Automated Malware Analysis IOC Report for

Processes

Path

Cmdline

Malicious

C:\Users\user\Desktop\cake.exe

"C:\Users\user\Desktop\cake.exe"

Details

Is windows:	false
Is dropped:	false
PID:	5144
Target ID:	0
Parent PID:	1028
Name:	cake.exe
Path:	C:\Users\user\Desktop\cake.exe
Commandline:	"C:\Users\user\Desktop\cake.exe"
Size:	33280
MD5:	D64C3A1236EED6BA90305DCB38F92F6C
Time:	13:14:02
Date:	25/09/2024
Reason:	newprocess
Reputation:	low
Is admin:	true
Is elevated:	true
Modulebase:	0x70000
Modulesize:	57344
Wow64:	false

Signature Hits	Behavior Group	Mitre Attack
Antivirus / Scanner detection for submitted sample	AV Detection
Found malware configuration	AV Detection
Multi AV Scanner detection for submitted file	AV Detection
Yara detected XWorm	Stealing of Sensitive Information, Remote Access Functionality
Machine Learning detection for sample	AV Detection
Sample uses string decryption to hide its real strings	AV Detection
Queries the volume information (name, serial number etc) of a device	Language, Device and Operating System Detection	System Information Discovery
Sample file is different than original file name gathered from version info	System Summary
Uses 32bit PE files	Compliance, System Summary
PE file has an executable .text section and no other executable section	System Summary
Parts of this applications are using the .NET runtime (Probably coded in C#)	System Summary
Sample is known by Antivirus	System Summary
Contains modern PE file flags such as dynamic base (ASLR) or NX	Compliance, System Summary
PE file contains a COM descriptor data directory	System Summary

URLs

Name

Malicious

vecotr.viewdns.net

Details

Name:	vecotr.viewdns.net
TargetID:	0
From Memory:	false
Current Path:	C:\Users\user\Desktop\cake.exe
Source:	config extractor

Signature Hits	Behavior Group	Mitre Attack
Found malware configuration	AV Detection
C2 URLs / IPs found in malware configuration	Networking	Application Layer Protocol
Sample uses string decryption to hide its real strings	AV Detection
Performs DNS lookups	Networking	Application Layer Protocol Non-Application Layer Protocol

http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name

unknown

Domains

Name

Malicious

vecotr.viewdns.net

163.5.112.71

Details

Name:	vecotr.viewdns.net
IP:	163.5.112.71
TargetID:	-1
Active:	true

Signature Hits	Behavior Group	Mitre Attack
Found malware configuration	AV Detection
Suricata IDS alerts for network traffic	Networking
C2 URLs / IPs found in malware configuration	Networking	Application Layer Protocol
Sample uses string decryption to hide its real strings	AV Detection
Detected TCP or UDP traffic on non-standard ports	Networking	Non-Standard Port
Performs DNS lookups	Networking	Application Layer Protocol Non-Application Layer Protocol

IPs

Domain

Country

Malicious

163.5.112.71

vecotr.viewdns.net

France

Details

IP:	163.5.112.71
TargetID:	0
Current Path:	C:\Users\user\Desktop\cake.exe
Country:	France
Countrycode:	FRA
ASN number:	56339
ASN name:	EPITECHFR
Private:	false
Domain:	vecotr.viewdns.net

Signature Hits	Behavior Group	Mitre Attack
Suricata IDS alerts for network traffic	Networking
Detected TCP or UDP traffic on non-standard ports	Networking	Non-Standard Port

Memdumps

Base Address

Regiontype

Protect

Malicious

72000

unkown

page readonly

8B0000

heap

page read and write

1ABB3000

heap

page read and write

7FF848D6D000

trusted library allocation

page execute and read and write

1AFBE000

stack

page read and write

1AB7E000

stack

page read and write

1B0BF000

stack

page read and write

1ABB0000

heap

page read and write

220E000

stack

page read and write

1A599000

heap

page read and write

400000

heap

page read and write

1B86C000

stack

page read and write

1ADB4000

stack

page read and write

406000

heap

page read and write

7FF848E10000

trusted library allocation

page execute and read and write

7FF848E00000

trusted library allocation

page read and write

7FF848E36000

trusted library allocation

page execute and read and write

1B96C000

stack

page read and write

500000

heap

page read and write

7FF848D7D000

trusted library allocation

page execute and read and write

920000

heap

page execute and read and write

40C000

heap

page read and write

7FF848D62000

trusted library allocation

page read and write

600000

heap

page read and write

8C3000

trusted library allocation

page read and write

431000

heap

page read and write

7FF848D60000

trusted library allocation

page read and write

7FF487CD0000

trusted library allocation

page execute and read and write

5E0000

heap

page read and write

7FF848D54000

trusted library allocation

page read and write

1B270000

heap

page read and write

70000

unkown

page readonly

1ACBA000

stack

page read and write

1B4000

stack

page read and write

1AAE0000

heap

page read and write

7FF848D70000

trusted library allocation

page read and write

7FF848D50000

trusted library allocation

page read and write

444000

heap

page read and write

1B56C000

stack

page read and write

7FF848D53000

trusted library allocation

page execute and read and write

4CC000

heap

page read and write

1B0F3000

heap

page read and write

7FF848D5D000

trusted library allocation

page execute and read and write

46E000

heap

page read and write

965000

heap

page read and write

12218000

trusted library allocation

page read and write

1AEBF000

stack

page read and write

7FF848E70000

trusted library allocation

page execute and read and write

7FF848DAC000

trusted library allocation

page execute and read and write

670000

trusted library allocation

page read and write

695000

heap

page read and write

8A0000

trusted library allocation

page read and write

7FF848D74000

trusted library allocation

page read and write

1B0C0000

heap

page read and write

434000

heap

page read and write

620000

heap

page read and write

1B76A000

stack

page read and write

2255000

trusted library allocation

page read and write

12211000

trusted library allocation

page read and write

8C0000

trusted library allocation

page read and write

1B1FE000

stack

page read and write

70000

unkown

page readonly

7FF848EF0000

trusted library allocation

page read and write

1A79C000

stack

page read and write

4F0000

heap

page read and write

442000

heap

page read and write

42C000

heap

page read and write

7FF848E0C000

trusted library allocation

page execute and read and write

1A240000

trusted library allocation

page read and write

1AB30000

heap

page execute and read and write

960000

heap

page read and write

690000

heap

page read and write

2211000

trusted library allocation

page read and write

7FF848E06000

trusted library allocation

page read and write

79F000

stack

page read and write

89E000

stack

page read and write

There are 66 hidden memdumps, click here to show them.

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

IOC Report
cake.exe

Processes

URLs

Domains

IPs

Memdumps

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

IOC Reportcake.exe

Processes

URLs

Domains

IPs

Memdumps

IOC Report
cake.exe