xloader | d0834d9c3b1c362289e0905285aeb0b28490cc5eacb5752080c6553c75d4b00b

Analysis

max time kernel
147s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
13-06-2024 05:13

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

a3eea48c7d0cd1c1ac13ff3bf81ce5ff_JaffaCakes118.exe
Size

616KB
MD5

a3eea48c7d0cd1c1ac13ff3bf81ce5ff
SHA1

d69bed5b1751958cb9bb667539a5c6422f2c1492
SHA256

d0834d9c3b1c362289e0905285aeb0b28490cc5eacb5752080c6553c75d4b00b
SHA512

3a1caf398353daea530c674061be1ecba09a4ff1e8cf8aed73527baf4e7dde3f60a788bd7794faa53a770f21dd386b0dd6aa7199d5d0c7707ea102096bf59a4c
SSDEEP

12288:EfkvTYBcDUiRWshAgd2ptNiNZ9c5mbjCQg2WOesJcaC:Kcjdd2m6sGQ5Wraca

Score

10^/10

xloader agwz loader rat

Malware Config

Extracted

Family

xloader

Version

2.1

Campaign

agwz

Decoy

organicsifa.com

microlivros.com

kharestudio.com

processautomationsystem.com

359192.com

user-id06783.com

hoopletesonline.com

camrashos.com

xfgyzzm.icu

jjjllcbooking.com

ztouh.info

mynetlfis.info

honeydigi.com

claytelier.com

hbozoom.com

theleftreports.net

drmenelaou.com

ignoringracism.com

querofalardesaude.com

smithysminicharters.com

Signatures

Xloader
Xloader is a rebranded version of Formbook malware.
loader xloader

Xloader payload 1 IoCs

rat

resource	yara_rule
behavioral2/memory/4644-11-0x0000000000400000-0x0000000000428000-memory.dmp	xloader

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 4952 set thread context of 4644	4952	a3eea48c7d0cd1c1ac13ff3bf81ce5ff_JaffaCakes118.exe	91

Suspicious behavior: EnumeratesProcesses 5 IoCs

pid	Process
4952	a3eea48c7d0cd1c1ac13ff3bf81ce5ff_JaffaCakes118.exe
4952	a3eea48c7d0cd1c1ac13ff3bf81ce5ff_JaffaCakes118.exe
4952	a3eea48c7d0cd1c1ac13ff3bf81ce5ff_JaffaCakes118.exe
4644	a3eea48c7d0cd1c1ac13ff3bf81ce5ff_JaffaCakes118.exe
4644	a3eea48c7d0cd1c1ac13ff3bf81ce5ff_JaffaCakes118.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	4952	a3eea48c7d0cd1c1ac13ff3bf81ce5ff_JaffaCakes118.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 4952 wrote to memory of 4644	4952	a3eea48c7d0cd1c1ac13ff3bf81ce5ff_JaffaCakes118.exe	91
PID 4952 wrote to memory of 4644	4952	a3eea48c7d0cd1c1ac13ff3bf81ce5ff_JaffaCakes118.exe	91
PID 4952 wrote to memory of 4644	4952	a3eea48c7d0cd1c1ac13ff3bf81ce5ff_JaffaCakes118.exe	91
PID 4952 wrote to memory of 4644	4952	a3eea48c7d0cd1c1ac13ff3bf81ce5ff_JaffaCakes118.exe	91
PID 4952 wrote to memory of 4644	4952	a3eea48c7d0cd1c1ac13ff3bf81ce5ff_JaffaCakes118.exe	91
PID 4952 wrote to memory of 4644	4952	a3eea48c7d0cd1c1ac13ff3bf81ce5ff_JaffaCakes118.exe	91

C:\Users\Admin\AppData\Local\Temp\a3eea48c7d0cd1c1ac13ff3bf81ce5ff_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\a3eea48c7d0cd1c1ac13ff3bf81ce5ff_JaffaCakes118.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4952
- C:\Users\Admin\AppData\Local\Temp\a3eea48c7d0cd1c1ac13ff3bf81ce5ff_JaffaCakes118.exe
  "{path}"
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4644

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/4644-11-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/4644-15-0x00000000011A0000-0x00000000014EA000-memory.dmp

Filesize
3.3MB

Download
memory/4644-14-0x00000000011A0000-0x00000000014EA000-memory.dmp

Filesize
3.3MB

Download
memory/4952-5-0x0000000005280000-0x000000000531C000-memory.dmp

Filesize
624KB

Download
memory/4952-4-0x0000000004F60000-0x0000000004F6A000-memory.dmp

Filesize
40KB

Download
memory/4952-6-0x0000000074650000-0x0000000074E00000-memory.dmp

Filesize
7.7MB

Download
memory/4952-0-0x000000007465E000-0x000000007465F000-memory.dmp

Filesize
4KB

Download
memory/4952-7-0x0000000004F50000-0x0000000004F62000-memory.dmp

Filesize
72KB

Download
memory/4952-8-0x0000000074650000-0x0000000074E00000-memory.dmp

Filesize
7.7MB

Download
memory/4952-9-0x0000000005F50000-0x0000000005FC4000-memory.dmp

Filesize
464KB

Download
memory/4952-10-0x00000000085A0000-0x00000000085FE000-memory.dmp

Filesize
376KB

Download
memory/4952-3-0x0000000004FB0000-0x0000000005042000-memory.dmp

Filesize
584KB

Download
memory/4952-13-0x0000000074650000-0x0000000074E00000-memory.dmp

Filesize
7.7MB

Download
memory/4952-2-0x0000000005560000-0x0000000005B04000-memory.dmp

Filesize
5.6MB

Download
memory/4952-1-0x0000000000510000-0x00000000005B0000-memory.dmp

Filesize
640KB

Download