xloader | 5131b99eca49a0694073f43f58543781fd6adecc63a0cd643a50686b4d3e001a

Analysis

max time kernel
147s
max time network
117s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
16/10/2024, 03:22

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

4b32fb4d21ff7225187b42d4c9722dce_JaffaCakes118.exe
Size

1.1MB
MD5

4b32fb4d21ff7225187b42d4c9722dce
SHA1

331e10b03dc5cf994d3985aea2570f08e2707560
SHA256

5131b99eca49a0694073f43f58543781fd6adecc63a0cd643a50686b4d3e001a
SHA512

d4031c8069d11d78007f215471a982d12ab6059b973477961943dc33d2bf3d0547c95776ebc4b514130964ea9c5e77d2e1b855515c0dea7edf3498e501e2531d
SSDEEP

12288:2Gy2V8gP2iNdmth0+QHU6fm5LJHdkhjn+IZjxwRyCVWHz3T/J4GLIh+wT4P:b1yh0+CcFdyjSkCVm/Jql0

Score

10^/10

xloader w56m discovery loader rat

Malware Config

Extracted

Family

xloader

Version

2.3

Campaign

w56m

Decoy

damai.zone

mywishbookweb.cloud

sandilakeclothing.bid

joysell.net

hackedwhores.com

sjdibang.com

memaquiahiga.com

bleeckerbobs.net

emmettthomas.com

thesheetz.com

mimik33.info

prettyprettybartending.com

3173596.com

shwangjia.com

sightuiop.com

tinnitusnow.online

mahadevexporters.com

cleaninglanarkshire.com

ibiaozhi.net

upinfame.com

Signatures

Xloader
Xloader is a rebranded version of Formbook malware.
loader xloader

Xloader payload 4 IoCs

rat

resource	yara_rule
behavioral1/memory/2560-17-0x0000000000400000-0x0000000000429000-memory.dmp	xloader
behavioral1/memory/2560-21-0x0000000000400000-0x0000000000429000-memory.dmp	xloader
behavioral1/memory/2560-25-0x0000000000400000-0x0000000000429000-memory.dmp	xloader
behavioral1/memory/2664-31-0x00000000000D0000-0x00000000000F9000-memory.dmp	xloader

Suspicious use of SetThreadContext 4 IoCs

description	pid	Process	procid_target
PID 3052 set thread context of 2560	3052	4b32fb4d21ff7225187b42d4c9722dce_JaffaCakes118.exe	34
PID 2560 set thread context of 1204	2560	RegSvcs.exe	21
PID 2560 set thread context of 1204	2560	RegSvcs.exe	21
PID 2664 set thread context of 1204	2664	cmstp.exe	21

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	4b32fb4d21ff7225187b42d4c9722dce_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RegSvcs.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmstp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
2780	schtasks.exe

Suspicious behavior: EnumeratesProcesses 24 IoCs

pid	Process
3052	4b32fb4d21ff7225187b42d4c9722dce_JaffaCakes118.exe
3052	4b32fb4d21ff7225187b42d4c9722dce_JaffaCakes118.exe
2560	RegSvcs.exe
2560	RegSvcs.exe
2560	RegSvcs.exe
2664	cmstp.exe
2664	cmstp.exe
2664	cmstp.exe
2664	cmstp.exe
2664	cmstp.exe
2664	cmstp.exe
2664	cmstp.exe
2664	cmstp.exe
2664	cmstp.exe
2664	cmstp.exe
2664	cmstp.exe
2664	cmstp.exe
2664	cmstp.exe
2664	cmstp.exe
2664	cmstp.exe
2664	cmstp.exe
2664	cmstp.exe
2664	cmstp.exe
2664	cmstp.exe

Suspicious behavior: MapViewOfSection 6 IoCs

pid	Process
2560	RegSvcs.exe
2560	RegSvcs.exe
2560	RegSvcs.exe
2560	RegSvcs.exe
2664	cmstp.exe
2664	cmstp.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	3052	4b32fb4d21ff7225187b42d4c9722dce_JaffaCakes118.exe
Token: SeDebugPrivilege	2560	RegSvcs.exe
Token: SeDebugPrivilege	2664	cmstp.exe

Suspicious use of WriteProcessMemory 32 IoCs

description	pid	Process	procid_target
PID 3052 wrote to memory of 2780	3052	4b32fb4d21ff7225187b42d4c9722dce_JaffaCakes118.exe	31
PID 3052 wrote to memory of 2780	3052	4b32fb4d21ff7225187b42d4c9722dce_JaffaCakes118.exe	31
PID 3052 wrote to memory of 2780	3052	4b32fb4d21ff7225187b42d4c9722dce_JaffaCakes118.exe	31
PID 3052 wrote to memory of 2780	3052	4b32fb4d21ff7225187b42d4c9722dce_JaffaCakes118.exe	31
PID 3052 wrote to memory of 2564	3052	4b32fb4d21ff7225187b42d4c9722dce_JaffaCakes118.exe	33
PID 3052 wrote to memory of 2564	3052	4b32fb4d21ff7225187b42d4c9722dce_JaffaCakes118.exe	33
PID 3052 wrote to memory of 2564	3052	4b32fb4d21ff7225187b42d4c9722dce_JaffaCakes118.exe	33
PID 3052 wrote to memory of 2564	3052	4b32fb4d21ff7225187b42d4c9722dce_JaffaCakes118.exe	33
PID 3052 wrote to memory of 2564	3052	4b32fb4d21ff7225187b42d4c9722dce_JaffaCakes118.exe	33
PID 3052 wrote to memory of 2564	3052	4b32fb4d21ff7225187b42d4c9722dce_JaffaCakes118.exe	33
PID 3052 wrote to memory of 2564	3052	4b32fb4d21ff7225187b42d4c9722dce_JaffaCakes118.exe	33
PID 3052 wrote to memory of 2560	3052	4b32fb4d21ff7225187b42d4c9722dce_JaffaCakes118.exe	34
PID 3052 wrote to memory of 2560	3052	4b32fb4d21ff7225187b42d4c9722dce_JaffaCakes118.exe	34
PID 3052 wrote to memory of 2560	3052	4b32fb4d21ff7225187b42d4c9722dce_JaffaCakes118.exe	34
PID 3052 wrote to memory of 2560	3052	4b32fb4d21ff7225187b42d4c9722dce_JaffaCakes118.exe	34
PID 3052 wrote to memory of 2560	3052	4b32fb4d21ff7225187b42d4c9722dce_JaffaCakes118.exe	34
PID 3052 wrote to memory of 2560	3052	4b32fb4d21ff7225187b42d4c9722dce_JaffaCakes118.exe	34
PID 3052 wrote to memory of 2560	3052	4b32fb4d21ff7225187b42d4c9722dce_JaffaCakes118.exe	34
PID 3052 wrote to memory of 2560	3052	4b32fb4d21ff7225187b42d4c9722dce_JaffaCakes118.exe	34
PID 3052 wrote to memory of 2560	3052	4b32fb4d21ff7225187b42d4c9722dce_JaffaCakes118.exe	34
PID 3052 wrote to memory of 2560	3052	4b32fb4d21ff7225187b42d4c9722dce_JaffaCakes118.exe	34
PID 2560 wrote to memory of 2664	2560	RegSvcs.exe	35
PID 2560 wrote to memory of 2664	2560	RegSvcs.exe	35
PID 2560 wrote to memory of 2664	2560	RegSvcs.exe	35
PID 2560 wrote to memory of 2664	2560	RegSvcs.exe	35
PID 2560 wrote to memory of 2664	2560	RegSvcs.exe	35
PID 2560 wrote to memory of 2664	2560	RegSvcs.exe	35
PID 2560 wrote to memory of 2664	2560	RegSvcs.exe	35
PID 2664 wrote to memory of 1768	2664	cmstp.exe	36
PID 2664 wrote to memory of 1768	2664	cmstp.exe	36
PID 2664 wrote to memory of 1768	2664	cmstp.exe	36
PID 2664 wrote to memory of 1768	2664	cmstp.exe	36

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:1204
- C:\Users\Admin\AppData\Local\Temp\4b32fb4d21ff7225187b42d4c9722dce_JaffaCakes118.exe
  "C:\Users\Admin\AppData\Local\Temp\4b32fb4d21ff7225187b42d4c9722dce_JaffaCakes118.exe"
  2⤵
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:3052
- - C:\Windows\SysWOW64\schtasks.exe
    "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\RkaONosqCQHta" /XML "C:\Users\Admin\AppData\Local\Temp\tmp7BA5.tmp"
    3⤵
    - System Location Discovery: System Language Discovery
    - Scheduled Task/Job: Scheduled Task
    PID:2780
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
    3⤵
    PID:2564
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
    3⤵
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2560
  - - C:\Windows\SysWOW64\cmstp.exe
      "C:\Windows\SysWOW64\cmstp.exe"
      4⤵
      Suspicious use of SetThreadContext
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious behavior: MapViewOfSection
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2664
    - - C:\Windows\SysWOW64\cmd.exe
        
        /c del "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:1768

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmp7BA5.tmp

Filesize
1KB

MD5
d61992439b88664854fd3192c1a6d053

SHA1
eb955410bd9298b31a749ec85603427b5424d224

SHA256
4add94e4881825d61c04be7c961de367d0080737d8a07f70b05055b797634cb7

SHA512
cc364aea05dce6adb6e0eeb0555175e7cd2e92cb6af743d5b3437754e0c67083f02e3d132d0685ef6d64c99fe0c497c3379c7ab5da43de9284a7bf62cf1c45d8

Download Submit
memory/1204-30-0x0000000005070000-0x0000000005166000-memory.dmp

Filesize
984KB

Download
memory/1204-27-0x0000000005070000-0x0000000005166000-memory.dmp

Filesize
984KB

Download
memory/1204-23-0x0000000004ED0000-0x0000000004FD8000-memory.dmp

Filesize
1.0MB

Download
memory/2560-26-0x00000000001F0000-0x0000000000201000-memory.dmp

Filesize
68KB

Download
memory/2560-21-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2560-25-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2560-22-0x00000000001A0000-0x00000000001B1000-memory.dmp

Filesize
68KB

Download
memory/2560-20-0x00000000009E0000-0x0000000000CE3000-memory.dmp

Filesize
3.0MB

Download
memory/2560-13-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2560-14-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2560-17-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2560-15-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2664-28-0x0000000000690000-0x00000000006A8000-memory.dmp

Filesize
96KB

Download
memory/2664-29-0x0000000000690000-0x00000000006A8000-memory.dmp

Filesize
96KB

Download
memory/2664-31-0x00000000000D0000-0x00000000000F9000-memory.dmp

Filesize
164KB

Download
memory/3052-18-0x00000000740E0000-0x00000000747CE000-memory.dmp

Filesize
6.9MB

Download
memory/3052-4-0x00000000740EE000-0x00000000740EF000-memory.dmp

Filesize
4KB

Download
memory/3052-5-0x00000000740E0000-0x00000000747CE000-memory.dmp

Filesize
6.9MB

Download
memory/3052-7-0x0000000000C50000-0x0000000000C7E000-memory.dmp

Filesize
184KB

Download
memory/3052-3-0x0000000000460000-0x000000000047E000-memory.dmp

Filesize
120KB

Download
memory/3052-0-0x00000000740EE000-0x00000000740EF000-memory.dmp

Filesize
4KB

Download
memory/3052-2-0x00000000740E0000-0x00000000747CE000-memory.dmp

Filesize
6.9MB

Download
memory/3052-6-0x00000000009E0000-0x0000000000A80000-memory.dmp

Filesize
640KB

Download
memory/3052-1-0x0000000000CB0000-0x0000000000DC4000-memory.dmp

Filesize
1.1MB

Download