Analysis

Max time kernel: 147s
Max time network: 154s
Platform: windows10-2004_x64
Resource: win10v2004-20240319-en
Resource tags: arch:x64, arch:x86, image:win10v2004-20240319-en, locale:en-us, os:windows10-2004-x64, system
Submitted: 31-03-2024 20:13
Static task: static1
Behavioral task: behavioral1
Sample: 5d054d358e94c8b282b9c0e6ba2185c9_JaffaCakes118.exe
Resource: win7-20240221-en
General

Target: 5d054d358e94c8b282b9c0e6ba2185c9_JaffaCakes118.exe
Size: 550KB
MD5: 5d054d358e94c8b282b9c0e6ba2185c9
SHA1: 069c96d4a9fb1ed9eaf6acc8b5b410803b38b8de
SHA256: c53c1098e4621c2258d13bd6c36d95493343129c5846f6c0ca07c12565da843d
SHA512: 029518b8bf359508c02c5e0b1d108210549131ef25ec515c42cb09b2957b129fe83d5b0dfcc9a6a7436ef821145cec85ce0a9c9385eee1ffd809ef7c599aacfa
SSDEEP: 12288:fSNB3UxOvePX94GhfHxzWorVKcaJQocYnKrnSO:4ixTPX94YPrVKcaCochS
Malware Config (extracted)

Family: xloader
Version: 2.5
Campaign: sg5c
Domains (65 entries): XLoader contacts a set of decoy domains alongside its real C2 server to mask which one is live. Treat the whole list as indicators for blocking and hunting, but do not assume any single entry is the live C2; the report does not identify it.
chosenstoryto-detecttoday.info
eighthundredthousand.info
objectionportal.com
thelitsi.store
techbridgeassociates.com
noctilucaart.com
lift2.cloud
ureflective.com
tmongpil.com
hhhsccultum.quest
lzagc.com
jobs-fp.com
dalvarostyle.com
mushrelax.com
smokersoutletinc.com
centralenergi.com
bodepuro.com
no562.com
vintagechateauii.com
thriftyniftyandfine.com
danielanddistefano.com
86oo.com
sitchhair.com
miamorusa.com
gtkzjn.space
myjkirowerowe.com
nottryingdoing.com
kundedefender.com
leticiavquadros.com
elimibed.com
kare-inn.com
mmorpgheroes.net
holyolivestores.com
sandraksullivan.store
onehundredandseven.com
802eats.net
abdomenforuwk.xyz
reneehutchens.com
lvcustomers.com
mailm8.net
gpklogistech.com
millionairelifestlye.com
betterturkeyresidency.com
trixie-washington.com
taxactlon.biz
egeguzel.com
kellid.com
jandthebees.com
horsesapp.net
paksepet.com
kodkitchen.com
queenslandspirits.com
skyhighhumidify.com
bestofsydney.info
thesexygodessway.com
grandwincasinos.com
atrapatusalon.com
fellasies.com
surewin8.com
gunpowderbrahmans.com
countrycomfortlpggas.xyz
elegancymoda.store
igotfish.com
telehealthusaorg.com
maquinadevendasonlinegrt.com
Signatures

Xloader payload (1 IoC)
Resource: behavioral2/memory/2872-11-0x0000000000400000-0x0000000000429000-memory.dmp
YARA rule: xloader
The rule matched a memory dump of PID 2872, the child process, over the 0x400000-0x429000 range. That is where the unpacked payload lives, so memory acquisition for this sample should target the child, not the parent.

Suspicious use of SetThreadContext (1 IoC)
PID 4160 (5d054d358e94c8b282b9c0e6ba2185c9_JaffaCakes118.exe) set thread context of PID 2872 (5d054d358e94c8b282b9c0e6ba2185c9_JaffaCakes118.exe)

Suspicious behavior: EnumeratesProcesses (3 IoCs)
PID 2872 (5d054d358e94c8b282b9c0e6ba2185c9_JaffaCakes118.exe), three occurrences

Suspicious use of WriteProcessMemory (6 IoCs)
PID 4160 (5d054d358e94c8b282b9c0e6ba2185c9_JaffaCakes118.exe) wrote to memory of PID 2872 (5d054d358e94c8b282b9c0e6ba2185c9_JaffaCakes118.exe), six occurrences

Taken together these signatures are the process-hollowing sequence: the parent (4160) launches a second copy of its own executable (2872), overwrites the child's memory with six WriteProcessMemory calls, then redirects execution with SetThreadContext. The process enumeration is then performed from the injected child, which is also where the xloader YARA rule fired.
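The three cross-process signatures above form a single injection chain. As an added example that is not part of the sandbox report or of any XLoader tooling, the Python below replays constructed events that mirror the report (parent 4160 writes into child 2872 six times, then resets its thread context) and flags the hollowing pattern. The record layout, the `api` strings and the function names are assumptions, not a real sandbox export format; the PIDs and paths are taken from the report.

```python
"""Detect the process-hollowing sequence from the sandbox signatures above.

Added example, not part of the sandbox report. The process table and API
events are constructed to mirror the report (parent 4160 -> child 2872, six
WriteProcessMemory calls, then one SetThreadContext); the record layout and
the `api` strings are assumptions, not a real sandbox export format.
"""
from collections import defaultdict
from dataclasses import dataclass

SAMPLE_PATH = (r"C:\Users\Admin\AppData\Local\Temp"
               r"\5d054d358e94c8b282b9c0e6ba2185c9_JaffaCakes118.exe")

# Constructed process table: pid -> (parent pid, image path), from the report's tree
PROCESSES = {
    4160: (None, SAMPLE_PATH),
    2872: (4160, SAMPLE_PATH),
    1612: (None, r"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"),
}

# Constructed cross-process API events as (source pid, api, target pid), in call order
EVENTS = [(4160, "WriteProcessMemory", 2872)] * 6 + [(4160, "SetThreadContext", 2872)]


@dataclass(frozen=True)
class Finding:
    source: int            # pid that performed the injection
    target: int            # pid that was written to and redirected
    writes: int            # WriteProcessMemory calls seen before the context reset
    same_image: bool       # both pids run the same executable (self-injection)
    child_of_source: bool  # target was spawned by source


def detect_hollowing(processes, events):
    """Return a Finding for every (source, target) pair where the source wrote
    into the target at least once and afterwards called SetThreadContext on it.

    Order is enforced: a SetThreadContext with no prior writes is not hollowing
    (a debugger attaching looks like that), and writes after the context reset
    are not counted. Same-pid events are ignored; in-process context changes
    are benign.
    """
    writes = defaultdict(int)
    hollowed = {}  # (source, target) -> True, in confirmation order
    for src, api, dst in events:
        if src == dst:
            continue
        key = (src, dst)
        if key in hollowed:
            continue
        if api == "WriteProcessMemory":
            writes[key] += 1
        elif api == "SetThreadContext" and writes[key] > 0:
            hollowed[key] = True

    findings = []
    for src, dst in hollowed:
        _, src_image = processes.get(src, (None, None))
        dst_parent, dst_image = processes.get(dst, (None, None))
        findings.append(Finding(
            source=src,
            target=dst,
            writes=writes[(src, dst)],
            same_image=src_image is not None and src_image == dst_image,
            child_of_source=dst_parent == src,
        ))
    return findings


def describe(finding):
    """One-line triage summary for a Finding."""
    flavour = ("self-injection into a copy of its own image" if finding.same_image
               else "injection into a different image")
    relation = "a child" if finding.child_of_source else "not a child"
    return (f"PID {finding.source} hollowed PID {finding.target}: "
            f"{finding.writes} write(s) then SetThreadContext; {flavour}; "
            f"target is {relation} of source")


if __name__ == "__main__":
    for f in detect_hollowing(PROCESSES, EVENTS):
        print(describe(f))
```

Run stand-alone it prints one line for the 4160 -> 2872 pair. The ordering check (writes before the context reset) is what keeps a bare SetThreadContext, as a debugger issues, from being flagged; the same-image and parent-child flags are what mark this as the self-injection variant seen in the report rather than injection into an unrelated host process.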
Processes

C:\Users\Admin\AppData\Local\Temp\5d054d358e94c8b282b9c0e6ba2185c9_JaffaCakes118.exe (PID 4160)
    Command line: "C:\Users\Admin\AppData\Local\Temp\5d054d358e94c8b282b9c0e6ba2185c9_JaffaCakes118.exe"
    Signatures: Suspicious use of SetThreadContext; Suspicious use of WriteProcessMemory
    \_ C:\Users\Admin\AppData\Local\Temp\5d054d358e94c8b282b9c0e6ba2185c9_JaffaCakes118.exe (PID 2872)
        Command line: "C:\Users\Admin\AppData\Local\Temp\5d054d358e94c8b282b9c0e6ba2185c9_JaffaCakes118.exe"
        Signatures: Suspicious behavior: EnumeratesProcesses

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 1612)
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=2188 --field-trial-handle=2260,i,11662483365823245381,11064702639240765741,262144 --variations-seed-version /prefetch:8
    Separate root in the tree, not a child of the sample, and carries no signatures.