Analysis
max time kernel: 147s
max time network: 152s
platform: windows10-2004_x64
resource: win10v2004-20240319-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240319-en, locale:en-us, os:windows10-2004-x64, system
submitted: 01-04-2024 05:54
Static task: static1
Behavioral task: behavioral1
Sample: 699589bd45b3cfbe2800dd137a56619d_JaffaCakes118.exe
Resource: win7-20240221-en
General
Target: 699589bd45b3cfbe2800dd137a56619d_JaffaCakes118.exe
Size: 653KB
MD5: 699589bd45b3cfbe2800dd137a56619d
SHA1: c7a5efbb84d4c748556c38c39da5f30fddb4a1a6
SHA256: 0ce4e2f71989e9a0a4aef640b12237135e2be4b037f9cf533ca7925224e9daa8
SHA512: 8c073234aa0d08c1d6d2fd2e1f42eaa2750cb0423fde65dae8be9de525e69be656ebb7f64aebbd89aa3a9369bddb76ad6c95518828550de966c8c00b17c29680
SSDEEP: 12288:6vf3jRILfwanROnheVzCrZLW5xZWutzZz15SgO:kILQGz+FW5P1tzlK
Malware Config
Extracted
xloader
2.5
mqi9
Signatures

Xloader payload 1 IoCs
Processes:
resource: behavioral2/memory/4920-13-0x0000000000400000-0x0000000000429000-memory.dmp
yara_rule: xloader

Suspicious use of SetThreadContext 1 IoCs
Processes:
PID 1580 (699589bd45b3cfbe2800dd137a56619d_JaffaCakes118.exe) set thread context of 4920 (699589bd45b3cfbe2800dd137a56619d_JaffaCakes118.exe)

Suspicious behavior: EnumeratesProcesses 3 IoCs
Processes:
PID 4920 699589bd45b3cfbe2800dd137a56619d_JaffaCakes118.exe
PID 4920 699589bd45b3cfbe2800dd137a56619d_JaffaCakes118.exe
PID 4920 699589bd45b3cfbe2800dd137a56619d_JaffaCakes118.exe

Suspicious use of WriteProcessMemory 6 IoCs
Processes:
PID 1580 (699589bd45b3cfbe2800dd137a56619d_JaffaCakes118.exe) wrote to memory of 4920 (699589bd45b3cfbe2800dd137a56619d_JaffaCakes118.exe)
PID 1580 (699589bd45b3cfbe2800dd137a56619d_JaffaCakes118.exe) wrote to memory of 4920 (699589bd45b3cfbe2800dd137a56619d_JaffaCakes118.exe)
PID 1580 (699589bd45b3cfbe2800dd137a56619d_JaffaCakes118.exe) wrote to memory of 4920 (699589bd45b3cfbe2800dd137a56619d_JaffaCakes118.exe)
PID 1580 (699589bd45b3cfbe2800dd137a56619d_JaffaCakes118.exe) wrote to memory of 4920 (699589bd45b3cfbe2800dd137a56619d_JaffaCakes118.exe)
PID 1580 (699589bd45b3cfbe2800dd137a56619d_JaffaCakes118.exe) wrote to memory of 4920 (699589bd45b3cfbe2800dd137a56619d_JaffaCakes118.exe)
PID 1580 (699589bd45b3cfbe2800dd137a56619d_JaffaCakes118.exe) wrote to memory of 4920 (699589bd45b3cfbe2800dd137a56619d_JaffaCakes118.exe)
Processes

- C:\Users\Admin\AppData\Local\Temp\699589bd45b3cfbe2800dd137a56619d_JaffaCakes118.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\699589bd45b3cfbe2800dd137a56619d_JaffaCakes118.exe"
  PID:1580
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\699589bd45b3cfbe2800dd137a56619d_JaffaCakes118.exe
    Command line: "{path}"
    PID:4920
    - Suspicious behavior: EnumeratesProcesses

- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=712 --field-trial-handle=2268,i,4334050275411101233,11484630688883830558,262144 --variations-seed-version /prefetch:8
  PID:2424