Analysis
max time kernel: 121s
max time network: 121s
platform: windows7_x64
resource: win7-20240221-en
resource tags: arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
submitted: 02-04-2024 22:37 (DD-MM-YYYY; the win7-20240319-en image used below rules out 4 February)
Static task: static1
Behavioral task behavioral1: sample 98ffc3c812e6cec919ebd286973e2002_JaffaCakes118.exe, resource win7-20240221-en
Behavioral task behavioral2: sample 98ffc3c812e6cec919ebd286973e2002_JaffaCakes118.exe, resource win10v2004-20240226-en
Behavioral task behavioral3: sample $PLUGINSDIR/nawgsdqut.dll, resource win7-20240319-en
Behavioral task behavioral4: sample $PLUGINSDIR/nawgsdqut.dll, resource win10v2004-20240226-en
General
Target: 98ffc3c812e6cec919ebd286973e2002_JaffaCakes118.exe
Size: 445KB
MD5: 98ffc3c812e6cec919ebd286973e2002
SHA1: b0d1a65445a7923870ad23ec4d80f592e808c987
SHA256: 014d0ece0d472eaea73698d634308303ddb9f227f39d339a66416c3cb744d2c1
SHA512: 5875f8f2c736cbf501c25635f5c9014e499a7fce01f139315cbf5c0d3c45e1e8568a9fa8ddfe60cb0a44804a7677fdcd411eab4be6177926649b1b691d97a721
SSDEEP: 6144:hBlL/NDevWMKIPT48zhmgL58KCjuLkTMm6GBX3KTDDC3cz/3aKkm3HC:n6B8KC4kTrV3KlziKkR
Malware Config
Extracted
Family: xloader
Version: 2.5
Campaign ID: b2c0
C2 domains (Formbook/XLoader configs embed one live C2 among decoy domains, and the extractor does not flag which entry is live; treat the whole list as IoCs rather than as confirmed infrastructure):
bjyxszd520.xyz
hsvfingerprinting.com
elliotpioneer.com
bf396.com
chinaopedia.com
6233v.com
shopeuphoricapparel.com
loccssol.store
truefictionpictures.com
playstarexch.com
peruviancoffee.store
shobhajoshi.com
philme.net
avito-rules.com
independencehomecenters.com
atp-cayenne.com
invetorsbank.com
sasanos.com
scentfreebnb.com
catfuid.com
sunshinefamilysupport.com
madison-co-atty.net
newhousebr.com
newstodayupdate.com
kamalaanjna.com
itpronto.com
hi-loentertainment.com
sadpartyrentals.com
vertuminy.com
khomayphotocopy.club
roleconstructora.com
cottonhome.online
starsspell.com
bedrijfs-kledingshop.com
aydeyahouse.com
miaintervista.com
taolemix.com
lnagvv.space
bjmobi.com
collabkc.art
onayli.net
ecostainable.com
vi88.info
brightlifeprochoice.com
taoluzhibo.info
techgobble.com
ideemimarlikinsaat.com
andajzx.com
shineshaft.website
arroundworld.com
reyuzed.com
emilfaucets.com
lumberjackguitarloops.com
pearl-interior.com
altitudebc.com
cqjiubai.com
kutahyaescortbayanlarim.xyz
metalworkingadditives.online
unasolucioendesa.com
andrewfjohnston.com
visionmark.net
dxxlewis.com
carts-amazon.com
anadolu.academy
thesewhitevvalls.com
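As an added example (not part of the sandbox report), the following Python parses the extracted config block above into a structured record and checks DNS query log lines against the domain list, matching exact names and subdomains while rejecting partial-string lookalikes. The log line layout, the client IPs and the log lines themselves are constructed assumptions, and only a subset of the 65 reported domains is embedded.

```python
"""Turn the report's extracted XLoader config into a DNS-log check.

Added example, not part of the sandbox report. CONFIG_TEXT is a subset of the
report's "Extracted" block (family, version, campaign, then one domain per
line). SAMPLE_DNS_LOG is constructed; its "timestamp client qname qtype"
layout is an assumption, not a real product's export format.
"""
import re
from typing import Optional

CONFIG_TEXT = """xloader
2.5
b2c0
bjyxszd520.xyz
hsvfingerprinting.com
elliotpioneer.com
avito-rules.com
carts-amazon.com
"""


def parse_xloader_config(text: str) -> dict:
    """Parse the flat 'family / version / campaign / domains...' dump."""
    lines = [ln.strip() for ln in text.splitlines() if ln.strip()]
    if len(lines) < 4:
        raise ValueError("config dump too short: need family, version, campaign, domains")
    family, version, campaign, *domains = lines
    return {
        "family": family,
        "version": version,
        "campaign": campaign,
        # Normalise once so matching is case-insensitive and ignores a trailing dot.
        "c2_domains": sorted({d.lower().rstrip(".") for d in domains}),
    }


def domain_matches(qname: str, blocklist: set) -> Optional[str]:
    """Return the blocklisted domain that qname equals or is a subdomain of.

    Walks label suffixes (www.a.com -> a.com -> com) instead of substring
    matching, so 'notavito-rules.com' does not match 'avito-rules.com'.
    """
    labels = qname.lower().rstrip(".").split(".")
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])
        if candidate in blocklist:
            return candidate
    return None


DNS_LOG_LINE = re.compile(r"^(?P<ts>\S+)\s+(?P<client>\S+)\s+(?P<qname>\S+)\s+(?P<qtype>\S+)$")


def scan_dns_log(lines, config: dict) -> list:
    """Return one hit record per log line whose qname falls under a config domain."""
    blocklist = set(config["c2_domains"])
    hits = []
    for line in lines:
        m = DNS_LOG_LINE.match(line.strip())
        if not m:
            continue  # malformed line: skip rather than crash the sweep
        ioc = domain_matches(m["qname"], blocklist)
        if ioc:
            hits.append({"ts": m["ts"], "client": m["client"], "qname": m["qname"],
                         "ioc": ioc, "campaign": config["campaign"]})
    return hits


# Constructed log lines: two true hits (subdomain, trailing dot), one benign
# lookup, one lookalike that must not match, one upper-case hit.
SAMPLE_DNS_LOG = [
    "2024-04-02T22:40:01Z 10.0.0.15 www.elliotpioneer.com A",
    "2024-04-02T22:40:02Z 10.0.0.15 bjyxszd520.xyz. A",
    "2024-04-02T22:40:03Z 10.0.0.22 login.microsoftonline.com A",
    "2024-04-02T22:40:04Z 10.0.0.15 notavito-rules.com A",
    "2024-04-02T22:40:05Z 10.0.0.31 CARTS-AMAZON.COM A",
]

if __name__ == "__main__":
    cfg = parse_xloader_config(CONFIG_TEXT)
    for hit in scan_dns_log(SAMPLE_DNS_LOG, cfg):
        print(hit)
```

Because the list mixes decoys with the live C2, a hit says "this host resolved a domain from the b2c0 config", which is enough to pivot on the client, not enough on its own to name the real C2.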
Signatures
Xloader payload (1 IoC)
  resource: behavioral1
  yara_rule: xloader
  match: memory/2804-8-0x0000000000400000-0x0000000000429000-memory.dmp
Loads dropped DLL (1 IoC)
  PID 1924  98ffc3c812e6cec919ebd286973e2002_JaffaCakes118.exe
Suspicious use of SetThreadContext (1 IoC)
  PID 1924 (98ffc3c812e6cec919ebd286973e2002_JaffaCakes118.exe) set thread context of PID 2804 (98ffc3c812e6cec919ebd286973e2002_JaffaCakes118.exe)
Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
Suspicious behavior: EnumeratesProcesses (1 IoC)
  PID 2804  98ffc3c812e6cec919ebd286973e2002_JaffaCakes118.exe
Suspicious use of WriteProcessMemory (7 IoCs)
  PID 1924 (98ffc3c812e6cec919ebd286973e2002_JaffaCakes118.exe) wrote to memory of PID 2804 (98ffc3c812e6cec919ebd286973e2002_JaffaCakes118.exe), 7 occurrences
Processes
C:\Users\Admin\AppData\Local\Temp\98ffc3c812e6cec919ebd286973e2002_JaffaCakes118.exe (PID 1924)
  command line: "C:\Users\Admin\AppData\Local\Temp\98ffc3c812e6cec919ebd286973e2002_JaffaCakes118.exe"
  Loads dropped DLL
  Suspicious use of SetThreadContext
  Suspicious use of WriteProcessMemory
  child: C:\Users\Admin\AppData\Local\Temp\98ffc3c812e6cec919ebd286973e2002_JaffaCakes118.exe (PID 2804)
    command line: "C:\Users\Admin\AppData\Local\Temp\98ffc3c812e6cec919ebd286973e2002_JaffaCakes118.exe"
    Suspicious behavior: EnumeratesProcesses
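The signatures and process tree above describe one chain: PID 1924 launches a second copy of its own image, writes to that child's memory seven times and calls SetThreadContext on it, and the xloader YARA rule then fires on the child's memory starting at 0x0000000000400000 (the default 32-bit PE image base). That sequence is consistent with process hollowing. As an added example (not part of the sandbox report), the following Python correlates behavioural events of that shape into a single finding. The events, the event schema and the benign noise entries are constructed assumptions for illustration, not any sandbox's real export format.

```python
"""Correlate behavioural events into a process-hollowing finding.

Added example, not part of the sandbox report. EVENTS re-creates the chain
the report shows (1924 -> 2804, 7 x WriteProcessMemory, SetThreadContext)
plus benign noise. The dict schema ('op', 'pid', 'target', 'image',
'target_image') is an assumption made for this example.
"""
from collections import defaultdict

IMAGE = r"C:\Users\Admin\AppData\Local\Temp\98ffc3c812e6cec919ebd286973e2002_JaffaCakes118.exe"

EVENTS = [
    {"op": "process_create", "pid": 1924, "target": 2804, "image": IMAGE, "target_image": IMAGE},
    *[{"op": "WriteProcessMemory", "pid": 1924, "target": 2804} for _ in range(7)],
    {"op": "SetThreadContext", "pid": 1924, "target": 2804},
    {"op": "ResumeThread", "pid": 1924, "target": 2804},
    # Constructed benign noise: explorer spawning notepad, and notepad
    # writing to its own address space. Neither should produce a finding.
    {"op": "process_create", "pid": 500, "target": 600,
     "image": r"C:\Windows\explorer.exe", "target_image": r"C:\Windows\System32\notepad.exe"},
    {"op": "WriteProcessMemory", "pid": 600, "target": 600},
]


def detect_hollowing(events, min_writes=1):
    """Flag (parent, child) pairs where the parent created the child, wrote into
    its memory at least min_writes times, and set a thread context in it.

    Writes to a process's own memory and writes into processes the writer did
    not create are ignored, so the rule fires on the create+write+context
    triple rather than on any single noisy API.
    """
    created = {}                 # child pid -> (parent pid, parent image, child image)
    writes = defaultdict(int)    # (parent pid, child pid) -> WriteProcessMemory count
    ctx = set()                  # (parent pid, child pid) pairs with SetThreadContext
    for e in events:
        op = e["op"]
        if op == "process_create":
            created[e["target"]] = (e["pid"], e["image"], e["target_image"])
        elif op == "WriteProcessMemory" and e["pid"] != e["target"]:
            writes[(e["pid"], e["target"])] += 1
        elif op == "SetThreadContext" and e["pid"] != e["target"]:
            ctx.add((e["pid"], e["target"]))

    findings = []
    for (parent, child), n in writes.items():
        if (parent, child) not in ctx or n < min_writes:
            continue
        if child not in created or created[child][0] != parent:
            continue
        _, parent_img, child_img = created[child]
        same_image = parent_img.lower() == child_img.lower()
        findings.append({
            "parent": parent,
            "child": child,
            "writes": n,
            # A child that is a copy of the parent's own image, overwritten and
            # redirected, is the process-hollowing sub-technique of T1055.
            "technique": "process hollowing (self-image)" if same_image else "process injection (SetThreadContext)",
            "attack": "T1055.012" if same_image else "T1055",
        })
    return findings


if __name__ == "__main__":
    for f in detect_hollowing(EVENTS):
        print(f)
```

The same correlation maps directly onto Sysmon (Event ID 1 for the create, 8/10 for remote thread and process access) or EDR telemetry; the point of requiring all three steps is that WriteProcessMemory on its own is common in legitimate debuggers and installers.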
Network
MITRE ATT&CK Enterprise v15
Downloads
Filesize: 104KB
MD5: d4233fefc9328cc30b0ef014beb2f51b
SHA1: 302180a5edb1fd653d7884bb60172e6edfbbeac4
SHA256: 1827a3002964434b0acff1359241948e334148d3413312cfea326cae8f269758
SHA512: b3e19c83e631b6a8b8b0d00ab14af811519765b737f1497f27e8c3a8c3328038967dbb6095671e4095af48d6355b5f13cec20c38ef2dfb14cc2ae8e9482de4af