Analysis

  • max time kernel
    117s
  • max time network
    118s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
  • submitted
    25-09-2024 02:51

General

  • Target

    f502c1a5b642c38455fe94ca3ce2eed8_JaffaCakes118.exe

  • Size

    321KB

  • MD5

    f502c1a5b642c38455fe94ca3ce2eed8

  • SHA1

    9423923825b75b210441777977e0c0acaac73d0c

  • SHA256

    4f458d13d054cb8e9cb734d6929fe65b59b2a25e2c460af1fc788ca490118a85

  • SHA512

    93e6b467f79380360704e5783bb82c91cca54d38871a75d82b4326b66c051ede36f04c82776cefaedbf73a42d0308f7f5b9d14a58fbdbf8afb9dca29876b6220

  • SSDEEP

    6144:zLvWHK8wYjlFSqgfdnatyFLnWJM5nuBxZQ1aU3avEMieafbMrE9p6:zCHpdjlFifdnaQWJ+nu7KaU8EMpafQGp

Malware Config

Extracted

Family

xloader

Version

2.3

Campaign

o8na

Decoy

www1669099.com

digitalallserv.com

thiszzzwq.info

dallasoswalt.info

ladolcefesta.com

mariamalikially.com

origenbsas.com

antichoc.watch

tropicalbirdtoys.com

bbluedotvrwdbuy.com

racevx.xyz

ut-trustandwill.com

maximumhomeoffers.com

wrapname.com

hypelighystrip.com

oshoum2020.com

parkwestmi.com

themodumall.com

tempuslawnandsnow.com

dailypromo.xyz

Signatures

  • Xloader

    Xloader is a rebranded version of Formbook malware.

  • Xloader payload 2 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious behavior: EnumeratesProcesses 1 IoCs
  • Suspicious use of WriteProcessMemory 7 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\f502c1a5b642c38455fe94ca3ce2eed8_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\f502c1a5b642c38455fe94ca3ce2eed8_JaffaCakes118.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:2932
    • C:\Users\Admin\AppData\Local\Temp\f502c1a5b642c38455fe94ca3ce2eed8_JaffaCakes118.exe
      "C:\Users\Admin\AppData\Local\Temp\f502c1a5b642c38455fe94ca3ce2eed8_JaffaCakes118.exe"
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      PID:2692

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • memory/2692-5-0x0000000000400000-0x0000000000428000-memory.dmp

    Filesize

    160KB

  • memory/2692-3-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

    Filesize

    4KB

  • memory/2932-2-0x0000000000220000-0x000000000024A000-memory.dmp

    Filesize

    168KB

  • memory/2932-1-0x00000000022F0000-0x00000000023F0000-memory.dmp

    Filesize

    1024KB