xloader | 03122f0024975ef8688129a291f7a5398a8ef02cf65f452daf3bfb2edbb3ae80

General

Target

fe93fd7b777639146c4927a698ab4c33_JaffaCakes118.exe
Size

935KB
MD5

fe93fd7b777639146c4927a698ab4c33
SHA1

43d8501440f8df5e5429090f9af6335c6b32c292
SHA256

03122f0024975ef8688129a291f7a5398a8ef02cf65f452daf3bfb2edbb3ae80
SHA512

e6ddc3e452e37f6b69d7066ff8f1b3e4e6eb93f53e64398ef01993fa2d412497189af8f9e085e7c3f58ddc894589bb507ab7909474ebb19447b3d59c6cc02743
SSDEEP

12288:gqaDADB/q7EhGteOdlClsYKWa52SyhvvzhJrOIpPjYeiMSs3p+:gvQ/vQenTW5YvLTCIpHiiE

Score

10^/10

xloader di4p loader rat

Malware Config

Extracted

Family

xloader

Version

2.3

Campaign

di4p

Decoy

thegeeksbeanie.net

ertugrulefendi.com

avwastemanagement.com

themindfulayurveda.com

jackietalk.com

medicineshome.com

infiniteactuaries.com

brightergreens.com

titchlondon.com

kisuke-jinbocho.com

bloggerpremiumtemplates.com

fixxatag.com

windinder.com

xn--gs-prcision-fbb.com

touteslesmaisons.com

dispute72-paypal.com

redchairsewingroom.com

comparisontech.net

fazedrop.com

tradein-car.com

Signatures

Xloader
Xloader is a rebranded version of Formbook malware.
loader xloader

Xloader payload 1 IoCs

rat

Processes:

resource	yara_rule
behavioral1/memory/2436-14-0x0000000000400000-0x0000000000428000-memory.dmp	xloader

Suspicious use of SetThreadContext 1 IoCs

Processes:

fe93fd7b777639146c4927a698ab4c33_JaffaCakes118.exe

description	pid	Process	procid_target
PID 1992 set thread context of 2436	1992	fe93fd7b777639146c4927a698ab4c33_JaffaCakes118.exe	30

Suspicious behavior: EnumeratesProcesses 3 IoCs

Processes:

fe93fd7b777639146c4927a698ab4c33_JaffaCakes118.exefe93fd7b777639146c4927a698ab4c33_JaffaCakes118.exe

pid	Process
1992	fe93fd7b777639146c4927a698ab4c33_JaffaCakes118.exe
1992	fe93fd7b777639146c4927a698ab4c33_JaffaCakes118.exe
2436	fe93fd7b777639146c4927a698ab4c33_JaffaCakes118.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

fe93fd7b777639146c4927a698ab4c33_JaffaCakes118.exe

description	pid	Process
Token: SeDebugPrivilege	1992	fe93fd7b777639146c4927a698ab4c33_JaffaCakes118.exe

Suspicious use of WriteProcessMemory 15 IoCs

Processes:

fe93fd7b777639146c4927a698ab4c33_JaffaCakes118.exe

description	pid	Process	procid_target
PID 1992 wrote to memory of 2440	1992	fe93fd7b777639146c4927a698ab4c33_JaffaCakes118.exe	28
PID 1992 wrote to memory of 2440	1992	fe93fd7b777639146c4927a698ab4c33_JaffaCakes118.exe	28
PID 1992 wrote to memory of 2440	1992	fe93fd7b777639146c4927a698ab4c33_JaffaCakes118.exe	28
PID 1992 wrote to memory of 2440	1992	fe93fd7b777639146c4927a698ab4c33_JaffaCakes118.exe	28
PID 1992 wrote to memory of 2724	1992	fe93fd7b777639146c4927a698ab4c33_JaffaCakes118.exe	29
PID 1992 wrote to memory of 2724	1992	fe93fd7b777639146c4927a698ab4c33_JaffaCakes118.exe	29
PID 1992 wrote to memory of 2724	1992	fe93fd7b777639146c4927a698ab4c33_JaffaCakes118.exe	29
PID 1992 wrote to memory of 2724	1992	fe93fd7b777639146c4927a698ab4c33_JaffaCakes118.exe	29
PID 1992 wrote to memory of 2436	1992	fe93fd7b777639146c4927a698ab4c33_JaffaCakes118.exe	30
PID 1992 wrote to memory of 2436	1992	fe93fd7b777639146c4927a698ab4c33_JaffaCakes118.exe	30
PID 1992 wrote to memory of 2436	1992	fe93fd7b777639146c4927a698ab4c33_JaffaCakes118.exe	30
PID 1992 wrote to memory of 2436	1992	fe93fd7b777639146c4927a698ab4c33_JaffaCakes118.exe	30
PID 1992 wrote to memory of 2436	1992	fe93fd7b777639146c4927a698ab4c33_JaffaCakes118.exe	30
PID 1992 wrote to memory of 2436	1992	fe93fd7b777639146c4927a698ab4c33_JaffaCakes118.exe	30
PID 1992 wrote to memory of 2436	1992	fe93fd7b777639146c4927a698ab4c33_JaffaCakes118.exe	30

C:\Users\Admin\AppData\Local\Temp\fe93fd7b777639146c4927a698ab4c33_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\fe93fd7b777639146c4927a698ab4c33_JaffaCakes118.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1992
- C:\Users\Admin\AppData\Local\Temp\fe93fd7b777639146c4927a698ab4c33_JaffaCakes118.exe
  "C:\Users\Admin\AppData\Local\Temp\fe93fd7b777639146c4927a698ab4c33_JaffaCakes118.exe"
  2⤵
  PID:2440
- C:\Users\Admin\AppData\Local\Temp\fe93fd7b777639146c4927a698ab4c33_JaffaCakes118.exe
  "C:\Users\Admin\AppData\Local\Temp\fe93fd7b777639146c4927a698ab4c33_JaffaCakes118.exe"
  2⤵
  PID:2724
- C:\Users\Admin\AppData\Local\Temp\fe93fd7b777639146c4927a698ab4c33_JaffaCakes118.exe
  "C:\Users\Admin\AppData\Local\Temp\fe93fd7b777639146c4927a698ab4c33_JaffaCakes118.exe"
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2436

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1992-6-0x00000000057C0000-0x0000000005860000-memory.dmp

Filesize
640KB

Download
memory/1992-0-0x0000000000AF0000-0x0000000000BE0000-memory.dmp

Filesize
960KB

Download
memory/1992-2-0x0000000004EC0000-0x0000000004F00000-memory.dmp

Filesize
256KB

Download
memory/1992-3-0x00000000002E0000-0x00000000002FC000-memory.dmp

Filesize
112KB

Download
memory/1992-4-0x0000000074010000-0x00000000746FE000-memory.dmp

Filesize
6.9MB

Download
memory/1992-5-0x0000000004EC0000-0x0000000004F00000-memory.dmp

Filesize
256KB

Download
memory/1992-1-0x0000000074010000-0x00000000746FE000-memory.dmp

Filesize
6.9MB

Download
memory/1992-7-0x0000000005860000-0x00000000058CE000-memory.dmp

Filesize
440KB

Download
memory/1992-15-0x0000000074010000-0x00000000746FE000-memory.dmp

Filesize
6.9MB

Download
memory/2436-10-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/2436-8-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/2436-14-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/2436-16-0x0000000000BE0000-0x0000000000EE3000-memory.dmp

Filesize
3.0MB

Download
memory/2436-12-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads