xloader | 842898cfb97f8c01b55ea1aaf32ffffb5497e1dbe6ea309bfa715e37212bb6da

Analysis

max time kernel
139s
max time network
146s
platform
windows10-2004_x64
resource
win10v2004-20240709-en
resource tags

arch:x64arch:x86image:win10v2004-20240709-enlocale:en-usos:windows10-2004-x64system
submitted
19-07-2024 03:41

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

5a53f07640f66b7e88ac3d0b4acd5f9a_JaffaCakes118.exe
Size

2.4MB
MD5

5a53f07640f66b7e88ac3d0b4acd5f9a
SHA1

f8fbe7bbf85d97e557257c9fe09414a804da4a36
SHA256

842898cfb97f8c01b55ea1aaf32ffffb5497e1dbe6ea309bfa715e37212bb6da
SHA512

c0de15838eb3f87f0846f6c132db4e7c31630092d8af1552eac89a9f10cba3fd06373e0768f7504814c9728716ceaa9623db151a0b7f41354bd23c5d32b61242
SSDEEP

49152:uooZ0ajbQzlq5O+l4QOnn8jeX+l8uvlhfNf5lWLPNyeL9+hw/USGy7Xk/51HwgGQ:eX0zlC6mJ98BVF/Q1a7

Score

10^/10

xloader u2km loader rat

Malware Config

Extracted

Family

xloader

Version

2.3

Campaign

u2km

Decoy

fairhygiene.com

adminnovicepro.xyz

mysteptofreedom.com

beachstoreonline.com

outofmyfacemace.com

jjudit.com

x-box2send22.club

genuineconsultingservices.com

avreeaylwomackoneil.online

englandisrael.com

wealthwelb.com

ettransfertest.com

digitalrealestate.computer

aryamansaigoa.com

caterinebat.com

bostonm.info

n1nte.net

newvisiontravels.com

ma-apo.com

samrcaldwell.net

Signatures

Xloader
Xloader is a rebranded version of Formbook malware.
loader xloader

Beds Protector Packer 1 IoCs

Detects Beds Protector packer used to load .NET malware.

resource	yara_rule
behavioral2/memory/4556-4-0x0000000005880000-0x0000000005AE8000-memory.dmp	beds_protector

Xloader payload 1 IoCs

rat

resource	yara_rule
behavioral2/memory/4716-8-0x0000000000400000-0x0000000000428000-memory.dmp	xloader

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 4556 set thread context of 4716	4556	5a53f07640f66b7e88ac3d0b4acd5f9a_JaffaCakes118.exe	89

Program crash 1 IoCs

pid	pid_target	Process	procid_target
4640	4556	WerFault.exe	83

Suspicious behavior: EnumeratesProcesses 6 IoCs

pid	Process
4556	5a53f07640f66b7e88ac3d0b4acd5f9a_JaffaCakes118.exe
4556	5a53f07640f66b7e88ac3d0b4acd5f9a_JaffaCakes118.exe
4556	5a53f07640f66b7e88ac3d0b4acd5f9a_JaffaCakes118.exe
4556	5a53f07640f66b7e88ac3d0b4acd5f9a_JaffaCakes118.exe
4716	5a53f07640f66b7e88ac3d0b4acd5f9a_JaffaCakes118.exe
4716	5a53f07640f66b7e88ac3d0b4acd5f9a_JaffaCakes118.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	4556	5a53f07640f66b7e88ac3d0b4acd5f9a_JaffaCakes118.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 4556 wrote to memory of 3372	4556	5a53f07640f66b7e88ac3d0b4acd5f9a_JaffaCakes118.exe	87
PID 4556 wrote to memory of 3372	4556	5a53f07640f66b7e88ac3d0b4acd5f9a_JaffaCakes118.exe	87
PID 4556 wrote to memory of 3372	4556	5a53f07640f66b7e88ac3d0b4acd5f9a_JaffaCakes118.exe	87
PID 4556 wrote to memory of 816	4556	5a53f07640f66b7e88ac3d0b4acd5f9a_JaffaCakes118.exe	88
PID 4556 wrote to memory of 816	4556	5a53f07640f66b7e88ac3d0b4acd5f9a_JaffaCakes118.exe	88
PID 4556 wrote to memory of 816	4556	5a53f07640f66b7e88ac3d0b4acd5f9a_JaffaCakes118.exe	88
PID 4556 wrote to memory of 4716	4556	5a53f07640f66b7e88ac3d0b4acd5f9a_JaffaCakes118.exe	89
PID 4556 wrote to memory of 4716	4556	5a53f07640f66b7e88ac3d0b4acd5f9a_JaffaCakes118.exe	89
PID 4556 wrote to memory of 4716	4556	5a53f07640f66b7e88ac3d0b4acd5f9a_JaffaCakes118.exe	89
PID 4556 wrote to memory of 4716	4556	5a53f07640f66b7e88ac3d0b4acd5f9a_JaffaCakes118.exe	89
PID 4556 wrote to memory of 4716	4556	5a53f07640f66b7e88ac3d0b4acd5f9a_JaffaCakes118.exe	89
PID 4556 wrote to memory of 4716	4556	5a53f07640f66b7e88ac3d0b4acd5f9a_JaffaCakes118.exe	89

C:\Users\Admin\AppData\Local\Temp\5a53f07640f66b7e88ac3d0b4acd5f9a_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\5a53f07640f66b7e88ac3d0b4acd5f9a_JaffaCakes118.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4556
- C:\Users\Admin\AppData\Local\Temp\5a53f07640f66b7e88ac3d0b4acd5f9a_JaffaCakes118.exe
  "C:\Users\Admin\AppData\Local\Temp\5a53f07640f66b7e88ac3d0b4acd5f9a_JaffaCakes118.exe"
  2⤵
  PID:3372
- C:\Users\Admin\AppData\Local\Temp\5a53f07640f66b7e88ac3d0b4acd5f9a_JaffaCakes118.exe
  "C:\Users\Admin\AppData\Local\Temp\5a53f07640f66b7e88ac3d0b4acd5f9a_JaffaCakes118.exe"
  2⤵
  PID:816
- C:\Users\Admin\AppData\Local\Temp\5a53f07640f66b7e88ac3d0b4acd5f9a_JaffaCakes118.exe
  "C:\Users\Admin\AppData\Local\Temp\5a53f07640f66b7e88ac3d0b4acd5f9a_JaffaCakes118.exe"
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4716
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 4556 -s 1156
  2⤵
  - Program crash
  PID:4640

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 4556 -ip 4556
1⤵
PID:776

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/4556-0-0x000000007485E000-0x000000007485F000-memory.dmp

Filesize
4KB

Download
memory/4556-1-0x00000000009B0000-0x0000000000C26000-memory.dmp

Filesize
2.5MB

Download
memory/4556-2-0x0000000074850000-0x0000000075000000-memory.dmp

Filesize
7.7MB

Download
memory/4556-3-0x0000000005C80000-0x0000000006224000-memory.dmp

Filesize
5.6MB

Download
memory/4556-4-0x0000000005880000-0x0000000005AE8000-memory.dmp

Filesize
2.4MB

Download
memory/4556-5-0x0000000005B90000-0x0000000005C22000-memory.dmp

Filesize
584KB

Download
memory/4556-6-0x0000000006230000-0x00000000062CC000-memory.dmp

Filesize
624KB

Download
memory/4556-7-0x00000000055B0000-0x00000000055C6000-memory.dmp

Filesize
88KB

Download
memory/4556-10-0x0000000074850000-0x0000000075000000-memory.dmp

Filesize
7.7MB

Download
memory/4716-8-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/4716-9-0x0000000001B60000-0x0000000001EAA000-memory.dmp

Filesize
3.3MB

Download