xloader | 778a433f0c438f5f4ad261e0c14d350e37f10d8fe4ca7794da84052aa114f94c

General

Target

247e2ce013cbda5db987f42355048389_JaffaCakes118.exe
Size

708KB
MD5

247e2ce013cbda5db987f42355048389
SHA1

1709f83e2066fbbfc9cac502807cb733ebafed6d
SHA256

778a433f0c438f5f4ad261e0c14d350e37f10d8fe4ca7794da84052aa114f94c
SHA512

118680110ef4ba7d344861f052a9d28a1d3a2b2095c0e365ede6341fda44a06faf74b75ab087cd3618020e7c4ef3eca556fbbb4aa63106beb9ea23e04751f5f3
SSDEEP

12288:NNSj3CYRyjC5bhPCd16IUjlNktoJEq/y6INX6LRgU7e9Yn33PZfqFszaldJmlgeF:5CVhPfNDktoGq/wKgDC3hiUaldq5LgA6

Score

10^/10

xloader s32s discovery loader rat

Malware Config

Extracted

Family

xloader

Version

2.3

Campaign

s32s

Decoy

pointsfans.com

eternalbybri.com

rajspices.com

evisucdn.com

cunerier.com

meteoagriculture.com

uplighting.net

tomigata.com

dilemmastudio.com

13kirikiriroad.com

lostboysworld.online

anemonashop.com

baiexpress.com

1033391.com

healthandsafetygadgets.com

hawaiiicelimited.com

wheels.works

post89paks.com

hangsicantho.com

theforteners.com

Signatures

Xloader
Xloader is a rebranded version of Formbook malware.
loader xloader

Xloader payload 3 IoCs

rat

Processes:

resource	yara_rule
behavioral2/memory/2084-15-0x0000000000400000-0x0000000000429000-memory.dmp	xloader
behavioral2/memory/2084-21-0x0000000000400000-0x0000000000429000-memory.dmp	xloader
behavioral2/memory/4872-27-0x00000000009A0000-0x00000000009C9000-memory.dmp	xloader

Executes dropped EXE 1 IoCs

Processes:

AddInProcess32.exe

pid	Process
2084	AddInProcess32.exe

Suspicious use of SetThreadContext 3 IoCs

Processes:

247e2ce013cbda5db987f42355048389_JaffaCakes118.exeAddInProcess32.exeNETSTAT.EXE

description	pid	Process	procid_target
PID 1176 set thread context of 2084	1176	247e2ce013cbda5db987f42355048389_JaffaCakes118.exe	91
PID 2084 set thread context of 3456	2084	AddInProcess32.exe	56
PID 4872 set thread context of 3456	4872	NETSTAT.EXE	56

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

247e2ce013cbda5db987f42355048389_JaffaCakes118.exeNETSTAT.EXEcmd.exe

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	247e2ce013cbda5db987f42355048389_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	NETSTAT.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Gathers network information 2 TTPs 1 IoCs

Uses commandline utility to view network configuration.

System Information Discovery

T1082

Command and Scripting Interpreter

T1059

Processes:

NETSTAT.EXE

pid	Process
4872	NETSTAT.EXE

Suspicious behavior: EnumeratesProcesses 50 IoCs

Processes:

247e2ce013cbda5db987f42355048389_JaffaCakes118.exeAddInProcess32.exeNETSTAT.EXE

pid	Process
1176	247e2ce013cbda5db987f42355048389_JaffaCakes118.exe
1176	247e2ce013cbda5db987f42355048389_JaffaCakes118.exe
2084	AddInProcess32.exe
2084	AddInProcess32.exe
2084	AddInProcess32.exe
2084	AddInProcess32.exe
4872	NETSTAT.EXE
4872	NETSTAT.EXE
4872	NETSTAT.EXE
4872	NETSTAT.EXE
4872	NETSTAT.EXE
4872	NETSTAT.EXE
4872	NETSTAT.EXE
4872	NETSTAT.EXE
4872	NETSTAT.EXE
4872	NETSTAT.EXE
4872	NETSTAT.EXE
4872	NETSTAT.EXE
4872	NETSTAT.EXE
4872	NETSTAT.EXE
4872	NETSTAT.EXE
4872	NETSTAT.EXE
4872	NETSTAT.EXE
4872	NETSTAT.EXE
4872	NETSTAT.EXE
4872	NETSTAT.EXE
4872	NETSTAT.EXE
4872	NETSTAT.EXE
4872	NETSTAT.EXE
4872	NETSTAT.EXE
4872	NETSTAT.EXE
4872	NETSTAT.EXE
4872	NETSTAT.EXE
4872	NETSTAT.EXE
4872	NETSTAT.EXE
4872	NETSTAT.EXE
4872	NETSTAT.EXE
4872	NETSTAT.EXE
4872	NETSTAT.EXE
4872	NETSTAT.EXE
4872	NETSTAT.EXE
4872	NETSTAT.EXE
4872	NETSTAT.EXE
4872	NETSTAT.EXE
4872	NETSTAT.EXE
4872	NETSTAT.EXE
4872	NETSTAT.EXE
4872	NETSTAT.EXE
4872	NETSTAT.EXE
4872	NETSTAT.EXE

Suspicious behavior: MapViewOfSection 5 IoCs

Processes:

AddInProcess32.exeNETSTAT.EXE

pid	Process
2084	AddInProcess32.exe
2084	AddInProcess32.exe
2084	AddInProcess32.exe
4872	NETSTAT.EXE
4872	NETSTAT.EXE

Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

247e2ce013cbda5db987f42355048389_JaffaCakes118.exeAddInProcess32.exeNETSTAT.EXE

description	pid	Process
Token: SeDebugPrivilege	1176	247e2ce013cbda5db987f42355048389_JaffaCakes118.exe
Token: SeDebugPrivilege	2084	AddInProcess32.exe
Token: SeDebugPrivilege	4872	NETSTAT.EXE

Suspicious use of UnmapMainImage 1 IoCs

Processes:

Explorer.EXE

pid	Process
3456	Explorer.EXE

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

247e2ce013cbda5db987f42355048389_JaffaCakes118.exeExplorer.EXENETSTAT.EXE

description	pid	Process	procid_target
PID 1176 wrote to memory of 2084	1176	247e2ce013cbda5db987f42355048389_JaffaCakes118.exe	91
PID 1176 wrote to memory of 2084	1176	247e2ce013cbda5db987f42355048389_JaffaCakes118.exe	91
PID 1176 wrote to memory of 2084	1176	247e2ce013cbda5db987f42355048389_JaffaCakes118.exe	91
PID 1176 wrote to memory of 2084	1176	247e2ce013cbda5db987f42355048389_JaffaCakes118.exe	91
PID 1176 wrote to memory of 2084	1176	247e2ce013cbda5db987f42355048389_JaffaCakes118.exe	91
PID 1176 wrote to memory of 2084	1176	247e2ce013cbda5db987f42355048389_JaffaCakes118.exe	91
PID 3456 wrote to memory of 4872	3456	Explorer.EXE	92
PID 3456 wrote to memory of 4872	3456	Explorer.EXE	92
PID 3456 wrote to memory of 4872	3456	Explorer.EXE	92
PID 4872 wrote to memory of 1308	4872	NETSTAT.EXE	93
PID 4872 wrote to memory of 1308	4872	NETSTAT.EXE	93
PID 4872 wrote to memory of 1308	4872	NETSTAT.EXE	93

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
PID:3456
- C:\Users\Admin\AppData\Local\Temp\247e2ce013cbda5db987f42355048389_JaffaCakes118.exe
  "C:\Users\Admin\AppData\Local\Temp\247e2ce013cbda5db987f42355048389_JaffaCakes118.exe"
  2⤵
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1176
- - C:\Users\Admin\AppData\Local\Temp\AddInProcess32.exe
    "C:\Users\Admin\AppData\Local\Temp\AddInProcess32.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of AdjustPrivilegeToken
    PID:2084
- C:\Windows\SysWOW64\NETSTAT.EXE
  "C:\Windows\SysWOW64\NETSTAT.EXE"
  2⤵
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Gathers network information
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:4872
- - C:\Windows\SysWOW64\cmd.exe
    /c del "C:\Users\Admin\AppData\Local\Temp\AddInProcess32.exe"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1308

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1

T1059

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\AddInProcess32.exe

Filesize
42KB

MD5
9827ff3cdf4b83f9c86354606736ca9c

SHA1
e73d73f42bb2a310f03eb1bcbb22be2b8eb7c723

SHA256
c1cf3dc8fa1c7fc00f88e07ad539979b3706ca8d69223cffd1d58bc8f521f63a

SHA512
8261828d55f3b5134c0aeb98311c04e20c5395d4347251746f3be0fb854f36cc7e118713cd00c9867537e6e47d5e71f2b2384fc00c67f0ae1b285b8310321579

Download Submit
memory/1176-13-0x00000000051D0000-0x00000000051D6000-memory.dmp

Filesize
24KB

Download
memory/1176-3-0x0000000006170000-0x0000000006714000-memory.dmp

Filesize
5.6MB

Download
memory/1176-1-0x0000000000D30000-0x0000000000DE8000-memory.dmp

Filesize
736KB

Download
memory/1176-18-0x0000000074EE0000-0x0000000075690000-memory.dmp

Filesize
7.7MB

Download
memory/1176-5-0x0000000005C60000-0x0000000005CFC000-memory.dmp

Filesize
624KB

Download
memory/1176-6-0x0000000074EE0000-0x0000000075690000-memory.dmp

Filesize
7.7MB

Download
memory/1176-7-0x00000000072E0000-0x0000000007318000-memory.dmp

Filesize
224KB

Download
memory/1176-8-0x0000000074EE0000-0x0000000075690000-memory.dmp

Filesize
7.7MB

Download
memory/1176-9-0x0000000074EEE000-0x0000000074EEF000-memory.dmp

Filesize
4KB

Download
memory/1176-10-0x0000000074EE0000-0x0000000075690000-memory.dmp

Filesize
7.7MB

Download
memory/1176-12-0x00000000051B0000-0x00000000051C4000-memory.dmp

Filesize
80KB

Download
memory/1176-0-0x0000000074EEE000-0x0000000074EEF000-memory.dmp

Filesize
4KB

Download
memory/1176-4-0x0000000005BC0000-0x0000000005C52000-memory.dmp

Filesize
584KB

Download
memory/1176-2-0x0000000005720000-0x0000000005A74000-memory.dmp

Filesize
3.3MB

Download
memory/2084-19-0x0000000001550000-0x000000000189A000-memory.dmp

Filesize
3.3MB

Download
memory/2084-21-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2084-22-0x0000000001260000-0x0000000001271000-memory.dmp

Filesize
68KB

Download
memory/2084-15-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/3456-35-0x00000000081D0000-0x0000000008352000-memory.dmp

Filesize
1.5MB

Download
memory/3456-23-0x0000000007CC0000-0x0000000007E3D000-memory.dmp

Filesize
1.5MB

Download
memory/3456-28-0x0000000007CC0000-0x0000000007E3D000-memory.dmp

Filesize
1.5MB

Download
memory/3456-32-0x00000000081D0000-0x0000000008352000-memory.dmp

Filesize
1.5MB

Download
memory/3456-33-0x00000000081D0000-0x0000000008352000-memory.dmp

Filesize
1.5MB

Download
memory/4872-24-0x0000000000DB0000-0x0000000000DBB000-memory.dmp

Filesize
44KB

Download
memory/4872-25-0x0000000000DB0000-0x0000000000DBB000-memory.dmp

Filesize
44KB

Download
memory/4872-27-0x00000000009A0000-0x00000000009C9000-memory.dmp

Filesize
164KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads