xmrig | 3444fc6d446d99d77a40eb92575b62d59463142d32574f51c24e3f6b3b0dadfd

Analysis

max time kernel
135s
max time network
124s
platform
windows10-2004_x64
resource
win10v2004-20240709-en
resource tags

arch:x64arch:x86image:win10v2004-20240709-enlocale:en-usos:windows10-2004-x64system
submitted
25/07/2024, 20:54

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

7131c2d3ec2d66df49601c5b6db5c686_JaffaCakes118.exe
Size

784KB
MD5

7131c2d3ec2d66df49601c5b6db5c686
SHA1

cfed6fad580e71e29981df1db1f8cc9470157200
SHA256

3444fc6d446d99d77a40eb92575b62d59463142d32574f51c24e3f6b3b0dadfd
SHA512

0e9c342341dd9c4b7115d5a14c1a320f21d643dd29d4a479cdbe3b31b9d5ea2c3fab587a2ba5e601841c4d26ca78bf7cd90f0b759514689ca8242e85a3b9da9f
SSDEEP

24576:2U+QIWJK5Yyll/iQ4UPv0wqLzll6Gqbw:2uxJK1lUQ4UPv0wqzlljq

Score

10^/10

xmrig discovery miner upx

Malware Config

Signatures

xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

XMRig Miner payload 6 IoCs

miner

resource	yara_rule
behavioral2/memory/2360-2-0x0000000000400000-0x0000000000593000-memory.dmp	xmrig
behavioral2/memory/2360-12-0x0000000000400000-0x0000000000593000-memory.dmp	xmrig
behavioral2/memory/3824-14-0x0000000000400000-0x0000000000593000-memory.dmp	xmrig
behavioral2/memory/3824-27-0x0000000005440000-0x00000000055D3000-memory.dmp	xmrig
behavioral2/memory/3824-20-0x0000000000400000-0x0000000000587000-memory.dmp	xmrig
behavioral2/memory/3824-30-0x0000000000400000-0x0000000000587000-memory.dmp	xmrig

Deletes itself 1 IoCs

pid	Process
3824	7131c2d3ec2d66df49601c5b6db5c686_JaffaCakes118.exe

Executes dropped EXE 1 IoCs

pid	Process
3824	7131c2d3ec2d66df49601c5b6db5c686_JaffaCakes118.exe

UPX packed file 3 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/2360-0-0x0000000000400000-0x0000000000712000-memory.dmp	upx
behavioral2/files/0x0008000000023494-11.dat	upx
behavioral2/memory/3824-13-0x0000000000400000-0x0000000000712000-memory.dmp	upx

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	7131c2d3ec2d66df49601c5b6db5c686_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	7131c2d3ec2d66df49601c5b6db5c686_JaffaCakes118.exe

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
2360	7131c2d3ec2d66df49601c5b6db5c686_JaffaCakes118.exe

Suspicious use of UnmapMainImage 2 IoCs

pid	Process
2360	7131c2d3ec2d66df49601c5b6db5c686_JaffaCakes118.exe
3824	7131c2d3ec2d66df49601c5b6db5c686_JaffaCakes118.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 2360 wrote to memory of 3824	2360	7131c2d3ec2d66df49601c5b6db5c686_JaffaCakes118.exe	85
PID 2360 wrote to memory of 3824	2360	7131c2d3ec2d66df49601c5b6db5c686_JaffaCakes118.exe	85
PID 2360 wrote to memory of 3824	2360	7131c2d3ec2d66df49601c5b6db5c686_JaffaCakes118.exe	85

C:\Users\Admin\AppData\Local\Temp\7131c2d3ec2d66df49601c5b6db5c686_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\7131c2d3ec2d66df49601c5b6db5c686_JaffaCakes118.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious behavior: RenamesItself
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
PID:2360
- C:\Users\Admin\AppData\Local\Temp\7131c2d3ec2d66df49601c5b6db5c686_JaffaCakes118.exe
  C:\Users\Admin\AppData\Local\Temp\7131c2d3ec2d66df49601c5b6db5c686_JaffaCakes118.exe
  2⤵
  - Deletes itself
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of UnmapMainImage
  PID:3824

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\7131c2d3ec2d66df49601c5b6db5c686_JaffaCakes118.exe

Filesize
784KB

MD5
d06958db97459f9ed0acc2716bb4d18c

SHA1
08ea3151cd33ed3a0c76eaec053d75b403dc95f9

SHA256
b89f49860f8a25461f2ba241f2831296d7783654ce9a006da783ecc2bfbb0860

SHA512
bd189f91e72676caf28bf0316bc40f3af9e4b0c4e2127c78264133b97181189441582f09c3d19995e4354da4aa4294bc0bfc93783014abafda18dca2fa2ba951

Download Submit
memory/2360-0-0x0000000000400000-0x0000000000712000-memory.dmp

Filesize
3.1MB

Download
memory/2360-1-0x0000000001920000-0x00000000019E4000-memory.dmp

Filesize
784KB

Download
memory/2360-2-0x0000000000400000-0x0000000000593000-memory.dmp

Filesize
1.6MB

Download
memory/2360-12-0x0000000000400000-0x0000000000593000-memory.dmp

Filesize
1.6MB

Download
memory/3824-13-0x0000000000400000-0x0000000000712000-memory.dmp

Filesize
3.1MB

Download
memory/3824-14-0x0000000000400000-0x0000000000593000-memory.dmp

Filesize
1.6MB

Download
memory/3824-15-0x0000000001A50000-0x0000000001B14000-memory.dmp

Filesize
784KB

Download
memory/3824-27-0x0000000005440000-0x00000000055D3000-memory.dmp

Filesize
1.6MB

Download
memory/3824-20-0x0000000000400000-0x0000000000587000-memory.dmp

Filesize
1.5MB

Download
memory/3824-30-0x0000000000400000-0x0000000000587000-memory.dmp

Filesize
1.5MB

Download