Analysis
max time kernel: 149s
max time network: 153s
platform: windows10-2004_x64
resource: win10v2004-20240226-en
resource tags: arch:x64 arch:x86 image:win10v2004-20240226-en locale:en-us os:windows10-2004-x64 system
submitted: 02-04-2024 05:06
Static task: static1
Behavioral task: behavioral1
  Sample: 846d3c6c1ce0237c373de8ec0403f0e1_JaffaCakes118.exe
  Resource: win7-20240221-en
Behavioral task: behavioral2
  Sample: 846d3c6c1ce0237c373de8ec0403f0e1_JaffaCakes118.exe
  Resource: win10v2004-20240226-en
Behavioral task: behavioral3
  Sample: $PLUGINSDIR/envdl.dll
  Resource: win7-20240221-en
General
Target: $PLUGINSDIR/envdl.dll
Size: 21KB
MD5: 4a7f4f8dddc69b711134773bc01482c5
SHA1: 7c3e00bfff4bcfaf2ccdce971cd247f7be3cdb0f
SHA256: d12d71c87dbbe93303a1402e368e5e8827d512aa54bae78347077ca468abdbc6
SHA512: 19548dd1400535a606c1d6d82f7b9e6c41ecfedbeed269c7e62009f60fff12a96a24c837e8332e31d529b0a81e09e1ac470c1b7b500cc39fccae23cae12b8e2a
SSDEEP: 384:jnM0lcYC8SkzLuFhmRWxENbU1UpqrT5JHrqH+OC:jM0+YfSkzLuFjIwW6nHrd
Malware Config
Extracted: xloader 2.5, campaign nqn4
Signatures

Xloader payload 4 IoCs
Processes (resource, yara_rule):
  behavioral4/memory/2360-1-0x0000000000400000-0x0000000000429000-memory.dmp  xloader
  behavioral4/memory/2360-5-0x0000000000400000-0x0000000000429000-memory.dmp  xloader
  behavioral4/memory/5092-11-0x00000000006B0000-0x00000000006D9000-memory.dmp  xloader
  behavioral4/memory/5092-13-0x00000000006B0000-0x00000000006D9000-memory.dmp  xloader
Suspicious use of SetThreadContext 3 IoCs
Processes (description, pid, process, target process):
  PID 4532 set thread context of 2360  4532 rundll32.exe -> rundll32.exe
  PID 2360 set thread context of 3420  2360 rundll32.exe -> Explorer.EXE
  PID 5092 set thread context of 3420  5092 rundll32.exe -> Explorer.EXE
Suspicious behavior: EnumeratesProcesses 60 IoCs
Processes (pid, process):
  2360 rundll32.exe (4 entries)
  5092 rundll32.exe (remaining 56 entries)
Suspicious behavior: MapViewOfSection 5 IoCs
Processes (pid, process):
  2360 rundll32.exe (3 entries)
  5092 rundll32.exe (2 entries)
Suspicious use of AdjustPrivilegeToken 2 IoCs
Processes (description, pid, process):
  Token: SeDebugPrivilege  2360 rundll32.exe
  Token: SeDebugPrivilege  5092 rundll32.exe
Suspicious use of UnmapMainImage 1 IoCs
Processes (pid, process):
  3420 Explorer.EXE
Suspicious use of WriteProcessMemory 15 IoCs
Processes (description, pid, process, target process):
  PID 1124 wrote to memory of 4532  1124 rundll32.exe -> rundll32.exe (3 entries)
  PID 4532 wrote to memory of 2360  4532 rundll32.exe -> rundll32.exe (6 entries)
  PID 3420 wrote to memory of 5092  3420 Explorer.EXE -> rundll32.exe (3 entries)
  PID 5092 wrote to memory of 448   5092 rundll32.exe -> cmd.exe (3 entries)
Processes

C:\Windows\Explorer.EXE
  Command line: C:\Windows\Explorer.EXE
  - Suspicious use of UnmapMainImage
  - Suspicious use of WriteProcessMemory
  PID:3420

  C:\Windows\system32\rundll32.exe
    Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\envdl.dll,#1
    - Suspicious use of WriteProcessMemory
    PID:1124

    C:\Windows\SysWOW64\rundll32.exe
      Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\envdl.dll,#1
      - Suspicious use of SetThreadContext
      - Suspicious use of WriteProcessMemory
      PID:4532

      C:\Windows\SysWOW64\rundll32.exe
        Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\envdl.dll,#1
        - Suspicious use of SetThreadContext
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious behavior: MapViewOfSection
        - Suspicious use of AdjustPrivilegeToken
        PID:2360

  C:\Windows\SysWOW64\rundll32.exe
    Command line: "C:\Windows\SysWOW64\rundll32.exe"
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:5092

    C:\Windows\SysWOW64\cmd.exe
      Command line: /c del "C:\Windows\SysWOW64\rundll32.exe"
      PID:448