xloader | 5131b99eca49a0694073f43f58543781fd6adecc63a0cd643a50686b4d3e001a

General

Target

4b32fb4d21ff7225187b42d4c9722dce_JaffaCakes118.exe
Size

1.1MB
MD5

4b32fb4d21ff7225187b42d4c9722dce
SHA1

331e10b03dc5cf994d3985aea2570f08e2707560
SHA256

5131b99eca49a0694073f43f58543781fd6adecc63a0cd643a50686b4d3e001a
SHA512

d4031c8069d11d78007f215471a982d12ab6059b973477961943dc33d2bf3d0547c95776ebc4b514130964ea9c5e77d2e1b855515c0dea7edf3498e501e2531d
SSDEEP

12288:2Gy2V8gP2iNdmth0+QHU6fm5LJHdkhjn+IZjxwRyCVWHz3T/J4GLIh+wT4P:b1yh0+CcFdyjSkCVm/Jql0

Score

10^/10

xloader w56m discovery loader rat

Malware Config

Extracted

Family

xloader

Version

2.3

Campaign

w56m

Decoy

damai.zone

mywishbookweb.cloud

sandilakeclothing.bid

joysell.net

hackedwhores.com

sjdibang.com

memaquiahiga.com

bleeckerbobs.net

emmettthomas.com

thesheetz.com

mimik33.info

prettyprettybartending.com

3173596.com

shwangjia.com

sightuiop.com

tinnitusnow.online

mahadevexporters.com

cleaninglanarkshire.com

ibiaozhi.net

upinfame.com

Signatures

Xloader
Xloader is a rebranded version of Formbook malware.
loader xloader

Xloader payload 3 IoCs

rat

resource	yara_rule
behavioral2/memory/2108-18-0x0000000000400000-0x0000000000429000-memory.dmp	xloader
behavioral2/memory/2108-23-0x0000000000400000-0x0000000000429000-memory.dmp	xloader
behavioral2/memory/4140-29-0x00000000001B0000-0x00000000001D9000-memory.dmp	xloader

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation	4b32fb4d21ff7225187b42d4c9722dce_JaffaCakes118.exe

Suspicious use of SetThreadContext 3 IoCs

description	pid	Process	procid_target
PID 3240 set thread context of 2108	3240	4b32fb4d21ff7225187b42d4c9722dce_JaffaCakes118.exe	99
PID 2108 set thread context of 3460	2108	RegSvcs.exe	56
PID 4140 set thread context of 3460	4140	raserver.exe	56

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	raserver.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	4b32fb4d21ff7225187b42d4c9722dce_JaffaCakes118.exe

Modifies registry class 2 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\	Explorer.EXE
Key created	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\	Explorer.EXE

Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
4548	schtasks.exe

Suspicious behavior: EnumeratesProcesses 46 IoCs

pid	Process
2108	RegSvcs.exe
2108	RegSvcs.exe
2108	RegSvcs.exe
2108	RegSvcs.exe
4140	raserver.exe
4140	raserver.exe
4140	raserver.exe
4140	raserver.exe
4140	raserver.exe
4140	raserver.exe
4140	raserver.exe
4140	raserver.exe
4140	raserver.exe
4140	raserver.exe
4140	raserver.exe
4140	raserver.exe
4140	raserver.exe
4140	raserver.exe
4140	raserver.exe
4140	raserver.exe
4140	raserver.exe
4140	raserver.exe
4140	raserver.exe
4140	raserver.exe
4140	raserver.exe
4140	raserver.exe
4140	raserver.exe
4140	raserver.exe
4140	raserver.exe
4140	raserver.exe
4140	raserver.exe
4140	raserver.exe
4140	raserver.exe
4140	raserver.exe
4140	raserver.exe
4140	raserver.exe
4140	raserver.exe
4140	raserver.exe
4140	raserver.exe
4140	raserver.exe
4140	raserver.exe
4140	raserver.exe
4140	raserver.exe
4140	raserver.exe
4140	raserver.exe
4140	raserver.exe

Suspicious behavior: MapViewOfSection 5 IoCs

pid	Process
2108	RegSvcs.exe
2108	RegSvcs.exe
2108	RegSvcs.exe
4140	raserver.exe
4140	raserver.exe

Suspicious use of AdjustPrivilegeToken 10 IoCs

description	pid	Process
Token: SeDebugPrivilege	2108	RegSvcs.exe
Token: SeDebugPrivilege	4140	raserver.exe
Token: SeShutdownPrivilege	3460	Explorer.EXE
Token: SeCreatePagefilePrivilege	3460	Explorer.EXE
Token: SeShutdownPrivilege	3460	Explorer.EXE
Token: SeCreatePagefilePrivilege	3460	Explorer.EXE
Token: SeShutdownPrivilege	3460	Explorer.EXE
Token: SeCreatePagefilePrivilege	3460	Explorer.EXE
Token: SeShutdownPrivilege	3460	Explorer.EXE
Token: SeCreatePagefilePrivilege	3460	Explorer.EXE

Suspicious use of UnmapMainImage 1 IoCs

pid	Process
3460	Explorer.EXE

Suspicious use of WriteProcessMemory 15 IoCs

description	pid	Process	procid_target
PID 3240 wrote to memory of 4548	3240	4b32fb4d21ff7225187b42d4c9722dce_JaffaCakes118.exe	97
PID 3240 wrote to memory of 4548	3240	4b32fb4d21ff7225187b42d4c9722dce_JaffaCakes118.exe	97
PID 3240 wrote to memory of 4548	3240	4b32fb4d21ff7225187b42d4c9722dce_JaffaCakes118.exe	97
PID 3240 wrote to memory of 2108	3240	4b32fb4d21ff7225187b42d4c9722dce_JaffaCakes118.exe	99
PID 3240 wrote to memory of 2108	3240	4b32fb4d21ff7225187b42d4c9722dce_JaffaCakes118.exe	99
PID 3240 wrote to memory of 2108	3240	4b32fb4d21ff7225187b42d4c9722dce_JaffaCakes118.exe	99
PID 3240 wrote to memory of 2108	3240	4b32fb4d21ff7225187b42d4c9722dce_JaffaCakes118.exe	99
PID 3240 wrote to memory of 2108	3240	4b32fb4d21ff7225187b42d4c9722dce_JaffaCakes118.exe	99
PID 3240 wrote to memory of 2108	3240	4b32fb4d21ff7225187b42d4c9722dce_JaffaCakes118.exe	99
PID 3460 wrote to memory of 4140	3460	Explorer.EXE	100
PID 3460 wrote to memory of 4140	3460	Explorer.EXE	100
PID 3460 wrote to memory of 4140	3460	Explorer.EXE	100
PID 4140 wrote to memory of 4188	4140	raserver.exe	101
PID 4140 wrote to memory of 4188	4140	raserver.exe	101
PID 4140 wrote to memory of 4188	4140	raserver.exe	101

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
PID:3460
- C:\Users\Admin\AppData\Local\Temp\4b32fb4d21ff7225187b42d4c9722dce_JaffaCakes118.exe
  "C:\Users\Admin\AppData\Local\Temp\4b32fb4d21ff7225187b42d4c9722dce_JaffaCakes118.exe"
  2⤵
  - Checks computer location settings
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:3240
- - C:\Windows\SysWOW64\schtasks.exe
    "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\RkaONosqCQHta" /XML "C:\Users\Admin\AppData\Local\Temp\tmp3AC2.tmp"
    3⤵
    - System Location Discovery: System Language Discovery
    - Scheduled Task/Job: Scheduled Task
    PID:4548
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
    3⤵
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of AdjustPrivilegeToken
    PID:2108
- C:\Windows\SysWOW64\raserver.exe
  "C:\Windows\SysWOW64\raserver.exe"
  2⤵
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:4140
- - C:\Windows\SysWOW64\cmd.exe
    /c del "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:4188

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

1

T1053

Scheduled Task

1

T1053.005

Persistence

Scheduled Task/Job

1

T1053

Scheduled Task

1

T1053.005

Privilege Escalation

Scheduled Task/Job

1

T1053

Scheduled Task

1

T1053.005

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmp3AC2.tmp

Filesize
1KB

MD5
97e2e76dbbaa6edb264d9bc9c23a06c0

SHA1
bc8f7256a371cc722fab7e3af2412e425d1ce2bd

SHA256
a754624112372d78c3be981265a41274cfab094c30df4df007fb08cb340d46ae

SHA512
d111d68119582f1c35c949b2b917429a05e04d11e0eafc21070ea7d51f2837a156c232ac582a6b3c95e8b1cb86528a218ad33406c3d64f99ce0f1dc821b66e32

Download Submit
memory/2108-23-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2108-24-0x0000000001630000-0x0000000001641000-memory.dmp

Filesize
68KB

Download
memory/2108-21-0x00000000016D0000-0x0000000001A1A000-memory.dmp

Filesize
3.3MB

Download
memory/2108-18-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/3240-6-0x0000000005850000-0x00000000058A6000-memory.dmp

Filesize
344KB

Download
memory/3240-3-0x0000000005B80000-0x0000000006124000-memory.dmp

Filesize
5.6MB

Download
memory/3240-7-0x00000000749A0000-0x0000000075150000-memory.dmp

Filesize
7.7MB

Download
memory/3240-8-0x0000000006130000-0x000000000614E000-memory.dmp

Filesize
120KB

Download
memory/3240-9-0x00000000749AE000-0x00000000749AF000-memory.dmp

Filesize
4KB

Download
memory/3240-10-0x00000000749A0000-0x0000000075150000-memory.dmp

Filesize
7.7MB

Download
memory/3240-11-0x0000000004EF0000-0x0000000004F90000-memory.dmp

Filesize
640KB

Download
memory/3240-12-0x0000000006D00000-0x0000000006D2E000-memory.dmp

Filesize
184KB

Download
memory/3240-5-0x00000000055B0000-0x00000000055BA000-memory.dmp

Filesize
40KB

Download
memory/3240-4-0x0000000005670000-0x0000000005702000-memory.dmp

Filesize
584KB

Download
memory/3240-20-0x00000000749A0000-0x0000000075150000-memory.dmp

Filesize
7.7MB

Download
memory/3240-0-0x00000000749AE000-0x00000000749AF000-memory.dmp

Filesize
4KB

Download
memory/3240-2-0x00000000054B0000-0x000000000554C000-memory.dmp

Filesize
624KB

Download
memory/3240-1-0x0000000000A40000-0x0000000000B54000-memory.dmp

Filesize
1.1MB

Download
memory/3460-25-0x0000000009150000-0x00000000092B6000-memory.dmp

Filesize
1.4MB

Download
memory/3460-30-0x0000000009150000-0x00000000092B6000-memory.dmp

Filesize
1.4MB

Download
memory/3460-34-0x0000000003820000-0x00000000038E3000-memory.dmp

Filesize
780KB

Download
memory/3460-35-0x0000000003820000-0x00000000038E3000-memory.dmp

Filesize
780KB

Download
memory/4140-26-0x0000000000230000-0x000000000024F000-memory.dmp

Filesize
124KB

Download
memory/4140-28-0x0000000000230000-0x000000000024F000-memory.dmp

Filesize
124KB

Download
memory/4140-29-0x00000000001B0000-0x00000000001D9000-memory.dmp

Filesize
164KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads