Analysis Overview
SHA256
a867838e4c814a302323d06d5be15caf2629a8ad7cfeea2f9ba9b09cd8edcd89
Threat Level: Known bad
The file 6d67846f8c9cd695f6ee85e70bd44156_JaffaCakes118 was found to be: Known bad.
Malicious Activity Summary
Xloader
Xloader payload
Loads dropped DLL
Suspicious use of SetThreadContext
Enumerates physical storage devices
Program crash
Unsigned PE
NSIS installer
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-04-01 08:45
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
NSIS installer
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-04-01 08:45
Reported
2024-04-01 08:48
Platform
win7-20231129-en
Max time kernel
117s
Max time network
118s
Command Line
Signatures
Xloader
Xloader payload
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\6d67846f8c9cd695f6ee85e70bd44156_JaffaCakes118.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| PID 2372 set thread context of 2988 | N/A | C:\Users\Admin\AppData\Local\Temp\6d67846f8c9cd695f6ee85e70bd44156_JaffaCakes118.exe | C:\Users\Admin\AppData\Local\Temp\6d67846f8c9cd695f6ee85e70bd44156_JaffaCakes118.exe |
Enumerates physical storage devices
Program crash
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Users\Admin\AppData\Local\Temp\6d67846f8c9cd695f6ee85e70bd44156_JaffaCakes118.exe |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\6d67846f8c9cd695f6ee85e70bd44156_JaffaCakes118.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\6d67846f8c9cd695f6ee85e70bd44156_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\6d67846f8c9cd695f6ee85e70bd44156_JaffaCakes118.exe"
C:\Users\Admin\AppData\Local\Temp\6d67846f8c9cd695f6ee85e70bd44156_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\6d67846f8c9cd695f6ee85e70bd44156_JaffaCakes118.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2372 -s 468
Network
Files
\Users\Admin\AppData\Local\Temp\nso7F.tmp\ymwaxaqwhy.dll
| MD5 | 2d4ed9e7b664a0dc8188a557cc6edbcb |
| SHA1 | c2eadf17c215ba6a7e7a2e9944bd1802a5480c20 |
| SHA256 | 514a4531d1cd29e16e21fe49b89847679d6088d646d785d258424e60435963ce |
| SHA512 | b8bc7b38aa284437d552920c775bd59a815b5939ae26b1ab16eb4bc449a9dcd36bdbcec75fcc53ce8d77da71cd7460d701cfb4e540b102b19bc00e7bf0123ba1 |
memory/2372-8-0x0000000074F70000-0x0000000074F7A000-memory.dmp
memory/2988-9-0x0000000000400000-0x0000000000429000-memory.dmp
memory/2988-13-0x0000000000770000-0x0000000000A73000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2024-04-01 08:45
Reported
2024-04-01 08:48
Platform
win10v2004-20240226-en
Max time kernel
93s
Max time network
127s
Command Line
Signatures
Loads dropped DLL
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\6d67846f8c9cd695f6ee85e70bd44156_JaffaCakes118.exe | N/A |
Enumerates physical storage devices
Program crash
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Users\Admin\AppData\Local\Temp\6d67846f8c9cd695f6ee85e70bd44156_JaffaCakes118.exe |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| PID 2796 wrote to memory of 1604 | N/A | C:\Users\Admin\AppData\Local\Temp\6d67846f8c9cd695f6ee85e70bd44156_JaffaCakes118.exe | C:\Users\Admin\AppData\Local\Temp\6d67846f8c9cd695f6ee85e70bd44156_JaffaCakes118.exe |
| PID 2796 wrote to memory of 1604 | N/A | C:\Users\Admin\AppData\Local\Temp\6d67846f8c9cd695f6ee85e70bd44156_JaffaCakes118.exe | C:\Users\Admin\AppData\Local\Temp\6d67846f8c9cd695f6ee85e70bd44156_JaffaCakes118.exe |
| PID 2796 wrote to memory of 1604 | N/A | C:\Users\Admin\AppData\Local\Temp\6d67846f8c9cd695f6ee85e70bd44156_JaffaCakes118.exe | C:\Users\Admin\AppData\Local\Temp\6d67846f8c9cd695f6ee85e70bd44156_JaffaCakes118.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\6d67846f8c9cd695f6ee85e70bd44156_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\6d67846f8c9cd695f6ee85e70bd44156_JaffaCakes118.exe"
C:\Users\Admin\AppData\Local\Temp\6d67846f8c9cd695f6ee85e70bd44156_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\6d67846f8c9cd695f6ee85e70bd44156_JaffaCakes118.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 2796 -ip 2796
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2796 -s 968
Network
| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| US | 8.8.8.8:53 | 28.118.140.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 240.221.184.93.in-addr.arpa | udp |
| US | 20.231.121.79:80 | | tcp |
| US | 8.8.8.8:53 | 67.31.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 196.249.167.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 209.205.72.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 183.59.114.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 171.39.242.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 0.205.248.87.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 43.229.111.52.in-addr.arpa | udp |
Files
C:\Users\Admin\AppData\Local\Temp\nsz448C.tmp\ymwaxaqwhy.dll
| MD5 | 2d4ed9e7b664a0dc8188a557cc6edbcb |
| SHA1 | c2eadf17c215ba6a7e7a2e9944bd1802a5480c20 |
| SHA256 | 514a4531d1cd29e16e21fe49b89847679d6088d646d785d258424e60435963ce |
| SHA512 | b8bc7b38aa284437d552920c775bd59a815b5939ae26b1ab16eb4bc449a9dcd36bdbcec75fcc53ce8d77da71cd7460d701cfb4e540b102b19bc00e7bf0123ba1 |
memory/2796-8-0x0000000074F70000-0x0000000074F7A000-memory.dmp
Analysis: behavioral3
Detonation Overview
Submitted
2024-04-01 08:45
Reported
2024-04-01 08:48
Platform
win7-20240221-en
Max time kernel
118s
Max time network
122s
Command Line
Signatures
Xloader
Xloader payload
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| PID 2184 set thread context of 2172 | N/A | C:\Windows\SysWOW64\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
Suspicious use of WriteProcessMemory
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\ymwaxaqwhy.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\ymwaxaqwhy.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\ymwaxaqwhy.dll,#1
Network
Files
memory/2184-0-0x0000000075360000-0x000000007536A000-memory.dmp
memory/2172-1-0x0000000000400000-0x0000000000429000-memory.dmp
memory/2184-3-0x0000000075360000-0x000000007536A000-memory.dmp
memory/2172-4-0x0000000000410000-0x0000000000410000-memory.dmp
Analysis: behavioral4
Detonation Overview
Submitted
2024-04-01 08:45
Reported
2024-04-01 08:48
Platform
win10v2004-20240226-en
Max time kernel
95s
Max time network
127s
Command Line
Signatures
Program crash
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\rundll32.exe |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| PID 928 wrote to memory of 4856 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 928 wrote to memory of 4856 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 928 wrote to memory of 4856 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 4856 wrote to memory of 4968 | N/A | C:\Windows\SysWOW64\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 4856 wrote to memory of 4968 | N/A | C:\Windows\SysWOW64\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 4856 wrote to memory of 4968 | N/A | C:\Windows\SysWOW64\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 4856 wrote to memory of 4968 | N/A | C:\Windows\SysWOW64\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\ymwaxaqwhy.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\ymwaxaqwhy.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\ymwaxaqwhy.dll,#1
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 4856 -ip 4856
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4856 -s 688
Network
| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| US | 8.8.8.8:53 | 58.55.71.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 0.205.248.87.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 76.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 152.33.115.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 183.59.114.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 56.126.166.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 217.135.221.88.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 59.134.221.88.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 43.229.111.52.in-addr.arpa | udp |
Files
memory/4856-0-0x0000000075140000-0x000000007514A000-memory.dmp