Analysis

  • max time kernel
    142s
  • max time network
    162s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240226-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20240226-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    20/04/2024, 21:16 UTC

General

  • Target

    fdaa7ea645b190b5049db5e11ee65456_JaffaCakes118.exe

  • Size

    688KB

  • MD5

    fdaa7ea645b190b5049db5e11ee65456

  • SHA1

    c96956ef38e91160217379b008b4534d5c7862c6

  • SHA256

    e94ab3e9bc6dfb0889e82075cbef674de3c160a8d4bbf9b3d596381bebf492af

  • SHA512

    95cb0f1614d065db83e7ac94f9fb3587f02d72118ce2b91e7480eb801b484acca64a388eb1e2c944abdc069698d4e888307c1a2d534bfae1fd903d34a577ef9f

  • SSDEEP

    12288:DeZh7/duQkE35lyl9JTY7lVWrMQ4ZwCFaGZS2m:D8dZ5le87zWoQ4ZlaGZy

Score
10/10

Malware Config

Extracted

Family

xloader

Version

2.3

Campaign

mej0

Decoy

mtxs8.com

quickskiplondon.com

sltplanner.com

generatedate.com

amsinspections.com

tomrings.com

109friends.com

freelovereading.com

avalapartners.com

nordiqueluxury.com

inmbex.com

everybankatm.com

bo1899.com

ashymeadow.com

pubgm-chickendinner.com

takudolunch.com

carlagremiao.com

actonetheatre.com

wemhealth.com

khasomat.net
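The report labels every domain in the extracted config a decoy, so a resolver hit on one of them is a lead to correlate with the injection behaviour on the querying host, not by itself grounds to block the domain. The Python below is an added example (not part of the report or of any sandbox's code) that normalises queried names and matches them against the config list, anchored on a label boundary so that look-alike names do not match. The resolver log layout and the log lines are constructed for the example.

```python
"""Match DNS telemetry against the domain list extracted from this sample's
Xloader config. Added example; the log format and log lines are constructed."""
import re
from typing import List, Optional, Tuple

# Domains copied from the "Decoy" list in the extracted config above.
CONFIG_DOMAINS = [
    "mtxs8.com", "quickskiplondon.com", "sltplanner.com", "generatedate.com",
    "amsinspections.com", "tomrings.com", "109friends.com", "freelovereading.com",
    "avalapartners.com", "nordiqueluxury.com", "inmbex.com", "everybankatm.com",
    "bo1899.com", "ashymeadow.com", "pubgm-chickendinner.com", "takudolunch.com",
    "carlagremiao.com", "actonetheatre.com", "wemhealth.com", "khasomat.net",
]


def normalize_domain(name: str) -> str:
    """Lower-case, drop a trailing dot and a leading 'www.' so that log
    entries and config entries compare equal."""
    name = name.strip().lower().rstrip(".")
    return name[4:] if name.startswith("www.") else name


def matches_config(queried: str, config_domains=CONFIG_DOMAINS) -> Optional[str]:
    """Return the config domain that `queried` equals or is a subdomain of,
    or None. The suffix test is anchored on a dot, so 'notmtxs8.com' does
    not match 'mtxs8.com'."""
    q = normalize_domain(queried)
    for d in config_domains:
        d = normalize_domain(d)
        if q == d or q.endswith("." + d):
            return d
    return None


# Constructed resolver log layout (dnsmasq-like): "<ts> <client> query[<type>] <name>".
DNS_LOG_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<client>\S+)\s+query\[(?P<qtype>[A-Z]+)\]\s+(?P<qname>\S+)"
)


def scan_dns_log(lines) -> List[Tuple[str, str, str, str]]:
    """Return (timestamp, client, query type, matched config domain) for every
    query that hits the config list; lines that do not parse are skipped."""
    hits = []
    for line in lines:
        m = DNS_LOG_RE.match(line)
        if not m:
            continue
        hit = matches_config(m["qname"])
        if hit:
            hits.append((m["ts"], m["client"], m["qtype"], hit))
    return hits


# Constructed sample log; these lines are not from the report's network capture.
SAMPLE_LOG = """\
2024-04-20T21:16:03Z 10.0.0.15 query[A] www.mtxs8.com
2024-04-20T21:16:03Z 10.0.0.15 query[A] pki.goog
2024-04-20T21:16:09Z 10.0.0.15 query[A] cdn.khasomat.net.
2024-04-20T21:16:10Z 10.0.0.22 query[AAAA] chromewebstore.googleapis.com
2024-04-20T21:16:12Z 10.0.0.22 query[A] notmtxs8.com
garbage line that does not parse
"""

if __name__ == "__main__":
    for hit in scan_dns_log(SAMPLE_LOG.splitlines()):
        print(hit)
```

Two hits come back for the constructed log, both from client 10.0.0.15; the `pki.goog` and `chromewebstore.googleapis.com` queries (browser background traffic, as in this report's capture) and the look-alike `notmtxs8.com` are left alone.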

Signatures

  • Xloader

    Xloader is a rebranded version of Formbook malware.

  • Xloader payload 1 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 3 IoCs
  • Suspicious use of WriteProcessMemory 6 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\fdaa7ea645b190b5049db5e11ee65456_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\fdaa7ea645b190b5049db5e11ee65456_JaffaCakes118.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • Suspicious use of WriteProcessMemory
    PID:4820
    • C:\Users\Admin\AppData\Local\Temp\fdaa7ea645b190b5049db5e11ee65456_JaffaCakes118.exe
      "C:\Users\Admin\AppData\Local\Temp\fdaa7ea645b190b5049db5e11ee65456_JaffaCakes118.exe"
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      PID:4016
  • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=3460 --field-trial-handle=2328,i,5873823382323802923,13134441441264702821,262144 --variations-seed-version /prefetch:8
    1⤵
      PID:3616

    Network

    The three HTTP requests below carry an Edge 122 User-Agent and match the msedge.exe process in the tree; everything else is DNS, mostly reverse (PTR) lookups. No query for any domain in the extracted config was recorded in the 162 s network window of this run. All remote addresses (8.8.8.8 and 216.239.32.29) geolocate to the US.

    • DNS 81.171.91.138.in-addr.arpa IN PTR, resolver 8.8.8.8:53. Response: no answer records.
    • DNS 241.150.49.20.in-addr.arpa IN PTR, resolver 8.8.8.8:53. Response: no answer records.
    • DNS 172.210.232.199.in-addr.arpa IN PTR, resolver 8.8.8.8:53. Response: no answer records.
    • DNS 95.221.229.192.in-addr.arpa IN PTR, resolver 8.8.8.8:53. Response: no answer records.
    • DNS 75.159.190.20.in-addr.arpa IN PTR, resolver 8.8.8.8:53. Response: no answer records.
    • DNS 26.165.165.52.in-addr.arpa IN PTR, resolver 8.8.8.8:53. Response: no answer records.
    • DNS 58.55.71.13.in-addr.arpa IN PTR, resolver 8.8.8.8:53. Response: no answer records.
    • DNS 15.164.165.52.in-addr.arpa IN PTR, resolver 8.8.8.8:53. Response: no answer records.
    • DNS 134.71.91.104.in-addr.arpa IN PTR, resolver 8.8.8.8:53. Response: a104-91-71-134.deploy.static.akamaitechnologies.com
    • DNS chromewebstore.googleapis.com IN A, resolver 8.8.8.8:53. Response: 142.250.179.234, 142.250.180.10, 142.250.187.202, 142.250.187.234, 142.250.178.10, 172.217.16.234, 142.250.200.10, 142.250.200.42, 216.58.201.106, 216.58.204.74, 216.58.213.10, 172.217.169.10, 216.58.212.234, 172.217.169.74
    • DNS chromewebstore.googleapis.com IN Unknown, resolver 8.8.8.8:53. Response: no answer records.
    • DNS pki.goog IN A, resolver 8.8.8.8:53. Response: 216.239.32.29
    • DNS pki.goog IN Unknown, resolver 8.8.8.8:53. Response: no answer records.
    • HTTP GET http://pki.goog/gsr1/gsr1.crt (remote address 216.239.32.29:80)
      Request:
        GET /gsr1/gsr1.crt HTTP/1.1
        Host: pki.goog
        Connection: keep-alive
        User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/122.0.0.0 Safari/537.36 Edg/122.0.0.0
        Accept-Encoding: gzip, deflate
        Accept-Language: en-US,en;q=0.9
      Response:
        HTTP/1.1 200 OK
        Accept-Ranges: bytes
        Content-Encoding: gzip
        Content-Security-Policy-Report-Only: require-trusted-types-for 'script'; report-uri https://csp.withgoogle.com/csp/cacerts
        Cross-Origin-Resource-Policy: cross-origin
        Cross-Origin-Opener-Policy: same-origin; report-to="cacerts"
        Report-To: {"group":"cacerts","max_age":2592000,"endpoints":[{"url":"https://csp.withgoogle.com/csp/report-to/cacerts"}]}
        Content-Length: 797
        X-Content-Type-Options: nosniff
        Server: sffe
        X-XSS-Protection: 0
        Date: Sat, 20 Apr 2024 21:10:19 GMT
        Expires: Sat, 20 Apr 2024 22:00:19 GMT
        Cache-Control: public, max-age=3000
        Age: 415
        Last-Modified: Wed, 20 May 2020 16:45:00 GMT
        Content-Type: application/pkix-cert
        Vary: Accept-Encoding
    • HTTP GET http://pki.goog/repo/certs/gtsr1.der (remote address 216.239.32.29:80)
      Request:
        GET /repo/certs/gtsr1.der HTTP/1.1
        Host: pki.goog
        Connection: keep-alive
        User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/122.0.0.0 Safari/537.36 Edg/122.0.0.0
        Accept-Encoding: gzip, deflate
        Accept-Language: en-US,en;q=0.9
      Response:
        HTTP/1.1 200 OK
        Accept-Ranges: bytes
        Content-Security-Policy-Report-Only: require-trusted-types-for 'script'; report-uri https://csp.withgoogle.com/csp/cacerts
        Cross-Origin-Resource-Policy: cross-origin
        Cross-Origin-Opener-Policy: same-origin; report-to="cacerts"
        Report-To: {"group":"cacerts","max_age":2592000,"endpoints":[{"url":"https://csp.withgoogle.com/csp/report-to/cacerts"}]}
        Content-Length: 1371
        X-Content-Type-Options: nosniff
        Server: sffe
        X-XSS-Protection: 0
        Date: Sat, 20 Apr 2024 21:10:19 GMT
        Expires: Sat, 20 Apr 2024 22:00:19 GMT
        Cache-Control: public, max-age=3000
        Age: 415
        Last-Modified: Sun, 25 Jun 2023 02:58:00 GMT
        Content-Type: application/pkix-cert
        Vary: Accept-Encoding
    • HTTP GET http://pki.goog/repo/certs/gts1c3.der (remote address 216.239.32.29:80)
      Request:
        GET /repo/certs/gts1c3.der HTTP/1.1
        Host: pki.goog
        Connection: keep-alive
        User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/122.0.0.0 Safari/537.36 Edg/122.0.0.0
        Accept-Encoding: gzip, deflate
        Accept-Language: en-US,en;q=0.9
      Response:
        HTTP/1.1 200 OK
        Accept-Ranges: bytes
        Content-Encoding: gzip
        Content-Security-Policy-Report-Only: require-trusted-types-for 'script'; report-uri https://csp.withgoogle.com/csp/cacerts
        Cross-Origin-Resource-Policy: cross-origin
        Cross-Origin-Opener-Policy: same-origin; report-to="cacerts"
        Report-To: {"group":"cacerts","max_age":2592000,"endpoints":[{"url":"https://csp.withgoogle.com/csp/report-to/cacerts"}]}
        Content-Length: 1304
        X-Content-Type-Options: nosniff
        Server: sffe
        X-XSS-Protection: 0
        Date: Sat, 20 Apr 2024 21:10:35 GMT
        Expires: Sat, 20 Apr 2024 22:00:35 GMT
        Cache-Control: public, max-age=3000
        Age: 399
        Last-Modified: Mon, 17 Aug 2020 09:45:00 GMT
        Content-Type: application/pkix-cert
        Vary: Accept-Encoding
    • DNS 234.179.250.142.in-addr.arpa IN PTR, resolver 8.8.8.8:53. Response: lhr25s31-in-f10.1e100.net
    • DNS 29.32.239.216.in-addr.arpa IN PTR, resolver 8.8.8.8:53. Response: any-in-201d.1e100.net
    • DNS 104.219.191.52.in-addr.arpa IN PTR, resolver 8.8.8.8:53. Response: no answer records.
    • DNS 104.219.191.52.in-addr.arpa IN PTR, resolver 8.8.8.8:53. No response recorded.
    • DNS 104.219.191.52.in-addr.arpa IN PTR, resolver 8.8.8.8:53. No response recorded.
    • DNS 154.239.44.20.in-addr.arpa IN PTR, resolver 8.8.8.8:53. Response: no answer records.
    • DNS 154.239.44.20.in-addr.arpa IN PTR, resolver 8.8.8.8:53. No response recorded.
    • DNS 48.229.111.52.in-addr.arpa IN PTR, resolver 8.8.8.8:53. Response: no answer records.
    • DNS 48.229.111.52.in-addr.arpa IN PTR, resolver 8.8.8.8:53. No response recorded.
    • DNS 67.112.168.52.in-addr.arpa IN PTR, resolver 8.8.8.8:53. Response: no answer records.
    Connections (remote address | host | protocol | bytes sent / received | packets sent / received)

    • 13.107.253.64:443 | (no host) | (no protocol tag) | 92 B / 40 B | 2 / 1
    • 142.250.179.234:443 | chromewebstore.googleapis.com | tls | 1.0kB / 5.2kB | 9 / 7
    • 142.250.179.234:443 | chromewebstore.googleapis.com | tls | 1.6kB / 5.2kB | 12 / 8
    • 216.239.32.29:80 | pki.goog | (no protocol tag) | 294 B / 156 B | 6 / 3
    • 216.239.32.29:80 | http://pki.goog/repo/certs/gts1c3.der | http | 1.3kB / 6.0kB | 10 / 8
      HTTP requests on this connection: GET http://pki.goog/gsr1/gsr1.crt (200), GET http://pki.goog/repo/certs/gtsr1.der (200), GET http://pki.goog/repo/certs/gts1c3.der (200)
    • 8.8.8.8:53 | 81.171.91.138.in-addr.arpa | dns | 72 B / 146 B | 1 / 1
    • 8.8.8.8:53 | 241.150.49.20.in-addr.arpa | dns | 72 B / 158 B | 1 / 1
    • 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | dns | 74 B / 128 B | 1 / 1
    • 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | dns | 73 B / 144 B | 1 / 1
    • 8.8.8.8:53 | 75.159.190.20.in-addr.arpa | dns | 72 B / 158 B | 1 / 1
    • 8.8.8.8:53 | 26.165.165.52.in-addr.arpa | dns | 72 B / 146 B | 1 / 1
    • 8.8.8.8:53 | 58.55.71.13.in-addr.arpa | dns | 70 B / 144 B | 1 / 1
    • 8.8.8.8:53 | 15.164.165.52.in-addr.arpa | dns | 72 B / 146 B | 1 / 1
    • 8.8.8.8:53 | 134.71.91.104.in-addr.arpa | dns | 72 B / 137 B | 1 / 1
    • 8.8.8.8:53 | chromewebstore.googleapis.com | dns | 75 B / 299 B | 1 / 1
      DNS response: 142.250.179.234, 142.250.180.10, 142.250.187.202, 142.250.187.234, 142.250.178.10, 172.217.16.234, 142.250.200.10, 142.250.200.42, 216.58.201.106, 216.58.204.74, 216.58.213.10, 172.217.169.10, 216.58.212.234, 172.217.169.74
    • 8.8.8.8:53 | chromewebstore.googleapis.com | dns | 75 B / 132 B | 1 / 1
    • 8.8.8.8:53 | pki.goog | dns | 54 B / 70 B | 1 / 1
      DNS response: 216.239.32.29
    • 8.8.8.8:53 | pki.goog | dns | 54 B / 128 B | 1 / 1
    • 8.8.8.8:53 | 234.179.250.142.in-addr.arpa | dns | 74 B / 113 B | 1 / 1
    • 8.8.8.8:53 | 29.32.239.216.in-addr.arpa | dns | 72 B / 107 B | 1 / 1
    • 8.8.8.8:53 | 104.219.191.52.in-addr.arpa | dns | 219 B / 147 B | 3 / 1 (query sent three times, one response)
    • 8.8.8.8:53 | 154.239.44.20.in-addr.arpa | dns | 144 B / 158 B | 2 / 1 (query sent twice, one response)
    • 8.8.8.8:53 | 48.229.111.52.in-addr.arpa | dns | 144 B / 158 B | 2 / 1 (query sent twice, one response)
    • 8.8.8.8:53 | 67.112.168.52.in-addr.arpa | dns | 72 B / 146 B | 1 / 1


    Downloads

    • memory/4016-12-0x0000000000400000-0x0000000000428000-memory.dmp

      Filesize

      160KB

    • memory/4016-14-0x0000000001A10000-0x0000000001D5A000-memory.dmp

      Filesize

      3.3MB

    • memory/4820-6-0x00000000051A0000-0x00000000051BC000-memory.dmp

      Filesize

      112KB

    • memory/4820-3-0x0000000004BF0000-0x0000000004C82000-memory.dmp

      Filesize

      584KB

    • memory/4820-4-0x0000000004D10000-0x0000000004D20000-memory.dmp

      Filesize

      64KB

    • memory/4820-5-0x0000000004CC0000-0x0000000004CCA000-memory.dmp

      Filesize

      40KB

    • memory/4820-0-0x0000000074E00000-0x00000000755B0000-memory.dmp

      Filesize

      7.7MB

    • memory/4820-7-0x0000000006310000-0x00000000063AC000-memory.dmp

      Filesize

      624KB

    • memory/4820-8-0x0000000074E00000-0x00000000755B0000-memory.dmp

      Filesize

      7.7MB

    • memory/4820-9-0x0000000004D10000-0x0000000004D20000-memory.dmp

      Filesize

      64KB

    • memory/4820-10-0x00000000008C0000-0x0000000000926000-memory.dmp

      Filesize

      408KB

    • memory/4820-11-0x0000000000960000-0x000000000098E000-memory.dmp

      Filesize

      184KB

    • memory/4820-2-0x0000000005250000-0x00000000057F4000-memory.dmp

      Filesize

      5.6MB

    • memory/4820-1-0x00000000001A0000-0x0000000000252000-memory.dmp

      Filesize

      712KB

    • memory/4820-15-0x0000000074E00000-0x00000000755B0000-memory.dmp

      Filesize

      7.7MB
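The dump names above encode the PID, a capture index and the address range of each region, so the list can be triaged without opening a single file. In the injected child (PID 4016) the 160KB region at 0x400000 is far smaller than the sample's own image (the 712KB region at 0x1A0000 in PID 4820), which is consistent with the original image having been replaced by the injected payload, so that region is the first one to carve; the 3.3MB region at 0x1A10000 is the next. The Python below is an added example, not part of the report or of any sandbox's tooling, that parses the names, checks the stated sizes against the address ranges, finds ranges that were captured more than once and orders the child's dumps for unpacking. The name layout memory/<pid>-<index>-<start>-<end>-memory.dmp is read off the file names above.

```python
"""Parse the memory-dump names from the Downloads list, verify the reported
sizes and rank the regions worth unpacking first. Added example; the naming
scheme is taken from the file names in the report, everything else is ours."""
import re
from collections import defaultdict

DUMP_RE = re.compile(
    r"^memory/(?P<pid>\d+)-(?P<idx>\d+)-0x(?P<start>[0-9A-Fa-f]+)-0x(?P<end>[0-9A-Fa-f]+)-memory\.dmp$"
)

# (name, reported size) pairs copied from the Downloads list above.
REPORT_DUMPS = [
    ("memory/4016-12-0x0000000000400000-0x0000000000428000-memory.dmp", "160KB"),
    ("memory/4016-14-0x0000000001A10000-0x0000000001D5A000-memory.dmp", "3.3MB"),
    ("memory/4820-6-0x00000000051A0000-0x00000000051BC000-memory.dmp", "112KB"),
    ("memory/4820-3-0x0000000004BF0000-0x0000000004C82000-memory.dmp", "584KB"),
    ("memory/4820-4-0x0000000004D10000-0x0000000004D20000-memory.dmp", "64KB"),
    ("memory/4820-5-0x0000000004CC0000-0x0000000004CCA000-memory.dmp", "40KB"),
    ("memory/4820-0-0x0000000074E00000-0x00000000755B0000-memory.dmp", "7.7MB"),
    ("memory/4820-7-0x0000000006310000-0x00000000063AC000-memory.dmp", "624KB"),
    ("memory/4820-8-0x0000000074E00000-0x00000000755B0000-memory.dmp", "7.7MB"),
    ("memory/4820-9-0x0000000004D10000-0x0000000004D20000-memory.dmp", "64KB"),
    ("memory/4820-10-0x00000000008C0000-0x0000000000926000-memory.dmp", "408KB"),
    ("memory/4820-11-0x0000000000960000-0x000000000098E000-memory.dmp", "184KB"),
    ("memory/4820-2-0x0000000005250000-0x00000000057F4000-memory.dmp", "5.6MB"),
    ("memory/4820-1-0x00000000001A0000-0x0000000000252000-memory.dmp", "712KB"),
    ("memory/4820-15-0x0000000074E00000-0x00000000755B0000-memory.dmp", "7.7MB"),
]


def parse_dump_name(name: str) -> dict:
    """Split a dump file name into pid, capture index, start, end and size in bytes."""
    m = DUMP_RE.match(name)
    if not m:
        raise ValueError(f"not a memory dump name: {name}")
    start, end = int(m["start"], 16), int(m["end"], 16)
    return {"name": name, "pid": int(m["pid"]), "idx": int(m["idx"]),
            "start": start, "end": end, "size": end - start}


def human_size(n: int) -> str:
    """Render a byte count the way the report does: whole KB below 1MB, one decimal MB above."""
    if n >= 1 << 20:
        return f"{n / (1 << 20):.1f}MB"
    return f"{n // 1024}KB"


def check_reported_sizes(dumps) -> list:
    """Names whose address range disagrees with the size the report states (expected: none)."""
    return [name for name, reported in dumps
            if human_size(parse_dump_name(name)["size"]) != reported]


def repeated_regions(dumps) -> dict:
    """Map (pid, start, end) to the capture indices at which the same range
    was dumped more than once; the index orders the captures."""
    groups = defaultdict(list)
    for name, _ in dumps:
        d = parse_dump_name(name)
        groups[(d["pid"], d["start"], d["end"])].append(d["idx"])
    return {k: sorted(v) for k, v in groups.items() if len(v) > 1}


DEFAULT_IMAGE_BASE = 0x400000  # default image base of a 32-bit PE


def candidate_payloads(dumps, injected_pids) -> list:
    """Dumps from the injected processes, the default-image-base region first,
    then the remaining regions largest first."""
    cands = [parse_dump_name(name) for name, _ in dumps]
    cands = [d for d in cands if d["pid"] in injected_pids]
    return sorted(cands, key=lambda d: (d["start"] != DEFAULT_IMAGE_BASE, -d["size"]))


if __name__ == "__main__":
    print("size mismatches:", check_reported_sizes(REPORT_DUMPS))
    for region, idxs in repeated_regions(REPORT_DUMPS).items():
        print(f"pid {region[0]} 0x{region[1]:X}-0x{region[2]:X} captured at indices {idxs}")
    for d in candidate_payloads(REPORT_DUMPS, {4016}):
        print(f"unpack next: {d['name']} ({human_size(d['size'])})")
```

Every stated size agrees with its address range. Two ranges in the parent were captured more than once (0x74E00000 to 0x755B0000 at indices 0, 8 and 15; 0x4D10000 to 0x4D20000 at 4 and 9), which is why the same 7.7MB figure appears three times in the list above.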
