xloader | c85eab78147f680f396925b005564604d84bcff97fec4bfb27e13071e791d985

General

Target

1fd9cebb62fdfd2ee9533e35a6d14aa3_JaffaCakes118.exe
Size

1006KB
MD5

1fd9cebb62fdfd2ee9533e35a6d14aa3
SHA1

d43f787cf9f8c5588f6c267d3983ca5ecf6acc88
SHA256

c85eab78147f680f396925b005564604d84bcff97fec4bfb27e13071e791d985
SHA512

cc965a63a729e0be816c646155ebf201464b6d40362c9eccdab53a3653c361c829069b354f9e38dd24ac2b89ec52c7f733b825e74d45c34ec8b5588065888088
SSDEEP

12288:oErs4ma/bma0cxKGU2fBCRKzPARKhpwAyxRD7U4qZ2vEVBhUSB:o3XaiC/ZCAjAcwAADTqZ2vEVBhU

Score

10^/10

xloader q4kr discovery loader rat

Malware Config

Extracted

Family

xloader

Version

2.3

Campaign

q4kr

Decoy

realmodapk.com

hanoharuka.com

shivalikspiritualproducts.com

womenshealthclinincagra.com

racketpark.com

startuporig.com

azkachinas.com

klanblog.com

linuxradio.tools

siteoficial-liquida.com

glsbuyer.com

bestdeez.com

teens2cash.com

valleyviewconstruct.com

myfortniteskins.com

cambecare.com

csec2011.com

idookap.com

warmwallsrecords.com

smartmirror.one

Signatures

Xloader
Xloader is a rebranded version of Formbook malware.
loader xloader

Xloader payload 3 IoCs

rat

resource	yara_rule
behavioral2/memory/4936-13-0x0000000000400000-0x0000000000429000-memory.dmp	xloader
behavioral2/memory/4936-18-0x0000000000400000-0x0000000000429000-memory.dmp	xloader
behavioral2/memory/940-23-0x0000000000A60000-0x0000000000A89000-memory.dmp	xloader

Suspicious use of SetThreadContext 3 IoCs

description	pid	Process	procid_target
PID 3396 set thread context of 4936	3396	1fd9cebb62fdfd2ee9533e35a6d14aa3_JaffaCakes118.exe	89
PID 4936 set thread context of 3376	4936	RegSvcs.exe	56
PID 940 set thread context of 3376	940	NETSTAT.EXE	56

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	1fd9cebb62fdfd2ee9533e35a6d14aa3_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	NETSTAT.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Gathers network information 2 TTPs 1 IoCs

Uses commandline utility to view network configuration.

System Information Discovery

T1082

Command and Scripting Interpreter

T1059

pid	Process
940	NETSTAT.EXE

Suspicious behavior: EnumeratesProcesses 47 IoCs

pid	Process
3396	1fd9cebb62fdfd2ee9533e35a6d14aa3_JaffaCakes118.exe
4936	RegSvcs.exe
4936	RegSvcs.exe
4936	RegSvcs.exe
4936	RegSvcs.exe
940	NETSTAT.EXE
940	NETSTAT.EXE
940	NETSTAT.EXE
940	NETSTAT.EXE
940	NETSTAT.EXE
940	NETSTAT.EXE
940	NETSTAT.EXE
940	NETSTAT.EXE
940	NETSTAT.EXE
940	NETSTAT.EXE
940	NETSTAT.EXE
940	NETSTAT.EXE
940	NETSTAT.EXE
940	NETSTAT.EXE
940	NETSTAT.EXE
940	NETSTAT.EXE
940	NETSTAT.EXE
940	NETSTAT.EXE
940	NETSTAT.EXE
940	NETSTAT.EXE
940	NETSTAT.EXE
940	NETSTAT.EXE
940	NETSTAT.EXE
940	NETSTAT.EXE
940	NETSTAT.EXE
940	NETSTAT.EXE
940	NETSTAT.EXE
940	NETSTAT.EXE
940	NETSTAT.EXE
940	NETSTAT.EXE
940	NETSTAT.EXE
940	NETSTAT.EXE
940	NETSTAT.EXE
940	NETSTAT.EXE
940	NETSTAT.EXE
940	NETSTAT.EXE
940	NETSTAT.EXE
940	NETSTAT.EXE
940	NETSTAT.EXE
940	NETSTAT.EXE
940	NETSTAT.EXE
940	NETSTAT.EXE

Suspicious behavior: MapViewOfSection 5 IoCs

pid	Process
4936	RegSvcs.exe
4936	RegSvcs.exe
4936	RegSvcs.exe
940	NETSTAT.EXE
940	NETSTAT.EXE

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	3396	1fd9cebb62fdfd2ee9533e35a6d14aa3_JaffaCakes118.exe
Token: SeDebugPrivilege	4936	RegSvcs.exe
Token: SeDebugPrivilege	940	NETSTAT.EXE

Suspicious use of UnmapMainImage 1 IoCs

pid	Process
3376	Explorer.EXE

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 3396 wrote to memory of 4936	3396	1fd9cebb62fdfd2ee9533e35a6d14aa3_JaffaCakes118.exe	89
PID 3396 wrote to memory of 4936	3396	1fd9cebb62fdfd2ee9533e35a6d14aa3_JaffaCakes118.exe	89
PID 3396 wrote to memory of 4936	3396	1fd9cebb62fdfd2ee9533e35a6d14aa3_JaffaCakes118.exe	89
PID 3396 wrote to memory of 4936	3396	1fd9cebb62fdfd2ee9533e35a6d14aa3_JaffaCakes118.exe	89
PID 3396 wrote to memory of 4936	3396	1fd9cebb62fdfd2ee9533e35a6d14aa3_JaffaCakes118.exe	89
PID 3396 wrote to memory of 4936	3396	1fd9cebb62fdfd2ee9533e35a6d14aa3_JaffaCakes118.exe	89
PID 3376 wrote to memory of 940	3376	Explorer.EXE	91
PID 3376 wrote to memory of 940	3376	Explorer.EXE	91
PID 3376 wrote to memory of 940	3376	Explorer.EXE	91
PID 940 wrote to memory of 2908	940	NETSTAT.EXE	92
PID 940 wrote to memory of 2908	940	NETSTAT.EXE	92
PID 940 wrote to memory of 2908	940	NETSTAT.EXE	92

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
PID:3376
- C:\Users\Admin\AppData\Local\Temp\1fd9cebb62fdfd2ee9533e35a6d14aa3_JaffaCakes118.exe
  "C:\Users\Admin\AppData\Local\Temp\1fd9cebb62fdfd2ee9533e35a6d14aa3_JaffaCakes118.exe"
  2⤵
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:3396
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
    3⤵
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of AdjustPrivilegeToken
    PID:4936
- C:\Windows\SysWOW64\autofmt.exe
  "C:\Windows\SysWOW64\autofmt.exe"
  2⤵
  PID:4016
- C:\Windows\SysWOW64\NETSTAT.EXE
  "C:\Windows\SysWOW64\NETSTAT.EXE"
  2⤵
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Gathers network information
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:940
- - C:\Windows\SysWOW64\cmd.exe
    /c del "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2908

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1

T1059

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/940-23-0x0000000000A60000-0x0000000000A89000-memory.dmp

Filesize
164KB

Download
memory/940-22-0x0000000000490000-0x000000000049B000-memory.dmp

Filesize
44KB

Download
memory/940-21-0x0000000000490000-0x000000000049B000-memory.dmp

Filesize
44KB

Download
memory/3376-20-0x00000000025C0000-0x00000000026DC000-memory.dmp

Filesize
1.1MB

Download
memory/3376-31-0x0000000002910000-0x00000000029A2000-memory.dmp

Filesize
584KB

Download
memory/3376-29-0x0000000002910000-0x00000000029A2000-memory.dmp

Filesize
584KB

Download
memory/3376-28-0x0000000002910000-0x00000000029A2000-memory.dmp

Filesize
584KB

Download
memory/3376-24-0x00000000025C0000-0x00000000026DC000-memory.dmp

Filesize
1.1MB

Download
memory/3396-7-0x0000000005740000-0x0000000005796000-memory.dmp

Filesize
344KB

Download
memory/3396-1-0x0000000000980000-0x0000000000A82000-memory.dmp

Filesize
1.0MB

Download
memory/3396-10-0x0000000074B30000-0x00000000752E0000-memory.dmp

Filesize
7.7MB

Download
memory/3396-11-0x00000000080F0000-0x000000000818C000-memory.dmp

Filesize
624KB

Download
memory/3396-12-0x000000000A460000-0x000000000A48E000-memory.dmp

Filesize
184KB

Download
memory/3396-9-0x0000000074B3E000-0x0000000074B3F000-memory.dmp

Filesize
4KB

Download
memory/3396-15-0x0000000074B30000-0x00000000752E0000-memory.dmp

Filesize
7.7MB

Download
memory/3396-4-0x0000000005560000-0x00000000055F2000-memory.dmp

Filesize
584KB

Download
memory/3396-2-0x0000000005410000-0x00000000054AC000-memory.dmp

Filesize
624KB

Download
memory/3396-3-0x0000000005A70000-0x0000000006014000-memory.dmp

Filesize
5.6MB

Download
memory/3396-8-0x0000000002D60000-0x0000000002D7E000-memory.dmp

Filesize
120KB

Download
memory/3396-6-0x0000000074B30000-0x00000000752E0000-memory.dmp

Filesize
7.7MB

Download
memory/3396-0-0x0000000074B3E000-0x0000000074B3F000-memory.dmp

Filesize
4KB

Download
memory/3396-5-0x00000000054F0000-0x00000000054FA000-memory.dmp

Filesize
40KB

Download
memory/4936-13-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/4936-18-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/4936-19-0x00000000014A0000-0x00000000014B0000-memory.dmp

Filesize
64KB

Download
memory/4936-16-0x00000000015B0000-0x00000000018FA000-memory.dmp

Filesize
3.3MB

Download

Analysis

Sharing