Analysis
- max time kernel: 148s
- max time network: 152s
- platform: windows10-2004_x64
- resource: win10v2004-20240704-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240704-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 11-07-2024 19:52
Behavioral task: behavioral1
Sample: 3a819e1ce4c18ecce8115195043a0c50_JaffaCakes118.exe
Resource: win7-20240705-en
General
- Target: 3a819e1ce4c18ecce8115195043a0c50_JaffaCakes118.exe
- Size: 194KB
- MD5: 3a819e1ce4c18ecce8115195043a0c50
- SHA1: 462f26db8f151bb0f77882ca788f864c7f767aa6
- SHA256: 3e97b2fc541b3a23e2fb612f7b272a9619b25cd446e288bbb0a4c94944712513
- SHA512: 786ece052f1272062cfe060a9e06ec3b8381f8e79c0ec433d5193a928b63c32fa4611f3eaa1befb4d27957b431af0addd9a6456ffba6e88b6daa2f95b74fdd3a
- SSDEEP: 3072:L3gbjAOEY4TjVzg8252TDH+U0p+Cjey9NxOjCzYsKF8ttY8QoQAEJ0by:T+81Y4TZg8ZH+U0hj19NxECzYBKMq/u
Malware Config
Extracted
- Family: xtremerat
- C2: wolfwolf3007.no-ip.org
Signatures

Detect XtremeRAT payload (4 IoCs)
Processes (yara rule: family_xtremerat):
- C:\Users\Admin\AppData\Local\Temp\abc2.exe
- behavioral2/memory/2712-30-0x0000000010000000-0x0000000010048000-memory.dmp
- behavioral2/memory/2424-31-0x0000000010000000-0x0000000010048000-memory.dmp
- behavioral2/memory/2712-32-0x0000000010000000-0x0000000010048000-memory.dmp

Modifies firewall policy service (3 TTPs, 10 IoCs)
Processes: reg.exe, reg.exe, reg.exe, reg.exe
- Set value (int): \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" (reg.exe)
- Key created: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile (reg.exe)
- Set value (int): \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" (reg.exe)
- Key created: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List (reg.exe)
- Key created: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications (reg.exe)
- Key created: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile (reg.exe)
- Key created: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List (reg.exe)
- Set value (str): \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\Users\Admin\AppData\Local\Temp\abc1.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\abc1.exe:*:Enabled:Windows Messanger" (reg.exe)
- Key created: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile (reg.exe)
- Set value (str): \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\Users\Admin\AppData\Roaming\wolf.exe = "C:\\Users\\Admin\\AppData\\Roaming\\wolf.exe:*:Enabled:Windows Messanger" (reg.exe)
XtremeRAT
XtremeRAT was developed by xtremecoder, is written in Delphi, and has been available since at least 2010.
-
Adds policy Run key to start application (2 TTPs, 2 IoCs)
Processes: abc1.exe
- Key created: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\run (abc1.exe)
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\run\Windows Defender = "C:\\Users\\Admin\\AppData\\Roaming\\wolf.exe" (abc1.exe)
Boot or Logon Autostart Execution: Active Setup (2 TTPs, 4 IoCs)
Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.
Processes: abc1.exe
- Key created: \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{A4195D6B-BE6B-ABD8-EDEA-BFEDAF11B12F} (abc1.exe)
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{A4195D6B-BE6B-ABD8-EDEA-BFEDAF11B12F}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\wolf.exe" (abc1.exe)
- Key created: \REGISTRY\USER\S-1-5-21-1403246978-718555486-3105247137-1000\SOFTWARE\Microsoft\Active Setup\Installed Components\{A4195D6B-BE6B-ABD8-EDEA-BFEDAF11B12F} (abc1.exe)
- Set value (str): \REGISTRY\USER\S-1-5-21-1403246978-718555486-3105247137-1000\SOFTWARE\Microsoft\Active Setup\Installed Components\{A4195D6B-BE6B-ABD8-EDEA-BFEDAF11B12F}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\wolf.exe" (abc1.exe)
Checks computer location settings (2 TTPs, 1 IoC)
Looks up the country code configured in the registry, likely a geofence.
Processes: 3a819e1ce4c18ecce8115195043a0c50_JaffaCakes118.exe
- Key value queried: \REGISTRY\USER\S-1-5-21-1403246978-718555486-3105247137-1000\Control Panel\International\Geo\Nation (3a819e1ce4c18ecce8115195043a0c50_JaffaCakes118.exe)
Executes dropped EXE (2 IoCs)
Processes: abc1.exe, abc2.exe
- PID 4116: abc1.exe
- PID 2424: abc2.exe

Processes (yara rule: upx):
- C:\Users\Admin\AppData\Local\Temp\abc1.exe
- behavioral2/memory/4116-18-0x0000000000400000-0x000000000045D000-memory.dmp
- behavioral2/memory/4116-33-0x0000000000400000-0x000000000045D000-memory.dmp
- behavioral2/memory/4116-34-0x0000000000400000-0x000000000045D000-memory.dmp
- behavioral2/memory/4116-36-0x0000000000400000-0x000000000045D000-memory.dmp
- behavioral2/memory/4116-37-0x0000000000400000-0x000000000045D000-memory.dmp
- behavioral2/memory/4116-38-0x0000000000400000-0x000000000045D000-memory.dmp
- behavioral2/memory/4116-40-0x0000000000400000-0x000000000045D000-memory.dmp
- behavioral2/memory/4116-41-0x0000000000400000-0x000000000045D000-memory.dmp
- behavioral2/memory/4116-44-0x0000000000400000-0x000000000045D000-memory.dmp
- behavioral2/memory/4116-45-0x0000000000400000-0x000000000045D000-memory.dmp
- behavioral2/memory/4116-47-0x0000000000400000-0x000000000045D000-memory.dmp
- behavioral2/memory/4116-49-0x0000000000400000-0x000000000045D000-memory.dmp
- behavioral2/memory/4116-50-0x0000000000400000-0x000000000045D000-memory.dmp
Adds Run key to start application (2 TTPs, 2 IoCs)
Processes: abc1.exe
- Set value (str): \REGISTRY\USER\S-1-5-21-1403246978-718555486-3105247137-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Windows Defender = "C:\\Users\\Admin\\AppData\\Roaming\\wolf.exe" (abc1.exe)
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Windows Defender = "C:\\Users\\Admin\\AppData\\Roaming\\wolf.exe" (abc1.exe)
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).
Program crash (2 IoCs)
Processes: WerFault.exe, WerFault.exe
- PID 4336 (WerFault.exe), target PID 2712 (svchost.exe)
- PID 1588 (WerFault.exe), target PID 2712 (svchost.exe)
Modifies registry key (1 TTP, 4 IoCs)
Processes: reg.exe, reg.exe, reg.exe, reg.exe
- PID 4000: reg.exe
- PID 5056: reg.exe
- PID 1864: reg.exe
- PID 3940: reg.exe
Suspicious use of AdjustPrivilegeToken (35 IoCs)
Processes: abc1.exe
All 35 entries belong to PID 4116 (abc1.exe). Tokens adjusted, in order:
- Token: 1
- SeCreateTokenPrivilege
- SeAssignPrimaryTokenPrivilege
- SeLockMemoryPrivilege
- SeIncreaseQuotaPrivilege
- SeMachineAccountPrivilege
- SeTcbPrivilege
- SeSecurityPrivilege
- SeTakeOwnershipPrivilege
- SeLoadDriverPrivilege
- SeSystemProfilePrivilege
- SeSystemtimePrivilege
- SeProfSingleProcessPrivilege
- SeIncBasePriorityPrivilege
- SeCreatePagefilePrivilege
- SeCreatePermanentPrivilege
- SeBackupPrivilege
- SeRestorePrivilege
- SeShutdownPrivilege
- SeDebugPrivilege
- SeAuditPrivilege
- SeSystemEnvironmentPrivilege
- SeChangeNotifyPrivilege
- SeRemoteShutdownPrivilege
- SeUndockPrivilege
- SeSyncAgentPrivilege
- SeEnableDelegationPrivilege
- SeManageVolumePrivilege
- SeImpersonatePrivilege
- SeCreateGlobalPrivilege
- Token: 31
- Token: 32
- Token: 33
- Token: 34
- Token: 35
Suspicious use of SetWindowsHookEx (3 IoCs)
Processes: abc1.exe
- PID 4116: abc1.exe
- PID 4116: abc1.exe
- PID 4116: abc1.exe
Suspicious use of WriteProcessMemory (37 IoCs)
Processes: 3a819e1ce4c18ecce8115195043a0c50_JaffaCakes118.exe, abc1.exe, abc2.exe, cmd.exe, cmd.exe, cmd.exe, cmd.exe
Entries in report order (source PID and process, target PID and process; consecutive repeats collapsed with a count):
- PID 2920 (3a819e1ce4c18ecce8115195043a0c50_JaffaCakes118.exe) wrote to memory of 4116 (abc1.exe), 3 times
- PID 2920 (3a819e1ce4c18ecce8115195043a0c50_JaffaCakes118.exe) wrote to memory of 2424 (abc2.exe), 3 times
- PID 4116 (abc1.exe) wrote to memory of 792 (cmd.exe), 3 times
- PID 4116 (abc1.exe) wrote to memory of 5100 (cmd.exe), 3 times
- PID 4116 (abc1.exe) wrote to memory of 4276 (cmd.exe), 3 times
- PID 4116 (abc1.exe) wrote to memory of 3004 (cmd.exe), 3 times
- PID 2424 (abc2.exe) wrote to memory of 2712 (svchost.exe), 3 times
- PID 3004 (cmd.exe) wrote to memory of 4000 (reg.exe), 3 times
- PID 2424 (abc2.exe) wrote to memory of 2712 (svchost.exe), 1 time
- PID 2424 (abc2.exe) wrote to memory of 5072 (msedge.exe), 2 times
- PID 792 (cmd.exe) wrote to memory of 5056 (reg.exe), 3 times
- PID 5100 (cmd.exe) wrote to memory of 3940 (reg.exe), 3 times
- PID 4276 (cmd.exe) wrote to memory of 1864 (reg.exe), 3 times
- PID 2424 (abc2.exe) wrote to memory of 5072 (msedge.exe), 1 time
Processes
(indentation shows the parent/child relationship; each entry gives the image path, the command line, the PID, and the signatures hit by that process)

C:\Users\Admin\AppData\Local\Temp\3a819e1ce4c18ecce8115195043a0c50_JaffaCakes118.exe (PID 2920)
    Command line: "C:\Users\Admin\AppData\Local\Temp\3a819e1ce4c18ecce8115195043a0c50_JaffaCakes118.exe"
    - Checks computer location settings
    - Suspicious use of WriteProcessMemory

    C:\Users\Admin\AppData\Local\Temp\abc1.exe (PID 4116)
        Command line: "C:\Users\Admin\AppData\Local\Temp\abc1.exe"
        - Adds policy Run key to start application
        - Boot or Logon Autostart Execution: Active Setup
        - Executes dropped EXE
        - Adds Run key to start application
        - Suspicious use of AdjustPrivilegeToken
        - Suspicious use of SetWindowsHookEx
        - Suspicious use of WriteProcessMemory

        C:\Windows\SysWOW64\cmd.exe (PID 792)
            Command line: cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
            - Suspicious use of WriteProcessMemory

            C:\Windows\SysWOW64\reg.exe (PID 5056)
                Command line: REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
                - Modifies firewall policy service
                - Modifies registry key

        C:\Windows\SysWOW64\cmd.exe (PID 5100)
            Command line: cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Local\Temp\abc1.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\abc1.exe:*:Enabled:Windows Messanger" /f
            - Suspicious use of WriteProcessMemory

            C:\Windows\SysWOW64\reg.exe (PID 3940)
                Command line: REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Local\Temp\abc1.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\abc1.exe:*:Enabled:Windows Messanger" /f
                - Modifies firewall policy service
                - Modifies registry key

        C:\Windows\SysWOW64\cmd.exe (PID 4276)
            Command line: cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
            - Suspicious use of WriteProcessMemory

            C:\Windows\SysWOW64\reg.exe (PID 1864)
                Command line: REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
                - Modifies firewall policy service
                - Modifies registry key

        C:\Windows\SysWOW64\cmd.exe (PID 3004)
            Command line: cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Roaming\wolf.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\wolf.exe:*:Enabled:Windows Messanger" /f
            - Suspicious use of WriteProcessMemory

            C:\Windows\SysWOW64\reg.exe (PID 4000)
                Command line: REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Roaming\wolf.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\wolf.exe:*:Enabled:Windows Messanger" /f
                - Modifies firewall policy service
                - Modifies registry key

    C:\Users\Admin\AppData\Local\Temp\abc2.exe (PID 2424)
        Command line: "C:\Users\Admin\AppData\Local\Temp\abc2.exe"
        - Executes dropped EXE
        - Suspicious use of WriteProcessMemory

        C:\Windows\SysWOW64\svchost.exe (PID 2712)
            Command line: svchost.exe

            C:\Windows\SysWOW64\WerFault.exe (PID 4336)
                Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 2712 -s 484
                - Program crash

            C:\Windows\SysWOW64\WerFault.exe (PID 1588)
                Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 2712 -s 492
                - Program crash

        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 5072)
            Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"

C:\Windows\SysWOW64\WerFault.exe (PID 3924)
    Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 428 -p 2712 -ip 2712

C:\Windows\SysWOW64\WerFault.exe (PID 5016)
    Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 508 -p 2712 -ip 2712
Network
MITRE ATT&CK Enterprise v15
Persistence
- Boot or Logon Autostart Execution (3)
  - Active Setup (1)
  - Registry Run Keys / Startup Folder (2)
- Create or Modify System Process (1)
  - Windows Service (1)
Privilege Escalation
- Boot or Logon Autostart Execution (3)
  - Active Setup (1)
  - Registry Run Keys / Startup Folder (2)
- Create or Modify System Process (1)
  - Windows Service (1)
Downloads
- Filesize: 113KB
  MD5: 82805e4f9baddb787a2f94635c47e4a3
  SHA1: fac7ba94e0d2ce74da1219753847f6bcbde80df5
  SHA256: 0ba4cbfab6470cdf91b616be53af002a6d99329abc45371e63dfc39493a2f0f6
  SHA512: 9d41d79a812a5620515e4f27584c91bb116678111458e91ce361fb31f4f4cbb4383a6861333bf19be18a76b5620827a1220c8a4e7d2c355af38588d13ebb2681
- Filesize: 65KB
  MD5: c2a608b49ee909733839cb54a07ecffa
  SHA1: cc8dac87a9c71fab0468cd66a399a73004ea745c
  SHA256: e4fc7a02a191853604cc170c97b05e12eb4d8bb468aeecff1b5a6690fd7bcaf6
  SHA512: 518eb069fcbcac2c504dd3c73840acdc950ee3911d0a852139e58fac3650a889fa17722588b71d51180fab6e6e36b463fdff28b1792c91d8d56f5f5a9ab32eaa