Analysis

max time kernel: 137s
max time network: 145s
platform: windows10-2004_x64
resource: win10v2004-20240226-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240226-en, locale:en-us, os:windows10-2004-x64, system
submitted: 19-04-2024 04:06
Static task: static1
Behavioral task: behavioral1
Sample: f977d96c98335083d54f9b9b54fb0cd9_JaffaCakes118.exe
Resource: win7-20240221-en
General

Target: f977d96c98335083d54f9b9b54fb0cd9_JaffaCakes118.exe
Size: 517KB
MD5: f977d96c98335083d54f9b9b54fb0cd9
SHA1: 298da015025154518be5739918956b6b96b91090
SHA256: 9c9a99423087bdfd23df04a29984273ba056021ee54e815d2cd85103a9548eff
SHA512: 4a339d18aa36a149faecb1d6521008220f33a24177aa27ed4194ff73b57a920ab3b49ec3c2eda787325cad5a554c681fea2cf5603f37e1abaaada82cfc77768d
SSDEEP: 6144:7FLHgMkhBmA8L8z14cb5TrJbGAdRkx4wSsOXgMx7Dml3SjK:75SBYgWcJrJBdRkpOXk
Malware Config

Extracted
Family: xloader
Version: 2.5
Campaign: mexq
Domains:
cyebang.com
hcswwsz.com
50003008.com
yfly624.xyz
trungtamhohap.xyz
sotlbb.com
bizhan69.com
brandmty.net
fucibou.xyz
orderinformantmailer.store
nobleminers.com
divinevoid.com
quickappraisal.net
adventuretravelsworld.com
ashainitiativemp.com
ikkbs-a02.com
rd26x.com
goraeda.com
abbastanza.info
andypartridge.photography
xn--aprendes-espaol-brb.com
jrceleste.com
bestwarsawhotels.com
fospine.online
rayofdesign.online
hablamarca.com
nichellejonesrealtor.com
zamarasystem.com
thepropertygoat.com
fightfigures.com
mxconglomerate.com
elecoder.com
mabnapakhsh.com
girlspiter.club
xn--lcka2cufqed6765c4ef1x1g.xyz
cancleaningpros.com
galestorm.net
besrbee.com
sjmdesignstudio.com
kickonlines.com
generateyourart.com
promiseface.com
searchingspacespot.com
jovemmilionario.com
paomovar.com
dogiadunggiare.online
uniqued.net
glassrootsstudio.com
rabenteec.com
asistente-ti.com
xn--l6qw76agwi5rjeuzk9q.com
azapsolutions.com
wmh3gk2fzw2m.biz
districonio.com
dapekdelivery.com
vintagepaseo.com
od0aew1pox.com
iphone13promax.design
texttheruffleddaisy.com
umdasch-lagertechnik.com
growthabove.com
eltacorancherofoodtruck.com
gafoodstamps.com
mzalluom.com
aliexpress-br.com
Signatures

Xloader payload (1 IoC)
Processes:
resource: behavioral2/memory/4284-11-0x0000000000400000-0x0000000000429000-memory.dmp, yara_rule: xloader

Suspicious use of SetThreadContext (1 IoC)
Processes:
PID 4028 set thread context of 4284 (pid 4028, f977d96c98335083d54f9b9b54fb0cd9_JaffaCakes118.exe, procid_target 103)

Suspicious behavior: EnumeratesProcesses (8 IoCs)
Processes:
pid 4028, f977d96c98335083d54f9b9b54fb0cd9_JaffaCakes118.exe (6 occurrences)
pid 4284, f977d96c98335083d54f9b9b54fb0cd9_JaffaCakes118.exe (2 occurrences)

Suspicious use of AdjustPrivilegeToken (1 IoC)
Processes:
Token: SeDebugPrivilege (pid 4028, f977d96c98335083d54f9b9b54fb0cd9_JaffaCakes118.exe)

Suspicious use of WriteProcessMemory (15 IoCs)
Processes:
PID 4028 wrote to memory of 2060 (pid 4028, f977d96c98335083d54f9b9b54fb0cd9_JaffaCakes118.exe, procid_target 100) (3 occurrences)
PID 4028 wrote to memory of 3884 (pid 4028, f977d96c98335083d54f9b9b54fb0cd9_JaffaCakes118.exe, procid_target 101) (3 occurrences)
PID 4028 wrote to memory of 2084 (pid 4028, f977d96c98335083d54f9b9b54fb0cd9_JaffaCakes118.exe, procid_target 102) (3 occurrences)
PID 4028 wrote to memory of 4284 (pid 4028, f977d96c98335083d54f9b9b54fb0cd9_JaffaCakes118.exe, procid_target 103) (6 occurrences)
Processes

C:\Users\Admin\AppData\Local\Temp\f977d96c98335083d54f9b9b54fb0cd9_JaffaCakes118.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\f977d96c98335083d54f9b9b54fb0cd9_JaffaCakes118.exe"
  PID: 4028
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory

    C:\Users\Admin\AppData\Local\Temp\f977d96c98335083d54f9b9b54fb0cd9_JaffaCakes118.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\f977d96c98335083d54f9b9b54fb0cd9_JaffaCakes118.exe"
      PID: 2060

    C:\Users\Admin\AppData\Local\Temp\f977d96c98335083d54f9b9b54fb0cd9_JaffaCakes118.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\f977d96c98335083d54f9b9b54fb0cd9_JaffaCakes118.exe"
      PID: 3884

    C:\Users\Admin\AppData\Local\Temp\f977d96c98335083d54f9b9b54fb0cd9_JaffaCakes118.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\f977d96c98335083d54f9b9b54fb0cd9_JaffaCakes118.exe"
      PID: 2084

    C:\Users\Admin\AppData\Local\Temp\f977d96c98335083d54f9b9b54fb0cd9_JaffaCakes118.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\f977d96c98335083d54f9b9b54fb0cd9_JaffaCakes118.exe"
      PID: 4284
      - Suspicious behavior: EnumeratesProcesses

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=4160 --field-trial-handle=3084,i,4016110471176367543,14287608422419064331,262144 --variations-seed-version /prefetch:8
  PID: 3804