100 Days of YARA – Day 20: xmrig

Often, attackers are financially motivated. To capitalize on intrusions, attackers often install cryptocurrency miners on their victim’s hosts. As such, detecting cryptocurrency miners may be advantageous.

Here is a simple rule to detect xmrig, a common cryptocurrency miner:

rule xmrig_generic
{
	meta:
		author = "Daniel Roberson"
		description = "https://github.com/xmrig/xmrig*"

	strings:
		$s1 = "https://xmrig.com"

	condition:
		(uint32(0) == 0x464c457f or uint16(0) == 0x5a4d or uint32(0) == 0xfeedface or uint32(0) == 0xcefaedfe or uint32(0) == 0xfeedfacf or uint32(0) == 0xcffaedfe or uint32(0) == 0xcafebabe or uint32(0) == 0xbebafeca)
		and all of them
}

YARA Rules Index

One thought on “100 Days of YARA – Day 20: xmrig

  1. Pingback: Week 02 – 2022 – This Week In 4n6

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Google photo

You are commenting using your Google account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s