General

  • Target

    235f4fc0aed323eacf697e1fd5b1aaeb_JaffaCakes118

  • Size

    1.2MB

  • Sample

    240508-f1pesacf9v

  • MD5

    235f4fc0aed323eacf697e1fd5b1aaeb

  • SHA1

    94ff17fe6f766a677b0f26b65e9e808ff7abdbbf

  • SHA256

    d72b2c9f7dc00da9c2933bdd67a59dc0f8923d1478d2b22efc3ab1d52196a5c4

  • SHA512

    d46120b65078d9b8a43bd5e2f9c86d1e00de7964fcf748e711a8fc989ed27055d5b00ec36e17a57d778f37621d767b5aa9459d22c29c454c23cfab477d155492

  • SSDEEP

    6144:fr5KTzUvCH42ZGb9XF1csV2DoT/oENADXgjDxGXMSwGxDUxQTf2ujAhzs7g8LX:z5KEvCH4kGvqfPrDg3kXMitohz38LX

Malware Config

Extracted

  • Family

    xloader

  • Version

    2.1

  • Campaign

    d9s8

  • Decoy


Targets

    • Target

      scn14092020.scr

    • Size

      380KB

    • MD5

      f028d6c9991258c5c75e9f234d4dee79

    • SHA1

      2f6b7f76bb4a3342f3450e1cc9ef539c2028c59e

    • SHA256

      576f0ed5ae69ececc1bb11492479101c0281af46cb86a73eae9195376ab02717

    • SHA512

      d3fd7200dad40ce073d477205abf7736e9aa9aab492fec1f42c318f65c2a9e132ab45d6b9c52fa3d7c535db63c392d370e2ee2b4787845c4f5f5408ba352f8be

    • SSDEEP

      6144:Jr5KTzUvCH42ZGb9XF1csV2DoT/oENADXgjDxGXMSwGxDUxQTf2ujAhzs7g8LX9:Z5KEvCH4kGvqfPrDg3kXMitohz38LX9

    • Xloader

      Xloader is a rebranded version of Formbook malware.

    • Xloader payload

    • Executes dropped EXE

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials and similar sensitive data.

    • Adds Run key to start application

    • Suspicious use of NtSetInformationThreadHideFromDebugger

    • Suspicious use of SetThreadContext

MITRE ATT&CK Matrix (ATT&CK v13)

Persistence

  • Boot or Logon Autostart Execution: T1547 (1)

  • Registry Run Keys / Startup Folder: T1547.001 (1)

Privilege Escalation

  • Boot or Logon Autostart Execution: T1547 (1)

  • Registry Run Keys / Startup Folder: T1547.001 (1)

Defense Evasion

  • Modify Registry: T1112 (2)

Credential Access

  • Unsecured Credentials: T1552 (1)

  • Credentials In Files: T1552.001 (1)

Collection

  • Data from Local System: T1005 (1)

Tasks