Analysis

  • max time kernel
    197s
  • max time network
    180s
  • platform
    ubuntu-20.04_amd64
  • resource
    ubuntu2004-amd64-20240611-en
  • resource tags

    arch:amd64arch:i386image:ubuntu2004-amd64-20240611-enkernel:5.4.0-169-genericlocale:en-usos:ubuntu-20.04-amd64system
  • submitted
    22-10-2024 13:42

General

  • Target

    xmr_linux_amd64

  • Size

    9.4MB

  • MD5

    355086335423b9c48817e688e111a220

  • SHA1

    b054fc63f8341f2837ad0f94af24ffc980c1ed57

  • SHA256

    16601646d8a77944267e1011652f3b0c48a2c245a06986a0a9aca3afb87c7b11

  • SHA512

    74e4f1933ee573c3f751fb96ec3a7b3db016af9ab7d19f5ef0191d2325feaa4923798aa52a2374efee191da6475e412c542d2c379e0f295f58287a561dfa10f8

  • SSDEEP

    49152:Hu3qHoyXKo3Rhk9DO12pTZjCuXuNZHFWsdK0dpZQI9Y1IbgOSsQVDxTx/pQ5Enjh:O6IqaqqlEc6pCml59S1GEjAPqPhl

Malware Config

Signatures

  • XMRig Miner payload 2 IoCs
  • xmrig

    XMRig is a high performance, open source, cross platform CPU/GPU miner.

  • Modifies hosts file 1 IoCs

    Adds to hosts file used for mapping hosts to IP addresses.

  • OS Credential Dumping 1 TTPs 35 IoCs

    Adversaries may attempt to dump credentials to use it in password cracking.

  • Abuse Elevation Control Mechanism: Sudo and Sudo Caching 1 TTPs 35 IoCs

    Abuse sudo or cached sudo credentials to execute code.

  • Enumerates running processes

    Discovers information about currently running processes on the system

  • Legitimate hosting services abused for malware hosting/C2 1 TTPs 3 IoCs
  • Looks up external IP address via web service 3 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Reads list of loaded kernel modules 1 TTPs 1 IoCs

    Reads the list of currently loaded kernel modules, possibly to detect virtual environments.

  • Checks CPU configuration 1 TTPs 1 IoCs

    Checks CPU information which indicate if the system is a virtual machine.

  • Reads CPU attributes 1 TTPs 1 IoCs
  • Enumerates kernel/hardware configuration 1 TTPs 1 IoCs

    Reads contents of /sys virtual filesystem to enumerate system information.

  • Reads runtime system information 64 IoCs

    Reads data from /proc virtual filesystem.

  • Writes file to tmp directory 2 IoCs

    Malware often drops required files in the /tmp directory.

Processes

  • /tmp/xmr_linux_amd64
    /tmp/xmr_linux_amd64
    1⤵
    • Modifies hosts file
    • Reads list of loaded kernel modules
    • Checks CPU configuration
    • Reads CPU attributes
    • Enumerates kernel/hardware configuration
    • Reads runtime system information
    • Writes file to tmp directory
    PID:1409
    • /usr/bin/sudo
      sudo -n true
      2⤵
      • OS Credential Dumping
      • Abuse Elevation Control Mechanism: Sudo and Sudo Caching
      PID:1456
      • /usr/bin/true
        true
        3⤵
          PID:1458
      • /usr/bin/chattr
        chattr +i /tmp/xmrig/xmrig-6.22.0/xmrig
        2⤵
          PID:1472
        • /usr/bin/sudo
          sudo -n /tmp/xmrig/xmrig-6.22.0/xmrig
          2⤵
          • OS Credential Dumping
          • Abuse Elevation Control Mechanism: Sudo and Sudo Caching
          PID:1473
        • /usr/bin/sudo
          sudo -n /tmp/xmrig/xmrig-6.22.0/xmrig
          2⤵
          • OS Credential Dumping
          • Abuse Elevation Control Mechanism: Sudo and Sudo Caching
          PID:1475
        • /usr/bin/sudo
          sudo -n /tmp/xmrig/xmrig-6.22.0/xmrig
          2⤵
          • OS Credential Dumping
          • Abuse Elevation Control Mechanism: Sudo and Sudo Caching
          PID:1476
        • /usr/bin/sudo
          sudo -n /tmp/xmrig/xmrig-6.22.0/xmrig
          2⤵
          • OS Credential Dumping
          • Abuse Elevation Control Mechanism: Sudo and Sudo Caching
          PID:1477
        • /usr/bin/sudo
          sudo -n /tmp/xmrig/xmrig-6.22.0/xmrig
          2⤵
          • OS Credential Dumping
          • Abuse Elevation Control Mechanism: Sudo and Sudo Caching
          PID:1478
        • /usr/bin/sudo
          sudo -n /tmp/xmrig/xmrig-6.22.0/xmrig
          2⤵
          • OS Credential Dumping
          • Abuse Elevation Control Mechanism: Sudo and Sudo Caching
          PID:1479
        • /usr/bin/sudo
          sudo -n /tmp/xmrig/xmrig-6.22.0/xmrig
          2⤵
          • OS Credential Dumping
          • Abuse Elevation Control Mechanism: Sudo and Sudo Caching
          • Reads runtime system information
          PID:1480
        • /usr/bin/sudo
          sudo -n /tmp/xmrig/xmrig-6.22.0/xmrig
          2⤵
          • OS Credential Dumping
          • Abuse Elevation Control Mechanism: Sudo and Sudo Caching
          PID:1481
        • /usr/bin/sudo
          sudo -n /tmp/xmrig/xmrig-6.22.0/xmrig
          2⤵
          • OS Credential Dumping
          • Abuse Elevation Control Mechanism: Sudo and Sudo Caching
          PID:1482
        • /usr/bin/sudo
          sudo -n /tmp/xmrig/xmrig-6.22.0/xmrig
          2⤵
          • OS Credential Dumping
          • Abuse Elevation Control Mechanism: Sudo and Sudo Caching
          PID:1483
        • /usr/bin/sudo
          sudo -n /tmp/xmrig/xmrig-6.22.0/xmrig
          2⤵
          • OS Credential Dumping
          • Abuse Elevation Control Mechanism: Sudo and Sudo Caching
          • Reads runtime system information
          PID:1484
        • /usr/bin/sudo
          sudo -n /tmp/xmrig/xmrig-6.22.0/xmrig
          2⤵
          • OS Credential Dumping
          • Abuse Elevation Control Mechanism: Sudo and Sudo Caching
          PID:1485
        • /usr/bin/sudo
          sudo -n /tmp/xmrig/xmrig-6.22.0/xmrig
          2⤵
          • OS Credential Dumping
          • Abuse Elevation Control Mechanism: Sudo and Sudo Caching
          • Reads runtime system information
          PID:1486
        • /usr/bin/sudo
          sudo -n /tmp/xmrig/xmrig-6.22.0/xmrig
          2⤵
          • OS Credential Dumping
          • Abuse Elevation Control Mechanism: Sudo and Sudo Caching
          PID:1487
        • /usr/bin/sudo
          sudo -n /tmp/xmrig/xmrig-6.22.0/xmrig
          2⤵
          • OS Credential Dumping
          • Abuse Elevation Control Mechanism: Sudo and Sudo Caching
          • Reads runtime system information
          PID:1488
        • /usr/bin/sudo
          sudo -n /tmp/xmrig/xmrig-6.22.0/xmrig
          2⤵
          • OS Credential Dumping
          • Abuse Elevation Control Mechanism: Sudo and Sudo Caching
          PID:1489
        • /usr/bin/sudo
          sudo -n /tmp/xmrig/xmrig-6.22.0/xmrig
          2⤵
          • OS Credential Dumping
          • Abuse Elevation Control Mechanism: Sudo and Sudo Caching
          PID:1490
        • /usr/bin/sudo
          sudo -n /tmp/xmrig/xmrig-6.22.0/xmrig
          2⤵
          • OS Credential Dumping
          • Abuse Elevation Control Mechanism: Sudo and Sudo Caching
          • Reads runtime system information
          PID:1491
        • /usr/bin/sudo
          sudo -n /tmp/xmrig/xmrig-6.22.0/xmrig
          2⤵
          • OS Credential Dumping
          • Abuse Elevation Control Mechanism: Sudo and Sudo Caching
          • Reads runtime system information
          PID:1493
        • /usr/bin/sudo
          sudo -n /tmp/xmrig/xmrig-6.22.0/xmrig
          2⤵
          • OS Credential Dumping
          • Abuse Elevation Control Mechanism: Sudo and Sudo Caching
          PID:1494
        • /usr/bin/sudo
          sudo -n /tmp/xmrig/xmrig-6.22.0/xmrig
          2⤵
          • OS Credential Dumping
          • Abuse Elevation Control Mechanism: Sudo and Sudo Caching
          PID:1495
        • /usr/bin/sudo
          sudo -n /tmp/xmrig/xmrig-6.22.0/xmrig
          2⤵
          • OS Credential Dumping
          • Abuse Elevation Control Mechanism: Sudo and Sudo Caching
          PID:1496
        • /usr/bin/sudo
          sudo -n /tmp/xmrig/xmrig-6.22.0/xmrig
          2⤵
          • OS Credential Dumping
          • Abuse Elevation Control Mechanism: Sudo and Sudo Caching
          • Reads runtime system information
          PID:1497
        • /usr/bin/sudo
          sudo -n /tmp/xmrig/xmrig-6.22.0/xmrig
          2⤵
          • OS Credential Dumping
          • Abuse Elevation Control Mechanism: Sudo and Sudo Caching
          PID:1498
        • /usr/bin/sudo
          sudo -n /tmp/xmrig/xmrig-6.22.0/xmrig
          2⤵
          • OS Credential Dumping
          • Abuse Elevation Control Mechanism: Sudo and Sudo Caching
          PID:1499
        • /usr/bin/sudo
          sudo -n /tmp/xmrig/xmrig-6.22.0/xmrig
          2⤵
          • OS Credential Dumping
          • Abuse Elevation Control Mechanism: Sudo and Sudo Caching
          PID:1500
        • /usr/bin/sudo
          sudo -n /tmp/xmrig/xmrig-6.22.0/xmrig
          2⤵
          • OS Credential Dumping
          • Abuse Elevation Control Mechanism: Sudo and Sudo Caching
          PID:1501
        • /usr/bin/sudo
          sudo -n /tmp/xmrig/xmrig-6.22.0/xmrig
          2⤵
          • OS Credential Dumping
          • Abuse Elevation Control Mechanism: Sudo and Sudo Caching
          PID:1615
        • /usr/bin/sudo
          sudo -n /tmp/xmrig/xmrig-6.22.0/xmrig
          2⤵
          • OS Credential Dumping
          • Abuse Elevation Control Mechanism: Sudo and Sudo Caching
          PID:1616
        • /usr/bin/sudo
          sudo -n /tmp/xmrig/xmrig-6.22.0/xmrig
          2⤵
          • OS Credential Dumping
          • Abuse Elevation Control Mechanism: Sudo and Sudo Caching
          PID:1617
        • /usr/bin/sudo
          sudo -n /tmp/xmrig/xmrig-6.22.0/xmrig
          2⤵
          • OS Credential Dumping
          • Abuse Elevation Control Mechanism: Sudo and Sudo Caching
          PID:1632
        • /usr/bin/sudo
          sudo -n /tmp/xmrig/xmrig-6.22.0/xmrig
          2⤵
          • OS Credential Dumping
          • Abuse Elevation Control Mechanism: Sudo and Sudo Caching
          PID:1633
        • /usr/bin/sudo
          sudo -n /tmp/xmrig/xmrig-6.22.0/xmrig
          2⤵
          • OS Credential Dumping
          • Abuse Elevation Control Mechanism: Sudo and Sudo Caching
          PID:1634
        • /usr/bin/sudo
          sudo -n /tmp/xmrig/xmrig-6.22.0/xmrig
          2⤵
          • OS Credential Dumping
          • Abuse Elevation Control Mechanism: Sudo and Sudo Caching
          PID:1637

      Network

      MITRE ATT&CK Enterprise v15

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • /config/.config/openbox/autostart

        Filesize

        90B

        MD5

        dbc6fcef70ddc428bd6fed92d06902d6

        SHA1

        f5bf017e726674a6bc954552ba72615de1df1257

        SHA256

        271572941325c5bb6af86dfd2160a2e1358f7130535f88689a4a92ba2c6309fe

        SHA512

        0875636d796d3fb3f4a7930b041f70aec60ee2d11bddc22f5b93fb5ba045aa2bf353a8d0c8c789a7258da49ac099ffad8207344fd178aa85749eaf5504c3ad82

      • /tmp/xmrig/xmrig-6.22.0/config.json

        Filesize

        4KB

        MD5

        5c6108e6bc4e612dd59aa1ce9ac909ff

        SHA1

        b66515c379ee4ebaf312b1d453d147527d3a83b2

        SHA256

        fa70f1a297f3ed7d2ef75598d4a1da3fb82d68fc14322fdcc0f29c909882a599

        SHA512

        b69b4b6f73e03f82854f449737a9a24a489b1231681a62a3853037443489ccc52a576f85a5acd4ab21c612c8768f7b0ade6815785293926e195dc93a46d2670b

      • /tmp/xmrig/xmrig-6.22.0/config.json

        Filesize

        4KB

        MD5

        ab6f38fbfc8ccac11a8c354330b80874

        SHA1

        3b82832738c50b48f6d7cabb8af9404d60c3e08f

        SHA256

        74d5629905d5dd93bd3d02b3301e5eeee458714e5f9f778895c6af3d7f090d6c

        SHA512

        de93abd324a307b1a17797ca588515117d41f6d9b06fdff1958ae72dd3e95807fbdb1fa02ef02e099a1ad6ed6a6a819b71cf70763d27f943113a6a9d2e1d2f4f

      • /tmp/xmrig/xmrig-6.22.0/xmrig

        Filesize

        9.0MB

        MD5

        3d1f6bd959a6bdc423d43342dde28b56

        SHA1

        79266b5cc7c3762998e87411c56b6bd1a573b91f

        SHA256

        0d861bf1eafe3cd5d47197b2def17efb6853f2d0a5a46cafb289c013c449b33b

        SHA512

        b660cfad542a18a82f06080a51976ab7a355080572728f814b1b927e6956918b73172ecd58c5a9dcfe1af6759dc8bf9acbaa2595e6c10e0e44e7ade903e87439