xloader | c2276e1e74e979f62298ebfdeab3d4f2ab94ef8d589026e359d88936b9013f40

Analysis

max time kernel
125s
max time network
127s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
08-05-2024 22:44

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

27109f0d4d1e1d20d4a64245bc6604b4_JaffaCakes118.exe
Size

672KB
MD5

27109f0d4d1e1d20d4a64245bc6604b4
SHA1

ea65d2ff984d14641ee9197ee4bbdbcaf59109e3
SHA256

c2276e1e74e979f62298ebfdeab3d4f2ab94ef8d589026e359d88936b9013f40
SHA512

8ae5a44c1dfb75aaa798b8102e9cdac3540a500926558ceb86c755804ace9b31dc75d90828d08045708c0fe1bb3f5b5c9073a9d35cc73187cc07a8ed70037d9e
SSDEEP

12288:IBI4thq6QbSNnW0/VKjONRh7cMF5S4AhUO4anx8GJ4+IDRfr08/d5cam:IBJQz6W0tIi7cMFkf8ax/URfrL7ca

Score

10^/10

xloader p980 loader rat

Malware Config

Extracted

Family

xloader

Version

2.1

Campaign

p980

Decoy

iwantgoddessevelyn.com

attorneysiraq.com

stfairytale-gakuin.site

mybazaartrip.com

alexjrtransport.com

present-sense.store

bigbucks4you.com

westernwings.info

qrs4u.com

knightsbridgehouse.com

fanamfoods.com

ediblesareincredible.com

revinedbypao.com

psychsolutionsofdurham.com

xn--mykyr-kra.com

sweettreatsepiceats.com

quarnetta.com

femaletopic.com

rockstoneofblue.com

btbaidu.com

Signatures

Xloader
Xloader is a rebranded version of Formbook malware.
loader xloader

Xloader payload 1 IoCs

rat

Processes:

resource	yara_rule
behavioral2/memory/1472-11-0x0000000000400000-0x0000000000428000-memory.dmp	xloader

Suspicious use of SetThreadContext 1 IoCs

Processes:

27109f0d4d1e1d20d4a64245bc6604b4_JaffaCakes118.exe

description	pid	process	target process
PID 3364 set thread context of 1472	3364	27109f0d4d1e1d20d4a64245bc6604b4_JaffaCakes118.exe	27109f0d4d1e1d20d4a64245bc6604b4_JaffaCakes118.exe

Suspicious behavior: EnumeratesProcesses 5 IoCs

Processes:

27109f0d4d1e1d20d4a64245bc6604b4_JaffaCakes118.exe27109f0d4d1e1d20d4a64245bc6604b4_JaffaCakes118.exe

pid	process
3364	27109f0d4d1e1d20d4a64245bc6604b4_JaffaCakes118.exe
3364	27109f0d4d1e1d20d4a64245bc6604b4_JaffaCakes118.exe
3364	27109f0d4d1e1d20d4a64245bc6604b4_JaffaCakes118.exe
1472	27109f0d4d1e1d20d4a64245bc6604b4_JaffaCakes118.exe
1472	27109f0d4d1e1d20d4a64245bc6604b4_JaffaCakes118.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

27109f0d4d1e1d20d4a64245bc6604b4_JaffaCakes118.exe

description pid process

Token: SeDebugPrivilege 3364 27109f0d4d1e1d20d4a64245bc6604b4_JaffaCakes118.exe

description	pid	process
Token: SeDebugPrivilege	3364	27109f0d4d1e1d20d4a64245bc6604b4_JaffaCakes118.exe

Suspicious use of WriteProcessMemory 6 IoCs

Processes:

27109f0d4d1e1d20d4a64245bc6604b4_JaffaCakes118.exe

description	pid	process	target process
PID 3364 wrote to memory of 1472	3364	27109f0d4d1e1d20d4a64245bc6604b4_JaffaCakes118.exe	27109f0d4d1e1d20d4a64245bc6604b4_JaffaCakes118.exe
PID 3364 wrote to memory of 1472	3364	27109f0d4d1e1d20d4a64245bc6604b4_JaffaCakes118.exe	27109f0d4d1e1d20d4a64245bc6604b4_JaffaCakes118.exe
PID 3364 wrote to memory of 1472	3364	27109f0d4d1e1d20d4a64245bc6604b4_JaffaCakes118.exe	27109f0d4d1e1d20d4a64245bc6604b4_JaffaCakes118.exe
PID 3364 wrote to memory of 1472	3364	27109f0d4d1e1d20d4a64245bc6604b4_JaffaCakes118.exe	27109f0d4d1e1d20d4a64245bc6604b4_JaffaCakes118.exe
PID 3364 wrote to memory of 1472	3364	27109f0d4d1e1d20d4a64245bc6604b4_JaffaCakes118.exe	27109f0d4d1e1d20d4a64245bc6604b4_JaffaCakes118.exe
PID 3364 wrote to memory of 1472	3364	27109f0d4d1e1d20d4a64245bc6604b4_JaffaCakes118.exe	27109f0d4d1e1d20d4a64245bc6604b4_JaffaCakes118.exe

C:\Users\Admin\AppData\Local\Temp\27109f0d4d1e1d20d4a64245bc6604b4_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\27109f0d4d1e1d20d4a64245bc6604b4_JaffaCakes118.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3364

C:\Users\Admin\AppData\Local\Temp\27109f0d4d1e1d20d4a64245bc6604b4_JaffaCakes118.exe
"{path}"
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:1472

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --field-trial-handle=3144,i,1697479186275492802,18058102846092193784,262144 --variations-seed-version --mojo-platform-channel-handle=4404 /prefetch:8
1⤵
PID:2216

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1472-11-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/1472-14-0x0000000001520000-0x000000000186A000-memory.dmp

Filesize
3.3MB

Download
memory/3364-6-0x0000000007790000-0x000000000782C000-memory.dmp

Filesize
624KB

Download
memory/3364-3-0x0000000004E60000-0x0000000004EF2000-memory.dmp

Filesize
584KB

Download
memory/3364-4-0x0000000004E50000-0x0000000004E5A000-memory.dmp

Filesize
40KB

Download
memory/3364-5-0x00000000750C0000-0x0000000075870000-memory.dmp

Filesize
7.7MB

Download
memory/3364-0-0x00000000750CE000-0x00000000750CF000-memory.dmp

Filesize
4KB

Download
memory/3364-7-0x00000000050F0000-0x0000000005102000-memory.dmp

Filesize
72KB

Download
memory/3364-8-0x00000000750C0000-0x0000000075870000-memory.dmp

Filesize
7.7MB

Download
memory/3364-9-0x0000000007950000-0x00000000079D8000-memory.dmp

Filesize
544KB

Download
memory/3364-10-0x000000000A110000-0x000000000A182000-memory.dmp

Filesize
456KB

Download
memory/3364-2-0x0000000005370000-0x0000000005914000-memory.dmp

Filesize
5.6MB

Download
memory/3364-13-0x00000000750C0000-0x0000000075870000-memory.dmp

Filesize
7.7MB

Download
memory/3364-1-0x00000000003E0000-0x000000000048E000-memory.dmp

Filesize
696KB

Download