xloader | 247ddda6e2702472217bec887b6e53bbf355e63d45753b4227956ea3e5a0272e

Analysis

max time kernel
117s
max time network
121s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
29/03/2024, 08:51

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

1dbf7e4b0bfbfbaa955a52f01d5ec385_JaffaCakes118.exe
Size

252KB
MD5

1dbf7e4b0bfbfbaa955a52f01d5ec385
SHA1

dbd591beec7641072c443cc39b6efd14d87508c8
SHA256

247ddda6e2702472217bec887b6e53bbf355e63d45753b4227956ea3e5a0272e
SHA512

4cf1dd447c467d664a5ccc0be8bd84e65c6101534c0c3b09ba8113eb3181b2e32de27d58a252510526c2d5501cdf131e9a8f5624d3125fdf76a1be1e8c9c76d8
SSDEEP

6144:wBlL/cLe5iaEXSSPpWOvxspbRrE+vmQV85qgNPyYE:CeVXSrOvWrEj2B

Score

10^/10

xloader dgt9 loader rat

Malware Config

Extracted

Family

xloader

Version

2.5

Campaign

dgt9

Decoy

glimpse-media.com

crimsongomidv.xyz

seo-clicks6.com

cloudbreakhq.com

oakabbey.net

findcasinoslots.com

thehelloloveshop.com

havetsuczyli.quest

celestialtransportation.net

nianlun.wiki

valentinaturals.com

808gang.net

tykaa.com

sparoom.store

empregosbr1.online

visaractivateddprocessing.com

industriamadereraargentina.com

ekopressbrake.com

984561.com

oklahomacasinoreviews.com

Signatures

Xloader
Xloader is a rebranded version of Formbook malware.
loader xloader

Xloader payload 1 IoCs

rat

resource	yara_rule
behavioral1/memory/1608-9-0x0000000000400000-0x0000000000429000-memory.dmp	xloader

Loads dropped DLL 1 IoCs

pid	Process
2864	1dbf7e4b0bfbfbaa955a52f01d5ec385_JaffaCakes118.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2864 set thread context of 1608	2864	1dbf7e4b0bfbfbaa955a52f01d5ec385_JaffaCakes118.exe	28

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
1608	1dbf7e4b0bfbfbaa955a52f01d5ec385_JaffaCakes118.exe

Suspicious use of WriteProcessMemory 7 IoCs

description	pid	Process	procid_target
PID 2864 wrote to memory of 1608	2864	1dbf7e4b0bfbfbaa955a52f01d5ec385_JaffaCakes118.exe	28
PID 2864 wrote to memory of 1608	2864	1dbf7e4b0bfbfbaa955a52f01d5ec385_JaffaCakes118.exe	28
PID 2864 wrote to memory of 1608	2864	1dbf7e4b0bfbfbaa955a52f01d5ec385_JaffaCakes118.exe	28
PID 2864 wrote to memory of 1608	2864	1dbf7e4b0bfbfbaa955a52f01d5ec385_JaffaCakes118.exe	28
PID 2864 wrote to memory of 1608	2864	1dbf7e4b0bfbfbaa955a52f01d5ec385_JaffaCakes118.exe	28
PID 2864 wrote to memory of 1608	2864	1dbf7e4b0bfbfbaa955a52f01d5ec385_JaffaCakes118.exe	28
PID 2864 wrote to memory of 1608	2864	1dbf7e4b0bfbfbaa955a52f01d5ec385_JaffaCakes118.exe	28

C:\Users\Admin\AppData\Local\Temp\1dbf7e4b0bfbfbaa955a52f01d5ec385_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\1dbf7e4b0bfbfbaa955a52f01d5ec385_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:2864
- C:\Users\Admin\AppData\Local\Temp\1dbf7e4b0bfbfbaa955a52f01d5ec385_JaffaCakes118.exe
  "C:\Users\Admin\AppData\Local\Temp\1dbf7e4b0bfbfbaa955a52f01d5ec385_JaffaCakes118.exe"
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1608

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Local\Temp\nsi3F71.tmp\bckkx.dll

Filesize
42KB

MD5
eaddca0182a37dcadc481a26307ad111

SHA1
a7aef3dcbd7fffedc716dc70610a1f0f62fcaf42

SHA256
a62639b271e480d9aa28d50945051ae35577711d95702f270060d809b062bb56

SHA512
9409069ca080c0170a70ec7e5baf7dd4c959362c9f540d525f45644ed95012f87b6818b16085bff2e1ae843281be97183372b8b0721673720bb76e93a5704c3d

Download Submit
memory/1608-9-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/1608-11-0x0000000000990000-0x0000000000C93000-memory.dmp

Filesize
3.0MB

Download
memory/2864-8-0x0000000010000000-0x000000001000D000-memory.dmp

Filesize
52KB

Download
memory/2864-10-0x0000000010000000-0x000000001000D000-memory.dmp

Filesize
52KB

Download