Analysis
-
max time kernel
118s -
max time network
119s -
platform
windows7_x64 -
resource
win7-20231129-en -
resource tags
arch:x64arch:x86image:win7-20231129-enlocale:en-usos:windows7-x64system -
submitted
01-04-2024 23:57
Static task
static1
Behavioral task
behavioral1
Sample
7ddf9139b29b7b35647dfa9e585023de_JaffaCakes118.exe
Resource
win7-20231129-en
Behavioral task
behavioral2
Sample
7ddf9139b29b7b35647dfa9e585023de_JaffaCakes118.exe
Resource
win10v2004-20240226-en
General
-
Target
7ddf9139b29b7b35647dfa9e585023de_JaffaCakes118.exe
-
Size
397KB
-
MD5
7ddf9139b29b7b35647dfa9e585023de
-
SHA1
ff9455ae69b531bf1864ece4ab90dd8186f1ae28
-
SHA256
4e9cb6e83b7ea6e353bafe82262c6b1c1de8a5fb5517fa8bd8bd80b353ca472d
-
SHA512
a4e66072f3bbb32e6f5594065eba358a05113c7e56b3e149c68dfd4905661489385af03e9a1d89d9c087a856a88c5ee699fc3c6f9a212962856988c89a81aad2
-
SSDEEP
6144:agwqt/BtMSCT/xmu9DC1pZbpUhiGYcpskR+8O57P7/CpYQCbszjY:AqSSEUKDC15BGJekR+77lQ94
Malware Config
Extracted
xloader
2.5
sw39
ashwinpokharel.com
bzsxlaw.com
know-christ.com
findevinsurance.com
greenlink-engineering.com
poseidonvips.com
thebrandstudiointernational.com
airkrol.com
callofdutytool.xyz
anthologyofenglishpoems.info
dandftrading.com
cjrotulacion.com
tiroalpalodigital.com
axeologements.com
nchh29.xyz
karedxb.com
9158cs.xyz
christialana.com
francegravures.com
snclgroupsource.com
articulospromocionalescv.com
garethjame.biz
6865321.com
liverarebotanicals.com
goldcoastdoublelot.com
pinnacle-legal-services.com
selinunutmaz.com
zidami.com
sionelog.store
sanagov.xyz
azienda-agricola-stellino.com
amenos.net
smiexpert.com
lly03toyof4.xyz
druslocute.quest
biobosa.com
quick2repair.net
tigaadmasie.com
enterprisedaas.support
smilingstyles.com
chrisandkaye.online
kbofoto.com
lab-clement.tools
rlgbyfrozenfoods.com
myfaithinfitness.com
anonymousmomforum.club
sam4director.com
rewiagewade.quest
ehaszcarpetbagger.com
haywood-disability-attorney.com
jocebo.com
summercamplife.com
besasin09.com
elaish.com
dosana.online
0h2.online
elenapapernaya.com
urgcity.com
themindfulnessmakers.com
spartanheavy.com
lorasasiankitchen.com
bettermebodyandmind.com
lj-safe-keepingtoyof5.xyz
gogo30.com
kompastar.com
Signatures
-
Xloader payload 1 IoCs
Processes:
resource yara_rule behavioral1/memory/2272-10-0x0000000000400000-0x0000000000429000-memory.dmp xloader -
Suspicious use of SetThreadContext 1 IoCs
Processes:
7ddf9139b29b7b35647dfa9e585023de_JaffaCakes118.exedescription pid process target process PID 2060 set thread context of 2272 2060 7ddf9139b29b7b35647dfa9e585023de_JaffaCakes118.exe 7ddf9139b29b7b35647dfa9e585023de_JaffaCakes118.exe -
Suspicious behavior: EnumeratesProcesses 1 IoCs
Processes:
7ddf9139b29b7b35647dfa9e585023de_JaffaCakes118.exepid process 2272 7ddf9139b29b7b35647dfa9e585023de_JaffaCakes118.exe -
Suspicious use of WriteProcessMemory 7 IoCs
Processes:
7ddf9139b29b7b35647dfa9e585023de_JaffaCakes118.exedescription pid process target process PID 2060 wrote to memory of 2272 2060 7ddf9139b29b7b35647dfa9e585023de_JaffaCakes118.exe 7ddf9139b29b7b35647dfa9e585023de_JaffaCakes118.exe PID 2060 wrote to memory of 2272 2060 7ddf9139b29b7b35647dfa9e585023de_JaffaCakes118.exe 7ddf9139b29b7b35647dfa9e585023de_JaffaCakes118.exe PID 2060 wrote to memory of 2272 2060 7ddf9139b29b7b35647dfa9e585023de_JaffaCakes118.exe 7ddf9139b29b7b35647dfa9e585023de_JaffaCakes118.exe PID 2060 wrote to memory of 2272 2060 7ddf9139b29b7b35647dfa9e585023de_JaffaCakes118.exe 7ddf9139b29b7b35647dfa9e585023de_JaffaCakes118.exe PID 2060 wrote to memory of 2272 2060 7ddf9139b29b7b35647dfa9e585023de_JaffaCakes118.exe 7ddf9139b29b7b35647dfa9e585023de_JaffaCakes118.exe PID 2060 wrote to memory of 2272 2060 7ddf9139b29b7b35647dfa9e585023de_JaffaCakes118.exe 7ddf9139b29b7b35647dfa9e585023de_JaffaCakes118.exe PID 2060 wrote to memory of 2272 2060 7ddf9139b29b7b35647dfa9e585023de_JaffaCakes118.exe 7ddf9139b29b7b35647dfa9e585023de_JaffaCakes118.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\7ddf9139b29b7b35647dfa9e585023de_JaffaCakes118.exe"C:\Users\Admin\AppData\Local\Temp\7ddf9139b29b7b35647dfa9e585023de_JaffaCakes118.exe"1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:2060 -
C:\Users\Admin\AppData\Local\Temp\7ddf9139b29b7b35647dfa9e585023de_JaffaCakes118.exe"C:\Users\Admin\AppData\Local\Temp\7ddf9139b29b7b35647dfa9e585023de_JaffaCakes118.exe"2⤵
- Suspicious behavior: EnumeratesProcesses
PID:2272