xmrig_linux | 16601646d8a77944267e1011652f3b0c48a2c245a06986a0a9aca3afb87c7b11

General

Target

xmr_linux_amd64
Size

9.4MB
MD5

355086335423b9c48817e688e111a220
SHA1

b054fc63f8341f2837ad0f94af24ffc980c1ed57
SHA256

16601646d8a77944267e1011652f3b0c48a2c245a06986a0a9aca3afb87c7b11
SHA512

74e4f1933ee573c3f751fb96ec3a7b3db016af9ab7d19f5ef0191d2325feaa4923798aa52a2374efee191da6475e412c542d2c379e0f295f58287a561dfa10f8
SSDEEP

49152:Hu3qHoyXKo3Rhk9DO12pTZjCuXuNZHFWsdK0dpZQI9Y1IbgOSsQVDxTx/pQ5Enjh:O6IqaqqlEc6pCml59S1GEjAPqPhl

Score

10^/10

xmrig_linux antivm credential_access defense_evasion discovery evasion miner privilege_escalation

Malware Config

Signatures

XMRig Miner payload 2 IoCs

miner

Processes:

resource	yara_rule
/tmp/xmrig/xmrig-6.22.0/xmrig	family_xmrig
/tmp/xmrig/xmrig-6.22.0/xmrig	xmrig

xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig_linux
Modifies hosts file 1 IoCs
Adds to hosts file used for mapping hosts to IP addresses.

Processes:

xmr_linux_amd64

description ioc process

File opened for modification /etc/hosts xmr_linux_amd64

description	ioc	process
File opened for modification	/etc/hosts	xmr_linux_amd64

OS Credential Dumping 1 TTPs 35 IoCs

Adversaries may attempt to dump credentials to use it in password cracking.

credential_access

/etc/passwd and /etc/shadow

T1003.008

Processes:

sudosudosudosudosudosudosudosudosudosudosudosudosudosudosudosudosudosudosudosudosudosudosudosudosudosudosudosudosudosudosudosudosudosudosudo

description	ioc	process
File opened for reading	/etc/shadow	sudo
File opened for reading	/etc/shadow	sudo
File opened for reading	/etc/shadow	sudo
File opened for reading	/etc/shadow	sudo
File opened for reading	/etc/shadow	sudo
File opened for reading	/etc/shadow	sudo
File opened for reading	/etc/shadow	sudo
File opened for reading	/etc/shadow	sudo
File opened for reading	/etc/shadow	sudo
File opened for reading	/etc/shadow	sudo
File opened for reading	/etc/shadow	sudo
File opened for reading	/etc/shadow	sudo
File opened for reading	/etc/shadow	sudo
File opened for reading	/etc/shadow	sudo
File opened for reading	/etc/shadow	sudo
File opened for reading	/etc/shadow	sudo
File opened for reading	/etc/shadow	sudo
File opened for reading	/etc/shadow	sudo
File opened for reading	/etc/shadow	sudo
File opened for reading	/etc/shadow	sudo
File opened for reading	/etc/shadow	sudo
File opened for reading	/etc/shadow	sudo
File opened for reading	/etc/shadow	sudo
File opened for reading	/etc/shadow	sudo
File opened for reading	/etc/shadow	sudo
File opened for reading	/etc/shadow	sudo
File opened for reading	/etc/shadow	sudo
File opened for reading	/etc/shadow	sudo
File opened for reading	/etc/shadow	sudo
File opened for reading	/etc/shadow	sudo
File opened for reading	/etc/shadow	sudo
File opened for reading	/etc/shadow	sudo
File opened for reading	/etc/shadow	sudo
File opened for reading	/etc/shadow	sudo
File opened for reading	/etc/shadow	sudo

Abuse Elevation Control Mechanism: Sudo and Sudo Caching 1 TTPs 35 IoCs

Abuse sudo or cached sudo credentials to execute code.

privilege_escalation defense_evasion

Sudo and Sudo Caching

T1548.003

Processes:

sudosudosudosudosudosudosudosudosudosudosudosudosudosudosudosudosudosudosudosudosudosudosudosudosudosudosudosudosudosudosudosudosudosudosudo

pid	process
1476	sudo
1480	sudo
1615	sudo
1617	sudo
1637	sudo
1484	sudo
1485	sudo
1486	sudo
1633	sudo
1456	sudo
1475	sudo
1481	sudo
1493	sudo
1496	sudo
1634	sudo
1487	sudo
1489	sudo
1499	sudo
1616	sudo
1478	sudo
1479	sudo
1483	sudo
1497	sudo
1477	sudo
1495	sudo
1498	sudo
1632	sudo
1473	sudo
1482	sudo
1491	sudo
1501	sudo
1488	sudo
1490	sudo
1494	sudo
1500	sudo

Enumerates running processes
Discovers information about currently running processes on the system
Legitimate hosting services abused for malware hosting/C2 1 TTPs 3 IoCs

Web Service
T1102

Processes:

flow ioc

15 raw.githubusercontent.com
16 raw.githubusercontent.com
17 raw.githubusercontent.com
Looks up external IP address via web service 3 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

3 api.ipify.org
4 api.ipify.org
5 api.ipify.org
Reads list of loaded kernel modules 1 TTPs 1 IoCs
Reads the list of currently loaded kernel modules, possibly to detect virtual environments.
evasion

Virtualization/Sandbox Evasion
T1497

Processes:

xmr_linux_amd64

description ioc process

File opened for reading /proc/modules xmr_linux_amd64
Checks CPU configuration 1 TTPs 1 IoCs
Checks CPU information which indicate if the system is a virtual machine.
antivm

System Checks
T1497.001

Processes:

xmr_linux_amd64

description ioc process

File opened for reading /proc/cpuinfo xmr_linux_amd64
Reads CPU attributes 1 TTPs 1 IoCs
discovery

System Information Discovery
T1082

Processes:

xmr_linux_amd64

description ioc process

File opened for reading /sys/devices/system/cpu/cpu0/cpufreq/cpuinfo_max_freq xmr_linux_amd64
Enumerates kernel/hardware configuration 1 TTPs 1 IoCs
Reads contents of /sys virtual filesystem to enumerate system information.
discovery

System Information Discovery
T1082

Processes:

xmr_linux_amd64

description ioc process

File opened for reading /sys/kernel/mm/transparent_hugepage/hpage_pmd_size xmr_linux_amd64

flow	ioc
15	raw.githubusercontent.com
16	raw.githubusercontent.com
17	raw.githubusercontent.com

flow	ioc
3	api.ipify.org
4	api.ipify.org
5	api.ipify.org

description	ioc	process
File opened for reading	/proc/modules	xmr_linux_amd64

description	ioc	process
File opened for reading	/proc/cpuinfo	xmr_linux_amd64

description	ioc	process
File opened for reading	/sys/devices/system/cpu/cpu0/cpufreq/cpuinfo_max_freq	xmr_linux_amd64

description	ioc	process
File opened for reading	/sys/kernel/mm/transparent_hugepage/hpage_pmd_size	xmr_linux_amd64

Reads runtime system information 64 IoCs

Reads data from /proc virtual filesystem.

discovery

Processes:

xmr_linux_amd64sudosudosudosudosudosudosudo

description	ioc	process
File opened for reading	/proc/159/status	xmr_linux_amd64
File opened for reading	/proc/200/cmdline	xmr_linux_amd64
File opened for reading	/proc/406/comm	xmr_linux_amd64
File opened for reading	/proc/1109/cmdline	xmr_linux_amd64
File opened for reading	/proc/1152/status	xmr_linux_amd64
File opened for reading	/proc/89/stat	xmr_linux_amd64
File opened for reading	/proc/134/stat	xmr_linux_amd64
File opened for reading	/proc/89/cmdline	xmr_linux_amd64
File opened for reading	/proc/self/stat	sudo
File opened for reading	/proc/1631/comm	xmr_linux_amd64
File opened for reading	/proc/filesystems	sudo
File opened for reading	/proc/24/stat	xmr_linux_amd64
File opened for reading	/proc/165/stat	xmr_linux_amd64
File opened for reading	/proc/172/comm	xmr_linux_amd64
File opened for reading	/proc/1108/cmdline	xmr_linux_amd64
File opened for reading	/proc/1485/cmdline	xmr_linux_amd64
File opened for reading	/proc/sys/kernel/ngroups_max	sudo
File opened for reading	/proc/73/stat	xmr_linux_amd64
File opened for reading	/proc/15/cmdline	xmr_linux_amd64
File opened for reading	/proc/270/comm	xmr_linux_amd64
File opened for reading	/proc/17/status	xmr_linux_amd64
File opened for reading	/proc/174/comm	xmr_linux_amd64
File opened for reading	/proc/609/cmdline	xmr_linux_amd64
File opened for reading	/proc/976/status	xmr_linux_amd64
File opened for reading	/proc/1100/comm	xmr_linux_amd64
File opened for reading	/proc/167/stat	xmr_linux_amd64
File opened for reading	/proc/1123/stat	xmr_linux_amd64
File opened for reading	/proc/1328/stat	xmr_linux_amd64
File opened for reading	/proc/filesystems	sudo
File opened for reading	/proc/163/cmdline	xmr_linux_amd64
File opened for reading	/proc/1491/comm	xmr_linux_amd64
File opened for reading	/proc/1630/stat	xmr_linux_amd64
File opened for reading	/proc/162/cmdline	xmr_linux_amd64
File opened for reading	/proc/568/comm	xmr_linux_amd64
File opened for reading	/proc/10/stat	xmr_linux_amd64
File opened for reading	/proc/170/stat	xmr_linux_amd64
File opened for reading	/proc/859/stat	xmr_linux_amd64
File opened for reading	/proc/174/cmdline	xmr_linux_amd64
File opened for reading	/proc/177/comm	xmr_linux_amd64
File opened for reading	/proc/461/cmdline	xmr_linux_amd64
File opened for reading	/proc/980/cmdline	xmr_linux_amd64
File opened for reading	/proc/1098/cmdline	xmr_linux_amd64
File opened for reading	/proc/169/stat	xmr_linux_amd64
File opened for reading	/proc/494/stat	xmr_linux_amd64
File opened for reading	/proc/1132/stat	xmr_linux_amd64
File opened for reading	/proc/self/stat	sudo
File opened for reading	/proc/1623/comm	xmr_linux_amd64
File opened for reading	/proc/1634/cmdline	xmr_linux_amd64
File opened for reading	/proc/self/stat	sudo
File opened for reading	/proc/171/stat	xmr_linux_amd64
File opened for reading	/proc/404/stat	xmr_linux_amd64
File opened for reading	/proc/1091/status	xmr_linux_amd64
File opened for reading	/proc/134/comm	xmr_linux_amd64
File opened for reading	/proc/201/status	xmr_linux_amd64
File opened for reading	/proc/518/cmdline	xmr_linux_amd64
File opened for reading	/proc/809/cmdline	xmr_linux_amd64
File opened for reading	/proc/21/stat	xmr_linux_amd64
File opened for reading	/proc/85/stat	xmr_linux_amd64
File opened for reading	/proc/645/stat	xmr_linux_amd64
File opened for reading	/proc/self/stat	sudo
File opened for reading	/proc/self/stat	sudo
File opened for reading	/proc/458/stat	xmr_linux_amd64
File opened for reading	/proc/687/stat	xmr_linux_amd64
File opened for reading	/proc/91/comm	xmr_linux_amd64

Writes file to tmp directory 2 IoCs

Malware often drops required files in the /tmp directory.

Processes:

xmr_linux_amd64

description	ioc	process
File opened for modification	/tmp/xmrig/xmrig-6.22.0/config.json	xmr_linux_amd64
File opened for modification	/tmp/xmrig/xmrig-6.22.0/xmrig	xmr_linux_amd64

/tmp/xmr_linux_amd64
/tmp/xmr_linux_amd64
1⤵
- Modifies hosts file
- Reads list of loaded kernel modules
- Checks CPU configuration
- Reads CPU attributes
- Enumerates kernel/hardware configuration
- Reads runtime system information
- Writes file to tmp directory
PID:1409

/usr/bin/sudo
sudo -n true
2⤵
- OS Credential Dumping
- Abuse Elevation Control Mechanism: Sudo and Sudo Caching
PID:1456

/usr/bin/true
true
3⤵
PID:1458

/usr/bin/chattr
chattr +i /tmp/xmrig/xmrig-6.22.0/xmrig
2⤵
PID:1472

/usr/bin/sudo
sudo -n /tmp/xmrig/xmrig-6.22.0/xmrig
2⤵
- OS Credential Dumping
- Abuse Elevation Control Mechanism: Sudo and Sudo Caching
PID:1473

/usr/bin/sudo
sudo -n /tmp/xmrig/xmrig-6.22.0/xmrig
2⤵
- OS Credential Dumping
- Abuse Elevation Control Mechanism: Sudo and Sudo Caching
PID:1475

/usr/bin/sudo
sudo -n /tmp/xmrig/xmrig-6.22.0/xmrig
2⤵
- OS Credential Dumping
- Abuse Elevation Control Mechanism: Sudo and Sudo Caching
PID:1476

/usr/bin/sudo
sudo -n /tmp/xmrig/xmrig-6.22.0/xmrig
2⤵
- OS Credential Dumping
- Abuse Elevation Control Mechanism: Sudo and Sudo Caching
PID:1477

/usr/bin/sudo
sudo -n /tmp/xmrig/xmrig-6.22.0/xmrig
2⤵
- OS Credential Dumping
- Abuse Elevation Control Mechanism: Sudo and Sudo Caching
PID:1478

/usr/bin/sudo
sudo -n /tmp/xmrig/xmrig-6.22.0/xmrig
2⤵
- OS Credential Dumping
- Abuse Elevation Control Mechanism: Sudo and Sudo Caching
PID:1479

/usr/bin/sudo
sudo -n /tmp/xmrig/xmrig-6.22.0/xmrig
2⤵
- OS Credential Dumping
- Abuse Elevation Control Mechanism: Sudo and Sudo Caching
- Reads runtime system information
PID:1480

/usr/bin/sudo
sudo -n /tmp/xmrig/xmrig-6.22.0/xmrig
2⤵
- OS Credential Dumping
- Abuse Elevation Control Mechanism: Sudo and Sudo Caching
PID:1481

/usr/bin/sudo
sudo -n /tmp/xmrig/xmrig-6.22.0/xmrig
2⤵
- OS Credential Dumping
- Abuse Elevation Control Mechanism: Sudo and Sudo Caching
PID:1482

/usr/bin/sudo
sudo -n /tmp/xmrig/xmrig-6.22.0/xmrig
2⤵
- OS Credential Dumping
- Abuse Elevation Control Mechanism: Sudo and Sudo Caching
PID:1483

/usr/bin/sudo
sudo -n /tmp/xmrig/xmrig-6.22.0/xmrig
2⤵
- OS Credential Dumping
- Abuse Elevation Control Mechanism: Sudo and Sudo Caching
- Reads runtime system information
PID:1484

/usr/bin/sudo
sudo -n /tmp/xmrig/xmrig-6.22.0/xmrig
2⤵
- OS Credential Dumping
- Abuse Elevation Control Mechanism: Sudo and Sudo Caching
PID:1485

/usr/bin/sudo
sudo -n /tmp/xmrig/xmrig-6.22.0/xmrig
2⤵
- OS Credential Dumping
- Abuse Elevation Control Mechanism: Sudo and Sudo Caching
- Reads runtime system information
PID:1486

/usr/bin/sudo
sudo -n /tmp/xmrig/xmrig-6.22.0/xmrig
2⤵
- OS Credential Dumping
- Abuse Elevation Control Mechanism: Sudo and Sudo Caching
PID:1487

/usr/bin/sudo
sudo -n /tmp/xmrig/xmrig-6.22.0/xmrig
2⤵
- OS Credential Dumping
- Abuse Elevation Control Mechanism: Sudo and Sudo Caching
- Reads runtime system information
PID:1488

/usr/bin/sudo
sudo -n /tmp/xmrig/xmrig-6.22.0/xmrig
2⤵
- OS Credential Dumping
- Abuse Elevation Control Mechanism: Sudo and Sudo Caching
PID:1489

/usr/bin/sudo
sudo -n /tmp/xmrig/xmrig-6.22.0/xmrig
2⤵
- OS Credential Dumping
- Abuse Elevation Control Mechanism: Sudo and Sudo Caching
PID:1490

/usr/bin/sudo
sudo -n /tmp/xmrig/xmrig-6.22.0/xmrig
2⤵
- OS Credential Dumping
- Abuse Elevation Control Mechanism: Sudo and Sudo Caching
- Reads runtime system information
PID:1491

/usr/bin/sudo
sudo -n /tmp/xmrig/xmrig-6.22.0/xmrig
2⤵
- OS Credential Dumping
- Abuse Elevation Control Mechanism: Sudo and Sudo Caching
- Reads runtime system information
PID:1493

/usr/bin/sudo
sudo -n /tmp/xmrig/xmrig-6.22.0/xmrig
2⤵
- OS Credential Dumping
- Abuse Elevation Control Mechanism: Sudo and Sudo Caching
PID:1494

/usr/bin/sudo
sudo -n /tmp/xmrig/xmrig-6.22.0/xmrig
2⤵
- OS Credential Dumping
- Abuse Elevation Control Mechanism: Sudo and Sudo Caching
PID:1495

/usr/bin/sudo
sudo -n /tmp/xmrig/xmrig-6.22.0/xmrig
2⤵
- OS Credential Dumping
- Abuse Elevation Control Mechanism: Sudo and Sudo Caching
PID:1496

/usr/bin/sudo
sudo -n /tmp/xmrig/xmrig-6.22.0/xmrig
2⤵
- OS Credential Dumping
- Abuse Elevation Control Mechanism: Sudo and Sudo Caching
- Reads runtime system information
PID:1497

/usr/bin/sudo
sudo -n /tmp/xmrig/xmrig-6.22.0/xmrig
2⤵
- OS Credential Dumping
- Abuse Elevation Control Mechanism: Sudo and Sudo Caching
PID:1498

/usr/bin/sudo
sudo -n /tmp/xmrig/xmrig-6.22.0/xmrig
2⤵
- OS Credential Dumping
- Abuse Elevation Control Mechanism: Sudo and Sudo Caching
PID:1499

/usr/bin/sudo
sudo -n /tmp/xmrig/xmrig-6.22.0/xmrig
2⤵
- OS Credential Dumping
- Abuse Elevation Control Mechanism: Sudo and Sudo Caching
PID:1500

/usr/bin/sudo
sudo -n /tmp/xmrig/xmrig-6.22.0/xmrig
2⤵
- OS Credential Dumping
- Abuse Elevation Control Mechanism: Sudo and Sudo Caching
PID:1501

/usr/bin/sudo
sudo -n /tmp/xmrig/xmrig-6.22.0/xmrig
2⤵
- OS Credential Dumping
- Abuse Elevation Control Mechanism: Sudo and Sudo Caching
PID:1615

/usr/bin/sudo
sudo -n /tmp/xmrig/xmrig-6.22.0/xmrig
2⤵
- OS Credential Dumping
- Abuse Elevation Control Mechanism: Sudo and Sudo Caching
PID:1616

/usr/bin/sudo
sudo -n /tmp/xmrig/xmrig-6.22.0/xmrig
2⤵
- OS Credential Dumping
- Abuse Elevation Control Mechanism: Sudo and Sudo Caching
PID:1617

/usr/bin/sudo
sudo -n /tmp/xmrig/xmrig-6.22.0/xmrig
2⤵
- OS Credential Dumping
- Abuse Elevation Control Mechanism: Sudo and Sudo Caching
PID:1632

/usr/bin/sudo
sudo -n /tmp/xmrig/xmrig-6.22.0/xmrig
2⤵
- OS Credential Dumping
- Abuse Elevation Control Mechanism: Sudo and Sudo Caching
PID:1633

/usr/bin/sudo
sudo -n /tmp/xmrig/xmrig-6.22.0/xmrig
2⤵
- OS Credential Dumping
- Abuse Elevation Control Mechanism: Sudo and Sudo Caching
PID:1634

/usr/bin/sudo
sudo -n /tmp/xmrig/xmrig-6.22.0/xmrig
2⤵
- OS Credential Dumping
- Abuse Elevation Control Mechanism: Sudo and Sudo Caching
PID:1637

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Abuse Elevation Control Mechanism

1

T1548

Sudo and Sudo Caching

1

T1548.003

Defense Evasion

Abuse Elevation Control Mechanism

1

T1548

Sudo and Sudo Caching

1

T1548.003

Virtualization/Sandbox Evasion

2

T1497

System Checks

1

T1497.001

Credential Access

OS Credential Dumping

1

T1003

/etc/passwd and /etc/shadow

1

T1003.008

Discovery

System Information Discovery

2

T1082

Virtualization/Sandbox Evasion

2

T1497

System Checks

1

T1497.001

Lateral Movement

Collection

Command and Control

Web Service

1

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

/config/.config/openbox/autostart

Filesize
90B

MD5
dbc6fcef70ddc428bd6fed92d06902d6

SHA1
f5bf017e726674a6bc954552ba72615de1df1257

SHA256
271572941325c5bb6af86dfd2160a2e1358f7130535f88689a4a92ba2c6309fe

SHA512
0875636d796d3fb3f4a7930b041f70aec60ee2d11bddc22f5b93fb5ba045aa2bf353a8d0c8c789a7258da49ac099ffad8207344fd178aa85749eaf5504c3ad82

Download Submit
/tmp/xmrig/xmrig-6.22.0/config.json

Filesize
4KB

MD5
5c6108e6bc4e612dd59aa1ce9ac909ff

SHA1
b66515c379ee4ebaf312b1d453d147527d3a83b2

SHA256
fa70f1a297f3ed7d2ef75598d4a1da3fb82d68fc14322fdcc0f29c909882a599

SHA512
b69b4b6f73e03f82854f449737a9a24a489b1231681a62a3853037443489ccc52a576f85a5acd4ab21c612c8768f7b0ade6815785293926e195dc93a46d2670b

Download Submit
/tmp/xmrig/xmrig-6.22.0/config.json

Filesize
4KB

MD5
ab6f38fbfc8ccac11a8c354330b80874

SHA1
3b82832738c50b48f6d7cabb8af9404d60c3e08f

SHA256
74d5629905d5dd93bd3d02b3301e5eeee458714e5f9f778895c6af3d7f090d6c

SHA512
de93abd324a307b1a17797ca588515117d41f6d9b06fdff1958ae72dd3e95807fbdb1fa02ef02e099a1ad6ed6a6a819b71cf70763d27f943113a6a9d2e1d2f4f

Download Submit
/tmp/xmrig/xmrig-6.22.0/xmrig

Filesize
9.0MB

MD5
3d1f6bd959a6bdc423d43342dde28b56

SHA1
79266b5cc7c3762998e87411c56b6bd1a573b91f

SHA256
0d861bf1eafe3cd5d47197b2def17efb6853f2d0a5a46cafb289c013c449b33b

SHA512
b660cfad542a18a82f06080a51976ab7a355080572728f814b1b927e6956918b73172ecd58c5a9dcfe1af6759dc8bf9acbaa2595e6c10e0e44e7ade903e87439

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads