Analysis Overview
SHA256
58dba7acff401599f1503ae6741f3be82f8491975334eb22d54c46f4c404863e
Threat Level: Known bad
The file 6827422d1c3790b8ae0a5c27d3689beb_JaffaCakes118 was found to be: Known bad.
Malicious Activity Summary
xmrig
XMRig Miner payload
UPX packed file
Adds Run key to start application
Suspicious use of SetThreadContext
Unsigned PE
Program crash
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-05-22 18:11
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-05-22 18:11
Reported
2024-05-22 18:13
Platform
win7-20240215-en
Max time kernel
149s
Max time network
144s
Command Line
Signatures
xmrig
XMRig Miner payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Windows\CurrentVersion\Run\dGpDguAlnf = "\"C:\\Users\\Admin\\AppData\\Local\\VZEUJV~1\\WINUPD~1.EXE\"" | C:\Users\Admin\AppData\Local\Temp\6827422d1c3790b8ae0a5c27d3689beb_JaffaCakes118.exe | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 1856 set thread context of 1928 | N/A | C:\Users\Admin\AppData\Local\Temp\6827422d1c3790b8ae0a5c27d3689beb_JaffaCakes118.exe | C:\Windows\notepad.exe |
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\6827422d1c3790b8ae0a5c27d3689beb_JaffaCakes118.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Windows\notepad.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Windows\notepad.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\6827422d1c3790b8ae0a5c27d3689beb_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\6827422d1c3790b8ae0a5c27d3689beb_JaffaCakes118.exe"
C:\Windows\notepad.exe
"C:\Windows\notepad.exe" -c "C:\Users\Admin\AppData\Local\VzEujvQEZT\cfgi"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | monerohash.com | udp |
| US | 107.191.99.221:3333 | monerohash.com | tcp |
| US | 107.191.99.221:3333 | monerohash.com | tcp |
| US | 107.191.99.221:3333 | monerohash.com | tcp |
| US | 107.191.99.221:3333 | monerohash.com | tcp |
| US | 107.191.99.221:3333 | monerohash.com | tcp |
| US | 107.191.99.221:3333 | monerohash.com | tcp |
| US | 107.191.99.221:3333 | monerohash.com | tcp |
| US | 107.191.99.221:3333 | monerohash.com | tcp |
| US | 107.191.99.221:3333 | monerohash.com | tcp |
| US | 107.191.99.221:3333 | monerohash.com | tcp |
| US | 107.191.99.221:3333 | monerohash.com | tcp |
| US | 8.8.8.8:53 | monerohash.com | udp |
| US | 107.191.99.221:3333 | monerohash.com | tcp |
Files
memory/1856-0-0x0000000000280000-0x000000000033C000-memory.dmp
memory/1856-2-0x0000000000280000-0x000000000033C000-memory.dmp
memory/1928-6-0x0000000000400000-0x00000000004ED000-memory.dmp
memory/1928-5-0x0000000000400000-0x00000000004ED000-memory.dmp
memory/1928-8-0x0000000000400000-0x00000000004ED000-memory.dmp
memory/1928-11-0x0000000000400000-0x00000000004ED000-memory.dmp
memory/1856-10-0x0000000000400000-0x00000000004C9000-memory.dmp
C:\Users\Admin\AppData\Local\VzEujvQEZT\cfgi
| MD5 | e15fa56863f393425d47d0928c6f6bbb |
| SHA1 | 92a6aab52b6bf214859946f095f478a0e317cba3 |
| SHA256 | d51ab79d74f6ce6becdf7f8155e52680807f6cccfcf128c1271e7790ca2ddedb |
| SHA512 | 7cd667adf696cbfda44de1665dac1258586681a2cd6c7f3e1d7003deb9a12984e5294f166ba78ba69ee40b2be626e01e562bbc466c556998b2129d555cb751e3 |
memory/1928-7-0x0000000000400000-0x00000000004ED000-memory.dmp
memory/1856-12-0x0000000000400000-0x00000000004E9000-memory.dmp
memory/1856-13-0x0000000000280000-0x000000000033C000-memory.dmp
memory/1928-15-0x0000000000400000-0x00000000004ED000-memory.dmp
memory/1856-21-0x0000000000400000-0x00000000004E9000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2024-05-22 18:11
Reported
2024-05-22 18:13
Platform
win10v2004-20240508-en
Max time kernel
142s
Max time network
158s
Command Line
Signatures
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Users\Admin\AppData\Local\Temp\6827422d1c3790b8ae0a5c27d3689beb_JaffaCakes118.exe |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\6827422d1c3790b8ae0a5c27d3689beb_JaffaCakes118.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\6827422d1c3790b8ae0a5c27d3689beb_JaffaCakes118.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\6827422d1c3790b8ae0a5c27d3689beb_JaffaCakes118.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\6827422d1c3790b8ae0a5c27d3689beb_JaffaCakes118.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\6827422d1c3790b8ae0a5c27d3689beb_JaffaCakes118.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 3252 wrote to memory of 3264 | N/A | C:\Users\Admin\AppData\Local\Temp\6827422d1c3790b8ae0a5c27d3689beb_JaffaCakes118.exe | C:\Windows\notepad.exe |
| PID 3252 wrote to memory of 3264 | N/A | C:\Users\Admin\AppData\Local\Temp\6827422d1c3790b8ae0a5c27d3689beb_JaffaCakes118.exe | C:\Windows\notepad.exe |
| PID 3252 wrote to memory of 3264 | N/A | C:\Users\Admin\AppData\Local\Temp\6827422d1c3790b8ae0a5c27d3689beb_JaffaCakes118.exe | C:\Windows\notepad.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\6827422d1c3790b8ae0a5c27d3689beb_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\6827422d1c3790b8ae0a5c27d3689beb_JaffaCakes118.exe"
C:\Windows\notepad.exe
"C:\Windows\notepad.exe" -c "C:\Users\Admin\AppData\Local\VzEujvQEZT\cfgi"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 424 -p 3252 -ip 3252
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3252 -s 560
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 209.205.72.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 240.197.17.2.in-addr.arpa | udp |
| NL | 23.62.61.194:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | 194.61.62.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 157.123.68.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 198.187.3.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 249.197.17.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 57.169.31.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 31.243.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
Files
memory/3252-2-0x0000000002160000-0x0000000002229000-memory.dmp
memory/3252-5-0x0000000000400000-0x00000000004C9000-memory.dmp
memory/3252-6-0x0000000000400000-0x00000000004E9000-memory.dmp
memory/3252-7-0x0000000000400000-0x00000000004C9000-memory.dmp