xmrig | 9931ed9a4ecdbd530f9521963fd398b5e75db27b008bf23ca3d6533eeb71a9ac

General

Target

a5c4e5a50eb533016e2533067cb48bc5_JaffaCakes118.exe
Size

500KB
MD5

a5c4e5a50eb533016e2533067cb48bc5
SHA1

ed14201aa8df5130bf9122800bfe9fe5879129a1
SHA256

9931ed9a4ecdbd530f9521963fd398b5e75db27b008bf23ca3d6533eeb71a9ac
SHA512

6e49e956a08b656af8b9c90bf1711cc1e8187f2253e8db88a60c346e54f596c4b9a70ad6d38c16bafa1a1aef1ba8066b7d4761d92a810c5f1b20a6d6b8f319a0
SSDEEP

12288:AYtvrXl1DEr9/627p+uWxNkNg3NRK3lgpCQUAhv:86+wuWxa63O3lgpJhv

Score

10^/10

xmrig miner upx

Malware Config

Signatures

xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

XMRig Miner payload 3 IoCs

miner

Processes:

resource	yara_rule
behavioral2/memory/3168-26-0x0000000000400000-0x0000000000529000-memory.dmp	xmrig
behavioral2/memory/3168-27-0x0000000000400000-0x0000000000529000-memory.dmp	xmrig
behavioral2/memory/3168-28-0x0000000000400000-0x0000000000529000-memory.dmp	xmrig

UPX packed file 6 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral2/memory/3904-20-0x0000000000400000-0x0000000000529000-memory.dmp	upx
behavioral2/memory/3168-26-0x0000000000400000-0x0000000000529000-memory.dmp	upx
behavioral2/memory/3168-25-0x0000000000400000-0x0000000000529000-memory.dmp	upx
behavioral2/memory/3168-27-0x0000000000400000-0x0000000000529000-memory.dmp	upx
behavioral2/memory/3168-24-0x0000000000400000-0x0000000000529000-memory.dmp	upx
behavioral2/memory/3168-28-0x0000000000400000-0x0000000000529000-memory.dmp	upx

Uses the VBS compiler for execution 1 TTPs

Scripting
T1064

Suspicious use of SetThreadContext 2 IoCs

Processes:

a5c4e5a50eb533016e2533067cb48bc5_JaffaCakes118.exe

description	pid	process	target process
PID 3108 set thread context of 3904	3108	a5c4e5a50eb533016e2533067cb48bc5_JaffaCakes118.exe	vbc.exe
PID 3108 set thread context of 3168	3108	a5c4e5a50eb533016e2533067cb48bc5_JaffaCakes118.exe	vbc.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

a5c4e5a50eb533016e2533067cb48bc5_JaffaCakes118.exe

pid process

3108 a5c4e5a50eb533016e2533067cb48bc5_JaffaCakes118.exe
3108 a5c4e5a50eb533016e2533067cb48bc5_JaffaCakes118.exe

pid	process
3108	a5c4e5a50eb533016e2533067cb48bc5_JaffaCakes118.exe
3108	a5c4e5a50eb533016e2533067cb48bc5_JaffaCakes118.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

a5c4e5a50eb533016e2533067cb48bc5_JaffaCakes118.exevbc.exe

description	pid	process
Token: SeDebugPrivilege	3108	a5c4e5a50eb533016e2533067cb48bc5_JaffaCakes118.exe
Token: SeLockMemoryPrivilege	3168	vbc.exe
Token: SeLockMemoryPrivilege	3168	vbc.exe

Suspicious use of WriteProcessMemory 18 IoCs

Processes:

a5c4e5a50eb533016e2533067cb48bc5_JaffaCakes118.execsc.exe

description	pid	process	target process
PID 3108 wrote to memory of 2224	3108	a5c4e5a50eb533016e2533067cb48bc5_JaffaCakes118.exe	csc.exe
PID 3108 wrote to memory of 2224	3108	a5c4e5a50eb533016e2533067cb48bc5_JaffaCakes118.exe	csc.exe
PID 2224 wrote to memory of 2728	2224	csc.exe	cvtres.exe
PID 2224 wrote to memory of 2728	2224	csc.exe	cvtres.exe
PID 3108 wrote to memory of 3904	3108	a5c4e5a50eb533016e2533067cb48bc5_JaffaCakes118.exe	vbc.exe
PID 3108 wrote to memory of 3904	3108	a5c4e5a50eb533016e2533067cb48bc5_JaffaCakes118.exe	vbc.exe
PID 3108 wrote to memory of 3904	3108	a5c4e5a50eb533016e2533067cb48bc5_JaffaCakes118.exe	vbc.exe
PID 3108 wrote to memory of 3904	3108	a5c4e5a50eb533016e2533067cb48bc5_JaffaCakes118.exe	vbc.exe
PID 3108 wrote to memory of 3904	3108	a5c4e5a50eb533016e2533067cb48bc5_JaffaCakes118.exe	vbc.exe
PID 3108 wrote to memory of 3904	3108	a5c4e5a50eb533016e2533067cb48bc5_JaffaCakes118.exe	vbc.exe
PID 3108 wrote to memory of 3904	3108	a5c4e5a50eb533016e2533067cb48bc5_JaffaCakes118.exe	vbc.exe
PID 3108 wrote to memory of 3168	3108	a5c4e5a50eb533016e2533067cb48bc5_JaffaCakes118.exe	vbc.exe
PID 3108 wrote to memory of 3168	3108	a5c4e5a50eb533016e2533067cb48bc5_JaffaCakes118.exe	vbc.exe
PID 3108 wrote to memory of 3168	3108	a5c4e5a50eb533016e2533067cb48bc5_JaffaCakes118.exe	vbc.exe
PID 3108 wrote to memory of 3168	3108	a5c4e5a50eb533016e2533067cb48bc5_JaffaCakes118.exe	vbc.exe
PID 3108 wrote to memory of 3168	3108	a5c4e5a50eb533016e2533067cb48bc5_JaffaCakes118.exe	vbc.exe
PID 3108 wrote to memory of 3168	3108	a5c4e5a50eb533016e2533067cb48bc5_JaffaCakes118.exe	vbc.exe
PID 3108 wrote to memory of 3168	3108	a5c4e5a50eb533016e2533067cb48bc5_JaffaCakes118.exe	vbc.exe

C:\Users\Admin\AppData\Local\Temp\a5c4e5a50eb533016e2533067cb48bc5_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\a5c4e5a50eb533016e2533067cb48bc5_JaffaCakes118.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3108

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\2zybln3u\2zybln3u.cmdline"
2⤵
- Suspicious use of WriteProcessMemory
PID:2224

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES37F8.tmp" "c:\Users\Admin\AppData\Local\Temp\2zybln3u\CSC69C60CB393BF40C397A0E077D3DE779.TMP"
3⤵
PID:2728

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\vbc.exe
-o relay.100chickens.me:8000 --max-cpu-usage 15 -u 1 -p x -k -a cryptonight --variant="-1"
2⤵
PID:3904

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\vbc.exe
-o relay.100chickens.me:8000 --max-cpu-usage 99 -u 1 -p x -k -a cryptonight --variant="-1"
2⤵
- Suspicious use of AdjustPrivilegeToken
PID:3168

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Scripting

1

T1064

Persistence

Privilege Escalation

Defense Evasion

Scripting

1

T1064

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\2zybln3u\2zybln3u.dll
Filesize
6KB

MD5
510200e372ad8b060830f424053a06ab

SHA1
dc71a0093c011744ae7cdc2e863740c22c75ef21

SHA256
9481f2dbad398442ba4963db0ff8d52848020456ed0020e1e0a43d0dcc41a032

SHA512
385b4ebbc3c7abfdf3d71205d360c56cd70e98e9a24595a0d417c77cb5382fde2e3b1bd97430ab097b00f3a8cef851adb3cf3ad238f6bee2fc2d63e89a1ce2d5

Download Submit
C:\Users\Admin\AppData\Local\Temp\2zybln3u\2zybln3u.pdb
Filesize
15KB

MD5
08e4eca89b8632c4f04bcd8ca6c623ae

SHA1
d71819cb1269700acb3ce79681c6637082500736

SHA256
00dc733a23db2cf2fbf99f67ef763fac626ee9e229655168b87404f9c7516efb

SHA512
c08f16e203ac8bba3245118ccbdb47c4036be93582b1856d77612e038ac58a626ab8a2bc67c6efda62e02af71fb0aadf698ae669936e3bd133f3c598e2ad1c09

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES37F8.tmp
Filesize
1KB

MD5
e8e8484701b313589ea36e6be9119350

SHA1
851d26ca842cf853a82cf4bcb9c1bd800a3fa05d

SHA256
36d67c352b1a2eb845c20ecdf6f8a7076543ca463f7fcb02bf48138b90bddefe

SHA512
2345704240e4420faac19ee63ab9d7b52d3dabaaa7a61081ddb1283f806b28be992661cb2c3f58c15a1b949886d1e5e4dbde2eec74cfdcfc1032f2810c40ae43

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\2zybln3u\2zybln3u.0.cs
Filesize
2KB

MD5
5948bce18180803e60088f2616225169

SHA1
0e992166427f0a8bce3849d9a3168c25f0733996

SHA256
d14f42c88c197dfa3d124b22280971ba819531752ef659ed2dd81e034082519a

SHA512
696fa5c75209a368ab5204f08c98140977360285849bd38eadb4db6e954d59291e0c36417afe84b129e8bbead6c4a1228a4dd70ec2eb0613d7f400496bfb049c

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\2zybln3u\2zybln3u.cmdline
Filesize
312B

MD5
54cb40d9b794882c2c149f774de9133a

SHA1
76374b7c76252fcec2c32bac1bb04ae9dae8915d

SHA256
4211eb643c4426860268c61a3c49392ced0b240b90daffc471ada01c58c46455

SHA512
cdbebea5235992441dd00d7bab9d299bcf0c74cfdf9676c792bbee8cbc7d89f88948e073d5930048fb965a8b3fc135497ca646f68561f0300b9ad0a95c1ca991

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\2zybln3u\CSC69C60CB393BF40C397A0E077D3DE779.TMP
Filesize
1KB

MD5
d8831db7810f6d899bd69a53268b3abb

SHA1
3f665c6e0e68775922f6b7c19ce5f05bf5150800

SHA256
5739c8152809b5b6eb12783b3afc98735434955b3747e5c521153b4ba480fa46

SHA512
a5ace05cfbad4b9d361c551e4eb90548ae77b5f199352a78661e8ad7df18ca411fb3ca544af23465d917c738e4e8834c305d4f27458e972b7a10c26f1397d445

Download Submit
memory/3108-6-0x00007FFB32430000-0x00007FFB32EF1000-memory.dmp

Filesize
10.8MB

Download
memory/3108-0-0x0000000000240000-0x00000000002C2000-memory.dmp

Filesize
520KB

Download
memory/3108-1-0x00007FFB32433000-0x00007FFB32435000-memory.dmp

Filesize
8KB

Download
memory/3108-17-0x0000000000BA0000-0x0000000000BA8000-memory.dmp

Filesize
32KB

Download
memory/3108-19-0x000000001B2F0000-0x000000001B374000-memory.dmp

Filesize
528KB

Download
memory/3108-23-0x00007FFB32430000-0x00007FFB32EF1000-memory.dmp

Filesize
10.8MB

Download
memory/3168-26-0x0000000000400000-0x0000000000529000-memory.dmp

Filesize
1.2MB

Download
memory/3168-25-0x0000000000400000-0x0000000000529000-memory.dmp

Filesize
1.2MB

Download
memory/3168-27-0x0000000000400000-0x0000000000529000-memory.dmp

Filesize
1.2MB

Download
memory/3168-24-0x0000000000400000-0x0000000000529000-memory.dmp

Filesize
1.2MB

Download
memory/3168-28-0x0000000000400000-0x0000000000529000-memory.dmp

Filesize
1.2MB

Download
memory/3904-20-0x0000000000400000-0x0000000000529000-memory.dmp

Filesize
1.2MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads