Analisado por: Bren Matthew Ebriega   
 Plataforma:

Linux

 Classificao do risco total:
 Potencial de dano:
 Potencial de distribuição:
 infecção relatada:
 Impacto no sistema: :
 Exposição das informações:
Baixo
Medium
Alto
Crítico

  • Tipo de grayware:
    Coinminer

  • Destrutivo:
    Não

  • Criptografado:
    Não

  • In the Wild:
    Sim

  Visão geral

It arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.

  Detalhes técnicos

Tipo de compactação: 3,672,976 bytes
Tipo de arquivo: ELF
Residente na memória: Sim
Data de recebimento das amostras iniciais: 05 junho 2020

Übertragungsdetails

It arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.

Andere Details

Für ihre ordnungsgemäße Ausführung sind die folgenden zusätzlichen Komponenten erforderlich:

  • {Coinminer Directory}\config.json

Es macht Folgendes:

  • Accepts the following Parameters:
    • -b, --bind=ADDR bind to specified address, example "0.0.0.0:3333"
    • -a, --algo=ALGO mining algorithm https://xmrig.com/docs/algorithms
    • --coin=COIN specify coin instead of algorithm
    • -m, --mode=MODE proxy mode, nicehash (default) or simple
    • -o, --url=URL URL of mining server
    • -O, --userpass=U:P username:password pair for mining server
    • -u, --user=USERNAME username for mining server
    • -p, --pass=PASSWORD password for mining server
    • --encin encin
    • --encout encout
    • --rig-id=ID rig identifier for pool-side statistics (needs pool support)
    • --tls-fingerprint=F pool TLS certificate fingerprint, if set enable strict certificate pinning
    • -k, --keepalive prevent timeout (needs pool support)
    • -r, --retries=N number of times to retry before switch to backup server (default: 1)
    • -R, --retry-pause=N time to pause between retries (default: 1 second)
    • --custom-diff=N override pool diff
    • --reuse-timeout=N timeout in seconds for reuse pool connections in simple mode
    • --verbose verbose output
    • --user-agent=AGENT set custom user-agent string for pool
    • --no-color disable colored output
    • --no-workers disable per worker statistics
    • --variant algorithm PoW variant
    • --donate-level=N donate level, default 2%%
    • -B, --background run the miner in the background
    • -c, --config=FILE load a JSON-format configuration file
    • -l, --log-file=FILE log all output to a file
    • -S, --syslog use system log for output messages
    • -A --access-log-file=N log all workers access to a file
    • --access-password=P set password to restrict connections to the proxy
    • --no-algo-ext disable "algo" protocol extension
    • --api-worker-id=ID custom worker-id (instance name) for API
    • --api-id=ID custom instance ID for API
    • --http-enabled enable HTTP API
    • --http-host=HOST bind host for HTTP API (by default 127.0.0.1)
    • --http-port=N bind port for HTTP API
    • --http-access-token=T access token for HTTP API
    • --http-no-restricted enable full remote access to HTTP API (only if access token set)
    • --tls enable SSL/TLS support for pool connection (needs pool support)
    • --tls-bind=ADDR bind to specified address with enabled TLS
    • --tls-cert=FILE load TLS certificate chain from a file in the PEM format
    • --tls-cert-key=FILE load TLS certificate private key from a file in the PEM format
    • --tls-dhparam=FILE load DH parameters for DHE ciphers from a file in the PEM format
    • --tls-protocols=N enable specified TLS protocols, example: "TLSv1 TLSv1.1 TLSv1.2 TLSv1.3"
    • --tls-ciphers=S set list of available ciphers (TLSv1.2 and below)
    • --tls-ciphersuites=S set list of available TLSv1.3 ciphersuites
    • -h, --help display this help and exit
    • -V, --version output version information and exit
  • Supported algo options:
    • cryptonight/0
    • cryptonight
    • cryptonight/1
    • cryptonight/2
    • cryptonight-monerov7
    • cryptonight-monerov8
    • cryptonight/r
    • cryptonight/fast
    • cryptonight/msr
    • cryptonight/half
    • cryptonight/xao
    • cryptonight_alloy,
    • cryptonight/rto
    • cryptonight/rwz
    • cryptonight/zls
    • cryptonight/double
    • cryptonight/gpu
    • cryptonight-lite/0
    • cryptonight-lite/1
    • cryptonight-lite
    • cryptonight-light
    • cryptonight_lite
    • cryptonight-aeonv7
    • cryptonight_lite_v7
    • cryptonight-heavy/0
    • cryptonight-heavy
    • cryptonight_heavy
    • cryptonight-heavy/xhv
    • cryptonight_haven
    • cryptonight-heavy/tube
    • cryptonight-bittube2
    • cryptonight-pico
    • cryptonight-pico/trtl
    • cryptonight-turtle
    • cryptonight-ultralite
    • cryptonight_turtle
    • randomx/test
    • RandomX
    • RandomWOW
    • RandomXL
    • randomx/arq
    • RandomARQ
    • randomx/loki
    • randomx/wow
    • randomx/0
    • argon2/chukwa
    • argon2/wrkz
  • Supported coin options:
    • monero
    • arqma

  Solução

Mecanismo de varredura mínima: 9.850
Primeiro arquivo padrão VSAPI: 15.912.05
Data do lançamento do primeiro padrão VSAPI: 05 junho 2020
VSAPI OPR Pattern Version: 15.913.00
VSAPI OPR Pattern veröffentlicht am: 06 junho 2020

Durchsuchen Sie Ihren Computer mit Ihrem Trend Micro Produkt, und löschen Sie Dateien, die als Coinminer.Linux.MALXMR.UWEKT entdeckt werden. Falls die entdeckten Dateien bereits von Ihrem Trend Micro Produkt gesäubert, gelöscht oder in Quarantäne verschoben wurden, sind keine weiteren Schritte erforderlich. Dateien in Quarantäne können einfach gelöscht werden. Auf dieser Knowledge-Base-Seite finden Sie weitere Informationen.


Participe da nossa pesquisa!