xmrig | 582030bf633f2038a255a41437bb17ca776bfd1ac85b24b969a903664802a05f

Analysis

max time kernel
133s
max time network
143s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
24/12/2024, 00:01

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

JaffaCakes118_582030bf633f2038a255a41437bb17ca776bfd1ac85b24b969a903664802a05f.exe
Size

3.0MB
MD5

beab92a1b6a1b61caf3d3a87571ec051
SHA1

29543bc4957f33815237239d4ca4001c82466bef
SHA256

582030bf633f2038a255a41437bb17ca776bfd1ac85b24b969a903664802a05f
SHA512

4d6fa42638e7086891148ffe491f733cc9179fc1852c8d68510f12218b7a48e41276a93db929971af16d0581df937e3d3c259ca1d2a8ae4c26e63f0966fa5a39
SSDEEP

49152:EnCbL83y9FdfE0pZ0zCa4wI156uL3pgrCEdMKPFotsgEBr6Gd:EniLf9FdfE0pZB156utgpPFotBEz

Score

10^/10

xmrig miner upx

Malware Config

Signatures

Xmrig family
xmrig
xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

XMRig Miner payload 6 IoCs

miner

resource	yara_rule
behavioral1/memory/2892-0-0x000000013F8E0000-0x000000013FC34000-memory.dmp	xmrig
behavioral1/files/0x000700000001211a-3.dat	xmrig
behavioral1/memory/3032-7-0x000000013F0F0000-0x000000013F444000-memory.dmp	xmrig
behavioral1/memory/2892-8-0x000000013F8E0000-0x000000013FC34000-memory.dmp	xmrig
behavioral1/memory/3032-10-0x000000013F0F0000-0x000000013F444000-memory.dmp	xmrig
behavioral1/memory/3032-11-0x000000013F0F0000-0x000000013F444000-memory.dmp	xmrig

Executes dropped EXE 1 IoCs

pid	Process
3032	aKrxeWn.exe

Loads dropped DLL 1 IoCs

pid	Process
2892	JaffaCakes118_582030bf633f2038a255a41437bb17ca776bfd1ac85b24b969a903664802a05f.exe

UPX packed file 6 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2892-0-0x000000013F8E0000-0x000000013FC34000-memory.dmp	upx
behavioral1/files/0x000700000001211a-3.dat	upx
behavioral1/memory/3032-7-0x000000013F0F0000-0x000000013F444000-memory.dmp	upx
behavioral1/memory/2892-8-0x000000013F8E0000-0x000000013FC34000-memory.dmp	upx
behavioral1/memory/3032-10-0x000000013F0F0000-0x000000013F444000-memory.dmp	upx
behavioral1/memory/3032-11-0x000000013F0F0000-0x000000013F444000-memory.dmp	upx

Drops file in Windows directory 1 IoCs

description	ioc	Process
File created	C:\Windows\System\aKrxeWn.exe	JaffaCakes118_582030bf633f2038a255a41437bb17ca776bfd1ac85b24b969a903664802a05f.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeLockMemoryPrivilege	2892	JaffaCakes118_582030bf633f2038a255a41437bb17ca776bfd1ac85b24b969a903664802a05f.exe
Token: SeLockMemoryPrivilege	2892	JaffaCakes118_582030bf633f2038a255a41437bb17ca776bfd1ac85b24b969a903664802a05f.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 2892 wrote to memory of 3032	2892	JaffaCakes118_582030bf633f2038a255a41437bb17ca776bfd1ac85b24b969a903664802a05f.exe	29
PID 2892 wrote to memory of 3032	2892	JaffaCakes118_582030bf633f2038a255a41437bb17ca776bfd1ac85b24b969a903664802a05f.exe	29
PID 2892 wrote to memory of 3032	2892	JaffaCakes118_582030bf633f2038a255a41437bb17ca776bfd1ac85b24b969a903664802a05f.exe	29

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_582030bf633f2038a255a41437bb17ca776bfd1ac85b24b969a903664802a05f.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_582030bf633f2038a255a41437bb17ca776bfd1ac85b24b969a903664802a05f.exe"
1⤵
- Loads dropped DLL
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2892
- C:\Windows\System\aKrxeWn.exe
  C:\Windows\System\aKrxeWn.exe
  2⤵
  - Executes dropped EXE
  PID:3032

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

\Windows\system\aKrxeWn.exe

Filesize
3.0MB

MD5
640bd4a05973671dbeb7047396d0379d

SHA1
1562cce77274891a3395800cf0011a3a8d21a70e

SHA256
aa65420692850ec088882ef84904d7096ac3df1dfa5e2c1ffdc46c8a06a5cbf3

SHA512
2f1673d8519a252619f82cf24b86bb28cd3529b6e5df2688a4f6d5048699d0ec407d6cd17779c560c3ad4baa7067cf98da98ede99fb4fb98ca838d584ea5a306

Download Submit
memory/2892-0-0x000000013F8E0000-0x000000013FC34000-memory.dmp

Filesize
3.3MB

Download
memory/2892-1-0x00000000001F0000-0x0000000000200000-memory.dmp

Filesize
64KB

Download
memory/2892-8-0x000000013F8E0000-0x000000013FC34000-memory.dmp

Filesize
3.3MB

Download
memory/2892-9-0x000000013F0F0000-0x000000013F444000-memory.dmp

Filesize
3.3MB

Download
memory/3032-7-0x000000013F0F0000-0x000000013F444000-memory.dmp

Filesize
3.3MB

Download
memory/3032-10-0x000000013F0F0000-0x000000013F444000-memory.dmp

Filesize
3.3MB

Download
memory/3032-11-0x000000013F0F0000-0x000000013F444000-memory.dmp

Filesize
3.3MB

Download