General

  • Target

    8f604408532bc298c12de77e77d67652_JaffaCakes118

  • Size

    14.3MB

  • Sample

    240602-zlzfzsff29

  • MD5

    8f604408532bc298c12de77e77d67652

  • SHA1

    b16d5cae22bd5af1919c107ff5c5786a1a8dfdf0

  • SHA256

    354bf7f1899b9c1eec5cd0f24b75520ef811c12f22ad5e66ce595efcd26aea07

  • SHA512

    cb0f3e11060630afd3ac597385652706fac40e683ddf0d4c2328dd2bc267e8e5f8426d1ea744e70f062e9a9ca489311735deca78394d312381b5136a5838d9fc

  • SSDEEP

    393216:QoS9aM6LJYmNPViSfX88SEy0hme/RZkjX87EQiL7xZr7SWWjIj7:QoS976LJYOPA4X887vhnESmnreW77

Malware Config

Targets

    • Target

      8f604408532bc298c12de77e77d67652_JaffaCakes118

    • Size

      14.3MB

    • MD5

      8f604408532bc298c12de77e77d67652

    • SHA1

      b16d5cae22bd5af1919c107ff5c5786a1a8dfdf0

    • SHA256

      354bf7f1899b9c1eec5cd0f24b75520ef811c12f22ad5e66ce595efcd26aea07

    • SHA512

      cb0f3e11060630afd3ac597385652706fac40e683ddf0d4c2328dd2bc267e8e5f8426d1ea744e70f062e9a9ca489311735deca78394d312381b5136a5838d9fc

    • SSDEEP

      393216:QoS9aM6LJYmNPViSfX88SEy0hme/RZkjX87EQiL7xZr7SWWjIj7:QoS976LJYOPA4X887vhnESmnreW77

    • LoaderBot

      LoaderBot is a loader written in .NET that downloads and executes miners.

    • xmrig

      XMRig is a high-performance, open-source, cross-platform CPU/GPU miner.

    • LoaderBot executable

    • XMRig Miner payload

    • Manipulates Digital Signatures

      Attackers can apply techniques such as changing the Authenticode and Cryptography registry keys so that their binary is treated as validly signed.

    • Checks computer location settings

      Looks up the country code configured in the registry, likely a geofence check.

    • Drops startup file

    • Executes dropped EXE

    • Loads dropped DLL

    • Adds Run key to start application

    • Suspicious use of SetThreadContext

    • Target

      $1/1337/Ex.exe

    • Size

      3.1MB

    • MD5

      7afcb8667f1ec33f0cc084936a8a4044

    • SHA1

      a2755123f3515fbfcbd5b1ab38c22fa757b8afa8

    • SHA256

      2304cf3b3d0753318d60c2769c535a164d5f56ee0343c59ac616036d95e8ad71

    • SHA512

      bc04b81c01df03b360c225709d2db3078d1fb45fc2a67713f5f5154d050c71e241c2c7590f510d9f7ac3a0a4bc820b3b171d96cb56d23c0496df184e527162b8

    • SSDEEP

      98304:A5aFQWMH0wPoBn1ZPBIjKNMxCSz4Rg4MuykNt:A5aF1MHropPDuhg3z

    • LoaderBot

      LoaderBot is a loader written in .NET that downloads and executes miners.

    • xmrig

      XMRig is a high-performance, open-source, cross-platform CPU/GPU miner.

    • LoaderBot executable

    • XMRig Miner payload

    • Manipulates Digital Signatures

      Attackers can apply techniques such as changing the Authenticode and Cryptography registry keys so that their binary is treated as validly signed.

    • Checks computer location settings

      Looks up the country code configured in the registry, likely a geofence check.

    • Drops startup file

    • Executes dropped EXE

    • Loads dropped DLL

    • Adds Run key to start application

    • Suspicious use of SetThreadContext

    • Target

      $1/1337/ExtrimHack [free][22.08.2020].exe

    • Size

      11.3MB

    • MD5

      fe3a88a304364f9c854c512de19a4e94

    • SHA1

      987b853451fa2f61b752e47ab96f3e9de8340d41

    • SHA256

      b092117610e94505469547b4297da5dc4ed48af078dae45515a4d9fc211c541b

    • SHA512

      f88008b5ab5ec1016314bf67e99ba166522546709029f9fec2477e9b2604cc0a32829c046de5104c1ac4ec89bb3e141ed528c74e6d8a8190baf95272ac223396

    • SSDEEP

      196608:QqLGjXkOdDCplo5AWRMnyRWtyDzovKUqYBrZqRHx+havC4RRqi9IDvfcenP:TQCpa5AWR5YyD8QYBQUaxrzOD3c

    • Score

      1/10

    • Target

      $PLUGINSDIR/System.dll

    • Size

      11KB

    • MD5

      2ae993a2ffec0c137eb51c8832691bcb

    • SHA1

      98e0b37b7c14890f8a599f35678af5e9435906e1

    • SHA256

      681382f3134de5c6272a49dd13651c8c201b89c247b471191496e7335702fa59

    • SHA512

      2501371eb09c01746119305ba080f3b8c41e64535ff09cee4f51322530366d0bd5322ea5290a466356598027e6cda8ab360caef62dcaf560d630742e2dd9bcd9

    • SSDEEP

      192:vPtkumJX7zB22kGwfy0mtVgkCPOsE1un:k702k5qpdsEQn

    • Score

      3/10

MITRE ATT&CK Matrix (ATT&CK v13)

    Tactic                Technique                            Count  ID
    Persistence           Boot or Logon Autostart Execution    2      T1547
    Persistence           Registry Run Keys / Startup Folder   2      T1547.001
    Privilege Escalation  Boot or Logon Autostart Execution    2      T1547
    Privilege Escalation  Registry Run Keys / Startup Folder   2      T1547.001
    Defense Evasion       Subvert Trust Controls               2      T1553
    Defense Evasion       SIP and Trust Provider Hijacking     2      T1553.003
    Defense Evasion       Modify Registry                      2      T1112
    Discovery             Query Registry                       2      T1012
    Discovery             System Information Discovery         4      T1082
    Discovery             Remote System Discovery              2      T1018

Tasks