xloader | 748c630f8ec02411ebb563f2434619bc4b695eaaa6d254ed22f63e01d3775aa5

Analysis

max time kernel
121s
max time network
122s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
21-10-2024 21:22

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

677768067d4d3af26b769528b9f1eda3_JaffaCakes118.exe
Size

1.1MB
MD5

677768067d4d3af26b769528b9f1eda3
SHA1

701f0d306afbc48082a18befbe293640d7f31173
SHA256

748c630f8ec02411ebb563f2434619bc4b695eaaa6d254ed22f63e01d3775aa5
SHA512

eafbca515c7f00009f763022d22837abe99ec5125faf037be1a59d579dfe9a19a6246ae8d1c95c768ff74728512b5a80ce58d7085c6647eaa4d2ba7ff01a2104
SSDEEP

24576:qOf982sLr4W7xNZJretG/91XVavfHXl5YJu:W7xNj0GVa3vY

Score

10^/10

xloader owws discovery loader rat

Malware Config

Extracted

Family

xloader

Version

2.3

Campaign

owws

Decoy

mytestin.com

thenakedjoypodcast.com

elsegundotequilabar.com

thefurryfriendsplace.com

sitowebcasavacanze.com

satellitepublishing.com

lowdownsports.net

angelsvideoproductions.com

bair-er.com

abilitycapitalpartners.com

bestmultifunctiontool.com

bloghappness.com

xn--xhq99jp6i75j.com

obxhwy12.com

dematoffer.com

ladderuptoday.com

christianipitts.com

shakambaricottons.com

dondelivery.net

ibextravetrailers.net

Signatures

Xloader
Xloader is a rebranded version of Formbook malware.
loader xloader

Xloader payload 1 IoCs

rat

resource	yara_rule
behavioral1/memory/2236-15-0x0000000000400000-0x0000000000429000-memory.dmp	xloader

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2304 set thread context of 2236	2304	677768067d4d3af26b769528b9f1eda3_JaffaCakes118.exe	31

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	677768067d4d3af26b769528b9f1eda3_JaffaCakes118.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
2236	677768067d4d3af26b769528b9f1eda3_JaffaCakes118.exe

Suspicious use of WriteProcessMemory 7 IoCs

description	pid	Process	procid_target
PID 2304 wrote to memory of 2236	2304	677768067d4d3af26b769528b9f1eda3_JaffaCakes118.exe	31
PID 2304 wrote to memory of 2236	2304	677768067d4d3af26b769528b9f1eda3_JaffaCakes118.exe	31
PID 2304 wrote to memory of 2236	2304	677768067d4d3af26b769528b9f1eda3_JaffaCakes118.exe	31
PID 2304 wrote to memory of 2236	2304	677768067d4d3af26b769528b9f1eda3_JaffaCakes118.exe	31
PID 2304 wrote to memory of 2236	2304	677768067d4d3af26b769528b9f1eda3_JaffaCakes118.exe	31
PID 2304 wrote to memory of 2236	2304	677768067d4d3af26b769528b9f1eda3_JaffaCakes118.exe	31
PID 2304 wrote to memory of 2236	2304	677768067d4d3af26b769528b9f1eda3_JaffaCakes118.exe	31

C:\Users\Admin\AppData\Local\Temp\677768067d4d3af26b769528b9f1eda3_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\677768067d4d3af26b769528b9f1eda3_JaffaCakes118.exe"
1⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2304
- C:\Users\Admin\AppData\Local\Temp\677768067d4d3af26b769528b9f1eda3_JaffaCakes118.exe
  "C:\Users\Admin\AppData\Local\Temp\677768067d4d3af26b769528b9f1eda3_JaffaCakes118.exe"
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2236

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/2236-10-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2236-17-0x0000000000A80000-0x0000000000D83000-memory.dmp

Filesize
3.0MB

Download
memory/2236-15-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2236-12-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2236-8-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2304-3-0x0000000000590000-0x00000000005A6000-memory.dmp

Filesize
88KB

Download
memory/2304-6-0x0000000005BF0000-0x0000000005C8E000-memory.dmp

Filesize
632KB

Download
memory/2304-7-0x00000000046A0000-0x00000000046CE000-memory.dmp

Filesize
184KB

Download
memory/2304-5-0x0000000074130000-0x000000007481E000-memory.dmp

Filesize
6.9MB

Download
memory/2304-4-0x000000007413E000-0x000000007413F000-memory.dmp

Filesize
4KB

Download
memory/2304-0-0x000000007413E000-0x000000007413F000-memory.dmp

Filesize
4KB

Download
memory/2304-2-0x0000000074130000-0x000000007481E000-memory.dmp

Filesize
6.9MB

Download
memory/2304-16-0x0000000074130000-0x000000007481E000-memory.dmp

Filesize
6.9MB

Download
memory/2304-1-0x0000000000950000-0x0000000000A76000-memory.dmp

Filesize
1.1MB

Download