Analysis

max time kernel: 118s
max time network: 122s
platform: windows7_x64
resource: win7-20240221-en
resource tags: arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
submitted: 31-03-2024 20:13

Static task: static1
Behavioral task: behavioral1
  Sample: 5d054d358e94c8b282b9c0e6ba2185c9_JaffaCakes118.exe
  Resource: win7-20240221-en
General

Target: 5d054d358e94c8b282b9c0e6ba2185c9_JaffaCakes118.exe
Size: 550KB
MD5: 5d054d358e94c8b282b9c0e6ba2185c9
SHA1: 069c96d4a9fb1ed9eaf6acc8b5b410803b38b8de
SHA256: c53c1098e4621c2258d13bd6c36d95493343129c5846f6c0ca07c12565da843d
SHA512: 029518b8bf359508c02c5e0b1d108210549131ef25ec515c42cb09b2957b129fe83d5b0dfcc9a6a7436ef821145cec85ce0a9c9385eee1ffd809ef7c599aacfa
SSDEEP: 12288:fSNB3UxOvePX94GhfHxzWorVKcaJQocYnKrnSO:4ixTPX94YPrVKcaCochS
Malware Config

Extracted
Family: xloader
Version: 2.5
Campaign: sg5c
Domains (65 entries). XLoader/Formbook configs embed the live C2 among decoy domains, many of them legitimate sites, so confirm the active one from the sample's network traffic before treating this list as a blocklist:
chosenstoryto-detecttoday.info
eighthundredthousand.info
objectionportal.com
thelitsi.store
techbridgeassociates.com
noctilucaart.com
lift2.cloud
ureflective.com
tmongpil.com
hhhsccultum.quest
lzagc.com
jobs-fp.com
dalvarostyle.com
mushrelax.com
smokersoutletinc.com
centralenergi.com
bodepuro.com
no562.com
vintagechateauii.com
thriftyniftyandfine.com
danielanddistefano.com
86oo.com
sitchhair.com
miamorusa.com
gtkzjn.space
myjkirowerowe.com
nottryingdoing.com
kundedefender.com
leticiavquadros.com
elimibed.com
kare-inn.com
mmorpgheroes.net
holyolivestores.com
sandraksullivan.store
onehundredandseven.com
802eats.net
abdomenforuwk.xyz
reneehutchens.com
lvcustomers.com
mailm8.net
gpklogistech.com
millionairelifestlye.com
betterturkeyresidency.com
trixie-washington.com
taxactlon.biz
egeguzel.com
kellid.com
jandthebees.com
horsesapp.net
paksepet.com
kodkitchen.com
queenslandspirits.com
skyhighhumidify.com
bestofsydney.info
thesexygodessway.com
grandwincasinos.com
atrapatusalon.com
fellasies.com
surewin8.com
gunpowderbrahmans.com
countrycomfortlpggas.xyz
elegancymoda.store
igotfish.com
telehealthusaorg.com
maquinadevendasonlinegrt.com
Signatures

Xloader payload (1 IoC)
  YARA rule xloader matched memory dump behavioral1/memory/1484-13-0x0000000000400000-0x0000000000429000-memory.dmp (PID 1484, region 0x00400000-0x00429000)

Suspicious use of SetThreadContext (1 IoC)
  PID 2852 (5d054d358e94c8b282b9c0e6ba2185c9_JaffaCakes118.exe) set thread context of PID 1484 (5d054d358e94c8b282b9c0e6ba2185c9_JaffaCakes118.exe)

Suspicious behavior: EnumeratesProcesses (1 IoC)
  PID 1484 (5d054d358e94c8b282b9c0e6ba2185c9_JaffaCakes118.exe)

Suspicious use of WriteProcessMemory (7 IoCs)
  PID 2852 (5d054d358e94c8b282b9c0e6ba2185c9_JaffaCakes118.exe) wrote to memory of PID 1484 (5d054d358e94c8b282b9c0e6ba2185c9_JaffaCakes118.exe), 7 events

Taken together these are the process-hollowing / self-injection pattern: the parent spawns a child running its own image, writes into it with WriteProcessMemory and redirects the child's thread with SetThreadContext, and the xloader YARA hit lands in that child's memory (PID 1484), which is where the unpacked payload should be dumped from.
Processes

C:\Users\Admin\AppData\Local\Temp\5d054d358e94c8b282b9c0e6ba2185c9_JaffaCakes118.exe (PID 2852)
  Command line: "C:\Users\Admin\AppData\Local\Temp\5d054d358e94c8b282b9c0e6ba2185c9_JaffaCakes118.exe"
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  └ C:\Users\Admin\AppData\Local\Temp\5d054d358e94c8b282b9c0e6ba2185c9_JaffaCakes118.exe (PID 1484, child of 2852)
      Command line: "C:\Users\Admin\AppData\Local\Temp\5d054d358e94c8b282b9c0e6ba2185c9_JaffaCakes118.exe"
      - Suspicious behavior: EnumeratesProcesses
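Added example, not part of the sandbox report: a small correlation script that flags the write-then-SetThreadContext pattern in behaviour events and ties the YARA hit on the memory dump back to the injection target. The events are re-typed from the Signatures section and process tree above (PID 2852 -> PID 1484); the record fields (api, pid, image, target_pid), the dump-name regex and the function names are assumptions about how such a report might be serialised, not a sandbox API.

```python
"""Correlate sandbox behaviour events with an in-memory YARA hit.

Added example, not part of the sandbox report. Event records are constructed
from the report's Signatures section and process tree; field names and the
dump-name convention are assumptions, not a real sandbox API.
"""
import re
from collections import defaultdict
from typing import Dict, List, NamedTuple, Optional


class Event(NamedTuple):
    api: str
    pid: int
    image: str
    target_pid: Optional[int] = None  # None for events without a target process


SAMPLE = "5d054d358e94c8b282b9c0e6ba2185c9_JaffaCakes118.exe"

# Constructed from the report: the parent (2852) spawns a child (1484) running
# the same image, writes to it seven times and sets its thread context once.
EVENTS: List[Event] = [
    Event("CreateProcess", 2852, SAMPLE, 1484),
    *[Event("WriteProcessMemory", 2852, SAMPLE, 1484) for _ in range(7)],
    Event("SetThreadContext", 2852, SAMPLE, 1484),
]
PROCESS_IMAGES: Dict[int, str] = {2852: SAMPLE, 1484: SAMPLE}

# Assumed naming convention for memory-dump resources, modelled on the report's
# "behavioral1/memory/1484-13-0x0000000000400000-0x0000000000429000-memory.dmp".
DUMP_RE = re.compile(
    r"(?P<pid>\d+)-(?P<seq>\d+)-0x(?P<start>[0-9a-fA-F]+)-0x(?P<end>[0-9a-fA-F]+)-memory\.dmp$"
)


def parse_dump_name(resource: str) -> Dict[str, int]:
    """Extract the PID and address range encoded in a memory-dump resource name."""
    m = DUMP_RE.search(resource)
    if m is None:
        raise ValueError(f"not a memory dump resource: {resource}")
    return {"pid": int(m["pid"]), "start": int(m["start"], 16), "end": int(m["end"], 16)}


def find_hollowing(events: List[Event], images: Dict[int, str]) -> List[Dict]:
    """Flag source->target pairs where a process wrote into another process AND
    redirected one of its threads with SetThreadContext.

    Either API alone is noisy (debuggers, crash handlers, installers touch child
    processes); it is the combination on the same pair that marks injection.
    """
    writes: Dict[tuple, int] = defaultdict(int)
    context_sets = set()
    for ev in events:
        if ev.target_pid is None:
            continue
        pair = (ev.pid, ev.target_pid)
        if ev.api == "WriteProcessMemory":
            writes[pair] += 1
        elif ev.api == "SetThreadContext":
            context_sets.add(pair)
    findings = []
    for src, dst in sorted(context_sets):
        if writes[(src, dst)] == 0:
            continue
        findings.append({
            "source_pid": src,
            "target_pid": dst,
            "writes": writes[(src, dst)],
            # Same image on both sides is the self-injection variant in this report.
            "same_image": images.get(src) == images.get(dst),
        })
    return findings


def correlate_yara_hit(resource: str, rule: str, findings: List[Dict]) -> Optional[Dict]:
    """Tie a YARA hit on a memory dump back to the injection that produced it:
    the dump's PID must be the target of a flagged write+SetThreadContext pair."""
    dump = parse_dump_name(resource)
    for f in findings:
        if f["target_pid"] == dump["pid"]:
            return {
                "rule": rule,
                "pid": dump["pid"],
                "injected_by": f["source_pid"],
                "region_start": dump["start"],
                "region_size": dump["end"] - dump["start"],
            }
    return None


if __name__ == "__main__":
    hits = find_hollowing(EVENTS, PROCESS_IMAGES)
    print(hits)
    print(correlate_yara_hit(
        "behavioral1/memory/1484-13-0x0000000000400000-0x0000000000429000-memory.dmp",
        "xloader", hits))
```

Run as-is it reports one finding (2852 -> 1484, 7 writes, same image) and links the xloader hit to PID 1484 with a 0x29000-byte region starting at 0x400000; a dump for any other PID, or writes with no matching SetThreadContext, produce nothing, which is the point of requiring the pair.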