkill
File opened for reading	/proc/2218/stat	pkill
File opened for reading	/proc/2133/ctty	pkill
File opened for reading	/proc/29/cgroup	pkill
File opened for reading	/proc/191/status	pkill
File opened for reading	/proc/10/ctty	pkill
File opened for reading	/proc/1710/stat	pkill
File opened for reading	/proc/1959/status	pkill
File opened for reading	/proc/1968/status	pkill
File opened for reading	/proc/2012/cgroup	pkill
File opened for reading	/proc/2508/cgroup	pkill
File opened for reading	/proc/898/cmdline	pkill
File opened for reading	/proc/1949/stat	pkill
File opened for reading	/proc/2224/cmdline	pkill
File opened for reading	/proc/2257/stat	pkill
File opened for reading	/proc/48/ctty	pkill
File opened for reading	/proc/65/status	pkill
File opened for reading	/proc/274/cgroup	pkill
File opened for reading	/proc/2496/cgroup	pkill
File opened for reading	/proc/52/ctty	pkill
File opened for reading	/proc/54/ctty	pkill
File opened for reading	/proc/275/cgroup	pkill
File opened for reading	/proc/432/cmdline	pkill
File opened for reading	/proc/1402/ctty	pkill
File opened for reading	/proc/1976/cgroup	pkill
File opened for reading	/proc/43/status	pkill
File opened for reading	/proc/593/cgroup	pkill
File opened for reading	/proc/1122/cmdline	pkill
File opened for reading	/proc/1958/status	pkill
File opened for reading	/proc/2496/status	pkill
File opened for reading	/proc/9/cmdline	pkill
File opened for reading	/proc/25/cmdline	pkill
File opened for reading	/proc/1046/stat	pkill
File opened for reading	/proc/1950/status	pkill
File opened for reading	/proc/20/cmdline	pkill
File opened for reading	/proc/50/cgroup	pkill
File opened for reading	/proc/56/cmdline	pkill
File opened for reading	/proc/593/ctty	pkill
File opened for reading	/proc/1402/stat	pkill
File opened for reading	/proc/1976/status	pkill
File opened for reading	/proc/45/cmdline	pkill
File opened for reading	/proc/123/cgroup	pkill
File opened for reading	/proc/1990/ctty	pkill
File opened for reading	/proc/1993/stat	pkill
File opened for reading	/proc/2513/status	pkill

Writes file to tmp directory 3 IoCs

Malware often drops required files in the /tmp directory.

Processes:

SecuriteInfo.com.Linux.Miner-ZS.18234.26199

description	ioc	process
File opened for modification	/tmp/.ICEd-unix/uuid	SecuriteInfo.com.Linux.Miner-ZS.18234.26199
File opened for modification	/tmp/kdevtmpfsi	SecuriteInfo.com.Linux.Miner-ZS.18234.26199
File opened for modification	/tmp/.ICEd-unix/834143783	SecuriteInfo.com.Linux.Miner-ZS.18234.26199

/tmp/SecuriteInfo.com.Linux.Miner-ZS.18234.26199
/tmp/SecuriteInfo.com.Linux.Miner-ZS.18234.26199
1⤵
- Enumerates kernel/hardware configuration
PID:2499
- /usr/bin/getconf
  /usr/bin/getconf CLK_TCK
  2⤵
  PID:2503
- /tmp/SecuriteInfo.com.Linux.Miner-ZS.18234.26199
  /tmp/SecuriteInfo.com.Linux.Miner-ZS.18234.26199
  2⤵
  - Reads list of loaded kernel modules
  - Checks CPU configuration
  - Enumerates kernel/hardware configuration
  - Writes file to tmp directory
  PID:2508
- - /usr/bin/getconf
    /usr/bin/getconf CLK_TCK
    3⤵
    PID:2511
- - /usr/bin/sh
    sh -c "pkill -f kdevtmpfsi"
    3⤵
    PID:2533
  - - /usr/bin/pkill
      pkill -f kdevtmpfsi
      4⤵
      Reads CPU attributes
      Enumerates kernel/hardware configuration
      Reads runtime system information
      PID:2534
- - /usr/bin/sh
    sh -c "chmod +x /tmp/kdevtmpfsi"
    3⤵
    PID:2535
  - - /usr/bin/chmod
      chmod +x /tmp/kdevtmpfsi
      4⤵
      PID:2536
- - /usr/bin/sh
    sh -c "/tmp/kdevtmpfsi &"
    3⤵
    PID:2537

/tmp/kdevtmpfsi
/tmp/kdevtmpfsi
1⤵
- Executes dropped EXE
- Checks hardware identifiers (DMI)
- Reads hardware information
- Checks CPU configuration
- Reads CPU attributes
- Enumerates kernel/hardware configuration
PID:2538
- /sbin/modprobe
  /sbin/modprobe msr
  2⤵
  - Enumerates kernel/hardware configuration
  PID:2546

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Virtualization/Sandbox Evasion

3

T1497

Credential Access

Discovery

System Information Discovery

3

T1082

Virtualization/Sandbox Evasion

3

T1497

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

/tmp/.ICEd-unix/834143783

Filesize
4B

MD5
2aedcba61ca55ceb62d785c6b7f10a83

SHA1
b3a1739aaf1195342c2b34bbaf4e3aaa544ee875

SHA256
9f2ca3ad31656671b9e0bf12509c9e71dac5b8e8834145767f684bf193945d33

SHA512
424a95ea8dd4ca53556fd15272e8010aaa148004e8b37dbab7227ad2c4266ce88571945f4ce8eb944720cca2a9517b3790790090a78d91b492e6b22da1114bac

Download Submit
/tmp/.ICEd-unix/uuid

Filesize
36B

MD5
09b9854235403028d2c9d87a6156420d

SHA1
8de6035cd759abb6bc4e1d8a0834fbbe96c1700a

SHA256
b03c4d8b85f7ab7c8356cbadf169e5c5fe11047fca0e5ad4f57050d18fcb4ddb

SHA512
82f20fcfa46d6355b636be87fbc0d21996a6f871dc5ce070ed92529ceadfa3802e06930ec0f7e9893c3927a1a2b83c087ff524825cd5cfe14f658c6d47fe444d

Download Submit
/tmp/kdevtmpfsi

Filesize
3.7MB

MD5
8c6681daba966addd295ad89bf5146af

SHA1
64c558567e9566a6ecb1e97000a63d079348bf4c

SHA256
dd603db3e2c0800d5eaa262b6b8553c68deaa486b545d4965df5dc43217cc839

SHA512
a94ea9f61481d8d42e38c86067c258d830f6c899e032cd69f1769006ae24bf3be7f1b0071d51ae4d304740129919de113515eac3b7460123e1e01fe949bb6e4e

Download Submit

Resubmissions

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads