100 Days of YARA – Day 20: xmrig

Attackers are often financially motivated. To capitalize on intrusions, they frequently install cryptocurrency miners on their victims' hosts. As such, detecting cryptocurrency miners may be advantageous.

Here is a simple rule to detect xmrig, a common cryptocurrency miner:

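rule xmrig_generic
{
	meta:
		author = "Daniel Roberson"
		description = "https://github.com/xmrig/xmrig*"

	strings:
		// xmrig project URL
		$s1 = "https://xmrig.com"

	condition:
		// Only consider executable formats. uint16()/uint32() read little-endian.
		(
			uint32(0) == 0x464c457f or    // ELF
			uint16(0) == 0x5a4d or        // PE (MZ)
			uint32(0) == 0xfeedface or    // Mach-O 32-bit, little-endian
			uint32(0) == 0xcefaedfe or    // Mach-O 32-bit, big-endian
			uint32(0) == 0xfeedfacf or    // Mach-O 64-bit, little-endian
			uint32(0) == 0xcffaedfe or    // Mach-O 64-bit, big-endian
			uint32(0) == 0xcafebabe or    // fat Mach-O, byte-swapped header
			uint32(0) == 0xbebafeca       // fat Mach-O (same magic as Java class files)
		)
		and all of them
}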
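
The following is an added example, not the author's code: a Python stand-in for the rule's condition that shows which on-disk header bytes each constant corresponds to and which files the rule does and does not flag. The function names and the sample buffers are constructed for illustration.

```python
import struct

# Marker string from the rule's $s1 (plain ASCII, case-sensitive).
XMRIG_URL = b"https://xmrig.com"

# Header values accepted by the rule. YARA's uint16()/uint32() read
# little-endian, so 0x464c457f in the rule is the byte sequence 7f 45 4c 46.
MAGIC32 = {
    0x464C457F: "ELF",
    0xFEEDFACE: "Mach-O 32-bit LE",
    0xCEFAEDFE: "Mach-O 32-bit BE",
    0xFEEDFACF: "Mach-O 64-bit LE",
    0xCFFAEDFE: "Mach-O 64-bit BE",
    0xCAFEBABE: "fat Mach-O, byte-swapped",
    0xBEBAFECA: "fat Mach-O / Java class",
}
MAGIC16 = {0x5A4D: "PE (MZ)"}


def executable_format(data: bytes):
    """Return the format name if the header passes the rule's gate, else None."""
    if len(data) >= 4:
        (m32,) = struct.unpack_from("<I", data, 0)
        if m32 in MAGIC32:
            return MAGIC32[m32]
    if len(data) >= 2:
        (m16,) = struct.unpack_from("<H", data, 0)
        if m16 in MAGIC16:
            return MAGIC16[m16]
    return None


def matches_xmrig_generic(data: bytes) -> bool:
    """Same decision as the rule: executable header AND the URL string present."""
    return executable_format(data) is not None and XMRIG_URL in data


# Constructed sample buffers (not real binaries).
SAMPLES = {
    "elf_with_url": b"\x7fELF" + b"\x00" * 60 + b"donate at https://xmrig.com/\x00",
    "pe_with_url": b"MZ" + b"\x00" * 62 + b"https://xmrig.com",
    "elf_without_url": b"\x7fELF" + b"\x00" * 60,
    "readme_with_url": b"# Notes\nSee https://xmrig.com for docs\n",
}

if __name__ == "__main__":
    for name, blob in SAMPLES.items():
        print(f"{name:16} {executable_format(blob)!s:24} {matches_xmrig_generic(blob)}")
```

The header gate is what keeps text files, logs and web pages that merely mention the URL from matching.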
