Malware Analysis Report

2024-10-23 17:04

Sample ID 240401-kn5cpaab77
Target 6d67846f8c9cd695f6ee85e70bd44156_JaffaCakes118
SHA256 a867838e4c814a302323d06d5be15caf2629a8ad7cfeea2f9ba9b09cd8edcd89
Tags
xloader mxnu loader rat
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral3

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral4

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

a867838e4c814a302323d06d5be15caf2629a8ad7cfeea2f9ba9b09cd8edcd89

Threat Level: Known bad

The file 6d67846f8c9cd695f6ee85e70bd44156_JaffaCakes118 was found to be: Known bad.

Malicious Activity Summary

xloader mxnu loader rat

Xloader

Xloader payload

Loads dropped DLL

Suspicious use of SetThreadContext

Enumerates physical storage devices

Program crash

Unsigned PE

NSIS installer

Suspicious behavior: EnumeratesProcesses

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-04-01 08:45

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

NSIS installer

installer
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-04-01 08:45

Reported

2024-04-01 08:48

Platform

win7-20231129-en

Max time kernel

117s

Max time network

118s

Command Line

"C:\Users\Admin\AppData\Local\Temp\6d67846f8c9cd695f6ee85e70bd44156_JaffaCakes118.exe"

Signatures

Xloader

loader xloader

Xloader payload

rat
Description Indicator Process Target
N/A N/A N/A N/A

Enumerates physical storage devices

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\6d67846f8c9cd695f6ee85e70bd44156_JaffaCakes118.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2372 wrote to memory of 2988 N/A C:\Users\Admin\AppData\Local\Temp\6d67846f8c9cd695f6ee85e70bd44156_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\6d67846f8c9cd695f6ee85e70bd44156_JaffaCakes118.exe
PID 2372 wrote to memory of 2988 N/A C:\Users\Admin\AppData\Local\Temp\6d67846f8c9cd695f6ee85e70bd44156_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\6d67846f8c9cd695f6ee85e70bd44156_JaffaCakes118.exe
PID 2372 wrote to memory of 2988 N/A C:\Users\Admin\AppData\Local\Temp\6d67846f8c9cd695f6ee85e70bd44156_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\6d67846f8c9cd695f6ee85e70bd44156_JaffaCakes118.exe
PID 2372 wrote to memory of 2988 N/A C:\Users\Admin\AppData\Local\Temp\6d67846f8c9cd695f6ee85e70bd44156_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\6d67846f8c9cd695f6ee85e70bd44156_JaffaCakes118.exe
PID 2372 wrote to memory of 2988 N/A C:\Users\Admin\AppData\Local\Temp\6d67846f8c9cd695f6ee85e70bd44156_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\6d67846f8c9cd695f6ee85e70bd44156_JaffaCakes118.exe
PID 2372 wrote to memory of 2988 N/A C:\Users\Admin\AppData\Local\Temp\6d67846f8c9cd695f6ee85e70bd44156_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\6d67846f8c9cd695f6ee85e70bd44156_JaffaCakes118.exe
PID 2372 wrote to memory of 2988 N/A C:\Users\Admin\AppData\Local\Temp\6d67846f8c9cd695f6ee85e70bd44156_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\6d67846f8c9cd695f6ee85e70bd44156_JaffaCakes118.exe
PID 2372 wrote to memory of 1736 N/A C:\Users\Admin\AppData\Local\Temp\6d67846f8c9cd695f6ee85e70bd44156_JaffaCakes118.exe C:\Windows\SysWOW64\WerFault.exe
PID 2372 wrote to memory of 1736 N/A C:\Users\Admin\AppData\Local\Temp\6d67846f8c9cd695f6ee85e70bd44156_JaffaCakes118.exe C:\Windows\SysWOW64\WerFault.exe
PID 2372 wrote to memory of 1736 N/A C:\Users\Admin\AppData\Local\Temp\6d67846f8c9cd695f6ee85e70bd44156_JaffaCakes118.exe C:\Windows\SysWOW64\WerFault.exe
PID 2372 wrote to memory of 1736 N/A C:\Users\Admin\AppData\Local\Temp\6d67846f8c9cd695f6ee85e70bd44156_JaffaCakes118.exe C:\Windows\SysWOW64\WerFault.exe

Processes

C:\Users\Admin\AppData\Local\Temp\6d67846f8c9cd695f6ee85e70bd44156_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\6d67846f8c9cd695f6ee85e70bd44156_JaffaCakes118.exe"

C:\Users\Admin\AppData\Local\Temp\6d67846f8c9cd695f6ee85e70bd44156_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\6d67846f8c9cd695f6ee85e70bd44156_JaffaCakes118.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2372 -s 468

Network

N/A

Files

\Users\Admin\AppData\Local\Temp\nso7F.tmp\ymwaxaqwhy.dll

MD5 2d4ed9e7b664a0dc8188a557cc6edbcb
SHA1 c2eadf17c215ba6a7e7a2e9944bd1802a5480c20
SHA256 514a4531d1cd29e16e21fe49b89847679d6088d646d785d258424e60435963ce
SHA512 b8bc7b38aa284437d552920c775bd59a815b5939ae26b1ab16eb4bc449a9dcd36bdbcec75fcc53ce8d77da71cd7460d701cfb4e540b102b19bc00e7bf0123ba1

memory/2372-8-0x0000000074F70000-0x0000000074F7A000-memory.dmp

memory/2988-9-0x0000000000400000-0x0000000000429000-memory.dmp

memory/2988-13-0x0000000000770000-0x0000000000A73000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-04-01 08:45

Reported

2024-04-01 08:48

Platform

win10v2004-20240226-en

Max time kernel

93s

Max time network

127s

Command Line

"C:\Users\Admin\AppData\Local\Temp\6d67846f8c9cd695f6ee85e70bd44156_JaffaCakes118.exe"

Signatures

Processes

C:\Users\Admin\AppData\Local\Temp\6d67846f8c9cd695f6ee85e70bd44156_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\6d67846f8c9cd695f6ee85e70bd44156_JaffaCakes118.exe"

C:\Users\Admin\AppData\Local\Temp\6d67846f8c9cd695f6ee85e70bd44156_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\6d67846f8c9cd695f6ee85e70bd44156_JaffaCakes118.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 2796 -ip 2796

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2796 -s 968

Network

Country Destination Domain Proto
US 8.8.8.8:53 28.118.140.52.in-addr.arpa udp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
US 20.231.121.79:80 tcp
US 8.8.8.8:53 67.31.126.40.in-addr.arpa udp
US 8.8.8.8:53 196.249.167.52.in-addr.arpa udp
US 8.8.8.8:53 209.205.72.20.in-addr.arpa udp
US 8.8.8.8:53 183.59.114.20.in-addr.arpa udp
US 8.8.8.8:53 171.39.242.20.in-addr.arpa udp
US 8.8.8.8:53 0.205.248.87.in-addr.arpa udp
US 8.8.8.8:53 43.229.111.52.in-addr.arpa udp

Files

C:\Users\Admin\AppData\Local\Temp\nsz448C.tmp\ymwaxaqwhy.dll

MD5 2d4ed9e7b664a0dc8188a557cc6edbcb
SHA1 c2eadf17c215ba6a7e7a2e9944bd1802a5480c20
SHA256 514a4531d1cd29e16e21fe49b89847679d6088d646d785d258424e60435963ce
SHA512 b8bc7b38aa284437d552920c775bd59a815b5939ae26b1ab16eb4bc449a9dcd36bdbcec75fcc53ce8d77da71cd7460d701cfb4e540b102b19bc00e7bf0123ba1

memory/2796-8-0x0000000074F70000-0x0000000074F7A000-memory.dmp

Analysis: behavioral3

Detonation Overview

Submitted

2024-04-01 08:45

Reported

2024-04-01 08:48

Platform

win7-20240221-en

Max time kernel

118s

Max time network

122s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\ymwaxaqwhy.dll,#1

Signatures

Xloader

loader xloader

Xloader payload

rat
Description Indicator Process Target
N/A N/A N/A N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 2184 set thread context of 2172 N/A C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2008 wrote to memory of 2184 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2008 wrote to memory of 2184 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2008 wrote to memory of 2184 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2008 wrote to memory of 2184 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2008 wrote to memory of 2184 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2008 wrote to memory of 2184 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2008 wrote to memory of 2184 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2184 wrote to memory of 2172 N/A C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2184 wrote to memory of 2172 N/A C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2184 wrote to memory of 2172 N/A C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2184 wrote to memory of 2172 N/A C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2184 wrote to memory of 2172 N/A C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2184 wrote to memory of 2172 N/A C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2184 wrote to memory of 2172 N/A C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2184 wrote to memory of 2172 N/A C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2184 wrote to memory of 2172 N/A C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2184 wrote to memory of 2172 N/A C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\ymwaxaqwhy.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\ymwaxaqwhy.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\ymwaxaqwhy.dll,#1

Network

N/A

Files

memory/2184-0-0x0000000075360000-0x000000007536A000-memory.dmp

memory/2172-1-0x0000000000400000-0x0000000000429000-memory.dmp

memory/2184-3-0x0000000075360000-0x000000007536A000-memory.dmp

memory/2172-4-0x0000000000410000-0x0000000000410000-memory.dmp

Analysis: behavioral4

Detonation Overview

Submitted

2024-04-01 08:45

Reported

2024-04-01 08:48

Platform

win10v2004-20240226-en

Max time kernel

95s

Max time network

127s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\ymwaxaqwhy.dll,#1

Signatures

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\ymwaxaqwhy.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\ymwaxaqwhy.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\ymwaxaqwhy.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 4856 -ip 4856

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4856 -s 688

Network

Country Destination Domain Proto
US 8.8.8.8:53 58.55.71.13.in-addr.arpa udp
US 8.8.8.8:53 0.205.248.87.in-addr.arpa udp
US 8.8.8.8:53 76.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 152.33.115.104.in-addr.arpa udp
US 8.8.8.8:53 183.59.114.20.in-addr.arpa udp
US 8.8.8.8:53 56.126.166.20.in-addr.arpa udp
US 8.8.8.8:53 217.135.221.88.in-addr.arpa udp
US 8.8.8.8:53 59.134.221.88.in-addr.arpa udp
US 8.8.8.8:53 43.229.111.52.in-addr.arpa udp

Files

memory/4856-0-0x0000000075140000-0x000000007514A000-memory.dmp