xloader | 7ec1e15224d90dfaf4898e771aa9997de11ad6794dce01f6c7d8b8cf479eb0fa

General

Target

108d9f901a58b91dea720c89bdaf6424_JaffaCakes118.exe
Size

494KB
MD5

108d9f901a58b91dea720c89bdaf6424
SHA1

27c84fd7da3576f056d3c216cc1602839b6afaa4
SHA256

7ec1e15224d90dfaf4898e771aa9997de11ad6794dce01f6c7d8b8cf479eb0fa
SHA512

e33be9e7465239f07ffadf9439abe8d12aacab55587f8cf8a7f3e8fa0d64bb76abcfc5b71dbfc7710b871b55145292d6cff89d827e96d413f66d33d7d9b8555d
SSDEEP

12288:zIwKYKwWHGKS8R2jLmgyKlIPoI6sG7I9LKpOjSSbwUw:ZeGtXDyRP6JF7

Score

10^/10

xloader cuig loader rat

Malware Config

Extracted

Family

xloader

Version

2.5

Campaign

cuig

Decoy

sofiathinks-elderly.net

lahamicoast.info

2shengman.com

cbsautoplex.com

arcana-candles.com

genrage.com

kukumiou.xyz

thequizerking.com

sonataproductions.com

rebuildgomnmf.xyz

ubcoin.store

yiyouxue.net

firstlifehome.com

mdx-inc.net

gotbn-c01.com

dinobrindes.store

jcm-iso.com

cliente-mais.com

mloujewelry.com

correoversoi.quest

Signatures

Xloader
Xloader is a rebranded version of Formbook malware.
loader xloader

Xloader payload 1 IoCs

rat

Processes:

resource	yara_rule
behavioral2/memory/4328-11-0x0000000000400000-0x0000000000429000-memory.dmp	xloader

Suspicious use of SetThreadContext 1 IoCs

Processes:

108d9f901a58b91dea720c89bdaf6424_JaffaCakes118.exe

description	pid	process	target process
PID 3192 set thread context of 4328	3192	108d9f901a58b91dea720c89bdaf6424_JaffaCakes118.exe	108d9f901a58b91dea720c89bdaf6424_JaffaCakes118.exe

Suspicious behavior: EnumeratesProcesses 10 IoCs

Processes:

108d9f901a58b91dea720c89bdaf6424_JaffaCakes118.exe108d9f901a58b91dea720c89bdaf6424_JaffaCakes118.exe

pid	process
3192	108d9f901a58b91dea720c89bdaf6424_JaffaCakes118.exe
3192	108d9f901a58b91dea720c89bdaf6424_JaffaCakes118.exe
3192	108d9f901a58b91dea720c89bdaf6424_JaffaCakes118.exe
3192	108d9f901a58b91dea720c89bdaf6424_JaffaCakes118.exe
3192	108d9f901a58b91dea720c89bdaf6424_JaffaCakes118.exe
3192	108d9f901a58b91dea720c89bdaf6424_JaffaCakes118.exe
3192	108d9f901a58b91dea720c89bdaf6424_JaffaCakes118.exe
3192	108d9f901a58b91dea720c89bdaf6424_JaffaCakes118.exe
4328	108d9f901a58b91dea720c89bdaf6424_JaffaCakes118.exe
4328	108d9f901a58b91dea720c89bdaf6424_JaffaCakes118.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

108d9f901a58b91dea720c89bdaf6424_JaffaCakes118.exe

description pid process

Token: SeDebugPrivilege 3192 108d9f901a58b91dea720c89bdaf6424_JaffaCakes118.exe

description	pid	process
Token: SeDebugPrivilege	3192	108d9f901a58b91dea720c89bdaf6424_JaffaCakes118.exe

Suspicious use of WriteProcessMemory 9 IoCs

Processes:

108d9f901a58b91dea720c89bdaf6424_JaffaCakes118.exe

description	pid	process	target process
PID 3192 wrote to memory of 1604	3192	108d9f901a58b91dea720c89bdaf6424_JaffaCakes118.exe	108d9f901a58b91dea720c89bdaf6424_JaffaCakes118.exe
PID 3192 wrote to memory of 1604	3192	108d9f901a58b91dea720c89bdaf6424_JaffaCakes118.exe	108d9f901a58b91dea720c89bdaf6424_JaffaCakes118.exe
PID 3192 wrote to memory of 1604	3192	108d9f901a58b91dea720c89bdaf6424_JaffaCakes118.exe	108d9f901a58b91dea720c89bdaf6424_JaffaCakes118.exe
PID 3192 wrote to memory of 4328	3192	108d9f901a58b91dea720c89bdaf6424_JaffaCakes118.exe	108d9f901a58b91dea720c89bdaf6424_JaffaCakes118.exe
PID 3192 wrote to memory of 4328	3192	108d9f901a58b91dea720c89bdaf6424_JaffaCakes118.exe	108d9f901a58b91dea720c89bdaf6424_JaffaCakes118.exe
PID 3192 wrote to memory of 4328	3192	108d9f901a58b91dea720c89bdaf6424_JaffaCakes118.exe	108d9f901a58b91dea720c89bdaf6424_JaffaCakes118.exe
PID 3192 wrote to memory of 4328	3192	108d9f901a58b91dea720c89bdaf6424_JaffaCakes118.exe	108d9f901a58b91dea720c89bdaf6424_JaffaCakes118.exe
PID 3192 wrote to memory of 4328	3192	108d9f901a58b91dea720c89bdaf6424_JaffaCakes118.exe	108d9f901a58b91dea720c89bdaf6424_JaffaCakes118.exe
PID 3192 wrote to memory of 4328	3192	108d9f901a58b91dea720c89bdaf6424_JaffaCakes118.exe	108d9f901a58b91dea720c89bdaf6424_JaffaCakes118.exe

C:\Users\Admin\AppData\Local\Temp\108d9f901a58b91dea720c89bdaf6424_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\108d9f901a58b91dea720c89bdaf6424_JaffaCakes118.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3192

C:\Users\Admin\AppData\Local\Temp\108d9f901a58b91dea720c89bdaf6424_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\108d9f901a58b91dea720c89bdaf6424_JaffaCakes118.exe"
2⤵
PID:1604

C:\Users\Admin\AppData\Local\Temp\108d9f901a58b91dea720c89bdaf6424_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\108d9f901a58b91dea720c89bdaf6424_JaffaCakes118.exe"
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:4328

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=4076 --field-trial-handle=1928,i,13242902252791919845,10377620236057253993,262144 --variations-seed-version /prefetch:8
1⤵
PID:2996

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/3192-6-0x0000000007650000-0x000000000765E000-memory.dmp

Filesize
56KB

Download
memory/3192-8-0x0000000007280000-0x0000000007290000-memory.dmp

Filesize
64KB

Download
memory/3192-2-0x00000000076A0000-0x0000000007C44000-memory.dmp

Filesize
5.6MB

Download
memory/3192-3-0x00000000070F0000-0x0000000007182000-memory.dmp

Filesize
584KB

Download
memory/3192-4-0x0000000007280000-0x0000000007290000-memory.dmp

Filesize
64KB

Download
memory/3192-5-0x0000000004D50000-0x0000000004D5A000-memory.dmp

Filesize
40KB

Download
memory/3192-1-0x00000000001D0000-0x0000000000250000-memory.dmp

Filesize
512KB

Download
memory/3192-7-0x0000000074F30000-0x00000000756E0000-memory.dmp

Filesize
7.7MB

Download
memory/3192-0-0x0000000074F30000-0x00000000756E0000-memory.dmp

Filesize
7.7MB

Download
memory/3192-9-0x00000000087F0000-0x000000000888C000-memory.dmp

Filesize
624KB

Download
memory/3192-10-0x000000000C020000-0x000000000C072000-memory.dmp

Filesize
328KB

Download
memory/3192-13-0x0000000074F30000-0x00000000756E0000-memory.dmp

Filesize
7.7MB

Download
memory/4328-11-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/4328-14-0x0000000001160000-0x00000000014AA000-memory.dmp

Filesize
3.3MB

Download
memory/4328-15-0x0000000001160000-0x00000000014AA000-memory.dmp

Filesize
3.3MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads