Overview

overview

10

Static

static

5

4a12be812c...18.exe

windows7-x64

10

4a12be812c...18.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    146s
  • max time network
    149s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240709-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240709-enlocale:en-usos:windows10-2004-x64system
  • submitted
    15-07-2024 14:30

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    4a12be812cd0675296bd5846528b5dac_JaffaCakes118.exe

  • Size

    3.7MB

  • MD5

    4a12be812cd0675296bd5846528b5dac

  • SHA1

    e1609ddc6315ec0f28b088ff0cd7fd21faa83834

  • SHA256

    96bd83c30943e45b4bfd457aecccbc05f041f897da86340d5be89280d50c486e

  • SHA512

    1f5f51f3522daab1feae6f8e97a58dfb41463ca03bbba689c2ce1569a04ac9d6445cd9624792d263484f8aa5077b22ae6899a2cdd36cdcb7d5e016b7b607cf66

  • SSDEEP

    24576:lAHnh+eWsN3skA4RV1Hom2KXMmHa0ifaOza5Gmuk0eJSKTXyxcdgdfQCdaQ6+RRE:Uh+ZkldoPK8Ya055

Score
10/10
isrstealerxtremeratcollectionpersistenceratspywarestealertrojanupx

Malware Config

Extracted

Family

xtremerat

C2

dferwest.net

Signatures

  • Detect XtremeRAT payload 6 IoCs
  • ISR Stealer

    ISR Stealer is a modified version of Hackhound Stealer written in visual basic.

    trojanstealerisrstealer
  • ISR Stealer payload 2 IoCs
  • XtremeRAT

    The XtremeRAT was developed by xtremecoder and has been available since at least 2010, and written in Delphi.

    persistencespywareratxtremerat
  • Detected Nirsoft tools 1 IoCs

    Free utilities often used by attackers which can steal passwords, product keys, etc.

  • NirSoft MailPassView 1 IoCs

    Password recovery tool for various email clients

  • Boot or Logon Autostart Execution: Active Setup 2 TTPs 2 IoCs

    Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

    persistence
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 4 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • UPX packed file 6 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

    upx
  • Accesses Microsoft Outlook accounts 1 TTPs 1 IoCs
    collection
  • Adds Run key to start application 2 TTPs 2 IoCs
    persistence
  • AutoIT Executable 1 IoCs

    AutoIT scripts compiled to PE executables.

  • Suspicious use of SetThreadContext 4 IoCs
  • Drops file in Windows directory 3 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious use of FindShellTrayWindow 6 IoCs
  • Suspicious use of SendNotifyMessage 6 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 58 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\4a12be812cd0675296bd5846528b5dac_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\4a12be812cd0675296bd5846528b5dac_JaffaCakes118.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    • Suspicious use of WriteProcessMemory
    PID:1032
    • C:\Users\Admin\AppData\Local\Temp\4a12be812cd0675296bd5846528b5dac_JaffaCakes118.exe
      "C:\Users\Admin\AppData\Local\Temp\4a12be812cd0675296bd5846528b5dac_JaffaCakes118.exe"
      2⤵
      • Boot or Logon Autostart Execution: Active Setup
      • Checks computer location settings
      • Adds Run key to start application
      • Drops file in Windows directory
      • Suspicious use of WriteProcessMemory
      PID:2404
      • C:\Windows\SysWOW64\svchost.exe
        svchost.exe
        3⤵
          PID:4292
        • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
          "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
          3⤵
            PID:2044
          • C:\Windows\SysWOW64\explorer.exe
            explorer.exe
            3⤵
              PID:4316
            • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
              "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
              3⤵
                PID:2364
              • C:\Windows\SysWOW64\explorer.exe
                explorer.exe
                3⤵
                  PID:1264
                • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
                  3⤵
                    PID:4992
                  • C:\Windows\SysWOW64\explorer.exe
                    explorer.exe
                    3⤵
                      PID:2028
                    • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
                      3⤵
                        PID:4732
                      • C:\Windows\SysWOW64\explorer.exe
                        explorer.exe
                        3⤵
                          PID:2144
                        • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                          "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
                          3⤵
                            PID:2520
                          • C:\Windows\SysWOW64\explorer.exe
                            explorer.exe
                            3⤵
                            • Suspicious use of SetWindowsHookEx
                            PID:2296
                          • C:\Users\Admin\AppData\Local\Temp\476ysdew.exe
                            "C:\Users\Admin\AppData\Local\Temp\476ysdew.exe"
                            3⤵
                            • Executes dropped EXE
                            • Suspicious use of SetThreadContext
                            • Suspicious use of FindShellTrayWindow
                            • Suspicious use of SendNotifyMessage
                            • Suspicious use of WriteProcessMemory
                            PID:2544
                            • C:\Users\Admin\AppData\Local\Temp\476ysdew.exe
                              "C:\Users\Admin\AppData\Local\Temp\476ysdew.exe"
                              4⤵
                              • Executes dropped EXE
                              • Suspicious use of SetThreadContext
                              • Suspicious use of SetWindowsHookEx
                              • Suspicious use of WriteProcessMemory
                              PID:1180
                              • C:\Users\Admin\AppData\Local\Temp\476ysdew.exe
                                /scomma "C:\Users\Admin\AppData\Local\Temp\BDlaN8fA35.ini"
                                5⤵
                                • Executes dropped EXE
                                PID:4780
                              • C:\Users\Admin\AppData\Local\Temp\476ysdew.exe
                                /scomma "C:\Users\Admin\AppData\Local\Temp\EfDvyhX0rv.ini"
                                5⤵
                                • Executes dropped EXE
                                • Accesses Microsoft Outlook accounts
                                PID:1900

                      Network

                      MITRE ATT&CK Enterprise v15

                      Replay Monitor

                      Loading Replay Monitor...

                      Downloads

                      • C:\Users\Admin\AppData\Local\Temp\476ysdew.exe
                        Filesize

                        1.4MB

                        MD5

                        16999cb991e710ce52bb229edcbb08e6

                        SHA1

                        25cc4dd8bd104a9f2e173b4d04a49d4da5971a78

                        SHA256

                        9985be36ed003ca85d3ac687251d7e00294d60d3afd2ad521cffa8c41ce1f048

                        SHA512

                        4218ba5e7dc8c2e486f8d82e4ba9101c210395616f2f649577d92557247673eb497014e3b28ee335ea1e36d66c3089dbc1e70f3e6bad167a1c40c3a0288b19d6

                        Download Submit

                      • C:\Users\Admin\AppData\Local\Temp\BDlaN8fA35.ini
                        Filesize

                        5B

                        MD5

                        d1ea279fb5559c020a1b4137dc4de237

                        SHA1

                        db6f8988af46b56216a6f0daf95ab8c9bdb57400

                        SHA256

                        fcdcc2c46896915a1c695d6231f0fee336a668531b7a3da46178c80362546dba

                        SHA512

                        720e9c284f0559015312df7fe977563e5e16f48d3506e51eb4016adf7971924d352f740b030aa3adc81b6f65fd1dba12df06d10fa6c115074e5097e7ee0f08b3

                        Download Submit

                      • memory/1032-2-0x0000000002750000-0x0000000002751000-memory.dmp

                        Filesize

                        4KB

                        Download

                      • memory/1180-35-0x0000000000400000-0x0000000000442000-memory.dmp

                        Filesize

                        264KB

                        Download

                      • memory/1180-40-0x0000000000400000-0x0000000000442000-memory.dmp

                        Filesize

                        264KB

                        Download

                      • memory/1900-52-0x0000000000400000-0x000000000041F000-memory.dmp

                        Filesize

                        124KB

                        Download

                      • memory/1900-51-0x0000000000400000-0x000000000041F000-memory.dmp

                        Filesize

                        124KB

                        Download

                      • memory/1900-49-0x0000000000400000-0x000000000041F000-memory.dmp

                        Filesize

                        124KB

                        Download

                      • memory/2296-19-0x0000000000C80000-0x0000000000DFA000-memory.dmp

                        Filesize

                        1.5MB

                        Download

                      • memory/2296-22-0x0000000000C80000-0x0000000000DFA000-memory.dmp

                        Filesize

                        1.5MB

                        Download

                      • memory/2296-20-0x0000000000C80000-0x0000000000DFA000-memory.dmp

                        Filesize

                        1.5MB

                        Download

                      • memory/2404-0-0x0000000000C80000-0x0000000000DFA000-memory.dmp

                        Filesize

                        1.5MB

                        Download

                      • memory/2404-12-0x0000000000C80000-0x0000000000DFA000-memory.dmp

                        Filesize

                        1.5MB

                        Download

                      • memory/2404-11-0x0000000000C80000-0x0000000000DFA000-memory.dmp

                        Filesize

                        1.5MB

                        Download

                      • memory/4780-43-0x0000000000400000-0x0000000000453000-memory.dmp

                        Filesize

                        332KB

                        Download

                      • memory/4780-46-0x0000000000400000-0x0000000000453000-memory.dmp

                        Filesize

                        332KB

                        Download

                      • memory/4780-45-0x0000000000400000-0x0000000000453000-memory.dmp

                        Filesize

                        332KB

                        Download