Analysis

  • max time kernel
    121s
  • max time network
    121s
  • platform
    windows7_x64
  • resource
    win7-20240221-en
  • resource tags

    arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
  • submitted
    02-04-2024 22:37

General

  • Target

    98ffc3c812e6cec919ebd286973e2002_JaffaCakes118.exe

  • Size

    445KB

  • MD5

    98ffc3c812e6cec919ebd286973e2002

  • SHA1

    b0d1a65445a7923870ad23ec4d80f592e808c987

  • SHA256

    014d0ece0d472eaea73698d634308303ddb9f227f39d339a66416c3cb744d2c1

  • SHA512

    5875f8f2c736cbf501c25635f5c9014e499a7fce01f139315cbf5c0d3c45e1e8568a9fa8ddfe60cb0a44804a7677fdcd411eab4be6177926649b1b691d97a721

  • SSDEEP

    6144:hBlL/NDevWMKIPT48zhmgL58KCjuLkTMm6GBX3KTDDC3cz/3aKkm3HC:n6B8KC4kTrV3KlziKkR

Score
10/10

Malware Config

Extracted

Family

xloader

Version

2.5

Campaign

b2c0

Decoy

bjyxszd520.xyz

hsvfingerprinting.com

elliotpioneer.com

bf396.com

chinaopedia.com

6233v.com

shopeuphoricapparel.com

loccssol.store

truefictionpictures.com

playstarexch.com

peruviancoffee.store

shobhajoshi.com

philme.net

avito-rules.com

independencehomecenters.com

atp-cayenne.com

invetorsbank.com

sasanos.com

scentfreebnb.com

catfuid.com

Signatures

  • Xloader

    Xloader is a rebranded version of Formbook malware.

  • Xloader payload 1 IoCs
  • Loads dropped DLL 1 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious behavior: EnumeratesProcesses 1 IoCs
  • Suspicious use of WriteProcessMemory 7 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\98ffc3c812e6cec919ebd286973e2002_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\98ffc3c812e6cec919ebd286973e2002_JaffaCakes118.exe"
    1⤵
    • Loads dropped DLL
    • Suspicious use of SetThreadContext
    • Suspicious use of WriteProcessMemory
    PID:1924
    • C:\Users\Admin\AppData\Local\Temp\98ffc3c812e6cec919ebd286973e2002_JaffaCakes118.exe
      "C:\Users\Admin\AppData\Local\Temp\98ffc3c812e6cec919ebd286973e2002_JaffaCakes118.exe"
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      PID:2804

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • \Users\Admin\AppData\Local\Temp\nsy1575.tmp\nawgsdqut.dll

    Filesize

    104KB

    MD5

    d4233fefc9328cc30b0ef014beb2f51b

    SHA1

    302180a5edb1fd653d7884bb60172e6edfbbeac4

    SHA256

    1827a3002964434b0acff1359241948e334148d3413312cfea326cae8f269758

    SHA512

    b3e19c83e631b6a8b8b0d00ab14af811519765b737f1497f27e8c3a8c3328038967dbb6095671e4095af48d6355b5f13cec20c38ef2dfb14cc2ae8e9482de4af

  • memory/2804-8-0x0000000000400000-0x0000000000429000-memory.dmp

    Filesize

    164KB

  • memory/2804-11-0x0000000000770000-0x0000000000A73000-memory.dmp

    Filesize

    3.0MB