xmrig | 961c183df9d400c6dd71362db78a4995769e9c8cfc5bcc291145fa76767e2993

General

Target

1485ed9ff45d0d484fef272824339d3b_JaffaCakes118.exe
Size

1.1MB
MD5

1485ed9ff45d0d484fef272824339d3b
SHA1

6b9bf05ac1f6b1e4ae737a7d434b4485d9cb2964
SHA256

961c183df9d400c6dd71362db78a4995769e9c8cfc5bcc291145fa76767e2993
SHA512

8c766ff7e14e9ea54f8eec77f143c5641d3dacbd4ec7d446ee21f65f167ca7952687588635af9c9ab67c59ac39eefeb8d1b65cd5b5bba5801df2502f3b80250f
SSDEEP

24576:6moO8iteOZDYsgqUr7AEfbMgvq3++0iHLi6bE:xPZDYsgP/AfgvqufaO64

Score

10^/10

xmrig miner

Malware Config

Signatures

xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

XMRig Miner payload 15 IoCs

miner

resource	yara_rule
behavioral2/files/0x000a000000023b87-18.dat	xmrig
behavioral2/memory/4360-21-0x0000000000400000-0x000000000050E000-memory.dmp	xmrig
behavioral2/memory/4360-22-0x0000000000400000-0x000000000050E000-memory.dmp	xmrig
behavioral2/memory/4360-23-0x0000000000400000-0x000000000050E000-memory.dmp	xmrig
behavioral2/memory/4360-24-0x0000000000400000-0x000000000050E000-memory.dmp	xmrig
behavioral2/memory/4360-25-0x0000000000400000-0x000000000050E000-memory.dmp	xmrig
behavioral2/memory/4360-26-0x0000000000400000-0x000000000050E000-memory.dmp	xmrig
behavioral2/memory/4360-27-0x0000000000400000-0x000000000050E000-memory.dmp	xmrig
behavioral2/memory/4360-28-0x0000000000400000-0x000000000050E000-memory.dmp	xmrig
behavioral2/memory/4360-29-0x0000000000400000-0x000000000050E000-memory.dmp	xmrig
behavioral2/memory/4360-30-0x0000000000400000-0x000000000050E000-memory.dmp	xmrig
behavioral2/memory/4360-31-0x0000000000400000-0x000000000050E000-memory.dmp	xmrig
behavioral2/memory/4360-32-0x0000000000400000-0x000000000050E000-memory.dmp	xmrig
behavioral2/memory/4360-33-0x0000000000400000-0x000000000050E000-memory.dmp	xmrig
behavioral2/memory/4360-34-0x0000000000400000-0x000000000050E000-memory.dmp	xmrig

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2818691465-3043947619-2475182763-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2818691465-3043947619-2475182763-1000\Control Panel\International\Geo\Nation	1485ed9ff45d0d484fef272824339d3b_JaffaCakes118.exe

Drops startup file 2 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\WinRAR.exe	cmd.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\WinRAR.exe	cmd.exe

Executes dropped EXE 1 IoCs

pid	Process
4360	igfxTray.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Gathers network information 2 TTPs 1 IoCs

Uses commandline utility to view network configuration.

System Information Discovery

T1082

Command and Scripting Interpreter

T1059

pid	Process
3088	NETSTAT.EXE

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2818691465-3043947619-2475182763-1000_Classes\Local Settings	1485ed9ff45d0d484fef272824339d3b_JaffaCakes118.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	3088	NETSTAT.EXE
Token: SeLockMemoryPrivilege	4360	igfxTray.exe
Token: SeLockMemoryPrivilege	4360	igfxTray.exe

Suspicious use of WriteProcessMemory 18 IoCs

description	pid	Process	procid_target
PID 4416 wrote to memory of 1880	4416	1485ed9ff45d0d484fef272824339d3b_JaffaCakes118.exe	86
PID 4416 wrote to memory of 1880	4416	1485ed9ff45d0d484fef272824339d3b_JaffaCakes118.exe	86
PID 4416 wrote to memory of 1880	4416	1485ed9ff45d0d484fef272824339d3b_JaffaCakes118.exe	86
PID 1880 wrote to memory of 1204	1880	WScript.exe	87
PID 1880 wrote to memory of 1204	1880	WScript.exe	87
PID 1880 wrote to memory of 1204	1880	WScript.exe	87
PID 1204 wrote to memory of 3088	1204	cmd.exe	89
PID 1204 wrote to memory of 3088	1204	cmd.exe	89
PID 1204 wrote to memory of 3088	1204	cmd.exe	89
PID 1204 wrote to memory of 2948	1204	cmd.exe	90
PID 1204 wrote to memory of 2948	1204	cmd.exe	90
PID 1204 wrote to memory of 2948	1204	cmd.exe	90
PID 1204 wrote to memory of 4360	1204	cmd.exe	92
PID 1204 wrote to memory of 4360	1204	cmd.exe	92
PID 1204 wrote to memory of 4360	1204	cmd.exe	92
PID 1204 wrote to memory of 4644	1204	cmd.exe	93
PID 1204 wrote to memory of 4644	1204	cmd.exe	93
PID 1204 wrote to memory of 4644	1204	cmd.exe	93

C:\Users\Admin\AppData\Local\Temp\1485ed9ff45d0d484fef272824339d3b_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\1485ed9ff45d0d484fef272824339d3b_JaffaCakes118.exe"
1⤵
- Checks computer location settings
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4416
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\RarSFX0\run.vbe"
  2⤵
  - Checks computer location settings
  - Suspicious use of WriteProcessMemory
  PID:1880
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\RarSFX0\guard.bat" /start"
    3⤵
    - Drops startup file
    - Suspicious use of WriteProcessMemory
    PID:1204
  - - C:\Windows\SysWOW64\NETSTAT.EXE
      netstat -an
      4⤵
      Gathers network information
      Suspicious use of AdjustPrivilegeToken
      PID:3088
  - - C:\Windows\SysWOW64\find.exe
      find /C "0.0.0.0:8908"
      4⤵
      PID:2948
  - - C:\Users\Admin\AppData\Local\Temp\RarSFX0\igfxTray.exe
      "C:\Users\Admin\AppData\Local\Temp\RarSFX0""\igfxTray.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of AdjustPrivilegeToken
      PID:4360
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /S /D /c" echo ╞⌠╢» ╙┌ 21:18:00.08"
      4⤵
      PID:4644

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1

T1059

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

3

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RarSFX0\WinRAR.exe

Filesize
658KB

MD5
175ada89ff333ffa4b6ece758710fa91

SHA1
10632fdea7374642ddbfbd92f2b0eeb926cd8094

SHA256
0dd5f58578061d57d1872638d7aea84786d003e9f50e24ef199d9151918d1764

SHA512
56f5502fc9d0bad24b2c2e03918bca840412f10de6b850120261e64fa4090909debd379c2f262950ce8d1912a10a1afd72cc174cd1ca80627c2d2804b63fdae0

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\config.json

Filesize
1KB

MD5
b5175d50f555c542f157f2e280d288b1

SHA1
e1e5ade5bb60138879c037be310fdad947497256

SHA256
027061ebda5c8d6044d1cf73a03ac3cac0342e4c6b25ceced049a402a82a5db4

SHA512
635994e896d61ca3d9e1b2015070dd7608fcedc02cfe54771db3e663e35224262f1428cf2b933942518dd3bfc5e61bcacf878a375100923fe9424e9e73b7649d

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\guard.bat

Filesize
532B

MD5
e180a796e1f36116cfb473d040616f8c

SHA1
72ad438e050ffde5a1b5d1981b320d47880233d7

SHA256
de7e15120a7101da2dede66402b5848fa3d03f4a1694acd3f492ab12863c07fc

SHA512
23df8ee5836ea5e7f98badeb61b9d3460269bacc56e08c2d8eb245e93649cd158182d986324b72d274461b655ec16583f16e5033d9d4b158c934baadeb3a39fc

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\igfxTray.exe

Filesize
1.0MB

MD5
56b0dd01de2015299511dff182948112

SHA1
9ebde4fe231e3db3dfb5dc43c8d17f0ff23c0b45

SHA256
f11f3b381425ca4181c425d5b693407431f964759bb903f66b7cd2345fcdd786

SHA512
0d67f4885dabb78a744c3f40cc214360dc3a5410a54da146e0a3ad10adfb61eff800cfd442a1d0c36c62ae8ccdf42c09ee0c601195ed818e3a64cb2edd9b0151

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\run.vbe

Filesize
81B

MD5
d7d8a56917fcf83ca3d6e91fe6ecaaea

SHA1
5285d86afd5ab00dd183232bdf2756dc0a23a698

SHA256
275d327d89f646fc76c9187218920c8b71251534b56a7774cb84fdb22cef682d

SHA512
be6feefe10f92f737fc2a6663683ba625b90cd30ef34407a7e1ef879450233ca681c0a18a83d2cc738a0a6240baf858ab7105b913b754ae29e5da4cffd6c75fe

Download Submit
memory/4360-24-0x0000000000400000-0x000000000050E000-memory.dmp

Filesize
1.1MB

Download
memory/4360-28-0x0000000000400000-0x000000000050E000-memory.dmp

Filesize
1.1MB

Download
memory/4360-23-0x0000000000400000-0x000000000050E000-memory.dmp

Filesize
1.1MB

Download
memory/4360-21-0x0000000000400000-0x000000000050E000-memory.dmp

Filesize
1.1MB

Download
memory/4360-25-0x0000000000400000-0x000000000050E000-memory.dmp

Filesize
1.1MB

Download
memory/4360-26-0x0000000000400000-0x000000000050E000-memory.dmp

Filesize
1.1MB

Download
memory/4360-27-0x0000000000400000-0x000000000050E000-memory.dmp

Filesize
1.1MB

Download
memory/4360-22-0x0000000000400000-0x000000000050E000-memory.dmp

Filesize
1.1MB

Download
memory/4360-29-0x0000000000400000-0x000000000050E000-memory.dmp

Filesize
1.1MB

Download
memory/4360-30-0x0000000000400000-0x000000000050E000-memory.dmp

Filesize
1.1MB

Download
memory/4360-31-0x0000000000400000-0x000000000050E000-memory.dmp

Filesize
1.1MB

Download
memory/4360-32-0x0000000000400000-0x000000000050E000-memory.dmp

Filesize
1.1MB

Download
memory/4360-33-0x0000000000400000-0x000000000050E000-memory.dmp

Filesize
1.1MB

Download
memory/4360-34-0x0000000000400000-0x000000000050E000-memory.dmp

Filesize
1.1MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads