Analysis

  • max time kernel
    138s
  • max time network
    141s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240802-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20240802-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    17-09-2024 10:38

General

  • Target

    e6a304a190393045871a1144609dc414_JaffaCakes118.exe

  • Size

    12KB

  • MD5

    e6a304a190393045871a1144609dc414

  • SHA1

    3606ac6e3d8ee7087e8a92da44bdbf6169794bb0

  • SHA256

    6ad6f24871ddeedb5dd1fd49abec8faae3a0809b3211c7ecce5fbce40dd28a75

  • SHA512

    0b1e93ba45bbc756a8cc2838272b7e0427553a4f464b3c46fb0490a51ea19a8ae88932f1b9dd177ed2a797c3d53ab59d71d1afa73f3c65262a31455c24b68261

  • SSDEEP

    192:pLU/9thAs3VkI0Z2tQN6WcoEuQqMT0U2/JT0JN7Kaemj:pLU/9tis3VkI0Z2iN6NBpnT0UUKN7KO

Malware Config

Extracted

Family

purecrypter

C2

https://store2.gofile.io/download/15a5b26e-809f-49c3-aa8f-3c0a207e9711/Fsyymzlzzxciphnzblhopzku.dll

Signatures

  • PureCrypter

    PureCrypter is a .NET malware loader first seen in early 2021.

  • Program crash 1 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

    Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\e6a304a190393045871a1144609dc414_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\e6a304a190393045871a1144609dc414_JaffaCakes118.exe"
    1⤵
    • System Location Discovery: System Language Discovery
    • Suspicious use of AdjustPrivilegeToken
    PID:3968
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 3968 -s 1784
      2⤵
      • Program crash
      PID:3044
  • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --field-trial-handle=4616,i,15336851255456239337,16379811035920490645,262144 --variations-seed-version --mojo-platform-channel-handle=1008 /prefetch:8
    1⤵
      PID:1988
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 3968 -ip 3968
      1⤵
        PID:3588

Network

      • flag-us
        DNS
        8.8.8.8.in-addr.arpa
        Remote address:
        8.8.8.8:53
        Request
        8.8.8.8.in-addr.arpa
        IN PTR
        Response
        8.8.8.8.in-addr.arpa
        IN PTR
        dnsgoogle
      • flag-us
        DNS
        97.17.167.52.in-addr.arpa
        Remote address:
        8.8.8.8:53
        Request
        97.17.167.52.in-addr.arpa
        IN PTR
        Response
      • flag-us
        DNS
        172.214.232.199.in-addr.arpa
        Remote address:
        8.8.8.8:53
        Request
        172.214.232.199.in-addr.arpa
        IN PTR
        Response
      • flag-us
        DNS
        22.160.190.20.in-addr.arpa
        Remote address:
        8.8.8.8:53
        Request
        22.160.190.20.in-addr.arpa
        IN PTR
        Response
      • flag-us
        DNS
        95.221.229.192.in-addr.arpa
        Remote address:
        8.8.8.8:53
        Request
        95.221.229.192.in-addr.arpa
        IN PTR
        Response
      • flag-us
        DNS
        58.55.71.13.in-addr.arpa
        Remote address:
        8.8.8.8:53
        Request
        58.55.71.13.in-addr.arpa
        IN PTR
        Response
      • flag-us
        DNS
        store2.gofile.io
        e6a304a190393045871a1144609dc414_JaffaCakes118.exe
        Remote address:
        8.8.8.8:53
        Request
        store2.gofile.io
        IN A
        Response
        store2.gofile.io
        IN A
        45.112.123.239
      • flag-fr
        GET
        https://store2.gofile.io/download/15a5b26e-809f-49c3-aa8f-3c0a207e9711/Fsyymzlzzxciphnzblhopzku.dll
        e6a304a190393045871a1144609dc414_JaffaCakes118.exe
        Remote address:
        45.112.123.239:443
        Request
        GET /download/15a5b26e-809f-49c3-aa8f-3c0a207e9711/Fsyymzlzzxciphnzblhopzku.dll HTTP/1.1
        Host: store2.gofile.io
        Connection: Keep-Alive
        Response
        HTTP/1.1 301 Moved Permanently
        Access-Control-Allow-Headers: Accept, Accept-Language, Content-Language, Content-Type, Content-Length, Range, Authorization
        Access-Control-Allow-Methods: POST, GET, OPTIONS, PUT, DELETE
        Access-Control-Allow-Origin: *
        Access-Control-Expose-Headers: Cache-Control, Content-Encoding, Content-Range
        Alt-Svc: h3=":443"; ma=2592000
        Content-Length: 138
        Content-Type: text/html; charset=utf-8
        Date: Tue, 17 Sep 2024 10:38:51 GMT
        Location: https://store2.gofile.io/download/web/15a5b26e-809f-49c3-aa8f-3c0a207e9711/Fsyymzlzzxciphnzblhopzku.dll
        Server: Caddy
      • flag-fr
        GET
        https://store2.gofile.io/download/web/15a5b26e-809f-49c3-aa8f-3c0a207e9711/Fsyymzlzzxciphnzblhopzku.dll
        e6a304a190393045871a1144609dc414_JaffaCakes118.exe
        Remote address:
        45.112.123.239:443
        Request
        GET /download/web/15a5b26e-809f-49c3-aa8f-3c0a207e9711/Fsyymzlzzxciphnzblhopzku.dll HTTP/1.1
        Host: store2.gofile.io
        Response
        HTTP/1.1 404 Not Found
        Access-Control-Allow-Headers: Accept, Accept-Language, Content-Language, Content-Type, Content-Length, Range, Authorization
        Access-Control-Allow-Methods: POST, GET, OPTIONS, PUT, DELETE
        Access-Control-Allow-Origin: *
        Access-Control-Expose-Headers: Cache-Control, Content-Encoding, Content-Range
        Alt-Svc: h3=":443"; ma=2592000
        Content-Length: 27
        Content-Type: text/plain; charset=utf-8
        Date: Tue, 17 Sep 2024 10:38:51 GMT
        Server: Caddy
        X-Content-Type-Options: nosniff
      • flag-us
        DNS
        239.123.112.45.in-addr.arpa
        Remote address:
        8.8.8.8:53
        Request
        239.123.112.45.in-addr.arpa
        IN PTR
        Response
      • flag-us
        DNS
        50.23.12.20.in-addr.arpa
        Remote address:
        8.8.8.8:53
        Request
        50.23.12.20.in-addr.arpa
        IN PTR
        Response
      • flag-us
        DNS
        171.39.242.20.in-addr.arpa
        Remote address:
        8.8.8.8:53
        Request
        171.39.242.20.in-addr.arpa
        IN PTR
        Response
      • flag-us
        DNS
        16.43.107.13.in-addr.arpa
        Remote address:
        8.8.8.8:53
        Request
        16.43.107.13.in-addr.arpa
        IN PTR
        Response
      • 45.112.123.239:443
        https://store2.gofile.io/download/web/15a5b26e-809f-49c3-aa8f-3c0a207e9711/Fsyymzlzzxciphnzblhopzku.dll
        tls, http
        e6a304a190393045871a1144609dc414_JaffaCakes118.exe
        985 B
        5.3kB
        9
        8

        HTTP Request

        GET https://store2.gofile.io/download/15a5b26e-809f-49c3-aa8f-3c0a207e9711/Fsyymzlzzxciphnzblhopzku.dll

        HTTP Response

        301

        HTTP Request

        GET https://store2.gofile.io/download/web/15a5b26e-809f-49c3-aa8f-3c0a207e9711/Fsyymzlzzxciphnzblhopzku.dll

        HTTP Response

        404
      • 8.8.8.8:53
        8.8.8.8.in-addr.arpa
        dns
        66 B
        90 B
        1
        1

        DNS Request

        8.8.8.8.in-addr.arpa

      • 8.8.8.8:53
        97.17.167.52.in-addr.arpa
        dns
        71 B
        145 B
        1
        1

        DNS Request

        97.17.167.52.in-addr.arpa

      • 8.8.8.8:53
        172.214.232.199.in-addr.arpa
        dns
        74 B
        128 B
        1
        1

        DNS Request

        172.214.232.199.in-addr.arpa

      • 8.8.8.8:53
        22.160.190.20.in-addr.arpa
        dns
        72 B
        158 B
        1
        1

        DNS Request

        22.160.190.20.in-addr.arpa

      • 8.8.8.8:53
        95.221.229.192.in-addr.arpa
        dns
        73 B
        144 B
        1
        1

        DNS Request

        95.221.229.192.in-addr.arpa

      • 8.8.8.8:53
        58.55.71.13.in-addr.arpa
        dns
        70 B
        144 B
        1
        1

        DNS Request

        58.55.71.13.in-addr.arpa

      • 8.8.8.8:53
        store2.gofile.io
        dns
        e6a304a190393045871a1144609dc414_JaffaCakes118.exe
        62 B
        78 B
        1
        1

        DNS Request

        store2.gofile.io

        DNS Response

        45.112.123.239

      • 8.8.8.8:53
        239.123.112.45.in-addr.arpa
        dns
        73 B
        127 B
        1
        1

        DNS Request

        239.123.112.45.in-addr.arpa

      • 8.8.8.8:53
        50.23.12.20.in-addr.arpa
        dns
        70 B
        156 B
        1
        1

        DNS Request

        50.23.12.20.in-addr.arpa

      • 8.8.8.8:53
        171.39.242.20.in-addr.arpa
        dns
        72 B
        158 B
        1
        1

        DNS Request

        171.39.242.20.in-addr.arpa

      • 8.8.8.8:53
        16.43.107.13.in-addr.arpa
        dns
        71 B
        157 B
        1
        1

        DNS Request

        16.43.107.13.in-addr.arpa

MITRE ATT&CK Enterprise v15

Downloads

      • memory/3968-0-0x000000007494E000-0x000000007494F000-memory.dmp

        Filesize

        4KB

      • memory/3968-1-0x0000000000230000-0x0000000000238000-memory.dmp

        Filesize

        32KB

      • memory/3968-2-0x0000000074940000-0x00000000750F0000-memory.dmp

        Filesize

        7.7MB

      • memory/3968-3-0x000000007494E000-0x000000007494F000-memory.dmp

        Filesize

        4KB

      • memory/3968-4-0x0000000074940000-0x00000000750F0000-memory.dmp

        Filesize

        7.7MB

      • memory/3968-5-0x0000000074940000-0x00000000750F0000-memory.dmp

        Filesize

        7.7MB
