xmrig | 03ff530c7d56727462fa2e90538fba658da181cb27da4b3c64ef05efe9ce7794

Analysis

max time kernel
150s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240709-en
resource tags

arch:x64arch:x86image:win10v2004-20240709-enlocale:en-usos:windows10-2004-x64system
submitted
19/07/2024, 07:00

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

5ae756ec0c535523eeca7f970206c467_JaffaCakes118.exe
Size

3.9MB
MD5

5ae756ec0c535523eeca7f970206c467
SHA1

87b426f1307c2d9c187fd69869fffe38698d01da
SHA256

03ff530c7d56727462fa2e90538fba658da181cb27da4b3c64ef05efe9ce7794
SHA512

03c6386ebdfafa9a46f81c58088e181e6fce552b735ab796fe2531f54dff1b168297515a54a5e003c8bc633c4eea52bb7eea34fee4a11940dcbff734e9c29a3d
SSDEEP

24576:RAHnh+eWsN3skA4RV1Hom2KXMmHaQ17fxgwo5SEbzrVxf5zUSi5WUn+5DsQlkvtv:oh+ZkldoPK8YaQLE6

Score

10^/10

xmrig miner

Malware Config

Signatures

xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

XMRig Miner payload 14 IoCs

miner

resource	yara_rule
behavioral2/memory/404-1-0x0000000000400000-0x000000000058B000-memory.dmp	xmrig
behavioral2/memory/404-7-0x0000000000400000-0x000000000058B000-memory.dmp	xmrig
behavioral2/memory/3136-20-0x0000000000E00000-0x0000000000F8B000-memory.dmp	xmrig
behavioral2/memory/3136-26-0x0000000000E00000-0x0000000000F8B000-memory.dmp	xmrig
behavioral2/memory/3136-34-0x0000000000E00000-0x0000000000F8B000-memory.dmp	xmrig
behavioral2/memory/3136-44-0x0000000000E00000-0x0000000000F8B000-memory.dmp	xmrig
behavioral2/memory/3136-45-0x0000000000E00000-0x0000000000F8B000-memory.dmp	xmrig
behavioral2/memory/3136-43-0x0000000000E00000-0x0000000000F8B000-memory.dmp	xmrig
behavioral2/memory/3136-42-0x0000000000E00000-0x0000000000F8B000-memory.dmp	xmrig
behavioral2/memory/3136-37-0x0000000000E00000-0x0000000000F8B000-memory.dmp	xmrig
behavioral2/memory/3136-40-0x0000000000E00000-0x0000000000F8B000-memory.dmp	xmrig
behavioral2/memory/3136-39-0x0000000000E00000-0x0000000000F8B000-memory.dmp	xmrig
behavioral2/memory/3136-38-0x0000000000E00000-0x0000000000F8B000-memory.dmp	xmrig
behavioral2/memory/3136-35-0x0000000000E00000-0x0000000000F8B000-memory.dmp	xmrig

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2990742725-2267136959-192470804-1000\Control Panel\International\Geo\Nation	5ae756ec0c535523eeca7f970206c467_JaffaCakes118.exe

Drops startup file 2 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\acppage.url	5ae756ec0c535523eeca7f970206c467_JaffaCakes118.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\acppage.url	PerfWatson2.exe

Executes dropped EXE 2 IoCs

pid	Process
3552	PerfWatson2.exe
3136	PerfWatson2.exe

AutoIT Executable 2 IoCs

AutoIT scripts compiled to PE executables.

resource	yara_rule
behavioral2/files/0x00070000000234a2-16.dat	autoit_exe
behavioral2/files/0x00070000000234a1-33.dat	autoit_exe

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 3888 set thread context of 404	3888	5ae756ec0c535523eeca7f970206c467_JaffaCakes118.exe	87
PID 3552 set thread context of 3136	3552	PerfWatson2.exe	91

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
3368	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
3136	PerfWatson2.exe
3136	PerfWatson2.exe
3136	PerfWatson2.exe
3136	PerfWatson2.exe
3136	PerfWatson2.exe
3136	PerfWatson2.exe
3136	PerfWatson2.exe
3136	PerfWatson2.exe
3136	PerfWatson2.exe
3136	PerfWatson2.exe
3136	PerfWatson2.exe
3136	PerfWatson2.exe
3136	PerfWatson2.exe
3136	PerfWatson2.exe
3136	PerfWatson2.exe
3136	PerfWatson2.exe
3136	PerfWatson2.exe
3136	PerfWatson2.exe
3136	PerfWatson2.exe
3136	PerfWatson2.exe
3136	PerfWatson2.exe
3136	PerfWatson2.exe
3136	PerfWatson2.exe
3136	PerfWatson2.exe
3136	PerfWatson2.exe
3136	PerfWatson2.exe
3136	PerfWatson2.exe
3136	PerfWatson2.exe
3136	PerfWatson2.exe
3136	PerfWatson2.exe
3136	PerfWatson2.exe
3136	PerfWatson2.exe
3136	PerfWatson2.exe
3136	PerfWatson2.exe
3136	PerfWatson2.exe
3136	PerfWatson2.exe
3136	PerfWatson2.exe
3136	PerfWatson2.exe
3136	PerfWatson2.exe
3136	PerfWatson2.exe
3136	PerfWatson2.exe
3136	PerfWatson2.exe
3136	PerfWatson2.exe
3136	PerfWatson2.exe
3136	PerfWatson2.exe
3136	PerfWatson2.exe
3136	PerfWatson2.exe
3136	PerfWatson2.exe
3136	PerfWatson2.exe
3136	PerfWatson2.exe
3136	PerfWatson2.exe
3136	PerfWatson2.exe
3136	PerfWatson2.exe
3136	PerfWatson2.exe
3136	PerfWatson2.exe
3136	PerfWatson2.exe
3136	PerfWatson2.exe
3136	PerfWatson2.exe
3136	PerfWatson2.exe
3136	PerfWatson2.exe
3136	PerfWatson2.exe
3136	PerfWatson2.exe
3136	PerfWatson2.exe
3136	PerfWatson2.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeLockMemoryPrivilege	3136	PerfWatson2.exe
Token: SeLockMemoryPrivilege	3136	PerfWatson2.exe

Suspicious use of FindShellTrayWindow 6 IoCs

pid	Process
3888	5ae756ec0c535523eeca7f970206c467_JaffaCakes118.exe
3888	5ae756ec0c535523eeca7f970206c467_JaffaCakes118.exe
3888	5ae756ec0c535523eeca7f970206c467_JaffaCakes118.exe
3552	PerfWatson2.exe
3552	PerfWatson2.exe
3552	PerfWatson2.exe

Suspicious use of SendNotifyMessage 6 IoCs

pid	Process
3888	5ae756ec0c535523eeca7f970206c467_JaffaCakes118.exe
3888	5ae756ec0c535523eeca7f970206c467_JaffaCakes118.exe
3888	5ae756ec0c535523eeca7f970206c467_JaffaCakes118.exe
3552	PerfWatson2.exe
3552	PerfWatson2.exe
3552	PerfWatson2.exe

Suspicious use of WriteProcessMemory 16 IoCs

description	pid	Process	procid_target
PID 3888 wrote to memory of 404	3888	5ae756ec0c535523eeca7f970206c467_JaffaCakes118.exe	87
PID 3888 wrote to memory of 404	3888	5ae756ec0c535523eeca7f970206c467_JaffaCakes118.exe	87
PID 3888 wrote to memory of 404	3888	5ae756ec0c535523eeca7f970206c467_JaffaCakes118.exe	87
PID 3888 wrote to memory of 404	3888	5ae756ec0c535523eeca7f970206c467_JaffaCakes118.exe	87
PID 3888 wrote to memory of 404	3888	5ae756ec0c535523eeca7f970206c467_JaffaCakes118.exe	87
PID 404 wrote to memory of 3368	404	5ae756ec0c535523eeca7f970206c467_JaffaCakes118.exe	88
PID 404 wrote to memory of 3368	404	5ae756ec0c535523eeca7f970206c467_JaffaCakes118.exe	88
PID 404 wrote to memory of 3368	404	5ae756ec0c535523eeca7f970206c467_JaffaCakes118.exe	88
PID 404 wrote to memory of 3552	404	5ae756ec0c535523eeca7f970206c467_JaffaCakes118.exe	89
PID 404 wrote to memory of 3552	404	5ae756ec0c535523eeca7f970206c467_JaffaCakes118.exe	89
PID 404 wrote to memory of 3552	404	5ae756ec0c535523eeca7f970206c467_JaffaCakes118.exe	89
PID 3552 wrote to memory of 3136	3552	PerfWatson2.exe	91
PID 3552 wrote to memory of 3136	3552	PerfWatson2.exe	91
PID 3552 wrote to memory of 3136	3552	PerfWatson2.exe	91
PID 3552 wrote to memory of 3136	3552	PerfWatson2.exe	91
PID 3552 wrote to memory of 3136	3552	PerfWatson2.exe	91

C:\Users\Admin\AppData\Local\Temp\5ae756ec0c535523eeca7f970206c467_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\5ae756ec0c535523eeca7f970206c467_JaffaCakes118.exe"
1⤵
- Drops startup file
- Suspicious use of SetThreadContext
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:3888
- C:\Users\Admin\AppData\Local\Temp\5ae756ec0c535523eeca7f970206c467_JaffaCakes118.exe
  "C:\Users\Admin\AppData\Local\Temp\5ae756ec0c535523eeca7f970206c467_JaffaCakes118.exe"
  2⤵
  - Checks computer location settings
  - Suspicious use of WriteProcessMemory
  PID:404
- - C:\Windows\SysWOW64\schtasks.exe
    "C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 5 /TN "Performance Watson 2" /TR "C:\Users\Admin\AppData\Roaming\Performance Watson 2\PerfWatson2.exe" /F
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:3368
- - C:\Users\Admin\AppData\Roaming\Performance Watson 2\PerfWatson2.exe
    "C:\Users\Admin\AppData\Roaming\Performance Watson 2\PerfWatson2.exe"
    3⤵
    - Drops startup file
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    - Suspicious use of WriteProcessMemory
    PID:3552
  - - C:\Users\Admin\AppData\Roaming\Performance Watson 2\PerfWatson2.exe
      "C:\Users\Admin\AppData\Roaming\Performance Watson 2\PerfWatson2.exe"
      4⤵
      Executes dropped EXE
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:3136

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\acppage.url

Filesize
87B

MD5
1f993fa6ff1bb89ed2f4058cdddc2825

SHA1
d41327e8dabfbd898e9a17fdb2400a2be5d4ddb8

SHA256
9d6450cfe4c07c8eaf615cf35021921d0ed980428b82064876fc34d13dea34ec

SHA512
54e3ca601fcf5466fba97d3e337c543f2292723bf4c7f0965ba13dde0623bdb7010c83191b49aeecfda97227e12797300205de8a75c62030a28b623bba0f9b0e

Download Submit
C:\Users\Admin\AppData\Roaming\Performance Watson 2\PerfWatson2.exe

Filesize
3.9MB

MD5
5ae756ec0c535523eeca7f970206c467

SHA1
87b426f1307c2d9c187fd69869fffe38698d01da

SHA256
03ff530c7d56727462fa2e90538fba658da181cb27da4b3c64ef05efe9ce7794

SHA512
03c6386ebdfafa9a46f81c58088e181e6fce552b735ab796fe2531f54dff1b168297515a54a5e003c8bc633c4eea52bb7eea34fee4a11940dcbff734e9c29a3d

Download Submit
C:\Users\Admin\audioresourceregistrar\RecoveryDrive.exe

Filesize
3.9MB

MD5
9572b2467a4d658e70ccb1083ff62df0

SHA1
71f30e392c691ee514f093eb220154d239705393

SHA256
c28116fdc2fe2df7edaf3a212f8b8531f260d5571d40d2bb30f442c98f27bff5

SHA512
95f63650448efa1c675b9d149ccf503f3d1a01c688efd7eecf052e6014689fba6839604367237afe56c150f4cf835497862e0b1cc4fce875bca888ec69c01528

Download Submit
C:\Users\Admin\audioresourceregistrar\acppage.vbs

Filesize
128B

MD5
c9a7429855358666a14484a6ca9720d4

SHA1
fc8fd475b4b4461c1ce8fee50ba32d9af20a7963

SHA256
81e502003219a21763b6d42fdf32fc1d9a90c5d6d4cc2c052a909b6b9de5340e

SHA512
b84e1dbd3d4212d69c36424c273268bc1cbd3e7aa9606364bde1990c6984e1bb3cc0dcbb9578034b5b0630f2c0cdff4698b484a042f95e90ad26fd2bc3c3cb48

Download Submit
memory/404-1-0x0000000000400000-0x000000000058B000-memory.dmp

Filesize
1.5MB

Download
memory/404-7-0x0000000000400000-0x000000000058B000-memory.dmp

Filesize
1.5MB

Download
memory/404-17-0x0000000074B10000-0x0000000074B39000-memory.dmp

Filesize
164KB

Download
memory/3136-34-0x0000000000E00000-0x0000000000F8B000-memory.dmp

Filesize
1.5MB

Download
memory/3136-26-0x0000000000E00000-0x0000000000F8B000-memory.dmp

Filesize
1.5MB

Download
memory/3136-20-0x0000000000E00000-0x0000000000F8B000-memory.dmp

Filesize
1.5MB

Download
memory/3136-44-0x0000000000E00000-0x0000000000F8B000-memory.dmp

Filesize
1.5MB

Download
memory/3136-45-0x0000000000E00000-0x0000000000F8B000-memory.dmp

Filesize
1.5MB

Download
memory/3136-43-0x0000000000E00000-0x0000000000F8B000-memory.dmp

Filesize
1.5MB

Download
memory/3136-42-0x0000000000E00000-0x0000000000F8B000-memory.dmp

Filesize
1.5MB

Download
memory/3136-37-0x0000000000E00000-0x0000000000F8B000-memory.dmp

Filesize
1.5MB

Download
memory/3136-40-0x0000000000E00000-0x0000000000F8B000-memory.dmp

Filesize
1.5MB

Download
memory/3136-39-0x0000000000E00000-0x0000000000F8B000-memory.dmp

Filesize
1.5MB

Download
memory/3136-38-0x0000000000E00000-0x0000000000F8B000-memory.dmp

Filesize
1.5MB

Download
memory/3136-35-0x0000000000E00000-0x0000000000F8B000-memory.dmp

Filesize
1.5MB

Download
memory/3888-8-0x0000000000A70000-0x0000000000A71000-memory.dmp

Filesize
4KB

Download