General
-
Target
fd2f11c31192e8efe0eb4b37d1a5e1b6_JaffaCakes118
-
Size
9.5MB
-
Sample
240420-vaycbsch78
-
MD5
fd2f11c31192e8efe0eb4b37d1a5e1b6
-
SHA1
48b2610a347ae04cd61cd33100715ca5476e1951
-
SHA256
a15c3b6773fa9d8db715f8c557c76c95e8f84db0fa5046ed7a01589bfdc778b5
-
SHA512
39a5e38dfb04b462e167462e78fe9cf018215cd8e9fcc7e1cf67e6ea93f99176af49995ed9c987899f140fe32faeda6757a2e814944b899454e771f183b04afa
-
SSDEEP
196608:0FSJAB+ZcpS+S6SrGTsD2dmmhGlkrwPgZS7rjsn6P44Nm:0FS+Bkc0+Fe6dmracMR7
Static task
static1
Behavioral task
behavioral1
Sample
fd2f11c31192e8efe0eb4b37d1a5e1b6_JaffaCakes118.exe
Resource
win7-20240221-en
Malware Config
Extracted
44caliber
https://discord.com/api/webhooks/868513655556292688/7ViWQKXofSCTi8VWoHEcGeQK61RUEBYfnsE72cu6TJnpHYwlgzbrVI5gQn_jpfUMFoS5
Targets
-
-
Target
fd2f11c31192e8efe0eb4b37d1a5e1b6_JaffaCakes118
-
Size
9.5MB
-
MD5
fd2f11c31192e8efe0eb4b37d1a5e1b6
-
SHA1
48b2610a347ae04cd61cd33100715ca5476e1951
-
SHA256
a15c3b6773fa9d8db715f8c557c76c95e8f84db0fa5046ed7a01589bfdc778b5
-
SHA512
39a5e38dfb04b462e167462e78fe9cf018215cd8e9fcc7e1cf67e6ea93f99176af49995ed9c987899f140fe32faeda6757a2e814944b899454e771f183b04afa
-
SSDEEP
196608:0FSJAB+ZcpS+S6SrGTsD2dmmhGlkrwPgZS7rjsn6P44Nm:0FS+Bkc0+Fe6dmracMR7
-
XMRig Miner payload
-
Stops running service(s)
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Executes dropped EXE
-
Loads dropped DLL
-
Modifies file permissions
-
Accesses cryptocurrency files/wallets, possible credential harvesting
-
Legitimate hosting services abused for malware hosting/C2
-
Looks up external IP address via web service
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Suspicious use of SetThreadContext
-
MITRE ATT&CK Enterprise v15
Persistence
Create or Modify System Process
1Windows Service
1Scheduled Task/Job
1Privilege Escalation
Create or Modify System Process
1Windows Service
1Scheduled Task/Job
1