Analysis
  max time kernel:   147s
  max time network:  155s
  platform:          windows10-2004_x64
  resource:          win10v2004-20240508-en
  resource tags:     arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
  submitted:         25/06/2024, 09:20
Static task
  static1

Behavioral task
  behavioral1
    Sample:    0d85eac1231895c7931dfe36d50a44eb_JaffaCakes118.exe
    Resource:  win7-20240611-en

Behavioral task
  behavioral2
    Sample:    0d85eac1231895c7931dfe36d50a44eb_JaffaCakes118.exe
    Resource:  win10v2004-20240508-en
General
  Target:  0d85eac1231895c7931dfe36d50a44eb_JaffaCakes118.exe
  Size:    448KB
  MD5:     0d85eac1231895c7931dfe36d50a44eb
  SHA1:    e03ae2b24473ac46440af570c1b48aa3b22bb032
  SHA256:  6ea117d4d58dd5ad3dca68457e9d64629c6fb4279fcaf733710988cbf6d36685
  SHA512:  db3e582ea5090836817cd4f60a5780fec2df7f3b8a11e4b85de30420e7c9ddb9a0ff1cd6dd69856d0cb363368f2dd0fddcb3b60f0399fe6fa644e71c6f48aede
  SSDEEP:  3072:J2fiQUShCEJneq1DT3AZMA1b1DT3AZMA1liqbTKgLF3pp341DT3AZMA1:xo1W1UKgLF81
Malware Config
  Extracted
    Family:   xtremerat
    C2 host:  dfuso.zapto.org
Signatures

Detect XtremeRAT payload (5 IoCs)
  resource                                                                     yara_rule
  behavioral2/memory/2476-5-0x0000000010000000-0x000000001004D000-memory.dmp  family_xtremerat
  behavioral2/memory/2476-6-0x0000000010000000-0x000000001004D000-memory.dmp  family_xtremerat
  behavioral2/memory/2552-7-0x0000000010000000-0x000000001004D000-memory.dmp  family_xtremerat
  behavioral2/memory/2476-8-0x0000000010000000-0x000000001004D000-memory.dmp  family_xtremerat
  behavioral2/memory/2552-9-0x0000000010000000-0x000000001004D000-memory.dmp  family_xtremerat

XtremeRAT
  XtremeRAT was developed by xtremecoder, has been available since at least 2010, and is written in Delphi.

yara rule upx (7 IoCs)
  resource                                                                     yara_rule
  behavioral2/memory/2476-2-0x0000000010000000-0x000000001004D000-memory.dmp  upx
  behavioral2/memory/2476-4-0x0000000010000000-0x000000001004D000-memory.dmp  upx
  behavioral2/memory/2476-5-0x0000000010000000-0x000000001004D000-memory.dmp  upx
  behavioral2/memory/2476-6-0x0000000010000000-0x000000001004D000-memory.dmp  upx
  behavioral2/memory/2552-7-0x0000000010000000-0x000000001004D000-memory.dmp  upx
  behavioral2/memory/2476-8-0x0000000010000000-0x000000001004D000-memory.dmp  upx
  behavioral2/memory/2552-9-0x0000000010000000-0x000000001004D000-memory.dmp  upx
Suspicious use of SetThreadContext (1 IoCs)
  description                          pid   Process                                              procid_target
  PID 2848 set thread context of 2476  2848  0d85eac1231895c7931dfe36d50a44eb_JaffaCakes118.exe  81

Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s).

Program crash (2 IoCs)
  pid   pid_target  Process       procid_target
  2128  2552        WerFault.exe  82
  1852  2552        WerFault.exe  82

Suspicious use of SetWindowsHookEx (1 IoCs)
  pid   Process
  2848  0d85eac1231895c7931dfe36d50a44eb_JaffaCakes118.exe

Suspicious use of WriteProcessMemory (15 IoCs)
  description                       pid   Process                                              procid_target
  PID 2848 wrote to memory of 2476  2848  0d85eac1231895c7931dfe36d50a44eb_JaffaCakes118.exe  81
  PID 2848 wrote to memory of 2476  2848  0d85eac1231895c7931dfe36d50a44eb_JaffaCakes118.exe  81
  PID 2848 wrote to memory of 2476  2848  0d85eac1231895c7931dfe36d50a44eb_JaffaCakes118.exe  81
  PID 2848 wrote to memory of 2476  2848  0d85eac1231895c7931dfe36d50a44eb_JaffaCakes118.exe  81
  PID 2848 wrote to memory of 2476  2848  0d85eac1231895c7931dfe36d50a44eb_JaffaCakes118.exe  81
  PID 2848 wrote to memory of 2476  2848  0d85eac1231895c7931dfe36d50a44eb_JaffaCakes118.exe  81
  PID 2848 wrote to memory of 2476  2848  0d85eac1231895c7931dfe36d50a44eb_JaffaCakes118.exe  81
  PID 2848 wrote to memory of 2476  2848  0d85eac1231895c7931dfe36d50a44eb_JaffaCakes118.exe  81
  PID 2476 wrote to memory of 2552  2476  0d85eac1231895c7931dfe36d50a44eb_JaffaCakes118.exe  82
  PID 2476 wrote to memory of 2552  2476  0d85eac1231895c7931dfe36d50a44eb_JaffaCakes118.exe  82
  PID 2476 wrote to memory of 2552  2476  0d85eac1231895c7931dfe36d50a44eb_JaffaCakes118.exe  82
  PID 2476 wrote to memory of 2552  2476  0d85eac1231895c7931dfe36d50a44eb_JaffaCakes118.exe  82
  PID 2476 wrote to memory of 3568  2476  0d85eac1231895c7931dfe36d50a44eb_JaffaCakes118.exe  83
  PID 2476 wrote to memory of 3568  2476  0d85eac1231895c7931dfe36d50a44eb_JaffaCakes118.exe  83
  PID 2476 wrote to memory of 3568  2476  0d85eac1231895c7931dfe36d50a44eb_JaffaCakes118.exe  83
Processes (process tree; indentation shows parent/child nesting)

  Path:     C:\Users\Admin\AppData\Local\Temp\0d85eac1231895c7931dfe36d50a44eb_JaffaCakes118.exe
  Cmdline:  "C:\Users\Admin\AppData\Local\Temp\0d85eac1231895c7931dfe36d50a44eb_JaffaCakes118.exe"
  PID:      2848
  Signatures:
    - Suspicious use of SetThreadContext
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory

      Path:     C:\Users\Admin\AppData\Local\Temp\0d85eac1231895c7931dfe36d50a44eb_JaffaCakes118.exe
      Cmdline:  "C:\Users\Admin\AppData\Local\Temp\0d85eac1231895c7931dfe36d50a44eb_JaffaCakes118.exe"
      PID:      2476
      Signatures:
        - Suspicious use of WriteProcessMemory

          Path:     C:\Windows\SysWOW64\svchost.exe
          Cmdline:  svchost.exe
          PID:      2552

              Path:     C:\Windows\SysWOW64\WerFault.exe
              Cmdline:  C:\Windows\SysWOW64\WerFault.exe -u -p 2552 -s 480
              PID:      2128
              Signatures:
                - Program crash

              Path:     C:\Windows\SysWOW64\WerFault.exe
              Cmdline:  C:\Windows\SysWOW64\WerFault.exe -u -p 2552 -s 488
              PID:      1852
              Signatures:
                - Program crash

          Path:     C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
          Cmdline:  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
          PID:      3568

  Path:     C:\Windows\SysWOW64\WerFault.exe
  Cmdline:  C:\Windows\SysWOW64\WerFault.exe -pss -s 460 -p 2552 -ip 2552
  PID:      2772

  Path:     C:\Windows\SysWOW64\WerFault.exe
  Cmdline:  C:\Windows\SysWOW64\WerFault.exe -pss -s 404 -p 2552 -ip 2552
  PID:      4576