Analysis
max time kernel: 143s
max time network: 152s
platform: windows10-2004_x64
resource: win10v2004-20240226-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240226-en, locale:en-us, os:windows10-2004-x64, system
submitted: 20-04-2024 19:55
Static task: static1
Behavioral task: behavioral1
Sample: fd84eb337a51966294ba08722170bf46_JaffaCakes118.exe
Resource: win7-20240221-en
General
Target: fd84eb337a51966294ba08722170bf46_JaffaCakes118.exe
Size: 1014KB
MD5: fd84eb337a51966294ba08722170bf46
SHA1: 1f529d60e2dc50deaac59af322708039da33c3be
SHA256: 8da806444010084307c77bf3a69f66ca36c15920bd7b9f60fdcf35fccd460701
SHA512: a522ba8c6daddbf69f711ef859c7e8fb79e2ab00372e6626af9119d82ef8cf22b0e2ebcc1897cd88810be5ee01b11e0950dbf0853ceb630de3e916ac3bacd847
SSDEEP: 12288:rFhlsU1cTDO+emag5IFyPK7yMmeP1vwdyAook1GZEUFA1Vk82C867LiuNyxv2AdU:rFhlXcOyeL3JStX+PbLk2QHQ
Malware Config
Extracted: xloader 2.3 p6f2
Domains:
redsnews.com
vr859.com
postmasterstudios.com
hampsteadorganizer.com
hangshop.net
maheshwaramlawcollege.com
5156087.com
gtaaddict.com
faj.xyz
drivechicagoillinois.com
neerutech.com
b2brahmas.com
freshlookks.com
propertyparallel.tech
tlwbyads.com
sellektorkids.com
dexs.fyi
kileybrock.com
nervstudio.com
tosg-ltd.com
admibd.com
hilariousfakenews.com
lub-additive.com
securecloudinfo.com
xn--jde.com
andtheskywentred.com
nearestgreenbeverage.net
tipthemusician.com
koziolwojciech.com
ryosecurity.com
cosypromotion.com
qvvn.life
emcelt.com
ersatzair.com
blassmail.online
florianlecerf.com
shannonsmithcounseling.com
litorin.com
plusproduce.net
sandersonfarnns.com
medicservic.com
mostmegaproductions.com
eldorado88casino.com
hordlife.com
drgunjankumaribhagwat.com
iregentos.info
lifeonprimroselane.com
playstoreaddps.com
anacquiredtastepodcast.com
chinachaohuo.com
xn--80aafif4agv1ai.xn--p1acf
flmoisture.com
framebooth.net
wildhare.media
1000praises.com
tna.zone
kravmagatacticalacademy.com
jasonwang.online
suruyorum.com
concretepill.com
alfarouqco.com
reliefpaypal.com
xn--fujtherma-xpb.com
petgsafetyseal.com
jantesetaccessoires.com
Signatures
- Detect ZGRat V1 (1 IoC)
  resource: behavioral2/memory/4076-9-0x0000000005270000-0x0000000005286000-memory.dmp
  yara_rule: family_zgrat_v1
- Xloader payload (1 IoC)
  resource: behavioral2/memory/1048-10-0x0000000000400000-0x0000000000428000-memory.dmp
  yara_rule: xloader
- Suspicious use of SetThreadContext (1 IoC)
  PID 4076 set thread context of 1048
  process: fd84eb337a51966294ba08722170bf46_JaffaCakes118.exe (4076)
  target process: fd84eb337a51966294ba08722170bf46_JaffaCakes118.exe (1048)
- Suspicious behavior: EnumeratesProcesses (2 IoCs)
  pid 1048 fd84eb337a51966294ba08722170bf46_JaffaCakes118.exe
  pid 1048 fd84eb337a51966294ba08722170bf46_JaffaCakes118.exe
- Suspicious use of WriteProcessMemory (6 IoCs, all identical)
  PID 4076 wrote to memory of 1048
  process: fd84eb337a51966294ba08722170bf46_JaffaCakes118.exe (4076)
  target process: fd84eb337a51966294ba08722170bf46_JaffaCakes118.exe (1048)
Processes
- C:\Users\Admin\AppData\Local\Temp\fd84eb337a51966294ba08722170bf46_JaffaCakes118.exe (depth 1)
  command line: "C:\Users\Admin\AppData\Local\Temp\fd84eb337a51966294ba08722170bf46_JaffaCakes118.exe"
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\fd84eb337a51966294ba08722170bf46_JaffaCakes118.exe (depth 2, child of the above)
    command line: "C:\Users\Admin\AppData\Local\Temp\fd84eb337a51966294ba08722170bf46_JaffaCakes118.exe"
    - Suspicious behavior: EnumeratesProcesses
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (depth 1)
  command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=4232 --field-trial-handle=2656,i,16940681401824032220,151921362336696246,262144 --variations-seed-version /prefetch:8
Network
MITRE ATT&CK Matrix
Downloads
- memory/1048-10-0x0000000000400000-0x0000000000428000-memory.dmp  Filesize: 160KB
- memory/1048-14-0x0000000001790000-0x0000000001ADA000-memory.dmp  Filesize: 3.3MB
- memory/1048-12-0x0000000001790000-0x0000000001ADA000-memory.dmp  Filesize: 3.3MB
- memory/4076-6-0x0000000005410000-0x0000000005420000-memory.dmp  Filesize: 64KB
- memory/4076-4-0x0000000005140000-0x00000000051B6000-memory.dmp  Filesize: 472KB
- memory/4076-5-0x00000000051D0000-0x000000000526C000-memory.dmp  Filesize: 624KB
- memory/4076-0-0x0000000074D90000-0x0000000075540000-memory.dmp  Filesize: 7.7MB
- memory/4076-7-0x0000000005050000-0x000000000506E000-memory.dmp  Filesize: 120KB
- memory/4076-8-0x0000000005320000-0x00000000053A0000-memory.dmp  Filesize: 512KB
- memory/4076-9-0x0000000005270000-0x0000000005286000-memory.dmp  Filesize: 88KB
- memory/4076-3-0x00000000050A0000-0x0000000005132000-memory.dmp  Filesize: 584KB
- memory/4076-2-0x0000000005780000-0x0000000005D24000-memory.dmp  Filesize: 5.6MB
- memory/4076-13-0x0000000074D90000-0x0000000075540000-memory.dmp  Filesize: 7.7MB
- memory/4076-1-0x00000000005D0000-0x00000000006D4000-memory.dmp  Filesize: 1.0MB