loaderbot | 176402f749dfb2bf03b9dc1131b7340de63bf204490c6df9e7cb5dcfbf4270ee

Analysis

max time kernel
148s
max time network
149s
platform
windows7_x64
resource
win7-20231129-en
resource tags

arch:x64arch:x86image:win7-20231129-enlocale:en-usos:windows7-x64system
submitted
18-05-2024 21:05

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

56c8c048e10d2922c2130aab4509e0aa_JaffaCakes118.exe
Size

1.8MB
MD5

56c8c048e10d2922c2130aab4509e0aa
SHA1

8082a9a6050e497ed4613e352d440b186fd19796
SHA256

176402f749dfb2bf03b9dc1131b7340de63bf204490c6df9e7cb5dcfbf4270ee
SHA512

387f86e764065fcc455eed2c5c2a81b93befe53568147a2e3a56d6cbefad7bdd77c56dba7f04ba711a0eb7d52a267dd26ea99b660b0e2a1433a9c5bd3eb4385a
SSDEEP

49152:HkSQoVCh6f19ne81HbOQDP3D5rtAVBjovA0P9S7w:HkzoQ698YH60NpADjovA0Mc

Score

10^/10

loaderbot xmrig loader miner persistence

Malware Config

Signatures

LoaderBot
LoaderBot is a loader written in .NET downloading and executing miners.
loader miner loaderbot
xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

LoaderBot executable 2 IoCs

resource	yara_rule
behavioral1/files/0x000a0000000149f5-28.dat	loaderbot
behavioral1/memory/2604-42-0x0000000001290000-0x0000000001622000-memory.dmp	loaderbot

XMRig Miner payload 14 IoCs

miner

resource	yara_rule
behavioral1/memory/1784-77-0x0000000140000000-0x00000001404AB000-memory.dmp	xmrig
behavioral1/memory/1784-78-0x0000000140000000-0x00000001404AB000-memory.dmp	xmrig
behavioral1/memory/1784-79-0x0000000140000000-0x00000001404AB000-memory.dmp	xmrig
behavioral1/memory/1784-80-0x0000000140000000-0x00000001404AB000-memory.dmp	xmrig
behavioral1/memory/1784-81-0x0000000140000000-0x00000001404AB000-memory.dmp	xmrig
behavioral1/memory/1784-82-0x0000000140000000-0x00000001404AB000-memory.dmp	xmrig
behavioral1/memory/1784-83-0x0000000140000000-0x00000001404AB000-memory.dmp	xmrig
behavioral1/memory/1784-84-0x0000000140000000-0x00000001404AB000-memory.dmp	xmrig
behavioral1/memory/1784-85-0x0000000140000000-0x00000001404AB000-memory.dmp	xmrig
behavioral1/memory/1784-86-0x0000000140000000-0x00000001404AB000-memory.dmp	xmrig
behavioral1/memory/1784-87-0x0000000140000000-0x00000001404AB000-memory.dmp	xmrig
behavioral1/memory/1784-88-0x0000000140000000-0x00000001404AB000-memory.dmp	xmrig
behavioral1/memory/1784-89-0x0000000140000000-0x00000001404AB000-memory.dmp	xmrig
behavioral1/memory/1784-90-0x0000000140000000-0x00000001404AB000-memory.dmp	xmrig

Cryptocurrency Miner
Makes network request to known mining pool URL.
miner

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Driver.url	svchost.exe

Executes dropped EXE 4 IoCs

pid	Process
2252	sdfadgfbfsga.exe
2476	svshost.exe
2604	svchost.exe
1784	Driver.exe

Loads dropped DLL 12 IoCs

pid	Process
1752	56c8c048e10d2922c2130aab4509e0aa_JaffaCakes118.exe
2252	sdfadgfbfsga.exe
2252	sdfadgfbfsga.exe
2252	sdfadgfbfsga.exe
2252	sdfadgfbfsga.exe
2252	sdfadgfbfsga.exe
2252	sdfadgfbfsga.exe
2252	sdfadgfbfsga.exe
2604	svchost.exe
2604	svchost.exe
2604	svchost.exe
2604	svchost.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Run\Driver = "C:\\Users\\Admin\\AppData\\Roaming\\Sysfiles\\svchost.exe"	svchost.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 32 IoCs

pid	Process
2476	svshost.exe
2604	svchost.exe
2604	svchost.exe
2604	svchost.exe
2604	svchost.exe
2604	svchost.exe
2604	svchost.exe
2604	svchost.exe
2604	svchost.exe
2604	svchost.exe
2604	svchost.exe
2604	svchost.exe
2604	svchost.exe
2604	svchost.exe
2604	svchost.exe
2604	svchost.exe
2604	svchost.exe
2604	svchost.exe
2604	svchost.exe
2604	svchost.exe
2604	svchost.exe
2604	svchost.exe
2604	svchost.exe
2604	svchost.exe
2604	svchost.exe
2604	svchost.exe
2604	svchost.exe
2604	svchost.exe
2604	svchost.exe
2604	svchost.exe
2604	svchost.exe
2604	svchost.exe

Suspicious use of AdjustPrivilegeToken 5 IoCs

description	pid	Process
Token: SeDebugPrivilege	2476	svshost.exe
Token: SeDebugPrivilege	2604	svchost.exe
Token: SeShutdownPrivilege	1380	Explorer.EXE
Token: SeLockMemoryPrivilege	1784	Driver.exe
Token: SeLockMemoryPrivilege	1784	Driver.exe

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
1380	Explorer.EXE
1380	Explorer.EXE

Suspicious use of SendNotifyMessage 2 IoCs

pid	Process
1380	Explorer.EXE
1380	Explorer.EXE

Suspicious use of UnmapMainImage 1 IoCs

pid	Process
2476	svshost.exe

Suspicious use of WriteProcessMemory 30 IoCs

description	pid	Process	procid_target
PID 1752 wrote to memory of 2252	1752	56c8c048e10d2922c2130aab4509e0aa_JaffaCakes118.exe	28
PID 1752 wrote to memory of 2252	1752	56c8c048e10d2922c2130aab4509e0aa_JaffaCakes118.exe	28
PID 1752 wrote to memory of 2252	1752	56c8c048e10d2922c2130aab4509e0aa_JaffaCakes118.exe	28
PID 1752 wrote to memory of 2252	1752	56c8c048e10d2922c2130aab4509e0aa_JaffaCakes118.exe	28
PID 2252 wrote to memory of 2476	2252	sdfadgfbfsga.exe	29
PID 2252 wrote to memory of 2476	2252	sdfadgfbfsga.exe	29
PID 2252 wrote to memory of 2476	2252	sdfadgfbfsga.exe	29
PID 2252 wrote to memory of 2476	2252	sdfadgfbfsga.exe	29
PID 2252 wrote to memory of 2604	2252	sdfadgfbfsga.exe	30
PID 2252 wrote to memory of 2604	2252	sdfadgfbfsga.exe	30
PID 2252 wrote to memory of 2604	2252	sdfadgfbfsga.exe	30
PID 2252 wrote to memory of 2604	2252	sdfadgfbfsga.exe	30
PID 2252 wrote to memory of 2604	2252	sdfadgfbfsga.exe	30
PID 2252 wrote to memory of 2604	2252	sdfadgfbfsga.exe	30
PID 2252 wrote to memory of 2604	2252	sdfadgfbfsga.exe	30
PID 2476 wrote to memory of 1380	2476	svshost.exe	21
PID 2476 wrote to memory of 1380	2476	svshost.exe	21
PID 2476 wrote to memory of 1380	2476	svshost.exe	21
PID 2476 wrote to memory of 1380	2476	svshost.exe	21
PID 2476 wrote to memory of 1380	2476	svshost.exe	21
PID 2476 wrote to memory of 1380	2476	svshost.exe	21
PID 2476 wrote to memory of 1380	2476	svshost.exe	21
PID 2476 wrote to memory of 1380	2476	svshost.exe	21
PID 2476 wrote to memory of 1380	2476	svshost.exe	21
PID 2476 wrote to memory of 1380	2476	svshost.exe	21
PID 2476 wrote to memory of 1380	2476	svshost.exe	21
PID 2604 wrote to memory of 1784	2604	svchost.exe	33
PID 2604 wrote to memory of 1784	2604	svchost.exe	33
PID 2604 wrote to memory of 1784	2604	svchost.exe	33
PID 2604 wrote to memory of 1784	2604	svchost.exe	33

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:1380
- C:\Users\Admin\AppData\Local\Temp\56c8c048e10d2922c2130aab4509e0aa_JaffaCakes118.exe
  "C:\Users\Admin\AppData\Local\Temp\56c8c048e10d2922c2130aab4509e0aa_JaffaCakes118.exe"
  2⤵
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:1752
- - C:\Users\Admin\AppData\Roaming\sdfadgfbfsga.exe
    "C:\Users\Admin\AppData\Roaming\sdfadgfbfsga.exe" -s -p6dv8vdadv6z8vzdvasfav
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:2252
  - - C:\Users\Admin\AppData\Roaming\svshost.exe
      "C:\Users\Admin\AppData\Roaming\svshost.exe"
      4⤵
      Executes dropped EXE
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of UnmapMainImage
      Suspicious use of WriteProcessMemory
      PID:2476
  - - C:\Users\Admin\AppData\Roaming\svchost.exe
      "C:\Users\Admin\AppData\Roaming\svchost.exe"
      4⤵
      Drops startup file
      Executes dropped EXE
      Loads dropped DLL
      Adds Run key to start application
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2604
    - - C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe
        
        "C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe" -o stratum+tcp://xmr.pool.minergate.com:45700 -u [email protected] -p x -k -v=0 --donate-level=1 -t 4
        5⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:1784

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs
1⤵
PID:2176

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs
1⤵
PID:1204

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs
1⤵
PID:2608

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs
1⤵
PID:2616

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k NetworkService
1⤵
PID:2676

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Driver.url

Filesize
166B

MD5
b92a1c9dfffbd8db8e0cc7180557c0a5

SHA1
8a6d98863f77b9b87976e5e1aeb39b1d0799bddc

SHA256
66f0162106144ba237125013036a2304f23116b1dd137bc7738ae556463cb87b

SHA512
896796ca2789e7b3b739a0a03f9b87cc075a55fe328ab61a1e345ea82a00ebd16f61bff4f722a4e544dc9b2c6322ad3e93c00483812cca5d9d2a00b4af0292ac

Download Submit
C:\Users\Admin\AppData\Roaming\svshost.exe

Filesize
240KB

MD5
e1d65b4deb9cf804673247f96da16754

SHA1
b529ee84ae305713de91a83aa822012b20cb00f1

SHA256
e4a936c2d6c3a168fdd3fa394007d237af82cdd7cefabc8c275e2b9d4b59e640

SHA512
2c04ab097df684c5b2b7c6228a383eb80434fa3979de556f6448aa603d22ca61815c8246302309416480016c2b591568654d578dd7941cef455bd1436df9ff40

Download Submit
\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe

Filesize
3.5MB

MD5
cf36d20a96903fb4d0e92eb4fe873ab8

SHA1
c789a22bd215bfc2a698fda1295f295745f34d35

SHA256
d38ee5052fa13de8b3db050fe84fb89e7946446e2cd5b826fbd31792e406aae2

SHA512
d117cecf9ef9d1f2aab1bd80f6947872c8cc8e18a36ce41f1cb25b1fac008e9c5fae7f0f0093f78835b3967582f7556fd626fd8c8c1fa32d41359ef0206e9535

Download Submit
\Users\Admin\AppData\Roaming\sdfadgfbfsga.exe

Filesize
1.9MB

MD5
eff8e6a7ebcbd89040e76016b05f39aa

SHA1
6bc64b0e081d171596c1a774ba56e7d3180de4e8

SHA256
68ccc794872d16dcda0be4cbe98483bab0f9d69c63c4094e278085fbd4b046e4

SHA512
0ee9c9b33f1d576a4b090a359fb5ea2613f437c5eaa309d99ab1551edce3aaa3361b6ccf580e7eb448af60ef3b5e0ece6cf0b2cc3efa46cee476264097a25dcc

Download Submit
\Users\Admin\AppData\Roaming\svchost.exe

Filesize
3.6MB

MD5
2b393ba5e5ad8a75f4dad72877bacd70

SHA1
cb3fef3f8a761892567eb064f29a24625dfea6f5

SHA256
381f70e51d18dbb18ac3e280085f8c43bceed7d67a0f71c13b10ec622c648c3b

SHA512
8a93d77366c8a3c0d28b61c4440829ecae70fe845f4410eefcee1ef369071ec3789de2ac48f301c42bde31db79054a0d2928055490b7b9fc22ffd9a1d5268a6b

Download Submit
memory/1380-44-0x0000000002A60000-0x0000000002A9C000-memory.dmp

Filesize
240KB

Download
memory/1380-51-0x0000000003E10000-0x0000000003E2A000-memory.dmp

Filesize
104KB

Download
memory/1380-47-0x0000000003E10000-0x0000000003E2A000-memory.dmp

Filesize
104KB

Download
memory/1380-45-0x0000000003E10000-0x0000000003E2A000-memory.dmp

Filesize
104KB

Download
memory/1380-49-0x0000000003E10000-0x0000000003E2A000-memory.dmp

Filesize
104KB

Download
memory/1380-65-0x0000000003E10000-0x0000000003E2A000-memory.dmp

Filesize
104KB

Download
memory/1380-63-0x0000000002AA0000-0x0000000002AA1000-memory.dmp

Filesize
4KB

Download
memory/1380-61-0x0000000003E10000-0x0000000003E2A000-memory.dmp

Filesize
104KB

Download
memory/1380-59-0x0000000003E10000-0x0000000003E2A000-memory.dmp

Filesize
104KB

Download
memory/1380-57-0x0000000003E10000-0x0000000003E2A000-memory.dmp

Filesize
104KB

Download
memory/1380-55-0x0000000003E10000-0x0000000003E2A000-memory.dmp

Filesize
104KB

Download
memory/1380-54-0x0000000003E10000-0x0000000003E2A000-memory.dmp

Filesize
104KB

Download
memory/1784-81-0x0000000140000000-0x00000001404AB000-memory.dmp

Filesize
4.7MB

Download
memory/1784-84-0x0000000140000000-0x00000001404AB000-memory.dmp

Filesize
4.7MB

Download
memory/1784-90-0x0000000140000000-0x00000001404AB000-memory.dmp

Filesize
4.7MB

Download
memory/1784-89-0x0000000140000000-0x00000001404AB000-memory.dmp

Filesize
4.7MB

Download
memory/1784-88-0x0000000140000000-0x00000001404AB000-memory.dmp

Filesize
4.7MB

Download
memory/1784-87-0x0000000140000000-0x00000001404AB000-memory.dmp

Filesize
4.7MB

Download
memory/1784-86-0x0000000140000000-0x00000001404AB000-memory.dmp

Filesize
4.7MB

Download
memory/1784-75-0x0000000140000000-0x00000001404AB000-memory.dmp

Filesize
4.7MB

Download
memory/1784-76-0x0000000000210000-0x0000000000220000-memory.dmp

Filesize
64KB

Download
memory/1784-77-0x0000000140000000-0x00000001404AB000-memory.dmp

Filesize
4.7MB

Download
memory/1784-78-0x0000000140000000-0x00000001404AB000-memory.dmp

Filesize
4.7MB

Download
memory/1784-79-0x0000000140000000-0x00000001404AB000-memory.dmp

Filesize
4.7MB

Download
memory/1784-80-0x0000000140000000-0x00000001404AB000-memory.dmp

Filesize
4.7MB

Download
memory/1784-85-0x0000000140000000-0x00000001404AB000-memory.dmp

Filesize
4.7MB

Download
memory/1784-82-0x0000000140000000-0x00000001404AB000-memory.dmp

Filesize
4.7MB

Download
memory/1784-83-0x0000000140000000-0x00000001404AB000-memory.dmp

Filesize
4.7MB

Download
memory/2252-14-0x00000000034B0000-0x00000000034F0000-memory.dmp

Filesize
256KB

Download
memory/2252-24-0x00000000034B0000-0x00000000034F0000-memory.dmp

Filesize
256KB

Download
memory/2252-23-0x00000000034B0000-0x00000000034F0000-memory.dmp

Filesize
256KB

Download
memory/2476-66-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2476-27-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2604-74-0x0000000006610000-0x0000000006ABB000-memory.dmp

Filesize
4.7MB

Download
memory/2604-42-0x0000000001290000-0x0000000001622000-memory.dmp

Filesize
3.6MB

Download