Overview

overview

10

Static

static

3

095d3e149a...18.exe

windows7-x64

10

095d3e149a...18.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    147s
  • max time network
    152s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240508-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
  • submitted
    24-06-2024 15:37

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    095d3e149a73c5daa7da04428ee3d561_JaffaCakes118.exe

  • Size

    345KB

  • MD5

    095d3e149a73c5daa7da04428ee3d561

  • SHA1

    a2bee1c142d50ef4f821e30eae5a1a30efa8f009

  • SHA256

    a8fe6d7fa624e8e96f71d3ff6375a012b44b51f06179feb7cef8c33fd6d38570

  • SHA512

    69912e46c134c99f03af4dbc9dd9dbd7da100e56c513d7be6f92d38a69eae2094c85aab239dff41d5a84dfe3e92dc730e0653f74e668e556d9c84d4ad677b650

  • SSDEEP

    6144:vv0M3Nkx/86kMUoM4fonNsK1UQR24dkyc1QCPBvHgy8DPlJB7F9GzypL1yO42s2b:vcM3H6kM7gnRBR24yRPBPgy8DNFwe7ya

Score
10/10
xloaderm3deloaderrat

Malware Config

Extracted

Family

xloader

Version

2.3

Campaign

m3de

Decoy

ad-unity.com

republicans2032.com

blackculturewriters.com

wallnewphoto.com

etripideas.com

solarphlare.com

consultoranexo.com

hayasalon.com

pillowcasefactory.club

service-manbzcsexer.com

medicinerx.today

oliviarescigno.com

tomcruise.club

tetsim.com

atonalai.net

malcomsons.com

straitskids.com

luca-cci.com

pero.financial

wowbdshop.com

Signatures

  • Xloader

    Xloader is a rebranded version of Formbook malware.

    loaderxloader
  • Core1 .NET packer 1 IoCs

    Detects packer/loader used by .NET malware.

  • Xloader payload 4 IoCs
    rat
  • Suspicious use of SetThreadContext 3 IoCs
  • Suspicious behavior: EnumeratesProcesses 62 IoCs
  • Suspicious behavior: MapViewOfSection 5 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of FindShellTrayWindow 3 IoCs
  • Suspicious use of SendNotifyMessage 3 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    • Suspicious use of WriteProcessMemory
    PID:3520
    • C:\Users\Admin\AppData\Local\Temp\095d3e149a73c5daa7da04428ee3d561_JaffaCakes118.exe
      "C:\Users\Admin\AppData\Local\Temp\095d3e149a73c5daa7da04428ee3d561_JaffaCakes118.exe"
      2⤵
      • Suspicious use of SetThreadContext
      • Suspicious use of WriteProcessMemory
      PID:3896
      • C:\Windows\SysWow64\svchost.exe
        "C:\\Windows\\SysWow64\\svchost.exe"
        3⤵
        • Suspicious use of SetThreadContext
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious behavior: MapViewOfSection
        • Suspicious use of AdjustPrivilegeToken
        PID:952
    • C:\Windows\SysWOW64\svchost.exe
      "C:\Windows\SysWOW64\svchost.exe"
      2⤵
      • Suspicious use of SetThreadContext
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious behavior: MapViewOfSection
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:4040
      • C:\Windows\SysWOW64\cmd.exe
        /c del "C:\Windows\SysWow64\svchost.exe"
        3⤵
          PID:4608

    Network

    MITRE ATT&CK Matrix

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • memory/952-13-0x0000000000400000-0x0000000000428000-memory.dmp
      Filesize

      160KB

      Download
    • memory/952-11-0x0000000001400000-0x000000000174A000-memory.dmp
      Filesize

      3.3MB

      Download
    • memory/952-12-0x0000000001130000-0x0000000001140000-memory.dmp
      Filesize

      64KB

      Download
    • memory/3520-27-0x00000000086F0000-0x0000000008824000-memory.dmp
      Filesize

      1.2MB

      Download
    • memory/3520-24-0x00000000086F0000-0x0000000008824000-memory.dmp
      Filesize

      1.2MB

      Download
    • memory/3520-23-0x00000000086F0000-0x0000000008824000-memory.dmp
      Filesize

      1.2MB

      Download
    • memory/3520-20-0x000000000AA40000-0x000000000ABAE000-memory.dmp
      Filesize

      1.4MB

      Download
    • memory/3520-14-0x000000000AA40000-0x000000000ABAE000-memory.dmp
      Filesize

      1.4MB

      Download
    • memory/3896-4-0x0000000000F40000-0x0000000000F56000-memory.dmp
      Filesize

      88KB

      Download
    • memory/3896-9-0x00007FFCFA420000-0x00007FFCFAEE1000-memory.dmp
      Filesize

      10.8MB

      Download
    • memory/3896-6-0x00007FFCFA420000-0x00007FFCFAEE1000-memory.dmp
      Filesize

      10.8MB

      Download
    • memory/3896-5-0x00000000011F0000-0x00000000011F4000-memory.dmp
      Filesize

      16KB

      Download
    • memory/3896-0-0x00007FFCFA423000-0x00007FFCFA425000-memory.dmp
      Filesize

      8KB

      Download
    • memory/3896-3-0x00000000011F0000-0x0000000001218000-memory.dmp
      Filesize

      160KB

      Download
    • memory/3896-2-0x0000000000EE0000-0x0000000000F22000-memory.dmp
      Filesize

      264KB

      Download
    • memory/3896-1-0x00000000005F0000-0x000000000064A000-memory.dmp
      Filesize

      360KB

      Download
    • memory/4040-17-0x00000000004C0000-0x00000000004CE000-memory.dmp
      Filesize

      56KB

      Download
    • memory/4040-15-0x00000000004C0000-0x00000000004CE000-memory.dmp
      Filesize

      56KB

      Download
    • memory/4040-18-0x00000000001D0000-0x00000000001F8000-memory.dmp
      Filesize

      160KB

      Download