Analysis

  • max time kernel
    149s
  • max time network
    151s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240508-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    03/06/2024, 08:42

General

  • Target

    91290227566049adfd31ecd4c1296b92_JaffaCakes118.exe

  • Size

    2.2MB

  • MD5

    91290227566049adfd31ecd4c1296b92

  • SHA1

    002b9071306530c3915cf27590b8453aa871125d

  • SHA256

    3295d5e6746be0ceb6557380a4b57e6606e8fad051279a0ff78b3236d7b91bf6

  • SHA512

    427c5c9d5d1c5e3c19dcd42dd15a386d536e3d6ed7ce7a954bef751add0581a35392c33c3e986116f779dda24072d92a992eef1953e9e58496ab432516a2e509

  • SSDEEP

    49152:z+5V5bSIh5Robl+Gd6pzGg90o0TickQ7B7Atl9hpHAKf:K75bSynocSQqgqZWjQt7Alfzf

Score
10/10

Malware Config

Signatures

  • xmrig

    XMRig is a high-performance, open-source, cross-platform CPU/GPU miner.

  • XMRig Miner payload 10 IoCs
  • Checks computer location settings 2 TTPs 2 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 3 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Program crash 1 IoCs
  • Creates scheduled task(s) 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

  • Delays execution with timeout.exe 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 23 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\91290227566049adfd31ecd4c1296b92_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\91290227566049adfd31ecd4c1296b92_JaffaCakes118.exe"
    1⤵
    • Checks computer location settings
    • Suspicious use of WriteProcessMemory
    PID:1876
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\zbe20246384248362.bat" "
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:860
      • C:\Windows\SysWOW64\schtasks.exe
        Schtasks.EXE /delete /tn "Maintenance" /f
        3⤵
          PID:3472
        • C:\Windows\SysWOW64\schtasks.exe
          Schtasks.EXE /create /tn "Maintenance" /xml "C:\Users\Admin\AppData\Local\Temp\zx20246384248362.xml"
          3⤵
          • Creates scheduled task(s)
          PID:4524
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\zb20246384248362.bat" "
        2⤵
        • Suspicious use of WriteProcessMemory
        PID:3508
        • C:\Windows\SysWOW64\chcp.com
          chcp 1251
          3⤵
            PID:1236
          • C:\Users\Admin\AppData\Local\Temp\91290227566049adfd31ecd4c1296b92_JaffaCakes118.exe
            "C:\Users\Admin\AppData\Local\Temp\91290227566049adfd31ecd4c1296b92_JaffaCakes118.exe"
            3⤵
            • Executes dropped EXE
            PID:2524
            • C:\Windows\SysWOW64\WerFault.exe
              C:\Windows\SysWOW64\WerFault.exe -u -p 2524 -s 372
              4⤵
              • Program crash
              PID:3108
          • C:\Windows\SysWOW64\timeout.exe
            timeout /t 3 /nobreak
            3⤵
            • Delays execution with timeout.exe
            PID:4748
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 2524 -ip 2524
        1⤵
          PID:1948
        • C:\Users\Admin\AppData\Roaming\Maintenance\apps\maintenance.exe
          C:\Users\Admin\AppData\Roaming\Maintenance\apps\maintenance.exe
          1⤵
          • Checks computer location settings
          • Executes dropped EXE
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of WriteProcessMemory
          PID:800
          • C:\Users\Admin\AppData\Local\Temp\6f626a69797569658864148781170505728\idle_maintenance.exe
            C:\Users\Admin\AppData\Local\Temp\6f626a69797569658864148781170505728\idle_maintenance.exe
            2⤵
            • Executes dropped EXE
            • Suspicious use of AdjustPrivilegeToken
            PID:3180

Network

MITRE ATT&CK Enterprise v15

Downloads

        • C:\Users\Admin\AppData\Local\Temp\6f626a69797569658864148781170505728\config.json

          Filesize

          907B

          MD5

          724373fdc80811cf935575305dabc412

          SHA1

          720c6b63d13008eb165d586f62297350d70a42a9

          SHA256

          4acd1300efefc1f61daddbc62583af929b0d490af812c7dce3358cc10d6f930f

          SHA512

          470a18006057379b8d7af91c2884534df04f5a82c499881f6d59b639ea29ee1b14e3714ab60c90c6b9dcbdc9ef59abdc24f7eec359e9253bb42cf1488f2826bd

        • C:\Users\Admin\AppData\Local\Temp\6f626a69797569658864148781170505728\idle_maintenance.exe

          Filesize

          1.0MB

          MD5

          35fadb783458c2c49f06ac6991362ec1

          SHA1

          5d8a08ddf30df09f90613a5998b6106166ae81f5

          SHA256

          56141544ac6d03565909b3043fab104bf40cadb32d53a12d821e1328bc50f087

          SHA512

          abf028a19f1078f41c76eb0b5bc389c4d94f784c497436691e1933a87919fa7589945437fa95a656770ccd29aec328ab5349c6fc7dfd8731fc4c927538f6921f

        • C:\Users\Admin\AppData\Local\Temp\zb20246384248362.bat

          Filesize

          680B

          MD5

          bce7e5428337ca3a72e55dafb75179d1

          SHA1

          7a582edb0e6533cd5b11da4aa777aa78aa788b5c

          SHA256

          f02aa457ed3471f91640da8ee62fa506440ba6abe043418b29781219312a84ba

          SHA512

          946abd5d35a0f62c85d7e8464148cd537fbf7b2b69e7d558afba65a8c778fb034cccd08620643895bfbb7c5ccc99242a858799195180321ae6741b4bfdc258e2

        • C:\Users\Admin\AppData\Local\Temp\zbe20246384248362.bat

          Filesize

          198B

          MD5

          c52a50ad7723919bc4970694f3fa659f

          SHA1

          d828056bf36ae0c035e5e6ae9bb9beeb0d8f1471

          SHA256

          c63a9d286b483741055a5628a0cb2a5893e00a7cca874a954bbf0da54039179b

          SHA512

          a5026aa0c4888900c45fe5ed02600fc80e98b5603a461ac8ebde420e9b4a9381cbe5bde7c34dc665ce28ab80b423d1da6b60166c1a9651a1bb01c9f5314afc27

        • C:\Users\Admin\AppData\Local\Temp\ze20246384248362.tmp

          Filesize

          2.2MB

          MD5

          f4cdf35f34063c1b0377008ae133e79f

          SHA1

          935d7e86cfb4d7b853a6e51f7e4ab938a0a46136

          SHA256

          317a902c2d5a9307e87f7e751aff4745379727fa99c9900d387f0eadd4fbbe43

          SHA512

          7c7216b2ed6ca7381a6ff0cc66b04e20720a9bb9b24cedfaa0158204d6bb6f5937dc4ee6c9b3529fbcebf002415792bd7de81cecbbde9c404ae4e709893a1e9f

        • C:\Users\Admin\AppData\Local\Temp\zx20246384248362.xml

          Filesize

          1KB

          MD5

          209f5fcd60089042d85b45f770eb07e2

          SHA1

          cb245161cc2204192107c7c84ab5aca01c007a5f

          SHA256

          d213081cc799b3d17c8aea6855744e90a0f82be1a4f4ac4b079919366ca78d97

          SHA512

          797fa36bee51a1745c5f7bb4561c120d1f293cbf897a573589697752e155ff7c896ae3746197cc036cee4ebb1cc749dc930c6b68b4f2a9d3ad011262c06942ca

        • C:\Users\Admin\AppData\Roaming\Maintenance\apps\maintenance.exe

          Filesize

          1.5MB

          MD5

          322d23bc1ee34b9abe2c992274ae417f

          SHA1

          aad310f27146cea18660a7d248ee9a3d5ae3fe87

          SHA256

          f93548cecd2f003c0b6cc6a87b8095b214919db50e888b00f3c2c0ac43546426

          SHA512

          221d75a9e470097a78fd39f5776939f9a9fafb901191d04be813a57ded5d1f6425724a19cb4479778362cd4318ae61e19611479c4d5af3778c6424eb6cad4d0f

        • memory/2524-16-0x0000000000400000-0x00000000005ED000-memory.dmp

          Filesize

          1.9MB

        • memory/2524-14-0x0000000000400000-0x00000000005ED000-memory.dmp

          Filesize

          1.9MB

        • memory/2524-19-0x0000000000400000-0x00000000005ED000-memory.dmp

          Filesize

          1.9MB

        • memory/2524-20-0x0000000075B90000-0x0000000075BE2000-memory.dmp

          Filesize

          328KB

        • memory/2524-21-0x0000000000402000-0x00000000005CE000-memory.dmp

          Filesize

          1.8MB

        • memory/2524-17-0x0000000000400000-0x00000000005ED000-memory.dmp

          Filesize

          1.9MB

        • memory/2524-18-0x0000000000730000-0x0000000000731000-memory.dmp

          Filesize

          4KB

        • memory/2524-15-0x0000000000402000-0x00000000005CE000-memory.dmp

          Filesize

          1.8MB

        • memory/3180-32-0x0000000000400000-0x000000000050D000-memory.dmp

          Filesize

          1.1MB

        • memory/3180-31-0x0000000000400000-0x000000000050D000-memory.dmp

          Filesize

          1.1MB

        • memory/3180-33-0x0000000000400000-0x000000000050D000-memory.dmp

          Filesize

          1.1MB

        • memory/3180-36-0x0000000000400000-0x000000000050D000-memory.dmp

          Filesize

          1.1MB

        • memory/3180-37-0x0000000000400000-0x000000000050D000-memory.dmp

          Filesize

          1.1MB

        • memory/3180-38-0x0000000000400000-0x000000000050D000-memory.dmp

          Filesize

          1.1MB

        • memory/3180-39-0x0000000000400000-0x000000000050D000-memory.dmp

          Filesize

          1.1MB

        • memory/3180-40-0x0000000000400000-0x000000000050D000-memory.dmp

          Filesize

          1.1MB

        • memory/3180-41-0x0000000000400000-0x000000000050D000-memory.dmp

          Filesize

          1.1MB