xloader | debc44004d1383a588955e4f11ee66089b302bf041d127470927206642ed35ad

Analysis

max time kernel
118s
max time network
122s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
17-04-2024 16:20

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

f62df66e02f1a6d000acd5bd02eba7c4_JaffaCakes118.exe
Size

539KB
MD5

f62df66e02f1a6d000acd5bd02eba7c4
SHA1

20bb7c20bbff390a88da1e88942110459f3be3f3
SHA256

debc44004d1383a588955e4f11ee66089b302bf041d127470927206642ed35ad
SHA512

b17d0bbd97b91fc2c0fc0268d4a0a52570cb70515d1dae8fc697fb531a45b5dbd8c50711ebc05fe7cfb5d2bf81dbe4cc0e58e0603f55883eca42d586d845824d
SSDEEP

12288:Avp+gczyhNSvRbBQHR4qz91hI0zSaNsvz+yuWDVId21NaI+E8tyvX9xhobZfoNdb:FWfUdl1y6slERzzuFAn

Score

10^/10

xloader m8uk loader rat

Malware Config

Extracted

Family

xloader

Version

2.3

Campaign

m8uk

Decoy

corona-mid.com

diatomitetk.com

douyinlanv.info

shaloodeh-bana-ofogh.com

maggierosscats.com

homemadeearring.com

thanhnepgiay.net

orphanscode.net

betterchariot.com

sexforty.com

ceoclubnepal.com

messinacon.com

zaracollections.com

sportsonedeals.com

pooksapotheca.com

android-trust.com

thefilipinoairfryercookbook.com

winouwin.net

theurbanpreserve.com

rbmworld.com

Signatures

Xloader
Xloader is a rebranded version of Formbook malware.
loader xloader

Xloader payload 1 IoCs

rat

Processes:

resource	yara_rule
behavioral1/memory/2444-13-0x0000000000400000-0x0000000000428000-memory.dmp	xloader

Suspicious use of SetThreadContext 1 IoCs

Processes:

f62df66e02f1a6d000acd5bd02eba7c4_JaffaCakes118.exe

description pid process target process

PID 2128 set thread context of 2444 2128 f62df66e02f1a6d000acd5bd02eba7c4_JaffaCakes118.exe RegSvcs.exe
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

2472 2444 WerFault.exe RegSvcs.exe

description	pid	process	target process
PID 2128 set thread context of 2444	2128	f62df66e02f1a6d000acd5bd02eba7c4_JaffaCakes118.exe	RegSvcs.exe

pid	pid_target	process	target process
2472	2444	WerFault.exe	RegSvcs.exe

Suspicious use of WriteProcessMemory 14 IoCs

Processes:

f62df66e02f1a6d000acd5bd02eba7c4_JaffaCakes118.exeRegSvcs.exe

description	pid	process	target process
PID 2128 wrote to memory of 2444	2128	f62df66e02f1a6d000acd5bd02eba7c4_JaffaCakes118.exe	RegSvcs.exe
PID 2128 wrote to memory of 2444	2128	f62df66e02f1a6d000acd5bd02eba7c4_JaffaCakes118.exe	RegSvcs.exe
PID 2128 wrote to memory of 2444	2128	f62df66e02f1a6d000acd5bd02eba7c4_JaffaCakes118.exe	RegSvcs.exe
PID 2128 wrote to memory of 2444	2128	f62df66e02f1a6d000acd5bd02eba7c4_JaffaCakes118.exe	RegSvcs.exe
PID 2128 wrote to memory of 2444	2128	f62df66e02f1a6d000acd5bd02eba7c4_JaffaCakes118.exe	RegSvcs.exe
PID 2128 wrote to memory of 2444	2128	f62df66e02f1a6d000acd5bd02eba7c4_JaffaCakes118.exe	RegSvcs.exe
PID 2128 wrote to memory of 2444	2128	f62df66e02f1a6d000acd5bd02eba7c4_JaffaCakes118.exe	RegSvcs.exe
PID 2128 wrote to memory of 2444	2128	f62df66e02f1a6d000acd5bd02eba7c4_JaffaCakes118.exe	RegSvcs.exe
PID 2128 wrote to memory of 2444	2128	f62df66e02f1a6d000acd5bd02eba7c4_JaffaCakes118.exe	RegSvcs.exe
PID 2128 wrote to memory of 2444	2128	f62df66e02f1a6d000acd5bd02eba7c4_JaffaCakes118.exe	RegSvcs.exe
PID 2444 wrote to memory of 2472	2444	RegSvcs.exe	WerFault.exe
PID 2444 wrote to memory of 2472	2444	RegSvcs.exe	WerFault.exe
PID 2444 wrote to memory of 2472	2444	RegSvcs.exe	WerFault.exe
PID 2444 wrote to memory of 2472	2444	RegSvcs.exe	WerFault.exe

C:\Users\Admin\AppData\Local\Temp\f62df66e02f1a6d000acd5bd02eba7c4_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\f62df66e02f1a6d000acd5bd02eba7c4_JaffaCakes118.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:2128

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
"{path}"
2⤵
- Suspicious use of WriteProcessMemory
PID:2444

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2444 -s 36
3⤵
- Program crash
PID:2472

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/2128-6-0x00000000056A0000-0x0000000005732000-memory.dmp

Filesize
584KB

Download
memory/2128-1-0x0000000073E10000-0x00000000744FE000-memory.dmp

Filesize
6.9MB

Download
memory/2128-2-0x00000000046A0000-0x00000000046E0000-memory.dmp

Filesize
256KB

Download
memory/2128-3-0x0000000000410000-0x0000000000418000-memory.dmp

Filesize
32KB

Download
memory/2128-4-0x0000000073E10000-0x00000000744FE000-memory.dmp

Filesize
6.9MB

Download
memory/2128-5-0x00000000046A0000-0x00000000046E0000-memory.dmp

Filesize
256KB

Download
memory/2128-0-0x0000000000960000-0x00000000009EC000-memory.dmp

Filesize
560KB

Download
memory/2128-7-0x0000000004570000-0x00000000045B4000-memory.dmp

Filesize
272KB

Download
memory/2128-14-0x0000000073E10000-0x00000000744FE000-memory.dmp

Filesize
6.9MB

Download
memory/2444-8-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/2444-10-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/2444-11-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2444-13-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download