Overview

overview

10

Static

static

3

fc5e7180f8...18.exe

windows7-x64

1

fc5e7180f8...18.exe

windows10-2004-x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    fc5e7180f8df26c39560f18d7e4f17a3_JaffaCakes118

  • Size

    566KB

  • Sample

    240420-km6jcscg89

  • MD5

    fc5e7180f8df26c39560f18d7e4f17a3

  • SHA1

    9d8adf3384edea39294d970f87834ddf55896463

  • SHA256

    51861af4be587112d2827d71c2c2c3adddc9e7531aa4bf2850d205be3dc50113

  • SHA512

    fded849636c297663144d7bf7835064de4c26aa78df666765c686d286508e92a60f085bfc0781b46d98836a728b6b0d1970bfcd7c1acaad13939b9c5c64fff77

  • SSDEEP

    6144:XwnMNVAKl5Y6SZ70111uX5KNYGo0KyDsZuRc4+bLQg+83Me3ae+QzfE:XwCmKlpzuXCzXDUOr8LQg+83MEl+E

Score
10/10
xloaderrca2loaderpersistencerat

Malware Config

Extracted

Family

xloader

Version

2.3

Campaign

rca2

Decoy

bapzcosmetics.com

skillsgage.com

mingshiweiye.com

dcc-compliance.com

emprenbook.com

firn.site

haryanaricemil.com

fleetwoodfoods.com

jlnxhbkj.com

surajsanyal.com

jubakey.com

auroraunitedshippingco.com

propolis-surabaya.com

vasinvestments.com

breederschallenge.com

tafcoo.com

417motoringparts.com

livemis.com

drainassist.com

kristenguestart.com

Targets

    • Target

      fc5e7180f8df26c39560f18d7e4f17a3_JaffaCakes118

    • Size

      566KB

    • MD5

      fc5e7180f8df26c39560f18d7e4f17a3

    • SHA1

      9d8adf3384edea39294d970f87834ddf55896463

    • SHA256

      51861af4be587112d2827d71c2c2c3adddc9e7531aa4bf2850d205be3dc50113

    • SHA512

      fded849636c297663144d7bf7835064de4c26aa78df666765c686d286508e92a60f085bfc0781b46d98836a728b6b0d1970bfcd7c1acaad13939b9c5c64fff77

    • SSDEEP

      6144:XwnMNVAKl5Y6SZ70111uX5KNYGo0KyDsZuRc4+bLQg+83Me3ae+QzfE:XwCmKlpzuXCzXDUOr8LQg+83MEl+E

    Score
    10/10
    xloaderrca2loaderpersistencerat

    • Xloader

      Xloader is a rebranded version of Formbook malware.

      loaderxloader

    • Xloader payload

      rat

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Drops startup file

    • Executes dropped EXE

    • Adds Run key to start application

      persistence

    • Suspicious use of SetThreadContext

    behavioral1behavioral2

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1
T1547

Registry Run Keys / Startup Folder

1
T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1
T1547

Registry Run Keys / Startup Folder

1
T1547.001

Defense Evasion

Modify Registry

1
T1112

Credential Access

Discovery

Query Registry

1
T1012

System Information Discovery

2
T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Tasks