purecrypter | aede97a0d8d484c415f9c7aadd7b378781934208bb23df61319af2a52181cacc

Analysis

max time kernel
144s
max time network
117s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
18-10-2024 03:33

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

5541d3aa08592decddea56b1cdd82802_JaffaCakes118.exe
Size

170KB
MD5

5541d3aa08592decddea56b1cdd82802
SHA1

4d66649d7f111f51751be789fffd968bbba4ae0a
SHA256

aede97a0d8d484c415f9c7aadd7b378781934208bb23df61319af2a52181cacc
SHA512

1fffe08fe990125363429f7f93aaad228f50402bcf0afbd4cb6f6a49fda0a23c833cc02d722b3cb582238ec4643679bae89ce0a3e4554cd3107538727bfd7392
SSDEEP

384:6mHNuLmRHMwq+Ez7EeHHHHmL777/wcKsvhpNU/zlJFiKyauLpSxbZdKsMsjj:htlswrErHHHHmL777/wcHKyauObZPf

Score

10^/10

purecrypter discovery downloader loader

Malware Config

Extracted

Family

purecrypter

https://store2.gofile.io/download/75ae5dfc-5ae6-46ff-992b-cca732d48fb6/Eldqxspuu.dll

Signatures

PureCrypter
PureCrypter is a .NET malware loader first seen in early 2021.
loader downloader purecrypter

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Control Panel\International\Geo\Nation	5541d3aa08592decddea56b1cdd82802_JaffaCakes118.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process	procid_target
1888	3532	WerFault.exe	83

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	5541d3aa08592decddea56b1cdd82802_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
4740	powershell.exe
4740	powershell.exe
2656	powershell.exe
2656	powershell.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	3532	5541d3aa08592decddea56b1cdd82802_JaffaCakes118.exe
Token: SeDebugPrivilege	4740	powershell.exe
Token: SeIncreaseQuotaPrivilege	4740	powershell.exe
Token: SeSecurityPrivilege	4740	powershell.exe
Token: SeTakeOwnershipPrivilege	4740	powershell.exe
Token: SeLoadDriverPrivilege	4740	powershell.exe
Token: SeSystemProfilePrivilege	4740	powershell.exe
Token: SeSystemtimePrivilege	4740	powershell.exe
Token: SeProfSingleProcessPrivilege	4740	powershell.exe
Token: SeIncBasePriorityPrivilege	4740	powershell.exe
Token: SeCreatePagefilePrivilege	4740	powershell.exe
Token: SeBackupPrivilege	4740	powershell.exe
Token: SeRestorePrivilege	4740	powershell.exe
Token: SeShutdownPrivilege	4740	powershell.exe
Token: SeDebugPrivilege	4740	powershell.exe
Token: SeSystemEnvironmentPrivilege	4740	powershell.exe
Token: SeRemoteShutdownPrivilege	4740	powershell.exe
Token: SeUndockPrivilege	4740	powershell.exe
Token: SeManageVolumePrivilege	4740	powershell.exe
Token: 33	4740	powershell.exe
Token: 34	4740	powershell.exe
Token: 35	4740	powershell.exe
Token: 36	4740	powershell.exe
Token: SeIncreaseQuotaPrivilege	4740	powershell.exe
Token: SeSecurityPrivilege	4740	powershell.exe
Token: SeTakeOwnershipPrivilege	4740	powershell.exe
Token: SeLoadDriverPrivilege	4740	powershell.exe
Token: SeSystemProfilePrivilege	4740	powershell.exe
Token: SeSystemtimePrivilege	4740	powershell.exe
Token: SeProfSingleProcessPrivilege	4740	powershell.exe
Token: SeIncBasePriorityPrivilege	4740	powershell.exe
Token: SeCreatePagefilePrivilege	4740	powershell.exe
Token: SeBackupPrivilege	4740	powershell.exe
Token: SeRestorePrivilege	4740	powershell.exe
Token: SeShutdownPrivilege	4740	powershell.exe
Token: SeDebugPrivilege	4740	powershell.exe
Token: SeSystemEnvironmentPrivilege	4740	powershell.exe
Token: SeRemoteShutdownPrivilege	4740	powershell.exe
Token: SeUndockPrivilege	4740	powershell.exe
Token: SeManageVolumePrivilege	4740	powershell.exe
Token: 33	4740	powershell.exe
Token: 34	4740	powershell.exe
Token: 35	4740	powershell.exe
Token: 36	4740	powershell.exe
Token: SeIncreaseQuotaPrivilege	4740	powershell.exe
Token: SeSecurityPrivilege	4740	powershell.exe
Token: SeTakeOwnershipPrivilege	4740	powershell.exe
Token: SeLoadDriverPrivilege	4740	powershell.exe
Token: SeSystemProfilePrivilege	4740	powershell.exe
Token: SeSystemtimePrivilege	4740	powershell.exe
Token: SeProfSingleProcessPrivilege	4740	powershell.exe
Token: SeIncBasePriorityPrivilege	4740	powershell.exe
Token: SeCreatePagefilePrivilege	4740	powershell.exe
Token: SeBackupPrivilege	4740	powershell.exe
Token: SeRestorePrivilege	4740	powershell.exe
Token: SeShutdownPrivilege	4740	powershell.exe
Token: SeDebugPrivilege	4740	powershell.exe
Token: SeSystemEnvironmentPrivilege	4740	powershell.exe
Token: SeRemoteShutdownPrivilege	4740	powershell.exe
Token: SeUndockPrivilege	4740	powershell.exe
Token: SeManageVolumePrivilege	4740	powershell.exe
Token: 33	4740	powershell.exe
Token: 34	4740	powershell.exe
Token: 35	4740	powershell.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 3532 wrote to memory of 4740	3532	5541d3aa08592decddea56b1cdd82802_JaffaCakes118.exe	86
PID 3532 wrote to memory of 4740	3532	5541d3aa08592decddea56b1cdd82802_JaffaCakes118.exe	86
PID 3532 wrote to memory of 4740	3532	5541d3aa08592decddea56b1cdd82802_JaffaCakes118.exe	86
PID 3532 wrote to memory of 2656	3532	5541d3aa08592decddea56b1cdd82802_JaffaCakes118.exe	116
PID 3532 wrote to memory of 2656	3532	5541d3aa08592decddea56b1cdd82802_JaffaCakes118.exe	116
PID 3532 wrote to memory of 2656	3532	5541d3aa08592decddea56b1cdd82802_JaffaCakes118.exe	116

C:\Users\Admin\AppData\Local\Temp\5541d3aa08592decddea56b1cdd82802_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\5541d3aa08592decddea56b1cdd82802_JaffaCakes118.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3532
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Test-NetConnection -TraceRoute twitch.com
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4740
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Start-Sleep -s 5
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:2656
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 3532 -s 2132
  2⤵
  - Program crash
  PID:1888

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 424 -p 3532 -ip 3532
1⤵
PID:924

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
c018e16dd35f28481778200f64d48f7d

SHA1
1c62dc5094a3c3c1a029a6c364e085f8b394a5f8

SHA256
1eca7f2483e92089e119033f7da113033c06f53bd1925eb2029fcbd00cf14425

SHA512
2b100699503cb3c9775faf2ccb3f2365fa412eef29e2d8e631e1fa606bd2c5a4652c3dfb929da0d9964fd1ccf123ee81c509a9a45b03028fb045c6ce3f6c19c7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache

Filesize
53KB

MD5
fb2a6d2d431df57dc0af629efebd60fc

SHA1
944ee5fa2f22bf3e6f2607566f2dd4583eaa12e4

SHA256
f184830e61b258880b535f5849968a10af665169777ad9ca6d2ab4ead3cc85b5

SHA512
b32cba962751226059956593edf0e061214a264aac553750ff9f98ceee342c408a843a200bd3d5d8df37c263728739d152c70ebe8ccba7d0a4ec45fe555c9c1d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
24KB

MD5
ee323ba483ad72c4ff7ce768c52664a3

SHA1
dd8c8bd72bfe64388774d9719da2f29f28f19a3d

SHA256
098ef8dc1df45b8abdd07dd7e07fb93e923ee8702ac98895c81b0ae1e5f9971f

SHA512
29b4045b2e5c71596afb9535ef4d9542a17d636a6a61b45db1fe542e9bd6a0e410a26c34e8d5a9635a5af11704329d6377240a08c6188f42e81c04e0c056f7a4

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_lg54onmp.ppc.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
memory/2656-61-0x0000000074930000-0x00000000750E0000-memory.dmp

Filesize
7.7MB

Download
memory/2656-76-0x0000000074930000-0x00000000750E0000-memory.dmp

Filesize
7.7MB

Download
memory/2656-68-0x00000000059B0000-0x0000000005D04000-memory.dmp

Filesize
3.3MB

Download
memory/2656-62-0x0000000074930000-0x00000000750E0000-memory.dmp

Filesize
7.7MB

Download
memory/2656-60-0x0000000074930000-0x00000000750E0000-memory.dmp

Filesize
7.7MB

Download
memory/3532-77-0x0000000074930000-0x00000000750E0000-memory.dmp

Filesize
7.7MB

Download
memory/3532-0-0x000000007493E000-0x000000007493F000-memory.dmp

Filesize
4KB

Download
memory/3532-2-0x0000000074930000-0x00000000750E0000-memory.dmp

Filesize
7.7MB

Download
memory/3532-1-0x00000000006B0000-0x00000000006E0000-memory.dmp

Filesize
192KB

Download
memory/3532-44-0x0000000074930000-0x00000000750E0000-memory.dmp

Filesize
7.7MB

Download
memory/3532-43-0x000000007493E000-0x000000007493F000-memory.dmp

Filesize
4KB

Download
memory/4740-41-0x00000000072C0000-0x0000000007356000-memory.dmp

Filesize
600KB

Download
memory/4740-50-0x0000000004AE0000-0x0000000004AF0000-memory.dmp

Filesize
64KB

Download
memory/4740-25-0x000000006FEE0000-0x000000006FF2C000-memory.dmp

Filesize
304KB

Download
memory/4740-37-0x0000000006EE0000-0x0000000006F83000-memory.dmp

Filesize
652KB

Download
memory/4740-36-0x0000000074930000-0x00000000750E0000-memory.dmp

Filesize
7.7MB

Download
memory/4740-35-0x00000000062C0000-0x00000000062DE000-memory.dmp

Filesize
120KB

Download
memory/4740-38-0x0000000007680000-0x0000000007CFA000-memory.dmp

Filesize
6.5MB

Download
memory/4740-39-0x0000000007040000-0x000000000705A000-memory.dmp

Filesize
104KB

Download
memory/4740-40-0x00000000070B0000-0x00000000070BA000-memory.dmp

Filesize
40KB

Download
memory/4740-24-0x0000000074930000-0x00000000750E0000-memory.dmp

Filesize
7.7MB

Download
memory/4740-42-0x0000000007240000-0x0000000007251000-memory.dmp

Filesize
68KB

Download
memory/4740-22-0x0000000005D40000-0x0000000005D8C000-memory.dmp

Filesize
304KB

Download
memory/4740-21-0x0000000005D10000-0x0000000005D2E000-memory.dmp

Filesize
120KB

Download
memory/4740-45-0x0000000074930000-0x00000000750E0000-memory.dmp

Filesize
7.7MB

Download
memory/4740-46-0x0000000074930000-0x00000000750E0000-memory.dmp

Filesize
7.7MB

Download
memory/4740-47-0x0000000074930000-0x00000000750E0000-memory.dmp

Filesize
7.7MB

Download
memory/4740-48-0x0000000074930000-0x00000000750E0000-memory.dmp

Filesize
7.7MB

Download
memory/4740-23-0x00000000062E0000-0x0000000006312000-memory.dmp

Filesize
200KB

Download
memory/4740-51-0x0000000004B10000-0x0000000004B2A000-memory.dmp

Filesize
104KB

Download
memory/4740-52-0x0000000007450000-0x000000000747A000-memory.dmp

Filesize
168KB

Download
memory/4740-53-0x0000000007480000-0x00000000074A4000-memory.dmp

Filesize
144KB

Download
memory/4740-54-0x0000000074930000-0x00000000750E0000-memory.dmp

Filesize
7.7MB

Download
memory/4740-55-0x00000000022A0000-0x00000000022AE000-memory.dmp

Filesize
56KB

Download
memory/4740-58-0x0000000074930000-0x00000000750E0000-memory.dmp

Filesize
7.7MB

Download
memory/4740-20-0x0000000005880000-0x0000000005BD4000-memory.dmp

Filesize
3.3MB

Download
memory/4740-9-0x0000000005560000-0x00000000055C6000-memory.dmp

Filesize
408KB

Download
memory/4740-10-0x00000000055D0000-0x0000000005636000-memory.dmp

Filesize
408KB

Download
memory/4740-8-0x0000000004C50000-0x0000000004C72000-memory.dmp

Filesize
136KB

Download
memory/4740-7-0x0000000074930000-0x00000000750E0000-memory.dmp

Filesize
7.7MB

Download
memory/4740-6-0x0000000004F30000-0x0000000005558000-memory.dmp

Filesize
6.2MB

Download
memory/4740-5-0x0000000074930000-0x00000000750E0000-memory.dmp

Filesize
7.7MB

Download
memory/4740-4-0x0000000074930000-0x00000000750E0000-memory.dmp

Filesize
7.7MB

Download
memory/4740-3-0x0000000002400000-0x0000000002436000-memory.dmp

Filesize
216KB

Download