Analysis
max time kernel: 117s
max time network: 119s
platform: windows7_x64
resource: win7-20240215-en
resource tags: arch:x64 arch:x86 image:win7-20240215-en locale:en-us os:windows7-x64 system
submitted: 03-04-2024 00:01
Static task: static1
Behavioral task: behavioral1
Sample: 9aad1149c17535bf37fe98c564958ef6_JaffaCakes118.exe
Resource: win7-20240215-en
General
Target: 9aad1149c17535bf37fe98c564958ef6_JaffaCakes118.exe
Size: 344KB
MD5: 9aad1149c17535bf37fe98c564958ef6
SHA1: 47e9710ccdef23f1b45dcc2d459148461359462a
SHA256: def69bd673ae57b70c20087596b787eb27c1f0da7053ba2991e87cf7f032c43c
SHA512: 44a8dc3abd400c2a5ce04717a14fd349a1b6a55ad4da9d1c218d31cb15acbcde714a05084b8416e6e3b2eeb09f1614185b18bfd08d308b1cdbc27ed8507d0d55
SSDEEP: 6144:VbqYJkNHwD3sLJCLI9d6yPzQWptHSYbTvZC0NRO87UzJXo3Nj1:VHSNUAC4dtHrAH8Y14v
Malware Config
Extracted: xloader, version 2.3, ssee
Signatures
Xloader payload (1 IoC)
  resource: behavioral1/memory/2800-12-0x0000000000400000-0x0000000000429000-memory.dmp, yara_rule: xloader
Suspicious use of SetThreadContext (1 IoC)
  PID 2084 (9aad1149c17535bf37fe98c564958ef6_JaffaCakes118.exe) set thread context of PID 2800 (9aad1149c17535bf37fe98c564958ef6_JaffaCakes118.exe)
Suspicious behavior: EnumeratesProcesses (1 IoC)
  PID 2800 (9aad1149c17535bf37fe98c564958ef6_JaffaCakes118.exe)
Suspicious use of SetWindowsHookEx (2 IoCs)
  PID 2084 (9aad1149c17535bf37fe98c564958ef6_JaffaCakes118.exe), 2 entries
Suspicious use of WriteProcessMemory (7 IoCs)
  PID 2084 (9aad1149c17535bf37fe98c564958ef6_JaffaCakes118.exe) wrote to memory of PID 2800 (9aad1149c17535bf37fe98c564958ef6_JaffaCakes118.exe), 7 identical entries
Processes
1. C:\Users\Admin\AppData\Local\Temp\9aad1149c17535bf37fe98c564958ef6_JaffaCakes118.exe "C:\Users\Admin\AppData\Local\Temp\9aad1149c17535bf37fe98c564958ef6_JaffaCakes118.exe" (PID 2084)
   - Suspicious use of SetThreadContext
   - Suspicious use of SetWindowsHookEx
   - Suspicious use of WriteProcessMemory
   2. C:\Users\Admin\AppData\Local\Temp\9aad1149c17535bf37fe98c564958ef6_JaffaCakes118.exe "C:\Users\Admin\AppData\Local\Temp\9aad1149c17535bf37fe98c564958ef6_JaffaCakes118.exe" (PID 2800, child of PID 2084)
      - Suspicious behavior: EnumeratesProcesses