Joe Sandbox Cloud Basic Analysis Report

Loading Joe Sandbox Report ...

Edit tour

Linux Analysis Report
xmrig.elf

Overview

General Information

Sample name:xmrig.elf
Analysis ID:1582298
MD5:dcb1cee3fede188013bb6aba3509f681
SHA1:d5fad02182bb36fca0045eca5154b6342b0ba85d
SHA256:5110bb024627cea2c92830ac8a544f12fceb8ef7e3eda51f0f3660ff9c1b296f
Tags:elfuser-abuse_ch
Infos:
Errors
  • No process behavior to analyse as no analysis process or sample was found

Detection

Xmrig
Score:68
Range:0 - 100
Whitelisted:false

Signatures

Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Yara detected Xmrig cryptocurrency miner
Found strings related to Crypto-Mining
Tries to connect to HTTP servers, but all servers are down (expired dropper behavior)
Yara signature match

Classification

General Information

Joe Sandbox version:41.0.0 Charoite
Analysis ID:1582298
Start date and time:2024-12-30 09:33:07 +01:00
Joe Sandbox product:CloudBasic
Overall analysis duration:0h 4m 19s
Hypervisor based Inspection enabled:false
Report type:full
Cookbook file name:defaultlinuxfilecookbook.jbs
Analysis system description:Ubuntu Linux 20.04 x64 (Kernel 5.4.0-72, Firefox 91.0, Evince Document Viewer 3.36.10, LibreOffice 6.4.7.2, OpenJDK 11.0.11)
Analysis Mode:default
Sample name:xmrig.elf
Detection:MAL
Classification:mal68.mine.linELF@0/0@0/0

Errors

  • No process behavior to analyse as no analysis process or sample was found

Runtime Messages

Command:/tmp/xmrig.elf
PID:6217
Exit Code:139
Exit Code Info:SIGSEGV (11) Segmentation fault invalid memory reference
Killed:False
Standard Output:

Standard Error:

Malware Threat Intel

Provided by

NameDescriptionAttributionBlogpost URLsLink
XMRIGNo Attributionhttps://malpedia.caad.fkie.fraunhofer.de/details/elf.xmrig

Yara Signatures

Initial Sample

SourceRuleDescriptionAuthorStrings
xmrig.elfJoeSecurity_XmrigYara detected Xmrig cryptocurrency minerJoe Security
    xmrig.elfLinux_Trojan_Pornoasset_927f314funknownunknown
    • 0x2099d8:$a: C3 D3 CB D3 C3 48 31 C3 48 0F AF F0 48 0F AF F0 48 0F AF F0 48
    xmrig.elfMacOS_Cryptominer_Xmrig_241780a1unknownunknown
    • 0x5ce6c6:$a1: mining.set_target
    • 0x5cd909:$a2: XMRIG_HOSTNAME
    • 0x5e7e70:$a3: Usage: xmrig [OPTIONS]
    • 0x5cd8ea:$a4: XMRIG_VERSION
    xmrig.elfminer_lin_xmrig_stringsDetects XMRig ELFSekoia.io
    • 0x5ce2d2:$: XMRig
    • 0x5e9730:$: XMRig
    • 0x5ce3f2:$: pool_wallet
    • 0x5ce42c:$: IP Address currently banned
    • 0x5ce45d:$: rigid
    • 0x5ce494:$: diff_current
    • 0x5ce4a1:$: shares_good
    • 0x5ce4ad:$: shares_total
    • 0x5ce4ba:$: avg_time
    • 0x5ce4c3:$: avg_time
    • 0x5ce4c3:$: avg_time_ms
    • 0x5ce4cf:$: hashes_total
    • 0x5ce589:$: pool address
    • 0x5ce596:$: ping time
    • 0x5ce5a0:$: connection time
    • 0x5e2e2c:$: connection time
    • 0x6049e0:$: daemon+https://
    • 0x6049f0:$: daemon+http://
    • 0x604a00:$: socks5://
    • 0x5cf6d7:$: stratum+ssl://
    • 0x5e7e18:$: stratum+ssl://

    Suricata Signatures

    No Suricata rule has matched

    Joe Sandbox Signatures

    Click to jump to signature section

    Show All Signature Results

    AV Detection

    barindex
    Multi AV Scanner detection for submitted file
    Source: xmrig.elfVirustotal: Detection: 40%Perma Link
    Source: xmrig.elfReversingLabs: Detection: 23%

    Bitcoin Miner

    barindex
    Yara detected Xmrig cryptocurrency miner
    Source: Yara matchFile source: xmrig.elf, type: SAMPLE
    Found strings related to Crypto-Mining
    Source: xmrig.elfString found in binary or memory: stratum+ssl://%s
    Source: xmrig.elfString found in binary or memory: cryptonight/0
    Source: xmrig.elfString found in binary or memory: -o, --url=URL URL of mining server
    Source: xmrig.elfString found in binary or memory: stratum+tcp://
    Source: xmrig.elfString found in binary or memory: Usage: xmrig [OPTIONS]
    Source: xmrig.elfString found in binary or memory: XMRig 6.22.2
    Source: global trafficTCP traffic: 192.168.2.23:43928 -> 91.189.91.42:443
    Source: global trafficTCP traffic: 192.168.2.23:42836 -> 91.189.91.43:443
    Source: global trafficTCP traffic: 192.168.2.23:42516 -> 109.202.202.202:80
    Source: unknownTCP traffic detected without corresponding DNS query: 91.189.91.42
    Source: unknownTCP traffic detected without corresponding DNS query: 91.189.91.43
    Source: unknownTCP traffic detected without corresponding DNS query: 109.202.202.202
    Source: unknownTCP traffic detected without corresponding DNS query: 91.189.91.42
    Source: unknownTCP traffic detected without corresponding DNS query: 91.189.91.43
    Source: unknownTCP traffic detected without corresponding DNS query: 109.202.202.202
    Source: unknownTCP traffic detected without corresponding DNS query: 91.189.91.42
    Source: xmrig.elfString found in binary or memory: https://gcc.gnu.org/bugsrg/bugs/):
    Source: xmrig.elfString found in binary or memory: https://xmrig.com/benchmark/%s
    Source: xmrig.elfString found in binary or memory: https://xmrig.com/docs/algorithms
    Source: xmrig.elfString found in binary or memory: https://xmrig.com/wizard
    Source: xmrig.elfString found in binary or memory: https://xmrig.com/wizard%s
    Source: unknownNetwork traffic detected: HTTP traffic on port 43928 -> 443
    Source: unknownNetwork traffic detected: HTTP traffic on port 42836 -> 443

    System Summary

    barindex
    Malicious sample detected (through community Yara rule)
    Source: xmrig.elf, type: SAMPLEMatched rule: Linux_Trojan_Pornoasset_927f314f Author: unknown
    Source: xmrig.elf, type: SAMPLEMatched rule: MacOS_Cryptominer_Xmrig_241780a1 Author: unknown
    Source: xmrig.elf, type: SAMPLEMatched rule: Detects XMRig ELF Author: Sekoia.io
    Source: xmrig.elf, type: SAMPLEMatched rule: Linux_Trojan_Pornoasset_927f314f reference_sample = d653598df857535c354ba21d96358d4767d6ada137ee32ce5eb4972363b35f93, os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Pornoasset, fingerprint = 7214d3132fc606482e3f6236d291082a3abc0359c80255048045dba6e60ec7bf, id = 927f314f-2cbb-4f87-b75c-9aa5ef758599, last_modified = 2021-09-16
    Source: xmrig.elf, type: SAMPLEMatched rule: MacOS_Cryptominer_Xmrig_241780a1 reference_sample = 2e94fa6ac4045292bf04070a372a03df804fa96c3b0cb4ac637eeeb67531a32f, os = macos, severity = x86, creation_date = 2021-09-30, scan_context = file, memory, license = Elastic License v2, threat_name = MacOS.Cryptominer.Xmrig, fingerprint = be9c56f18e0f0bdc8c46544039b9cb0bbba595c1912d089b2bcc7a7768ac04a8, id = 241780a1-ad50-4ded-b85a-26339ae5a632, last_modified = 2021-10-25
    Source: xmrig.elf, type: SAMPLEMatched rule: miner_lin_xmrig_strings author = Sekoia.io, description = Detects XMRig ELF, creation_date = 2022-09-08, classification = TLP:CLEAR, version = 1.0, modification_date = 2024-01-04, id = 2f99020b-424c-4433-860c-5e9ab4e1f1de
    Source: classification engineClassification label: mal68.mine.linELF@0/0@0/0

    Mitre Att&ck Matrix

    ReconnaissanceResource DevelopmentInitial AccessExecutionPersistencePrivilege EscalationDefense EvasionCredential AccessDiscoveryLateral MovementCollectionCommand and ControlExfiltrationImpact
    Gather Victim Identity InformationAcquire InfrastructureValid AccountsWindows Management InstrumentationPath InterceptionPath InterceptionDirect Volume AccessOS Credential DumpingSystem Service DiscoveryRemote ServicesData from Local System1
    Encrypted Channel    		Exfiltration Over Other Network MediumAbuse Accessibility Features
    CredentialsDomainsDefault AccountsScheduled Task/JobBoot or Logon Initialization ScriptsBoot or Logon Initialization ScriptsRootkitLSASS MemoryApplication Window DiscoveryRemote Desktop ProtocolData from Removable Media1
    Application Layer Protocol    		Exfiltration Over BluetoothNetwork Denial of Service

    Malware Configuration

    No configs have been found

    Behavior Graph

    Hide Legend

    Legend:

    • Process
    • Signature
    • Created File
    • DNS/IP Info
    • Is Dropped
    • Number of created Files
    • Is malicious
    • Internet

    Antivirus, Machine Learning and Genetic Malware Detection

    Initial Sample

    SourceDetectionScannerLabelLink
    xmrig.elf41%VirustotalBrowse
    xmrig.elf24%ReversingLabsLinux.Coinminer.Generic

    Dropped Files

    No Antivirus matches

    Domains

    No Antivirus matches

    URLs

    No Antivirus matches

    Domains and IPs

    Contacted Domains

    No contacted domains info

    URLs from Memory and Binaries

    NameSourceMaliciousAntivirus DetectionReputation
    https://gcc.gnu.org/bugsrg/bugs/):xmrig.elffalse
      		high
      https://xmrig.com/benchmark/%sxmrig.elffalse
        		high
        https://xmrig.com/wizardxmrig.elffalse
          		high
          https://xmrig.com/wizard%sxmrig.elffalse
            		high
            https://xmrig.com/docs/algorithmsxmrig.elffalse
              		high

              World Map of Contacted IPs

              • No. of IPs < 25%
              • 25% < No. of IPs < 50%
              • 50% < No. of IPs < 75%
              • 75% < No. of IPs

              Public IPs

              IPDomainCountryFlagASNASN NameMalicious
              109.202.202.202
              		unknownSwitzerland
              		13030INIT7CHfalse
              91.189.91.43
              		unknownUnited Kingdom
              		41231CANONICAL-ASGBfalse
              91.189.91.42
              		unknownUnited Kingdom
              		41231CANONICAL-ASGBfalse

              Joe Sandbox View / Context

              IPs

              MatchAssociated Sample Name / URLSHA 256DetectionThreat NameLinkContext
              109.202.202.202kpLwzBouH4.elfGet hashmaliciousUnknownBrowse
              • ch.archive.ubuntu.com/ubuntu/pool/main/f/firefox/firefox_92.0%2bbuild3-0ubuntu0.20.04.1_amd64.deb
              91.189.91.43vcimanagement.x86.elfGet hashmaliciousMiraiBrowse
                vcimanagement.sh4.elfGet hashmaliciousMiraiBrowse
                  Aqua.m68k.elfGet hashmaliciousMiraiBrowse
                    botx.arm5.elfGet hashmaliciousMiraiBrowse
                      i.elfGet hashmaliciousUnknownBrowse
                        m68k.elfGet hashmaliciousMirai, MoobotBrowse
                          arm6.elfGet hashmaliciousMirai, MoobotBrowse
                            .Sspc.elfGet hashmaliciousUnknownBrowse
                              zmap.arm5.elfGet hashmaliciousOkiruBrowse
                                .Sppc.elfGet hashmaliciousUnknownBrowse
                                  91.189.91.42vcimanagement.x86.elfGet hashmaliciousMiraiBrowse
                                    vcimanagement.m68k.elfGet hashmaliciousMiraiBrowse
                                      vcimanagement.sh4.elfGet hashmaliciousMiraiBrowse
                                        Aqua.m68k.elfGet hashmaliciousMiraiBrowse
                                          botx.arm5.elfGet hashmaliciousMiraiBrowse
                                            i.elfGet hashmaliciousUnknownBrowse
                                              m68k.elfGet hashmaliciousMirai, MoobotBrowse
                                                arm6.elfGet hashmaliciousMirai, MoobotBrowse
                                                  .Sspc.elfGet hashmaliciousUnknownBrowse
                                                    zmap.arm5.elfGet hashmaliciousOkiruBrowse

                                                      Domains

                                                      No context

                                                      ASNs

                                                      MatchAssociated Sample Name / URLSHA 256DetectionThreat NameLinkContext
                                                      CANONICAL-ASGBvcimanagement.x86.elfGet hashmaliciousMiraiBrowse
                                                      • 91.189.91.42
                                                      vcimanagement.m68k.elfGet hashmaliciousMiraiBrowse
                                                      • 91.189.91.42
                                                      vcimanagement.sh4.elfGet hashmaliciousMiraiBrowse
                                                      • 91.189.91.42
                                                      Aqua.m68k.elfGet hashmaliciousMiraiBrowse
                                                      • 91.189.91.42
                                                      botx.arm5.elfGet hashmaliciousMiraiBrowse
                                                      • 91.189.91.42
                                                      i.elfGet hashmaliciousUnknownBrowse
                                                      • 91.189.91.42
                                                      m68k.elfGet hashmaliciousMirai, MoobotBrowse
                                                      • 91.189.91.42
                                                      wkb86.elfGet hashmaliciousMiraiBrowse
                                                      • 185.125.190.26
                                                      arm6.elfGet hashmaliciousMirai, MoobotBrowse
                                                      • 91.189.91.42
                                                      .Sspc.elfGet hashmaliciousUnknownBrowse
                                                      • 91.189.91.42
                                                      CANONICAL-ASGBvcimanagement.x86.elfGet hashmaliciousMiraiBrowse
                                                      • 91.189.91.42
                                                      vcimanagement.m68k.elfGet hashmaliciousMiraiBrowse
                                                      • 91.189.91.42
                                                      vcimanagement.sh4.elfGet hashmaliciousMiraiBrowse
                                                      • 91.189.91.42
                                                      Aqua.m68k.elfGet hashmaliciousMiraiBrowse
                                                      • 91.189.91.42
                                                      botx.arm5.elfGet hashmaliciousMiraiBrowse
                                                      • 91.189.91.42
                                                      i.elfGet hashmaliciousUnknownBrowse
                                                      • 91.189.91.42
                                                      m68k.elfGet hashmaliciousMirai, MoobotBrowse
                                                      • 91.189.91.42
                                                      wkb86.elfGet hashmaliciousMiraiBrowse
                                                      • 185.125.190.26
                                                      arm6.elfGet hashmaliciousMirai, MoobotBrowse
                                                      • 91.189.91.42
                                                      .Sspc.elfGet hashmaliciousUnknownBrowse
                                                      • 91.189.91.42
                                                      INIT7CHvcimanagement.x86.elfGet hashmaliciousMiraiBrowse
                                                      • 109.202.202.202
                                                      vcimanagement.m68k.elfGet hashmaliciousMiraiBrowse
                                                      • 109.202.202.202
                                                      vcimanagement.sh4.elfGet hashmaliciousMiraiBrowse
                                                      • 109.202.202.202
                                                      Aqua.m68k.elfGet hashmaliciousMiraiBrowse
                                                      • 109.202.202.202
                                                      botx.arm5.elfGet hashmaliciousMiraiBrowse
                                                      • 109.202.202.202
                                                      i.elfGet hashmaliciousUnknownBrowse
                                                      • 109.202.202.202
                                                      m68k.elfGet hashmaliciousMirai, MoobotBrowse
                                                      • 109.202.202.202
                                                      arm6.elfGet hashmaliciousMirai, MoobotBrowse
                                                      • 109.202.202.202
                                                      .Sspc.elfGet hashmaliciousUnknownBrowse
                                                      • 109.202.202.202
                                                      zmap.arm5.elfGet hashmaliciousOkiruBrowse
                                                      • 109.202.202.202

                                                      JA3 Fingerprints

                                                      No context

                                                      Dropped Files

                                                      No context

                                                      Created / dropped Files

                                                      No created / dropped files found

                                                      Static File Info

                                                      General

                                                      File type:ELF 64-bit LSB executable, x86-64, version 1 (SYSV), statically linked, missing section headers at 8297648
                                                      Entropy (8bit):6.587544554553277
                                                      TrID:
                                                      • ELF Executable and Linkable format (Linux) (4029/14) 49.77%
                                                      • ELF Executable and Linkable format (generic) (4004/1) 49.46%
                                                      • Lumena CEL bitmap (63/63) 0.78%
                                                      File name:xmrig.elf
                                                      File size:7'328'792 bytes
                                                      MD5:dcb1cee3fede188013bb6aba3509f681
                                                      SHA1:d5fad02182bb36fca0045eca5154b6342b0ba85d
                                                      SHA256:5110bb024627cea2c92830ac8a544f12fceb8ef7e3eda51f0f3660ff9c1b296f
                                                      SHA512:7a75b2297571f8e1cb9207e52a6fdc13b661d66f64b837c1bb497c925bad80cf853a4d83ba7d38f3c22d6f85942c1af88791733d423e557361071fc558d5e02d
                                                      SSDEEP:98304:yr6P2CZlp4ledj/mf7ukUzX093B9VK/OQGthOlgPEWi1MVNWoGt7rPAW3R1lrepI:bl4lcmDi1WIPFCBNcJ7oEkLsQg
                                                      TLSH:4C765B57A5E314FCC1DAC474472FD623BE71B8A84221BE7B72989A302F66E60171DF21
                                                      File Content Preview:.ELF..............>.....S.@.....@.......p.~.........@.8...@.......................@.......@...............................................@.......@.......\.......\.......................\.....................................................`.w.....`......

                                                      Network Behavior

                                                      Network Port Distribution

                                                      TCP Packets

                                                      TimestampSource PortDest PortSource IPDest IP
                                                      Dec 30, 2024 09:33:45.920279026 CET43928443192.168.2.2391.189.91.42
                                                      Dec 30, 2024 09:33:51.295603991 CET42836443192.168.2.2391.189.91.43
                                                      Dec 30, 2024 09:33:52.831427097 CET4251680192.168.2.23109.202.202.202
                                                      Dec 30, 2024 09:34:06.397541046 CET43928443192.168.2.2391.189.91.42
                                                      Dec 30, 2024 09:34:18.683834076 CET42836443192.168.2.2391.189.91.43
                                                      Dec 30, 2024 09:34:22.779264927 CET4251680192.168.2.23109.202.202.202
                                                      Dec 30, 2024 09:34:47.351804972 CET43928443192.168.2.2391.189.91.42

                                                      System Behavior