Analysis
max time kernel: 145s
max time network: 138s
platform: windows7_x64
resource: win7-20240221-en
resource tags: arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
submitted: 19-04-2024 00:50
Static task: static1
Behavioral task: behavioral1
  Sample: f92322b3b28f947cb9d7cd80eb571c28_JaffaCakes118.exe
  Resource: win7-20240221-en
Behavioral task: behavioral2
  Sample: f92322b3b28f947cb9d7cd80eb571c28_JaffaCakes118.exe
  Resource: win10v2004-20240412-en
General
Target: f92322b3b28f947cb9d7cd80eb571c28_JaffaCakes118.exe
Size: 100KB
MD5: f92322b3b28f947cb9d7cd80eb571c28
SHA1: 4a1e272a0b4f3fc0243ba8c7ea027cc77cc46ce7
SHA256: 64001fe73360c8d022d61377852fee9d66ad79f267378638509419531d44b263
SHA512: fd23af2f8c4dc36619d552a916a517a78c3d0c077a75240a6b9008a3d753c77dcfc8f25dc023c096bc4f6136e45cdc24da1180285df586e667db00d00d1c7904
SSDEEP: 1536:y9ZQxjwFxx08go02rJR40g5zMLJWtInstC6ak/G+W2PNr5:y/QUeto02E5zMEtsstC6p/9r5
Malware Config (extracted)
Family: xtremerat
C2: netkore.no-ip.org
Signatures

Detect XtremeRAT payload (4 IoCs)
Processes:
  resource                                                          yara_rule
  \Users\Admin\AppData\Roaming\xmpp.exe                             family_xtremerat
  behavioral1/memory/2532-14-0x0000000000C80000-0x0000000000C93000-memory.dmp  family_xtremerat
  behavioral1/memory/2192-15-0x0000000000C80000-0x0000000000C93000-memory.dmp  family_xtremerat
  behavioral1/memory/2532-17-0x0000000000C80000-0x0000000000C93000-memory.dmp  family_xtremerat
XtremeRAT
XtremeRAT was developed by xtremecoder, has been available since at least 2010, and is written in Delphi.
Executes dropped EXE (1 IoC)
Processes:
  pid   process
  2192  xmpp.exe

Loads dropped DLL (2 IoCs)
Processes:
  pid   process
  2524  f92322b3b28f947cb9d7cd80eb571c28_JaffaCakes118.exe
  2524  f92322b3b28f947cb9d7cd80eb571c28_JaffaCakes118.exe
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).

Suspicious use of SetWindowsHookEx (1 IoC)
Processes:
  pid   process
  2532  explorer.exe

Suspicious use of WriteProcessMemory (9 IoCs)
Processes:
  description                         pid   process                                              target process
  PID 2524 wrote to memory of 2192    2524  f92322b3b28f947cb9d7cd80eb571c28_JaffaCakes118.exe  xmpp.exe
  PID 2524 wrote to memory of 2192    2524  f92322b3b28f947cb9d7cd80eb571c28_JaffaCakes118.exe  xmpp.exe
  PID 2524 wrote to memory of 2192    2524  f92322b3b28f947cb9d7cd80eb571c28_JaffaCakes118.exe  xmpp.exe
  PID 2524 wrote to memory of 2192    2524  f92322b3b28f947cb9d7cd80eb571c28_JaffaCakes118.exe  xmpp.exe
  PID 2192 wrote to memory of 2532    2192  xmpp.exe                                             explorer.exe
  PID 2192 wrote to memory of 2532    2192  xmpp.exe                                             explorer.exe
  PID 2192 wrote to memory of 2532    2192  xmpp.exe                                             explorer.exe
  PID 2192 wrote to memory of 2532    2192  xmpp.exe                                             explorer.exe
  PID 2192 wrote to memory of 2532    2192  xmpp.exe                                             explorer.exe
Processes
1. C:\Users\Admin\AppData\Local\Temp\f92322b3b28f947cb9d7cd80eb571c28_JaffaCakes118.exe
   command line: "C:\Users\Admin\AppData\Local\Temp\f92322b3b28f947cb9d7cd80eb571c28_JaffaCakes118.exe"
   - Loads dropped DLL
   - Suspicious use of WriteProcessMemory
   2. C:\Users\Admin\AppData\Roaming\xmpp.exe (child of 1)
      command line: "C:\Users\Admin\AppData\Roaming\xmpp.exe"
      - Executes dropped EXE
      - Suspicious use of WriteProcessMemory
      3. C:\Windows\SysWOW64\explorer.exe (child of 2)
         command line: explorer.exe
         - Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Matrix ATT&CK v13
Downloads
\Users\Admin\AppData\Roaming\xmpp.exe
  Filesize: 44KB
  MD5: 81208a1371ee42e0ec31235c4a646155
  SHA1: 57bc44daad8f454fcd28c6b550bf44d4961aef76
  SHA256: 304cab82fe5b4ca84518e6dca96bce5e90b82bfcd093a904bdbb36b3604a64e5
  SHA512: aeea63a1dc816c853277a2c804beb8e11d547c23fbeb7e4f9548272def3a8fb26116de4b5be850b42870fd221d1c0d3bf7a24f10d40102fa12d765a7e9c373b4

memory/2192-15-0x0000000000C80000-0x0000000000C93000-memory.dmp
  Filesize: 76KB

memory/2532-12-0x0000000000C80000-0x0000000000C93000-memory.dmp
  Filesize: 76KB

memory/2532-14-0x0000000000C80000-0x0000000000C93000-memory.dmp
  Filesize: 76KB

memory/2532-17-0x0000000000C80000-0x0000000000C93000-memory.dmp
  Filesize: 76KB