Analysis Overview
SHA256
5270bc9905eafb0b4174ba7ab447db19d7f7dc3adbc5b6a2a747fda70a63849e
Threat Level: Known bad
The file 7890ee8b506470d111dffe7df8b06093_JaffaCakes118 was found to be: Known bad.
Malicious Activity Summary
Xloader
Xloader payload
Suspicious use of SetThreadContext
Unsigned PE
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Analysis: static1
Detonation Overview
Reported
2024-04-01 19:37
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral2
Detonation Overview
Submitted
2024-04-01 19:37
Reported
2024-04-01 19:40
Platform
win10v2004-20240226-en
Max time kernel
149s
Max time network
151s
Command Line
Signatures
Xloader
Xloader payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 3488 set thread context of 1440 | N/A | C:\Users\Admin\AppData\Local\Temp\7890ee8b506470d111dffe7df8b06093_JaffaCakes118.exe | C:\Users\Admin\AppData\Local\Temp\7890ee8b506470d111dffe7df8b06093_JaffaCakes118.exe |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7890ee8b506470d111dffe7df8b06093_JaffaCakes118.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7890ee8b506470d111dffe7df8b06093_JaffaCakes118.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\7890ee8b506470d111dffe7df8b06093_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\7890ee8b506470d111dffe7df8b06093_JaffaCakes118.exe"
C:\Users\Admin\AppData\Local\Temp\7890ee8b506470d111dffe7df8b06093_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\7890ee8b506470d111dffe7df8b06093_JaffaCakes118.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 41.134.221.88.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 58.55.71.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 14.160.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 196.249.167.52.in-addr.arpa | udp |
| US | 20.231.121.79:80 | | tcp |
| US | 8.8.8.8:53 | 104.219.191.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 26.165.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 198.187.3.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 99.56.20.217.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 9.134.221.88.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 91.16.208.104.in-addr.arpa | udp |
Files
memory/3488-0-0x00000000006B0000-0x000000000070E000-memory.dmp
memory/3488-1-0x0000000075120000-0x00000000758D0000-memory.dmp
memory/3488-2-0x00000000055A0000-0x0000000005B44000-memory.dmp
memory/3488-3-0x0000000004FF0000-0x0000000005082000-memory.dmp
memory/3488-4-0x0000000004F40000-0x0000000004F50000-memory.dmp
memory/3488-5-0x0000000004F90000-0x0000000004F9A000-memory.dmp
memory/3488-6-0x0000000005200000-0x000000000520A000-memory.dmp
memory/3488-7-0x0000000075120000-0x00000000758D0000-memory.dmp
memory/3488-8-0x0000000004F40000-0x0000000004F50000-memory.dmp
memory/3488-9-0x0000000006610000-0x00000000066AC000-memory.dmp
memory/3488-10-0x00000000066B0000-0x0000000006702000-memory.dmp
memory/1440-11-0x0000000000400000-0x0000000000429000-memory.dmp
memory/3488-13-0x0000000075120000-0x00000000758D0000-memory.dmp
memory/1440-14-0x0000000001860000-0x0000000001BAA000-memory.dmp
memory/1440-15-0x0000000001860000-0x0000000001BAA000-memory.dmp
Analysis: behavioral1
Detonation Overview
Submitted
2024-04-01 19:37
Reported
2024-04-01 19:40
Platform
win7-20240221-en
Max time kernel
119s
Max time network
122s
Command Line
Signatures
Xloader
Xloader payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 1976 set thread context of 928 | N/A | C:\Users\Admin\AppData\Local\Temp\7890ee8b506470d111dffe7df8b06093_JaffaCakes118.exe | C:\Users\Admin\AppData\Local\Temp\7890ee8b506470d111dffe7df8b06093_JaffaCakes118.exe |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7890ee8b506470d111dffe7df8b06093_JaffaCakes118.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\7890ee8b506470d111dffe7df8b06093_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\7890ee8b506470d111dffe7df8b06093_JaffaCakes118.exe"
C:\Users\Admin\AppData\Local\Temp\7890ee8b506470d111dffe7df8b06093_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\7890ee8b506470d111dffe7df8b06093_JaffaCakes118.exe"
Network
Files
memory/1976-0-0x0000000000CA0000-0x0000000000CFE000-memory.dmp
memory/1976-1-0x0000000074BA0000-0x000000007528E000-memory.dmp
memory/1976-2-0x0000000004CD0000-0x0000000004D10000-memory.dmp
memory/1976-3-0x0000000000880000-0x000000000088A000-memory.dmp
memory/1976-4-0x0000000074BA0000-0x000000007528E000-memory.dmp
memory/1976-5-0x0000000004CD0000-0x0000000004D10000-memory.dmp
memory/1976-6-0x0000000004C60000-0x0000000004CB2000-memory.dmp
memory/928-7-0x0000000000400000-0x0000000000429000-memory.dmp
memory/928-8-0x0000000000400000-0x0000000000429000-memory.dmp
memory/928-9-0x000000007EFDE000-0x000000007EFDF000-memory.dmp
memory/928-11-0x0000000000400000-0x0000000000429000-memory.dmp
memory/1976-12-0x0000000074BA0000-0x000000007528E000-memory.dmp
memory/928-13-0x0000000000D00000-0x0000000001003000-memory.dmp