Analysis

max time kernel: 121s
max time network: 125s
platform: windows7_x64
resource: win7-20240221-en
resource tags: arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
submitted: 03-04-2024 22:29

Static task: static1
Behavioral task: behavioral1
Sample: a86077cd62754805e944847a8b1aa517_JaffaCakes118.exe
Resource: win7-20240221-en

General

Target: a86077cd62754805e944847a8b1aa517_JaffaCakes118.exe
Size: 661KB
MD5: a86077cd62754805e944847a8b1aa517
SHA1: dbbc4011685d364691ad33c3f0dd9e00f3a45792
SHA256: 64b041387c3c512a5b43c2a1d811b35f18f4d537c522dafb7b3e736912907426
SHA512: accca83b3f7d31f41a67b90e9e3003a2d4bf985e9a5317aa7d22161f8aee19af62313ad4efd7b8f484af469c81eca66fbc7e934a836defbbb908df41e4c6ea07
SSDEEP: 12288:5j9+hvnUi0k7EU29NE9CO95RCTssx6yeh5PLSkZ:HGvUiL7DBb4TsLyeh5PL
Malware Config

Extracted
Family: xloader
Version: 2.5
Campaign: i6rd
Signatures

Xloader payload (1 IoC)
  resource: behavioral1/memory/2628-13-0x0000000000400000-0x0000000000429000-memory.dmp
  yara_rule: xloader

Suspicious use of SetThreadContext (1 IoC)
  description: set thread context
  pid: 1220 (a86077cd62754805e944847a8b1aa517_JaffaCakes118.exe)
  target pid: 2628 (a86077cd62754805e944847a8b1aa517_JaffaCakes118.exe)

Suspicious behavior: EnumeratesProcesses (1 IoC)
  pid: 2628 (a86077cd62754805e944847a8b1aa517_JaffaCakes118.exe)

Suspicious use of WriteProcessMemory (7 IoCs)
  description: wrote to memory
  pid: 1220 (a86077cd62754805e944847a8b1aa517_JaffaCakes118.exe)
  target pid: 2628 (a86077cd62754805e944847a8b1aa517_JaffaCakes118.exe)
  (the same source/target pair is reported for all 7 IoCs)
Processes

1. C:\Users\Admin\AppData\Local\Temp\a86077cd62754805e944847a8b1aa517_JaffaCakes118.exe
   command line: "C:\Users\Admin\AppData\Local\Temp\a86077cd62754805e944847a8b1aa517_JaffaCakes118.exe"
   PID: 1220
   - Suspicious use of SetThreadContext
   - Suspicious use of WriteProcessMemory

   2. C:\Users\Admin\AppData\Local\Temp\a86077cd62754805e944847a8b1aa517_JaffaCakes118.exe
      command line: "C:\Users\Admin\AppData\Local\Temp\a86077cd62754805e944847a8b1aa517_JaffaCakes118.exe"
      PID: 2628
      - Suspicious behavior: EnumeratesProcesses