xloader | 94ab46851c076f66017869f7ac4a50f9225e688d894010110fcd4839f138b949

General

Target

ec234effdb4a0bf8257f2bb41fd784aa_JaffaCakes118.exe
Size

312KB
MD5

ec234effdb4a0bf8257f2bb41fd784aa
SHA1

7fce8adcb4821ba20ac33520f0c4f4690d258f75
SHA256

94ab46851c076f66017869f7ac4a50f9225e688d894010110fcd4839f138b949
SHA512

f44777c79fa8edb8d7b8beef91005d9cb08ca77950e54aff39c397f04d47d6fb2b5b89bfa4b98f2f44ce0d4a0ffb5342f2c98c4e43acc964e57643a6011a0673
SSDEEP

6144:3+9boAXQe4AUF8oI9cAiDFNCVdKrLt2J8L:apUF81cAACi/t

Score

10^/10

xloader att3 discovery loader rat

Malware Config

Extracted

Family

xloader

Version

2.3

Campaign

att3

Decoy

oakbridgefundservices.com

fancyforts.com

coisadoce.com

learnfrommymentor.com

digitalgurughana.com

phk0.com

jantiprojeekspertiz.com

xiabyhuc.com

todayonly8.info

pgzapgmn.icu

sistemasarafranco.com

nest-estudio.com

2259.xyz

kenobi.tech

mortgageloansbyjeff.com

thameensa.com

navigators.digital

ecocleanmalta.com

advancedrecyclinginc.com

pmotriz.com

Signatures

Xloader
Xloader is a rebranded version of Formbook malware.
loader xloader
Xloader family
xloader

Xloader payload 1 IoCs

rat

resource	yara_rule
behavioral1/memory/2940-38-0x0000000000400000-0x0000000000429000-memory.dmp	xloader

Drops startup file 2 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Sysapp.exe	PowerShell.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Sysapp.exe	PowerShell.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2128 set thread context of 2940	2128	ec234effdb4a0bf8257f2bb41fd784aa_JaffaCakes118.exe	33

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ec234effdb4a0bf8257f2bb41fd784aa_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PowerShell.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
2940	ec234effdb4a0bf8257f2bb41fd784aa_JaffaCakes118.exe
2508	PowerShell.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	2128	ec234effdb4a0bf8257f2bb41fd784aa_JaffaCakes118.exe
Token: SeDebugPrivilege	2508	PowerShell.exe

Suspicious use of WriteProcessMemory 11 IoCs

description	pid	Process	procid_target
PID 2128 wrote to memory of 2508	2128	ec234effdb4a0bf8257f2bb41fd784aa_JaffaCakes118.exe	31
PID 2128 wrote to memory of 2508	2128	ec234effdb4a0bf8257f2bb41fd784aa_JaffaCakes118.exe	31
PID 2128 wrote to memory of 2508	2128	ec234effdb4a0bf8257f2bb41fd784aa_JaffaCakes118.exe	31
PID 2128 wrote to memory of 2508	2128	ec234effdb4a0bf8257f2bb41fd784aa_JaffaCakes118.exe	31
PID 2128 wrote to memory of 2940	2128	ec234effdb4a0bf8257f2bb41fd784aa_JaffaCakes118.exe	33
PID 2128 wrote to memory of 2940	2128	ec234effdb4a0bf8257f2bb41fd784aa_JaffaCakes118.exe	33
PID 2128 wrote to memory of 2940	2128	ec234effdb4a0bf8257f2bb41fd784aa_JaffaCakes118.exe	33
PID 2128 wrote to memory of 2940	2128	ec234effdb4a0bf8257f2bb41fd784aa_JaffaCakes118.exe	33
PID 2128 wrote to memory of 2940	2128	ec234effdb4a0bf8257f2bb41fd784aa_JaffaCakes118.exe	33
PID 2128 wrote to memory of 2940	2128	ec234effdb4a0bf8257f2bb41fd784aa_JaffaCakes118.exe	33
PID 2128 wrote to memory of 2940	2128	ec234effdb4a0bf8257f2bb41fd784aa_JaffaCakes118.exe	33

C:\Users\Admin\AppData\Local\Temp\ec234effdb4a0bf8257f2bb41fd784aa_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\ec234effdb4a0bf8257f2bb41fd784aa_JaffaCakes118.exe"
1⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2128
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\PowerShell.exe
  "PowerShell" copy-item 'C:\Users\Admin\AppData\Local\Temp\ec234effdb4a0bf8257f2bb41fd784aa_JaffaCakes118.exe' 'C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Sysapp.exe'
  2⤵
  - Drops startup file
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2508
- C:\Users\Admin\AppData\Local\Temp\ec234effdb4a0bf8257f2bb41fd784aa_JaffaCakes118.exe
  "C:\Users\Admin\AppData\Local\Temp\ec234effdb4a0bf8257f2bb41fd784aa_JaffaCakes118.exe"
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2940

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/2128-8-0x00000000002A0000-0x00000000002B5000-memory.dmp

Filesize
84KB

Download
memory/2128-28-0x00000000002A0000-0x00000000002B5000-memory.dmp

Filesize
84KB

Download
memory/2128-0-0x0000000074ECE000-0x0000000074ECF000-memory.dmp

Filesize
4KB

Download
memory/2128-5-0x00000000002A0000-0x00000000002B5000-memory.dmp

Filesize
84KB

Download
memory/2128-6-0x00000000002A0000-0x00000000002B5000-memory.dmp

Filesize
84KB

Download
memory/2128-26-0x00000000002A0000-0x00000000002B5000-memory.dmp

Filesize
84KB

Download
memory/2128-24-0x00000000002A0000-0x00000000002B5000-memory.dmp

Filesize
84KB

Download
memory/2128-22-0x00000000002A0000-0x00000000002B5000-memory.dmp

Filesize
84KB

Download
memory/2128-20-0x00000000002A0000-0x00000000002B5000-memory.dmp

Filesize
84KB

Download
memory/2128-18-0x00000000002A0000-0x00000000002B5000-memory.dmp

Filesize
84KB

Download
memory/2128-16-0x00000000002A0000-0x00000000002B5000-memory.dmp

Filesize
84KB

Download
memory/2128-44-0x0000000074EC0000-0x00000000755AE000-memory.dmp

Filesize
6.9MB

Download
memory/2128-12-0x00000000002A0000-0x00000000002B5000-memory.dmp

Filesize
84KB

Download
memory/2128-10-0x00000000002A0000-0x00000000002B5000-memory.dmp

Filesize
84KB

Download
memory/2128-4-0x00000000002A0000-0x00000000002BC000-memory.dmp

Filesize
112KB

Download
memory/2128-1-0x0000000000390000-0x00000000003E4000-memory.dmp

Filesize
336KB

Download
memory/2128-14-0x00000000002A0000-0x00000000002B5000-memory.dmp

Filesize
84KB

Download
memory/2128-34-0x0000000074EC0000-0x00000000755AE000-memory.dmp

Filesize
6.9MB

Download
memory/2128-37-0x00000000003F0000-0x00000000003F1000-memory.dmp

Filesize
4KB

Download
memory/2508-39-0x0000000070801000-0x0000000070802000-memory.dmp

Filesize
4KB

Download
memory/2508-36-0x0000000070802000-0x0000000070804000-memory.dmp

Filesize
8KB

Download
memory/2508-41-0x0000000070800000-0x0000000070DAB000-memory.dmp

Filesize
5.7MB

Download
memory/2508-43-0x0000000070800000-0x0000000070DAB000-memory.dmp

Filesize
5.7MB

Download
memory/2508-35-0x0000000002B90000-0x0000000002BD0000-memory.dmp

Filesize
256KB

Download
memory/2940-38-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2940-40-0x0000000000970000-0x0000000000C73000-memory.dmp

Filesize
3.0MB

Download
memory/2940-31-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2940-30-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2940-29-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download

Analysis

Sharing