Analysis

  • max time kernel
    117s
  • max time network
    119s
  • platform
    windows7_x64
  • resource
    win7-20231129-en
  • resource tags

    arch:x64arch:x86image:win7-20231129-enlocale:en-usos:windows7-x64system
  • submitted
    01-04-2024 04:55

General

  • Target

    6850ea10453df9ba55f19aaab9322445_JaffaCakes118.exe

  • Size

    981KB

  • MD5

    6850ea10453df9ba55f19aaab9322445

  • SHA1

    55daafbcb4e4ccd9b64802dae321d31660d2502d

  • SHA256

    cdf04db4f38a3af95ce0441810eaa0919ec5b5f61d53976a8dcd2469d134de79

  • SHA512

    6756a6639ba95942c3c0fd6c237f8f281a301ab17c0f49499a967c5d674846e1173048b04ab79a977738247d04c255086adcb6517bcadb34e342738db572cd6e

  • SSDEEP

    24576:vWNWgJJKiiXCxh8eC/9qS64JGIS543eHS4PP0:vWWmKMgtJGIh6S4E

Malware Config

Extracted

Family

xloader

Version

2.5

Campaign

g91q

Decoy

familiengeschichtsforschung.com

brandingperspective.com

qctxcyagmn.com

gabrielecancilla.com

consultjenhome.com

raquelshaye.com

catix.store

cafemargaritastreet.com

649521.com

jhugiugiyfogiyfof.space

ktnspace.xyz

server-ku.com

dlatrxs.com

answertitles.com

tyzdia.com

thedavidhearne.com

verbenalifestyle.com

eniso-team.com

xn--jger-loa.media

ejassatuenam.xyz

Signatures

  • Detect ZGRat V1 1 IoCs
  • Xloader

    Xloader is a rebranded version of Formbook malware.

  • ZGRat

    ZGRat is remote access trojan written in C#.

  • Xloader payload 1 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 3 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 10 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\6850ea10453df9ba55f19aaab9322445_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\6850ea10453df9ba55f19aaab9322445_JaffaCakes118.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2316
    • C:\Users\Admin\AppData\Local\Temp\6850ea10453df9ba55f19aaab9322445_JaffaCakes118.exe
      C:\Users\Admin\AppData\Local\Temp\6850ea10453df9ba55f19aaab9322445_JaffaCakes118.exe
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      PID:2816

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

  • memory/2316-0-0x0000000000D40000-0x0000000000E3A000-memory.dmp

    Filesize

    1000KB

  • memory/2316-1-0x0000000074990000-0x000000007507E000-memory.dmp

    Filesize

    6.9MB

  • memory/2316-2-0x0000000004D50000-0x0000000004E46000-memory.dmp

    Filesize

    984KB

  • memory/2316-3-0x0000000074990000-0x000000007507E000-memory.dmp

    Filesize

    6.9MB

  • memory/2316-4-0x0000000004A30000-0x0000000004A70000-memory.dmp

    Filesize

    256KB

  • memory/2316-5-0x00000000006A0000-0x00000000006CE000-memory.dmp

    Filesize

    184KB

  • memory/2316-13-0x0000000074990000-0x000000007507E000-memory.dmp

    Filesize

    6.9MB

  • memory/2816-6-0x0000000000400000-0x0000000000429000-memory.dmp

    Filesize

    164KB

  • memory/2816-8-0x0000000000400000-0x0000000000429000-memory.dmp

    Filesize

    164KB

  • memory/2816-10-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

    Filesize

    4KB

  • memory/2816-12-0x0000000000400000-0x0000000000429000-memory.dmp

    Filesize

    164KB

  • memory/2816-14-0x00000000008A0000-0x0000000000BA3000-memory.dmp

    Filesize

    3.0MB