Analysis

  • max time kernel
    92s
  • max time network
    118s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240802-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20240802-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    05-10-2024 02:48

General

  • Target

    15dd0af6a94ff8295c72a83ef9bd359a_JaffaCakes118.exe

  • Size

    1.1MB

  • MD5

    15dd0af6a94ff8295c72a83ef9bd359a

  • SHA1

    1e5236e252f24dbe1231cc18aecdfeac6b0d9a1f

  • SHA256

    6931c7d4ab556ccd3cee7b8ddc9107f73551dd8cf5f293ec88d0ded26f52a9f6

  • SHA512

    f5aff225a83d6899c76059f9b7463777278b724118fd928a365cf437a272dfaf6e055168dff5ae8018d243aaa3adef44326b79607755ff26b31553689795cd42

  • SSDEEP

    12288:QWawIfK0f08jrRhidCMrC5Hr6LVEmBFt0ULGZbRSTHh3TS6np1I4vOODhgaPGNSi:HHTSmkWDZvSuPoT3

Malware Config

Extracted

Family

xloader

Version

2.3

Campaign

m6b5

Decoy

ixtarbelize.com

pheamal.com

daiyncc.com

staydoubted.com

laagerlitigation.club

sukrantastansakarya.com

esupport.ltd

vetscontracting.net

themuslimlife.coach

salmanairs.com

somatictherapyservices.com

lastminuteminister.com

comunicarbuenosaires.com

kazuya.tech

insightlyservicedev.com

redevelopment38subhashnagar.com

thefutureinvestor.com

simplysu.com

lagu45.com

livingstonpistolpermit.com

Signatures

  • Xloader

    Xloader is a rebranded version of Formbook malware.

  • Xloader payload 1 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

    Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of WriteProcessMemory 6 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\15dd0af6a94ff8295c72a83ef9bd359a_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\15dd0af6a94ff8295c72a83ef9bd359a_JaffaCakes118.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:1808
    • C:\Users\Admin\AppData\Local\Temp\15dd0af6a94ff8295c72a83ef9bd359a_JaffaCakes118.exe
      "C:\Users\Admin\AppData\Local\Temp\15dd0af6a94ff8295c72a83ef9bd359a_JaffaCakes118.exe"
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      PID:1596

Network

MITRE ATT&CK Enterprise v15

Downloads

  • memory/1596-10-0x0000000000400000-0x0000000000429000-memory.dmp

    Filesize

    164KB

  • memory/1596-13-0x0000000000F80000-0x00000000012CA000-memory.dmp

    Filesize

    3.3MB

  • memory/1808-6-0x0000000074FF0000-0x00000000757A0000-memory.dmp

    Filesize

    7.7MB

  • memory/1808-3-0x0000000005820000-0x00000000058B2000-memory.dmp

    Filesize

    584KB

  • memory/1808-4-0x00000000058C0000-0x0000000005936000-memory.dmp

    Filesize

    472KB

  • memory/1808-5-0x0000000005940000-0x00000000059DC000-memory.dmp

    Filesize

    624KB

  • memory/1808-0-0x0000000074FFE000-0x0000000074FFF000-memory.dmp

    Filesize

    4KB

  • memory/1808-7-0x00000000057B0000-0x00000000057CE000-memory.dmp

    Filesize

    120KB

  • memory/1808-8-0x0000000005A70000-0x0000000005AF0000-memory.dmp

    Filesize

    512KB

  • memory/1808-9-0x00000000057E0000-0x00000000057F6000-memory.dmp

    Filesize

    88KB

  • memory/1808-2-0x0000000005D30000-0x00000000062D4000-memory.dmp

    Filesize

    5.6MB

  • memory/1808-12-0x0000000074FF0000-0x00000000757A0000-memory.dmp

    Filesize

    7.7MB

  • memory/1808-1-0x0000000000D00000-0x0000000000E18000-memory.dmp

    Filesize

    1.1MB