xmrig | 787e2c94e6d9ce5ec01f5cbe9ee2518431eca8523155526d6dc85934c9c5787c

General

Target

kinsing
Size

5.7MB
MD5

b3039abf2ad5202f4a9363b418002351
SHA1

0ceb8ffb0be23b808b534d744440f4367e17b9c5
SHA256

787e2c94e6d9ce5ec01f5cbe9ee2518431eca8523155526d6dc85934c9c5787c
SHA512

8b1a1003a021d0f69b9295f496bf550932ce85b096ca7057632756348da1354c2b104ff36e901b27def030b79749c8fc7f54163d6195e5e0cb9b357353ee654e
SSDEEP

49152:wCe/ydXZSrb/TJvO90dL3BmAFd4A64nsfJvaWi9sglz/KbwLjFfiawr1eAOkzDIK:3eidO9suPF+NL4FiBnIrb3rE

Score

10^/10

xmrig antivm defense_evasion discovery evasion miner upx

Malware Config

Signatures

xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

XMRig Miner payload 1 IoCs

miner

Processes:

resource	yara_rule
behavioral1/memory/1597-1-0x0000000000400000-0x0000000000bb1680-memory.dmp	xmrig

File and Directory Permissions Modification 1 TTPs 2 IoCs
Adversaries may modify file or directory permissions to evade defenses.
defense_evasion

Linux and Mac File and Directory Permissions Modification
T1222.002

Processes:

shchmod

pid process

1594 sh
1595 chmod
Executes dropped EXE 1 IoCs

Processes:

kdevtmpfsi

ioc pid process

/tmp/kdevtmpfsi 1597 kdevtmpfsi

pid	process
1594	sh
1595	chmod

ioc	pid	process
/tmp/kdevtmpfsi	1597	kdevtmpfsi

Checks hardware identifiers (DMI) 1 TTPs 4 IoCs

Checks DMI information which indicate if the system is a virtual machine.

antivm

System Checks

T1497.001

Processes:

kdevtmpfsi

description	ioc	process
File opened for reading	/sys/devices/virtual/dmi/id/sys_vendor	kdevtmpfsi
File opened for reading	/sys/devices/virtual/dmi/id/product_name	kdevtmpfsi
File opened for reading	/sys/devices/virtual/dmi/id/board_vendor	kdevtmpfsi
File opened for reading	/sys/devices/virtual/dmi/id/bios_vendor	kdevtmpfsi

Enumerates running processes
Discovers information about currently running processes on the system

Reads hardware information 1 TTPs 14 IoCs

Accesses system info like serial numbers, manufacturer names etc.

discovery

System Information Discovery

T1082

Processes:

kdevtmpfsi

description	ioc	process
File opened for reading	/sys/devices/virtual/dmi/id/chassis_serial	kdevtmpfsi
File opened for reading	/sys/devices/virtual/dmi/id/product_version	kdevtmpfsi
File opened for reading	/sys/devices/virtual/dmi/id/board_name	kdevtmpfsi
File opened for reading	/sys/devices/virtual/dmi/id/board_serial	kdevtmpfsi
File opened for reading	/sys/devices/virtual/dmi/id/chassis_vendor	kdevtmpfsi
File opened for reading	/sys/devices/virtual/dmi/id/chassis_type	kdevtmpfsi
File opened for reading	/sys/devices/virtual/dmi/id/product_uuid	kdevtmpfsi
File opened for reading	/sys/devices/virtual/dmi/id/board_version	kdevtmpfsi
File opened for reading	/sys/devices/virtual/dmi/id/bios_date	kdevtmpfsi
File opened for reading	/sys/devices/virtual/dmi/id/product_serial	kdevtmpfsi
File opened for reading	/sys/devices/virtual/dmi/id/board_asset_tag	kdevtmpfsi
File opened for reading	/sys/devices/virtual/dmi/id/chassis_version	kdevtmpfsi
File opened for reading	/sys/devices/virtual/dmi/id/bios_version	kdevtmpfsi
File opened for reading	/sys/devices/virtual/dmi/id/chassis_asset_tag	kdevtmpfsi

Reads list of loaded kernel modules 1 TTPs 1 IoCs
Reads the list of currently loaded kernel modules, possibly to detect virtual environments.
evasion

Virtualization/Sandbox Evasion
T1497

Processes:

kinsing

description ioc process

File opened for reading /proc/modules kinsing
UPX packed file 1 IoCs
Detects executables packed with UPX/modified UPX open source packer.
upx

Processes:

resource yara_rule

/tmp/kdevtmpfsi upx
Checks CPU configuration 1 TTPs 2 IoCs
Checks CPU information which indicate if the system is a virtual machine.
antivm

System Checks
T1497.001

Processes:

kinsingkdevtmpfsi

description ioc process

File opened for reading /proc/cpuinfo kinsing
File opened for reading /proc/cpuinfo kdevtmpfsi

description	ioc	process
File opened for reading	/proc/modules	kinsing

resource	yara_rule
/tmp/kdevtmpfsi	upx

description	ioc	process
File opened for reading	/proc/cpuinfo	kinsing
File opened for reading	/proc/cpuinfo	kdevtmpfsi

Reads CPU attributes 1 TTPs 5 IoCs

discovery

System Information Discovery

T1082

Processes:

pkillpkillkdevtmpfsi

description	ioc	process
File opened for reading	/sys/devices/system/cpu/online	pkill
File opened for reading	/sys/devices/system/cpu/online	pkill
File opened for reading	/sys/devices/system/cpu/online	kdevtmpfsi
File opened for reading	/sys/devices/system/cpu/types	kdevtmpfsi
File opened for reading	/sys/devices/system/cpu/possible	kdevtmpfsi

Enumerates kernel/hardware configuration 1 TTPs 63 IoCs

Reads contents of /sys virtual filesystem to enumerate system information.

discovery

System Information Discovery

T1082

Processes:

kdevtmpfsikinsingkinsing

description	ioc	process
File opened for reading	/sys/bus/cpu/devices/cpu0/cache/index7/shared_cpu_map	kdevtmpfsi
File opened for reading	/sys/bus/node/devices/node0/meminfo	kdevtmpfsi
File opened for reading	/sys/bus/cpu/devices/cpu0/cache/index1/type	kdevtmpfsi
File opened for reading	/sys/bus/cpu/devices/cpu0/cache/index3/type	kdevtmpfsi
File opened for reading	/sys/fs/cgroup/cgroup.controllers	kdevtmpfsi
File opened for reading	/sys/bus/cpu/devices/cpu0/topology/die_cpus	kdevtmpfsi
File opened for reading	/sys/bus/cpu/devices/cpu0/cache/index3/number_of_sets	kdevtmpfsi
File opened for reading	/sys/bus/cpu/devices/cpu0/cache/index2/physical_line_partition	kdevtmpfsi
File opened for reading	/sys/bus/cpu/devices/cpu0/cache/index3/coherency_line_size	kdevtmpfsi
File opened for reading	/sys/bus/cpu/devices/cpu0/cpufreq/base_frequency	kdevtmpfsi
File opened for reading	/sys/devices/system/node/online	kdevtmpfsi
File opened for reading	/sys/bus/cpu/devices/cpu0/cache/index0/level	kdevtmpfsi
File opened for reading	/sys/bus/cpu/devices/cpu0/cache/index2/shared_cpu_map	kdevtmpfsi
File opened for reading	/sys/bus/node/devices/node0/hugepages/hugepages-2048kB/nr_hugepages	kdevtmpfsi
File opened for reading	/sys/bus/cpu/devices/cpu0/cache/index0/shared_cpu_map	kdevtmpfsi
File opened for reading	/sys/bus/cpu/devices/cpu0/cache/index5/shared_cpu_map	kdevtmpfsi
File opened for reading	/sys/bus/node/devices/node0/hugepages/hugepages-1048576kB/nr_hugepages	kdevtmpfsi
File opened for reading	/sys/bus/dax/devices/target_node	kdevtmpfsi
File opened for reading	/sys/bus/cpu/devices/cpu0/cache/index0/number_of_sets	kdevtmpfsi
File opened for reading	/sys/bus/cpu/devices/cpu0/cache/index2/level	kdevtmpfsi
File opened for reading	/sys/bus/cpu/devices/cpu0/topology/package_cpus	kdevtmpfsi
File opened for reading	/sys/bus/cpu/devices/cpu0/cache/index0/type	kdevtmpfsi
File opened for reading	/sys/bus/cpu/devices/cpu0/cache/index2/size	kdevtmpfsi
File opened for reading	/sys/bus/cpu/devices/cpu0/cpufreq/cpuinfo_max_freq	kdevtmpfsi
File opened for reading	/sys/bus/node/devices/node0/access0/initiators/read_bandwidth	kdevtmpfsi
File opened for reading	/sys/devices/virtual/dmi/id	kdevtmpfsi
File opened for reading	/sys/bus/cpu/devices	kdevtmpfsi
File opened for reading	/sys/bus/cpu/devices/cpu0/topology/core_cpus	kdevtmpfsi
File opened for reading	/sys/bus/cpu/devices/cpu0/cache/index6/shared_cpu_map	kdevtmpfsi
File opened for reading	/sys/devices/system/cpu	kdevtmpfsi
File opened for reading	/sys/bus/cpu/devices/cpu0/topology/core_id	kdevtmpfsi
File opened for reading	/sys/bus/cpu/devices/cpu0/cache/index0/coherency_line_size	kdevtmpfsi
File opened for reading	/sys/bus/cpu/devices/cpu0/cache/index4/shared_cpu_map	kdevtmpfsi
File opened for reading	/sys/kernel/mm/hugepages	kdevtmpfsi
File opened for reading	/sys/bus/dax/devices	kdevtmpfsi
File opened for reading	/sys/fs/cgroup/cpuset.cpus.effective	kdevtmpfsi
File opened for reading	/sys/bus/cpu/devices/cpu0/cache/index3/shared_cpu_map	kdevtmpfsi
File opened for reading	/sys/bus/cpu/devices/cpu0/cache/index2/type	kdevtmpfsi
File opened for reading	/sys/bus/cpu/devices/cpu0/cache/index2/coherency_line_size	kdevtmpfsi
File opened for reading	/sys/bus/cpu/devices/cpu0/cache/index3/size	kdevtmpfsi
File opened for reading	/sys/bus/cpu/devices/cpu0/cache/index3/physical_line_partition	kdevtmpfsi
File opened for reading	/sys/bus/node/devices/node0/access1/initiators	kdevtmpfsi
File opened for reading	/sys/bus/node/devices/node0/access0/initiators	kdevtmpfsi
File opened for reading	/sys/bus/cpu/devices/cpu0/topology/physical_package_id	kdevtmpfsi
File opened for reading	/sys/bus/cpu/devices/cpu0/cache/index0/physical_line_partition	kdevtmpfsi
File opened for reading	/sys/bus/node/devices/node0/access0/initiators/read_latency	kdevtmpfsi
File opened for reading	/sys/firmware/dmi/tables/smbios_entry_point	kdevtmpfsi
File opened for reading	/sys/kernel/mm/hugepages/hugepages-2048kB/nr_hugepages	kdevtmpfsi
File opened for reading	/sys/bus/node/devices/node0/hugepages	kdevtmpfsi
File opened for reading	/sys/bus/cpu/devices/cpu0/cache/index9/shared_cpu_map	kdevtmpfsi
File opened for reading	/sys/bus/cpu/devices/cpu0/cache/index3/level	kdevtmpfsi
File opened for reading	/sys/bus/cpu/devices/cpu0/cache/index8/shared_cpu_map	kdevtmpfsi
File opened for reading	/sys/kernel/mm/hugepages/hugepages-1048576kB/nr_hugepages	kdevtmpfsi
File opened for reading	/sys/bus/node/devices/node0/cpumap	kdevtmpfsi
File opened for reading	/sys/bus/cpu/devices/cpu0/cache/index1/level	kdevtmpfsi
File opened for reading	/sys/bus/cpu/devices/cpu0/cache/index2/number_of_sets	kdevtmpfsi
File opened for reading	/sys/fs/cgroup/cpuset.mems.effective	kdevtmpfsi
File opened for reading	/sys/bus/cpu/devices/cpu0/cache/index1/shared_cpu_map	kdevtmpfsi
File opened for reading	/sys/kernel/mm/transparent_hugepage/hpage_pmd_size	kinsing
File opened for reading	/sys/kernel/mm/transparent_hugepage/hpage_pmd_size	kinsing
File opened for reading	/sys/bus/cpu/devices/cpu0/cache/index0/size	kdevtmpfsi
File opened for reading	/sys/bus/dax/target_node	kdevtmpfsi
File opened for reading	/sys/firmware/dmi/tables/DMI	kdevtmpfsi

Reads runtime system information 64 IoCs

Reads data from /proc virtual filesystem.

discovery

Processes:

pkillpkillkinsing

description	ioc	process
File opened for reading	/proc/1260/status	pkill
File opened for reading	/proc/990/cmdline	pkill
File opened for reading	/proc/313/fd	kinsing
File opened for reading	/proc/1178/cmdline	pkill
File opened for reading	/proc/858/stat	kinsing
File opened for reading	/proc/1178/fd	kinsing
File opened for reading	/proc/2/status	pkill
File opened for reading	/proc/593/status	pkill
File opened for reading	/proc/1156/status	pkill
File opened for reading	/proc/26/fd	kinsing
File opened for reading	/proc/593/stat	kinsing
File opened for reading	/proc/1175/fd	kinsing
File opened for reading	/proc/1246/fd	kinsing
File opened for reading	/proc/90/status	pkill
File opened for reading	/proc/1165/status	pkill
File opened for reading	/proc/262/status	pkill
File opened for reading	/proc/640/cmdline	pkill
File opened for reading	/proc/758/fd	kinsing
File opened for reading	/proc/1158/fd	kinsing
File opened for reading	/proc/14/cmdline	pkill
File opened for reading	/proc/1109/cmdline	pkill
File opened for reading	/proc/1252/cmdline	pkill
File opened for reading	/proc/79/stat	kinsing
File opened for reading	/proc/88/fd	kinsing
File opened for reading	/proc/1046/cmdline	pkill
File opened for reading	/proc/1229/cmdline	pkill
File opened for reading	/proc/20/status	pkill
File opened for reading	/proc/89/status	pkill
File opened for reading	/proc/425/status	pkill
File opened for reading	/proc/1165/status	pkill
File opened for reading	/proc/664/stat	kinsing
File opened for reading	/proc/1109/stat	kinsing
File opened for reading	/proc/1237/status	pkill
File opened for reading	/proc/425/cmdline	pkill
File opened for reading	/proc/501/cmdline	pkill
File opened for reading	/proc/592/fd	kinsing
File opened for reading	/proc/758/stat	kinsing
File opened for reading	/proc/1157/stat	kinsing
File opened for reading	/proc/78/status	pkill
File opened for reading	/proc/80/cmdline	pkill
File opened for reading	/proc/17/fd	kinsing
File opened for reading	/proc/215/fd	kinsing
File opened for reading	/proc/203/cmdline	pkill
File opened for reading	/proc/827/cmdline	pkill
File opened for reading	/proc/76/cmdline	pkill
File opened for reading	/proc/221/cmdline	pkill
File opened for reading	/proc/1378/status	pkill
File opened for reading	/proc/770/fd	kinsing
File opened for reading	/proc/956/stat	kinsing
File opened for reading	/proc/1378/cmdline	pkill
File opened for reading	/proc/1450/status	pkill
File opened for reading	/proc/1156/cmdline	pkill
File opened for reading	/proc/uptime	pkill
File opened for reading	/proc/1101/fd	kinsing
File opened for reading	/proc/101/cmdline	pkill
File opened for reading	/proc/75/cmdline	pkill
File opened for reading	/proc/4/fd	kinsing
File opened for reading	/proc/962/fd	kinsing
File opened for reading	/proc/1073/cmdline	pkill
File opened for reading	/proc/1543/status	pkill
File opened for reading	/proc/1183/cmdline	pkill
File opened for reading	/proc/1185/status	pkill
File opened for reading	/proc/1109/fd	kinsing
File opened for reading	/proc/1144/fd	kinsing

Writes file to tmp directory 3 IoCs

Malware often drops required files in the /tmp directory.

Processes:

kinsing

description	ioc	process
File opened for modification	/tmp/.ICEd-unix/uuid	kinsing
File opened for modification	/tmp/kdevtmpfsi	kinsing
File opened for modification	/tmp/.ICEd-unix/3807250317	kinsing

/tmp/kinsing
/tmp/kinsing
1⤵
- Enumerates kernel/hardware configuration
PID:1555

/tmp/kinsing
/tmp/kinsing
2⤵
- Reads list of loaded kernel modules
- Checks CPU configuration
- Enumerates kernel/hardware configuration
- Reads runtime system information
- Writes file to tmp directory
PID:1559

/usr/bin/sh
sh -c "pkill -f kdevtmpfsi"
3⤵
PID:1586

/usr/bin/pkill
pkill -f kdevtmpfsi
4⤵
- Reads CPU attributes
- Reads runtime system information
PID:1587

/usr/bin/sh
sh -c "pkill -f kdevtmpfsi"
3⤵
PID:1592

/usr/bin/pkill
pkill -f kdevtmpfsi
4⤵
- Reads CPU attributes
- Reads runtime system information
PID:1593

/usr/bin/sh
sh -c "chmod +x /tmp/kdevtmpfsi"
3⤵
- File and Directory Permissions Modification
PID:1594

/usr/bin/chmod
chmod +x /tmp/kdevtmpfsi
4⤵
- File and Directory Permissions Modification
PID:1595

/usr/bin/sh
sh -c "/tmp/kdevtmpfsi &"
3⤵
PID:1596

/tmp/kdevtmpfsi
/tmp/kdevtmpfsi
1⤵
- Executes dropped EXE
- Checks hardware identifiers (DMI)
- Reads hardware information
- Checks CPU configuration
- Reads CPU attributes
- Enumerates kernel/hardware configuration
PID:1597

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

File and Directory Permissions Modification

1

T1222

Linux and Mac File and Directory Permissions Modification

1

T1222.002

Virtualization/Sandbox Evasion

3

T1497

System Checks

2

T1497.001

Credential Access

Discovery

System Information Discovery

3

T1082

Virtualization/Sandbox Evasion

3

T1497

System Checks

2

T1497.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

/tmp/.ICEd-unix/3807250317

Filesize
4B

MD5
9c19a2aa1d84e04b0bd4bc888792bd1e

SHA1
037880d210451b590c3a5229ea350645724e7e15

SHA256
191024c47d6c2b3c24a570326b7e29f09652ec8bc2bb1779d95783e8753d12db

SHA512
fbc7830e289b19696b7b6e01ae6d7e5403d144d417e380e47c29ea17db59c765ae7aa4a47cf885b6af0df831a8c98d5f99a40c35d121854ba273dd4afab24f93

Download Submit
/tmp/.ICEd-unix/uuid

Filesize
36B

MD5
f3873ff36d51282d10c577982e701dce

SHA1
17f41ee117e16c1d82648e34a5ca6ed3ba34506b

SHA256
6d8ad7891d61b9ec454f31292ff5e0497a914df9938802542f7ce25c41248942

SHA512
c9e390950edee1d2e7eb94a77a500837d8c31a06580ff6fa2bb3e30d8012558813594b71d0059d2faf52e35789bc95d4b1a7536724aee1b866454f4edca95157

Download Submit
/tmp/kdevtmpfsi

Filesize
2.0MB

MD5
c82bb3c68f7a033b407aa3f53827b7fd

SHA1
6296e8ed40e430480791bf7b4fcdafde5f834837

SHA256
6fc94d8aecc538b1d099a429fb68ac20d7b6ae8b3c7795ae72dd2b7107690b8f

SHA512
0412482bf1eaaf0c1fd795dd1253f3466db46f1d528297f4d9455dd59117097b4f53583405d77dd7bcc9ffc123cf65d5470f23e6075cbb61b01709f324347df5

Download Submit
memory/1597-1-0x0000000000400000-0x0000000000bb1680-memory.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads