xloader | 586401acc75a4f5399beb0d716ccb5ed0fe05e18aeeaa99fef61fd02d6d63389

Analysis

max time kernel
91s
max time network
93s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
08-01-2025 23:52

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

JaffaCakes118_b3976225591d2e9deb13be0795244849.exe
Size

378KB
MD5

b3976225591d2e9deb13be0795244849
SHA1

e20462cc6735566609e86776cf7337e1c80046e5
SHA256

586401acc75a4f5399beb0d716ccb5ed0fe05e18aeeaa99fef61fd02d6d63389
SHA512

fc7af62818ae3792e26f515eed2f741924ad18439e9aba88618637a421cff970a52765d3794e200e564e0a0843c7ad4f752157146b2609a0b7be8a7acba1e363
SSDEEP

6144:ckkdR5XT4Uxk+hN9n3GDlEUyl6SHGYwBP5cK/sFW8E4KSJJ35zR+b:ckERpCCnOfylGxOK/schOzs

Score

10^/10

xloader p4qi discovery loader rat

Malware Config

Extracted

Family

xloader

Version

2.5

Campaign

p4qi

Decoy

muhaart.com

sherwoodrummages.com

asw2utha4l.com

circularsmartcity.com

moebellueckoff.com

bodeguitayolo.com

schotinderoos.com

brandianext.com

shanxichangyou.com

metaversecake.com

fiyatsepetim.com

14ideedumois.com

brillenglas-experte.com

evoprostaf.online

dewaynehotline.com

jadeshelf.com

odhlzujfgl.com

babyboybarozzini.com

inndev.digital

slywnk.com

Signatures

Xloader
Xloader is a rebranded version of Formbook malware.
loader xloader
Xloader family
xloader

Xloader payload 1 IoCs

rat

resource	yara_rule
behavioral2/memory/452-11-0x0000000000400000-0x0000000000429000-memory.dmp	xloader

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 1056 set thread context of 452	1056	JaffaCakes118_b3976225591d2e9deb13be0795244849.exe	97

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_b3976225591d2e9deb13be0795244849.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
1056	JaffaCakes118_b3976225591d2e9deb13be0795244849.exe
1056	JaffaCakes118_b3976225591d2e9deb13be0795244849.exe
452	JaffaCakes118_b3976225591d2e9deb13be0795244849.exe
452	JaffaCakes118_b3976225591d2e9deb13be0795244849.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	1056	JaffaCakes118_b3976225591d2e9deb13be0795244849.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 1056 wrote to memory of 3164	1056	JaffaCakes118_b3976225591d2e9deb13be0795244849.exe	96
PID 1056 wrote to memory of 3164	1056	JaffaCakes118_b3976225591d2e9deb13be0795244849.exe	96
PID 1056 wrote to memory of 3164	1056	JaffaCakes118_b3976225591d2e9deb13be0795244849.exe	96
PID 1056 wrote to memory of 452	1056	JaffaCakes118_b3976225591d2e9deb13be0795244849.exe	97
PID 1056 wrote to memory of 452	1056	JaffaCakes118_b3976225591d2e9deb13be0795244849.exe	97
PID 1056 wrote to memory of 452	1056	JaffaCakes118_b3976225591d2e9deb13be0795244849.exe	97
PID 1056 wrote to memory of 452	1056	JaffaCakes118_b3976225591d2e9deb13be0795244849.exe	97
PID 1056 wrote to memory of 452	1056	JaffaCakes118_b3976225591d2e9deb13be0795244849.exe	97
PID 1056 wrote to memory of 452	1056	JaffaCakes118_b3976225591d2e9deb13be0795244849.exe	97

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_b3976225591d2e9deb13be0795244849.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_b3976225591d2e9deb13be0795244849.exe"
1⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1056
- C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_b3976225591d2e9deb13be0795244849.exe
  "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_b3976225591d2e9deb13be0795244849.exe"
  2⤵
  PID:3164
- C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_b3976225591d2e9deb13be0795244849.exe
  "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_b3976225591d2e9deb13be0795244849.exe"
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:452

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/452-11-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/452-15-0x00000000019E0000-0x0000000001D2A000-memory.dmp

Filesize
3.3MB

Download
memory/452-14-0x00000000019E0000-0x0000000001D2A000-memory.dmp

Filesize
3.3MB

Download
memory/1056-6-0x0000000006120000-0x000000000612E000-memory.dmp

Filesize
56KB

Download
memory/1056-4-0x0000000004C50000-0x0000000004C5A000-memory.dmp

Filesize
40KB

Download
memory/1056-5-0x00000000744B0000-0x0000000074C60000-memory.dmp

Filesize
7.7MB

Download
memory/1056-0-0x00000000744BE000-0x00000000744BF000-memory.dmp

Filesize
4KB

Download
memory/1056-7-0x00000000744BE000-0x00000000744BF000-memory.dmp

Filesize
4KB

Download
memory/1056-8-0x00000000744B0000-0x0000000074C60000-memory.dmp

Filesize
7.7MB

Download
memory/1056-9-0x00000000061D0000-0x000000000626C000-memory.dmp

Filesize
624KB

Download
memory/1056-10-0x0000000006270000-0x00000000062C2000-memory.dmp

Filesize
328KB

Download
memory/1056-3-0x0000000004C90000-0x0000000004D22000-memory.dmp

Filesize
584KB

Download
memory/1056-13-0x00000000744B0000-0x0000000074C60000-memory.dmp

Filesize
7.7MB

Download
memory/1056-2-0x00000000051A0000-0x0000000005744000-memory.dmp

Filesize
5.6MB

Download
memory/1056-1-0x0000000000210000-0x0000000000274000-memory.dmp

Filesize
400KB

Download