Overview

overview

10

Static

static

1

JaffaCakes...9d.exe

windows7-x64

7

JaffaCakes...9d.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    150s
  • max time network
    150s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    22-12-2024 05:48

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    JaffaCakes118_4c0e74a2eb39808b4abd6107e7dcc17a27d9b80d014aac1fedf58e8fda231c9d.exe

  • Size

    6.6MB

  • MD5

    e4ce16957129f0ce094c9eaae8672333

  • SHA1

    aed6f0d4abb26ee4df7814a14fa59fcb0fb2f013

  • SHA256

    4c0e74a2eb39808b4abd6107e7dcc17a27d9b80d014aac1fedf58e8fda231c9d

  • SHA512

    c6c51a3345c191ef694b595406665e9b31ba935de10dcd6be7c6bcf46c158a4a5e58b5e21ebd59a15207dec2feb7a45ddfbb8d6ba21f56c57423bd895c63228d

  • SSDEEP

    196608:NERwPy8YGUdxPSgB/aSoJxJgczOLX5UNm2m31BNL/Ys2tIs+:KRwK8YGMq+V0D7zOL/1BNLgfIP

Score
10/10
xmrigdiscoveryminerpersistenceupx

Malware Config

Signatures

  • Xmrig family
    xmrig
  • xmrig

    XMRig is a high performance, open source, cross platform CPU/GPU miner.

    minerxmrig
  • XMRig Miner payload 7 IoCs
    miner
  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 1 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Looks up external IP address via web service 1 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Suspicious use of SetThreadContext 3 IoCs
  • UPX packed file 2 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

    upx
  • System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Modifies registry key 1 TTPs 2 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of WriteProcessMemory 47 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_4c0e74a2eb39808b4abd6107e7dcc17a27d9b80d014aac1fedf58e8fda231c9d.exe
    "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_4c0e74a2eb39808b4abd6107e7dcc17a27d9b80d014aac1fedf58e8fda231c9d.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:2656
    • C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
      2⤵
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of WriteProcessMemory
      PID:5032
      • C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe
        "C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe"
        3⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • Suspicious use of SetThreadContext
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of WriteProcessMemory
        PID:3508
        • C:\Windows\system32\svchost.exe
          C:\Windows\system32\svchost.exe --algo ETCHASH --pool etc.2miners.com:1010 --user 0x5E91C51e70b18e904fd29dB42442B29959ADeF7F.TestEasy
          4⤵
            PID:2792
          • C:\Windows\system32\conhost.exe
            C:\Windows\system32\conhost.exe -o xmr.2miners.com:2222 -u XMR_ADDRESS -p "TestEasy"
            4⤵
            • Suspicious use of AdjustPrivilegeToken
            • Suspicious use of FindShellTrayWindow
            PID:1784
        • C:\Windows\SysWOW64\REG.exe
          REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v OneDrive /t REG_SZ /f /d C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe
          3⤵
          • Adds Run key to start application
          • System Location Discovery: System Language Discovery
          • Modifies registry key
          PID:3164
        • C:\Windows\SysWOW64\REG.exe
          REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\StartupApproved\Run /v OneDrive /t REG_BINARY /f /d 020000000000000000000000
          3⤵
          • System Location Discovery: System Language Discovery
          • Modifies registry key
          PID:1928

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\Microsoft\0WeFMNkFGBmkwq_s
      Filesize

      133B

      MD5

      b4a9904489c912c0ca3df039458c0aa3

      SHA1

      590860d91a576b1ea488416ebbe0c6f3f4f60d97

      SHA256

      c7747a2eef363b46c9329e13018540bb99e6d088baa1a89526c4159ee3c09d74

      SHA512

      74ee4610e4ee2e4dbba872f6f471f8bf41dc00019b817f9aa54a0a39e16103100772e39923de6e36155860d6791a29b9cbd0e4306f6fdc46f6bcd7a9163817c7

      Download Submit

    • C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe
      Filesize

      175KB

      MD5

      f3af73070387fb75b19286826cc3126c

      SHA1

      7774854137d7ada89f3b4bdf67631456a1e74853

      SHA256

      974243f2487ceeb8eeea6aa8fee215f15c7b204382d4bd12f469f712f56c3610

      SHA512

      a620583b2d89e3f0350ae4d5dfe2b2c160d2f982b29dea6b8e273bb39ab2d1d91a2452238e9c30cdd7151aa555e231e1ac9930f9d76f6ff80504eacb25fa557a

      Download Submit

    • C:\Users\Admin\AppData\Local\Microsoft\OneDrive\Secur32.dll
      Filesize

      316KB

      MD5

      fed6517a5f84eecc29edee5586d7feeb

      SHA1

      56df244bf73c7ec7b59c98e1f5d47b379b58a06b

      SHA256

      5075a0587b1b35c0152d8c44468641d0ab1c52fd8f1814ee257eceb9ffcb89b6

      SHA512

      45cab4395d509b5d7dfb904e84d5a679440412f494c4970191b5882572f4d1b9c9cd28d41a49619353c405c2477153b4a7a1568fcf307709df0b81b38c405642

      Download Submit

    • memory/1784-53-0x0000000140000000-0x00000001407DD000-memory.dmp

      Filesize

      7.9MB

      Download

    • memory/1784-54-0x0000000140000000-0x00000001407DD000-memory.dmp

      Filesize

      7.9MB

      Download

    • memory/1784-55-0x0000022B8E710000-0x0000022B8E730000-memory.dmp

      Filesize

      128KB

      Download

    • memory/1784-56-0x0000000140000000-0x00000001407DD000-memory.dmp

      Filesize

      7.9MB

      Download

    • memory/1784-60-0x0000000140000000-0x00000001407DD000-memory.dmp

      Filesize

      7.9MB

      Download

    • memory/1784-59-0x0000000140000000-0x00000001407DD000-memory.dmp

      Filesize

      7.9MB

      Download

    • memory/1784-58-0x0000000140000000-0x00000001407DD000-memory.dmp

      Filesize

      7.9MB

      Download

    • memory/1784-57-0x0000000140000000-0x00000001407DD000-memory.dmp

      Filesize

      7.9MB

      Download

    • memory/2656-1-0x00000000012A0000-0x00000000013A0000-memory.dmp

      Filesize

      1024KB

      Download

    • memory/2792-51-0x0000000140000000-0x0000000142B59000-memory.dmp

      Filesize

      43.3MB

      Download

    • memory/2792-52-0x0000000140000000-0x0000000142B59000-memory.dmp

      Filesize

      43.3MB

      Download

    • memory/5032-8-0x0000000000400000-0x00000000004CA000-memory.dmp

      Filesize

      808KB

      Download

    • memory/5032-2-0x0000000000400000-0x00000000004CA000-memory.dmp

      Filesize

      808KB

      Download