Analysis

  • max time kernel
    145s
  • max time network
    149s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240226-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20240226-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    02-04-2024 16:56

General

  • Target

    920e626bea0e4949daea75e2a332f481_JaffaCakes118.exe

  • Size

    559KB

  • MD5

    920e626bea0e4949daea75e2a332f481

  • SHA1

    2d82ef86265c1e490744b53de82dc9be163192a7

  • SHA256

    08040f352684d740d9fa767c3315fb1636394dec01f35abe84ad7116cd735fb4

  • SHA512

    035ad5fe790eff621e5f1b1ded413fec6a2b0af1cbf71c5db33a026ca2a74b5ff3a2e1a05319927d603c64fb7d7403081e5961d3bafd69b56facff1ebb3c3f01

  • SSDEEP

    12288:EESo0nmHTrkIv/+p8OD4WnmOQVZMXfK4La/oc13:EESZmHTQIvmp/FnmOGY7LWJ

Score
10/10

Malware Config

Extracted

Family

xloader

Version

2.5

Campaign

hu8c

Decoy


Signatures

  • Xloader

    Xloader is a rebranded version of Formbook malware.

  • Xloader payload 1 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 5 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 9 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\920e626bea0e4949daea75e2a332f481_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\920e626bea0e4949daea75e2a332f481_JaffaCakes118.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:4104
    • C:\Users\Admin\AppData\Local\Temp\920e626bea0e4949daea75e2a332f481_JaffaCakes118.exe
      "C:\Users\Admin\AppData\Local\Temp\920e626bea0e4949daea75e2a332f481_JaffaCakes118.exe"
      2⤵
      PID:3824
    • C:\Users\Admin\AppData\Local\Temp\920e626bea0e4949daea75e2a332f481_JaffaCakes118.exe
      "C:\Users\Admin\AppData\Local\Temp\920e626bea0e4949daea75e2a332f481_JaffaCakes118.exe"
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      PID:3316
  • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=3672 --field-trial-handle=2276,i,5697607538120380977,9987005253899555344,262144 --variations-seed-version /prefetch:8
    1⤵
    PID:4392

Network

MITRE ATT&CK Matrix

Downloads

  • memory/3316-11-0x0000000000400000-0x0000000000429000-memory.dmp
    Filesize 164KB
  • memory/3316-13-0x0000000001770000-0x0000000001ABA000-memory.dmp
    Filesize 3.3MB
  • memory/4104-6-0x0000000006C60000-0x0000000006CFC000-memory.dmp
    Filesize 624KB
  • memory/4104-3-0x0000000005920000-0x00000000059B2000-memory.dmp
    Filesize 584KB
  • memory/4104-4-0x0000000005B90000-0x0000000005BA0000-memory.dmp
    Filesize 64KB
  • memory/4104-5-0x00000000059C0000-0x00000000059CA000-memory.dmp
    Filesize 40KB
  • memory/4104-0-0x0000000074FE0000-0x0000000075790000-memory.dmp
    Filesize 7.7MB
  • memory/4104-7-0x0000000005DD0000-0x0000000005DE2000-memory.dmp
    Filesize 72KB
  • memory/4104-8-0x0000000074FE0000-0x0000000075790000-memory.dmp
    Filesize 7.7MB
  • memory/4104-9-0x0000000005B90000-0x0000000005BA0000-memory.dmp
    Filesize 64KB
  • memory/4104-10-0x0000000007040000-0x0000000007094000-memory.dmp
    Filesize 336KB
  • memory/4104-2-0x0000000005E30000-0x00000000063D4000-memory.dmp
    Filesize 5.6MB
  • memory/4104-1-0x0000000000EC0000-0x0000000000F52000-memory.dmp
    Filesize 584KB
  • memory/4104-14-0x0000000074FE0000-0x0000000075790000-memory.dmp
    Filesize 7.7MB