xloader | 6b043d0032718af4354f8af36a1f97dd236a0026011215f8674c623ac5a66697

Analysis

max time kernel
117s
max time network
119s
platform
windows7_x64
resource
win7-20240705-en
resource tags

arch:x64arch:x86image:win7-20240705-enlocale:en-usos:windows7-x64system
submitted
09-07-2024 07:53

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2f89d68a23b1a9eed55a6dc0565549f1_JaffaCakes118.exe
Size

455KB
MD5

2f89d68a23b1a9eed55a6dc0565549f1
SHA1

8f34ff1749aa25483341e22eedd867565a33b0b1
SHA256

6b043d0032718af4354f8af36a1f97dd236a0026011215f8674c623ac5a66697
SHA512

b2388d6952c06c9dea5ba1f6c4180072107ca467a5d8cbe8e5ffa90706dc8c477cc80d9964abd9450dd5af34711396f53410b07bb758d62c4d1b0c637d4aebb1
SSDEEP

12288:faGNY/D1RGxGOs+baytUqTdQT5gkP0gUbp9n5sEOL1kqb1gMa:9NY+bDYCk1Ubp9n5sEUhz

Score

10^/10

xloader vpz6 loader rat

Malware Config

Extracted

Family

xloader

Version

2.3

Campaign

vpz6

Decoy

upscalejob.com

gzjy138.com

sexyyin.com

lapptv.com

joinplshere.com

cheapwatchband.com

bostonm.info

dschazy.com

pleetly.com

lamaradas.com

preventroofcollapse.com

richmondparents.com

elegantoshop.com

alabamasgulfcoast.info

asiastreetballleague.com

medinaprojectconstruction.com

theramone.com

findhydraulicparts.com

wzqp5.com

toppickaustralia.com

Signatures

Xloader
Xloader is a rebranded version of Formbook malware.
loader xloader

Xloader payload 1 IoCs

rat

Processes:

resource	yara_rule
behavioral1/memory/2744-13-0x0000000000400000-0x0000000000428000-memory.dmp	xloader

Suspicious use of SetThreadContext 1 IoCs

Processes:

2f89d68a23b1a9eed55a6dc0565549f1_JaffaCakes118.exe

description	pid	Process	procid_target
PID 2548 set thread context of 2744	2548	2f89d68a23b1a9eed55a6dc0565549f1_JaffaCakes118.exe	31

Suspicious behavior: EnumeratesProcesses 1 IoCs

Processes:

2f89d68a23b1a9eed55a6dc0565549f1_JaffaCakes118.exe

pid	Process
2744	2f89d68a23b1a9eed55a6dc0565549f1_JaffaCakes118.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

2f89d68a23b1a9eed55a6dc0565549f1_JaffaCakes118.exe

description	pid	Process
Token: SeDebugPrivilege	2548	2f89d68a23b1a9eed55a6dc0565549f1_JaffaCakes118.exe

Suspicious use of WriteProcessMemory 7 IoCs

Processes:

2f89d68a23b1a9eed55a6dc0565549f1_JaffaCakes118.exe

description	pid	Process	procid_target
PID 2548 wrote to memory of 2744	2548	2f89d68a23b1a9eed55a6dc0565549f1_JaffaCakes118.exe	31
PID 2548 wrote to memory of 2744	2548	2f89d68a23b1a9eed55a6dc0565549f1_JaffaCakes118.exe	31
PID 2548 wrote to memory of 2744	2548	2f89d68a23b1a9eed55a6dc0565549f1_JaffaCakes118.exe	31
PID 2548 wrote to memory of 2744	2548	2f89d68a23b1a9eed55a6dc0565549f1_JaffaCakes118.exe	31
PID 2548 wrote to memory of 2744	2548	2f89d68a23b1a9eed55a6dc0565549f1_JaffaCakes118.exe	31
PID 2548 wrote to memory of 2744	2548	2f89d68a23b1a9eed55a6dc0565549f1_JaffaCakes118.exe	31
PID 2548 wrote to memory of 2744	2548	2f89d68a23b1a9eed55a6dc0565549f1_JaffaCakes118.exe	31

C:\Users\Admin\AppData\Local\Temp\2f89d68a23b1a9eed55a6dc0565549f1_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\2f89d68a23b1a9eed55a6dc0565549f1_JaffaCakes118.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2548
- C:\Users\Admin\AppData\Local\Temp\2f89d68a23b1a9eed55a6dc0565549f1_JaffaCakes118.exe
  "{path}"
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2744

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/2548-6-0x0000000001190000-0x00000000011F4000-memory.dmp

Filesize
400KB

Download
memory/2548-1-0x0000000001390000-0x000000000140A000-memory.dmp

Filesize
488KB

Download
memory/2548-2-0x00000000744F0000-0x0000000074BDE000-memory.dmp

Filesize
6.9MB

Download
memory/2548-3-0x00000000003F0000-0x00000000003F8000-memory.dmp

Filesize
32KB

Download
memory/2548-4-0x00000000744FE000-0x00000000744FF000-memory.dmp

Filesize
4KB

Download
memory/2548-5-0x00000000744F0000-0x0000000074BDE000-memory.dmp

Filesize
6.9MB

Download
memory/2548-0-0x00000000744FE000-0x00000000744FF000-memory.dmp

Filesize
4KB

Download
memory/2548-14-0x00000000744F0000-0x0000000074BDE000-memory.dmp

Filesize
6.9MB

Download
memory/2744-7-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/2744-9-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/2744-13-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/2744-11-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2744-15-0x0000000000880000-0x0000000000B83000-memory.dmp

Filesize
3.0MB

Download