Analysis
- max time kernel: 149s
- max time network: 126s
- platform: windows7_x64
- resource: win7-20240705-en
- resource tags: arch:x64, arch:x86, image:win7-20240705-en, locale:en-us, os:windows7-x64, system
- submitted: 17-07-2024 14:23
Static task: static1
Behavioral task: behavioral1
- Sample: 53619927cf67acf49e20eace6ff246eb_JaffaCakes118.exe
- Resource: win7-20240705-en
Behavioral task: behavioral2
- Sample: 53619927cf67acf49e20eace6ff246eb_JaffaCakes118.exe
- Resource: win10v2004-20240709-en
General
- Target: 53619927cf67acf49e20eace6ff246eb_JaffaCakes118.exe
- Size: 88KB
- MD5: 53619927cf67acf49e20eace6ff246eb
- SHA1: ad440daa78e96b7c2497960bcfb73134405abe11
- SHA256: ccfab06fdcc0737b61bca457962004418ed83a41b04be97feae36f4ff4968acd
- SHA512: 409b6984ead918bfe39ba0d5d82d3d6a9ac46251622c9c2cc49e2052b399da544ca70ebd134dc6c05248f999912af4af377f3c3d6892d1fbc09fcfe930cb7a05
- SSDEEP: 768:YzFJMpPMuijtHf5g7/IIG3bGcYDBSvFIWuePQtv66l2tz7vM+Yvl2yKHJTvP24O3:IYpkNW71rcYDAWeotvXlc3tFyOe4O3
Malware Config
Extracted
- Family: xtremerat
- C2: ahmad111.no-ip.biz
Signatures
- Detect XtremeRAT payload (2 IoCs)
  Processes (resource / yara_rule):
  - behavioral1/memory/2668-59-0x0000000010000000-0x000000001004D000-memory.dmp: family_xtremerat
  - behavioral1/memory/2660-60-0x0000000010000000-0x000000001004D000-memory.dmp: family_xtremerat
- XtremeRAT
  XtremeRAT was developed by xtremecoder, has been available since at least 2010, and is written in Delphi.
- Executes dropped EXE (2 IoCs)
  Processes (pid / process):
  - 2872 q11.exe
  - 2660 q11 (2).exe
- Loads dropped DLL (9 IoCs)
  Processes (pid / process):
  - 2556 53619927cf67acf49e20eace6ff246eb_JaffaCakes118.exe (5 entries)
  - 2872 q11.exe (4 entries)
- UPX-matched resources (resource / yara_rule):
  - behavioral1/files/0x0007000000016c4e-40.dat: upx
  - behavioral1/memory/2660-56-0x0000000010000000-0x000000001004D000-memory.dmp: upx
  - behavioral1/memory/2668-59-0x0000000010000000-0x000000001004D000-memory.dmp: upx
  - behavioral1/memory/2660-60-0x0000000010000000-0x000000001004D000-memory.dmp: upx
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s).
- Suspicious use of SetWindowsHookEx (2 IoCs)
  Processes (pid / process):
  - 2556 53619927cf67acf49e20eace6ff246eb_JaffaCakes118.exe
  - 2872 q11.exe
- Suspicious use of WriteProcessMemory (18 IoCs)
  Processes (description / pid / process / procid_target):
  - PID 2556 wrote to memory of 2872 / 2556 / 53619927cf67acf49e20eace6ff246eb_JaffaCakes118.exe / 30 (4 entries)
  - PID 2872 wrote to memory of 2660 / 2872 / q11.exe / 31 (4 entries)
  - PID 2660 wrote to memory of 2668 / 2660 / q11 (2).exe / 32 (5 entries)
  - PID 2660 wrote to memory of 1628 / 2660 / q11 (2).exe / 33 (5 entries)
Processes
- C:\Users\Admin\AppData\Local\Temp\53619927cf67acf49e20eace6ff246eb_JaffaCakes118.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\53619927cf67acf49e20eace6ff246eb_JaffaCakes118.exe"
  PID: 2556
  - Loads dropped DLL
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\q11.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\q11.exe"
    PID: 2872
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    - C:\Users\Admin\AppData\Local\Temp\q11 (2).exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\q11 (2).exe"
      PID: 2660
      - Executes dropped EXE
      - Suspicious use of WriteProcessMemory
      - C:\Windows\SysWOW64\svchost.exe
        Command line: svchost.exe
        PID: 2668
      - C:\Program Files\Internet Explorer\iexplore.exe
        Command line: "C:\Program Files\Internet Explorer\iexplore.exe"
        PID: 1628
Downloads
- File 1
  - Filesize: 56KB
  - MD5: 5c9771003b235be2c59a2a494c3126ab
  - SHA1: be2503e7c7d14525b9a20a84070182fd4a93a6be
  - SHA256: d5b379d663e2e645f429a349fa9014a7235a7e83e02e1910372507dc3a945419
  - SHA512: 99c7b5a0ac001e986d862ac7c580a679ed82588c2487612032a60a7f858b919e8027a398e3d54e6b9df536606fed5e41325ed4a34fa195c2733f1c61d1673f38
- File 2
  - Filesize: 33KB
  - MD5: 42c33e8e628ba71f0c56ba3a3ebe584f
  - SHA1: 0abe619d1a5237e8edbd3da6d60aba9bb98a34aa
  - SHA256: 419cadc67eee5ccf429e734a7217fc37a18e741fd29233a9bd3c512c1e4e799f
  - SHA512: 018543c476302fdfb7ec54c2175bec50667cd684783a5bfc0526c1ebbaf13258535b44eae134c1bc92d676bc9a58783092e06d82b6c70c216c01b47adbaac8ff