Analysis

  • max time kernel: 117s
  • max time network: 121s
  • platform: windows7_x64
  • resource: win7-20240221-en
  • resource tags: arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
  • submitted: 29/03/2024, 08:51

General

  • Target: 1dbf7e4b0bfbfbaa955a52f01d5ec385_JaffaCakes118.exe
  • Size: 252KB
  • MD5: 1dbf7e4b0bfbfbaa955a52f01d5ec385
  • SHA1: dbd591beec7641072c443cc39b6efd14d87508c8
  • SHA256: 247ddda6e2702472217bec887b6e53bbf355e63d45753b4227956ea3e5a0272e
  • SHA512: 4cf1dd447c467d664a5ccc0be8bd84e65c6101534c0c3b09ba8113eb3181b2e32de27d58a252510526c2d5501cdf131e9a8f5624d3125fdf76a1be1e8c9c76d8
  • SSDEEP: 6144:wBlL/cLe5iaEXSSPpWOvxspbRrE+vmQV85qgNPyYE:CeVXSrOvWrEj2B

Score
10/10

Malware Config

Extracted

  • Family: xloader
  • Version: 2.5
  • Campaign: dgt9

Decoy

Signatures

  • Xloader

    Xloader is a rebranded version of Formbook malware.

  • Xloader payload 1 IoCs
  • Loads dropped DLL 1 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious behavior: EnumeratesProcesses 1 IoCs
  • Suspicious use of WriteProcessMemory 7 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\1dbf7e4b0bfbfbaa955a52f01d5ec385_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\1dbf7e4b0bfbfbaa955a52f01d5ec385_JaffaCakes118.exe"
    1⤵
    • Loads dropped DLL
    • Suspicious use of SetThreadContext
    • Suspicious use of WriteProcessMemory
    PID:2864
    • C:\Users\Admin\AppData\Local\Temp\1dbf7e4b0bfbfbaa955a52f01d5ec385_JaffaCakes118.exe
      "C:\Users\Admin\AppData\Local\Temp\1dbf7e4b0bfbfbaa955a52f01d5ec385_JaffaCakes118.exe"
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      PID:1608

Downloads

  • \Users\Admin\AppData\Local\Temp\nsi3F71.tmp\bckkx.dll
    Filesize: 42KB
    MD5: eaddca0182a37dcadc481a26307ad111
    SHA1: a7aef3dcbd7fffedc716dc70610a1f0f62fcaf42
    SHA256: a62639b271e480d9aa28d50945051ae35577711d95702f270060d809b062bb56
    SHA512: 9409069ca080c0170a70ec7e5baf7dd4c959362c9f540d525f45644ed95012f87b6818b16085bff2e1ae843281be97183372b8b0721673720bb76e93a5704c3d
  • memory/1608-9-0x0000000000400000-0x0000000000429000-memory.dmp
    Filesize: 164KB
  • memory/1608-11-0x0000000000990000-0x0000000000C93000-memory.dmp
    Filesize: 3.0MB
  • memory/2864-8-0x0000000010000000-0x000000001000D000-memory.dmp
    Filesize: 52KB
  • memory/2864-10-0x0000000010000000-0x000000001000D000-memory.dmp
    Filesize: 52KB