xloader | e7d82461eec08c88e23ad2651e86e3a25d113dcce4402ccac789f0cffda7b71d

General

Target

0250e6bc6bd00b67b62440914f4f9d86_JaffaCakes118.exe
Size

819KB
MD5

0250e6bc6bd00b67b62440914f4f9d86
SHA1

71ccf512311d0dc53e8cee5e05afe4253efee7f2
SHA256

e7d82461eec08c88e23ad2651e86e3a25d113dcce4402ccac789f0cffda7b71d
SHA512

4fc1eba75e8d5207270efa58298771c366c08eaefde275bf1c365a8d0aa9559593b52407d2159131cbfa7d254d558c63bcdd52dc524a8b2151776fbf02e6cb0c
SSDEEP

24576:EbQ+X8+UiDLbRHahtNrcI1UCHNda/wv7L8O3VjW:gCrj1dt2wjL8X

Score

10^/10

xloader cuig discovery loader rat

Malware Config

Extracted

Family

xloader

Version

2.5

Campaign

cuig

Decoy

sofiathinks-elderly.net

lahamicoast.info

2shengman.com

cbsautoplex.com

arcana-candles.com

genrage.com

kukumiou.xyz

thequizerking.com

sonataproductions.com

rebuildgomnmf.xyz

ubcoin.store

yiyouxue.net

firstlifehome.com

mdx-inc.net

gotbn-c01.com

dinobrindes.store

jcm-iso.com

cliente-mais.com

mloujewelry.com

correoversoi.quest

Signatures

Xloader
Xloader is a rebranded version of Formbook malware.
loader xloader

Xloader payload 1 IoCs

rat

Processes:

resource	yara_rule
behavioral1/memory/2724-14-0x0000000000400000-0x0000000000429000-memory.dmp	xloader

Suspicious use of SetThreadContext 1 IoCs

Processes:

0250e6bc6bd00b67b62440914f4f9d86_JaffaCakes118.exe

description	pid	Process	procid_target
PID 3000 set thread context of 2724	3000	0250e6bc6bd00b67b62440914f4f9d86_JaffaCakes118.exe	31

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

0250e6bc6bd00b67b62440914f4f9d86_JaffaCakes118.exe

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	0250e6bc6bd00b67b62440914f4f9d86_JaffaCakes118.exe

Suspicious behavior: EnumeratesProcesses 7 IoCs

Processes:

0250e6bc6bd00b67b62440914f4f9d86_JaffaCakes118.exe0250e6bc6bd00b67b62440914f4f9d86_JaffaCakes118.exe

pid	Process
3000	0250e6bc6bd00b67b62440914f4f9d86_JaffaCakes118.exe
3000	0250e6bc6bd00b67b62440914f4f9d86_JaffaCakes118.exe
3000	0250e6bc6bd00b67b62440914f4f9d86_JaffaCakes118.exe
3000	0250e6bc6bd00b67b62440914f4f9d86_JaffaCakes118.exe
3000	0250e6bc6bd00b67b62440914f4f9d86_JaffaCakes118.exe
3000	0250e6bc6bd00b67b62440914f4f9d86_JaffaCakes118.exe
2724	0250e6bc6bd00b67b62440914f4f9d86_JaffaCakes118.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

0250e6bc6bd00b67b62440914f4f9d86_JaffaCakes118.exe

description	pid	Process
Token: SeDebugPrivilege	3000	0250e6bc6bd00b67b62440914f4f9d86_JaffaCakes118.exe

Suspicious use of WriteProcessMemory 7 IoCs

Processes:

0250e6bc6bd00b67b62440914f4f9d86_JaffaCakes118.exe

description	pid	Process	procid_target
PID 3000 wrote to memory of 2724	3000	0250e6bc6bd00b67b62440914f4f9d86_JaffaCakes118.exe	31
PID 3000 wrote to memory of 2724	3000	0250e6bc6bd00b67b62440914f4f9d86_JaffaCakes118.exe	31
PID 3000 wrote to memory of 2724	3000	0250e6bc6bd00b67b62440914f4f9d86_JaffaCakes118.exe	31
PID 3000 wrote to memory of 2724	3000	0250e6bc6bd00b67b62440914f4f9d86_JaffaCakes118.exe	31
PID 3000 wrote to memory of 2724	3000	0250e6bc6bd00b67b62440914f4f9d86_JaffaCakes118.exe	31
PID 3000 wrote to memory of 2724	3000	0250e6bc6bd00b67b62440914f4f9d86_JaffaCakes118.exe	31
PID 3000 wrote to memory of 2724	3000	0250e6bc6bd00b67b62440914f4f9d86_JaffaCakes118.exe	31

C:\Users\Admin\AppData\Local\Temp\0250e6bc6bd00b67b62440914f4f9d86_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\0250e6bc6bd00b67b62440914f4f9d86_JaffaCakes118.exe"
1⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3000
- C:\Users\Admin\AppData\Local\Temp\0250e6bc6bd00b67b62440914f4f9d86_JaffaCakes118.exe
  "C:\Users\Admin\AppData\Local\Temp\0250e6bc6bd00b67b62440914f4f9d86_JaffaCakes118.exe"
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2724

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/2724-8-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2724-16-0x0000000000A40000-0x0000000000D43000-memory.dmp

Filesize
3.0MB

Download
memory/2724-12-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2724-14-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2724-10-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/3000-3-0x0000000000610000-0x000000000061C000-memory.dmp

Filesize
48KB

Download
memory/3000-6-0x0000000004490000-0x00000000044F4000-memory.dmp

Filesize
400KB

Download
memory/3000-7-0x00000000020E0000-0x0000000002110000-memory.dmp

Filesize
192KB

Download
memory/3000-5-0x00000000745E0000-0x0000000074CCE000-memory.dmp

Filesize
6.9MB

Download
memory/3000-4-0x00000000745EE000-0x00000000745EF000-memory.dmp

Filesize
4KB

Download
memory/3000-0-0x00000000745EE000-0x00000000745EF000-memory.dmp

Filesize
4KB

Download
memory/3000-2-0x00000000745E0000-0x0000000074CCE000-memory.dmp

Filesize
6.9MB

Download
memory/3000-15-0x00000000745E0000-0x0000000074CCE000-memory.dmp

Filesize
6.9MB

Download
memory/3000-1-0x00000000002D0000-0x00000000003A2000-memory.dmp

Filesize
840KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads