Overview

overview

10

Static

static

1

jabastin.exe

windows7_x64

10

jabastin.exe

windows10_x64

10

Analysis

  • max time kernel
    150s
  • max time network
    150s
  • platform
    windows10_x64
  • resource
    win10v20201028
  • submitted
    04-03-2021 03:34

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    jabastin.exe

  • Size

    219KB

  • MD5

    bf2280363178076f4f5e4f6b1560c4bb

  • SHA1

    8cff680cbc56da797f68e234901b16a8067abbd8

  • SHA256

    c0c03ed0990ed10f1f253b8db22d6126a344388797b920909c64f5307c42da40

  • SHA512

    b2b652de7fa1341d8b868c7d995a2713e25184cc12255dc9831ca6d4b04a60d060ecd1b9364deed565114906fae423bd36f4c43182d4215d3505a9f69253aee9

Score
10/10
xloaderloaderrat

Malware Config

Extracted

Family

xloader

C2

http://www.injectionhub.com/nppk/

Decoy

jwfbc.com

thebroncooutfitters.com

andaplafonpadang.com

zixi20.com

lanzhoubuxiugang.com

saielectronicsonline.com

amazonishop.com

theblindshops.com

polyanom.com

stunningsinglemama.com

softfsafawt.site

fuyunniu.com

choose-deal.com

pornstarpimp.com

hairthatshappy.com

one-etz.com

sharonbrandman.com

servidordigital.company

don-dejohn.com

malaysianwhitecoffee.com

Signatures

  • Xloader

    Xloader is a rebranded version of Formbook malware.

    loaderxloader
  • Xloader Payload 2 IoCs
    rat
  • Loads dropped DLL 1 IoCs
  • Suspicious use of SetThreadContext 3 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: MapViewOfSection 6 IoCs
  • Suspicious use of AdjustPrivilegeToken 6 IoCs
  • Suspicious use of WriteProcessMemory 10 IoCs

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:3128
    • C:\Users\Admin\AppData\Local\Temp\jabastin.exe
      "C:\Users\Admin\AppData\Local\Temp\jabastin.exe"
      2⤵
      • Loads dropped DLL
      • Suspicious use of SetThreadContext
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious behavior: MapViewOfSection
      • Suspicious use of WriteProcessMemory
      PID:4684
      • C:\Users\Admin\AppData\Local\Temp\jabastin.exe
        "C:\Users\Admin\AppData\Local\Temp\jabastin.exe"
        3⤵
        • Suspicious use of SetThreadContext
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious behavior: MapViewOfSection
        • Suspicious use of AdjustPrivilegeToken
        PID:5096
    • C:\Windows\SysWOW64\cmstp.exe
      "C:\Windows\SysWOW64\cmstp.exe"
      2⤵
      • Suspicious use of SetThreadContext
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious behavior: MapViewOfSection
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:4232
      • C:\Windows\SysWOW64\cmd.exe
        /c del "C:\Users\Admin\AppData\Local\Temp\jabastin.exe"
        3⤵
          PID:3304

    Network

    MITRE ATT&CK Matrix ATT&CK v6

    Initial Access

    Execution

    Persistence

    Privilege Escalation

    Defense Evasion

    Credential Access

    Discovery

    System Information Discovery

    1
    T1082

    Lateral Movement

    Collection

    Exfiltration

    Command and Control

    Impact

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • \Users\Admin\AppData\Local\Temp\nsu2B9B.tmp\p3tkf.dll
      MD5

      d4f92f1c48fff5c30de03897eee21c95

      SHA1

      3341a9ca0906f94e95856453b19385a7957e101f

      SHA256

      2036564a7e2ffa08e02d3e52a51727e28297e7d7901b3cf659a1142719a52cd4

      SHA512

      e53bd79f0e853f5b699d54482bc94ebbaa627e0ea861e3fc82ff38d3049f04034c91ea85910731dccaec0434ea63b6f78581b26f8872c7d9039a1e768f24411b

      Download Submit
    • memory/3128-8-0x0000000004F00000-0x000000000502D000-memory.dmp
      Filesize

      1.2MB

      Download
    • memory/3128-15-0x0000000005030000-0x0000000005180000-memory.dmp
      Filesize

      1.3MB

      Download
    • memory/3304-12-0x0000000000000000-mapping.dmp
      Download
    • memory/4232-9-0x0000000000000000-mapping.dmp
      Download
    • memory/4232-10-0x0000000000150000-0x0000000000166000-memory.dmp
      Filesize

      88KB

      Download
    • memory/4232-11-0x0000000002DB0000-0x0000000002DD9000-memory.dmp
      Filesize

      164KB

      Download
    • memory/4232-13-0x0000000004500000-0x0000000004820000-memory.dmp
      Filesize

      3.1MB

      Download
    • memory/4232-14-0x00000000048B0000-0x0000000004940000-memory.dmp
      Filesize

      576KB

      Download
    • memory/5096-5-0x0000000000400000-0x0000000000429000-memory.dmp
      Filesize

      164KB

      Download
    • memory/5096-7-0x00000000008E0000-0x00000000008F1000-memory.dmp
      Filesize

      68KB

      Download
    • memory/5096-6-0x00000000009D0000-0x0000000000CF0000-memory.dmp
      Filesize

      3.1MB

      Download
    • memory/5096-3-0x000000000041D090-mapping.dmp
      Download