xmrig | c77ba4022846e7e59066d6c7021a9a272056b1b2e445072ad209f37bfb061e20

General

Target

17cb20331d11f4cf3003f4e9bbb5b98a_JaffaCakes118.exe
Size

2.0MB
MD5

17cb20331d11f4cf3003f4e9bbb5b98a
SHA1

54355e68a195734f6169c9ed930f7aae6a0ee9ce
SHA256

c77ba4022846e7e59066d6c7021a9a272056b1b2e445072ad209f37bfb061e20
SHA512

4a98ca40d7e9caf96de083cd054108cda317f4d066b722f3a4a0bf5e2706d2a23a907db0fc554fe1cb38e0fd385edf65362a2352ab2a65460bd44f239c2fe3c5
SSDEEP

49152:iLSNBo4po43R53O90CRJfMGJXvirT5xfhO50Y+azY6KH:OL4Xh5+mw9yA0Ta8H

Score

10^/10

xmrig miner upx

Malware Config

Signatures

xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

XMRig Miner payload 3 IoCs

miner

resource	yara_rule
behavioral1/memory/544-29-0x0000000000400000-0x0000000000626000-memory.dmp	xmrig
behavioral1/memory/544-27-0x0000000000400000-0x0000000000626000-memory.dmp	xmrig
behavioral1/memory/544-37-0x0000000000400000-0x0000000000626000-memory.dmp	xmrig

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\AHZSVhvnGm.url	wscript.exe

UPX packed file 8 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/544-22-0x0000000000400000-0x0000000000626000-memory.dmp	upx
behavioral1/memory/544-23-0x0000000000400000-0x0000000000626000-memory.dmp	upx
behavioral1/memory/544-29-0x0000000000400000-0x0000000000626000-memory.dmp	upx
behavioral1/memory/544-27-0x0000000000400000-0x0000000000626000-memory.dmp	upx
behavioral1/memory/544-25-0x0000000000400000-0x0000000000626000-memory.dmp	upx
behavioral1/memory/544-26-0x0000000000400000-0x0000000000626000-memory.dmp	upx
behavioral1/memory/544-20-0x0000000000400000-0x0000000000626000-memory.dmp	upx
behavioral1/memory/544-37-0x0000000000400000-0x0000000000626000-memory.dmp	upx

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2832 set thread context of 544	2832	17cb20331d11f4cf3003f4e9bbb5b98a_JaffaCakes118.exe	34

Suspicious behavior: EnumeratesProcesses 23 IoCs

pid	Process
2832	17cb20331d11f4cf3003f4e9bbb5b98a_JaffaCakes118.exe
2832	17cb20331d11f4cf3003f4e9bbb5b98a_JaffaCakes118.exe
2832	17cb20331d11f4cf3003f4e9bbb5b98a_JaffaCakes118.exe
2832	17cb20331d11f4cf3003f4e9bbb5b98a_JaffaCakes118.exe
2832	17cb20331d11f4cf3003f4e9bbb5b98a_JaffaCakes118.exe
2832	17cb20331d11f4cf3003f4e9bbb5b98a_JaffaCakes118.exe
2832	17cb20331d11f4cf3003f4e9bbb5b98a_JaffaCakes118.exe
2832	17cb20331d11f4cf3003f4e9bbb5b98a_JaffaCakes118.exe
2832	17cb20331d11f4cf3003f4e9bbb5b98a_JaffaCakes118.exe
2832	17cb20331d11f4cf3003f4e9bbb5b98a_JaffaCakes118.exe
2832	17cb20331d11f4cf3003f4e9bbb5b98a_JaffaCakes118.exe
2832	17cb20331d11f4cf3003f4e9bbb5b98a_JaffaCakes118.exe
2832	17cb20331d11f4cf3003f4e9bbb5b98a_JaffaCakes118.exe
2832	17cb20331d11f4cf3003f4e9bbb5b98a_JaffaCakes118.exe
2832	17cb20331d11f4cf3003f4e9bbb5b98a_JaffaCakes118.exe
2832	17cb20331d11f4cf3003f4e9bbb5b98a_JaffaCakes118.exe
2832	17cb20331d11f4cf3003f4e9bbb5b98a_JaffaCakes118.exe
2832	17cb20331d11f4cf3003f4e9bbb5b98a_JaffaCakes118.exe
2832	17cb20331d11f4cf3003f4e9bbb5b98a_JaffaCakes118.exe
2832	17cb20331d11f4cf3003f4e9bbb5b98a_JaffaCakes118.exe
2832	17cb20331d11f4cf3003f4e9bbb5b98a_JaffaCakes118.exe
2832	17cb20331d11f4cf3003f4e9bbb5b98a_JaffaCakes118.exe
2832	17cb20331d11f4cf3003f4e9bbb5b98a_JaffaCakes118.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	2832	17cb20331d11f4cf3003f4e9bbb5b98a_JaffaCakes118.exe
Token: SeLockMemoryPrivilege	544	notepad.exe
Token: SeLockMemoryPrivilege	544	notepad.exe

Suspicious use of WriteProcessMemory 18 IoCs

description	pid	Process	procid_target
PID 2832 wrote to memory of 1744	2832	17cb20331d11f4cf3003f4e9bbb5b98a_JaffaCakes118.exe	31
PID 2832 wrote to memory of 1744	2832	17cb20331d11f4cf3003f4e9bbb5b98a_JaffaCakes118.exe	31
PID 2832 wrote to memory of 1744	2832	17cb20331d11f4cf3003f4e9bbb5b98a_JaffaCakes118.exe	31
PID 2832 wrote to memory of 1744	2832	17cb20331d11f4cf3003f4e9bbb5b98a_JaffaCakes118.exe	31
PID 1744 wrote to memory of 2144	1744	cmd.exe	33
PID 1744 wrote to memory of 2144	1744	cmd.exe	33
PID 1744 wrote to memory of 2144	1744	cmd.exe	33
PID 1744 wrote to memory of 2144	1744	cmd.exe	33
PID 2832 wrote to memory of 544	2832	17cb20331d11f4cf3003f4e9bbb5b98a_JaffaCakes118.exe	34
PID 2832 wrote to memory of 544	2832	17cb20331d11f4cf3003f4e9bbb5b98a_JaffaCakes118.exe	34
PID 2832 wrote to memory of 544	2832	17cb20331d11f4cf3003f4e9bbb5b98a_JaffaCakes118.exe	34
PID 2832 wrote to memory of 544	2832	17cb20331d11f4cf3003f4e9bbb5b98a_JaffaCakes118.exe	34
PID 2832 wrote to memory of 544	2832	17cb20331d11f4cf3003f4e9bbb5b98a_JaffaCakes118.exe	34
PID 2832 wrote to memory of 544	2832	17cb20331d11f4cf3003f4e9bbb5b98a_JaffaCakes118.exe	34
PID 2832 wrote to memory of 544	2832	17cb20331d11f4cf3003f4e9bbb5b98a_JaffaCakes118.exe	34
PID 2832 wrote to memory of 544	2832	17cb20331d11f4cf3003f4e9bbb5b98a_JaffaCakes118.exe	34
PID 2832 wrote to memory of 544	2832	17cb20331d11f4cf3003f4e9bbb5b98a_JaffaCakes118.exe	34
PID 2832 wrote to memory of 544	2832	17cb20331d11f4cf3003f4e9bbb5b98a_JaffaCakes118.exe	34

C:\Users\Admin\AppData\Local\Temp\17cb20331d11f4cf3003f4e9bbb5b98a_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\17cb20331d11f4cf3003f4e9bbb5b98a_JaffaCakes118.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2832
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /C WScript "C:\ProgramData\pBSiTUERTJ\r.vbs"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1744
- - C:\Windows\SysWOW64\wscript.exe
    WScript "C:\ProgramData\pBSiTUERTJ\r.vbs"
    3⤵
    - Drops startup file
    PID:2144
- C:\Windows\notepad.exe
  "C:\Windows\notepad.exe" -c "C:\ProgramData\pBSiTUERTJ\cfgi"
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:544

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\pBSiTUERTJ\cfgi

Filesize
800B

MD5
a2d9de4f192ae199671a6bfecb0cdec5

SHA1
6072c4e0991bdf36d2a7b9e2a06694d4ba2f60fe

SHA256
5f4e9c413be8ebec151c07c59763867fd0c32e42dda23bb9cbc7959c9bb0aa96

SHA512
392ce9eefec1853ecfff794da96dbb87769bd52846edbf7c8bd7fe2d05b33e42de4db45ce3a8e1a591b459ca54776dc3f63c0b6efe2ff2215c4169249005b88a

Download Submit
C:\ProgramData\pBSiTUERTJ\r.vbs

Filesize
658B

MD5
025c9749abe9961e40cd4068e2cc047d

SHA1
0fb7858f65a1ceb1dc8da122aa1bfe55314e88b0

SHA256
536cb727392e341d79693075242da5d4865007503183674a367a8174ccc1b01f

SHA512
a8eea7949d791fb4e401a3982a56cb26e93a902a68b85ddf6197ed4fd7ebf51c1b51cccbedda1408be4abe7737b918b0130f7c21fc700b07e0e5bf33fa6411cd

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\AHZSVhvnGm.url

Filesize
72B

MD5
1242379032e0a71b0cc5e4aefe5be941

SHA1
fefdc6b0833795dceccf530aa0def4b2c0d686a1

SHA256
5194877bf348f0d6fb86827ed3af109c8077b05f9c95473dc166b61b95344a42

SHA512
f5fef05beab85f402c22dc8671a6b547c9cece06f96ee621c061dd1dfb1111307fa063001dde617c070b6d13ebc411315c1074f673763b1d35bfbaf86a0127cc

Download Submit
memory/544-27-0x0000000000400000-0x0000000000626000-memory.dmp

Filesize
2.1MB

Download
memory/544-33-0x00000000003D0000-0x00000000003D4000-memory.dmp

Filesize
16KB

Download
memory/544-38-0x00000000003B0000-0x00000000003B4000-memory.dmp

Filesize
16KB

Download
memory/544-22-0x0000000000400000-0x0000000000626000-memory.dmp

Filesize
2.1MB

Download
memory/544-23-0x0000000000400000-0x0000000000626000-memory.dmp

Filesize
2.1MB

Download
memory/544-37-0x0000000000400000-0x0000000000626000-memory.dmp

Filesize
2.1MB

Download
memory/544-29-0x0000000000400000-0x0000000000626000-memory.dmp

Filesize
2.1MB

Download
memory/544-31-0x0000000000390000-0x0000000000394000-memory.dmp

Filesize
16KB

Download
memory/544-25-0x0000000000400000-0x0000000000626000-memory.dmp

Filesize
2.1MB

Download
memory/544-26-0x0000000000400000-0x0000000000626000-memory.dmp

Filesize
2.1MB

Download
memory/544-20-0x0000000000400000-0x0000000000626000-memory.dmp

Filesize
2.1MB

Download
memory/544-30-0x0000000000380000-0x0000000000390000-memory.dmp

Filesize
64KB

Download
memory/544-34-0x00000000007C0000-0x00000000007C4000-memory.dmp

Filesize
16KB

Download
memory/544-32-0x00000000003A0000-0x00000000003A4000-memory.dmp

Filesize
16KB

Download
memory/2832-3-0x0000000000400000-0x000000000063B000-memory.dmp

Filesize
2.2MB

Download
memory/2832-0-0x0000000002170000-0x0000000002326000-memory.dmp

Filesize
1.7MB

Download
memory/2832-35-0x0000000000400000-0x000000000063B000-memory.dmp

Filesize
2.2MB

Download
memory/2832-2-0x0000000000400000-0x000000000054C000-memory.dmp

Filesize
1.3MB

Download
memory/2832-1-0x0000000002170000-0x0000000002326000-memory.dmp

Filesize
1.7MB

Download

Analysis

Sharing