Malware Analysis Report

2025-03-15 06:00

Sample ID 240512-jdnrhsef9y
Target 38f70ac1cf4072da6e340dc50012596c_JaffaCakes118
SHA256 af647f7792cc76974d8016eb25b303c41281f166c29af268a2fb5d6c9af409cd
Tags
miner vmprotect xmrig
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

af647f7792cc76974d8016eb25b303c41281f166c29af268a2fb5d6c9af409cd

Threat Level: Known bad

The file 38f70ac1cf4072da6e340dc50012596c_JaffaCakes118 was found to be: Known bad.

Malicious Activity Summary

miner vmprotect xmrig

Xmrig family

xmrig

XMRig Miner payload

VMProtect packed file

Executes dropped EXE

Checks computer location settings

Unsigned PE

Enumerates physical storage devices

Suspicious use of AdjustPrivilegeToken

Creates scheduled task(s)

Suspicious behavior: EnumeratesProcesses

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-05-12 07:33

Signatures

XMRig Miner payload

miner
Description Indicator Process Target
N/A N/A N/A N/A

Xmrig family

xmrig

VMProtect packed file

vmprotect
Description Indicator Process Target
N/A N/A N/A N/A

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-05-12 07:33

Reported

2024-05-12 07:35

Platform

win7-20240221-en

Max time kernel

150s

Max time network

125s

Command Line

"C:\Users\Admin\AppData\Local\Temp\38f70ac1cf4072da6e340dc50012596c_JaffaCakes118.exe"

Signatures

xmrig

miner xmrig

XMRig Miner payload

miner
Description Indicator Process Target
N/A N/A N/A N/A (5 rows, all N/A)

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\ProgramData\cpsvchost.exe N/A

VMProtect packed file

vmprotect
Description Indicator Process Target
N/A N/A N/A N/A (5 rows, all N/A)

Enumerates physical storage devices

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\38f70ac1cf4072da6e340dc50012596c_JaffaCakes118.exe N/A
N/A N/A C:\ProgramData\cpsvchost.exe N/A (63 identical rows)

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeLockMemoryPrivilege N/A C:\ProgramData\cpsvchost.exe N/A
Token: SeLockMemoryPrivilege N/A C:\ProgramData\cpsvchost.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\38f70ac1cf4072da6e340dc50012596c_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\38f70ac1cf4072da6e340dc50012596c_JaffaCakes118.exe"

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN System\WindowsDefender /TR C:\ProgramData\cpsvchost.exe /F

C:\Windows\system32\taskeng.exe

taskeng.exe {0DB00EF9-66B1-48E5-8FA5-AD597B484FED} S-1-5-21-330940541-141609230-1670313778-1000:KXIPPCKF\Admin:Interactive:[1]

C:\ProgramData\cpsvchost.exe

C:\ProgramData\cpsvchost.exe

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN System\WindowsDefender /TR C:\ProgramData\cpsvchost.exe /F

Network

Country Destination Domain Proto
US 8.8.8.8:53 pool.monero.hashvault.pro udp

Files

memory/1368-7-0x0000000000C31000-0x0000000000E15000-memory.dmp

memory/1368-0-0x0000000000080000-0x0000000000081000-memory.dmp

memory/1368-5-0x0000000000B80000-0x000000000104D000-memory.dmp

memory/1368-4-0x0000000000080000-0x0000000000081000-memory.dmp

memory/1368-2-0x0000000000080000-0x0000000000081000-memory.dmp

memory/1368-10-0x0000000000B80000-0x000000000104D000-memory.dmp

memory/1368-12-0x0000000000B80000-0x000000000104D000-memory.dmp

memory/1368-13-0x0000000000C31000-0x0000000000E15000-memory.dmp

C:\ProgramData\cpsvchost.exe

MD5 38f70ac1cf4072da6e340dc50012596c
SHA1 180dcd4b8d02db621886ccb7f038635341d545c7
SHA256 af647f7792cc76974d8016eb25b303c41281f166c29af268a2fb5d6c9af409cd
SHA512 30af5f95ed4f43d470046b311cb5057455c3ad515dcb93f72323be55d0250629ba42629e2937c16fc08c5bd51de79d222a14edc9b9de5e6fbbf3a0531e1136d6

memory/2428-20-0x0000000000080000-0x0000000000081000-memory.dmp

memory/2428-22-0x00000000000B0000-0x000000000057D000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-05-12 07:33

Reported

2024-05-12 07:35

Platform

win10v2004-20240508-en

Max time kernel

149s

Max time network

146s

Command Line

"C:\Users\Admin\AppData\Local\Temp\38f70ac1cf4072da6e340dc50012596c_JaffaCakes118.exe"

Signatures

xmrig

miner xmrig

XMRig Miner payload

miner
Description Indicator Process Target
N/A N/A N/A N/A (6 rows, all N/A)

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\38f70ac1cf4072da6e340dc50012596c_JaffaCakes118.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Control Panel\International\Geo\Nation C:\ProgramData\cpsvchost.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\ProgramData\cpsvchost.exe N/A

VMProtect packed file

vmprotect
Description Indicator Process Target
N/A N/A N/A N/A (6 rows, all N/A)

Enumerates physical storage devices

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\38f70ac1cf4072da6e340dc50012596c_JaffaCakes118.exe N/A (2 identical rows)
N/A N/A C:\ProgramData\cpsvchost.exe N/A (62 identical rows)

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeLockMemoryPrivilege N/A C:\ProgramData\cpsvchost.exe N/A
Token: SeLockMemoryPrivilege N/A C:\ProgramData\cpsvchost.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\38f70ac1cf4072da6e340dc50012596c_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\38f70ac1cf4072da6e340dc50012596c_JaffaCakes118.exe"

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN System\WindowsDefender /TR C:\ProgramData\cpsvchost.exe /F

C:\ProgramData\cpsvchost.exe

C:\ProgramData\cpsvchost.exe

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN System\WindowsDefender /TR C:\ProgramData\cpsvchost.exe /F

Network

Country Destination Domain Proto
US 8.8.8.8:53 157.123.68.40.in-addr.arpa udp
US 8.8.8.8:53 77.190.18.2.in-addr.arpa udp
US 8.8.8.8:53 171.39.242.20.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 pool.monero.hashvault.pro udp (20 identical rows, interleaved with the two entries below)
NL 52.111.243.29:443 tcp
US 8.8.8.8:53 22.236.111.52.in-addr.arpa udp

Files

memory/1260-0-0x0000000000CB0000-0x0000000000CB1000-memory.dmp

memory/1260-1-0x0000000000210000-0x00000000006DD000-memory.dmp

memory/1260-5-0x00000000002C1000-0x00000000004A5000-memory.dmp

memory/1260-6-0x0000000000210000-0x00000000006DD000-memory.dmp

memory/1260-8-0x00000000002C1000-0x00000000004A5000-memory.dmp

memory/1260-9-0x0000000000210000-0x00000000006DD000-memory.dmp

C:\ProgramData\cpsvchost.exe

MD5 38f70ac1cf4072da6e340dc50012596c
SHA1 180dcd4b8d02db621886ccb7f038635341d545c7
SHA256 af647f7792cc76974d8016eb25b303c41281f166c29af268a2fb5d6c9af409cd
SHA512 30af5f95ed4f43d470046b311cb5057455c3ad515dcb93f72323be55d0250629ba42629e2937c16fc08c5bd51de79d222a14edc9b9de5e6fbbf3a0531e1136d6

memory/2908-12-0x00000000028F0000-0x00000000028F1000-memory.dmp

memory/2908-14-0x0000000000451000-0x0000000000635000-memory.dmp

memory/2908-13-0x00000000003A0000-0x000000000086D000-memory.dmp

memory/2908-17-0x00000000003A0000-0x000000000086D000-memory.dmp