Malware Analysis Report

2024-11-13 18:41

Sample ID 240711-n16casvflp
Target 3900bb3a90b8d5f3e57c44ca748dc2da_JaffaCakes118
SHA256 320f50297a53c683ea9775b1fa0a3928a260a3a005d152618018ee60405f3530
Tags
xtremerat persistence rat spyware
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

320f50297a53c683ea9775b1fa0a3928a260a3a005d152618018ee60405f3530

Threat Level: Known bad

The file 3900bb3a90b8d5f3e57c44ca748dc2da_JaffaCakes118 was found to be: Known bad.

Malicious Activity Summary

xtremerat persistence rat spyware

Xtremerat family

XtremeRAT

Boot or Logon Autostart Execution: Active Setup

Drops file in Windows directory

Unsigned PE

Enumerates physical storage devices

Suspicious use of SetWindowsHookEx

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-07-11 11:52

Signatures

Xtremerat family

xtremerat

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-07-11 11:52

Reported

2024-07-11 11:55

Platform

win7-20240708-en

Max time kernel

149s

Max time network

150s

Command Line

"C:\Users\Admin\AppData\Local\Temp\3900bb3a90b8d5f3e57c44ca748dc2da_JaffaCakes118.exe"

Signatures

XtremeRAT

persistence spyware rat xtremerat

Boot or Logon Autostart Execution: Active Setup

persistence
Description Indicator Process Target
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{13O574N7-5M0L-O653-YOTA-7SFS8480XAY6} C:\Users\Admin\AppData\Local\Temp\3900bb3a90b8d5f3e57c44ca748dc2da_JaffaCakes118.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{13O574N7-5M0L-O653-YOTA-7SFS8480XAY6}\StubPath = "C:\\Windows\\InstallDir\\server.exe restart" C:\Users\Admin\AppData\Local\Temp\3900bb3a90b8d5f3e57c44ca748dc2da_JaffaCakes118.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{13O574N7-5M0L-O653-YOTA-7SFS8480XAY6} C:\Windows\SysWOW64\svchost.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{13O574N7-5M0L-O653-YOTA-7SFS8480XAY6}\StubPath = "C:\\Windows\\InstallDir\\server.exe restart" C:\Windows\SysWOW64\svchost.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\InstallDir\server.exe C:\Users\Admin\AppData\Local\Temp\3900bb3a90b8d5f3e57c44ca748dc2da_JaffaCakes118.exe N/A
File created C:\Windows\InstallDir\server.exe C:\Users\Admin\AppData\Local\Temp\3900bb3a90b8d5f3e57c44ca748dc2da_JaffaCakes118.exe N/A

Enumerates physical storage devices

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\explorer.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2624 wrote to memory of 2132 N/A C:\Users\Admin\AppData\Local\Temp\3900bb3a90b8d5f3e57c44ca748dc2da_JaffaCakes118.exe C:\Windows\SysWOW64\svchost.exe
PID 2624 wrote to memory of 2132 N/A C:\Users\Admin\AppData\Local\Temp\3900bb3a90b8d5f3e57c44ca748dc2da_JaffaCakes118.exe C:\Windows\SysWOW64\svchost.exe
PID 2624 wrote to memory of 2132 N/A C:\Users\Admin\AppData\Local\Temp\3900bb3a90b8d5f3e57c44ca748dc2da_JaffaCakes118.exe C:\Windows\SysWOW64\svchost.exe
PID 2624 wrote to memory of 2132 N/A C:\Users\Admin\AppData\Local\Temp\3900bb3a90b8d5f3e57c44ca748dc2da_JaffaCakes118.exe C:\Windows\SysWOW64\svchost.exe
PID 2624 wrote to memory of 2132 N/A C:\Users\Admin\AppData\Local\Temp\3900bb3a90b8d5f3e57c44ca748dc2da_JaffaCakes118.exe C:\Windows\SysWOW64\svchost.exe
PID 2624 wrote to memory of 1524 N/A C:\Users\Admin\AppData\Local\Temp\3900bb3a90b8d5f3e57c44ca748dc2da_JaffaCakes118.exe C:\Windows\SysWOW64\explorer.exe
PID 2624 wrote to memory of 1524 N/A C:\Users\Admin\AppData\Local\Temp\3900bb3a90b8d5f3e57c44ca748dc2da_JaffaCakes118.exe C:\Windows\SysWOW64\explorer.exe
PID 2624 wrote to memory of 1524 N/A C:\Users\Admin\AppData\Local\Temp\3900bb3a90b8d5f3e57c44ca748dc2da_JaffaCakes118.exe C:\Windows\SysWOW64\explorer.exe
PID 2624 wrote to memory of 1524 N/A C:\Users\Admin\AppData\Local\Temp\3900bb3a90b8d5f3e57c44ca748dc2da_JaffaCakes118.exe C:\Windows\SysWOW64\explorer.exe
PID 2624 wrote to memory of 1524 N/A C:\Users\Admin\AppData\Local\Temp\3900bb3a90b8d5f3e57c44ca748dc2da_JaffaCakes118.exe C:\Windows\SysWOW64\explorer.exe

Processes

C:\Users\Admin\AppData\Local\Temp\3900bb3a90b8d5f3e57c44ca748dc2da_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\3900bb3a90b8d5f3e57c44ca748dc2da_JaffaCakes118.exe"

C:\Windows\SysWOW64\svchost.exe

svchost.exe

C:\Windows\SysWOW64\explorer.exe

explorer.exe

Network

Country Destination Domain Proto
N/A 127.0.0.1:82 tcp
N/A 127.0.0.1:82 tcp
US 8.8.8.8:53 microsoft2012.no-ip.biz udp
N/A 127.0.0.1:82 tcp
N/A 127.0.0.1:82 tcp
N/A 127.0.0.1:82 tcp
N/A 127.0.0.1:82 tcp
N/A 127.0.0.1:82 tcp
N/A 127.0.0.1:82 tcp
N/A 127.0.0.1:82 tcp
N/A 127.0.0.1:82 tcp
N/A 127.0.0.1:82 tcp
N/A 127.0.0.1:82 tcp
N/A 127.0.0.1:82 tcp
N/A 127.0.0.1:82 tcp
N/A 127.0.0.1:82 tcp
N/A 127.0.0.1:82 tcp
N/A 127.0.0.1:82 tcp
N/A 127.0.0.1:82 tcp
N/A 127.0.0.1:82 tcp
N/A 127.0.0.1:82 tcp
N/A 127.0.0.1:82 tcp
N/A 127.0.0.1:82 tcp
N/A 127.0.0.1:82 tcp
N/A 127.0.0.1:82 tcp
N/A 127.0.0.1:82 tcp
N/A 127.0.0.1:82 tcp
N/A 127.0.0.1:82 tcp
N/A 127.0.0.1:82 tcp
N/A 127.0.0.1:82 tcp
N/A 127.0.0.1:82 tcp
N/A 127.0.0.1:82 tcp
N/A 127.0.0.1:82 tcp
N/A 127.0.0.1:82 tcp
N/A 127.0.0.1:82 tcp
N/A 127.0.0.1:82 tcp
N/A 127.0.0.1:82 tcp
N/A 127.0.0.1:82 tcp
N/A 127.0.0.1:82 tcp
N/A 127.0.0.1:82 tcp
N/A 127.0.0.1:82 tcp
N/A 127.0.0.1:82 tcp
N/A 127.0.0.1:82 tcp

Files

memory/2132-4-0x0000000000C80000-0x0000000000C93000-memory.dmp

C:\Windows\InstallDir\server.exe

MD5 3900bb3a90b8d5f3e57c44ca748dc2da
SHA1 5e52957a229c1380b27c6b29ab24666e29981339
SHA256 320f50297a53c683ea9775b1fa0a3928a260a3a005d152618018ee60405f3530
SHA512 be1b6129a9f1f34e251f5c048c1006bb6abab4c4a83e7f8ccab09efb731f1cb72513a26c9ddb7610287d5bf010910e6f87927bff95a1eeca23c0f71e21d449fe

memory/2132-5-0x0000000000C80000-0x0000000000C93000-memory.dmp

memory/1524-9-0x0000000000C80000-0x0000000000C93000-memory.dmp

memory/2624-10-0x0000000000C80000-0x0000000000C93000-memory.dmp

memory/1524-12-0x0000000000C80000-0x0000000000C93000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-07-11 11:52

Reported

2024-07-11 11:55

Platform

win10v2004-20240709-en

Max time kernel

149s

Max time network

151s

Command Line

"C:\Users\Admin\AppData\Local\Temp\3900bb3a90b8d5f3e57c44ca748dc2da_JaffaCakes118.exe"

Signatures

XtremeRAT

persistence spyware rat xtremerat

Boot or Logon Autostart Execution: Active Setup

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{13O574N7-5M0L-O653-YOTA-7SFS8480XAY6}\StubPath = "C:\\Windows\\InstallDir\\server.exe restart" C:\Windows\SysWOW64\svchost.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{13O574N7-5M0L-O653-YOTA-7SFS8480XAY6} C:\Users\Admin\AppData\Local\Temp\3900bb3a90b8d5f3e57c44ca748dc2da_JaffaCakes118.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{13O574N7-5M0L-O653-YOTA-7SFS8480XAY6}\StubPath = "C:\\Windows\\InstallDir\\server.exe restart" C:\Users\Admin\AppData\Local\Temp\3900bb3a90b8d5f3e57c44ca748dc2da_JaffaCakes118.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{13O574N7-5M0L-O653-YOTA-7SFS8480XAY6} C:\Windows\SysWOW64\svchost.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\InstallDir\server.exe C:\Users\Admin\AppData\Local\Temp\3900bb3a90b8d5f3e57c44ca748dc2da_JaffaCakes118.exe N/A
File created C:\Windows\InstallDir\server.exe C:\Users\Admin\AppData\Local\Temp\3900bb3a90b8d5f3e57c44ca748dc2da_JaffaCakes118.exe N/A

Enumerates physical storage devices

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\explorer.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\3900bb3a90b8d5f3e57c44ca748dc2da_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\3900bb3a90b8d5f3e57c44ca748dc2da_JaffaCakes118.exe"

C:\Windows\SysWOW64\svchost.exe

svchost.exe

C:\Windows\SysWOW64\explorer.exe

explorer.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
N/A 127.0.0.1:82 tcp
US 8.8.8.8:53 45.19.74.20.in-addr.arpa udp
US 8.8.8.8:53 microsoft2012.no-ip.biz udp
N/A 127.0.0.1:82 tcp
US 8.8.8.8:53 microsoft2012.no-ip.biz udp
N/A 127.0.0.1:82 tcp
US 8.8.8.8:53 microsoft2012.no-ip.biz udp
N/A 127.0.0.1:82 tcp
US 8.8.8.8:53 microsoft2012.no-ip.biz udp
N/A 127.0.0.1:82 tcp
US 8.8.8.8:53 microsoft2012.no-ip.biz udp
US 8.8.8.8:53 103.169.127.40.in-addr.arpa udp
US 8.8.8.8:53 15.164.165.52.in-addr.arpa udp
N/A 127.0.0.1:82 tcp
US 8.8.8.8:53 147.142.123.92.in-addr.arpa udp
US 8.8.8.8:53 microsoft2012.no-ip.biz udp
N/A 127.0.0.1:82 tcp
US 8.8.8.8:53 microsoft2012.no-ip.biz udp
N/A 127.0.0.1:82 tcp
US 8.8.8.8:53 microsoft2012.no-ip.biz udp
N/A 127.0.0.1:82 tcp
US 8.8.8.8:53 microsoft2012.no-ip.biz udp
N/A 127.0.0.1:82 tcp
US 8.8.8.8:53 microsoft2012.no-ip.biz udp
N/A 127.0.0.1:82 tcp
US 8.8.8.8:53 microsoft2012.no-ip.biz udp
N/A 127.0.0.1:82 tcp
US 8.8.8.8:53 microsoft2012.no-ip.biz udp
N/A 127.0.0.1:82 tcp
US 8.8.8.8:53 microsoft2012.no-ip.biz udp
N/A 127.0.0.1:82 tcp
US 8.8.8.8:53 microsoft2012.no-ip.biz udp
N/A 127.0.0.1:82 tcp
US 8.8.8.8:53 microsoft2012.no-ip.biz udp
US 8.8.8.8:53 23.236.111.52.in-addr.arpa udp
N/A 127.0.0.1:82 tcp
US 8.8.8.8:53 microsoft2012.no-ip.biz udp
N/A 127.0.0.1:82 tcp
US 8.8.8.8:53 microsoft2012.no-ip.biz udp
N/A 127.0.0.1:82 tcp
US 8.8.8.8:53 microsoft2012.no-ip.biz udp
N/A 127.0.0.1:82 tcp
US 8.8.8.8:53 microsoft2012.no-ip.biz udp
N/A 127.0.0.1:82 tcp
US 8.8.8.8:53 microsoft2012.no-ip.biz udp
N/A 127.0.0.1:82 tcp
US 8.8.8.8:53 microsoft2012.no-ip.biz udp
N/A 127.0.0.1:82 tcp
US 8.8.8.8:53 microsoft2012.no-ip.biz udp
N/A 127.0.0.1:82 tcp
US 8.8.8.8:53 microsoft2012.no-ip.biz udp
N/A 127.0.0.1:82 tcp
US 8.8.8.8:53 microsoft2012.no-ip.biz udp
US 8.8.8.8:53 18.173.189.20.in-addr.arpa udp
N/A 127.0.0.1:82 tcp

Files

memory/1068-3-0x0000000000C80000-0x0000000000C93000-memory.dmp

C:\Windows\InstallDir\server.exe

MD5 3900bb3a90b8d5f3e57c44ca748dc2da
SHA1 5e52957a229c1380b27c6b29ab24666e29981339
SHA256 320f50297a53c683ea9775b1fa0a3928a260a3a005d152618018ee60405f3530
SHA512 be1b6129a9f1f34e251f5c048c1006bb6abab4c4a83e7f8ccab09efb731f1cb72513a26c9ddb7610287d5bf010910e6f87927bff95a1eeca23c0f71e21d449fe

memory/2040-5-0x0000000000C80000-0x0000000000C93000-memory.dmp

memory/2032-6-0x0000000000C80000-0x0000000000C93000-memory.dmp

memory/2040-8-0x0000000000C80000-0x0000000000C93000-memory.dmp