Managed XDR

jahi1264.pn (Campo Loader) — malware analysis report

File info

Filename
jahi1264.pn
File type
PE32 executable (DLL) (console) Intel 80386 (stripped to external PDB), for MS Windows
File size
39.5 KB
First seen
Last seen

Environment

win7/x86 en

Hashes

SHA1
b22a0d35636bda3b79e27f9abccef48905a5b025
SHA256
b8212f866c5cdf1a823031e24fe10444aab103d8fb55a25821e1c7c7366e580f
MD5
0a8d825d553010e21a0ccaf054b74992

Malware

  • Campo Loader

Signatures

Persistence

T1574 dropper_dll: Creates DLL, which is then loaded into the process

Privilege Escalation

T1574 dropper_dll: Creates DLL, which is then loaded into the process
T1134 opens_thread_token: Opens the access token associated with a thread
T1134 opens_process_token: Opens the access token associated with a process

Defense Evasion

T1027.002 unnamed_memory_regions_contains_pe: One or several unnamed memory regions are PE files
T1027.002 unnamed_memory_regions: Code was executed in unnamed regions
T1027.002 packer_entropy: Probably contains compressed or encrypted data
T1574 dropper_dll: Creates DLL, which is then loaded into the process
T1134 opens_thread_token: Opens the access token associated with a thread
T1134 opens_process_token: Opens the access token associated with a process
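The three T1027.002 signatures above are heuristics: a high-entropy section suggests packed or encrypted content, and an "MZ"/"PE\0\0" pair inside a memory region that is not backed by a named module means a PE image was mapped by hand rather than by the loader. The script below is an added example (not part of this report and not the sandbox's own detection code) that reproduces both checks over constructed in-memory regions; the 7.0 bits/byte packing threshold, the region names and the sample bytes are assumptions chosen for illustration.

```python
"""Added example: entropy and embedded-PE checks over memory regions.

Not the sandbox's code. Regions, names and the 7.0 threshold are
assumptions; the sample buffers are constructed, not taken from the
analysed file.
"""
import math
import struct
from typing import Dict, List, Tuple

PACKED_ENTROPY_THRESHOLD = 7.0  # assumed heuristic cut-off, bits per byte


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte (0.0 for constant data, 8.0 for uniform)."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def find_pe_headers(buf: bytes) -> List[int]:
    """Offsets of embedded PE images: an 'MZ' stub whose e_lfanew (at +0x3C)
    points at a 'PE\\0\\0' signature that lies inside the buffer."""
    hits = []
    pos = buf.find(b"MZ")
    while pos != -1:
        if pos + 0x40 <= len(buf):
            e_lfanew = struct.unpack_from("<I", buf, pos + 0x3C)[0]
            pe = pos + e_lfanew
            # Sane e_lfanew values are small; reject wild pointers and truncated data.
            if 0 < e_lfanew < 0x1000 and buf[pe:pe + 4] == b"PE\0\0":
                hits.append(pos)
        pos = buf.find(b"MZ", pos + 1)
    return hits


def build_fake_pe(payload: bytes) -> bytes:
    """Constructed minimal PE-shaped blob: MZ stub, e_lfanew = 0x40, PE signature, payload."""
    hdr = bytearray(b"MZ" + b"\0" * 0x3E)
    struct.pack_into("<I", hdr, 0x3C, 0x40)
    return bytes(hdr) + b"PE\0\0" + payload


def scan_regions(regions: List[Tuple[str, bytes]]) -> List[Dict]:
    """regions: (module name or '' for an unnamed/private region, bytes).
    Flags packed-looking data and PE images that live outside any named module."""
    findings = []
    for name, data in regions:
        ent = shannon_entropy(data)
        pes = find_pe_headers(data)
        findings.append({
            "name": name or "<unnamed>",
            "entropy": round(ent, 2),
            "likely_packed": ent > PACKED_ENTROPY_THRESHOLD,
            "pe_offsets": pes,
            "unnamed_contains_pe": name == "" and bool(pes),
        })
    return findings


# Constructed sample: an unnamed region holding a manually mapped PE whose body
# is uniformly distributed bytes (stands in for encrypted/compressed content),
# a legitimately loaded module, and a plain NOP sled. Names are assumptions.
SAMPLE_REGIONS: List[Tuple[str, bytes]] = [
    ("", build_fake_pe(bytes(range(256)) * 16)),
    ("kernel32.dll", build_fake_pe(b"\x90" * 2048)),
    ("ntdll.dll", b"\x90" * 4096),
]

if __name__ == "__main__":
    for f in scan_regions(SAMPLE_REGIONS):
        print(f)
```

The two flags map onto the report's signatures: `likely_packed` is the packer_entropy heuristic, and `unnamed_contains_pe` is the condition behind unnamed_memory_regions_contains_pe. Against a real process you would feed the function the committed private regions from a minidump or from `VirtualQueryEx` rather than the constructed buffers.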

Other

yara_rules: Static rules
dead_host: Connects to IP addresses that do not respond to requests
process_crashed: One of the processes has failed
no_graphical_activity: No graphical activity
message_box: Displays a message
error_drawtext: An error occurred while executing the file
test_check_service: Starts services

Related reports