xloader | b241d39387ebd04a46935432e7abb733d850aa1bbbd4ca686539821f41772e05

General

Target

3e730659320a4ed6b437558f585313ce_JaffaCakes118.exe
Size

813KB
MD5

3e730659320a4ed6b437558f585313ce
SHA1

d4daac30adcf04725cdb8477ec26241f8150c1ef
SHA256

b241d39387ebd04a46935432e7abb733d850aa1bbbd4ca686539821f41772e05
SHA512

b8e8438c18d6c4b3e7b7f1ce057d4d31c86e72fc9205f687e1eebea9dd06f43f3890d0bf1be4fac1f7d6669a123a875c9dbae3304dea36cb91d71ec8326fa02d
SSDEEP

12288:pBGiY6H3FuFp8K3hdHHMUT5FZ6huvYBoU//0dmVmtiK5oxEy:pA6XFur8edHHhT5YuvYBoi0dE+Foxx

Score

10^/10

xloader h5jc loader rat

Malware Config

Extracted

Family

xloader

Version

2.5

Campaign

h5jc

Decoy

sindiranhalus.xyz

ttimecracker.com

bugroster.com

mentication.com

douyinliu.com

newenglandfineproperties.com

oliverchilde.top

one-seo.xyz

alabamahealthywomen.com

bordadosads.com

raapmanagement.com

mujeresenfarmalatinoamerica.com

tiendakimera.com

testingwss.com

barbiluchia.com

avnft.store

tp-great.com

buytheeye.com

802snowboards.com

sz2bj.com

Signatures

Xloader
Xloader is a rebranded version of Formbook malware.
loader xloader

Xloader payload 1 IoCs

rat

resource	yara_rule
behavioral2/memory/2820-13-0x0000000000400000-0x0000000000429000-memory.dmp	xloader

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 976 set thread context of 2820	976	3e730659320a4ed6b437558f585313ce_JaffaCakes118.exe	98

Modifies registry class 9 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1403246978-718555486-3105247137-1000_Classes\.gmkasm	3e730659320a4ed6b437558f585313ce_JaffaCakes118.exe
Key created	\REGISTRY\USER\S-1-5-21-1403246978-718555486-3105247137-1000_Classes\GMKAssembler.Project	3e730659320a4ed6b437558f585313ce_JaffaCakes118.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1403246978-718555486-3105247137-1000_Classes\GMKAssembler.Project\Shell\open\command\ = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\3e730659320a4ed6b437558f585313ce_JaffaCakes118.exe\" \"%1\""	3e730659320a4ed6b437558f585313ce_JaffaCakes118.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1403246978-718555486-3105247137-1000_Classes\GMKAssembler.Project\DefaultIcon\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\3e730659320a4ed6b437558f585313ce_JaffaCakes118.exe"	3e730659320a4ed6b437558f585313ce_JaffaCakes118.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1403246978-718555486-3105247137-1000_Classes\.gmkasm\ = "GMKAssembler.Project"	3e730659320a4ed6b437558f585313ce_JaffaCakes118.exe
Key created	\REGISTRY\USER\S-1-5-21-1403246978-718555486-3105247137-1000_Classes\GMKAssembler.Project\Shell\open\command	3e730659320a4ed6b437558f585313ce_JaffaCakes118.exe
Key created	\REGISTRY\USER\S-1-5-21-1403246978-718555486-3105247137-1000_Classes\GMKAssembler.Project\Shell	3e730659320a4ed6b437558f585313ce_JaffaCakes118.exe
Key created	\REGISTRY\USER\S-1-5-21-1403246978-718555486-3105247137-1000_Classes\GMKAssembler.Project\Shell\open	3e730659320a4ed6b437558f585313ce_JaffaCakes118.exe
Key created	\REGISTRY\USER\S-1-5-21-1403246978-718555486-3105247137-1000_Classes\GMKAssembler.Project\DefaultIcon	3e730659320a4ed6b437558f585313ce_JaffaCakes118.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
976	3e730659320a4ed6b437558f585313ce_JaffaCakes118.exe
976	3e730659320a4ed6b437558f585313ce_JaffaCakes118.exe
2820	3e730659320a4ed6b437558f585313ce_JaffaCakes118.exe
2820	3e730659320a4ed6b437558f585313ce_JaffaCakes118.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	976	3e730659320a4ed6b437558f585313ce_JaffaCakes118.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 976 wrote to memory of 3680	976	3e730659320a4ed6b437558f585313ce_JaffaCakes118.exe	97
PID 976 wrote to memory of 3680	976	3e730659320a4ed6b437558f585313ce_JaffaCakes118.exe	97
PID 976 wrote to memory of 3680	976	3e730659320a4ed6b437558f585313ce_JaffaCakes118.exe	97
PID 976 wrote to memory of 2820	976	3e730659320a4ed6b437558f585313ce_JaffaCakes118.exe	98
PID 976 wrote to memory of 2820	976	3e730659320a4ed6b437558f585313ce_JaffaCakes118.exe	98
PID 976 wrote to memory of 2820	976	3e730659320a4ed6b437558f585313ce_JaffaCakes118.exe	98
PID 976 wrote to memory of 2820	976	3e730659320a4ed6b437558f585313ce_JaffaCakes118.exe	98
PID 976 wrote to memory of 2820	976	3e730659320a4ed6b437558f585313ce_JaffaCakes118.exe	98
PID 976 wrote to memory of 2820	976	3e730659320a4ed6b437558f585313ce_JaffaCakes118.exe	98

C:\Users\Admin\AppData\Local\Temp\3e730659320a4ed6b437558f585313ce_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\3e730659320a4ed6b437558f585313ce_JaffaCakes118.exe"
1⤵
- Suspicious use of SetThreadContext
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:976
- C:\Users\Admin\AppData\Local\Temp\3e730659320a4ed6b437558f585313ce_JaffaCakes118.exe
  "C:\Users\Admin\AppData\Local\Temp\3e730659320a4ed6b437558f585313ce_JaffaCakes118.exe"
  2⤵
  PID:3680
- C:\Users\Admin\AppData\Local\Temp\3e730659320a4ed6b437558f585313ce_JaffaCakes118.exe
  "C:\Users\Admin\AppData\Local\Temp\3e730659320a4ed6b437558f585313ce_JaffaCakes118.exe"
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2820

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/976-8-0x000000007498E000-0x000000007498F000-memory.dmp

Filesize
4KB

Download
memory/976-9-0x0000000074980000-0x0000000075130000-memory.dmp

Filesize
7.7MB

Download
memory/976-2-0x0000000005510000-0x0000000005AB4000-memory.dmp

Filesize
5.6MB

Download
memory/976-3-0x0000000005000000-0x0000000005092000-memory.dmp

Filesize
584KB

Download
memory/976-4-0x0000000004F60000-0x0000000004FC6000-memory.dmp

Filesize
408KB

Download
memory/976-5-0x0000000074980000-0x0000000075130000-memory.dmp

Filesize
7.7MB

Download
memory/976-1-0x00000000005E0000-0x00000000006B2000-memory.dmp

Filesize
840KB

Download
memory/976-6-0x0000000005F30000-0x0000000005F3A000-memory.dmp

Filesize
40KB

Download
memory/976-0-0x000000007498E000-0x000000007498F000-memory.dmp

Filesize
4KB

Download
memory/976-7-0x0000000006D00000-0x0000000006D22000-memory.dmp

Filesize
136KB

Download
memory/976-10-0x0000000006DC0000-0x0000000006E5C000-memory.dmp

Filesize
624KB

Download
memory/976-11-0x00000000071D0000-0x000000000723E000-memory.dmp

Filesize
440KB

Download
memory/976-12-0x00000000072C0000-0x00000000072FC000-memory.dmp

Filesize
240KB

Download
memory/976-15-0x0000000074980000-0x0000000075130000-memory.dmp

Filesize
7.7MB

Download
memory/2820-13-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2820-16-0x00000000010E0000-0x000000000142A000-memory.dmp

Filesize
3.3MB

Download

Analysis

Sharing