Analysis
max time kernel: 149s
max time network: 150s
platform: windows7_x64
resource: win7-20240705-en
resource tags: arch:x64, arch:x86, image:win7-20240705-en, locale:en-us, os:windows7-x64, system
submitted: 12-07-2024 08:52
Static task: static1
Behavioral task: behavioral1
  Sample: 3cb77d150322e6eff418c2a9de93434c_JaffaCakes118.exe
  Resource: win7-20240705-en
Behavioral task: behavioral2
  Sample: 3cb77d150322e6eff418c2a9de93434c_JaffaCakes118.exe
  Resource: win10v2004-20240709-en
General
Target: 3cb77d150322e6eff418c2a9de93434c_JaffaCakes118.exe
Size: 130KB
MD5: 3cb77d150322e6eff418c2a9de93434c
SHA1: dea7693e530c3ba5a40e90ebedf2200e12ad6e83
SHA256: d78cd4e79e26eba296f9ee7fd9ca872dd5d948d12ee4aaa6f9484f725c6b4ef0
SHA512: 3fdf3539a9057038c78ae2b0188226625494fab84c9c119a0e6daa33cb81f2bf3269bdeb06609fa344a7f94871ef459217f0abec455a35dbef96240923dc131b
SSDEEP: 3072:Xj9DWdxkKdDN336MdMfLir4N336MdMfLir5omn9Uv41cxTl2G:XRWRqqULiryqqULir5w+Q
Malware Config
Extracted
xtremerat
medoo.no-ip.org
Signatures
-
Detect XtremeRAT payload (13 IoCs)
Processes:
resource | yara_rule
behavioral1/memory/2944-0-0x0000000000C80000-0x0000000000CBD000-memory.dmp | family_xtremerat
behavioral1/memory/2312-6-0x0000000000C80000-0x0000000000CBD000-memory.dmp | family_xtremerat
behavioral1/memory/2456-10-0x0000000000C80000-0x0000000000CBD000-memory.dmp | family_xtremerat
behavioral1/memory/2944-13-0x0000000000C80000-0x0000000000CBD000-memory.dmp | family_xtremerat
behavioral1/memory/2944-14-0x0000000000C80000-0x0000000000CBD000-memory.dmp | family_xtremerat
behavioral1/memory/2944-15-0x0000000000C80000-0x0000000000CBD000-memory.dmp | family_xtremerat
behavioral1/memory/2944-17-0x0000000000C80000-0x0000000000CBD000-memory.dmp | family_xtremerat
behavioral1/memory/2944-18-0x0000000000C80000-0x0000000000CBD000-memory.dmp | family_xtremerat
behavioral1/memory/2944-19-0x0000000000C80000-0x0000000000CBD000-memory.dmp | family_xtremerat
behavioral1/memory/2944-20-0x0000000000C80000-0x0000000000CBD000-memory.dmp | family_xtremerat
behavioral1/memory/2944-21-0x0000000000C80000-0x0000000000CBD000-memory.dmp | family_xtremerat
behavioral1/memory/2944-23-0x0000000000C80000-0x0000000000CBD000-memory.dmp | family_xtremerat
behavioral1/memory/2944-28-0x0000000000C80000-0x0000000000CBD000-memory.dmp | family_xtremerat
XtremeRAT
XtremeRAT was developed by xtremecoder, has been available since at least 2010, and is written in Delphi.
-
Boot or Logon Autostart Execution: Active Setup (2 TTPs, 2 IoCs)
Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.
Processes: 3cb77d150322e6eff418c2a9de93434c_JaffaCakes118.exe
description | ioc | process
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{H6OHF7S2-4BO3-380R-MPHO-BQGOB7642818} | 3cb77d150322e6eff418c2a9de93434c_JaffaCakes118.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{H6OHF7S2-4BO3-380R-MPHO-BQGOB7642818}\StubPath = "C:\\Windows\\InstallDir\\Server.exe restart" | 3cb77d150322e6eff418c2a9de93434c_JaffaCakes118.exe
Drops file in Windows directory (2 IoCs)
Processes: 3cb77d150322e6eff418c2a9de93434c_JaffaCakes118.exe
description | ioc | process
File opened for modification | C:\Windows\InstallDir\Server.exe | 3cb77d150322e6eff418c2a9de93434c_JaffaCakes118.exe
File created | C:\Windows\InstallDir\Server.exe | 3cb77d150322e6eff418c2a9de93434c_JaffaCakes118.exe
Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).
-
Suspicious use of SetWindowsHookEx (1 IoCs)
Processes: 3cb77d150322e6eff418c2a9de93434c_JaffaCakes118.exe
pid | process
2944 | 3cb77d150322e6eff418c2a9de93434c_JaffaCakes118.exe
Suspicious use of WriteProcessMemory (62 IoCs)
Processes: 3cb77d150322e6eff418c2a9de93434c_JaffaCakes118.exe
description | pid | process | target process
PID 2944 wrote to memory of 2312 | 2944 | 3cb77d150322e6eff418c2a9de93434c_JaffaCakes118.exe | svchost.exe
PID 2944 wrote to memory of 2312 | 2944 | 3cb77d150322e6eff418c2a9de93434c_JaffaCakes118.exe | svchost.exe
PID 2944 wrote to memory of 2312 | 2944 | 3cb77d150322e6eff418c2a9de93434c_JaffaCakes118.exe | svchost.exe
PID 2944 wrote to memory of 2312 | 2944 | 3cb77d150322e6eff418c2a9de93434c_JaffaCakes118.exe | svchost.exe
PID 2944 wrote to memory of 2312 | 2944 | 3cb77d150322e6eff418c2a9de93434c_JaffaCakes118.exe | svchost.exe
PID 2944 wrote to memory of 2456 | 2944 | 3cb77d150322e6eff418c2a9de93434c_JaffaCakes118.exe | explorer.exe
PID 2944 wrote to memory of 2456 | 2944 | 3cb77d150322e6eff418c2a9de93434c_JaffaCakes118.exe | explorer.exe
PID 2944 wrote to memory of 2456 | 2944 | 3cb77d150322e6eff418c2a9de93434c_JaffaCakes118.exe | explorer.exe
PID 2944 wrote to memory of 2456 | 2944 | 3cb77d150322e6eff418c2a9de93434c_JaffaCakes118.exe | explorer.exe
PID 2944 wrote to memory of 2456 | 2944 | 3cb77d150322e6eff418c2a9de93434c_JaffaCakes118.exe | explorer.exe
PID 2944 wrote to memory of 3052 | 2944 | 3cb77d150322e6eff418c2a9de93434c_JaffaCakes118.exe | explorer.exe
PID 2944 wrote to memory of 3052 | 2944 | 3cb77d150322e6eff418c2a9de93434c_JaffaCakes118.exe | explorer.exe
PID 2944 wrote to memory of 3052 | 2944 | 3cb77d150322e6eff418c2a9de93434c_JaffaCakes118.exe | explorer.exe
PID 2944 wrote to memory of 3052 | 2944 | 3cb77d150322e6eff418c2a9de93434c_JaffaCakes118.exe | explorer.exe
PID 2944 wrote to memory of 2128 | 2944 | 3cb77d150322e6eff418c2a9de93434c_JaffaCakes118.exe | explorer.exe
PID 2944 wrote to memory of 2128 | 2944 | 3cb77d150322e6eff418c2a9de93434c_JaffaCakes118.exe | explorer.exe
PID 2944 wrote to memory of 2128 | 2944 | 3cb77d150322e6eff418c2a9de93434c_JaffaCakes118.exe | explorer.exe
PID 2944 wrote to memory of 2128 | 2944 | 3cb77d150322e6eff418c2a9de93434c_JaffaCakes118.exe | explorer.exe
PID 2944 wrote to memory of 2608 | 2944 | 3cb77d150322e6eff418c2a9de93434c_JaffaCakes118.exe | explorer.exe
PID 2944 wrote to memory of 2608 | 2944 | 3cb77d150322e6eff418c2a9de93434c_JaffaCakes118.exe | explorer.exe
PID 2944 wrote to memory of 2608 | 2944 | 3cb77d150322e6eff418c2a9de93434c_JaffaCakes118.exe | explorer.exe
PID 2944 wrote to memory of 2608 | 2944 | 3cb77d150322e6eff418c2a9de93434c_JaffaCakes118.exe | explorer.exe
PID 2944 wrote to memory of 2612 | 2944 | 3cb77d150322e6eff418c2a9de93434c_JaffaCakes118.exe | explorer.exe
PID 2944 wrote to memory of 2612 | 2944 | 3cb77d150322e6eff418c2a9de93434c_JaffaCakes118.exe | explorer.exe
PID 2944 wrote to memory of 2612 | 2944 | 3cb77d150322e6eff418c2a9de93434c_JaffaCakes118.exe | explorer.exe
PID 2944 wrote to memory of 2612 | 2944 | 3cb77d150322e6eff418c2a9de93434c_JaffaCakes118.exe | explorer.exe
PID 2944 wrote to memory of 2900 | 2944 | 3cb77d150322e6eff418c2a9de93434c_JaffaCakes118.exe | explorer.exe
PID 2944 wrote to memory of 2900 | 2944 | 3cb77d150322e6eff418c2a9de93434c_JaffaCakes118.exe | explorer.exe
PID 2944 wrote to memory of 2900 | 2944 | 3cb77d150322e6eff418c2a9de93434c_JaffaCakes118.exe | explorer.exe
PID 2944 wrote to memory of 2900 | 2944 | 3cb77d150322e6eff418c2a9de93434c_JaffaCakes118.exe | explorer.exe
PID 2944 wrote to memory of 2716 | 2944 | 3cb77d150322e6eff418c2a9de93434c_JaffaCakes118.exe | explorer.exe
PID 2944 wrote to memory of 2716 | 2944 | 3cb77d150322e6eff418c2a9de93434c_JaffaCakes118.exe | explorer.exe
PID 2944 wrote to memory of 2716 | 2944 | 3cb77d150322e6eff418c2a9de93434c_JaffaCakes118.exe | explorer.exe
PID 2944 wrote to memory of 2716 | 2944 | 3cb77d150322e6eff418c2a9de93434c_JaffaCakes118.exe | explorer.exe
PID 2944 wrote to memory of 2712 | 2944 | 3cb77d150322e6eff418c2a9de93434c_JaffaCakes118.exe | explorer.exe
PID 2944 wrote to memory of 2712 | 2944 | 3cb77d150322e6eff418c2a9de93434c_JaffaCakes118.exe | explorer.exe
PID 2944 wrote to memory of 2712 | 2944 | 3cb77d150322e6eff418c2a9de93434c_JaffaCakes118.exe | explorer.exe
PID 2944 wrote to memory of 2712 | 2944 | 3cb77d150322e6eff418c2a9de93434c_JaffaCakes118.exe | explorer.exe
PID 2944 wrote to memory of 2748 | 2944 | 3cb77d150322e6eff418c2a9de93434c_JaffaCakes118.exe | explorer.exe
PID 2944 wrote to memory of 2748 | 2944 | 3cb77d150322e6eff418c2a9de93434c_JaffaCakes118.exe | explorer.exe
PID 2944 wrote to memory of 2748 | 2944 | 3cb77d150322e6eff418c2a9de93434c_JaffaCakes118.exe | explorer.exe
PID 2944 wrote to memory of 2748 | 2944 | 3cb77d150322e6eff418c2a9de93434c_JaffaCakes118.exe | explorer.exe
PID 2944 wrote to memory of 2784 | 2944 | 3cb77d150322e6eff418c2a9de93434c_JaffaCakes118.exe | explorer.exe
PID 2944 wrote to memory of 2784 | 2944 | 3cb77d150322e6eff418c2a9de93434c_JaffaCakes118.exe | explorer.exe
PID 2944 wrote to memory of 2784 | 2944 | 3cb77d150322e6eff418c2a9de93434c_JaffaCakes118.exe | explorer.exe
PID 2944 wrote to memory of 2784 | 2944 | 3cb77d150322e6eff418c2a9de93434c_JaffaCakes118.exe | explorer.exe
PID 2944 wrote to memory of 2800 | 2944 | 3cb77d150322e6eff418c2a9de93434c_JaffaCakes118.exe | explorer.exe
PID 2944 wrote to memory of 2800 | 2944 | 3cb77d150322e6eff418c2a9de93434c_JaffaCakes118.exe | explorer.exe
PID 2944 wrote to memory of 2800 | 2944 | 3cb77d150322e6eff418c2a9de93434c_JaffaCakes118.exe | explorer.exe
PID 2944 wrote to memory of 2800 | 2944 | 3cb77d150322e6eff418c2a9de93434c_JaffaCakes118.exe | explorer.exe
PID 2944 wrote to memory of 2708 | 2944 | 3cb77d150322e6eff418c2a9de93434c_JaffaCakes118.exe | explorer.exe
PID 2944 wrote to memory of 2708 | 2944 | 3cb77d150322e6eff418c2a9de93434c_JaffaCakes118.exe | explorer.exe
PID 2944 wrote to memory of 2708 | 2944 | 3cb77d150322e6eff418c2a9de93434c_JaffaCakes118.exe | explorer.exe
PID 2944 wrote to memory of 2708 | 2944 | 3cb77d150322e6eff418c2a9de93434c_JaffaCakes118.exe | explorer.exe
PID 2944 wrote to memory of 2660 | 2944 | 3cb77d150322e6eff418c2a9de93434c_JaffaCakes118.exe | explorer.exe
PID 2944 wrote to memory of 2660 | 2944 | 3cb77d150322e6eff418c2a9de93434c_JaffaCakes118.exe | explorer.exe
PID 2944 wrote to memory of 2660 | 2944 | 3cb77d150322e6eff418c2a9de93434c_JaffaCakes118.exe | explorer.exe
PID 2944 wrote to memory of 2660 | 2944 | 3cb77d150322e6eff418c2a9de93434c_JaffaCakes118.exe | explorer.exe
PID 2944 wrote to memory of 2628 | 2944 | 3cb77d150322e6eff418c2a9de93434c_JaffaCakes118.exe | explorer.exe
PID 2944 wrote to memory of 2628 | 2944 | 3cb77d150322e6eff418c2a9de93434c_JaffaCakes118.exe | explorer.exe
PID 2944 wrote to memory of 2628 | 2944 | 3cb77d150322e6eff418c2a9de93434c_JaffaCakes118.exe | explorer.exe
PID 2944 wrote to memory of 2628 | 2944 | 3cb77d150322e6eff418c2a9de93434c_JaffaCakes118.exe | explorer.exe
Processes
C:\Users\Admin\AppData\Local\Temp\3cb77d150322e6eff418c2a9de93434c_JaffaCakes118.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\3cb77d150322e6eff418c2a9de93434c_JaffaCakes118.exe"
  PID: 2944
  - Boot or Logon Autostart Execution: Active Setup
  - Drops file in Windows directory
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  Child processes:
    C:\Windows\SysWOW64\svchost.exe (command line: svchost.exe), PID: 2312
    C:\Windows\SysWOW64\explorer.exe (command line: explorer.exe), PID: 2456
    C:\Windows\SysWOW64\explorer.exe (command line: explorer.exe), PID: 3052
    C:\Windows\SysWOW64\explorer.exe (command line: explorer.exe), PID: 2128
    C:\Windows\SysWOW64\explorer.exe (command line: explorer.exe), PID: 2608
    C:\Windows\SysWOW64\explorer.exe (command line: explorer.exe), PID: 2612
    C:\Windows\SysWOW64\explorer.exe (command line: explorer.exe), PID: 2900
    C:\Windows\SysWOW64\explorer.exe (command line: explorer.exe), PID: 2716
    C:\Windows\SysWOW64\explorer.exe (command line: explorer.exe), PID: 2712
    C:\Windows\SysWOW64\explorer.exe (command line: explorer.exe), PID: 2748
    C:\Windows\SysWOW64\explorer.exe (command line: explorer.exe), PID: 2784
    C:\Windows\SysWOW64\explorer.exe (command line: explorer.exe), PID: 2800
    C:\Windows\SysWOW64\explorer.exe (command line: explorer.exe), PID: 2708
    C:\Windows\SysWOW64\explorer.exe (command line: explorer.exe), PID: 2660
    C:\Windows\SysWOW64\explorer.exe (command line: explorer.exe), PID: 2628