Overview

overview

10

Static

static

3

fdbfac3db3...18.exe

windows7-x64

10

fdbfac3db3...18.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    147s
  • max time network
    122s
  • platform
    windows7_x64
  • resource
    win7-20240215-en
  • resource tags

    arch:x64arch:x86image:win7-20240215-enlocale:en-usos:windows7-x64system
  • submitted
    20-04-2024 22:04

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    fdbfac3db38e579f28f6a51e55e7b01b_JaffaCakes118.exe

  • Size

    831KB

  • MD5

    fdbfac3db38e579f28f6a51e55e7b01b

  • SHA1

    88e11b109d1f9e6e4be019561ab6429e4ad838ad

  • SHA256

    7854503f3fc57a985d64d1b24fe2517497f6ec23338156a25a77dc5c0e7c6e17

  • SHA512

    249af205b79510db4e10bcb3d8d0419af5a7005b6c66810e4d9221ba7bc44e600f1ed087d991a91b6eb70c85209e9770ad6051fe83b61a3a96f06ad58f4f352a

  • SSDEEP

    12288:Hbi3JClVEQxWpU/01Y2mVVZRDvlC2kZlxin119bua3lz:HbiiERpUM1Y2mhV3gAndbuK

Score
10/10
xloadern8baloaderrat

Malware Config

Extracted

Family

xloader

Version

2.3

Campaign

n8ba

Decoy

thefitflect.com

anytourist.com

blggz.xyz

ascope.club

obyeboss.com

braun-mathematik.online

mtsnurulislamsby.com

jwpropertiestn.com

animalds.com

cunerier.com

sillysocklife.com

shopliyonamaaghin.net

theredcymbalsco.com

lostbikeproject.com

ryggoqlmga.club

realestatetriggers.com

luvlauricephotography.com

cheesehome.cloud

5fashionfix.net

wata-6-rwem.net

Signatures

  • Xloader

    Xloader is a rebranded version of Formbook malware.

    loaderxloader
  • Xloader payload 5 IoCs
    rat
  • Suspicious use of SetThreadContext 4 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Creates scheduled task(s) 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistence
  • Suspicious behavior: EnumeratesProcesses 23 IoCs
  • Suspicious behavior: MapViewOfSection 6 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of WriteProcessMemory 25 IoCs

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:1256
    • C:\Users\Admin\AppData\Local\Temp\fdbfac3db38e579f28f6a51e55e7b01b_JaffaCakes118.exe
      "C:\Users\Admin\AppData\Local\Temp\fdbfac3db38e579f28f6a51e55e7b01b_JaffaCakes118.exe"
      2⤵
      • Suspicious use of SetThreadContext
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:2932
      • C:\Windows\SysWOW64\schtasks.exe
        "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\bsWPlgF" /XML "C:\Users\Admin\AppData\Local\Temp\tmpC3DB.tmp"
        3⤵
        • Creates scheduled task(s)
        PID:2724
      • C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
        3⤵
        • Suspicious use of SetThreadContext
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious behavior: MapViewOfSection
        • Suspicious use of AdjustPrivilegeToken
        PID:2804
    • C:\Windows\SysWOW64\wuapp.exe
      "C:\Windows\SysWOW64\wuapp.exe"
      2⤵
      • Suspicious use of SetThreadContext
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious behavior: MapViewOfSection
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:2816
      • C:\Windows\SysWOW64\cmd.exe
        /c del "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
        3⤵
          PID:2972

    Network

    MITRE ATT&CK Matrix ATT&CK v13

    Initial Access

    Execution

    Scheduled Task/Job

    1
    T1053

    Persistence

    Scheduled Task/Job

    1
    T1053

    Privilege Escalation

    Scheduled Task/Job

    1
    T1053

    Defense Evasion

    Credential Access

    Discovery

    System Information Discovery

    1
    T1082

    Lateral Movement

    Collection

    Exfiltration

    Command and Control

    Impact

    Resource Development

    Reconnaissance

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\Temp\tmpC3DB.tmp
      Filesize

      1KB

      MD5

      9ad32f8ffefe73fa5a32eefd498eaf96

      SHA1

      76a41d2cd609afad97cabcd803e69220570a3a8e

      SHA256

      f5fa79f3c773421e6edca47e1197b9249b756fef7b790dfbb642212e8f47cf64

      SHA512

      0e04d83ea9e66ecf88b2f0ede035d5b7f4f3214be348eb88e15628c36c7be0c580096e246b381cc0d9762e563157f5f4ae49a8acfe0e1ae27451a94a8e730fcd

      Download Submit
    • memory/1256-29-0x00000000076E0000-0x0000000007864000-memory.dmp
      Filesize

      1.5MB

      Download
    • memory/1256-24-0x00000000047A0000-0x0000000004851000-memory.dmp
      Filesize

      708KB

      Download
    • memory/1256-21-0x0000000003A20000-0x0000000003B20000-memory.dmp
      Filesize

      1024KB

      Download
    • memory/2804-19-0x0000000000B00000-0x0000000000E03000-memory.dmp
      Filesize

      3.0MB

      Download
    • memory/2804-22-0x0000000000400000-0x0000000000429000-memory.dmp
      Filesize

      164KB

      Download
    • memory/2804-28-0x0000000000370000-0x0000000000381000-memory.dmp
      Filesize

      68KB

      Download
    • memory/2804-27-0x0000000000400000-0x0000000000429000-memory.dmp
      Filesize

      164KB

      Download
    • memory/2804-23-0x0000000000130000-0x0000000000141000-memory.dmp
      Filesize

      68KB

      Download
    • memory/2804-13-0x0000000000400000-0x0000000000429000-memory.dmp
      Filesize

      164KB

      Download
    • memory/2804-14-0x0000000000400000-0x0000000000429000-memory.dmp
      Filesize

      164KB

      Download
    • memory/2804-15-0x000000007EFDE000-0x000000007EFDF000-memory.dmp
      Filesize

      4KB

      Download
    • memory/2804-17-0x0000000000400000-0x0000000000429000-memory.dmp
      Filesize

      164KB

      Download
    • memory/2816-30-0x0000000001090000-0x000000000109B000-memory.dmp
      Filesize

      44KB

      Download
    • memory/2816-36-0x0000000000450000-0x00000000004E0000-memory.dmp
      Filesize

      576KB

      Download
    • memory/2816-34-0x0000000000090000-0x00000000000B9000-memory.dmp
      Filesize

      164KB

      Download
    • memory/2816-33-0x0000000000B20000-0x0000000000E23000-memory.dmp
      Filesize

      3.0MB

      Download
    • memory/2816-32-0x0000000000090000-0x00000000000B9000-memory.dmp
      Filesize

      164KB

      Download
    • memory/2816-31-0x0000000001090000-0x000000000109B000-memory.dmp
      Filesize

      44KB

      Download
    • memory/2932-3-0x0000000000510000-0x0000000000528000-memory.dmp
      Filesize

      96KB

      Download
    • memory/2932-6-0x0000000005780000-0x0000000005826000-memory.dmp
      Filesize

      664KB

      Download
    • memory/2932-1-0x0000000074260000-0x000000007494E000-memory.dmp
      Filesize

      6.9MB

      Download
    • memory/2932-7-0x0000000000B10000-0x0000000000B46000-memory.dmp
      Filesize

      216KB

      Download
    • memory/2932-2-0x00000000048A0000-0x00000000048E0000-memory.dmp
      Filesize

      256KB

      Download
    • memory/2932-4-0x0000000074260000-0x000000007494E000-memory.dmp
      Filesize

      6.9MB

      Download
    • memory/2932-18-0x0000000074260000-0x000000007494E000-memory.dmp
      Filesize

      6.9MB

      Download
    • memory/2932-5-0x00000000048A0000-0x00000000048E0000-memory.dmp
      Filesize

      256KB

      Download
    • memory/2932-0-0x00000000008A0000-0x0000000000976000-memory.dmp
      Filesize

      856KB

      Download