xloader | 978dc84bb7f09dde1c5d3adb3b7a28ed7dec8b5a8967c039d4752fda9d93af6c

Analysis

max time kernel
143s
max time network
162s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
21-04-2024 06:31

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

fea8d67890a35c1607a85f708ab3144a_JaffaCakes118.exe
Size

233KB
MD5

fea8d67890a35c1607a85f708ab3144a
SHA1

aa6d96204032bcef99b5c24ea91e13ddd1c21c49
SHA256

978dc84bb7f09dde1c5d3adb3b7a28ed7dec8b5a8967c039d4752fda9d93af6c
SHA512

9ebc219c8b3f955d0d3a068628ff62635248a3649741c493f9a9b275e8701674989634e92b50b2f911220f453eb3637f28fa72d868a09011fb526f7dd28dc3bc
SSDEEP

6144:SDS2xEBsywXxY9UjclZsmBZLmaVuAZEKrTNsO9zCI:SDSGssLBY9UjtmBZL8oEcTNsej

Score

10^/10

xloader snaa loader rat

Malware Config

Extracted

Family

xloader

Version

2.3

Campaign

snaa

Decoy

ivetau.com

jupstudios.com

myvintagespecs.com

nineliveslabs.xyz

linahaljarad.com

itbling.com

bqmmw.com

danmgg.com

savalanxe.com

gasolinestation.info

blankedu.com

virginiacannabislawyer.com

jochichicago.com

herbwarts.com

bigcitygigs.com

gheeduvine.com

underwoodway.net

philosophia-perennis.club

milanodesk.com

myrandr.com

Signatures

Xloader
Xloader is a rebranded version of Formbook malware.
loader xloader

Xloader payload 1 IoCs

rat

resource	yara_rule
behavioral2/memory/4448-3-0x0000000000400000-0x0000000000428000-memory.dmp	xloader

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 3604 set thread context of 4448	3604	fea8d67890a35c1607a85f708ab3144a_JaffaCakes118.exe	91

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
4448	fea8d67890a35c1607a85f708ab3144a_JaffaCakes118.exe
4448	fea8d67890a35c1607a85f708ab3144a_JaffaCakes118.exe

Suspicious behavior: MapViewOfSection 1 IoCs

pid	Process
3604	fea8d67890a35c1607a85f708ab3144a_JaffaCakes118.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 3604 wrote to memory of 4448	3604	fea8d67890a35c1607a85f708ab3144a_JaffaCakes118.exe	91
PID 3604 wrote to memory of 4448	3604	fea8d67890a35c1607a85f708ab3144a_JaffaCakes118.exe	91
PID 3604 wrote to memory of 4448	3604	fea8d67890a35c1607a85f708ab3144a_JaffaCakes118.exe	91
PID 3604 wrote to memory of 4448	3604	fea8d67890a35c1607a85f708ab3144a_JaffaCakes118.exe	91

C:\Users\Admin\AppData\Local\Temp\fea8d67890a35c1607a85f708ab3144a_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\fea8d67890a35c1607a85f708ab3144a_JaffaCakes118.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:3604
- C:\Users\Admin\AppData\Local\Temp\fea8d67890a35c1607a85f708ab3144a_JaffaCakes118.exe
  "C:\Users\Admin\AppData\Local\Temp\fea8d67890a35c1607a85f708ab3144a_JaffaCakes118.exe"
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4448

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=4112 --field-trial-handle=2292,i,2103142837140538807,15881446839139365070,262144 --variations-seed-version /prefetch:8
1⤵
PID:1256

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/3604-1-0x0000000001200000-0x0000000001300000-memory.dmp

Filesize
1024KB

Download
memory/3604-2-0x0000000001420000-0x0000000001422000-memory.dmp

Filesize
8KB

Download
memory/4448-3-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/4448-4-0x00000000011E0000-0x000000000152A000-memory.dmp

Filesize
3.3MB

Download