xloader | debc44004d1383a588955e4f11ee66089b302bf041d127470927206642ed35ad

General

Target

f62df66e02f1a6d000acd5bd02eba7c4_JaffaCakes118.exe
Size

539KB
MD5

f62df66e02f1a6d000acd5bd02eba7c4
SHA1

20bb7c20bbff390a88da1e88942110459f3be3f3
SHA256

debc44004d1383a588955e4f11ee66089b302bf041d127470927206642ed35ad
SHA512

b17d0bbd97b91fc2c0fc0268d4a0a52570cb70515d1dae8fc697fb531a45b5dbd8c50711ebc05fe7cfb5d2bf81dbe4cc0e58e0603f55883eca42d586d845824d
SSDEEP

12288:Avp+gczyhNSvRbBQHR4qz91hI0zSaNsvz+yuWDVId21NaI+E8tyvX9xhobZfoNdb:FWfUdl1y6slERzzuFAn

Score

10^/10

xloader m8uk loader rat

Malware Config

Extracted

Family

xloader

Version

2.3

Campaign

m8uk

Decoy

corona-mid.com

diatomitetk.com

douyinlanv.info

shaloodeh-bana-ofogh.com

maggierosscats.com

homemadeearring.com

thanhnepgiay.net

orphanscode.net

betterchariot.com

sexforty.com

ceoclubnepal.com

messinacon.com

zaracollections.com

sportsonedeals.com

pooksapotheca.com

android-trust.com

thefilipinoairfryercookbook.com

winouwin.net

theurbanpreserve.com

rbmworld.com

Signatures

Xloader
Xloader is a rebranded version of Formbook malware.
loader xloader

Xloader payload 4 IoCs

rat

resource	yara_rule
behavioral2/memory/2308-10-0x0000000000400000-0x0000000000428000-memory.dmp	xloader
behavioral2/memory/2308-15-0x0000000000400000-0x0000000000428000-memory.dmp	xloader
behavioral2/memory/2996-20-0x0000000000D70000-0x0000000000D98000-memory.dmp	xloader
behavioral2/memory/2996-22-0x0000000000D70000-0x0000000000D98000-memory.dmp	xloader

Suspicious use of SetThreadContext 3 IoCs

description	pid	Process	procid_target
PID 2092 set thread context of 2308	2092	f62df66e02f1a6d000acd5bd02eba7c4_JaffaCakes118.exe	101
PID 2308 set thread context of 3532	2308	RegSvcs.exe	57
PID 2996 set thread context of 3532	2996	chkdsk.exe	57

Enumerates system info in registry 2 TTPs 1 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier	chkdsk.exe

Suspicious behavior: EnumeratesProcesses 45 IoCs

pid	Process
2092	f62df66e02f1a6d000acd5bd02eba7c4_JaffaCakes118.exe
2092	f62df66e02f1a6d000acd5bd02eba7c4_JaffaCakes118.exe
2092	f62df66e02f1a6d000acd5bd02eba7c4_JaffaCakes118.exe
2308	RegSvcs.exe
2308	RegSvcs.exe
2308	RegSvcs.exe
2308	RegSvcs.exe
2996	chkdsk.exe
2996	chkdsk.exe
2996	chkdsk.exe
2996	chkdsk.exe
2996	chkdsk.exe
2996	chkdsk.exe
2996	chkdsk.exe
2996	chkdsk.exe
2996	chkdsk.exe
2996	chkdsk.exe
2996	chkdsk.exe
2996	chkdsk.exe
2996	chkdsk.exe
2996	chkdsk.exe
2996	chkdsk.exe
2996	chkdsk.exe
2996	chkdsk.exe
2996	chkdsk.exe
2996	chkdsk.exe
2996	chkdsk.exe
2996	chkdsk.exe
2996	chkdsk.exe
2996	chkdsk.exe
2996	chkdsk.exe
2996	chkdsk.exe
2996	chkdsk.exe
2996	chkdsk.exe
2996	chkdsk.exe
2996	chkdsk.exe
2996	chkdsk.exe
2996	chkdsk.exe
2996	chkdsk.exe
2996	chkdsk.exe
2996	chkdsk.exe
2996	chkdsk.exe
2996	chkdsk.exe
2996	chkdsk.exe
2996	chkdsk.exe

Suspicious behavior: MapViewOfSection 5 IoCs

pid	Process
2308	RegSvcs.exe
2308	RegSvcs.exe
2308	RegSvcs.exe
2996	chkdsk.exe
2996	chkdsk.exe

Suspicious use of AdjustPrivilegeToken 5 IoCs

description	pid	Process
Token: SeDebugPrivilege	2092	f62df66e02f1a6d000acd5bd02eba7c4_JaffaCakes118.exe
Token: SeDebugPrivilege	2308	RegSvcs.exe
Token: SeDebugPrivilege	2996	chkdsk.exe
Token: SeShutdownPrivilege	3532	Explorer.EXE
Token: SeCreatePagefilePrivilege	3532	Explorer.EXE

Suspicious use of WriteProcessMemory 15 IoCs

description	pid	Process	procid_target
PID 2092 wrote to memory of 2340	2092	f62df66e02f1a6d000acd5bd02eba7c4_JaffaCakes118.exe	100
PID 2092 wrote to memory of 2340	2092	f62df66e02f1a6d000acd5bd02eba7c4_JaffaCakes118.exe	100
PID 2092 wrote to memory of 2340	2092	f62df66e02f1a6d000acd5bd02eba7c4_JaffaCakes118.exe	100
PID 2092 wrote to memory of 2308	2092	f62df66e02f1a6d000acd5bd02eba7c4_JaffaCakes118.exe	101
PID 2092 wrote to memory of 2308	2092	f62df66e02f1a6d000acd5bd02eba7c4_JaffaCakes118.exe	101
PID 2092 wrote to memory of 2308	2092	f62df66e02f1a6d000acd5bd02eba7c4_JaffaCakes118.exe	101
PID 2092 wrote to memory of 2308	2092	f62df66e02f1a6d000acd5bd02eba7c4_JaffaCakes118.exe	101
PID 2092 wrote to memory of 2308	2092	f62df66e02f1a6d000acd5bd02eba7c4_JaffaCakes118.exe	101
PID 2092 wrote to memory of 2308	2092	f62df66e02f1a6d000acd5bd02eba7c4_JaffaCakes118.exe	101
PID 3532 wrote to memory of 2996	3532	Explorer.EXE	102
PID 3532 wrote to memory of 2996	3532	Explorer.EXE	102
PID 3532 wrote to memory of 2996	3532	Explorer.EXE	102
PID 2996 wrote to memory of 1052	2996	chkdsk.exe	103
PID 2996 wrote to memory of 1052	2996	chkdsk.exe	103
PID 2996 wrote to memory of 1052	2996	chkdsk.exe	103

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3532
- C:\Users\Admin\AppData\Local\Temp\f62df66e02f1a6d000acd5bd02eba7c4_JaffaCakes118.exe
  "C:\Users\Admin\AppData\Local\Temp\f62df66e02f1a6d000acd5bd02eba7c4_JaffaCakes118.exe"
  2⤵
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2092
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
    "{path}"
    3⤵
    PID:2340
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
    "{path}"
    3⤵
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of AdjustPrivilegeToken
    PID:2308
- C:\Windows\SysWOW64\chkdsk.exe
  "C:\Windows\SysWOW64\chkdsk.exe"
  2⤵
  - Suspicious use of SetThreadContext
  - Enumerates system info in registry
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2996
- - C:\Windows\SysWOW64\cmd.exe
    /c del "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
    3⤵
    PID:1052

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/2092-12-0x0000000074960000-0x0000000075110000-memory.dmp

Filesize
7.7MB

Download
memory/2092-1-0x0000000074960000-0x0000000075110000-memory.dmp

Filesize
7.7MB

Download
memory/2092-2-0x0000000005890000-0x00000000058A0000-memory.dmp

Filesize
64KB

Download
memory/2092-3-0x0000000005700000-0x0000000005708000-memory.dmp

Filesize
32KB

Download
memory/2092-4-0x0000000005940000-0x00000000059D2000-memory.dmp

Filesize
584KB

Download
memory/2092-5-0x00000000059E0000-0x0000000005A7C000-memory.dmp

Filesize
624KB

Download
memory/2092-6-0x0000000074960000-0x0000000075110000-memory.dmp

Filesize
7.7MB

Download
memory/2092-7-0x0000000005890000-0x00000000058A0000-memory.dmp

Filesize
64KB

Download
memory/2092-8-0x00000000062E0000-0x0000000006372000-memory.dmp

Filesize
584KB

Download
memory/2092-9-0x00000000061E0000-0x0000000006224000-memory.dmp

Filesize
272KB

Download
memory/2092-0-0x0000000000D10000-0x0000000000D9C000-memory.dmp

Filesize
560KB

Download
memory/2308-13-0x0000000001130000-0x000000000147A000-memory.dmp

Filesize
3.3MB

Download
memory/2308-10-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/2308-15-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/2308-16-0x0000000001040000-0x0000000001050000-memory.dmp

Filesize
64KB

Download
memory/2996-24-0x00000000015D0000-0x000000000165F000-memory.dmp

Filesize
572KB

Download
memory/2996-18-0x0000000000610000-0x000000000061A000-memory.dmp

Filesize
40KB

Download
memory/2996-19-0x0000000000610000-0x000000000061A000-memory.dmp

Filesize
40KB

Download
memory/2996-20-0x0000000000D70000-0x0000000000D98000-memory.dmp

Filesize
160KB

Download
memory/2996-21-0x0000000001790000-0x0000000001ADA000-memory.dmp

Filesize
3.3MB

Download
memory/2996-22-0x0000000000D70000-0x0000000000D98000-memory.dmp

Filesize
160KB

Download
memory/3532-17-0x0000000008F60000-0x00000000090FB000-memory.dmp

Filesize
1.6MB

Download
memory/3532-27-0x0000000009100000-0x0000000009269000-memory.dmp

Filesize
1.4MB

Download
memory/3532-28-0x0000000009100000-0x0000000009269000-memory.dmp

Filesize
1.4MB

Download
memory/3532-31-0x0000000009100000-0x0000000009269000-memory.dmp

Filesize
1.4MB

Download

Analysis

Sharing