xloader | 37a101ec34e0a952b841554cd7e9f78091166c8e6c5f352da65fbabdaf7ec146

Analysis

max time kernel
122s
max time network
123s
platform
windows7_x64
resource
win7-20241023-en
resource tags

arch:x64arch:x86image:win7-20241023-enlocale:en-usos:windows7-x64system
submitted
09-01-2025 20:02

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

JaffaCakes118_d118b4c9ab86717e36c9f2fc6bf7be56.exe
Size

616KB
MD5

d118b4c9ab86717e36c9f2fc6bf7be56
SHA1

bd4f36443ef11158caf0bd2c6c932fdc1d6903dc
SHA256

37a101ec34e0a952b841554cd7e9f78091166c8e6c5f352da65fbabdaf7ec146
SHA512

f6b87599e4b8681202d7c6f1e0d7e6a061fcb958e380108afed70f8c1a78809d984b2dc2ed9e8bed079c32c084b409cf26c70c75268901080a5e0ff1259fa7a6
SSDEEP

12288:7ypMe9AlMc2737t1dqsBl+7V7kPH/kpJQ59D6uuPbJ0TbCNjg:7xB2737tzqs67bQ5J6uuPbJ8Cjg

Score

10^/10

xloader hqvn discovery loader rat

Malware Config

Extracted

Family

xloader

Version

2.5

Campaign

hqvn

Decoy

foodhub-pay-link.com

signalplusnigeria.com

unprocreated.info

fondidal1936.com

opendialogmonaco.com

labessentials.xyz

scientechic.com

lakesidepointeatlakenorman.com

teklis.biz

jibberes.info

dellere.com

camaras.store

car2govancouver.com

maximizer.icu

morningafterskin.com

kode-buy.com

stogecoin.com

grv.digital

weihao-autoparts.com

jhaww.com

Signatures

Xloader
Xloader is a rebranded version of Formbook malware.
loader xloader
Xloader family
xloader

Xloader payload 1 IoCs

rat

resource	yara_rule
behavioral1/memory/1048-2-0x0000000000400000-0x0000000000429000-memory.dmp	xloader

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 1656 set thread context of 1048	1656	JaffaCakes118_d118b4c9ab86717e36c9f2fc6bf7be56.exe	30

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_d118b4c9ab86717e36c9f2fc6bf7be56.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
1048	JaffaCakes118_d118b4c9ab86717e36c9f2fc6bf7be56.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
1656	JaffaCakes118_d118b4c9ab86717e36c9f2fc6bf7be56.exe

Suspicious use of WriteProcessMemory 7 IoCs

description	pid	Process	procid_target
PID 1656 wrote to memory of 1048	1656	JaffaCakes118_d118b4c9ab86717e36c9f2fc6bf7be56.exe	30
PID 1656 wrote to memory of 1048	1656	JaffaCakes118_d118b4c9ab86717e36c9f2fc6bf7be56.exe	30
PID 1656 wrote to memory of 1048	1656	JaffaCakes118_d118b4c9ab86717e36c9f2fc6bf7be56.exe	30
PID 1656 wrote to memory of 1048	1656	JaffaCakes118_d118b4c9ab86717e36c9f2fc6bf7be56.exe	30
PID 1656 wrote to memory of 1048	1656	JaffaCakes118_d118b4c9ab86717e36c9f2fc6bf7be56.exe	30
PID 1656 wrote to memory of 1048	1656	JaffaCakes118_d118b4c9ab86717e36c9f2fc6bf7be56.exe	30
PID 1656 wrote to memory of 1048	1656	JaffaCakes118_d118b4c9ab86717e36c9f2fc6bf7be56.exe	30

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_d118b4c9ab86717e36c9f2fc6bf7be56.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_d118b4c9ab86717e36c9f2fc6bf7be56.exe"
1⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1656
- C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_d118b4c9ab86717e36c9f2fc6bf7be56.exe
  "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_d118b4c9ab86717e36c9f2fc6bf7be56.exe"
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1048

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1048-2-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download