Analysis
-
max time kernel
147s -
max time network
148s -
platform
windows10-2004_x64 -
resource
win10v2004-20240412-en -
resource tags
arch:x64 arch:x86 image:win10v2004-20240412-en locale:en-us os:windows10-2004-x64 system -
submitted
19-04-2024 00:50
Static task
static1
Behavioral task
behavioral1
Sample
f92322b3b28f947cb9d7cd80eb571c28_JaffaCakes118.exe
Resource
win7-20240221-en
Behavioral task
behavioral2
Sample
f92322b3b28f947cb9d7cd80eb571c28_JaffaCakes118.exe
Resource
win10v2004-20240412-en
General
-
Target
f92322b3b28f947cb9d7cd80eb571c28_JaffaCakes118.exe
-
Size
100KB
-
MD5
f92322b3b28f947cb9d7cd80eb571c28
-
SHA1
4a1e272a0b4f3fc0243ba8c7ea027cc77cc46ce7
-
SHA256
64001fe73360c8d022d61377852fee9d66ad79f267378638509419531d44b263
-
SHA512
fd23af2f8c4dc36619d552a916a517a78c3d0c077a75240a6b9008a3d753c77dcfc8f25dc023c096bc4f6136e45cdc24da1180285df586e667db00d00d1c7904
-
SSDEEP
1536:y9ZQxjwFxx08go02rJR40g5zMLJWtInstC6ak/G+W2PNr5:y/QUeto02E5zMEtsstC6p/9r5
Malware Config
Extracted
xtremerat
netkore.no-ip.org
Signatures
-
Detect XtremeRAT payload 4 IoCs
Processes:
resource | yara_rule
C:\Users\Admin\AppData\Roaming\xmpp.exe | family_xtremerat
behavioral2/memory/1252-11-0x0000000000C80000-0x0000000000C93000-memory.dmp | family_xtremerat
behavioral2/memory/3616-12-0x0000000000C80000-0x0000000000C93000-memory.dmp | family_xtremerat
behavioral2/memory/1252-14-0x0000000000C80000-0x0000000000C93000-memory.dmp | family_xtremerat
-
XtremeRAT
XtremeRAT was developed by xtremecoder, is written in Delphi, and has been available since at least 2010.
-
Checks computer location settings 2 TTPs 1 IoCs
Looks up the country code configured in the registry, likely for geofencing.
Processes:
f92322b3b28f947cb9d7cd80eb571c28_JaffaCakes118.exe
description | ioc | process
Key value queried | \REGISTRY\USER\S-1-5-21-355664440-2199602304-1223909400-1000\Control Panel\International\Geo\Nation | f92322b3b28f947cb9d7cd80eb571c28_JaffaCakes118.exe
-
Executes dropped EXE 1 IoCs
Processes:
xmpp.exe
pid | process
3616 | xmpp.exe
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Suspicious use of SetWindowsHookEx 1 IoCs
Processes:
explorer.exe
pid | process
1252 | explorer.exe
-
Suspicious use of WriteProcessMemory 7 IoCs
Processes:
f92322b3b28f947cb9d7cd80eb571c28_JaffaCakes118.exe, xmpp.exe
description | pid | process | target process
PID 1920 wrote to memory of 3616 | 1920 | f92322b3b28f947cb9d7cd80eb571c28_JaffaCakes118.exe | xmpp.exe
PID 1920 wrote to memory of 3616 | 1920 | f92322b3b28f947cb9d7cd80eb571c28_JaffaCakes118.exe | xmpp.exe
PID 1920 wrote to memory of 3616 | 1920 | f92322b3b28f947cb9d7cd80eb571c28_JaffaCakes118.exe | xmpp.exe
PID 3616 wrote to memory of 1252 | 3616 | xmpp.exe | explorer.exe
PID 3616 wrote to memory of 1252 | 3616 | xmpp.exe | explorer.exe
PID 3616 wrote to memory of 1252 | 3616 | xmpp.exe | explorer.exe
PID 3616 wrote to memory of 1252 | 3616 | xmpp.exe | explorer.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\f92322b3b28f947cb9d7cd80eb571c28_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\f92322b3b28f947cb9d7cd80eb571c28_JaffaCakes118.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Roaming\xmpp.exe
"C:\Users\Admin\AppData\Roaming\xmpp.exe"
2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\explorer.exe
explorer.exe
3⤵
- Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Matrix ATT&CK v13
Downloads
-
C:\Users\Admin\AppData\Roaming\xmpp.exe
Filesize
44KB
MD5
81208a1371ee42e0ec31235c4a646155
SHA1
57bc44daad8f454fcd28c6b550bf44d4961aef76
SHA256
304cab82fe5b4ca84518e6dca96bce5e90b82bfcd093a904bdbb36b3604a64e5
SHA512
aeea63a1dc816c853277a2c804beb8e11d547c23fbeb7e4f9548272def3a8fb26116de4b5be850b42870fd221d1c0d3bf7a24f10d40102fa12d765a7e9c373b4
-
memory/1252-11-0x0000000000C80000-0x0000000000C93000-memory.dmp
Filesize
76KB
-
memory/1252-14-0x0000000000C80000-0x0000000000C93000-memory.dmp
Filesize
76KB
-
memory/3616-12-0x0000000000C80000-0x0000000000C93000-memory.dmp
Filesize
76KB