Analysis
- max time kernel: 18s
- max time network: 41s
- platform: windows10-2004_x64
- resource: win10v2004-20240426-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240426-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 18-05-2024 21:05
Static task: static1
Behavioral task: behavioral1
- Sample: 56c8c048e10d2922c2130aab4509e0aa_JaffaCakes118.exe
- Resource: win7-20231129-en
Behavioral task: behavioral2
- Sample: 56c8c048e10d2922c2130aab4509e0aa_JaffaCakes118.exe
- Resource: win10v2004-20240426-en
General
- Target: 56c8c048e10d2922c2130aab4509e0aa_JaffaCakes118.exe
- Size: 1.8MB
- MD5: 56c8c048e10d2922c2130aab4509e0aa
- SHA1: 8082a9a6050e497ed4613e352d440b186fd19796
- SHA256: 176402f749dfb2bf03b9dc1131b7340de63bf204490c6df9e7cb5dcfbf4270ee
- SHA512: 387f86e764065fcc455eed2c5c2a81b93befe53568147a2e3a56d6cbefad7bdd77c56dba7f04ba711a0eb7d52a267dd26ea99b660b0e2a1433a9c5bd3eb4385a
- SSDEEP: 49152:HkSQoVCh6f19ne81HbOQDP3D5rtAVBjovA0P9S7w:HkzoQ698YH60NpADjovA0Mc
Signatures
-
LoaderBot executable 2 IoCs
Processes:
- resource: C:\Users\Admin\AppData\Roaming\svchost.exe; yara_rule: loaderbot
- resource: behavioral2/memory/1620-26-0x0000000000460000-0x00000000007F2000-memory.dmp; yara_rule: loaderbot
-
XMRig Miner payload 2 IoCs
Processes:
- resource: behavioral2/memory/3624-68-0x0000000140000000-0x00000001404AB000-memory.dmp; yara_rule: xmrig
- resource: behavioral2/memory/3624-86-0x0000000140000000-0x00000001404AB000-memory.dmp; yara_rule: xmrig
-
Checks computer location settings 2 TTPs 2 IoCs
Looks up country code configured in the registry, likely geofence.
Processes:
- Key value queried: \REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\Control Panel\International\Geo\Nation (process: sdfadgfbfsga.exe)
- Key value queried: \REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\Control Panel\International\Geo\Nation (process: svchost.exe, the dropped C:\Users\Admin\AppData\Roaming\svchost.exe per the process tree, not the system service host)
-
Cryptocurrency Miner
Makes network request to known mining pool URL.
-
Drops startup file 1 IoCs
Processes:
- File created: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Driver.url (process: svchost.exe, the dropped C:\Users\Admin\AppData\Roaming\svchost.exe per the process tree)
-
Executes dropped EXE 4 IoCs
Processes:
- PID 1048: sdfadgfbfsga.exe
- PID 1572: svshost.exe
- PID 1620: svchost.exe
- PID 3624: Driver.exe
-
Adds Run key to start application 2 TTPs 2 IoCs
Processes:
- Set value (str): \REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Driver = "C:\\Users\\Admin\\AppData\\Roaming\\Sysfiles\\svchost.exe" (process: svchost.exe, the dropped C:\Users\Admin\AppData\Roaming\svchost.exe). Note that the value points at Sysfiles\svchost.exe, a path that does not appear among the dropped files listed under Downloads; the file this run drops into Sysfiles is Driver.exe.
- Set value (str): \REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Windows Time Manager = "C:\\ProgramData\\TimeManager.exe" (process: Explorer.EXE, PID 3392). Explorer.EXE is the process that svshost.exe (PID 1572) wrote into eleven times (see WriteProcessMemory below), so this persistence entry is set from inside the injected shell process rather than by a dropped binary; TimeManager.exe itself is listed under Downloads.
-
Drops file in Windows directory 2 IoCs
Processes:
- File opened for modification: C:\Windows\Tasks\SA.DAT (process: svchost.exe)
- File opened for modification: C:\Windows\Tasks\SA.DAT (process: svchost.exe)
Both hits are attributed in the process tree to the system service hosts running the Task Scheduler (svchost.exe -k netsvcs -p -s Schedule), not to the dropped C:\Users\Admin\AppData\Roaming\svchost.exe. SA.DAT is the Task Scheduler's own data file, so this signature on its own is not evidence of malicious activity.
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Checks processor information in registry 2 TTPs 2 IoCs
Processor information is often read in order to detect sandboxing environments.
Processes:
- Key opened: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 (process: Explorer.EXE)
- Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz (process: Explorer.EXE)
Both reads come from Explorer.EXE (PID 3392), the process that svshost.exe (PID 1572) wrote into (see WriteProcessMemory below).
-
Suspicious behavior: AddClipboardFormatListener 1 IoCs
Processes:
- PID 4660: svchost.exe (the system host for the Clipboard User Service, svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc, per the process tree)
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
Processes:
- PID 1572: svshost.exe (2 entries)
- PID 1620: svchost.exe (62 entries)
-
Suspicious use of AdjustPrivilegeToken 12 IoCs
Processes:
- Token: SeDebugPrivilege, PID 1572 svshost.exe
- Token: SeDebugPrivilege, PID 1620 svchost.exe
- Token: SeLockMemoryPrivilege, PID 3624 Driver.exe (2 entries)
- Token: SeAuditPrivilege, PID 4524 svchost.exe
- Token: SeAuditPrivilege, PID 872 svchost.exe
- Token: SeShutdownPrivilege, PID 3392 Explorer.EXE (2 entries)
- Token: SeCreatePagefilePrivilege, PID 3392 Explorer.EXE (2 entries)
- Token: SeAuditPrivilege, PID 4364 svchost.exe
- Token: SeAuditPrivilege, PID 3060 svchost.exe
SeDebugPrivilege, enabled by both dropped binaries, is what a process turns on before opening other processes; compare the WriteProcessMemory entries below. SeLockMemoryPrivilege on Driver.exe is the privilege XMRig requests so it can back its scratchpad with large pages. The SeAuditPrivilege entries belong to system service hosts (PIDs 4524, 872, 4364 and 3060 are not part of the dropped-file chain), and the SeShutdownPrivilege/SeCreatePagefilePrivilege entries on Explorer.EXE are commonly seen from the shell itself and are not specific to this sample.
-
Suspicious use of FindShellTrayWindow 2 IoCs
Processes:
- PID 3392: Explorer.EXE (2 entries)
-
Suspicious use of SendNotifyMessage 2 IoCs
Processes:
- PID 3392: Explorer.EXE (2 entries)
-
Suspicious use of WriteProcessMemory 22 IoCs
Processes:
- PID 2984 56c8c048e10d2922c2130aab4509e0aa_JaffaCakes118.exe wrote to memory of PID 1048 sdfadgfbfsga.exe (3 entries)
- PID 1048 sdfadgfbfsga.exe wrote to memory of PID 1572 svshost.exe (3 entries)
- PID 1048 sdfadgfbfsga.exe wrote to memory of PID 1620 svchost.exe (3 entries)
- PID 1572 svshost.exe wrote to memory of PID 3392 Explorer.EXE (11 entries)
- PID 1620 svchost.exe wrote to memory of PID 3624 Driver.exe (2 entries)
The groups of two or three writes go from a parent into the child it has just created (see the process tree) and are the writes that process creation itself produces. The eleven writes from svshost.exe into the already-running Explorer.EXE are the one cross-process write not explained by a parent/child relationship, and Explorer.EXE is also the process credited with the "Windows Time Manager" Run value above.
Processes
-
[depth 1] C:\Windows\Explorer.EXE (PID 3392)
  command line: C:\Windows\Explorer.EXE
  - Adds Run key to start application
  - Checks processor information in registry
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
-
  [depth 2] C:\Users\Admin\AppData\Local\Temp\56c8c048e10d2922c2130aab4509e0aa_JaffaCakes118.exe (PID 2984)
    command line: "C:\Users\Admin\AppData\Local\Temp\56c8c048e10d2922c2130aab4509e0aa_JaffaCakes118.exe"
    - Suspicious use of WriteProcessMemory
-
    [depth 3] C:\Users\Admin\AppData\Roaming\sdfadgfbfsga.exe (PID 1048)
      command line: "C:\Users\Admin\AppData\Roaming\sdfadgfbfsga.exe" -s -p6dv8vdadv6z8vzdvasfav
      - Checks computer location settings
      - Executes dropped EXE
      - Suspicious use of WriteProcessMemory
-
      [depth 4] C:\Users\Admin\AppData\Roaming\svshost.exe (PID 1572)
        command line: "C:\Users\Admin\AppData\Roaming\svshost.exe"
        - Executes dropped EXE
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken
        - Suspicious use of WriteProcessMemory
-
      [depth 4] C:\Users\Admin\AppData\Roaming\svchost.exe (PID 1620)
        command line: "C:\Users\Admin\AppData\Roaming\svchost.exe"
        - Checks computer location settings
        - Drops startup file
        - Executes dropped EXE
        - Adds Run key to start application
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken
        - Suspicious use of WriteProcessMemory
-
        [depth 5] C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe (PID 3624)
          command line: "C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe" -o stratum+tcp://xmr.pool.minergate.com:45700 -u [email protected] -p x -k -v=0 --donate-level=1 -t 4
          (XMRig-style options: -o pool URL, -u wallet/worker, -p password, -k keepalive, --donate-level, -t thread count; consistent with the XMRig Miner payload YARA hits on this PID's memory dumps)
          - Executes dropped EXE
          - Suspicious use of AdjustPrivilegeToken
-
[depth 1] C:\Windows\system32\svchost.exe
  command line: C:\Windows\system32\svchost.exe -k NetworkService -p -s CryptSvc
-
[depth 1] C:\Windows\system32\svchost.exe
  command line: C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc
-
[depth 1] C:\Windows\system32\svchost.exe (PID 4660)
  command line: C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc
  - Suspicious behavior: AddClipboardFormatListener
-
[depth 1] C:\Windows\system32\svchost.exe
  command line: C:\Windows\system32\svchost.exe -k netsvcs -p -s IKEEXT
  - Suspicious use of AdjustPrivilegeToken
-
[depth 1] C:\Windows\system32\svchost.exe
  command line: C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted -p -s PolicyAgent
  - Suspicious use of AdjustPrivilegeToken
-
[depth 1] C:\Windows\System32\svchost.exe
  command line: C:\Windows\System32\svchost.exe -k LocalService -p -s netprofm
-
[depth 1] C:\Windows\System32\svchost.exe
  command line: C:\Windows\System32\svchost.exe -k LocalService -p -s netprofm
-
[depth 1] C:\Windows\system32\svchost.exe
  command line: C:\Windows\system32\svchost.exe -k netsvcs -p -s Schedule
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
-
[depth 1] C:\Windows\system32\svchost.exe
  command line: C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s TimeBrokerSvc
-
[depth 1] C:\Windows\system32\svchost.exe
  command line: C:\Windows\system32\svchost.exe -k netsvcs -p -s Schedule
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
-
[depth 1] C:\Windows\system32\svchost.exe
  command line: C:\Windows\system32\svchost.exe -k netsvcs -p -s Winmgmt
-
[depth 1] C:\Windows\System32\svchost.exe
  command line: C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s lmhosts
-
[depth 1] C:\Windows\System32\svchost.exe
  command line: C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s lmhosts
-
[depth 1] C:\Windows\system32\svchost.exe
  command line: C:\Windows\system32\svchost.exe -k netsvcs -p -s Winmgmt
-
[depth 1] C:\Windows\System32\svchost.exe
  command line: C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s NcbService
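The signature tables and the process tree above are what a responder would re-check on a live host: two dropped binaries carrying the name of a Windows service host (one spelled svshost.exe), a miner launched with a full pool command line from a user profile, and persistence through a Run value and a Startup-folder .url. The Python below is an added example written for this page, not output of the sandbox and not part of the sample; it runs those three checks over event records constructed from this report (PIDs as the report lists them, parent links read off the tree depths, the -u value reproduced exactly as the page shows it). The list of system binary names and the set of user-writable directories are short illustrations, not complete allow or deny lists, and the C:\Windows prefix test is deliberately coarse.

```python
"""Added triage example for the behaviours this report lists: a Windows binary's name
(or one letter off it) running from a user profile, an XMRig-style miner command line,
and Run values / Startup-folder items pointing at user-writable paths. Not sandbox
output; the records at the bottom are constructed from the report (PIDs as listed,
parent links read off the tree depths, ppid 0 = parent not in the tree)."""
import re
from collections import namedtuple

SYSTEM_BINARIES = {"svchost.exe", "explorer.exe", "lsass.exe", "csrss.exe"}  # illustrative
WINDOWS_DIR = "c:\\windows\\"       # coarse: C:\Windows\Temp is user-writable too
USER_WRITABLE = ("\\appdata\\roaming\\", "\\appdata\\local\\", "c:\\programdata\\")
RUN_KEY = "\\currentversion\\run\\"
STARTUP_DIR = "\\start menu\\programs\\startup\\"
POOL_RE = re.compile(r"^stratum(?:\+(?:tcp|ssl|tls))?://(?P<host>[^:/\s]+)(?::(?P<port>\d+))?", re.I)
Proc = namedtuple("Proc", "pid ppid image cmdline")

def masquerade_reason(image):
    """System-binary name, or one character away from one (svshost.exe vs
    svchost.exe), for an image outside C:\\Windows; None otherwise."""
    path = image.lower()
    folder, _, name = path.rpartition("\\")
    if path.startswith(WINDOWS_DIR):
        return None
    if name in SYSTEM_BINARIES:
        return f"{name} running from {folder}"
    for real in SYSTEM_BINARIES:
        if len(real) == len(name) and sum(a != b for a, b in zip(real, name)) == 1:
            return f"{name} is one character away from {real}"
    return None

def parse_miner_cmdline(cmdline):
    """Pool host/port, threads and donate level from an XMRig-style command line;
    None when no stratum URL is present (port 0 when the URL carries none)."""
    argv = re.findall(r'"[^"]*"|\S+', cmdline)      # keep quoted paths whole
    info, i = {}, 1
    while i < len(argv):
        tok = argv[i]
        nxt = argv[i + 1] if i + 1 < len(argv) else ""
        m = POOL_RE.match(nxt) if tok in ("-o", "--url") else None
        if m:
            info["pool_host"], info["pool_port"] = m["host"], int(m["port"] or 0)
        elif tok in ("-t", "--threads") and nxt.isdigit():
            info["threads"] = int(nxt)
        elif tok.startswith("--donate-level="):
            info["donate"] = int(tok.split("=", 1)[1])
        i += 2 if tok in ("-o", "--url", "-t", "--threads") else 1   # value-taking flags
    return info if "pool_host" in info else None

def persistence_findings(reg_sets, files_created):
    """Run values and Startup-folder drops whose target lives in a user-writable path."""
    out = []
    for proc, key, value in reg_sets:
        target = value.strip('"').lower()
        if RUN_KEY in key.lower() and any(d in target for d in USER_WRITABLE):
            out.append(f"{proc}: Run value {key.rpartition(chr(92))[2]!r} -> {value}")
    for proc, path in files_created:
        low = path.lower()
        if STARTUP_DIR in low and low.endswith((".url", ".lnk", ".exe", ".bat", ".vbs")):
            out.append(f"{proc}: Startup item {path}")
    return out

def triage(procs):
    """(pid, kind, detail) for masquerading images and miner launches; a miner
    finding carries its ancestor PIDs so the dropper chain is visible."""
    by_pid = {p.pid: p for p in procs}
    findings = []
    for p in procs:
        why = masquerade_reason(p.image)
        if why:
            findings.append((p.pid, "masquerade", why))
        miner = parse_miner_cmdline(p.cmdline)
        if miner:
            chain, cur = [], p
            while cur.ppid in by_pid:            # walk parent links back to the root
                cur = by_pid[cur.ppid]
                chain.append(cur.pid)
            findings.append((p.pid, "miner", f"{miner['pool_host']}:{miner['pool_port']} "
                                             f"threads={miner.get('threads')} ancestry={chain}"))
    return findings

# Constructed from this report's process tree and signature tables.
ROAM = r"C:\Users\Admin\AppData\Roaming"
SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\56c8c048e10d2922c2130aab4509e0aa_JaffaCakes118.exe"
DRIVER_CMD = (f'"{ROAM}\\Sysfiles\\Driver.exe" -o stratum+tcp://xmr.pool.minergate.com:45700 '
              "-u [email protected] -p x -k -v=0 --donate-level=1 -t 4")  # -u value as the report shows it
PROCS = [
    Proc(3392, 0, r"C:\Windows\Explorer.EXE", r"C:\Windows\Explorer.EXE"),
    Proc(2984, 3392, SAMPLE, f'"{SAMPLE}"'),
    Proc(1048, 2984, ROAM + r"\sdfadgfbfsga.exe", f'"{ROAM}\\sdfadgfbfsga.exe" -s -p6dv8vdadv6z8vzdvasfav'),
    Proc(1572, 1048, ROAM + r"\svshost.exe", f'"{ROAM}\\svshost.exe"'),
    Proc(1620, 1048, ROAM + r"\svchost.exe", f'"{ROAM}\\svchost.exe"'),
    Proc(3624, 1620, ROAM + r"\Sysfiles\Driver.exe", DRIVER_CMD),
    Proc(4660, 0, r"C:\Windows\system32\svchost.exe", r"C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc"),
]
RUN = r"\REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"
REG_SETS = [("svchost.exe", RUN + r"\Driver", r'"C:\Users\Admin\AppData\Roaming\Sysfiles\svchost.exe"'),
            ("Explorer.EXE", RUN + r"\Windows Time Manager", r'"C:\ProgramData\TimeManager.exe"')]
FILES = [("svchost.exe", ROAM + r"\Microsoft\Windows\Start Menu\Programs\Startup\Driver.url")]

if __name__ == "__main__":
    print(*triage(PROCS), *persistence_findings(REG_SETS, FILES), sep="\n")
```

Running it prints one masquerade finding each for PIDs 1572 and 1620, one miner finding for PID 3624 whose ancestry walks back through 1620, 1048 and 2984 to Explorer.EXE (3392), and three persistence lines (both Run values and the Startup-folder .url). The system cbdhsvc host at PID 4660 is carried as a negative case: it is named svchost.exe but lives under C:\Windows, so it is not flagged. On a real host the same functions can be fed Sysmon event ID 1, 11 and 13 records; the only sandbox-specific part is the constructed data at the bottom.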
Network
MITRE ATT&CK Matrix ATT&CK v13
Downloads
-
C:\ProgramData\TimeManager.exe
- Filesize: 240KB
- MD5: 21c580fec61c0ae44a7b99cea7ea697d
- SHA1: c0cdccf33c0d72dbd00dc84d74cdc9e7afd6bd54
- SHA256: e9095540ae0b91af9908f5a80ccfbffc2dfa27de015a78e66a42fe11e7803668
- SHA512: 3fae960dbe784d22adaa126c70bbcbbde43d38bb406db6d666234dc007db9d2adb8fe6ba3c459362b62ad6f3a49e0948c4728198be15a1f3c55b2a5fdddec2a9
-
C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe
- Filesize: 3.5MB
- MD5: cf36d20a96903fb4d0e92eb4fe873ab8
- SHA1: c789a22bd215bfc2a698fda1295f295745f34d35
- SHA256: d38ee5052fa13de8b3db050fe84fb89e7946446e2cd5b826fbd31792e406aae2
- SHA512: d117cecf9ef9d1f2aab1bd80f6947872c8cc8e18a36ce41f1cb25b1fac008e9c5fae7f0f0093f78835b3967582f7556fd626fd8c8c1fa32d41359ef0206e9535
-
C:\Users\Admin\AppData\Roaming\sdfadgfbfsga.exe
- Filesize: 1.9MB
- MD5: eff8e6a7ebcbd89040e76016b05f39aa
- SHA1: 6bc64b0e081d171596c1a774ba56e7d3180de4e8
- SHA256: 68ccc794872d16dcda0be4cbe98483bab0f9d69c63c4094e278085fbd4b046e4
- SHA512: 0ee9c9b33f1d576a4b090a359fb5ea2613f437c5eaa309d99ab1551edce3aaa3361b6ccf580e7eb448af60ef3b5e0ece6cf0b2cc3efa46cee476264097a25dcc
-
C:\Users\Admin\AppData\Roaming\svchost.exe
- Filesize: 3.6MB
- MD5: 2b393ba5e5ad8a75f4dad72877bacd70
- SHA1: cb3fef3f8a761892567eb064f29a24625dfea6f5
- SHA256: 381f70e51d18dbb18ac3e280085f8c43bceed7d67a0f71c13b10ec622c648c3b
- SHA512: 8a93d77366c8a3c0d28b61c4440829ecae70fe845f4410eefcee1ef369071ec3789de2ac48f301c42bde31db79054a0d2928055490b7b9fc22ffd9a1d5268a6b
-
C:\Users\Admin\AppData\Roaming\svshost.exe
- Filesize: 240KB
- MD5: e1d65b4deb9cf804673247f96da16754
- SHA1: b529ee84ae305713de91a83aa822012b20cb00f1
- SHA256: e4a936c2d6c3a168fdd3fa394007d237af82cdd7cefabc8c275e2b9d4b59e640
- SHA512: 2c04ab097df684c5b2b7c6228a383eb80434fa3979de556f6448aa603d22ca61815c8246302309416480016c2b591568654d578dd7941cef455bd1436df9ff40
-
C:\Windows\Tasks\SA.DAT
- Filesize: 6B
- MD5: f1a6cd5adaab953a6764ea364e17bfb8
- SHA1: c99a1eb2d8974a667d2e0bc2dc1efcbe0ef23387
- SHA256: 12dc5ccd7fecafe070976a1916e9672e3d53085633c86957aee305ccc584184c
- SHA512: da8cc20e0c0f48a975f97fc133ba4e99de6771163465d03f1cc0e3019fedfe0afa99799b9e343610a941218b19c9117b12e4ab86911d04c2908b6db44523e84c
-
memory/1572-25-0x00000000001F0000-0x00000000001F1000-memory.dmp
- Filesize: 4KB
-
memory/1572-30-0x0000000000400000-0x0000000000434000-memory.dmp
- Filesize: 208KB
-
memory/1572-19-0x0000000000400000-0x0000000000440000-memory.dmp
- Filesize: 256KB
-
memory/1620-26-0x0000000000460000-0x00000000007F2000-memory.dmp
- Filesize: 3.6MB
-
memory/1620-43-0x0000000005B90000-0x0000000005BF6000-memory.dmp
- Filesize: 408KB
-
memory/2828-56-0x000001E528B30000-0x000001E528B40000-memory.dmp
- Filesize: 64KB
-
memory/2828-62-0x000001E528B90000-0x000001E528BA0000-memory.dmp
- Filesize: 64KB
-
memory/3392-40-0x0000000002BA0000-0x0000000002BBA000-memory.dmp
- Filesize: 104KB
-
memory/3392-38-0x0000000002BA0000-0x0000000002BBA000-memory.dmp
- Filesize: 104KB
-
memory/3392-39-0x0000000002BA0000-0x0000000002BBA000-memory.dmp
- Filesize: 104KB
-
memory/3392-32-0x0000000002BA0000-0x0000000002BBA000-memory.dmp
- Filesize: 104KB
-
memory/3392-28-0x0000000002BA0000-0x0000000002BBA000-memory.dmp
- Filesize: 104KB
-
memory/3624-53-0x0000000140000000-0x00000001404AB000-memory.dmp
- Filesize: 4.7MB
-
memory/3624-55-0x0000000000520000-0x0000000000530000-memory.dmp
- Filesize: 64KB
-
memory/3624-68-0x0000000140000000-0x00000001404AB000-memory.dmp
- Filesize: 4.7MB
-
memory/3624-86-0x0000000140000000-0x00000001404AB000-memory.dmp
- Filesize: 4.7MB