Analysis

  • max time kernel: 122s
  • max time network: 125s
  • platform: windows7_x64
  • resource: win7-20240221-en
  • resource tags: arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
  • submitted: 03-04-2024 00:23

General

  • Target: 9b20c6a0c05584185da23f0892a7a982_JaffaCakes118.exe
  • Size: 252KB
  • MD5: 9b20c6a0c05584185da23f0892a7a982
  • SHA1: dfc1531489c4a803b0125c95b93609989dc3b138
  • SHA256: 53fb1511812b33448fb51c4a6a7f4095600f2d30251546466ab1d401191fa59a
  • SHA512: 2321b765bc891e89970457a47886dba583d68d588ac163d65c1dc1188fc2cd2935497a0a1413a5f23daa5628ffd17e252b121a0e856332aa5de155b3e56bedae
  • SSDEEP: 3072:wBynOpL12riocLMRcjGk4bKcahjDTAZ2rhS1FhySMsQuK89M2NvkskmtjIk9qcCX:wBlL/cRzZ5aVTA2khy3MRks91Xxazt

Score
10/10

Malware Config

Extracted

  • Family: xloader
  • Version: 2.5
  • Campaign: mxnu
  • Decoy domains (20 in the extracted config):


Signatures

  • Xloader

    Xloader is a rebranded version of Formbook malware.

  • Xloader payload (1 IoC)
  • Loads dropped DLL (1 IoC)
  • Suspicious use of SetThreadContext (1 IoC)
  • Enumerates physical storage devices (1 TTP)

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious behavior: EnumeratesProcesses (1 IoC)
  • Suspicious use of WriteProcessMemory (7 IoCs)

Processes

  • C:\Users\Admin\AppData\Local\Temp\9b20c6a0c05584185da23f0892a7a982_JaffaCakes118.exe (PID 1960)
    Command line: "C:\Users\Admin\AppData\Local\Temp\9b20c6a0c05584185da23f0892a7a982_JaffaCakes118.exe"
    • Loads dropped DLL
    • Suspicious use of SetThreadContext
    • Suspicious use of WriteProcessMemory
    • Child process: C:\Users\Admin\AppData\Local\Temp\9b20c6a0c05584185da23f0892a7a982_JaffaCakes118.exe (PID 1356)
      Command line: "C:\Users\Admin\AppData\Local\Temp\9b20c6a0c05584185da23f0892a7a982_JaffaCakes118.exe"
      • Suspicious behavior: EnumeratesProcesses

Downloads

  • C:\Users\Admin\AppData\Local\Temp\nsy401D.tmp\cwehlkdexhf.dll
    Filesize: 28KB
    MD5: 201dec4f5cfe9c448804d504da2b9f50
    SHA1: 4a565158eb3ee42694427374e11fc052a0bd3dad
    SHA256: f70b1ff393e0aaf8c737ec09a41598d9e51fbdde8bb19a7051aecc8d0752c965
    SHA512: 52771f45ca9d51fe84d125fcb741ea9485ffef8620c5bf7c4cf233f66540dc27e48bc1b83d7a16dfd2faaafa66903dd7504620721385ce106addbde15a1bac82
  • memory/1356-8-0x0000000000400000-0x0000000000429000-memory.dmp
    Filesize: 164KB
  • memory/1356-10-0x00000000008E0000-0x0000000000BE3000-memory.dmp
    Filesize: 3.0MB