Analysis
-
max time kernel
148s -
max time network
151s -
platform
windows10-2004_x64 -
resource
win10v2004-20240704-en -
resource tags
arch:x64arch:x86image:win10v2004-20240704-enlocale:en-usos:windows10-2004-x64system -
submitted
09-07-2024 07:53
Static task
static1
Behavioral task
behavioral1
Sample
2f89d68a23b1a9eed55a6dc0565549f1_JaffaCakes118.exe
Resource
win7-20240705-en
General
-
Target
2f89d68a23b1a9eed55a6dc0565549f1_JaffaCakes118.exe
-
Size
455KB
-
MD5
2f89d68a23b1a9eed55a6dc0565549f1
-
SHA1
8f34ff1749aa25483341e22eedd867565a33b0b1
-
SHA256
6b043d0032718af4354f8af36a1f97dd236a0026011215f8674c623ac5a66697
-
SHA512
b2388d6952c06c9dea5ba1f6c4180072107ca467a5d8cbe8e5ffa90706dc8c477cc80d9964abd9450dd5af34711396f53410b07bb758d62c4d1b0c637d4aebb1
-
SSDEEP
12288:faGNY/D1RGxGOs+baytUqTdQT5gkP0gUbp9n5sEOL1kqb1gMa:9NY+bDYCk1Ubp9n5sEUhz
Malware Config
Extracted
xloader
2.3
vpz6
upscalejob.com
gzjy138.com
sexyyin.com
lapptv.com
joinplshere.com
cheapwatchband.com
bostonm.info
dschazy.com
pleetly.com
lamaradas.com
preventroofcollapse.com
richmondparents.com
elegantoshop.com
alabamasgulfcoast.info
asiastreetballleague.com
medinaprojectconstruction.com
theramone.com
findhydraulicparts.com
wzqp5.com
toppickaustralia.com
05355d.com
outdoorworklife.com
rebootmonkeys.network
chaosmeetsclaire.com
souncouraner.online
hxlbj.com
ehgenial.com
heartoneis.com
3rwrdesign.com
ebet.pro
giovannabariani.com
gunstoremarketing.com
shlyuhi-anal.site
baccarattip.net
fanswantin.com
lift-prize.xyz
domain.exchange
a-v-r.com
bjpj.net
pembertonoutfittersltd.com
blessedjourneys.net
trykaraokeidol.com
gundemcizgi.com
alexiswolfephotos.com
premiumrac.com
greatdaysvcs.com
cbc888.com
conceiteddollhouseboutique.com
whiteglovemunicipal.com
nursewell-int.com
nomanslandtennis.com
influencecoders.net
ipvsevsem.com
oliviahartclothing.com
guardiadeorixa.com
blingbotcreations.com
saloncrushtx.com
prichardfarms.com
morganrealtorteam.com
shapiro.group
new-life-with-jesus.com
angeles-fashion.com
llgcjx.com
berhorstgroup.com
orofty.com
Signatures
-
Xloader payload 1 IoCs
Processes:
resource yara_rule behavioral2/memory/3628-11-0x0000000000400000-0x0000000000428000-memory.dmp xloader -
Suspicious use of SetThreadContext 1 IoCs
Processes:
2f89d68a23b1a9eed55a6dc0565549f1_JaffaCakes118.exedescription pid Process procid_target PID 4280 set thread context of 3628 4280 2f89d68a23b1a9eed55a6dc0565549f1_JaffaCakes118.exe 85 -
Suspicious behavior: EnumeratesProcesses 2 IoCs
Processes:
2f89d68a23b1a9eed55a6dc0565549f1_JaffaCakes118.exepid Process 3628 2f89d68a23b1a9eed55a6dc0565549f1_JaffaCakes118.exe 3628 2f89d68a23b1a9eed55a6dc0565549f1_JaffaCakes118.exe -
Suspicious use of AdjustPrivilegeToken 1 IoCs
Processes:
2f89d68a23b1a9eed55a6dc0565549f1_JaffaCakes118.exedescription pid Process Token: SeDebugPrivilege 4280 2f89d68a23b1a9eed55a6dc0565549f1_JaffaCakes118.exe -
Suspicious use of WriteProcessMemory 6 IoCs
Processes:
2f89d68a23b1a9eed55a6dc0565549f1_JaffaCakes118.exedescription pid Process procid_target PID 4280 wrote to memory of 3628 4280 2f89d68a23b1a9eed55a6dc0565549f1_JaffaCakes118.exe 85 PID 4280 wrote to memory of 3628 4280 2f89d68a23b1a9eed55a6dc0565549f1_JaffaCakes118.exe 85 PID 4280 wrote to memory of 3628 4280 2f89d68a23b1a9eed55a6dc0565549f1_JaffaCakes118.exe 85 PID 4280 wrote to memory of 3628 4280 2f89d68a23b1a9eed55a6dc0565549f1_JaffaCakes118.exe 85 PID 4280 wrote to memory of 3628 4280 2f89d68a23b1a9eed55a6dc0565549f1_JaffaCakes118.exe 85 PID 4280 wrote to memory of 3628 4280 2f89d68a23b1a9eed55a6dc0565549f1_JaffaCakes118.exe 85
Processes
-
C:\Users\Admin\AppData\Local\Temp\2f89d68a23b1a9eed55a6dc0565549f1_JaffaCakes118.exe"C:\Users\Admin\AppData\Local\Temp\2f89d68a23b1a9eed55a6dc0565549f1_JaffaCakes118.exe"1⤵
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4280 -
C:\Users\Admin\AppData\Local\Temp\2f89d68a23b1a9eed55a6dc0565549f1_JaffaCakes118.exe"{path}"2⤵
- Suspicious behavior: EnumeratesProcesses
PID:3628
-