Overview

overview

10

Static

static

3

7419a11c48...18.exe

windows7-x64

10

7419a11c48...18.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    147s
  • max time network
    154s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    24-10-2024 14:19

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    7419a11c48f0ed31dc35a63d44f61392_JaffaCakes118.exe

  • Size

    913KB

  • MD5

    7419a11c48f0ed31dc35a63d44f61392

  • SHA1

    be4a8c7b4bd5232bdc4021215dab6140376ca26a

  • SHA256

    ccad88cfcaf9a2b65b29af3fe6b85559efe3ffcf032ada3919cfa656eef60e54

  • SHA512

    8f2e443c8846660f769d8fe5712279b4a0c5267e99df1f195cc6b87508a7dc93177f6965303a7b529068eff22711ce557e3eec62ddb0557eaeda4c5b5f490b3c

  • SSDEEP

    12288:w3LeA2Ei6hYnM2VBnQ1QB7g5r9B0hlskjES3bBzP5mWK1VU68YYi2tHK7zjzKbo0:2Lsyz+qQhgnWTdBzPUWQBp9zKbo0

Score
10/10
xloaderw56mdiscoveryloaderrat

Malware Config

Extracted

Family

xloader

Version

2.3

Campaign

w56m

Decoy

damai.zone

mywishbookweb.cloud

sandilakeclothing.bid

joysell.net

hackedwhores.com

sjdibang.com

memaquiahiga.com

bleeckerbobs.net

emmettthomas.com

thesheetz.com

mimik33.info

prettyprettybartending.com

3173596.com

shwangjia.com

sightuiop.com

tinnitusnow.online

mahadevexporters.com

cleaninglanarkshire.com

ibiaozhi.net

upinfame.com

Signatures

  • Xloader

    Xloader is a rebranded version of Formbook malware.

    loaderxloader
  • Xloader payload 3 IoCs
    rat
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Suspicious use of SetThreadContext 3 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistenceexecution
  • Suspicious behavior: EnumeratesProcesses 46 IoCs
  • Suspicious behavior: MapViewOfSection 5 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of UnmapMainImage 1 IoCs
  • Suspicious use of WriteProcessMemory 15 IoCs

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
    • Suspicious use of UnmapMainImage
    • Suspicious use of WriteProcessMemory
    PID:3396
    • C:\Users\Admin\AppData\Local\Temp\7419a11c48f0ed31dc35a63d44f61392_JaffaCakes118.exe
      "C:\Users\Admin\AppData\Local\Temp\7419a11c48f0ed31dc35a63d44f61392_JaffaCakes118.exe"
      2⤵
      • Checks computer location settings
      • Suspicious use of SetThreadContext
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:4728
      • C:\Windows\SysWOW64\schtasks.exe
        "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\achsLLSCRXvSN" /XML "C:\Users\Admin\AppData\Local\Temp\tmp5EE4.tmp"
        3⤵
        • System Location Discovery: System Language Discovery
        • Scheduled Task/Job: Scheduled Task
        PID:4736
      • C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
        3⤵
        • Suspicious use of SetThreadContext
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious behavior: MapViewOfSection
        • Suspicious use of AdjustPrivilegeToken
        PID:4952
    • C:\Windows\SysWOW64\msdt.exe
      "C:\Windows\SysWOW64\msdt.exe"
      2⤵
      • Suspicious use of SetThreadContext
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious behavior: MapViewOfSection
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:3188
      • C:\Windows\SysWOW64\cmd.exe
        /c del "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
        3⤵
        • System Location Discovery: System Language Discovery
        PID:1544

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\tmp5EE4.tmp
    Filesize

    1KB

    MD5

    4f1b0d0c46a3ae8611897c9e45594118

    SHA1

    b4ed9d462760351283ac67936fa79715ca781cdf

    SHA256

    d3e3aa1bf44acbd497250a9d65afde384d4639c7ff1fbb75b4bbc59fd76c60cb

    SHA512

    b1c5a142a445e200ff22119502c22a1c929c5512cafc4bf3d0303dbe9334aabcf367fb0ae1ed1181079cd7a0c445efe7740a2c39b267a2df7eb330d3a8915031

    Download Submit

  • memory/3188-28-0x0000000000460000-0x0000000000489000-memory.dmp

    Filesize

    164KB

    Download

  • memory/3188-27-0x0000000000BB0000-0x0000000000C07000-memory.dmp

    Filesize

    348KB

    Download

  • memory/3188-26-0x0000000000BB0000-0x0000000000C07000-memory.dmp

    Filesize

    348KB

    Download

  • memory/3396-34-0x0000000008310000-0x0000000008430000-memory.dmp

    Filesize

    1.1MB

    Download

  • memory/3396-33-0x0000000008310000-0x0000000008430000-memory.dmp

    Filesize

    1.1MB

    Download

  • memory/3396-29-0x0000000007E90000-0x0000000007FF8000-memory.dmp

    Filesize

    1.4MB

    Download

  • memory/3396-25-0x0000000007E90000-0x0000000007FF8000-memory.dmp

    Filesize

    1.4MB

    Download

  • memory/4728-7-0x0000000074540000-0x0000000074CF0000-memory.dmp

    Filesize

    7.7MB

    Download

  • memory/4728-6-0x0000000005860000-0x00000000058B6000-memory.dmp

    Filesize

    344KB

    Download

  • memory/4728-10-0x0000000074540000-0x0000000074CF0000-memory.dmp

    Filesize

    7.7MB

    Download

  • memory/4728-11-0x0000000006DD0000-0x0000000006E70000-memory.dmp

    Filesize

    640KB

    Download

  • memory/4728-12-0x0000000009400000-0x000000000942E000-memory.dmp

    Filesize

    184KB

    Download

  • memory/4728-8-0x0000000005B90000-0x0000000005BA6000-memory.dmp

    Filesize

    88KB

    Download

  • memory/4728-1-0x0000000000AE0000-0x0000000000BCA000-memory.dmp

    Filesize

    936KB

    Download

  • memory/4728-20-0x0000000074540000-0x0000000074CF0000-memory.dmp

    Filesize

    7.7MB

    Download

  • memory/4728-2-0x00000000055D0000-0x000000000566C000-memory.dmp

    Filesize

    624KB

    Download

  • memory/4728-3-0x0000000005C20000-0x00000000061C4000-memory.dmp

    Filesize

    5.6MB

    Download

  • memory/4728-5-0x0000000005580000-0x000000000558A000-memory.dmp

    Filesize

    40KB

    Download

  • memory/4728-4-0x0000000005670000-0x0000000005702000-memory.dmp

    Filesize

    584KB

    Download

  • memory/4728-0-0x000000007454E000-0x000000007454F000-memory.dmp

    Filesize

    4KB

    Download

  • memory/4728-9-0x000000007454E000-0x000000007454F000-memory.dmp

    Filesize

    4KB

    Download

  • memory/4952-24-0x0000000001400000-0x0000000001411000-memory.dmp

    Filesize

    68KB

    Download

  • memory/4952-23-0x0000000000400000-0x0000000000429000-memory.dmp

    Filesize

    164KB

    Download

  • memory/4952-21-0x00000000015B0000-0x00000000018FA000-memory.dmp

    Filesize

    3.3MB

    Download

  • memory/4952-18-0x0000000000400000-0x0000000000429000-memory.dmp

    Filesize

    164KB

    Download