loaderbot | fa5bbde6bc224e578b7eb2e4ea1506570b378279b4c5f79185043d15cc81b419

General

Target

364a15d8bb0ffb21e6b7dd650eb12b0b_JaffaCakes118.exe
Size

16KB
MD5

364a15d8bb0ffb21e6b7dd650eb12b0b
SHA1

d0db53c0e2e9f4e2ac87ea879d50775b20114754
SHA256

fa5bbde6bc224e578b7eb2e4ea1506570b378279b4c5f79185043d15cc81b419
SHA512

51f24d29c20af9a8d75e5dd17e2e8cd7a09e196cda55442b6c502b1ac7f6ba7e89e5ceb448ecf10ca2b954be22f80c3e784ef8e122b97aa5cc276087f8696638
SSDEEP

384:e+FvJsPhdH19GTXjdhk1uujYcV6AUwJFZb:eAkfV9AhAfYcV6Dw9b

Score

10^/10

loaderbot loader miner persistence

Malware Config

Extracted

Family

loaderbot

C2

http://s0rick.rckl.pw/cmd.php

Signatures

LoaderBot
LoaderBot is a loader written in .NET downloading and executing miners.
loader miner loaderbot

LoaderBot executable 1 IoCs

resource	yara_rule
behavioral2/memory/3712-1-0x00000000000D0000-0x00000000000DA000-memory.dmp	loaderbot

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Webhost.url	364a15d8bb0ffb21e6b7dd650eb12b0b_JaffaCakes118.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Webhost = "C:\\Users\\Admin\\AppData\\Roaming\\Windows\\364a15d8bb0ffb21e6b7dd650eb12b0b_JaffaCakes118.exe"	364a15d8bb0ffb21e6b7dd650eb12b0b_JaffaCakes118.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Webhost = "C:\\Users\\Admin\\AppData\\Roaming\\Windows\\364a15d8bb0ffb21e6b7dd650eb12b0b_JaffaCakes118.exe"	364a15d8bb0ffb21e6b7dd650eb12b0b_JaffaCakes118.exe

Creates scheduled task(s) 1 TTPs 2 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

pid	Process
3624	schtasks.exe
4856	schtasks.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
3712	364a15d8bb0ffb21e6b7dd650eb12b0b_JaffaCakes118.exe
2144	364a15d8bb0ffb21e6b7dd650eb12b0b_JaffaCakes118.exe

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
3712	364a15d8bb0ffb21e6b7dd650eb12b0b_JaffaCakes118.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	3712	364a15d8bb0ffb21e6b7dd650eb12b0b_JaffaCakes118.exe
Token: SeDebugPrivilege	2144	364a15d8bb0ffb21e6b7dd650eb12b0b_JaffaCakes118.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 3712 wrote to memory of 4644	3712	364a15d8bb0ffb21e6b7dd650eb12b0b_JaffaCakes118.exe	82
PID 3712 wrote to memory of 4644	3712	364a15d8bb0ffb21e6b7dd650eb12b0b_JaffaCakes118.exe	82
PID 3712 wrote to memory of 4644	3712	364a15d8bb0ffb21e6b7dd650eb12b0b_JaffaCakes118.exe	82
PID 4644 wrote to memory of 3624	4644	cmd.exe	85
PID 4644 wrote to memory of 3624	4644	cmd.exe	85
PID 4644 wrote to memory of 3624	4644	cmd.exe	85
PID 2144 wrote to memory of 3620	2144	364a15d8bb0ffb21e6b7dd650eb12b0b_JaffaCakes118.exe	95
PID 2144 wrote to memory of 3620	2144	364a15d8bb0ffb21e6b7dd650eb12b0b_JaffaCakes118.exe	95
PID 2144 wrote to memory of 3620	2144	364a15d8bb0ffb21e6b7dd650eb12b0b_JaffaCakes118.exe	95
PID 3620 wrote to memory of 4856	3620	cmd.exe	97
PID 3620 wrote to memory of 4856	3620	cmd.exe	97
PID 3620 wrote to memory of 4856	3620	cmd.exe	97

C:\Users\Admin\AppData\Local\Temp\364a15d8bb0ffb21e6b7dd650eb12b0b_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\364a15d8bb0ffb21e6b7dd650eb12b0b_JaffaCakes118.exe"
1⤵
- Drops startup file
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: RenamesItself
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3712
- C:\Windows\SysWOW64\cmd.exe
  "cmd" /C schtasks /create /tn \System\SecurityServiceUpdate /tr %userprofile%\AppData\Roaming\Windows\364a15d8bb0ffb21e6b7dd650eb12b0b_JaffaCakes118.exe /st 00:00 /du 9999:59 /sc daily /ri 5 /f
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4644
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks /create /tn \System\SecurityServiceUpdate /tr C:\Users\Admin\AppData\Roaming\Windows\364a15d8bb0ffb21e6b7dd650eb12b0b_JaffaCakes118.exe /st 00:00 /du 9999:59 /sc daily /ri 5 /f
    3⤵
    - Creates scheduled task(s)
    PID:3624

C:\Users\Admin\AppData\Roaming\Windows\364a15d8bb0ffb21e6b7dd650eb12b0b_JaffaCakes118.exe
C:\Users\Admin\AppData\Roaming\Windows\364a15d8bb0ffb21e6b7dd650eb12b0b_JaffaCakes118.exe
1⤵
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2144
- C:\Windows\SysWOW64\cmd.exe
  "cmd" /C schtasks /create /tn \System\SecurityServiceUpdate /tr %userprofile%\AppData\Roaming\Windows\364a15d8bb0ffb21e6b7dd650eb12b0b_JaffaCakes118.exe /st 00:00 /du 9999:59 /sc daily /ri 5 /f
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3620
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks /create /tn \System\SecurityServiceUpdate /tr C:\Users\Admin\AppData\Roaming\Windows\364a15d8bb0ffb21e6b7dd650eb12b0b_JaffaCakes118.exe /st 00:00 /du 9999:59 /sc daily /ri 5 /f
    3⤵
    - Creates scheduled task(s)
    PID:4856

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

1

T1053

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

Scheduled Task/Job

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

Scheduled Task/Job

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/2144-7-0x00000000751E0000-0x0000000075990000-memory.dmp

Filesize
7.7MB

Download
memory/2144-8-0x00000000751E0000-0x0000000075990000-memory.dmp

Filesize
7.7MB

Download
memory/2144-10-0x00000000751E0000-0x0000000075990000-memory.dmp

Filesize
7.7MB

Download
memory/3712-0-0x00000000751EE000-0x00000000751EF000-memory.dmp

Filesize
4KB

Download
memory/3712-1-0x00000000000D0000-0x00000000000DA000-memory.dmp

Filesize
40KB

Download
memory/3712-3-0x00000000049E0000-0x0000000004A46000-memory.dmp

Filesize
408KB

Download
memory/3712-4-0x00000000751E0000-0x0000000075990000-memory.dmp

Filesize
7.7MB

Download
memory/3712-5-0x00000000751EE000-0x00000000751EF000-memory.dmp

Filesize
4KB

Download
memory/3712-6-0x00000000751E0000-0x0000000075990000-memory.dmp

Filesize
7.7MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads