Coinminer.Linux.MALXMR.UWEKP

This Coinminer arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.

It steals certain information from the system and/or the user.

It connects to certain websites to send and receive information. It uses the system's central processing unit (CPU) and/or graphical processing unit (GPU) resources to mine cryptocurrency.

Arrival Details

This Coinminer arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.

Information Theft

This Coinminer steals the following information:

• CPU Information
• Memory information
• Status of all mounted file systems

Other Details

This Coinminer connects to the following website to send and receive information:

• {BLOCKED}.{BLOCKED}.87.231

It does the following:

• Accepts the following configuration files:
  • {Coinminer Directory}\config.json
• It uses the following default details on its coin mining routine if parameter is not specified:
  • URL: xmr-eu1.nanopool.org
  • coin: monero
  • User: {BLOCKED}wS3gXfsgR7fgXeGP4KAXtQTXJfkicBoRSHXwGbhVzj1JXZRJRhbMrvhxvXvgbJuyV3GGWzD6JvVMuQwAXxLZmTWkb
  • Password: mine
• Accepts the following parameters:
  • -o, --url=URL=URL of mining server
  • -a, --algo=ALGO=specify the algorithm to use; cryptonite, cryptonite-light, cryptonite-heavy
  • --coin=COIN=specify coin instead of algorithm
  • -u, --user=USERNAME=username for mining server
  • -p, --pass=PASSWORD=password for mining server
  • -O, --userpass=U:P=username:password pair for mining server
  • -k, --keepalive=send keepalived packet for prevent timeout (needs pool support)
  • --nicehash=enable nicehash.com support
  • --rig-id=ID=rig identifier for pool-side statistics (needs pool support)
  • -r, --retries=N=number of times to retry before switch to backup server (default: 5)
  • -R, --retry-pause=N =time to pause between retries (default: 5)
  • --user-agent=set custom user-agent string for pool
  • --donate-level=N=donate level, default 5%% (5 minutes in 100 minutes)
  • --donate-over-proxy=N=control donate over xmrig-proxy feature
  • --no-cpu=disable CPU mining backend
  • -t, --threads=N=number of CPU threads
  • -v, --av=N=algorithm variation, 0 auto select
  • --cpu-affinity=set process affinity to CPU core(s), mask 0x3 for cores 0 and 1
  • --cpu-priority=set process priority (0 idle, 2 normal to 5 highest)
  • --cpu-max-threads-hint=N=maximum CPU threads count (in percentage) hint for autoconfig
  • --cpu-memory-pool=N=number of 2 MB pages for persistent memory pool, -1 (auto), 0 (disable)
  • --cpu-no-yield=prefer maximum hashrate rather than system response/stability
  • --no-huge-pages=disable huge pages support
  • --asm=ASM=ASM optimizations, possible values: auto, none, intel, ryzen, bulldozer
  • --randomx-init=N=threads count to initialize RandomX dataset
  • --randomx-no-numa=disable NUMA support for RandomX
  • --randomx-mode=MODE=RandomX mode: auto, fast, light
  • --randomx-1gb-pages=use 1GB hugepages for dataset (Linux only)
  • --randomx-wrmsr=N=write custom value (0-15) to Intel MSR register 0x1a4 or disable MSR mod (-1)
  • --randomx-no-rdmsr=disable reverting initial MSR values on exit
  • -S, --syslog=use system log for output messages
  • -l, --log-file=FILE=log all output to a file
  • --print-time=N=print hashrate report every N seconds
  • --no-color=disable colored output
  • --verbose=verbose output
  • -c, --config=FILE=load a JSON-format configuration file
  • -B, --background=run the miner in the background
  • -V, --version=output version information and exit
  • -h, --help=display this help and exit
  • --dry-run=test configuration and exit
  • --export-topology=export hwloc topology to a XML file and exit

It uses the system's central processing unit (CPU) and/or graphical processing unit (GPU) resources to mine cryptocurrency. This behavior makes the system run abnormally slow.