Analysis

max time kernel: 117s
max time network: 121s
platform: windows7_x64
resource: win7-20240221-en
resource tags: arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
submitted: 01-04-2024 05:54

Static task: static1
Behavioral task: behavioral1
Sample: 699589bd45b3cfbe2800dd137a56619d_JaffaCakes118.exe
Resource: win7-20240221-en
General

Target: 699589bd45b3cfbe2800dd137a56619d_JaffaCakes118.exe
Size: 653KB
MD5: 699589bd45b3cfbe2800dd137a56619d
SHA1: c7a5efbb84d4c748556c38c39da5f30fddb4a1a6
SHA256: 0ce4e2f71989e9a0a4aef640b12237135e2be4b037f9cf533ca7925224e9daa8
SHA512: 8c073234aa0d08c1d6d2fd2e1f42eaa2750cb0423fde65dae8be9de525e69be656ebb7f64aebbd89aa3a9369bddb76ad6c95518828550de966c8c00b17c29680
SSDEEP: 12288:6vf3jRILfwanROnheVzCrZLW5xZWutzZz15SgO:kILQGz+FW5P1tzlK
Malware Config

Extracted
Family: xloader
Version: 2.5
Campaign: mqi9
Domains:
spectehnika-rb.com
daleproaudio.xyz
cpw887.com
gosbs-b01.com
clarkmanagementhawaii.com
taobaoi68.xyz
hoppedchardonnay.com
extremesavings.net
newbiepanda.com
arul-jegadish.com
kellibrat.com
avto-mercury.info
percussionportal.com
colorfulworldpublishing.com
notvaccinatedjobs.com
cattavida.com
pioniersa.com
yanduy.com
mzjing.com
piedmontpines.school
sosibibyslot.space
yfly635.xyz
undauntedearth.com
ratqueen.art
docomoat.xyz
themysticalmushroom.com
woodbinecommunityplan.com
al-m3hd.com
globalglodpower.com
circuitboardsolution.com
zoipartner.com
varibat45.com
sean-inspires.com
533hd.com
yuezhong66.com
latewood.xyz
mrsparberrysplace.com
shyy-life.com
znypay.com
eludice.net
kalitelihavaperdesi.com
classicmusclecargarage.com
divulgesloatr.xyz
djkozmos.com
eazyjspowerwash.com
xn--naturecan-823hqc4t8089b.xyz
merchediazcobo.com
09mpt.xyz
zapoartist.quest
vagusartesaniaymoda.online
blogbynasir.com
cliffwoof.com
aj03yansinbiz.biz
gaboshoes.com
italiangomvqs.xyz
safari-fadel.com
diorbijoux.com
lookforwardswiss.com
qsygqc.com
wehaveunconditionallove.com
kingsmeadfarm.com
928711.com
saint444.com
fashiona.space
vulcanopresale.icu
Signatures

Xloader payload (1 IoC)
Processes:
  resource | yara_rule
  behavioral1/memory/2524-14-0x0000000000400000-0x0000000000429000-memory.dmp | xloader

Suspicious use of SetThreadContext (1 IoC)
Processes:
  description | pid | process | target process
  PID 3036 set thread context of 2524 | 3036 | 699589bd45b3cfbe2800dd137a56619d_JaffaCakes118.exe | 699589bd45b3cfbe2800dd137a56619d_JaffaCakes118.exe

Suspicious behavior: EnumeratesProcesses (1 IoC)
Processes:
  pid | process
  2524 | 699589bd45b3cfbe2800dd137a56619d_JaffaCakes118.exe

Suspicious use of WriteProcessMemory (7 IoCs)
Processes:
  description | pid | process | target process
  PID 3036 wrote to memory of 2524 | 3036 | 699589bd45b3cfbe2800dd137a56619d_JaffaCakes118.exe | 699589bd45b3cfbe2800dd137a56619d_JaffaCakes118.exe
  (this identical row is recorded 7 times in the report, one per WriteProcessMemory event)
Processes

C:\Users\Admin\AppData\Local\Temp\699589bd45b3cfbe2800dd137a56619d_JaffaCakes118.exe (tree depth 1)
  command line: "C:\Users\Admin\AppData\Local\Temp\699589bd45b3cfbe2800dd137a56619d_JaffaCakes118.exe"
  PID: 3036
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory

  C:\Users\Admin\AppData\Local\Temp\699589bd45b3cfbe2800dd137a56619d_JaffaCakes118.exe (tree depth 2)
    command line: "{path}"
    PID: 2524
    - Suspicious behavior: EnumeratesProcesses