Analysis
max time kernel: 132s
max time network: 136s
platform: windows10-2004_x64
resource: win10v2004-20241007-en
resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
submitted: 23-10-2024 22:08
Static task: static1
Behavioral task: behavioral1
Sample: 7107c22585cca5ac62b9fe39dbd9daaa_JaffaCakes118.exe
Resource: win7-20241023-en
General
Target: 7107c22585cca5ac62b9fe39dbd9daaa_JaffaCakes118.exe
Size: 338KB
MD5: 7107c22585cca5ac62b9fe39dbd9daaa
SHA1: f0ec4ac5425b96d44725d6530527aae591f5ad57
SHA256: 07f0dc41af2d35f2cdddc5e1d2e38b49db0dbfa7a80840633206c77002d019c8
SHA512: ae1211188cbae541f5f6b349e5750f838a9502f8ad8abac7ce1c00d2888e855edca3d7dfbffeb833c17ba77dc9c18f47731c138fb178022267bc1aa69aa9e200
SSDEEP: 6144:yl9bet/TLOCbWUyoEmxIlhM0fwZ+4FMxlJ/5OCVdKrLfF0lYmuQ4pf:yYnyoEmxIlhM0YZ9Cxlh5OCi/cYvQ4pf
Malware Config
Extracted
Family: xloader
Version: 2.3
Campaign: att3
Signatures

Xloader payload (1 IoC)
resource: behavioral2/memory/4000-38-0x0000000000400000-0x0000000000429000-memory.dmp
yara_rule: xloader

Drops startup file (2 IoCs)
description | ioc | Process
File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ghdgstdhs.exe | PowerShell.exe
File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ghdgstdhs.exe | PowerShell.exe

Suspicious use of SetThreadContext (1 IoC)
description | pid | Process | procid_target
PID 2964 set thread context of 4000 | 2964 | 7107c22585cca5ac62b9fe39dbd9daaa_JaffaCakes118.exe | 103
System Location Discovery: System Language Discovery (1 TTP, 2 IoCs)
Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 7107c22585cca5ac62b9fe39dbd9daaa_JaffaCakes118.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | PowerShell.exe
Suspicious behavior: EnumeratesProcesses (4 IoCs)
pid | Process
448 | PowerShell.exe
4000 | 7107c22585cca5ac62b9fe39dbd9daaa_JaffaCakes118.exe
4000 | 7107c22585cca5ac62b9fe39dbd9daaa_JaffaCakes118.exe
448 | PowerShell.exe

Suspicious use of AdjustPrivilegeToken (2 IoCs)
description | pid | Process
Token: SeDebugPrivilege | 448 | PowerShell.exe
Token: SeDebugPrivilege | 2964 | 7107c22585cca5ac62b9fe39dbd9daaa_JaffaCakes118.exe

Suspicious use of WriteProcessMemory (9 IoCs)
description | pid | Process | procid_target
PID 2964 wrote to memory of 448 | 2964 | 7107c22585cca5ac62b9fe39dbd9daaa_JaffaCakes118.exe | 101
PID 2964 wrote to memory of 448 | 2964 | 7107c22585cca5ac62b9fe39dbd9daaa_JaffaCakes118.exe | 101
PID 2964 wrote to memory of 448 | 2964 | 7107c22585cca5ac62b9fe39dbd9daaa_JaffaCakes118.exe | 101
PID 2964 wrote to memory of 4000 | 2964 | 7107c22585cca5ac62b9fe39dbd9daaa_JaffaCakes118.exe | 103
PID 2964 wrote to memory of 4000 | 2964 | 7107c22585cca5ac62b9fe39dbd9daaa_JaffaCakes118.exe | 103
PID 2964 wrote to memory of 4000 | 2964 | 7107c22585cca5ac62b9fe39dbd9daaa_JaffaCakes118.exe | 103
PID 2964 wrote to memory of 4000 | 2964 | 7107c22585cca5ac62b9fe39dbd9daaa_JaffaCakes118.exe | 103
PID 2964 wrote to memory of 4000 | 2964 | 7107c22585cca5ac62b9fe39dbd9daaa_JaffaCakes118.exe | 103
PID 2964 wrote to memory of 4000 | 2964 | 7107c22585cca5ac62b9fe39dbd9daaa_JaffaCakes118.exe | 103
Processes

C:\Users\Admin\AppData\Local\Temp\7107c22585cca5ac62b9fe39dbd9daaa_JaffaCakes118.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\7107c22585cca5ac62b9fe39dbd9daaa_JaffaCakes118.exe"
  PID: 2964
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory

  C:\Windows\SysWOW64\WindowsPowerShell\v1.0\PowerShell.exe (child of PID 2964)
    Command line: "PowerShell" copy-item 'C:\Users\Admin\AppData\Local\Temp\7107c22585cca5ac62b9fe39dbd9daaa_JaffaCakes118.exe' 'C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ghdgstdhs.exe'
    PID: 448
    - Drops startup file
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken

  C:\Users\Admin\AppData\Local\Temp\7107c22585cca5ac62b9fe39dbd9daaa_JaffaCakes118.exe (child of PID 2964)
    Command line: "C:\Users\Admin\AppData\Local\Temp\7107c22585cca5ac62b9fe39dbd9daaa_JaffaCakes118.exe"
    PID: 4000
    - Suspicious behavior: EnumeratesProcesses
Network
MITRE ATT&CK Enterprise v15
Downloads
Filesize: 60B
MD5: d17fe0a3f47be24a6453e9ef58c94641
SHA1: 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256: 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512: 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82