Analysis
max time kernel: 146s
max time network: 156s
platform: windows10-2004_x64
resource: win10v2004-20240319-en
resource tags: arch:x64 arch:x86 image:win10v2004-20240319-en locale:en-us os:windows10-2004-x64 system
submitted: 09-04-2024 15:55
Static task: static1
Behavioral task: behavioral1
  Sample: ea5b81ef79adb077ed832aae119fb0be_JaffaCakes118.exe
  Resource: win7-20240221-en
Behavioral task: behavioral2
  Sample: ea5b81ef79adb077ed832aae119fb0be_JaffaCakes118.exe
  Resource: win10v2004-20240319-en
General
Target: ea5b81ef79adb077ed832aae119fb0be_JaffaCakes118.exe
Size: 344KB
MD5: ea5b81ef79adb077ed832aae119fb0be
SHA1: 85078dda8bfe43db70d3cc85fb877a1fa5132f33
SHA256: 40fda4ca6342e7bff03b1a55cf1414b9099b86a4beab4a65eedfdc98103c388d
SHA512: 4a7783ffd50a669cc58b4b9d518648f8e4bfdb6399b555b231a5f0695c7d69aaad4b6ee28878e63e204d26a86818429b6d98647fa52586b87c3d18b180caf92d
SSDEEP: 6144:SNW7mvIZNC7rGN3bkty0Mki8787O71rkhJSammcmZq:QW7SIa7rGNrkty0fkhAlmvq
Malware Config
Signatures
Detect XtremeRAT payload (3 IoCs)
Processes:
resource | yara_rule
behavioral2/memory/1748-24-0x0000000010000000-0x000000001004D000-memory.dmp | family_xtremerat
behavioral2/memory/5060-25-0x0000000010000000-0x000000001004D000-memory.dmp | family_xtremerat
behavioral2/memory/1748-26-0x0000000010000000-0x000000001004D000-memory.dmp | family_xtremerat
XtremeRAT
XtremeRAT was developed by xtremecoder, has been available since at least 2010, and is written in Delphi.
Checks computer location settings (2 TTPs, 1 IoC)
Looks up the country code configured in the registry, likely for geofencing.
Processes:
description | ioc | process
Key value queried | \REGISTRY\USER\S-1-5-21-817259280-2658881748-983986378-1000\Control Panel\International\Geo\Nation | ea5b81ef79adb077ed832aae119fb0be_JaffaCakes118.exe
Executes dropped EXE (2 IoCs)
Processes:
pid | process
5060 | server.exe
3092 | stub.exe
Processes:
resource | yara_rule
C:\Users\Admin\AppData\Local\Temp\server.exe | upx
behavioral2/memory/5060-12-0x0000000010000000-0x000000001004D000-memory.dmp | upx
behavioral2/memory/1748-24-0x0000000010000000-0x000000001004D000-memory.dmp | upx
behavioral2/memory/5060-25-0x0000000010000000-0x000000001004D000-memory.dmp | upx
behavioral2/memory/1748-26-0x0000000010000000-0x000000001004D000-memory.dmp | upx
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).
Program crash (2 IoCs)
Processes:
pid | pid_target | process | target process
2788 | 1748 | WerFault.exe | svchost.exe
2684 | 1748 | WerFault.exe | svchost.exe
Suspicious use of SetWindowsHookEx (2 IoCs)
Processes:
pid | process
3752 | ea5b81ef79adb077ed832aae119fb0be_JaffaCakes118.exe
3092 | stub.exe
Suspicious use of WriteProcessMemory (13 IoCs)
Processes:
description | pid | process | target process
PID 3752 wrote to memory of 5060 | 3752 | ea5b81ef79adb077ed832aae119fb0be_JaffaCakes118.exe | server.exe
PID 3752 wrote to memory of 5060 | 3752 | ea5b81ef79adb077ed832aae119fb0be_JaffaCakes118.exe | server.exe
PID 3752 wrote to memory of 5060 | 3752 | ea5b81ef79adb077ed832aae119fb0be_JaffaCakes118.exe | server.exe
PID 3752 wrote to memory of 3092 | 3752 | ea5b81ef79adb077ed832aae119fb0be_JaffaCakes118.exe | stub.exe
PID 3752 wrote to memory of 3092 | 3752 | ea5b81ef79adb077ed832aae119fb0be_JaffaCakes118.exe | stub.exe
PID 3752 wrote to memory of 3092 | 3752 | ea5b81ef79adb077ed832aae119fb0be_JaffaCakes118.exe | stub.exe
PID 5060 wrote to memory of 1748 | 5060 | server.exe | svchost.exe
PID 5060 wrote to memory of 1748 | 5060 | server.exe | svchost.exe
PID 5060 wrote to memory of 1748 | 5060 | server.exe | svchost.exe
PID 5060 wrote to memory of 1748 | 5060 | server.exe | svchost.exe
PID 5060 wrote to memory of 468 | 5060 | server.exe | msedge.exe
PID 5060 wrote to memory of 468 | 5060 | server.exe | msedge.exe
PID 5060 wrote to memory of 468 | 5060 | server.exe | msedge.exe
Processes (indentation shows the parent/child relationship; each process lists its image path, then its command line, then the signatures it triggered)
C:\Users\Admin\AppData\Local\Temp\ea5b81ef79adb077ed832aae119fb0be_JaffaCakes118.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\ea5b81ef79adb077ed832aae119fb0be_JaffaCakes118.exe"
  - Checks computer location settings
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  C:\Users\Admin\AppData\Local\Temp\server.exe
    command line: "C:\Users\Admin\AppData\Local\Temp\server.exe" 0
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    C:\Windows\SysWOW64\svchost.exe
      command line: svchost.exe
      C:\Windows\SysWOW64\WerFault.exe
        command line: C:\Windows\SysWOW64\WerFault.exe -u -p 1748 -s 480
        - Program crash
      C:\Windows\SysWOW64\WerFault.exe
        command line: C:\Windows\SysWOW64\WerFault.exe -u -p 1748 -s 488
        - Program crash
    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
  C:\Users\Admin\AppData\Local\Temp\stub.exe
    command line: "C:\Users\Admin\AppData\Local\Temp\stub.exe" 0
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
C:\Windows\SysWOW64\WerFault.exe
  command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 1748 -ip 1748
C:\Windows\SysWOW64\WerFault.exe
  command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 504 -p 1748 -ip 1748
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=3988 --field-trial-handle=2256,i,5035714022000286426,16259316383734940314,262144 --variations-seed-version /prefetch:8
Network
MITRE ATT&CK Matrix ATT&CK v13
Downloads
C:\Users\Admin\AppData\Local\Temp\server.exe
  Filesize: 33KB
  MD5: 6ba9aeea2cfc136a045b3b4c291e85b5
  SHA1: 7d38a526512bb3bbf92225c25702753e6eaacecd
  SHA256: 161a15b89f83419c96cb73f83176e6845b51a682e3a39592639950880e35bca9
  SHA512: c0d3bba772ab70a4491701b833fc151c79987a540e928b9d21e166a2029f73800d4a54e7bd533d17999b7fa3022c1fc064a63b1cbc56103a7278f492dca93f18
C:\Users\Admin\AppData\Local\Temp\stub.exe
  Filesize: 300KB
  MD5: 8a45fe85898666c75dc0ce2fd878d340
  SHA1: 8346d03c553a85c5046a154123adb1af454e3717
  SHA256: 47a6e501e51c466d43bb7638de421b4c30b80e24cdfeeedafab82b06ba41534a
  SHA512: 0941c2c170ce2a1991f301caad8a237cd67f5df972718acfe7b7b6c0beb5be0ba7bc817d21405b0981d90993aa6e725d4b4f76ac54686e47e299cf6fc396a1bb
memory/1748-24-0x0000000010000000-0x000000001004D000-memory.dmp
  Filesize: 308KB
memory/1748-26-0x0000000010000000-0x000000001004D000-memory.dmp
  Filesize: 308KB
memory/5060-12-0x0000000010000000-0x000000001004D000-memory.dmp
  Filesize: 308KB
memory/5060-25-0x0000000010000000-0x000000001004D000-memory.dmp
  Filesize: 308KB