xmrig | 9c72dad5d73eefc96b1ff370e0e35b3744dea6134a7ddaef6bcd881521f6538d

Resubmissions

04/04/2024, 21:07

240404-zymyqaad5x 10

04/04/2024, 20:48

240404-zlhhgaag22 10

Analysis

max time kernel
318s
max time network
319s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
04/04/2024, 21:07

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

c261149d4e7f6c19bdb188c7f37f7d8f_JaffaCakes118.exe
Size

4.6MB
MD5

c261149d4e7f6c19bdb188c7f37f7d8f
SHA1

ae83e0ee118bc28cbb2fac3cb1c2e3346a8abaa5
SHA256

9c72dad5d73eefc96b1ff370e0e35b3744dea6134a7ddaef6bcd881521f6538d
SHA512

ad5c52ecfaca9deccc4a7f2c5591093d5266556029a34fcd944dab0daef1be2f9d754c69fc3207dd004e6e701ea23b893fd9bd801fea60d79c7d3b1162115418
SSDEEP

98304:kUCP180L5+irxQKnAjAtHZO4VZAlBOIbU+dZq5ojlbHl8dr47n:kRO0LZrxD5O4VZAZUq85SlbSBun

Score

10^/10

xmrig miner upx

Malware Config

Signatures

xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

XMRig Miner payload 10 IoCs

miner

resource	yara_rule
behavioral1/memory/1708-1-0x0000000000400000-0x0000000000593000-memory.dmp	xmrig
behavioral1/memory/1708-14-0x0000000000400000-0x0000000000593000-memory.dmp	xmrig
behavioral1/memory/1748-19-0x0000000000400000-0x0000000000593000-memory.dmp	xmrig
behavioral1/memory/1748-24-0x0000000002FF0000-0x0000000003183000-memory.dmp	xmrig
behavioral1/memory/1748-25-0x0000000000400000-0x0000000000587000-memory.dmp	xmrig
behavioral1/memory/1748-34-0x00000000005A0000-0x000000000071F000-memory.dmp	xmrig
behavioral1/memory/1748-35-0x0000000000400000-0x0000000000587000-memory.dmp	xmrig
behavioral1/memory/2956-36-0x0000000140000000-0x00000001405E8000-memory.dmp	xmrig
behavioral1/memory/2956-37-0x0000000140000000-0x00000001405E8000-memory.dmp	xmrig
behavioral1/memory/2956-38-0x0000000140000000-0x00000001405E8000-memory.dmp	xmrig

Deletes itself 1 IoCs

pid	Process
1748	c261149d4e7f6c19bdb188c7f37f7d8f_JaffaCakes118.exe

Executes dropped EXE 1 IoCs

pid	Process
1748	c261149d4e7f6c19bdb188c7f37f7d8f_JaffaCakes118.exe

Loads dropped DLL 1 IoCs

pid	Process
1708	c261149d4e7f6c19bdb188c7f37f7d8f_JaffaCakes118.exe

UPX packed file 4 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/1708-0-0x0000000000400000-0x0000000000712000-memory.dmp	upx
behavioral1/files/0x0009000000012265-10.dat	upx
behavioral1/memory/1708-15-0x00000000039A0000-0x0000000003CB2000-memory.dmp	upx
behavioral1/memory/1748-17-0x0000000000400000-0x0000000000712000-memory.dmp	upx

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2956	taskmgr.exe
2956	taskmgr.exe
2956	taskmgr.exe
2956	taskmgr.exe
2956	taskmgr.exe
2956	taskmgr.exe
2956	taskmgr.exe
2956	taskmgr.exe
2956	taskmgr.exe
2956	taskmgr.exe
2956	taskmgr.exe
2956	taskmgr.exe
2956	taskmgr.exe
2956	taskmgr.exe
2956	taskmgr.exe
2956	taskmgr.exe
2956	taskmgr.exe
2956	taskmgr.exe
2956	taskmgr.exe
2956	taskmgr.exe
2956	taskmgr.exe
2956	taskmgr.exe
2956	taskmgr.exe
2956	taskmgr.exe
2956	taskmgr.exe
2956	taskmgr.exe
2956	taskmgr.exe
2956	taskmgr.exe
2956	taskmgr.exe
2956	taskmgr.exe
2956	taskmgr.exe
2956	taskmgr.exe
2956	taskmgr.exe
2956	taskmgr.exe
2956	taskmgr.exe
2956	taskmgr.exe
2956	taskmgr.exe
2956	taskmgr.exe
2956	taskmgr.exe
2956	taskmgr.exe
2956	taskmgr.exe
2956	taskmgr.exe
2956	taskmgr.exe
2956	taskmgr.exe
2956	taskmgr.exe
2956	taskmgr.exe
2956	taskmgr.exe
2956	taskmgr.exe
2956	taskmgr.exe
2956	taskmgr.exe
2956	taskmgr.exe
2956	taskmgr.exe
2956	taskmgr.exe
2956	taskmgr.exe
2956	taskmgr.exe
2956	taskmgr.exe
2956	taskmgr.exe
2956	taskmgr.exe
2956	taskmgr.exe
2956	taskmgr.exe
2956	taskmgr.exe
2956	taskmgr.exe
2956	taskmgr.exe
2956	taskmgr.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2956	taskmgr.exe

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
1708	c261149d4e7f6c19bdb188c7f37f7d8f_JaffaCakes118.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2956	taskmgr.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
2956	taskmgr.exe
2956	taskmgr.exe
2956	taskmgr.exe
2956	taskmgr.exe
2956	taskmgr.exe
2956	taskmgr.exe
2956	taskmgr.exe
2956	taskmgr.exe
2956	taskmgr.exe
2956	taskmgr.exe
2956	taskmgr.exe
2956	taskmgr.exe
2956	taskmgr.exe
2956	taskmgr.exe
2956	taskmgr.exe
2956	taskmgr.exe
2956	taskmgr.exe
2956	taskmgr.exe
2956	taskmgr.exe
2956	taskmgr.exe
2956	taskmgr.exe
2956	taskmgr.exe
2956	taskmgr.exe
2956	taskmgr.exe
2956	taskmgr.exe
2956	taskmgr.exe
2956	taskmgr.exe
2956	taskmgr.exe
2956	taskmgr.exe
2956	taskmgr.exe
2956	taskmgr.exe
2956	taskmgr.exe
2956	taskmgr.exe
2956	taskmgr.exe
2956	taskmgr.exe
2956	taskmgr.exe
2956	taskmgr.exe
2956	taskmgr.exe
2956	taskmgr.exe
2956	taskmgr.exe
2956	taskmgr.exe
2956	taskmgr.exe
2956	taskmgr.exe
2956	taskmgr.exe
2956	taskmgr.exe
2956	taskmgr.exe
2956	taskmgr.exe
2956	taskmgr.exe
2956	taskmgr.exe
2956	taskmgr.exe
2956	taskmgr.exe
2956	taskmgr.exe
2956	taskmgr.exe
2956	taskmgr.exe
2956	taskmgr.exe
2956	taskmgr.exe
2956	taskmgr.exe
2956	taskmgr.exe
2956	taskmgr.exe
2956	taskmgr.exe
2956	taskmgr.exe
2956	taskmgr.exe
2956	taskmgr.exe
2956	taskmgr.exe

Suspicious use of SendNotifyMessage 64 IoCs

pid	Process
2956	taskmgr.exe
2956	taskmgr.exe
2956	taskmgr.exe
2956	taskmgr.exe
2956	taskmgr.exe
2956	taskmgr.exe
2956	taskmgr.exe
2956	taskmgr.exe
2956	taskmgr.exe
2956	taskmgr.exe
2956	taskmgr.exe
2956	taskmgr.exe
2956	taskmgr.exe
2956	taskmgr.exe
2956	taskmgr.exe
2956	taskmgr.exe
2956	taskmgr.exe
2956	taskmgr.exe
2956	taskmgr.exe
2956	taskmgr.exe
2956	taskmgr.exe
2956	taskmgr.exe
2956	taskmgr.exe
2956	taskmgr.exe
2956	taskmgr.exe
2956	taskmgr.exe
2956	taskmgr.exe
2956	taskmgr.exe
2956	taskmgr.exe
2956	taskmgr.exe
2956	taskmgr.exe
2956	taskmgr.exe
2956	taskmgr.exe
2956	taskmgr.exe
2956	taskmgr.exe
2956	taskmgr.exe
2956	taskmgr.exe
2956	taskmgr.exe
2956	taskmgr.exe
2956	taskmgr.exe
2956	taskmgr.exe
2956	taskmgr.exe
2956	taskmgr.exe
2956	taskmgr.exe
2956	taskmgr.exe
2956	taskmgr.exe
2956	taskmgr.exe
2956	taskmgr.exe
2956	taskmgr.exe
2956	taskmgr.exe
2956	taskmgr.exe
2956	taskmgr.exe
2956	taskmgr.exe
2956	taskmgr.exe
2956	taskmgr.exe
2956	taskmgr.exe
2956	taskmgr.exe
2956	taskmgr.exe
2956	taskmgr.exe
2956	taskmgr.exe
2956	taskmgr.exe
2956	taskmgr.exe
2956	taskmgr.exe
2956	taskmgr.exe

Suspicious use of UnmapMainImage 2 IoCs

pid	Process
1708	c261149d4e7f6c19bdb188c7f37f7d8f_JaffaCakes118.exe
1748	c261149d4e7f6c19bdb188c7f37f7d8f_JaffaCakes118.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 1708 wrote to memory of 1748	1708	c261149d4e7f6c19bdb188c7f37f7d8f_JaffaCakes118.exe	29
PID 1708 wrote to memory of 1748	1708	c261149d4e7f6c19bdb188c7f37f7d8f_JaffaCakes118.exe	29
PID 1708 wrote to memory of 1748	1708	c261149d4e7f6c19bdb188c7f37f7d8f_JaffaCakes118.exe	29
PID 1708 wrote to memory of 1748	1708	c261149d4e7f6c19bdb188c7f37f7d8f_JaffaCakes118.exe	29

C:\Users\Admin\AppData\Local\Temp\c261149d4e7f6c19bdb188c7f37f7d8f_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\c261149d4e7f6c19bdb188c7f37f7d8f_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- Suspicious behavior: RenamesItself
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
PID:1708
- C:\Users\Admin\AppData\Local\Temp\c261149d4e7f6c19bdb188c7f37f7d8f_JaffaCakes118.exe
  C:\Users\Admin\AppData\Local\Temp\c261149d4e7f6c19bdb188c7f37f7d8f_JaffaCakes118.exe
  2⤵
  - Deletes itself
  - Executes dropped EXE
  - Suspicious use of UnmapMainImage
  PID:1748

C:\Windows\system32\taskmgr.exe
"C:\Windows\system32\taskmgr.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:2956

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Local\Temp\c261149d4e7f6c19bdb188c7f37f7d8f_JaffaCakes118.exe

Filesize
784KB

MD5
79fac9bf578b3cc71cdd36fd81f59f3d

SHA1
e935f10f863c0df10a023c52ca0bcd673dd52607

SHA256
4f4d7ed36cebfd5bb6743b6e68c04731ee54ab130736d234c5db726c531991d9

SHA512
084b973163d72a920fbb37eb08615c3cc8ba3173314ed2504355a8ad8c8ae7acd6ee5c06cb1abbd3289f472378b16a3e10a07add8ce69135fd4ccc0e7a8171d1

Download Submit
memory/1708-0-0x0000000000400000-0x0000000000712000-memory.dmp

Filesize
3.1MB

Download
memory/1708-2-0x00000000002A0000-0x0000000000364000-memory.dmp

Filesize
784KB

Download
memory/1708-1-0x0000000000400000-0x0000000000593000-memory.dmp

Filesize
1.6MB

Download
memory/1708-14-0x0000000000400000-0x0000000000593000-memory.dmp

Filesize
1.6MB

Download
memory/1708-15-0x00000000039A0000-0x0000000003CB2000-memory.dmp

Filesize
3.1MB

Download
memory/1748-19-0x0000000000400000-0x0000000000593000-memory.dmp

Filesize
1.6MB

Download
memory/1748-18-0x0000000000300000-0x00000000003C4000-memory.dmp

Filesize
784KB

Download
memory/1748-17-0x0000000000400000-0x0000000000712000-memory.dmp

Filesize
3.1MB

Download
memory/1748-24-0x0000000002FF0000-0x0000000003183000-memory.dmp

Filesize
1.6MB

Download
memory/1748-25-0x0000000000400000-0x0000000000587000-memory.dmp

Filesize
1.5MB

Download
memory/1748-34-0x00000000005A0000-0x000000000071F000-memory.dmp

Filesize
1.5MB

Download
memory/1748-35-0x0000000000400000-0x0000000000587000-memory.dmp

Filesize
1.5MB

Download
memory/2956-36-0x0000000140000000-0x00000001405E8000-memory.dmp

Filesize
5.9MB

Download
memory/2956-37-0x0000000140000000-0x00000001405E8000-memory.dmp

Filesize
5.9MB

Download
memory/2956-38-0x0000000140000000-0x00000001405E8000-memory.dmp

Filesize
5.9MB

Download
memory/2956-39-0x0000000140000000-0x00000001405E8000-memory.dmp

Filesize
5.9MB

Download