Overview

overview

10

Static

static

3

cd082d86c8...18.exe

windows7-x64

10

cd082d86c8...18.exe

windows10-2004-x64

10

$PLUGINSDIR/qjlai.dll

windows7-x64

3

$PLUGINSDIR/qjlai.dll

windows10-2004-x64

3

Sharing

Copy URL
Twitter E-mail

General

  • Target

    cd082d86c8243824b21969ef80ebd2e8_JaffaCakes118

  • Size

    248KB

  • Sample

    240405-hytylaeb31

  • MD5

    cd082d86c8243824b21969ef80ebd2e8

  • SHA1

    dae3abb03aaab4bed3733d8756b8ddca512c9806

  • SHA256

    dc79715b1603acf022ff683ea5042eda16428d8d383d3779b292e8ea8c72f81a

  • SHA512

    73218fbaf8b7ee9c6d729f30e88fcf7c491dd6af09bd06af5dd4ef956cc0243e2d4a2c7f04ea9e67f7a6242bdcc2fec174c8d3693e6a629ad04bcbbe86f0a5bf

  • SSDEEP

    6144:wBlL/cyM+BhiUgI4kUV5+bwntgBVJm8QEAfwJYWAYisnAxRZ:Cei60bwtiJm8ZSw7AYissRZ

Score
10/10
xloadermxnuloaderrat

Malware Config

Extracted

Family

xloader

Version

2.5

Campaign

mxnu

Decoy

insightmyhome.com

gabriellamaxey.com

029atk.xyz

marshconstructions.com

technichoffghosts.com

blue-ivy-boutique-au.com

1sunsetgroup.com

elfkuhnispb.store

caoliudh.club

verifiedpaypal.net

jellyice-tr.com

gatescres.com

bloomberq.online

crystaltopagent.net

uggs-line.com

ecommerceplatform.xyz

historyofcambridge.com

sattaking-gaziabad.xyz

digisor.com

beachpawsmobilegrooming.com

Targets

    • Target

      cd082d86c8243824b21969ef80ebd2e8_JaffaCakes118

    • Size

      248KB

    • MD5

      cd082d86c8243824b21969ef80ebd2e8

    • SHA1

      dae3abb03aaab4bed3733d8756b8ddca512c9806

    • SHA256

      dc79715b1603acf022ff683ea5042eda16428d8d383d3779b292e8ea8c72f81a

    • SHA512

      73218fbaf8b7ee9c6d729f30e88fcf7c491dd6af09bd06af5dd4ef956cc0243e2d4a2c7f04ea9e67f7a6242bdcc2fec174c8d3693e6a629ad04bcbbe86f0a5bf

    • SSDEEP

      6144:wBlL/cyM+BhiUgI4kUV5+bwntgBVJm8QEAfwJYWAYisnAxRZ:Cei60bwtiJm8ZSw7AYissRZ

    Score
    10/10
    xloadermxnuloaderrat

    • Xloader

      Xloader is a rebranded version of Formbook malware.

      loaderxloader

    • Xloader payload

      rat

    • Loads dropped DLL

    • Suspicious use of SetThreadContext

    behavioral1behavioral2

    • Target

      $PLUGINSDIR/qjlai.dll

    • Size

      23KB

    • MD5

      6c8b646db465cc86802da2d0998b6f41

    • SHA1

      14718c272ce06b56bd65fc60d17ab19be45f8766

    • SHA256

      ffe13c127deadbd715b04324469a50e3f88f4f2aa1497350052a579ec41cdeeb

    • SHA512

      b957b26f07f31fdc9da2f72f87b4af03f94a8f1b2618d5c1fe1e69ddb571f1cda7412ced4e54e7c328f0695b758bffea5a9a6719ea104872a158d265b1185549

    • SSDEEP

      384:S0pXHbgQvsQPECPkKhCb5Y9Wo+zFA14ivowvPyVmM12rgHQV4V:SEX7TPpPNClo+TOowvPyVnYgHQ+

    Score
    3/10
    behavioral3behavioral4

MITRE ATT&CK Matrix ATT&CK v13

Tasks