Analysis
max time kernel: 197s
max time network: 180s
platform: ubuntu-20.04_amd64
resource: ubuntu2004-amd64-20240611-en
resource tags: arch:amd64, arch:i386, image:ubuntu2004-amd64-20240611-en, kernel:5.4.0-169-generic, locale:en-us, os:ubuntu-20.04-amd64, system
submitted: 22-10-2024 13:42
Static task: static1
Behavioral task: behavioral1
Sample: xmr_linux_amd64
Resource: ubuntu2004-amd64-20240611-en
General
Target: xmr_linux_amd64
Size: 9.4MB
MD5: 355086335423b9c48817e688e111a220
SHA1: b054fc63f8341f2837ad0f94af24ffc980c1ed57
SHA256: 16601646d8a77944267e1011652f3b0c48a2c245a06986a0a9aca3afb87c7b11
SHA512: 74e4f1933ee573c3f751fb96ec3a7b3db016af9ab7d19f5ef0191d2325feaa4923798aa52a2374efee191da6475e412c542d2c379e0f295f58287a561dfa10f8
SSDEEP: 49152:Hu3qHoyXKo3Rhk9DO12pTZjCuXuNZHFWsdK0dpZQI9Y1IbgOSsQVDxTx/pQ5Enjh:O6IqaqqlEc6pCml59S1GEjAPqPhl
Malware Config
Signatures
XMRig Miner payload (2 IoCs)
Processes:
resource: /tmp/xmrig/xmrig-6.22.0/xmrig, yara_rule: family_xmrig
resource: /tmp/xmrig/xmrig-6.22.0/xmrig, yara_rule: xmrig
xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
-
Modifies hosts file (1 IoC)
Adds to hosts file used for mapping hosts to IP addresses.
Processes:
File opened for modification /etc/hosts (process: xmr_linux_amd64)
OS Credential Dumping (1 TTP, 35 IoCs)
Adversaries may attempt to dump credentials to use them in password cracking.
Processes:
35 identical IoCs: File opened for reading /etc/shadow (process: sudo), one per sudo invocation listed under Abuse Elevation Control Mechanism below.
Abuse Elevation Control Mechanism: Sudo and Sudo Caching (1 TTP, 35 IoCs)
Abuse sudo or cached sudo credentials to execute code.
Processes:
sudo PIDs: 1476, 1480, 1615, 1617, 1637, 1484, 1485, 1486, 1633, 1456, 1475, 1481, 1493, 1496, 1634, 1487, 1489, 1499, 1616, 1478, 1479, 1483, 1497, 1477, 1495, 1498, 1632, 1473, 1482, 1491, 1501, 1488, 1490, 1494, 1500
Enumerates running processes
Discovers information about currently running processes on the system
-
Legitimate hosting services abused for malware hosting/C2 (1 TTP, 3 IoCs)
Processes:
flow 15: raw.githubusercontent.com
flow 16: raw.githubusercontent.com
flow 17: raw.githubusercontent.com
Looks up external IP address via web service (3 IoCs)
Uses a legitimate IP lookup service to find the infected system's external IP.
Processes:
flow 3: api.ipify.org
flow 4: api.ipify.org
flow 5: api.ipify.org
Reads list of loaded kernel modules (1 TTP, 1 IoC)
Reads the list of currently loaded kernel modules, possibly to detect virtual environments.
Processes:
File opened for reading /proc/modules (process: xmr_linux_amd64)
Checks CPU configuration (1 TTP, 1 IoC)
Checks CPU information that indicates whether the system is a virtual machine.
Processes:
File opened for reading /proc/cpuinfo (process: xmr_linux_amd64)
Reads CPU attributes (1 TTP, 1 IoC)
Processes:
File opened for reading /sys/devices/system/cpu/cpu0/cpufreq/cpuinfo_max_freq (process: xmr_linux_amd64)
Enumerates kernel/hardware configuration (1 TTP, 1 IoC)
Reads contents of /sys virtual filesystem to enumerate system information.
Processes:
File opened for reading /sys/kernel/mm/transparent_hugepage/hpage_pmd_size (process: xmr_linux_amd64)
Reads runtime system information
Processes:
File opened for reading /proc/159/status (process: xmr_linux_amd64)
File opened for reading /proc/200/cmdline (process: xmr_linux_amd64)
File opened for reading /proc/406/comm (process: xmr_linux_amd64)
File opened for reading /proc/1109/cmdline (process: xmr_linux_amd64)
File opened for reading /proc/1152/status (process: xmr_linux_amd64)
File opened for reading /proc/89/stat (process: xmr_linux_amd64)
File opened for reading /proc/134/stat (process: xmr_linux_amd64)
File opened for reading /proc/89/cmdline (process: xmr_linux_amd64)
File opened for reading /proc/self/stat (process: sudo)
File opened for reading /proc/1631/comm (process: xmr_linux_amd64)
File opened for reading /proc/filesystems (process: sudo)
File opened for reading /proc/24/stat (process: xmr_linux_amd64)
File opened for reading /proc/165/stat (process: xmr_linux_amd64)
File opened for reading /proc/172/comm (process: xmr_linux_amd64)
File opened for reading /proc/1108/cmdline (process: xmr_linux_amd64)
File opened for reading /proc/1485/cmdline (process: xmr_linux_amd64)
File opened for reading /proc/sys/kernel/ngroups_max (process: sudo)
File opened for reading /proc/73/stat (process: xmr_linux_amd64)
File opened for reading /proc/15/cmdline (process: xmr_linux_amd64)
File opened for reading /proc/270/comm (process: xmr_linux_amd64)
File opened for reading /proc/17/status (process: xmr_linux_amd64)
File opened for reading /proc/174/comm (process: xmr_linux_amd64)
File opened for reading /proc/609/cmdline (process: xmr_linux_amd64)
File opened for reading /proc/976/status (process: xmr_linux_amd64)
File opened for reading /proc/1100/comm (process: xmr_linux_amd64)
File opened for reading /proc/167/stat (process: xmr_linux_amd64)
File opened for reading /proc/1123/stat (process: xmr_linux_amd64)
File opened for reading /proc/1328/stat (process: xmr_linux_amd64)
File opened for reading /proc/filesystems (process: sudo)
File opened for reading /proc/163/cmdline (process: xmr_linux_amd64)
File opened for reading /proc/1491/comm (process: xmr_linux_amd64)
File opened for reading /proc/1630/stat (process: xmr_linux_amd64)
File opened for reading /proc/162/cmdline (process: xmr_linux_amd64)
File opened for reading /proc/568/comm (process: xmr_linux_amd64)
File opened for reading /proc/10/stat (process: xmr_linux_amd64)
File opened for reading /proc/170/stat (process: xmr_linux_amd64)
File opened for reading /proc/859/stat (process: xmr_linux_amd64)
File opened for reading /proc/174/cmdline (process: xmr_linux_amd64)
File opened for reading /proc/177/comm (process: xmr_linux_amd64)
File opened for reading /proc/461/cmdline (process: xmr_linux_amd64)
File opened for reading /proc/980/cmdline (process: xmr_linux_amd64)
File opened for reading /proc/1098/cmdline (process: xmr_linux_amd64)
File opened for reading /proc/169/stat (process: xmr_linux_amd64)
File opened for reading /proc/494/stat (process: xmr_linux_amd64)
File opened for reading /proc/1132/stat (process: xmr_linux_amd64)
File opened for reading /proc/self/stat (process: sudo)
File opened for reading /proc/1623/comm (process: xmr_linux_amd64)
File opened for reading /proc/1634/cmdline (process: xmr_linux_amd64)
File opened for reading /proc/self/stat (process: sudo)
File opened for reading /proc/171/stat (process: xmr_linux_amd64)
File opened for reading /proc/404/stat (process: xmr_linux_amd64)
File opened for reading /proc/1091/status (process: xmr_linux_amd64)
File opened for reading /proc/134/comm (process: xmr_linux_amd64)
File opened for reading /proc/201/status (process: xmr_linux_amd64)
File opened for reading /proc/518/cmdline (process: xmr_linux_amd64)
File opened for reading /proc/809/cmdline (process: xmr_linux_amd64)
File opened for reading /proc/21/stat (process: xmr_linux_amd64)
File opened for reading /proc/85/stat (process: xmr_linux_amd64)
File opened for reading /proc/645/stat (process: xmr_linux_amd64)
File opened for reading /proc/self/stat (process: sudo)
File opened for reading /proc/self/stat (process: sudo)
File opened for reading /proc/458/stat (process: xmr_linux_amd64)
File opened for reading /proc/687/stat (process: xmr_linux_amd64)
File opened for reading /proc/91/comm (process: xmr_linux_amd64)
Writes file to tmp directory (2 IoCs)
Malware often drops required files in the /tmp directory.
Processes:
File opened for modification /tmp/xmrig/xmrig-6.22.0/config.json (process: xmr_linux_amd64)
File opened for modification /tmp/xmrig/xmrig-6.22.0/xmrig (process: xmr_linux_amd64)
Processes
-
/tmp/xmr_linux_amd64 (command line: /tmp/xmr_linux_amd64), PID 1409
  - Modifies hosts file
  - Reads list of loaded kernel modules
  - Checks CPU configuration
  - Reads CPU attributes
  - Enumerates kernel/hardware configuration
  - Reads runtime system information
  - Writes file to tmp directory
  /usr/bin/sudo (command line: sudo -n true), PID 1456
    - OS Credential Dumping
    - Abuse Elevation Control Mechanism: Sudo and Sudo Caching
    /usr/bin/true (command line: true), PID 1458
  /usr/bin/chattr (command line: chattr +i /tmp/xmrig/xmrig-6.22.0/xmrig), PID 1472
  /usr/bin/sudo (command line: sudo -n /tmp/xmrig/xmrig-6.22.0/xmrig), PID 1473
    - OS Credential Dumping
    - Abuse Elevation Control Mechanism: Sudo and Sudo Caching
  /usr/bin/sudo (command line: sudo -n /tmp/xmrig/xmrig-6.22.0/xmrig), PID 1475
    - OS Credential Dumping
    - Abuse Elevation Control Mechanism: Sudo and Sudo Caching
  /usr/bin/sudo (command line: sudo -n /tmp/xmrig/xmrig-6.22.0/xmrig), PID 1476
    - OS Credential Dumping
    - Abuse Elevation Control Mechanism: Sudo and Sudo Caching
  /usr/bin/sudo (command line: sudo -n /tmp/xmrig/xmrig-6.22.0/xmrig), PID 1477
    - OS Credential Dumping
    - Abuse Elevation Control Mechanism: Sudo and Sudo Caching
  /usr/bin/sudo (command line: sudo -n /tmp/xmrig/xmrig-6.22.0/xmrig), PID 1478
    - OS Credential Dumping
    - Abuse Elevation Control Mechanism: Sudo and Sudo Caching
  /usr/bin/sudo (command line: sudo -n /tmp/xmrig/xmrig-6.22.0/xmrig), PID 1479
    - OS Credential Dumping
    - Abuse Elevation Control Mechanism: Sudo and Sudo Caching
  /usr/bin/sudo (command line: sudo -n /tmp/xmrig/xmrig-6.22.0/xmrig), PID 1480
    - OS Credential Dumping
    - Abuse Elevation Control Mechanism: Sudo and Sudo Caching
    - Reads runtime system information
  /usr/bin/sudo (command line: sudo -n /tmp/xmrig/xmrig-6.22.0/xmrig), PID 1481
    - OS Credential Dumping
    - Abuse Elevation Control Mechanism: Sudo and Sudo Caching
  /usr/bin/sudo (command line: sudo -n /tmp/xmrig/xmrig-6.22.0/xmrig), PID 1482
    - OS Credential Dumping
    - Abuse Elevation Control Mechanism: Sudo and Sudo Caching
  /usr/bin/sudo (command line: sudo -n /tmp/xmrig/xmrig-6.22.0/xmrig), PID 1483
    - OS Credential Dumping
    - Abuse Elevation Control Mechanism: Sudo and Sudo Caching
  /usr/bin/sudo (command line: sudo -n /tmp/xmrig/xmrig-6.22.0/xmrig), PID 1484
    - OS Credential Dumping
    - Abuse Elevation Control Mechanism: Sudo and Sudo Caching
    - Reads runtime system information
  /usr/bin/sudo (command line: sudo -n /tmp/xmrig/xmrig-6.22.0/xmrig), PID 1485
    - OS Credential Dumping
    - Abuse Elevation Control Mechanism: Sudo and Sudo Caching
  /usr/bin/sudo (command line: sudo -n /tmp/xmrig/xmrig-6.22.0/xmrig), PID 1486
    - OS Credential Dumping
    - Abuse Elevation Control Mechanism: Sudo and Sudo Caching
    - Reads runtime system information
  /usr/bin/sudo (command line: sudo -n /tmp/xmrig/xmrig-6.22.0/xmrig), PID 1487
    - OS Credential Dumping
    - Abuse Elevation Control Mechanism: Sudo and Sudo Caching
  /usr/bin/sudo (command line: sudo -n /tmp/xmrig/xmrig-6.22.0/xmrig), PID 1488
    - OS Credential Dumping
    - Abuse Elevation Control Mechanism: Sudo and Sudo Caching
    - Reads runtime system information
  /usr/bin/sudo (command line: sudo -n /tmp/xmrig/xmrig-6.22.0/xmrig), PID 1489
    - OS Credential Dumping
    - Abuse Elevation Control Mechanism: Sudo and Sudo Caching
  /usr/bin/sudo (command line: sudo -n /tmp/xmrig/xmrig-6.22.0/xmrig), PID 1490
    - OS Credential Dumping
    - Abuse Elevation Control Mechanism: Sudo and Sudo Caching
  /usr/bin/sudo (command line: sudo -n /tmp/xmrig/xmrig-6.22.0/xmrig), PID 1491
    - OS Credential Dumping
    - Abuse Elevation Control Mechanism: Sudo and Sudo Caching
    - Reads runtime system information
  /usr/bin/sudo (command line: sudo -n /tmp/xmrig/xmrig-6.22.0/xmrig), PID 1493
    - OS Credential Dumping
    - Abuse Elevation Control Mechanism: Sudo and Sudo Caching
    - Reads runtime system information
  /usr/bin/sudo (command line: sudo -n /tmp/xmrig/xmrig-6.22.0/xmrig), PID 1494
    - OS Credential Dumping
    - Abuse Elevation Control Mechanism: Sudo and Sudo Caching
  /usr/bin/sudo (command line: sudo -n /tmp/xmrig/xmrig-6.22.0/xmrig), PID 1495
    - OS Credential Dumping
    - Abuse Elevation Control Mechanism: Sudo and Sudo Caching
  /usr/bin/sudo (command line: sudo -n /tmp/xmrig/xmrig-6.22.0/xmrig), PID 1496
    - OS Credential Dumping
    - Abuse Elevation Control Mechanism: Sudo and Sudo Caching
  /usr/bin/sudo (command line: sudo -n /tmp/xmrig/xmrig-6.22.0/xmrig), PID 1497
    - OS Credential Dumping
    - Abuse Elevation Control Mechanism: Sudo and Sudo Caching
    - Reads runtime system information
  /usr/bin/sudo (command line: sudo -n /tmp/xmrig/xmrig-6.22.0/xmrig), PID 1498
    - OS Credential Dumping
    - Abuse Elevation Control Mechanism: Sudo and Sudo Caching
  /usr/bin/sudo (command line: sudo -n /tmp/xmrig/xmrig-6.22.0/xmrig), PID 1499
    - OS Credential Dumping
    - Abuse Elevation Control Mechanism: Sudo and Sudo Caching
  /usr/bin/sudo (command line: sudo -n /tmp/xmrig/xmrig-6.22.0/xmrig), PID 1500
    - OS Credential Dumping
    - Abuse Elevation Control Mechanism: Sudo and Sudo Caching
  /usr/bin/sudo (command line: sudo -n /tmp/xmrig/xmrig-6.22.0/xmrig), PID 1501
    - OS Credential Dumping
    - Abuse Elevation Control Mechanism: Sudo and Sudo Caching
  /usr/bin/sudo (command line: sudo -n /tmp/xmrig/xmrig-6.22.0/xmrig), PID 1615
    - OS Credential Dumping
    - Abuse Elevation Control Mechanism: Sudo and Sudo Caching
  /usr/bin/sudo (command line: sudo -n /tmp/xmrig/xmrig-6.22.0/xmrig), PID 1616
    - OS Credential Dumping
    - Abuse Elevation Control Mechanism: Sudo and Sudo Caching
  /usr/bin/sudo (command line: sudo -n /tmp/xmrig/xmrig-6.22.0/xmrig), PID 1617
    - OS Credential Dumping
    - Abuse Elevation Control Mechanism: Sudo and Sudo Caching
  /usr/bin/sudo (command line: sudo -n /tmp/xmrig/xmrig-6.22.0/xmrig), PID 1632
    - OS Credential Dumping
    - Abuse Elevation Control Mechanism: Sudo and Sudo Caching
  /usr/bin/sudo (command line: sudo -n /tmp/xmrig/xmrig-6.22.0/xmrig), PID 1633
    - OS Credential Dumping
    - Abuse Elevation Control Mechanism: Sudo and Sudo Caching
  /usr/bin/sudo (command line: sudo -n /tmp/xmrig/xmrig-6.22.0/xmrig), PID 1634
    - OS Credential Dumping
    - Abuse Elevation Control Mechanism: Sudo and Sudo Caching
  /usr/bin/sudo (command line: sudo -n /tmp/xmrig/xmrig-6.22.0/xmrig), PID 1637
    - OS Credential Dumping
    - Abuse Elevation Control Mechanism: Sudo and Sudo Caching
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 90B
  MD5: dbc6fcef70ddc428bd6fed92d06902d6
  SHA1: f5bf017e726674a6bc954552ba72615de1df1257
  SHA256: 271572941325c5bb6af86dfd2160a2e1358f7130535f88689a4a92ba2c6309fe
  SHA512: 0875636d796d3fb3f4a7930b041f70aec60ee2d11bddc22f5b93fb5ba045aa2bf353a8d0c8c789a7258da49ac099ffad8207344fd178aa85749eaf5504c3ad82
- Filesize: 4KB
  MD5: 5c6108e6bc4e612dd59aa1ce9ac909ff
  SHA1: b66515c379ee4ebaf312b1d453d147527d3a83b2
  SHA256: fa70f1a297f3ed7d2ef75598d4a1da3fb82d68fc14322fdcc0f29c909882a599
  SHA512: b69b4b6f73e03f82854f449737a9a24a489b1231681a62a3853037443489ccc52a576f85a5acd4ab21c612c8768f7b0ade6815785293926e195dc93a46d2670b
- Filesize: 4KB
  MD5: ab6f38fbfc8ccac11a8c354330b80874
  SHA1: 3b82832738c50b48f6d7cabb8af9404d60c3e08f
  SHA256: 74d5629905d5dd93bd3d02b3301e5eeee458714e5f9f778895c6af3d7f090d6c
  SHA512: de93abd324a307b1a17797ca588515117d41f6d9b06fdff1958ae72dd3e95807fbdb1fa02ef02e099a1ad6ed6a6a819b71cf70763d27f943113a6a9d2e1d2f4f
- Filesize: 9.0MB
  MD5: 3d1f6bd959a6bdc423d43342dde28b56
  SHA1: 79266b5cc7c3762998e87411c56b6bd1a573b91f
  SHA256: 0d861bf1eafe3cd5d47197b2def17efb6853f2d0a5a46cafb289c013c449b33b
  SHA512: b660cfad542a18a82f06080a51976ab7a355080572728f814b1b927e6956918b73172ecd58c5a9dcfe1af6759dc8bf9acbaa2595e6c10e0e44e7ade903e87439