Analysis
max time kernel: 121s
max time network: 122s
platform: windows7_x64
resource: win7-20240215-en
resource tags: arch:x64 arch:x86 image:win7-20240215-en locale:en-us os:windows7-x64 system
submitted: 02-04-2024 03:32
Static task: static1
Behavioral task: behavioral1
Sample: 8279edc14cc42685f7fceefe384ddf0d_JaffaCakes118.exe
Resource: win7-20240215-en
General
Target: 8279edc14cc42685f7fceefe384ddf0d_JaffaCakes118.exe
Size: 389KB
MD5: 8279edc14cc42685f7fceefe384ddf0d
SHA1: d6b01e94dd1528eb364e16db7bc6a5e06a66bde6
SHA256: 5a573da6707c9373b0f49b049b07ddc21bc6976195b834473d0be2daaf52c173
SHA512: 6a1963004eb2cbfc49c48b638d70a9f7a9fa9ad24629bb78f2cdd31ad84d3a3908d707d51d88f5cb2f8acc7c9cab0725d84ca8957b3d32ea194205e3390d6f95
SSDEEP: 6144:kKq6ZZmDQ+3HwOEjhH+KU8b1Qy6mK8WRAYfnsdtGfBYmP6tKX:skoq1BTbKy6x8/vdMfBRX
Malware Config
Extracted
xloader
2.5
shjn
Signatures
Xloader payload 1 IoCs
Processes:
resource | yara_rule
behavioral1/memory/2096-11-0x0000000000400000-0x0000000000429000-memory.dmp | xloader

Suspicious use of SetThreadContext 1 IoCs
Processes:
description | pid | process | target process
PID 2132 set thread context of 2096 | 2132 | 8279edc14cc42685f7fceefe384ddf0d_JaffaCakes118.exe | 8279edc14cc42685f7fceefe384ddf0d_JaffaCakes118.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs
Processes:
pid | process
2096 | 8279edc14cc42685f7fceefe384ddf0d_JaffaCakes118.exe

Suspicious use of WriteProcessMemory 7 IoCs
Processes:
description | pid | process | target process
PID 2132 wrote to memory of 2096 | 2132 | 8279edc14cc42685f7fceefe384ddf0d_JaffaCakes118.exe | 8279edc14cc42685f7fceefe384ddf0d_JaffaCakes118.exe
PID 2132 wrote to memory of 2096 | 2132 | 8279edc14cc42685f7fceefe384ddf0d_JaffaCakes118.exe | 8279edc14cc42685f7fceefe384ddf0d_JaffaCakes118.exe
PID 2132 wrote to memory of 2096 | 2132 | 8279edc14cc42685f7fceefe384ddf0d_JaffaCakes118.exe | 8279edc14cc42685f7fceefe384ddf0d_JaffaCakes118.exe
PID 2132 wrote to memory of 2096 | 2132 | 8279edc14cc42685f7fceefe384ddf0d_JaffaCakes118.exe | 8279edc14cc42685f7fceefe384ddf0d_JaffaCakes118.exe
PID 2132 wrote to memory of 2096 | 2132 | 8279edc14cc42685f7fceefe384ddf0d_JaffaCakes118.exe | 8279edc14cc42685f7fceefe384ddf0d_JaffaCakes118.exe
PID 2132 wrote to memory of 2096 | 2132 | 8279edc14cc42685f7fceefe384ddf0d_JaffaCakes118.exe | 8279edc14cc42685f7fceefe384ddf0d_JaffaCakes118.exe
PID 2132 wrote to memory of 2096 | 2132 | 8279edc14cc42685f7fceefe384ddf0d_JaffaCakes118.exe | 8279edc14cc42685f7fceefe384ddf0d_JaffaCakes118.exe
Processes
- C:\Users\Admin\AppData\Local\Temp\8279edc14cc42685f7fceefe384ddf0d_JaffaCakes118.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\8279edc14cc42685f7fceefe384ddf0d_JaffaCakes118.exe"
  PID: 2132
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\8279edc14cc42685f7fceefe384ddf0d_JaffaCakes118.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\8279edc14cc42685f7fceefe384ddf0d_JaffaCakes118.exe"
    PID: 2096
    - Suspicious behavior: EnumeratesProcesses