Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

10

Static

static

3

09f047a6d0...18.exe

windows7-x64

10

09f047a6d0...18.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    149s
  • max time network
    153s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240226-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
  • submitted
    24/06/2024, 17:48

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    09f047a6d071e09e1b0e0c694b80f1d7_JaffaCakes118.exe

  • Size

    359KB

  • MD5

    09f047a6d071e09e1b0e0c694b80f1d7

  • SHA1

    b89063cc88a20972d12b5acf12b66e486ba9f707

  • SHA256

    5f99c57306396751d427291cb3db1a56fa25a715e5889fa16223f02e36db551a

  • SHA512

    76b464be11411539c9c614fa788e610268c679eafb232bd4e83c40a6d3e1f34fd6f861ec37de82a54de2b7b9f92d7fdc406f9ee077f575910c41911cfa49540d

  • SSDEEP

    6144:U0KoS4DZ3A+E0I8IQB2vI1CDitFuZtzzk7fPxSnyVNck/iPJgsROBe/h+1HNX46w:UdoS493ACIl7vI1kiqHNnyVek/a4AmH8

Score
10/10
xtremeratpersistenceratspywareupx

Malware Config

Signatures

  • Detect XtremeRAT payload 5 IoCs
  • XtremeRAT

    The XtremeRAT was developed by xtremecoder and has been available since at least 2010, and written in Delphi.

    persistencespywareratxtremerat
  • Boot or Logon Autostart Execution: Active Setup 2 TTPs 4 IoCs

    Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

    persistence
  • Deletes itself 1 IoCs
  • UPX packed file 7 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

    upx
  • Adds Run key to start application 2 TTPs 4 IoCs
    persistence
  • Suspicious use of SetThreadContext 1 IoCs
  • Drops file in Windows directory 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 20 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\09f047a6d071e09e1b0e0c694b80f1d7_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\09f047a6d071e09e1b0e0c694b80f1d7_JaffaCakes118.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:4400
    • C:\Users\Admin\AppData\Local\Temp\09f047a6d071e09e1b0e0c694b80f1d7_JaffaCakes118.exe
      "C:\Users\Admin\AppData\Local\Temp\09f047a6d071e09e1b0e0c694b80f1d7_JaffaCakes118.exe"
      2⤵
      • Boot or Logon Autostart Execution: Active Setup
      • Adds Run key to start application
      • Drops file in Windows directory
      • Suspicious use of WriteProcessMemory
      PID:3180
      • C:\Windows\SysWOW64\svchost.exe
        svchost.exe
        3⤵
        • Boot or Logon Autostart Execution: Active Setup
        • Adds Run key to start application
        PID:1800
      • C:\Windows\SysWOW64\explorer.exe
        explorer.exe
        3⤵
        • Suspicious use of SetWindowsHookEx
        PID:4196
      • C:\Windows\SysWOW64\explorer.exe
        explorer.exe
        3⤵
        • Deletes itself
        PID:3132
  • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=3208 --field-trial-handle=2256,i,6670388345726423024,18382795228658886258,262144 --variations-seed-version /prefetch:8
    1⤵
      PID:2112

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Windows\teste\Server.exe
      Filesize

      359KB

      MD5

      09f047a6d071e09e1b0e0c694b80f1d7

      SHA1

      b89063cc88a20972d12b5acf12b66e486ba9f707

      SHA256

      5f99c57306396751d427291cb3db1a56fa25a715e5889fa16223f02e36db551a

      SHA512

      76b464be11411539c9c614fa788e610268c679eafb232bd4e83c40a6d3e1f34fd6f861ec37de82a54de2b7b9f92d7fdc406f9ee077f575910c41911cfa49540d

      Download Submit

    • memory/1800-16-0x0000000000C80000-0x0000000000C95000-memory.dmp

      Filesize

      84KB

      Download

    • memory/3132-18-0x0000000000C80000-0x0000000000C95000-memory.dmp

      Filesize

      84KB

      Download

    • memory/3180-6-0x0000000000C80000-0x0000000000C95000-memory.dmp

      Filesize

      84KB

      Download

    • memory/3180-9-0x0000000000C80000-0x0000000000C95000-memory.dmp

      Filesize

      84KB

      Download

    • memory/3180-10-0x0000000000400000-0x000000000054A000-memory.dmp

      Filesize

      1.3MB

      Download

    • memory/3180-4-0x0000000000C80000-0x0000000000C95000-memory.dmp

      Filesize

      84KB

      Download

    • memory/4196-19-0x0000000000C80000-0x0000000000C95000-memory.dmp

      Filesize

      84KB

      Download

    • memory/4196-22-0x0000000000C80000-0x0000000000C95000-memory.dmp

      Filesize

      84KB

      Download

    • memory/4400-8-0x0000000000401000-0x000000000040E000-memory.dmp

      Filesize

      52KB

      Download

    • memory/4400-7-0x0000000000400000-0x000000000054A000-memory.dmp

      Filesize

      1.3MB

      Download

    • memory/4400-0-0x0000000000400000-0x000000000054A000-memory.dmp

      Filesize

      1.3MB

      Download

    • memory/4400-1-0x0000000000401000-0x000000000040E000-memory.dmp

      Filesize

      52KB

      Download