Analysis

  • max time kernel
    120s
  • max time network
    121s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240802-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20240802-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    26-09-2024 12:29

General

  • Target

    f85fffaeb5a6b1d4c2e88fcd3f1eae19_JaffaCakes118.exe

  • Size

    74KB

  • MD5

    f85fffaeb5a6b1d4c2e88fcd3f1eae19

  • SHA1

    1f5bab84b27438a032c44beae8ff6c06fe6934b7

  • SHA256

    2261e72f0d0b2f0ffbc284c0ba81ed231990bb1f29d6538a6ba1f86831e13ad3

  • SHA512

    b4b13f470fe7768c06447cb60a986c0223d958375f55cc4370f88c9a4c8fbe0ce1d83acaebd403325147548b0eb53bbbcc4ae364f9fe2081560bbe29489eb858

  • SSDEEP

    384:xFNCkrP6b4TZcdr4SAJlCqe5OThQYuMnJA700eTxzxkx+xMx4ZxDvpVIecOzZuO2:vrP6bQl4qnJA700yvP

Malware Config

Extracted

Family

purecrypter

C2

https://store2.gofile.io/download/c0f09c5b-4af1-4366-b250-a13825e99334/Oxucssglmojl.dll

Signatures

  • PureCrypter

    PureCrypter is a .NET malware loader first seen in early 2021.

  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious behavior: EnumeratesProcesses 4 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of WriteProcessMemory 4 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\f85fffaeb5a6b1d4c2e88fcd3f1eae19_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\f85fffaeb5a6b1d4c2e88fcd3f1eae19_JaffaCakes118.exe"
    • Checks computer location settings
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2960
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Test-NetConnection -TraceRoute twitch.com
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:4580
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Start-Sleep -s 5
      • Suspicious behavior: EnumeratesProcesses
      PID:2560

Network

  • Country: US
    DNS
    232.168.11.51.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    232.168.11.51.in-addr.arpa
    IN PTR
    Response
  • Country: US
    DNS
    8.8.8.8.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    8.8.8.8.in-addr.arpa
    IN PTR
    Response
    8.8.8.8.in-addr.arpa
    IN PTR
    dns.google
  • Country: US
    DNS
    172.214.232.199.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    172.214.232.199.in-addr.arpa
    IN PTR
    Response
  • Country: US
    DNS
    twitch.com
    powershell.exe
    Remote address:
    8.8.8.8:53
    Request
    twitch.com
    IN A
    Response
    twitch.com
    IN A
    54.69.113.251
    twitch.com
    IN A
    52.42.212.97
    twitch.com
    IN A
    54.148.77.250
  • Country: US
    DNS
    138.32.126.40.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    138.32.126.40.in-addr.arpa
    IN PTR
    Response
  • Country: US
    DNS
    154.239.44.20.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    154.239.44.20.in-addr.arpa
    IN PTR
    Response
  • Country: US
    DNS
    149.220.183.52.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    149.220.183.52.in-addr.arpa
    IN PTR
    Response
  • Country: US
    DNS
    26.165.165.52.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    26.165.165.52.in-addr.arpa
    IN PTR
    Response
  • Country: US
    DNS
    18.31.95.13.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    18.31.95.13.in-addr.arpa
    IN PTR
    Response
  • Country: US
    DNS
    98.117.19.2.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    98.117.19.2.in-addr.arpa
    IN PTR
    Response
    98.117.19.2.in-addr.arpa
    IN PTR
    a2-19-117-98.deploy.static.akamaitechnologies.com
  • Country: US
    DNS
    172.210.232.199.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    172.210.232.199.in-addr.arpa
    IN PTR
    Response
  • Country: US
    DNS
    14.227.111.52.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    14.227.111.52.in-addr.arpa
    IN PTR
    Response
  • Country: US
    DNS
    twitch.com
    powershell.exe
    Remote address:
    8.8.8.8:53
    Request
    twitch.com
    IN A
    Response
    twitch.com
    IN A
    52.42.212.97
    twitch.com
    IN A
    54.148.77.250
    twitch.com
    IN A
    54.69.113.251
  • Country: US
    DNS
    twitch.com
    powershell.exe
    Remote address:
    8.8.8.8:53
    Request
    twitch.com
    IN AAAA
    Response
  • Country: US
    DNS
    twitch.com
    powershell.exe
    Remote address:
    8.8.8.8:53
    Request
    twitch.com
    IN A
    Response
    twitch.com
    IN A
    54.69.113.251
    twitch.com
    IN A
    54.148.77.250
    twitch.com
    IN A
    52.42.212.97
  • Country: US
    DNS
    twitch.com
    powershell.exe
    Remote address:
    8.8.8.8:53
    Request
    twitch.com
    IN AAAA
    Response
  • Country: US
    DNS
    store2.gofile.io
    f85fffaeb5a6b1d4c2e88fcd3f1eae19_JaffaCakes118.exe
    Remote address:
    8.8.8.8:53
    Request
    store2.gofile.io
    IN A
    Response
    store2.gofile.io
    IN A
    45.112.123.239
  • Country: FR
    GET
    https://store2.gofile.io/download/c0f09c5b-4af1-4366-b250-a13825e99334/Oxucssglmojl.dll
    f85fffaeb5a6b1d4c2e88fcd3f1eae19_JaffaCakes118.exe
    Remote address:
    45.112.123.239:443
    Request
    GET /download/c0f09c5b-4af1-4366-b250-a13825e99334/Oxucssglmojl.dll HTTP/1.1
    Host: store2.gofile.io
    Connection: Keep-Alive
    Response
    HTTP/1.1 301 Moved Permanently
    Access-Control-Allow-Headers: Accept, Accept-Language, Content-Language, Content-Type, Content-Length, Range, Authorization
    Access-Control-Allow-Methods: POST, GET, OPTIONS, PUT, DELETE
    Access-Control-Allow-Origin: *
    Access-Control-Expose-Headers: Cache-Control, Content-Encoding, Content-Range
    Alt-Svc: h3=":443"; ma=2592000
    Content-Length: 126
    Content-Type: text/html; charset=utf-8
    Date: Thu, 26 Sep 2024 12:31:51 GMT
    Location: https://store2.gofile.io/download/web/c0f09c5b-4af1-4366-b250-a13825e99334/Oxucssglmojl.dll
    Server: Caddy
  • Country: FR
    GET
    https://store2.gofile.io/download/web/c0f09c5b-4af1-4366-b250-a13825e99334/Oxucssglmojl.dll
    f85fffaeb5a6b1d4c2e88fcd3f1eae19_JaffaCakes118.exe
    Remote address:
    45.112.123.239:443
    Request
    GET /download/web/c0f09c5b-4af1-4366-b250-a13825e99334/Oxucssglmojl.dll HTTP/1.1
    Host: store2.gofile.io
    Response
    HTTP/1.1 404 Not Found
    Access-Control-Allow-Headers: Accept, Accept-Language, Content-Language, Content-Type, Content-Length, Range, Authorization
    Access-Control-Allow-Methods: POST, GET, OPTIONS, PUT, DELETE
    Access-Control-Allow-Origin: *
    Access-Control-Expose-Headers: Cache-Control, Content-Encoding, Content-Range
    Alt-Svc: h3=":443"; ma=2592000
    Content-Length: 27
    Content-Type: text/plain; charset=utf-8
    Date: Thu, 26 Sep 2024 12:31:51 GMT
    Server: Caddy
    X-Content-Type-Options: nosniff
  • Country: US
    DNS
    239.123.112.45.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    239.123.112.45.in-addr.arpa
    IN PTR
    Response
  • 45.112.123.239:443
    https://store2.gofile.io/download/web/c0f09c5b-4af1-4366-b250-a13825e99334/Oxucssglmojl.dll
    tls, http
    f85fffaeb5a6b1d4c2e88fcd3f1eae19_JaffaCakes118.exe
    961 B
    5.3kB
    9
    8

    HTTP Request

    GET https://store2.gofile.io/download/c0f09c5b-4af1-4366-b250-a13825e99334/Oxucssglmojl.dll

    HTTP Response

    301

    HTTP Request

    GET https://store2.gofile.io/download/web/c0f09c5b-4af1-4366-b250-a13825e99334/Oxucssglmojl.dll

    HTTP Response

    404
  • 8.8.8.8:53
    232.168.11.51.in-addr.arpa
    dns
    72 B
    158 B
    1
    1

    DNS Request

    232.168.11.51.in-addr.arpa

  • 8.8.8.8:53
    8.8.8.8.in-addr.arpa
    dns
    66 B
    90 B
    1
    1

    DNS Request

    8.8.8.8.in-addr.arpa

  • 8.8.8.8:53
    172.214.232.199.in-addr.arpa
    dns
    74 B
    128 B
    1
    1

    DNS Request

    172.214.232.199.in-addr.arpa

  • 8.8.8.8:53
    twitch.com
    dns
    powershell.exe
    56 B
    104 B
    1
    1

    DNS Request

    twitch.com

    DNS Response

    54.69.113.251
    52.42.212.97
    54.148.77.250

  • 8.8.8.8:53
    138.32.126.40.in-addr.arpa
    dns
    72 B
    158 B
    1
    1

    DNS Request

    138.32.126.40.in-addr.arpa

  • 8.8.8.8:53
    154.239.44.20.in-addr.arpa
    dns
    72 B
    158 B
    1
    1

    DNS Request

    154.239.44.20.in-addr.arpa

  • 8.8.8.8:53
    149.220.183.52.in-addr.arpa
    dns
    73 B
    147 B
    1
    1

    DNS Request

    149.220.183.52.in-addr.arpa

  • 8.8.8.8:53
    26.165.165.52.in-addr.arpa
    dns
    72 B
    146 B
    1
    1

    DNS Request

    26.165.165.52.in-addr.arpa

  • 8.8.8.8:53
    18.31.95.13.in-addr.arpa
    dns
    70 B
    144 B
    1
    1

    DNS Request

    18.31.95.13.in-addr.arpa

  • 8.8.8.8:53
    98.117.19.2.in-addr.arpa
    dns
    70 B
    133 B
    1
    1

    DNS Request

    98.117.19.2.in-addr.arpa

  • 8.8.8.8:53
    172.210.232.199.in-addr.arpa
    dns
    74 B
    128 B
    1
    1

    DNS Request

    172.210.232.199.in-addr.arpa

  • 8.8.8.8:53
    14.227.111.52.in-addr.arpa
    dns
    72 B
    158 B
    1
    1

    DNS Request

    14.227.111.52.in-addr.arpa

  • 8.8.8.8:53
    twitch.com
    dns
    powershell.exe
    56 B
    104 B
    1
    1

    DNS Request

    twitch.com

    DNS Response

    52.42.212.97
    54.148.77.250
    54.69.113.251

  • 8.8.8.8:53
    twitch.com
    dns
    powershell.exe
    56 B
    138 B
    1
    1

    DNS Request

    twitch.com

  • 8.8.8.8:53
    twitch.com
    dns
    powershell.exe
    56 B
    104 B
    1
    1

    DNS Request

    twitch.com

    DNS Response

    54.69.113.251
    54.148.77.250
    52.42.212.97

  • 8.8.8.8:53
    twitch.com
    dns
    powershell.exe
    56 B
    138 B
    1
    1

    DNS Request

    twitch.com

  • 8.8.8.8:53
    store2.gofile.io
    dns
    f85fffaeb5a6b1d4c2e88fcd3f1eae19_JaffaCakes118.exe
    62 B
    78 B
    1
    1

    DNS Request

    store2.gofile.io

    DNS Response

    45.112.123.239

  • 8.8.8.8:53
    239.123.112.45.in-addr.arpa
    dns
    73 B
    127 B
    1
    1

    DNS Request

    239.123.112.45.in-addr.arpa

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

    Filesize

    3KB

    MD5

    9b839c896dee7cbef31e62d9130fe067

    SHA1

    20974f32005a641b3b7aae03b130f9a6fb0bd321

    SHA256

    970916b50c737053ae7dcdb13e84fe4786b7884a03e4486c10cabd6d9f00e573

    SHA512

    75d645562b621afe3735ab1e92664a27b27c93948c7edfa88299ea77ca5bec1d383c0f2eaa908f527dc22108beaf81dc7b31fa96e63ae7842966a34cd7f8fed7

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

    Filesize

    1KB

    MD5

    09a0740708168aef065ab3b83f34da47

    SHA1

    d1d921fd3f5be2eb47de068542d9f3e45de030f1

    SHA256

    997b34f7dbccc36b9a676d3f5fe723bd6afad83db30a689aac4ce705fe38c34c

    SHA512

    4c9db0864abd3e3aeadfa6e47a61c2883c69945c64967e9dfed642cbfb89fc154103c376f3afc888f7f92796f405d0b0989173a103064441eecab7d272429ed3

  • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_25gzytvo.3tq.ps1

    Filesize

    60B

    MD5

    d17fe0a3f47be24a6453e9ef58c94641

    SHA1

    6ab83620379fc69f80c0242105ddffd7d98d5d9d

    SHA256

    96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

    SHA512

    5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

  • memory/2960-17-0x00007FFDEB620000-0x00007FFDEC0E1000-memory.dmp

    Filesize

    10.8MB

  • memory/2960-1-0x0000000000300000-0x0000000000316000-memory.dmp

    Filesize

    88KB

  • memory/2960-2-0x00007FFDEB620000-0x00007FFDEC0E1000-memory.dmp

    Filesize

    10.8MB

  • memory/2960-43-0x00007FFDEB620000-0x00007FFDEC0E1000-memory.dmp

    Filesize

    10.8MB

  • memory/2960-0-0x00007FFDEB623000-0x00007FFDEB625000-memory.dmp

    Filesize

    8KB

  • memory/4580-20-0x00007FFDEB620000-0x00007FFDEC0E1000-memory.dmp

    Filesize

    10.8MB

  • memory/4580-23-0x0000025A57FE0000-0x0000025A5800A000-memory.dmp

    Filesize

    168KB

  • memory/4580-18-0x00007FFDEB620000-0x00007FFDEC0E1000-memory.dmp

    Filesize

    10.8MB

  • memory/4580-19-0x00007FFDEB620000-0x00007FFDEC0E1000-memory.dmp

    Filesize

    10.8MB

  • memory/4580-15-0x00007FFDEB620000-0x00007FFDEC0E1000-memory.dmp

    Filesize

    10.8MB

  • memory/4580-21-0x0000025A57F60000-0x0000025A57F70000-memory.dmp

    Filesize

    64KB

  • memory/4580-22-0x0000025A57F90000-0x0000025A57FAA000-memory.dmp

    Filesize

    104KB

  • memory/4580-16-0x00007FFDEB620000-0x00007FFDEC0E1000-memory.dmp

    Filesize

    10.8MB

  • memory/4580-24-0x0000025A57FE0000-0x0000025A58004000-memory.dmp

    Filesize

    144KB

  • memory/4580-25-0x0000025A57FC0000-0x0000025A57FCE000-memory.dmp

    Filesize

    56KB

  • memory/4580-26-0x00007FFDEB620000-0x00007FFDEC0E1000-memory.dmp

    Filesize

    10.8MB

  • memory/4580-27-0x00007FFDEB620000-0x00007FFDEC0E1000-memory.dmp

    Filesize

    10.8MB

  • memory/4580-30-0x00007FFDEB620000-0x00007FFDEC0E1000-memory.dmp

    Filesize

    10.8MB

  • memory/4580-14-0x00007FFDEB620000-0x00007FFDEC0E1000-memory.dmp

    Filesize

    10.8MB

  • memory/4580-13-0x00007FFDEB620000-0x00007FFDEC0E1000-memory.dmp

    Filesize

    10.8MB

  • memory/4580-12-0x0000025A3F050000-0x0000025A3F072000-memory.dmp

    Filesize

    136KB
