Analysis
max time kernel: 149s
max time network: 147s
platform: ubuntu-22.04_amd64
resource: ubuntu2204-amd64-20240522.1-en
resource tags: arch:amd64, arch:i386, image:ubuntu2204-amd64-20240522.1-en, kernel:5.15.0-105-generic, locale:en-us, os:ubuntu-22.04-amd64, system
submitted: 30-08-2024 13:20
General
Target: SecuriteInfo.com.Linux.MinerZS.18234.26199
Size: 14.0MB
MD5: 648effa354b3cbaad87b45f48d59c616
SHA1: 0194637f1e83c2efc8bcda8d20c446805698c7bc
SHA256: 6e25ad03103a1a972b78c642bac09060fa79c460011dc5748cbb433cc459938b
SHA512: 7ed0b6abeda6b3682bb94fbce8c5eeddf6206db23a87c11d606ea2f84a7606420ed47290317b5d9cb4d99f5c07943b8a7a548671d4c73106d6fbd48cd37bc146
SSDEEP: 98304:zpU9MTfASNlnewCIoxAlfVG9bnY+Zx+A:zG9GfASNlnewChxAxVWbY
Malware Config
Signatures
XMRig Miner payload (1 IoC)
  resource | yara_rule
  behavioral1/files/fstream-3.dat | xmrig
Executes dropped EXE (1 IoC)
  ioc | pid | Process
  /tmp/kdevtmpfsi | 1587 | kdevtmpfsi
Checks hardware identifiers (DMI) (1 TTP, 4 IoCs)
Checks DMI information that indicates whether the system is a virtual machine.
  description | ioc | Process
  File opened for reading | /sys/devices/virtual/dmi/id/product_name | kdevtmpfsi
  File opened for reading | /sys/devices/virtual/dmi/id/board_vendor | kdevtmpfsi
  File opened for reading | /sys/devices/virtual/dmi/id/bios_vendor | kdevtmpfsi
  File opened for reading | /sys/devices/virtual/dmi/id/sys_vendor | kdevtmpfsi
Enumerates running processes
Discovers information about currently running processes on the system.
Reads hardware information (1 TTP, 14 IoCs)
Accesses system info such as serial numbers and manufacturer names.
  description | ioc | Process
  File opened for reading | /sys/devices/virtual/dmi/id/board_name | kdevtmpfsi
  File opened for reading | /sys/devices/virtual/dmi/id/chassis_version | kdevtmpfsi
  File opened for reading | /sys/devices/virtual/dmi/id/bios_version | kdevtmpfsi
  File opened for reading | /sys/devices/virtual/dmi/id/chassis_vendor | kdevtmpfsi
  File opened for reading | /sys/devices/virtual/dmi/id/chassis_serial | kdevtmpfsi
  File opened for reading | /sys/devices/virtual/dmi/id/bios_date | kdevtmpfsi
  File opened for reading | /sys/devices/virtual/dmi/id/board_version | kdevtmpfsi
  File opened for reading | /sys/devices/virtual/dmi/id/board_asset_tag | kdevtmpfsi
  File opened for reading | /sys/devices/virtual/dmi/id/chassis_asset_tag | kdevtmpfsi
  File opened for reading | /sys/devices/virtual/dmi/id/product_version | kdevtmpfsi
  File opened for reading | /sys/devices/virtual/dmi/id/product_serial | kdevtmpfsi
  File opened for reading | /sys/devices/virtual/dmi/id/product_uuid | kdevtmpfsi
  File opened for reading | /sys/devices/virtual/dmi/id/board_serial | kdevtmpfsi
  File opened for reading | /sys/devices/virtual/dmi/id/chassis_type | kdevtmpfsi
Reads list of loaded kernel modules (1 TTP, 1 IoC)
Reads the list of currently loaded kernel modules, possibly to detect virtual environments.
  description | ioc | Process
  File opened for reading | /proc/modules | SecuriteInfo.com.Linux.MinerZS.18234.26199
Checks CPU configuration (1 TTP, 2 IoCs)
Checks CPU information that indicates whether the system is a virtual machine.
  description | ioc | Process
  File opened for reading | /proc/cpuinfo | kdevtmpfsi
  File opened for reading | /proc/cpuinfo | SecuriteInfo.com.Linux.MinerZS.18234.26199
Reads CPU attributes (1 TTP, 3 IoCs)
  description | ioc | Process
  File opened for reading | /sys/devices/system/cpu/online | pkill
  File opened for reading | /sys/devices/system/cpu/online | kdevtmpfsi
  File opened for reading | /sys/devices/system/cpu/possible | kdevtmpfsi
Enumerates kernel/hardware configuration (1 TTP, 53 IoCs)
Reads contents of the /sys virtual filesystem to enumerate system information.
  description | ioc | Process
  File opened for reading | /sys/module/msr/initstate | modprobe
  File opened for reading | /sys/bus/cpu/devices/cpu0/topology/book_siblings | kdevtmpfsi
  File opened for reading | /sys/bus/cpu/devices/cpu0/cache/index1/shared_cpu_map | kdevtmpfsi
  File opened for reading | /sys/bus/cpu/devices/cpu0/cache/index1/type | kdevtmpfsi
  File opened for reading | /sys/bus/cpu/devices/cpu0/cache/index2/size | kdevtmpfsi
  File opened for reading | /sys/bus/cpu/devices/cpu0/cache/index2/number_of_sets | kdevtmpfsi
  File opened for reading | /sys/kernel/mm/hugepages | kdevtmpfsi
  File opened for reading | /sys/bus/node/devices/node0/cpumap | kdevtmpfsi
  File opened for reading | /sys/bus/cpu/devices/cpu0/cache/index0/shared_cpu_map | kdevtmpfsi
  File opened for reading | /sys/bus/cpu/devices/cpu0/cache/index0/type | kdevtmpfsi
  File opened for reading | /sys/bus/cpu/devices/cpu0/cache/index1/level | kdevtmpfsi
  File opened for reading | /sys/bus/node/devices | kdevtmpfsi
  File opened for reading | /sys/bus/cpu/devices/cpu0/topology/core_id | kdevtmpfsi
  File opened for reading | /sys/bus/cpu/devices/cpu0/cache/index3/level | kdevtmpfsi
  File opened for reading | /sys/bus/cpu/devices/cpu0/cache/index3/physical_line_partition | kdevtmpfsi
  File opened for reading | /sys/devices/virtual/dmi/id | kdevtmpfsi
  File opened for reading | /sys/bus/cpu/devices/cpu0/cache/index0/level | kdevtmpfsi
  File opened for reading | /sys/bus/cpu/devices/cpu0/cache/index2/physical_line_partition | kdevtmpfsi
  File opened for reading | /sys/bus/cpu/devices/cpu0/cache/index0/physical_line_partition | kdevtmpfsi
  File opened for reading | /sys/bus/cpu/devices/cpu0/cache/index3/shared_cpu_map | kdevtmpfsi
  File opened for reading | /sys/bus/cpu/devices/cpu0/cache/index4/shared_cpu_map | kdevtmpfsi
  File opened for reading | /sys/bus/cpu/devices/cpu0/cache/index9/shared_cpu_map | kdevtmpfsi
  File opened for reading | /sys/bus/cpu/devices/cpu0/cache/index2/shared_cpu_map | kdevtmpfsi
  File opened for reading | /sys/bus/node/devices/node0/hugepages | kdevtmpfsi
  File opened for reading | /sys/bus/cpu/devices/cpu0/cache/index2/level | kdevtmpfsi
  File opened for reading | /sys/bus/node/devices/node0/meminfo | kdevtmpfsi
  File opened for reading | /sys/devices/system/node/node0/hugepages/hugepages-2048kB/free_hugepages | kdevtmpfsi
  File opened for reading | /sys/kernel/mm/transparent_hugepage/hpage_pmd_size | SecuriteInfo.com.Linux.MinerZS.18234.26199
  File opened for reading | /sys/bus/cpu/devices/cpu0/topology/package_cpus | kdevtmpfsi
  File opened for reading | /sys/bus/cpu/devices/cpu0/cache/index3/coherency_line_size | kdevtmpfsi
  File opened for reading | /sys/bus/cpu/devices/cpu0/cache/index3/number_of_sets | kdevtmpfsi
  File opened for reading | /sys/kernel/mm/hugepages/hugepages-1048576kB/nr_hugepages | kdevtmpfsi
  File opened for reading | /sys/bus/node/devices/node0/hugepages/hugepages-1048576kB/nr_hugepages | kdevtmpfsi
  File opened for reading | /sys/bus/cpu/devices/cpu0/online | kdevtmpfsi
  File opened for reading | /sys/bus/cpu/devices/cpu0/cache/index2/coherency_line_size | kdevtmpfsi
  File opened for reading | /sys/bus/cpu/devices/cpu0/cache/index3/size | kdevtmpfsi
  File opened for reading | /sys/devices/system/node/node0/hugepages/hugepages-2048kB/nr_hugepages | kdevtmpfsi
  File opened for reading | /sys/bus/cpu/devices/cpu0/cache/index5/shared_cpu_map | kdevtmpfsi
  File opened for reading | /sys/bus/cpu/devices/cpu0/cache/index6/shared_cpu_map | kdevtmpfsi
  File opened for reading | /sys/bus/cpu/devices/cpu0/cache/index8/shared_cpu_map | kdevtmpfsi
  File opened for reading | /sys/bus/cpu/devices/cpu0/cache/index0/number_of_sets | kdevtmpfsi
  File opened for reading | /sys/bus/cpu/devices/cpu0/cache/index3/type | kdevtmpfsi
  File opened for reading | /sys/bus/cpu/devices/cpu0/cache/index7/shared_cpu_map | kdevtmpfsi
  File opened for reading | /sys/bus/node/devices/node0/hugepages/hugepages-2048kB/nr_hugepages | kdevtmpfsi
  File opened for reading | /sys/bus/cpu/devices | kdevtmpfsi
  File opened for reading | /sys/bus/cpu/devices/cpu0/topology/die_cpus | kdevtmpfsi
  File opened for reading | /sys/bus/cpu/devices/cpu0/topology/physical_package_id | kdevtmpfsi
  File opened for reading | /sys/bus/cpu/devices/cpu0/cache/index0/size | kdevtmpfsi
  File opened for reading | /sys/bus/cpu/devices/cpu0/cache/index0/coherency_line_size | kdevtmpfsi
  File opened for reading | /sys/kernel/mm/hugepages/hugepages-2048kB/nr_hugepages | kdevtmpfsi
  File opened for reading | /sys/bus/cpu/devices/cpu0/topology/core_cpus | kdevtmpfsi
  File opened for reading | /sys/bus/cpu/devices/cpu0/cache/index2/type | kdevtmpfsi
  File opened for reading | /sys/kernel/mm/transparent_hugepage/hpage_pmd_size | SecuriteInfo.com.Linux.MinerZS.18234.26199
Reads runtime system information (64 IoCs)
Reads data from the /proc virtual filesystem.
  description | ioc | Process
  File opened for reading | /proc/224/cmdline | pkill
  File opened for reading | /proc/314/cmdline | pkill
  File opened for reading | /proc/984/cmdline | pkill
  File opened for reading | /proc/83/status | pkill
  File opened for reading | /proc/89/cmdline | pkill
  File opened for reading | /proc/163/cmdline | pkill
  File opened for reading | /proc/639/cmdline | pkill
  File opened for reading | /proc/408/status | pkill
  File opened for reading | /proc/845/status | pkill
  File opened for reading | /proc/19/cmdline | pkill
  File opened for reading | /proc/102/cmdline | pkill
  File opened for reading | /proc/1279/status | pkill
  File opened for reading | /proc/1394/status | pkill
  File opened for reading | /proc/1045/cmdline | pkill
  File opened for reading | /proc/1181/status | pkill
  File opened for reading | /proc/22/cmdline | pkill
  File opened for reading | /proc/223/status | pkill
  File opened for reading | /proc/223/cmdline | pkill
  File opened for reading | /proc/17/status | pkill
  File opened for reading | /proc/26/status | pkill
  File opened for reading | /proc/1232/status | pkill
  File opened for reading | /proc/1588/status | SecuriteInfo.com.Linux.MinerZS.18234.26199
  File opened for reading | /proc/93/status | pkill
  File opened for reading | /proc/377/status | pkill
  File opened for reading | /proc/589/cmdline | pkill
  File opened for reading | /proc/1318/status | pkill
  File opened for reading | /proc/796/cmdline | pkill
  File opened for reading | /proc/1181/cmdline | pkill
  File opened for reading | /proc/27/status | pkill
  File opened for reading | /proc/94/cmdline | pkill
  File opened for reading | /proc/634/status | pkill
  File opened for reading | /proc/722/status | pkill
  File opened for reading | /proc/845/cmdline | pkill
  File opened for reading | /proc/1160/cmdline | pkill
  File opened for reading | /proc/1279/cmdline | pkill
  File opened for reading | /proc/408/cmdline | pkill
  File opened for reading | /proc/585/status | pkill
  File opened for reading | /proc/1183/status | pkill
  File opened for reading | /proc/17/cmdline | pkill
  File opened for reading | /proc/83/cmdline | pkill
  File opened for reading | /proc/1014/status | pkill
  File opened for reading | /proc/1160/status | pkill
  File opened for reading | /proc/1257/cmdline | pkill
  File opened for reading | /proc/1363/status | pkill
  File opened for reading | /proc/20/cmdline | pkill
  File opened for reading | /proc/640/status | pkill
  File opened for reading | /proc/664/status | pkill
  File opened for reading | /proc/1054/cmdline | pkill
  File opened for reading | /proc/73/status | pkill
  File opened for reading | /proc/78/status | pkill
  File opened for reading | /proc/24/cmdline | pkill
  File opened for reading | /proc/1057/status | pkill
  File opened for reading | /proc/1287/status | pkill
  File opened for reading | /proc/993/cmdline | pkill
  File opened for reading | /proc/1352/cmdline | pkill
  File opened for reading | /proc/82/status | pkill
  File opened for reading | /proc/88/cmdline | pkill
  File opened for reading | /proc/609/status | pkill
  File opened for reading | /proc/992/status | pkill
  File opened for reading | /proc/415/cmdline | pkill
  File opened for reading | /proc/521/status | pkill
  File opened for reading | /proc/25/status | pkill
  File opened for reading | /proc/225/status | pkill
  File opened for reading | /proc/735/status | pkill
Writes file to tmp directory (3 IoCs)
Malware often drops required files in the /tmp directory.
  description | ioc | Process
  File opened for modification | /tmp/.ICEd-unix/968682821 | SecuriteInfo.com.Linux.MinerZS.18234.26199
  File opened for modification | /tmp/.ICEd-unix/uuid | SecuriteInfo.com.Linux.MinerZS.18234.26199
  File opened for modification | /tmp/kdevtmpfsi | SecuriteInfo.com.Linux.MinerZS.18234.26199
Processes
/tmp/SecuriteInfo.com.Linux.MinerZS.18234.26199 (PID 1561)
  command: /tmp/SecuriteInfo.com.Linux.MinerZS.18234.26199
  - Enumerates kernel/hardware configuration
  /usr/bin/getconf (PID 1565)
    command: /usr/bin/getconf CLK_TCK
  /tmp/SecuriteInfo.com.Linux.MinerZS.18234.26199 (PID 1566)
    command: /tmp/SecuriteInfo.com.Linux.MinerZS.18234.26199
    - Reads list of loaded kernel modules
    - Checks CPU configuration
    - Enumerates kernel/hardware configuration
    - Reads runtime system information
    - Writes file to tmp directory
    /usr/bin/getconf (PID 1573)
      command: /usr/bin/getconf CLK_TCK
    /usr/bin/sh (PID 1582)
      command: sh -c "pkill -f kdevtmpfsi"
      /usr/bin/pkill (PID 1583)
        command: pkill -f kdevtmpfsi
        - Reads CPU attributes
        - Reads runtime system information
    /usr/bin/sh (PID 1584)
      command: sh -c "chmod +x /tmp/kdevtmpfsi"
      /usr/bin/chmod (PID 1585)
        command: chmod +x /tmp/kdevtmpfsi
    /usr/bin/sh (PID 1586)
      command: sh -c "/tmp/kdevtmpfsi &"
/tmp/kdevtmpfsi (PID 1587)
  command: /tmp/kdevtmpfsi
  - Executes dropped EXE
  - Checks hardware identifiers (DMI)
  - Reads hardware information
  - Checks CPU configuration
  - Reads CPU attributes
  - Enumerates kernel/hardware configuration
  /bin/sh (PID 1594)
    command: sh -c "/sbin/modprobe msr > /dev/null 2>&1"
    /sbin/modprobe (PID 1595)
      command: /sbin/modprobe msr
      - Enumerates kernel/hardware configuration
Network
MITRE ATT&CK Enterprise v15
Downloads
Filesize: 4B
MD5: 894b77f805bd94d292574c38c5d628d5
SHA1: 1784f0e37c1fdd6200c1e8b28e8caae5402e74e0
SHA256: d24eac45e69be063cc0053eb02650954eec62c314c405e564a4d11e951392e75
SHA512: 605b8ee18c6bd7c9d489faa803dc4c00fed6e7a4b21a9a69ba7b429642a06d7fe42e5fd45162f72fff76f1ec518c5840399c97d4ab0f7633651d35e2b19f2e05

Filesize: 36B
MD5: 5a02274879ac5b2c46306a91070dfa80
SHA1: 19b888cda8512a4d09a6f8738ca7c81e69986ebf
SHA256: 605e9483cfc71d314b167c916a66beaf48ee49b94483aeb41a67853a7cdef12c
SHA512: 4f2c2e726f7ebfadd227b79a108d4119e7d8897e892c5959a59cfa35c6166f9dc19751564150a1cd9252914540ac51437d6d5c29e5ad4f37b25549c43d3d3ee7

Filesize: 3.7MB
MD5: 8c6681daba966addd295ad89bf5146af
SHA1: 64c558567e9566a6ecb1e97000a63d079348bf4c
SHA256: dd603db3e2c0800d5eaa262b6b8553c68deaa486b545d4965df5dc43217cc839
SHA512: a94ea9f61481d8d42e38c86067c258d830f6c899e032cd69f1769006ae24bf3be7f1b0071d51ae4d304740129919de113515eac3b7460123e1e01fe949bb6e4e