Overview

overview

10

Static

static

3

JaffaCakes...4c.exe

windows7-x64

10

JaffaCakes...4c.exe

windows10-2004-x64

7

$PLUGINSDI...ga.dll

windows7-x64

10

$PLUGINSDI...ga.dll

windows10-2004-x64

3

Analysis

  • max time kernel
    147s
  • max time network
    122s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
  • submitted
    06-01-2025 16:03

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    $PLUGINSDIR/hkdklixzga.dll

  • Size

    19KB

  • MD5

    fe53df25d11886ebd5c24164328ca8bf

  • SHA1

    3d051e82d0bd8bbd4c5647ab11a36e8fe0407631

  • SHA256

    d3827d83d541e98cff0bb89a27c2db75e59b62ed57a934cc8c9e6a9623864716

  • SHA512

    578a786ea59572ae33b245314493bfda501eadde6bfcad2e20fd45e39e7d2e6e237403ed912f38aebd3fa79c582f27e7846f0896e22e01d1e276abcb8b32eecc

  • SSDEEP

    192:JPEvK1NldFntndU2KQb3s63lfap1J24HrrdbY2T2/pa7Na7x36Af6TdzFIiqsXQ/:xEC1rdFtdUsnap1o4HOXpa7hAClH4f

Score
10/10
xloaderu5ehdiscoveryloaderrat

Malware Config

Extracted

Family

xloader

Version

2.5

Campaign

u5eh

Decoy

tryafaq.com

bobcathntshop.com

oglead.com

026skz.xyz

brasbux.com

adna17.com

noveltyrofjiy.xyz

realestatecompanys.com

leman-web.com

df5686.com

jonathonhawkins.com

juliedominyfloralartistry.com

classyeventsco.com

aquaticatt.com

iotworld.xyz

hoc8.com

disposablediapers.store

peregovorim.online

advancebits.club

getaburialplan.com

Signatures

  • Xloader

    Xloader is a rebranded version of Formbook malware.

    loaderxloader
  • Xloader family
    xloader
  • Xloader payload 3 IoCs
    rat
  • Suspicious use of SetThreadContext 3 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Suspicious behavior: EnumeratesProcesses 31 IoCs
  • Suspicious behavior: MapViewOfSection 5 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 28 IoCs

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:1144
    • C:\Windows\system32\rundll32.exe
      rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\hkdklixzga.dll,#1
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:2244
      • C:\Windows\SysWOW64\rundll32.exe
        rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\hkdklixzga.dll,#1
        3⤵
        • Suspicious use of SetThreadContext
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:1416
        • C:\Windows\SysWOW64\rundll32.exe
          rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\hkdklixzga.dll,#1
          4⤵
          • Suspicious use of SetThreadContext
          • System Location Discovery: System Language Discovery
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious behavior: MapViewOfSection
          • Suspicious use of AdjustPrivilegeToken
          PID:2312
    • C:\Windows\SysWOW64\cmstp.exe
      "C:\Windows\SysWOW64\cmstp.exe"
      2⤵
      • Suspicious use of SetThreadContext
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious behavior: MapViewOfSection
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:2080
      • C:\Windows\SysWOW64\cmd.exe
        /c del "C:\Windows\SysWOW64\rundll32.exe"
        3⤵
        • System Location Discovery: System Language Discovery
        PID:1048

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • memory/1144-7-0x00000000048B0000-0x0000000004A0D000-memory.dmp

    Filesize

    1.4MB

    Download

  • memory/1144-11-0x00000000048B0000-0x0000000004A0D000-memory.dmp

    Filesize

    1.4MB

    Download

  • memory/1416-0-0x0000000075105000-0x0000000075107000-memory.dmp

    Filesize

    8KB

    Download

  • memory/2080-8-0x0000000000E10000-0x0000000000E28000-memory.dmp

    Filesize

    96KB

    Download

  • memory/2080-9-0x0000000000E10000-0x0000000000E28000-memory.dmp

    Filesize

    96KB

    Download

  • memory/2080-10-0x0000000000090000-0x00000000000B9000-memory.dmp

    Filesize

    164KB

    Download

  • memory/2312-1-0x0000000000400000-0x0000000000429000-memory.dmp

    Filesize

    164KB

    Download

  • memory/2312-2-0x0000000002240000-0x0000000002543000-memory.dmp

    Filesize

    3.0MB

    Download

  • memory/2312-5-0x0000000000230000-0x0000000000241000-memory.dmp

    Filesize

    68KB

    Download

  • memory/2312-4-0x0000000000400000-0x0000000000429000-memory.dmp

    Filesize

    164KB

    Download