Analysis
- max time kernel: 147s
- max time network: 150s
- platform: windows10-2004_x64
- resource: win10v2004-20240508-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 03-07-2024 09:31
Behavioral task: behavioral1
- Sample: 21dec55f11ea3365d7e95e26f6693c55_JaffaCakes118.exe
- Resource: win7-20240508-en
General
- Target: 21dec55f11ea3365d7e95e26f6693c55_JaffaCakes118.exe
- Size: 784KB
- MD5: 21dec55f11ea3365d7e95e26f6693c55
- SHA1: fefa938cefc4a5e9efb97a854a525787767b529a
- SHA256: c8cbf8a62456328236a698b340f244753d277c97f63069dc45a7ca5cf3acefc4
- SHA512: 67a02415b13b412984c57c8dc38cb0bcc17fd31c85116f01a85a45cc00a5aa0570e88df7d68f5def25de33ffa58926b85c92fef7bf6dea3980d48b6e54c94020
- SSDEEP: 24576:UFJ8+5UD9OwqIMdypWefszwueM5mt7x8kck1:U8LqIMdypWMszwueOmtCxk1
Malware Config
Signatures
- XMRig Miner payload (6 IoCs)
  resource / yara_rule:
  - behavioral2/memory/5016-2-0x0000000000400000-0x0000000000593000-memory.dmp: xmrig
  - behavioral2/memory/5016-12-0x0000000000400000-0x0000000000593000-memory.dmp: xmrig
  - behavioral2/memory/4460-14-0x0000000000400000-0x0000000000593000-memory.dmp: xmrig
  - behavioral2/memory/4460-29-0x00000000053D0000-0x0000000005563000-memory.dmp: xmrig
  - behavioral2/memory/4460-19-0x0000000000400000-0x0000000000587000-memory.dmp: xmrig
  - behavioral2/memory/4460-30-0x0000000000400000-0x0000000000587000-memory.dmp: xmrig
- Deletes itself (1 IoC)
  pid / Process:
  - 4460 21dec55f11ea3365d7e95e26f6693c55_JaffaCakes118.exe
- Executes dropped EXE (1 IoC)
  pid / Process:
  - 4460 21dec55f11ea3365d7e95e26f6693c55_JaffaCakes118.exe
- upx yara_rule matches
  resource / yara_rule:
  - behavioral2/memory/5016-0-0x0000000000400000-0x0000000000712000-memory.dmp: upx
  - behavioral2/files/0x00080000000233c1-11.dat: upx
  - behavioral2/memory/4460-13-0x0000000000400000-0x0000000000712000-memory.dmp: upx
- Suspicious behavior: RenamesItself (1 IoC)
  pid / Process:
  - 5016 21dec55f11ea3365d7e95e26f6693c55_JaffaCakes118.exe
- Suspicious use of UnmapMainImage (2 IoCs)
  pid / Process:
  - 5016 21dec55f11ea3365d7e95e26f6693c55_JaffaCakes118.exe
  - 4460 21dec55f11ea3365d7e95e26f6693c55_JaffaCakes118.exe
- Suspicious use of WriteProcessMemory (3 IoCs)
  description / pid / Process / procid_target:
  - PID 5016 wrote to memory of 4460 / 5016 / 21dec55f11ea3365d7e95e26f6693c55_JaffaCakes118.exe / 81
  - PID 5016 wrote to memory of 4460 / 5016 / 21dec55f11ea3365d7e95e26f6693c55_JaffaCakes118.exe / 81
  - PID 5016 wrote to memory of 4460 / 5016 / 21dec55f11ea3365d7e95e26f6693c55_JaffaCakes118.exe / 81
Processes
- C:\Users\Admin\AppData\Local\Temp\21dec55f11ea3365d7e95e26f6693c55_JaffaCakes118.exe (level 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\21dec55f11ea3365d7e95e26f6693c55_JaffaCakes118.exe"
  PID: 5016
  - Suspicious behavior: RenamesItself
  - Suspicious use of UnmapMainImage
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\21dec55f11ea3365d7e95e26f6693c55_JaffaCakes118.exe (level 2)
    Command line: C:\Users\Admin\AppData\Local\Temp\21dec55f11ea3365d7e95e26f6693c55_JaffaCakes118.exe
    PID: 4460
    - Deletes itself
    - Executes dropped EXE
    - Suspicious use of UnmapMainImage
Network
MITRE ATT&CK Matrix
Downloads
- Filesize: 784KB
- MD5: 5686f11f57113cecad913c100607919d
- SHA1: a3c607d22703404b4cdb2b8087b26a3d244413d5
- SHA256: d8ed96d911952c9b70273a354957b8e7ff6d8f6da7876d6369f5b0d11c1921bd
- SHA512: e5ebbe98225ff9af83b0e2dc79fd890207ecdd0973dad5b5dc47e2af3536c6e0a8fd6de4634386d7166a15043843429d39401ed909d2e26da21be178693d5a45