xmrig | 47faf970d9ffbd4b00d71422c8d085031cc886cc38f954f944795919077110e8

General

Target

0e0f26990fcd9cfca701cf0a3b5453ef_JaffaCakes118.exe
Size

1.1MB
MD5

0e0f26990fcd9cfca701cf0a3b5453ef
SHA1

03535fcd98358f9b223198665de99b0445200151
SHA256

47faf970d9ffbd4b00d71422c8d085031cc886cc38f954f944795919077110e8
SHA512

e8ed55c83645e25afcf3e918cd59224c95df3bff3d0b701f1367ceae2542c2aa1f2d3822a3945d9f06560e3c012e7beb63831c7bf74baa46e79807863d108204
SSDEEP

24576:xqqG0ss+JPptGgRUbUrMymVxVYRdZDoHyhVr4B2+WFw2:rG0aPpUgvrMymVxV0Z8SVSD6l

Score

10^/10

xmrig miner upx

Malware Config

Signatures

xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

XMRig Miner payload 3 IoCs

miner

resource	yara_rule
behavioral1/memory/1684-30-0x0000000000400000-0x0000000000504000-memory.dmp	xmrig
behavioral1/memory/1684-28-0x0000000000400000-0x0000000000504000-memory.dmp	xmrig
behavioral1/memory/1684-34-0x0000000000400000-0x0000000000504000-memory.dmp	xmrig

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\LtHgNeMqRB.url	wscript.exe

UPX packed file 8 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/1684-21-0x0000000000400000-0x0000000000504000-memory.dmp	upx
behavioral1/memory/1684-27-0x0000000000400000-0x0000000000504000-memory.dmp	upx
behavioral1/memory/1684-30-0x0000000000400000-0x0000000000504000-memory.dmp	upx
behavioral1/memory/1684-28-0x0000000000400000-0x0000000000504000-memory.dmp	upx
behavioral1/memory/1684-24-0x0000000000400000-0x0000000000504000-memory.dmp	upx
behavioral1/memory/1684-23-0x0000000000400000-0x0000000000504000-memory.dmp	upx
behavioral1/memory/1684-26-0x0000000000400000-0x0000000000504000-memory.dmp	upx
behavioral1/memory/1684-34-0x0000000000400000-0x0000000000504000-memory.dmp	upx

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 1268 set thread context of 1684	1268	0e0f26990fcd9cfca701cf0a3b5453ef_JaffaCakes118.exe	34

Suspicious behavior: EnumeratesProcesses 23 IoCs

pid	Process
1268	0e0f26990fcd9cfca701cf0a3b5453ef_JaffaCakes118.exe
1268	0e0f26990fcd9cfca701cf0a3b5453ef_JaffaCakes118.exe
1268	0e0f26990fcd9cfca701cf0a3b5453ef_JaffaCakes118.exe
1268	0e0f26990fcd9cfca701cf0a3b5453ef_JaffaCakes118.exe
1268	0e0f26990fcd9cfca701cf0a3b5453ef_JaffaCakes118.exe
1268	0e0f26990fcd9cfca701cf0a3b5453ef_JaffaCakes118.exe
1268	0e0f26990fcd9cfca701cf0a3b5453ef_JaffaCakes118.exe
1268	0e0f26990fcd9cfca701cf0a3b5453ef_JaffaCakes118.exe
1268	0e0f26990fcd9cfca701cf0a3b5453ef_JaffaCakes118.exe
1268	0e0f26990fcd9cfca701cf0a3b5453ef_JaffaCakes118.exe
1268	0e0f26990fcd9cfca701cf0a3b5453ef_JaffaCakes118.exe
1268	0e0f26990fcd9cfca701cf0a3b5453ef_JaffaCakes118.exe
1268	0e0f26990fcd9cfca701cf0a3b5453ef_JaffaCakes118.exe
1268	0e0f26990fcd9cfca701cf0a3b5453ef_JaffaCakes118.exe
1268	0e0f26990fcd9cfca701cf0a3b5453ef_JaffaCakes118.exe
1268	0e0f26990fcd9cfca701cf0a3b5453ef_JaffaCakes118.exe
1268	0e0f26990fcd9cfca701cf0a3b5453ef_JaffaCakes118.exe
1268	0e0f26990fcd9cfca701cf0a3b5453ef_JaffaCakes118.exe
1268	0e0f26990fcd9cfca701cf0a3b5453ef_JaffaCakes118.exe
1268	0e0f26990fcd9cfca701cf0a3b5453ef_JaffaCakes118.exe
1268	0e0f26990fcd9cfca701cf0a3b5453ef_JaffaCakes118.exe
1268	0e0f26990fcd9cfca701cf0a3b5453ef_JaffaCakes118.exe
1268	0e0f26990fcd9cfca701cf0a3b5453ef_JaffaCakes118.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	1268	0e0f26990fcd9cfca701cf0a3b5453ef_JaffaCakes118.exe
Token: SeLockMemoryPrivilege	1684	notepad.exe
Token: SeLockMemoryPrivilege	1684	notepad.exe

Suspicious use of WriteProcessMemory 18 IoCs

description	pid	Process	procid_target
PID 1268 wrote to memory of 2484	1268	0e0f26990fcd9cfca701cf0a3b5453ef_JaffaCakes118.exe	31
PID 1268 wrote to memory of 2484	1268	0e0f26990fcd9cfca701cf0a3b5453ef_JaffaCakes118.exe	31
PID 1268 wrote to memory of 2484	1268	0e0f26990fcd9cfca701cf0a3b5453ef_JaffaCakes118.exe	31
PID 1268 wrote to memory of 2484	1268	0e0f26990fcd9cfca701cf0a3b5453ef_JaffaCakes118.exe	31
PID 2484 wrote to memory of 2368	2484	cmd.exe	33
PID 2484 wrote to memory of 2368	2484	cmd.exe	33
PID 2484 wrote to memory of 2368	2484	cmd.exe	33
PID 2484 wrote to memory of 2368	2484	cmd.exe	33
PID 1268 wrote to memory of 1684	1268	0e0f26990fcd9cfca701cf0a3b5453ef_JaffaCakes118.exe	34
PID 1268 wrote to memory of 1684	1268	0e0f26990fcd9cfca701cf0a3b5453ef_JaffaCakes118.exe	34
PID 1268 wrote to memory of 1684	1268	0e0f26990fcd9cfca701cf0a3b5453ef_JaffaCakes118.exe	34
PID 1268 wrote to memory of 1684	1268	0e0f26990fcd9cfca701cf0a3b5453ef_JaffaCakes118.exe	34
PID 1268 wrote to memory of 1684	1268	0e0f26990fcd9cfca701cf0a3b5453ef_JaffaCakes118.exe	34
PID 1268 wrote to memory of 1684	1268	0e0f26990fcd9cfca701cf0a3b5453ef_JaffaCakes118.exe	34
PID 1268 wrote to memory of 1684	1268	0e0f26990fcd9cfca701cf0a3b5453ef_JaffaCakes118.exe	34
PID 1268 wrote to memory of 1684	1268	0e0f26990fcd9cfca701cf0a3b5453ef_JaffaCakes118.exe	34
PID 1268 wrote to memory of 1684	1268	0e0f26990fcd9cfca701cf0a3b5453ef_JaffaCakes118.exe	34
PID 1268 wrote to memory of 1684	1268	0e0f26990fcd9cfca701cf0a3b5453ef_JaffaCakes118.exe	34

C:\Users\Admin\AppData\Local\Temp\0e0f26990fcd9cfca701cf0a3b5453ef_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\0e0f26990fcd9cfca701cf0a3b5453ef_JaffaCakes118.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1268
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /C WScript "C:\ProgramData\ADwXcSSGvY\r.vbs"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2484
- - C:\Windows\SysWOW64\wscript.exe
    WScript "C:\ProgramData\ADwXcSSGvY\r.vbs"
    3⤵
    - Drops startup file
    PID:2368
- C:\Windows\notepad.exe
  "C:\Windows\notepad.exe" -c "C:\ProgramData\ADwXcSSGvY\cfgi"
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:1684

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\ADwXcSSGvY\cfgi

Filesize
796B

MD5
c82bd86f2d2a47c38580470130d1bfb1

SHA1
5bb0b3ad1241e0cfe9825d4dffc8e44a3c4335f8

SHA256
61c106a638366ad618d8d8766ff0d9d8632907868d6b534e35c59461330ff072

SHA512
e627d0f8d4c019b16078448f9351c4cb12d32cea48182fcdff2bc4d1cf410618358c4572bbfd5f67d192fc9278ea04b2aca64e967230470052fe45c97060e905

Download Submit
C:\ProgramData\ADwXcSSGvY\r.vbs

Filesize
664B

MD5
93b9bfbc16702b4a580b1b10ade41669

SHA1
c46af90cfafaa8feff2a9c1563a2da73b6f9bf96

SHA256
e14122ddfd187d32e2cf73411a885bc2fae9990ed719d162b8081b92f1419d28

SHA512
ee19ac86906445d342a2d0c024dee7dd8729cc1cc3d7172dbe3fd37cb70fc732d7feba639f06382a4e678a6adcea1eb18a01b3588c9823e2450791723c84752a

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\LtHgNeMqRB.url

Filesize
75B

MD5
2b379682588c1bcb623e04d20869a310

SHA1
bdab53a1491407f835c38bf817f62b43713abd37

SHA256
854654abacce4466699d85a84e4998e1e984219e6ce5763596be2471186c7ef6

SHA512
08f721ad3bee99d7543b1f86bc22f9b9c5e11d56f9f7ee1666e161daf109d97db02741443f324c0f5d653cbd398c032d7258981887f2f76c8e007803e3791b02

Download Submit
memory/1268-0-0x0000000002330000-0x0000000002437000-memory.dmp

Filesize
1.0MB

Download
memory/1268-2-0x0000000000400000-0x0000000000527000-memory.dmp

Filesize
1.2MB

Download
memory/1268-3-0x0000000002330000-0x0000000002437000-memory.dmp

Filesize
1.0MB

Download
memory/1268-5-0x0000000000400000-0x00000000004CC000-memory.dmp

Filesize
816KB

Download
memory/1268-31-0x0000000000400000-0x0000000000527000-memory.dmp

Filesize
1.2MB

Download
memory/1268-1-0x0000000000400000-0x00000000004CC000-memory.dmp

Filesize
816KB

Download
memory/1684-27-0x0000000000400000-0x0000000000504000-memory.dmp

Filesize
1.0MB

Download
memory/1684-30-0x0000000000400000-0x0000000000504000-memory.dmp

Filesize
1.0MB

Download
memory/1684-28-0x0000000000400000-0x0000000000504000-memory.dmp

Filesize
1.0MB

Download
memory/1684-24-0x0000000000400000-0x0000000000504000-memory.dmp

Filesize
1.0MB

Download
memory/1684-23-0x0000000000400000-0x0000000000504000-memory.dmp

Filesize
1.0MB

Download
memory/1684-26-0x0000000000400000-0x0000000000504000-memory.dmp

Filesize
1.0MB

Download
memory/1684-21-0x0000000000400000-0x0000000000504000-memory.dmp

Filesize
1.0MB

Download
memory/1684-34-0x0000000000400000-0x0000000000504000-memory.dmp

Filesize
1.0MB

Download

Analysis

Sharing