Analysis
- max time kernel: 121s
- max time network: 123s
- platform: windows7_x64
- resource: win7-20231129-en
- resource tags: arch:x64, arch:x86, image:win7-20231129-en, locale:en-us, os:windows7-x64, system
- submitted: 03-04-2024 02:55
- Static task: static1
- Behavioral task: behavioral1
  - Sample: 9e2c5b22680ba4bbd6a878359de06f25_JaffaCakes118.exe
  - Resource: win7-20231129-en
General
- Target: 9e2c5b22680ba4bbd6a878359de06f25_JaffaCakes118.exe
- Size: 473KB
- MD5: 9e2c5b22680ba4bbd6a878359de06f25
- SHA1: 0fd148f8548e00ce55546cb8f47c7ed45a91b33d
- SHA256: 76ae8a066744d281de1a7b1db736994aee95488fdf4bb8721f82348236e87521
- SHA512: bba4977afd82b635fc2f4071996d7dc501afe80ad8c92da202559b0966182b2394e64c963dcdc8efa3871f65e54460f26b8b226db01c1e67752e7cd2a58b82d6
- SSDEEP: 6144:c2VKqAFfdPb+Gg+RxG5Rq8OC8zo3mV2Ex5SjOSB48OYIOqC1cJsoDvjllYj:BVKqAFfdKGleRTOiI76jG8OYIx4Svoj
Malware Config
Extracted
- Family: xloader
- Version: 2.5
- Campaign: s9ns
- Domains (the extractor does not mark which entry is the live C2; Xloader, like Formbook before it, carries decoy domains in the same list, so treat each entry as an indicator of infection rather than as confirmed C2 infrastructure):
livehd7.onl
comprosuasucata.com
rouvar.com
zamenapodani.quest
villahummingbird.com
vendaaprovadanosite.com
activeator.com
lapinlauluveikot.com
watch-tbn.net
schwesteroutfits.com
viviendactiva.com
quaythuocquynhchi.xyz
dasrekop.online
ch34k-3yfb124.club
fxb2bhub.com
lightlyenlightened.com
workdayconvert.com
pintod.com
mariimportados.com
globoicon.com
treefellingservicesusaweb.com
truthwatch.club
aw9900.com
cxhy.online
lejouetcoupdecoeur.com
bailbondsvegas.net
pdwhtwm.com
jsconcreteprosfremont.com
3-ply.com
fftt11.com
deliciouslysavingtheplanet.com
noledgetest.xyz
accreditslots.com
solutionrd.com
kaboomslots3.online
jamesplaces-merthyr.wales
swapkiddies.com
getampifire.digital
st666.email
ecato.xyz
getaudionow.com
66q9.com
wisetoys.club
oa-nft.xyz
int-utente-dati.com
olimpotorrent.com
womensclothingonlineshop.com
ht9088.com
yiceqk.com
496921.com
nu865ci.com
quanqiu88888.com
smartfinder.tech
rugbyclubarras.com
thekingsalliancellc.com
y8dv.xyz
mmhappymask.com
virtualstaffphoenix.com
kingdomhome.watch
naturalperuoriginal.com
view-one.online
reflectforjlt.xyz
kidsmaps.net
triplepointrefrigeration.com
andgelstore.com
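A practitioner's first use of the domain list above is a DNS-log sweep. The script below is an added example, not part of the sandbox report: it normalizes the extracted domains, matches query names on label boundaries (so a query for www.rouvar.com. hits rouvar.com but notlivehd7.onl does not hit livehd7.onl), and runs over constructed log lines. The "timestamp client qname" layout is an assumption for this example rather than any resolver's real export format, and DOMAINS holds only a subset of the report's list; paste the full list in for real use.

```python
"""Hunt for the report's Xloader domains in DNS query logs.

Added example, not part of the sandbox report. The log lines are constructed,
and the "timestamp client qname" layout is an assumption rather than any
resolver's real export format. DOMAINS is a subset of the report's list.
"""

# Subset of the extracted domain list; paste the full list here.
DOMAINS = """
livehd7.onl
comprosuasucata.com
rouvar.com
zamenapodani.quest
villahummingbird.com
andgelstore.com
"""

# Constructed query log; notlivehd7.onl is there to show label-boundary matching.
DNS_LOG = """
2024-04-03T03:01:12Z 10.0.0.15 www.livehd7.onl
2024-04-03T03:01:13Z 10.0.0.15 www.rouvar.com.
2024-04-03T03:01:14Z 10.0.0.22 update.microsoft.com
2024-04-03T03:01:15Z 10.0.0.22 notlivehd7.onl
"""


def normalize(name):
    """Lower-case and strip the trailing dot of a fully qualified name."""
    return name.strip().rstrip(".").lower()


def build_index(domain_text):
    """One-line-per-domain text -> set of normalized domains."""
    return {normalize(d) for d in domain_text.splitlines() if d.strip()}


def match(qname, index):
    """Return the config domain that qname equals or is a subdomain of, else None."""
    labels = normalize(qname).split(".")
    for i in range(len(labels) - 1):  # never match a bare TLD
        candidate = ".".join(labels[i:])
        if candidate in index:
            return candidate
    return None


def scan(log_text, index):
    """Return one hit dict per log line whose qname matches the index."""
    hits = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, client, qname = line.split()
        hit = match(qname, index)
        if hit:
            hits.append({"time": ts, "client": client, "qname": qname, "domain": hit})
    return hits


if __name__ == "__main__":
    for h in scan(DNS_LOG, build_index(DOMAINS)):
        print(h)
```

Because Xloader contacts decoy domains as well as its real server, a hit identifies a host worth isolating; it does not by itself tell you which domain is the C2, so block or sinkhole the list as a whole rather than picking one entry.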
Signatures
- Xloader payload (1 IoC)
  resource: behavioral1/memory/2624-11-0x0000000000400000-0x0000000000429000-memory.dmp
  yara_rule: xloader
- Suspicious use of SetThreadContext (1 IoC)
  PID 2964 (9e2c5b22680ba4bbd6a878359de06f25_JaffaCakes118.exe) set thread context of PID 2624 (9e2c5b22680ba4bbd6a878359de06f25_JaffaCakes118.exe)
- Suspicious behavior: EnumeratesProcesses (1 IoC)
  PID 2624 (9e2c5b22680ba4bbd6a878359de06f25_JaffaCakes118.exe)
- Suspicious use of WriteProcessMemory (7 IoCs)
  PID 2964 (9e2c5b22680ba4bbd6a878359de06f25_JaffaCakes118.exe) wrote to memory of PID 2624 (9e2c5b22680ba4bbd6a878359de06f25_JaffaCakes118.exe), recorded 7 times
Read together these are the self-hollowing loader pattern: the sample starts a second copy of itself (PID 2624), writes into it, redirects its thread with SetThreadContext, and the child's memory at 0x400000-0x429000 (0x29000 bytes at the default 32-bit image base) then matches the xloader YARA rule, so the unpacked Xloader payload runs inside the child while the parent's file on disk stays packed.
Processes
- C:\Users\Admin\AppData\Local\Temp\9e2c5b22680ba4bbd6a878359de06f25_JaffaCakes118.exe (PID 2964)
  command line: "C:\Users\Admin\AppData\Local\Temp\9e2c5b22680ba4bbd6a878359de06f25_JaffaCakes118.exe"
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  - child: C:\Users\Admin\AppData\Local\Temp\9e2c5b22680ba4bbd6a878359de06f25_JaffaCakes118.exe (PID 2624)
    command line: "C:\Users\Admin\AppData\Local\Temp\9e2c5b22680ba4bbd6a878359de06f25_JaffaCakes118.exe"
    - Suspicious behavior: EnumeratesProcesses
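The individual signatures above are each weak on their own (many installers call WriteProcessMemory); the verdict comes from correlating them per target process. The script below is an added example, not part of the sandbox report: it parses a constructed event log whose PIDs, image path, write count and dump range are copied from the Signatures and Processes sections (the line layout is this script's own, not the sandbox's export), groups events by target PID, and flags a process as hollowed only when its parent both wrote to it and set its thread context and a YARA rule then matched a region starting at the default image base.

```python
"""Correlate sandbox process and memory events into a process-hollowing verdict.

Added example, not output of the sandbox: EVENTS is a constructed event log whose
PIDs, image path, write count and dump range come from the report; the
"create/wpm/setctx/yara" line layout is this script's own.
"""
from collections import Counter, defaultdict

IMAGE = r"C:\Users\Admin\AppData\Local\Temp\9e2c5b22680ba4bbd6a878359de06f25_JaffaCakes118.exe"
TYPICAL_IMAGE_BASE = 0x400000  # default link base of a 32-bit PE; the report's dump starts here

# Constructed event log:
#   create PPID PID PARENT_IMAGE CHILD_IMAGE
#   wpm    ACTOR TARGET            (one line per WriteProcessMemory IoC)
#   setctx ACTOR TARGET            (SetThreadContext)
#   yara   PID START END RULE      (rule match on a memory dump of PID)
EVENTS = (
    f"create 2964 2624 {IMAGE} {IMAGE}\n"
    + "wpm 2964 2624\n" * 7
    + "setctx 2964 2624\n"
    + "yara 2624 0x0000000000400000 0x0000000000429000 xloader\n"
)


def new_record():
    return {"parent": None, "parent_image": None, "image": None,
            "writes_by": Counter(), "setctx_by": set(), "yara": []}


def parse_events(text):
    """Group events by the PID they act on."""
    procs = defaultdict(new_record)
    for line in text.splitlines():
        parts = line.split()
        if not parts:
            continue
        kind = parts[0]
        if kind == "create":
            ppid, pid, pimg, img = int(parts[1]), int(parts[2]), parts[3], parts[4]
            procs[pid].update(parent=ppid, parent_image=pimg, image=img)
        elif kind == "wpm":
            procs[int(parts[2])]["writes_by"][int(parts[1])] += 1
        elif kind == "setctx":
            procs[int(parts[2])]["setctx_by"].add(int(parts[1]))
        elif kind == "yara":
            procs[int(parts[1])]["yara"].append((int(parts[2], 16), int(parts[3], 16), parts[4]))
    return procs


def assess(pid, rec):
    """Score one process for the hollowing pattern; returns a verdict dict."""
    parent = rec["parent"]
    writes = rec["writes_by"].get(parent, 0)
    reasons = []
    same_image = bool(rec["image"]) and rec["image"].lower() == (rec["parent_image"] or "").lower()
    if same_image:
        reasons.append("child is a second instance of its parent's image")
    if writes:
        reasons.append(f"parent {parent} wrote to child memory {writes} times")
    ctx = parent in rec["setctx_by"]
    if ctx:
        reasons.append(f"parent {parent} set the child's thread context")
    payload = None
    for start, end, rule in rec["yara"]:
        if start == TYPICAL_IMAGE_BASE:  # payload mapped where the original image was
            payload = (rule, end - start)
            reasons.append(f"{rule} matched a {end - start:#x}-byte region at the image base")
    hollowed = writes > 0 and ctx and payload is not None
    return {
        "pid": pid,
        "verdict": "process_hollowing" if hollowed else ("suspicious" if reasons else "clean"),
        "self_injection": same_image and hollowed,
        "writes": writes,
        "payload_rule": payload[0] if payload else None,
        "payload_size": payload[1] if payload else None,
        "reasons": reasons,
    }


def assess_all(text):
    return {pid: assess(pid, rec) for pid, rec in parse_events(text).items()}


if __name__ == "__main__":
    for pid, result in assess_all(EVENTS).items():
        print(pid, result["verdict"], *result["reasons"], sep="\n  ")
```

The image-base check is what separates hollowing from ordinary injection: a payload written to a fresh heap allocation would match the rule at some other address, and that case should be reported as suspicious rather than as a hollowed process.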