Analysis

max time kernel: 136s
max time network: 148s
platform: windows10-2004_x64
resource: win10v2004-20241007-en
resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
submitted: 15-10-2024 06:41
Static task: static1
Behavioral task: behavioral1
Sample: 4650af5882a76acbb99b4545b37bd54d_JaffaCakes118.exe
Resource: win7-20240903-en
General

Target: 4650af5882a76acbb99b4545b37bd54d_JaffaCakes118.exe
Size: 481KB
MD5: 4650af5882a76acbb99b4545b37bd54d
SHA1: 86aa307ba05607db60f0f43eb9094a04a9e89454
SHA256: c7151fd1d673aaf17c560cf8156f1bf3e6a909bd4a3ac4307edc25fa3bc04b42
SHA512: 4d7c35708ef6aaaddb76008e64c56f973214956b920a4d1f8b4818a0d0f85f91e22e35c378fc42f1066f215eb2a79e3beea69559b047401217de4c27a9f94c36
SSDEEP: 12288:c+mJL0S8rKgcZrFx4Oi5kThktSlkY9PT/nMmR:YXlHx4Oi5kThktSlkY9TnvR
Malware Config

Extracted
Family: xloader
Version: 2.5
Campaign: qs23
Domains (an Xloader configuration embeds a list of domains of which most are decoys; the report does not indicate which entry is the live C2, so treat the whole list as indicators rather than as confirmed infrastructure):
- alimentosafc.com
- noveltyporpak.xyz
- fleteszoom.com
- crabcompanions.com
- metumuskfinance.com
- perfectwatch.store
- thweddingstory.com
- ameliasongsforever.com
- enowrecords.com
- mywebcrown.com
- silianceconseil.com
- moodoven.com
- generalwholesalestore.com
- laguiza.com
- gionakpil.com
- nftfreemarket.com
- astrainconsultora.com
- favoritepedia.com
- mycprguru.com
- estateadmin.services
- licensedbenefitscenter.com
- z7ips4jnhi.com
- thefamilysmatterlawfirm.com
- charronteam.com
- sapphiremodule.com
- carcharginginstaller.com
- pledgenwork.com
- glasscityrentals.com
- lihsin.com
- putaojiau.com
- justnft.xyz
- choiceandpossibilities.com
- stark.agency
- theandrewjbrady.com
- cheaterbnuahe.xyz
- ayf1236.com
- techvirtys.xyz
- simsheating.com
- blendeqes.com
- nashvillehomesell.com
- christialana.com
- vvp-bij.info
- legalcoloradosprings.com
- thanhstudiowedding.com
- sogginesses.info
- babadebabajiaoshimo11.xyz
- bittywire.com
- suothernprop.net
- palisadestahoeoutlook.com
- competitionproduct.com
- cateringpairs.com
- privatejetsthai.com
- motodevi.com
- tunaudc.com
- disconnect.travel
- sjwholesale.biz
- roofingslobyo.xyz
- doskonale-samopoczucie.com
- dazzledayspa.com
- riwaq-international.com
- 2cute2care.com
- borzv.com
- geraldkbell.store
- xsqj888.com
- thanhnguyenedu.com
Signatures

Xloader payload (1 IoC)
resource: behavioral2/memory/4860-8-0x0000000000400000-0x0000000000429000-memory.dmp
yara_rule: xloader

Suspicious use of SetThreadContext (1 IoC)
PID 3840 (4650af5882a76acbb99b4545b37bd54d_JaffaCakes118.exe) set thread context of PID 4860; procid_target: 98

System Location Discovery: System Language Discovery (1 TTP, 1 IoC)
Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
ioc: Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language
process: 4650af5882a76acbb99b4545b37bd54d_JaffaCakes118.exe

Suspicious behavior: EnumeratesProcesses (2 IoCs)
PID 4860 (4650af5882a76acbb99b4545b37bd54d_JaffaCakes118.exe), reported twice

Suspicious use of AdjustPrivilegeToken (1 IoC)
Token: SeDebugPrivilege; PID 3840 (4650af5882a76acbb99b4545b37bd54d_JaffaCakes118.exe)

Suspicious use of WriteProcessMemory (6 IoCs)
PID 3840 (4650af5882a76acbb99b4545b37bd54d_JaffaCakes118.exe) wrote to memory of PID 4860; procid_target: 98 (the same event is recorded six times)
Processes

1. C:\Users\Admin\AppData\Local\Temp\4650af5882a76acbb99b4545b37bd54d_JaffaCakes118.exe
   command line: "C:\Users\Admin\AppData\Local\Temp\4650af5882a76acbb99b4545b37bd54d_JaffaCakes118.exe"
   PID: 3840
   - Suspicious use of SetThreadContext
   - System Location Discovery: System Language Discovery
   - Suspicious use of AdjustPrivilegeToken
   - Suspicious use of WriteProcessMemory

   2. (child of PID 3840) C:\Users\Admin\AppData\Local\Temp\4650af5882a76acbb99b4545b37bd54d_JaffaCakes118.exe
      command line: "C:\Users\Admin\AppData\Local\Temp\4650af5882a76acbb99b4545b37bd54d_JaffaCakes118.exe"
      PID: 4860
      - Suspicious behavior: EnumeratesProcesses