Analysis
-
max time kernel
138s -
max time network
141s -
platform
windows10-2004_x64 -
resource
win10v2004-20240802-en -
resource tags
arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system -
submitted
17-09-2024 10:38
Behavioral task
behavioral1
Sample
e6a304a190393045871a1144609dc414_JaffaCakes118.exe
Resource
win7-20240708-en
Behavioral task
behavioral2
Sample
e6a304a190393045871a1144609dc414_JaffaCakes118.exe
Resource
win10v2004-20240802-en
General
-
Target
e6a304a190393045871a1144609dc414_JaffaCakes118.exe
-
Size
12KB
-
MD5
e6a304a190393045871a1144609dc414
-
SHA1
3606ac6e3d8ee7087e8a92da44bdbf6169794bb0
-
SHA256
6ad6f24871ddeedb5dd1fd49abec8faae3a0809b3211c7ecce5fbce40dd28a75
-
SHA512
0b1e93ba45bbc756a8cc2838272b7e0427553a4f464b3c46fb0490a51ea19a8ae88932f1b9dd177ed2a797c3d53ab59d71d1afa73f3c65262a31455c24b68261
-
SSDEEP
192:pLU/9thAs3VkI0Z2tQN6WcoEuQqMT0U2/JT0JN7Kaemj:pLU/9tis3VkI0Z2iN6NBpnT0UUKN7KO
Malware Config
Extracted
purecrypter
https://store2.gofile.io/download/15a5b26e-809f-49c3-aa8f-3c0a207e9711/Fsyymzlzzxciphnzblhopzku.dll
Signatures
-
PureCrypter
PureCrypter is a .NET malware loader first seen in early 2021.
-
Program crash 1 IoCs
pid pid_target Process procid_target 3044 3968 WerFault.exe 88 -
System Location Discovery: System Language Discovery 1 TTPs 1 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language e6a304a190393045871a1144609dc414_JaffaCakes118.exe -
Suspicious use of AdjustPrivilegeToken 1 IoCs
description pid Process Token: SeDebugPrivilege 3968 e6a304a190393045871a1144609dc414_JaffaCakes118.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\e6a304a190393045871a1144609dc414_JaffaCakes118.exe"C:\Users\Admin\AppData\Local\Temp\e6a304a190393045871a1144609dc414_JaffaCakes118.exe"1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
PID:3968 -
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 3968 -s 17842⤵
- Program crash
PID:3044
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --field-trial-handle=4616,i,15336851255456239337,16379811035920490645,262144 --variations-seed-version --mojo-platform-channel-handle=1008 /prefetch:81⤵PID:1988
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 3968 -ip 39681⤵PID:3588
Network
-
Remote address:8.8.8.8:53Request8.8.8.8.in-addr.arpaIN PTRResponse8.8.8.8.in-addr.arpaIN PTRdnsgoogle
-
Remote address:8.8.8.8:53Request97.17.167.52.in-addr.arpaIN PTRResponse
-
Remote address:8.8.8.8:53Request172.214.232.199.in-addr.arpaIN PTRResponse
-
Remote address:8.8.8.8:53Request22.160.190.20.in-addr.arpaIN PTRResponse
-
Remote address:8.8.8.8:53Request95.221.229.192.in-addr.arpaIN PTRResponse
-
Remote address:8.8.8.8:53Request58.55.71.13.in-addr.arpaIN PTRResponse
-
Remote address:8.8.8.8:53Requeststore2.gofile.ioIN AResponsestore2.gofile.ioIN A45.112.123.239
-
GEThttps://store2.gofile.io/download/15a5b26e-809f-49c3-aa8f-3c0a207e9711/Fsyymzlzzxciphnzblhopzku.dlle6a304a190393045871a1144609dc414_JaffaCakes118.exeRemote address:45.112.123.239:443RequestGET /download/15a5b26e-809f-49c3-aa8f-3c0a207e9711/Fsyymzlzzxciphnzblhopzku.dll HTTP/1.1
Host: store2.gofile.io
Connection: Keep-Alive
ResponseHTTP/1.1 301 Moved Permanently
Access-Control-Allow-Methods: POST, GET, OPTIONS, PUT, DELETE
Access-Control-Allow-Origin: *
Access-Control-Expose-Headers: Cache-Control, Content-Encoding, Content-Range
Alt-Svc: h3=":443"; ma=2592000
Content-Length: 138
Content-Type: text/html; charset=utf-8
Date: Tue, 17 Sep 2024 10:38:51 GMT
Location: https://store2.gofile.io/download/web/15a5b26e-809f-49c3-aa8f-3c0a207e9711/Fsyymzlzzxciphnzblhopzku.dll
Server: Caddy
-
GEThttps://store2.gofile.io/download/web/15a5b26e-809f-49c3-aa8f-3c0a207e9711/Fsyymzlzzxciphnzblhopzku.dlle6a304a190393045871a1144609dc414_JaffaCakes118.exeRemote address:45.112.123.239:443RequestGET /download/web/15a5b26e-809f-49c3-aa8f-3c0a207e9711/Fsyymzlzzxciphnzblhopzku.dll HTTP/1.1
Host: store2.gofile.io
ResponseHTTP/1.1 404 Not Found
Access-Control-Allow-Methods: POST, GET, OPTIONS, PUT, DELETE
Access-Control-Allow-Origin: *
Access-Control-Expose-Headers: Cache-Control, Content-Encoding, Content-Range
Alt-Svc: h3=":443"; ma=2592000
Content-Length: 27
Content-Type: text/plain; charset=utf-8
Date: Tue, 17 Sep 2024 10:38:51 GMT
Server: Caddy
X-Content-Type-Options: nosniff
-
Remote address:8.8.8.8:53Request239.123.112.45.in-addr.arpaIN PTRResponse
-
Remote address:8.8.8.8:53Request50.23.12.20.in-addr.arpaIN PTRResponse
-
Remote address:8.8.8.8:53Request171.39.242.20.in-addr.arpaIN PTRResponse
-
Remote address:8.8.8.8:53Request16.43.107.13.in-addr.arpaIN PTRResponse
-
45.112.123.239:443https://store2.gofile.io/download/web/15a5b26e-809f-49c3-aa8f-3c0a207e9711/Fsyymzlzzxciphnzblhopzku.dlltls, httpe6a304a190393045871a1144609dc414_JaffaCakes118.exe985 B 5.3kB 9 8
HTTP Request
GET https://store2.gofile.io/download/15a5b26e-809f-49c3-aa8f-3c0a207e9711/Fsyymzlzzxciphnzblhopzku.dllHTTP Response
301HTTP Request
GET https://store2.gofile.io/download/web/15a5b26e-809f-49c3-aa8f-3c0a207e9711/Fsyymzlzzxciphnzblhopzku.dllHTTP Response
404
-
66 B 90 B 1 1
DNS Request
8.8.8.8.in-addr.arpa
-
71 B 145 B 1 1
DNS Request
97.17.167.52.in-addr.arpa
-
74 B 128 B 1 1
DNS Request
172.214.232.199.in-addr.arpa
-
72 B 158 B 1 1
DNS Request
22.160.190.20.in-addr.arpa
-
73 B 144 B 1 1
DNS Request
95.221.229.192.in-addr.arpa
-
70 B 144 B 1 1
DNS Request
58.55.71.13.in-addr.arpa
-
62 B 78 B 1 1
DNS Request
store2.gofile.io
DNS Response
45.112.123.239
-
73 B 127 B 1 1
DNS Request
239.123.112.45.in-addr.arpa
-
70 B 156 B 1 1
DNS Request
50.23.12.20.in-addr.arpa
-
72 B 158 B 1 1
DNS Request
171.39.242.20.in-addr.arpa
-
71 B 157 B 1 1
DNS Request
16.43.107.13.in-addr.arpa