Analysis
-
max time kernel
118s -
max time network
125s -
platform
windows7_x64 -
resource
win7-20240319-en -
resource tags
arch:x64arch:x86image:win7-20240319-enlocale:en-usos:windows7-x64system -
submitted
18-04-2024 11:27
Static task
static1
Behavioral task
behavioral1
Sample
f7e4da015c11e085e6f4e48b3dc2176d_JaffaCakes118.exe
Resource
win7-20240319-en
General
-
Target
f7e4da015c11e085e6f4e48b3dc2176d_JaffaCakes118.exe
-
Size
817KB
-
MD5
f7e4da015c11e085e6f4e48b3dc2176d
-
SHA1
d52c29c80fb82f4774b7624d8a1d429aae69e8f3
-
SHA256
9c667699c6643d42dd1264b3657141bf3b23b56f47e527e33ae83030d937cb5a
-
SHA512
e062a9fe4f8caf24ae313101702d1bcc9bdb9aea7f1464b6323f83ace65abaa2e13740ecd74b676e5334a908525a876fd091792e415f1b049551a5804d34eebc
-
SSDEEP
12288:HSeTwrmpRw3viRidw1G3lZBpqNFevbOEykaGKNR70ZJUt2NjFr:HSwJUf8E5pKFGbOEy70LUMNjR
Malware Config
Extracted
xloader
2.3
wufn
rsautoluxe.com
theroseofsharonsalon.com
singnema.com
nathanielwhite108.com
theforumonline.com
iqpt.info
joneshondaservice.com
fafene.com
solanohomebuyerclass.com
zwq.xyz
searchlakeconroehomes.com
briative.com
frystmor.city
systemofyouth.com
sctsmney.com
tv-safetrading.com
thesweetboy.com
occulusblu.com
pawsthemomentpetphotography.com
travelstipsguide.com
verifypurchase.online
333s998.com
amsmapped.com
mimortgageexpert.com
joshuatreeresearch.com
brasilupshop.com
support24h.site
recipesdunnright.com
feathertiara.net
intoxickiss.com
greenmommarket.com
prinothhusky.com
800pls.info
martabaroagency.com
neosinder.com
davidwarburg.com
chinanl168.com
organicdiscover.com
kingdomvets.com
thetravellingwitch.com
kyg-cpa.com
bigarius.com
collegevillepaareahomes.com
ashestore.site
rizqebooks.com
techwhose.com
peak-valleyadvertising.com
craftbychristians.com
laterlifelendingsupermarket.com
setadragon.com
pon.xyz
reshemporium.com
missk-hair.com
hk6628.com
rootmoover.com
thetew.com
mybodysaver.com
cuadorcoast.com
goteclift.com
solisdq.info
hsicclassactionsettlement.com
cummingsforum.com
talleresmulticar.com
qq4004.com
gaigoilaocai.com
Signatures
-
Xloader payload 1 IoCs
Processes:
resource yara_rule behavioral1/memory/2636-14-0x0000000000400000-0x0000000000428000-memory.dmp xloader -
Suspicious use of SetThreadContext 1 IoCs
Processes:
f7e4da015c11e085e6f4e48b3dc2176d_JaffaCakes118.exedescription pid Process procid_target PID 2200 set thread context of 2636 2200 f7e4da015c11e085e6f4e48b3dc2176d_JaffaCakes118.exe 31 -
Suspicious behavior: EnumeratesProcesses 2 IoCs
Processes:
f7e4da015c11e085e6f4e48b3dc2176d_JaffaCakes118.exef7e4da015c11e085e6f4e48b3dc2176d_JaffaCakes118.exepid Process 2200 f7e4da015c11e085e6f4e48b3dc2176d_JaffaCakes118.exe 2636 f7e4da015c11e085e6f4e48b3dc2176d_JaffaCakes118.exe -
Suspicious use of AdjustPrivilegeToken 1 IoCs
Processes:
f7e4da015c11e085e6f4e48b3dc2176d_JaffaCakes118.exedescription pid Process Token: SeDebugPrivilege 2200 f7e4da015c11e085e6f4e48b3dc2176d_JaffaCakes118.exe -
Suspicious use of WriteProcessMemory 11 IoCs
Processes:
f7e4da015c11e085e6f4e48b3dc2176d_JaffaCakes118.exedescription pid Process procid_target PID 2200 wrote to memory of 2740 2200 f7e4da015c11e085e6f4e48b3dc2176d_JaffaCakes118.exe 30 PID 2200 wrote to memory of 2740 2200 f7e4da015c11e085e6f4e48b3dc2176d_JaffaCakes118.exe 30 PID 2200 wrote to memory of 2740 2200 f7e4da015c11e085e6f4e48b3dc2176d_JaffaCakes118.exe 30 PID 2200 wrote to memory of 2740 2200 f7e4da015c11e085e6f4e48b3dc2176d_JaffaCakes118.exe 30 PID 2200 wrote to memory of 2636 2200 f7e4da015c11e085e6f4e48b3dc2176d_JaffaCakes118.exe 31 PID 2200 wrote to memory of 2636 2200 f7e4da015c11e085e6f4e48b3dc2176d_JaffaCakes118.exe 31 PID 2200 wrote to memory of 2636 2200 f7e4da015c11e085e6f4e48b3dc2176d_JaffaCakes118.exe 31 PID 2200 wrote to memory of 2636 2200 f7e4da015c11e085e6f4e48b3dc2176d_JaffaCakes118.exe 31 PID 2200 wrote to memory of 2636 2200 f7e4da015c11e085e6f4e48b3dc2176d_JaffaCakes118.exe 31 PID 2200 wrote to memory of 2636 2200 f7e4da015c11e085e6f4e48b3dc2176d_JaffaCakes118.exe 31 PID 2200 wrote to memory of 2636 2200 f7e4da015c11e085e6f4e48b3dc2176d_JaffaCakes118.exe 31
Processes
-
C:\Users\Admin\AppData\Local\Temp\f7e4da015c11e085e6f4e48b3dc2176d_JaffaCakes118.exe"C:\Users\Admin\AppData\Local\Temp\f7e4da015c11e085e6f4e48b3dc2176d_JaffaCakes118.exe"1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2200 -
C:\Users\Admin\AppData\Local\Temp\f7e4da015c11e085e6f4e48b3dc2176d_JaffaCakes118.exe"C:\Users\Admin\AppData\Local\Temp\f7e4da015c11e085e6f4e48b3dc2176d_JaffaCakes118.exe"2⤵PID:2740
-
-
C:\Users\Admin\AppData\Local\Temp\f7e4da015c11e085e6f4e48b3dc2176d_JaffaCakes118.exe"C:\Users\Admin\AppData\Local\Temp\f7e4da015c11e085e6f4e48b3dc2176d_JaffaCakes118.exe"2⤵
- Suspicious behavior: EnumeratesProcesses
PID:2636
-