Analysis
-
max time kernel
119s -
max time network
123s -
platform
windows7_x64 -
resource
win7-20240221-en -
resource tags
arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system -
submitted
02-04-2024 16:56
Static task
static1
Behavioral task
behavioral1
Sample
920e626bea0e4949daea75e2a332f481_JaffaCakes118.exe
Resource
win7-20240221-en
General
-
Target
920e626bea0e4949daea75e2a332f481_JaffaCakes118.exe
-
Size
559KB
-
MD5
920e626bea0e4949daea75e2a332f481
-
SHA1
2d82ef86265c1e490744b53de82dc9be163192a7
-
SHA256
08040f352684d740d9fa767c3315fb1636394dec01f35abe84ad7116cd735fb4
-
SHA512
035ad5fe790eff621e5f1b1ded413fec6a2b0af1cbf71c5db33a026ca2a74b5ff3a2e1a05319927d603c64fb7d7403081e5961d3bafd69b56facff1ebb3c3f01
-
SSDEEP
12288:EESo0nmHTrkIv/+p8OD4WnmOQVZMXfK4La/oc13:EESZmHTQIvmp/FnmOGY7LWJ
Malware Config
Extracted
xloader
2.5
hu8c
aliceso.photography
exploitslozdz.xyz
chokefirmbeauty.com
sapix-usa.com
perfectioncheergym.com
igfo.xyz
xc6686.com
aclproreubensnyder.com
xn--bin-2k4mp34c09iwiz.com
daumien.com
atlanticuniombank.com
ookawa.club
cherrywoodranchvacationhome.com
s6gfec.com
ryo-toolset.store
talltailfishing.com
creativelyaustin.com
xn--nqv986be9r.com
grpgg2021.space
michaelsarcona.com
bicoastaldistribution.com
trudssttracking.com
neremont.design
royalluxextensions.com
osmaniyeescortbayan.xyz
10vector.solutions
gfsolutionsgroup.com
wpalpine.com
biombos.store
dividendoylibertad.com
littleeduventuras.com
bestofthehamptons.guide
pkglamsquad.com
texastitlepros.com
badeajans.xyz
fegarbi.com
marketobserve.com
flexogrow.com
uopcreative.com
mendixprogrammer.com
wq7777.club
nftfashionrewards.com
jiafang.show
merchantsimplicity.net
onlinehealthusa.com
insurancesolutionsgroupllc.com
fermers.club
smartsew.online
newalchemi.com
qtr7.com
mentorhrservices.com
wooodamnpig.com
vavaton.com
exaunit.com
repacckeagereredrilevrey.xyz
tksartspace.com
furebotnmedia.com
5145td.com
homewebmailz.com
cobere9.com
ejevisual.com
happilyfilms.info
avaloniq.com
paypfall.store
yoruba.loan
Signatures
-
Xloader payload 1 IoCs
Processes:
resource yara_rule behavioral1/memory/2932-13-0x0000000000400000-0x0000000000429000-memory.dmp xloader -
Suspicious use of SetThreadContext 1 IoCs
Processes:
920e626bea0e4949daea75e2a332f481_JaffaCakes118.exedescription pid process target process PID 2488 set thread context of 2932 2488 920e626bea0e4949daea75e2a332f481_JaffaCakes118.exe 920e626bea0e4949daea75e2a332f481_JaffaCakes118.exe -
Suspicious behavior: EnumeratesProcesses 1 IoCs
Processes:
920e626bea0e4949daea75e2a332f481_JaffaCakes118.exepid process 2932 920e626bea0e4949daea75e2a332f481_JaffaCakes118.exe -
Suspicious use of WriteProcessMemory 7 IoCs
Processes:
920e626bea0e4949daea75e2a332f481_JaffaCakes118.exedescription pid process target process PID 2488 wrote to memory of 2932 2488 920e626bea0e4949daea75e2a332f481_JaffaCakes118.exe 920e626bea0e4949daea75e2a332f481_JaffaCakes118.exe PID 2488 wrote to memory of 2932 2488 920e626bea0e4949daea75e2a332f481_JaffaCakes118.exe 920e626bea0e4949daea75e2a332f481_JaffaCakes118.exe PID 2488 wrote to memory of 2932 2488 920e626bea0e4949daea75e2a332f481_JaffaCakes118.exe 920e626bea0e4949daea75e2a332f481_JaffaCakes118.exe PID 2488 wrote to memory of 2932 2488 920e626bea0e4949daea75e2a332f481_JaffaCakes118.exe 920e626bea0e4949daea75e2a332f481_JaffaCakes118.exe PID 2488 wrote to memory of 2932 2488 920e626bea0e4949daea75e2a332f481_JaffaCakes118.exe 920e626bea0e4949daea75e2a332f481_JaffaCakes118.exe PID 2488 wrote to memory of 2932 2488 920e626bea0e4949daea75e2a332f481_JaffaCakes118.exe 920e626bea0e4949daea75e2a332f481_JaffaCakes118.exe PID 2488 wrote to memory of 2932 2488 920e626bea0e4949daea75e2a332f481_JaffaCakes118.exe 920e626bea0e4949daea75e2a332f481_JaffaCakes118.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\920e626bea0e4949daea75e2a332f481_JaffaCakes118.exe"C:\Users\Admin\AppData\Local\Temp\920e626bea0e4949daea75e2a332f481_JaffaCakes118.exe"1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:2488 -
C:\Users\Admin\AppData\Local\Temp\920e626bea0e4949daea75e2a332f481_JaffaCakes118.exe"C:\Users\Admin\AppData\Local\Temp\920e626bea0e4949daea75e2a332f481_JaffaCakes118.exe"2⤵
- Suspicious behavior: EnumeratesProcesses
PID:2932