Analysis
-
max time kernel
92s -
max time network
118s -
platform
windows10-2004_x64 -
resource
win10v2004-20240802-en -
resource tags
arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system -
submitted
05-10-2024 02:48
Static task
static1
Behavioral task
behavioral1
Sample
15dd0af6a94ff8295c72a83ef9bd359a_JaffaCakes118.exe
Resource
win7-20240903-en
General
-
Target
15dd0af6a94ff8295c72a83ef9bd359a_JaffaCakes118.exe
-
Size
1.1MB
-
MD5
15dd0af6a94ff8295c72a83ef9bd359a
-
SHA1
1e5236e252f24dbe1231cc18aecdfeac6b0d9a1f
-
SHA256
6931c7d4ab556ccd3cee7b8ddc9107f73551dd8cf5f293ec88d0ded26f52a9f6
-
SHA512
f5aff225a83d6899c76059f9b7463777278b724118fd928a365cf437a272dfaf6e055168dff5ae8018d243aaa3adef44326b79607755ff26b31553689795cd42
-
SSDEEP
12288:QWawIfK0f08jrRhidCMrC5Hr6LVEmBFt0ULGZbRSTHh3TS6np1I4vOODhgaPGNSi:HHTSmkWDZvSuPoT3
Malware Config
Extracted
xloader
2.3
m6b5
ixtarbelize.com
pheamal.com
daiyncc.com
staydoubted.com
laagerlitigation.club
sukrantastansakarya.com
esupport.ltd
vetscontracting.net
themuslimlife.coach
salmanairs.com
somatictherapyservices.com
lastminuteminister.com
comunicarbuenosaires.com
kazuya.tech
insightlyservicedev.com
redevelopment38subhashnagar.com
thefutureinvestor.com
simplysu.com
lagu45.com
livingstonpistolpermit.com
youngedbg.club
askmeboost.com
hizmetbasvuru-girisi.com
fourteenfoodsdq.net
discoglosse.com
shareusall.com
armseducationassociates.com
twilio123.com
hofmann.red
autoanyway.com
duckvlog.com
raceleagues.com
foleyautomotivehydraulics.com
foreverbefaithfultoyou.com
junrui-tech.com
angelinateofilovic.com
justinandsarahgetmarried.com
carlsmithcarlsmith.com
novopeugeot208.com
citestftcwaut17.com
theproductivitygroup.com
cohen-asset.com
trumpismysugardaddy.com
wishcida.com
buncheese.com
dietrichcompanies.com
zafav.xyz
commodore-gravel.com
juport.men
hyanggips.com
aliyunwangpan.com
nuturessoap.com
networksloss.club
blackcouplesofhtown.com
saadiawhite.net
girasmboize.com
melissabelmontefotografias.com
landprorentals.com
bonacrypto.com
meeuba.com
lknstump.com
iregentos.info
linguisticpartner.com
mpsaklera.com
inverservi.com
Signatures
-
Xloader payload 1 IoCs
Processes:
resource yara_rule behavioral2/memory/1596-10-0x0000000000400000-0x0000000000429000-memory.dmp xloader -
Suspicious use of SetThreadContext 1 IoCs
Processes:
15dd0af6a94ff8295c72a83ef9bd359a_JaffaCakes118.exedescription pid Process procid_target PID 1808 set thread context of 1596 1808 15dd0af6a94ff8295c72a83ef9bd359a_JaffaCakes118.exe 82 -
System Location Discovery: System Language Discovery 1 TTPs 1 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
Processes:
15dd0af6a94ff8295c72a83ef9bd359a_JaffaCakes118.exedescription ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 15dd0af6a94ff8295c72a83ef9bd359a_JaffaCakes118.exe -
Suspicious behavior: EnumeratesProcesses 2 IoCs
Processes:
15dd0af6a94ff8295c72a83ef9bd359a_JaffaCakes118.exepid Process 1596 15dd0af6a94ff8295c72a83ef9bd359a_JaffaCakes118.exe 1596 15dd0af6a94ff8295c72a83ef9bd359a_JaffaCakes118.exe -
Suspicious use of WriteProcessMemory 6 IoCs
Processes:
15dd0af6a94ff8295c72a83ef9bd359a_JaffaCakes118.exedescription pid Process procid_target PID 1808 wrote to memory of 1596 1808 15dd0af6a94ff8295c72a83ef9bd359a_JaffaCakes118.exe 82 PID 1808 wrote to memory of 1596 1808 15dd0af6a94ff8295c72a83ef9bd359a_JaffaCakes118.exe 82 PID 1808 wrote to memory of 1596 1808 15dd0af6a94ff8295c72a83ef9bd359a_JaffaCakes118.exe 82 PID 1808 wrote to memory of 1596 1808 15dd0af6a94ff8295c72a83ef9bd359a_JaffaCakes118.exe 82 PID 1808 wrote to memory of 1596 1808 15dd0af6a94ff8295c72a83ef9bd359a_JaffaCakes118.exe 82 PID 1808 wrote to memory of 1596 1808 15dd0af6a94ff8295c72a83ef9bd359a_JaffaCakes118.exe 82
Processes
-
C:\Users\Admin\AppData\Local\Temp\15dd0af6a94ff8295c72a83ef9bd359a_JaffaCakes118.exe"C:\Users\Admin\AppData\Local\Temp\15dd0af6a94ff8295c72a83ef9bd359a_JaffaCakes118.exe"1⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1808 -
C:\Users\Admin\AppData\Local\Temp\15dd0af6a94ff8295c72a83ef9bd359a_JaffaCakes118.exe"C:\Users\Admin\AppData\Local\Temp\15dd0af6a94ff8295c72a83ef9bd359a_JaffaCakes118.exe"2⤵
- Suspicious behavior: EnumeratesProcesses
PID:1596
-