xmrig | 03ff530c7d56727462fa2e90538fba658da181cb27da4b3c64ef05efe9ce7794

Analysis

max time kernel
150s
max time network
150s
platform
windows7_x64
resource
win7-20240708-en
resource tags

arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
submitted
19/07/2024, 07:00

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

5ae756ec0c535523eeca7f970206c467_JaffaCakes118.exe
Size

3.9MB
MD5

5ae756ec0c535523eeca7f970206c467
SHA1

87b426f1307c2d9c187fd69869fffe38698d01da
SHA256

03ff530c7d56727462fa2e90538fba658da181cb27da4b3c64ef05efe9ce7794
SHA512

03c6386ebdfafa9a46f81c58088e181e6fce552b735ab796fe2531f54dff1b168297515a54a5e003c8bc633c4eea52bb7eea34fee4a11940dcbff734e9c29a3d
SSDEEP

24576:RAHnh+eWsN3skA4RV1Hom2KXMmHaQ17fxgwo5SEbzrVxf5zUSi5WUn+5DsQlkvtv:oh+ZkldoPK8YaQLE6

Score

10^/10

xmrig miner

Malware Config

Signatures

xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

XMRig Miner payload 14 IoCs

miner

resource	yara_rule
behavioral1/memory/1712-11-0x00000000006F0000-0x000000000087B000-memory.dmp	xmrig
behavioral1/memory/1712-3-0x00000000006F0000-0x000000000087B000-memory.dmp	xmrig
behavioral1/memory/2868-34-0x00000000001B0000-0x000000000033B000-memory.dmp	xmrig
behavioral1/memory/2868-38-0x00000000001B0000-0x000000000033B000-memory.dmp	xmrig
behavioral1/memory/2868-37-0x00000000001B0000-0x000000000033B000-memory.dmp	xmrig
behavioral1/memory/2868-26-0x00000000001B0000-0x000000000033B000-memory.dmp	xmrig
behavioral1/memory/2868-45-0x00000000001B0000-0x000000000033B000-memory.dmp	xmrig
behavioral1/memory/2868-53-0x00000000001B0000-0x000000000033B000-memory.dmp	xmrig
behavioral1/memory/2868-52-0x00000000001B0000-0x000000000033B000-memory.dmp	xmrig
behavioral1/memory/2868-51-0x00000000001B0000-0x000000000033B000-memory.dmp	xmrig
behavioral1/memory/2868-50-0x00000000001B0000-0x000000000033B000-memory.dmp	xmrig
behavioral1/memory/2868-48-0x00000000001B0000-0x000000000033B000-memory.dmp	xmrig
behavioral1/memory/2868-47-0x00000000001B0000-0x000000000033B000-memory.dmp	xmrig
behavioral1/memory/2868-46-0x00000000001B0000-0x000000000033B000-memory.dmp	xmrig

Drops startup file 2 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\acppage.url	PerfWatson2.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\acppage.url	5ae756ec0c535523eeca7f970206c467_JaffaCakes118.exe

Executes dropped EXE 2 IoCs

pid	Process
2352	PerfWatson2.exe
2868	PerfWatson2.exe

Loads dropped DLL 1 IoCs

pid	Process
1712	5ae756ec0c535523eeca7f970206c467_JaffaCakes118.exe

AutoIT Executable 2 IoCs

AutoIT scripts compiled to PE executables.

resource	yara_rule
behavioral1/files/0x0009000000016ccd-20.dat	autoit_exe
behavioral1/files/0x0008000000016cd7-43.dat	autoit_exe

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 2280 set thread context of 1712	2280	5ae756ec0c535523eeca7f970206c467_JaffaCakes118.exe	30
PID 2352 set thread context of 2868	2352	PerfWatson2.exe	34

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
2800	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2868	PerfWatson2.exe
2868	PerfWatson2.exe
2868	PerfWatson2.exe
2868	PerfWatson2.exe
2868	PerfWatson2.exe
2868	PerfWatson2.exe
2868	PerfWatson2.exe
2868	PerfWatson2.exe
2868	PerfWatson2.exe
2868	PerfWatson2.exe
2868	PerfWatson2.exe
2868	PerfWatson2.exe
2868	PerfWatson2.exe
2868	PerfWatson2.exe
2868	PerfWatson2.exe
2868	PerfWatson2.exe
2868	PerfWatson2.exe
2868	PerfWatson2.exe
2868	PerfWatson2.exe
2868	PerfWatson2.exe
2868	PerfWatson2.exe
2868	PerfWatson2.exe
2868	PerfWatson2.exe
2868	PerfWatson2.exe
2868	PerfWatson2.exe
2868	PerfWatson2.exe
2868	PerfWatson2.exe
2868	PerfWatson2.exe
2868	PerfWatson2.exe
2868	PerfWatson2.exe
2868	PerfWatson2.exe
2868	PerfWatson2.exe
2868	PerfWatson2.exe
2868	PerfWatson2.exe
2868	PerfWatson2.exe
2868	PerfWatson2.exe
2868	PerfWatson2.exe
2868	PerfWatson2.exe
2868	PerfWatson2.exe
2868	PerfWatson2.exe
2868	PerfWatson2.exe
2868	PerfWatson2.exe
2868	PerfWatson2.exe
2868	PerfWatson2.exe
2868	PerfWatson2.exe
2868	PerfWatson2.exe
2868	PerfWatson2.exe
2868	PerfWatson2.exe
2868	PerfWatson2.exe
2868	PerfWatson2.exe
2868	PerfWatson2.exe
2868	PerfWatson2.exe
2868	PerfWatson2.exe
2868	PerfWatson2.exe
2868	PerfWatson2.exe
2868	PerfWatson2.exe
2868	PerfWatson2.exe
2868	PerfWatson2.exe
2868	PerfWatson2.exe
2868	PerfWatson2.exe
2868	PerfWatson2.exe
2868	PerfWatson2.exe
2868	PerfWatson2.exe
2868	PerfWatson2.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeLockMemoryPrivilege	2868	PerfWatson2.exe
Token: SeLockMemoryPrivilege	2868	PerfWatson2.exe

Suspicious use of FindShellTrayWindow 6 IoCs

pid	Process
2280	5ae756ec0c535523eeca7f970206c467_JaffaCakes118.exe
2280	5ae756ec0c535523eeca7f970206c467_JaffaCakes118.exe
2280	5ae756ec0c535523eeca7f970206c467_JaffaCakes118.exe
2352	PerfWatson2.exe
2352	PerfWatson2.exe
2352	PerfWatson2.exe

Suspicious use of SendNotifyMessage 6 IoCs

pid	Process
2280	5ae756ec0c535523eeca7f970206c467_JaffaCakes118.exe
2280	5ae756ec0c535523eeca7f970206c467_JaffaCakes118.exe
2280	5ae756ec0c535523eeca7f970206c467_JaffaCakes118.exe
2352	PerfWatson2.exe
2352	PerfWatson2.exe
2352	PerfWatson2.exe

Suspicious use of WriteProcessMemory 20 IoCs

description	pid	Process	procid_target
PID 2280 wrote to memory of 1712	2280	5ae756ec0c535523eeca7f970206c467_JaffaCakes118.exe	30
PID 2280 wrote to memory of 1712	2280	5ae756ec0c535523eeca7f970206c467_JaffaCakes118.exe	30
PID 2280 wrote to memory of 1712	2280	5ae756ec0c535523eeca7f970206c467_JaffaCakes118.exe	30
PID 2280 wrote to memory of 1712	2280	5ae756ec0c535523eeca7f970206c467_JaffaCakes118.exe	30
PID 2280 wrote to memory of 1712	2280	5ae756ec0c535523eeca7f970206c467_JaffaCakes118.exe	30
PID 2280 wrote to memory of 1712	2280	5ae756ec0c535523eeca7f970206c467_JaffaCakes118.exe	30
PID 1712 wrote to memory of 2800	1712	5ae756ec0c535523eeca7f970206c467_JaffaCakes118.exe	31
PID 1712 wrote to memory of 2800	1712	5ae756ec0c535523eeca7f970206c467_JaffaCakes118.exe	31
PID 1712 wrote to memory of 2800	1712	5ae756ec0c535523eeca7f970206c467_JaffaCakes118.exe	31
PID 1712 wrote to memory of 2800	1712	5ae756ec0c535523eeca7f970206c467_JaffaCakes118.exe	31
PID 1712 wrote to memory of 2352	1712	5ae756ec0c535523eeca7f970206c467_JaffaCakes118.exe	32
PID 1712 wrote to memory of 2352	1712	5ae756ec0c535523eeca7f970206c467_JaffaCakes118.exe	32
PID 1712 wrote to memory of 2352	1712	5ae756ec0c535523eeca7f970206c467_JaffaCakes118.exe	32
PID 1712 wrote to memory of 2352	1712	5ae756ec0c535523eeca7f970206c467_JaffaCakes118.exe	32
PID 2352 wrote to memory of 2868	2352	PerfWatson2.exe	34
PID 2352 wrote to memory of 2868	2352	PerfWatson2.exe	34
PID 2352 wrote to memory of 2868	2352	PerfWatson2.exe	34
PID 2352 wrote to memory of 2868	2352	PerfWatson2.exe	34
PID 2352 wrote to memory of 2868	2352	PerfWatson2.exe	34
PID 2352 wrote to memory of 2868	2352	PerfWatson2.exe	34

C:\Users\Admin\AppData\Local\Temp\5ae756ec0c535523eeca7f970206c467_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\5ae756ec0c535523eeca7f970206c467_JaffaCakes118.exe"
1⤵
- Drops startup file
- Suspicious use of SetThreadContext
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:2280
- C:\Users\Admin\AppData\Local\Temp\5ae756ec0c535523eeca7f970206c467_JaffaCakes118.exe
  "C:\Users\Admin\AppData\Local\Temp\5ae756ec0c535523eeca7f970206c467_JaffaCakes118.exe"
  2⤵
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:1712
- - C:\Windows\SysWOW64\schtasks.exe
    "C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 5 /TN "Performance Watson 2" /TR "C:\Users\Admin\AppData\Roaming\Performance Watson 2\PerfWatson2.exe" /F
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:2800
- - C:\Users\Admin\AppData\Roaming\Performance Watson 2\PerfWatson2.exe
    "C:\Users\Admin\AppData\Roaming\Performance Watson 2\PerfWatson2.exe"
    3⤵
    - Drops startup file
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    - Suspicious use of WriteProcessMemory
    PID:2352
  - - C:\Users\Admin\AppData\Roaming\Performance Watson 2\PerfWatson2.exe
      "C:\Users\Admin\AppData\Roaming\Performance Watson 2\PerfWatson2.exe"
      4⤵
      Executes dropped EXE
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:2868

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\acppage.url

Filesize
87B

MD5
1f993fa6ff1bb89ed2f4058cdddc2825

SHA1
d41327e8dabfbd898e9a17fdb2400a2be5d4ddb8

SHA256
9d6450cfe4c07c8eaf615cf35021921d0ed980428b82064876fc34d13dea34ec

SHA512
54e3ca601fcf5466fba97d3e337c543f2292723bf4c7f0965ba13dde0623bdb7010c83191b49aeecfda97227e12797300205de8a75c62030a28b623bba0f9b0e

Download Submit
C:\Users\Admin\AppData\Roaming\Performance Watson 2\PerfWatson2.exe

Filesize
3.9MB

MD5
5ae756ec0c535523eeca7f970206c467

SHA1
87b426f1307c2d9c187fd69869fffe38698d01da

SHA256
03ff530c7d56727462fa2e90538fba658da181cb27da4b3c64ef05efe9ce7794

SHA512
03c6386ebdfafa9a46f81c58088e181e6fce552b735ab796fe2531f54dff1b168297515a54a5e003c8bc633c4eea52bb7eea34fee4a11940dcbff734e9c29a3d

Download Submit
C:\Users\Admin\audioresourceregistrar\RecoveryDrive.exe

Filesize
3.9MB

MD5
9572b2467a4d658e70ccb1083ff62df0

SHA1
71f30e392c691ee514f093eb220154d239705393

SHA256
c28116fdc2fe2df7edaf3a212f8b8531f260d5571d40d2bb30f442c98f27bff5

SHA512
95f63650448efa1c675b9d149ccf503f3d1a01c688efd7eecf052e6014689fba6839604367237afe56c150f4cf835497862e0b1cc4fce875bca888ec69c01528

Download Submit
C:\Users\Admin\audioresourceregistrar\acppage.vbs

Filesize
128B

MD5
c9a7429855358666a14484a6ca9720d4

SHA1
fc8fd475b4b4461c1ce8fee50ba32d9af20a7963

SHA256
81e502003219a21763b6d42fdf32fc1d9a90c5d6d4cc2c052a909b6b9de5340e

SHA512
b84e1dbd3d4212d69c36424c273268bc1cbd3e7aa9606364bde1990c6984e1bb3cc0dcbb9578034b5b0630f2c0cdff4698b484a042f95e90ad26fd2bc3c3cb48

Download Submit
memory/1712-8-0x00000000FFFDE000-0x00000000FFFDF000-memory.dmp

Filesize
4KB

Download
memory/1712-11-0x00000000006F0000-0x000000000087B000-memory.dmp

Filesize
1.5MB

Download
memory/1712-3-0x00000000006F0000-0x000000000087B000-memory.dmp

Filesize
1.5MB

Download
memory/1712-0-0x00000000006F0000-0x000000000087B000-memory.dmp

Filesize
1.5MB

Download
memory/2280-12-0x0000000000120000-0x0000000000121000-memory.dmp

Filesize
4KB

Download
memory/2868-38-0x00000000001B0000-0x000000000033B000-memory.dmp

Filesize
1.5MB

Download
memory/2868-34-0x00000000001B0000-0x000000000033B000-memory.dmp

Filesize
1.5MB

Download
memory/2868-37-0x00000000001B0000-0x000000000033B000-memory.dmp

Filesize
1.5MB

Download
memory/2868-31-0x00000000FFFDE000-0x00000000FFFDF000-memory.dmp

Filesize
4KB

Download
memory/2868-26-0x00000000001B0000-0x000000000033B000-memory.dmp

Filesize
1.5MB

Download
memory/2868-45-0x00000000001B0000-0x000000000033B000-memory.dmp

Filesize
1.5MB

Download
memory/2868-53-0x00000000001B0000-0x000000000033B000-memory.dmp

Filesize
1.5MB

Download
memory/2868-52-0x00000000001B0000-0x000000000033B000-memory.dmp

Filesize
1.5MB

Download
memory/2868-51-0x00000000001B0000-0x000000000033B000-memory.dmp

Filesize
1.5MB

Download
memory/2868-50-0x00000000001B0000-0x000000000033B000-memory.dmp

Filesize
1.5MB

Download
memory/2868-48-0x00000000001B0000-0x000000000033B000-memory.dmp

Filesize
1.5MB

Download
memory/2868-47-0x00000000001B0000-0x000000000033B000-memory.dmp

Filesize
1.5MB

Download
memory/2868-46-0x00000000001B0000-0x000000000033B000-memory.dmp

Filesize
1.5MB

Download