xloader | 090bc9b1aab3f3efacd0afb55b204001290e87aaf9ddd526e298877b0eb6f416

General

Target

f26c94499e75a2ef55d35ea0a0d2d66f_JaffaCakes118.exe
Size

763KB
MD5

f26c94499e75a2ef55d35ea0a0d2d66f
SHA1

cb863e15848e6665bf6e750de68acd1282e83941
SHA256

090bc9b1aab3f3efacd0afb55b204001290e87aaf9ddd526e298877b0eb6f416
SHA512

cb0060e64076197606b5d70bad4fdc49fcaf731a78e274d03df7e61c01b08b35efcc018e0d18bac31a15b170b3a9b35a5af67a269a21f742fa01534842cc619f
SSDEEP

12288:e5kvqoB4sZ/Bk6Nl0mN/FRk0bKB0XHEmedF6Hv4AnEzcJqLZ5yt:aXoBZZ/Bk6Nl0y/3k0bKB0XH6UHqNk

Score

10^/10

xloader n8ba loader rat

Malware Config

Extracted

Family

xloader

Version

2.3

Campaign

n8ba

Decoy

thefitflect.com

anytourist.com

blggz.xyz

ascope.club

obyeboss.com

braun-mathematik.online

mtsnurulislamsby.com

jwpropertiestn.com

animalds.com

cunerier.com

sillysocklife.com

shopliyonamaaghin.net

theredcymbalsco.com

lostbikeproject.com

ryggoqlmga.club

realestatetriggers.com

luvlauricephotography.com

cheesehome.cloud

5fashionfix.net

wata-6-rwem.net

Signatures

Xloader
Xloader is a rebranded version of Formbook malware.
loader xloader

Xloader payload 4 IoCs

rat

resource	yara_rule
behavioral2/memory/2768-17-0x0000000000400000-0x0000000000429000-memory.dmp	xloader
behavioral2/memory/2768-22-0x0000000000400000-0x0000000000429000-memory.dmp	xloader
behavioral2/memory/1404-27-0x0000000000350000-0x0000000000379000-memory.dmp	xloader
behavioral2/memory/1404-29-0x0000000000350000-0x0000000000379000-memory.dmp	xloader

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-259785868-298165991-4178590326-1000\Control Panel\International\Geo\Nation	f26c94499e75a2ef55d35ea0a0d2d66f_JaffaCakes118.exe

Suspicious use of SetThreadContext 3 IoCs

description	pid	Process	procid_target
PID 1344 set thread context of 2768	1344	f26c94499e75a2ef55d35ea0a0d2d66f_JaffaCakes118.exe	97
PID 2768 set thread context of 3512	2768	MSBuild.exe	56
PID 1404 set thread context of 3512	1404	colorcpl.exe	56

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

pid	Process
2836	schtasks.exe

Suspicious behavior: EnumeratesProcesses 45 IoCs

pid	Process
1344	f26c94499e75a2ef55d35ea0a0d2d66f_JaffaCakes118.exe
2768	MSBuild.exe
2768	MSBuild.exe
2768	MSBuild.exe
2768	MSBuild.exe
1404	colorcpl.exe
1404	colorcpl.exe
1404	colorcpl.exe
1404	colorcpl.exe
1404	colorcpl.exe
1404	colorcpl.exe
1404	colorcpl.exe
1404	colorcpl.exe
1404	colorcpl.exe
1404	colorcpl.exe
1404	colorcpl.exe
1404	colorcpl.exe
1404	colorcpl.exe
1404	colorcpl.exe
1404	colorcpl.exe
1404	colorcpl.exe
1404	colorcpl.exe
1404	colorcpl.exe
1404	colorcpl.exe
1404	colorcpl.exe
1404	colorcpl.exe
1404	colorcpl.exe
1404	colorcpl.exe
1404	colorcpl.exe
1404	colorcpl.exe
1404	colorcpl.exe
1404	colorcpl.exe
1404	colorcpl.exe
1404	colorcpl.exe
1404	colorcpl.exe
1404	colorcpl.exe
1404	colorcpl.exe
1404	colorcpl.exe
1404	colorcpl.exe
1404	colorcpl.exe
1404	colorcpl.exe
1404	colorcpl.exe
1404	colorcpl.exe
1404	colorcpl.exe
1404	colorcpl.exe

Suspicious behavior: MapViewOfSection 5 IoCs

pid	Process
2768	MSBuild.exe
2768	MSBuild.exe
2768	MSBuild.exe
1404	colorcpl.exe
1404	colorcpl.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	1344	f26c94499e75a2ef55d35ea0a0d2d66f_JaffaCakes118.exe
Token: SeDebugPrivilege	2768	MSBuild.exe
Token: SeDebugPrivilege	1404	colorcpl.exe

Suspicious use of UnmapMainImage 1 IoCs

pid	Process
3512	Explorer.EXE

Suspicious use of WriteProcessMemory 15 IoCs

description	pid	Process	procid_target
PID 1344 wrote to memory of 2836	1344	f26c94499e75a2ef55d35ea0a0d2d66f_JaffaCakes118.exe	95
PID 1344 wrote to memory of 2836	1344	f26c94499e75a2ef55d35ea0a0d2d66f_JaffaCakes118.exe	95
PID 1344 wrote to memory of 2836	1344	f26c94499e75a2ef55d35ea0a0d2d66f_JaffaCakes118.exe	95
PID 1344 wrote to memory of 2768	1344	f26c94499e75a2ef55d35ea0a0d2d66f_JaffaCakes118.exe	97
PID 1344 wrote to memory of 2768	1344	f26c94499e75a2ef55d35ea0a0d2d66f_JaffaCakes118.exe	97
PID 1344 wrote to memory of 2768	1344	f26c94499e75a2ef55d35ea0a0d2d66f_JaffaCakes118.exe	97
PID 1344 wrote to memory of 2768	1344	f26c94499e75a2ef55d35ea0a0d2d66f_JaffaCakes118.exe	97
PID 1344 wrote to memory of 2768	1344	f26c94499e75a2ef55d35ea0a0d2d66f_JaffaCakes118.exe	97
PID 1344 wrote to memory of 2768	1344	f26c94499e75a2ef55d35ea0a0d2d66f_JaffaCakes118.exe	97
PID 3512 wrote to memory of 1404	3512	Explorer.EXE	98
PID 3512 wrote to memory of 1404	3512	Explorer.EXE	98
PID 3512 wrote to memory of 1404	3512	Explorer.EXE	98
PID 1404 wrote to memory of 4312	1404	colorcpl.exe	99
PID 1404 wrote to memory of 4312	1404	colorcpl.exe	99
PID 1404 wrote to memory of 4312	1404	colorcpl.exe	99

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
PID:3512
- C:\Users\Admin\AppData\Local\Temp\f26c94499e75a2ef55d35ea0a0d2d66f_JaffaCakes118.exe
  "C:\Users\Admin\AppData\Local\Temp\f26c94499e75a2ef55d35ea0a0d2d66f_JaffaCakes118.exe"
  2⤵
  - Checks computer location settings
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1344
- - C:\Windows\SysWOW64\schtasks.exe
    "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\vKuEoqencJkh" /XML "C:\Users\Admin\AppData\Local\Temp\tmp4978.tmp"
    3⤵
    - Creates scheduled task(s)
    PID:2836
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
    3⤵
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of AdjustPrivilegeToken
    PID:2768
- C:\Windows\SysWOW64\colorcpl.exe
  "C:\Windows\SysWOW64\colorcpl.exe"
  2⤵
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1404
- - C:\Windows\SysWOW64\cmd.exe
    /c del "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
    3⤵
    PID:4312

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

1

T1053

Persistence

Scheduled Task/Job

1

T1053

Privilege Escalation

Scheduled Task/Job

1

T1053

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmp4978.tmp

Filesize
1KB

MD5
192660335fc827a68e7bacab17b7dc20

SHA1
49a3d405135a37067fd199c8865cd755728f45f3

SHA256
8242455af82328d975f2f38ec519527f1ba6be1e6c9d259162107a6fbf84f1a2

SHA512
de9a08428d86ed2f930268026b60ce461a5bfaef9b5339f046e3188af2a2a81dda460a90632a07a4c9731dfb16a4fca73ca04609714743248972065020930f6e

Download Submit
memory/1344-19-0x00000000751D0000-0x0000000075980000-memory.dmp

Filesize
7.7MB

Download
memory/1344-3-0x0000000005430000-0x00000000054C2000-memory.dmp

Filesize
584KB

Download
memory/1344-2-0x0000000005940000-0x0000000005EE4000-memory.dmp

Filesize
5.6MB

Download
memory/1344-4-0x00000000054D0000-0x000000000556C000-memory.dmp

Filesize
624KB

Download
memory/1344-5-0x00000000056F0000-0x0000000005700000-memory.dmp

Filesize
64KB

Download
memory/1344-6-0x0000000002D90000-0x0000000002D9A000-memory.dmp

Filesize
40KB

Download
memory/1344-7-0x00000000058D0000-0x00000000058E2000-memory.dmp

Filesize
72KB

Download
memory/1344-8-0x00000000751D0000-0x0000000075980000-memory.dmp

Filesize
7.7MB

Download
memory/1344-9-0x00000000056F0000-0x0000000005700000-memory.dmp

Filesize
64KB

Download
memory/1344-10-0x0000000006D70000-0x0000000006E0E000-memory.dmp

Filesize
632KB

Download
memory/1344-11-0x0000000006A20000-0x0000000006A50000-memory.dmp

Filesize
192KB

Download
memory/1344-0-0x0000000000910000-0x00000000009D6000-memory.dmp

Filesize
792KB

Download
memory/1344-1-0x00000000751D0000-0x0000000075980000-memory.dmp

Filesize
7.7MB

Download
memory/1404-26-0x00000000009E0000-0x00000000009F9000-memory.dmp

Filesize
100KB

Download
memory/1404-30-0x0000000002380000-0x0000000002410000-memory.dmp

Filesize
576KB

Download
memory/1404-25-0x00000000009E0000-0x00000000009F9000-memory.dmp

Filesize
100KB

Download
memory/1404-29-0x0000000000350000-0x0000000000379000-memory.dmp

Filesize
164KB

Download
memory/1404-28-0x0000000002650000-0x000000000299A000-memory.dmp

Filesize
3.3MB

Download
memory/1404-27-0x0000000000350000-0x0000000000379000-memory.dmp

Filesize
164KB

Download
memory/2768-20-0x00000000012A0000-0x00000000015EA000-memory.dmp

Filesize
3.3MB

Download
memory/2768-23-0x0000000000FA0000-0x0000000000FB1000-memory.dmp

Filesize
68KB

Download
memory/2768-22-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2768-17-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/3512-34-0x0000000008D30000-0x0000000008EB2000-memory.dmp

Filesize
1.5MB

Download
memory/3512-24-0x0000000002FA0000-0x00000000030BE000-memory.dmp

Filesize
1.1MB

Download
memory/3512-32-0x0000000002FA0000-0x00000000030BE000-memory.dmp

Filesize
1.1MB

Download
memory/3512-38-0x0000000008D30000-0x0000000008EB2000-memory.dmp

Filesize
1.5MB

Download
memory/3512-35-0x0000000008D30000-0x0000000008EB2000-memory.dmp

Filesize
1.5MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads