xloader | eaa038a0020fee7ddfe2919203f20f15ca1d7eb19d90b168cade93b5cf8d7f43

Analysis

max time kernel
121s
max time network
123s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
18-04-2024 15:04

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

f841c72b1c4cadc4c98903ad26a96a16_JaffaCakes118.exe
Size

281KB
MD5

f841c72b1c4cadc4c98903ad26a96a16
SHA1

06359aaf42a5ce60889ab7a93d8af7702b34630a
SHA256

eaa038a0020fee7ddfe2919203f20f15ca1d7eb19d90b168cade93b5cf8d7f43
SHA512

b80671d608aab3309567326b552a969245e448cd272e635a74abde9082d455e11f9d264928c61647d4b52b183c85425d3933fcffa4093b4453463e295f768f37
SSDEEP

6144:wBlL/cQMpuMEI8xf6S6s4SOTJoR6qMdayJ5rSFb1e7uuUI0vVLM:CeQMzEDxf6I8J3dTXuuUbI

Score

10^/10

xloader u9xn loader rat

Malware Config

Extracted

Family

xloader

Version

2.5

Campaign

u9xn

Decoy

lifeguardingcoursenearme.com

bolsaspapelcdmx.com

parsleypkllqu.xyz

68134.online

shopthatlookboutique.com

canlibahisportal.com

oligopoly.city

srchwithus.online

151motors.com

17yue.info

auntmarysnj.com

hanansalman.com

heyunshangcheng.info

doorslamersplus.com

sfcn-dng.com

highvizpeople.com

seoexpertinbangladesh.com

christinegagnonjewellery.com

artifactorie.biz

mre3.net

Signatures

Xloader
Xloader is a rebranded version of Formbook malware.
loader xloader

Xloader payload 1 IoCs

rat

resource	yara_rule
behavioral1/memory/2216-8-0x0000000000400000-0x0000000000429000-memory.dmp	xloader

Loads dropped DLL 1 IoCs

pid	Process
2796	f841c72b1c4cadc4c98903ad26a96a16_JaffaCakes118.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2796 set thread context of 2216	2796	f841c72b1c4cadc4c98903ad26a96a16_JaffaCakes118.exe	28

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
2216	f841c72b1c4cadc4c98903ad26a96a16_JaffaCakes118.exe

Suspicious use of WriteProcessMemory 7 IoCs

description	pid	Process	procid_target
PID 2796 wrote to memory of 2216	2796	f841c72b1c4cadc4c98903ad26a96a16_JaffaCakes118.exe	28
PID 2796 wrote to memory of 2216	2796	f841c72b1c4cadc4c98903ad26a96a16_JaffaCakes118.exe	28
PID 2796 wrote to memory of 2216	2796	f841c72b1c4cadc4c98903ad26a96a16_JaffaCakes118.exe	28
PID 2796 wrote to memory of 2216	2796	f841c72b1c4cadc4c98903ad26a96a16_JaffaCakes118.exe	28
PID 2796 wrote to memory of 2216	2796	f841c72b1c4cadc4c98903ad26a96a16_JaffaCakes118.exe	28
PID 2796 wrote to memory of 2216	2796	f841c72b1c4cadc4c98903ad26a96a16_JaffaCakes118.exe	28
PID 2796 wrote to memory of 2216	2796	f841c72b1c4cadc4c98903ad26a96a16_JaffaCakes118.exe	28

C:\Users\Admin\AppData\Local\Temp\f841c72b1c4cadc4c98903ad26a96a16_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\f841c72b1c4cadc4c98903ad26a96a16_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:2796
- C:\Users\Admin\AppData\Local\Temp\f841c72b1c4cadc4c98903ad26a96a16_JaffaCakes118.exe
  "C:\Users\Admin\AppData\Local\Temp\f841c72b1c4cadc4c98903ad26a96a16_JaffaCakes118.exe"
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2216

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Local\Temp\nso1621.tmp\xpbpx.dll

Filesize
104KB

MD5
4eb0e08649f542fd0e44bef7845956fc

SHA1
5fac196ee8af08f8f954f3086c0250a905986c02

SHA256
15ed84b6d171b6b6834aa6a39150b6165b2c83411929a8c6963b6e446df44ed1

SHA512
de809b359ccd7b65b41fd8320a16793c74ae1eecfee3f25d8a9943ca4d2cda675733794ec944e11d62fcd0f6ad9a0bfd7748e74841c68c6796255235b3d0b68f

Download Submit
memory/2216-8-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2216-11-0x0000000000830000-0x0000000000B33000-memory.dmp

Filesize
3.0MB

Download
memory/2216-12-0x0000000000830000-0x0000000000B33000-memory.dmp

Filesize
3.0MB

Download