Analysis
- max time kernel: 149s
- max time network: 120s
- platform: windows7_x64
- resource: win7-20240705-en
- resource tags: arch:x64, arch:x86, image:win7-20240705-en, locale:en-us, os:windows7-x64, system
- submitted: 11-07-2024 20:46
Static task: static1
Behavioral task: behavioral1
- Sample: 3aa8042b959d01f9bad93546c7d8c298_JaffaCakes118.exe
- Resource: win7-20240705-en
Behavioral task: behavioral2
- Sample: 3aa8042b959d01f9bad93546c7d8c298_JaffaCakes118.exe
- Resource: win10v2004-20240704-en
General
- Target: 3aa8042b959d01f9bad93546c7d8c298_JaffaCakes118.exe
- Size: 81KB
- MD5: 3aa8042b959d01f9bad93546c7d8c298
- SHA1: 76136463338e1f5291818193ea8623b1b4ebbc70
- SHA256: 8f90fb235e7f992c5731d71ad5d47e5c08448c53f93e97846b1ea146b586babd
- SHA512: 0132fcae80df171f5813ea3d3902dcaa0f4d38b0419f1abbde4dad45e50e1dae10820fc73c3fca6949791ab5e998ec4d8ac044aa49b9e8cffdb444131506376a
- SSDEEP: 1536:k90G3jdMXF8kqNYFwrLRIgK++/0KFGlCB4exfJ4c2o3wlQo:uyXCkAY6IgmMK8AB4edScp3wSo
Malware Config
Signatures
- Detect XtremeRAT payload (5 IoCs)
  Processes:
    resource                                                                      yara_rule
    behavioral1/memory/2688-27-0x0000000010000000-0x000000001004D000-memory.dmp  family_xtremerat
    behavioral1/memory/2688-28-0x0000000010000000-0x000000001004D000-memory.dmp  family_xtremerat
    behavioral1/memory/2756-31-0x0000000010000000-0x000000001004D000-memory.dmp  family_xtremerat
    behavioral1/memory/2688-32-0x0000000010000000-0x000000001004D000-memory.dmp  family_xtremerat
    behavioral1/memory/2756-33-0x0000000010000000-0x000000001004D000-memory.dmp  family_xtremerat
- XtremeRAT
  XtremeRAT was developed by xtremecoder, is written in Delphi, and has been available since at least 2010.
- Processes:
    resource                                                                      yara_rule
    behavioral1/memory/2688-27-0x0000000010000000-0x000000001004D000-memory.dmp  upx
    behavioral1/memory/2688-28-0x0000000010000000-0x000000001004D000-memory.dmp  upx
    behavioral1/memory/2688-20-0x0000000010000000-0x000000001004D000-memory.dmp  upx
    behavioral1/memory/2688-26-0x0000000010000000-0x000000001004D000-memory.dmp  upx
    behavioral1/memory/2688-25-0x0000000010000000-0x000000001004D000-memory.dmp  upx
    behavioral1/memory/2688-21-0x0000000010000000-0x000000001004D000-memory.dmp  upx
    behavioral1/memory/2756-31-0x0000000010000000-0x000000001004D000-memory.dmp  upx
    behavioral1/memory/2688-32-0x0000000010000000-0x000000001004D000-memory.dmp  upx
    behavioral1/memory/2756-33-0x0000000010000000-0x000000001004D000-memory.dmp  upx
- Suspicious use of SetThreadContext (1 IoC)
  Processes: 3aa8042b959d01f9bad93546c7d8c298_JaffaCakes118.exe
    description                                pid   process                                             target process
    PID 2352 set thread context of 2688        2352  3aa8042b959d01f9bad93546c7d8c298_JaffaCakes118.exe  3aa8042b959d01f9bad93546c7d8c298_JaffaCakes118.exe
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
- Program crash (1 IoC)
  Processes: WerFault.exe
    pid   pid_target  process       target process
    2568  2352        WerFault.exe  3aa8042b959d01f9bad93546c7d8c298_JaffaCakes118.exe
- Suspicious use of SetWindowsHookEx (1 IoC)
  Processes: 3aa8042b959d01f9bad93546c7d8c298_JaffaCakes118.exe
    pid   process
    2352  3aa8042b959d01f9bad93546c7d8c298_JaffaCakes118.exe
- Suspicious use of WriteProcessMemory (22 IoCs)
  Processes: 3aa8042b959d01f9bad93546c7d8c298_JaffaCakes118.exe, 3aa8042b959d01f9bad93546c7d8c298_JaffaCakes118.exe
    description                        pid   process                                             target process
    PID 2352 wrote to memory of 2688   2352  3aa8042b959d01f9bad93546c7d8c298_JaffaCakes118.exe  3aa8042b959d01f9bad93546c7d8c298_JaffaCakes118.exe
    PID 2352 wrote to memory of 2688   2352  3aa8042b959d01f9bad93546c7d8c298_JaffaCakes118.exe  3aa8042b959d01f9bad93546c7d8c298_JaffaCakes118.exe
    PID 2352 wrote to memory of 2688   2352  3aa8042b959d01f9bad93546c7d8c298_JaffaCakes118.exe  3aa8042b959d01f9bad93546c7d8c298_JaffaCakes118.exe
    PID 2352 wrote to memory of 2688   2352  3aa8042b959d01f9bad93546c7d8c298_JaffaCakes118.exe  3aa8042b959d01f9bad93546c7d8c298_JaffaCakes118.exe
    PID 2352 wrote to memory of 2688   2352  3aa8042b959d01f9bad93546c7d8c298_JaffaCakes118.exe  3aa8042b959d01f9bad93546c7d8c298_JaffaCakes118.exe
    PID 2352 wrote to memory of 2688   2352  3aa8042b959d01f9bad93546c7d8c298_JaffaCakes118.exe  3aa8042b959d01f9bad93546c7d8c298_JaffaCakes118.exe
    PID 2352 wrote to memory of 2688   2352  3aa8042b959d01f9bad93546c7d8c298_JaffaCakes118.exe  3aa8042b959d01f9bad93546c7d8c298_JaffaCakes118.exe
    PID 2352 wrote to memory of 2688   2352  3aa8042b959d01f9bad93546c7d8c298_JaffaCakes118.exe  3aa8042b959d01f9bad93546c7d8c298_JaffaCakes118.exe
    PID 2352 wrote to memory of 2568   2352  3aa8042b959d01f9bad93546c7d8c298_JaffaCakes118.exe  WerFault.exe
    PID 2352 wrote to memory of 2568   2352  3aa8042b959d01f9bad93546c7d8c298_JaffaCakes118.exe  WerFault.exe
    PID 2352 wrote to memory of 2568   2352  3aa8042b959d01f9bad93546c7d8c298_JaffaCakes118.exe  WerFault.exe
    PID 2352 wrote to memory of 2568   2352  3aa8042b959d01f9bad93546c7d8c298_JaffaCakes118.exe  WerFault.exe
    PID 2688 wrote to memory of 2756   2688  3aa8042b959d01f9bad93546c7d8c298_JaffaCakes118.exe  svchost.exe
    PID 2688 wrote to memory of 2756   2688  3aa8042b959d01f9bad93546c7d8c298_JaffaCakes118.exe  svchost.exe
    PID 2688 wrote to memory of 2756   2688  3aa8042b959d01f9bad93546c7d8c298_JaffaCakes118.exe  svchost.exe
    PID 2688 wrote to memory of 2756   2688  3aa8042b959d01f9bad93546c7d8c298_JaffaCakes118.exe  svchost.exe
    PID 2688 wrote to memory of 2756   2688  3aa8042b959d01f9bad93546c7d8c298_JaffaCakes118.exe  svchost.exe
    PID 2688 wrote to memory of 2808   2688  3aa8042b959d01f9bad93546c7d8c298_JaffaCakes118.exe  iexplore.exe
    PID 2688 wrote to memory of 2808   2688  3aa8042b959d01f9bad93546c7d8c298_JaffaCakes118.exe  iexplore.exe
    PID 2688 wrote to memory of 2808   2688  3aa8042b959d01f9bad93546c7d8c298_JaffaCakes118.exe  iexplore.exe
    PID 2688 wrote to memory of 2808   2688  3aa8042b959d01f9bad93546c7d8c298_JaffaCakes118.exe  iexplore.exe
    PID 2688 wrote to memory of 2808   2688  3aa8042b959d01f9bad93546c7d8c298_JaffaCakes118.exe  iexplore.exe
Processes
- C:\Users\Admin\AppData\Local\Temp\3aa8042b959d01f9bad93546c7d8c298_JaffaCakes118.exe (PID 2352)
  command line: "C:\Users\Admin\AppData\Local\Temp\3aa8042b959d01f9bad93546c7d8c298_JaffaCakes118.exe"
  signatures: Suspicious use of SetThreadContext; Suspicious use of SetWindowsHookEx; Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\3aa8042b959d01f9bad93546c7d8c298_JaffaCakes118.exe (PID 2688)
    command line: "C:\Users\Admin\AppData\Local\Temp\3aa8042b959d01f9bad93546c7d8c298_JaffaCakes118.exe"
    signatures: Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\svchost.exe (PID 2756)
      command line: svchost.exe
    - C:\Program Files\Internet Explorer\iexplore.exe (PID 2808)
      command line: "C:\Program Files\Internet Explorer\iexplore.exe"
  - C:\Windows\SysWOW64\WerFault.exe (PID 2568)
    command line: C:\Windows\SysWOW64\WerFault.exe -u -p 2352 -s 228
    signatures: Program crash