xloader | 44dedf5b594d812b996aae7b28fd3489703842b05ff917403f879d728fe15ba0

Analysis

max time kernel
122s
max time network
123s
platform
windows7_x64
resource
win7-20240729-en
resource tags

arch:x64arch:x86image:win7-20240729-enlocale:en-usos:windows7-x64system
submitted
24-11-2024 03:00

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

922d3b88f96c3d714ffa416ad5622f0c_JaffaCakes118.exe
Size

313KB
MD5

922d3b88f96c3d714ffa416ad5622f0c
SHA1

0e88de8bd426fa388be3f56aaeafc9c542398353
SHA256

44dedf5b594d812b996aae7b28fd3489703842b05ff917403f879d728fe15ba0
SHA512

5fa286189485789c9cadc70429ba8dd307716acc2b11e9c6213e6f929d85de4cae81184f29d68fafd20e5250e28455dfc3b915e7b7383c4dc9a20e480d2971b3
SSDEEP

6144:yGEpIphQKVeA/8kApP9Jn73GTrdHqZ13989j0yF20ETHFCRgJ:xEp1JKTrdHq3yw0sH8Rw

Score

10^/10

xloader mpus discovery loader rat

Malware Config

Extracted

Family

xloader

Version

2.3

Campaign

mpus

Decoy

iptcancer.com

jackrabbitpaintllc.com

advancedctech.com

qualitypcth.com

financialfirm.net

tj-troila.asia

torkifood.net

lindsaymanagementgroup.com

ferreiramaquinas.com

handmadebysinead.com

siendotucoach.com

mattinglybrewing.com

bestemployeetests.com

mindenegybenblog.net

longhornbarn.com

jifuopportunity.com

e-studying.com

fuelonwater.com

tokyohotchicken.com

wpactpro.com

Signatures

Xloader
Xloader is a rebranded version of Formbook malware.
loader xloader
Xloader family
xloader

Xloader payload 1 IoCs

rat

resource	yara_rule
behavioral1/memory/2300-3-0x0000000000400000-0x0000000000428000-memory.dmp	xloader

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2584 set thread context of 2300	2584	922d3b88f96c3d714ffa416ad5622f0c_JaffaCakes118.exe	30

Program crash 1 IoCs

pid	pid_target	Process	procid_target
2396	2584	WerFault.exe	29

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	922d3b88f96c3d714ffa416ad5622f0c_JaffaCakes118.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
2300	922d3b88f96c3d714ffa416ad5622f0c_JaffaCakes118.exe

Suspicious behavior: MapViewOfSection 1 IoCs

pid	Process
2584	922d3b88f96c3d714ffa416ad5622f0c_JaffaCakes118.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 2584 wrote to memory of 2300	2584	922d3b88f96c3d714ffa416ad5622f0c_JaffaCakes118.exe	30
PID 2584 wrote to memory of 2300	2584	922d3b88f96c3d714ffa416ad5622f0c_JaffaCakes118.exe	30
PID 2584 wrote to memory of 2300	2584	922d3b88f96c3d714ffa416ad5622f0c_JaffaCakes118.exe	30
PID 2584 wrote to memory of 2300	2584	922d3b88f96c3d714ffa416ad5622f0c_JaffaCakes118.exe	30
PID 2584 wrote to memory of 2300	2584	922d3b88f96c3d714ffa416ad5622f0c_JaffaCakes118.exe	30
PID 2584 wrote to memory of 2396	2584	922d3b88f96c3d714ffa416ad5622f0c_JaffaCakes118.exe	31
PID 2584 wrote to memory of 2396	2584	922d3b88f96c3d714ffa416ad5622f0c_JaffaCakes118.exe	31
PID 2584 wrote to memory of 2396	2584	922d3b88f96c3d714ffa416ad5622f0c_JaffaCakes118.exe	31
PID 2584 wrote to memory of 2396	2584	922d3b88f96c3d714ffa416ad5622f0c_JaffaCakes118.exe	31

C:\Users\Admin\AppData\Local\Temp\922d3b88f96c3d714ffa416ad5622f0c_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\922d3b88f96c3d714ffa416ad5622f0c_JaffaCakes118.exe"
1⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:2584
- C:\Users\Admin\AppData\Local\Temp\922d3b88f96c3d714ffa416ad5622f0c_JaffaCakes118.exe
  "C:\Users\Admin\AppData\Local\Temp\922d3b88f96c3d714ffa416ad5622f0c_JaffaCakes118.exe"
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2300
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 2584 -s 184
  2⤵
  - Program crash
  PID:2396

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/2300-3-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/2584-1-0x0000000000090000-0x0000000000190000-memory.dmp

Filesize
1024KB

Download
memory/2584-2-0x00000000001C0000-0x00000000001C2000-memory.dmp

Filesize
8KB

Download