Analysis

max time kernel: 122s
max time network: 126s
platform: windows7_x64
resource: win7-20240221-en
resource tags: arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
submitted: 20-04-2024 16:52

Static task: static1
Behavioral task: behavioral1
  Sample: fd30d28fcbcb1355343d594752b78772_JaffaCakes118.exe
  Resource: win7-20240221-en
General

Target: fd30d28fcbcb1355343d594752b78772_JaffaCakes118.exe
Size: 345KB
MD5: fd30d28fcbcb1355343d594752b78772
SHA1: 33cb0811591d84b68ce5cb07e1050e4dea0ce6cf
SHA256: d00f87049fb2c7cbbf506ca2361e8295fe06926f17e1d2c16cfe3e88a2902f5a
SHA512: 5367ea6f2fea98f3942abc25b0c628d34443280f90eeae3d22d10686b428113237dd5708160ee5c790dc12c14a3a5b3505afc2c143d1392b93949cf3749e0f6b
SSDEEP: 6144:5CU7yTJH63y+Ah44w19QG3pLKSiUZrNVfs8V:oU7sOp4nS9QuNN2
Malware Config

Extracted
Family: xloader
Version: 2.3
Campaign: iq3g
Signatures

Xloader payload (2 IoCs)
  resource                                                                    yara_rule
  behavioral1/memory/2020-4-0x00000000002C0000-0x00000000002EA000-memory.dmp  xloader
  behavioral1/memory/2784-5-0x0000000000400000-0x0000000000428000-memory.dmp  xloader

Suspicious use of SetThreadContext (1 IoC)
  description                          pid   process                                              target process
  PID 2020 set thread context of 2784  2020  fd30d28fcbcb1355343d594752b78772_JaffaCakes118.exe  fd30d28fcbcb1355343d594752b78772_JaffaCakes118.exe

Suspicious behavior: EnumeratesProcesses (1 IoC)
  pid   process
  2784  fd30d28fcbcb1355343d594752b78772_JaffaCakes118.exe

Suspicious use of WriteProcessMemory (7 IoCs)
  description                        pid   process                                              target process
  PID 2020 wrote to memory of 2784   2020  fd30d28fcbcb1355343d594752b78772_JaffaCakes118.exe  fd30d28fcbcb1355343d594752b78772_JaffaCakes118.exe
  PID 2020 wrote to memory of 2784   2020  fd30d28fcbcb1355343d594752b78772_JaffaCakes118.exe  fd30d28fcbcb1355343d594752b78772_JaffaCakes118.exe
  PID 2020 wrote to memory of 2784   2020  fd30d28fcbcb1355343d594752b78772_JaffaCakes118.exe  fd30d28fcbcb1355343d594752b78772_JaffaCakes118.exe
  PID 2020 wrote to memory of 2784   2020  fd30d28fcbcb1355343d594752b78772_JaffaCakes118.exe  fd30d28fcbcb1355343d594752b78772_JaffaCakes118.exe
  PID 2020 wrote to memory of 2784   2020  fd30d28fcbcb1355343d594752b78772_JaffaCakes118.exe  fd30d28fcbcb1355343d594752b78772_JaffaCakes118.exe
  PID 2020 wrote to memory of 2784   2020  fd30d28fcbcb1355343d594752b78772_JaffaCakes118.exe  fd30d28fcbcb1355343d594752b78772_JaffaCakes118.exe
  PID 2020 wrote to memory of 2784   2020  fd30d28fcbcb1355343d594752b78772_JaffaCakes118.exe  fd30d28fcbcb1355343d594752b78772_JaffaCakes118.exe
Processes

C:\Users\Admin\AppData\Local\Temp\fd30d28fcbcb1355343d594752b78772_JaffaCakes118.exe
  "C:\Users\Admin\AppData\Local\Temp\fd30d28fcbcb1355343d594752b78772_JaffaCakes118.exe"
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory

    C:\Users\Admin\AppData\Local\Temp\fd30d28fcbcb1355343d594752b78772_JaffaCakes118.exe
      "C:\Users\Admin\AppData\Local\Temp\fd30d28fcbcb1355343d594752b78772_JaffaCakes118.exe"
      - Suspicious behavior: EnumeratesProcesses
Downloads

memory/2020-2-0x00000000014C0000-0x00000000015C0000-memory.dmp  Filesize: 1024KB
memory/2020-4-0x00000000002C0000-0x00000000002EA000-memory.dmp  Filesize: 168KB
memory/2784-1-0x000000007EFDE000-0x000000007EFDF000-memory.dmp  Filesize: 4KB
memory/2784-5-0x0000000000400000-0x0000000000428000-memory.dmp  Filesize: 160KB
memory/2784-8-0x00000000006F0000-0x00000000009F3000-memory.dmp  Filesize: 3.0MB
memory/2784-9-0x00000000006F0000-0x00000000009F3000-memory.dmp  Filesize: 3.0MB