xloader | 068acc71b449db8c8b13a3b4ae214425b5b37919d465102d53f74b4fed65a027

General

Target

d68fcd5576cca039034fc707cb289e89_JaffaCakes118.exe
Size

887KB
MD5

d68fcd5576cca039034fc707cb289e89
SHA1

153d82297b26fbcf026f4cc456d59233e6827bb7
SHA256

068acc71b449db8c8b13a3b4ae214425b5b37919d465102d53f74b4fed65a027
SHA512

61df5d7ab9c8ddbc54d14da25fc3e098dbc910d46d5b5c46bb6960754dd1554493ab4c8ad8e2b13ef46aff986461f5c8b1ac9ae636ff2414e40be41e925641b7
SSDEEP

12288:ScNjbrdVTjp8yOZsZodjlcRRjpwa4tVjco2vqKEmpt9M3HK7z4zKboASLF:3N3d8PeZkoNuTVj6CApYKSKboF

Score

10^/10

xloader nvq4 discovery loader rat

Malware Config

Extracted

Family

xloader

Version

2.3

Campaign

nvq4

Decoy

emorytxinsurance.com

bastansonatarih.com

ysainasen.com

hillbilliesunite.net

lshuinai.com

consultpapers.com

digontorekha.com

diaobi.net

moonlightclayco.com

sh-junshen.com

maksavit.site

ushasoftbd.com

vienesacarnicos.com

milkonphone.com

lifeinthelineofduty.com

blackamericanoutlaw.com

wonkrushop.com

elearnium.com

scottbruce.info

anantaonline.com

Signatures

Xloader
Xloader is a rebranded version of Formbook malware.
loader xloader
Xloader family
xloader

Xloader payload 3 IoCs

rat

resource	yara_rule
behavioral2/memory/828-18-0x0000000000400000-0x0000000000428000-memory.dmp	xloader
behavioral2/memory/828-23-0x0000000000400000-0x0000000000428000-memory.dmp	xloader
behavioral2/memory/3920-28-0x0000000000600000-0x0000000000628000-memory.dmp	xloader

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation	d68fcd5576cca039034fc707cb289e89_JaffaCakes118.exe

Suspicious use of SetThreadContext 3 IoCs

description	pid	Process	procid_target
PID 1788 set thread context of 828	1788	d68fcd5576cca039034fc707cb289e89_JaffaCakes118.exe	93
PID 828 set thread context of 3420	828	RegSvcs.exe	56
PID 3920 set thread context of 3420	3920	cscript.exe	56

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	d68fcd5576cca039034fc707cb289e89_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cscript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
444	schtasks.exe

Suspicious behavior: EnumeratesProcesses 47 IoCs

pid	Process
1788	d68fcd5576cca039034fc707cb289e89_JaffaCakes118.exe
828	RegSvcs.exe
828	RegSvcs.exe
828	RegSvcs.exe
828	RegSvcs.exe
3920	cscript.exe
3920	cscript.exe
3920	cscript.exe
3920	cscript.exe
3920	cscript.exe
3920	cscript.exe
3920	cscript.exe
3920	cscript.exe
3920	cscript.exe
3920	cscript.exe
3920	cscript.exe
3920	cscript.exe
3920	cscript.exe
3920	cscript.exe
3920	cscript.exe
3920	cscript.exe
3920	cscript.exe
3920	cscript.exe
3920	cscript.exe
3920	cscript.exe
3920	cscript.exe
3920	cscript.exe
3920	cscript.exe
3920	cscript.exe
3920	cscript.exe
3920	cscript.exe
3920	cscript.exe
3920	cscript.exe
3920	cscript.exe
3920	cscript.exe
3920	cscript.exe
3920	cscript.exe
3920	cscript.exe
3920	cscript.exe
3920	cscript.exe
3920	cscript.exe
3920	cscript.exe
3920	cscript.exe
3920	cscript.exe
3920	cscript.exe
3920	cscript.exe
3920	cscript.exe

Suspicious behavior: MapViewOfSection 5 IoCs

pid	Process
828	RegSvcs.exe
828	RegSvcs.exe
828	RegSvcs.exe
3920	cscript.exe
3920	cscript.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	1788	d68fcd5576cca039034fc707cb289e89_JaffaCakes118.exe
Token: SeDebugPrivilege	828	RegSvcs.exe
Token: SeDebugPrivilege	3920	cscript.exe

Suspicious use of WriteProcessMemory 15 IoCs

description	pid	Process	procid_target
PID 1788 wrote to memory of 444	1788	d68fcd5576cca039034fc707cb289e89_JaffaCakes118.exe	91
PID 1788 wrote to memory of 444	1788	d68fcd5576cca039034fc707cb289e89_JaffaCakes118.exe	91
PID 1788 wrote to memory of 444	1788	d68fcd5576cca039034fc707cb289e89_JaffaCakes118.exe	91
PID 1788 wrote to memory of 828	1788	d68fcd5576cca039034fc707cb289e89_JaffaCakes118.exe	93
PID 1788 wrote to memory of 828	1788	d68fcd5576cca039034fc707cb289e89_JaffaCakes118.exe	93
PID 1788 wrote to memory of 828	1788	d68fcd5576cca039034fc707cb289e89_JaffaCakes118.exe	93
PID 1788 wrote to memory of 828	1788	d68fcd5576cca039034fc707cb289e89_JaffaCakes118.exe	93
PID 1788 wrote to memory of 828	1788	d68fcd5576cca039034fc707cb289e89_JaffaCakes118.exe	93
PID 1788 wrote to memory of 828	1788	d68fcd5576cca039034fc707cb289e89_JaffaCakes118.exe	93
PID 3420 wrote to memory of 3920	3420	Explorer.EXE	94
PID 3420 wrote to memory of 3920	3420	Explorer.EXE	94
PID 3420 wrote to memory of 3920	3420	Explorer.EXE	94
PID 3920 wrote to memory of 3060	3920	cscript.exe	95
PID 3920 wrote to memory of 3060	3920	cscript.exe	95
PID 3920 wrote to memory of 3060	3920	cscript.exe	95

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious use of WriteProcessMemory
PID:3420
- C:\Users\Admin\AppData\Local\Temp\d68fcd5576cca039034fc707cb289e89_JaffaCakes118.exe
  "C:\Users\Admin\AppData\Local\Temp\d68fcd5576cca039034fc707cb289e89_JaffaCakes118.exe"
  2⤵
  - Checks computer location settings
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1788
- - C:\Windows\SysWOW64\schtasks.exe
    "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\ODEaOSinO" /XML "C:\Users\Admin\AppData\Local\Temp\tmp3AB2.tmp"
    3⤵
    - System Location Discovery: System Language Discovery
    - Scheduled Task/Job: Scheduled Task
    PID:444
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
    3⤵
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of AdjustPrivilegeToken
    PID:828
- C:\Windows\SysWOW64\cscript.exe
  "C:\Windows\SysWOW64\cscript.exe"
  2⤵
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:3920
- - C:\Windows\SysWOW64\cmd.exe
    /c del "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:3060

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

1

T1053

Scheduled Task

1

T1053.005

Persistence

Scheduled Task/Job

1

T1053

Scheduled Task

1

T1053.005

Privilege Escalation

Scheduled Task/Job

1

T1053

Scheduled Task

1

T1053.005

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmp3AB2.tmp

Filesize
1KB

MD5
3c7bac105c70316b667a8ad7ac7bcd26

SHA1
317b2bdadc960a0fac6450aade95903c105f5598

SHA256
654b412b435b4d3b5c3c3d735d5b59ab608f1affacbc45842e5d69e86bd1d2d4

SHA512
cc6127c17baf07a94f4751c938607ad73f1e3b8dcbbfb763c037468a0df550f207c969acc70d73c72a380d18caac14eaba7835a735645dca1c0b957771d68de8

Download Submit
memory/828-23-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/828-24-0x0000000000F40000-0x0000000000F50000-memory.dmp

Filesize
64KB

Download
memory/828-21-0x00000000014E0000-0x000000000182A000-memory.dmp

Filesize
3.3MB

Download
memory/828-18-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/1788-6-0x00000000749C0000-0x0000000075170000-memory.dmp

Filesize
7.7MB

Download
memory/1788-3-0x0000000005D70000-0x0000000006314000-memory.dmp

Filesize
5.6MB

Download
memory/1788-7-0x0000000005A60000-0x0000000005AB6000-memory.dmp

Filesize
344KB

Download
memory/1788-8-0x0000000005C40000-0x0000000005C56000-memory.dmp

Filesize
88KB

Download
memory/1788-9-0x00000000749CE000-0x00000000749CF000-memory.dmp

Filesize
4KB

Download
memory/1788-10-0x00000000749C0000-0x0000000075170000-memory.dmp

Filesize
7.7MB

Download
memory/1788-11-0x0000000007340000-0x00000000073DE000-memory.dmp

Filesize
632KB

Download
memory/1788-12-0x00000000099A0000-0x00000000099CE000-memory.dmp

Filesize
184KB

Download
memory/1788-5-0x00000000057F0000-0x00000000057FA000-memory.dmp

Filesize
40KB

Download
memory/1788-4-0x0000000005860000-0x00000000058F2000-memory.dmp

Filesize
584KB

Download
memory/1788-20-0x00000000749C0000-0x0000000075170000-memory.dmp

Filesize
7.7MB

Download
memory/1788-0-0x00000000749CE000-0x00000000749CF000-memory.dmp

Filesize
4KB

Download
memory/1788-2-0x0000000005720000-0x00000000057BC000-memory.dmp

Filesize
624KB

Download
memory/1788-1-0x0000000000CC0000-0x0000000000DA2000-memory.dmp

Filesize
904KB

Download
memory/3420-25-0x0000000003140000-0x00000000031ED000-memory.dmp

Filesize
692KB

Download
memory/3420-29-0x0000000003140000-0x00000000031ED000-memory.dmp

Filesize
692KB

Download
memory/3420-33-0x00000000031F0000-0x00000000032A6000-memory.dmp

Filesize
728KB

Download
memory/3420-34-0x00000000031F0000-0x00000000032A6000-memory.dmp

Filesize
728KB

Download
memory/3420-36-0x00000000031F0000-0x00000000032A6000-memory.dmp

Filesize
728KB

Download
memory/3920-27-0x0000000000190000-0x00000000001B7000-memory.dmp

Filesize
156KB

Download
memory/3920-26-0x0000000000190000-0x00000000001B7000-memory.dmp

Filesize
156KB

Download
memory/3920-28-0x0000000000600000-0x0000000000628000-memory.dmp

Filesize
160KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads