Linux Analysis Report
.report_system.elf

Overview

General Information

Sample name: .report_system.elf
Analysis ID: 1545291
MD5: 1271e6e82b344df1c7960230ec449af7
SHA1: 7fe3253d34cae21facc8c445c3620b9e8566988b
SHA256: fff96ad553f916da4eb0d55b1075b9b4aea7b93249663aefbc0310e53c7498ba
Tags: elf, user-abuse_ch

Detection

Xmrig
Score: 96
Range: 0 - 100
Whitelisted: false

Signatures

Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Yara detected Xmrig cryptocurrency miner
Contains symbols with names commonly found in malware
Detected Stratum mining protocol
Found strings related to Crypto-Mining
Machine Learning detection for sample
Sample reads /proc/mounts (often used for finding a writable filesystem)
Stdout / stderr contain strings indicative of a mining client
Tries to load the MSR kernel module used for reading/writing to CPUs model specific register
Writes to CPU model specific registers (MSR) (e.g. miners improve performance by disabling HW prefetcher)
Creates hidden files and/or directories
Executes commands using a shell command-line interpreter
Executes the "modprobe" command used for loading kernel modules
Reads CPU information from /proc indicative of miner or evasive malware
Reads CPU information from /sys indicative of miner or evasive malware
Reads system information from the proc file system
Reads the 'hosts' file potentially containing internal network hosts
Sample has stripped symbol table
Suricata IDS alerts with low severity for network traffic
Uses the "uname" system call to query kernel version information (possible evasion)
Yara signature match

Classification

AV Detection

Source: .report_system.elf ReversingLabs: Detection: 50%
Source: .report_system.elf Joe Sandbox ML: detected

Bitcoin Miner

Source: Yara match File source: .report_system.elf, type: SAMPLE
Source: Yara match File source: dump.pcap, type: PCAP
Source: Yara match File source: 5435.1.0000000000400000.0000000000c29000.r-x.sdmp, type: MEMORY
Source: Yara match File source: 5436.1.0000000000400000.0000000000c29000.r-x.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: .report_system.elf PID: 5435, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: .report_system.elf PID: 5436, type: MEMORYSTR
Source: global traffic TCP traffic: 192.168.2.13:45378 -> 91.184.240.129:80 payload: data raw: 7b 22 69 64 22 3a 31 2c 22 6a 73 6f 6e 72 70 63 22 3a 22 32 2e 30 22 2c 22 6d 65 74 68 6f 64 22 3a 22 6c 6f 67 69 6e 22 2c 22 70 61 72 61 6d 73 22 3a 7b 22 6c 6f 67 69 6e 22 3a 22 62 75 6e 72 61 75 22 2c 22 70 61 73 73 22 3a 22 62 75 6e 72 61 75 22 2c 22 61 67 65 6e 74 22 3a 22 58 4d 52 69 67 2f 36 2e 32 31 2e 30 20 28 4c 69 6e 75 78 20 78 38 36 5f 36 34 29 20 6c 69 62 75 76 2f 31 2e 34 34 2e 32 20 67 63 63 2f 37 2e 33 2e 31 22 2c 22 61 6c 67 6f 22 3a 5b 22 72 78 2f 30 22 2c 22 63 6e 2f 32 22 2c 22 63 6e 2f 72 22 2c 22 63 6e 2f 66 61 73 74 22 2c 22 63 6e 2f 68 61 6c 66 22 2c 22 63 6e 2f 78 61 6f 22 2c 22 63 6e 2f 72 74 6f 22 2c 22 63 6e 2f 72 77 7a 22 2c 22 63 6e 2f 7a 6c 73 22 2c 22 63 6e 2f 64 6f 75 62 6c 65 22 2c 22 63 6e 2f 63 63 78 22 2c 22 63 6e 2d 6c 69 74 65 2f 31 22 2c 22 63 6e 2d 68 65 61 76 79 2f 30 22 2c 22 63 6e 2d 68 65 61 76 79 2f 74 75 62 65 22 2c 22 63 6e 2d 68 65 61 76 79 2f 78 68 76 22 2c 22 63 6e 2d 70 69 63 6f 22 2c 22 63 6e 2d 70 69 63 6f 2f 74 6c 6f 22 2c 22 63 6e 2f 75 70 78 32 22 2c 22 63 6e 2f 31 22 2c 22 72 78 2f 77 6f 77 22 2c 22 72 78 2f 61 72 71 22 2c 22 72 78 2f 67 72 61 66 74 22 2c 22 72 78 2f 73 66 78 22 2c 22 72 78 2f 6b 65 76 61 22 2c 22 61 72 67 6f 6e 32 2f 63 68 75 6b 77 61 22 2c 22 61 72 67 6f 6e 32 2f 63 68 75 6b 77 61 76 32 22 2c 22 61 72 67 6f 6e 32 2f 6e 69 6e 6a 61 22 2c 22 67 68 6f 73 74 72 69 64 65 72 22 5d 7d 7d 0a data ascii: {"id":1,"jsonrpc":"2.0","method":"login","params":{"login":"bunrau","pass":"bunrau","agent":"xmrig/6.21.0 (linux x86_64) libuv/1.44.2 gcc/7.3.1","algo":["rx/0","cn/2","cn/r","cn/fast","cn/half","cn/xao","cn/rto","cn/rwz","cn/zls","cn/double","cn/ccx","cn-lite/1","cn-heavy/0","cn-heavy/tube","cn-heavy/xhv","cn-pico","cn-pico/tlo","cn/upx2","cn/1","rx/wow","rx/arq","rx/graft","rx/sfx","rx/keva","argon2/chukwa","argon2/chukwav2","argon2/ninja","ghostrider"]}}
Source: .report_system.elf, 5435.1.0000000000400000.0000000000c29000.r-x.sdmp String found in binary or memory: stratum+ssl://randomx.xmrig.com:443
Source: .report_system.elf, 5435.1.0000000000400000.0000000000c29000.r-x.sdmp String found in binary or memory: CryptonightR_instruction_mov105
Source: .report_system.elf, 5435.1.0000000000400000.0000000000c29000.r-x.sdmp String found in binary or memory: -o, --url=URL URL of mining server
Source: .report_system.elf, 5435.1.0000000000400000.0000000000c29000.r-x.sdmp String found in binary or memory: stratum+tcp://
Source: .report_system.elf, 5435.1.0000000000400000.0000000000c29000.r-x.sdmp String found in binary or memory: Usage: xmrig [OPTIONS]
Source: .report_system.elf, 5435.1.0000000000400000.0000000000c29000.r-x.sdmp String found in binary or memory: XMRig 6.21.0
Source: /tmp/.report_system.elf Stdout: xmrig
Source: /bin/sh (PID: 5443) Modprobe: /sbin/modprobe -> /sbin/modprobe msr allow_writes=on
Source: /tmp/.report_system.elf (PID: 5436) MSR open for writing: /dev/cpu/0/msr
Source: /tmp/.report_system.elf (PID: 5436) MSR open for writing: /dev/cpu/1/msr
Source: /tmp/.report_system.elf (PID: 5435) Reads CPU info from proc file: /proc/cpuinfo
Source: /tmp/.report_system.elf (PID: 5435) Reads CPU info from /sys: /sys/devices/system/cpu/online
Source: /tmp/.report_system.elf (PID: 5435) Reads CPU info from /sys: /sys/devices/system/cpu/cpu0/topology/core_cpus
Source: /tmp/.report_system.elf (PID: 5435) Reads CPU info from /sys: /sys/devices/system/cpu/cpu0/topology/core_id
Source: /tmp/.report_system.elf (PID: 5435) Reads CPU info from /sys: /sys/devices/system/cpu/cpu0/topology/die_cpus
Source: /tmp/.report_system.elf (PID: 5435) Reads CPU info from /sys: /sys/devices/system/cpu/cpu0/topology/package_cpus
Source: /tmp/.report_system.elf (PID: 5435) Reads CPU info from /sys: /sys/devices/system/cpu/cpu0/topology/physical_package_id
Source: /tmp/.report_system.elf (PID: 5435) Reads CPU info from /sys: /sys/devices/system/cpu/cpu0/cache/index0/shared_cpu_map
Source: /tmp/.report_system.elf (PID: 5435) Reads CPU info from /sys: /sys/devices/system/cpu/cpu0/cache/index0/level
Source: /tmp/.report_system.elf (PID: 5435) Reads CPU info from /sys: /sys/devices/system/cpu/cpu0/cache/index0/type
Source: /tmp/.report_system.elf (PID: 5435) Reads CPU info from /sys: /sys/devices/system/cpu/cpu0/cache/index0/id
Source: /tmp/.report_system.elf (PID: 5435) Reads CPU info from /sys: /sys/devices/system/cpu/cpu0/cache/index0/size
Source: /tmp/.report_system.elf (PID: 5435) Reads CPU info from /sys: /sys/devices/system/cpu/cpu0/cache/index0/coherency_line_size
Source: /tmp/.report_system.elf (PID: 5435) Reads CPU info from /sys: /sys/devices/system/cpu/cpu0/cache/index0/number_of_sets
Source: /tmp/.report_system.elf (PID: 5435) Reads CPU info from /sys: /sys/devices/system/cpu/cpu0/cache/index0/physical_line_partition
Source: /tmp/.report_system.elf (PID: 5435) Reads CPU info from /sys: /sys/devices/system/cpu/cpu0/cache/index1/shared_cpu_map
Source: /tmp/.report_system.elf (PID: 5435) Reads CPU info from /sys: /sys/devices/system/cpu/cpu0/cache/index1/level
Source: /tmp/.report_system.elf (PID: 5435) Reads CPU info from /sys: /sys/devices/system/cpu/cpu0/cache/index1/type
Source: /tmp/.report_system.elf (PID: 5435) Reads CPU info from /sys: /sys/devices/system/cpu/cpu0/cache/index1/id
Source: /tmp/.report_system.elf (PID: 5435) Reads CPU info from /sys: /sys/devices/system/cpu/cpu0/cache/index2/shared_cpu_map
Source: /tmp/.report_system.elf (PID: 5435) Reads CPU info from /sys: /sys/devices/system/cpu/cpu0/cache/index2/level
Source: /tmp/.report_system.elf (PID: 5435) Reads CPU info from /sys: /sys/devices/system/cpu/cpu0/cache/index2/type
Source: /tmp/.report_system.elf (PID: 5435) Reads CPU info from /sys: /sys/devices/system/cpu/cpu0/cache/index2/id
Source: /tmp/.report_system.elf (PID: 5435) Reads CPU info from /sys: /sys/devices/system/cpu/cpu0/cache/index2/size
Source: /tmp/.report_system.elf (PID: 5435) Reads CPU info from /sys: /sys/devices/system/cpu/cpu0/cache/index2/coherency_line_size
Source: /tmp/.report_system.elf (PID: 5435) Reads CPU info from /sys: /sys/devices/system/cpu/cpu0/cache/index2/number_of_sets
Source: /tmp/.report_system.elf (PID: 5435) Reads CPU info from /sys: /sys/devices/system/cpu/cpu0/cache/index2/physical_line_partition
Source: /tmp/.report_system.elf (PID: 5435) Reads CPU info from /sys: /sys/devices/system/cpu/cpu0/cache/index3/shared_cpu_map
Source: /tmp/.report_system.elf (PID: 5435) Reads CPU info from /sys: /sys/devices/system/cpu/cpu0/cache/index3/level
Source: /tmp/.report_system.elf (PID: 5435) Reads CPU info from /sys: /sys/devices/system/cpu/cpu0/cache/index3/type
Source: /tmp/.report_system.elf (PID: 5435) Reads CPU info from /sys: /sys/devices/system/cpu/cpu0/cache/index3/id
Source: /tmp/.report_system.elf (PID: 5435) Reads CPU info from /sys: /sys/devices/system/cpu/cpu0/cache/index3/size
Source: /tmp/.report_system.elf (PID: 5435) Reads CPU info from /sys: /sys/devices/system/cpu/cpu0/cache/index3/coherency_line_size
Source: /tmp/.report_system.elf (PID: 5435) Reads CPU info from /sys: /sys/devices/system/cpu/cpu0/cache/index3/number_of_sets
Source: /tmp/.report_system.elf (PID: 5435) Reads CPU info from /sys: /sys/devices/system/cpu/cpu0/cache/index3/physical_line_partition
Source: /tmp/.report_system.elf (PID: 5435) Reads CPU info from /sys: /sys/devices/system/cpu/cpu1/topology/core_cpus
Source: /tmp/.report_system.elf (PID: 5435) Reads CPU info from /sys: /sys/devices/system/cpu/cpu1/topology/core_id
Source: /tmp/.report_system.elf (PID: 5435) Reads CPU info from /sys: /sys/devices/system/cpu/cpu1/topology/die_cpus
Source: /tmp/.report_system.elf (PID: 5435) Reads CPU info from /sys: /sys/devices/system/cpu/cpu1/topology/package_cpus
Source: /tmp/.report_system.elf (PID: 5435) Reads CPU info from /sys: /sys/devices/system/cpu/cpu1/topology/physical_package_id
Source: /tmp/.report_system.elf (PID: 5435) Reads CPU info from /sys: /sys/devices/system/cpu/cpu1/cache/index0/shared_cpu_map
Source: /tmp/.report_system.elf (PID: 5435) Reads CPU info from /sys: /sys/devices/system/cpu/cpu1/cache/index0/level
Source: /tmp/.report_system.elf (PID: 5435) Reads CPU info from /sys: /sys/devices/system/cpu/cpu1/cache/index0/type
Source: /tmp/.report_system.elf (PID: 5435) Reads CPU info from /sys: /sys/devices/system/cpu/cpu1/cache/index0/id
Source: /tmp/.report_system.elf (PID: 5435) Reads CPU info from /sys: /sys/devices/system/cpu/cpu1/cache/index0/size
Source: /tmp/.report_system.elf (PID: 5435) Reads CPU info from /sys: /sys/devices/system/cpu/cpu1/cache/index0/coherency_line_size
Source: /tmp/.report_system.elf (PID: 5435) Reads CPU info from /sys: /sys/devices/system/cpu/cpu1/cache/index0/number_of_sets
Source: /tmp/.report_system.elf (PID: 5435) Reads CPU info from /sys: /sys/devices/system/cpu/cpu1/cache/index0/physical_line_partition
Source: /tmp/.report_system.elf (PID: 5435) Reads CPU info from /sys: /sys/devices/system/cpu/cpu1/cache/index1/shared_cpu_map
Source: /tmp/.report_system.elf (PID: 5435) Reads CPU info from /sys: /sys/devices/system/cpu/cpu1/cache/index1/level
Source: /tmp/.report_system.elf (PID: 5435) Reads CPU info from /sys: /sys/devices/system/cpu/cpu1/cache/index1/type
Source: /tmp/.report_system.elf (PID: 5435) Reads CPU info from /sys: /sys/devices/system/cpu/cpu1/cache/index1/id
Source: /tmp/.report_system.elf (PID: 5435) Reads CPU info from /sys: /sys/devices/system/cpu/cpu1/cache/index2/shared_cpu_map
Source: /tmp/.report_system.elf (PID: 5435) Reads CPU info from /sys: /sys/devices/system/cpu/cpu1/cache/index2/level
Source: /tmp/.report_system.elf (PID: 5435) Reads CPU info from /sys: /sys/devices/system/cpu/cpu1/cache/index2/type
Source: /tmp/.report_system.elf (PID: 5435) Reads CPU info from /sys: /sys/devices/system/cpu/cpu1/cache/index2/id
Source: /tmp/.report_system.elf (PID: 5435) Reads CPU info from /sys: /sys/devices/system/cpu/cpu1/cache/index2/size
Source: /tmp/.report_system.elf (PID: 5435) Reads CPU info from /sys: /sys/devices/system/cpu/cpu1/cache/index2/coherency_line_size
Source: /tmp/.report_system.elf (PID: 5435) Reads CPU info from /sys: /sys/devices/system/cpu/cpu1/cache/index2/number_of_sets
Source: /tmp/.report_system.elf (PID: 5435) Reads CPU info from /sys: /sys/devices/system/cpu/cpu1/cache/index2/physical_line_partition
Source: /tmp/.report_system.elf (PID: 5435) Reads CPU info from /sys: /sys/devices/system/cpu/cpu1/cache/index3/shared_cpu_map
Source: /tmp/.report_system.elf (PID: 5435) Reads CPU info from /sys: /sys/devices/system/cpu/cpu1/cache/index3/level
Source: /tmp/.report_system.elf (PID: 5435) Reads CPU info from /sys: /sys/devices/system/cpu/cpu1/cache/index3/type
Source: /tmp/.report_system.elf (PID: 5435) Reads CPU info from /sys: /sys/devices/system/cpu/cpu1/cache/index3/id
Source: /tmp/.report_system.elf (PID: 5435) Reads CPU info from /sys: /sys/devices/system/cpu/cpu1/cache/index3/size
Source: /tmp/.report_system.elf (PID: 5435) Reads CPU info from /sys: /sys/devices/system/cpu/cpu1/cache/index3/coherency_line_size
Source: /tmp/.report_system.elf (PID: 5435) Reads CPU info from /sys: /sys/devices/system/cpu/cpu1/cache/index3/number_of_sets
Source: /tmp/.report_system.elf (PID: 5435) Reads CPU info from /sys: /sys/devices/system/cpu/cpu1/cache/index3/physical_line_partition
Source: /tmp/.report_system.elf (PID: 5435) Reads CPU info from /sys: /sys/devices/system/cpu/possible
Source: /tmp/.report_system.elf (PID: 5436) Reads hosts file: /etc/hosts
Source: Network traffic Suricata IDS: 2826930 - Severity 2 - ETPRO COINMINER XMR CoinMiner Usage : 192.168.2.13:45378 -> 91.184.240.129:80
Source: global traffic DNS traffic detected: DNS query: xkobeproxy.xkobeimparatu.net
Source: global traffic DNS traffic detected: DNS query: daisy.ubuntu.com
Source: .report_system.elf String found in binary or memory: https://gcc.gnu.org/bugsterminate
Source: .report_system.elf String found in binary or memory: https://xmrig.com/benchmark/%s
Source: .report_system.elf String found in binary or memory: https://xmrig.com/docs/algorithms
Source: .report_system.elf String found in binary or memory: https://xmrig.com/wizard
Source: .report_system.elf String found in binary or memory: https://xmrig.com/wizard%s

System Summary

Source: .report_system.elf, type: SAMPLE Matched rule: Linux_Cryptominer_Camelot_cdd631c1 Author: unknown
Source: .report_system.elf, type: SAMPLE Matched rule: Linux_Cryptominer_Malxmr_979160f6 Author: unknown
Source: .report_system.elf, type: SAMPLE Matched rule: Linux_Trojan_Pornoasset_927f314f Author: unknown
Source: .report_system.elf, type: SAMPLE Matched rule: MacOS_Cryptominer_Xmrig_241780a1 Author: unknown
Source: 5435.1.0000000000400000.0000000000c29000.r-x.sdmp, type: MEMORY Matched rule: Linux_Cryptominer_Camelot_cdd631c1 Author: unknown
Source: 5435.1.0000000000400000.0000000000c29000.r-x.sdmp, type: MEMORY Matched rule: Linux_Cryptominer_Malxmr_979160f6 Author: unknown
Source: 5435.1.0000000000400000.0000000000c29000.r-x.sdmp, type: MEMORY Matched rule: Linux_Trojan_Pornoasset_927f314f Author: unknown
Source: 5435.1.0000000000400000.0000000000c29000.r-x.sdmp, type: MEMORY Matched rule: MacOS_Cryptominer_Xmrig_241780a1 Author: unknown
Source: 5436.1.0000000000400000.0000000000c29000.r-x.sdmp, type: MEMORY Matched rule: Linux_Cryptominer_Camelot_cdd631c1 Author: unknown
Source: 5436.1.0000000000400000.0000000000c29000.r-x.sdmp, type: MEMORY Matched rule: Linux_Cryptominer_Malxmr_979160f6 Author: unknown
Source: 5436.1.0000000000400000.0000000000c29000.r-x.sdmp, type: MEMORY Matched rule: Linux_Trojan_Pornoasset_927f314f Author: unknown
Source: 5436.1.0000000000400000.0000000000c29000.r-x.sdmp, type: MEMORY Matched rule: MacOS_Cryptominer_Xmrig_241780a1 Author: unknown
Source: Process Memory Space: .report_system.elf PID: 5435, type: MEMORYSTR Matched rule: MacOS_Cryptominer_Xmrig_241780a1 Author: unknown
Source: Process Memory Space: .report_system.elf PID: 5436, type: MEMORYSTR Matched rule: MacOS_Cryptominer_Xmrig_241780a1 Author: unknown
Source: ELF static info symbol of initial sample Name: CryptonightR_instruction0
Source: ELF static info symbol of initial sample Name: CryptonightR_instruction1
Source: ELF static info symbol of initial sample Name: CryptonightR_instruction10
Source: ELF static info symbol of initial sample Name: CryptonightR_instruction100
Source: ELF static info symbol of initial sample Name: CryptonightR_instruction101
Source: ELF static info symbol of initial sample Name: CryptonightR_instruction102
Source: ELF static info symbol of initial sample Name: CryptonightR_instruction103
Source: ELF static info symbol of initial sample Name: CryptonightR_instruction104
Source: ELF static info symbol of initial sample Name: CryptonightR_instruction105
Source: ELF static info symbol of initial sample Name: CryptonightR_instruction106
Source: ELF static info symbol of initial sample .symtab present: no
Source: .report_system.elf, type: SAMPLE Matched rule: Linux_Cryptominer_Camelot_cdd631c1 reference_sample = 91549c171ae7f43c1a85a303be30169932a071b5c2b6cf3f4913f20073c97897, os = linux, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Cryptominer.Camelot, fingerprint = fa174ac25467ab6e0f11cf1f0a5c6bf653737e9bbdc9411aabeae460a33faa5e, id = cdd631c1-2c03-47dd-b50a-e8c0b9f67271, last_modified = 2021-09-16
Source: .report_system.elf, type: SAMPLE Matched rule: Linux_Cryptominer_Malxmr_979160f6 os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Cryptominer.Malxmr, fingerprint = fb933702578e2cf7e8ad74554ef93c07b610d6da8bc5743cbf86c363c1615f40, id = 979160f6-402a-4e4b-858a-374c9415493b, last_modified = 2021-09-16
Source: .report_system.elf, type: SAMPLE Matched rule: Linux_Trojan_Pornoasset_927f314f reference_sample = d653598df857535c354ba21d96358d4767d6ada137ee32ce5eb4972363b35f93, os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Pornoasset, fingerprint = 7214d3132fc606482e3f6236d291082a3abc0359c80255048045dba6e60ec7bf, id = 927f314f-2cbb-4f87-b75c-9aa5ef758599, last_modified = 2021-09-16
Source: .report_system.elf, type: SAMPLE Matched rule: MacOS_Cryptominer_Xmrig_241780a1 reference_sample = 2e94fa6ac4045292bf04070a372a03df804fa96c3b0cb4ac637eeeb67531a32f, os = macos, severity = x86, creation_date = 2021-09-30, scan_context = file, memory, license = Elastic License v2, threat_name = MacOS.Cryptominer.Xmrig, fingerprint = be9c56f18e0f0bdc8c46544039b9cb0bbba595c1912d089b2bcc7a7768ac04a8, id = 241780a1-ad50-4ded-b85a-26339ae5a632, last_modified = 2021-10-25
Source: 5435.1.0000000000400000.0000000000c29000.r-x.sdmp, type: MEMORY Matched rule: Linux_Cryptominer_Camelot_cdd631c1 reference_sample = 91549c171ae7f43c1a85a303be30169932a071b5c2b6cf3f4913f20073c97897, os = linux, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Cryptominer.Camelot, fingerprint = fa174ac25467ab6e0f11cf1f0a5c6bf653737e9bbdc9411aabeae460a33faa5e, id = cdd631c1-2c03-47dd-b50a-e8c0b9f67271, last_modified = 2021-09-16
Source: 5435.1.0000000000400000.0000000000c29000.r-x.sdmp, type: MEMORY Matched rule: Linux_Cryptominer_Malxmr_979160f6 os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Cryptominer.Malxmr, fingerprint = fb933702578e2cf7e8ad74554ef93c07b610d6da8bc5743cbf86c363c1615f40, id = 979160f6-402a-4e4b-858a-374c9415493b, last_modified = 2021-09-16
Source: 5435.1.0000000000400000.0000000000c29000.r-x.sdmp, type: MEMORY Matched rule: Linux_Trojan_Pornoasset_927f314f reference_sample = d653598df857535c354ba21d96358d4767d6ada137ee32ce5eb4972363b35f93, os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Pornoasset, fingerprint = 7214d3132fc606482e3f6236d291082a3abc0359c80255048045dba6e60ec7bf, id = 927f314f-2cbb-4f87-b75c-9aa5ef758599, last_modified = 2021-09-16
Source: 5435.1.0000000000400000.0000000000c29000.r-x.sdmp, type: MEMORY Matched rule: MacOS_Cryptominer_Xmrig_241780a1 reference_sample = 2e94fa6ac4045292bf04070a372a03df804fa96c3b0cb4ac637eeeb67531a32f, os = macos, severity = x86, creation_date = 2021-09-30, scan_context = file, memory, license = Elastic License v2, threat_name = MacOS.Cryptominer.Xmrig, fingerprint = be9c56f18e0f0bdc8c46544039b9cb0bbba595c1912d089b2bcc7a7768ac04a8, id = 241780a1-ad50-4ded-b85a-26339ae5a632, last_modified = 2021-10-25
Source: 5436.1.0000000000400000.0000000000c29000.r-x.sdmp, type: MEMORY Matched rule: Linux_Cryptominer_Camelot_cdd631c1 reference_sample = 91549c171ae7f43c1a85a303be30169932a071b5c2b6cf3f4913f20073c97897, os = linux, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Cryptominer.Camelot, fingerprint = fa174ac25467ab6e0f11cf1f0a5c6bf653737e9bbdc9411aabeae460a33faa5e, id = cdd631c1-2c03-47dd-b50a-e8c0b9f67271, last_modified = 2021-09-16
Source: 5436.1.0000000000400000.0000000000c29000.r-x.sdmp, type: MEMORY Matched rule: Linux_Cryptominer_Malxmr_979160f6 os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Cryptominer.Malxmr, fingerprint = fb933702578e2cf7e8ad74554ef93c07b610d6da8bc5743cbf86c363c1615f40, id = 979160f6-402a-4e4b-858a-374c9415493b, last_modified = 2021-09-16
Source: 5436.1.0000000000400000.0000000000c29000.r-x.sdmp, type: MEMORY Matched rule: Linux_Trojan_Pornoasset_927f314f reference_sample = d653598df857535c354ba21d96358d4767d6ada137ee32ce5eb4972363b35f93, os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Pornoasset, fingerprint = 7214d3132fc606482e3f6236d291082a3abc0359c80255048045dba6e60ec7bf, id = 927f314f-2cbb-4f87-b75c-9aa5ef758599, last_modified = 2021-09-16
Source: 5436.1.0000000000400000.0000000000c29000.r-x.sdmp, type: MEMORY Matched rule: MacOS_Cryptominer_Xmrig_241780a1 reference_sample = 2e94fa6ac4045292bf04070a372a03df804fa96c3b0cb4ac637eeeb67531a32f, os = macos, severity = x86, creation_date = 2021-09-30, scan_context = file, memory, license = Elastic License v2, threat_name = MacOS.Cryptominer.Xmrig, fingerprint = be9c56f18e0f0bdc8c46544039b9cb0bbba595c1912d089b2bcc7a7768ac04a8, id = 241780a1-ad50-4ded-b85a-26339ae5a632, last_modified = 2021-10-25
Source: Process Memory Space: .report_system.elf PID: 5435, type: MEMORYSTR Matched rule: MacOS_Cryptominer_Xmrig_241780a1 reference_sample = 2e94fa6ac4045292bf04070a372a03df804fa96c3b0cb4ac637eeeb67531a32f, os = macos, severity = x86, creation_date = 2021-09-30, scan_context = file, memory, license = Elastic License v2, threat_name = MacOS.Cryptominer.Xmrig, fingerprint = be9c56f18e0f0bdc8c46544039b9cb0bbba595c1912d089b2bcc7a7768ac04a8, id = 241780a1-ad50-4ded-b85a-26339ae5a632, last_modified = 2021-10-25
Source: Process Memory Space: .report_system.elf PID: 5436, type: MEMORYSTR Matched rule: MacOS_Cryptominer_Xmrig_241780a1 reference_sample = 2e94fa6ac4045292bf04070a372a03df804fa96c3b0cb4ac637eeeb67531a32f, os = macos, severity = x86, creation_date = 2021-09-30, scan_context = file, memory, license = Elastic License v2, threat_name = MacOS.Cryptominer.Xmrig, fingerprint = be9c56f18e0f0bdc8c46544039b9cb0bbba595c1912d089b2bcc7a7768ac04a8, id = 241780a1-ad50-4ded-b85a-26339ae5a632, last_modified = 2021-10-25
Source: classification engine Classification label: mal96.troj.mine.linELF@0/1@4/0

Persistence and Installation Behavior

Source: /tmp/.report_system.elf (PID: 5435) File: /proc/5435/mounts
Source: /tmp/.report_system.elf (PID: 5435) Directory: /root/.xmrig.json
Source: /tmp/.report_system.elf (PID: 5442) Shell command executed: sh -c "/sbin/modprobe msr allow_writes=on > /dev/null 2>&1"
Source: /tmp/.report_system.elf (PID: 5435) Reads from proc file: /proc/cpuinfo
Source: /tmp/.report_system.elf (PID: 5435) Reads from proc file: /proc/meminfo
Source: /tmp/.report_system.elf (PID: 5436) Reads from proc file: /proc/meminfo
Source: /bin/sh (PID: 5443) Modprobe: /sbin/modprobe -> /sbin/modprobe msr allow_writes=on
Source: /tmp/.report_system.elf (PID: 5435) Reads CPU info from proc file: /proc/cpuinfo
Source: /tmp/.report_system.elf (PID: 5435) Reads CPU info from /sys: /sys/devices/system/cpu/online
Source: /tmp/.report_system.elf (PID: 5435) Reads CPU info from /sys: /sys/devices/system/cpu/cpu0/topology/core_cpus
Source: /tmp/.report_system.elf (PID: 5435) Reads CPU info from /sys: /sys/devices/system/cpu/cpu0/topology/core_id
Source: /tmp/.report_system.elf (PID: 5435) Reads CPU info from /sys: /sys/devices/system/cpu/cpu0/topology/die_cpus
Source: /tmp/.report_system.elf (PID: 5435) Reads CPU info from /sys: /sys/devices/system/cpu/cpu0/topology/package_cpus
Source: /tmp/.report_system.elf (PID: 5435) Reads CPU info from /sys: /sys/devices/system/cpu/cpu0/topology/physical_package_id
Source: /tmp/.report_system.elf (PID: 5435) Reads CPU info from /sys: /sys/devices/system/cpu/cpu0/cache/index0/shared_cpu_map
Source: /tmp/.report_system.elf (PID: 5435) Reads CPU info from /sys: /sys/devices/system/cpu/cpu0/cache/index0/level
Source: /tmp/.report_system.elf (PID: 5435) Reads CPU info from /sys: /sys/devices/system/cpu/cpu0/cache/index0/type
Source: /tmp/.report_system.elf (PID: 5435) Reads CPU info from /sys: /sys/devices/system/cpu/cpu0/cache/index0/id
Source: /tmp/.report_system.elf (PID: 5435) Reads CPU info from /sys: /sys/devices/system/cpu/cpu0/cache/index0/size
Source: /tmp/.report_system.elf (PID: 5435) Reads CPU info from /sys: /sys/devices/system/cpu/cpu0/cache/index0/coherency_line_size
Source: /tmp/.report_system.elf (PID: 5435) Reads CPU info from /sys: /sys/devices/system/cpu/cpu0/cache/index0/number_of_sets
Source: /tmp/.report_system.elf (PID: 5435) Reads CPU info from /sys: /sys/devices/system/cpu/cpu0/cache/index0/physical_line_partition
Source: /tmp/.report_system.elf (PID: 5435) Reads CPU info from /sys: /sys/devices/system/cpu/cpu0/cache/index1/shared_cpu_map
Source: /tmp/.report_system.elf (PID: 5435) Reads CPU info from /sys: /sys/devices/system/cpu/cpu0/cache/index1/level
Source: /tmp/.report_system.elf (PID: 5435) Reads CPU info from /sys: /sys/devices/system/cpu/cpu0/cache/index1/type
Source: /tmp/.report_system.elf (PID: 5435) Reads CPU info from /sys: /sys/devices/system/cpu/cpu0/cache/index1/id
Source: /tmp/.report_system.elf (PID: 5435) Reads CPU info from /sys: /sys/devices/system/cpu/cpu0/cache/index2/shared_cpu_map
Source: /tmp/.report_system.elf (PID: 5435) Reads CPU info from /sys: /sys/devices/system/cpu/cpu0/cache/index2/level
Source: /tmp/.report_system.elf (PID: 5435) Reads CPU info from /sys: /sys/devices/system/cpu/cpu0/cache/index2/type
Source: /tmp/.report_system.elf (PID: 5435) Reads CPU info from /sys: /sys/devices/system/cpu/cpu0/cache/index2/id
Source: /tmp/.report_system.elf (PID: 5435) Reads CPU info from /sys: /sys/devices/system/cpu/cpu0/cache/index2/size
Source: /tmp/.report_system.elf (PID: 5435) Reads CPU info from /sys: /sys/devices/system/cpu/cpu0/cache/index2/coherency_line_size
Source: /tmp/.report_system.elf (PID: 5435) Reads CPU info from /sys: /sys/devices/system/cpu/cpu0/cache/index2/number_of_sets
Source: /tmp/.report_system.elf (PID: 5435) Reads CPU info from /sys: /sys/devices/system/cpu/cpu0/cache/index2/physical_line_partition
Source: /tmp/.report_system.elf (PID: 5435) Reads CPU info from /sys: /sys/devices/system/cpu/cpu0/cache/index3/shared_cpu_map
Source: /tmp/.report_system.elf (PID: 5435) Reads CPU info from /sys: /sys/devices/system/cpu/cpu0/cache/index3/level
Source: /tmp/.report_system.elf (PID: 5435) Reads CPU info from /sys: /sys/devices/system/cpu/cpu0/cache/index3/type
Source: /tmp/.report_system.elf (PID: 5435) Reads CPU info from /sys: /sys/devices/system/cpu/cpu0/cache/index3/id
Source: /tmp/.report_system.elf (PID: 5435) Reads CPU info from /sys: /sys/devices/system/cpu/cpu0/cache/index3/size
Source: /tmp/.report_system.elf (PID: 5435) Reads CPU info from /sys: /sys/devices/system/cpu/cpu0/cache/index3/coherency_line_size
Source: /tmp/.report_system.elf (PID: 5435) Reads CPU info from /sys: /sys/devices/system/cpu/cpu0/cache/index3/number_of_sets
Source: /tmp/.report_system.elf (PID: 5435) Reads CPU info from /sys: /sys/devices/system/cpu/cpu0/cache/index3/physical_line_partition
Source: /tmp/.report_system.elf (PID: 5435) Reads CPU info from /sys: /sys/devices/system/cpu/cpu1/topology/core_cpus
Source: /tmp/.report_system.elf (PID: 5435) Reads CPU info from /sys: /sys/devices/system/cpu/cpu1/topology/core_id
Source: /tmp/.report_system.elf (PID: 5435) Reads CPU info from /sys: /sys/devices/system/cpu/cpu1/topology/die_cpus
Source: /tmp/.report_system.elf (PID: 5435) Reads CPU info from /sys: /sys/devices/system/cpu/cpu1/topology/package_cpus
Source: /tmp/.report_system.elf (PID: 5435) Reads CPU info from /sys: /sys/devices/system/cpu/cpu1/topology/physical_package_id
Source: /tmp/.report_system.elf (PID: 5435) Reads CPU info from /sys: /sys/devices/system/cpu/cpu1/cache/index0/shared_cpu_map
Source: /tmp/.report_system.elf (PID: 5435) Reads CPU info from /sys: /sys/devices/system/cpu/cpu1/cache/index0/level
Source: /tmp/.report_system.elf (PID: 5435) Reads CPU info from /sys: /sys/devices/system/cpu/cpu1/cache/index0/type
Source: /tmp/.report_system.elf (PID: 5435) Reads CPU info from /sys: /sys/devices/system/cpu/cpu1/cache/index0/id
Source: /tmp/.report_system.elf (PID: 5435) Reads CPU info from /sys: /sys/devices/system/cpu/cpu1/cache/index0/size
Source: /tmp/.report_system.elf (PID: 5435) Reads CPU info from /sys: /sys/devices/system/cpu/cpu1/cache/index0/coherency_line_size
Source: /tmp/.report_system.elf (PID: 5435) Reads CPU info from /sys: /sys/devices/system/cpu/cpu1/cache/index0/number_of_sets
Source: /tmp/.report_system.elf (PID: 5435) Reads CPU info from /sys: /sys/devices/system/cpu/cpu1/cache/index0/physical_line_partition
Source: /tmp/.report_system.elf (PID: 5435) Reads CPU info from /sys: /sys/devices/system/cpu/cpu1/cache/index1/shared_cpu_map
Source: /tmp/.report_system.elf (PID: 5435) Reads CPU info from /sys: /sys/devices/system/cpu/cpu1/cache/index1/level
Source: /tmp/.report_system.elf (PID: 5435) Reads CPU info from /sys: /sys/devices/system/cpu/cpu1/cache/index1/type
Source: /tmp/.report_system.elf (PID: 5435) Reads CPU info from /sys: /sys/devices/system/cpu/cpu1/cache/index1/id
Source: /tmp/.report_system.elf (PID: 5435) Reads CPU info from /sys: /sys/devices/system/cpu/cpu1/cache/index2/shared_cpu_map
Source: /tmp/.report_system.elf (PID: 5435) Reads CPU info from /sys: /sys/devices/system/cpu/cpu1/cache/index2/level
Source: /tmp/.report_system.elf (PID: 5435) Reads CPU info from /sys: /sys/devices/system/cpu/cpu1/cache/index2/type
Source: /tmp/.report_system.elf (PID: 5435) Reads CPU info from /sys: /sys/devices/system/cpu/cpu1/cache/index2/id
Source: /tmp/.report_system.elf (PID: 5435) Reads CPU info from /sys: /sys/devices/system/cpu/cpu1/cache/index2/size
Source: /tmp/.report_system.elf (PID: 5435) Reads CPU info from /sys: /sys/devices/system/cpu/cpu1/cache/index2/coherency_line_size
Source: /tmp/.report_system.elf (PID: 5435) Reads CPU info from /sys: /sys/devices/system/cpu/cpu1/cache/index2/number_of_sets Jump to behavior
Source: /tmp/.report_system.elf (PID: 5435) Reads CPU info from /sys: /sys/devices/system/cpu/cpu1/cache/index2/physical_line_partition Jump to behavior
Source: /tmp/.report_system.elf (PID: 5435) Reads CPU info from /sys: /sys/devices/system/cpu/cpu1/cache/index3/shared_cpu_map Jump to behavior
Source: /tmp/.report_system.elf (PID: 5435) Reads CPU info from /sys: /sys/devices/system/cpu/cpu1/cache/index3/level Jump to behavior
Source: /tmp/.report_system.elf (PID: 5435) Reads CPU info from /sys: /sys/devices/system/cpu/cpu1/cache/index3/type Jump to behavior
Source: /tmp/.report_system.elf (PID: 5435) Reads CPU info from /sys: /sys/devices/system/cpu/cpu1/cache/index3/id Jump to behavior
Source: /tmp/.report_system.elf (PID: 5435) Reads CPU info from /sys: /sys/devices/system/cpu/cpu1/cache/index3/size Jump to behavior
Source: /tmp/.report_system.elf (PID: 5435) Reads CPU info from /sys: /sys/devices/system/cpu/cpu1/cache/index3/coherency_line_size Jump to behavior
Source: /tmp/.report_system.elf (PID: 5435) Reads CPU info from /sys: /sys/devices/system/cpu/cpu1/cache/index3/number_of_sets Jump to behavior
Source: /tmp/.report_system.elf (PID: 5435) Reads CPU info from /sys: /sys/devices/system/cpu/cpu1/cache/index3/physical_line_partition Jump to behavior
Source: /tmp/.report_system.elf (PID: 5435) Reads CPU info from /sys: /sys/devices/system/cpu/possible Jump to behavior
Source: /tmp/.report_system.elf (PID: 5435) Queries kernel information via 'uname': Jump to behavior
Source: /tmp/.report_system.elf (PID: 5436) Queries kernel information via 'uname': Jump to behavior
Source: /sbin/modprobe (PID: 5443) Queries kernel information via 'uname': Jump to behavior