xmrig | 2d890c8d5cbbb900b5930265cb8ff52018eed03568ad60657629e203ddc12bbe

Analysis

max time kernel
126s
max time network
134s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
11/09/2024, 14:36

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

da905732ed719251ce5c0666a6f571a9_JaffaCakes118.exe
Size

784KB
MD5

da905732ed719251ce5c0666a6f571a9
SHA1

4e3baaf6cfd0e98b2c75bb026ad1d41e3f81fff5
SHA256

2d890c8d5cbbb900b5930265cb8ff52018eed03568ad60657629e203ddc12bbe
SHA512

962eedd1b70337daae785f2824acdc996e34614a0659ab3291f5ee4d04177792fa3c505e5977792ee506d8c9dfc21291008e9c0270152d8458ada402b5098fa8
SSDEEP

24576:Mj94PiavbVoNTCNS+OGqZR0ulatXpYmRuf6rQ1XEGsV:u46/NTehqbwXppoyrQ6V

Score

10^/10

xmrig discovery miner upx

Malware Config

Signatures

xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

XMRig Miner payload 6 IoCs

miner

resource	yara_rule
behavioral2/memory/4948-2-0x0000000000400000-0x0000000000593000-memory.dmp	xmrig
behavioral2/memory/4948-12-0x0000000000400000-0x0000000000593000-memory.dmp	xmrig
behavioral2/memory/3236-15-0x0000000000400000-0x0000000000593000-memory.dmp	xmrig
behavioral2/memory/3236-20-0x00000000053D0000-0x0000000005563000-memory.dmp	xmrig
behavioral2/memory/3236-21-0x0000000000400000-0x0000000000587000-memory.dmp	xmrig
behavioral2/memory/3236-30-0x0000000000400000-0x0000000000587000-memory.dmp	xmrig

Deletes itself 1 IoCs

pid	Process
3236	da905732ed719251ce5c0666a6f571a9_JaffaCakes118.exe

Executes dropped EXE 1 IoCs

pid	Process
3236	da905732ed719251ce5c0666a6f571a9_JaffaCakes118.exe

UPX packed file 3 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/4948-0-0x0000000000400000-0x0000000000712000-memory.dmp	upx
behavioral2/files/0x0008000000023634-11.dat	upx
behavioral2/memory/3236-13-0x0000000000400000-0x0000000000712000-memory.dmp	upx

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	da905732ed719251ce5c0666a6f571a9_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	da905732ed719251ce5c0666a6f571a9_JaffaCakes118.exe

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
4948	da905732ed719251ce5c0666a6f571a9_JaffaCakes118.exe

Suspicious use of UnmapMainImage 2 IoCs

pid	Process
4948	da905732ed719251ce5c0666a6f571a9_JaffaCakes118.exe
3236	da905732ed719251ce5c0666a6f571a9_JaffaCakes118.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 4948 wrote to memory of 3236	4948	da905732ed719251ce5c0666a6f571a9_JaffaCakes118.exe	93
PID 4948 wrote to memory of 3236	4948	da905732ed719251ce5c0666a6f571a9_JaffaCakes118.exe	93
PID 4948 wrote to memory of 3236	4948	da905732ed719251ce5c0666a6f571a9_JaffaCakes118.exe	93

C:\Users\Admin\AppData\Local\Temp\da905732ed719251ce5c0666a6f571a9_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\da905732ed719251ce5c0666a6f571a9_JaffaCakes118.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious behavior: RenamesItself
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
PID:4948
- C:\Users\Admin\AppData\Local\Temp\da905732ed719251ce5c0666a6f571a9_JaffaCakes118.exe
  C:\Users\Admin\AppData\Local\Temp\da905732ed719251ce5c0666a6f571a9_JaffaCakes118.exe
  2⤵
  - Deletes itself
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of UnmapMainImage
  PID:3236

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --field-trial-handle=4424,i,6510295916244954942,10164894160290787457,262144 --variations-seed-version --mojo-platform-channel-handle=4444 /prefetch:8
1⤵
PID:4856

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\da905732ed719251ce5c0666a6f571a9_JaffaCakes118.exe

Filesize
784KB

MD5
00051644f4f165341079202d773b490b

SHA1
2816dca2aca3942004f0f31eae2ffad801ddb619

SHA256
35229bce77fc2e5f6e3d72d55c6d728fb5fcfb5222ed34595efc9f60231702d3

SHA512
86584479bc5adb24c1ad62817e0051cf81457bdbffc5bb12d8ed4a81b18d51e57f96be2c3f61fb38fbc65ce9425dcbc61e0bd1bdc1ae1bebfadaddb0073c26c2

Download Submit
memory/3236-13-0x0000000000400000-0x0000000000712000-memory.dmp

Filesize
3.1MB

Download
memory/3236-14-0x0000000001720000-0x00000000017E4000-memory.dmp

Filesize
784KB

Download
memory/3236-15-0x0000000000400000-0x0000000000593000-memory.dmp

Filesize
1.6MB

Download
memory/3236-20-0x00000000053D0000-0x0000000005563000-memory.dmp

Filesize
1.6MB

Download
memory/3236-21-0x0000000000400000-0x0000000000587000-memory.dmp

Filesize
1.5MB

Download
memory/3236-30-0x0000000000400000-0x0000000000587000-memory.dmp

Filesize
1.5MB

Download
memory/4948-0-0x0000000000400000-0x0000000000712000-memory.dmp

Filesize
3.1MB

Download
memory/4948-1-0x0000000001A90000-0x0000000001B54000-memory.dmp

Filesize
784KB

Download
memory/4948-2-0x0000000000400000-0x0000000000593000-memory.dmp

Filesize
1.6MB

Download
memory/4948-12-0x0000000000400000-0x0000000000593000-memory.dmp

Filesize
1.6MB

Download