Analysis Overview
SHA256
014d0ece0d472eaea73698d634308303ddb9f227f39d339a66416c3cb744d2c1
Threat Level: Known bad
The file 98ffc3c812e6cec919ebd286973e2002_JaffaCakes118 was found to be: Known bad.
Malicious Activity Summary
Xloader
Xloader payload
Loads dropped DLL
Suspicious use of SetThreadContext
Program crash
Unsigned PE
Enumerates physical storage devices
NSIS installer
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-04-02 22:37
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
NSIS installer
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-04-02 22:37
Reported
2024-04-02 22:40
Platform
win7-20240221-en
Max time kernel
121s
Max time network
121s
Command Line
Signatures
Xloader
Xloader payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\98ffc3c812e6cec919ebd286973e2002_JaffaCakes118.exe | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 1924 set thread context of 2804 | N/A | C:\Users\Admin\AppData\Local\Temp\98ffc3c812e6cec919ebd286973e2002_JaffaCakes118.exe | C:\Users\Admin\AppData\Local\Temp\98ffc3c812e6cec919ebd286973e2002_JaffaCakes118.exe |
Enumerates physical storage devices
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\98ffc3c812e6cec919ebd286973e2002_JaffaCakes118.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\98ffc3c812e6cec919ebd286973e2002_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\98ffc3c812e6cec919ebd286973e2002_JaffaCakes118.exe"
C:\Users\Admin\AppData\Local\Temp\98ffc3c812e6cec919ebd286973e2002_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\98ffc3c812e6cec919ebd286973e2002_JaffaCakes118.exe"
Network
Files
\Users\Admin\AppData\Local\Temp\nsy1575.tmp\nawgsdqut.dll
| MD5 | d4233fefc9328cc30b0ef014beb2f51b |
| SHA1 | 302180a5edb1fd653d7884bb60172e6edfbbeac4 |
| SHA256 | 1827a3002964434b0acff1359241948e334148d3413312cfea326cae8f269758 |
| SHA512 | b3e19c83e631b6a8b8b0d00ab14af811519765b737f1497f27e8c3a8c3328038967dbb6095671e4095af48d6355b5f13cec20c38ef2dfb14cc2ae8e9482de4af |
memory/2804-8-0x0000000000400000-0x0000000000429000-memory.dmp
memory/2804-11-0x0000000000770000-0x0000000000A73000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2024-04-02 22:37
Reported
2024-04-02 22:40
Platform
win10v2004-20240226-en
Max time kernel
146s
Max time network
160s
Command Line
Signatures
Xloader
Xloader payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\98ffc3c812e6cec919ebd286973e2002_JaffaCakes118.exe | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 2292 set thread context of 5016 | N/A | C:\Users\Admin\AppData\Local\Temp\98ffc3c812e6cec919ebd286973e2002_JaffaCakes118.exe | C:\Users\Admin\AppData\Local\Temp\98ffc3c812e6cec919ebd286973e2002_JaffaCakes118.exe |
Enumerates physical storage devices
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\98ffc3c812e6cec919ebd286973e2002_JaffaCakes118.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\98ffc3c812e6cec919ebd286973e2002_JaffaCakes118.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\98ffc3c812e6cec919ebd286973e2002_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\98ffc3c812e6cec919ebd286973e2002_JaffaCakes118.exe"
C:\Users\Admin\AppData\Local\Temp\98ffc3c812e6cec919ebd286973e2002_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\98ffc3c812e6cec919ebd286973e2002_JaffaCakes118.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 104.219.191.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 240.221.184.93.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 2.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 241.150.49.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 28.118.140.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 157.123.68.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 56.126.166.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 99.117.19.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 29.243.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 78.117.19.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 131.72.42.20.in-addr.arpa | udp |
Files
C:\Users\Admin\AppData\Local\Temp\nso8463.tmp\nawgsdqut.dll
| MD5 | d4233fefc9328cc30b0ef014beb2f51b |
| SHA1 | 302180a5edb1fd653d7884bb60172e6edfbbeac4 |
| SHA256 | 1827a3002964434b0acff1359241948e334148d3413312cfea326cae8f269758 |
| SHA512 | b3e19c83e631b6a8b8b0d00ab14af811519765b737f1497f27e8c3a8c3328038967dbb6095671e4095af48d6355b5f13cec20c38ef2dfb14cc2ae8e9482de4af |
memory/5016-8-0x0000000000400000-0x0000000000429000-memory.dmp
memory/5016-9-0x0000000000A40000-0x0000000000D8A000-memory.dmp
Analysis: behavioral3
Detonation Overview
Submitted
2024-04-02 22:37
Reported
2024-04-02 22:40
Platform
win7-20240319-en
Max time kernel
117s
Max time network
123s
Command Line
Signatures
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\rundll32.exe |
Suspicious use of WriteProcessMemory
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\nawgsdqut.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\nawgsdqut.dll,#1
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1460 -s 268
Network
Files
Analysis: behavioral4
Detonation Overview
Submitted
2024-04-02 22:37
Reported
2024-04-02 22:40
Platform
win10v2004-20240226-en
Max time kernel
147s
Max time network
152s
Command Line
Signatures
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\rundll32.exe |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 4084 wrote to memory of 2400 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 4084 wrote to memory of 2400 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 4084 wrote to memory of 2400 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\nawgsdqut.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\nawgsdqut.dll,#1
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 2400 -ip 2400
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2400 -s 632
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 183.142.211.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 67.31.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 28.118.140.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 26.165.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 56.126.166.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 31.243.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 78.117.19.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 209.143.182.52.in-addr.arpa | udp |