xloader | 090bc9b1aab3f3efacd0afb55b204001290e87aaf9ddd526e298877b0eb6f416

General

Target

f26c94499e75a2ef55d35ea0a0d2d66f_JaffaCakes118.exe
Size

763KB
MD5

f26c94499e75a2ef55d35ea0a0d2d66f
SHA1

cb863e15848e6665bf6e750de68acd1282e83941
SHA256

090bc9b1aab3f3efacd0afb55b204001290e87aaf9ddd526e298877b0eb6f416
SHA512

cb0060e64076197606b5d70bad4fdc49fcaf731a78e274d03df7e61c01b08b35efcc018e0d18bac31a15b170b3a9b35a5af67a269a21f742fa01534842cc619f
SSDEEP

12288:e5kvqoB4sZ/Bk6Nl0mN/FRk0bKB0XHEmedF6Hv4AnEzcJqLZ5yt:aXoBZZ/Bk6Nl0y/3k0bKB0XH6UHqNk

Score

10^/10

xloader n8ba loader rat

Malware Config

Extracted

Family

xloader

Version

2.3

Campaign

n8ba

Decoy

thefitflect.com

anytourist.com

blggz.xyz

ascope.club

obyeboss.com

braun-mathematik.online

mtsnurulislamsby.com

jwpropertiestn.com

animalds.com

cunerier.com

sillysocklife.com

shopliyonamaaghin.net

theredcymbalsco.com

lostbikeproject.com

ryggoqlmga.club

realestatetriggers.com

luvlauricephotography.com

cheesehome.cloud

5fashionfix.net

wata-6-rwem.net

Signatures

Xloader
Xloader is a rebranded version of Formbook malware.
loader xloader

Xloader payload 4 IoCs

rat

Processes:

resource	yara_rule
behavioral1/memory/2828-16-0x0000000000400000-0x0000000000429000-memory.dmp	xloader
behavioral1/memory/2828-22-0x0000000000400000-0x0000000000429000-memory.dmp	xloader
behavioral1/memory/2656-26-0x0000000000080000-0x00000000000A9000-memory.dmp	xloader
behavioral1/memory/2656-28-0x0000000000080000-0x00000000000A9000-memory.dmp	xloader

Suspicious use of SetThreadContext 3 IoCs

Processes:

f26c94499e75a2ef55d35ea0a0d2d66f_JaffaCakes118.exeMSBuild.exeNETSTAT.EXE

description	pid	process	target process
PID 2916 set thread context of 2828	2916	f26c94499e75a2ef55d35ea0a0d2d66f_JaffaCakes118.exe	MSBuild.exe
PID 2828 set thread context of 1256	2828	MSBuild.exe	Explorer.EXE
PID 2656 set thread context of 1256	2656	NETSTAT.EXE	Explorer.EXE

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task/Job
T1053

Processes:

schtasks.exe

pid process

2732 schtasks.exe
Gathers network information 2 TTPs 1 IoCs
Uses commandline utility to view network configuration.

System Information Discovery
T1082

Command and Scripting Interpreter
T1059

Processes:

NETSTAT.EXE

pid process

2656 NETSTAT.EXE

pid	process
2732	schtasks.exe

pid	process
2656	NETSTAT.EXE

Suspicious behavior: EnumeratesProcesses 26 IoCs

Processes:

f26c94499e75a2ef55d35ea0a0d2d66f_JaffaCakes118.exeMSBuild.exeNETSTAT.EXE

pid	process
2916	f26c94499e75a2ef55d35ea0a0d2d66f_JaffaCakes118.exe
2916	f26c94499e75a2ef55d35ea0a0d2d66f_JaffaCakes118.exe
2916	f26c94499e75a2ef55d35ea0a0d2d66f_JaffaCakes118.exe
2828	MSBuild.exe
2828	MSBuild.exe
2656	NETSTAT.EXE
2656	NETSTAT.EXE
2656	NETSTAT.EXE
2656	NETSTAT.EXE
2656	NETSTAT.EXE
2656	NETSTAT.EXE
2656	NETSTAT.EXE
2656	NETSTAT.EXE
2656	NETSTAT.EXE
2656	NETSTAT.EXE
2656	NETSTAT.EXE
2656	NETSTAT.EXE
2656	NETSTAT.EXE
2656	NETSTAT.EXE
2656	NETSTAT.EXE
2656	NETSTAT.EXE
2656	NETSTAT.EXE
2656	NETSTAT.EXE
2656	NETSTAT.EXE
2656	NETSTAT.EXE
2656	NETSTAT.EXE

Suspicious behavior: MapViewOfSection 5 IoCs

Processes:

MSBuild.exeNETSTAT.EXE

pid process

2828 MSBuild.exe
2828 MSBuild.exe
2828 MSBuild.exe
2656 NETSTAT.EXE
2656 NETSTAT.EXE

pid	process
2828	MSBuild.exe
2828	MSBuild.exe
2828	MSBuild.exe
2656	NETSTAT.EXE
2656	NETSTAT.EXE

Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

f26c94499e75a2ef55d35ea0a0d2d66f_JaffaCakes118.exeMSBuild.exeNETSTAT.EXE

description	pid	process
Token: SeDebugPrivilege	2916	f26c94499e75a2ef55d35ea0a0d2d66f_JaffaCakes118.exe
Token: SeDebugPrivilege	2828	MSBuild.exe
Token: SeDebugPrivilege	2656	NETSTAT.EXE

Suspicious use of WriteProcessMemory 27 IoCs

Processes:

f26c94499e75a2ef55d35ea0a0d2d66f_JaffaCakes118.exeExplorer.EXENETSTAT.EXE

description	pid	process	target process
PID 2916 wrote to memory of 2732	2916	f26c94499e75a2ef55d35ea0a0d2d66f_JaffaCakes118.exe	schtasks.exe
PID 2916 wrote to memory of 2732	2916	f26c94499e75a2ef55d35ea0a0d2d66f_JaffaCakes118.exe	schtasks.exe
PID 2916 wrote to memory of 2732	2916	f26c94499e75a2ef55d35ea0a0d2d66f_JaffaCakes118.exe	schtasks.exe
PID 2916 wrote to memory of 2732	2916	f26c94499e75a2ef55d35ea0a0d2d66f_JaffaCakes118.exe	schtasks.exe
PID 2916 wrote to memory of 2736	2916	f26c94499e75a2ef55d35ea0a0d2d66f_JaffaCakes118.exe	MSBuild.exe
PID 2916 wrote to memory of 2736	2916	f26c94499e75a2ef55d35ea0a0d2d66f_JaffaCakes118.exe	MSBuild.exe
PID 2916 wrote to memory of 2736	2916	f26c94499e75a2ef55d35ea0a0d2d66f_JaffaCakes118.exe	MSBuild.exe
PID 2916 wrote to memory of 2736	2916	f26c94499e75a2ef55d35ea0a0d2d66f_JaffaCakes118.exe	MSBuild.exe
PID 2916 wrote to memory of 2456	2916	f26c94499e75a2ef55d35ea0a0d2d66f_JaffaCakes118.exe	MSBuild.exe
PID 2916 wrote to memory of 2456	2916	f26c94499e75a2ef55d35ea0a0d2d66f_JaffaCakes118.exe	MSBuild.exe
PID 2916 wrote to memory of 2456	2916	f26c94499e75a2ef55d35ea0a0d2d66f_JaffaCakes118.exe	MSBuild.exe
PID 2916 wrote to memory of 2456	2916	f26c94499e75a2ef55d35ea0a0d2d66f_JaffaCakes118.exe	MSBuild.exe
PID 2916 wrote to memory of 2828	2916	f26c94499e75a2ef55d35ea0a0d2d66f_JaffaCakes118.exe	MSBuild.exe
PID 2916 wrote to memory of 2828	2916	f26c94499e75a2ef55d35ea0a0d2d66f_JaffaCakes118.exe	MSBuild.exe
PID 2916 wrote to memory of 2828	2916	f26c94499e75a2ef55d35ea0a0d2d66f_JaffaCakes118.exe	MSBuild.exe
PID 2916 wrote to memory of 2828	2916	f26c94499e75a2ef55d35ea0a0d2d66f_JaffaCakes118.exe	MSBuild.exe
PID 2916 wrote to memory of 2828	2916	f26c94499e75a2ef55d35ea0a0d2d66f_JaffaCakes118.exe	MSBuild.exe
PID 2916 wrote to memory of 2828	2916	f26c94499e75a2ef55d35ea0a0d2d66f_JaffaCakes118.exe	MSBuild.exe
PID 2916 wrote to memory of 2828	2916	f26c94499e75a2ef55d35ea0a0d2d66f_JaffaCakes118.exe	MSBuild.exe
PID 1256 wrote to memory of 2656	1256	Explorer.EXE	NETSTAT.EXE
PID 1256 wrote to memory of 2656	1256	Explorer.EXE	NETSTAT.EXE
PID 1256 wrote to memory of 2656	1256	Explorer.EXE	NETSTAT.EXE
PID 1256 wrote to memory of 2656	1256	Explorer.EXE	NETSTAT.EXE
PID 2656 wrote to memory of 2644	2656	NETSTAT.EXE	cmd.exe
PID 2656 wrote to memory of 2644	2656	NETSTAT.EXE	cmd.exe
PID 2656 wrote to memory of 2644	2656	NETSTAT.EXE	cmd.exe
PID 2656 wrote to memory of 2644	2656	NETSTAT.EXE	cmd.exe

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious use of WriteProcessMemory
PID:1256

C:\Users\Admin\AppData\Local\Temp\f26c94499e75a2ef55d35ea0a0d2d66f_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\f26c94499e75a2ef55d35ea0a0d2d66f_JaffaCakes118.exe"
2⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2916

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\vKuEoqencJkh" /XML "C:\Users\Admin\AppData\Local\Temp\tmpB70F.tmp"
3⤵
- Creates scheduled task(s)
PID:2732

C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
3⤵
PID:2736

C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
3⤵
PID:2456

C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
3⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:2828

C:\Windows\SysWOW64\NETSTAT.EXE
"C:\Windows\SysWOW64\NETSTAT.EXE"
2⤵
- Suspicious use of SetThreadContext
- Gathers network information
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2656

C:\Windows\SysWOW64\cmd.exe
/c del "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
3⤵
PID:2644

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Scheduled Task/Job

1

T1053

Command and Scripting Interpreter

1

T1059

Persistence

Scheduled Task/Job

1

T1053

Privilege Escalation

Scheduled Task/Job

1

T1053

Defense Evasion

Credential Access

Discovery

System Information Discovery

2

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmpB70F.tmp
Filesize
1KB

MD5
6ff05d22bc6a420db5eacc3cd151f5a0

SHA1
555823487253430e8331b51e3ee4ffeddb36712d

SHA256
c378c81c301d05bb15912d972c61f3af892608e9e5d4a948c608b3114d716d49

SHA512
b058e767cb68be99b3a6e47de1398abe260abd7e6ef43f9f1450bbf738f457dcd99ea901581ccc3c94373ffeef34a0b2dc5bf4eebc6e17b251cc97b4013a5e31

Download Submit
memory/1256-20-0x0000000003A20000-0x0000000003B20000-memory.dmp

Filesize
1024KB

Download
memory/1256-23-0x00000000047A0000-0x000000000488A000-memory.dmp

Filesize
936KB

Download
memory/2656-30-0x0000000001EC0000-0x0000000001F50000-memory.dmp

Filesize
576KB

Download
memory/2656-28-0x0000000000080000-0x00000000000A9000-memory.dmp

Filesize
164KB

Download
memory/2656-27-0x00000000021F0000-0x00000000024F3000-memory.dmp

Filesize
3.0MB

Download
memory/2656-26-0x0000000000080000-0x00000000000A9000-memory.dmp

Filesize
164KB

Download
memory/2656-25-0x0000000000790000-0x0000000000799000-memory.dmp

Filesize
36KB

Download
memory/2656-24-0x0000000000790000-0x0000000000799000-memory.dmp

Filesize
36KB

Download
memory/2828-22-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2828-13-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2828-15-0x00000000FFFDE000-0x00000000FFFDF000-memory.dmp

Filesize
4KB

Download
memory/2828-16-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2828-19-0x0000000000700000-0x0000000000A03000-memory.dmp

Filesize
3.0MB

Download
memory/2828-14-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2828-21-0x0000000000430000-0x0000000000441000-memory.dmp

Filesize
68KB

Download
memory/2916-17-0x0000000074260000-0x000000007494E000-memory.dmp

Filesize
6.9MB

Download
memory/2916-7-0x00000000009C0000-0x00000000009F0000-memory.dmp

Filesize
192KB

Download
memory/2916-0-0x00000000001C0000-0x0000000000286000-memory.dmp

Filesize
792KB

Download
memory/2916-6-0x0000000005880000-0x000000000591E000-memory.dmp

Filesize
632KB

Download
memory/2916-5-0x0000000005060000-0x00000000050A0000-memory.dmp

Filesize
256KB

Download
memory/2916-4-0x0000000074260000-0x000000007494E000-memory.dmp

Filesize
6.9MB

Download
memory/2916-3-0x00000000004E0000-0x00000000004F2000-memory.dmp

Filesize
72KB

Download
memory/2916-2-0x0000000005060000-0x00000000050A0000-memory.dmp

Filesize
256KB

Download
memory/2916-1-0x0000000074260000-0x000000007494E000-memory.dmp

Filesize
6.9MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads