Analysis

max time kernel: 89s
max time network: 149s
platform: windows10-2004_x64
resource: win10v2004-20231215-en
resource tags: arch:x64, arch:x86, image:win10v2004-20231215-en, locale:en-us, os:windows10-2004-x64, system
submitted: 03-04-2024 01:38

Static task: static1
Behavioral task: behavioral1
Sample: 9c990c091e85d7c7530e8b3c3e1631f9_JaffaCakes118.exe
Resource: win7-20240221-en
General

Target: 9c990c091e85d7c7530e8b3c3e1631f9_JaffaCakes118.exe
Size: 480KB
MD5: 9c990c091e85d7c7530e8b3c3e1631f9
SHA1: 9db0555370cc85e5bd4194e267d84768910d8ac5
SHA256: 784425a3324d90d5d4028f545c946ac1b39eacd8875f6f182417e9e8621a5e0a
SHA512: f077753d9e7dc4a6d12f93131a0849f0855ff0b1a1c2534ce401b4e3ce8e1a8df66f3bbc0c1829199b614193e36ba5e8b8ed4f17bba2f2177278c353eb1d61ca
SSDEEP: 12288:2XZ8E2OZXGBaepXdDcUu5GPxR4jqH8OQlTD:2ZDVEaepXdTBPHQ
Malware Config

Extracted
Family: xloader
Version: 2.5
Campaign ID: bkqi
Domains: the 65 entries below are the configuration's domain list. In XLoader most of these are decoys that the bot contacts alongside its real C2 to hide it, so use them as hunting indicators rather than as a block list.
woodbridgelearninglab.com
kalexandynle.xyz
hallibrewerproductions.com
cuevasconencanto.com
starfishexuma.com
douwuba.com
dexandrue.com
aprendes.academy
enderisler.com
alstartnpasumo6.xyz
3dysp.com
myhousesfit.com
thousandoaks-jaglr.com
ikeg-ger.xyz
yuzhou-shen.com
enohydra.com
lesentreprisesgerco.com
fivem-exotic.xyz
soarlend.com
deuxcentsept.com
bbellitia.com
nasshope.net
emasign.com
ksa-onlinetravel.com
auotomoney.com
globalcovidalliance.net
theorigins.xyz
fengshuo99.com
lly03toyof4.xyz
thelifenegotiator.com
sexytessa.com
i8s3.com
mendingplace.net
ddnnaoto.com
lumichargeinfo.com
ehs68.com
digitalfiattrading.com
comouv.com
cunnters.com
bomboninc.com
singeme.com
bnbape.com
wjslhj.com
esiroyuncu.com
99101.net
metagforce.club
odavideo.xyz
strantexop.com
id-214381.store
geektranslate.com
ddpuertorico.com
monespacesanitaire.com
33sexy.com
vitrerie75016.net
tanisan.cloud
vwdtransportllc.com
nnw.photography
covid19.kim
accraacaalumni.com
moleculairescents.com
espeeusa.xyz
terravillaliberia.com
prakunyukmai.com
tennesseewagering.com
phdwiser.com
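Because a single lookup of one listed domain may be nothing more than a visit to a decoy, the useful network signal is one host resolving several of these unrelated domains within a short window, which is what XLoader's beaconing looks like from the resolver. The script below is an added example written for this report, not sandbox or XLoader code: it reads a constructed DNS query log (timestamp, client, queried name; the format is the example's own), maps each name to the config domain it falls under, and flags clients whose distinct config-domain lookups inside a two-minute window reach a threshold. Only a subset of the list above is embedded to keep the block short.

```python
"""Flag hosts that resolve several XLoader config domains in a short window.

Added example for this report, not part of the sandbox output. The log
format and the thresholds are assumptions chosen for the example.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Subset of the domains from the extracted config (full list above).
CONFIG_DOMAINS = {
    "woodbridgelearninglab.com", "kalexandynle.xyz", "hallibrewerproductions.com",
    "cuevasconencanto.com", "starfishexuma.com", "douwuba.com", "dexandrue.com",
    "aprendes.academy", "enderisler.com", "alstartnpasumo6.xyz",
}

# Constructed DNS query log: "<ISO timestamp> <client> <qname>" per line.
# 10.0.0.5 shows the beacon burst; 10.0.0.9 touches two domains 45 minutes apart.
SAMPLE_LOG = """\
2024-04-03T01:40:01 10.0.0.5 www.microsoft.com
2024-04-03T01:40:02 10.0.0.5 www.woodbridgelearninglab.com
2024-04-03T01:40:03 10.0.0.5 www.kalexandynle.xyz
2024-04-03T01:40:04 10.0.0.5 www.hallibrewerproductions.com
2024-04-03T01:40:05 10.0.0.5 www.cuevasconencanto.com
2024-04-03T01:40:06 10.0.0.5 www.starfishexuma.com
2024-04-03T01:45:00 10.0.0.9 aprendes.academy
2024-04-03T02:30:00 10.0.0.9 enderisler.com
"""


def config_domain(qname: str):
    """Return the config domain that qname equals or is a subdomain of, else None."""
    labels = qname.lower().rstrip(".").split(".")
    for i in range(len(labels) - 1):
        candidate = ".".join(labels[i:])
        if candidate in CONFIG_DOMAINS:
            return candidate
    return None


def parse_log(text: str):
    """Parse the constructed log into (timestamp, client, qname) tuples."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, client, qname = line.split()
        events.append((datetime.fromisoformat(ts), client, qname))
    return events


def find_beacon_bursts(events, window=timedelta(minutes=2), min_domains=3):
    """Return {client: set of config domains} for clients that resolved at
    least min_domains distinct config domains inside any window-long span."""
    per_client = defaultdict(list)
    for ts, client, qname in sorted(events):
        domain = config_domain(qname)
        if domain:
            per_client[client].append((ts, domain))

    hits = {}
    for client, lookups in per_client.items():
        for i, (t0, _) in enumerate(lookups):
            in_window = {d for t, d in lookups[i:] if t - t0 <= window}
            if len(in_window) >= min_domains:
                hits[client] = hits.get(client, set()) | in_window
    return hits


if __name__ == "__main__":
    for client, domains in find_beacon_bursts(parse_log(SAMPLE_LOG)).items():
        print(f"{client}: {len(domains)} config domains -> {sorted(domains)}")
```

The threshold and window are starting points; on a real resolver feed the window should be widened to cover the bot's beacon interval, and any domain on the list that also carries legitimate traffic in your environment should be kept in the set but weighted lower rather than dropped.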
Signatures

Xloader payload (1 IoC)
resource: behavioral2/memory/4712-11-0x0000000000400000-0x0000000000429000-memory.dmp
yara_rule: xloader

Suspicious use of SetThreadContext (1 IoC)
description: PID 3736 set thread context of 4712
pid: 3736
process: 9c990c091e85d7c7530e8b3c3e1631f9_JaffaCakes118.exe
target process: 9c990c091e85d7c7530e8b3c3e1631f9_JaffaCakes118.exe

Suspicious behavior: EnumeratesProcesses (2 IoCs)
pid: 4712
process: 9c990c091e85d7c7530e8b3c3e1631f9_JaffaCakes118.exe
(2 identical events)

Suspicious use of WriteProcessMemory (6 IoCs)
description: PID 3736 wrote to memory of 4712
pid: 3736
process: 9c990c091e85d7c7530e8b3c3e1631f9_JaffaCakes118.exe
target process: 9c990c091e85d7c7530e8b3c3e1631f9_JaffaCakes118.exe
(6 identical events)

Read together, these signatures are consistent with process hollowing: the first instance (PID 3736) starts a second copy of its own image (PID 4712), writes into it six times, then redirects a thread with SetThreadContext. The xloader YARA match on the 0x400000-0x429000 region of PID 4712 is the payload placed there, and only that hollowed child goes on to enumerate processes.
Processes

C:\Users\Admin\AppData\Local\Temp\9c990c091e85d7c7530e8b3c3e1631f9_JaffaCakes118.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\9c990c091e85d7c7530e8b3c3e1631f9_JaffaCakes118.exe"
  PID: 3736
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  └ C:\Users\Admin\AppData\Local\Temp\9c990c091e85d7c7530e8b3c3e1631f9_JaffaCakes118.exe
      command line: "C:\Users\Admin\AppData\Local\Temp\9c990c091e85d7c7530e8b3c3e1631f9_JaffaCakes118.exe"
      PID: 4712
      - Suspicious behavior: EnumeratesProcesses
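The signatures and process tree above are individually weak (plenty of legitimate software writes into a child or calls SetThreadContext) but together they form one chain. The script below is an added example written for this report, not sandbox code: it takes event records constructed from the PIDs, image paths and memory dump name in the report (the record layout and field names are the example's own), pairs every writer with a target it also set a thread context on, checks that the target is a direct child running the same image, and attaches the YARA-matched region parsed from the dump name.

```python
"""Reconstruct the process-hollowing chain from sandbox signature events.

Added example for this report; the event tuples, process map and YARA hit
list are constructed from the figures in the report, and their shapes are
assumptions made for the example.
"""
from dataclasses import dataclass
from typing import Optional, Tuple

IMAGE = r"C:\Users\Admin\AppData\Local\Temp\9c990c091e85d7c7530e8b3c3e1631f9_JaffaCakes118.exe"

# (event, pid, target_pid) as counted in the Signatures section.
EVENTS = (
    [("WriteProcessMemory", 3736, 4712)] * 6
    + [("SetThreadContext", 3736, 4712)]
    + [("EnumeratesProcesses", 4712, None)] * 2
)
PROCESSES = {
    3736: {"image": IMAGE, "parent": None},
    4712: {"image": IMAGE, "parent": 3736},
}
YARA_HITS = [
    ("behavioral2/memory/4712-11-0x0000000000400000-0x0000000000429000-memory.dmp", "xloader"),
]


@dataclass
class Hollowing:
    parent: int
    child: int
    same_image_child: bool          # child runs the parent's image and is its direct child
    writes: int                     # number of WriteProcessMemory events parent -> child
    region: Optional[Tuple[int, int]]  # (start, end) of the YARA-matched region in the child
    rule: Optional[str]


def parse_dump_name(name: str):
    """'.../<pid>-<n>-0x<start>-0x<end>-memory.dmp' -> (pid, start, end)."""
    base = name.rsplit("/", 1)[-1]
    pid, _, start, end, _ = base.split("-")
    return int(pid), int(start, 16), int(end, 16)


def find_hollowing(events, processes, yara_hits):
    """Return one Hollowing per (source, target) pair that has both a memory
    write and a SetThreadContext from the same source process."""
    writes, contexts = {}, set()
    for event, pid, target in events:
        if event == "WriteProcessMemory":
            writes[(pid, target)] = writes.get((pid, target), 0) + 1
        elif event == "SetThreadContext":
            contexts.add((pid, target))

    results = []
    for (src, dst), count in writes.items():
        if (src, dst) not in contexts:
            continue
        region, rule = None, None
        for dump, matched_rule in yara_hits:
            dump_pid, start, end = parse_dump_name(dump)
            if dump_pid == dst:
                region, rule = (start, end), matched_rule
        same = (processes[src]["image"] == processes[dst]["image"]
                and processes[dst]["parent"] == src)
        results.append(Hollowing(src, dst, same, count, region, rule))
    return results


if __name__ == "__main__":
    for h in find_hollowing(EVENTS, PROCESSES, YARA_HITS):
        size = h.region[1] - h.region[0] if h.region else 0
        print(f"PID {h.parent} -> PID {h.child}: same image and direct child={h.same_image_child}, "
              f"{h.writes} writes, payload region {h.region}, {size:#x} bytes, rule={h.rule}")
```

On live endpoint telemetry the same chain appears as CreateProcess with the suspended flag, NtWriteVirtualMemory (often preceded by NtUnmapViewOfSection), NtSetContextThread and NtResumeThread; the sandbox collapses those into the three signatures above, and the parent-equals-child-image check is what separates this from ordinary debugger or installer activity.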