Analysis
max time kernel: 150s
max time network: 19s
platform: windows7_x64
resource: win7-20240903-en
resource tags: arch:x64 arch:x86 image:win7-20240903-en locale:en-us os:windows7-x64 system
submitted: 02-10-2024 23:51
Static task: static1
Behavioral task: behavioral1
Sample: 0cfa2a654fcca2a9f12f034d643027d5_JaffaCakes118.exe
Resource: win7-20240903-en
General
Target: 0cfa2a654fcca2a9f12f034d643027d5_JaffaCakes118.exe
Size: 725KB
MD5: 0cfa2a654fcca2a9f12f034d643027d5
SHA1: 0c78acaba049a37e7436b0df828057decc6e0378
SHA256: e14a0391577635a7e1121a2ff8c81df2c7d2787015c83839665c469a24f9ce0f
SHA512: 6460bb422c3b7b20aef15b4fc1de38c1eabda7db4a9045eb1dca41c4e7bdb56a2c14ef97ce9a75d2829283cffae3c828d59a081a62093ab7de8f1b7a157f40c4
SSDEEP: 12288:2VJt2iNeHK7znunNexM5fUql0ZdVvjY+8AMMbb77G9LTUL5yo4XUSD3MvYV8cz1r:2Vz1b7tdTZUMnK/ZPD3aYXz1
Malware Config
Extracted
Family: xloader
Version: 2.3
Campaign: n8ba
Decoy domains:
thefitflect.com
anytourist.com
blggz.xyz
ascope.club
obyeboss.com
braun-mathematik.online
mtsnurulislamsby.com
jwpropertiestn.com
animalds.com
cunerier.com
sillysocklife.com
shopliyonamaaghin.net
theredcymbalsco.com
lostbikeproject.com
ryggoqlmga.club
realestatetriggers.com
luvlauricephotography.com
cheesehome.cloud
5fashionfix.net
wata-6-rwem.net
ominvestment.net
rrinuwsq643do2.xyz
teamtacozzzz.com
newjerseyreosales.com
theresahovo.com
wowmovies.today
77k6tgikpbs39.net
americagoldenwheels.com
digitaladbasket.com
gcagame.com
arielatkins.net
2020coaches.com
effthisshit.com
nycabl.com
fbvanminh.com
lovebirdsgifts.com
anxietyxpill.com
recaptcha-lnc.com
aprendelspr.com
expatinsur.com
backtothesimplethings.com
pcf-it.services
wintonplaceoh.com
designermotherhood.com
naamt.com
lifestylebykendra.com
thehighstatusemporium.com
oneninelacrosse.com
mariasmoworldwide.com
kitesurf-piraten.net
atelierbond.com
mynjelderlaw.com
moucopia.com
hauhome.club
imroundtable.com
thralink.com
baoequities.com
nassy.cloud
goldenstatelabradoodles.com
revenueremedyintensive.com
dfendglobal.com
pugliaandgastronomy.com
cypios.net
trinioware.com
narrowpathwc.com
Signatures

Xloader payload 3 IoCs
resource | yara_rule
behavioral1/memory/2576-16-0x0000000000400000-0x0000000000429000-memory.dmp | xloader
behavioral1/memory/2576-20-0x0000000000400000-0x0000000000429000-memory.dmp | xloader
behavioral1/memory/2552-26-0x00000000000C0000-0x00000000000E9000-memory.dmp | xloader

Suspicious use of SetThreadContext 3 IoCs
description | pid | Process | procid_target
PID 984 set thread context of 2576 | 984 | 0cfa2a654fcca2a9f12f034d643027d5_JaffaCakes118.exe | 31
PID 2576 set thread context of 1244 | 2576 | MSBuild.exe | 20
PID 2552 set thread context of 1244 | 2552 | svchost.exe | 20

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 0cfa2a654fcca2a9f12f034d643027d5_JaffaCakes118.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | schtasks.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | svchost.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cmd.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
pid | Process
1792 | schtasks.exe

Suspicious behavior: EnumeratesProcesses 24 IoCs
pid | Process
984 | 0cfa2a654fcca2a9f12f034d643027d5_JaffaCakes118.exe
2576 | MSBuild.exe (2 entries)
2552 | svchost.exe (21 entries)

Suspicious behavior: MapViewOfSection 5 IoCs
pid | Process
2576 | MSBuild.exe (3 entries)
2552 | svchost.exe (2 entries)

Suspicious use of AdjustPrivilegeToken 3 IoCs
description | pid | Process
Token: SeDebugPrivilege | 984 | 0cfa2a654fcca2a9f12f034d643027d5_JaffaCakes118.exe
Token: SeDebugPrivilege | 2576 | MSBuild.exe
Token: SeDebugPrivilege | 2552 | svchost.exe

Suspicious use of WriteProcessMemory 19 IoCs
description | pid | Process | procid_target
PID 984 wrote to memory of 1792 | 984 | 0cfa2a654fcca2a9f12f034d643027d5_JaffaCakes118.exe | 29 (4 entries)
PID 984 wrote to memory of 2576 | 984 | 0cfa2a654fcca2a9f12f034d643027d5_JaffaCakes118.exe | 31 (7 entries)
PID 1244 wrote to memory of 2552 | 1244 | Explorer.EXE | 32 (4 entries)
PID 2552 wrote to memory of 2616 | 2552 | svchost.exe | 33 (4 entries)
Processes

C:\Windows\Explorer.EXE
  Command line: C:\Windows\Explorer.EXE
  - Suspicious use of WriteProcessMemory
  PID: 1244

  C:\Users\Admin\AppData\Local\Temp\0cfa2a654fcca2a9f12f034d643027d5_JaffaCakes118.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\0cfa2a654fcca2a9f12f034d643027d5_JaffaCakes118.exe"
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID: 984

    C:\Windows\SysWOW64\schtasks.exe
      Command line: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\dglKKF" /XML "C:\Users\Admin\AppData\Local\Temp\tmpB6A2.tmp"
      - System Location Discovery: System Language Discovery
      - Scheduled Task/Job: Scheduled Task
      PID: 1792

    C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
      Command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
      - Suspicious use of SetThreadContext
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious behavior: MapViewOfSection
      - Suspicious use of AdjustPrivilegeToken
      PID: 2576

  C:\Windows\SysWOW64\svchost.exe
    Command line: "C:\Windows\SysWOW64\svchost.exe"
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID: 2552

    C:\Windows\SysWOW64\cmd.exe
      Command line: /c del "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
      - System Location Discovery: System Language Discovery
      PID: 2616
Network
MITRE ATT&CK Enterprise v15
Downloads
Filesize: 1KB
MD5: c7b1bfdbf13dd4db848244b1b1ff5add
SHA1: 419676b56d8d80ef2726a6d813c0d68d2e6afd96
SHA256: 99a029094959eaf151ddd689f315ea352bb58bdfbe2a56d775defd0990262a2b
SHA512: b4eaaa7e82a453d7cc002b6194844cb55739e7d239aeb7ca240c74088415de7c26a33c08cabc049cff99e5f0a6e0706083b3f013c7a1012c40b7d847bce9842a