xmrig | 76d332b6e7871c530bb0386be776bf1186010e87e4f0cbf75aac198b60f3e3f6

Analysis

max time kernel
149s
max time network
153s
platform
windows7_x64
resource
win7-20240319-en
resource tags

arch:x64arch:x86image:win7-20240319-enlocale:en-usos:windows7-x64system
submitted
09/04/2024, 13:20

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ea1376209e8560be36d79d1272bf0e76_JaffaCakes118.exe
Size

2.2MB
MD5

ea1376209e8560be36d79d1272bf0e76
SHA1

1d02fb9ef45ef007159bf40e82eb8a2575d980cf
SHA256

76d332b6e7871c530bb0386be776bf1186010e87e4f0cbf75aac198b60f3e3f6
SHA512

1b4c44e9c5a8e032e12502a2e40c6d8fe3254eede52ccc0a553734c2186b982480507af9b37c63498d4efe767437dfac4a16c0c41ab4c23e18fab0300d9b4715
SSDEEP

49152:2cSj3XQ7F34XH+Ym0Ktg8nNjXv2O/rx+loL8CqTcD0mgRI:2c6w7F34X+YtKBnNhr7djrgR

Score

10^/10

xmrig miner

Malware Config

Signatures

xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

XMRig Miner payload 22 IoCs

miner

resource	yara_rule
behavioral1/memory/2492-41-0x0000000140000000-0x0000000140758000-memory.dmp	xmrig
behavioral1/memory/2492-42-0x0000000140000000-0x0000000140758000-memory.dmp	xmrig
behavioral1/memory/2492-43-0x0000000140000000-0x0000000140758000-memory.dmp	xmrig
behavioral1/memory/2492-44-0x0000000140000000-0x0000000140758000-memory.dmp	xmrig
behavioral1/memory/2492-45-0x0000000140000000-0x0000000140758000-memory.dmp	xmrig
behavioral1/memory/2492-46-0x0000000140000000-0x0000000140758000-memory.dmp	xmrig
behavioral1/memory/2492-47-0x0000000140000000-0x0000000140758000-memory.dmp	xmrig
behavioral1/memory/2492-48-0x0000000140000000-0x0000000140758000-memory.dmp	xmrig
behavioral1/memory/2492-49-0x0000000140000000-0x0000000140758000-memory.dmp	xmrig
behavioral1/memory/2492-52-0x0000000140000000-0x0000000140758000-memory.dmp	xmrig
behavioral1/memory/2492-55-0x0000000140000000-0x0000000140758000-memory.dmp	xmrig
behavioral1/memory/2492-57-0x0000000140000000-0x0000000140758000-memory.dmp	xmrig
behavioral1/memory/2492-58-0x0000000140000000-0x0000000140758000-memory.dmp	xmrig
behavioral1/memory/2492-60-0x0000000140000000-0x0000000140758000-memory.dmp	xmrig
behavioral1/memory/2492-61-0x0000000140000000-0x0000000140758000-memory.dmp	xmrig
behavioral1/memory/2492-59-0x0000000140000000-0x0000000140758000-memory.dmp	xmrig
behavioral1/memory/2492-62-0x0000000140000000-0x0000000140758000-memory.dmp	xmrig
behavioral1/memory/2492-63-0x0000000140000000-0x0000000140758000-memory.dmp	xmrig
behavioral1/memory/2492-65-0x0000000140000000-0x0000000140758000-memory.dmp	xmrig
behavioral1/memory/2492-66-0x0000000140000000-0x0000000140758000-memory.dmp	xmrig
behavioral1/memory/2492-67-0x0000000140000000-0x0000000140758000-memory.dmp	xmrig
behavioral1/memory/2492-70-0x0000000140000000-0x0000000140758000-memory.dmp	xmrig

Executes dropped EXE 3 IoCs

pid	Process
2560	sihost64.exe
2256	Services.exe
2992	sihost64.exe

Loads dropped DLL 3 IoCs

pid	Process
2276	ea1376209e8560be36d79d1272bf0e76_JaffaCakes118.exe
2276	ea1376209e8560be36d79d1272bf0e76_JaffaCakes118.exe
2256	Services.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 4 IoCs

Web Service

T1102

flow	ioc
2	pastebin.com
3	pastebin.com
4	raw.githubusercontent.com
5	raw.githubusercontent.com

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2256 set thread context of 2492	2256	Services.exe	40

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 2 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

pid	Process
2140	schtasks.exe
1588	schtasks.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
2276	ea1376209e8560be36d79d1272bf0e76_JaffaCakes118.exe
2276	ea1376209e8560be36d79d1272bf0e76_JaffaCakes118.exe
2256	Services.exe
2256	Services.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

description	pid	Process
Token: SeDebugPrivilege	2276	ea1376209e8560be36d79d1272bf0e76_JaffaCakes118.exe
Token: SeDebugPrivilege	2256	Services.exe
Token: SeLockMemoryPrivilege	2492	explorer.exe
Token: SeLockMemoryPrivilege	2492	explorer.exe

Suspicious use of WriteProcessMemory 37 IoCs

description	pid	Process	procid_target
PID 2276 wrote to memory of 1696	2276	ea1376209e8560be36d79d1272bf0e76_JaffaCakes118.exe	28
PID 2276 wrote to memory of 1696	2276	ea1376209e8560be36d79d1272bf0e76_JaffaCakes118.exe	28
PID 2276 wrote to memory of 1696	2276	ea1376209e8560be36d79d1272bf0e76_JaffaCakes118.exe	28
PID 1696 wrote to memory of 2140	1696	cmd.exe	30
PID 1696 wrote to memory of 2140	1696	cmd.exe	30
PID 1696 wrote to memory of 2140	1696	cmd.exe	30
PID 2276 wrote to memory of 2560	2276	ea1376209e8560be36d79d1272bf0e76_JaffaCakes118.exe	31
PID 2276 wrote to memory of 2560	2276	ea1376209e8560be36d79d1272bf0e76_JaffaCakes118.exe	31
PID 2276 wrote to memory of 2560	2276	ea1376209e8560be36d79d1272bf0e76_JaffaCakes118.exe	31
PID 2276 wrote to memory of 2256	2276	ea1376209e8560be36d79d1272bf0e76_JaffaCakes118.exe	32
PID 2276 wrote to memory of 2256	2276	ea1376209e8560be36d79d1272bf0e76_JaffaCakes118.exe	32
PID 2276 wrote to memory of 2256	2276	ea1376209e8560be36d79d1272bf0e76_JaffaCakes118.exe	32
PID 2256 wrote to memory of 3028	2256	Services.exe	34
PID 2256 wrote to memory of 3028	2256	Services.exe	34
PID 2256 wrote to memory of 3028	2256	Services.exe	34
PID 3028 wrote to memory of 1588	3028	cmd.exe	36
PID 3028 wrote to memory of 1588	3028	cmd.exe	36
PID 3028 wrote to memory of 1588	3028	cmd.exe	36
PID 2256 wrote to memory of 2992	2256	Services.exe	39
PID 2256 wrote to memory of 2992	2256	Services.exe	39
PID 2256 wrote to memory of 2992	2256	Services.exe	39
PID 2256 wrote to memory of 2492	2256	Services.exe	40
PID 2256 wrote to memory of 2492	2256	Services.exe	40
PID 2256 wrote to memory of 2492	2256	Services.exe	40
PID 2256 wrote to memory of 2492	2256	Services.exe	40
PID 2256 wrote to memory of 2492	2256	Services.exe	40
PID 2256 wrote to memory of 2492	2256	Services.exe	40
PID 2256 wrote to memory of 2492	2256	Services.exe	40
PID 2256 wrote to memory of 2492	2256	Services.exe	40
PID 2256 wrote to memory of 2492	2256	Services.exe	40
PID 2256 wrote to memory of 2492	2256	Services.exe	40
PID 2256 wrote to memory of 2492	2256	Services.exe	40
PID 2256 wrote to memory of 2492	2256	Services.exe	40
PID 2256 wrote to memory of 2492	2256	Services.exe	40
PID 2256 wrote to memory of 2492	2256	Services.exe	40
PID 2256 wrote to memory of 2492	2256	Services.exe	40
PID 2256 wrote to memory of 2492	2256	Services.exe	40

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\ea1376209e8560be36d79d1272bf0e76_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\ea1376209e8560be36d79d1272bf0e76_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2276
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "Services" /tr '"C:\Users\Admin\AppData\Local\Temp\Services.exe"' & exit
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1696
- - C:\Windows\system32\schtasks.exe
    schtasks /create /f /sc onlogon /rl highest /tn "Services" /tr '"C:\Users\Admin\AppData\Local\Temp\Services.exe"'
    3⤵
    - Creates scheduled task(s)
    PID:2140
- C:\Users\Admin\AppData\Roaming\Microsoft\Libs\sihost64.exe
  "C:\Users\Admin\AppData\Roaming\Microsoft\Libs\sihost64.exe"
  2⤵
  - Executes dropped EXE
  PID:2560
- C:\Users\Admin\AppData\Local\Temp\Services.exe
  "C:\Users\Admin\AppData\Local\Temp\Services.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2256
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "Services" /tr '"C:\Users\Admin\AppData\Local\Temp\Services.exe"' & exit
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3028
  - - C:\Windows\system32\schtasks.exe
      schtasks /create /f /sc onlogon /rl highest /tn "Services" /tr '"C:\Users\Admin\AppData\Local\Temp\Services.exe"'
      4⤵
      Creates scheduled task(s)
      PID:1588
- - C:\Users\Admin\AppData\Roaming\Microsoft\Libs\sihost64.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\Libs\sihost64.exe"
    3⤵
    - Executes dropped EXE
    PID:2992
- - C:\Windows\explorer.exe
    C:\Windows\explorer.exe --cinit-find-x -B --algo=rx/0 --asm=auto --cpu-memory-pool=1 --randomx-mode=auto --randomx-no-rdmsr --cuda-bfactor-hint=12 --cuda-bsleep-hint=100 --url=mine.bmpool.org:6004 --user=6088091 --pass=test --cpu-max-threads-hint=20 --donate-level=5 --cinit-idle-wait=5 --cinit-idle-cpu=80
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:2492

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Scheduled Task/Job

T1053

Privilege Escalation

Scheduled Task/Job

T1053

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Libs\WR64.sys

Filesize
14KB

MD5
0c0195c48b6b8582fa6f6373032118da

SHA1
d25340ae8e92a6d29f599fef426a2bc1b5217299

SHA256
11bd2c9f9e2397c9a16e0990e4ed2cf0679498fe0fd418a3dfdac60b5c160ee5

SHA512
ab28e99659f219fec553155a0810de90f0c5b07dc9b66bda86d7686499fb0ec5fddeb7cd7a3c5b77dccb5e865f2715c2d81f4d40df4431c92ac7860c7e01720d

Download Submit
\Users\Admin\AppData\Local\Temp\Services.exe

Filesize
2.2MB

MD5
ea1376209e8560be36d79d1272bf0e76

SHA1
1d02fb9ef45ef007159bf40e82eb8a2575d980cf

SHA256
76d332b6e7871c530bb0386be776bf1186010e87e4f0cbf75aac198b60f3e3f6

SHA512
1b4c44e9c5a8e032e12502a2e40c6d8fe3254eede52ccc0a553734c2186b982480507af9b37c63498d4efe767437dfac4a16c0c41ab4c23e18fab0300d9b4715

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\Libs\sihost64.exe

Filesize
12KB

MD5
c3eb90046d4b0b14a8a53664f348808c

SHA1
ac4b540c0054f43bb9f975d050209ac2f23deecf

SHA256
0eeab4949b0c0767d47d7f9441054d952c72e6b2b6aba64fe315db614661111e

SHA512
8763c9082a3b6f6519fef67f5fd034915e2f362fbeb14aa3a0aab23b6583fc513984059b36c37bcafdf2e55f31633f8752a178e3033daf8dfb9ea46e6282c848

Download Submit
memory/2256-54-0x000007FEF51E0000-0x000007FEF5BCC000-memory.dmp

Filesize
9.9MB

Download
memory/2256-37-0x0000000002280000-0x000000000228E000-memory.dmp

Filesize
56KB

Download
memory/2256-23-0x000000001BB50000-0x000000001BBD0000-memory.dmp

Filesize
512KB

Download
memory/2256-22-0x000007FEF51E0000-0x000007FEF5BCC000-memory.dmp

Filesize
9.9MB

Download
memory/2256-19-0x000000013F520000-0x000000013F752000-memory.dmp

Filesize
2.2MB

Download
memory/2276-3-0x00000000020E0000-0x0000000002160000-memory.dmp

Filesize
512KB

Download
memory/2276-0-0x000000013FF60000-0x0000000140192000-memory.dmp

Filesize
2.2MB

Download
memory/2276-20-0x000007FEF51E0000-0x000007FEF5BCC000-memory.dmp

Filesize
9.9MB

Download
memory/2276-4-0x000000001CED0000-0x000000001D0F0000-memory.dmp

Filesize
2.1MB

Download
memory/2276-2-0x000000001BFF0000-0x000000001C210000-memory.dmp

Filesize
2.1MB

Download
memory/2276-1-0x000007FEF51E0000-0x000007FEF5BCC000-memory.dmp

Filesize
9.9MB

Download
memory/2492-60-0x0000000140000000-0x0000000140758000-memory.dmp

Filesize
7.3MB

Download
memory/2492-52-0x0000000140000000-0x0000000140758000-memory.dmp

Filesize
7.3MB

Download
memory/2492-72-0x0000000000120000-0x0000000000124000-memory.dmp

Filesize
16KB

Download
memory/2492-70-0x0000000140000000-0x0000000140758000-memory.dmp

Filesize
7.3MB

Download
memory/2492-68-0x0000000000140000-0x0000000000144000-memory.dmp

Filesize
16KB

Download
memory/2492-67-0x0000000140000000-0x0000000140758000-memory.dmp

Filesize
7.3MB

Download
memory/2492-38-0x0000000140000000-0x0000000140758000-memory.dmp

Filesize
7.3MB

Download
memory/2492-39-0x0000000140000000-0x0000000140758000-memory.dmp

Filesize
7.3MB

Download
memory/2492-40-0x0000000140000000-0x0000000140758000-memory.dmp

Filesize
7.3MB

Download
memory/2492-41-0x0000000140000000-0x0000000140758000-memory.dmp

Filesize
7.3MB

Download
memory/2492-42-0x0000000140000000-0x0000000140758000-memory.dmp

Filesize
7.3MB

Download
memory/2492-43-0x0000000140000000-0x0000000140758000-memory.dmp

Filesize
7.3MB

Download
memory/2492-44-0x0000000140000000-0x0000000140758000-memory.dmp

Filesize
7.3MB

Download
memory/2492-45-0x0000000140000000-0x0000000140758000-memory.dmp

Filesize
7.3MB

Download
memory/2492-46-0x0000000140000000-0x0000000140758000-memory.dmp

Filesize
7.3MB

Download
memory/2492-47-0x0000000140000000-0x0000000140758000-memory.dmp

Filesize
7.3MB

Download
memory/2492-48-0x0000000140000000-0x0000000140758000-memory.dmp

Filesize
7.3MB

Download
memory/2492-49-0x0000000140000000-0x0000000140758000-memory.dmp

Filesize
7.3MB

Download
memory/2492-50-0x000007FFFFFD3000-0x000007FFFFFD4000-memory.dmp

Filesize
4KB

Download
memory/2492-66-0x0000000140000000-0x0000000140758000-memory.dmp

Filesize
7.3MB

Download
memory/2492-65-0x0000000140000000-0x0000000140758000-memory.dmp

Filesize
7.3MB

Download
memory/2492-55-0x0000000140000000-0x0000000140758000-memory.dmp

Filesize
7.3MB

Download
memory/2492-56-0x00000000000E0000-0x0000000000100000-memory.dmp

Filesize
128KB

Download
memory/2492-57-0x0000000140000000-0x0000000140758000-memory.dmp

Filesize
7.3MB

Download
memory/2492-58-0x0000000140000000-0x0000000140758000-memory.dmp

Filesize
7.3MB

Download
memory/2492-64-0x0000000000120000-0x0000000000124000-memory.dmp

Filesize
16KB

Download
memory/2492-61-0x0000000140000000-0x0000000140758000-memory.dmp

Filesize
7.3MB

Download
memory/2492-59-0x0000000140000000-0x0000000140758000-memory.dmp

Filesize
7.3MB

Download
memory/2492-62-0x0000000140000000-0x0000000140758000-memory.dmp

Filesize
7.3MB

Download
memory/2492-63-0x0000000140000000-0x0000000140758000-memory.dmp

Filesize
7.3MB

Download
memory/2560-21-0x000007FEF51E0000-0x000007FEF5BCC000-memory.dmp

Filesize
9.9MB

Download
memory/2560-17-0x000000013F270000-0x000000013F278000-memory.dmp

Filesize
32KB

Download
memory/2560-26-0x000007FEF51E0000-0x000007FEF5BCC000-memory.dmp

Filesize
9.9MB

Download
memory/2560-24-0x0000000000650000-0x0000000000656000-memory.dmp

Filesize
24KB

Download
memory/2560-25-0x000000001AC10000-0x000000001AC90000-memory.dmp

Filesize
512KB

Download
memory/2992-36-0x000007FEF51E0000-0x000007FEF5BCC000-memory.dmp

Filesize
9.9MB

Download
memory/2992-69-0x000007FEF51E0000-0x000007FEF5BCC000-memory.dmp

Filesize
9.9MB

Download
memory/2992-35-0x000000013F080000-0x000000013F088000-memory.dmp

Filesize
32KB

Download
memory/2992-71-0x000000001AC80000-0x000000001AD00000-memory.dmp

Filesize
512KB

Download