PUA.Linux.XMRig.AH

This Potentially Unwanted Application arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.

It uses the system's central processing unit (CPU) and/or graphical processing unit (GPU) resources to mine cryptocurrency.

Arrival Details

This Potentially Unwanted Application arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.

Other Details

This Potentially Unwanted Application requires the following additional components to properly run:

• {Execution directory}/config.json
• /{User home directory}/.xmrig.json
• /{User home directory}/.config/xmrig.json

It does the following:

• Supported algorithm options:
  • cryptonight/0
  • cn/0
  • cryptonight
  • cryptonight/1
  • cn/1
  • cryptonight-monerov7
  • cryptonight_v7
  • cryptonight/2
  • cn/2
  • cryptonight-monerov8
  • cryptonight_v8
  • cryptonight/r
  • cn/r
  • cryptonight_r
  • cryptonight/fast
  • cn/fast
  • cryptonight/msr
  • cn/msr
  • cryptonight/half
  • half
  • cryptonight/xao
  • cn/xao
  • cryptonight_alloy
  • cryptonight/rto
  • cn/rto
  • cryptonight/rwz
  • cn/rwz
  • cryptonight/zls
  • cn/zls
  • cryptonight/double
  • cn/double
  • cryptonight-lite/0
  • cn-lite/0
  • cryptonight-lite/1
  • cn-lite/1
  • cryptonight-lite
  • cn-lite
  • cryptonight-light
  • cn-light
  • cryptonight_lite
  • cryptonight-aeonv7
  • cryptonight_lite_v7
  • cryptonight-heavy/0
  • cn-heavy/0
  • cryptonight-heavy
  • cn-heavy
  • cryptonight_heavy
  • cryptonight-heavy/xhv
  • cn-heavy/xhv
  • cryptonight_haven
  • cryptonight-heavy/tube
  • cn-heavy/tube
  • cryptonight-bittube2
  • cryptonight-pico
  • cn-pico
  • cryptonight-pico/trtl
  • cn-pico/trtl
  • cryptonight-turtle
  • cn-trtl
  • cryptonight-ultralite
  • cn-ultralite
  • cryptonight_turtle
  • cn_turtle
  • cryptonight-pico/tlo
  • cn-pico/tlo
  • cryptonight/ultra
  • cn/ultra
  • cryptonight-talleo
  • cn-talleo
  • cryptonight_talleo
  • cn_talleo
  • randomx/0
  • rx/0
  • randomx/test
  • rx/test
  • RandomX
  • randomx/wow
  • rx/wow
  • RandomWOW
  • randomx/arq
  • rx/arq
  • RandomARQ
  • randomx/sfx
  • rx/sfx
  • RandomSFX
  • randomx/
  • keva
  • rx/keva
  • RandomKEVA
  • argon2/chukwa
  • argon2/chukwav2
  • argon2/wrkz
  • astrobwt
  • astrobwt/
  • dero
  • kawpow
  • kawpow/rvn
  • cryptonight/ccx
  • cn/ccx
  • cryptonight/conceal
  • conceal
• Supported coin options:
  • monero
  • xmr
  • arqma
  • ravencoin

It accepts the following parameters:

• -o or --url=URL -> URL of mining server
• -a or --algo=ALGO -> mining algorithm https://{BLOCKED}.com/docs/algorithms
• --coin=COIN -> specify coin instead of algorithm
• -u or --user=USERNAME -> username for mining server
• -p or --pass=PASSWORD -> password for mining server
• -O or --userpass=U:P -> username:password pair for mining server
• -x or --proxy=HOST:PORT -> connect through a SOCKS5 proxy
• -k or --keepalive -> send keepalived packet for prevent timeout (needs pool support)
• --nicehash -> enable nicehash.com support
• --rig-id=ID -> rig identifier for pool-side statistics (needs pool support)
• --tls -> enable SSL/TLS support (needs pool support)
• --tls-fingerprint=HEX -> pool TLS certificate fingerprint for strict certificate pinning
• --daemon -> use daemon RPC instead of pool for solo mining
• --daemon-poll-interval=N daemon poll interval in milliseconds (default: 1000)
• --self-select=URL -> self-select block templates from URL
• -r or --retries=N -> number of times to retry before switch to backup server (default: 5)
• -R or --retry-pause=N -> time to pause between retries (default: 5)
• --user-agent -> set custom user-agent string for pool
• --donate-level=N -> donate level, default 1%% (1 minute in 100 minutes)
• --donate-over-proxy=N -> control donate over xmrig-proxy feature
• --no-cpu -> disable CPU mining backend
• -t or --threads=N -> number of CPU threads
• -v or --av=N -> algorithm variation, 0 auto select
• --cpu-affinity -> set process affinity to CPU core(s), mask 0x3 for cores 0 and 1
• --cpu-priority -> set process priority (0 idle, 2 normal to 5 highest)
• --cpu-max-threads-hint=N -> maximum CPU threads count (in percentage) hint for autoconfig
• --cpu-memory-pool=N -> number of 2 MB pages for persistent memory pool, -1 (auto), 0 (disable)
• --cpu-no-yield -> prefer maximum hashrate rather than system response/stability
• --no-huge-pages -> disable huge pages support
• --asm=ASM -> ASM optimizations, possible values: auto, none, intel, ryzen, bulldozer
• --argon2-impl=IMPL -> argon2 implementation: x86_64, SSE2, SSSE3, XOP, AVX2, AVX-512F
• --randomx-init=N -> threads count to initialize RandomX dataset
• --randomx-no-numa -> disable NUMA support for RandomX
• --randomx-mode=MODE -> RandomX mode: auto, fast, light
• --randomx-1gb-pages -> use 1GB hugepages for RandomX dataset (Linux only)
• --randomx-wrmsr=N -> write custom value(s) to MSR registers or disable MSR mod (-1)
• --randomx-no-rdmsr -> disable reverting initial MSR values on exit
• --randomx-cache-qos -> enable Cache QoS
• --astrobwt-max-size=N -> skip hashes with large stage 2 size, default: 550, min: 400, max: 1200
• --astrobwt-avx2 -> enable AVX2 optimizations for AstroBWT algorithm
• --api-worker-id=ID -> custom worker-id for API
• --api-id=ID -> custom instance ID for API
• --http-host=HOST -> bind host for HTTP API (default: {BLOCKED}.{BLOCKED}.0.1 )
• --http-port=N -> bind port for HTTP API
• --http-access-token=T -> access token for HTTP API
• --http-no-restricted -> enable full remote access to HTTP API (only if access token set)
• --tls-gen=HOSTNAME -> generate TLS certificate for specific hostname
• --tls-cert=FILE -> load TLS certificate chain from a file in the PEM format
• --tls-cert-key=FILE -> load TLS certificate private key from a file in the PEM format
• --tls-dhparam=FILE -> load DH parameters for DHE ciphers from a file in the PEM format
• --tls-protocols=N -> enable specified TLS protocols, example: \"TLSv1 TLSv1.1 TLSv1.2 TLSv1.3\"
• --tls-ciphers=S -> set list of available ciphers (TLSv1.2 and below)
• --tls-ciphersuites=S -> set list of available TLSv1.3 ciphersuites
• -S or --syslog -> use system log for output messages
• -l or --log-file=FILE -> log all output to a file
• --print-time=N -> print hashrate report every N seconds
• --no-color -> disable colored output
• --verbose -> verbose output
• -c or --config=FILE -> load a JSON-format configuration file
• -B or --background -> run the miner in the background
• -V or --version -> output version information and exit
• -h or --help -> display this help and exit
• --dry-run -> test configuration and exit
• --export-topology -> export hwloc topology to a XML file and exit
• --pause-on-battery -> pause mine on battery power
• --stress -> run continuous stress test to check system stability
• --bench=N -> run benchmark, N can be between 1M and 10M
• --submit -> perform an online benchmark and submit result for sharing
• --verify=ID -> verify submitted benchmark by ID
• --seed=SEED -> custom RandomX seed for benchmark
• --hash=HASH -> compare benchmark result with specified hash

It uses the system's central processing unit (CPU) and/or graphical processing unit (GPU) resources to mine cryptocurrency. This behavior makes the system run abnormally slow.