Analysis
-
max time kernel
122s -
max time network
125s -
platform
windows7_x64 -
resource
win7-20240319-en -
resource tags
arch:x64, arch:x86, image:win7-20240319-en, locale:en-us, os:windows7-x64, system -
submitted
02-04-2024 22:28
Static task
static1
Behavioral task
behavioral1
Sample
98d2d5ac3bd493d77f0a7300a43d045b_JaffaCakes118.exe
Resource
win7-20240319-en
Behavioral task
behavioral2
Sample
98d2d5ac3bd493d77f0a7300a43d045b_JaffaCakes118.exe
Resource
win10v2004-20240226-en
Behavioral task
behavioral3
Sample
$PLUGINSDIR/gyalquzbu.dll
Resource
win7-20240221-en
Behavioral task
behavioral4
Sample
$PLUGINSDIR/gyalquzbu.dll
Resource
win10v2004-20240226-en
General
-
Target
98d2d5ac3bd493d77f0a7300a43d045b_JaffaCakes118.exe
-
Size
450KB
-
MD5
98d2d5ac3bd493d77f0a7300a43d045b
-
SHA1
7fdd3b9b76f2c40df10def7ec3aa25c4fb192ec7
-
SHA256
1bbc8a34b7590c1593c5a79a8d0f93b17a162f44893c37aa11e4cb9e0e2d96bf
-
SHA512
32b7aa0518d6b41864d0f6f90d397cd377244b8f6af07178252aeb5b7ecf57e347c2aa2a3a4d94327d799bfcf8fe87b5c8164b0102c64258fd55a4c024ad0ef3
-
SSDEEP
12288:g4fXqKkoo4mdIaFOyzsfUvCqqTb+3e3DcGv2:9PbkoodWaEXU6P/2
Malware Config
Extracted
Family
xloader
Version
2.5
Campaign
b2c0
C2 domains (the extractor dumps the full list; XLoader configs mix the live C2 with decoy domains)
bjyxszd520.xyz
hsvfingerprinting.com
elliotpioneer.com
bf396.com
chinaopedia.com
6233v.com
shopeuphoricapparel.com
loccssol.store
truefictionpictures.com
playstarexch.com
peruviancoffee.store
shobhajoshi.com
philme.net
avito-rules.com
independencehomecenters.com
atp-cayenne.com
invetorsbank.com
sasanos.com
scentfreebnb.com
catfuid.com
sunshinefamilysupport.com
madison-co-atty.net
newhousebr.com
newstodayupdate.com
kamalaanjna.com
itpronto.com
hi-loentertainment.com
sadpartyrentals.com
vertuminy.com
khomayphotocopy.club
roleconstructora.com
cottonhome.online
starsspell.com
bedrijfs-kledingshop.com
aydeyahouse.com
miaintervista.com
taolemix.com
lnagvv.space
bjmobi.com
collabkc.art
onayli.net
ecostainable.com
vi88.info
brightlifeprochoice.com
taoluzhibo.info
techgobble.com
ideemimarlikinsaat.com
andajzx.com
shineshaft.website
arroundworld.com
reyuzed.com
emilfaucets.com
lumberjackguitarloops.com
pearl-interior.com
altitudebc.com
cqjiubai.com
kutahyaescortbayanlarim.xyz
metalworkingadditives.online
unasolucioendesa.com
andrewfjohnston.com
visionmark.net
dxxlewis.com
carts-amazon.com
anadolu.academy
thesewhitevvalls.com
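The domain list above is the usable output of this report, but it needs a caveat before it goes into a blocklist: XLoader (the Formbook successor) embeds one live C2 among dozens of decoys and rotates through several of them per beacon round, so most entries are legitimate, unrelated sites. The right use is matching, not blocking: a host that resolves many of these domains in a short window is showing the beacon-rotation pattern. The following script is an added example, not part of the sandbox report or the sandbox's own tooling; it carries a subset of the extracted domains (paste the full list in practice), uses a constructed, hypothetical DNS log format, and does label-wise suffix matching so that `notbf396.com` does not match `bf396.com`.

```python
"""Match DNS query logs against the XLoader 2.5 domain list extracted in the report above."""
import re
from dataclasses import dataclass
from typing import Dict, FrozenSet, Iterable, List, Optional

# Subset of the report's "Malware Config" domain list; replace with the full list in practice.
XLOADER_DOMAINS: FrozenSet[str] = frozenset({
    "bjyxszd520.xyz", "hsvfingerprinting.com", "elliotpioneer.com", "bf396.com",
    "chinaopedia.com", "6233v.com", "shopeuphoricapparel.com", "loccssol.store",
    "truefictionpictures.com", "playstarexch.com", "carts-amazon.com", "thesewhitevvalls.com",
})


def normalize_host(name: str) -> str:
    """Lower-case and drop the trailing dot so 'WWW.Bf396.COM.' and 'www.bf396.com' compare equal."""
    return name.strip().rstrip(".").lower()


def matching_domain(host: str, domains: FrozenSet[str]) -> Optional[str]:
    """Return the listed domain that `host` equals or is a subdomain of, else None.

    Matching is done per DNS label, so 'notbf396.com' is not a hit for 'bf396.com'.
    """
    labels = normalize_host(host).split(".")
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])
        if candidate in domains:
            return candidate
    return None


# Constructed log format (hypothetical, not any real resolver's): "<timestamp> <client-ip> <qtype> <qname>"
LOG_LINE = re.compile(r"^(\S+)\s+(\S+)\s+(A|AAAA|CNAME|TXT)\s+(\S+)$")


@dataclass(frozen=True)
class Hit:
    timestamp: str
    client: str
    qname: str
    matched: str


def scan_dns_log(lines: Iterable[str], domains: FrozenSet[str] = XLOADER_DOMAINS) -> List[Hit]:
    """Return one Hit per query whose name falls under a listed domain; malformed lines are skipped."""
    hits: List[Hit] = []
    for line in lines:
        m = LOG_LINE.match(line.strip())
        if not m:
            continue
        ts, client, _qtype, qname = m.groups()
        matched = matching_domain(qname, domains)
        if matched:
            hits.append(Hit(ts, client, normalize_host(qname), matched))
    return hits


def domains_per_client(hits: Iterable[Hit]) -> Dict[str, List[str]]:
    """Group matched domains by client: one host touching many listed domains is the rotation pattern."""
    grouped: Dict[str, set] = {}
    for h in hits:
        grouped.setdefault(h.client, set()).add(h.matched)
    return {client: sorted(ds) for client, ds in grouped.items()}


# Constructed sample log: 10.0.0.15 shows the rotation pattern, 10.0.0.20 is noise.
SAMPLE_LOG = [
    "2024-04-02T22:30:01Z 10.0.0.15 A www.bjyxszd520.xyz.",
    "2024-04-02T22:30:02Z 10.0.0.15 A hsvfingerprinting.com",
    "2024-04-02T22:30:03Z 10.0.0.15 A WWW.Bf396.COM.",
    "2024-04-02T22:30:04Z 10.0.0.20 A notbf396.com",
    "2024-04-02T22:30:05Z 10.0.0.20 A updates.example.com",
    "garbage line that does not parse",
]

if __name__ == "__main__":
    found = scan_dns_log(SAMPLE_LOG)
    for hit in found:
        print(f"{hit.timestamp} {hit.client} queried {hit.qname} (listed: {hit.matched})")
    print(domains_per_client(found))
```

Treat a single match as weak evidence; the per-client grouping is what separates an infected host from someone browsing one of the decoy sites.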
Signatures
-
Xloader payload 1 IoCs
Processes:
resource: behavioral1/memory/2172-8-0x0000000000400000-0x0000000000429000-memory.dmp
yara_rule: xloader -
Loads dropped DLL 1 IoCs
Processes:
pid 1904, process 98d2d5ac3bd493d77f0a7300a43d045b_JaffaCakes118.exe -
Suspicious use of SetThreadContext 1 IoCs
Processes:
PID 1904 set thread context of PID 2172 (98d2d5ac3bd493d77f0a7300a43d045b_JaffaCakes118.exe -> 98d2d5ac3bd493d77f0a7300a43d045b_JaffaCakes118.exe) -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Suspicious behavior: EnumeratesProcesses 1 IoCs
Processes:
pid 2172, process 98d2d5ac3bd493d77f0a7300a43d045b_JaffaCakes118.exe -
Suspicious use of WriteProcessMemory 7 IoCs
Processes:
PID 1904 wrote to memory of PID 2172 (98d2d5ac3bd493d77f0a7300a43d045b_JaffaCakes118.exe -> 98d2d5ac3bd493d77f0a7300a43d045b_JaffaCakes118.exe), recorded 7 times
Processes
-
Level 1: C:\Users\Admin\AppData\Local\Temp\98d2d5ac3bd493d77f0a7300a43d045b_JaffaCakes118.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\98d2d5ac3bd493d77f0a7300a43d045b_JaffaCakes118.exe"
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1904 -
Level 2 (child of PID 1904): C:\Users\Admin\AppData\Local\Temp\98d2d5ac3bd493d77f0a7300a43d045b_JaffaCakes118.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\98d2d5ac3bd493d77f0a7300a43d045b_JaffaCakes118.exe"
- Suspicious behavior: EnumeratesProcesses
PID:2172
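The signature tables and process tree together describe one well-defined shape: the sample (PID 1904) spawns a second copy of its own image (PID 2172), writes into it seven times, sets that child's thread context, and the child is the process that ends up holding the region tagged `xloader` at 0x400000-0x429000. That is the classic self-hollowing loader pattern, and each primitive on its own is noisy (debuggers call SetThreadContext, installers write into children), so a useful rule requires the combination. The script below is an added example and not the sandbox's own detection code: it replays constructed events built from the PIDs and counts in this report through that rule, and separately parses the dump name to show that the tagged region (0x29000 bytes, about 164 KiB, at the conventional 32-bit PE image base) is much smaller than the 450KB file on disk, which is what an unpacked second stage looks like. The event schema is hypothetical.

```python
"""Replay the report's injection events through a same-image hollowing rule."""
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, Iterable, List, Set, Tuple

IMAGE = r"C:\Users\Admin\AppData\Local\Temp\98d2d5ac3bd493d77f0a7300a43d045b_JaffaCakes118.exe"


@dataclass(frozen=True)
class Event:
    """Hypothetical event schema (not the sandbox's): kind, acting pid, target pid, image for creates."""
    kind: str        # "process_create" | "write_process_memory" | "set_thread_context"
    pid: int         # acting process (parent for process_create)
    target: int      # created / written / controlled process
    image: str = ""  # image path, only meaningful for process_create


# Constructed from the behavioral1 tables: one self-spawn, seven writes, one SetThreadContext.
# The notepad child is added for contrast and is not in the report.
EVENTS: List[Event] = [
    Event("process_create", 0, 1904, IMAGE),
    Event("process_create", 1904, 2172, IMAGE),
    *[Event("write_process_memory", 1904, 2172) for _ in range(7)],
    Event("set_thread_context", 1904, 2172),
    Event("process_create", 1904, 2300, r"C:\Windows\System32\notepad.exe"),
]


def find_self_hollowing(events: Iterable[Event]) -> List[Tuple[int, int, int]]:
    """Return (source, target, write_count) for every child that shares its parent's image path
    and was both written to and had a thread context set by that parent.

    All three conditions are required: same image, WriteProcessMemory into the child,
    SetThreadContext on the child. Dropping any one of them turns the rule into noise.
    """
    image_of: Dict[int, str] = {}
    parent_of: Dict[int, int] = {}
    writes: Dict[Tuple[int, int], int] = defaultdict(int)
    ctx: Set[Tuple[int, int]] = set()
    for e in events:
        if e.kind == "process_create":
            image_of[e.target] = e.image.lower()
            parent_of[e.target] = e.pid
        elif e.kind == "write_process_memory":
            writes[(e.pid, e.target)] += 1
        elif e.kind == "set_thread_context":
            ctx.add((e.pid, e.target))
    findings = []
    for src, dst in sorted(ctx):
        same_image = image_of.get(src) is not None and image_of.get(src) == image_of.get(dst)
        if same_image and parent_of.get(dst) == src and writes[(src, dst)] > 0:
            findings.append((src, dst, writes[(src, dst)]))
    return findings


DUMP = "behavioral1/memory/2172-8-0x0000000000400000-0x0000000000429000-memory.dmp"
FILE_SIZE_BYTES = 450 * 1024  # "Size 450KB" from the General section


def dump_region(name: str) -> Tuple[int, int]:
    """Parse '<pid>-<n>-<start>-<end>-memory.dmp' into (start, end) integers."""
    parts = name.rsplit("/", 1)[-1].split("-")
    return int(parts[2], 16), int(parts[3], 16)


def dump_region_size(name: str) -> int:
    start, end = dump_region(name)
    return end - start


def payload_smaller_than_file(name: str, file_size: int = FILE_SIZE_BYTES) -> bool:
    """True when the YARA-tagged region is smaller than the dropper on disk, i.e. an unpacked stage."""
    return dump_region_size(name) < file_size


if __name__ == "__main__":
    for src, dst, n in find_self_hollowing(EVENTS):
        print(f"self-hollowing: PID {src} -> PID {dst} ({n} WriteProcessMemory calls + SetThreadContext)")
    start, end = dump_region(DUMP)
    print(f"tagged region 0x{start:x}-0x{end:x}: {dump_region_size(DUMP)} bytes, "
          f"unpacked stage: {payload_smaller_than_file(DUMP)}")
```

When porting this to real telemetry (Sysmon event 8/10 plus process-create events), keep the same-image and parent-child conditions; they are what separate this loader from a debugger attaching to an unrelated process.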
Network
MITRE ATT&CK Enterprise v15
Downloads
-
Filesize
33KB
MD5
a8caa6d267951ad22e835233b5e50c46
SHA1
45c722c5958d99727a95d30eaa3032203d1f4ab2
SHA256
db7b70b0734285b8d9a1f3617e55603b0cb649d9bf0b7fbf8988c44e684f4e76
SHA512
9ee74bf576554210f8923dda8aa28f6dc7f3c5aa52da7b48a94beaf56cb4e27f1c3d0387cc9116e467631bc13c0e743341129bffa84b9db16ace1248a53b4cd7