Analysis
max time kernel: 120s
max time network: 121s
platform: windows10-2004_x64
resource: win10v2004-20240802-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240802-en, locale:en-us, os:windows10-2004-x64, system
submitted: 26-09-2024 12:29
Behavioral task: behavioral1
Sample: f85fffaeb5a6b1d4c2e88fcd3f1eae19_JaffaCakes118.exe
Resource: win7-20240903-en
Behavioral task: behavioral2
Sample: f85fffaeb5a6b1d4c2e88fcd3f1eae19_JaffaCakes118.exe
Resource: win10v2004-20240802-en
General
Target: f85fffaeb5a6b1d4c2e88fcd3f1eae19_JaffaCakes118.exe
Size: 74KB
MD5: f85fffaeb5a6b1d4c2e88fcd3f1eae19
SHA1: 1f5bab84b27438a032c44beae8ff6c06fe6934b7
SHA256: 2261e72f0d0b2f0ffbc284c0ba81ed231990bb1f29d6538a6ba1f86831e13ad3
SHA512: b4b13f470fe7768c06447cb60a986c0223d958375f55cc4370f88c9a4c8fbe0ce1d83acaebd403325147548b0eb53bbbcc4ae364f9fe2081560bbe29489eb858
SSDEEP: 384:xFNCkrP6b4TZcdr4SAJlCqe5OThQYuMnJA700eTxzxkx+xMx4ZxDvpVIecOzZuO2:vrP6bQl4qnJA700yvP
Malware Config
Extracted: purecrypter
URL: https://store2.gofile.io/download/c0f09c5b-4af1-4366-b250-a13825e99334/Oxucssglmojl.dll
Signatures
-
PureCrypter
PureCrypter is a .NET malware loader first seen in early 2021.
-
Checks computer location settings (2 TTPs, 1 IoCs)
Looks up country code configured in the registry, likely geofence.
description: Key value queried
ioc: \REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000\Control Panel\International\Geo\Nation
Process: f85fffaeb5a6b1d4c2e88fcd3f1eae19_JaffaCakes118.exe
-
Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).
-
Suspicious behavior: EnumeratesProcesses (4 IoCs)
pid   Process
4580  powershell.exe
4580  powershell.exe
2560  powershell.exe
2560  powershell.exe
Suspicious use of AdjustPrivilegeToken (64 IoCs)
description                          pid   Process
Token: SeDebugPrivilege              2960  f85fffaeb5a6b1d4c2e88fcd3f1eae19_JaffaCakes118.exe
Token: SeDebugPrivilege              4580  powershell.exe
Token: SeIncreaseQuotaPrivilege      4580  powershell.exe
Token: SeSecurityPrivilege           4580  powershell.exe
Token: SeTakeOwnershipPrivilege      4580  powershell.exe
Token: SeLoadDriverPrivilege         4580  powershell.exe
Token: SeSystemProfilePrivilege      4580  powershell.exe
Token: SeSystemtimePrivilege         4580  powershell.exe
Token: SeProfSingleProcessPrivilege  4580  powershell.exe
Token: SeIncBasePriorityPrivilege    4580  powershell.exe
Token: SeCreatePagefilePrivilege     4580  powershell.exe
Token: SeBackupPrivilege             4580  powershell.exe
Token: SeRestorePrivilege            4580  powershell.exe
Token: SeShutdownPrivilege           4580  powershell.exe
Token: SeDebugPrivilege              4580  powershell.exe
Token: SeSystemEnvironmentPrivilege  4580  powershell.exe
Token: SeRemoteShutdownPrivilege     4580  powershell.exe
Token: SeUndockPrivilege             4580  powershell.exe
Token: SeManageVolumePrivilege       4580  powershell.exe
Token: 33                            4580  powershell.exe
Token: 34                            4580  powershell.exe
Token: 35                            4580  powershell.exe
Token: 36                            4580  powershell.exe
Token: SeIncreaseQuotaPrivilege      4580  powershell.exe
Token: SeSecurityPrivilege           4580  powershell.exe
Token: SeTakeOwnershipPrivilege      4580  powershell.exe
Token: SeLoadDriverPrivilege         4580  powershell.exe
Token: SeSystemProfilePrivilege      4580  powershell.exe
Token: SeSystemtimePrivilege         4580  powershell.exe
Token: SeProfSingleProcessPrivilege  4580  powershell.exe
Token: SeIncBasePriorityPrivilege    4580  powershell.exe
Token: SeCreatePagefilePrivilege     4580  powershell.exe
Token: SeBackupPrivilege             4580  powershell.exe
Token: SeRestorePrivilege            4580  powershell.exe
Token: SeShutdownPrivilege           4580  powershell.exe
Token: SeDebugPrivilege              4580  powershell.exe
Token: SeSystemEnvironmentPrivilege  4580  powershell.exe
Token: SeRemoteShutdownPrivilege     4580  powershell.exe
Token: SeUndockPrivilege             4580  powershell.exe
Token: SeManageVolumePrivilege       4580  powershell.exe
Token: 33                            4580  powershell.exe
Token: 34                            4580  powershell.exe
Token: 35                            4580  powershell.exe
Token: 36                            4580  powershell.exe
Token: SeIncreaseQuotaPrivilege      4580  powershell.exe
Token: SeSecurityPrivilege           4580  powershell.exe
Token: SeTakeOwnershipPrivilege      4580  powershell.exe
Token: SeLoadDriverPrivilege         4580  powershell.exe
Token: SeSystemProfilePrivilege      4580  powershell.exe
Token: SeSystemtimePrivilege         4580  powershell.exe
Token: SeProfSingleProcessPrivilege  4580  powershell.exe
Token: SeIncBasePriorityPrivilege    4580  powershell.exe
Token: SeCreatePagefilePrivilege     4580  powershell.exe
Token: SeBackupPrivilege             4580  powershell.exe
Token: SeRestorePrivilege            4580  powershell.exe
Token: SeShutdownPrivilege           4580  powershell.exe
Token: SeDebugPrivilege              4580  powershell.exe
Token: SeSystemEnvironmentPrivilege  4580  powershell.exe
Token: SeRemoteShutdownPrivilege     4580  powershell.exe
Token: SeUndockPrivilege             4580  powershell.exe
Token: SeManageVolumePrivilege       4580  powershell.exe
Token: 33                            4580  powershell.exe
Token: 34                            4580  powershell.exe
Token: 35                            4580  powershell.exe
-
Suspicious use of WriteProcessMemory (4 IoCs)
description                       pid   Process                                              procid_target
PID 2960 wrote to memory of 4580  2960  f85fffaeb5a6b1d4c2e88fcd3f1eae19_JaffaCakes118.exe   83
PID 2960 wrote to memory of 4580  2960  f85fffaeb5a6b1d4c2e88fcd3f1eae19_JaffaCakes118.exe   83
PID 2960 wrote to memory of 2560  2960  f85fffaeb5a6b1d4c2e88fcd3f1eae19_JaffaCakes118.exe   97
PID 2960 wrote to memory of 2560  2960  f85fffaeb5a6b1d4c2e88fcd3f1eae19_JaffaCakes118.exe   97
Processes
f85fffaeb5a6b1d4c2e88fcd3f1eae19_JaffaCakes118.exe (PID 2960)
  Path: C:\Users\Admin\AppData\Local\Temp\f85fffaeb5a6b1d4c2e88fcd3f1eae19_JaffaCakes118.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\f85fffaeb5a6b1d4c2e88fcd3f1eae19_JaffaCakes118.exe"
  - Checks computer location settings
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  powershell.exe (PID 4580, child of 2960)
    Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Test-NetConnection -TraceRoute twitch.com
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
  powershell.exe (PID 2560, child of 2960)
    Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Start-Sleep -s 5
    - Suspicious behavior: EnumeratesProcesses
-
Network
-
Remote address: 8.8.8.8:53
Request: 232.168.11.51.in-addr.arpa IN PTR
Response: (empty)
-
Remote address: 8.8.8.8:53
Request: 8.8.8.8.in-addr.arpa IN PTR
Response: 8.8.8.8.in-addr.arpa IN PTR dns.google
-
Remote address: 8.8.8.8:53
Request: 172.214.232.199.in-addr.arpa IN PTR
Response: (empty)
-
Remote address: 8.8.8.8:53
Request: twitch.com IN A
Response: twitch.com IN A 54.69.113.251; twitch.com IN A 52.42.212.97; twitch.com IN A 54.148.77.250
-
Remote address: 8.8.8.8:53
Request: 138.32.126.40.in-addr.arpa IN PTR
Response: (empty)
-
Remote address: 8.8.8.8:53
Request: 154.239.44.20.in-addr.arpa IN PTR
Response: (empty)
-
Remote address: 8.8.8.8:53
Request: 149.220.183.52.in-addr.arpa IN PTR
Response: (empty)
-
Remote address: 8.8.8.8:53
Request: 26.165.165.52.in-addr.arpa IN PTR
Response: (empty)
-
Remote address: 8.8.8.8:53
Request: 18.31.95.13.in-addr.arpa IN PTR
Response: (empty)
-
Remote address: 8.8.8.8:53
Request: 98.117.19.2.in-addr.arpa IN PTR
Response: 98.117.19.2.in-addr.arpa IN PTR a2-19-117-98.deploy.static.akamaitechnologies.com
-
Remote address: 8.8.8.8:53
Request: 172.210.232.199.in-addr.arpa IN PTR
Response: (empty)
-
Remote address: 8.8.8.8:53
Request: 14.227.111.52.in-addr.arpa IN PTR
Response: (empty)
-
Remote address: 8.8.8.8:53
Request: twitch.com IN A
Response: twitch.com IN A 52.42.212.97; twitch.com IN A 54.148.77.250; twitch.com IN A 54.69.113.251
-
Remote address: 8.8.8.8:53
Request: twitch.com IN AAAA
Response: (empty)
-
Remote address: 8.8.8.8:53
Request: twitch.com IN A
Response: twitch.com IN A 54.69.113.251; twitch.com IN A 54.148.77.250; twitch.com IN A 52.42.212.97
-
Remote address: 8.8.8.8:53
Request: twitch.com IN AAAA
Response: (empty)
-
Remote address: 8.8.8.8:53
Request: store2.gofile.io IN A
Response: store2.gofile.io IN A 45.112.123.239
-
HTTP: GET https://store2.gofile.io/download/c0f09c5b-4af1-4366-b250-a13825e99334/Oxucssglmojl.dll
Process: f85fffaeb5a6b1d4c2e88fcd3f1eae19_JaffaCakes118.exe
Remote address: 45.112.123.239:443
Request:
GET /download/c0f09c5b-4af1-4366-b250-a13825e99334/Oxucssglmojl.dll HTTP/1.1
Host: store2.gofile.io
Connection: Keep-Alive
Response:
HTTP/1.1 301 Moved Permanently
Access-Control-Allow-Methods: POST, GET, OPTIONS, PUT, DELETE
Access-Control-Allow-Origin: *
Access-Control-Expose-Headers: Cache-Control, Content-Encoding, Content-Range
Alt-Svc: h3=":443"; ma=2592000
Content-Length: 126
Content-Type: text/html; charset=utf-8
Date: Thu, 26 Sep 2024 12:31:51 GMT
Location: https://store2.gofile.io/download/web/c0f09c5b-4af1-4366-b250-a13825e99334/Oxucssglmojl.dll
Server: Caddy
-
HTTP: GET https://store2.gofile.io/download/web/c0f09c5b-4af1-4366-b250-a13825e99334/Oxucssglmojl.dll
Process: f85fffaeb5a6b1d4c2e88fcd3f1eae19_JaffaCakes118.exe
Remote address: 45.112.123.239:443
Request:
GET /download/web/c0f09c5b-4af1-4366-b250-a13825e99334/Oxucssglmojl.dll HTTP/1.1
Host: store2.gofile.io
Response:
HTTP/1.1 404 Not Found
Access-Control-Allow-Methods: POST, GET, OPTIONS, PUT, DELETE
Access-Control-Allow-Origin: *
Access-Control-Expose-Headers: Cache-Control, Content-Encoding, Content-Range
Alt-Svc: h3=":443"; ma=2592000
Content-Length: 27
Content-Type: text/plain; charset=utf-8
Date: Thu, 26 Sep 2024 12:31:51 GMT
Server: Caddy
X-Content-Type-Options: nosniff
-
Remote address: 8.8.8.8:53
Request: 239.123.112.45.in-addr.arpa IN PTR
Response: (empty)
-
Traffic summary
Destination: 45.112.123.239:443
URL: https://store2.gofile.io/download/web/c0f09c5b-4af1-4366-b250-a13825e99334/Oxucssglmojl.dll
Protocol: tls, http
Process: f85fffaeb5a6b1d4c2e88fcd3f1eae19_JaffaCakes118.exe
Sent: 961 B, Received: 5.3kB, Packets sent: 9, Packets received: 8
HTTP Request: GET https://store2.gofile.io/download/c0f09c5b-4af1-4366-b250-a13825e99334/Oxucssglmojl.dll
HTTP Response: 301
HTTP Request: GET https://store2.gofile.io/download/web/c0f09c5b-4af1-4366-b250-a13825e99334/Oxucssglmojl.dll
HTTP Response: 404
-
DNS flows
Sent   Received  Pkts sent  Pkts recv  DNS Request                    DNS Response
72 B   158 B     1          1          232.168.11.51.in-addr.arpa
66 B   90 B      1          1          8.8.8.8.in-addr.arpa
74 B   128 B     1          1          172.214.232.199.in-addr.arpa
56 B   104 B     1          1          twitch.com                     54.69.113.251, 52.42.212.97, 54.148.77.250
72 B   158 B     1          1          138.32.126.40.in-addr.arpa
72 B   158 B     1          1          154.239.44.20.in-addr.arpa
73 B   147 B     1          1          149.220.183.52.in-addr.arpa
72 B   146 B     1          1          26.165.165.52.in-addr.arpa
70 B   144 B     1          1          18.31.95.13.in-addr.arpa
70 B   133 B     1          1          98.117.19.2.in-addr.arpa
74 B   128 B     1          1          172.210.232.199.in-addr.arpa
72 B   158 B     1          1          14.227.111.52.in-addr.arpa
56 B   104 B     1          1          twitch.com                     52.42.212.97, 54.148.77.250, 54.69.113.251
56 B   138 B     1          1          twitch.com
56 B   104 B     1          1          twitch.com                     54.69.113.251, 54.148.77.250, 52.42.212.97
56 B   138 B     1          1          twitch.com
62 B   78 B      1          1          store2.gofile.io               45.112.123.239
73 B   127 B     1          1          239.123.112.45.in-addr.arpa
MITRE ATT&CK Enterprise v15
Downloads
-
Filesize: 3KB
MD5: 9b839c896dee7cbef31e62d9130fe067
SHA1: 20974f32005a641b3b7aae03b130f9a6fb0bd321
SHA256: 970916b50c737053ae7dcdb13e84fe4786b7884a03e4486c10cabd6d9f00e573
SHA512: 75d645562b621afe3735ab1e92664a27b27c93948c7edfa88299ea77ca5bec1d383c0f2eaa908f527dc22108beaf81dc7b31fa96e63ae7842966a34cd7f8fed7
-
Filesize: 1KB
MD5: 09a0740708168aef065ab3b83f34da47
SHA1: d1d921fd3f5be2eb47de068542d9f3e45de030f1
SHA256: 997b34f7dbccc36b9a676d3f5fe723bd6afad83db30a689aac4ce705fe38c34c
SHA512: 4c9db0864abd3e3aeadfa6e47a61c2883c69945c64967e9dfed642cbfb89fc154103c376f3afc888f7f92796f405d0b0989173a103064441eecab7d272429ed3
-
Filesize: 60B
MD5: d17fe0a3f47be24a6453e9ef58c94641
SHA1: 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256: 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512: 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82