Analysis
Max time kernel: 155s
Max time network: 158s
Platform: windows10-2004_x64
Resource: win10v2004-20240226-en
Resource tags: arch:x64, arch:x86, image:win10v2004-20240226-en, locale:en-us, os:windows10-2004-x64, system
Submitted: 29/03/2024, 08:51
Static task: static1
Behavioral task behavioral1
  Sample: 1dbf7e4b0bfbfbaa955a52f01d5ec385_JaffaCakes118.exe
  Resource: win7-20240221-en
Behavioral task behavioral2
  Sample: 1dbf7e4b0bfbfbaa955a52f01d5ec385_JaffaCakes118.exe
  Resource: win10v2004-20240226-en
Behavioral task behavioral3
  Sample: $PLUGINSDIR/bckkx.dll
  Resource: win7-20240319-en
General
Target: $PLUGINSDIR/bckkx.dll
Size: 42KB
MD5: eaddca0182a37dcadc481a26307ad111
SHA1: a7aef3dcbd7fffedc716dc70610a1f0f62fcaf42
SHA256: a62639b271e480d9aa28d50945051ae35577711d95702f270060d809b062bb56
SHA512: 9409069ca080c0170a70ec7e5baf7dd4c959362c9f540d525f45644ed95012f87b6818b16085bff2e1ae843281be97183372b8b0721673720bb76e93a5704c3d
SSDEEP: 768:Tk9vanYHr7T9FE4FiAGKzgVTpQJTvRTyzFEjuRAkwYY7m6:Tk9uYL7hVG1amFEjuRAFYY7m6
Malware Config
Extracted
  Family: xloader
  Version: 2.5
  Campaign: dgt9
Signatures
Xloader payload (4 IoCs)
  yara_rule xloader: behavioral4/memory/3308-1-0x0000000000400000-0x0000000000429000-memory.dmp
  yara_rule xloader: behavioral4/memory/3308-5-0x0000000000400000-0x0000000000429000-memory.dmp
  yara_rule xloader: behavioral4/memory/4784-11-0x0000000000760000-0x0000000000789000-memory.dmp
  yara_rule xloader: behavioral4/memory/4784-13-0x0000000000760000-0x0000000000789000-memory.dmp
Suspicious use of SetThreadContext (3 IoCs)
  PID 4092 (rundll32.exe) set thread context of PID 3308 (target procid 88)
  PID 3308 (rundll32.exe) set thread context of PID 3492 (target procid 57)
  PID 4784 (rundll32.exe) set thread context of PID 3492 (target procid 57)
Suspicious behavior: EnumeratesProcesses (62 IoCs)
  PID 3308 rundll32.exe: 4 events
  PID 4784 rundll32.exe: 58 events
Suspicious behavior: MapViewOfSection (5 IoCs)
  PID 3308 rundll32.exe: 3 events
  PID 4784 rundll32.exe: 2 events
Suspicious use of AdjustPrivilegeToken (2 IoCs)
  Token: SeDebugPrivilege, PID 3308 rundll32.exe
  Token: SeDebugPrivilege, PID 4784 rundll32.exe
Suspicious use of UnmapMainImage (1 IoC)
  PID 3492 Explorer.EXE
Suspicious use of WriteProcessMemory (15 IoCs)
  PID 2344 (rundll32.exe) wrote to memory of PID 4092 (target procid 85): 3 events
  PID 4092 (rundll32.exe) wrote to memory of PID 3308 (target procid 88): 6 events
  PID 3492 (Explorer.EXE) wrote to memory of PID 4784 (target procid 90): 3 events
  PID 4784 (rundll32.exe) wrote to memory of PID 4136 (target procid 95): 3 events
Processes
C:\Windows\Explorer.EXE  (PID 3492)
  command line: C:\Windows\Explorer.EXE
  signatures: Suspicious use of UnmapMainImage; Suspicious use of WriteProcessMemory
  C:\Windows\system32\rundll32.exe  (PID 2344)
    command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\bckkx.dll,#1
    signatures: Suspicious use of WriteProcessMemory
    C:\Windows\SysWOW64\rundll32.exe  (PID 4092)
      command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\bckkx.dll,#1
      signatures: Suspicious use of SetThreadContext; Suspicious use of WriteProcessMemory
      C:\Windows\SysWOW64\rundll32.exe  (PID 3308)
        command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\bckkx.dll,#1
        signatures: Suspicious use of SetThreadContext; Suspicious behavior: EnumeratesProcesses; Suspicious behavior: MapViewOfSection; Suspicious use of AdjustPrivilegeToken
  C:\Windows\SysWOW64\rundll32.exe  (PID 4784)
    command line: "C:\Windows\SysWOW64\rundll32.exe"
    signatures: Suspicious use of SetThreadContext; Suspicious behavior: EnumeratesProcesses; Suspicious behavior: MapViewOfSection; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
    C:\Windows\SysWOW64\cmd.exe  (PID 4136)
      command line: /c del "C:\Windows\SysWOW64\rundll32.exe"