xmrig | 3d66f1ea21a52ff0426c0fa7399abc3db42f533e7675ab4a1306e285b1268c72

Analysis

max time kernel
120s
max time network
121s
platform
windows7_x64
resource
win7-20240708-en
resource tags

arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
submitted
13/07/2024, 20:14

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

432e901174b4cd9b29d66468be769a71_JaffaCakes118.exe
Size

784KB
MD5

432e901174b4cd9b29d66468be769a71
SHA1

5015c02155e2235e5418734957167dd20c68527a
SHA256

3d66f1ea21a52ff0426c0fa7399abc3db42f533e7675ab4a1306e285b1268c72
SHA512

7ae2d99ae39d1c782ba9c3fd98169f5ce3442ac40b43527957626fc1fab1025ee1d000eeb81177a4cc5a36dfd6a40197e891cee6c39f850e69cf682933418954
SSDEEP

24576:dEiP79bHgG0cekGfwcsrl7MyB6dR3/PDFKGpNJz:dPPBbiQGfzkl7jBSR3DT

Score

10^/10

xmrig miner upx

Malware Config

Signatures

xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

XMRig Miner payload 8 IoCs

miner

resource	yara_rule
behavioral1/memory/1244-13-0x0000000000400000-0x0000000000593000-memory.dmp	xmrig
behavioral1/memory/1244-1-0x0000000000400000-0x0000000000593000-memory.dmp	xmrig
behavioral1/memory/2148-16-0x0000000000400000-0x0000000000593000-memory.dmp	xmrig
behavioral1/memory/2148-33-0x0000000000400000-0x0000000000712000-memory.dmp	xmrig
behavioral1/memory/2148-32-0x0000000003230000-0x00000000033C3000-memory.dmp	xmrig
behavioral1/memory/2148-30-0x00000000005A0000-0x000000000071F000-memory.dmp	xmrig
behavioral1/memory/2148-21-0x0000000000400000-0x0000000000587000-memory.dmp	xmrig
behavioral1/memory/1244-34-0x00000000018B0000-0x0000000001974000-memory.dmp	xmrig

Deletes itself 1 IoCs

pid	Process
2148	432e901174b4cd9b29d66468be769a71_JaffaCakes118.exe

Executes dropped EXE 1 IoCs

pid	Process
2148	432e901174b4cd9b29d66468be769a71_JaffaCakes118.exe

Loads dropped DLL 1 IoCs

pid	Process
1244	432e901174b4cd9b29d66468be769a71_JaffaCakes118.exe

UPX packed file 2 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/1244-0-0x0000000000400000-0x0000000000712000-memory.dmp	upx
behavioral1/files/0x000a00000001225f-7.dat	upx

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
1244	432e901174b4cd9b29d66468be769a71_JaffaCakes118.exe

Suspicious use of UnmapMainImage 2 IoCs

pid	Process
1244	432e901174b4cd9b29d66468be769a71_JaffaCakes118.exe
2148	432e901174b4cd9b29d66468be769a71_JaffaCakes118.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 1244 wrote to memory of 2148	1244	432e901174b4cd9b29d66468be769a71_JaffaCakes118.exe	31
PID 1244 wrote to memory of 2148	1244	432e901174b4cd9b29d66468be769a71_JaffaCakes118.exe	31
PID 1244 wrote to memory of 2148	1244	432e901174b4cd9b29d66468be769a71_JaffaCakes118.exe	31
PID 1244 wrote to memory of 2148	1244	432e901174b4cd9b29d66468be769a71_JaffaCakes118.exe	31

C:\Users\Admin\AppData\Local\Temp\432e901174b4cd9b29d66468be769a71_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\432e901174b4cd9b29d66468be769a71_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- Suspicious behavior: RenamesItself
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
PID:1244
- C:\Users\Admin\AppData\Local\Temp\432e901174b4cd9b29d66468be769a71_JaffaCakes118.exe
  C:\Users\Admin\AppData\Local\Temp\432e901174b4cd9b29d66468be769a71_JaffaCakes118.exe
  2⤵
  - Deletes itself
  - Executes dropped EXE
  - Suspicious use of UnmapMainImage
  PID:2148

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\432e901174b4cd9b29d66468be769a71_JaffaCakes118.exe

Filesize
784KB

MD5
8da9e22fdd6a81d035a193d12739bb41

SHA1
70413696b6d781642e528692301772c0f62e6098

SHA256
f2d488f35b81860471eca34c3cee51e525b0e5b90477e555eaaff6a6e7123026

SHA512
10eeeca02d78213db329ba0a492215eadc8f4fb9a2dd9b1c389027cd16254f668208016fc09c1a5325a799be5e72127f0a8fe5683f5d4bda8c9d8c02626dc854

Download Submit
memory/1244-0-0x0000000000400000-0x0000000000712000-memory.dmp

Filesize
3.1MB

Download
memory/1244-14-0x00000000018B0000-0x0000000001974000-memory.dmp

Filesize
784KB

Download
memory/1244-13-0x0000000000400000-0x0000000000593000-memory.dmp

Filesize
1.6MB

Download
memory/1244-1-0x0000000000400000-0x0000000000593000-memory.dmp

Filesize
1.6MB

Download
memory/1244-34-0x00000000018B0000-0x0000000001974000-memory.dmp

Filesize
784KB

Download
memory/2148-16-0x0000000000400000-0x0000000000593000-memory.dmp

Filesize
1.6MB

Download
memory/2148-33-0x0000000000400000-0x0000000000712000-memory.dmp

Filesize
3.1MB

Download
memory/2148-32-0x0000000003230000-0x00000000033C3000-memory.dmp

Filesize
1.6MB

Download
memory/2148-31-0x0000000000120000-0x00000000001E4000-memory.dmp

Filesize
784KB

Download
memory/2148-30-0x00000000005A0000-0x000000000071F000-memory.dmp

Filesize
1.5MB

Download
memory/2148-21-0x0000000000400000-0x0000000000587000-memory.dmp

Filesize
1.5MB

Download