// case type

cryptojacking

unauthorized cryptocurrency miner on an endpoint or cloud workload. indicators: sustained CPU/GPU load above the host's baseline, a persistence mechanism that restarts the miner, and outbound connections to mining-pool infrastructure.

tools: 12
priority: L
processing: local · in browser

start here · primary tools

ordered. work top-down. the first tool is the suggested entry point for this case type.

  1. process tree rebuilder: drop a memory dump · scan EPROCESS pool tags · reconstruct parent/child process tree · flag orphaned and suspicious chains · export CSV · runs locally
  2. memory pe extractor: drop a memory dump · scan for PE headers · carve embedded executables · rebuild PE structure · download extracted files · runs locally
  3. memory entropy analyzer: drop a memory dump · shannon entropy per block · heatmap · high-entropy regions · hex dump · csv + png export · runs locally
  4. in-memory malware configuration extractor: drop a process memory dump · xor-decode json/xml config blocks · extract c2 ip, port, campaign id and mutex · multi-technique local scan · runs locally
  5. network beaconing detector: drop connection logs or PCAP · statistical analysis of connection intervals per host · jitter detection · C2 beaconing patterns · periodic callback identification · export CSV · runs locally
  6. beaconing pattern detector: drop pcap or zeek conn log · periodic c2 beacon intervals · regularity and jitter scores · export csv · runs locally
  7. dns query analyzer: drop a PCAP or paste DNS log · extract queries · detect DGA patterns · DNS tunneling · high-frequency domains · suspicious TLDs · export CSV · runs locally
  8. c2 callback interval analyzer: drop pcap or zeek conn log · deep interval stats · c2 framework timing profiles · jitter estimation · export csv · runs locally
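the interval statistic that tools 5, 6 and 8 describe, as an added worked example. this is editor-written code, not one of the catalog's tools and not code from the page. it reads a constructed zeek conn.log-style sample (the column subset, the hosts and the port are invented; 203.0.113.10:3333 stands in for a pool), groups connections per (source, destination, port), and scores each flow by the coefficient of variation of its inter-connection gaps: near 0 means metronomic callbacks, larger means jitter. the thresholds (min_conns=5, max_cv=0.2, long_session_s=3600) are assumed defaults, not values from the page. one practitioner caveat is built in: a miner that holds a single persistent stratum session to its pool produces one long-duration conn record rather than a train of short connections, so the block also flags long-lived sessions to the same destination instead of relying on periodicity alone.

```python
import statistics
from collections import defaultdict

# Constructed sample in Zeek conn.log column order (subset): ts, uid, id.orig_h,
# id.orig_p, id.resp_h, id.resp_p, proto, duration. Hosts and ports are invented;
# 203.0.113.10:3333 stands in for a mining pool, not a real one.
SAMPLE_CONN_LOG = """\
#fields\tts\tuid\tid.orig_h\tid.orig_p\tid.resp_h\tid.resp_p\tproto\tduration
1700000000.000\tC1\t10.0.0.5\t51000\t203.0.113.10\t3333\ttcp\t1.2
1700000060.100\tC2\t10.0.0.5\t51001\t203.0.113.10\t3333\ttcp\t1.1
1700000119.800\tC3\t10.0.0.5\t51002\t203.0.113.10\t3333\ttcp\t1.3
1700000180.300\tC4\t10.0.0.5\t51003\t203.0.113.10\t3333\ttcp\t1.0
1700000239.900\tC5\t10.0.0.5\t51004\t203.0.113.10\t3333\ttcp\t1.2
1700000300.200\tC6\t10.0.0.5\t51005\t203.0.113.10\t3333\ttcp\t1.1
1700000000.000\tC7\t10.0.0.7\t52000\t198.51.100.20\t443\ttcp\t0.4
1700000005.000\tC8\t10.0.0.7\t52001\t198.51.100.20\t443\ttcp\t2.0
1700000400.000\tC9\t10.0.0.7\t52002\t198.51.100.20\t443\ttcp\t0.3
1700000410.000\tC10\t10.0.0.7\t52003\t198.51.100.20\t443\ttcp\t0.9
1700001500.000\tC11\t10.0.0.7\t52004\t198.51.100.20\t443\ttcp\t0.2
1700001503.000\tC12\t10.0.0.7\t52005\t198.51.100.20\t443\ttcp\t0.5
1700000100.000\tC13\t10.0.0.9\t53000\t203.0.113.10\t3333\ttcp\t86000.0
"""


def parse_conn_log(text):
    """Parse the tab-separated sample into dicts; '#' header/comment lines are skipped."""
    records = []
    for line in text.splitlines():
        if not line or line.startswith("#"):
            continue
        ts, _uid, orig_h, _orig_p, resp_h, resp_p, _proto, duration = line.split("\t")
        records.append({
            "ts": float(ts),
            "orig_h": orig_h,
            "resp_h": resp_h,
            "resp_p": int(resp_p),
            "duration": float(duration),
        })
    return records


def beacon_scores(records):
    """Per (orig_h, resp_h, resp_p) flow: gap statistics plus the longest single session."""
    flows = defaultdict(list)
    for r in records:
        flows[(r["orig_h"], r["resp_h"], r["resp_p"])].append(r)
    scores = {}
    for key, conns in flows.items():
        ts = sorted(c["ts"] for c in conns)
        intervals = [b - a for a, b in zip(ts, ts[1:])]
        if len(intervals) >= 2:
            mean = statistics.mean(intervals)
            cv = statistics.stdev(intervals) / mean if mean > 0 else None
        else:
            mean = intervals[0] if intervals else None
            cv = None
        scores[key] = {
            "count": len(conns),
            "mean_interval": mean,
            "jitter_cv": cv,                                   # stdev/mean of gaps; 0 = metronomic
            "regularity": None if cv is None else max(0.0, 1.0 - cv),
            "max_duration": max(c["duration"] for c in conns),
        }
    return scores


def flag_beacons(scores, min_conns=5, max_cv=0.2, long_session_s=3600):
    """Assumed thresholds: enough connections with low jitter, or one long-lived session."""
    flagged = []
    for key, s in scores.items():
        if s["count"] >= min_conns and s["jitter_cv"] is not None and s["jitter_cv"] <= max_cv:
            flagged.append((key, "periodic", s["mean_interval"]))
        elif s["max_duration"] >= long_session_s:
            flagged.append((key, "long-lived session", s["max_duration"]))
    return flagged


def analyze(text=SAMPLE_CONN_LOG, **thresholds):
    return flag_beacons(beacon_scores(parse_conn_log(text)), **thresholds)


if __name__ == "__main__":
    for key, reason, value in analyze():
        print(key, reason, round(value, 1))
```

on the sample, 10.0.0.5 is flagged as periodic (six connections about 60 s apart, jitter cv under 0.01), 10.0.0.9 as a long-lived session (one connection of roughly a day), and 10.0.0.7's irregular https traffic is not flagged. tune the thresholds to the dwell time you are looking at: a miner that reconnects only after pool drops will sit well below min_conns on a short capture, which is why the duration check matters.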

also useful · secondary tools

supporting and follow-up tools. surface as the investigation widens.

  1. windows scheduled task analyzer: drop task scheduler xml · triggers · actions · principals · suspicion score · decode encoded powershell · persistence hints · runs locally
  2. registry autoruns & services parser: drop NTUSER.DAT · SOFTWARE · or SYSTEM hive · parse Run keys · services · scheduled load points · flag suspicious paths · export CSV · runs locally
  3. linux persistence analyzer: drop linux artifact files · identify all persistence mechanisms · rc.local · systemd units · cron · authorized keys · ld.so.preload · profile scripts · runs locally
  4. case report generator: fill in case number · examiner · dates · findings · drop evidence files for auto hash · generates structured forensic report PDF · runs locally
// case-kit pipeline

run as a stack

skip the click-through. these presets are curated forensic pipelines you can save as a stack with one click and run on your evidence locally.

  • cryptojacking — beacon kit

    8 steps

    drop process + network + DNS logs → ancestry → beacon detect → DNS timeline → persistence → report

    1. evidence-manifest-generator: hash log exports before analysis
    2. process-ancestry-reconstructor: reconstruct process parent-child chains for miner processes
    3. network-beaconing-pattern-detector: detect periodic beaconing to mining pools
    4. host-beaconing-detector: host-level beacon interval analysis
    5. dns-log-analyzer: DNS query analysis for pool domain resolution
    6. scheduled-task-deletion-detector: detect scheduled-task tampering for miner persistence
    7. registry-autorun-removal-detector: detect autorun key removal, i.e. anti-forensics after miner install
    8. case-report-generator: draft a report identifying miner persistence + pool infrastructure
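step 2 of the stack (and the parent/child rebuild in primary tool 1), as an added worked example. this is editor-written code, not the catalog's reconstructor and not code from the page. it assumes you already have a flat pid/ppid/name/cmdline listing (what a pslist-style export gives you) rather than raw EPROCESS structures, walks ppid links back to the root, and flags three things: orphaned processes whose parent pid is absent from the listing (parent exited, hidden, or unlinked), command lines carrying miner indicators, and processes whose ancestry passes through a scheduler-hosted parent. the process list is constructed, 203.0.113.10 is a documentation address, and the two indicator lists are a minimal assumed set for the example (a stratum URI scheme, two CLI switches common to open-source CPU miners, and the svchost "-s Schedule" form), not a vetted signature set. it also emits the CSV the tool description mentions.

```python
import csv
import io
import re

# Constructed pslist-style export: (pid, ppid, name, cmdline). Every value is invented
# for illustration; the lineage models a scheduled task launching a hidden interpreter
# that drops a miner, plus a second miner whose parent is no longer in the dump.
SAMPLE_PROCESSES = [
    (4,    0,    "System",         ""),
    (512,  4,    "wininit.exe",    "wininit.exe"),
    (640,  512,  "services.exe",   "services.exe"),
    (900,  640,  "svchost.exe",    "svchost.exe -k netsvcs -p -s Schedule"),
    (1400, 640,  "svchost.exe",    "svchost.exe -k NetworkService"),
    (2200, 900,  "powershell.exe", "powershell.exe -w hidden -nop -f C:\\ProgramData\\upd.ps1"),
    (2300, 2200, "sysupdate.exe",  "sysupdate.exe -o stratum+tcp://203.0.113.10:3333 -u wallet1"),
    (3100, 2875, "kworker.exe",    "kworker.exe --donate-level=1 --cpu-max-threads-hint=50"),
]

# Assumed indicator patterns: a minimal list for the example, not a vetted signature set.
MINER_PATTERNS = [
    re.compile(r"stratum\+(tcp|ssl)://", re.I),   # stratum pool URI
    re.compile(r"--donate-level", re.I),           # CLI switch seen on open-source CPU miners
    re.compile(r"--cpu-max-threads-hint", re.I),
]
# Assumed: parents matching these host a scheduler, so their descendants are task-spawned.
SCHEDULER_PATTERNS = [re.compile(r"-s Schedule\b", re.I)]  # svchost hosting Task Scheduler


def build_index(procs):
    """pid -> record dict, plus a parent -> [child pids] map for tree export."""
    by_pid = {pid: {"pid": pid, "ppid": ppid, "name": name, "cmdline": cmd}
              for pid, ppid, name, cmd in procs}
    children = {}
    for rec in by_pid.values():
        children.setdefault(rec["ppid"], []).append(rec["pid"])
    return by_pid, children


def ancestry(by_pid, pid):
    """Walk ppid links to the root. Returns (names root->pid, orphaned)."""
    chain, orphaned, seen = [], False, set()
    cur = by_pid.get(pid)
    while cur is not None and cur["pid"] not in seen:   # seen-set guards against ppid cycles
        seen.add(cur["pid"])
        chain.append(cur["name"])
        if cur["ppid"] == 0:
            break
        parent = by_pid.get(cur["ppid"])
        if parent is None:
            orphaned = True   # parent pid absent from the listing: exited, hidden, or unlinked
        cur = parent
    return list(reversed(chain)), orphaned


def find_suspicious(procs):
    """Flag orphaned chains, miner command lines, and scheduler-spawned lineage."""
    by_pid, _children = build_index(procs)
    findings = []
    for pid, rec in by_pid.items():
        chain, orphaned = ancestry(by_pid, pid)
        reasons = []
        if orphaned:
            reasons.append("orphaned")
        if any(p.search(rec["cmdline"]) for p in MINER_PATTERNS):
            reasons.append("miner-indicator")
        anc = by_pid.get(rec["ppid"])                  # check ancestors only, never the process itself
        while anc is not None:
            if any(p.search(anc["cmdline"]) for p in SCHEDULER_PATTERNS):
                reasons.append("scheduled-task ancestry")
                break
            anc = by_pid.get(anc["ppid"]) if anc["ppid"] != 0 else None
        if reasons:
            findings.append({"pid": pid, "name": rec["name"],
                             "chain": " > ".join(chain), "reasons": reasons})
    return findings


def findings_csv(findings):
    """CSV export of the findings, one row per flagged process."""
    buf = io.StringIO()
    w = csv.writer(buf)
    w.writerow(["pid", "name", "reasons", "ancestry"])
    for f in findings:
        w.writerow([f["pid"], f["name"], ";".join(f["reasons"]), f["chain"]])
    return buf.getvalue()


if __name__ == "__main__":
    print(findings_csv(find_suspicious(SAMPLE_PROCESSES)), end="")
```

on the sample this yields three rows: the hidden powershell (scheduled-task ancestry), sysupdate.exe (miner indicator plus the same scheduler lineage, with the full System > wininit.exe > services.exe > svchost.exe > powershell.exe chain), and kworker.exe (orphaned plus miner indicator). the orphan flag is the one to read carefully: a parent that simply exited is benign, so pair it with the cmdline and the entropy/PE carving results before calling it hidden.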
// pattern-matched

tools that the manifest-classifier flagged as plausibly useful here but that aren't in the hand-curated lists above. less editorial weight — scan, don't work top-down.

+ 57 more in this pattern match. browse the full forensics catalog via the forensics category.
