Analysis Overview
SHA256
53fb1511812b33448fb51c4a6a7f4095600f2d30251546466ab1d401191fa59a
Threat Level: Known bad
The file 9b20c6a0c05584185da23f0892a7a982_JaffaCakes118 was found to be: Known bad.
Malicious Activity Summary
Xloader
Xloader payload
Loads dropped DLL
Suspicious use of SetThreadContext
Unsigned PE
Enumerates physical storage devices
Program crash
NSIS installer
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-04-03 00:23
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
NSIS installer
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-04-03 00:23
Reported
2024-04-03 00:26
Platform
win7-20240221-en
Max time kernel
122s
Max time network
125s
Command Line
Signatures
Xloader
Xloader payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\9b20c6a0c05584185da23f0892a7a982_JaffaCakes118.exe | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 1960 set thread context of 1356 | N/A | C:\Users\Admin\AppData\Local\Temp\9b20c6a0c05584185da23f0892a7a982_JaffaCakes118.exe | C:\Users\Admin\AppData\Local\Temp\9b20c6a0c05584185da23f0892a7a982_JaffaCakes118.exe |
Enumerates physical storage devices
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\9b20c6a0c05584185da23f0892a7a982_JaffaCakes118.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\9b20c6a0c05584185da23f0892a7a982_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\9b20c6a0c05584185da23f0892a7a982_JaffaCakes118.exe"
C:\Users\Admin\AppData\Local\Temp\9b20c6a0c05584185da23f0892a7a982_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\9b20c6a0c05584185da23f0892a7a982_JaffaCakes118.exe"
Network
Files
C:\Users\Admin\AppData\Local\Temp\nsy401D.tmp\cwehlkdexhf.dll
| MD5 | 201dec4f5cfe9c448804d504da2b9f50 |
| SHA1 | 4a565158eb3ee42694427374e11fc052a0bd3dad |
| SHA256 | f70b1ff393e0aaf8c737ec09a41598d9e51fbdde8bb19a7051aecc8d0752c965 |
| SHA512 | 52771f45ca9d51fe84d125fcb741ea9485ffef8620c5bf7c4cf233f66540dc27e48bc1b83d7a16dfd2faaafa66903dd7504620721385ce106addbde15a1bac82 |
memory/1356-8-0x0000000000400000-0x0000000000429000-memory.dmp
memory/1356-10-0x00000000008E0000-0x0000000000BE3000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2024-04-03 00:23
Reported
2024-04-03 00:26
Platform
win10v2004-20240226-en
Max time kernel
91s
Max time network
127s
Command Line
Signatures
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\9b20c6a0c05584185da23f0892a7a982_JaffaCakes118.exe | N/A |
Enumerates physical storage devices
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Users\Admin\AppData\Local\Temp\9b20c6a0c05584185da23f0892a7a982_JaffaCakes118.exe |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 4972 wrote to memory of 1780 | N/A | C:\Users\Admin\AppData\Local\Temp\9b20c6a0c05584185da23f0892a7a982_JaffaCakes118.exe | C:\Users\Admin\AppData\Local\Temp\9b20c6a0c05584185da23f0892a7a982_JaffaCakes118.exe |
| PID 4972 wrote to memory of 1780 | N/A | C:\Users\Admin\AppData\Local\Temp\9b20c6a0c05584185da23f0892a7a982_JaffaCakes118.exe | C:\Users\Admin\AppData\Local\Temp\9b20c6a0c05584185da23f0892a7a982_JaffaCakes118.exe |
| PID 4972 wrote to memory of 1780 | N/A | C:\Users\Admin\AppData\Local\Temp\9b20c6a0c05584185da23f0892a7a982_JaffaCakes118.exe | C:\Users\Admin\AppData\Local\Temp\9b20c6a0c05584185da23f0892a7a982_JaffaCakes118.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\9b20c6a0c05584185da23f0892a7a982_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\9b20c6a0c05584185da23f0892a7a982_JaffaCakes118.exe"
C:\Users\Admin\AppData\Local\Temp\9b20c6a0c05584185da23f0892a7a982_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\9b20c6a0c05584185da23f0892a7a982_JaffaCakes118.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 404 -p 4972 -ip 4972
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4972 -s 980
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 196.249.167.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 240.221.184.93.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 75.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 183.142.211.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 152.33.115.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 26.165.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 171.39.242.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 99.117.19.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
Files
C:\Users\Admin\AppData\Local\Temp\nsn34DC.tmp\cwehlkdexhf.dll
| MD5 | 201dec4f5cfe9c448804d504da2b9f50 |
| SHA1 | 4a565158eb3ee42694427374e11fc052a0bd3dad |
| SHA256 | f70b1ff393e0aaf8c737ec09a41598d9e51fbdde8bb19a7051aecc8d0752c965 |
| SHA512 | 52771f45ca9d51fe84d125fcb741ea9485ffef8620c5bf7c4cf233f66540dc27e48bc1b83d7a16dfd2faaafa66903dd7504620721385ce106addbde15a1bac82 |
Analysis: behavioral3
Detonation Overview
Submitted
2024-04-03 00:23
Reported
2024-04-03 00:26
Platform
win7-20240221-en
Max time kernel
122s
Max time network
127s
Command Line
Signatures
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\rundll32.exe |
Suspicious use of WriteProcessMemory
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\cwehlkdexhf.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\cwehlkdexhf.dll,#1
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2736 -s 264
Network
Files
Analysis: behavioral4
Detonation Overview
Submitted
2024-04-03 00:23
Reported
2024-04-03 00:26
Platform
win10v2004-20240226-en
Max time kernel
93s
Max time network
126s
Command Line
Signatures
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\rundll32.exe |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 3464 wrote to memory of 1240 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 3464 wrote to memory of 1240 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 3464 wrote to memory of 1240 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\cwehlkdexhf.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\cwehlkdexhf.dll,#1
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 1240 -ip 1240
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1240 -s 652
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 228.249.119.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 78.117.19.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 28.118.140.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 58.55.71.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 196.249.167.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 183.59.114.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 171.39.242.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 98.117.19.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 240.221.184.93.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 14.227.111.52.in-addr.arpa | udp |