Analysis
max time kernel: 149s
max time network: 152s
platform: windows10-2004_x64
resource: win10v2004-20240709-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240709-en, locale:en-us, os:windows10-2004-x64, system
submitted: 11-07-2024 22:39
Static task: static1
Behavioral task: behavioral1
  Sample: 3afe93318c8a99ef125b8a25954f0f66_JaffaCakes118.exe
  Resource: win7-20240704-en
Behavioral task: behavioral2
  Sample: 3afe93318c8a99ef125b8a25954f0f66_JaffaCakes118.exe
  Resource: win10v2004-20240709-en
General
Target: 3afe93318c8a99ef125b8a25954f0f66_JaffaCakes118.exe
Size: 117KB
MD5: 3afe93318c8a99ef125b8a25954f0f66
SHA1: a8831bc02621320920298fe4bdd16e897b761244
SHA256: d0bed5af2021e65de2697abdfc76b98d3c692603859de35b2e06602ad20303bd
SHA512: 63d68b2ea96fc9ade0b53dc430eb09f517eba99f5250a42c2b071bad0306d9e2215995b832c7e7cbfa764bf6276915c7b3a40201f52e3d073e6f4f6466a6f2cf
SSDEEP: 1536:+ReaCi4LtqlqHrwr2zST+T/f8pDYJ0TFsII2jENAxOSwrXk:+ReaCi4JMr4ST+T/EJDsIIKvxnok
Malware Config
Extracted
Family: xtremerat
C2: franco1.no-ip.org
Signatures
-
Detect XtremeRAT payload 5 IoCs
Processes:
resource | yara_rule
behavioral2/memory/388-6-0x0000000010000000-0x000000001004D000-memory.dmp | family_xtremerat
behavioral2/memory/388-7-0x0000000010000000-0x000000001004D000-memory.dmp | family_xtremerat
behavioral2/memory/1392-8-0x0000000010000000-0x000000001004D000-memory.dmp | family_xtremerat
behavioral2/memory/388-9-0x0000000010000000-0x000000001004D000-memory.dmp | family_xtremerat
behavioral2/memory/1392-10-0x0000000010000000-0x000000001004D000-memory.dmp | family_xtremerat
XtremeRAT
XtremeRAT was developed by xtremecoder, is written in Delphi, and has been available since at least 2010.
-
UPX-packed code in memory (yara rule upx) 7 IoCs
Processes:
resource | yara_rule
behavioral2/memory/388-3-0x0000000010000000-0x000000001004D000-memory.dmp | upx
behavioral2/memory/388-5-0x0000000010000000-0x000000001004D000-memory.dmp | upx
behavioral2/memory/388-6-0x0000000010000000-0x000000001004D000-memory.dmp | upx
behavioral2/memory/388-7-0x0000000010000000-0x000000001004D000-memory.dmp | upx
behavioral2/memory/1392-8-0x0000000010000000-0x000000001004D000-memory.dmp | upx
behavioral2/memory/388-9-0x0000000010000000-0x000000001004D000-memory.dmp | upx
behavioral2/memory/1392-10-0x0000000010000000-0x000000001004D000-memory.dmp | upx
Suspicious use of SetThreadContext 1 IoC
Processes:
description | pid | process | target process
PID 1252 set thread context of 388 | 1252 | 3afe93318c8a99ef125b8a25954f0f66_JaffaCakes118.exe | 3afe93318c8a99ef125b8a25954f0f66_JaffaCakes118.exe
Enumerates physical storage devices 1 TTP
Attempts to interact with connected storage/optical drive(s).
-
Program crash 2 IoCs
Processes:
pid | pid_target | process | target process
2836 | 1392 | WerFault.exe | svchost.exe
880 | 1392 | WerFault.exe | svchost.exe
Suspicious use of SetWindowsHookEx 1 IoC
Processes:
pid | process
1252 | 3afe93318c8a99ef125b8a25954f0f66_JaffaCakes118.exe
Suspicious use of WriteProcessMemory 15 IoCs
Processes:
description | pid | process | target process
PID 1252 wrote to memory of 388 | 1252 | 3afe93318c8a99ef125b8a25954f0f66_JaffaCakes118.exe | 3afe93318c8a99ef125b8a25954f0f66_JaffaCakes118.exe
PID 1252 wrote to memory of 388 | 1252 | 3afe93318c8a99ef125b8a25954f0f66_JaffaCakes118.exe | 3afe93318c8a99ef125b8a25954f0f66_JaffaCakes118.exe
PID 1252 wrote to memory of 388 | 1252 | 3afe93318c8a99ef125b8a25954f0f66_JaffaCakes118.exe | 3afe93318c8a99ef125b8a25954f0f66_JaffaCakes118.exe
PID 1252 wrote to memory of 388 | 1252 | 3afe93318c8a99ef125b8a25954f0f66_JaffaCakes118.exe | 3afe93318c8a99ef125b8a25954f0f66_JaffaCakes118.exe
PID 1252 wrote to memory of 388 | 1252 | 3afe93318c8a99ef125b8a25954f0f66_JaffaCakes118.exe | 3afe93318c8a99ef125b8a25954f0f66_JaffaCakes118.exe
PID 1252 wrote to memory of 388 | 1252 | 3afe93318c8a99ef125b8a25954f0f66_JaffaCakes118.exe | 3afe93318c8a99ef125b8a25954f0f66_JaffaCakes118.exe
PID 1252 wrote to memory of 388 | 1252 | 3afe93318c8a99ef125b8a25954f0f66_JaffaCakes118.exe | 3afe93318c8a99ef125b8a25954f0f66_JaffaCakes118.exe
PID 1252 wrote to memory of 388 | 1252 | 3afe93318c8a99ef125b8a25954f0f66_JaffaCakes118.exe | 3afe93318c8a99ef125b8a25954f0f66_JaffaCakes118.exe
PID 388 wrote to memory of 1392 | 388 | 3afe93318c8a99ef125b8a25954f0f66_JaffaCakes118.exe | svchost.exe
PID 388 wrote to memory of 1392 | 388 | 3afe93318c8a99ef125b8a25954f0f66_JaffaCakes118.exe | svchost.exe
PID 388 wrote to memory of 1392 | 388 | 3afe93318c8a99ef125b8a25954f0f66_JaffaCakes118.exe | svchost.exe
PID 388 wrote to memory of 1392 | 388 | 3afe93318c8a99ef125b8a25954f0f66_JaffaCakes118.exe | svchost.exe
PID 388 wrote to memory of 3712 | 388 | 3afe93318c8a99ef125b8a25954f0f66_JaffaCakes118.exe | msedge.exe
PID 388 wrote to memory of 3712 | 388 | 3afe93318c8a99ef125b8a25954f0f66_JaffaCakes118.exe | msedge.exe
PID 388 wrote to memory of 3712 | 388 | 3afe93318c8a99ef125b8a25954f0f66_JaffaCakes118.exe | msedge.exe
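Added example, not part of the sandbox report: a Python script that re-parses the WriteProcessMemory/SetThreadContext rows and the memory-dump YARA rows of this report to reconstruct the injection chain and show which targets actually ended up holding the XtremeRAT payload. The rows are embedded inline as constructed input copied from this report; the sample filename, PIDs, memory region and the rule name family_xtremerat come from the page, while the function names, the "technique" labels and the hollowing heuristic (a WriteProcessMemory sequence followed by SetThreadContext on the same target) are this example's own.

```python
"""Correlate sandbox injection events with in-memory YARA hits (added example)."""
import re
from collections import defaultdict
from os.path import basename

SAMPLE = "3afe93318c8a99ef125b8a25954f0f66_JaffaCakes118.exe"

# Constructed input: the report's 'wrote to memory of' / 'set thread context of'
# rows, one per line, in the sandbox's column order (description, pid, process,
# target process). Repeated rows are kept because the count is itself a signal.
INJECTION_ROWS = "\n".join(
    [f"PID 1252 set thread context of 388 1252 {SAMPLE} {SAMPLE}"]
    + [f"PID 1252 wrote to memory of 388 1252 {SAMPLE} {SAMPLE}"] * 8
    + [f"PID 388 wrote to memory of 1392 388 {SAMPLE} svchost.exe"] * 4
    + [f"PID 388 wrote to memory of 3712 388 {SAMPLE} msedge.exe"] * 3
)

# Constructed input: the report's memory-dump YARA rows (family and packer rules).
YARA_ROWS = """
behavioral2/memory/388-6-0x0000000010000000-0x000000001004D000-memory.dmp family_xtremerat
behavioral2/memory/388-7-0x0000000010000000-0x000000001004D000-memory.dmp family_xtremerat
behavioral2/memory/1392-8-0x0000000010000000-0x000000001004D000-memory.dmp family_xtremerat
behavioral2/memory/388-9-0x0000000010000000-0x000000001004D000-memory.dmp family_xtremerat
behavioral2/memory/1392-10-0x0000000010000000-0x000000001004D000-memory.dmp family_xtremerat
behavioral2/memory/388-3-0x0000000010000000-0x000000001004D000-memory.dmp upx
behavioral2/memory/388-5-0x0000000010000000-0x000000001004D000-memory.dmp upx
behavioral2/memory/388-6-0x0000000010000000-0x000000001004D000-memory.dmp upx
behavioral2/memory/388-7-0x0000000010000000-0x000000001004D000-memory.dmp upx
behavioral2/memory/1392-8-0x0000000010000000-0x000000001004D000-memory.dmp upx
behavioral2/memory/388-9-0x0000000010000000-0x000000001004D000-memory.dmp upx
behavioral2/memory/1392-10-0x0000000010000000-0x000000001004D000-memory.dmp upx
"""

EVENT_RE = re.compile(
    r"PID (\d+) (wrote to memory of|set thread context of) (\d+) \d+ (\S+) (\S+)"
)
HIT_RE = re.compile(
    r"behavioral\d+/memory/(\d+)-\d+-0x([0-9A-Fa-f]+)-0x([0-9A-Fa-f]+)-memory\.dmp (\S+)"
)


def parse_injections(rows):
    """Collapse per-call rows into one edge per (source PID, target PID)."""
    edges = {}
    for m in EVENT_RE.finditer(rows):
        src, action, dst, src_img, dst_img = m.groups()
        edge = edges.setdefault((int(src), int(dst)), {
            "src_image": src_img, "dst_image": dst_img,
            "writes": 0, "set_thread_context": False,
        })
        if action == "wrote to memory of":
            edge["writes"] += 1
        else:
            edge["set_thread_context"] = True
    return edges


def parse_yara_hits(rows):
    """Map PID -> rule name -> set of (start, end) memory regions that matched."""
    hits = defaultdict(lambda: defaultdict(set))
    for m in HIT_RE.finditer(rows):
        pid, start, end, rule = m.groups()
        hits[int(pid)][rule].add((int(start, 16), int(end, 16)))
    return hits


def classify(edges, hits, family_rule="family_xtremerat"):
    """Label each injection edge and say whether the family rule fired in the target."""
    findings = []
    for (src, dst), edge in sorted(edges.items()):
        same_image = basename(edge["src_image"]) == basename(edge["dst_image"])
        # Heuristic (this example's own): memory writes plus SetThreadContext on
        # the same target is the classic process-hollowing pattern.
        if edge["set_thread_context"] and same_image:
            technique = "process hollowing of a fresh copy of itself"
        elif edge["set_thread_context"]:
            technique = "process hollowing of another image"
        else:
            technique = "remote memory write (no SetThreadContext seen)"
        regions = hits.get(dst, {}).get(family_rule, set())
        findings.append({
            "src": src, "dst": dst, "target": basename(edge["dst_image"]),
            "writes": edge["writes"], "technique": technique,
            "payload_in_target": bool(regions),
            "payload_regions": sorted(f"0x{lo:08X}-0x{hi:08X}" for lo, hi in regions),
        })
    return findings


def summarize():
    return classify(parse_injections(INJECTION_ROWS), parse_yara_hits(YARA_ROWS))


if __name__ == "__main__":
    for f in summarize():
        flag = "PAYLOAD CONFIRMED" if f["payload_in_target"] else "no family hit"
        print(f"{f['src']} -> {f['dst']} ({f['target']}): {f['writes']} writes, "
              f"{f['technique']}; {flag} {', '.join(f['payload_regions'])}")
```

Run against these rows, the script reports the self-hollowing step (1252 into 388), the write into svchost.exe (388 into 1392) with the family rule confirmed in that process at 0x10000000-0x1004D000, and the write into msedge.exe (388 into 3712) with no in-memory family hit, which lines up with the WerFault rows: the only injected process the sandbox saw crash is 1392.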
Processes
1. C:\Users\Admin\AppData\Local\Temp\3afe93318c8a99ef125b8a25954f0f66_JaffaCakes118.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\3afe93318c8a99ef125b8a25954f0f66_JaffaCakes118.exe"
   PID: 1252
   - Suspicious use of SetThreadContext
   - Suspicious use of SetWindowsHookEx
   - Suspicious use of WriteProcessMemory
   2. C:\Users\Admin\AppData\Local\Temp\3afe93318c8a99ef125b8a25954f0f66_JaffaCakes118.exe
      Command line: C:\Users\Admin\AppData\Local\Temp\3afe93318c8a99ef125b8a25954f0f66_JaffaCakes118.exe
      PID: 388
      - Suspicious use of WriteProcessMemory
      3. C:\Windows\SysWOW64\svchost.exe
         Command line: svchost.exe
         PID: 1392
         4. C:\Windows\SysWOW64\WerFault.exe
            Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 1392 -s 484
            PID: 2836
            - Program crash
         4. C:\Windows\SysWOW64\WerFault.exe
            Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 1392 -s 492
            PID: 880
            - Program crash
      3. C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
         Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
         PID: 3712
1. C:\Windows\SysWOW64\WerFault.exe
   Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 440 -p 1392 -ip 1392
   PID: 3932
1. C:\Windows\SysWOW64\WerFault.exe
   Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 516 -p 1392 -ip 1392
   PID: 4648