Overview

overview

10

Static

static

7

JaffaCakes...fc.exe

windows7-x64

10

JaffaCakes...fc.exe

windows10-2004-x64

10

#/1.exe

windows7-x64

#/1.exe

windows10-2004-x64

#/2.exe

windows7-x64

#/2.exe

windows10-2004-x64

Sharing

Copy URL
Twitter E-mail

General

  • Target

    JaffaCakes118_878ec6377348ad7fea7823d62801582f708bb83b09808b2e060163ca46cb4dfc

  • Size

    789.8MB

  • Sample

    241230-f61p1azjht

  • MD5

    7b1c6614bf92b909e55f066a20c272c9

  • SHA1

    9dd881a80ffc63673610c4b96b7d6ec77e2eb922

  • SHA256

    878ec6377348ad7fea7823d62801582f708bb83b09808b2e060163ca46cb4dfc

  • SHA512

    50196a823c4b9a7ecb046d6a93b268126d79974f5f55a06a7654f2e3604ccfb55e4d92f844e79d5c50d9b935e993d2b15dc35b9beb533393d3c2203202f61523

  • SSDEEP

    196608:m1ar9j+0pcUEZ8NrOPIgrbw927UZkPpoROfGqQG3+Yd+pdc+LJ:mApccrOjbw9Sp6OfGqL3+Yym+

Score
10/10
rhadamanthysxmrigdiscoveryevasionexecutionminerstealerthemidatrojan

Malware Config

Extracted

Family

rhadamanthys

C2

https://65.21.101.233:4714/2f5e662542c10b098/e8c101kl.lxije

Targets

    • Target

      JaffaCakes118_878ec6377348ad7fea7823d62801582f708bb83b09808b2e060163ca46cb4dfc

    • Size

      789.8MB

    • MD5

      7b1c6614bf92b909e55f066a20c272c9

    • SHA1

      9dd881a80ffc63673610c4b96b7d6ec77e2eb922

    • SHA256

      878ec6377348ad7fea7823d62801582f708bb83b09808b2e060163ca46cb4dfc

    • SHA512

      50196a823c4b9a7ecb046d6a93b268126d79974f5f55a06a7654f2e3604ccfb55e4d92f844e79d5c50d9b935e993d2b15dc35b9beb533393d3c2203202f61523

    • SSDEEP

      196608:m1ar9j+0pcUEZ8NrOPIgrbw927UZkPpoROfGqQG3+Yd+pdc+LJ:mApccrOjbw9Sp6OfGqL3+Yym+

    Score
    10/10
    rhadamanthysxmrigdiscoveryevasionexecutionminerstealerthemidatrojan

    • Rhadamanthys

      Rhadamanthys is an info stealer written in C++ first seen in August 2022.

      stealerrhadamanthys

    • Rhadamanthys family

      rhadamanthys

    • Suspicious use of NtCreateUserProcessOtherParentProcess

    • Xmrig family

      xmrig

    • xmrig

      XMRig is a high performance, open source, cross platform CPU/GPU miner.

      minerxmrig

    • Identifies VirtualBox via ACPI registry values (likely anti-VM)

      evasion

    • XMRig Miner payload

      miner

    • Command and Scripting Interpreter: PowerShell

      Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

      execution

    • Stops running service(s)

      evasionexecution

    • Checks BIOS information in registry

      BIOS information is often read in order to detect sandboxing environments.

    • Executes dropped EXE

    • Loads dropped DLL

    • Themida packer

      Detects Themida, an advanced Windows software protection system.

      themida

    • Checks whether UAC is enabled

      evasiontrojan

    • Drops file in System32 directory

    • Suspicious use of NtSetInformationThreadHideFromDebugger

    • Suspicious use of SetThreadContext

    behavioral1behavioral2

    • Target

      #/1.exe

    • Size

      787.5MB

    • MD5

      370cca5df1800fd0e63914e82b4c8ab5

    • SHA1

      aed6994c15ff5ac1389d00cfd8919db7e7520928

    • SHA256

      aa8186b7280b13e6afb1617e9bdda5f8135b76b596f704691e21d3866021e5ba

    • SHA512

      67056266f2d41f50c575f8d091f9c73f16dcc012127e7729d77002e3b8c2753797a76415286534916bfe65c42427dcd99ee62fe81689ea18484b1a302cd17bf2

    • SSDEEP

      98304:clYOv6s9UqlNkIE57IQOrRTQ0tdHuyRafIlsewjDUv9Lk9tBtROM1H5TQysNTHQY:yv6ONkIQMQORQAuywfIlppv9S+6GVT

    Score
    1/10
    behavioral3behavioral4

    • Target

      #/2.exe

    • Size

      236.0MB

    • MD5

      239acf31d325df974934fc809cb2554f

    • SHA1

      6967235df4216d052a80b72eeedad01c51dfda84

    • SHA256

      ae67a5fa7358988d5bfe18386d2e0097d10e9eab90fec1176f62aa33ec237e5f

    • SHA512

      0e3706e1ee6e89e5b1a10b55493c7711a573d0ec22787d374feb5954e78be669ecbb94f25e890bb7fab79c51fcb28bafbad681c7bc540bcef434d729ea82080e

    • SSDEEP

      24576:tSBNKCWdg5r/26p6DMZGbukOGz9f3NEJqmnK09oGww:tMXr/26p6IDkh93NoqmnhOGww

    Score
    1/10
    behavioral5behavioral6

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1
T1059

PowerShell

1
T1059.001

Scheduled Task/Job

1
T1053

Scheduled Task

1
T1053.005

System Services

1
T1569

Service Execution

1
T1569.002

Persistence

Create or Modify System Process

1
T1543

Windows Service

1
T1543.003

Scheduled Task/Job

1
T1053

Scheduled Task

1
T1053.005

Privilege Escalation

Create or Modify System Process

1
T1543

Windows Service

1
T1543.003

Scheduled Task/Job

1
T1053

Scheduled Task

1
T1053.005

Defense Evasion

Impair Defenses

1
T1562

Virtualization/Sandbox Evasion

1
T1497

Credential Access

Discovery

Query Registry

3
T1012

System Information Discovery

3
T1082

System Location Discovery

1
T1614

System Language Discovery

1
T1614.001

Virtualization/Sandbox Evasion

1
T1497

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Service Stop

1
T1489

Tasks