xmrig | a67822dcc76103f495d6ca4409767478e368eaa672dd9220edfcf11c62853076

Analysis

max time kernel
93s
max time network
116s
platform
windows10-2004_x64
resource
win10v2004-20240412-en
resource tags

arch:x64arch:x86image:win10v2004-20240412-enlocale:en-usos:windows10-2004-x64system
submitted
19-04-2024 09:06

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

f9f8efc3c2595d1b9014198e61b44904_JaffaCakes118.exe
Size

784KB
MD5

f9f8efc3c2595d1b9014198e61b44904
SHA1

ced6950b5df2961bcd0bccbe4303b3856cba6153
SHA256

a67822dcc76103f495d6ca4409767478e368eaa672dd9220edfcf11c62853076
SHA512

ee839a23b74c50e824447fa4fb011de1c7caae00129a9f5d61f22b03085ea08422d07f42870cb1526e2e61defb23d9f2c6b0d52b5a72ec2d425bbefd35d30a48
SSDEEP

12288:dPgB9iZ+r89/XLzPoYGTT1eTH78xVbBE1Gtjl6rKEcAZ5CqUtmVIz3kmq:d4brq/7zPoT1I8xVbBLYcAZ/HVIl

Score

10^/10

xmrig miner upx

Malware Config

Signatures

xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

XMRig Miner payload 6 IoCs

miner

resource	yara_rule
behavioral2/memory/2416-2-0x0000000000400000-0x0000000000593000-memory.dmp	xmrig
behavioral2/memory/2416-12-0x0000000000400000-0x0000000000593000-memory.dmp	xmrig
behavioral2/memory/4884-14-0x0000000000400000-0x0000000000593000-memory.dmp	xmrig
behavioral2/memory/4884-21-0x0000000005420000-0x00000000055B3000-memory.dmp	xmrig
behavioral2/memory/4884-20-0x0000000000400000-0x0000000000587000-memory.dmp	xmrig
behavioral2/memory/4884-30-0x0000000000400000-0x0000000000587000-memory.dmp	xmrig

Deletes itself 1 IoCs

pid	Process
4884	f9f8efc3c2595d1b9014198e61b44904_JaffaCakes118.exe

Executes dropped EXE 1 IoCs

pid	Process
4884	f9f8efc3c2595d1b9014198e61b44904_JaffaCakes118.exe

UPX packed file 3 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/2416-0-0x0000000000400000-0x0000000000712000-memory.dmp	upx
behavioral2/files/0x000500000002326f-11.dat	upx
behavioral2/memory/4884-13-0x0000000000400000-0x0000000000712000-memory.dmp	upx

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
2416	f9f8efc3c2595d1b9014198e61b44904_JaffaCakes118.exe

Suspicious use of UnmapMainImage 2 IoCs

pid	Process
2416	f9f8efc3c2595d1b9014198e61b44904_JaffaCakes118.exe
4884	f9f8efc3c2595d1b9014198e61b44904_JaffaCakes118.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 2416 wrote to memory of 4884	2416	f9f8efc3c2595d1b9014198e61b44904_JaffaCakes118.exe	86
PID 2416 wrote to memory of 4884	2416	f9f8efc3c2595d1b9014198e61b44904_JaffaCakes118.exe	86
PID 2416 wrote to memory of 4884	2416	f9f8efc3c2595d1b9014198e61b44904_JaffaCakes118.exe	86

C:\Users\Admin\AppData\Local\Temp\f9f8efc3c2595d1b9014198e61b44904_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\f9f8efc3c2595d1b9014198e61b44904_JaffaCakes118.exe"
1⤵
- Suspicious behavior: RenamesItself
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
PID:2416
- C:\Users\Admin\AppData\Local\Temp\f9f8efc3c2595d1b9014198e61b44904_JaffaCakes118.exe
  C:\Users\Admin\AppData\Local\Temp\f9f8efc3c2595d1b9014198e61b44904_JaffaCakes118.exe
  2⤵
  - Deletes itself
  - Executes dropped EXE
  - Suspicious use of UnmapMainImage
  PID:4884

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\f9f8efc3c2595d1b9014198e61b44904_JaffaCakes118.exe

Filesize
784KB

MD5
4b33bcfb5f23a49fcd79d7f0a83f0816

SHA1
c0cf5b6921a01704f29b3ac586dd2c0e0796ccba

SHA256
68bb95f9b89e38ea93ee692e46cb7690a71b67c02b941b35d6a176bb2153c1a3

SHA512
cc321d0508edc7c29c1b96dadfc1673190a946a537158d56eb4456ab49f610ba989c4912af9b1bdabfe7610b26a53366b86298448f523ec4cfdc6904cbe97290

Download Submit
memory/2416-0-0x0000000000400000-0x0000000000712000-memory.dmp

Filesize
3.1MB

Download
memory/2416-1-0x0000000001A90000-0x0000000001B54000-memory.dmp

Filesize
784KB

Download
memory/2416-2-0x0000000000400000-0x0000000000593000-memory.dmp

Filesize
1.6MB

Download
memory/2416-12-0x0000000000400000-0x0000000000593000-memory.dmp

Filesize
1.6MB

Download
memory/4884-13-0x0000000000400000-0x0000000000712000-memory.dmp

Filesize
3.1MB

Download
memory/4884-15-0x0000000001A30000-0x0000000001AF4000-memory.dmp

Filesize
784KB

Download
memory/4884-14-0x0000000000400000-0x0000000000593000-memory.dmp

Filesize
1.6MB

Download
memory/4884-21-0x0000000005420000-0x00000000055B3000-memory.dmp

Filesize
1.6MB

Download
memory/4884-20-0x0000000000400000-0x0000000000587000-memory.dmp

Filesize
1.5MB

Download
memory/4884-30-0x0000000000400000-0x0000000000587000-memory.dmp

Filesize
1.5MB

Download