loaderbot | fa5bbde6bc224e578b7eb2e4ea1506570b378279b4c5f79185043d15cc81b419

General

Target

364a15d8bb0ffb21e6b7dd650eb12b0b_JaffaCakes118.exe
Size

16KB
MD5

364a15d8bb0ffb21e6b7dd650eb12b0b
SHA1

d0db53c0e2e9f4e2ac87ea879d50775b20114754
SHA256

fa5bbde6bc224e578b7eb2e4ea1506570b378279b4c5f79185043d15cc81b419
SHA512

51f24d29c20af9a8d75e5dd17e2e8cd7a09e196cda55442b6c502b1ac7f6ba7e89e5ceb448ecf10ca2b954be22f80c3e784ef8e122b97aa5cc276087f8696638
SSDEEP

384:e+FvJsPhdH19GTXjdhk1uujYcV6AUwJFZb:eAkfV9AhAfYcV6Dw9b

Score

10^/10

loaderbot loader miner persistence

Malware Config

Extracted

Family

loaderbot

C2

http://s0rick.rckl.pw/cmd.php

Signatures

LoaderBot
LoaderBot is a loader written in .NET downloading and executing miners.
loader miner loaderbot

LoaderBot executable 1 IoCs

Processes:

resource	yara_rule
behavioral1/memory/2676-1-0x0000000000100000-0x000000000010A000-memory.dmp	loaderbot

Drops startup file 1 IoCs

Processes:

364a15d8bb0ffb21e6b7dd650eb12b0b_JaffaCakes118.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Webhost.url	364a15d8bb0ffb21e6b7dd650eb12b0b_JaffaCakes118.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

364a15d8bb0ffb21e6b7dd650eb12b0b_JaffaCakes118.exe364a15d8bb0ffb21e6b7dd650eb12b0b_JaffaCakes118.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Windows\CurrentVersion\Run\Webhost = "C:\\Users\\Admin\\AppData\\Roaming\\Windows\\364a15d8bb0ffb21e6b7dd650eb12b0b_JaffaCakes118.exe"	364a15d8bb0ffb21e6b7dd650eb12b0b_JaffaCakes118.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Windows\CurrentVersion\Run\Webhost = "C:\\Users\\Admin\\AppData\\Roaming\\Windows\\364a15d8bb0ffb21e6b7dd650eb12b0b_JaffaCakes118.exe"	364a15d8bb0ffb21e6b7dd650eb12b0b_JaffaCakes118.exe

Creates scheduled task(s) 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task/Job
T1053

Processes:

schtasks.exeschtasks.exe

pid process

2912 schtasks.exe
992 schtasks.exe
Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

364a15d8bb0ffb21e6b7dd650eb12b0b_JaffaCakes118.exe364a15d8bb0ffb21e6b7dd650eb12b0b_JaffaCakes118.exe

pid process

2676 364a15d8bb0ffb21e6b7dd650eb12b0b_JaffaCakes118.exe
1752 364a15d8bb0ffb21e6b7dd650eb12b0b_JaffaCakes118.exe
Suspicious behavior: RenamesItself 1 IoCs

Processes:

364a15d8bb0ffb21e6b7dd650eb12b0b_JaffaCakes118.exe

pid process

2676 364a15d8bb0ffb21e6b7dd650eb12b0b_JaffaCakes118.exe

pid	process
2912	schtasks.exe
992	schtasks.exe

pid	process
2676	364a15d8bb0ffb21e6b7dd650eb12b0b_JaffaCakes118.exe
1752	364a15d8bb0ffb21e6b7dd650eb12b0b_JaffaCakes118.exe

pid	process
2676	364a15d8bb0ffb21e6b7dd650eb12b0b_JaffaCakes118.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

364a15d8bb0ffb21e6b7dd650eb12b0b_JaffaCakes118.exe364a15d8bb0ffb21e6b7dd650eb12b0b_JaffaCakes118.exe

description	pid	process
Token: SeDebugPrivilege	2676	364a15d8bb0ffb21e6b7dd650eb12b0b_JaffaCakes118.exe
Token: SeDebugPrivilege	1752	364a15d8bb0ffb21e6b7dd650eb12b0b_JaffaCakes118.exe

Suspicious use of WriteProcessMemory 20 IoCs

Processes:

364a15d8bb0ffb21e6b7dd650eb12b0b_JaffaCakes118.execmd.exetaskeng.exe364a15d8bb0ffb21e6b7dd650eb12b0b_JaffaCakes118.execmd.exe

description	pid	process	target process
PID 2676 wrote to memory of 2848	2676	364a15d8bb0ffb21e6b7dd650eb12b0b_JaffaCakes118.exe	cmd.exe
PID 2676 wrote to memory of 2848	2676	364a15d8bb0ffb21e6b7dd650eb12b0b_JaffaCakes118.exe	cmd.exe
PID 2676 wrote to memory of 2848	2676	364a15d8bb0ffb21e6b7dd650eb12b0b_JaffaCakes118.exe	cmd.exe
PID 2676 wrote to memory of 2848	2676	364a15d8bb0ffb21e6b7dd650eb12b0b_JaffaCakes118.exe	cmd.exe
PID 2848 wrote to memory of 2912	2848	cmd.exe	schtasks.exe
PID 2848 wrote to memory of 2912	2848	cmd.exe	schtasks.exe
PID 2848 wrote to memory of 2912	2848	cmd.exe	schtasks.exe
PID 2848 wrote to memory of 2912	2848	cmd.exe	schtasks.exe
PID 2044 wrote to memory of 1752	2044	taskeng.exe	364a15d8bb0ffb21e6b7dd650eb12b0b_JaffaCakes118.exe
PID 2044 wrote to memory of 1752	2044	taskeng.exe	364a15d8bb0ffb21e6b7dd650eb12b0b_JaffaCakes118.exe
PID 2044 wrote to memory of 1752	2044	taskeng.exe	364a15d8bb0ffb21e6b7dd650eb12b0b_JaffaCakes118.exe
PID 2044 wrote to memory of 1752	2044	taskeng.exe	364a15d8bb0ffb21e6b7dd650eb12b0b_JaffaCakes118.exe
PID 1752 wrote to memory of 384	1752	364a15d8bb0ffb21e6b7dd650eb12b0b_JaffaCakes118.exe	cmd.exe
PID 1752 wrote to memory of 384	1752	364a15d8bb0ffb21e6b7dd650eb12b0b_JaffaCakes118.exe	cmd.exe
PID 1752 wrote to memory of 384	1752	364a15d8bb0ffb21e6b7dd650eb12b0b_JaffaCakes118.exe	cmd.exe
PID 1752 wrote to memory of 384	1752	364a15d8bb0ffb21e6b7dd650eb12b0b_JaffaCakes118.exe	cmd.exe
PID 384 wrote to memory of 992	384	cmd.exe	schtasks.exe
PID 384 wrote to memory of 992	384	cmd.exe	schtasks.exe
PID 384 wrote to memory of 992	384	cmd.exe	schtasks.exe
PID 384 wrote to memory of 992	384	cmd.exe	schtasks.exe

C:\Users\Admin\AppData\Local\Temp\364a15d8bb0ffb21e6b7dd650eb12b0b_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\364a15d8bb0ffb21e6b7dd650eb12b0b_JaffaCakes118.exe"
1⤵
- Drops startup file
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: RenamesItself
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2676
- C:\Windows\SysWOW64\cmd.exe
  "cmd" /C schtasks /create /tn \System\SecurityServiceUpdate /tr %userprofile%\AppData\Roaming\Windows\364a15d8bb0ffb21e6b7dd650eb12b0b_JaffaCakes118.exe /st 00:00 /du 9999:59 /sc daily /ri 5 /f
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2848
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks /create /tn \System\SecurityServiceUpdate /tr C:\Users\Admin\AppData\Roaming\Windows\364a15d8bb0ffb21e6b7dd650eb12b0b_JaffaCakes118.exe /st 00:00 /du 9999:59 /sc daily /ri 5 /f
    3⤵
    - Creates scheduled task(s)
    PID:2912

C:\Windows\system32\taskeng.exe
taskeng.exe {8BABC266-DE12-4846-A38D-1FEFDE67D2E1} S-1-5-21-1298544033-3225604241-2703760938-1000:IZKCKOTP\Admin:Interactive:[1]
1⤵
- Suspicious use of WriteProcessMemory
PID:2044
- C:\Users\Admin\AppData\Roaming\Windows\364a15d8bb0ffb21e6b7dd650eb12b0b_JaffaCakes118.exe
  C:\Users\Admin\AppData\Roaming\Windows\364a15d8bb0ffb21e6b7dd650eb12b0b_JaffaCakes118.exe
  2⤵
  - Adds Run key to start application
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1752
- - C:\Windows\SysWOW64\cmd.exe
    "cmd" /C schtasks /create /tn \System\SecurityServiceUpdate /tr %userprofile%\AppData\Roaming\Windows\364a15d8bb0ffb21e6b7dd650eb12b0b_JaffaCakes118.exe /st 00:00 /du 9999:59 /sc daily /ri 5 /f
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:384
  - - C:\Windows\SysWOW64\schtasks.exe
      schtasks /create /tn \System\SecurityServiceUpdate /tr C:\Users\Admin\AppData\Roaming\Windows\364a15d8bb0ffb21e6b7dd650eb12b0b_JaffaCakes118.exe /st 00:00 /du 9999:59 /sc daily /ri 5 /f
      4⤵
      Creates scheduled task(s)
      PID:992

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

1

T1053

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

Scheduled Task/Job

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

Scheduled Task/Job

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1752-6-0x0000000074980000-0x000000007506E000-memory.dmp

Filesize
6.9MB

Download
memory/1752-7-0x0000000074980000-0x000000007506E000-memory.dmp

Filesize
6.9MB

Download
memory/2676-0-0x000000007498E000-0x000000007498F000-memory.dmp

Filesize
4KB

Download
memory/2676-1-0x0000000000100000-0x000000000010A000-memory.dmp

Filesize
40KB

Download
memory/2676-3-0x0000000074980000-0x000000007506E000-memory.dmp

Filesize
6.9MB

Download
memory/2676-4-0x000000007498E000-0x000000007498F000-memory.dmp

Filesize
4KB

Download
memory/2676-5-0x0000000074980000-0x000000007506E000-memory.dmp

Filesize
6.9MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads