Analysis
max time kernel: 146s
max time network: 158s
platform: windows10-2004_x64
resource: win10v2004-20240226-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240226-en, locale:en-us, os:windows10-2004-x64, system
submitted: 06-04-2024 22:04
Static task: static1
Behavioral task: behavioral1
  Sample: e3638eb021abab9b63f1c8cc03875fc2_JaffaCakes118.exe
  Resource: win7-20240319-en
Behavioral task: behavioral2
  Sample: e3638eb021abab9b63f1c8cc03875fc2_JaffaCakes118.exe
  Resource: win10v2004-20240226-en
General
Target: e3638eb021abab9b63f1c8cc03875fc2_JaffaCakes118.exe
Size: 328KB
MD5: e3638eb021abab9b63f1c8cc03875fc2
SHA1: 2cf98c18d71f99b2c3956bfb2138652e724cac01
SHA256: 119083152acde86fc8c2dc8099732dbe039e7f136535a61bced6d7c6c3197857
SHA512: 1e0549568385d0a0fced59cf5a2f5f173440f6b72d2cca2b0e71a164e45dc1877321d8afb50579cb2d213c2db24d7e0f893b83e6130e83e72f181f38aa086707
SSDEEP: 3072:lEa7mT5oh6vnFAiEhV78dB7uA2ZaHU+PUPaTbn1CMUah:la1RU
Malware Config
Extracted
xtremerat
jbxxx.no-ip.biz
Signatures
- Detect XtremeRAT payload (5 IoCs)
Processes:
resource | yara_rule
behavioral2/memory/3780-5-0x0000000010000000-0x000000001004B000-memory.dmp | family_xtremerat
behavioral2/memory/3780-6-0x0000000010000000-0x000000001004B000-memory.dmp | family_xtremerat
behavioral2/memory/1596-7-0x0000000010000000-0x000000001004B000-memory.dmp | family_xtremerat
behavioral2/memory/3780-8-0x0000000010000000-0x000000001004B000-memory.dmp | family_xtremerat
behavioral2/memory/1596-9-0x0000000010000000-0x000000001004B000-memory.dmp | family_xtremerat
- XtremeRAT
XtremeRAT was developed by xtremecoder, has been available since at least 2010, and is written in Delphi.
- UPX yara matches (7 IoCs)
Processes:
resource | yara_rule
behavioral2/memory/3780-2-0x0000000010000000-0x000000001004B000-memory.dmp | upx
behavioral2/memory/3780-4-0x0000000010000000-0x000000001004B000-memory.dmp | upx
behavioral2/memory/3780-5-0x0000000010000000-0x000000001004B000-memory.dmp | upx
behavioral2/memory/3780-6-0x0000000010000000-0x000000001004B000-memory.dmp | upx
behavioral2/memory/1596-7-0x0000000010000000-0x000000001004B000-memory.dmp | upx
behavioral2/memory/3780-8-0x0000000010000000-0x000000001004B000-memory.dmp | upx
behavioral2/memory/1596-9-0x0000000010000000-0x000000001004B000-memory.dmp | upx
- Suspicious use of SetThreadContext (1 IoCs)
Processes:
description | pid | process | target process
PID 2688 set thread context of 3780 | 2688 | e3638eb021abab9b63f1c8cc03875fc2_JaffaCakes118.exe | e3638eb021abab9b63f1c8cc03875fc2_JaffaCakes118.exe
- Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).
- Program crash (2 IoCs)
Processes:
pid | pid_target | process | target process
1844 | 1596 | WerFault.exe | svchost.exe
3596 | 1596 | WerFault.exe | svchost.exe
- Suspicious use of SetWindowsHookEx (1 IoCs)
Processes:
pid | process
2688 | e3638eb021abab9b63f1c8cc03875fc2_JaffaCakes118.exe
- Suspicious use of WriteProcessMemory (15 IoCs)
Processes:
description | pid | process | target process
PID 2688 wrote to memory of 3780 | 2688 | e3638eb021abab9b63f1c8cc03875fc2_JaffaCakes118.exe | e3638eb021abab9b63f1c8cc03875fc2_JaffaCakes118.exe
PID 2688 wrote to memory of 3780 | 2688 | e3638eb021abab9b63f1c8cc03875fc2_JaffaCakes118.exe | e3638eb021abab9b63f1c8cc03875fc2_JaffaCakes118.exe
PID 2688 wrote to memory of 3780 | 2688 | e3638eb021abab9b63f1c8cc03875fc2_JaffaCakes118.exe | e3638eb021abab9b63f1c8cc03875fc2_JaffaCakes118.exe
PID 2688 wrote to memory of 3780 | 2688 | e3638eb021abab9b63f1c8cc03875fc2_JaffaCakes118.exe | e3638eb021abab9b63f1c8cc03875fc2_JaffaCakes118.exe
PID 2688 wrote to memory of 3780 | 2688 | e3638eb021abab9b63f1c8cc03875fc2_JaffaCakes118.exe | e3638eb021abab9b63f1c8cc03875fc2_JaffaCakes118.exe
PID 2688 wrote to memory of 3780 | 2688 | e3638eb021abab9b63f1c8cc03875fc2_JaffaCakes118.exe | e3638eb021abab9b63f1c8cc03875fc2_JaffaCakes118.exe
PID 2688 wrote to memory of 3780 | 2688 | e3638eb021abab9b63f1c8cc03875fc2_JaffaCakes118.exe | e3638eb021abab9b63f1c8cc03875fc2_JaffaCakes118.exe
PID 2688 wrote to memory of 3780 | 2688 | e3638eb021abab9b63f1c8cc03875fc2_JaffaCakes118.exe | e3638eb021abab9b63f1c8cc03875fc2_JaffaCakes118.exe
PID 3780 wrote to memory of 1596 | 3780 | e3638eb021abab9b63f1c8cc03875fc2_JaffaCakes118.exe | svchost.exe
PID 3780 wrote to memory of 1596 | 3780 | e3638eb021abab9b63f1c8cc03875fc2_JaffaCakes118.exe | svchost.exe
PID 3780 wrote to memory of 1596 | 3780 | e3638eb021abab9b63f1c8cc03875fc2_JaffaCakes118.exe | svchost.exe
PID 3780 wrote to memory of 1596 | 3780 | e3638eb021abab9b63f1c8cc03875fc2_JaffaCakes118.exe | svchost.exe
PID 3780 wrote to memory of 4136 | 3780 | e3638eb021abab9b63f1c8cc03875fc2_JaffaCakes118.exe | msedge.exe
PID 3780 wrote to memory of 4136 | 3780 | e3638eb021abab9b63f1c8cc03875fc2_JaffaCakes118.exe | msedge.exe
PID 3780 wrote to memory of 4136 | 3780 | e3638eb021abab9b63f1c8cc03875fc2_JaffaCakes118.exe | msedge.exe
Processes
C:\Users\Admin\AppData\Local\Temp\e3638eb021abab9b63f1c8cc03875fc2_JaffaCakes118.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\e3638eb021abab9b63f1c8cc03875fc2_JaffaCakes118.exe"
  Depth: 1
  PID: 2688
  - Suspicious use of SetThreadContext
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  C:\Users\Admin\AppData\Local\Temp\e3638eb021abab9b63f1c8cc03875fc2_JaffaCakes118.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\e3638eb021abab9b63f1c8cc03875fc2_JaffaCakes118.exe
    Depth: 2
    PID: 3780
    - Suspicious use of WriteProcessMemory
    C:\Windows\SysWOW64\svchost.exe
      Command line: svchost.exe
      Depth: 3
      PID: 1596
      C:\Windows\SysWOW64\WerFault.exe
        Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 1596 -s 480
        Depth: 4
        PID: 1844
        - Program crash
      C:\Windows\SysWOW64\WerFault.exe
        Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 1596 -s 488
        Depth: 4
        PID: 3596
        - Program crash
    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
      Depth: 3
      PID: 4136
C:\Windows\SysWOW64\WerFault.exe
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 360 -p 1596 -ip 1596
  Depth: 1
  PID: 2756
C:\Windows\SysWOW64\WerFault.exe
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 520 -p 1596 -ip 1596
  Depth: 1
  PID: 1800
Network
MITRE ATT&CK Enterprise v15
Downloads
file | Filesize
memory/1596-7-0x0000000010000000-0x000000001004B000-memory.dmp | 300KB
memory/1596-9-0x0000000010000000-0x000000001004B000-memory.dmp | 300KB
memory/3780-2-0x0000000010000000-0x000000001004B000-memory.dmp | 300KB
memory/3780-4-0x0000000010000000-0x000000001004B000-memory.dmp | 300KB
memory/3780-5-0x0000000010000000-0x000000001004B000-memory.dmp | 300KB
memory/3780-6-0x0000000010000000-0x000000001004B000-memory.dmp | 300KB
memory/3780-8-0x0000000010000000-0x000000001004B000-memory.dmp | 300KB