Analysis

  • max time kernel
    149s
  • max time network
    120s
  • platform
    windows7_x64
  • resource
    win7-20240705-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240705-en, locale:en-us, os:windows7-x64, system
  • submitted
    11-07-2024 19:52

General

  • Target

    3a819e1ce4c18ecce8115195043a0c50_JaffaCakes118.exe

  • Size

    194KB

  • MD5

    3a819e1ce4c18ecce8115195043a0c50

  • SHA1

    462f26db8f151bb0f77882ca788f864c7f767aa6

  • SHA256

    3e97b2fc541b3a23e2fb612f7b272a9619b25cd446e288bbb0a4c94944712513

  • SHA512

    786ece052f1272062cfe060a9e06ec3b8381f8e79c0ec433d5193a928b63c32fa4611f3eaa1befb4d27957b431af0addd9a6456ffba6e88b6daa2f95b74fdd3a

  • SSDEEP

    3072:L3gbjAOEY4TjVzg8252TDH+U0p+Cjey9NxOjCzYsKF8ttY8QoQAEJ0by:T+81Y4TZg8ZH+U0hj19NxECzYBKMq/u

Malware Config

Extracted

Family

xtremerat

C2

wolfwolf3007.no-ip.org

Signatures

  • Detect XtremeRAT payload 3 IoCs
  • Modifies firewall policy service 3 TTPs 8 IoCs
  • XtremeRAT

    XtremeRAT was developed by xtremecoder, is written in Delphi, and has been available since at least 2010.

  • Adds policy Run key to start application 2 TTPs 2 IoCs
  • Boot or Logon Autostart Execution: Active Setup 2 TTPs 4 IoCs

    Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

  • Executes dropped EXE 2 IoCs
  • UPX packed file 13 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

  • Adds Run key to start application 2 TTPs 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Modifies registry key 1 TTPs 4 IoCs
  • Suspicious use of AdjustPrivilegeToken 35 IoCs
  • Suspicious use of SetWindowsHookEx 3 IoCs
  • Suspicious use of WriteProcessMemory 50 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\3a819e1ce4c18ecce8115195043a0c50_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\3a819e1ce4c18ecce8115195043a0c50_JaffaCakes118.exe"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:2352
    • C:\Users\Admin\AppData\Local\Temp\abc1.exe
      "C:\Users\Admin\AppData\Local\Temp\abc1.exe"
      2⤵
      • Adds policy Run key to start application
      • Boot or Logon Autostart Execution: Active Setup
      • Executes dropped EXE
      • Adds Run key to start application
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:2100
      • C:\Windows\SysWOW64\cmd.exe
        cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:2864
        • C:\Windows\SysWOW64\reg.exe
          REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
          4⤵
          • Modifies firewall policy service
          • Modifies registry key
          PID:2960
      • C:\Windows\SysWOW64\cmd.exe
        cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Local\Temp\abc1.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\abc1.exe:*:Enabled:Windows Messanger" /f
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:2840
        • C:\Windows\SysWOW64\reg.exe
          REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Local\Temp\abc1.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\abc1.exe:*:Enabled:Windows Messanger" /f
          4⤵
          • Modifies firewall policy service
          • Modifies registry key
          PID:2644
      • C:\Windows\SysWOW64\cmd.exe
        cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:3008
        • C:\Windows\SysWOW64\reg.exe
          REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
          4⤵
          • Modifies firewall policy service
          • Modifies registry key
          PID:2628
      • C:\Windows\SysWOW64\cmd.exe
        cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Roaming\wolf.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\wolf.exe:*:Enabled:Windows Messanger" /f
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:2760
        • C:\Windows\SysWOW64\reg.exe
          REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Roaming\wolf.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\wolf.exe:*:Enabled:Windows Messanger" /f
          4⤵
          • Modifies firewall policy service
          • Modifies registry key
          PID:2744
    • C:\Users\Admin\AppData\Local\Temp\abc2.exe
      "C:\Users\Admin\AppData\Local\Temp\abc2.exe"
      2⤵
      • Executes dropped EXE
      • Suspicious use of WriteProcessMemory
      PID:2952
      • C:\Windows\SysWOW64\svchost.exe
        svchost.exe
        3⤵
          PID:2812
        • C:\Program Files\Internet Explorer\iexplore.exe
          "C:\Program Files\Internet Explorer\iexplore.exe"
          3⤵
            PID:2724

      Network

      MITRE ATT&CK Enterprise v15

      Downloads

      • C:\Users\Admin\AppData\Local\Temp\abc1.exe

        Filesize

        113KB

        MD5

        82805e4f9baddb787a2f94635c47e4a3

        SHA1

        fac7ba94e0d2ce74da1219753847f6bcbde80df5

        SHA256

        0ba4cbfab6470cdf91b616be53af002a6d99329abc45371e63dfc39493a2f0f6

        SHA512

        9d41d79a812a5620515e4f27584c91bb116678111458e91ce361fb31f4f4cbb4383a6861333bf19be18a76b5620827a1220c8a4e7d2c355af38588d13ebb2681

      • C:\Users\Admin\AppData\Local\Temp\abc2.exe

        Filesize

        65KB

        MD5

        c2a608b49ee909733839cb54a07ecffa

        SHA1

        cc8dac87a9c71fab0468cd66a399a73004ea745c

        SHA256

        e4fc7a02a191853604cc170c97b05e12eb4d8bb468aeecff1b5a6690fd7bcaf6

        SHA512

        518eb069fcbcac2c504dd3c73840acdc950ee3911d0a852139e58fac3650a889fa17722588b71d51180fab6e6e36b463fdff28b1792c91d8d56f5f5a9ab32eaa

      • memory/2100-33-0x0000000000400000-0x000000000045D000-memory.dmp

        Filesize

        372KB

      • memory/2100-32-0x0000000000400000-0x000000000045D000-memory.dmp

        Filesize

        372KB

      • memory/2100-45-0x0000000000400000-0x000000000045D000-memory.dmp

        Filesize

        372KB

      • memory/2100-13-0x0000000000400000-0x000000000045D000-memory.dmp

        Filesize

        372KB

      • memory/2100-44-0x0000000000400000-0x000000000045D000-memory.dmp

        Filesize

        372KB

      • memory/2100-41-0x0000000000400000-0x000000000045D000-memory.dmp

        Filesize

        372KB

      • memory/2100-37-0x0000000000400000-0x000000000045D000-memory.dmp

        Filesize

        372KB

      • memory/2100-36-0x0000000000400000-0x000000000045D000-memory.dmp

        Filesize

        372KB

      • memory/2100-35-0x0000000000400000-0x000000000045D000-memory.dmp

        Filesize

        372KB

      • memory/2100-28-0x0000000000400000-0x000000000045D000-memory.dmp

        Filesize

        372KB

      • memory/2100-29-0x0000000000400000-0x000000000045D000-memory.dmp

        Filesize

        372KB

      • memory/2100-31-0x0000000000400000-0x000000000045D000-memory.dmp

        Filesize

        372KB

      • memory/2352-23-0x000007FEF5490000-0x000007FEF5E2D000-memory.dmp

        Filesize

        9.6MB

      • memory/2352-0-0x000007FEF574E000-0x000007FEF574F000-memory.dmp

        Filesize

        4KB

      • memory/2352-3-0x000007FEF5490000-0x000007FEF5E2D000-memory.dmp

        Filesize

        9.6MB

      • memory/2352-1-0x000007FEF5490000-0x000007FEF5E2D000-memory.dmp

        Filesize

        9.6MB

      • memory/2352-2-0x000007FEF5490000-0x000007FEF5E2D000-memory.dmp

        Filesize

        9.6MB

      • memory/2812-26-0x0000000010000000-0x0000000010048000-memory.dmp

        Filesize

        288KB

      • memory/2812-24-0x0000000010000000-0x0000000010048000-memory.dmp

        Filesize

        288KB

      • memory/2952-27-0x0000000010000000-0x0000000010048000-memory.dmp

        Filesize

        288KB