Analysis Overview
SHA256
521183d9266bde2a78c84d7cf3ff89b4af900ce5143ff2da95617a025ea953eb
Threat Level: Known bad
The file 82dce0006c45aa6b2c4da413eaea2596_JaffaCakes118 was found to be: Known bad.
Malicious Activity Summary
Cobalt Strike reflective loader
xmrig
Xmrig family
Cobaltstrike family
XMRig Miner payload
Cobaltstrike
Executes dropped EXE
Loads dropped DLL
UPX packed file
Drops file in Windows directory
Unsigned PE
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Analysis: static1
Detonation Overview
Reported
2024-05-30 03:13
Signatures
Cobalt Strike reflective loader
Cobaltstrike family
XMRig Miner payload
Xmrig family
UPX packed file
Unsigned PE
Analysis: behavioral1
Detonation Overview
Submitted
2024-05-30 03:13
Reported
2024-05-30 03:16
Platform
win7-20240221-en
Max time kernel
150s
Max time network
155s
Command Line
Signatures
Cobalt Strike reflective loader
Cobaltstrike
xmrig
XMRig Miner payload
Executes dropped EXE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\System\OaItDPR.exe | N/A |
| N/A | N/A | C:\Windows\System\EkrMzyv.exe | N/A |
| N/A | N/A | C:\Windows\System\oDDHSSS.exe | N/A |
| N/A | N/A | C:\Windows\System\jcfDToa.exe | N/A |
| N/A | N/A | C:\Windows\System\vAqkfbB.exe | N/A |
| N/A | N/A | C:\Windows\System\oMzfdBt.exe | N/A |
| N/A | N/A | C:\Windows\System\xHSYjcu.exe | N/A |
| N/A | N/A | C:\Windows\System\dxKXbzv.exe | N/A |
| N/A | N/A | C:\Windows\System\elyYOEr.exe | N/A |
| N/A | N/A | C:\Windows\System\qnkWKsZ.exe | N/A |
| N/A | N/A | C:\Windows\System\dRgoUBW.exe | N/A |
| N/A | N/A | C:\Windows\System\vHimNXK.exe | N/A |
| N/A | N/A | C:\Windows\System\cWcFMyD.exe | N/A |
| N/A | N/A | C:\Windows\System\UzmORRV.exe | N/A |
| N/A | N/A | C:\Windows\System\dxjxMih.exe | N/A |
| N/A | N/A | C:\Windows\System\pyqOCit.exe | N/A |
| N/A | N/A | C:\Windows\System\JsHerrv.exe | N/A |
| N/A | N/A | C:\Windows\System\snnhFIK.exe | N/A |
| N/A | N/A | C:\Windows\System\qAjgfTM.exe | N/A |
| N/A | N/A | C:\Windows\System\lkoJhrX.exe | N/A |
| N/A | N/A | C:\Windows\System\wTClCli.exe | N/A |
Loads dropped DLL
UPX packed file
Drops file in Windows directory
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\82dce0006c45aa6b2c4da413eaea2596_JaffaCakes118.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\82dce0006c45aa6b2c4da413eaea2596_JaffaCakes118.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\82dce0006c45aa6b2c4da413eaea2596_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\82dce0006c45aa6b2c4da413eaea2596_JaffaCakes118.exe"
C:\Windows\System\OaItDPR.exe
C:\Windows\System\OaItDPR.exe
C:\Windows\System\EkrMzyv.exe
C:\Windows\System\EkrMzyv.exe
C:\Windows\System\oDDHSSS.exe
C:\Windows\System\oDDHSSS.exe
C:\Windows\System\jcfDToa.exe
C:\Windows\System\jcfDToa.exe
C:\Windows\System\vAqkfbB.exe
C:\Windows\System\vAqkfbB.exe
C:\Windows\System\oMzfdBt.exe
C:\Windows\System\oMzfdBt.exe
C:\Windows\System\xHSYjcu.exe
C:\Windows\System\xHSYjcu.exe
C:\Windows\System\dxKXbzv.exe
C:\Windows\System\dxKXbzv.exe
C:\Windows\System\elyYOEr.exe
C:\Windows\System\elyYOEr.exe
C:\Windows\System\qnkWKsZ.exe
C:\Windows\System\qnkWKsZ.exe
C:\Windows\System\dRgoUBW.exe
C:\Windows\System\dRgoUBW.exe
C:\Windows\System\vHimNXK.exe
C:\Windows\System\vHimNXK.exe
C:\Windows\System\cWcFMyD.exe
C:\Windows\System\cWcFMyD.exe
C:\Windows\System\UzmORRV.exe
C:\Windows\System\UzmORRV.exe
C:\Windows\System\dxjxMih.exe
C:\Windows\System\dxjxMih.exe
C:\Windows\System\pyqOCit.exe
C:\Windows\System\pyqOCit.exe
C:\Windows\System\JsHerrv.exe
C:\Windows\System\JsHerrv.exe
C:\Windows\System\snnhFIK.exe
C:\Windows\System\snnhFIK.exe
C:\Windows\System\qAjgfTM.exe
C:\Windows\System\qAjgfTM.exe
C:\Windows\System\lkoJhrX.exe
C:\Windows\System\lkoJhrX.exe
C:\Windows\System\wTClCli.exe
C:\Windows\System\wTClCli.exe
Network
| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
Files
memory/2068-0-0x000000013F4A0000-0x000000013F7F4000-memory.dmp
memory/2068-1-0x00000000001F0000-0x0000000000200000-memory.dmp
\Windows\system\OaItDPR.exe
| MD5 | c78e2df6efe86f2bc36d4d4cf61feb19 |
| SHA1 | 2b2501f4dcfd9c42ce3559342a939aa37c18b416 |
| SHA256 | 104047967d31885a082076aad28e9fbb9bc158daea6ed188a31cadbe62a15c55 |
| SHA512 | 4aeeeeb89806db75a881f00105118e02615d25817af0691f29861f31d342f88036aef073dcd60cdf7bf64f1bb186085fc6eaebaa4e2aa2f9c65cf0d30dccef39 |
memory/2068-6-0x00000000023F0000-0x0000000002744000-memory.dmp
\Windows\system\EkrMzyv.exe
| MD5 | f44c842de127eeb34312baebabc353bf |
| SHA1 | f3cd4a382709420fb2c2780f52bea90d344ab612 |
| SHA256 | 38bffa4409a45ffad06ed6fe20f641922e40a205a728b1cc74ffb993e5419898 |
| SHA512 | c873a929004117dfe21c5f0d205b720f85cd387410fcfab20b81a61c536ceb97cb08db0061b8c5209d9ad0356ae7c8effb1b51701eff5c5be10b0ad662e975eb |
C:\Windows\system\oDDHSSS.exe
| MD5 | 95cd5f2554542c2baf853ac0f0358ad6 |
| SHA1 | be19d081312c8efadfb6954f3cc87f42f6633db1 |
| SHA256 | 6ce638ae3c53799f3f9f9de0404da73e73eeb559a7ce6a56f6f3c770a2e4050d |
| SHA512 | d4139119220e1c6a1aaa6e0b20b2baaefaf0c86374bb50c8c3cc68e35f9c4448fd09fcac944b5de9f67d656c706ede28f109e5761c2c66cbc759837f43f3b969 |
memory/2060-15-0x000000013F470000-0x000000013F7C4000-memory.dmp
memory/1116-8-0x000000013F7D0000-0x000000013FB24000-memory.dmp
memory/2068-18-0x00000000023F0000-0x0000000002744000-memory.dmp
memory/2068-13-0x00000000023F0000-0x0000000002744000-memory.dmp
memory/1068-23-0x000000013F1F0000-0x000000013F544000-memory.dmp
C:\Windows\system\jcfDToa.exe
| MD5 | 5b474134dc911fe58f81d277b545cd7b |
| SHA1 | feec829efa7ccd88f802afa1c2283332c1231fa7 |
| SHA256 | 6f673517c843c8e66d7318d417373f407c77b3fc89670a7c3716be8e9239ec6e |
| SHA512 | 0f6bbc55ff45f3a3ac5f96909adad4a0830dca7b8b76d28b3bbeb62f4f9788158dac8bf51bedf96d504f637524fe04d3c7666eb4a0e5899b2988a74a791be57f |
\Windows\system\vAqkfbB.exe
| MD5 | 8847170e7c2be8c9037d3ec32ddadc71 |
| SHA1 | 65c0b9bb4251d57993ec04588d6c8d4c06e4567f |
| SHA256 | b38873649a52768ef80f6d18669f3539bb67ddfa2eab2761d5522b846b809916 |
| SHA512 | 832140828f7f0d2bf1625e2c1da22370da782104a8b00abc4fde7298d1365f8d4cfcfe24fb32ddc6387c646513c91d6e862d7a2de286dce5f55c2bfd9f26a58a |
\Windows\system\oMzfdBt.exe
| MD5 | 2809e0093f3796781a225f19cf2a92ee |
| SHA1 | c6b2f443aa15959fa76f3092cdbc74eb74b3714b |
| SHA256 | eea05efc590cca14ae52b1c8fb8ae5e02407fd3df9808ce33335deafb0817896 |
| SHA512 | c3c2b4cf2670a9f03b00d44be860b5f477a079677707a5698c339fbeb7fcbb1410be8e4bdc6ea68fc023efbca4195e6499aa6e1c61581a59344c29d14e3f7213 |
memory/2068-41-0x000000013F4A0000-0x000000013F7F4000-memory.dmp
memory/2516-42-0x000000013F550000-0x000000013F8A4000-memory.dmp
memory/2068-37-0x00000000023F0000-0x0000000002744000-memory.dmp
memory/2068-29-0x000000013FEC0000-0x0000000140214000-memory.dmp
\Windows\system\dxKXbzv.exe
| MD5 | db9ebc988b542bc19ba0f9c6fe526904 |
| SHA1 | 3e49d55a4bcca84b4924c17dee9c3bdb0f7615ae |
| SHA256 | a94ed348e0540c27e3d61acb971c603ced82bdf3e1a142174b3a10645cd09ae0 |
| SHA512 | 56ac92329e8630f512eff99664d1f372862cdd37ace8f4bf75cac3c8983916429365627310ed4c015bd721ad56dadc49fabd87d7aab9dbb52036ddfa8d446b1d |
memory/2060-51-0x000000013F470000-0x000000013F7C4000-memory.dmp
memory/2384-52-0x000000013FF00000-0x0000000140254000-memory.dmp
memory/2656-33-0x000000013FEC0000-0x0000000140214000-memory.dmp
memory/2644-57-0x000000013F8D0000-0x000000013FC24000-memory.dmp
memory/2068-56-0x00000000023F0000-0x0000000002744000-memory.dmp
\Windows\system\elyYOEr.exe
| MD5 | 1de44de16fdcb74dccd5327dca4335f2 |
| SHA1 | 5a1f0fa93c0d8e54e116afacdf4ae25e080ac1e6 |
| SHA256 | b93523ea9bd5d43f0985aa5b26fbd146f4726ec731823925df6af0c6dccd2a5d |
| SHA512 | 8e3ae417854ea4255c81f65b86f53b56a6b459255f694f47db9a3d74f56a0e37581a15c546186a8387c665180e51b3014caa88c9e04283eb86a7df4fdfb9412f |
C:\Windows\system\qnkWKsZ.exe
| MD5 | f8e67a79609db446ca3fb4fd672dc1da |
| SHA1 | 2ab3c57435b6fd8dcbe7545417e3a56463c1e8d0 |
| SHA256 | ddccc392b186091e954c3c7449f0f72eef8e290e053d04796e9f9300371b159b |
| SHA512 | 8b7fde2c5f4598911a2e7af0859b17ddd85d372839be3e25c06372a650aec3e3502e49e20808133f4806c454b9e518b442b06be2b710c20bf14f5cb62ea25d67 |
memory/2608-71-0x000000013F530000-0x000000013F884000-memory.dmp
C:\Windows\system\vHimNXK.exe
| MD5 | bbe9f01b9cb3e115420277075ccb3876 |
| SHA1 | 2ae099e761813db7579555c3fd660bc6f8ad4c52 |
| SHA256 | 0cbd5f5c65a0698d807473ee12252a65790d3f23415fb3833083fdaa05c1f86c |
| SHA512 | b7f299d2c525721d79f1fe04824ab3a7c5ede050617e96c39fa688b7f0e7ac4762d6b425d5649bb544e7e8beced07c8de3ca6dcf319dc55b0f79a7edb70bed81 |
memory/2396-77-0x000000013FA70000-0x000000013FDC4000-memory.dmp
memory/2816-84-0x000000013FF70000-0x00000001402C4000-memory.dmp
C:\Windows\system\UzmORRV.exe
| MD5 | 7cf78b2fed88a2775c3e8b0151da95ea |
| SHA1 | 93ed655e9c3478b09ad922b549e2d9479845caee |
| SHA256 | a2ec254b0ccf0ac83d1637415e5170b1ff148705a3e71d443b62bec14a98dbd7 |
| SHA512 | c58c725ac3e9af40e41cf3f1600564b6b8646615a0bb15edb044e52a6ab5301593b3f1e6c4a2a9b70a1752fe52bc47b53abb31249b07b1abcd63cbd6a31ee709 |
\Windows\system\cWcFMyD.exe
| MD5 | 5cee9a5d8d62625c093e1fe5ef3a2e7d |
| SHA1 | 35ca6baee2d3881735400a6e2124bb2ecc09f14e |
| SHA256 | b9c9c5a5725ba2e3bd413f88520ff68b6f2a4ac3cbe0053190d002ee07137a68 |
| SHA512 | d2f98edb68931a2c770d6151fef14f74eb0665c342a2c34284777513297fe4d36cb8a407beba286f73dd741256f42c997666520672db8588ad7f76463fb33d5c |
memory/2100-91-0x000000013F740000-0x000000013FA94000-memory.dmp
memory/2356-96-0x000000013FC30000-0x000000013FF84000-memory.dmp
memory/2068-95-0x000000013FC30000-0x000000013FF84000-memory.dmp
\Windows\system\dxjxMih.exe
| MD5 | eae824b2cf9d79370e37ef6ec72b0784 |
| SHA1 | 85dc9e26f9f4599b4b85300ae73633a81cd7d37c |
| SHA256 | 4eeb3d635f90832dac6fd3ac814578940f7006111ca4c2087f17ac9937a6cb7d |
| SHA512 | 63db86491afaef13923d4efb7cec2029690b717206a96c25acf9401c193689dd3822408e1a67bb595a7e7453120bb2ae8374c329c7cd79d5d07ceb26a75033df |
\Windows\system\wTClCli.exe
| MD5 | 47acac8987ca0b089eb166932bf37fe4 |
| SHA1 | 9e19982c1ccb3f22f2d8653e1fc9476711655c26 |
| SHA256 | 77766a70b5eebf3d0d058dd7bb035242b278acdeeeda1d847148bb291b4e28d7 |
| SHA512 | 71aec92ac094b447fce6983a118fec4371176d0782209e81aa363773b87512859bea0a188fd97bc7e717578d5358710d79746fa71157f84948fc771b9b9c0f28 |
C:\Windows\system\qAjgfTM.exe
| MD5 | 737728d0a48194a391a5831500fe388d |
| SHA1 | be05311186a1db52e76141b0aaa08855ff6f8e59 |
| SHA256 | ef3398d574511d198fd2616578e4ef43c87ceece5fa4bdf4f6481fda96c72a49 |
| SHA512 | e5cc36a8c8acf2a72f52d08d106604b577078687b7fb22837b3e009967b4a3f2a0c5396747d1eefa4307390383da2b91d849fc20a78c0234fdfadcc5b081f27f |
C:\Windows\system\lkoJhrX.exe
| MD5 | 3839d5dd2a8fbbc331d762a66742bdd2 |
| SHA1 | 042ac23035a8d7d77e1b3733a8cc356c9d013297 |
| SHA256 | 18898a3021bd727f69764e93a5b530eeabb9658569bd29e7645c4442e7df41ad |
| SHA512 | a6ff4843ee139819494ca87eec04e03951a3ac161896ff5f33ecd9b37163b008c6dd62d3665f2e109016480fcebce5eddba30ec2deb56034540f70b175437baf |
C:\Windows\system\snnhFIK.exe
| MD5 | ec401b7a597bd03471bf86acb6b5077d |
| SHA1 | d61a9b43adaac2445d0fc48744953c9adf980ba6 |
| SHA256 | 8cad021f416ef91b0d20eb79afe57055b2428625e87079b2731221e54b64844d |
| SHA512 | 8b52ed3f30973e5d8e2430bd51ebe3e3060e4a1fc0bd345c6c937c4dcb901fe0ea12d782c647556ef069ed53e2fa1036b7b0eeb0349517bdde70968415a14016 |
C:\Windows\system\JsHerrv.exe
| MD5 | 54c130946ce8ebd69e6abca5f1502836 |
| SHA1 | abdc655fa63cca10041a84b80c0ac6c9120af8a1 |
| SHA256 | 341b3621a67c6c5a678d9081fe0b51a6faad4383b980d010bb38b4290e06471b |
| SHA512 | 8ca6347b3343135e41f72081a28a372f500366da19448a111a7b1a6167f0a6d15bc86fb368e91ab6bbac5e97b2ce270728923ad8fecf1091f988a2bb35286bbe |
C:\Windows\system\pyqOCit.exe
| MD5 | 1975c5116e5e82de246e458f2ed3014b |
| SHA1 | 0347c64e559eda19561e51871b2951beff085f06 |
| SHA256 | 48da5fc6b8f78678ff6a90a93f2b395f83b8610471904b7ed6ff5da845a8c8c4 |
| SHA512 | 4ba49054b8315a14fd1b143b35e3ba3f5f087960f764e8497187029cfb6c848ea1ffb07fdb027f2161a9824c8bc6c64ee2a168a3fbb0d635ffd081c27aec1d97 |
memory/2516-103-0x000000013F550000-0x000000013F8A4000-memory.dmp
memory/2068-83-0x000000013FF70000-0x00000001402C4000-memory.dmp
memory/2068-76-0x000000013FA70000-0x000000013FDC4000-memory.dmp
C:\Windows\system\dRgoUBW.exe
| MD5 | cac043039641c8ddebfc64cd4a4ceb27 |
| SHA1 | 793694bd0f377879765ef35b2569a3eb3bed1db4 |
| SHA256 | ac930dace662e27bce39de25badd96eeecc0c43a2b10476998f10b10325c7e23 |
| SHA512 | ee4a74f51ad5a11d0eec2e32aa61106dea4e956a1d0d3a2af431fc23dc59135ade9ce2e171c0632ce25008310ece8ec8e2d1b2e45887fc6456f3eee15bb1f6e1 |
memory/2068-70-0x00000000023F0000-0x0000000002744000-memory.dmp
memory/2552-64-0x000000013F270000-0x000000013F5C4000-memory.dmp
memory/2384-136-0x000000013FF00000-0x0000000140254000-memory.dmp
C:\Windows\system\xHSYjcu.exe
| MD5 | b288cd3d051cfefabb3cc65752ce4cb2 |
| SHA1 | 5957ab6fffd39c388a7caa3b7c0cbf08e33536a1 |
| SHA256 | e5c48daa13b2d346402dd600af8493cb604ae95ffd50b53d8adc05ecdbbeb4f7 |
| SHA512 | 97b6cc48d67eb84129a5a0e37e7d1cc3952af53885a7032eb3eb01f4f6093e155dbabeceb6efd6054719144a529bdc0d041a61ef4b83d6c4bc8f8ecbfd457147 |
Analysis: behavioral2
Detonation Overview
Submitted
2024-05-30 03:13
Reported
2024-05-30 03:16
Platform
win10v2004-20240508-en
Max time kernel
132s
Max time network
124s
Command Line
Signatures
xmrig
XMRig Miner payload
UPX packed file
Processes
C:\Users\Admin\AppData\Local\Temp\82dce0006c45aa6b2c4da413eaea2596_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\82dce0006c45aa6b2c4da413eaea2596_JaffaCakes118.exe"
Network
| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 204.79.197.237:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | 183.142.211.20.in-addr.arpa | udp |
| BE | 2.17.107.105:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | 237.197.79.204.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 105.107.17.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 144.107.17.2.in-addr.arpa | udp |
| BE | 2.17.107.105:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | 2.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 57.169.31.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 157.123.68.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 15.164.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 55.36.223.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 30.243.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 58.99.105.20.in-addr.arpa | udp |
Files
memory/3328-0-0x00007FF62B9F0000-0x00007FF62BD44000-memory.dmp