xmrig

General

Target

JaffaCakes118_998997122e364144750a72db4049d50e38e6a879b0c67bd92ff5f6a549c7f2f5
Size

680.4MB
Sample

241225-r6zcqavrb1
MD5

b7b4e0558eb6188abc6e17d77abb4f73
SHA1

22851c79469486055efc62599a25eb4e1f8cc8b1
SHA256

998997122e364144750a72db4049d50e38e6a879b0c67bd92ff5f6a549c7f2f5
SHA512

638827eb702d032bf9f045854c1a79cd3bb841c9147ddd66fce98d91072bcd67338ae7214a248f8b0c8e43a68c8af48d2991a5ecae9df4e35666cf0477529cc3
SSDEEP

196608:gomVwAoiSs79XEVmNmbGHDoKUrUNQ9SzsIW8YtuNfU/:goqwAoSREVmDjzfIuNfU/

Score

10^/10

Malware Config

Targets

- Target
  
  JaffaCakes118_998997122e364144750a72db4049d50e38e6a879b0c67bd92ff5f6a549c7f2f5
- Size
  
  680.4MB
- MD5
  
  b7b4e0558eb6188abc6e17d77abb4f73
- SHA1
  
  22851c79469486055efc62599a25eb4e1f8cc8b1
- SHA256
  
  998997122e364144750a72db4049d50e38e6a879b0c67bd92ff5f6a549c7f2f5
- SHA512
  
  638827eb702d032bf9f045854c1a79cd3bb841c9147ddd66fce98d91072bcd67338ae7214a248f8b0c8e43a68c8af48d2991a5ecae9df4e35666cf0477529cc3
- SSDEEP
  
  196608:gomVwAoiSs79XEVmNmbGHDoKUrUNQ9SzsIW8YtuNfU/:goqwAoSREVmDjzfIuNfU/
Score

10^/10

xmrig discovery evasion execution miner themida trojan
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Xmrig family
  xmrig
- xmrig
  XMRig is a high performance, open source, cross platform CPU/GPU miner.
  miner xmrig
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
  evasion
- XMRig Miner payload
  miner
- Command and Scripting Interpreter: PowerShell
  Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
  execution
- Command and Scripting Interpreter: PowerShell
  Using powershell.exe command.
  execution
- Stops running service(s)
  evasion execution
- Checks BIOS information in registry
  BIOS information is often read in order to detect sandboxing environments.
- Executes dropped EXE
- Loads dropped DLL
- Themida packer
  Detects Themida, an advanced Windows software protection system.
  themida
- Checks whether UAC is enabled
  evasion trojan
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- Drops file in System32 directory
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
behavioral1 behavioral2
- Target
  
  #/[New]3.exe
- Size
  
  678.7MB
- MD5
  
  5a0bccfe6d74400f7d85d1fdde17d0cb
- SHA1
  
  52651d2bb9d43087173d43f35bb10cece676e1b1
- SHA256
  
  794eb5198ce2e7b8dae24bad2c4f4ff22beec2930df07c086fc61ec6d72aeb99
- SHA512
  
  2bc7126650008c9ff26a0a155132598ab614208499d75900f94141e6a526c2fa2c0823ce108f70f3ac92249d0cb68961dd5c0bc1f4180e72d09815c46ed3abeb
- SSDEEP
  
  196608:kVGX2wkOZk+aKkVBuQyWvDFeynwuLzR51XKAOaBI8y71RDwhMELJU:R2wZaRiQyWUcX16AOaexEL
Score

1^/10
behavioral3 behavioral4
- Target
  
  #/[New]crypted.exe
- Size
  
  345.0MB
- MD5
  
  16c54db617264f93a97e912952abba5a
- SHA1
  
  bad735076a3dd6f7e45ef76affb27f17e4850a85
- SHA256
  
  212d3ecf448a910640f4e7fc9d45f1a85ee329649942b0ec1a6891c49fe6716d
- SHA512
  
  3988607b155dce1453e1bcde4a855374cd345b6395597c3ed5b0ab2bf5a23a5d5d515c9684fb27413ce0292ce3f07622e9189a2a8a5c5381c43ecf4e2823f0c3
- SSDEEP
  
  24576:42NnjK5U1a2vjevHHunpE5GAfrMb9pOV5q3IzUtoc:Tra2vjevHHuKJrMVp
Score

1^/10
behavioral5 behavioral6