Analysis
max time kernel: 150s
max time network: 122s
platform: windows7_x64
resource: win7-20240221-en
resource tags: arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
submitted: 02-04-2024 21:33
Static task: static1
Behavioral task: behavioral1
  Sample: 97bc9fc82cdd0607f0bd1e83622b80ba_JaffaCakes118.exe
  Resource: win7-20240221-en
Behavioral task: behavioral2
  Sample: 97bc9fc82cdd0607f0bd1e83622b80ba_JaffaCakes118.exe
  Resource: win10v2004-20240226-en
Behavioral task: behavioral3
  Sample: $PLUGINSDIR/nrxdd.dll
  Resource: win7-20240221-en
Behavioral task: behavioral4
  Sample: $PLUGINSDIR/nrxdd.dll
  Resource: win10v2004-20231215-en
General
Target: $PLUGINSDIR/nrxdd.dll
Size: 42KB
MD5: 5a5c717c752014c115f8cd5269d09230
SHA1: 9e98b8f7fc33c2a635b7fafae816e70a991db637
SHA256: bbd19853959f6a7e000b9bd1880416753f9129294efc7b5eba835891b4034459
SHA512: 350f82e6eda8687197d911cddd6d84f734e77f63d538062c49298076db297907643f8771544000d4697d5c3f3995b488ef787a5ba132c89f6b2fba6b5be9a361
SSDEEP: 768:fAidP+QzDl79yqZw0yAkKjGZbjtY7xgUnNfzyX6ZAunOVfG2WgkhRw:fAMWQzh7kqfkRtY1gQ06ZAumkM
Malware Config
Extracted: xloader 2.5 b65i
Domains:
leofighters.com
smartat2.xyz
encontrevariedades.com
jimwilliamstutoring.com
kanpaiecuador.com
accura-inv.com
xtzgjxzz.com
scentstrategies.com
high-clicks2.com
hadishgebray.com
woodlawnbailbonds.com
dmsolutionsco.com
rdvulm21.com
beachyweens.com
ishirmansingh.com
rimmasbracelets.com
kellibrat.com
roselmasm.com
datkamoney.info
fermers.club
veytrex.com
bigfussblog.com
seehow3.com
howtosellhighticket.com
gv-china.com
midatlanticbaths.com
peoplexplants.com
xinhe138.com
peoplefirstflorida.com
lk-safe-keepingtoyof4.xyz
lavish-hika.com
thefooddrone.com
lowkeymastery.com
ferratahvar.com
ntgc.glass
ctfeldsine.com
131inwood.com
austinfishandchicken.com
adambridewell.com
starzara.com
pillfinancialliteracy.com
urlos.store
coralhide.com
y6pw.xyz
palazzoloan.com
peoplesadvantage.net
konzertmanagement.com
alphapat-sa.com
moresatisfy.club
sexynailcompany.com
janlgesnetwork.net
manifestingiam.com
vehicaldashino.com
jazminsalym.com
strtplay2day.info
insureagainstearthquake.com
sddn57.xyz
staygood.gmbh
paymentssecureweb.com
gee-law.com
tenloe098.xyz
mikevideodirection.online
povital.com
ktrtaiwan.com
onewebuy.net
Signatures

Xloader payload (5 IoCs)
resource | yara_rule
behavioral3/memory/1656-1-0x0000000000400000-0x0000000000429000-memory.dmp | xloader
behavioral3/memory/1656-5-0x0000000000400000-0x0000000000429000-memory.dmp | xloader
behavioral3/memory/1656-10-0x0000000000400000-0x0000000000429000-memory.dmp | xloader
behavioral3/memory/2860-16-0x00000000000C0000-0x00000000000E9000-memory.dmp | xloader
behavioral3/memory/2860-18-0x00000000000C0000-0x00000000000E9000-memory.dmp | xloader
Suspicious use of SetThreadContext (4 IoCs)
description | pid process | target process
PID 2100 set thread context of 1656 | 2100 rundll32.exe | rundll32.exe
PID 1656 set thread context of 1240 | 1656 rundll32.exe | Explorer.EXE
PID 1656 set thread context of 1240 | 1656 rundll32.exe | Explorer.EXE
PID 2860 set thread context of 1240 | 2860 explorer.exe | Explorer.EXE
Suspicious behavior: EnumeratesProcesses (31 IoCs)
pid process
1656 rundll32.exe (3 entries)
2860 explorer.exe (28 entries)
Suspicious behavior: MapViewOfSection (6 IoCs)
pid process
1656 rundll32.exe (4 entries)
2860 explorer.exe (2 entries)
Suspicious use of AdjustPrivilegeToken (2 IoCs)
description | pid process
Token: SeDebugPrivilege | 1656 rundll32.exe
Token: SeDebugPrivilege | 2860 explorer.exe
Suspicious use of WriteProcessMemory (25 IoCs)
description | pid process | target process
PID 2236 wrote to memory of 2100 | 2236 rundll32.exe | rundll32.exe (7 entries)
PID 2100 wrote to memory of 1656 | 2100 rundll32.exe | rundll32.exe (10 entries)
PID 1240 wrote to memory of 2860 | 1240 Explorer.EXE | explorer.exe (4 entries)
PID 2860 wrote to memory of 2388 | 2860 explorer.exe | cmd.exe (4 entries)
Processes

C:\Windows\Explorer.EXE
  Command line: C:\Windows\Explorer.EXE
  PID: 1240
  - Suspicious use of WriteProcessMemory

  C:\Windows\system32\rundll32.exe
    Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\nrxdd.dll,#1
    PID: 2236
    - Suspicious use of WriteProcessMemory

    C:\Windows\SysWOW64\rundll32.exe
      Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\nrxdd.dll,#1
      PID: 2100
      - Suspicious use of SetThreadContext
      - Suspicious use of WriteProcessMemory

      C:\Windows\SysWOW64\rundll32.exe
        Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\nrxdd.dll,#1
        PID: 1656
        - Suspicious use of SetThreadContext
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious behavior: MapViewOfSection
        - Suspicious use of AdjustPrivilegeToken

  C:\Windows\SysWOW64\explorer.exe
    Command line: "C:\Windows\SysWOW64\explorer.exe"
    PID: 2860
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory

    C:\Windows\SysWOW64\cmd.exe
      Command line: /c del "C:\Windows\SysWOW64\rundll32.exe"
      PID: 2388