Analysis

  • max time kernel
    44s
  • max time network
    6s
  • platform
    windows7_x64
  • resource
    win7-20240419-en
  • resource tags

    arch:x64 arch:x86 image:win7-20240419-en locale:en-us os:windows7-x64 system
  • submitted
    22/05/2024, 15:02

General

  • Target

    67aa4626a523e1eac3b90552be1cd4ad_JaffaCakes118.exe

  • Size

    1.5MB

  • MD5

    67aa4626a523e1eac3b90552be1cd4ad

  • SHA1

    9eb3bd7d1131a820a87b20a1631bc7b6bf9140c9

  • SHA256

    ec4438d1b316a2d106e5070cc7881f9f9d9bcfaf51614bf1c768cc374bdc4ae2

  • SHA512

    bfc6c4098a1c550ee41544b084eb0d2488577e656b5106a445a553a37a7a80e6b8a84be7f1467d3ca6c31046191f32c4feae31a56c5e16093b71fec7ea7d37de

  • SSDEEP

    24576:+c/nsodv5hQpu6q8K8MZLQJTkeOfAn/RZDtbQLf7u+YAgNdwuL8wmKiVME:/nHB5hYb4x2ftbQ2+owugwE9

Malware Config

Signatures

  • Disables service(s) 3 TTPs
  • xmrig

    XMRig is a high performance, open source, cross platform CPU/GPU miner.

  • XMRig Miner payload 1 IoCs
  • Stops running service(s) 4 TTPs
  • Deletes itself 1 IoCs
  • Executes dropped EXE 4 IoCs
  • Loads dropped DLL 4 IoCs
  • UPX packed file 2 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

  • Drops file in Windows directory 5 IoCs
  • Launches sc.exe 6 IoCs

    Sc.exe is a Windows utility to control services on the system.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Runs net.exe
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • Views/modifies file attributes 1 TTPs 1 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\67aa4626a523e1eac3b90552be1cd4ad_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\67aa4626a523e1eac3b90552be1cd4ad_JaffaCakes118.exe"
    1⤵
    • Loads dropped DLL
    • Drops file in Windows directory
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:1968
    • C:\Windows\SysWOW64\cmd.exe
      cmd /c attrib -s -h -r -a %SystemRoot%\Fonts
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:2024
      • C:\Windows\SysWOW64\attrib.exe
        attrib -s -h -r -a C:\Windows\Fonts
        3⤵
        • Drops file in Windows directory
        • Views/modifies file attributes
        PID:2780
    • C:\Windows\SysWOW64\net.exe
      net stop Microsarver
      2⤵
      PID:2752
      • C:\Windows\SysWOW64\net1.exe
        C:\Windows\system32\net1 stop Microsarver
        3⤵
        PID:2908
    • C:\Windows\SysWOW64\sc.exe
      sc delete Microsarver
      2⤵
      • Launches sc.exe
      PID:3056
    • C:\Windows\SysWOW64\net.exe
      net stop Samsorver
      2⤵
      PID:2580
      • C:\Windows\SysWOW64\net1.exe
        C:\Windows\system32\net1 stop Samsorver
        3⤵
        PID:2784
    • C:\Windows\SysWOW64\sc.exe
      sc delete Samsorver
      2⤵
      • Launches sc.exe
      PID:2616
    • C:\Windows\SysWOW64\net.exe
      net stop lanmanserver /y
      2⤵
      PID:2576
      • C:\Windows\SysWOW64\net1.exe
        C:\Windows\system32\net1 stop lanmanserver /y
        3⤵
        PID:1460
    • C:\Windows\SysWOW64\sc.exe
      sc config lanmanserver start= DISABLED 2>nul
      2⤵
      • Launches sc.exe
      PID:2688
    • C:\Windows\SysWOW64\sc.exe
      sc delete lanmanserver
      2⤵
      • Launches sc.exe
      PID:2692
    • C:\Windows\SysWOW64\net.exe
      net stop mssecsvc2.0
      2⤵
      PID:2596
      • C:\Windows\SysWOW64\net1.exe
        C:\Windows\system32\net1 stop mssecsvc2.0
        3⤵
        PID:1528
    • C:\Windows\SysWOW64\sc.exe
      sc delete mssecsvc2.0
      2⤵
      • Launches sc.exe
      PID:2604
    • C:\Windows\SysWOW64\net.exe
      net stop mssecsvc2.1
      2⤵
      PID:2588
      • C:\Windows\SysWOW64\net1.exe
        C:\Windows\system32\net1 stop mssecsvc2.1
        3⤵
        PID:2396
    • C:\Windows\SysWOW64\sc.exe
      sc delete mssecsvc2.1
      2⤵
      • Launches sc.exe
      PID:2724
    • \??\c:\windows\Fonts\svchost.exe
      c:\windows\Fonts\svchost.exe install Microsarver c:\windows\Fonts\conhost.exe
      2⤵
      • Executes dropped EXE
      PID:2124
    • \??\c:\windows\Fonts\svchost.exe
      c:\windows\Fonts\svchost.exe set Microsarver DisplayName Network Location Service
      2⤵
      • Executes dropped EXE
      PID:2636
    • \??\c:\windows\Fonts\svchost.exe
      c:\windows\Fonts\svchost.exe set Microsarver Description Provides performance library information from Windows Management.
      2⤵
      • Executes dropped EXE
      PID:2696
    • \??\c:\windows\Fonts\svchost.exe
      c:\windows\Fonts\svchost.exe start Microsarver
      2⤵
      • Executes dropped EXE
      PID:2644
    • C:\Windows\SysWOW64\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\tem.vbs"
      2⤵
      • Deletes itself
      PID:1680
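The process tree above is a complete install sequence: strip the attributes from C:\Windows\Fonts so files can be written there, stop and delete any earlier copy of its own service (Microsarver, Samsorver) and competing services (lanmanserver is the Windows Server/SMB service; mssecsvc2.0 is the service name registered by WannaCry's worm component), register a new service from a dropped svchost.exe/conhost.exe pair in the Fonts directory under a decoy display name, start it, and finally have WScript.exe run a .vbs from Temp that removes the original executable. Note that sc.exe is launched directly by the sample rather than through cmd.exe, so the `2>nul` redirection is passed to sc.exe as a literal argument and shows up verbatim in the process command line; that string is itself a usable detection artefact. The following Python is an added example by the editor, not code from the sandbox report or the sample: it runs detection logic over process-creation events reconstructed from the tree. The event records are constructed here, and their field names (pid, ppid, image, cmdline) are an assumed simplification of Sysmon Event ID 1 / Security 4688 fields.

```python
"""Detection rules for the service-tampering and Fonts-directory service-install
chain shown in the process tree.  Editor's added example, not part of the
sandbox report; events are constructed to mirror the report's command lines and
the field names are an assumed simplified process-creation event shape."""
import re
from collections import defaultdict

# Constructed sample events: a subset of the report's process tree plus one
# benign event (an admin stopping the print spooler) that the rules must ignore.
EVENTS = [
    {"pid": 1968, "ppid": 1200,
     "image": r"C:\Users\Admin\AppData\Local\Temp\67aa4626a523e1eac3b90552be1cd4ad_JaffaCakes118.exe",
     "cmdline": r'"C:\Users\Admin\AppData\Local\Temp\67aa4626a523e1eac3b90552be1cd4ad_JaffaCakes118.exe"'},
    {"pid": 2024, "ppid": 1968, "image": r"C:\Windows\SysWOW64\cmd.exe",
     "cmdline": r"cmd /c attrib -s -h -r -a %SystemRoot%\Fonts"},
    {"pid": 2752, "ppid": 1968, "image": r"C:\Windows\SysWOW64\net.exe", "cmdline": "net stop Microsarver"},
    {"pid": 3056, "ppid": 1968, "image": r"C:\Windows\SysWOW64\sc.exe", "cmdline": "sc delete Microsarver"},
    {"pid": 2576, "ppid": 1968, "image": r"C:\Windows\SysWOW64\net.exe", "cmdline": "net stop lanmanserver /y"},
    {"pid": 2688, "ppid": 1968, "image": r"C:\Windows\SysWOW64\sc.exe",
     "cmdline": "sc config lanmanserver start= DISABLED 2>nul"},
    {"pid": 2692, "ppid": 1968, "image": r"C:\Windows\SysWOW64\sc.exe", "cmdline": "sc delete lanmanserver"},
    {"pid": 2596, "ppid": 1968, "image": r"C:\Windows\SysWOW64\net.exe", "cmdline": "net stop mssecsvc2.0"},
    {"pid": 2604, "ppid": 1968, "image": r"C:\Windows\SysWOW64\sc.exe", "cmdline": "sc delete mssecsvc2.0"},
    {"pid": 2124, "ppid": 1968, "image": r"c:\windows\Fonts\svchost.exe",
     "cmdline": r"c:\windows\Fonts\svchost.exe install Microsarver c:\windows\Fonts\conhost.exe"},
    {"pid": 2636, "ppid": 1968, "image": r"c:\windows\Fonts\svchost.exe",
     "cmdline": r"c:\windows\Fonts\svchost.exe set Microsarver DisplayName Network Location Service"},
    {"pid": 1680, "ppid": 1968, "image": r"C:\Windows\SysWOW64\WScript.exe",
     "cmdline": r'"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\tem.vbs"'},
    {"pid": 4100, "ppid": 4000, "image": r"C:\Windows\System32\net.exe", "cmdline": "net stop spooler"},
]

# "net stop X", "net1 stop X", "sc stop|delete|config X" -> service name in group 1.
SERVICE_STOP_RE = re.compile(r"^(?:net1?\s+stop|sc\s+(?:stop|delete|config))\s+(\S+)", re.I)
# Service names worth a hit on their own: lanmanserver is the SMB Server service,
# mssecsvc2.x is the name WannaCry's worm component registers.
ALWAYS_FLAG = {"lanmanserver", "mssecsvc2.0", "mssecsvc2.1"}
TAMPER_THRESHOLD = 3  # distinct services stopped/deleted/reconfigured by one parent


def analyze(events):
    """Return a list of findings (dicts with a 'rule' key) for the given events."""
    findings = []
    per_parent = defaultdict(set)  # ppid -> set of service names it tampered with
    for ev in events:
        cmd = ev["cmdline"].strip()
        img = ev["image"].lower()
        m = SERVICE_STOP_RE.match(cmd)
        if m:
            svc = m.group(1).lower()
            per_parent[ev["ppid"]].add(svc)
            if svc in ALWAYS_FLAG:
                findings.append({"rule": "stops_known_service", "pid": ev["pid"], "service": svc})
        # The Fonts directory should contain font files only, never executables.
        if "\\windows\\fonts\\" in img and img.endswith(".exe"):
            findings.append({"rule": "exe_in_fonts_dir", "pid": ev["pid"]})
        # "<tool> install <svcname> <binary under Fonts>" service registration.
        if re.search(r"\binstall\s+\S+\s+\S*\\fonts\\", cmd, re.I):
            findings.append({"rule": "service_install_from_fonts", "pid": ev["pid"]})
        # attrib clearing system/hidden/read-only bits on the Fonts directory.
        if re.search(r"\battrib\b.*\\fonts\b", cmd, re.I):
            findings.append({"rule": "attrib_on_fonts_dir", "pid": ev["pid"]})
        # WScript running a .vbs out of a Temp directory (self-delete stub).
        if img.endswith("wscript.exe") and re.search(r'\\temp\\[^"\s]+\.vbs', cmd, re.I):
            findings.append({"rule": "wscript_vbs_from_temp", "pid": ev["pid"]})
    # A single parent stopping many distinct services is the tamper "storm".
    for ppid, svcs in per_parent.items():
        if len(svcs) >= TAMPER_THRESHOLD:
            findings.append({"rule": "service_tamper_storm", "ppid": ppid, "services": sorted(svcs)})
    return findings


def rules_hit(events):
    """Sorted list of distinct rule names that fired."""
    return sorted({f["rule"] for f in analyze(events)})


if __name__ == "__main__":
    for finding in analyze(EVENTS):
        print(finding)
```

The per-parent threshold is what separates this from routine administration: the lone `net stop spooler` event produces no finding, while the sample's parent process trips the storm rule with three distinct services. Tune TAMPER_THRESHOLD and ALWAYS_FLAG to the environment (a file server legitimately has lanmanserver running, but nothing legitimate deletes it).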

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Local\Temp\tem.vbs

    Filesize

    257B

    MD5

    f88a489a387ebc7c4c0c6b122ff6aa9b

    SHA1

    197f045b81fc47892ec4b879f4b55ef1fda8f307

    SHA256

    8d6df3f20ca96ef6e033fe7c442f76784bed8aad65e7272b384175e4b9412a5a

    SHA512

    046a13ce212c374adf315b1d3c95bf4044feee01b44eaa91b48cb1885660899473f5934031b1fef8ee2639fa4b322e83ebea1ad42fbb9100fd3f66fd3b59c391

  • \Windows\Fonts\svchost.exe

    Filesize

    292KB

    MD5

    0a7d7ed55c4202f5106824f11ecb22fa

    SHA1

    730da74e178d7b114e5d4c0f1dcc956accd4942d

    SHA256

    5657876e79df5212f255b4bfb0f69df9b09be4ae833e1b170de78a37b7179595

    SHA512

    45a4652d229491c936b0fd5839b335ae924d5b7ee5b05925ebb2f0bb8ca030fca9544ecf4050089b04195e877fcdae4657cd29621299e053398093ee4e5fadb7

  • memory/1968-0-0x0000000000400000-0x00000000009C1000-memory.dmp

    Filesize

    5.8MB

  • memory/1968-21-0x0000000000400000-0x00000000009C1000-memory.dmp

    Filesize

    5.8MB