Analysis

  • max time kernel
    148s
  • max time network
    95s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240709-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20240709-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    11-07-2024 15:41

General

  • Target

    39bda2c1b3b6565b12b3462ddb5084c5_JaffaCakes118.exe

  • Size

    170KB

  • MD5

    39bda2c1b3b6565b12b3462ddb5084c5

  • SHA1

    fd0423711923c8ecc53627cd99cbd81aa209e504

  • SHA256

    13e7fab40ed235fd23a36efb90492fc9d05fb3bc87120706ef823d03d85519f7

  • SHA512

    c6b42286636ecc0aae7be9ba4d35dfa6c98101c78a531bd66380b8f58adad1b78c1033e217b1768d06451bc4e112c0438307ee84e7ed9326a61ffbdf09ea2a6e

  • SSDEEP

    3072:TKEKmrDUskUVIKkAX/0L0rZmm1sJmvxHfi/R1+aJe1mgawzxsBub861jIHxownLj:TKE5IIL7JnYRUTV5nLrQLulIGsZ

Malware Config

Signatures

  • Detect XtremeRAT payload 8 IoCs
  • XtremeRAT

    XtremeRAT was developed by xtremecoder, is written in Delphi, and has been available since at least 2010.

  • Boot or Logon Autostart Execution: Active Setup 2 TTPs 4 IoCs

    Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

  • UPX packed file 2 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

  • Drops file in System32 directory 2 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 25 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\39bda2c1b3b6565b12b3462ddb5084c5_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\39bda2c1b3b6565b12b3462ddb5084c5_JaffaCakes118.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • Suspicious use of WriteProcessMemory
    PID:2824
    • C:\Users\Admin\AppData\Local\Temp\39bda2c1b3b6565b12b3462ddb5084c5_JaffaCakes118.exe
      "C:\Users\Admin\AppData\Local\Temp\39bda2c1b3b6565b12b3462ddb5084c5_JaffaCakes118.exe"
      2⤵
      • Boot or Logon Autostart Execution: Active Setup
      • Drops file in System32 directory
      • Suspicious use of WriteProcessMemory
      PID:2228
      • C:\Windows\SysWOW64\svchost.exe
        svchost.exe
        3⤵
        • Boot or Logon Autostart Execution: Active Setup
        PID:3524
      • C:\Windows\SysWOW64\notepad.exe
        notepad.exe
        3⤵
        PID:3800
      • C:\Windows\SysWOW64\notepad.exe
        notepad.exe
        3⤵
        PID:1376
      • C:\Windows\SysWOW64\notepad.exe
        notepad.exe
        3⤵
        PID:4076
      • C:\Windows\SysWOW64\notepad.exe
        notepad.exe
        3⤵
        PID:3180
      • C:\Windows\SysWOW64\notepad.exe
        notepad.exe
        3⤵
        • Suspicious use of SetWindowsHookEx
        PID:3920

Network

MITRE ATT&CK Enterprise v15


Downloads

  • C:\Windows\SysWOW64\microsoft\xtreme.exe

    Filesize

    170KB

    MD5

    39bda2c1b3b6565b12b3462ddb5084c5

    SHA1

    fd0423711923c8ecc53627cd99cbd81aa209e504

    SHA256

    13e7fab40ed235fd23a36efb90492fc9d05fb3bc87120706ef823d03d85519f7

    SHA512

    c6b42286636ecc0aae7be9ba4d35dfa6c98101c78a531bd66380b8f58adad1b78c1033e217b1768d06451bc4e112c0438307ee84e7ed9326a61ffbdf09ea2a6e

  • memory/2228-2-0x0000000000C80000-0x0000000000C93000-memory.dmp

    Filesize

    76KB

  • memory/2228-3-0x0000000000C80000-0x0000000000C93000-memory.dmp

    Filesize

    76KB

  • memory/2228-5-0x0000000000C80000-0x0000000000C93000-memory.dmp

    Filesize

    76KB

  • memory/2228-6-0x0000000000C80000-0x0000000000C93000-memory.dmp

    Filesize

    76KB

  • memory/2228-13-0x0000000000C80000-0x0000000000C93000-memory.dmp

    Filesize

    76KB

  • memory/2824-1-0x0000000002170000-0x000000000217D000-memory.dmp

    Filesize

    52KB

  • memory/2824-0-0x0000000002170000-0x000000000217D000-memory.dmp

    Filesize

    52KB

  • memory/2824-4-0x0000000000400000-0x0000000000430000-memory.dmp

    Filesize

    192KB

  • memory/3524-10-0x0000000000C80000-0x0000000000C93000-memory.dmp

    Filesize

    76KB

  • memory/3920-12-0x0000000000C80000-0x0000000000C93000-memory.dmp

    Filesize

    76KB

  • memory/3920-15-0x0000000000C80000-0x0000000000C93000-memory.dmp

    Filesize

    76KB