xmrig | 1eb70604b0de10415f6305e9ae671f40913f7ba56d35bc0198264fb76011d3b0

Analysis

max time kernel
119s
max time network
124s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
06/07/2024, 13:51

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

28622fa3efaa0c1e6cce38715ec6072f_JaffaCakes118.exe
Size

784KB
MD5

28622fa3efaa0c1e6cce38715ec6072f
SHA1

1b7ebd4f451ae7992d4404487a1c1d360e4611fb
SHA256

1eb70604b0de10415f6305e9ae671f40913f7ba56d35bc0198264fb76011d3b0
SHA512

aa0084f32a87761ca4a4a029ecffff8ed55c83076df8cc19ad5d62e37520e6c4b94770099f7a2763a5113e625fb8de3e6eb744402bfcfc556dff155cd71b236b
SSDEEP

24576:p4ma3wfkv8cefLokRBYQfeLbTJGsswre:fckLBYfLHJGsXe

Score

10^/10

xmrig miner upx

Malware Config

Signatures

xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

XMRig Miner payload 9 IoCs

miner

resource	yara_rule
behavioral1/memory/2964-2-0x0000000000400000-0x0000000000593000-memory.dmp	xmrig
behavioral1/memory/2964-16-0x0000000003100000-0x0000000003412000-memory.dmp	xmrig
behavioral1/memory/2964-14-0x0000000000400000-0x0000000000593000-memory.dmp	xmrig
behavioral1/memory/2552-18-0x0000000000400000-0x0000000000593000-memory.dmp	xmrig
behavioral1/memory/2552-33-0x0000000002FD0000-0x0000000003163000-memory.dmp	xmrig
behavioral1/memory/2552-24-0x0000000000400000-0x0000000000587000-memory.dmp	xmrig
behavioral1/memory/2552-35-0x0000000000400000-0x0000000000587000-memory.dmp	xmrig
behavioral1/memory/2552-34-0x00000000005A0000-0x000000000071F000-memory.dmp	xmrig
behavioral1/memory/2964-36-0x0000000003100000-0x0000000003412000-memory.dmp	xmrig

Deletes itself 1 IoCs

pid	Process
2552	28622fa3efaa0c1e6cce38715ec6072f_JaffaCakes118.exe

Executes dropped EXE 1 IoCs

pid	Process
2552	28622fa3efaa0c1e6cce38715ec6072f_JaffaCakes118.exe

Loads dropped DLL 1 IoCs

pid	Process
2964	28622fa3efaa0c1e6cce38715ec6072f_JaffaCakes118.exe

UPX packed file 4 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2964-0-0x0000000000400000-0x0000000000712000-memory.dmp	upx
behavioral1/files/0x000c00000001444f-10.dat	upx
behavioral1/memory/2552-17-0x0000000000400000-0x0000000000712000-memory.dmp	upx
behavioral1/memory/2964-16-0x0000000003100000-0x0000000003412000-memory.dmp	upx

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
2964	28622fa3efaa0c1e6cce38715ec6072f_JaffaCakes118.exe

Suspicious use of UnmapMainImage 2 IoCs

pid	Process
2964	28622fa3efaa0c1e6cce38715ec6072f_JaffaCakes118.exe
2552	28622fa3efaa0c1e6cce38715ec6072f_JaffaCakes118.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2964 wrote to memory of 2552	2964	28622fa3efaa0c1e6cce38715ec6072f_JaffaCakes118.exe	29
PID 2964 wrote to memory of 2552	2964	28622fa3efaa0c1e6cce38715ec6072f_JaffaCakes118.exe	29
PID 2964 wrote to memory of 2552	2964	28622fa3efaa0c1e6cce38715ec6072f_JaffaCakes118.exe	29
PID 2964 wrote to memory of 2552	2964	28622fa3efaa0c1e6cce38715ec6072f_JaffaCakes118.exe	29

C:\Users\Admin\AppData\Local\Temp\28622fa3efaa0c1e6cce38715ec6072f_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\28622fa3efaa0c1e6cce38715ec6072f_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- Suspicious behavior: RenamesItself
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
PID:2964
- C:\Users\Admin\AppData\Local\Temp\28622fa3efaa0c1e6cce38715ec6072f_JaffaCakes118.exe
  C:\Users\Admin\AppData\Local\Temp\28622fa3efaa0c1e6cce38715ec6072f_JaffaCakes118.exe
  2⤵
  - Deletes itself
  - Executes dropped EXE
  - Suspicious use of UnmapMainImage
  PID:2552

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Local\Temp\28622fa3efaa0c1e6cce38715ec6072f_JaffaCakes118.exe

Filesize
784KB

MD5
efe656d9083f3cda9126e95b474ceb8c

SHA1
4a6bfedff381b7f3b4c3411f339cadf90cc03f93

SHA256
2acecff913cfe953c5ab2360cac5fe09f075f437585c04063b04dfb9f7f5db11

SHA512
2ee7c334d428d1ac68376be47a6dd73ba8767c1d3085e88ad72c58f2056ceebc637e0b781312b896e5165e7ada8a71b0a79f55a44f11f271b45cb0235750fbb6

Download Submit
memory/2552-33-0x0000000002FD0000-0x0000000003163000-memory.dmp

Filesize
1.6MB

Download
memory/2552-17-0x0000000000400000-0x0000000000712000-memory.dmp

Filesize
3.1MB

Download
memory/2552-21-0x00000000002A0000-0x0000000000364000-memory.dmp

Filesize
784KB

Download
memory/2552-18-0x0000000000400000-0x0000000000593000-memory.dmp

Filesize
1.6MB

Download
memory/2552-24-0x0000000000400000-0x0000000000587000-memory.dmp

Filesize
1.5MB

Download
memory/2552-35-0x0000000000400000-0x0000000000587000-memory.dmp

Filesize
1.5MB

Download
memory/2552-34-0x00000000005A0000-0x000000000071F000-memory.dmp

Filesize
1.5MB

Download
memory/2964-2-0x0000000000400000-0x0000000000593000-memory.dmp

Filesize
1.6MB

Download
memory/2964-1-0x00000000002A0000-0x0000000000364000-memory.dmp

Filesize
784KB

Download
memory/2964-16-0x0000000003100000-0x0000000003412000-memory.dmp

Filesize
3.1MB

Download
memory/2964-14-0x0000000000400000-0x0000000000593000-memory.dmp

Filesize
1.6MB

Download
memory/2964-0-0x0000000000400000-0x0000000000712000-memory.dmp

Filesize
3.1MB

Download
memory/2964-36-0x0000000003100000-0x0000000003412000-memory.dmp

Filesize
3.1MB

Download