Overview

overview

10

Static

static

7

JaffaCakes...3e.exe

windows7-x64

10

JaffaCakes...3e.exe

windows10-2004-x64

10

#/Discord.exe

windows7-x64

#/Discord.exe

windows10-2004-x64

#/Packag...he.exe

windows7-x64

#/Packag...he.exe

windows10-2004-x64

Sharing

Copy URL
Twitter E-mail

General

  • Target

    JaffaCakes118_3426d0e0926c092be63bb12c0df0708087db8bd74fa489f24c5672958b095a3e

  • Size

    789.5MB

  • Sample

    241225-rhxtzsvlex

  • MD5

    b9e441398c6ffb9c8fb7ca199268f09a

  • SHA1

    53e866fe192f620bd5f9fe57d6750db6b0bb8569

  • SHA256

    3426d0e0926c092be63bb12c0df0708087db8bd74fa489f24c5672958b095a3e

  • SHA512

    6e277251e803dbb4f80c50b3e010fc8cbaea32aeb42c2a89617ee1c794b57b7306fe2f6f60bb967e73d19019675ea44a26cb4985fa006444336c63ea128fdd9f

  • SSDEEP

    196608:gJjuM3xa11pQ8Q7l9XJ3Js0g3VyY7x3BEPo3upZePWy:oa11+8QJ9XdOFyY7xy8MZeP

Score
10/10
rhadamanthysxmrigdiscoveryevasionexecutionminerstealerthemidatrojan

Malware Config

Extracted

Family

rhadamanthys

C2

https://65.21.101.233:4714/2f5e662542c10b098/e8c101kl.lxije

Targets

    • Target

      JaffaCakes118_3426d0e0926c092be63bb12c0df0708087db8bd74fa489f24c5672958b095a3e

    • Size

      789.5MB

    • MD5

      b9e441398c6ffb9c8fb7ca199268f09a

    • SHA1

      53e866fe192f620bd5f9fe57d6750db6b0bb8569

    • SHA256

      3426d0e0926c092be63bb12c0df0708087db8bd74fa489f24c5672958b095a3e

    • SHA512

      6e277251e803dbb4f80c50b3e010fc8cbaea32aeb42c2a89617ee1c794b57b7306fe2f6f60bb967e73d19019675ea44a26cb4985fa006444336c63ea128fdd9f

    • SSDEEP

      196608:gJjuM3xa11pQ8Q7l9XJ3Js0g3VyY7x3BEPo3upZePWy:oa11+8QJ9XdOFyY7xy8MZeP

    Score
    10/10
    rhadamanthysxmrigdiscoveryevasionexecutionminerstealerthemidatrojan

    • Rhadamanthys

      Rhadamanthys is an info stealer written in C++ first seen in August 2022.

      stealerrhadamanthys

    • Rhadamanthys family

      rhadamanthys

    • Suspicious use of NtCreateUserProcessOtherParentProcess

    • Xmrig family

      xmrig

    • xmrig

      XMRig is a high performance, open source, cross platform CPU/GPU miner.

      minerxmrig

    • Identifies VirtualBox via ACPI registry values (likely anti-VM)

      evasion

    • XMRig Miner payload

      miner

    • Command and Scripting Interpreter: PowerShell

      Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

      execution

    • Stops running service(s)

      evasionexecution

    • Checks BIOS information in registry

      BIOS information is often read in order to detect sandboxing environments.

    • Executes dropped EXE

    • Loads dropped DLL

    • Themida packer

      Detects Themida, an advanced Windows software protection system.

      themida

    • Checks whether UAC is enabled

      evasiontrojan

    • Drops file in System32 directory

    • Suspicious use of NtSetInformationThreadHideFromDebugger

    • Suspicious use of SetThreadContext

    behavioral1behavioral2

    • Target

      #/Discord.exe

    • Size

      781.3MB

    • MD5

      9baec735dd09cf2647bc3a0b940addf0

    • SHA1

      58aa69bc881ca7c10ac9bf7efacef6c38ee36167

    • SHA256

      ef27df3f7d7e8a55f5bb8996e8a1e1ff30ea597755591ebcfafeffb0ffd20cb0

    • SHA512

      79dd11b0ba922c95e3ebd4d1adc64e2a762dd0ad20d4b3f243d097c1f3da1743b88a42aa26b4a3f29a84ad48a4d13dddb03b9744b540a64a9a490d14a9083615

    • SSDEEP

      24576:2N9+b29AJ87kHCzSRGMuoRqvoEcbQs2jxaBCqx:2nM87kHCRMjovtcss2jYCq

    Score
    1/10
    behavioral3behavioral4

    • Target

      #/PackageLaunche.exe

    • Size

      5.0MB

    • MD5

      aa0241ab56b4d373714233775a660014

    • SHA1

      af875728270c1ba60aa1b696dcb70f0f0b96d002

    • SHA256

      36bfa2383cde18cde2ebc7d30896e8843d4bd2c7c46d97d64826c757d3d25ee4

    • SHA512

      452ba11026e2cb15abc1d452d564933c04d7e4baf38253ebc3ee30974bb89e4f07a9d6bc849f084b6f4dc7e005779eae21ab56e0328f73aff87da530981d89f8

    • SSDEEP

      98304:PU0BntPCykuMLBKVq5F/4SkHForv/Ye4r0JUjXav7lLWyZgi+VzZxh1UgXB:PUontPCyvBVmwCIr0JyKv7FWyuzxPUq

    Score
    1/10
    behavioral5behavioral6

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1
T1059

PowerShell

1
T1059.001

Scheduled Task/Job

1
T1053

Scheduled Task

1
T1053.005

System Services

1
T1569

Service Execution

1
T1569.002

Persistence

Create or Modify System Process

1
T1543

Windows Service

1
T1543.003

Scheduled Task/Job

1
T1053

Scheduled Task

1
T1053.005

Privilege Escalation

Create or Modify System Process

1
T1543

Windows Service

1
T1543.003

Scheduled Task/Job

1
T1053

Scheduled Task

1
T1053.005

Defense Evasion

Impair Defenses

1
T1562

Virtualization/Sandbox Evasion

1
T1497

Credential Access

Discovery

Query Registry

3
T1012

System Information Discovery

3
T1082

System Location Discovery

1
T1614

System Language Discovery

1
T1614.001

Virtualization/Sandbox Evasion

1
T1497

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Service Stop

1
T1489

Tasks