xloader | 090bc9b1aab3f3efacd0afb55b204001290e87aaf9ddd526e298877b0eb6f416

Analysis

max time kernel
147s
max time network
121s
platform
windows7_x64
resource
win7-20240215-en
resource tags

arch:x64arch:x86image:win7-20240215-enlocale:en-usos:windows7-x64system
submitted
16-04-2024 01:56

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

f26c94499e75a2ef55d35ea0a0d2d66f_JaffaCakes118.exe
Size

763KB
MD5

f26c94499e75a2ef55d35ea0a0d2d66f
SHA1

cb863e15848e6665bf6e750de68acd1282e83941
SHA256

090bc9b1aab3f3efacd0afb55b204001290e87aaf9ddd526e298877b0eb6f416
SHA512

cb0060e64076197606b5d70bad4fdc49fcaf731a78e274d03df7e61c01b08b35efcc018e0d18bac31a15b170b3a9b35a5af67a269a21f742fa01534842cc619f
SSDEEP

12288:e5kvqoB4sZ/Bk6Nl0mN/FRk0bKB0XHEmedF6Hv4AnEzcJqLZ5yt:aXoBZZ/Bk6Nl0y/3k0bKB0XH6UHqNk

Score

10^/10

xloader n8ba loader rat

Malware Config

Extracted

Family

xloader

Version

2.3

Campaign

n8ba

Decoy

thefitflect.com

anytourist.com

blggz.xyz

ascope.club

obyeboss.com

braun-mathematik.online

mtsnurulislamsby.com

jwpropertiestn.com

animalds.com

cunerier.com

sillysocklife.com

shopliyonamaaghin.net

theredcymbalsco.com

lostbikeproject.com

ryggoqlmga.club

realestatetriggers.com

luvlauricephotography.com

cheesehome.cloud

5fashionfix.net

wata-6-rwem.net

Signatures

Xloader
Xloader is a rebranded version of Formbook malware.
loader xloader

Xloader payload 4 IoCs

rat

resource	yara_rule
behavioral1/memory/2828-16-0x0000000000400000-0x0000000000429000-memory.dmp	xloader
behavioral1/memory/2828-22-0x0000000000400000-0x0000000000429000-memory.dmp	xloader
behavioral1/memory/2656-26-0x0000000000080000-0x00000000000A9000-memory.dmp	xloader
behavioral1/memory/2656-28-0x0000000000080000-0x00000000000A9000-memory.dmp	xloader

Suspicious use of SetThreadContext 3 IoCs

description	pid	Process	procid_target
PID 2916 set thread context of 2828	2916	f26c94499e75a2ef55d35ea0a0d2d66f_JaffaCakes118.exe	32
PID 2828 set thread context of 1256	2828	MSBuild.exe	21
PID 2656 set thread context of 1256	2656	NETSTAT.EXE	21

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

pid	Process
2732	schtasks.exe

Gathers network information 2 TTPs 1 IoCs

Uses commandline utility to view network configuration.

System Information Discovery

T1082

Command and Scripting Interpreter

T1059

pid	Process
2656	NETSTAT.EXE

Suspicious behavior: EnumeratesProcesses 26 IoCs

pid	Process
2916	f26c94499e75a2ef55d35ea0a0d2d66f_JaffaCakes118.exe
2916	f26c94499e75a2ef55d35ea0a0d2d66f_JaffaCakes118.exe
2916	f26c94499e75a2ef55d35ea0a0d2d66f_JaffaCakes118.exe
2828	MSBuild.exe
2828	MSBuild.exe
2656	NETSTAT.EXE
2656	NETSTAT.EXE
2656	NETSTAT.EXE
2656	NETSTAT.EXE
2656	NETSTAT.EXE
2656	NETSTAT.EXE
2656	NETSTAT.EXE
2656	NETSTAT.EXE
2656	NETSTAT.EXE
2656	NETSTAT.EXE
2656	NETSTAT.EXE
2656	NETSTAT.EXE
2656	NETSTAT.EXE
2656	NETSTAT.EXE
2656	NETSTAT.EXE
2656	NETSTAT.EXE
2656	NETSTAT.EXE
2656	NETSTAT.EXE
2656	NETSTAT.EXE
2656	NETSTAT.EXE
2656	NETSTAT.EXE

Suspicious behavior: MapViewOfSection 5 IoCs

pid	Process
2828	MSBuild.exe
2828	MSBuild.exe
2828	MSBuild.exe
2656	NETSTAT.EXE
2656	NETSTAT.EXE

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	2916	f26c94499e75a2ef55d35ea0a0d2d66f_JaffaCakes118.exe
Token: SeDebugPrivilege	2828	MSBuild.exe
Token: SeDebugPrivilege	2656	NETSTAT.EXE

Suspicious use of WriteProcessMemory 27 IoCs

description	pid	Process	procid_target
PID 2916 wrote to memory of 2732	2916	f26c94499e75a2ef55d35ea0a0d2d66f_JaffaCakes118.exe	28
PID 2916 wrote to memory of 2732	2916	f26c94499e75a2ef55d35ea0a0d2d66f_JaffaCakes118.exe	28
PID 2916 wrote to memory of 2732	2916	f26c94499e75a2ef55d35ea0a0d2d66f_JaffaCakes118.exe	28
PID 2916 wrote to memory of 2732	2916	f26c94499e75a2ef55d35ea0a0d2d66f_JaffaCakes118.exe	28
PID 2916 wrote to memory of 2736	2916	f26c94499e75a2ef55d35ea0a0d2d66f_JaffaCakes118.exe	30
PID 2916 wrote to memory of 2736	2916	f26c94499e75a2ef55d35ea0a0d2d66f_JaffaCakes118.exe	30
PID 2916 wrote to memory of 2736	2916	f26c94499e75a2ef55d35ea0a0d2d66f_JaffaCakes118.exe	30
PID 2916 wrote to memory of 2736	2916	f26c94499e75a2ef55d35ea0a0d2d66f_JaffaCakes118.exe	30
PID 2916 wrote to memory of 2456	2916	f26c94499e75a2ef55d35ea0a0d2d66f_JaffaCakes118.exe	31
PID 2916 wrote to memory of 2456	2916	f26c94499e75a2ef55d35ea0a0d2d66f_JaffaCakes118.exe	31
PID 2916 wrote to memory of 2456	2916	f26c94499e75a2ef55d35ea0a0d2d66f_JaffaCakes118.exe	31
PID 2916 wrote to memory of 2456	2916	f26c94499e75a2ef55d35ea0a0d2d66f_JaffaCakes118.exe	31
PID 2916 wrote to memory of 2828	2916	f26c94499e75a2ef55d35ea0a0d2d66f_JaffaCakes118.exe	32
PID 2916 wrote to memory of 2828	2916	f26c94499e75a2ef55d35ea0a0d2d66f_JaffaCakes118.exe	32
PID 2916 wrote to memory of 2828	2916	f26c94499e75a2ef55d35ea0a0d2d66f_JaffaCakes118.exe	32
PID 2916 wrote to memory of 2828	2916	f26c94499e75a2ef55d35ea0a0d2d66f_JaffaCakes118.exe	32
PID 2916 wrote to memory of 2828	2916	f26c94499e75a2ef55d35ea0a0d2d66f_JaffaCakes118.exe	32
PID 2916 wrote to memory of 2828	2916	f26c94499e75a2ef55d35ea0a0d2d66f_JaffaCakes118.exe	32
PID 2916 wrote to memory of 2828	2916	f26c94499e75a2ef55d35ea0a0d2d66f_JaffaCakes118.exe	32
PID 1256 wrote to memory of 2656	1256	Explorer.EXE	33
PID 1256 wrote to memory of 2656	1256	Explorer.EXE	33
PID 1256 wrote to memory of 2656	1256	Explorer.EXE	33
PID 1256 wrote to memory of 2656	1256	Explorer.EXE	33
PID 2656 wrote to memory of 2644	2656	NETSTAT.EXE	34
PID 2656 wrote to memory of 2644	2656	NETSTAT.EXE	34
PID 2656 wrote to memory of 2644	2656	NETSTAT.EXE	34
PID 2656 wrote to memory of 2644	2656	NETSTAT.EXE	34

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious use of WriteProcessMemory
PID:1256
- C:\Users\Admin\AppData\Local\Temp\f26c94499e75a2ef55d35ea0a0d2d66f_JaffaCakes118.exe
  "C:\Users\Admin\AppData\Local\Temp\f26c94499e75a2ef55d35ea0a0d2d66f_JaffaCakes118.exe"
  2⤵
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2916
- - C:\Windows\SysWOW64\schtasks.exe
    "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\vKuEoqencJkh" /XML "C:\Users\Admin\AppData\Local\Temp\tmpB70F.tmp"
    3⤵
    - Creates scheduled task(s)
    PID:2732
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
    3⤵
    PID:2736
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
    3⤵
    PID:2456
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
    3⤵
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of AdjustPrivilegeToken
    PID:2828
- C:\Windows\SysWOW64\NETSTAT.EXE
  "C:\Windows\SysWOW64\NETSTAT.EXE"
  2⤵
  - Suspicious use of SetThreadContext
  - Gathers network information
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2656
- - C:\Windows\SysWOW64\cmd.exe
    /c del "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
    3⤵
    PID:2644

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

Scheduled Task/Job

T1053

Persistence

Scheduled Task/Job

T1053

Privilege Escalation

Scheduled Task/Job

T1053

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmpB70F.tmp

Filesize
1KB

MD5
6ff05d22bc6a420db5eacc3cd151f5a0

SHA1
555823487253430e8331b51e3ee4ffeddb36712d

SHA256
c378c81c301d05bb15912d972c61f3af892608e9e5d4a948c608b3114d716d49

SHA512
b058e767cb68be99b3a6e47de1398abe260abd7e6ef43f9f1450bbf738f457dcd99ea901581ccc3c94373ffeef34a0b2dc5bf4eebc6e17b251cc97b4013a5e31

Download Submit
memory/1256-20-0x0000000003A20000-0x0000000003B20000-memory.dmp

Filesize
1024KB

Download
memory/1256-23-0x00000000047A0000-0x000000000488A000-memory.dmp

Filesize
936KB

Download
memory/2656-30-0x0000000001EC0000-0x0000000001F50000-memory.dmp

Filesize
576KB

Download
memory/2656-28-0x0000000000080000-0x00000000000A9000-memory.dmp

Filesize
164KB

Download
memory/2656-27-0x00000000021F0000-0x00000000024F3000-memory.dmp

Filesize
3.0MB

Download
memory/2656-26-0x0000000000080000-0x00000000000A9000-memory.dmp

Filesize
164KB

Download
memory/2656-25-0x0000000000790000-0x0000000000799000-memory.dmp

Filesize
36KB

Download
memory/2656-24-0x0000000000790000-0x0000000000799000-memory.dmp

Filesize
36KB

Download
memory/2828-22-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2828-13-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2828-15-0x00000000FFFDE000-0x00000000FFFDF000-memory.dmp

Filesize
4KB

Download
memory/2828-16-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2828-19-0x0000000000700000-0x0000000000A03000-memory.dmp

Filesize
3.0MB

Download
memory/2828-14-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2828-21-0x0000000000430000-0x0000000000441000-memory.dmp

Filesize
68KB

Download
memory/2916-17-0x0000000074260000-0x000000007494E000-memory.dmp

Filesize
6.9MB

Download
memory/2916-7-0x00000000009C0000-0x00000000009F0000-memory.dmp

Filesize
192KB

Download
memory/2916-0-0x00000000001C0000-0x0000000000286000-memory.dmp

Filesize
792KB

Download
memory/2916-6-0x0000000005880000-0x000000000591E000-memory.dmp

Filesize
632KB

Download
memory/2916-5-0x0000000005060000-0x00000000050A0000-memory.dmp

Filesize
256KB

Download
memory/2916-4-0x0000000074260000-0x000000007494E000-memory.dmp

Filesize
6.9MB

Download
memory/2916-3-0x00000000004E0000-0x00000000004F2000-memory.dmp

Filesize
72KB

Download
memory/2916-2-0x0000000005060000-0x00000000050A0000-memory.dmp

Filesize
256KB

Download
memory/2916-1-0x0000000074260000-0x000000007494E000-memory.dmp

Filesize
6.9MB

Download