Overview

overview

10

Static

static

3

1d2ebab3ed...18.exe

windows7-x64

10

1d2ebab3ed...18.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    149s
  • max time network
    151s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240508-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
  • submitted
    02-07-2024 00:56

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    1d2ebab3ed572cc11daf9d4ff90b5e0c_JaffaCakes118.exe

  • Size

    614KB

  • MD5

    1d2ebab3ed572cc11daf9d4ff90b5e0c

  • SHA1

    b3ad1752b059ed8ea2f747ef6c07035c9990aca4

  • SHA256

    c05c2e532b550a79508842fe8f4ab75316c86752bebd912ac84eaed0cdb4ebf4

  • SHA512

    a2c644c5a78307c7f09f6de7dfef5768063918362ae4de8d6760f63679e1f617a7a86149c0f27a43471e818f1bef0d0852df9ee85853e7417d9115dff42ea463

  • SSDEEP

    12288:foNNbQ+X8+UiDLbRHahRyMgtPDwd+0J5rRUqRBEOyMn8oyx:MbQ+X8+UiDLbRHahRiP0d+0PReBKs

Score
10/10
xloadershjnloaderrat

Malware Config

Extracted

Family

xloader

Version

2.5

Campaign

shjn

Decoy

trendlito.com

myspoiledbytchcreations.com

skinsotight.com

merakii.art

sakina.digital

qumpan.com

juxing666.com

andrewolivercounselling.com

blastaerobics.com

linevshaper.store

legendvacationrentals.com

adna17.com

ingodwetrustdaycare.com

j98066.com

noordinarybusiness.com

pacelicensedelectrician.com

istanbulmadencilik.com

roboscop.com

njhude.com

eaglelures.com

Signatures

  • Xloader

    Xloader is a rebranded version of Formbook malware.

    loaderxloader
  • Xloader payload 1 IoCs
    rat
  • Suspicious use of SetThreadContext 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of WriteProcessMemory 6 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\1d2ebab3ed572cc11daf9d4ff90b5e0c_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\1d2ebab3ed572cc11daf9d4ff90b5e0c_JaffaCakes118.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • Suspicious use of WriteProcessMemory
    PID:1972
    • C:\Users\Admin\AppData\Local\Temp\1d2ebab3ed572cc11daf9d4ff90b5e0c_JaffaCakes118.exe
      "C:\Users\Admin\AppData\Local\Temp\1d2ebab3ed572cc11daf9d4ff90b5e0c_JaffaCakes118.exe"
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      PID:3392

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

  • memory/1972-6-0x00000000076F0000-0x000000000778C000-memory.dmp

    Filesize

    624KB

    Download

  • memory/1972-8-0x000000007527E000-0x000000007527F000-memory.dmp

    Filesize

    4KB

    Download

  • memory/1972-2-0x00000000053B0000-0x0000000005954000-memory.dmp

    Filesize

    5.6MB

    Download

  • memory/1972-3-0x0000000004CE0000-0x0000000004D72000-memory.dmp

    Filesize

    584KB

    Download

  • memory/1972-5-0x0000000075270000-0x0000000075A20000-memory.dmp

    Filesize

    7.7MB

    Download

  • memory/1972-4-0x0000000004C80000-0x0000000004C8A000-memory.dmp

    Filesize

    40KB

    Download

  • memory/1972-1-0x0000000000230000-0x00000000002D0000-memory.dmp

    Filesize

    640KB

    Download

  • memory/1972-7-0x0000000005360000-0x000000000536C000-memory.dmp

    Filesize

    48KB

    Download

  • memory/1972-0-0x000000007527E000-0x000000007527F000-memory.dmp

    Filesize

    4KB

    Download

  • memory/1972-9-0x0000000075270000-0x0000000075A20000-memory.dmp

    Filesize

    7.7MB

    Download

  • memory/1972-10-0x0000000007AF0000-0x0000000007B54000-memory.dmp

    Filesize

    400KB

    Download

  • memory/1972-11-0x0000000007C70000-0x0000000007CA0000-memory.dmp

    Filesize

    192KB

    Download

  • memory/1972-14-0x0000000075270000-0x0000000075A20000-memory.dmp

    Filesize

    7.7MB

    Download

  • memory/3392-12-0x0000000000400000-0x0000000000429000-memory.dmp

    Filesize

    164KB

    Download

  • memory/3392-15-0x0000000000FB0000-0x00000000012FA000-memory.dmp

    Filesize

    3.3MB

    Download