Analysis
Max time kernel: 147s
Max time network: 155s
Platform: windows10-2004_x64
Resource: win10v2004-20240226-en
Resource tags: arch:x64, arch:x86, image:win10v2004-20240226-en, locale:en-us, os:windows10-2004-x64, system
Submitted: 02-04-2024 05:06
Static task: static1
Behavioral task behavioral1: sample 846d3c6c1ce0237c373de8ec0403f0e1_JaffaCakes118.exe, resource win7-20240221-en
Behavioral task behavioral2: sample 846d3c6c1ce0237c373de8ec0403f0e1_JaffaCakes118.exe, resource win10v2004-20240226-en
Behavioral task behavioral3: sample $PLUGINSDIR/envdl.dll, resource win7-20240221-en
General
Target: 846d3c6c1ce0237c373de8ec0403f0e1_JaffaCakes118.exe
Size: 256KB
MD5: 846d3c6c1ce0237c373de8ec0403f0e1
SHA1: 06fd0d16804228e0f4b50393f18d78457055a640
SHA256: 7946718754bb669d3c7a80e355a20047e3e87dbfa9446927ceb6fabab21847d1
SHA512: d630de0d71fc09327fa09d10304168ef8704e6136f78025ce8420d6c6e048a5d91803e096f8d56c46ea42fc5d3f8cbdb02d5206bb556316b5d78391205419ee0
SSDEEP: 6144:F8LxBs4OJ4RU5hy+AoHXCUqalLDsktt54JnzO7eIt:/4acZOXR7xKJzv4
Malware Config (extracted)
Family: xloader
Version: 2.5
Campaign ID: nqn4
Domains:
posadaluna.com
ztwl2000.com
cvmu.net
marvellouslles.com
tiromiesu.com
allinsqadminn.com
8straps.com
buyfood.store
jipodh.xyz
earthsidesoulalchemist.com
overiodize.xyz
weed.enterprises
minuseasy.com
konchord.com
14attrayanteoffre.com
brasbux.com
aog.group
hairuno.com
solheimdesign.com
cosmetictreat.com
datingperformance.website
woaini.website
totusnet.com
palisadestahoeresorts.com
judoclubalbigny.com
positivethingsbymarion.com
ejezeta3d.com
viar.website
qgt114.com
trust-top.net
diet-health-and-beauty.tech
anytimedryout.com
lexhire.com
blazingfastcredit.com
serenityminded.com
retirees-aa.net
futurehumandesign.net
92clavelcourt.com
primaryblohtw.top
alhudadevelopers.com
evertownnyc.net
storyconnect.tech
minecrafttop.net
wordofgod.xyz
cmledbetter.com
dromenvangers.com
thedelawarekeys.com
perfectionbyinjection.com
dehn-sso.com
alltagsentlastung.com
poradniabioetyczna.com
ayushigangwar.com
stlaurenthp.com
alsafi.website
lkdwaterfowlers.com
needaletterforfreedom.com
eco1tnpasumo3.xyz
lawsonboards.com
unapologeticlyme.net
hoshikuzu-hegemony.com
notedinvestment.website
ebikerating.com
bigbrostudios.com
ansisms.com
geefmijcorona.online
Signatures
Xloader payload (1 IoC)
  Resource: behavioral2/memory/5084-9-0x0000000000400000-0x0000000000429000-memory.dmp
  YARA rule: xloader
Loads dropped DLL (1 IoC)
  PID 1424, process 846d3c6c1ce0237c373de8ec0403f0e1_JaffaCakes118.exe
Suspicious use of SetThreadContext (1 IoC)
  PID 1424 set thread context of PID 5084; process 846d3c6c1ce0237c373de8ec0403f0e1_JaffaCakes118.exe, target process 846d3c6c1ce0237c373de8ec0403f0e1_JaffaCakes118.exe
Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
Suspicious behavior: EnumeratesProcesses (2 IoCs)
  PID 5084, process 846d3c6c1ce0237c373de8ec0403f0e1_JaffaCakes118.exe (2 identical entries)
Suspicious use of WriteProcessMemory (6 IoCs)
  PID 1424 wrote to memory of PID 5084; process 846d3c6c1ce0237c373de8ec0403f0e1_JaffaCakes118.exe, target process 846d3c6c1ce0237c373de8ec0403f0e1_JaffaCakes118.exe (6 identical entries)
Processes
C:\Users\Admin\AppData\Local\Temp\846d3c6c1ce0237c373de8ec0403f0e1_JaffaCakes118.exe "C:\Users\Admin\AppData\Local\Temp\846d3c6c1ce0237c373de8ec0403f0e1_JaffaCakes118.exe" (PID 1424)
  - Loads dropped DLL
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  C:\Users\Admin\AppData\Local\Temp\846d3c6c1ce0237c373de8ec0403f0e1_JaffaCakes118.exe "C:\Users\Admin\AppData\Local\Temp\846d3c6c1ce0237c373de8ec0403f0e1_JaffaCakes118.exe" (PID 5084)
    - Suspicious behavior: EnumeratesProcesses
Network
MITRE ATT&CK Enterprise v15
Downloads
Filesize: 21KB
MD5: 4a7f4f8dddc69b711134773bc01482c5
SHA1: 7c3e00bfff4bcfaf2ccdce971cd247f7be3cdb0f
SHA256: d12d71c87dbbe93303a1402e368e5e8827d512aa54bae78347077ca468abdbc6
SHA512: 19548dd1400535a606c1d6d82f7b9e6c41ecfedbeed269c7e62009f60fff12a96a24c837e8332e31d529b0a81e09e1ac470c1b7b500cc39fccae23cae12b8e2a