Analysis
max time kernel: 148s
max time network: 126s
platform: windows7_x64
resource: win7-20240221-en
resource tags: arch:x64 arch:x86 image:win7-20240221-en locale:en-us os:windows7-x64 system
submitted: 02-04-2024 05:06
Static task: static1
Behavioral task: behavioral1
  Sample: 846d3c6c1ce0237c373de8ec0403f0e1_JaffaCakes118.exe
  Resource: win7-20240221-en
Behavioral task: behavioral2
  Sample: 846d3c6c1ce0237c373de8ec0403f0e1_JaffaCakes118.exe
  Resource: win10v2004-20240226-en
Behavioral task: behavioral3
  Sample: $PLUGINSDIR/envdl.dll
  Resource: win7-20240221-en
General
Target: $PLUGINSDIR/envdl.dll
Size: 21KB
MD5: 4a7f4f8dddc69b711134773bc01482c5
SHA1: 7c3e00bfff4bcfaf2ccdce971cd247f7be3cdb0f
SHA256: d12d71c87dbbe93303a1402e368e5e8827d512aa54bae78347077ca468abdbc6
SHA512: 19548dd1400535a606c1d6d82f7b9e6c41ecfedbeed269c7e62009f60fff12a96a24c837e8332e31d529b0a81e09e1ac470c1b7b500cc39fccae23cae12b8e2a
SSDEEP: 384:jnM0lcYC8SkzLuFhmRWxENbU1UpqrT5JHrqH+OC:jM0+YfSkzLuFjIwW6nHrd
Malware Config
Extracted
Family: xloader
Version: 2.5
Campaign: nqn4
Signatures

Xloader payload (4 IoCs)
Processes:
  resource                                                                      yara_rule
  behavioral3/memory/2560-1-0x0000000000400000-0x0000000000429000-memory.dmp    xloader
  behavioral3/memory/2560-5-0x0000000000400000-0x0000000000429000-memory.dmp    xloader
  behavioral3/memory/2516-11-0x0000000000080000-0x00000000000A9000-memory.dmp   xloader
  behavioral3/memory/2516-13-0x0000000000080000-0x00000000000A9000-memory.dmp   xloader

Suspicious use of SetThreadContext (3 IoCs)
Processes:
  description                           pid   process       target process
  PID 2720 set thread context of 2560   2720  rundll32.exe  rundll32.exe
  PID 2560 set thread context of 1204   2560  rundll32.exe  Explorer.EXE
  PID 2516 set thread context of 1204   2516  NETSTAT.EXE   Explorer.EXE

Gathers network information (2 TTPs, 1 IoCs)
Uses commandline utility to view network configuration.
Processes:
  pid   process
  2516  NETSTAT.EXE

Suspicious behavior: EnumeratesProcesses (31 IoCs)
Processes:
  pid   process       count
  2560  rundll32.exe  2
  2516  NETSTAT.EXE   29

Suspicious behavior: MapViewOfSection (5 IoCs)
Processes:
  pid   process       count
  2560  rundll32.exe  3
  2516  NETSTAT.EXE   2

Suspicious use of AdjustPrivilegeToken (2 IoCs)
Processes:
  description              pid   process
  Token: SeDebugPrivilege  2560  rundll32.exe
  Token: SeDebugPrivilege  2516  NETSTAT.EXE

Suspicious use of WriteProcessMemory (25 IoCs)
Processes:
  description                        pid   process       target process  count
  PID 2456 wrote to memory of 2720   2456  rundll32.exe  rundll32.exe    7
  PID 2720 wrote to memory of 2560   2720  rundll32.exe  rundll32.exe    10
  PID 1204 wrote to memory of 2516   1204  Explorer.EXE  NETSTAT.EXE     4
  PID 2516 wrote to memory of 2684   2516  NETSTAT.EXE   cmd.exe         4
Processes

C:\Windows\Explorer.EXE (PID 1204)
  Command line: C:\Windows\Explorer.EXE
  - Suspicious use of WriteProcessMemory

  C:\Windows\system32\rundll32.exe (PID 2456)
    Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\envdl.dll,#1
    - Suspicious use of WriteProcessMemory

    C:\Windows\SysWOW64\rundll32.exe (PID 2720)
      Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\envdl.dll,#1
      - Suspicious use of SetThreadContext
      - Suspicious use of WriteProcessMemory

      C:\Windows\SysWOW64\rundll32.exe (PID 2560)
        Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\envdl.dll,#1
        - Suspicious use of SetThreadContext
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious behavior: MapViewOfSection
        - Suspicious use of AdjustPrivilegeToken

  C:\Windows\SysWOW64\NETSTAT.EXE (PID 2516)
    Command line: "C:\Windows\SysWOW64\NETSTAT.EXE"
    - Suspicious use of SetThreadContext
    - Gathers network information
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory

    C:\Windows\SysWOW64\cmd.exe (PID 2684)
      Command line: /c del "C:\Windows\SysWOW64\rundll32.exe"