Analysis Overview
SHA256
def69bd673ae57b70c20087596b787eb27c1f0da7053ba2991e87cf7f032c43c
Threat Level: Known bad
The file 9aad1149c17535bf37fe98c564958ef6_JaffaCakes118 was found to be: Known bad.
Malicious Activity Summary
Xloader
Xloader payload
Suspicious use of SetThreadContext
Unsigned PE
Suspicious behavior: EnumeratesProcesses
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Analysis: static1
Detonation Overview
Reported: 2024-04-03 00:02
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted: 2024-04-03 00:01
Reported: 2024-04-03 00:04
Platform: win7-20240215-en
Max time kernel: 117s
Max time network: 119s
Command Line
Signatures
Xloader
Xloader payload
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| PID 2084 set thread context of 2800 | N/A | C:\Users\Admin\AppData\Local\Temp\9aad1149c17535bf37fe98c564958ef6_JaffaCakes118.exe | C:\Users\Admin\AppData\Local\Temp\9aad1149c17535bf37fe98c564958ef6_JaffaCakes118.exe |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\9aad1149c17535bf37fe98c564958ef6_JaffaCakes118.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\9aad1149c17535bf37fe98c564958ef6_JaffaCakes118.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\9aad1149c17535bf37fe98c564958ef6_JaffaCakes118.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\9aad1149c17535bf37fe98c564958ef6_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\9aad1149c17535bf37fe98c564958ef6_JaffaCakes118.exe"
C:\Users\Admin\AppData\Local\Temp\9aad1149c17535bf37fe98c564958ef6_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\9aad1149c17535bf37fe98c564958ef6_JaffaCakes118.exe"
Network
Files
memory/2084-0-0x0000000000A40000-0x0000000000A9C000-memory.dmp
memory/2084-1-0x0000000074270000-0x000000007495E000-memory.dmp
memory/2084-2-0x0000000004510000-0x0000000004550000-memory.dmp
memory/2084-3-0x0000000004510000-0x0000000004550000-memory.dmp
memory/2084-4-0x00000000009F0000-0x00000000009FE000-memory.dmp
memory/2084-5-0x0000000074270000-0x000000007495E000-memory.dmp
memory/2084-6-0x0000000004510000-0x0000000004550000-memory.dmp
memory/2084-7-0x00000000086B0000-0x0000000008702000-memory.dmp
memory/2800-8-0x0000000000400000-0x0000000000429000-memory.dmp
memory/2800-9-0x0000000000400000-0x0000000000429000-memory.dmp
memory/2800-10-0x000000007EFDE000-0x000000007EFDF000-memory.dmp
memory/2800-12-0x0000000000400000-0x0000000000429000-memory.dmp
memory/2084-13-0x0000000074270000-0x000000007495E000-memory.dmp
memory/2800-14-0x0000000000AA0000-0x0000000000DA3000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted: 2024-04-03 00:01
Reported: 2024-04-03 00:04
Platform: win10v2004-20231215-en
Max time kernel: 91s
Max time network: 121s
Command Line
Signatures
Xloader
Xloader payload
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| PID 4960 set thread context of 5284 | N/A | C:\Users\Admin\AppData\Local\Temp\9aad1149c17535bf37fe98c564958ef6_JaffaCakes118.exe | C:\Users\Admin\AppData\Local\Temp\9aad1149c17535bf37fe98c564958ef6_JaffaCakes118.exe |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\9aad1149c17535bf37fe98c564958ef6_JaffaCakes118.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\9aad1149c17535bf37fe98c564958ef6_JaffaCakes118.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\9aad1149c17535bf37fe98c564958ef6_JaffaCakes118.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\9aad1149c17535bf37fe98c564958ef6_JaffaCakes118.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\9aad1149c17535bf37fe98c564958ef6_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\9aad1149c17535bf37fe98c564958ef6_JaffaCakes118.exe"
C:\Users\Admin\AppData\Local\Temp\9aad1149c17535bf37fe98c564958ef6_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\9aad1149c17535bf37fe98c564958ef6_JaffaCakes118.exe"
Network
| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| US | 8.8.8.8:53 | 217.106.137.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 78.117.19.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 79.121.231.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 20.160.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 133.211.185.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 104.219.191.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 103.169.127.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 152.33.115.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 18.31.95.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 36.56.20.217.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 48.229.111.52.in-addr.arpa | udp |
Files
memory/4960-1-0x0000000074670000-0x0000000074E20000-memory.dmp
memory/4960-0-0x0000000000250000-0x00000000002AC000-memory.dmp
memory/4960-2-0x00000000050E0000-0x0000000005684000-memory.dmp
memory/4960-3-0x0000000004BD0000-0x0000000004C62000-memory.dmp
memory/4960-4-0x0000000002680000-0x0000000002690000-memory.dmp
memory/4960-5-0x0000000004B40000-0x0000000004B4A000-memory.dmp
memory/4960-6-0x0000000002680000-0x0000000002690000-memory.dmp
memory/4960-7-0x00000000080D0000-0x00000000080DE000-memory.dmp
memory/4960-8-0x0000000074670000-0x0000000074E20000-memory.dmp
memory/4960-9-0x0000000002680000-0x0000000002690000-memory.dmp
memory/4960-10-0x0000000002680000-0x0000000002690000-memory.dmp
memory/4960-11-0x0000000002680000-0x0000000002690000-memory.dmp
memory/4960-12-0x0000000008780000-0x000000000881C000-memory.dmp
memory/4960-13-0x00000000088C0000-0x0000000008912000-memory.dmp
memory/5284-14-0x0000000000400000-0x0000000000429000-memory.dmp
memory/4960-16-0x0000000074670000-0x0000000074E20000-memory.dmp
memory/5284-17-0x0000000001580000-0x00000000018CA000-memory.dmp