xloader | 7e99dc28bcc8be32fb1477bc6b67da52d67195e1e9ebc9612118a9e180675af7

Analysis

max time kernel
118s
max time network
120s
platform
windows7_x64
resource
win7-20240215-en
resource tags

arch:x64arch:x86image:win7-20240215-enlocale:en-usos:windows7-x64system
submitted
20-04-2024 02:43

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

fbc0a38898145f58ec52b75a6a0d4f58_JaffaCakes118.exe
Size

867KB
MD5

fbc0a38898145f58ec52b75a6a0d4f58
SHA1

0e1b7baa19c708aada04ebe148575996eb5ee7cb
SHA256

7e99dc28bcc8be32fb1477bc6b67da52d67195e1e9ebc9612118a9e180675af7
SHA512

19dc73d78176cae92fa3e6223107a965e72cd54b26ce69cb47b4bc696e67afae4d9a35a927cd75d7df583bf062b5fa129c7d49bf3e565e26167633c91085107a
SSDEEP

12288:bPvDc9F3nC0Py3gAhI3cPtgRBKmSL4NT29PnrpTtQ/wFkXih3cHIy2P5K:bPaK/LS2VnRK/w6wcHh6

Score

10^/10

xloader ubqk loader rat

Malware Config

Extracted

Family

xloader

Version

2.3

Campaign

ubqk

Decoy

thewanderers.info

nowthinasten.com

salesnewage.com

fzgjx.club

transformationcamp.net

thewaltongroup30a.com

bitdoubler.info

elveronac.com

tabupolitico.com

thecureisweed.com

collegesupermatch.com

bbluedotpanowd.com

joakimrexperience.com

philorise.com

beelippy.com

glitchedcode.com

northwoodsremodeling.com

healrrr.com

precisadiagnostics.com

1crude.com

Signatures

Xloader
Xloader is a rebranded version of Formbook malware.
loader xloader

Xloader payload 1 IoCs

rat

resource	yara_rule
behavioral1/memory/2380-13-0x0000000000400000-0x0000000000428000-memory.dmp	xloader

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2896 set thread context of 2380	2896	fbc0a38898145f58ec52b75a6a0d4f58_JaffaCakes118.exe	30

Program crash 1 IoCs

pid	pid_target	Process	procid_target
2392	2380	WerFault.exe	30

Suspicious use of WriteProcessMemory 11 IoCs

description	pid	Process	procid_target
PID 2896 wrote to memory of 2380	2896	fbc0a38898145f58ec52b75a6a0d4f58_JaffaCakes118.exe	30
PID 2896 wrote to memory of 2380	2896	fbc0a38898145f58ec52b75a6a0d4f58_JaffaCakes118.exe	30
PID 2896 wrote to memory of 2380	2896	fbc0a38898145f58ec52b75a6a0d4f58_JaffaCakes118.exe	30
PID 2896 wrote to memory of 2380	2896	fbc0a38898145f58ec52b75a6a0d4f58_JaffaCakes118.exe	30
PID 2896 wrote to memory of 2380	2896	fbc0a38898145f58ec52b75a6a0d4f58_JaffaCakes118.exe	30
PID 2896 wrote to memory of 2380	2896	fbc0a38898145f58ec52b75a6a0d4f58_JaffaCakes118.exe	30
PID 2896 wrote to memory of 2380	2896	fbc0a38898145f58ec52b75a6a0d4f58_JaffaCakes118.exe	30
PID 2380 wrote to memory of 2392	2380	fbc0a38898145f58ec52b75a6a0d4f58_JaffaCakes118.exe	31
PID 2380 wrote to memory of 2392	2380	fbc0a38898145f58ec52b75a6a0d4f58_JaffaCakes118.exe	31
PID 2380 wrote to memory of 2392	2380	fbc0a38898145f58ec52b75a6a0d4f58_JaffaCakes118.exe	31
PID 2380 wrote to memory of 2392	2380	fbc0a38898145f58ec52b75a6a0d4f58_JaffaCakes118.exe	31

C:\Users\Admin\AppData\Local\Temp\fbc0a38898145f58ec52b75a6a0d4f58_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\fbc0a38898145f58ec52b75a6a0d4f58_JaffaCakes118.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:2896
- C:\Users\Admin\AppData\Local\Temp\fbc0a38898145f58ec52b75a6a0d4f58_JaffaCakes118.exe
  "C:\Users\Admin\AppData\Local\Temp\fbc0a38898145f58ec52b75a6a0d4f58_JaffaCakes118.exe"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2380
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2380 -s 36
    3⤵
    - Program crash
    PID:2392

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/2380-8-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/2380-13-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/2380-11-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2380-10-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/2896-3-0x00000000003F0000-0x0000000000408000-memory.dmp

Filesize
96KB

Download
memory/2896-5-0x0000000005010000-0x0000000005050000-memory.dmp

Filesize
256KB

Download
memory/2896-6-0x0000000005640000-0x00000000056EE000-memory.dmp

Filesize
696KB

Download
memory/2896-7-0x0000000000C70000-0x0000000000CB0000-memory.dmp

Filesize
256KB

Download
memory/2896-4-0x0000000074B00000-0x00000000751EE000-memory.dmp

Filesize
6.9MB

Download
memory/2896-0-0x0000000000CD0000-0x0000000000DB0000-memory.dmp

Filesize
896KB

Download
memory/2896-2-0x0000000005010000-0x0000000005050000-memory.dmp

Filesize
256KB

Download
memory/2896-1-0x0000000074B00000-0x00000000751EE000-memory.dmp

Filesize
6.9MB

Download
memory/2896-14-0x0000000074B00000-0x00000000751EE000-memory.dmp

Filesize
6.9MB

Download