Analysis

max time kernel: 143s
max time network: 151s
platform: windows10-2004_x64
resource: win10v2004-20240226-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240226-en, locale:en-us, os:windows10-2004-x64, system
submitted: 01-04-2024 22:38

Static task: static1
Behavioral task: behavioral1
Sample: 7c48d5a7ae49ca4649503c6b41699d50_JaffaCakes118.exe
Resource: win7-20240220-en
General

Target: 7c48d5a7ae49ca4649503c6b41699d50_JaffaCakes118.exe
Size: 389KB
MD5: 7c48d5a7ae49ca4649503c6b41699d50
SHA1: a69ed59d393ee4929668a83323853ea752330c94
SHA256: 6d9669eccc50a3331c3138b4649edfe5e5096693ab4647696d5e1075c95b8fbf
SHA512: a9a5dba7d5e21394c32d7d95b15b79ff3131121f478d469cdebbf06b49219e6e5fd230698f3bca550a5175a88a7f1f9f634644396d4ebcd0d13580a9dada3417
SSDEEP: 12288:TK1Gta0NmUDWVqLbHLJElYIx+ZCW6OP62IIs:Tr7NkVqPHLJECGWM2IIs
Malware Config (extracted)

Family: xloader
Version: 2.5
Campaign: g53s
Domains:
kosnac.com
tujaso.com
handmadealtrimenti.com
txclaimsguy.com
newonedrivedocc.com
11t.xyz
shawnliang.tech
worldigger.com
lesgitar.online
winlanddepot.xyz
mofangxx.store
8ls-world.com
localrelics.com
piccadeliquickup.com
rhinogroup.online
hxrhorend.quest
avtfitness.com
oakabbey.net
presox.com
bluegreendi.com
noonshop72.com
terkyz.xyz
aerialnft.xyz
alskdfalskdf.com
kocaeli-digital.com
cerulean.media
sakthiadvancesystems.com
avielman.com
thechicentrepreneur.com
doralgomed.com
warehamcrossings.com
scotsafealarms.com
524571.com
shoppernft.com
narrativecontracting.com
bakirciticaret.com
moneythrust.com
hackthework.com
goldenversatility.com
mgav13.xyz
dp1game.com
rockalps.com
pinmagix.com
santahat.party
stoneequiprnent.com
qarandhis.com
moussevision.com
darlingdesignstore.com
gemutlichkeit.info
j497.com
pitch9.com
codingismining.com
dtmcard.com
fellasies.com
djdidinooeijduuji.com
freayabnnd.com
gaalli.xyz
mnselfservice.com
dkaobrand.com
tactical-resiliency.com
daltem.com
c23spfx.com
shopbonnetsbybri.com
xana-ana.com
anysignals.net
Signatures

Xloader payload (1 IoC)
  resource: behavioral2/memory/4872-11-0x0000000000400000-0x0000000000429000-memory.dmp
  yara_rule: xloader

Suspicious use of SetThreadContext (1 IoC)
  description: PID 4708 set thread context of 4872
  process: 4708 7c48d5a7ae49ca4649503c6b41699d50_JaffaCakes118.exe
  target process: 7c48d5a7ae49ca4649503c6b41699d50_JaffaCakes118.exe

Suspicious behavior: EnumeratesProcesses (9 IoCs)
  pid 4708 7c48d5a7ae49ca4649503c6b41699d50_JaffaCakes118.exe (7 events)
  pid 4872 7c48d5a7ae49ca4649503c6b41699d50_JaffaCakes118.exe (2 events)

Suspicious use of AdjustPrivilegeToken (1 IoC)
  description: Token: SeDebugPrivilege
  process: 4708 7c48d5a7ae49ca4649503c6b41699d50_JaffaCakes118.exe

Suspicious use of WriteProcessMemory (6 IoCs)
  description: PID 4708 wrote to memory of 4872 (6 events)
  process: 4708 7c48d5a7ae49ca4649503c6b41699d50_JaffaCakes118.exe
  target process: 7c48d5a7ae49ca4649503c6b41699d50_JaffaCakes118.exe
Processes

C:\Users\Admin\AppData\Local\Temp\7c48d5a7ae49ca4649503c6b41699d50_JaffaCakes118.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\7c48d5a7ae49ca4649503c6b41699d50_JaffaCakes118.exe"
  PID: 4708
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory

  (child) C:\Users\Admin\AppData\Local\Temp\7c48d5a7ae49ca4649503c6b41699d50_JaffaCakes118.exe
    command line: "C:\Users\Admin\AppData\Local\Temp\7c48d5a7ae49ca4649503c6b41699d50_JaffaCakes118.exe"
    PID: 4872
    - Suspicious behavior: EnumeratesProcesses

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=4068 --field-trial-handle=2236,i,5367110156796017614,12594004256180761011,262144 --variations-seed-version /prefetch:8
  PID: 4080