xloader | 33b5454f7d305d2be3b59aef5cb73077820e63bb6f812358bd5f8a72c17cc5e6

General

Target

f3a7017cd3bd289fcf75769b73de473d_JaffaCakes118.exe
Size

837KB
MD5

f3a7017cd3bd289fcf75769b73de473d
SHA1

d6361efe1dcaf124118fc1315e081d698815b80f
SHA256

33b5454f7d305d2be3b59aef5cb73077820e63bb6f812358bd5f8a72c17cc5e6
SHA512

344a3d563fb14c1ceece19dde5e73c1bcba41e459f9308503af506cf3895364fe93e5b971d4bc43f302db461d60e7c032ba8f58d2c408cdfa22840d3e1044934
SSDEEP

12288:IYicjeYrA7Z/oR65AXwgFvuSSjImRQucjdhcSsBpnNZAuZcyFXTPp/pFc0b86XzU:IYooR6qg5Xm01BpjZcyFjB/pDBDpW

Score

10^/10

xloader adn9 loader rat

Malware Config

Extracted

Family

xloader

Version

2.3

Campaign

adn9

Decoy

suffrage19.com

desmareesmontantes.net

polishchuk-myroslava.com

compro-online.com

leadenhallstreettrustees.com

beixiyb.com

startlite.net

thewavelengthco.com

shop-sign-drive.com

angeliquestidhum.com

kaanins.com

reversemortgageloantexas.com

alveolo.net

everythingwholesalers.com

islacros.digital

bainrix.com

brittanyinbloom.com

zfezx08.com

yongqingfanhuali.com

gypsyjewelint.com

Signatures

Xloader
Xloader is a rebranded version of Formbook malware.
loader xloader

Xloader payload 1 IoCs

rat

Processes:

resource	yara_rule
behavioral1/memory/2928-12-0x0000000000400000-0x0000000000429000-memory.dmp	xloader

Suspicious use of SetThreadContext 1 IoCs

Processes:

f3a7017cd3bd289fcf75769b73de473d_JaffaCakes118.exe

description	pid	process	target process
PID 1420 set thread context of 2928	1420	f3a7017cd3bd289fcf75769b73de473d_JaffaCakes118.exe	f3a7017cd3bd289fcf75769b73de473d_JaffaCakes118.exe

Suspicious behavior: EnumeratesProcesses 3 IoCs

Processes:

f3a7017cd3bd289fcf75769b73de473d_JaffaCakes118.exef3a7017cd3bd289fcf75769b73de473d_JaffaCakes118.exe

pid	process
1420	f3a7017cd3bd289fcf75769b73de473d_JaffaCakes118.exe
1420	f3a7017cd3bd289fcf75769b73de473d_JaffaCakes118.exe
2928	f3a7017cd3bd289fcf75769b73de473d_JaffaCakes118.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

f3a7017cd3bd289fcf75769b73de473d_JaffaCakes118.exe

description pid process

Token: SeDebugPrivilege 1420 f3a7017cd3bd289fcf75769b73de473d_JaffaCakes118.exe

description	pid	process
Token: SeDebugPrivilege	1420	f3a7017cd3bd289fcf75769b73de473d_JaffaCakes118.exe

Suspicious use of WriteProcessMemory 11 IoCs

Processes:

f3a7017cd3bd289fcf75769b73de473d_JaffaCakes118.exe

description	pid	process	target process
PID 1420 wrote to memory of 2560	1420	f3a7017cd3bd289fcf75769b73de473d_JaffaCakes118.exe	f3a7017cd3bd289fcf75769b73de473d_JaffaCakes118.exe
PID 1420 wrote to memory of 2560	1420	f3a7017cd3bd289fcf75769b73de473d_JaffaCakes118.exe	f3a7017cd3bd289fcf75769b73de473d_JaffaCakes118.exe
PID 1420 wrote to memory of 2560	1420	f3a7017cd3bd289fcf75769b73de473d_JaffaCakes118.exe	f3a7017cd3bd289fcf75769b73de473d_JaffaCakes118.exe
PID 1420 wrote to memory of 2560	1420	f3a7017cd3bd289fcf75769b73de473d_JaffaCakes118.exe	f3a7017cd3bd289fcf75769b73de473d_JaffaCakes118.exe
PID 1420 wrote to memory of 2928	1420	f3a7017cd3bd289fcf75769b73de473d_JaffaCakes118.exe	f3a7017cd3bd289fcf75769b73de473d_JaffaCakes118.exe
PID 1420 wrote to memory of 2928	1420	f3a7017cd3bd289fcf75769b73de473d_JaffaCakes118.exe	f3a7017cd3bd289fcf75769b73de473d_JaffaCakes118.exe
PID 1420 wrote to memory of 2928	1420	f3a7017cd3bd289fcf75769b73de473d_JaffaCakes118.exe	f3a7017cd3bd289fcf75769b73de473d_JaffaCakes118.exe
PID 1420 wrote to memory of 2928	1420	f3a7017cd3bd289fcf75769b73de473d_JaffaCakes118.exe	f3a7017cd3bd289fcf75769b73de473d_JaffaCakes118.exe
PID 1420 wrote to memory of 2928	1420	f3a7017cd3bd289fcf75769b73de473d_JaffaCakes118.exe	f3a7017cd3bd289fcf75769b73de473d_JaffaCakes118.exe
PID 1420 wrote to memory of 2928	1420	f3a7017cd3bd289fcf75769b73de473d_JaffaCakes118.exe	f3a7017cd3bd289fcf75769b73de473d_JaffaCakes118.exe
PID 1420 wrote to memory of 2928	1420	f3a7017cd3bd289fcf75769b73de473d_JaffaCakes118.exe	f3a7017cd3bd289fcf75769b73de473d_JaffaCakes118.exe

C:\Users\Admin\AppData\Local\Temp\f3a7017cd3bd289fcf75769b73de473d_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\f3a7017cd3bd289fcf75769b73de473d_JaffaCakes118.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1420

C:\Users\Admin\AppData\Local\Temp\f3a7017cd3bd289fcf75769b73de473d_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\f3a7017cd3bd289fcf75769b73de473d_JaffaCakes118.exe"
2⤵
PID:2560

C:\Users\Admin\AppData\Local\Temp\f3a7017cd3bd289fcf75769b73de473d_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\f3a7017cd3bd289fcf75769b73de473d_JaffaCakes118.exe"
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:2928

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1420-6-0x0000000005760000-0x0000000005800000-memory.dmp

Filesize
640KB

Download
memory/1420-0-0x0000000000ED0000-0x0000000000FA8000-memory.dmp

Filesize
864KB

Download
memory/1420-2-0x0000000000DC0000-0x0000000000E00000-memory.dmp

Filesize
256KB

Download
memory/1420-3-0x0000000000910000-0x000000000092A000-memory.dmp

Filesize
104KB

Download
memory/1420-4-0x0000000074AE0000-0x00000000751CE000-memory.dmp

Filesize
6.9MB

Download
memory/1420-5-0x0000000000DC0000-0x0000000000E00000-memory.dmp

Filesize
256KB

Download
memory/1420-1-0x0000000074AE0000-0x00000000751CE000-memory.dmp

Filesize
6.9MB

Download
memory/1420-7-0x0000000000AE0000-0x0000000000B0E000-memory.dmp

Filesize
184KB

Download
memory/1420-13-0x0000000074AE0000-0x00000000751CE000-memory.dmp

Filesize
6.9MB

Download
memory/2928-9-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2928-8-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2928-12-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2928-14-0x0000000000A00000-0x0000000000D03000-memory.dmp

Filesize
3.0MB

Download
memory/2928-10-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads