Analysis

max time kernel: 149s
max time network: 120s
platform: windows7_x64
resource: win7-20240705-en
resource tags: arch:x64, arch:x86, image:win7-20240705-en, locale:en-us, os:windows7-x64, system
submitted: 11-07-2024 19:52

Behavioral task: behavioral1
Sample: 3a819e1ce4c18ecce8115195043a0c50_JaffaCakes118.exe
Resource: win7-20240705-en
General

Target: 3a819e1ce4c18ecce8115195043a0c50_JaffaCakes118.exe
Size: 194KB
MD5: 3a819e1ce4c18ecce8115195043a0c50
SHA1: 462f26db8f151bb0f77882ca788f864c7f767aa6
SHA256: 3e97b2fc541b3a23e2fb612f7b272a9619b25cd446e288bbb0a4c94944712513
SHA512: 786ece052f1272062cfe060a9e06ec3b8381f8e79c0ec433d5193a928b63c32fa4611f3eaa1befb4d27957b431af0addd9a6456ffba6e88b6daa2f95b74fdd3a
SSDEEP: 3072:L3gbjAOEY4TjVzg8252TDH+U0p+Cjey9NxOjCzYsKF8ttY8QoQAEJ0by:T+81Y4TZg8ZH+U0hj19NxECzYBKMq/u
Malware Config
Extracted
xtremerat
wolfwolf3007.no-ip.org
Signatures

Detect XtremeRAT payload (3 IoCs)
resource / yara_rule:
  C:\Users\Admin\AppData\Local\Temp\abc2.exe  (family_xtremerat)
  behavioral1/memory/2812-26-0x0000000010000000-0x0000000010048000-memory.dmp  (family_xtremerat)
  behavioral1/memory/2952-27-0x0000000010000000-0x0000000010048000-memory.dmp  (family_xtremerat)
Modifies firewall policy service (3 TTPs, 8 IoCs)
Processes: reg.exe, reg.exe, reg.exe, reg.exe
description / ioc / process:
  Key created  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile  (reg.exe)
  Set value (int)  \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0"  (reg.exe)
  Key created  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List  (reg.exe)
  Set value (str)  \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\Users\Admin\AppData\Local\Temp\abc1.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\abc1.exe:*:Enabled:Windows Messanger"  (reg.exe)
  Key created  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile  (reg.exe)
  Set value (int)  \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0"  (reg.exe)
  Key created  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List  (reg.exe)
  Set value (str)  \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\Users\Admin\AppData\Roaming\wolf.exe = "C:\\Users\\Admin\\AppData\\Roaming\\wolf.exe:*:Enabled:Windows Messanger"  (reg.exe)
XtremeRAT
XtremeRAT was developed by xtremecoder, is written in Delphi, and has been available since at least 2010.
Adds policy Run key to start application (2 TTPs, 2 IoCs)
Processes: abc1.exe
description / ioc / process:
  Key created  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\run  (abc1.exe)
  Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\run\Windows Defender = "C:\\Users\\Admin\\AppData\\Roaming\\wolf.exe"  (abc1.exe)
Boot or Logon Autostart Execution: Active Setup (2 TTPs, 4 IoCs)
Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.
Processes: abc1.exe
description / ioc / process:
  Key created  \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{A4195D6B-BE6B-ABD8-EDEA-BFEDAF11B12F}  (abc1.exe)
  Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{A4195D6B-BE6B-ABD8-EDEA-BFEDAF11B12F}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\wolf.exe"  (abc1.exe)
  Key created  \REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000\SOFTWARE\Microsoft\Active Setup\Installed Components\{A4195D6B-BE6B-ABD8-EDEA-BFEDAF11B12F}  (abc1.exe)
  Set value (str)  \REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000\Software\Microsoft\Active Setup\Installed Components\{A4195D6B-BE6B-ABD8-EDEA-BFEDAF11B12F}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\wolf.exe"  (abc1.exe)
Executes dropped EXE (2 IoCs)
Processes: abc1.exe, abc2.exe
pid / process:
  2100  abc1.exe
  2952  abc2.exe
Processes:
resource / yara_rule:
  C:\Users\Admin\AppData\Local\Temp\abc1.exe  (upx)
  behavioral1/memory/2100-13-0x0000000000400000-0x000000000045D000-memory.dmp  (upx)
  behavioral1/memory/2100-28-0x0000000000400000-0x000000000045D000-memory.dmp  (upx)
  behavioral1/memory/2100-29-0x0000000000400000-0x000000000045D000-memory.dmp  (upx)
  behavioral1/memory/2100-31-0x0000000000400000-0x000000000045D000-memory.dmp  (upx)
  behavioral1/memory/2100-32-0x0000000000400000-0x000000000045D000-memory.dmp  (upx)
  behavioral1/memory/2100-33-0x0000000000400000-0x000000000045D000-memory.dmp  (upx)
  behavioral1/memory/2100-35-0x0000000000400000-0x000000000045D000-memory.dmp  (upx)
  behavioral1/memory/2100-36-0x0000000000400000-0x000000000045D000-memory.dmp  (upx)
  behavioral1/memory/2100-37-0x0000000000400000-0x000000000045D000-memory.dmp  (upx)
  behavioral1/memory/2100-41-0x0000000000400000-0x000000000045D000-memory.dmp  (upx)
  behavioral1/memory/2100-44-0x0000000000400000-0x000000000045D000-memory.dmp  (upx)
  behavioral1/memory/2100-45-0x0000000000400000-0x000000000045D000-memory.dmp  (upx)
Adds Run key to start application (2 TTPs, 2 IoCs)
Processes: abc1.exe
description / ioc / process:
  Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Windows Defender = "C:\\Users\\Admin\\AppData\\Roaming\\wolf.exe"  (abc1.exe)
  Set value (str)  \REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000\Software\Microsoft\Windows\CurrentVersion\Run\Windows Defender = "C:\\Users\\Admin\\AppData\\Roaming\\wolf.exe"  (abc1.exe)
Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).
Modifies registry key (1 TTPs, 4 IoCs)
Processes: reg.exe, reg.exe, reg.exe, reg.exe
pid / process:
  2628  reg.exe
  2644  reg.exe
  2744  reg.exe
  2960  reg.exe
Suspicious use of AdjustPrivilegeToken (35 IoCs)
Processes: abc1.exe
description / pid / process (every entry is pid 2100, abc1.exe):
  Token: 1
  Token: SeCreateTokenPrivilege
  Token: SeAssignPrimaryTokenPrivilege
  Token: SeLockMemoryPrivilege
  Token: SeIncreaseQuotaPrivilege
  Token: SeMachineAccountPrivilege
  Token: SeTcbPrivilege
  Token: SeSecurityPrivilege
  Token: SeTakeOwnershipPrivilege
  Token: SeLoadDriverPrivilege
  Token: SeSystemProfilePrivilege
  Token: SeSystemtimePrivilege
  Token: SeProfSingleProcessPrivilege
  Token: SeIncBasePriorityPrivilege
  Token: SeCreatePagefilePrivilege
  Token: SeCreatePermanentPrivilege
  Token: SeBackupPrivilege
  Token: SeRestorePrivilege
  Token: SeShutdownPrivilege
  Token: SeDebugPrivilege
  Token: SeAuditPrivilege
  Token: SeSystemEnvironmentPrivilege
  Token: SeChangeNotifyPrivilege
  Token: SeRemoteShutdownPrivilege
  Token: SeUndockPrivilege
  Token: SeSyncAgentPrivilege
  Token: SeEnableDelegationPrivilege
  Token: SeManageVolumePrivilege
  Token: SeImpersonatePrivilege
  Token: SeCreateGlobalPrivilege
  Token: 31
  Token: 32
  Token: 33
  Token: 34
  Token: 35
Suspicious use of SetWindowsHookEx (3 IoCs)
Processes: abc1.exe
pid / process:
  2100  abc1.exe
  2100  abc1.exe
  2100  abc1.exe
Suspicious use of WriteProcessMemory (50 IoCs)
Processes: 3a819e1ce4c18ecce8115195043a0c50_JaffaCakes118.exe, abc2.exe, abc1.exe, cmd.exe, cmd.exe, cmd.exe, cmd.exe
description / pid / process / target process:
  PID 2352 wrote to memory of 2100  (3a819e1ce4c18ecce8115195043a0c50_JaffaCakes118.exe -> abc1.exe)
  PID 2352 wrote to memory of 2100  (3a819e1ce4c18ecce8115195043a0c50_JaffaCakes118.exe -> abc1.exe)
  PID 2352 wrote to memory of 2100  (3a819e1ce4c18ecce8115195043a0c50_JaffaCakes118.exe -> abc1.exe)
  PID 2352 wrote to memory of 2100  (3a819e1ce4c18ecce8115195043a0c50_JaffaCakes118.exe -> abc1.exe)
  PID 2352 wrote to memory of 2952  (3a819e1ce4c18ecce8115195043a0c50_JaffaCakes118.exe -> abc2.exe)
  PID 2352 wrote to memory of 2952  (3a819e1ce4c18ecce8115195043a0c50_JaffaCakes118.exe -> abc2.exe)
  PID 2352 wrote to memory of 2952  (3a819e1ce4c18ecce8115195043a0c50_JaffaCakes118.exe -> abc2.exe)
  PID 2352 wrote to memory of 2952  (3a819e1ce4c18ecce8115195043a0c50_JaffaCakes118.exe -> abc2.exe)
  PID 2952 wrote to memory of 2812  (abc2.exe -> svchost.exe)
  PID 2952 wrote to memory of 2812  (abc2.exe -> svchost.exe)
  PID 2952 wrote to memory of 2812  (abc2.exe -> svchost.exe)
  PID 2952 wrote to memory of 2812  (abc2.exe -> svchost.exe)
  PID 2100 wrote to memory of 2864  (abc1.exe -> cmd.exe)
  PID 2100 wrote to memory of 2864  (abc1.exe -> cmd.exe)
  PID 2100 wrote to memory of 2864  (abc1.exe -> cmd.exe)
  PID 2100 wrote to memory of 2864  (abc1.exe -> cmd.exe)
  PID 2100 wrote to memory of 2840  (abc1.exe -> cmd.exe)
  PID 2100 wrote to memory of 2840  (abc1.exe -> cmd.exe)
  PID 2100 wrote to memory of 2840  (abc1.exe -> cmd.exe)
  PID 2100 wrote to memory of 2840  (abc1.exe -> cmd.exe)
  PID 2100 wrote to memory of 3008  (abc1.exe -> cmd.exe)
  PID 2100 wrote to memory of 3008  (abc1.exe -> cmd.exe)
  PID 2100 wrote to memory of 3008  (abc1.exe -> cmd.exe)
  PID 2100 wrote to memory of 3008  (abc1.exe -> cmd.exe)
  PID 2100 wrote to memory of 2760  (abc1.exe -> cmd.exe)
  PID 2100 wrote to memory of 2760  (abc1.exe -> cmd.exe)
  PID 2100 wrote to memory of 2760  (abc1.exe -> cmd.exe)
  PID 2100 wrote to memory of 2760  (abc1.exe -> cmd.exe)
  PID 2952 wrote to memory of 2812  (abc2.exe -> svchost.exe)
  PID 2952 wrote to memory of 2724  (abc2.exe -> iexplore.exe)
  PID 2952 wrote to memory of 2724  (abc2.exe -> iexplore.exe)
  PID 2952 wrote to memory of 2724  (abc2.exe -> iexplore.exe)
  PID 2952 wrote to memory of 2724  (abc2.exe -> iexplore.exe)
  PID 2760 wrote to memory of 2744  (cmd.exe -> reg.exe)
  PID 2760 wrote to memory of 2744  (cmd.exe -> reg.exe)
  PID 2760 wrote to memory of 2744  (cmd.exe -> reg.exe)
  PID 2760 wrote to memory of 2744  (cmd.exe -> reg.exe)
  PID 3008 wrote to memory of 2628  (cmd.exe -> reg.exe)
  PID 3008 wrote to memory of 2628  (cmd.exe -> reg.exe)
  PID 3008 wrote to memory of 2628  (cmd.exe -> reg.exe)
  PID 3008 wrote to memory of 2628  (cmd.exe -> reg.exe)
  PID 2840 wrote to memory of 2644  (cmd.exe -> reg.exe)
  PID 2840 wrote to memory of 2644  (cmd.exe -> reg.exe)
  PID 2840 wrote to memory of 2644  (cmd.exe -> reg.exe)
  PID 2840 wrote to memory of 2644  (cmd.exe -> reg.exe)
  PID 2864 wrote to memory of 2960  (cmd.exe -> reg.exe)
  PID 2864 wrote to memory of 2960  (cmd.exe -> reg.exe)
  PID 2864 wrote to memory of 2960  (cmd.exe -> reg.exe)
  PID 2864 wrote to memory of 2960  (cmd.exe -> reg.exe)
  PID 2952 wrote to memory of 2724  (abc2.exe -> iexplore.exe)
Processes (indented by depth in the process tree)

C:\Users\Admin\AppData\Local\Temp\3a819e1ce4c18ecce8115195043a0c50_JaffaCakes118.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\3a819e1ce4c18ecce8115195043a0c50_JaffaCakes118.exe"
  PID: 2352
  - Suspicious use of WriteProcessMemory

  C:\Users\Admin\AppData\Local\Temp\abc1.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\abc1.exe"
    PID: 2100
    - Adds policy Run key to start application
    - Boot or Logon Autostart Execution: Active Setup
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory

    C:\Windows\SysWOW64\cmd.exe
      Command line: cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
      PID: 2864
      - Suspicious use of WriteProcessMemory

      C:\Windows\SysWOW64\reg.exe
        Command line: REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
        PID: 2960
        - Modifies firewall policy service
        - Modifies registry key

    C:\Windows\SysWOW64\cmd.exe
      Command line: cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Local\Temp\abc1.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\abc1.exe:*:Enabled:Windows Messanger" /f
      PID: 2840
      - Suspicious use of WriteProcessMemory

      C:\Windows\SysWOW64\reg.exe
        Command line: REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Local\Temp\abc1.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\abc1.exe:*:Enabled:Windows Messanger" /f
        PID: 2644
        - Modifies firewall policy service
        - Modifies registry key

    C:\Windows\SysWOW64\cmd.exe
      Command line: cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
      PID: 3008
      - Suspicious use of WriteProcessMemory

      C:\Windows\SysWOW64\reg.exe
        Command line: REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
        PID: 2628
        - Modifies firewall policy service
        - Modifies registry key

    C:\Windows\SysWOW64\cmd.exe
      Command line: cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Roaming\wolf.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\wolf.exe:*:Enabled:Windows Messanger" /f
      PID: 2760
      - Suspicious use of WriteProcessMemory

      C:\Windows\SysWOW64\reg.exe
        Command line: REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Roaming\wolf.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\wolf.exe:*:Enabled:Windows Messanger" /f
        PID: 2744
        - Modifies firewall policy service
        - Modifies registry key

  C:\Users\Admin\AppData\Local\Temp\abc2.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\abc2.exe"
    PID: 2952
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory

    C:\Windows\SysWOW64\svchost.exe
      Command line: svchost.exe
      PID: 2812

    C:\Program Files\Internet Explorer\iexplore.exe
      Command line: "C:\Program Files\Internet Explorer\iexplore.exe"
      PID: 2724
Network
MITRE ATT&CK Enterprise v15

Persistence
  Boot or Logon Autostart Execution (3)
    Active Setup (1)
    Registry Run Keys / Startup Folder (2)
  Create or Modify System Process (1)
    Windows Service (1)

Privilege Escalation
  Boot or Logon Autostart Execution (3)
    Active Setup (1)
    Registry Run Keys / Startup Folder (2)
  Create or Modify System Process (1)
    Windows Service (1)
Downloads

Filesize: 113KB
MD5: 82805e4f9baddb787a2f94635c47e4a3
SHA1: fac7ba94e0d2ce74da1219753847f6bcbde80df5
SHA256: 0ba4cbfab6470cdf91b616be53af002a6d99329abc45371e63dfc39493a2f0f6
SHA512: 9d41d79a812a5620515e4f27584c91bb116678111458e91ce361fb31f4f4cbb4383a6861333bf19be18a76b5620827a1220c8a4e7d2c355af38588d13ebb2681

Filesize: 65KB
MD5: c2a608b49ee909733839cb54a07ecffa
SHA1: cc8dac87a9c71fab0468cd66a399a73004ea745c
SHA256: e4fc7a02a191853604cc170c97b05e12eb4d8bb468aeecff1b5a6690fd7bcaf6
SHA512: 518eb069fcbcac2c504dd3c73840acdc950ee3911d0a852139e58fac3650a889fa17722588b71d51180fab6e6e36b463fdff28b1792c91d8d56f5f5a9ab32eaa