Analysis

  • max time kernel
    119s
  • max time network
    120s
  • platform
    windows7_x64
  • resource
    win7-20240221-en
  • resource tags
    arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
  • submitted
    02-04-2024 05:06

General

  • Target

    846d3c6c1ce0237c373de8ec0403f0e1_JaffaCakes118.exe

  • Size

    256KB

  • MD5

    846d3c6c1ce0237c373de8ec0403f0e1

  • SHA1

    06fd0d16804228e0f4b50393f18d78457055a640

  • SHA256

    7946718754bb669d3c7a80e355a20047e3e87dbfa9446927ceb6fabab21847d1

  • SHA512

    d630de0d71fc09327fa09d10304168ef8704e6136f78025ce8420d6c6e048a5d91803e096f8d56c46ea42fc5d3f8cbdb02d5206bb556316b5d78391205419ee0

  • SSDEEP

    6144:F8LxBs4OJ4RU5hy+AoHXCUqalLDsktt54JnzO7eIt:/4acZOXR7xKJzv4

Score
10/10

Malware Config

Extracted

Family

xloader

Version

2.5

Campaign

nqn4

Decoy

Signatures

  • Xloader

    Xloader is a rebranded version of Formbook malware.

  • Xloader payload 1 IoCs
  • Loads dropped DLL 1 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious behavior: EnumeratesProcesses 1 IoCs
  • Suspicious use of WriteProcessMemory 7 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\846d3c6c1ce0237c373de8ec0403f0e1_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\846d3c6c1ce0237c373de8ec0403f0e1_JaffaCakes118.exe"
    1⤵
    • Loads dropped DLL
    • Suspicious use of SetThreadContext
    • Suspicious use of WriteProcessMemory
    PID:384
    • C:\Users\Admin\AppData\Local\Temp\846d3c6c1ce0237c373de8ec0403f0e1_JaffaCakes118.exe
      "C:\Users\Admin\AppData\Local\Temp\846d3c6c1ce0237c373de8ec0403f0e1_JaffaCakes118.exe"
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      PID:2492

Network

MITRE ATT&CK Enterprise v15

Downloads

  • \Users\Admin\AppData\Local\Temp\nso86B.tmp\envdl.dll

    Filesize

    21KB

    MD5

    4a7f4f8dddc69b711134773bc01482c5

    SHA1

    7c3e00bfff4bcfaf2ccdce971cd247f7be3cdb0f

    SHA256

    d12d71c87dbbe93303a1402e368e5e8827d512aa54bae78347077ca468abdbc6

    SHA512

    19548dd1400535a606c1d6d82f7b9e6c41ecfedbeed269c7e62009f60fff12a96a24c837e8332e31d529b0a81e09e1ac470c1b7b500cc39fccae23cae12b8e2a

  • memory/384-7-0x0000000010000000-0x0000000010009000-memory.dmp

    Filesize

    36KB

  • memory/384-10-0x0000000010000000-0x0000000010009000-memory.dmp

    Filesize

    36KB

  • memory/2492-9-0x0000000000400000-0x0000000000429000-memory.dmp

    Filesize

    164KB

  • memory/2492-13-0x00000000008E0000-0x0000000000BE3000-memory.dmp

    Filesize

    3.0MB

  • memory/2492-14-0x00000000008E0000-0x0000000000BE3000-memory.dmp

    Filesize

    3.0MB