Overview

overview

10

Static

static

3

fdb8b9c805...18.exe

windows7-x64

10

fdb8b9c805...18.exe

windows10-2004-x64

3

Analysis

  • max time kernel
    121s
  • max time network
    123s
  • platform
    windows7_x64
  • resource
    win7-20240215-en
  • resource tags

    arch:x64arch:x86image:win7-20240215-enlocale:en-usos:windows7-x64system
  • submitted
    20-04-2024 21:48

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    fdb8b9c8056a552461e493d3f1b4b2d8_JaffaCakes118.exe

  • Size

    253KB

  • MD5

    fdb8b9c8056a552461e493d3f1b4b2d8

  • SHA1

    87ea5998b4f6831c99bdce8cd48d3c238833d2c7

  • SHA256

    e33f9dbf56b2850d44ff3f6dff7b0631abbc52836b97cc41c4e4907538ed749a

  • SHA512

    59217111d51a555867dac4df8e3e609706d671d1802f8c70daad3f913965dcb10cca6d878a3963e1aff7527628c7392de6b95fbf72564227a1d0b8ddea99a1b9

  • SSDEEP

    6144:bd53TvpHeIl0SQCoocCvKrcIxJYAsXfpuUVbbNGw411hwpXHRqjoEt60R0bAM:bd53TvpHeIl0SVoA83YAAuUV/AHhQgPu

Score
10/10
xloaderum8eloaderrat

Malware Config

Extracted

Family

xloader

Version

2.3

Campaign

um8e

Decoy

theypretend.com

hopeschildren.com

kuly.cloud

maniflexx.net

bedtimesocietyblog.com

spenglerwetlandpreserve.com

unity-play.net

bonap56.com

consciencevc.com

deluxeluxe.com

officialjuliep.com

cttrade.club

quietflyt.com

mcabspl.com

lippocaritahotel.com

tolanfilms.xyz

momenaagro.com

slingshotart.com

thefoundershuddle.com

mobilbaris.com

Signatures

  • Xloader

    Xloader is a rebranded version of Formbook malware.

    loaderxloader
  • Xloader payload 1 IoCs
    rat
  • Suspicious use of SetThreadContext 1 IoCs
  • Program crash 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 1 IoCs
  • Suspicious behavior: MapViewOfSection 1 IoCs
  • Suspicious use of WriteProcessMemory 9 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\fdb8b9c8056a552461e493d3f1b4b2d8_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\fdb8b9c8056a552461e493d3f1b4b2d8_JaffaCakes118.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • Suspicious behavior: MapViewOfSection
    • Suspicious use of WriteProcessMemory
    PID:1952
    • C:\Users\Admin\AppData\Local\Temp\fdb8b9c8056a552461e493d3f1b4b2d8_JaffaCakes118.exe
      "C:\Users\Admin\AppData\Local\Temp\fdb8b9c8056a552461e493d3f1b4b2d8_JaffaCakes118.exe"
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      PID:2484
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 1952 -s 140
      2⤵
      • Program crash
      PID:2844

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

  • memory/1952-1-0x0000000000090000-0x0000000000190000-memory.dmp
    Filesize

    1024KB

    Download
  • memory/1952-2-0x0000000000260000-0x0000000000262000-memory.dmp
    Filesize

    8KB

    Download
  • memory/2484-3-0x0000000000400000-0x0000000000428000-memory.dmp
    Filesize

    160KB

    Download
  • memory/2484-6-0x00000000006E0000-0x00000000009E3000-memory.dmp
    Filesize

    3.0MB

    Download