Analysis Overview
SHA256
61c43704ece17cfd15fd68a0e1d97de358d4b1896b37807ac0854a2b93ee5646
Threat Level: Known bad
The file a8ace75184056072baa65ea689806a20_JaffaCakes118 was found to be: Known bad.
Malicious Activity Summary
Cobaltstrike family
xmrig
Cobalt Strike reflective loader
Xmrig family
XMRig Miner payload
Cobaltstrike
UPX packed file
Executes dropped EXE
Loads dropped DLL
Drops file in Windows directory
Unsigned PE
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Analysis: static1
Detonation Overview
Reported
2024-06-14 08:11
Signatures
Cobalt Strike reflective loader
Cobaltstrike family
XMRig Miner payload
Xmrig family
UPX packed file
Unsigned PE
Analysis: behavioral1
Detonation Overview
Submitted
2024-06-14 08:11
Reported
2024-06-14 08:14
Platform
win7-20240611-en
Max time kernel
150s
Max time network
139s
Signatures
Cobalt Strike reflective loader
Cobaltstrike
xmrig
XMRig Miner payload
Executes dropped EXE
| Process |
| C:\Windows\System\kMZtJkE.exe |
| C:\Windows\System\ReiCNKT.exe |
| C:\Windows\System\kTyhSSi.exe |
| C:\Windows\System\RqCQpIn.exe |
| C:\Windows\System\kyZIxpF.exe |
| C:\Windows\System\wWFgLfV.exe |
| C:\Windows\System\HGPnEsU.exe |
| C:\Windows\System\WEpBSdj.exe |
| C:\Windows\System\pFaVCGn.exe |
| C:\Windows\System\dAzQiPd.exe |
| C:\Windows\System\qZjZDfW.exe |
| C:\Windows\System\DveMOgK.exe |
| C:\Windows\System\llylQWo.exe |
| C:\Windows\System\jNLGQZz.exe |
| C:\Windows\System\uDnmjJh.exe |
| C:\Windows\System\toVcdlR.exe |
| C:\Windows\System\gHzPmII.exe |
| C:\Windows\System\YYbmbzg.exe |
| C:\Windows\System\qZMZlyk.exe |
| C:\Windows\System\hIJlpJN.exe |
| C:\Windows\System\XUTCvvA.exe |
Loads dropped DLL
UPX packed file
| Description | Indicator | Process | Target |
Drops file in Windows directory
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\a8ace75184056072baa65ea689806a20_JaffaCakes118.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\a8ace75184056072baa65ea689806a20_JaffaCakes118.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
| Process | Command Line |
| C:\Users\Admin\AppData\Local\Temp\a8ace75184056072baa65ea689806a20_JaffaCakes118.exe | "C:\Users\Admin\AppData\Local\Temp\a8ace75184056072baa65ea689806a20_JaffaCakes118.exe" |
| C:\Windows\System\kMZtJkE.exe | C:\Windows\System\kMZtJkE.exe |
| C:\Windows\System\ReiCNKT.exe | C:\Windows\System\ReiCNKT.exe |
| C:\Windows\System\kTyhSSi.exe | C:\Windows\System\kTyhSSi.exe |
| C:\Windows\System\RqCQpIn.exe | C:\Windows\System\RqCQpIn.exe |
| C:\Windows\System\kyZIxpF.exe | C:\Windows\System\kyZIxpF.exe |
| C:\Windows\System\wWFgLfV.exe | C:\Windows\System\wWFgLfV.exe |
| C:\Windows\System\HGPnEsU.exe | C:\Windows\System\HGPnEsU.exe |
| C:\Windows\System\WEpBSdj.exe | C:\Windows\System\WEpBSdj.exe |
| C:\Windows\System\dAzQiPd.exe | C:\Windows\System\dAzQiPd.exe |
| C:\Windows\System\pFaVCGn.exe | C:\Windows\System\pFaVCGn.exe |
| C:\Windows\System\qZjZDfW.exe | C:\Windows\System\qZjZDfW.exe |
| C:\Windows\System\DveMOgK.exe | C:\Windows\System\DveMOgK.exe |
| C:\Windows\System\llylQWo.exe | C:\Windows\System\llylQWo.exe |
| C:\Windows\System\jNLGQZz.exe | C:\Windows\System\jNLGQZz.exe |
| C:\Windows\System\uDnmjJh.exe | C:\Windows\System\uDnmjJh.exe |
| C:\Windows\System\toVcdlR.exe | C:\Windows\System\toVcdlR.exe |
| C:\Windows\System\gHzPmII.exe | C:\Windows\System\gHzPmII.exe |
| C:\Windows\System\YYbmbzg.exe | C:\Windows\System\YYbmbzg.exe |
| C:\Windows\System\qZMZlyk.exe | C:\Windows\System\qZMZlyk.exe |
| C:\Windows\System\hIJlpJN.exe | C:\Windows\System\hIJlpJN.exe |
| C:\Windows\System\XUTCvvA.exe | C:\Windows\System\XUTCvvA.exe |
Network
| Country | Destination | Domain | Proto |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
Files
\Windows\system\kMZtJkE.exe
| MD5 | beae88bc850b9c5f9f7cd4e799942c79 |
| SHA1 | 918e1a30cd335d6223ca76a32955590f3e4deaa5 |
| SHA256 | 490e330da6d949c96d1cd5ddad3c1a657c79c0f878fa9e33d308179e86915452 |
| SHA512 | fbb65c2ddf644f2847d7970a96991f8b9af8486dcc773a60e9aaba8f71390da9127ec57eb86d6c71e52a038a0f6e00ab188e875c491acc29d5b2e6c1e34c2507 |
C:\Windows\system\ReiCNKT.exe
| MD5 | 89cfb21b5ff861997f777d0cff0a3d71 |
| SHA1 | 19be098a0f219202c426c9874567b124c6f1edf2 |
| SHA256 | 12cf929aca2f1f10f80f8c29d0ab222d63cb7b0c985fa2e2fcc7f4a46f6d17e6 |
| SHA512 | 577d5dd1f1cd53259e806b832d1fdf5b6da50b660ca7a53ef3dac02174796dfec5c3c2194b76cf1a53e177c7c735cfbcdb090f92621f4d98b38d56ad7c141277 |
C:\Windows\system\kTyhSSi.exe
| MD5 | 706d5149482b9437f6005d1a4ca5e9dc |
| SHA1 | 8bfeaa78e2b5877f555ae4bb069a3f4d2e018c05 |
| SHA256 | 3fe91c4dbe085bb47f9fb47e792c8bc63a9b727bf055ea2e7367250c87a40ed8 |
| SHA512 | 1f980a6384c9d84376a4d2bca60fabf48790b10de382d5cc07f7f20a4e66889b4328ad06821299b6aa8827b76287b80e3e0c02fc3d54d23fc10eb56047c64b1c |
\Windows\system\RqCQpIn.exe
| MD5 | c7eaece7d6035b67ca91381b0f654c4c |
| SHA1 | c6242ff2ec28b1a246e6e183659c17d28bb68f0f |
| SHA256 | 22ce842e739e9d67cbf6af45238fed372855bbf07cf455a6838814d7be3eb150 |
| SHA512 | 89e2d0ec28297d1705a63eec6051a41c7aa082564bd34d6b019176fd094e9731d4d9fc99cf6dbffe4434ac8127711b124dc0000259eff25c2da095a278d7fc69 |
\Windows\system\wWFgLfV.exe
| MD5 | fa414988899f22cc965bc336e3d0c64a |
| SHA1 | 93edd92b015244fef3ea96ac6f71a8c7f86c2101 |
| SHA256 | b520bbc83accee8b9c43e0b14e5ac520a6fdab0ee7db20f0269fc8f6a0465ea1 |
| SHA512 | f55e7874a39c7cfd03dc84b127f2adcd9ab2783e16fa71bf47d6c1340984e7c9228a340fe79036aee7405a80826425ef261e94813cfe70b8755bc5e37c5b24b4 |
C:\Windows\system\kyZIxpF.exe
| MD5 | 4156ce5da0fdb1350be4af3a9f2be165 |
| SHA1 | 881dfa9649bd030b5dd569ac07161fff0b5af76d |
| SHA256 | 9059ba303c7879c6fb6d004a71b4314e9e6a96bedb65d0d94192d9293f170b18 |
| SHA512 | f2227d9a6e91c1b4efb93f3fdbcc50fc15133132d52cfeeeb87680701e2e8de5014c75a880de625d689370ce41c45cbadf774ef72c83e535878a9ca34352278d |
C:\Windows\system\HGPnEsU.exe
| MD5 | aa25c1b3f967f3bb78e170a0cd2eed91 |
| SHA1 | 7bcce2a40a03514644873120fbd8e227db2c872b |
| SHA256 | 26e4de5f347d6488171cb8f838056877640eea04760a58553271c3acee4912f8 |
| SHA512 | 12ae54327f89505cbdeef34c0a39a49c555892f08cbd2eb1d73956ddaad1195b18bcde8670feb063866e0b24163628921fa192943f7ad780fff9daaef712cc3b |
\Windows\system\WEpBSdj.exe
| MD5 | 8ed7fc37ff5f961d8fad4e2e6b531bd0 |
| SHA1 | 1e6f3b7ab0baab4306d9ea48e044bf65aa235290 |
| SHA256 | 2048fcea4d0a060a5a61655bb660668095631b833370d9be90c2d8f0444bf1d0 |
| SHA512 | ada13009feca0fc204537c199247e2939a3f4866d4532c5b41330fc2dc236aa3e5423ba79b0466d6fe8318cd2f11c019d21f5133e30962acd1e450a527c2803d |
\Windows\system\qZjZDfW.exe
| MD5 | c4d150985ea52f2f68929389d290a715 |
| SHA1 | 479155faf2a36ef8a711aeec6f8ed8de4b4b9d73 |
| SHA256 | 608a3750044b2ea2fdfb243d233c3656c3e2823fbb1db5db679f1275b051637f |
| SHA512 | 7c3002ee95a2f574df454eb3e67bbe7b4fb505c0f520de8e78b5c9e3847d6f629647de0b095ebe48c067dff7c214bcb64c579eae345073071f0d8c3335e6f37d |
C:\Windows\system\pFaVCGn.exe
| MD5 | 4e339ee157e4b8e0d6d4d5ef7ad0b94a |
| SHA1 | 97b9556295c1d432cab0fd35fc8825b30f22a3a7 |
| SHA256 | e777849f2011c89c5e2d22425c6b7554b2fc230420bb357465e284948be8b838 |
| SHA512 | fc73247a112c0e38e685192a7193156c0c1ec869c0283a41a66576610a7438b0d5ad736cacb2a5a531edffbe2005716188667e3358922af0cb46abfc2442d8f0 |
\Windows\system\dAzQiPd.exe
| MD5 | b0243398414d1f83bed5022eefaac8d7 |
| SHA1 | 11b5f6ed7a17237bf8077dc6f2fbe9683eb18557 |
| SHA256 | 1553c38f78c07f24c2c5f4136607152f79da396b8aeca280465124a2bc0001b4 |
| SHA512 | 7317986812bcf58920ec1c0f2bcc9fc1c6be7033070e9642c0bbb991da23d6516a7544d3c542ca0fdfedde964e493c116c4835647c72df279e1cca6822c8bf82 |
C:\Windows\system\DveMOgK.exe
| MD5 | fc2f4314f7ec7d8ebf7e64080774fcee |
| SHA1 | 698852a950a45862552f09bcd9edc59dd2af9327 |
| SHA256 | b9dbae4b0a1d8124dd82bd020fc70fcf35fd420168be46c4b946c75a8dab5626 |
| SHA512 | c38c1365be64305a93414d116a0e85137f26c625308a3d8cd237987d895f84e0175620be520803beffedf4d3759b9aa22a765639da6eda146452d06b9267b957 |
\Windows\system\llylQWo.exe
| MD5 | f525125e10c843500a748df9166afc8e |
| SHA1 | 121904c85349b1829e4053a85a5c5cf1c4fbdeea |
| SHA256 | d5abfca8d40f014891e96236e51ad113af1ff8ebbf367848946c67d0f4786093 |
| SHA512 | 7104e12668ee2f5540cd5934511ec8284a75688ce6925c7b62e2aa52dcd291b3c098738146453d72feb9c29b0ae9e021307d91a48c14583fc088315d6c373554 |
\Windows\system\jNLGQZz.exe
| MD5 | 0419c2e63902c93bd8eca70b2923d491 |
| SHA1 | bb0d88a80cd628c3c6db98aa86b4404970c3e3e0 |
| SHA256 | 39db1a748b7740c27a99d94861a39c6f9cd3a97c49c8f8183fe45e5f7b9013ab |
| SHA512 | 22dd9f27b4e718cb72917fbff17494476e146c26cff17420825da8ef0dbadb6d9b8b96affa1867a5795a1a8b1ffc08c1eaa9b742f5166679ef24ed9fbdb991ce |
\Windows\system\uDnmjJh.exe
| MD5 | dceb2d0d351cd4c9edcf3be335ad9e31 |
| SHA1 | 316f079364b884cb2e2e2e1b2c94ee6337bfe587 |
| SHA256 | bc10500f7979a5ef92c2de8bb542f69d3d11b9763365def6332d3604ed5ba641 |
| SHA512 | a139a25ee9e01f39810b185b1ae1472e712a2dbc45038c7245612166fb3cb5458eaf478472dcaaa549ed4cf455a4f3db47279e1ca00b3efe982132b0d1b955e2 |
C:\Windows\system\toVcdlR.exe
| MD5 | 298799d7e44404c3fb5b09feca9cd61c |
| SHA1 | c821741c7d9d2427bb8e4990544b48b637afbd52 |
| SHA256 | 670879471a56e71fd56620f0ee3d2447c1a5c0b5b726dba14348ad3941b5f6e6 |
| SHA512 | c03575a9bb44eecb19abb602874996e95f383ee5af1462c7871ee40c087cb053f7b20f405faf8e67b3c73520c610ee63e598f8206b05ff3c81d3f102c86795e1 |
\Windows\system\gHzPmII.exe
| MD5 | 4868a2b15f2aba72292f4251693e5ecf |
| SHA1 | b708472524e2f2b783309623656225b149a6c821 |
| SHA256 | 8ad34a9e2887419dba2c90de50753afc40be76a05be5c9b10137270bca59945f |
| SHA512 | 890a51e0289f421eaf152eb992a0571a6a4440eb83b754285d2563d41aa754c9ab2dde0bd85b9c1c92a805e5bece188c3569df21c68d077de55af218b008d6e3 |
C:\Windows\system\YYbmbzg.exe
| MD5 | c368ab5096b4d4381c600e86cab61a2f |
| SHA1 | 61edbd28cde715ac6d01127652d6dd0394295aba |
| SHA256 | 856bf0783644c4fb62adac14c85a7a68dd9b29269c93cc6e81b69c7551277bfd |
| SHA512 | e862c91c335a807e8f361a454dad502a2aa851d2ba8f2b8e0a02bfd23214bb91dd189f999b9a2ea3c0864e161920873f70ca99d228f2e6d47c41685c1f8d387f |
C:\Windows\system\hIJlpJN.exe
| MD5 | 3bebbfd9e8ac118c9ac1a217573f8b7b |
| SHA1 | bb7ab3491271a8e4d2ab88a3e022d74f8f8169ee |
| SHA256 | 437dbb86e808100cb60c236edc2f81633dd497c4f30891a2360ce4810a797d73 |
| SHA512 | 18886ddaa8c62a282b2aee7c343ce3f3fb59815a4d5fd15d8fd49701a2a56207f5b751f70eb7db38ccbfac84e79c97fe8c991bca32d74a644676578fa4ecd35d |
\Windows\system\XUTCvvA.exe
| MD5 | fce416eede7198e4a76a7bd2a4a5121e |
| SHA1 | 7d2a7615bf46f9999067ac5e605050de516c062c |
| SHA256 | 20629830909a73032e1d5de9ee9f96fafb6562ca778e307116781b46bbb2b51a |
| SHA512 | e1dda6996c2cad75d7541dca34895a1bce31e73124b7ca4585d3b156d49a41bd0e0a6bd070a291df612830b397d2f227feaf5f9e234b6b34fb23863a34e288fe |
C:\Windows\system\qZMZlyk.exe
| MD5 | c3da04b38c64db52a2c6b69c1325d2d6 |
| SHA1 | 0d5b49cc7c09024d4fe6b63478eb24415378c839 |
| SHA256 | bc58713e7fd59995243a65dcc6a441decb180368b19401cf211b466208014104 |
| SHA512 | 16aae55d151011bd44679e0449cfd49026d5dcfe4214ff9c00fe2089fc23e01e7d1b45f4e08ff64896116d4b61911d6743a1e118bfb15a9dd02071bdf5cce5dc |
Analysis: behavioral2
Detonation Overview
Submitted
2024-06-14 08:11
Reported
2024-06-14 08:14
Platform
win10v2004-20240508-en
Max time kernel
51s
Max time network
51s
Signatures
xmrig
XMRig Miner payload
UPX packed file
Processes
C:\Users\Admin\AppData\Local\Temp\a8ace75184056072baa65ea689806a20_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\a8ace75184056072baa65ea689806a20_JaffaCakes118.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |