Analysis

max time kernel: 121s
max time network: 122s
platform: windows7_x64
resource: win7-20240729-en
resource tags: arch:x64, arch:x86, image:win7-20240729-en, locale:en-us, os:windows7-x64, system
submitted: 14-10-2024 18:47

Static task: static1
Behavioral task: behavioral1
Sample: 43aa5e8b27546106dd66c0dae83c5f59_JaffaCakes118.exe
Resource: win7-20240729-en
General

Target: 43aa5e8b27546106dd66c0dae83c5f59_JaffaCakes118.exe
Size: 1.5MB
MD5: 43aa5e8b27546106dd66c0dae83c5f59
SHA1: c55656ad4fad7217f1a0e71dd9e13102039eff0d
SHA256: e3639a291e120d2ac06f722f0da51fd842cea6469339208ef0ec6e7edf84e310
SHA512: b212d6a85571d2f9a6dc5f1a276b5d02ca117e075b3c910a0be53c219da0a2b4841a27abb4d04b6e178f93ba5374123161bb9ba7f751e4fc081f800dd156a21f
SSDEEP: 12288:Oh5E394sjPBi/7Ui9rI9jGoaft/VEMv/ZkkDOEVTQ6H+Uy1Susr8MmH3jr:FKo8UimctdEA/ZkceZZS5R0
Malware Config

Extracted
Family: xloader
Version: 2.3
Campaign: uisg
Domains:
editions-doc.com
nbchengfei.com
adepojuolaoluwa.com
wereldsewoorden.com
sjstyles.com
indigo-cambodia.com
avrenue.com
decaturwilbert.com
tech-really.com
kimurayoshino.com
melocotonmx.com
njrxmjg.com
amandadoylecoach.com
miniaide.com
kocaeliescortalev.com
ycxshi.com
f4funda.com
126047cp.com
projecteutopia.com
masksforvoting.com
indi-cali.com
ingam.design
theneighborhoodmasterclass.com
brandstormmediagroup.com
soothinglanguages.com
msmoneymaximiser.com
yduc.net
daniellageorges.com
lvaceu.com
institutoamc.com
hare-sec.com
asd-miris.com
beton-9.com
morehigher.com
cobblestoneroads.com
falhro.com
skincaretrial1.info
insideajazzyminute.net
loginforce.com
alluviumtheater.com
forevercelebration2021.com
wajeofxcv.com
ycshwhcm.com
rustyroselondon.com
forestbathingguru.com
gourmetemarket.com
dna-home-testing.com
assaulttrucking.net
nourgamalyoussef.com
soujson.com
sorelsverige.com
tandooridhaba.com
hypovida.foundation
iregentos.info
bjornadal.info
okdiu.com
857wu.com
3g54.club
xfa80.com
betxtremer.com
autominingsystem.com
ilcarecontinuum.net
eventualitiesofcrime.com
bst-gebaeudereinigung.com
makarimusic2020.com
Signatures

Xloader payload (1 IoC)
Processes:
resource | yara_rule
behavioral1/memory/2740-12-0x0000000000400000-0x0000000000428000-memory.dmp | xloader

Suspicious use of SetThreadContext (1 IoC)
Processes:
description | pid | process | target process
PID 2124 set thread context of 2740 | 2124 | 43aa5e8b27546106dd66c0dae83c5f59_JaffaCakes118.exe | 43aa5e8b27546106dd66c0dae83c5f59_JaffaCakes118.exe
System Location Discovery: System Language Discovery (1 TTP, 1 IoC)
Attempts to gather information about the system language of the victim host in order to infer its geographical location.
Processes:
description | ioc | process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 43aa5e8b27546106dd66c0dae83c5f59_JaffaCakes118.exe
Suspicious behavior: EnumeratesProcesses (3 IoCs)
Processes:
pid | process
2124 | 43aa5e8b27546106dd66c0dae83c5f59_JaffaCakes118.exe
2124 | 43aa5e8b27546106dd66c0dae83c5f59_JaffaCakes118.exe
2740 | 43aa5e8b27546106dd66c0dae83c5f59_JaffaCakes118.exe

Suspicious use of AdjustPrivilegeToken (1 IoC)
Processes:
description | pid | process
Token: SeDebugPrivilege | 2124 | 43aa5e8b27546106dd66c0dae83c5f59_JaffaCakes118.exe

Suspicious use of WriteProcessMemory (11 IoCs)
Processes:
description | pid | process | target process
PID 2124 wrote to memory of 2960 | 2124 | 43aa5e8b27546106dd66c0dae83c5f59_JaffaCakes118.exe | 43aa5e8b27546106dd66c0dae83c5f59_JaffaCakes118.exe
PID 2124 wrote to memory of 2960 | 2124 | 43aa5e8b27546106dd66c0dae83c5f59_JaffaCakes118.exe | 43aa5e8b27546106dd66c0dae83c5f59_JaffaCakes118.exe
PID 2124 wrote to memory of 2960 | 2124 | 43aa5e8b27546106dd66c0dae83c5f59_JaffaCakes118.exe | 43aa5e8b27546106dd66c0dae83c5f59_JaffaCakes118.exe
PID 2124 wrote to memory of 2960 | 2124 | 43aa5e8b27546106dd66c0dae83c5f59_JaffaCakes118.exe | 43aa5e8b27546106dd66c0dae83c5f59_JaffaCakes118.exe
PID 2124 wrote to memory of 2740 | 2124 | 43aa5e8b27546106dd66c0dae83c5f59_JaffaCakes118.exe | 43aa5e8b27546106dd66c0dae83c5f59_JaffaCakes118.exe
PID 2124 wrote to memory of 2740 | 2124 | 43aa5e8b27546106dd66c0dae83c5f59_JaffaCakes118.exe | 43aa5e8b27546106dd66c0dae83c5f59_JaffaCakes118.exe
PID 2124 wrote to memory of 2740 | 2124 | 43aa5e8b27546106dd66c0dae83c5f59_JaffaCakes118.exe | 43aa5e8b27546106dd66c0dae83c5f59_JaffaCakes118.exe
PID 2124 wrote to memory of 2740 | 2124 | 43aa5e8b27546106dd66c0dae83c5f59_JaffaCakes118.exe | 43aa5e8b27546106dd66c0dae83c5f59_JaffaCakes118.exe
PID 2124 wrote to memory of 2740 | 2124 | 43aa5e8b27546106dd66c0dae83c5f59_JaffaCakes118.exe | 43aa5e8b27546106dd66c0dae83c5f59_JaffaCakes118.exe
PID 2124 wrote to memory of 2740 | 2124 | 43aa5e8b27546106dd66c0dae83c5f59_JaffaCakes118.exe | 43aa5e8b27546106dd66c0dae83c5f59_JaffaCakes118.exe
PID 2124 wrote to memory of 2740 | 2124 | 43aa5e8b27546106dd66c0dae83c5f59_JaffaCakes118.exe | 43aa5e8b27546106dd66c0dae83c5f59_JaffaCakes118.exe
Processes

- C:\Users\Admin\AppData\Local\Temp\43aa5e8b27546106dd66c0dae83c5f59_JaffaCakes118.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\43aa5e8b27546106dd66c0dae83c5f59_JaffaCakes118.exe"
  PID: 2124
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  Children:
  - C:\Users\Admin\AppData\Local\Temp\43aa5e8b27546106dd66c0dae83c5f59_JaffaCakes118.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\43aa5e8b27546106dd66c0dae83c5f59_JaffaCakes118.exe"
    PID: 2960
  - C:\Users\Admin\AppData\Local\Temp\43aa5e8b27546106dd66c0dae83c5f59_JaffaCakes118.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\43aa5e8b27546106dd66c0dae83c5f59_JaffaCakes118.exe"
    PID: 2740
    - Suspicious behavior: EnumeratesProcesses