Analysis
max time kernel: 120s
max time network: 131s
platform: windows7_x64
resource: win7-20240221-en
resource tags: arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
submitted: 31-03-2024 21:01
Static task: static1
Behavioral task: behavioral1
- Sample: 5e14cab7735db2f831e80c7b51254405_JaffaCakes118.exe
- Resource: win7-20240221-en
Behavioral task: behavioral2
- Sample: 5e14cab7735db2f831e80c7b51254405_JaffaCakes118.exe
- Resource: win10v2004-20240226-en
General
Target: 5e14cab7735db2f831e80c7b51254405_JaffaCakes118.exe
Size: 346KB
MD5: 5e14cab7735db2f831e80c7b51254405
SHA1: 61957df403a09153c60e1b0789c449fa3786d657
SHA256: b6c03a67716ee57c51bb9b400fe294f2fdc3e996ec1afdeeb820553796c00c31
SHA512: cde0d5e8d673502eb432e4dbc13115be99ad32631b5f6f78517dc176e01e40a0e9f1950d078359a653ce94e3d1feb77990d7ea5fab107298627e29a389253754
SSDEEP: 6144:CBFYXmW1WV5kjpzmfxIjdjJ5AuIUvvWkhIFUnLmUjEdPJN6:CsXHEkcGjBXfvvvvYUnNEdPJA
Malware Config
Extracted
Family: xloader
Version: 2.5
Campaign: p0on
Signatures
Xloader payload (1 IoC)
- behavioral1/memory/1056-22-0x0000000000400000-0x0000000000429000-memory.dmp matched YARA rule xloader
Suspicious use of SetThreadContext (1 IoC)
- PID 2876 (5e14cab7735db2f831e80c7b51254405_JaffaCakes118.exe) set thread context of PID 1056 (RegSvcs.exe)
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).
Program crash (1 IoC)
- PID 1304 (WerFault.exe), target PID 1056 (RegSvcs.exe)
Creates scheduled task(s) (1 TTP, 1 IoC)
Schtasks is often used by malware for persistence or to perform post-infection execution.
Modifies Internet Explorer settings (1 IoC)
- 5e14cab7735db2f831e80c7b51254405_JaffaCakes118.exe: key created \REGISTRY\USER\S-1-5-21-778096762-2241304387-192235952-1000\Software\Microsoft\Internet Explorer\Main
Suspicious behavior: EnumeratesProcesses (7 IoCs)
- PID 2876 (5e14cab7735db2f831e80c7b51254405_JaffaCakes118.exe): 6 events
- PID 2520 (powershell.exe): 1 event
Suspicious use of AdjustPrivilegeToken (2 IoCs)
- PID 2876 (5e14cab7735db2f831e80c7b51254405_JaffaCakes118.exe): Token: SeDebugPrivilege
- PID 2520 (powershell.exe): Token: SeDebugPrivilege
Suspicious use of SetWindowsHookEx (2 IoCs)
- PID 2876 (5e14cab7735db2f831e80c7b51254405_JaffaCakes118.exe): 2 events
Suspicious use of WriteProcessMemory (22 IoCs)
- PID 2876 (5e14cab7735db2f831e80c7b51254405_JaffaCakes118.exe) wrote to memory of PID 2520 (powershell.exe): 4 events
- PID 2876 (5e14cab7735db2f831e80c7b51254405_JaffaCakes118.exe) wrote to memory of PID 1784 (schtasks.exe): 4 events
- PID 2876 (5e14cab7735db2f831e80c7b51254405_JaffaCakes118.exe) wrote to memory of PID 1056 (RegSvcs.exe): 10 events
- PID 1056 (RegSvcs.exe) wrote to memory of PID 1304 (WerFault.exe): 4 events
Processes
C:\Users\Admin\AppData\Local\Temp\5e14cab7735db2f831e80c7b51254405_JaffaCakes118.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\5e14cab7735db2f831e80c7b51254405_JaffaCakes118.exe"
  PID: 2876
  - Suspicious use of SetThreadContext
  - Modifies Internet Explorer settings
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\5e14cab7735db2f831e80c7b51254405_JaffaCakes118.exe"
    PID: 2520
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
  C:\Windows\SysWOW64\schtasks.exe
    command line: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\XrSZHwvxtOgA" /XML "C:\Users\Admin\AppData\Local\Temp\tmp23F5.tmp"
    PID: 1784
    - Creates scheduled task(s)
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
    command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
    PID: 1056
    - Suspicious use of WriteProcessMemory
    C:\Windows\SysWOW64\WerFault.exe
      command line: C:\Windows\SysWOW64\WerFault.exe -u -p 1056 -s 36
      PID: 1304
      - Program crash