xmrig | dbbefd3bcb45bf200201d08745228aff056d2ea1479e80bd5dd7f9cd2b073b5a

Analysis

max time kernel
93s
max time network
106s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
28/03/2024, 13:21

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

06969d0beb88276b07addc330e620dfa_JaffaCakes118.exe
Size

1.5MB
MD5

06969d0beb88276b07addc330e620dfa
SHA1

49324747eeed57d11c6ddf9cbb8f71503b713c0e
SHA256

dbbefd3bcb45bf200201d08745228aff056d2ea1479e80bd5dd7f9cd2b073b5a
SHA512

e5e4045affe7a8f794e2a4ea6040716663d33166d89abddbf93e100370eabb63d28ea629b593156d19d9cfc6751c0abec321a29442a98d5f562e163158034eba
SSDEEP

49152:blpazQ3rwifQxSG3+gTC2kX/zXIogLIRhC3:jXNhguX/UogLI

Score

10^/10

xmrig miner upx

Malware Config

Signatures

xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

XMRig Miner payload 6 IoCs

miner

resource	yara_rule
behavioral2/memory/1380-2-0x0000000000400000-0x0000000000593000-memory.dmp	xmrig
behavioral2/memory/1380-12-0x0000000000400000-0x0000000000593000-memory.dmp	xmrig
behavioral2/memory/4608-14-0x0000000000400000-0x0000000000593000-memory.dmp	xmrig
behavioral2/memory/4608-20-0x00000000054D0000-0x0000000005663000-memory.dmp	xmrig
behavioral2/memory/4608-21-0x0000000000400000-0x0000000000587000-memory.dmp	xmrig
behavioral2/memory/4608-30-0x0000000000400000-0x0000000000587000-memory.dmp	xmrig

Deletes itself 1 IoCs

pid	Process
4608	06969d0beb88276b07addc330e620dfa_JaffaCakes118.exe

Executes dropped EXE 1 IoCs

pid	Process
4608	06969d0beb88276b07addc330e620dfa_JaffaCakes118.exe

UPX packed file 3 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/1380-0-0x0000000000400000-0x0000000000712000-memory.dmp	upx
behavioral2/memory/4608-13-0x0000000000400000-0x0000000000712000-memory.dmp	upx
behavioral2/files/0x000d000000023110-11.dat	upx

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
1380	06969d0beb88276b07addc330e620dfa_JaffaCakes118.exe

Suspicious use of UnmapMainImage 2 IoCs

pid	Process
1380	06969d0beb88276b07addc330e620dfa_JaffaCakes118.exe
4608	06969d0beb88276b07addc330e620dfa_JaffaCakes118.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 1380 wrote to memory of 4608	1380	06969d0beb88276b07addc330e620dfa_JaffaCakes118.exe	88
PID 1380 wrote to memory of 4608	1380	06969d0beb88276b07addc330e620dfa_JaffaCakes118.exe	88
PID 1380 wrote to memory of 4608	1380	06969d0beb88276b07addc330e620dfa_JaffaCakes118.exe	88

C:\Users\Admin\AppData\Local\Temp\06969d0beb88276b07addc330e620dfa_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\06969d0beb88276b07addc330e620dfa_JaffaCakes118.exe"
1⤵
- Suspicious behavior: RenamesItself
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
PID:1380
- C:\Users\Admin\AppData\Local\Temp\06969d0beb88276b07addc330e620dfa_JaffaCakes118.exe
  C:\Users\Admin\AppData\Local\Temp\06969d0beb88276b07addc330e620dfa_JaffaCakes118.exe
  2⤵
  - Deletes itself
  - Executes dropped EXE
  - Suspicious use of UnmapMainImage
  PID:4608

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\06969d0beb88276b07addc330e620dfa_JaffaCakes118.exe

Filesize
784KB

MD5
5d16f7357b20cfa39fe00018f75f69ba

SHA1
04ecfba882d0f8c1ca786c9fb4f3a4e741b5486d

SHA256
6a0f2e1973400cd425ae88d3b213a8e3a9f01e8ad48bf2446aa3ffbf4fc58506

SHA512
0c1564b21ec8e4aa4f2010a413690774cbb0e0b73809fd80d89a8f7788a806d2c598d93ae6ba29d0ef0e2b2121716bd673dfccd59a9a92adf0395f9d3d9812b2

Download Submit
memory/1380-0-0x0000000000400000-0x0000000000712000-memory.dmp

Filesize
3.1MB

Download
memory/1380-1-0x00000000017F0000-0x00000000018B4000-memory.dmp

Filesize
784KB

Download
memory/1380-2-0x0000000000400000-0x0000000000593000-memory.dmp

Filesize
1.6MB

Download
memory/1380-12-0x0000000000400000-0x0000000000593000-memory.dmp

Filesize
1.6MB

Download
memory/4608-13-0x0000000000400000-0x0000000000712000-memory.dmp

Filesize
3.1MB

Download
memory/4608-14-0x0000000000400000-0x0000000000593000-memory.dmp

Filesize
1.6MB

Download
memory/4608-15-0x00000000018F0000-0x00000000019B4000-memory.dmp

Filesize
784KB

Download
memory/4608-20-0x00000000054D0000-0x0000000005663000-memory.dmp

Filesize
1.6MB

Download
memory/4608-21-0x0000000000400000-0x0000000000587000-memory.dmp

Filesize
1.5MB

Download
memory/4608-30-0x0000000000400000-0x0000000000587000-memory.dmp

Filesize
1.5MB

Download