Malware Analysis Report

2024-10-19 02:22

Sample ID 240403-apz49aab2x
Target 9b20c6a0c05584185da23f0892a7a982_JaffaCakes118
SHA256 53fb1511812b33448fb51c4a6a7f4095600f2d30251546466ab1d401191fa59a
Tags
xloader mxnu loader rat
score
10/10

Table of Contents

Analysis Overview
MITRE ATT&CK (Enterprise Matrix V15)
Analysis: static1 (Detonation Overview, Signatures)
Analysis: behavioral1 (Detonation Overview, Command Line, Signatures, Processes, Network, Files)
Analysis: behavioral2 (Detonation Overview, Command Line, Signatures, Processes, Network, Files)
Analysis: behavioral3 (Detonation Overview, Command Line, Signatures, Processes, Network, Files)
Analysis: behavioral4 (Detonation Overview, Command Line, Signatures, Processes, Network, Files)

Analysis Overview

score 10/10

SHA256 53fb1511812b33448fb51c4a6a7f4095600f2d30251546466ab1d401191fa59a

Threat Level: Known bad

The file 9b20c6a0c05584185da23f0892a7a982_JaffaCakes118 was found to be: Known bad.

Malicious Activity Summary

xloader mxnu loader rat

Xloader

Xloader payload

Loads dropped DLL

Suspicious use of SetThreadContext

Unsigned PE

Enumerates physical storage devices

Program crash

NSIS installer

Suspicious behavior: EnumeratesProcesses

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-04-03 00:23

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

NSIS installer (tag: installer)

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-04-03 00:23

Reported

2024-04-03 00:26

Platform

win7-20240221-en

Max time kernel

122s

Max time network

125s

Command Line

"C:\Users\Admin\AppData\Local\Temp\9b20c6a0c05584185da23f0892a7a982_JaffaCakes118.exe"

Signatures

Xloader (tags: loader, xloader)

Xloader payload (tag: rat)

Description Indicator Process Target
N/A N/A N/A N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\9b20c6a0c05584185da23f0892a7a982_JaffaCakes118.exe N/A

Enumerates physical storage devices

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\9b20c6a0c05584185da23f0892a7a982_JaffaCakes118.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1960 wrote to memory of 1356 N/A C:\Users\Admin\AppData\Local\Temp\9b20c6a0c05584185da23f0892a7a982_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\9b20c6a0c05584185da23f0892a7a982_JaffaCakes118.exe
(this row is recorded 7 times in the report)

Processes

C:\Users\Admin\AppData\Local\Temp\9b20c6a0c05584185da23f0892a7a982_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\9b20c6a0c05584185da23f0892a7a982_JaffaCakes118.exe"

C:\Users\Admin\AppData\Local\Temp\9b20c6a0c05584185da23f0892a7a982_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\9b20c6a0c05584185da23f0892a7a982_JaffaCakes118.exe"

Network

N/A

Files

C:\Users\Admin\AppData\Local\Temp\nsy401D.tmp\cwehlkdexhf.dll

MD5 201dec4f5cfe9c448804d504da2b9f50
SHA1 4a565158eb3ee42694427374e11fc052a0bd3dad
SHA256 f70b1ff393e0aaf8c737ec09a41598d9e51fbdde8bb19a7051aecc8d0752c965
SHA512 52771f45ca9d51fe84d125fcb741ea9485ffef8620c5bf7c4cf233f66540dc27e48bc1b83d7a16dfd2faaafa66903dd7504620721385ce106addbde15a1bac82

memory/1356-8-0x0000000000400000-0x0000000000429000-memory.dmp

memory/1356-10-0x00000000008E0000-0x0000000000BE3000-memory.dmp
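The behavioral1 run shows the classic self-injection layout: the sample starts a second copy of itself (PID 1960 writes into PID 1356 seven times, with SetThreadContext flagged in the summary), and the sandbox then dumps two regions of the child, one at 0x400000 (the size of a small PE image) and a second, larger one at 0x8E0000. The script below, an added example that is not part of the sandbox report, parses the report's own WriteProcessMemory rows and dump file names and correlates them into that pattern. The default 32-bit image base 0x400000 and the "source and target share one image path" heuristic are this example's assumptions, not sandbox signatures.

```python
"""Correlate WriteProcessMemory rows with memory-dump names to recognise the
self-injection (process hollowing) pattern recorded in behavioral1.

Added example, not code from the sandbox. Rows and dump names are copied
from the report; the heuristics are this example's own assumptions."""
import re
from collections import Counter

SAMPLE = (r"C:\Users\Admin\AppData\Local\Temp"
          r"\9b20c6a0c05584185da23f0892a7a982_JaffaCakes118.exe")

# The report records the same row seven times (one line per write event).
WRITE_ROWS = [f"PID 1960 wrote to memory of 1356 N/A {SAMPLE} {SAMPLE}"] * 7
DUMP_NAMES = [
    "memory/1356-8-0x0000000000400000-0x0000000000429000-memory.dmp",
    "memory/1356-10-0x00000000008E0000-0x0000000000BE3000-memory.dmp",
]

WRITE_RE = re.compile(r"^PID (\d+) wrote to memory of (\d+) (\S+) (\S+) (\S+)$")
DUMP_RE = re.compile(
    r"^memory/(\d+)-\d+-0x([0-9A-Fa-f]+)-0x([0-9A-Fa-f]+)-memory\.dmp$")
DEFAULT_IMAGE_BASE = 0x400000  # assumption: typical 32-bit EXE link base


def parse_writes(rows):
    """Count write events per (source pid, target pid, source image, target image)."""
    counts = Counter()
    for row in rows:
        m = WRITE_RE.match(row)
        if not m:
            raise ValueError(f"unrecognised row: {row!r}")
        src, dst, _indicator, src_img, dst_img = m.groups()
        counts[(int(src), int(dst), src_img, dst_img)] += 1
    return counts


def parse_dumps(names):
    """Turn dump file names into (pid, start, end, size) tuples."""
    regions = []
    for name in names:
        m = DUMP_RE.match(name)
        if not m:
            raise ValueError(f"unrecognised dump name: {name!r}")
        pid, start, end = m.groups()
        start, end = int(start, 16), int(end, 16)
        regions.append((int(pid), start, end, end - start))
    return regions


def find_self_injection(rows, names):
    """Flag a target that (a) was written to by a process of the same image,
    (b) had a region dumped at the default image base (the hollowed image) and
    (c) had at least one other region dumped (the mapped payload)."""
    regions = parse_dumps(names)
    findings = []
    for (src, dst, src_img, dst_img), n in parse_writes(rows).items():
        target_regions = [r for r in regions if r[0] == dst]
        at_base = [r[1:] for r in target_regions if r[1] == DEFAULT_IMAGE_BASE]
        others = [r[1:] for r in target_regions if r[1] != DEFAULT_IMAGE_BASE]
        if src_img.lower() == dst_img.lower() and at_base and others:
            findings.append({
                "source_pid": src,
                "target_pid": dst,
                "image": dst_img,
                "write_events": n,
                "hollowed_image": at_base[0],   # (start, end, size)
                "payload_regions": others,      # [(start, end, size), ...]
            })
    return findings


if __name__ == "__main__":
    for f in find_self_injection(WRITE_ROWS, DUMP_NAMES):
        start, end, size = f["hollowed_image"]
        print(f"PID {f['source_pid']} -> PID {f['target_pid']} ({f['write_events']} writes)")
        print(f"  hollowed image  0x{start:X}-0x{end:X} ({size} bytes)")
        for s, e, sz in f["payload_regions"]:
            print(f"  payload region  0x{s:X}-0x{e:X} ({sz} bytes)")
```

For this report the script yields one finding: the 0x400000 region is 0x29000 bytes (the original image that was overwritten) and the 0x8E0000 region is 0x303000 bytes, which is the dump to carve and unpack first when looking for the XLoader payload rather than the on-disk NSIS wrapper.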

Analysis: behavioral2

Detonation Overview

Submitted

2024-04-03 00:23

Reported

2024-04-03 00:26

Platform

win10v2004-20240226-en

Max time kernel

91s

Max time network

127s

Command Line

"C:\Users\Admin\AppData\Local\Temp\9b20c6a0c05584185da23f0892a7a982_JaffaCakes118.exe"

Signatures

Processes

C:\Users\Admin\AppData\Local\Temp\9b20c6a0c05584185da23f0892a7a982_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\9b20c6a0c05584185da23f0892a7a982_JaffaCakes118.exe"

C:\Users\Admin\AppData\Local\Temp\9b20c6a0c05584185da23f0892a7a982_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\9b20c6a0c05584185da23f0892a7a982_JaffaCakes118.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 404 -p 4972 -ip 4972

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4972 -s 980

Network

Country Destination Domain Proto
US 8.8.8.8:53 196.249.167.52.in-addr.arpa udp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
US 8.8.8.8:53 75.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 183.142.211.20.in-addr.arpa udp
US 8.8.8.8:53 152.33.115.104.in-addr.arpa udp
US 8.8.8.8:53 26.165.165.52.in-addr.arpa udp
US 8.8.8.8:53 171.39.242.20.in-addr.arpa udp
US 8.8.8.8:53 99.117.19.2.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp

Files

C:\Users\Admin\AppData\Local\Temp\nsn34DC.tmp\cwehlkdexhf.dll

MD5 201dec4f5cfe9c448804d504da2b9f50
SHA1 4a565158eb3ee42694427374e11fc052a0bd3dad
SHA256 f70b1ff393e0aaf8c737ec09a41598d9e51fbdde8bb19a7051aecc8d0752c965
SHA512 52771f45ca9d51fe84d125fcb741ea9485ffef8620c5bf7c4cf233f66540dc27e48bc1b83d7a16dfd2faaafa66903dd7504620721385ce106addbde15a1bac82

Analysis: behavioral3

Detonation Overview

Submitted

2024-04-03 00:23

Reported

2024-04-03 00:26

Platform

win7-20240221-en

Max time kernel

122s

Max time network

127s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\cwehlkdexhf.dll,#1

Signatures

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\cwehlkdexhf.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\cwehlkdexhf.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2736 -s 264

Network

N/A

Files

N/A

Analysis: behavioral4

Detonation Overview

Submitted

2024-04-03 00:23

Reported

2024-04-03 00:26

Platform

win10v2004-20240226-en

Max time kernel

93s

Max time network

126s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\cwehlkdexhf.dll,#1

Signatures

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\rundll32.exe

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3464 wrote to memory of 1240 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
(this row is recorded 3 times in the report)

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\cwehlkdexhf.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\cwehlkdexhf.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 1240 -ip 1240

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1240 -s 652
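In behavioral3 and behavioral4 the sandbox ran the dropped NSIS plugin DLL directly through rundll32 by ordinal (`,#1`) from the installer's `$PLUGINSDIR` staging folder, and on its own the DLL crashes (the WerFault rows above). The command line is therefore the more useful detection hook than any post-execution behaviour. The script below is an added example, not part of the sandbox report or of any vendor ruleset: it parses rundll32 command lines and scores three traits of the line recorded here. The first command line is copied from the report; the benign control lines and the three heuristics (temp-directory DLL, `$PLUGINSDIR` path, export by ordinal) are this example's own.

```python
"""Score rundll32 command lines for the traits seen in behavioral3/4:
a DLL under the user's temp directory, an NSIS $PLUGINSDIR staging path,
and an export invoked by ordinal.

Added example, not part of the sandbox report or any vendor ruleset."""
import re

# Constructed sample set: the report's command line plus benign controls.
CMDLINES = [
    r"rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\cwehlkdexhf.dll,#1",
    r"rundll32.exe C:\Windows\System32\shell32.dll,Control_RunDLL",
    r"C:\Windows\System32\rundll32.exe C:\Windows\System32\user32.dll,#2",
    r"notepad.exe C:\Users\Admin\notes.txt",
]

RUNDLL_RE = re.compile(
    r'^\s*"?(?P<exe>(?:[A-Za-z]:\\[^"\s]*\\)?rundll32(?:\.exe)?)"?\s+'
    r'"?(?P<dll>[^",]+?)"?\s*,\s*(?P<export>#\d+|[A-Za-z_]\w*)(?:\s+(?P<args>.*))?\s*$',
    re.IGNORECASE,
)


def assess(cmdline):
    """Return None for non-rundll32 lines, else a dict with the DLL, export,
    the reasons that fired and a score (one point per reason)."""
    m = RUNDLL_RE.match(cmdline)
    if not m:
        return None
    dll, export = m.group("dll"), m.group("export")
    low = dll.lower()
    reasons = []
    if re.search(r"\\appdata\\local\\temp\\", low) or "\\windows\\temp\\" in low:
        reasons.append("DLL loaded from a temp directory")
    if "\\$pluginsdir\\" in low:  # NSIS extracts plugin DLLs into $PLUGINSDIR
        reasons.append("NSIS $PLUGINSDIR staging path")
    if export.startswith("#"):
        reasons.append(f"export invoked by ordinal {export}")
    return {"dll": dll, "export": export, "reasons": reasons, "score": len(reasons)}


def triage(cmdlines, threshold=2):
    """Return assessments at or above the threshold, highest score first."""
    hits = [a for a in map(assess, cmdlines) if a and a["score"] >= threshold]
    return sorted(hits, key=lambda a: a["score"], reverse=True)


if __name__ == "__main__":
    for hit in triage(CMDLINES):
        print(f"{hit['score']}  {hit['dll']},{hit['export']}  ({'; '.join(hit['reasons'])})")
```

The ordinal trait alone is weak (the user32 control line scores 1 and is not reported at the default threshold); it is the combination with a user-writable temp path, and `$PLUGINSDIR` in particular, that isolates the line from this report.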

Network

Country Destination Domain Proto
US 8.8.8.8:53 228.249.119.40.in-addr.arpa udp
US 8.8.8.8:53 78.117.19.2.in-addr.arpa udp
US 8.8.8.8:53 28.118.140.52.in-addr.arpa udp
US 8.8.8.8:53 58.55.71.13.in-addr.arpa udp
US 8.8.8.8:53 196.249.167.52.in-addr.arpa udp
US 8.8.8.8:53 183.59.114.20.in-addr.arpa udp
US 8.8.8.8:53 171.39.242.20.in-addr.arpa udp
US 8.8.8.8:53 98.117.19.2.in-addr.arpa udp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
US 8.8.8.8:53 14.227.111.52.in-addr.arpa udp
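Both Windows 10 runs (behavioral2 and behavioral4) record only UDP/53 traffic to 8.8.8.8, and every query name is an `in-addr.arpa` reverse (PTR) lookup; no forward lookup of a name that could be attributed to the sample appears, and the Windows 7 runs record no network activity at all. Reading these rows as command-and-control resolution would be a mistake. The script below, an added example that is not part of the sandbox report, decodes such tables, turns each PTR name back into the address it names and separates reverse lookups from forward queries. The rows are copied from the two tables; treating a PTR-only table as "no sample-attributable resolution" is this example's own heuristic, and it generalises past the page by also decoding `ip6.arpa` names.

```python
"""Split a sandbox 'Network' table into reverse (PTR) lookups and forward
queries so that resolver background noise is not mistaken for C2 traffic.

Added example, not code from the sandbox. Rows copied from behavioral2 and
behavioral4; the 'sample_attributable_resolution' flag is this example's
heuristic."""
import ipaddress
import re

ROWS = [
    "US 8.8.8.8:53 196.249.167.52.in-addr.arpa udp",
    "US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp",
    "US 8.8.8.8:53 75.159.190.20.in-addr.arpa udp",
    "US 8.8.8.8:53 183.142.211.20.in-addr.arpa udp",
    "US 8.8.8.8:53 152.33.115.104.in-addr.arpa udp",
    "US 8.8.8.8:53 26.165.165.52.in-addr.arpa udp",
    "US 8.8.8.8:53 171.39.242.20.in-addr.arpa udp",
    "US 8.8.8.8:53 99.117.19.2.in-addr.arpa udp",
    "US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp",
    "US 8.8.8.8:53 228.249.119.40.in-addr.arpa udp",
    "US 8.8.8.8:53 78.117.19.2.in-addr.arpa udp",
    "US 8.8.8.8:53 28.118.140.52.in-addr.arpa udp",
    "US 8.8.8.8:53 58.55.71.13.in-addr.arpa udp",
    "US 8.8.8.8:53 196.249.167.52.in-addr.arpa udp",
    "US 8.8.8.8:53 183.59.114.20.in-addr.arpa udp",
    "US 8.8.8.8:53 171.39.242.20.in-addr.arpa udp",
    "US 8.8.8.8:53 98.117.19.2.in-addr.arpa udp",
    "US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp",
    "US 8.8.8.8:53 14.227.111.52.in-addr.arpa udp",
]

ROW_RE = re.compile(r"^(\S+)\s+(\S+):(\d+)\s+(\S+)\s+(\S+)$")


def ptr_to_ip(name):
    """Decode an in-addr.arpa / ip6.arpa PTR name into the address it names;
    return None when the name is not a reverse-lookup name."""
    low = name.lower()
    if low.endswith(".in-addr.arpa"):
        octets = name[: -len(".in-addr.arpa")].split(".")
        if len(octets) != 4:
            raise ValueError(f"malformed in-addr.arpa name: {name!r}")
        return str(ipaddress.IPv4Address(".".join(reversed(octets))))
    if low.endswith(".ip6.arpa"):
        nibbles = name[: -len(".ip6.arpa")].split(".")
        if len(nibbles) != 32:
            raise ValueError(f"malformed ip6.arpa name: {name!r}")
        return str(ipaddress.IPv6Address(int("".join(reversed(nibbles)), 16)))
    return None


def parse_rows(rows):
    """Parse 'Country Destination Domain Proto' rows into dicts."""
    parsed = []
    for row in rows:
        m = ROW_RE.match(row)
        if not m:
            raise ValueError(f"unrecognised row: {row!r}")
        country, dest, port, qname, proto = m.groups()
        ip = ptr_to_ip(qname)
        parsed.append({"country": country, "resolver": dest, "port": int(port),
                       "qname": qname, "proto": proto,
                       "kind": "ptr" if ip else "forward", "ip": ip})
    return parsed


def summarize(rows):
    """Collapse the table into what a triager needs: resolvers used, forward
    queries (candidate C2 names) and the addresses behind the PTR lookups."""
    parsed = parse_rows(rows)
    reverse_ips = {r["ip"] for r in parsed if r["kind"] == "ptr"}
    forward = sorted({r["qname"] for r in parsed if r["kind"] == "forward"})
    return {
        "resolvers": sorted({f"{r['resolver']}:{r['port']}" for r in parsed}),
        "forward_queries": forward,
        "reverse_lookup_ips": sorted(
            reverse_ips,
            key=lambda s: (ipaddress.ip_address(s).version, int(ipaddress.ip_address(s)))),
        "non_dns_rows": [r for r in parsed if r["port"] != 53],
        "sample_attributable_resolution": bool(forward),
    }


if __name__ == "__main__":
    s = summarize(ROWS)
    print("resolvers:", s["resolvers"])
    print("forward queries:", s["forward_queries"] or "none")
    print("PTR-looked-up addresses:", ", ".join(s["reverse_lookup_ips"]))
```

Across the two tables the 19 rows collapse to 16 distinct addresses looked up in reverse and zero forward queries, so the report gives no network indicator for this sample; the memory dumps from behavioral1 are where its configuration would have to come from.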

Files

N/A