Analysis
max time kernel: 149s
max time network: 149s
platform: windows10-2004_x64
resource: win10v2004-20240709-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240709-en, locale:en-us, os:windows10-2004-x64, system
submitted: 12-07-2024 08:52
Static task: static1
Behavioral task: behavioral1
  Sample: 3cb77d150322e6eff418c2a9de93434c_JaffaCakes118.exe
  Resource: win7-20240705-en
Behavioral task: behavioral2
  Sample: 3cb77d150322e6eff418c2a9de93434c_JaffaCakes118.exe
  Resource: win10v2004-20240709-en
General
Target: 3cb77d150322e6eff418c2a9de93434c_JaffaCakes118.exe
Size: 130KB
MD5: 3cb77d150322e6eff418c2a9de93434c
SHA1: dea7693e530c3ba5a40e90ebedf2200e12ad6e83
SHA256: d78cd4e79e26eba296f9ee7fd9ca872dd5d948d12ee4aaa6f9484f725c6b4ef0
SHA512: 3fdf3539a9057038c78ae2b0188226625494fab84c9c119a0e6daa33cb81f2bf3269bdeb06609fa344a7f94871ef459217f0abec455a35dbef96240923dc131b
SSDEEP: 3072:Xj9DWdxkKdDN336MdMfLir4N336MdMfLir5omn9Uv41cxTl2G:XRWRqqULiryqqULir5w+Q
Malware Config
Extracted
xtremerat
medoo.no-ip.org
Signatures
Detect XtremeRAT payload (30 IoCs)
resource | yara_rule
behavioral2/memory/4068-4-0x0000000000C80000-0x0000000000CBD000-memory.dmp | family_xtremerat
behavioral2/memory/2176-6-0x0000000000C80000-0x0000000000CBD000-memory.dmp | family_xtremerat
behavioral2/memory/3980-8-0x0000000000C80000-0x0000000000CBD000-memory.dmp | family_xtremerat
behavioral2/memory/648-10-0x0000000000C80000-0x0000000000CBD000-memory.dmp | family_xtremerat
behavioral2/memory/3104-12-0x0000000000C80000-0x0000000000CBD000-memory.dmp | family_xtremerat
behavioral2/memory/904-14-0x0000000000C80000-0x0000000000CBD000-memory.dmp | family_xtremerat
behavioral2/memory/4460-16-0x0000000000C80000-0x0000000000CBD000-memory.dmp | family_xtremerat
behavioral2/memory/3620-18-0x0000000000C80000-0x0000000000CBD000-memory.dmp | family_xtremerat
behavioral2/memory/4764-28-0x0000000000C80000-0x0000000000CBD000-memory.dmp | family_xtremerat
behavioral2/memory/4304-32-0x0000000000C80000-0x0000000000CBD000-memory.dmp | family_xtremerat
behavioral2/memory/1116-34-0x0000000000C80000-0x0000000000CBD000-memory.dmp | family_xtremerat
behavioral2/memory/1592-36-0x0000000000C80000-0x0000000000CBD000-memory.dmp | family_xtremerat
behavioral2/memory/3944-38-0x0000000000C80000-0x0000000000CBD000-memory.dmp | family_xtremerat
behavioral2/memory/816-40-0x0000000000C80000-0x0000000000CBD000-memory.dmp | family_xtremerat
behavioral2/memory/1432-42-0x0000000000C80000-0x0000000000CBD000-memory.dmp | family_xtremerat
behavioral2/memory/4872-46-0x0000000000C80000-0x0000000000CBD000-memory.dmp | family_xtremerat
behavioral2/memory/3220-51-0x0000000000C80000-0x0000000000CBD000-memory.dmp | family_xtremerat
behavioral2/memory/3480-53-0x0000000000C80000-0x0000000000CBD000-memory.dmp | family_xtremerat
behavioral2/memory/4892-55-0x0000000000C80000-0x0000000000CBD000-memory.dmp | family_xtremerat
behavioral2/memory/3156-57-0x0000000000C80000-0x0000000000CBD000-memory.dmp | family_xtremerat
behavioral2/memory/1224-59-0x0000000000C80000-0x0000000000CBD000-memory.dmp | family_xtremerat
behavioral2/memory/3052-61-0x0000000000C80000-0x0000000000CBD000-memory.dmp | family_xtremerat
behavioral2/memory/2076-63-0x0000000000C80000-0x0000000000CBD000-memory.dmp | family_xtremerat
behavioral2/memory/2320-67-0x0000000000C80000-0x0000000000CBD000-memory.dmp | family_xtremerat
behavioral2/memory/2808-72-0x0000000000C80000-0x0000000000CBD000-memory.dmp | family_xtremerat
behavioral2/memory/1452-74-0x0000000000C80000-0x0000000000CBD000-memory.dmp | family_xtremerat
behavioral2/memory/2736-76-0x0000000000C80000-0x0000000000CBD000-memory.dmp | family_xtremerat
behavioral2/memory/3800-78-0x0000000000C80000-0x0000000000CBD000-memory.dmp | family_xtremerat
behavioral2/memory/3332-80-0x0000000000C80000-0x0000000000CBD000-memory.dmp | family_xtremerat
behavioral2/memory/1688-83-0x0000000000C80000-0x0000000000CBD000-memory.dmp | family_xtremerat
XtremeRAT
XtremeRAT was developed by xtremecoder, is written in Delphi, and has been available since at least 2010.
Boot or Logon Autostart Execution: Active Setup (2 TTPs, 8 IoCs)
Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.
description | ioc | process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{H6OHF7S2-4BO3-380R-MPHO-BQGOB7642818}\StubPath = "C:\\Windows\\InstallDir\\Server.exe restart" | Server.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{H6OHF7S2-4BO3-380R-MPHO-BQGOB7642818} | 3cb77d150322e6eff418c2a9de93434c_JaffaCakes118.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{H6OHF7S2-4BO3-380R-MPHO-BQGOB7642818}\StubPath = "C:\\Windows\\InstallDir\\Server.exe restart" | 3cb77d150322e6eff418c2a9de93434c_JaffaCakes118.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{H6OHF7S2-4BO3-380R-MPHO-BQGOB7642818} | Server.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{H6OHF7S2-4BO3-380R-MPHO-BQGOB7642818}\StubPath = "C:\\Windows\\InstallDir\\Server.exe restart" | Server.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{H6OHF7S2-4BO3-380R-MPHO-BQGOB7642818} | Server.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{H6OHF7S2-4BO3-380R-MPHO-BQGOB7642818}\StubPath = "C:\\Windows\\InstallDir\\Server.exe restart" | Server.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{H6OHF7S2-4BO3-380R-MPHO-BQGOB7642818} | Server.exe
Checks computer location settings (2 TTPs, 3 IoCs)
Looks up the country code configured in the registry, likely a geofence.
description | ioc | process
Key value queried | \REGISTRY\USER\S-1-5-21-701583114-2636601053-947405450-1000\Control Panel\International\Geo\Nation | Server.exe
Key value queried | \REGISTRY\USER\S-1-5-21-701583114-2636601053-947405450-1000\Control Panel\International\Geo\Nation | Server.exe
Key value queried | \REGISTRY\USER\S-1-5-21-701583114-2636601053-947405450-1000\Control Panel\International\Geo\Nation | 3cb77d150322e6eff418c2a9de93434c_JaffaCakes118.exe
Executes dropped EXE (3 IoCs)
pid | process
4872 | Server.exe
2320 | Server.exe
1688 | Server.exe
Drops file in Windows directory (2 IoCs)
description | ioc | process
File opened for modification | C:\Windows\InstallDir\Server.exe | 3cb77d150322e6eff418c2a9de93434c_JaffaCakes118.exe
File created | C:\Windows\InstallDir\Server.exe | 3cb77d150322e6eff418c2a9de93434c_JaffaCakes118.exe
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).
Suspicious use of SetWindowsHookEx (1 IoC)
pid | process
1688 | Server.exe
Suspicious use of WriteProcessMemory (64 IoCs)
description | pid | process | target process
PID 4764 wrote to memory of 4068 | 4764 | 3cb77d150322e6eff418c2a9de93434c_JaffaCakes118.exe | svchost.exe
PID 4764 wrote to memory of 4068 | 4764 | 3cb77d150322e6eff418c2a9de93434c_JaffaCakes118.exe | svchost.exe
PID 4764 wrote to memory of 4068 | 4764 | 3cb77d150322e6eff418c2a9de93434c_JaffaCakes118.exe | svchost.exe
PID 4764 wrote to memory of 4068 | 4764 | 3cb77d150322e6eff418c2a9de93434c_JaffaCakes118.exe | svchost.exe
PID 4764 wrote to memory of 2176 | 4764 | 3cb77d150322e6eff418c2a9de93434c_JaffaCakes118.exe | explorer.exe
PID 4764 wrote to memory of 2176 | 4764 | 3cb77d150322e6eff418c2a9de93434c_JaffaCakes118.exe | explorer.exe
PID 4764 wrote to memory of 2176 | 4764 | 3cb77d150322e6eff418c2a9de93434c_JaffaCakes118.exe | explorer.exe
PID 4764 wrote to memory of 2176 | 4764 | 3cb77d150322e6eff418c2a9de93434c_JaffaCakes118.exe | explorer.exe
PID 4764 wrote to memory of 3980 | 4764 | 3cb77d150322e6eff418c2a9de93434c_JaffaCakes118.exe | explorer.exe
PID 4764 wrote to memory of 3980 | 4764 | 3cb77d150322e6eff418c2a9de93434c_JaffaCakes118.exe | explorer.exe
PID 4764 wrote to memory of 3980 | 4764 | 3cb77d150322e6eff418c2a9de93434c_JaffaCakes118.exe | explorer.exe
PID 4764 wrote to memory of 3980 | 4764 | 3cb77d150322e6eff418c2a9de93434c_JaffaCakes118.exe | explorer.exe
PID 4764 wrote to memory of 648 | 4764 | 3cb77d150322e6eff418c2a9de93434c_JaffaCakes118.exe | explorer.exe
PID 4764 wrote to memory of 648 | 4764 | 3cb77d150322e6eff418c2a9de93434c_JaffaCakes118.exe | explorer.exe
PID 4764 wrote to memory of 648 | 4764 | 3cb77d150322e6eff418c2a9de93434c_JaffaCakes118.exe | explorer.exe
PID 4764 wrote to memory of 648 | 4764 | 3cb77d150322e6eff418c2a9de93434c_JaffaCakes118.exe | explorer.exe
PID 4764 wrote to memory of 3104 | 4764 | 3cb77d150322e6eff418c2a9de93434c_JaffaCakes118.exe | explorer.exe
PID 4764 wrote to memory of 3104 | 4764 | 3cb77d150322e6eff418c2a9de93434c_JaffaCakes118.exe | explorer.exe
PID 4764 wrote to memory of 3104 | 4764 | 3cb77d150322e6eff418c2a9de93434c_JaffaCakes118.exe | explorer.exe
PID 4764 wrote to memory of 3104 | 4764 | 3cb77d150322e6eff418c2a9de93434c_JaffaCakes118.exe | explorer.exe
PID 4764 wrote to memory of 904 | 4764 | 3cb77d150322e6eff418c2a9de93434c_JaffaCakes118.exe | explorer.exe
PID 4764 wrote to memory of 904 | 4764 | 3cb77d150322e6eff418c2a9de93434c_JaffaCakes118.exe | explorer.exe
PID 4764 wrote to memory of 904 | 4764 | 3cb77d150322e6eff418c2a9de93434c_JaffaCakes118.exe | explorer.exe
PID 4764 wrote to memory of 904 | 4764 | 3cb77d150322e6eff418c2a9de93434c_JaffaCakes118.exe | explorer.exe
PID 4764 wrote to memory of 4460 | 4764 | 3cb77d150322e6eff418c2a9de93434c_JaffaCakes118.exe | explorer.exe
PID 4764 wrote to memory of 4460 | 4764 | 3cb77d150322e6eff418c2a9de93434c_JaffaCakes118.exe | explorer.exe
PID 4764 wrote to memory of 4460 | 4764 | 3cb77d150322e6eff418c2a9de93434c_JaffaCakes118.exe | explorer.exe
PID 4764 wrote to memory of 4460 | 4764 | 3cb77d150322e6eff418c2a9de93434c_JaffaCakes118.exe | explorer.exe
PID 4764 wrote to memory of 3620 | 4764 | 3cb77d150322e6eff418c2a9de93434c_JaffaCakes118.exe | explorer.exe
PID 4764 wrote to memory of 3620 | 4764 | 3cb77d150322e6eff418c2a9de93434c_JaffaCakes118.exe | explorer.exe
PID 4764 wrote to memory of 3620 | 4764 | 3cb77d150322e6eff418c2a9de93434c_JaffaCakes118.exe | explorer.exe
PID 4764 wrote to memory of 3620 | 4764 | 3cb77d150322e6eff418c2a9de93434c_JaffaCakes118.exe | explorer.exe
PID 4764 wrote to memory of 2044 | 4764 | 3cb77d150322e6eff418c2a9de93434c_JaffaCakes118.exe | explorer.exe
PID 4764 wrote to memory of 2044 | 4764 | 3cb77d150322e6eff418c2a9de93434c_JaffaCakes118.exe | explorer.exe
PID 4764 wrote to memory of 2044 | 4764 | 3cb77d150322e6eff418c2a9de93434c_JaffaCakes118.exe | explorer.exe
PID 4764 wrote to memory of 4872 | 4764 | 3cb77d150322e6eff418c2a9de93434c_JaffaCakes118.exe | Server.exe
PID 4764 wrote to memory of 4872 | 4764 | 3cb77d150322e6eff418c2a9de93434c_JaffaCakes118.exe | Server.exe
PID 4764 wrote to memory of 4872 | 4764 | 3cb77d150322e6eff418c2a9de93434c_JaffaCakes118.exe | Server.exe
PID 4872 wrote to memory of 3200 | 4872 | Server.exe | svchost.exe
PID 4872 wrote to memory of 3200 | 4872 | Server.exe | svchost.exe
PID 4872 wrote to memory of 3200 | 4872 | Server.exe | svchost.exe
PID 4872 wrote to memory of 4304 | 4872 | Server.exe | explorer.exe
PID 4872 wrote to memory of 4304 | 4872 | Server.exe | explorer.exe
PID 4872 wrote to memory of 4304 | 4872 | Server.exe | explorer.exe
PID 4872 wrote to memory of 4304 | 4872 | Server.exe | explorer.exe
PID 4872 wrote to memory of 1116 | 4872 | Server.exe | explorer.exe
PID 4872 wrote to memory of 1116 | 4872 | Server.exe | explorer.exe
PID 4872 wrote to memory of 1116 | 4872 | Server.exe | explorer.exe
PID 4872 wrote to memory of 1116 | 4872 | Server.exe | explorer.exe
PID 4872 wrote to memory of 1188 | 4872 | Server.exe | explorer.exe
PID 4872 wrote to memory of 1188 | 4872 | Server.exe | explorer.exe
PID 4872 wrote to memory of 1188 | 4872 | Server.exe | explorer.exe
PID 4872 wrote to memory of 4560 | 4872 | Server.exe | explorer.exe
PID 4872 wrote to memory of 4560 | 4872 | Server.exe | explorer.exe
PID 4872 wrote to memory of 4560 | 4872 | Server.exe | explorer.exe
PID 4872 wrote to memory of 1592 | 4872 | Server.exe | explorer.exe
PID 4872 wrote to memory of 1592 | 4872 | Server.exe | explorer.exe
PID 4872 wrote to memory of 1592 | 4872 | Server.exe | explorer.exe
PID 4872 wrote to memory of 1592 | 4872 | Server.exe | explorer.exe
PID 4872 wrote to memory of 3944 | 4872 | Server.exe | explorer.exe
PID 4872 wrote to memory of 3944 | 4872 | Server.exe | explorer.exe
PID 4872 wrote to memory of 3944 | 4872 | Server.exe | explorer.exe
PID 4872 wrote to memory of 3944 | 4872 | Server.exe | explorer.exe
PID 4872 wrote to memory of 816 | 4872 | Server.exe | explorer.exe
Processes
(indentation shows process depth; the original tree numbers depth 1 to 5)
C:\Users\Admin\AppData\Local\Temp\3cb77d150322e6eff418c2a9de93434c_JaffaCakes118.exe  PID:4764
  command line: "C:\Users\Admin\AppData\Local\Temp\3cb77d150322e6eff418c2a9de93434c_JaffaCakes118.exe"
  - Boot or Logon Autostart Execution: Active Setup
  - Checks computer location settings
  - Drops file in Windows directory
  - Suspicious use of WriteProcessMemory
  C:\Windows\SysWOW64\svchost.exe  PID:4068  command line: svchost.exe
  C:\Windows\SysWOW64\explorer.exe  PID:2176  command line: explorer.exe
  C:\Windows\SysWOW64\explorer.exe  PID:3980  command line: explorer.exe
  C:\Windows\SysWOW64\explorer.exe  PID:648  command line: explorer.exe
  C:\Windows\SysWOW64\explorer.exe  PID:3104  command line: explorer.exe
  C:\Windows\SysWOW64\explorer.exe  PID:904  command line: explorer.exe
  C:\Windows\SysWOW64\explorer.exe  PID:4460  command line: explorer.exe
  C:\Windows\SysWOW64\explorer.exe  PID:3620  command line: explorer.exe
  C:\Windows\SysWOW64\explorer.exe  PID:2044  command line: explorer.exe
  C:\Windows\InstallDir\Server.exe  PID:4872
    command line: "C:\Windows\InstallDir\Server.exe"
    - Boot or Logon Autostart Execution: Active Setup
    - Checks computer location settings
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    C:\Windows\SysWOW64\svchost.exe  PID:3200  command line: svchost.exe
    C:\Windows\SysWOW64\explorer.exe  PID:4304  command line: explorer.exe
    C:\Windows\SysWOW64\explorer.exe  PID:1116  command line: explorer.exe
    C:\Windows\SysWOW64\explorer.exe  PID:1188  command line: explorer.exe
    C:\Windows\SysWOW64\explorer.exe  PID:4560  command line: explorer.exe
    C:\Windows\SysWOW64\explorer.exe  PID:1592  command line: explorer.exe
    C:\Windows\SysWOW64\explorer.exe  PID:3944  command line: explorer.exe
    C:\Windows\SysWOW64\explorer.exe  PID:816  command line: explorer.exe
    C:\Windows\SysWOW64\explorer.exe  PID:1432  command line: explorer.exe
    C:\Windows\SysWOW64\explorer.exe  PID:1772  command line: explorer.exe
    C:\Windows\InstallDir\Server.exe  PID:2320
      command line: "C:\Windows\InstallDir\Server.exe"
      - Boot or Logon Autostart Execution: Active Setup
      - Checks computer location settings
      - Executes dropped EXE
      C:\Windows\SysWOW64\svchost.exe  PID:3220  command line: svchost.exe
      C:\Windows\SysWOW64\explorer.exe  PID:3480  command line: explorer.exe
      C:\Windows\SysWOW64\explorer.exe  PID:4892  command line: explorer.exe
      C:\Windows\SysWOW64\explorer.exe  PID:3156  command line: explorer.exe
      C:\Windows\SysWOW64\explorer.exe  PID:1224  command line: explorer.exe
      C:\Windows\SysWOW64\explorer.exe  PID:1708  command line: explorer.exe
      C:\Windows\SysWOW64\explorer.exe  PID:1176  command line: explorer.exe
      C:\Windows\SysWOW64\explorer.exe  PID:3052  command line: explorer.exe
      C:\Windows\SysWOW64\explorer.exe  PID:2076  command line: explorer.exe
      C:\Windows\SysWOW64\explorer.exe  PID:1736  command line: explorer.exe
      C:\Windows\InstallDir\Server.exe  PID:1688
        command line: "C:\Windows\InstallDir\Server.exe"
        - Boot or Logon Autostart Execution: Active Setup
        - Executes dropped EXE
        - Suspicious use of SetWindowsHookEx
        C:\Windows\SysWOW64\svchost.exe  PID:2808  command line: svchost.exe
        C:\Windows\SysWOW64\explorer.exe  PID:1452  command line: explorer.exe
        C:\Windows\SysWOW64\explorer.exe  PID:4248  command line: explorer.exe
        C:\Windows\SysWOW64\explorer.exe  PID:4696  command line: explorer.exe
        C:\Windows\SysWOW64\explorer.exe  PID:2736  command line: explorer.exe
        C:\Windows\SysWOW64\explorer.exe  PID:3800  command line: explorer.exe
        C:\Windows\SysWOW64\explorer.exe  PID:4912  command line: explorer.exe
        C:\Windows\SysWOW64\explorer.exe  PID:2088  command line: explorer.exe
        C:\Windows\SysWOW64\explorer.exe  PID:3332  command line: explorer.exe
        C:\Windows\SysWOW64\explorer.exe  PID:3556  command line: explorer.exe
        C:\Windows\SysWOW64\explorer.exe  PID:4664  command line: explorer.exe
        C:\Windows\SysWOW64\explorer.exe  PID:3236  command line: explorer.exe
Network
MITRE ATT&CK Enterprise v15
Downloads
File 1
Filesize: 1KB
MD5: 82565a809e3a31a7fbdf980225991024
SHA1: 88c352ac70dae92176e8bfba9cc4af5c095014ff
SHA256: 036b902a2026d7ff7a02aa4832e5ba120c014522c3ef295b101a43a3882c1227
SHA512: dc5f278005c66bc846fd74abac17c3a3c0f852c927ca5a0f5f13d43df4f08ce1799b3ddd3d8863665b73b3fc65e8c7b1da9bdaa1328444889a3a82c8efed8109
File 2
Filesize: 130KB
MD5: 3cb77d150322e6eff418c2a9de93434c
SHA1: dea7693e530c3ba5a40e90ebedf2200e12ad6e83
SHA256: d78cd4e79e26eba296f9ee7fd9ca872dd5d948d12ee4aaa6f9484f725c6b4ef0
SHA512: 3fdf3539a9057038c78ae2b0188226625494fab84c9c119a0e6daa33cb81f2bf3269bdeb06609fa344a7f94871ef459217f0abec455a35dbef96240923dc131b