Overview

overview

10

Static

static

3

f57bb0fe02...18.exe

windows7-x64

10

f57bb0fe02...18.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    120s
  • max time network
    120s
  • platform
    windows7_x64
  • resource
    win7-20240221-en
  • resource tags

    arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
  • submitted
    17-04-2024 09:40

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    f57bb0fe028ef8153ef5f35f49bc4814_JaffaCakes118.exe

  • Size

    704KB

  • MD5

    f57bb0fe028ef8153ef5f35f49bc4814

  • SHA1

    6097194ce764014cbc95fe96a1b4e2acccd33ab4

  • SHA256

    f6f805093e3fcd072baf272acaa57da57ac20f7e686414a866e215817f4062e8

  • SHA512

    30e2cbdf3628808c5425607bff5abe3888fc4925dd062a3b711ecf45e4424fc1f977ae5336d31c8209e2c979fffca71285643e7a1c3954ee403816fb643163de

  • SSDEEP

    12288:QhJPU97PU9mso3htgYHOsBgo0q4wMsKwgPW1jPFmkxMeFk3orpXd7mPnjC6dvbWC:QhdYHOsBgo0q4wMsTgORgCMEmSXd7mmh

Score
10/10
xloaderp086loaderrat

Malware Config

Extracted

Family

xloader

Version

2.3

Campaign

p086

Decoy

jinshichain.com

worldpettraveler.com

hightecforpc.com

kj97fm.com

streetnewstv.com

webrew.club

wheretogodubai.com

apostapolitica.net

thecafy.com

vinelosangeles.com

gashinc.com

gutitout.net

bvd-invest.com

realtoroutdesk.com

lawnbowlstournaments.net

nobodyisillegal.com

abogadoorihuela.net

sanistela.com

jksecurityworld.com

peppermintproject.com

Signatures

  • Xloader

    Xloader is a rebranded version of Formbook malware.

    loaderxloader
  • CustAttr .NET packer 1 IoCs

    Detects CustAttr .NET packer in memory.

  • Xloader payload 1 IoCs
    rat
  • Suspicious use of SetThreadContext 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 1 IoCs
  • Suspicious use of WriteProcessMemory 7 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\f57bb0fe028ef8153ef5f35f49bc4814_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\f57bb0fe028ef8153ef5f35f49bc4814_JaffaCakes118.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • Suspicious use of WriteProcessMemory
    PID:2220
    • C:\Users\Admin\AppData\Local\Temp\f57bb0fe028ef8153ef5f35f49bc4814_JaffaCakes118.exe
      "C:\Users\Admin\AppData\Local\Temp\f57bb0fe028ef8153ef5f35f49bc4814_JaffaCakes118.exe"
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      PID:2360

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

  • memory/2220-6-0x0000000004BF0000-0x0000000004C6C000-memory.dmp
    Filesize

    496KB

    Download
  • memory/2220-0-0x0000000001370000-0x0000000001426000-memory.dmp
    Filesize

    728KB

    Download
  • memory/2220-2-0x0000000004CD0000-0x0000000004D10000-memory.dmp
    Filesize

    256KB

    Download
  • memory/2220-3-0x0000000000350000-0x0000000000362000-memory.dmp
    Filesize

    72KB

    Download
  • memory/2220-4-0x0000000074180000-0x000000007486E000-memory.dmp
    Filesize

    6.9MB

    Download
  • memory/2220-5-0x0000000004CD0000-0x0000000004D10000-memory.dmp
    Filesize

    256KB

    Download
  • memory/2220-1-0x0000000074180000-0x000000007486E000-memory.dmp
    Filesize

    6.9MB

    Download
  • memory/2220-7-0x0000000000D20000-0x0000000000D54000-memory.dmp
    Filesize

    208KB

    Download
  • memory/2220-15-0x0000000074180000-0x000000007486E000-memory.dmp
    Filesize

    6.9MB

    Download
  • memory/2360-10-0x0000000000400000-0x0000000000428000-memory.dmp
    Filesize

    160KB

    Download
  • memory/2360-8-0x0000000000400000-0x0000000000428000-memory.dmp
    Filesize

    160KB

    Download
  • memory/2360-14-0x0000000000400000-0x0000000000428000-memory.dmp
    Filesize

    160KB

    Download
  • memory/2360-12-0x000000007EFDE000-0x000000007EFDF000-memory.dmp
    Filesize

    4KB

    Download
  • memory/2360-16-0x0000000000840000-0x0000000000B43000-memory.dmp
    Filesize

    3.0MB

    Download