xloader | 72320946e28ee9117b85cb1a83e5e122c3938e4a79c9be1551595103cb2c311a

General

Target

fea794d22d11c7eda7af63545fc5f9ba_JaffaCakes118.exe
Size

303KB
MD5

fea794d22d11c7eda7af63545fc5f9ba
SHA1

7d30f8fa2652c0e36a82fbbf6a5995bdb1d056f9
SHA256

72320946e28ee9117b85cb1a83e5e122c3938e4a79c9be1551595103cb2c311a
SHA512

49d6b9c8b7ca35652a72f949bf4cdf5dc5f595391db052786a6333befde7dbf28afe3dd9fda177135dc90fd45c46c00826f8a936d1458e6d91b6cd146124da55
SSDEEP

6144:UDsmb8RHBESKs3hnD13HIMq/3WdCVdKrL:UD8WSKsBDpaWdCi/

Score

10^/10

xloader att3 loader rat

Malware Config

Extracted

Family

xloader

Version

2.3

Campaign

att3

Decoy

oakbridgefundservices.com

fancyforts.com

coisadoce.com

learnfrommymentor.com

digitalgurughana.com

phk0.com

jantiprojeekspertiz.com

xiabyhuc.com

todayonly8.info

pgzapgmn.icu

sistemasarafranco.com

nest-estudio.com

2259.xyz

kenobi.tech

mortgageloansbyjeff.com

thameensa.com

navigators.digital

ecocleanmalta.com

advancedrecyclinginc.com

pmotriz.com

Signatures

Xloader
Xloader is a rebranded version of Formbook malware.
loader xloader

Xloader payload 1 IoCs

rat

Processes:

resource	yara_rule
behavioral1/memory/2596-40-0x0000000000400000-0x0000000000429000-memory.dmp	xloader

Drops startup file 2 IoCs

Processes:

PowerShell.exe

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Sfgdfgdfd.exe	PowerShell.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Sfgdfgdfd.exe	PowerShell.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

fea794d22d11c7eda7af63545fc5f9ba_JaffaCakes118.exe

description	pid	Process	procid_target
PID 2352 set thread context of 2596	2352	fea794d22d11c7eda7af63545fc5f9ba_JaffaCakes118.exe	31

Suspicious behavior: EnumeratesProcesses 4 IoCs

Processes:

fea794d22d11c7eda7af63545fc5f9ba_JaffaCakes118.exePowerShell.exefea794d22d11c7eda7af63545fc5f9ba_JaffaCakes118.exe

pid	Process
2352	fea794d22d11c7eda7af63545fc5f9ba_JaffaCakes118.exe
2352	fea794d22d11c7eda7af63545fc5f9ba_JaffaCakes118.exe
2108	PowerShell.exe
2596	fea794d22d11c7eda7af63545fc5f9ba_JaffaCakes118.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

fea794d22d11c7eda7af63545fc5f9ba_JaffaCakes118.exePowerShell.exe

description	pid	Process
Token: SeDebugPrivilege	2352	fea794d22d11c7eda7af63545fc5f9ba_JaffaCakes118.exe
Token: SeDebugPrivilege	2108	PowerShell.exe

Suspicious use of WriteProcessMemory 15 IoCs

Processes:

fea794d22d11c7eda7af63545fc5f9ba_JaffaCakes118.exe

description	pid	Process	procid_target
PID 2352 wrote to memory of 2108	2352	fea794d22d11c7eda7af63545fc5f9ba_JaffaCakes118.exe	28
PID 2352 wrote to memory of 2108	2352	fea794d22d11c7eda7af63545fc5f9ba_JaffaCakes118.exe	28
PID 2352 wrote to memory of 2108	2352	fea794d22d11c7eda7af63545fc5f9ba_JaffaCakes118.exe	28
PID 2352 wrote to memory of 2108	2352	fea794d22d11c7eda7af63545fc5f9ba_JaffaCakes118.exe	28
PID 2352 wrote to memory of 2604	2352	fea794d22d11c7eda7af63545fc5f9ba_JaffaCakes118.exe	30
PID 2352 wrote to memory of 2604	2352	fea794d22d11c7eda7af63545fc5f9ba_JaffaCakes118.exe	30
PID 2352 wrote to memory of 2604	2352	fea794d22d11c7eda7af63545fc5f9ba_JaffaCakes118.exe	30
PID 2352 wrote to memory of 2604	2352	fea794d22d11c7eda7af63545fc5f9ba_JaffaCakes118.exe	30
PID 2352 wrote to memory of 2596	2352	fea794d22d11c7eda7af63545fc5f9ba_JaffaCakes118.exe	31
PID 2352 wrote to memory of 2596	2352	fea794d22d11c7eda7af63545fc5f9ba_JaffaCakes118.exe	31
PID 2352 wrote to memory of 2596	2352	fea794d22d11c7eda7af63545fc5f9ba_JaffaCakes118.exe	31
PID 2352 wrote to memory of 2596	2352	fea794d22d11c7eda7af63545fc5f9ba_JaffaCakes118.exe	31
PID 2352 wrote to memory of 2596	2352	fea794d22d11c7eda7af63545fc5f9ba_JaffaCakes118.exe	31
PID 2352 wrote to memory of 2596	2352	fea794d22d11c7eda7af63545fc5f9ba_JaffaCakes118.exe	31
PID 2352 wrote to memory of 2596	2352	fea794d22d11c7eda7af63545fc5f9ba_JaffaCakes118.exe	31

C:\Users\Admin\AppData\Local\Temp\fea794d22d11c7eda7af63545fc5f9ba_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\fea794d22d11c7eda7af63545fc5f9ba_JaffaCakes118.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2352
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\PowerShell.exe
  "PowerShell" copy-item 'C:\Users\Admin\AppData\Local\Temp\fea794d22d11c7eda7af63545fc5f9ba_JaffaCakes118.exe' 'C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Sfgdfgdfd.exe'
  2⤵
  - Drops startup file
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2108
- C:\Users\Admin\AppData\Local\Temp\fea794d22d11c7eda7af63545fc5f9ba_JaffaCakes118.exe
  "C:\Users\Admin\AppData\Local\Temp\fea794d22d11c7eda7af63545fc5f9ba_JaffaCakes118.exe"
  2⤵
  PID:2604
- C:\Users\Admin\AppData\Local\Temp\fea794d22d11c7eda7af63545fc5f9ba_JaffaCakes118.exe
  "C:\Users\Admin\AppData\Local\Temp\fea794d22d11c7eda7af63545fc5f9ba_JaffaCakes118.exe"
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2596

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/2108-32-0x0000000070730000-0x0000000070CDB000-memory.dmp

Filesize
5.7MB

Download
memory/2108-43-0x0000000070730000-0x0000000070CDB000-memory.dmp

Filesize
5.7MB

Download
memory/2108-33-0x0000000070730000-0x0000000070CDB000-memory.dmp

Filesize
5.7MB

Download
memory/2108-39-0x0000000002980000-0x00000000029C0000-memory.dmp

Filesize
256KB

Download
memory/2108-37-0x0000000002980000-0x00000000029C0000-memory.dmp

Filesize
256KB

Download
memory/2352-26-0x0000000000650000-0x0000000000665000-memory.dmp

Filesize
84KB

Download
memory/2352-30-0x0000000000650000-0x0000000000665000-memory.dmp

Filesize
84KB

Download
memory/2352-0-0x00000000002D0000-0x0000000000322000-memory.dmp

Filesize
328KB

Download
memory/2352-24-0x0000000000650000-0x0000000000665000-memory.dmp

Filesize
84KB

Download
memory/2352-22-0x0000000000650000-0x0000000000665000-memory.dmp

Filesize
84KB

Download
memory/2352-20-0x0000000000650000-0x0000000000665000-memory.dmp

Filesize
84KB

Download
memory/2352-18-0x0000000000650000-0x0000000000665000-memory.dmp

Filesize
84KB

Download
memory/2352-16-0x0000000000650000-0x0000000000665000-memory.dmp

Filesize
84KB

Download
memory/2352-14-0x0000000000650000-0x0000000000665000-memory.dmp

Filesize
84KB

Download
memory/2352-12-0x0000000000650000-0x0000000000665000-memory.dmp

Filesize
84KB

Download
memory/2352-10-0x0000000000650000-0x0000000000665000-memory.dmp

Filesize
84KB

Download
memory/2352-8-0x0000000000650000-0x0000000000665000-memory.dmp

Filesize
84KB

Download
memory/2352-7-0x0000000000650000-0x0000000000665000-memory.dmp

Filesize
84KB

Download
memory/2352-28-0x0000000000650000-0x0000000000665000-memory.dmp

Filesize
84KB

Download
memory/2352-44-0x0000000074DC0000-0x00000000754AE000-memory.dmp

Filesize
6.9MB

Download
memory/2352-1-0x0000000074DC0000-0x00000000754AE000-memory.dmp

Filesize
6.9MB

Download
memory/2352-4-0x0000000004B20000-0x0000000004B60000-memory.dmp

Filesize
256KB

Download
memory/2352-3-0x0000000000650000-0x000000000066C000-memory.dmp

Filesize
112KB

Download
memory/2352-35-0x0000000000680000-0x0000000000681000-memory.dmp

Filesize
4KB

Download
memory/2352-2-0x0000000074DC0000-0x00000000754AE000-memory.dmp

Filesize
6.9MB

Download
memory/2596-40-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2596-31-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2596-41-0x0000000000B50000-0x0000000000E53000-memory.dmp

Filesize
3.0MB

Download
memory/2596-36-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2596-34-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2596-45-0x0000000000B50000-0x0000000000E53000-memory.dmp

Filesize
3.0MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads