xmrig | 5ebf11052803eab2accd50cce6d78fe40fb23a3cfa39ee29b09f8e8872577717

General

Target

903bd7b89548605115d214e7ee2f877f_JaffaCakes118.exe
Size

904KB
MD5

903bd7b89548605115d214e7ee2f877f
SHA1

831c4b9ebb534983d1fc94fd740f053c69f0d29d
SHA256

5ebf11052803eab2accd50cce6d78fe40fb23a3cfa39ee29b09f8e8872577717
SHA512

55fc3a8081d972cc46aecaeb5e615bb219e327feee9b934cbbc1a9e5dbb1c074a48f1368e9971531652c559950e774e39b037a75bde971c90d8f269c41e2ccbc
SSDEEP

24576:yw1lwL30zXpvhC2trjjaxOESTjLDKIIa2:ywgLopp/tTaxOEQOII/

Score

10^/10

xmrig miner upx

Malware Config

Signatures

xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

XMRig Miner payload 4 IoCs

miner

Processes:

resource	yara_rule
behavioral1/memory/1976-32-0x0000000000400000-0x0000000000504000-memory.dmp	xmrig
behavioral1/memory/1976-30-0x0000000000400000-0x0000000000504000-memory.dmp	xmrig
behavioral1/memory/1976-36-0x0000000000400000-0x0000000000504000-memory.dmp	xmrig
behavioral1/memory/1976-37-0x0000000000400000-0x0000000000504000-memory.dmp	xmrig

Drops startup file 1 IoCs

Processes:

wscript.exe

description ioc process

File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\EJMbfDcdzM.url wscript.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\EJMbfDcdzM.url	wscript.exe

UPX packed file 10 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral1/memory/1976-22-0x0000000000400000-0x0000000000504000-memory.dmp	upx
behavioral1/memory/1976-25-0x0000000000400000-0x0000000000504000-memory.dmp	upx
behavioral1/memory/1976-32-0x0000000000400000-0x0000000000504000-memory.dmp	upx
behavioral1/memory/1976-30-0x0000000000400000-0x0000000000504000-memory.dmp	upx
behavioral1/memory/1976-29-0x0000000000400000-0x0000000000504000-memory.dmp	upx
behavioral1/memory/1976-28-0x0000000000400000-0x0000000000504000-memory.dmp	upx
behavioral1/memory/1976-24-0x0000000000400000-0x0000000000504000-memory.dmp	upx
behavioral1/memory/1976-27-0x0000000000400000-0x0000000000504000-memory.dmp	upx
behavioral1/memory/1976-36-0x0000000000400000-0x0000000000504000-memory.dmp	upx
behavioral1/memory/1976-37-0x0000000000400000-0x0000000000504000-memory.dmp	upx

Suspicious use of SetThreadContext 1 IoCs

Processes:

903bd7b89548605115d214e7ee2f877f_JaffaCakes118.exe

description pid process target process

PID 1688 set thread context of 1976 1688 903bd7b89548605115d214e7ee2f877f_JaffaCakes118.exe notepad.exe

description	pid	process	target process
PID 1688 set thread context of 1976	1688	903bd7b89548605115d214e7ee2f877f_JaffaCakes118.exe	notepad.exe

Suspicious behavior: EnumeratesProcesses 23 IoCs

Processes:

903bd7b89548605115d214e7ee2f877f_JaffaCakes118.exe

pid	process
1688	903bd7b89548605115d214e7ee2f877f_JaffaCakes118.exe
1688	903bd7b89548605115d214e7ee2f877f_JaffaCakes118.exe
1688	903bd7b89548605115d214e7ee2f877f_JaffaCakes118.exe
1688	903bd7b89548605115d214e7ee2f877f_JaffaCakes118.exe
1688	903bd7b89548605115d214e7ee2f877f_JaffaCakes118.exe
1688	903bd7b89548605115d214e7ee2f877f_JaffaCakes118.exe
1688	903bd7b89548605115d214e7ee2f877f_JaffaCakes118.exe
1688	903bd7b89548605115d214e7ee2f877f_JaffaCakes118.exe
1688	903bd7b89548605115d214e7ee2f877f_JaffaCakes118.exe
1688	903bd7b89548605115d214e7ee2f877f_JaffaCakes118.exe
1688	903bd7b89548605115d214e7ee2f877f_JaffaCakes118.exe
1688	903bd7b89548605115d214e7ee2f877f_JaffaCakes118.exe
1688	903bd7b89548605115d214e7ee2f877f_JaffaCakes118.exe
1688	903bd7b89548605115d214e7ee2f877f_JaffaCakes118.exe
1688	903bd7b89548605115d214e7ee2f877f_JaffaCakes118.exe
1688	903bd7b89548605115d214e7ee2f877f_JaffaCakes118.exe
1688	903bd7b89548605115d214e7ee2f877f_JaffaCakes118.exe
1688	903bd7b89548605115d214e7ee2f877f_JaffaCakes118.exe
1688	903bd7b89548605115d214e7ee2f877f_JaffaCakes118.exe
1688	903bd7b89548605115d214e7ee2f877f_JaffaCakes118.exe
1688	903bd7b89548605115d214e7ee2f877f_JaffaCakes118.exe
1688	903bd7b89548605115d214e7ee2f877f_JaffaCakes118.exe
1688	903bd7b89548605115d214e7ee2f877f_JaffaCakes118.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

903bd7b89548605115d214e7ee2f877f_JaffaCakes118.exenotepad.exe

description	pid	process
Token: SeDebugPrivilege	1688	903bd7b89548605115d214e7ee2f877f_JaffaCakes118.exe
Token: SeLockMemoryPrivilege	1976	notepad.exe
Token: SeLockMemoryPrivilege	1976	notepad.exe

Suspicious use of WriteProcessMemory 18 IoCs

Processes:

903bd7b89548605115d214e7ee2f877f_JaffaCakes118.execmd.exe

description	pid	process	target process
PID 1688 wrote to memory of 2724	1688	903bd7b89548605115d214e7ee2f877f_JaffaCakes118.exe	cmd.exe
PID 1688 wrote to memory of 2724	1688	903bd7b89548605115d214e7ee2f877f_JaffaCakes118.exe	cmd.exe
PID 1688 wrote to memory of 2724	1688	903bd7b89548605115d214e7ee2f877f_JaffaCakes118.exe	cmd.exe
PID 1688 wrote to memory of 2724	1688	903bd7b89548605115d214e7ee2f877f_JaffaCakes118.exe	cmd.exe
PID 2724 wrote to memory of 2040	2724	cmd.exe	wscript.exe
PID 2724 wrote to memory of 2040	2724	cmd.exe	wscript.exe
PID 2724 wrote to memory of 2040	2724	cmd.exe	wscript.exe
PID 2724 wrote to memory of 2040	2724	cmd.exe	wscript.exe
PID 1688 wrote to memory of 1976	1688	903bd7b89548605115d214e7ee2f877f_JaffaCakes118.exe	notepad.exe
PID 1688 wrote to memory of 1976	1688	903bd7b89548605115d214e7ee2f877f_JaffaCakes118.exe	notepad.exe
PID 1688 wrote to memory of 1976	1688	903bd7b89548605115d214e7ee2f877f_JaffaCakes118.exe	notepad.exe
PID 1688 wrote to memory of 1976	1688	903bd7b89548605115d214e7ee2f877f_JaffaCakes118.exe	notepad.exe
PID 1688 wrote to memory of 1976	1688	903bd7b89548605115d214e7ee2f877f_JaffaCakes118.exe	notepad.exe
PID 1688 wrote to memory of 1976	1688	903bd7b89548605115d214e7ee2f877f_JaffaCakes118.exe	notepad.exe
PID 1688 wrote to memory of 1976	1688	903bd7b89548605115d214e7ee2f877f_JaffaCakes118.exe	notepad.exe
PID 1688 wrote to memory of 1976	1688	903bd7b89548605115d214e7ee2f877f_JaffaCakes118.exe	notepad.exe
PID 1688 wrote to memory of 1976	1688	903bd7b89548605115d214e7ee2f877f_JaffaCakes118.exe	notepad.exe
PID 1688 wrote to memory of 1976	1688	903bd7b89548605115d214e7ee2f877f_JaffaCakes118.exe	notepad.exe

C:\Users\Admin\AppData\Local\Temp\903bd7b89548605115d214e7ee2f877f_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\903bd7b89548605115d214e7ee2f877f_JaffaCakes118.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1688

C:\Windows\SysWOW64\cmd.exe
cmd.exe /C WScript "C:\ProgramData\GCxcrhlcfj\r.vbs"
2⤵
- Suspicious use of WriteProcessMemory
PID:2724

C:\Windows\SysWOW64\wscript.exe
WScript "C:\ProgramData\GCxcrhlcfj\r.vbs"
3⤵
- Drops startup file
PID:2040

C:\Windows\notepad.exe
"C:\Windows\notepad.exe" -c "C:\ProgramData\GCxcrhlcfj\cfgi"
2⤵
- Suspicious use of AdjustPrivilegeToken
PID:1976

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\GCxcrhlcfj\cfgi

Filesize
796B

MD5
a1c4eb4f379ce22c0234bde232b39e92

SHA1
71a25aba2cc93516c70c91c9bfc7908610ceab2f

SHA256
8d7fa449e7679516bba96ce58e05f4dd7e2432c65ba0b9cb3f06e053c078aeb7

SHA512
5f96e5f3c7e147a66898bbc5e39bc7c6d27380ad08a438c1dc02601a69108fb589b39813e0061e4327b2903d46f031a856b7f42bf97963bab917d1f1b698852b

Download Submit
C:\ProgramData\GCxcrhlcfj\r.vbs

Filesize
662B

MD5
7cc317139a7d477bc8c5faf0fafed491

SHA1
3966c44cf9988e6cc6af135eac5b7ab93d2c4058

SHA256
c065f76aad68eedaf001ec5142e7bcaaba73916b3903037cc46a54eb67be77a8

SHA512
5e8f3bc963c690f4000349589fe11f08b4efadff7b8d56a9634692ec4fbbbce4330935ee3afbd8542e3c770f68cab4b9949ea7f06c9996e040b42969a7fb7fd0

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\EJMbfDcdzM.url

Filesize
74B

MD5
059ec62ae3c51a6ff8d0f02363e108e9

SHA1
24742ba20d3323718b0ee51c9efe166825b314a5

SHA256
117b0440b143c36cbe18a6b01f7f0c483a0a67a10600140e545d0c3c61634ac8

SHA512
62dafb2db57840cd0d0886dbe92af3a82f7f82902118a985e6baf81f3f3bc5dc5076d28c3a3ae601a83e7c2c9ee845c030752f36b02f586828bc427284989664

Download Submit
memory/1688-6-0x0000000000400000-0x00000000004CC000-memory.dmp

Filesize
816KB

Download
memory/1688-1-0x0000000000610000-0x00000000006D5000-memory.dmp

Filesize
788KB

Download
memory/1688-0-0x0000000000610000-0x00000000006D5000-memory.dmp

Filesize
788KB

Download
memory/1688-3-0x0000000000400000-0x00000000004E8000-memory.dmp

Filesize
928KB

Download
memory/1688-2-0x0000000000400000-0x00000000004CC000-memory.dmp

Filesize
816KB

Download
memory/1688-33-0x0000000000400000-0x00000000004E8000-memory.dmp

Filesize
928KB

Download
memory/1688-5-0x0000000000610000-0x00000000006D5000-memory.dmp

Filesize
788KB

Download
memory/1976-30-0x0000000000400000-0x0000000000504000-memory.dmp

Filesize
1.0MB

Download
memory/1976-32-0x0000000000400000-0x0000000000504000-memory.dmp

Filesize
1.0MB

Download
memory/1976-25-0x0000000000400000-0x0000000000504000-memory.dmp

Filesize
1.0MB

Download
memory/1976-29-0x0000000000400000-0x0000000000504000-memory.dmp

Filesize
1.0MB

Download
memory/1976-28-0x0000000000400000-0x0000000000504000-memory.dmp

Filesize
1.0MB

Download
memory/1976-24-0x0000000000400000-0x0000000000504000-memory.dmp

Filesize
1.0MB

Download
memory/1976-27-0x0000000000400000-0x0000000000504000-memory.dmp

Filesize
1.0MB

Download
memory/1976-22-0x0000000000400000-0x0000000000504000-memory.dmp

Filesize
1.0MB

Download
memory/1976-36-0x0000000000400000-0x0000000000504000-memory.dmp

Filesize
1.0MB

Download
memory/1976-37-0x0000000000400000-0x0000000000504000-memory.dmp

Filesize
1.0MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads