Analysis
-
max time kernel
141s
-
max time network
160s
-
platform
windows10-2004_x64
-
resource
win10v2004-20240226-en
-
resource tags
arch:x64, arch:x86, image:win10v2004-20240226-en, locale:en-us, os:windows10-2004-x64, system
-
submitted
18-04-2024 00:32
Static task
static1
Behavioral task
behavioral1
Sample
f6e864629bc2117fb5cc3da3e33d6483_JaffaCakes118.exe
Resource
win7-20231129-en
General
-
Target
f6e864629bc2117fb5cc3da3e33d6483_JaffaCakes118.exe
-
Size
760KB
-
MD5
f6e864629bc2117fb5cc3da3e33d6483
-
SHA1
57ce16786eb6a4c49cfc6c794d012187a1ab7eaf
-
SHA256
050249009735072542f00c432d35a71de4516aaee6fe7d5bfac1c8cda838e1f1
-
SHA512
aba973473ba7dd58e7aa25a8ab17390f90b5aca627771b5cb1fe3d3cb0f88c5ff936dfbba7b1a71bd798ce68e3e3adfbdc2fc9e7eed2434150c6f377795a0730
-
SSDEEP
12288:yuHHfYnbiuj4BiEOyHpBvygTUxiAuG0fEXj8l2hh/khmwizg:yunfYnbiuj40+pBvygA8WzC2hlRwl
Malware Config
Extracted
Family
xloader
Version
2.3
Campaign
nwru
Domains
zjkhyo.com
mogreener.com
galanpresente.com
anthologistliving.com
jfl-info.net
cascobaycuttlerly.com
nefertityeg.com
greatescapefurniture.com
primulashop.com
xn--cittinrete-k4a.com
drugstoire.com
kefaloniabride.com
viralgenstudents.com
makerwl.com
rubyweed.com
badenio.com
smartcontracttraders.com
lcscards-veilig.icu
qf553.com
dnhsxm.com
hellonikitashetty.com
hblkeys.com
ka1288.com
gemzstore.com
petersgarages.com
daria-s-secrets.com
perteprampram10.com
destinedtofail.net
kathuku.com
7ssas.com
delta5.pro
delladonne.com
geraldinegosse.club
ethereumpays.com
lange-creative.com
allthingsbridal.net
thehacking.net
spanishoakscirclehome.com
mobiletech.systems
cruisingthrough.com
mraskinglowid.com
docs-nurses-caps.com
testxyy.xyz
rugbycubzni.com
001block.com
xn--639a399bi5af5p.com
arlingtonhvaccontractor.net
kuppers.info
newenglandcookbooks.com
lakilive.com
baetalks.com
yx0510.com
binggodz.com
wuxkfowev.icu
epicfxtrading.com
solfa.tech
cheapestwithheart.net
jadedene.com
pd1lws7k-666.com
oggstaxidermy.com
circulatetheapp.net
ahjjbxg.com
corona-entschuldung.com
ewfulfilment.com
tyrantthemes.com
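The domain list above is the usable detection artefact of this report. As an added example (the editor's code, not part of the sandbox report), the script below turns that list into a DNS watchlist and runs it over a constructed Zeek-style dns.log excerpt. It handles the two details that usually break naive string matching: the two xn-- entries are IDNA A-labels, so a query logged in Unicode form (cittàinrete.com) must be converted before comparison, and subdomain queries must match on label boundaries only, so notzjkhyo.com does not match zjkhyo.com. The log lines, IP addresses and function names are this example's own assumptions; only the domains come from the report (a subset is embedded to keep the block short).

```python
"""Match DNS queries against the domains extracted from the XLoader config.
Added example by the editor; not part of the sandbox report."""
from typing import Iterable, List, Optional, Set, Tuple

# Subset of the "Domains" list from the Malware Config section (the report
# lists 65). The two xn-- names are IDNA A-labels as printed in the report.
XLOADER_DOMAINS = [
    "zjkhyo.com",
    "mogreener.com",
    "xn--cittinrete-k4a.com",
    "xn--639a399bi5af5p.com",
    "thehacking.net",
    "lcscards-veilig.icu",
]

# Constructed log excerpt (tab-separated: ts, source IP, query). Not real data.
CONSTRUCTED_DNS_LOG = """\
1713400320.101\t10.0.0.15\tupdate.microsoft.com
1713400321.404\t10.0.0.15\tZJKHYO.COM.
1713400322.777\t10.0.0.15\tcittàinrete.com
1713400323.900\t10.0.0.22\twww.mogreener.com
1713400324.001\t10.0.0.22\tnotzjkhyo.com
"""


def normalize(name: str) -> str:
    """Lower-case, drop a trailing dot, and convert Unicode labels to IDNA
    A-labels so 'cittàinrete.com' compares equal to 'xn--cittinrete-k4a.com'.
    Labels that are already ASCII pass through the idna codec unchanged."""
    name = name.strip().rstrip(".").lower()
    try:
        return name.encode("idna").decode("ascii")
    except UnicodeError:
        return name


def matches(query: str, watchlist: Set[str]) -> Optional[str]:
    """Return the watchlisted domain that `query` equals or is a subdomain of.
    Candidates are built on label boundaries, so 'notzjkhyo.com' never
    matches 'zjkhyo.com', and the bare TLD is never a candidate."""
    labels = normalize(query).split(".")
    for i in range(len(labels) - 1):
        candidate = ".".join(labels[i:])
        if candidate in watchlist:
            return candidate
    return None


def scan_dns_log(text: str, domains: Iterable[str] = XLOADER_DOMAINS
                 ) -> List[Tuple[str, str, str, str]]:
    """Return (ts, src, query, matched_domain) for every query that hits the list."""
    watch = {normalize(d) for d in domains}
    hits = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        ts, src, query = line.split("\t")[:3]
        hit = matches(query, watch)
        if hit:
            hits.append((ts, src, query, hit))
    return hits


if __name__ == "__main__":
    for ts, src, query, hit in scan_dns_log(CONSTRUCTED_DNS_LOG):
        print(f"{ts} {src} queried {query!r} -> matches {hit}")
```

One caveat that is general XLoader/Formbook behaviour rather than something this report states: the extracted list mixes the operator's real C2 domain with decoy domains that are mostly legitimate sites, and the config does not mark which is which. Treat a hit as a lead to pivot on (which host, what else it did, which process made the query) rather than as a block-list entry, or you will block ordinary shops and blogs.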
Signatures
-
Xloader payload 1 IoCs
Processes:
resource                                                                     yara_rule
behavioral2/memory/3292-15-0x0000000000400000-0x0000000000428000-memory.dmp  xloader
Obfuscated with Agile.Net obfuscator 1 IoCs
Detects use of the Agile.Net commercial obfuscator, which is capable of entity renaming and control flow obfuscation.
Processes:
resource                                                                     yara_rule
behavioral2/memory/4160-7-0x0000000006BB0000-0x0000000006BD8000-memory.dmp   agile_net
Suspicious use of SetThreadContext 1 IoCs
Processes:
description                            pid   process                                              target process
PID 4160 set thread context of 3292    4160  f6e864629bc2117fb5cc3da3e33d6483_JaffaCakes118.exe  f6e864629bc2117fb5cc3da3e33d6483_JaffaCakes118.exe
Suspicious behavior: EnumeratesProcesses 5 IoCs
Processes:
pid   process
4160  f6e864629bc2117fb5cc3da3e33d6483_JaffaCakes118.exe
4160  f6e864629bc2117fb5cc3da3e33d6483_JaffaCakes118.exe
4160  f6e864629bc2117fb5cc3da3e33d6483_JaffaCakes118.exe
3292  f6e864629bc2117fb5cc3da3e33d6483_JaffaCakes118.exe
3292  f6e864629bc2117fb5cc3da3e33d6483_JaffaCakes118.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs
Processes:
description               pid   process
Token: SeDebugPrivilege   4160  f6e864629bc2117fb5cc3da3e33d6483_JaffaCakes118.exe
Suspicious use of WriteProcessMemory 6 IoCs
Processes:
description                         pid   process                                              target process
PID 4160 wrote to memory of 3292    4160  f6e864629bc2117fb5cc3da3e33d6483_JaffaCakes118.exe  f6e864629bc2117fb5cc3da3e33d6483_JaffaCakes118.exe
PID 4160 wrote to memory of 3292    4160  f6e864629bc2117fb5cc3da3e33d6483_JaffaCakes118.exe  f6e864629bc2117fb5cc3da3e33d6483_JaffaCakes118.exe
PID 4160 wrote to memory of 3292    4160  f6e864629bc2117fb5cc3da3e33d6483_JaffaCakes118.exe  f6e864629bc2117fb5cc3da3e33d6483_JaffaCakes118.exe
PID 4160 wrote to memory of 3292    4160  f6e864629bc2117fb5cc3da3e33d6483_JaffaCakes118.exe  f6e864629bc2117fb5cc3da3e33d6483_JaffaCakes118.exe
PID 4160 wrote to memory of 3292    4160  f6e864629bc2117fb5cc3da3e33d6483_JaffaCakes118.exe  f6e864629bc2117fb5cc3da3e33d6483_JaffaCakes118.exe
PID 4160 wrote to memory of 3292    4160  f6e864629bc2117fb5cc3da3e33d6483_JaffaCakes118.exe  f6e864629bc2117fb5cc3da3e33d6483_JaffaCakes118.exe
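Read together, the signatures above describe one thing: PID 4160 (the submitted .NET executable, flagged for Agile.Net obfuscation) enables SeDebugPrivilege, writes six times into PID 3292, which runs the same image, and then calls SetThreadContext on it. That is the process-hollowing sequence (a child is started, its memory is overwritten with the payload, and its thread context is redirected to the new entry point), and it explains why the xloader YARA rule only matches in the child's memory at 0x400000. The report does not list the suspended CreateProcess or ResumeThread calls, so the example below works only from the event descriptions the report does print. It is an added example by the editor, not part of the report: the regexes, function names and the way the events are re-typed into a Python list are this example's own assumptions; the event text and PIDs are copied from the Signatures section.

```python
"""Flag the process-hollowing pattern from sandbox event descriptions.
Added example by the editor; not part of the sandbox report."""
import re
from collections import Counter, defaultdict
from typing import Dict, Iterable, List

# Description strings copied from the Signatures section above.
REPORT_EVENTS = [
    "PID 4160 set thread context of 3292",
    "Token: SeDebugPrivilege 4160",
] + ["PID 4160 wrote to memory of 3292"] * 6

# Image each PID runs, from the Processes section (parent and child are the same file).
SAMPLE = "f6e864629bc2117fb5cc3da3e33d6483_JaffaCakes118.exe"
IMAGES = {4160: SAMPLE, 3292: SAMPLE}

WRITE_RE = re.compile(r"^PID (\d+) wrote to memory of (\d+)$")
CTX_RE = re.compile(r"^PID (\d+) set thread context of (\d+)$")
TOKEN_RE = re.compile(r"^Token: (\w+) (\d+)$")


def parse_events(lines: Iterable[str]):
    """Count cross-process writes and thread-context changes per
    (source, target) pair, and collect the privileges each PID enabled."""
    writes, ctx, tokens = Counter(), Counter(), defaultdict(set)
    for line in lines:
        if m := WRITE_RE.match(line):
            writes[(int(m.group(1)), int(m.group(2)))] += 1
        elif m := CTX_RE.match(line):
            ctx[(int(m.group(1)), int(m.group(2)))] += 1
        elif m := TOKEN_RE.match(line):
            tokens[int(m.group(2))].add(m.group(1))
    return writes, ctx, tokens


def find_hollowing(lines: Iterable[str] = REPORT_EVENTS,
                   images: Dict[int, str] = IMAGES) -> List[dict]:
    """A pair is reported only when the source both wrote into the target and
    changed one of its thread contexts. A lone WriteProcessMemory is common in
    benign software (debuggers, installers); the combination is not."""
    writes, ctx, tokens = parse_events(lines)
    findings = []
    for src, dst in sorted(set(writes) & set(ctx)):
        findings.append({
            "source_pid": src,
            "target_pid": dst,
            "writes": writes[(src, dst)],
            "context_sets": ctx[(src, dst)],
            # Same image for parent and child: the loader re-launched itself
            # and replaced the child's code (self-hollowing).
            "same_image": images.get(src) == images.get(dst),
            "debug_privilege": "SeDebugPrivilege" in tokens.get(src, set()),
        })
    return findings


if __name__ == "__main__":
    for f in find_hollowing():
        print(f"hollowing candidate: {f['source_pid']} -> {f['target_pid']} "
              f"({f['writes']} writes, {f['context_sets']} SetThreadContext, "
              f"same image={f['same_image']}, SeDebugPrivilege={f['debug_privilege']})")
```

The same pairing rule (write into another process plus SetThreadContext on it, within a short window) transfers directly to Sysmon or EDR telemetry, where the source-image == target-image test is a cheap way to rank self-injecting loaders like this one above legitimate tooling.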
Processes
-
C:\Users\Admin\AppData\Local\Temp\f6e864629bc2117fb5cc3da3e33d6483_JaffaCakes118.exe (depth 1, PID 4160 per the Signatures section)
command line: "C:\Users\Admin\AppData\Local\Temp\f6e864629bc2117fb5cc3da3e33d6483_JaffaCakes118.exe"
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
  C:\Users\Admin\AppData\Local\Temp\f6e864629bc2117fb5cc3da3e33d6483_JaffaCakes118.exe (depth 2, child of the process above, PID 3292 per the Signatures section)
  command line: "C:\Users\Admin\AppData\Local\Temp\f6e864629bc2117fb5cc3da3e33d6483_JaffaCakes118.exe"
  - Suspicious behavior: EnumeratesProcesses
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (depth 1, not spawned by the sample)
command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=4164 --field-trial-handle=2280,i,11703952675008463361,17436195144517971517,262144 --variations-seed-version /prefetch:8
Downloads
-
dump file                                                          size
memory/4160-0-0x0000000074C10000-0x00000000753C0000-memory.dmp     7.7MB
memory/4160-1-0x0000000000850000-0x0000000000914000-memory.dmp     784KB
memory/4160-2-0x0000000005880000-0x0000000005E24000-memory.dmp     5.6MB
memory/4160-3-0x0000000005370000-0x0000000005402000-memory.dmp     584KB
memory/4160-4-0x0000000005410000-0x00000000054AC000-memory.dmp     624KB
memory/4160-5-0x0000000074C10000-0x00000000753C0000-memory.dmp     7.7MB
memory/4160-6-0x0000000005610000-0x0000000005620000-memory.dmp     64KB
memory/4160-7-0x0000000006BB0000-0x0000000006BD8000-memory.dmp     160KB
memory/4160-8-0x0000000005610000-0x0000000005620000-memory.dmp     64KB
memory/4160-9-0x0000000006BE0000-0x0000000006C46000-memory.dmp     408KB
memory/4160-10-0x0000000006A20000-0x0000000006A42000-memory.dmp    136KB
memory/4160-11-0x0000000005610000-0x0000000005620000-memory.dmp    64KB
memory/4160-12-0x0000000005610000-0x0000000005620000-memory.dmp    64KB
memory/4160-13-0x00000000013D0000-0x00000000013E4000-memory.dmp    80KB
memory/4160-14-0x00000000013E0000-0x00000000013E6000-memory.dmp    24KB
memory/4160-18-0x0000000074C10000-0x00000000753C0000-memory.dmp    7.7MB
memory/3292-15-0x0000000000400000-0x0000000000428000-memory.dmp    160KB
memory/3292-16-0x00000000011F0000-0x000000000153A000-memory.dmp    3.3MB
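The dump names encode the PID, a sequence number and the address range of each region, so they can be checked and cross-referenced without downloading anything: the 160KB region at 0x400000 in PID 3292, the default image base of a 32-bit executable, is exactly 0x28000 bytes and is the one the xloader rule matched; every address in PID 4160 is below 0x80000000, consistent with a 32-bit process on the x64 image; and several regions were dumped repeatedly (0x5610000-0x5620000 at sequence numbers 6, 8, 11 and 12). The script below is an added example by the editor, not part of the report. It parses the names, recomputes each size in the report's own KB/MB style to confirm the listing is self-consistent, and groups repeated regions; the name-format regex, function names and the embedded copy of the table are this example's assumptions, while the names and sizes are copied from the Downloads section.

```python
"""Parse sandbox memory-dump names, verify sizes, and find re-dumped regions.
Added example by the editor; not part of the sandbox report."""
import re
from collections import defaultdict
from typing import Dict, List, NamedTuple, Optional, Tuple

# Copied from the Downloads section of the report: (name, listed size).
DOWNLOADS = [
    ("memory/3292-15-0x0000000000400000-0x0000000000428000-memory.dmp", "160KB"),
    ("memory/3292-16-0x00000000011F0000-0x000000000153A000-memory.dmp", "3.3MB"),
    ("memory/4160-8-0x0000000005610000-0x0000000005620000-memory.dmp", "64KB"),
    ("memory/4160-9-0x0000000006BE0000-0x0000000006C46000-memory.dmp", "408KB"),
    ("memory/4160-4-0x0000000005410000-0x00000000054AC000-memory.dmp", "624KB"),
    ("memory/4160-5-0x0000000074C10000-0x00000000753C0000-memory.dmp", "7.7MB"),
    ("memory/4160-6-0x0000000005610000-0x0000000005620000-memory.dmp", "64KB"),
    ("memory/4160-7-0x0000000006BB0000-0x0000000006BD8000-memory.dmp", "160KB"),
    ("memory/4160-0-0x0000000074C10000-0x00000000753C0000-memory.dmp", "7.7MB"),
    ("memory/4160-3-0x0000000005370000-0x0000000005402000-memory.dmp", "584KB"),
    ("memory/4160-10-0x0000000006A20000-0x0000000006A42000-memory.dmp", "136KB"),
    ("memory/4160-11-0x0000000005610000-0x0000000005620000-memory.dmp", "64KB"),
    ("memory/4160-12-0x0000000005610000-0x0000000005620000-memory.dmp", "64KB"),
    ("memory/4160-13-0x00000000013D0000-0x00000000013E4000-memory.dmp", "80KB"),
    ("memory/4160-14-0x00000000013E0000-0x00000000013E6000-memory.dmp", "24KB"),
    ("memory/4160-2-0x0000000005880000-0x0000000005E24000-memory.dmp", "5.6MB"),
    ("memory/4160-1-0x0000000000850000-0x0000000000914000-memory.dmp", "784KB"),
    ("memory/4160-18-0x0000000074C10000-0x00000000753C0000-memory.dmp", "7.7MB"),
]

# Assumed name format: memory/<pid>-<seq>-0x<base>-0x<end>-memory.dmp
DUMP_RE = re.compile(
    r"^memory/(\d+)-(\d+)-0x([0-9A-Fa-f]+)-0x([0-9A-Fa-f]+)-memory\.dmp$")


class Dump(NamedTuple):
    pid: int
    seq: int      # dump sequence number within the run
    base: int     # start of the dumped region
    end: int      # end of the region (exclusive)
    listed: str   # size string as printed in the report


def parse_dump_name(name: str, listed: str = "") -> Dump:
    m = DUMP_RE.match(name)
    if not m:
        raise ValueError(f"not a sandbox dump name: {name}")
    pid, seq, base, end = m.groups()
    return Dump(int(pid), int(seq), int(base, 16), int(end, 16), listed)


def human_size(nbytes: int) -> str:
    """Reproduce the report's style: whole KB below 1 MiB, one decimal MB above."""
    if nbytes >= 1 << 20:
        return f"{nbytes / (1 << 20):.1f}MB"
    return f"{nbytes // 1024}KB"


def verify_downloads(rows=DOWNLOADS) -> List[Tuple[Dump, int, bool]]:
    """(dump, computed bytes, ok): ok means end-base renders as the listed size."""
    out = []
    for name, listed in rows:
        d = parse_dump_name(name, listed)
        size = d.end - d.base
        out.append((d, size, human_size(size) == listed))
    return out


def repeated_regions(rows=DOWNLOADS) -> Dict[Tuple[int, int, int], List[int]]:
    """(pid, base, end) -> sorted seq numbers, for regions dumped more than once."""
    seen = defaultdict(list)
    for name, listed in rows:
        d = parse_dump_name(name, listed)
        seen[(d.pid, d.base, d.end)].append(d.seq)
    return {k: sorted(v) for k, v in seen.items() if len(v) > 1}


def find_dump(pid: int, base: int, rows=DOWNLOADS) -> Optional[Dump]:
    """Locate the dump of a given region, e.g. the YARA hit at 3292/0x400000."""
    for name, listed in rows:
        d = parse_dump_name(name, listed)
        if d.pid == pid and d.base == base:
            return d
    return None


if __name__ == "__main__":
    for d, size, ok in sorted(verify_downloads(), key=lambda r: (r[0].pid, r[0].seq)):
        print(f"{d.pid}-{d.seq:<3} {d.base:#011x}-{d.end:#011x} {size:>8} B "
              f"listed {d.listed:<6} {'ok' if ok else 'MISMATCH'}")
    print("re-dumped regions:", repeated_regions())
```

Re-dumped regions are worth knowing about before you pull files: the sandbox writes a region again when its contents changed, so the later dump of a region (sequence 12 rather than 6 for 0x5610000) is the one to unpack or scan, and the three identical 7.7MB dumps of 0x74C10000-0x753C0000 are the ones to deprioritise.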