Analysis

  • max time kernel
    55s
  • max time network
    55s
  • platform
    ubuntu-20.04_amd64
  • resource
    ubuntu2004-amd64-20240508-en
  • resource tags

    arch:amd64arch:i386image:ubuntu2004-amd64-20240508-enkernel:5.4.0-169-genericlocale:en-usos:ubuntu-20.04-amd64system
  • submitted
    22-10-2024 13:13

General

  • Target

    xmr_linux_amd64 (1)

  • Size

    9.3MB

  • MD5

    30ed78992f6bfe3b10a1687950a46933

  • SHA1

    11738358a01cae7cc1665903344656cc024bfca7

  • SHA256

    a5045141162aebd4305f7eb40b3ca5ae76f2841c7d06bf65e9aa29d9ae3688a3

  • SHA512

    a2e771bd3dcaec8fe2bdf2a08915db840f685bbf29d04e2bb4b9919e2dfbcf92368a7a9cf78096b1382d4864fad1ec6a270a4b82f05ce68109d0e42f816d3f1a

  • SSDEEP

    49152:VpG6uvlGxmRazlSg7SYQJHyQJRHOVYggfvwMui0VPo5mX7XEcLUH/41rKSkR7N4G:XeMhyTQQrD4vVVimfk/FFiIEXMKQYC3

Malware Config

Signatures

  • XMRig Miner payload 2 IoCs
  • xmrig

    XMRig is a high performance, open source, cross platform CPU/GPU miner.

  • Executes dropped EXE 11 IoCs
  • Modifies hosts file 1 IoCs

    Adds to hosts file used for mapping hosts to IP addresses.

  • OS Credential Dumping 1 TTPs 12 IoCs

    Adversaries may attempt to dump credentials to use it in password cracking.

  • Abuse Elevation Control Mechanism: Sudo and Sudo Caching 1 TTPs 12 IoCs

    Abuse sudo or cached sudo credentials to execute code.

  • Checks hardware identifiers (DMI) 1 TTPs 44 IoCs

    Checks DMI information which indicate if the system is a virtual machine.

  • Enumerates running processes

    Discovers information about currently running processes on the system

  • Legitimate hosting services abused for malware hosting/C2 1 TTPs 3 IoCs
  • Looks up external IP address via web service 3 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Reads hardware information 1 TTPs 64 IoCs

    Accesses system info like serial numbers, manufacturer names etc.

  • Reads list of loaded kernel modules 1 TTPs 1 IoCs

    Reads the list of currently loaded kernel modules, possibly to detect virtual environments.

  • Checks CPU configuration 1 TTPs 12 IoCs

    Checks CPU information which indicate if the system is a virtual machine.

  • Reads CPU attributes 1 TTPs 64 IoCs
  • Enumerates kernel/hardware configuration 1 TTPs 64 IoCs

    Reads contents of /sys virtual filesystem to enumerate system information.

  • Reads runtime system information 64 IoCs

    Reads data from /proc virtual filesystem.

  • Writes file to tmp directory 2 IoCs

    Malware often drops required files in the /tmp directory.

Processes

  • /tmp/xmr_linux_amd64 (1)
    "/tmp/xmr_linux_amd64 (1)"
    1⤵
    • Modifies hosts file
    • Reads list of loaded kernel modules
    • Checks CPU configuration
    • Reads runtime system information
    • Writes file to tmp directory
    PID:1408
    • /usr/bin/sudo
      sudo -n true
      2⤵
      • OS Credential Dumping
      • Abuse Elevation Control Mechanism: Sudo and Sudo Caching
      PID:1451
      • /usr/bin/true
        true
        3⤵
          PID:1452
      • /usr/bin/sudo
        sudo -n /tmp/xmrig/xmrig-6.22.0/xmrig
        2⤵
        • OS Credential Dumping
        • Abuse Elevation Control Mechanism: Sudo and Sudo Caching
        • Reads runtime system information
        PID:1459
        • /tmp/xmrig/xmrig-6.22.0/xmrig
          /tmp/xmrig/xmrig-6.22.0/xmrig
          3⤵
          • Executes dropped EXE
          • Checks hardware identifiers (DMI)
          • Reads hardware information
          • Checks CPU configuration
          • Reads CPU attributes
          • Enumerates kernel/hardware configuration
          • Reads runtime system information
          PID:1460
      • /usr/bin/sudo
        sudo -n /tmp/xmrig/xmrig-6.22.0/xmrig
        2⤵
        • OS Credential Dumping
        • Abuse Elevation Control Mechanism: Sudo and Sudo Caching
        PID:1467
        • /tmp/xmrig/xmrig-6.22.0/xmrig
          /tmp/xmrig/xmrig-6.22.0/xmrig
          3⤵
          • Executes dropped EXE
          • Checks hardware identifiers (DMI)
          • Reads hardware information
          • Checks CPU configuration
          • Reads CPU attributes
          • Enumerates kernel/hardware configuration
          PID:1468
      • /usr/bin/sudo
        sudo -n /tmp/xmrig/xmrig-6.22.0/xmrig
        2⤵
        • OS Credential Dumping
        • Abuse Elevation Control Mechanism: Sudo and Sudo Caching
        PID:1474
        • /tmp/xmrig/xmrig-6.22.0/xmrig
          /tmp/xmrig/xmrig-6.22.0/xmrig
          3⤵
          • Executes dropped EXE
          • Checks hardware identifiers (DMI)
          • Reads hardware information
          • Checks CPU configuration
          • Reads CPU attributes
          • Enumerates kernel/hardware configuration
          PID:1475
      • /usr/bin/sudo
        sudo -n /tmp/xmrig/xmrig-6.22.0/xmrig
        2⤵
        • OS Credential Dumping
        • Abuse Elevation Control Mechanism: Sudo and Sudo Caching
        • Reads runtime system information
        PID:1482
        • /tmp/xmrig/xmrig-6.22.0/xmrig
          /tmp/xmrig/xmrig-6.22.0/xmrig
          3⤵
          • Executes dropped EXE
          • Checks hardware identifiers (DMI)
          • Reads hardware information
          • Checks CPU configuration
          • Reads CPU attributes
          • Enumerates kernel/hardware configuration
          PID:1483
      • /usr/bin/sudo
        sudo -n /tmp/xmrig/xmrig-6.22.0/xmrig
        2⤵
        • OS Credential Dumping
        • Abuse Elevation Control Mechanism: Sudo and Sudo Caching
        PID:1489
        • /tmp/xmrig/xmrig-6.22.0/xmrig
          /tmp/xmrig/xmrig-6.22.0/xmrig
          3⤵
          • Executes dropped EXE
          • Checks hardware identifiers (DMI)
          • Reads hardware information
          • Checks CPU configuration
          • Reads CPU attributes
          • Enumerates kernel/hardware configuration
          PID:1490
      • /usr/bin/sudo
        sudo -n /tmp/xmrig/xmrig-6.22.0/xmrig
        2⤵
        • OS Credential Dumping
        • Abuse Elevation Control Mechanism: Sudo and Sudo Caching
        PID:1496
        • /tmp/xmrig/xmrig-6.22.0/xmrig
          /tmp/xmrig/xmrig-6.22.0/xmrig
          3⤵
          • Executes dropped EXE
          • Checks hardware identifiers (DMI)
          • Reads hardware information
          • Checks CPU configuration
          • Reads CPU attributes
          • Enumerates kernel/hardware configuration
          • Reads runtime system information
          PID:1497
      • /usr/bin/sudo
        sudo -n /tmp/xmrig/xmrig-6.22.0/xmrig
        2⤵
        • OS Credential Dumping
        • Abuse Elevation Control Mechanism: Sudo and Sudo Caching
        PID:1520
        • /tmp/xmrig/xmrig-6.22.0/xmrig
          /tmp/xmrig/xmrig-6.22.0/xmrig
          3⤵
          • Executes dropped EXE
          • Checks hardware identifiers (DMI)
          • Reads hardware information
          • Checks CPU configuration
          • Reads CPU attributes
          • Enumerates kernel/hardware configuration
          • Reads runtime system information
          PID:1521
      • /usr/bin/sudo
        sudo -n /tmp/xmrig/xmrig-6.22.0/xmrig
        2⤵
        • OS Credential Dumping
        • Abuse Elevation Control Mechanism: Sudo and Sudo Caching
        PID:1528
        • /tmp/xmrig/xmrig-6.22.0/xmrig
          /tmp/xmrig/xmrig-6.22.0/xmrig
          3⤵
          • Executes dropped EXE
          • Checks hardware identifiers (DMI)
          • Reads hardware information
          • Checks CPU configuration
          • Reads CPU attributes
          • Enumerates kernel/hardware configuration
          PID:1529
      • /usr/bin/sudo
        sudo -n /tmp/xmrig/xmrig-6.22.0/xmrig
        2⤵
        • OS Credential Dumping
        • Abuse Elevation Control Mechanism: Sudo and Sudo Caching
        PID:1536
        • /tmp/xmrig/xmrig-6.22.0/xmrig
          /tmp/xmrig/xmrig-6.22.0/xmrig
          3⤵
          • Executes dropped EXE
          • Checks hardware identifiers (DMI)
          • Reads hardware information
          • Checks CPU configuration
          • Reads CPU attributes
          • Enumerates kernel/hardware configuration
          • Reads runtime system information
          PID:1537
      • /usr/bin/sudo
        sudo -n /tmp/xmrig/xmrig-6.22.0/xmrig
        2⤵
        • OS Credential Dumping
        • Abuse Elevation Control Mechanism: Sudo and Sudo Caching
        PID:1543
        • /tmp/xmrig/xmrig-6.22.0/xmrig
          /tmp/xmrig/xmrig-6.22.0/xmrig
          3⤵
          • Executes dropped EXE
          • Checks hardware identifiers (DMI)
          • Reads hardware information
          • Checks CPU configuration
          • Reads CPU attributes
          • Enumerates kernel/hardware configuration
          • Reads runtime system information
          PID:1544
      • /usr/bin/sudo
        sudo -n /tmp/xmrig/xmrig-6.22.0/xmrig
        2⤵
        • OS Credential Dumping
        • Abuse Elevation Control Mechanism: Sudo and Sudo Caching
        • Reads runtime system information
        PID:1550
        • /tmp/xmrig/xmrig-6.22.0/xmrig
          /tmp/xmrig/xmrig-6.22.0/xmrig
          3⤵
          • Executes dropped EXE
          • Checks hardware identifiers (DMI)
          • Reads hardware information
          • Checks CPU configuration
          • Reads CPU attributes
          • Enumerates kernel/hardware configuration
          PID:1551

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • /config/.config/openbox/autostart

      Filesize

      90B

      MD5

      dbc6fcef70ddc428bd6fed92d06902d6

      SHA1

      f5bf017e726674a6bc954552ba72615de1df1257

      SHA256

      271572941325c5bb6af86dfd2160a2e1358f7130535f88689a4a92ba2c6309fe

      SHA512

      0875636d796d3fb3f4a7930b041f70aec60ee2d11bddc22f5b93fb5ba045aa2bf353a8d0c8c789a7258da49ac099ffad8207344fd178aa85749eaf5504c3ad82

    • /tmp/xmrig/xmrig-6.22.0/config.json

      Filesize

      4KB

      MD5

      5c6108e6bc4e612dd59aa1ce9ac909ff

      SHA1

      b66515c379ee4ebaf312b1d453d147527d3a83b2

      SHA256

      fa70f1a297f3ed7d2ef75598d4a1da3fb82d68fc14322fdcc0f29c909882a599

      SHA512

      b69b4b6f73e03f82854f449737a9a24a489b1231681a62a3853037443489ccc52a576f85a5acd4ab21c612c8768f7b0ade6815785293926e195dc93a46d2670b

    • /tmp/xmrig/xmrig-6.22.0/config.json

      Filesize

      4KB

      MD5

      a0a58ef6abbe3c966204eb8e96739b96

      SHA1

      e90191ea7b63401a84e2633f9367add4d9c6c230

      SHA256

      86bc0a9034ed2052fa4b9f5dc4119b6aec0dad40623506dcfe3b5bdd405bcf5f

      SHA512

      60a858a4589569f0a3f475860a7d3ee009314014a9052399d5231ba9021a8164de8f466cbde4c4843813fb60e96b1d90003039ea608f35ef476902ac1859da5a

    • /tmp/xmrig/xmrig-6.22.0/xmrig

      Filesize

      9.0MB

      MD5

      3d1f6bd959a6bdc423d43342dde28b56

      SHA1

      79266b5cc7c3762998e87411c56b6bd1a573b91f

      SHA256

      0d861bf1eafe3cd5d47197b2def17efb6853f2d0a5a46cafb289c013c449b33b

      SHA512

      b660cfad542a18a82f06080a51976ab7a355080572728f814b1b927e6956918b73172ecd58c5a9dcfe1af6759dc8bf9acbaa2595e6c10e0e44e7ade903e87439