Analysis

  • max time kernel
    13s
  • max time network
    19s
  • platform
    windows7_x64
  • resource
    win7-20241010-en
  • resource tags

    arch:x64, arch:x86, image:win7-20241010-en, locale:en-us, os:windows7-x64, system
  • submitted
    18/10/2024, 02:35 UTC

General

  • Target

    5503970e9c530895482b34c6cb045926_JaffaCakes118.exe

  • Size

    784KB

  • MD5

    5503970e9c530895482b34c6cb045926

  • SHA1

    dfe1b7927eb8ca31e17f495e37d0556205d97e7d

  • SHA256

    83078d8fda61f642384b2f08abff86f8b4268b319cc62daa2b9e8b3aa35e8912

  • SHA512

    f02398e1c072b910cde1fbae5aa13808cc7435bc9eccc0ad1cd10c0f5290934fd54cb12b73ef6110902f797c6768f9ebe9ae90707982e85e9a0c6deaff9921de

  • SSDEEP

    24576:eJOES/eOh46qtCm2Qu0+rFcR0Ng+Ksdf9lcscnf:ecEFOh2tCm3YPgedf9lcsEf

Malware Config

Signatures

  • xmrig

    XMRig is a high performance, open source, cross platform CPU/GPU miner.

  • XMRig Miner payload 8 IoCs
  • Deletes itself 1 IoCs
  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 1 IoCs
  • UPX packed file 3 IoCs

    Detects executables packed with the open-source UPX packer or a modified UPX.

  • System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious behavior: RenamesItself 1 IoCs
  • Suspicious use of UnmapMainImage 2 IoCs
  • Suspicious use of WriteProcessMemory 4 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\5503970e9c530895482b34c6cb045926_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\5503970e9c530895482b34c6cb045926_JaffaCakes118.exe"
    1⤵
    • Loads dropped DLL
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: RenamesItself
    • Suspicious use of UnmapMainImage
    • Suspicious use of WriteProcessMemory
    PID:1492
    • C:\Users\Admin\AppData\Local\Temp\5503970e9c530895482b34c6cb045926_JaffaCakes118.exe
      C:\Users\Admin\AppData\Local\Temp\5503970e9c530895482b34c6cb045926_JaffaCakes118.exe
      2⤵
      • Deletes itself
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious use of UnmapMainImage
      PID:3032

Network

MITRE ATT&CK Enterprise v15

Downloads

  • \Users\Admin\AppData\Local\Temp\5503970e9c530895482b34c6cb045926_JaffaCakes118.exe

    Filesize

    784KB

    MD5

    eaed224f67303db9f06fcc39d84f019b

    SHA1

    69ec0255a2db5a3998c456c5d603b3377b61b75e

    SHA256

    a79cedbb99622e8dbcaf28c7e1cf7da8ae9722fca18b90351502e4d98b4b50d5

    SHA512

    b70691b428b30af8461ced071833d2bfb715e0686e7261bc8f1405b82e3a395bc1cf84c440b54de2fcb71a52dd9c5c73722c0f8e3101ca516a2206dd08bb5914

  • memory/1492-35-0x00000000031D0000-0x00000000034E2000-memory.dmp

    Filesize

    3.1MB

  • memory/1492-7-0x00000000018B0000-0x0000000001974000-memory.dmp

    Filesize

    784KB

  • memory/1492-2-0x0000000000400000-0x0000000000593000-memory.dmp

    Filesize

    1.6MB

  • memory/1492-15-0x00000000031D0000-0x00000000034E2000-memory.dmp

    Filesize

    3.1MB

  • memory/1492-14-0x0000000000400000-0x0000000000593000-memory.dmp

    Filesize

    1.6MB

  • memory/1492-0-0x0000000000400000-0x0000000000712000-memory.dmp

    Filesize

    3.1MB

  • memory/3032-17-0x0000000000400000-0x0000000000712000-memory.dmp

    Filesize

    3.1MB

  • memory/3032-34-0x0000000000400000-0x0000000000587000-memory.dmp

    Filesize

    1.5MB

  • memory/3032-33-0x0000000003220000-0x00000000033B3000-memory.dmp

    Filesize

    1.6MB

  • memory/3032-24-0x0000000000400000-0x0000000000587000-memory.dmp

    Filesize

    1.5MB

  • memory/3032-19-0x0000000000400000-0x0000000000593000-memory.dmp

    Filesize

    1.6MB

  • memory/3032-18-0x00000000018B0000-0x0000000001974000-memory.dmp

    Filesize

    784KB
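The dump listing above is worth reading as a timeline rather than a pile of files. In PID 1492 the region at the image base 0x400000 is 3.1MB in dump 0 and 1.6MB from dump 2 onward; in the child PID 3032 it goes 3.1MB, then 1.6MB, then 1.5MB. A loader-mapped PE keeps one SizeOfImage for the life of the process, so a differently sized region at the same base means the original mapping was unmapped and replaced, which is the activity behind the UnmapMainImage and WriteProcessMemory signatures. Note also that the file left at the submitted path has a different MD5 (eaed224f67303db9f06fcc39d84f019b) from the sample that was submitted, at the same 784KB size, so a host-based IOC list needs both hashes. The script below is an added example, not part of the sandbox report or its tooling: it parses the artifact names exactly as listed (the memory/<pid>-<sequence>-<start>-<end>-memory.dmp layout is inferred from this listing and is an assumption), flags processes whose image-base mapping changed size, lists regions elsewhere whose size matches one of those image sizes (candidate staging buffers), and lists regions that are exactly the on-disk file size (raw copies of the executable read into memory). The interpretation of what each region is remains an inference from sizes, not a verified fact about this sample.

```python
import re
from collections import defaultdict

# Dump artifact names as listed under "Downloads" in this report; the sandbox
# encodes them as memory/<pid>-<sequence>-<start>-<end>-memory.dmp (assumed
# layout, inferred from the listing). Deliberately left in listing order.
REPORT_DUMPS = [
    "memory/1492-35-0x00000000031D0000-0x00000000034E2000-memory.dmp",
    "memory/1492-7-0x00000000018B0000-0x0000000001974000-memory.dmp",
    "memory/1492-2-0x0000000000400000-0x0000000000593000-memory.dmp",
    "memory/1492-15-0x00000000031D0000-0x00000000034E2000-memory.dmp",
    "memory/1492-14-0x0000000000400000-0x0000000000593000-memory.dmp",
    "memory/1492-0-0x0000000000400000-0x0000000000712000-memory.dmp",
    "memory/3032-17-0x0000000000400000-0x0000000000712000-memory.dmp",
    "memory/3032-34-0x0000000000400000-0x0000000000587000-memory.dmp",
    "memory/3032-33-0x0000000003220000-0x00000000033B3000-memory.dmp",
    "memory/3032-24-0x0000000000400000-0x0000000000587000-memory.dmp",
    "memory/3032-19-0x0000000000400000-0x0000000000593000-memory.dmp",
    "memory/3032-18-0x00000000018B0000-0x0000000001974000-memory.dmp",
]

# Size of the sample on disk as reported (784KB, taken as 784 * 1024 bytes).
ON_DISK_SIZE = 784 * 1024

DUMP_NAME = re.compile(
    r"^memory/(?P<pid>\d+)-(?P<seq>\d+)-0x(?P<start>[0-9A-Fa-f]+)"
    r"-0x(?P<end>[0-9A-Fa-f]+)-memory\.dmp$"
)


def parse_dump_name(name):
    """Return (pid, seq, start, end) for a dump artifact name, or None for anything else."""
    m = DUMP_NAME.match(name)
    if m is None:
        return None
    return (int(m["pid"]), int(m["seq"]), int(m["start"], 16), int(m["end"], 16))


def parsed_dumps(names):
    """All parseable dumps, ordered by PID and then by capture sequence."""
    return sorted(filter(None, map(parse_dump_name, names)), key=lambda d: (d[0], d[1]))


def region_history(names, base):
    """Per PID, the distinct region sizes seen at `base`, as (seq, size), in capture order.
    Consecutive dumps of an unchanged size are collapsed into one entry."""
    hist = defaultdict(list)
    for pid, seq, start, end in parsed_dumps(names):
        if start != base:
            continue
        size = end - start
        if not hist[pid] or hist[pid][-1][1] != size:
            hist[pid].append((seq, size))
    return dict(hist)


def flag_image_replacement(names, base=0x400000):
    """PIDs whose mapping at the image base changed size between dumps.

    The loader maps a PE once with a fixed SizeOfImage, so a later dump with a
    differently sized region at the same base means the original image was
    unmapped and something else was mapped or written there (manual unpacking
    or hollowing). Returns {pid: [(seq, size), ...]} for affected PIDs only.
    """
    return {pid: h for pid, h in region_history(names, base).items() if len(h) > 1}


def staging_candidates(names, base=0x400000):
    """Regions away from the image base whose size equals a size that was at some
    point mapped at the base in any process: likely buffers in which an image was
    prepared before being copied over the base (an inference from size alone)."""
    image_sizes = {size for h in region_history(names, base).values() for _, size in h}
    return [
        (pid, seq, start, end - start)
        for pid, seq, start, end in parsed_dumps(names)
        if start != base and (end - start) in image_sizes
    ]


def file_sized_regions(names, file_size=ON_DISK_SIZE):
    """Regions exactly as large as the on-disk file: raw copies of the executable
    read into memory, as opposed to a loader-mapped image, which is larger."""
    return [(pid, seq, start) for pid, seq, start, end in parsed_dumps(names)
            if end - start == file_size]


if __name__ == "__main__":
    for pid, hist in flag_image_replacement(REPORT_DUMPS).items():
        steps = " -> ".join(f"seq {s}: {size / 1024 / 1024:.2f} MiB" for s, size in hist)
        print(f"PID {pid}: image at 0x400000 replaced: {steps}")
    for pid, seq, start, size in staging_candidates(REPORT_DUMPS):
        print(f"PID {pid} dump {seq}: staging buffer at {start:#x} ({size / 1024 / 1024:.2f} MiB)")
    for pid, seq, start in file_sized_regions(REPORT_DUMPS):
        print(f"PID {pid} dump {seq}: raw file copy at {start:#x}")
```

Run against this report's list, the script reports both PIDs as having had their image-base mapping replaced (1492: 3.1MB then 1.6MB; 3032: 3.1MB, 1.6MB, then 1.5MB), the 0x31D0000 region in 1492 and the 0x3220000 region in 3032 as staging candidates, and the 0x18B0000 region in each process as an exact-size copy of the 784KB file. When triaging, pull the last dump at 0x400000 for each PID (1492-14 and 3032-34 here) rather than the first: that is the image after unpacking, which is where XMRig strings and the miner configuration would be found if they are present.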
