Analysis

  • max time kernel
    137s
  • max time network
    145s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240226-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20240226-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    19-04-2024 04:06

General

  • Target

    f977d96c98335083d54f9b9b54fb0cd9_JaffaCakes118.exe

  • Size

    517KB

  • MD5

    f977d96c98335083d54f9b9b54fb0cd9

  • SHA1

    298da015025154518be5739918956b6b96b91090

  • SHA256

    9c9a99423087bdfd23df04a29984273ba056021ee54e815d2cd85103a9548eff

  • SHA512

    4a339d18aa36a149faecb1d6521008220f33a24177aa27ed4194ff73b57a920ab3b49ec3c2eda787325cad5a554c681fea2cf5603f37e1abaaada82cfc77768d

  • SSDEEP

    6144:7FLHgMkhBmA8L8z14cb5TrJbGAdRkx4wSsOXgMx7Dml3SjK:75SBYgWcJrJBdRkpOXk

Score
10/10

Malware Config

Extracted

Family

xloader

Version

2.5

Campaign

mexq

Decoy

cyebang.com

hcswwsz.com

50003008.com

yfly624.xyz

trungtamhohap.xyz

sotlbb.com

bizhan69.com

brandmty.net

fucibou.xyz

orderinformantmailer.store

nobleminers.com

divinevoid.com

quickappraisal.net

adventuretravelsworld.com

ashainitiativemp.com

ikkbs-a02.com

rd26x.com

goraeda.com

abbastanza.info

andypartridge.photography

Signatures

  • Xloader

    Xloader is a rebranded version of the Formbook infostealer.

  • Xloader payload 1 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 8 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 15 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\f977d96c98335083d54f9b9b54fb0cd9_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\f977d96c98335083d54f9b9b54fb0cd9_JaffaCakes118.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:4028
    • C:\Users\Admin\AppData\Local\Temp\f977d96c98335083d54f9b9b54fb0cd9_JaffaCakes118.exe
      "C:\Users\Admin\AppData\Local\Temp\f977d96c98335083d54f9b9b54fb0cd9_JaffaCakes118.exe"
      2⤵
      PID:2060
    • C:\Users\Admin\AppData\Local\Temp\f977d96c98335083d54f9b9b54fb0cd9_JaffaCakes118.exe
      "C:\Users\Admin\AppData\Local\Temp\f977d96c98335083d54f9b9b54fb0cd9_JaffaCakes118.exe"
      2⤵
      PID:3884
    • C:\Users\Admin\AppData\Local\Temp\f977d96c98335083d54f9b9b54fb0cd9_JaffaCakes118.exe
      "C:\Users\Admin\AppData\Local\Temp\f977d96c98335083d54f9b9b54fb0cd9_JaffaCakes118.exe"
      2⤵
      PID:2084
    • C:\Users\Admin\AppData\Local\Temp\f977d96c98335083d54f9b9b54fb0cd9_JaffaCakes118.exe
      "C:\Users\Admin\AppData\Local\Temp\f977d96c98335083d54f9b9b54fb0cd9_JaffaCakes118.exe"
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      PID:4284
  • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=4160 --field-trial-handle=3084,i,4016110471176367543,14287608422419064331,262144 --variations-seed-version /prefetch:8
    1⤵
    PID:3804
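The process tree above is the behavioural core of this report: the first instance (PID 4028) shows SetThreadContext and WriteProcessMemory, then launches four copies of its own image, of which only PID 4284 goes on to show behaviour of its own. That pairing (a parent writing into, and resetting the thread context of, a suspended copy of itself) is the classic process-hollowing pattern, and the surviving child is where the unpacked payload is expected to live. The following script is an added example, not part of the sandbox's own tooling: it parses the Processes block exactly as it is laid out on this page (bullet for the image path, a quoted command line, an `N⤵` depth marker, signature bullets, then `PID:N`), rebuilds the tree from the depth markers, and reports every parent that carries both injection signatures and spawns children of its own image, separating the children that showed further behaviour from the ones that did not. The embedded REPORT text is a constructed copy of the block above with the msedge.exe command line cut to its first switch; the self-injection heuristic is the author's, not a sandbox rule.

```python
import re
from dataclasses import dataclass, field
from typing import List, Tuple

# Constructed input: the Processes block of this report, copied as the page lists it
# (the msedge.exe command line is cut to its first switch to keep the sample short).
REPORT = r"""
• C:\Users\Admin\AppData\Local\Temp\f977d96c98335083d54f9b9b54fb0cd9_JaffaCakes118.exe
  "C:\Users\Admin\AppData\Local\Temp\f977d96c98335083d54f9b9b54fb0cd9_JaffaCakes118.exe"
  1⤵
  • Suspicious use of SetThreadContext
  • Suspicious behavior: EnumeratesProcesses
  • Suspicious use of AdjustPrivilegeToken
  • Suspicious use of WriteProcessMemory
  PID:4028
  • C:\Users\Admin\AppData\Local\Temp\f977d96c98335083d54f9b9b54fb0cd9_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\f977d96c98335083d54f9b9b54fb0cd9_JaffaCakes118.exe"
    2⤵
    PID:2060
  • C:\Users\Admin\AppData\Local\Temp\f977d96c98335083d54f9b9b54fb0cd9_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\f977d96c98335083d54f9b9b54fb0cd9_JaffaCakes118.exe"
    2⤵
    PID:3884
  • C:\Users\Admin\AppData\Local\Temp\f977d96c98335083d54f9b9b54fb0cd9_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\f977d96c98335083d54f9b9b54fb0cd9_JaffaCakes118.exe"
    2⤵
    PID:2084
  • C:\Users\Admin\AppData\Local\Temp\f977d96c98335083d54f9b9b54fb0cd9_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\f977d96c98335083d54f9b9b54fb0cd9_JaffaCakes118.exe"
    2⤵
    • Suspicious behavior: EnumeratesProcesses
    PID:4284
• C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility
  1⤵
  PID:3804
"""

# Signature fragments that together indicate a write-then-redirect into another process.
INJECTION_SIGS = ("SetThreadContext", "WriteProcessMemory")


@dataclass
class Proc:
    image: str
    depth: int = 0
    pid: int = 0
    signatures: List[str] = field(default_factory=list)


def parse_processes(text: str) -> List[Proc]:
    """Turn the report's indented Processes block into a flat, ordered list of Proc.
    A bullet whose body starts with a drive letter opens a new process entry; any
    other bullet is a signature hit for the current entry; 'N⤵' sets the tree depth;
    'PID:N' closes the entry. Quoted command lines are not bullets and are skipped."""
    procs: List[Proc] = []
    cur = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("• "):
            body = line[2:]
            if re.match(r"^[A-Za-z]:\\", body):
                cur = Proc(image=body)
                procs.append(cur)
            elif cur is not None:
                cur.signatures.append(body)
        elif cur is not None:
            m = re.fullmatch(r"(\d+)⤵", line)
            if m:
                cur.depth = int(m.group(1))
                continue
            m = re.fullmatch(r"PID:(\d+)", line)
            if m:
                cur.pid = int(m.group(1))
    return procs


def find_self_injection(procs: List[Proc]) -> List[Tuple[int, List[int], List[int]]]:
    """For every process carrying both INJECTION_SIGS, collect its direct children
    that run the same image. Returns (parent_pid, all_child_pids, child_pids_with_
    their_own_signatures); the last list is where to look for the hollowed payload."""
    findings = []
    for i, p in enumerate(procs):
        if not all(any(s in sig for sig in p.signatures) for s in INJECTION_SIGS):
            continue
        children = []
        for q in procs[i + 1:]:
            if q.depth <= p.depth:          # left this parent's subtree
                break
            if q.depth == p.depth + 1 and q.image.lower() == p.image.lower():
                children.append(q)
        if children:
            findings.append((p.pid, [c.pid for c in children],
                             [c.pid for c in children if c.signatures]))
    return findings


if __name__ == "__main__":
    for parent, kids, live in find_self_injection(parse_processes(REPORT)):
        print(f"parent {parent} spawned copies of itself {kids}; behaviour seen in {live}")
```

Run on the block above it reports `parent 4028 spawned copies of itself [2060, 3884, 2084, 4284]; behaviour seen in [4284]`. Children that show no further behaviour are typically hollowed attempts that were abandoned or never resumed; the one that keeps running is the process whose memory dumps deserve attention first.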

Network

MITRE ATT&CK Matrix

Downloads

  • memory/4028-6-0x0000000005330000-0x000000000533A000-memory.dmp
    Filesize: 40KB
  • memory/4028-0-0x0000000074CB0000-0x0000000075460000-memory.dmp
    Filesize: 7.7MB
  • memory/4028-2-0x0000000005780000-0x0000000005D24000-memory.dmp
    Filesize: 5.6MB
  • memory/4028-3-0x0000000005090000-0x0000000005122000-memory.dmp
    Filesize: 584KB
  • memory/4028-4-0x00000000053B0000-0x00000000053C0000-memory.dmp
    Filesize: 64KB
  • memory/4028-5-0x0000000005050000-0x000000000505A000-memory.dmp
    Filesize: 40KB
  • memory/4028-1-0x0000000000610000-0x0000000000696000-memory.dmp
    Filesize: 536KB
  • memory/4028-7-0x0000000074CB0000-0x0000000075460000-memory.dmp
    Filesize: 7.7MB
  • memory/4028-10-0x00000000060C0000-0x0000000006112000-memory.dmp
    Filesize: 328KB
  • memory/4028-9-0x0000000005ED0000-0x0000000005F6C000-memory.dmp
    Filesize: 624KB
  • memory/4028-8-0x00000000053B0000-0x00000000053C0000-memory.dmp
    Filesize: 64KB
  • memory/4028-14-0x0000000074CB0000-0x0000000075460000-memory.dmp
    Filesize: 7.7MB
  • memory/4284-13-0x0000000001510000-0x000000000185A000-memory.dmp
    Filesize: 3.3MB
  • memory/4284-11-0x0000000000400000-0x0000000000429000-memory.dmp
    Filesize: 164KB
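The dump names above encode everything needed to triage them without opening a single file: `memory/<pid>-<index>-0x<start>-0x<end>-memory.dmp`, so the region size is simply `end - start` and must agree with the Filesize shown. The script below is an added example, not the sandbox's own code: it parses those names, reproduces the report's size column (the KB/MB rendering is inferred from the values listed, so treat it as an assumption), groups dumps that cover the same range more than once (the 0x74CB0000 range of PID 4028 was captured three times and the 0x53B0000 range twice), and flags the dump a practitioner would open first. That last step is a heuristic of the author's rather than a sandbox rule: a region starting at 0x400000, the default image base of a 32-bit PE, in a process other than the submitted sample's own PID is the usual location of an unpacked payload inside a hollowed child, which here points at `memory/4284-11-...`.

```python
import re
from typing import Dict, List, Tuple

# Constructed input: the dump names listed under Downloads above, in page order.
DUMPS = [
    "memory/4028-6-0x0000000005330000-0x000000000533A000-memory.dmp",
    "memory/4028-0-0x0000000074CB0000-0x0000000075460000-memory.dmp",
    "memory/4028-2-0x0000000005780000-0x0000000005D24000-memory.dmp",
    "memory/4028-3-0x0000000005090000-0x0000000005122000-memory.dmp",
    "memory/4028-4-0x00000000053B0000-0x00000000053C0000-memory.dmp",
    "memory/4028-5-0x0000000005050000-0x000000000505A000-memory.dmp",
    "memory/4028-1-0x0000000000610000-0x0000000000696000-memory.dmp",
    "memory/4028-7-0x0000000074CB0000-0x0000000075460000-memory.dmp",
    "memory/4028-10-0x00000000060C0000-0x0000000006112000-memory.dmp",
    "memory/4028-9-0x0000000005ED0000-0x0000000005F6C000-memory.dmp",
    "memory/4028-8-0x00000000053B0000-0x00000000053C0000-memory.dmp",
    "memory/4028-14-0x0000000074CB0000-0x0000000075460000-memory.dmp",
    "memory/4284-13-0x0000000001510000-0x000000000185A000-memory.dmp",
    "memory/4284-11-0x0000000000400000-0x0000000000429000-memory.dmp",
]
INITIAL_PID = 4028  # the submitted sample's first process, from the Processes tree

DUMP_RE = re.compile(
    r"^memory/(\d+)-(\d+)-0x([0-9A-Fa-f]+)-0x([0-9A-Fa-f]+)-memory\.dmp$")


def parse_dump_name(name: str) -> Tuple[int, int, int, int]:
    """Split 'memory/<pid>-<index>-0x<start>-0x<end>-memory.dmp' into
    (pid, index, start, end) with the addresses as integers."""
    m = DUMP_RE.match(name)
    if not m:
        raise ValueError(f"not a sandbox dump name: {name}")
    pid, idx, start, end = m.groups()
    return int(pid), int(idx), int(start, 16), int(end, 16)


def region_size(name: str) -> int:
    """Byte length of the dumped region, which the report shows as Filesize."""
    _, _, start, end = parse_dump_name(name)
    return end - start


def human_size(n: int) -> str:
    """Render bytes the way the report's Filesize column does: whole KB below
    1 MB, one-decimal MB at or above it. Assumption inferred from the listed values."""
    if n >= 1 << 20:
        return f"{n / (1 << 20):.1f}MB"
    return f"{n // 1024}KB"


def repeated_regions(names: List[str]) -> Dict[Tuple[int, int, int], List[str]]:
    """Group dumps covering the same (pid, start, end) range; only ranges captured
    more than once are returned, so repeat captures can be diffed rather than re-read."""
    groups: Dict[Tuple[int, int, int], List[str]] = {}
    for name in names:
        pid, _, start, end = parse_dump_name(name)
        groups.setdefault((pid, start, end), []).append(name)
    return {k: v for k, v in groups.items() if len(v) > 1}


def suspect_payload_regions(names: List[str], initial_pid: int) -> List[Tuple[int, str, int]]:
    """Heuristic (author's assumption, not a sandbox rule): a dump from a process
    other than the sample's own PID whose region starts at 0x400000, the default
    32-bit PE image base, is the likely home of the unpacked payload in a hollowed
    child. Returns (pid, dump name, size) for each such dump."""
    hits = []
    for name in names:
        pid, _, start, end = parse_dump_name(name)
        if pid != initial_pid and start == 0x400000:
            hits.append((pid, name, end - start))
    return hits


if __name__ == "__main__":
    for name in DUMPS:
        print(f"{name}  {human_size(region_size(name))}")
    for key, names in repeated_regions(DUMPS).items():
        print(f"pid {key[0]} range 0x{key[1]:X}-0x{key[2]:X} dumped {len(names)} times")
    for pid, name, size in suspect_payload_regions(DUMPS, INITIAL_PID):
        print(f"open first: {name} (pid {pid}, {human_size(size)})")
```

The size check is worth keeping in any dump-handling script: a name whose computed length disagrees with the listed Filesize means the file was truncated or the naming convention changed, and either case invalidates offsets you would otherwise carve from it.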