xmrig | 9e74bb5ce06aa4ac1752c9ed68052eafbc2154cf9cf2f989f402ba48bc2da608

General

Target

JaffaCakes118_9e74bb5ce06aa4ac1752c9ed68052eafbc2154cf9cf2f989f402ba48bc2da608.exe
Size

5.4MB
MD5

a4d9a9399f3bcce1602c774b0a7f3989
SHA1

7ef064d4112722de8fc0aeaac73d9647591f6d17
SHA256

9e74bb5ce06aa4ac1752c9ed68052eafbc2154cf9cf2f989f402ba48bc2da608
SHA512

618b060f98f587e8165c5a49c59d83c7f0f8d3e0895b0affe3ba826be3fc75f617678e3ed0cf0bd534d61f3e7b0098d37d20fa8dab215840bbc6e00dd08a3332
SSDEEP

98304:EniLf9FdfE0pZB156utgpPFotBER/mQ32U:eOl56utgpPF8u/B

Score

10^/10

xmrig miner upx

Malware Config

Signatures

Xmrig family
xmrig
xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

XMRig Miner payload 9 IoCs

miner

resource	yara_rule
behavioral1/memory/1152-0-0x000000013FF20000-0x0000000140274000-memory.dmp	xmrig
behavioral1/files/0x000d00000001277d-6.dat	xmrig
behavioral1/files/0x0008000000015f4e-7.dat	xmrig
behavioral1/memory/2772-13-0x000000013FDF0000-0x0000000140144000-memory.dmp	xmrig
behavioral1/memory/2812-11-0x000000013FD10000-0x0000000140064000-memory.dmp	xmrig
behavioral1/memory/1152-15-0x000000013FF20000-0x0000000140274000-memory.dmp	xmrig
behavioral1/memory/2812-16-0x000000013FD10000-0x0000000140064000-memory.dmp	xmrig
behavioral1/memory/2772-17-0x000000013FDF0000-0x0000000140144000-memory.dmp	xmrig
behavioral1/memory/2812-18-0x000000013FD10000-0x0000000140064000-memory.dmp	xmrig

Executes dropped EXE 2 IoCs

pid	Process
2772	gVMSpka.exe
2812	pAzRvCj.exe

Loads dropped DLL 2 IoCs

pid	Process
1152	JaffaCakes118_9e74bb5ce06aa4ac1752c9ed68052eafbc2154cf9cf2f989f402ba48bc2da608.exe
1152	JaffaCakes118_9e74bb5ce06aa4ac1752c9ed68052eafbc2154cf9cf2f989f402ba48bc2da608.exe

UPX packed file 9 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/1152-0-0x000000013FF20000-0x0000000140274000-memory.dmp	upx
behavioral1/files/0x000d00000001277d-6.dat	upx
behavioral1/files/0x0008000000015f4e-7.dat	upx
behavioral1/memory/2772-13-0x000000013FDF0000-0x0000000140144000-memory.dmp	upx
behavioral1/memory/2812-11-0x000000013FD10000-0x0000000140064000-memory.dmp	upx
behavioral1/memory/1152-15-0x000000013FF20000-0x0000000140274000-memory.dmp	upx
behavioral1/memory/2812-16-0x000000013FD10000-0x0000000140064000-memory.dmp	upx
behavioral1/memory/2772-17-0x000000013FDF0000-0x0000000140144000-memory.dmp	upx
behavioral1/memory/2812-18-0x000000013FD10000-0x0000000140064000-memory.dmp	upx

Drops file in Windows directory 2 IoCs

description	ioc	Process
File created	C:\Windows\System\gVMSpka.exe	JaffaCakes118_9e74bb5ce06aa4ac1752c9ed68052eafbc2154cf9cf2f989f402ba48bc2da608.exe
File created	C:\Windows\System\pAzRvCj.exe	JaffaCakes118_9e74bb5ce06aa4ac1752c9ed68052eafbc2154cf9cf2f989f402ba48bc2da608.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeLockMemoryPrivilege	1152	JaffaCakes118_9e74bb5ce06aa4ac1752c9ed68052eafbc2154cf9cf2f989f402ba48bc2da608.exe
Token: SeLockMemoryPrivilege	1152	JaffaCakes118_9e74bb5ce06aa4ac1752c9ed68052eafbc2154cf9cf2f989f402ba48bc2da608.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 1152 wrote to memory of 2772	1152	JaffaCakes118_9e74bb5ce06aa4ac1752c9ed68052eafbc2154cf9cf2f989f402ba48bc2da608.exe	32
PID 1152 wrote to memory of 2772	1152	JaffaCakes118_9e74bb5ce06aa4ac1752c9ed68052eafbc2154cf9cf2f989f402ba48bc2da608.exe	32
PID 1152 wrote to memory of 2772	1152	JaffaCakes118_9e74bb5ce06aa4ac1752c9ed68052eafbc2154cf9cf2f989f402ba48bc2da608.exe	32
PID 1152 wrote to memory of 2812	1152	JaffaCakes118_9e74bb5ce06aa4ac1752c9ed68052eafbc2154cf9cf2f989f402ba48bc2da608.exe	33
PID 1152 wrote to memory of 2812	1152	JaffaCakes118_9e74bb5ce06aa4ac1752c9ed68052eafbc2154cf9cf2f989f402ba48bc2da608.exe	33
PID 1152 wrote to memory of 2812	1152	JaffaCakes118_9e74bb5ce06aa4ac1752c9ed68052eafbc2154cf9cf2f989f402ba48bc2da608.exe	33

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9e74bb5ce06aa4ac1752c9ed68052eafbc2154cf9cf2f989f402ba48bc2da608.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9e74bb5ce06aa4ac1752c9ed68052eafbc2154cf9cf2f989f402ba48bc2da608.exe"
1⤵
- Loads dropped DLL
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1152
- C:\Windows\System\gVMSpka.exe
  C:\Windows\System\gVMSpka.exe
  2⤵
  - Executes dropped EXE
  PID:2772
- C:\Windows\System\pAzRvCj.exe
  C:\Windows\System\pAzRvCj.exe
  2⤵
  - Executes dropped EXE
  PID:2812

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\system\gVMSpka.exe

Filesize
5.4MB

MD5
bc3eccec66598d612e59431db20c22ed

SHA1
4030eb5be19d2e766842b93922092d9cf62a5a56

SHA256
6f157eb13b484d8f3ad9627f523abb91e6181f62d717cc0c310b442a999ae133

SHA512
3bce0524545c0a847b362d3b709ddac2a7aa6e3ecdeafc5be53d106eeffc25305369f60a9ce1f0f13f80e57f6ea4c4a0530a9da53c74936c47c024878e9fc8ff

Download Submit
\Windows\system\pAzRvCj.exe

Filesize
5.4MB

MD5
b420bcf5ed8b47f94152ac1fc8436e26

SHA1
fb80025dc4f245636cd2f7158c73e2d8df5b86e0

SHA256
a1c7114f37eaeb27532dc75b29376929d39e5aac2303dc4107a02b931a28e0f5

SHA512
0a51c03bf4f4ce6cf28ec3e93e4ed484331d4f467491000358b897fe2fc9c31ae5678176dab3faf38b8e8e6a618e7e51b99b422c2beedafdc73a5edb9b402d94

Download Submit
memory/1152-0-0x000000013FF20000-0x0000000140274000-memory.dmp

Filesize
3.3MB

Download
memory/1152-1-0x00000000001F0000-0x0000000000200000-memory.dmp

Filesize
64KB

Download
memory/1152-14-0x00000000022D0000-0x0000000002624000-memory.dmp

Filesize
3.3MB

Download
memory/1152-15-0x000000013FF20000-0x0000000140274000-memory.dmp

Filesize
3.3MB

Download
memory/2772-13-0x000000013FDF0000-0x0000000140144000-memory.dmp

Filesize
3.3MB

Download
memory/2772-17-0x000000013FDF0000-0x0000000140144000-memory.dmp

Filesize
3.3MB

Download
memory/2812-11-0x000000013FD10000-0x0000000140064000-memory.dmp

Filesize
3.3MB

Download
memory/2812-16-0x000000013FD10000-0x0000000140064000-memory.dmp

Filesize
3.3MB

Download
memory/2812-18-0x000000013FD10000-0x0000000140064000-memory.dmp

Filesize
3.3MB

Download

Analysis

Sharing