Analysis
max time kernel: 149s
max time network: 151s
platform: windows10-2004_x64
resource: win10v2004-20240508-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
submitted: 03/06/2024, 08:42
Static task: static1
Behavioral task: behavioral1
Sample: 91290227566049adfd31ecd4c1296b92_JaffaCakes118.exe
Resource: win7-20240221-en
General
Target: 91290227566049adfd31ecd4c1296b92_JaffaCakes118.exe
Size: 2.2MB
MD5: 91290227566049adfd31ecd4c1296b92
SHA1: 002b9071306530c3915cf27590b8453aa871125d
SHA256: 3295d5e6746be0ceb6557380a4b57e6606e8fad051279a0ff78b3236d7b91bf6
SHA512: 427c5c9d5d1c5e3c19dcd42dd15a386d536e3d6ed7ce7a954bef751add0581a35392c33c3e986116f779dda24072d92a992eef1953e9e58496ab432516a2e509
SSDEEP: 49152:z+5V5bSIh5Robl+Gd6pzGg90o0TickQ7B7Atl9hpHAKf:K75bSynocSQqgqZWjQt7Alfzf
Malware Config
Signatures

XMRig Miner payload (10 IoCs)
resource | yara_rule
behavioral2/files/0x0008000000023391-29.dat | xmrig
behavioral2/memory/3180-31-0x0000000000400000-0x000000000050D000-memory.dmp | xmrig
behavioral2/memory/3180-32-0x0000000000400000-0x000000000050D000-memory.dmp | xmrig
behavioral2/memory/3180-33-0x0000000000400000-0x000000000050D000-memory.dmp | xmrig
behavioral2/memory/3180-36-0x0000000000400000-0x000000000050D000-memory.dmp | xmrig
behavioral2/memory/3180-37-0x0000000000400000-0x000000000050D000-memory.dmp | xmrig
behavioral2/memory/3180-38-0x0000000000400000-0x000000000050D000-memory.dmp | xmrig
behavioral2/memory/3180-39-0x0000000000400000-0x000000000050D000-memory.dmp | xmrig
behavioral2/memory/3180-40-0x0000000000400000-0x000000000050D000-memory.dmp | xmrig
behavioral2/memory/3180-41-0x0000000000400000-0x000000000050D000-memory.dmp | xmrig

Checks computer location settings (2 TTPs, 2 IoCs)
Looks up country code configured in the registry, likely geofence.
description | ioc | Process
Key value queried | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation | 91290227566049adfd31ecd4c1296b92_JaffaCakes118.exe
Key value queried | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation | maintenance.exe

Executes dropped EXE (3 IoCs)
pid | Process
2524 | 91290227566049adfd31ecd4c1296b92_JaffaCakes118.exe
800 | maintenance.exe
3180 | idle_maintenance.exe

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).

Program crash (1 IoC)
pid | pid_target | Process | procid_target
3108 | 2524 | WerFault.exe | 89

Creates scheduled task(s) (1 TTP, 1 IoC)
Schtasks is often used by malware for persistence or to perform post-infection execution.
pid | Process
4524 | schtasks.exe

Delays execution with timeout.exe (1 IoC)
pid | Process
4748 | timeout.exe

Suspicious behavior: EnumeratesProcesses (2 IoCs)
pid | Process
800 | maintenance.exe
800 | maintenance.exe

Suspicious use of AdjustPrivilegeToken (2 IoCs)
description | pid | Process
Token: SeLockMemoryPrivilege | 3180 | idle_maintenance.exe
Token: SeLockMemoryPrivilege | 3180 | idle_maintenance.exe

Suspicious use of WriteProcessMemory (23 IoCs)
description | pid | Process | procid_target
PID 1876 wrote to memory of 860 | 1876 | 91290227566049adfd31ecd4c1296b92_JaffaCakes118.exe | 82
PID 1876 wrote to memory of 860 | 1876 | 91290227566049adfd31ecd4c1296b92_JaffaCakes118.exe | 82
PID 1876 wrote to memory of 860 | 1876 | 91290227566049adfd31ecd4c1296b92_JaffaCakes118.exe | 82
PID 1876 wrote to memory of 3508 | 1876 | 91290227566049adfd31ecd4c1296b92_JaffaCakes118.exe | 84
PID 1876 wrote to memory of 3508 | 1876 | 91290227566049adfd31ecd4c1296b92_JaffaCakes118.exe | 84
PID 1876 wrote to memory of 3508 | 1876 | 91290227566049adfd31ecd4c1296b92_JaffaCakes118.exe | 84
PID 860 wrote to memory of 3472 | 860 | cmd.exe | 86
PID 860 wrote to memory of 3472 | 860 | cmd.exe | 86
PID 860 wrote to memory of 3472 | 860 | cmd.exe | 86
PID 860 wrote to memory of 4524 | 860 | cmd.exe | 87
PID 860 wrote to memory of 4524 | 860 | cmd.exe | 87
PID 860 wrote to memory of 4524 | 860 | cmd.exe | 87
PID 3508 wrote to memory of 1236 | 3508 | cmd.exe | 88
PID 3508 wrote to memory of 1236 | 3508 | cmd.exe | 88
PID 3508 wrote to memory of 1236 | 3508 | cmd.exe | 88
PID 3508 wrote to memory of 2524 | 3508 | cmd.exe | 89
PID 3508 wrote to memory of 2524 | 3508 | cmd.exe | 89
PID 3508 wrote to memory of 2524 | 3508 | cmd.exe | 89
PID 3508 wrote to memory of 4748 | 3508 | cmd.exe | 90
PID 3508 wrote to memory of 4748 | 3508 | cmd.exe | 90
PID 3508 wrote to memory of 4748 | 3508 | cmd.exe | 90
PID 800 wrote to memory of 3180 | 800 | maintenance.exe | 109
PID 800 wrote to memory of 3180 | 800 | maintenance.exe | 109
Processes

C:\Users\Admin\AppData\Local\Temp\91290227566049adfd31ecd4c1296b92_JaffaCakes118.exe
    command line: "C:\Users\Admin\AppData\Local\Temp\91290227566049adfd31ecd4c1296b92_JaffaCakes118.exe"
    - Checks computer location settings
    - Suspicious use of WriteProcessMemory
    PID: 1876

    C:\Windows\SysWOW64\cmd.exe
        command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\zbe20246384248362.bat" "
        - Suspicious use of WriteProcessMemory
        PID: 860

        C:\Windows\SysWOW64\schtasks.exe
            command line: Schtasks.EXE /delete /tn "Maintenance" /f
            PID: 3472

        C:\Windows\SysWOW64\schtasks.exe
            command line: Schtasks.EXE /create /tn "Maintenance" /xml "C:\Users\Admin\AppData\Local\Temp\zx20246384248362.xml"
            - Creates scheduled task(s)
            PID: 4524

    C:\Windows\SysWOW64\cmd.exe
        command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\zb20246384248362.bat" "
        - Suspicious use of WriteProcessMemory
        PID: 3508

        C:\Windows\SysWOW64\chcp.com
            command line: chcp 1251
            PID: 1236

        C:\Users\Admin\AppData\Local\Temp\91290227566049adfd31ecd4c1296b92_JaffaCakes118.exe
            command line: "C:\Users\Admin\AppData\Local\Temp\91290227566049adfd31ecd4c1296b92_JaffaCakes118.exe"
            - Executes dropped EXE
            PID: 2524

            C:\Windows\SysWOW64\WerFault.exe
                command line: C:\Windows\SysWOW64\WerFault.exe -u -p 2524 -s 372
                - Program crash
                PID: 3108

        C:\Windows\SysWOW64\timeout.exe
            command line: timeout /t 3 /nobreak
            - Delays execution with timeout.exe
            PID: 4748

C:\Windows\SysWOW64\WerFault.exe
    command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 2524 -ip 2524
    PID: 1948

C:\Users\Admin\AppData\Roaming\Maintenance\apps\maintenance.exe
    command line: C:\Users\Admin\AppData\Roaming\Maintenance\apps\maintenance.exe
    - Checks computer location settings
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID: 800

    C:\Users\Admin\AppData\Local\Temp\6f626a69797569658864148781170505728\idle_maintenance.exe
        command line: C:\Users\Admin\AppData\Local\Temp\6f626a69797569658864148781170505728\idle_maintenance.exe
        - Executes dropped EXE
        - Suspicious use of AdjustPrivilegeToken
        PID: 3180
Network
MITRE ATT&CK Enterprise v15
Downloads