xloader | 9aa14501574506627270d8fd1ffba77663640ade1feba0deabbc9ece1f06c0d6

Analysis

max time kernel
122s
max time network
124s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
08-10-2024 06:25

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

200f1b6cc32e01d765242406ce1cc63a_JaffaCakes118.exe
Size

237KB
MD5

200f1b6cc32e01d765242406ce1cc63a
SHA1

1f8e8097b9ef57eb099a0b9dcc68465e4159c8db
SHA256

9aa14501574506627270d8fd1ffba77663640ade1feba0deabbc9ece1f06c0d6
SHA512

7983cfac2deed7954125c3ec5bef920bde1cb1ca95fa2e5b2e284e34848fc4e2fced7e8bef7ee0e276784d396f212bf5e31cde51be6442a7ee55e26be23e9566
SSDEEP

6144:rKoRJD+6EukNMO09vfjTY8+ZpdZQt9FXFZ0KcSTdUwxAEA8:xRRtKNMv9vrcZpXyFXr555AEA8

Score

10^/10

xloader mpus discovery loader rat

Malware Config

Extracted

Family

xloader

Version

2.3

Campaign

mpus

Decoy

iptcancer.com

jackrabbitpaintllc.com

advancedctech.com

qualitypcth.com

financialfirm.net

tj-troila.asia

torkifood.net

lindsaymanagementgroup.com

ferreiramaquinas.com

handmadebysinead.com

siendotucoach.com

mattinglybrewing.com

bestemployeetests.com

mindenegybenblog.net

longhornbarn.com

jifuopportunity.com

e-studying.com

fuelonwater.com

tokyohotchicken.com

wpactpro.com

Signatures

Xloader
Xloader is a rebranded version of Formbook malware.
loader xloader

Xloader payload 1 IoCs

rat

resource	yara_rule
behavioral1/memory/1928-3-0x0000000000400000-0x0000000000428000-memory.dmp	xloader

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 1292 set thread context of 1928	1292	200f1b6cc32e01d765242406ce1cc63a_JaffaCakes118.exe	30

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	200f1b6cc32e01d765242406ce1cc63a_JaffaCakes118.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
1928	200f1b6cc32e01d765242406ce1cc63a_JaffaCakes118.exe

Suspicious behavior: MapViewOfSection 1 IoCs

pid	Process
1292	200f1b6cc32e01d765242406ce1cc63a_JaffaCakes118.exe

Suspicious use of WriteProcessMemory 5 IoCs

description	pid	Process	procid_target
PID 1292 wrote to memory of 1928	1292	200f1b6cc32e01d765242406ce1cc63a_JaffaCakes118.exe	30
PID 1292 wrote to memory of 1928	1292	200f1b6cc32e01d765242406ce1cc63a_JaffaCakes118.exe	30
PID 1292 wrote to memory of 1928	1292	200f1b6cc32e01d765242406ce1cc63a_JaffaCakes118.exe	30
PID 1292 wrote to memory of 1928	1292	200f1b6cc32e01d765242406ce1cc63a_JaffaCakes118.exe	30
PID 1292 wrote to memory of 1928	1292	200f1b6cc32e01d765242406ce1cc63a_JaffaCakes118.exe	30

C:\Users\Admin\AppData\Local\Temp\200f1b6cc32e01d765242406ce1cc63a_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\200f1b6cc32e01d765242406ce1cc63a_JaffaCakes118.exe"
1⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:1292
- C:\Users\Admin\AppData\Local\Temp\200f1b6cc32e01d765242406ce1cc63a_JaffaCakes118.exe
  "C:\Users\Admin\AppData\Local\Temp\200f1b6cc32e01d765242406ce1cc63a_JaffaCakes118.exe"
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1928

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1292-2-0x00000000000F0000-0x00000000000F2000-memory.dmp

Filesize
8KB

Download
memory/1292-1-0x0000000000250000-0x0000000000350000-memory.dmp

Filesize
1024KB

Download
memory/1928-3-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/1928-4-0x0000000000890000-0x0000000000B93000-memory.dmp

Filesize
3.0MB

Download