Analysis

  • max time kernel
    126s
  • max time network
    130s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240508-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
  • submitted
    10-05-2024 17:20

General

  • Target

    3032632f0a00a33817224cb306b18795_JaffaCakes118.exe

  • Size

    325KB

  • MD5

    3032632f0a00a33817224cb306b18795

  • SHA1

    03af6f9714444e6ab41949e67d05cfdfbb0b3faa

  • SHA256

    1c25b56211f31c6b5b12f3f2f108fcbe15095a815475bc1601a80222b1d4b220

  • SHA512

    7196af265617655f6ed60cf51e79d9b671793bd12d17aeb024c7220075fd01e7730bacd8d07236be17537bddf460a5e33532307a6cd6c92b16067e71a7952800

  • SSDEEP

    6144:PZVDcH77hl6sxVoVnwLboDKMv3/NUOdUPUV:PnIHvv5UVwLMD73/NUOdUMV

Malware Config

Extracted

Family

xloader

Version

2.1

Campaign

bs85

Decoy

needcoupon.net

studio-nock.com

gladiadorcalistenia.com

proctaur.com

motemo.com

jackedhammerfitness.com

monkeysinthesky.com

milagrotacosandcantina.com

buddyresort.com

liaocheng8.xyz

vegauitdeoven.com

henriquezelectric.net

mxzc365.com

eneeds.net

elementsbuy.com

klinaton.com

choicescapes.net

waveadmit.guru

lakehoustonrugby.com

office-by-experts.com

Signatures

  • Detect ZGRat V1 1 IoCs
  • Xloader

    Xloader is a rebranded version of Formbook malware.

  • ZGRat

    ZGRat is remote access trojan written in C#.

  • Xloader payload 1 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 6 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\3032632f0a00a33817224cb306b18795_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\3032632f0a00a33817224cb306b18795_JaffaCakes118.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:3968
    • C:\Users\Admin\AppData\Local\Temp\3032632f0a00a33817224cb306b18795_JaffaCakes118.exe
      "C:\Users\Admin\AppData\Local\Temp\3032632f0a00a33817224cb306b18795_JaffaCakes118.exe"
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      PID:860
  • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --field-trial-handle=4068,i,1809100026287847100,9768898026582633513,262144 --variations-seed-version --mojo-platform-channel-handle=4072 /prefetch:8
    1⤵
      PID:3048

    Network

    MITRE ATT&CK Matrix

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • memory/860-10-0x0000000000400000-0x0000000000428000-memory.dmp

      Filesize

      160KB

    • memory/860-13-0x00000000016E0000-0x0000000001A2A000-memory.dmp

      Filesize

      3.3MB

    • memory/3968-6-0x000000000A670000-0x000000000AC14000-memory.dmp

      Filesize

      5.6MB

    • memory/3968-3-0x0000000074E90000-0x0000000075640000-memory.dmp

      Filesize

      7.7MB

    • memory/3968-4-0x0000000074E9E000-0x0000000074E9F000-memory.dmp

      Filesize

      4KB

    • memory/3968-5-0x0000000074E90000-0x0000000075640000-memory.dmp

      Filesize

      7.7MB

    • memory/3968-0-0x0000000074E9E000-0x0000000074E9F000-memory.dmp

      Filesize

      4KB

    • memory/3968-7-0x00000000058D0000-0x0000000005908000-memory.dmp

      Filesize

      224KB

    • memory/3968-8-0x0000000005C40000-0x0000000005CD2000-memory.dmp

      Filesize

      584KB

    • memory/3968-9-0x00000000059D0000-0x00000000059E4000-memory.dmp

      Filesize

      80KB

    • memory/3968-2-0x0000000003270000-0x0000000003276000-memory.dmp

      Filesize

      24KB

    • memory/3968-12-0x0000000074E90000-0x0000000075640000-memory.dmp

      Filesize

      7.7MB

    • memory/3968-1-0x0000000000E90000-0x0000000000EE6000-memory.dmp

      Filesize

      344KB