Analysis

  • max time kernel
    93s
  • max time network
    94s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240226-en
  • resource tags
    arch:x64, arch:x86, image:win10v2004-20240226-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    02-04-2024 03:32

General

  • Target

    8279edc14cc42685f7fceefe384ddf0d_JaffaCakes118.exe

  • Size

    389KB

  • MD5

    8279edc14cc42685f7fceefe384ddf0d

  • SHA1

    d6b01e94dd1528eb364e16db7bc6a5e06a66bde6

  • SHA256

    5a573da6707c9373b0f49b049b07ddc21bc6976195b834473d0be2daaf52c173

  • SHA512

    6a1963004eb2cbfc49c48b638d70a9f7a9fa9ad24629bb78f2cdd31ad84d3a3908d707d51d88f5cb2f8acc7c9cab0725d84ca8957b3d32ea194205e3390d6f95

  • SSDEEP

    6144:kKq6ZZmDQ+3HwOEjhH+KU8b1Qy6mK8WRAYfnsdtGfBYmP6tKX:skoq1BTbKy6x8/vdMfBRX

Score
10/10

Malware Config

Extracted

Family

xloader

Version

2.5

Campaign

shjn

Decoy

Signatures

  • Xloader

    Xloader is a rebranded version of Formbook malware.

  • Xloader payload 1 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of WriteProcessMemory 6 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\8279edc14cc42685f7fceefe384ddf0d_JaffaCakes118.exe (PID 1184)
    Command line: "C:\Users\Admin\AppData\Local\Temp\8279edc14cc42685f7fceefe384ddf0d_JaffaCakes118.exe"
    • Suspicious use of SetThreadContext
    • Suspicious use of WriteProcessMemory
    • Child process: C:\Users\Admin\AppData\Local\Temp\8279edc14cc42685f7fceefe384ddf0d_JaffaCakes118.exe (PID 4212)
      Command line: "C:\Users\Admin\AppData\Local\Temp\8279edc14cc42685f7fceefe384ddf0d_JaffaCakes118.exe"
      • Suspicious behavior: EnumeratesProcesses

Network

MITRE ATT&CK Matrix


Downloads

  • memory/1184-6-0x0000000006400000-0x000000000649C000-memory.dmp (Filesize: 624KB)
  • memory/1184-0-0x0000000000600000-0x0000000000668000-memory.dmp (Filesize: 416KB)
  • memory/1184-2-0x00000000055B0000-0x0000000005B54000-memory.dmp (Filesize: 5.6MB)
  • memory/1184-3-0x00000000050A0000-0x0000000005132000-memory.dmp (Filesize: 584KB)
  • memory/1184-4-0x00000000051F0000-0x0000000005200000-memory.dmp (Filesize: 64KB)
  • memory/1184-5-0x0000000005030000-0x000000000503A000-memory.dmp (Filesize: 40KB)
  • memory/1184-1-0x0000000074B30000-0x00000000752E0000-memory.dmp (Filesize: 7.7MB)
  • memory/1184-7-0x00000000051A0000-0x00000000051B2000-memory.dmp (Filesize: 72KB)
  • memory/1184-10-0x0000000006740000-0x0000000006794000-memory.dmp (Filesize: 336KB)
  • memory/1184-9-0x00000000051F0000-0x0000000005200000-memory.dmp (Filesize: 64KB)
  • memory/1184-8-0x0000000074B30000-0x00000000752E0000-memory.dmp (Filesize: 7.7MB)
  • memory/1184-13-0x0000000074B30000-0x00000000752E0000-memory.dmp (Filesize: 7.7MB)
  • memory/4212-11-0x0000000000400000-0x0000000000429000-memory.dmp (Filesize: 164KB)
  • memory/4212-14-0x0000000001780000-0x0000000001ACA000-memory.dmp (Filesize: 3.3MB)