Analysis

max time kernel: 91s
max time network: 133s
platform: windows10-2004_x64
resource: win10v2004-20231215-en
resource tags: arch:x64, arch:x86, image:win10v2004-20231215-en, locale:en-us, os:windows10-2004-x64, system
submitted: 03-04-2024 22:29
Static task: static1
Behavioral task: behavioral1
Sample: a86077cd62754805e944847a8b1aa517_JaffaCakes118.exe
Resource: win7-20240221-en
General

Target: a86077cd62754805e944847a8b1aa517_JaffaCakes118.exe
Size: 661KB
MD5: a86077cd62754805e944847a8b1aa517
SHA1: dbbc4011685d364691ad33c3f0dd9e00f3a45792
SHA256: 64b041387c3c512a5b43c2a1d811b35f18f4d537c522dafb7b3e736912907426
SHA512: accca83b3f7d31f41a67b90e9e3003a2d4bf985e9a5317aa7d22161f8aee19af62313ad4efd7b8f484af469c81eca66fbc7e934a836defbbb908df41e4c6ea07
SSDEEP: 12288:5j9+hvnUi0k7EU29NE9CO95RCTssx6yeh5PLSkZ:HGvUiL7DBb4TsLyeh5PL
Malware Config (extracted)

Family: xloader
Version: 2.5
Campaign: i6rd
Decoy domains:
ritotvmount.xyz
szxhpfk.com
yatakturkiye.com
belugacdn.xyz
doralopen.com
gongzyrxzlhurhhhvdclmddi.store
lyvconsulting.com
it-pampering.com
weerwi.com
phdelivery1.store
neofluentsurf.com
lainsurance.xyz
ietaricardocastellarbarrios.com
despachantemedeiros.digital
madnext.online
serenity.holdings
rfvb.club
nickroche.online
hnjst.net
wolkeverts.quest
threepercentapparelllc.com
redstaterevival.com
fortunetomb.com
playfunarena.com
spares245.com
dot925.com
moukse.com
4h0.space
0205168.com
canoliveoilgobad.info
7874515.com
babysecurity.online
grenaliacikinihotel.xyz
znffutve.net
play-to-escape.com
crumplepkljfl.xyz
apostolicbusinesses.com
drmorakchungna.com
tantrapremmoksha.com
ivebeenalone.xyz
newonedrivedocc.com
psmdt.com
clashgame.com
red24bags.com
serviciosgeneralesjba.online
puyallupapartment.com
gzfj888.com
swalayan.digital
marmywordsclo.com
skykiss.one
berylgrote.top
tourparadice.com
arrhythmics.online
lapetiteagencequimonte.com
teamalpha-jaal.com
legalnewsreach.com
blueeyesnewsoutlook.com
goldener-adler-automobile.club
carsonstanford.net
rjrctr.com
laced.xyz
lenyleon.com
calvetpau.store
thebiggreen.today
csuiteweekly.com
Signatures

Xloader payload (1 IoC)
  resource: behavioral2/memory/4140-11-0x0000000000400000-0x0000000000429000-memory.dmp
  yara_rule: xloader

Suspicious use of SetThreadContext (1 IoC)
  PID 1680 set thread context of 4140
    process: a86077cd62754805e944847a8b1aa517_JaffaCakes118.exe (pid 1680)
    target process: a86077cd62754805e944847a8b1aa517_JaffaCakes118.exe (pid 4140)

Suspicious behavior: EnumeratesProcesses (4 IoCs)
  pid 1680  a86077cd62754805e944847a8b1aa517_JaffaCakes118.exe
  pid 1680  a86077cd62754805e944847a8b1aa517_JaffaCakes118.exe
  pid 4140  a86077cd62754805e944847a8b1aa517_JaffaCakes118.exe
  pid 4140  a86077cd62754805e944847a8b1aa517_JaffaCakes118.exe

Suspicious use of AdjustPrivilegeToken (1 IoC)
  Token: SeDebugPrivilege
    process: a86077cd62754805e944847a8b1aa517_JaffaCakes118.exe (pid 1680)

Suspicious use of WriteProcessMemory (9 IoCs)
  source process: a86077cd62754805e944847a8b1aa517_JaffaCakes118.exe (pid 1680)
  target process: a86077cd62754805e944847a8b1aa517_JaffaCakes118.exe (pid 2624 or 4140)
  PID 1680 wrote to memory of 2624
  PID 1680 wrote to memory of 2624
  PID 1680 wrote to memory of 2624
  PID 1680 wrote to memory of 4140
  PID 1680 wrote to memory of 4140
  PID 1680 wrote to memory of 4140
  PID 1680 wrote to memory of 4140
  PID 1680 wrote to memory of 4140
  PID 1680 wrote to memory of 4140
Processes

C:\Users\Admin\AppData\Local\Temp\a86077cd62754805e944847a8b1aa517_JaffaCakes118.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\a86077cd62754805e944847a8b1aa517_JaffaCakes118.exe"
  PID: 1680
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory

  child: C:\Users\Admin\AppData\Local\Temp\a86077cd62754805e944847a8b1aa517_JaffaCakes118.exe
    command line: "C:\Users\Admin\AppData\Local\Temp\a86077cd62754805e944847a8b1aa517_JaffaCakes118.exe"
    PID: 2624

  child: C:\Users\Admin\AppData\Local\Temp\a86077cd62754805e944847a8b1aa517_JaffaCakes118.exe
    command line: "C:\Users\Admin\AppData\Local\Temp\a86077cd62754805e944847a8b1aa517_JaffaCakes118.exe"
    PID: 4140
    - Suspicious behavior: EnumeratesProcesses