xloader | b241d39387ebd04a46935432e7abb733d850aa1bbbd4ca686539821f41772e05

General

Target

3e730659320a4ed6b437558f585313ce_JaffaCakes118.exe
Size

813KB
MD5

3e730659320a4ed6b437558f585313ce
SHA1

d4daac30adcf04725cdb8477ec26241f8150c1ef
SHA256

b241d39387ebd04a46935432e7abb733d850aa1bbbd4ca686539821f41772e05
SHA512

b8e8438c18d6c4b3e7b7f1ce057d4d31c86e72fc9205f687e1eebea9dd06f43f3890d0bf1be4fac1f7d6669a123a875c9dbae3304dea36cb91d71ec8326fa02d
SSDEEP

12288:pBGiY6H3FuFp8K3hdHHMUT5FZ6huvYBoU//0dmVmtiK5oxEy:pA6XFur8edHHhT5YuvYBoi0dE+Foxx

Score

10^/10

xloader h5jc loader rat

Malware Config

Extracted

Family

xloader

Version

2.5

Campaign

h5jc

Decoy

sindiranhalus.xyz

ttimecracker.com

bugroster.com

mentication.com

douyinliu.com

newenglandfineproperties.com

oliverchilde.top

one-seo.xyz

alabamahealthywomen.com

bordadosads.com

raapmanagement.com

mujeresenfarmalatinoamerica.com

tiendakimera.com

testingwss.com

barbiluchia.com

avnft.store

tp-great.com

buytheeye.com

802snowboards.com

sz2bj.com

Signatures

Xloader
Xloader is a rebranded version of Formbook malware.
loader xloader

Xloader payload 2 IoCs

rat

resource	yara_rule
behavioral1/memory/2192-12-0x0000000000400000-0x0000000000429000-memory.dmp	xloader
behavioral1/memory/2192-15-0x0000000000970000-0x0000000000C73000-memory.dmp	xloader

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 1892 set thread context of 2192	1892	3e730659320a4ed6b437558f585313ce_JaffaCakes118.exe	34

Modifies registry class 9 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000_CLASSES\GMKAssembler.Project\Shell\open\command\ = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\3e730659320a4ed6b437558f585313ce_JaffaCakes118.exe\" \"%1\""	3e730659320a4ed6b437558f585313ce_JaffaCakes118.exe
Key created	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000_CLASSES\GMKAssembler.Project\DefaultIcon	3e730659320a4ed6b437558f585313ce_JaffaCakes118.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000_CLASSES\GMKAssembler.Project\DefaultIcon\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\3e730659320a4ed6b437558f585313ce_JaffaCakes118.exe"	3e730659320a4ed6b437558f585313ce_JaffaCakes118.exe
Key created	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000_CLASSES\.gmkasm	3e730659320a4ed6b437558f585313ce_JaffaCakes118.exe
Key created	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000_CLASSES\GMKAssembler.Project	3e730659320a4ed6b437558f585313ce_JaffaCakes118.exe
Key created	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000_CLASSES\GMKAssembler.Project\Shell	3e730659320a4ed6b437558f585313ce_JaffaCakes118.exe
Key created	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000_CLASSES\GMKAssembler.Project\Shell\open	3e730659320a4ed6b437558f585313ce_JaffaCakes118.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000_CLASSES\.gmkasm\ = "GMKAssembler.Project"	3e730659320a4ed6b437558f585313ce_JaffaCakes118.exe
Key created	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000_CLASSES\GMKAssembler.Project\Shell\open\command	3e730659320a4ed6b437558f585313ce_JaffaCakes118.exe

Suspicious behavior: EnumeratesProcesses 3 IoCs

pid	Process
1892	3e730659320a4ed6b437558f585313ce_JaffaCakes118.exe
1892	3e730659320a4ed6b437558f585313ce_JaffaCakes118.exe
2192	3e730659320a4ed6b437558f585313ce_JaffaCakes118.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	1892	3e730659320a4ed6b437558f585313ce_JaffaCakes118.exe

Suspicious use of WriteProcessMemory 11 IoCs

description	pid	Process	procid_target
PID 1892 wrote to memory of 2080	1892	3e730659320a4ed6b437558f585313ce_JaffaCakes118.exe	33
PID 1892 wrote to memory of 2080	1892	3e730659320a4ed6b437558f585313ce_JaffaCakes118.exe	33
PID 1892 wrote to memory of 2080	1892	3e730659320a4ed6b437558f585313ce_JaffaCakes118.exe	33
PID 1892 wrote to memory of 2080	1892	3e730659320a4ed6b437558f585313ce_JaffaCakes118.exe	33
PID 1892 wrote to memory of 2192	1892	3e730659320a4ed6b437558f585313ce_JaffaCakes118.exe	34
PID 1892 wrote to memory of 2192	1892	3e730659320a4ed6b437558f585313ce_JaffaCakes118.exe	34
PID 1892 wrote to memory of 2192	1892	3e730659320a4ed6b437558f585313ce_JaffaCakes118.exe	34
PID 1892 wrote to memory of 2192	1892	3e730659320a4ed6b437558f585313ce_JaffaCakes118.exe	34
PID 1892 wrote to memory of 2192	1892	3e730659320a4ed6b437558f585313ce_JaffaCakes118.exe	34
PID 1892 wrote to memory of 2192	1892	3e730659320a4ed6b437558f585313ce_JaffaCakes118.exe	34
PID 1892 wrote to memory of 2192	1892	3e730659320a4ed6b437558f585313ce_JaffaCakes118.exe	34

C:\Users\Admin\AppData\Local\Temp\3e730659320a4ed6b437558f585313ce_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\3e730659320a4ed6b437558f585313ce_JaffaCakes118.exe"
1⤵
- Suspicious use of SetThreadContext
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1892
- C:\Users\Admin\AppData\Local\Temp\3e730659320a4ed6b437558f585313ce_JaffaCakes118.exe
  "C:\Users\Admin\AppData\Local\Temp\3e730659320a4ed6b437558f585313ce_JaffaCakes118.exe"
  2⤵
  PID:2080
- C:\Users\Admin\AppData\Local\Temp\3e730659320a4ed6b437558f585313ce_JaffaCakes118.exe
  "C:\Users\Admin\AppData\Local\Temp\3e730659320a4ed6b437558f585313ce_JaffaCakes118.exe"
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2192

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1892-6-0x0000000005570000-0x00000000055DE000-memory.dmp

Filesize
440KB

Download
memory/1892-13-0x0000000073C00000-0x00000000742EE000-memory.dmp

Filesize
6.9MB

Download
memory/1892-2-0x0000000073C00000-0x00000000742EE000-memory.dmp

Filesize
6.9MB

Download
memory/1892-3-0x0000000000B40000-0x0000000000B62000-memory.dmp

Filesize
136KB

Download
memory/1892-4-0x0000000073C0E000-0x0000000073C0F000-memory.dmp

Filesize
4KB

Download
memory/1892-5-0x0000000073C00000-0x00000000742EE000-memory.dmp

Filesize
6.9MB

Download
memory/1892-1-0x0000000000D90000-0x0000000000E62000-memory.dmp

Filesize
840KB

Download
memory/1892-7-0x0000000000D50000-0x0000000000D8C000-memory.dmp

Filesize
240KB

Download
memory/1892-0-0x0000000073C0E000-0x0000000073C0F000-memory.dmp

Filesize
4KB

Download
memory/2192-10-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2192-8-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2192-12-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2192-9-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2192-14-0x0000000000970000-0x0000000000C73000-memory.dmp

Filesize
3.0MB

Download
memory/2192-15-0x0000000000970000-0x0000000000C73000-memory.dmp

Filesize
3.0MB

Download

Analysis

Sharing