xloader | c2276e1e74e979f62298ebfdeab3d4f2ab94ef8d589026e359d88936b9013f40

Analysis

max time kernel
117s
max time network
118s
platform
windows7_x64
resource
win7-20240220-en
resource tags

arch:x64arch:x86image:win7-20240220-enlocale:en-usos:windows7-x64system
submitted
08-05-2024 22:44

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

27109f0d4d1e1d20d4a64245bc6604b4_JaffaCakes118.exe
Size

672KB
MD5

27109f0d4d1e1d20d4a64245bc6604b4
SHA1

ea65d2ff984d14641ee9197ee4bbdbcaf59109e3
SHA256

c2276e1e74e979f62298ebfdeab3d4f2ab94ef8d589026e359d88936b9013f40
SHA512

8ae5a44c1dfb75aaa798b8102e9cdac3540a500926558ceb86c755804ace9b31dc75d90828d08045708c0fe1bb3f5b5c9073a9d35cc73187cc07a8ed70037d9e
SSDEEP

12288:IBI4thq6QbSNnW0/VKjONRh7cMF5S4AhUO4anx8GJ4+IDRfr08/d5cam:IBJQz6W0tIi7cMFkf8ax/URfrL7ca

Score

10^/10

xloader p980 loader rat

Malware Config

Extracted

Family

xloader

Version

2.1

Campaign

p980

Decoy

iwantgoddessevelyn.com

attorneysiraq.com

stfairytale-gakuin.site

mybazaartrip.com

alexjrtransport.com

present-sense.store

bigbucks4you.com

westernwings.info

qrs4u.com

knightsbridgehouse.com

fanamfoods.com

ediblesareincredible.com

revinedbypao.com

psychsolutionsofdurham.com

xn--mykyr-kra.com

sweettreatsepiceats.com

quarnetta.com

femaletopic.com

rockstoneofblue.com

btbaidu.com

Signatures

Xloader
Xloader is a rebranded version of Formbook malware.
loader xloader

Xloader payload 1 IoCs

rat

Processes:

resource	yara_rule
behavioral1/memory/3052-14-0x0000000000400000-0x0000000000428000-memory.dmp	xloader

Suspicious use of SetThreadContext 1 IoCs

Processes:

27109f0d4d1e1d20d4a64245bc6604b4_JaffaCakes118.exe

description	pid	Process	procid_target
PID 1684 set thread context of 3052	1684	27109f0d4d1e1d20d4a64245bc6604b4_JaffaCakes118.exe	28

Suspicious behavior: EnumeratesProcesses 3 IoCs

Processes:

27109f0d4d1e1d20d4a64245bc6604b4_JaffaCakes118.exe27109f0d4d1e1d20d4a64245bc6604b4_JaffaCakes118.exe

pid	Process
1684	27109f0d4d1e1d20d4a64245bc6604b4_JaffaCakes118.exe
1684	27109f0d4d1e1d20d4a64245bc6604b4_JaffaCakes118.exe
3052	27109f0d4d1e1d20d4a64245bc6604b4_JaffaCakes118.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

27109f0d4d1e1d20d4a64245bc6604b4_JaffaCakes118.exe

description	pid	Process
Token: SeDebugPrivilege	1684	27109f0d4d1e1d20d4a64245bc6604b4_JaffaCakes118.exe

Suspicious use of WriteProcessMemory 7 IoCs

Processes:

27109f0d4d1e1d20d4a64245bc6604b4_JaffaCakes118.exe

description	pid	Process	procid_target
PID 1684 wrote to memory of 3052	1684	27109f0d4d1e1d20d4a64245bc6604b4_JaffaCakes118.exe	28
PID 1684 wrote to memory of 3052	1684	27109f0d4d1e1d20d4a64245bc6604b4_JaffaCakes118.exe	28
PID 1684 wrote to memory of 3052	1684	27109f0d4d1e1d20d4a64245bc6604b4_JaffaCakes118.exe	28
PID 1684 wrote to memory of 3052	1684	27109f0d4d1e1d20d4a64245bc6604b4_JaffaCakes118.exe	28
PID 1684 wrote to memory of 3052	1684	27109f0d4d1e1d20d4a64245bc6604b4_JaffaCakes118.exe	28
PID 1684 wrote to memory of 3052	1684	27109f0d4d1e1d20d4a64245bc6604b4_JaffaCakes118.exe	28
PID 1684 wrote to memory of 3052	1684	27109f0d4d1e1d20d4a64245bc6604b4_JaffaCakes118.exe	28

C:\Users\Admin\AppData\Local\Temp\27109f0d4d1e1d20d4a64245bc6604b4_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\27109f0d4d1e1d20d4a64245bc6604b4_JaffaCakes118.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1684
- C:\Users\Admin\AppData\Local\Temp\27109f0d4d1e1d20d4a64245bc6604b4_JaffaCakes118.exe
  "{path}"
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3052

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1684-6-0x0000000005CC0000-0x0000000005D48000-memory.dmp

Filesize
544KB

Download
memory/1684-0-0x0000000074D9E000-0x0000000074D9F000-memory.dmp

Filesize
4KB

Download
memory/1684-2-0x0000000074D90000-0x000000007547E000-memory.dmp

Filesize
6.9MB

Download
memory/1684-3-0x0000000000480000-0x0000000000492000-memory.dmp

Filesize
72KB

Download
memory/1684-4-0x0000000074D9E000-0x0000000074D9F000-memory.dmp

Filesize
4KB

Download
memory/1684-5-0x0000000074D90000-0x000000007547E000-memory.dmp

Filesize
6.9MB

Download
memory/1684-1-0x0000000000FE0000-0x000000000108E000-memory.dmp

Filesize
696KB

Download
memory/1684-7-0x0000000005D40000-0x0000000005DB2000-memory.dmp

Filesize
456KB

Download
memory/1684-15-0x0000000074D90000-0x000000007547E000-memory.dmp

Filesize
6.9MB

Download
memory/3052-14-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/3052-9-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/3052-10-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/3052-12-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/3052-16-0x0000000000A20000-0x0000000000D23000-memory.dmp

Filesize
3.0MB

Download