Malware Analysis Report

2024-10-19 02:21

Sample ID 240402-2j7qpafh45
Target 98ffc3c812e6cec919ebd286973e2002_JaffaCakes118
SHA256 014d0ece0d472eaea73698d634308303ddb9f227f39d339a66416c3cb744d2c1
Tags
xloader b2c0 loader rat
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral3

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral4

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

014d0ece0d472eaea73698d634308303ddb9f227f39d339a66416c3cb744d2c1

Threat Level: Known bad

The file 98ffc3c812e6cec919ebd286973e2002_JaffaCakes118 was found to be: Known bad.

Malicious Activity Summary

xloader b2c0 loader rat

Xloader

Xloader payload

Loads dropped DLL

Suspicious use of SetThreadContext

Program crash

Unsigned PE

Enumerates physical storage devices

NSIS installer

Suspicious behavior: EnumeratesProcesses

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-04-02 22:37

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

NSIS installer

installer
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-04-02 22:37

Reported

2024-04-02 22:40

Platform

win7-20240221-en

Max time kernel

121s

Max time network

121s

Command Line

"C:\Users\Admin\AppData\Local\Temp\98ffc3c812e6cec919ebd286973e2002_JaffaCakes118.exe"

Signatures

Xloader

loader xloader

Xloader payload

rat
Description Indicator Process Target
N/A N/A N/A N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\98ffc3c812e6cec919ebd286973e2002_JaffaCakes118.exe N/A

Enumerates physical storage devices

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\98ffc3c812e6cec919ebd286973e2002_JaffaCakes118.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1924 wrote to memory of 2804 N/A C:\Users\Admin\AppData\Local\Temp\98ffc3c812e6cec919ebd286973e2002_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\98ffc3c812e6cec919ebd286973e2002_JaffaCakes118.exe
PID 1924 wrote to memory of 2804 N/A C:\Users\Admin\AppData\Local\Temp\98ffc3c812e6cec919ebd286973e2002_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\98ffc3c812e6cec919ebd286973e2002_JaffaCakes118.exe
PID 1924 wrote to memory of 2804 N/A C:\Users\Admin\AppData\Local\Temp\98ffc3c812e6cec919ebd286973e2002_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\98ffc3c812e6cec919ebd286973e2002_JaffaCakes118.exe
PID 1924 wrote to memory of 2804 N/A C:\Users\Admin\AppData\Local\Temp\98ffc3c812e6cec919ebd286973e2002_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\98ffc3c812e6cec919ebd286973e2002_JaffaCakes118.exe
PID 1924 wrote to memory of 2804 N/A C:\Users\Admin\AppData\Local\Temp\98ffc3c812e6cec919ebd286973e2002_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\98ffc3c812e6cec919ebd286973e2002_JaffaCakes118.exe
PID 1924 wrote to memory of 2804 N/A C:\Users\Admin\AppData\Local\Temp\98ffc3c812e6cec919ebd286973e2002_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\98ffc3c812e6cec919ebd286973e2002_JaffaCakes118.exe
PID 1924 wrote to memory of 2804 N/A C:\Users\Admin\AppData\Local\Temp\98ffc3c812e6cec919ebd286973e2002_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\98ffc3c812e6cec919ebd286973e2002_JaffaCakes118.exe

Processes

C:\Users\Admin\AppData\Local\Temp\98ffc3c812e6cec919ebd286973e2002_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\98ffc3c812e6cec919ebd286973e2002_JaffaCakes118.exe"

C:\Users\Admin\AppData\Local\Temp\98ffc3c812e6cec919ebd286973e2002_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\98ffc3c812e6cec919ebd286973e2002_JaffaCakes118.exe"

Network

N/A

Files

\Users\Admin\AppData\Local\Temp\nsy1575.tmp\nawgsdqut.dll

MD5 d4233fefc9328cc30b0ef014beb2f51b
SHA1 302180a5edb1fd653d7884bb60172e6edfbbeac4
SHA256 1827a3002964434b0acff1359241948e334148d3413312cfea326cae8f269758
SHA512 b3e19c83e631b6a8b8b0d00ab14af811519765b737f1497f27e8c3a8c3328038967dbb6095671e4095af48d6355b5f13cec20c38ef2dfb14cc2ae8e9482de4af

memory/2804-8-0x0000000000400000-0x0000000000429000-memory.dmp

memory/2804-11-0x0000000000770000-0x0000000000A73000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-04-02 22:37

Reported

2024-04-02 22:40

Platform

win10v2004-20240226-en

Max time kernel

146s

Max time network

160s

Command Line

"C:\Users\Admin\AppData\Local\Temp\98ffc3c812e6cec919ebd286973e2002_JaffaCakes118.exe"

Signatures

Xloader

loader xloader

Xloader payload

rat
Description Indicator Process Target
N/A N/A N/A N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\98ffc3c812e6cec919ebd286973e2002_JaffaCakes118.exe N/A

Enumerates physical storage devices

Processes

C:\Users\Admin\AppData\Local\Temp\98ffc3c812e6cec919ebd286973e2002_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\98ffc3c812e6cec919ebd286973e2002_JaffaCakes118.exe"

C:\Users\Admin\AppData\Local\Temp\98ffc3c812e6cec919ebd286973e2002_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\98ffc3c812e6cec919ebd286973e2002_JaffaCakes118.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 104.219.191.52.in-addr.arpa udp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
US 8.8.8.8:53 2.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 241.150.49.20.in-addr.arpa udp
US 8.8.8.8:53 28.118.140.52.in-addr.arpa udp
US 8.8.8.8:53 157.123.68.40.in-addr.arpa udp
US 8.8.8.8:53 56.126.166.20.in-addr.arpa udp
US 8.8.8.8:53 99.117.19.2.in-addr.arpa udp
US 8.8.8.8:53 29.243.111.52.in-addr.arpa udp
US 8.8.8.8:53 78.117.19.2.in-addr.arpa udp
US 8.8.8.8:53 131.72.42.20.in-addr.arpa udp

Files

C:\Users\Admin\AppData\Local\Temp\nso8463.tmp\nawgsdqut.dll

MD5 d4233fefc9328cc30b0ef014beb2f51b
SHA1 302180a5edb1fd653d7884bb60172e6edfbbeac4
SHA256 1827a3002964434b0acff1359241948e334148d3413312cfea326cae8f269758
SHA512 b3e19c83e631b6a8b8b0d00ab14af811519765b737f1497f27e8c3a8c3328038967dbb6095671e4095af48d6355b5f13cec20c38ef2dfb14cc2ae8e9482de4af

memory/5016-8-0x0000000000400000-0x0000000000429000-memory.dmp

memory/5016-9-0x0000000000A40000-0x0000000000D8A000-memory.dmp

Analysis: behavioral3

Detonation Overview

Submitted

2024-04-02 22:37

Reported

2024-04-02 22:40

Platform

win7-20240319-en

Max time kernel

117s

Max time network

123s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\nawgsdqut.dll,#1

Signatures

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\nawgsdqut.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\nawgsdqut.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1460 -s 268

Network

N/A

Files

N/A

Analysis: behavioral4

Detonation Overview

Submitted

2024-04-02 22:37

Reported

2024-04-02 22:40

Platform

win10v2004-20240226-en

Max time kernel

147s

Max time network

152s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\nawgsdqut.dll,#1

Signatures

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\rundll32.exe

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4084 wrote to memory of 2400 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 4084 wrote to memory of 2400 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 4084 wrote to memory of 2400 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\nawgsdqut.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\nawgsdqut.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 2400 -ip 2400

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2400 -s 632

Network

Country Destination Domain Proto
US 8.8.8.8:53 183.142.211.20.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 67.31.126.40.in-addr.arpa udp
US 8.8.8.8:53 28.118.140.52.in-addr.arpa udp
US 8.8.8.8:53 26.165.165.52.in-addr.arpa udp
US 8.8.8.8:53 56.126.166.20.in-addr.arpa udp
US 8.8.8.8:53 31.243.111.52.in-addr.arpa udp
US 8.8.8.8:53 78.117.19.2.in-addr.arpa udp
US 8.8.8.8:53 209.143.182.52.in-addr.arpa udp

Files

N/A