Analysis Overview
SHA256
4016a4561423b5b849066c2785e363d557fd5b6a3cea7b24e8de63d071b7b4be
Threat Level: Known bad
The file 727433bc99315ea686fe6b4b8b7cdeaa_JaffaCakes118 was found to be: Known bad.
Malicious Activity Summary
Xmrig family
Cobaltstrike family
Cobaltstrike
Cobalt Strike reflective loader
xmrig
XMRig Miner payload
XMRig Miner payload
Executes dropped EXE
Loads dropped DLL
UPX packed file
Drops file in Windows directory
Unsigned PE
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Analysis: static1
Detonation Overview
Reported
2024-05-25 15:44
Signatures
Cobalt Strike reflective loader
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Cobaltstrike family
XMRig Miner payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Xmrig family
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-05-25 15:44
Reported
2024-05-25 15:47
Platform
win7-20240221-en
Max time kernel
149s
Max time network
155s
Command Line
Signatures
Cobalt Strike reflective loader
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Cobaltstrike
xmrig
XMRig Miner payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System\RvPIfrL.exe | N/A |
| N/A | N/A | C:\Windows\System\xwWQNCo.exe | N/A |
| N/A | N/A | C:\Windows\System\WmpfzFZ.exe | N/A |
| N/A | N/A | C:\Windows\System\vxaKTph.exe | N/A |
| N/A | N/A | C:\Windows\System\RJRCwVv.exe | N/A |
| N/A | N/A | C:\Windows\System\ZoGmePX.exe | N/A |
| N/A | N/A | C:\Windows\System\uGPjgBP.exe | N/A |
| N/A | N/A | C:\Windows\System\KQPzrHd.exe | N/A |
| N/A | N/A | C:\Windows\System\TBkMOKY.exe | N/A |
| N/A | N/A | C:\Windows\System\WXnACrK.exe | N/A |
| N/A | N/A | C:\Windows\System\FZOSzXS.exe | N/A |
| N/A | N/A | C:\Windows\System\gGaqRTf.exe | N/A |
| N/A | N/A | C:\Windows\System\FYaihCv.exe | N/A |
| N/A | N/A | C:\Windows\System\LsadDYm.exe | N/A |
| N/A | N/A | C:\Windows\System\rxJOJIG.exe | N/A |
| N/A | N/A | C:\Windows\System\ATbgfOa.exe | N/A |
| N/A | N/A | C:\Windows\System\lVHcrKQ.exe | N/A |
| N/A | N/A | C:\Windows\System\mTAJWyH.exe | N/A |
| N/A | N/A | C:\Windows\System\bBxbtaS.exe | N/A |
| N/A | N/A | C:\Windows\System\IxpFsTM.exe | N/A |
| N/A | N/A | C:\Windows\System\mWlCjoz.exe | N/A |
Loads dropped DLL
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Drops file in Windows directory
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\727433bc99315ea686fe6b4b8b7cdeaa_JaffaCakes118.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\727433bc99315ea686fe6b4b8b7cdeaa_JaffaCakes118.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\727433bc99315ea686fe6b4b8b7cdeaa_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\727433bc99315ea686fe6b4b8b7cdeaa_JaffaCakes118.exe"
C:\Windows\System\RvPIfrL.exe
C:\Windows\System\RvPIfrL.exe
C:\Windows\System\xwWQNCo.exe
C:\Windows\System\xwWQNCo.exe
C:\Windows\System\vxaKTph.exe
C:\Windows\System\vxaKTph.exe
C:\Windows\System\WmpfzFZ.exe
C:\Windows\System\WmpfzFZ.exe
C:\Windows\System\RJRCwVv.exe
C:\Windows\System\RJRCwVv.exe
C:\Windows\System\ZoGmePX.exe
C:\Windows\System\ZoGmePX.exe
C:\Windows\System\KQPzrHd.exe
C:\Windows\System\KQPzrHd.exe
C:\Windows\System\uGPjgBP.exe
C:\Windows\System\uGPjgBP.exe
C:\Windows\System\TBkMOKY.exe
C:\Windows\System\TBkMOKY.exe
C:\Windows\System\WXnACrK.exe
C:\Windows\System\WXnACrK.exe
C:\Windows\System\gGaqRTf.exe
C:\Windows\System\gGaqRTf.exe
C:\Windows\System\FZOSzXS.exe
C:\Windows\System\FZOSzXS.exe
C:\Windows\System\LsadDYm.exe
C:\Windows\System\LsadDYm.exe
C:\Windows\System\FYaihCv.exe
C:\Windows\System\FYaihCv.exe
C:\Windows\System\rxJOJIG.exe
C:\Windows\System\rxJOJIG.exe
C:\Windows\System\ATbgfOa.exe
C:\Windows\System\ATbgfOa.exe
C:\Windows\System\lVHcrKQ.exe
C:\Windows\System\lVHcrKQ.exe
C:\Windows\System\mTAJWyH.exe
C:\Windows\System\mTAJWyH.exe
C:\Windows\System\bBxbtaS.exe
C:\Windows\System\bBxbtaS.exe
C:\Windows\System\IxpFsTM.exe
C:\Windows\System\IxpFsTM.exe
C:\Windows\System\mWlCjoz.exe
C:\Windows\System\mWlCjoz.exe
Network
| Country | Destination | Domain | Proto |
| DE | 3.120.209.58:8080 | N/A | tcp |
| DE | 3.120.209.58:8080 | N/A | tcp |
| DE | 3.120.209.58:8080 | N/A | tcp |
| DE | 3.120.209.58:8080 | N/A | tcp |
| DE | 3.120.209.58:8080 | N/A | tcp |
| DE | 3.120.209.58:8080 | N/A | tcp |
Files
Analysis: behavioral2
Detonation Overview
Submitted
2024-05-25 15:44
Reported
2024-05-25 15:47
Platform
win10v2004-20240426-en
Max time kernel
133s
Max time network
126s
Command Line
Signatures
xmrig
XMRig Miner payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\727433bc99315ea686fe6b4b8b7cdeaa_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\727433bc99315ea686fe6b4b8b7cdeaa_JaffaCakes118.exe"
Network
Files