Analysis
-
max time kernel
141s -
max time network
157s -
platform
windows10-2004_x64 -
resource
win10v2004-20240226-en -
resource tags
-
submitted
20-04-2024 15:59
General
-
Target
fd203670a1093f4efd07d570cf4ffee7_JaffaCakes118.exe
-
Size
167KB
-
MD5
fd203670a1093f4efd07d570cf4ffee7
-
SHA1
04e4ff6219d57cab37db772130b7ec1ad8087e51
-
SHA256
9d162ad483c6ce5c325a3ca5329e4ca110c40d8b0595fa58bc3dc2db0ab47661
-
SHA512
3bf5583beba5e7d2c2bbedbef7679803b3b1963fb16da2d4891ee5ea8c1235a16756264608c4a18a24712e870e36fd142261bef00d4f619320cd305d5ebd5051
-
SSDEEP
3072:4xlgiukdSZJEpJnohdEJ1MtAe7gn17/C7fyWNCHeODrIN1xuAlWH:Klgil8egEJzqb/4Qxu2WH
Score
10/10
Malware Config
Signatures
-
Detect XtremeRAT payload 12 IoCs
-
XtremeRAT
The XtremeRAT was developed by xtremecoder and has been available since at least 2010, and written in Delphi.
-
Modifies Installed Components in the registry 2 TTPs 8 IoCs
-
Checks computer location settings 2 TTPs 4 IoCs
Looks up country code configured in the registry, likely geofence.
-
Deletes itself 1 IoCs
-
Executes dropped EXE 7 IoCs
-
UPX packed file 16 IoCs
Detects executables packed with UPX/modified UPX open source packer.
-
Adds Run key to start application 2 TTPs 8 IoCs
-
Suspicious use of SetThreadContext 4 IoCs
-
Drops file in Windows directory 2 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Suspicious behavior: EnumeratesProcesses 20 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\fd203670a1093f4efd07d570cf4ffee7_JaffaCakes118.exe"C:\Users\Admin\AppData\Local\Temp\fd203670a1093f4efd07d570cf4ffee7_JaffaCakes118.exe"1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\fd203670a1093f4efd07d570cf4ffee7_JaffaCakes118.exe"C:\Users\Admin\AppData\Local\Temp\fd203670a1093f4efd07d570cf4ffee7_JaffaCakes118.exe"2⤵
- Modifies Installed Components in the registry
- Checks computer location settings
- Adds Run key to start application
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"3⤵
-
C:\Windows\SysWOW64\explorer.exeexplorer.exe3⤵
- Deletes itself
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"3⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"3⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"3⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"3⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"3⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"3⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"3⤵
-
C:\Windows\InstallDir\Server.exe"C:\Windows\InstallDir\Server.exe"3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
-
C:\Windows\InstallDir\Server.exe"C:\Windows\InstallDir\Server.exe"4⤵
- Modifies Installed Components in the registry
- Checks computer location settings
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"5⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"5⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"5⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"5⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"5⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"5⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"5⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"5⤵
-
C:\Windows\InstallDir\Server.exe"C:\Windows\InstallDir\Server.exe"5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\InstallDir\Server.exe"C:\Windows\InstallDir\Server.exe"6⤵
- Modifies Installed Components in the registry
- Checks computer location settings
- Executes dropped EXE
- Adds Run key to start application
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"7⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"7⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"7⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"7⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"7⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"7⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"7⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"7⤵
-
C:\Windows\InstallDir\Server.exe"C:\Windows\InstallDir\Server.exe"7⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\InstallDir\Server.exe"C:\Windows\InstallDir\Server.exe"8⤵
- Modifies Installed Components in the registry
- Checks computer location settings
- Executes dropped EXE
- Adds Run key to start application
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"9⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"9⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"9⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"9⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"9⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"9⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"9⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"9⤵
-
C:\Windows\InstallDir\Server.exe"C:\Windows\InstallDir\Server.exe"9⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=3744 --field-trial-handle=3192,i,2785050981002401924,4037047756083432660,262144 --variations-seed-version /prefetch:81⤵
Network
MITRE ATT&CK Matrix ATT&CK v13
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\5460C4DF-B.cfgFilesize
1KB
MD59e963629c38a37f524929ba97bec3744
SHA12fec85627b9f2aaab45a9118a8b4c0bd88908ab6
SHA256b1a2180a8ec2ce8093cc4f5770acfe6d20b01875fdf3d73d2faedba11e8c08fa
SHA51234e1d05ebb4160d1d069e2f33a5e221decdd6f2db9bb75eab332637ccbd21d77532f14614865265e5b63013e724c88d314510a56f6679504d6a6070c381b0298
-
C:\Windows\InstallDir\Server.exeFilesize
167KB
MD5fd203670a1093f4efd07d570cf4ffee7
SHA104e4ff6219d57cab37db772130b7ec1ad8087e51
SHA2569d162ad483c6ce5c325a3ca5329e4ca110c40d8b0595fa58bc3dc2db0ab47661
SHA5123bf5583beba5e7d2c2bbedbef7679803b3b1963fb16da2d4891ee5ea8c1235a16756264608c4a18a24712e870e36fd142261bef00d4f619320cd305d5ebd5051
-
memory/1104-54-0x0000000000C80000-0x0000000000C9C000-memory.dmpFilesize
112KB
-
memory/1104-49-0x0000000000C80000-0x0000000000C9C000-memory.dmpFilesize
112KB
-
memory/1128-21-0x0000000010000000-0x0000000010021000-memory.dmpFilesize
132KB
-
memory/1496-46-0x0000000010000000-0x0000000010021000-memory.dmpFilesize
132KB
-
memory/1676-55-0x0000000010000000-0x0000000010021000-memory.dmpFilesize
132KB
-
memory/2404-42-0x0000000000C80000-0x0000000000C9C000-memory.dmpFilesize
112KB
-
memory/2404-37-0x0000000000C80000-0x0000000000C9C000-memory.dmpFilesize
112KB
-
memory/2404-36-0x0000000000C80000-0x0000000000C9C000-memory.dmpFilesize
112KB
-
memory/2404-35-0x0000000000C80000-0x0000000000C9C000-memory.dmpFilesize
112KB
-
memory/2416-9-0x0000000000C80000-0x0000000000C9C000-memory.dmpFilesize
112KB
-
memory/2940-33-0x0000000010000000-0x0000000010021000-memory.dmpFilesize
132KB
-
memory/3216-3-0x0000000010000000-0x0000000010021000-memory.dmpFilesize
132KB
-
memory/3852-25-0x0000000000C80000-0x0000000000C9C000-memory.dmpFilesize
112KB
-
memory/3852-30-0x0000000000C80000-0x0000000000C9C000-memory.dmpFilesize
112KB
-
memory/3852-24-0x0000000000C80000-0x0000000000C9C000-memory.dmpFilesize
112KB
-
memory/3852-23-0x0000000000C80000-0x0000000000C9C000-memory.dmpFilesize
112KB
-
memory/4112-17-0x0000000000C80000-0x0000000000C9C000-memory.dmpFilesize
112KB
-
memory/4112-0-0x0000000000C80000-0x0000000000C9C000-memory.dmpFilesize
112KB
-
memory/4112-5-0x0000000000C80000-0x0000000000C9C000-memory.dmpFilesize
112KB
-
memory/4112-4-0x0000000000C80000-0x0000000000C9C000-memory.dmpFilesize
112KB
-
memory/4112-2-0x0000000000C80000-0x0000000000C9C000-memory.dmpFilesize
112KB