Analysis
max time kernel: 139s
max time network: 148s
platform: windows10-2004_x64
resource: win10v2004-20240709-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240709-en, locale:en-us, os:windows10-2004-x64, system
submitted: 17-07-2024 19:36
Static task: static1
Behavioral task: behavioral1
  Sample: 547846eaecf08317d469425b55f2e86a_JaffaCakes118.exe
  Resource: win7-20240704-en
Behavioral task: behavioral2
  Sample: 547846eaecf08317d469425b55f2e86a_JaffaCakes118.exe
  Resource: win10v2004-20240709-en
General
Target: 547846eaecf08317d469425b55f2e86a_JaffaCakes118.exe
Size: 66KB
MD5: 547846eaecf08317d469425b55f2e86a
SHA1: ad53ba5cbce1111d986db7eb2a275f2cabcb271d
SHA256: d6edda1ae2c1570dbdb4573f7bd22d430b0f4199f107584dff9ccfe6c101bdf1
SHA512: 1cb7e003ebb351604d711951a4d9c0fe7b8c7e42eb0e8c8730ec26a7d9f94b038edccdbe230cdc740387382708688087e94e2d5dacd32f0a80d984d46d44d9ec
SSDEEP: 1536:34eQxz5mSgaNBMx08WdoMdYwAP+dsAeCAn82erA:oLN0Z/q8lMSwAPAsAPASA
Malware Config
Extracted
Family: xtremerat
C2: memozzz.no-ip.org
Signatures

Detect XtremeRAT payload (4 IoCs)
yara_rule family_xtremerat matched in:
  behavioral2/memory/1664-19-0x0000000010000000-0x0000000010048000-memory.dmp
  behavioral2/memory/2480-20-0x0000000010000000-0x0000000010048000-memory.dmp
  behavioral2/memory/1812-21-0x0000000010000000-0x0000000010048000-memory.dmp
  behavioral2/memory/2480-24-0x0000000010000000-0x0000000010048000-memory.dmp

XtremeRAT
XtremeRAT was developed by xtremecoder, is written in Delphi, and has been available since at least 2010.

yara_rule upx matched in:
  behavioral2/memory/1664-13-0x0000000010000000-0x0000000010048000-memory.dmp
  behavioral2/memory/1664-18-0x0000000010000000-0x0000000010048000-memory.dmp
  behavioral2/memory/1664-19-0x0000000010000000-0x0000000010048000-memory.dmp
  behavioral2/memory/2480-20-0x0000000010000000-0x0000000010048000-memory.dmp
  behavioral2/memory/1812-21-0x0000000010000000-0x0000000010048000-memory.dmp
  behavioral2/memory/2480-24-0x0000000010000000-0x0000000010048000-memory.dmp

Suspicious use of SetThreadContext (2 IoCs)
description | pid | Process | procid_target
PID 2392 set thread context of 1728 | 2392 | 547846eaecf08317d469425b55f2e86a_JaffaCakes118.exe | 84
PID 1728 set thread context of 1664 | 1728 | 547846eaecf08317d469425b55f2e86a_JaffaCakes118.exe | 85

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).

Program crash (4 IoCs)
pid | pid_target | Process | procid_target
3064 | 1812 | WerFault.exe | 90
2456 | 2480 | WerFault.exe | 88
1512 | 1812 | WerFault.exe | 90
4176 | 2480 | WerFault.exe | 88

Suspicious use of SetWindowsHookEx (1 IoC)
pid | Process
1728 | 547846eaecf08317d469425b55f2e86a_JaffaCakes118.exe

Suspicious use of WriteProcessMemory (24 IoCs)
description | pid | Process | procid_target
PID 2392 wrote to memory of 1728 | 2392 | 547846eaecf08317d469425b55f2e86a_JaffaCakes118.exe | 84
PID 2392 wrote to memory of 1728 | 2392 | 547846eaecf08317d469425b55f2e86a_JaffaCakes118.exe | 84
PID 2392 wrote to memory of 1728 | 2392 | 547846eaecf08317d469425b55f2e86a_JaffaCakes118.exe | 84
PID 2392 wrote to memory of 1728 | 2392 | 547846eaecf08317d469425b55f2e86a_JaffaCakes118.exe | 84
PID 2392 wrote to memory of 1728 | 2392 | 547846eaecf08317d469425b55f2e86a_JaffaCakes118.exe | 84
PID 2392 wrote to memory of 1728 | 2392 | 547846eaecf08317d469425b55f2e86a_JaffaCakes118.exe | 84
PID 2392 wrote to memory of 1728 | 2392 | 547846eaecf08317d469425b55f2e86a_JaffaCakes118.exe | 84
PID 2392 wrote to memory of 1728 | 2392 | 547846eaecf08317d469425b55f2e86a_JaffaCakes118.exe | 84
PID 1728 wrote to memory of 1664 | 1728 | 547846eaecf08317d469425b55f2e86a_JaffaCakes118.exe | 85
PID 1728 wrote to memory of 1664 | 1728 | 547846eaecf08317d469425b55f2e86a_JaffaCakes118.exe | 85
PID 1728 wrote to memory of 1664 | 1728 | 547846eaecf08317d469425b55f2e86a_JaffaCakes118.exe | 85
PID 1728 wrote to memory of 1664 | 1728 | 547846eaecf08317d469425b55f2e86a_JaffaCakes118.exe | 85
PID 1728 wrote to memory of 1664 | 1728 | 547846eaecf08317d469425b55f2e86a_JaffaCakes118.exe | 85
PID 1728 wrote to memory of 1664 | 1728 | 547846eaecf08317d469425b55f2e86a_JaffaCakes118.exe | 85
PID 1728 wrote to memory of 1664 | 1728 | 547846eaecf08317d469425b55f2e86a_JaffaCakes118.exe | 85
PID 1728 wrote to memory of 1664 | 1728 | 547846eaecf08317d469425b55f2e86a_JaffaCakes118.exe | 85
PID 1664 wrote to memory of 2480 | 1664 | 547846eaecf08317d469425b55f2e86a_JaffaCakes118.exe | 88
PID 1664 wrote to memory of 2480 | 1664 | 547846eaecf08317d469425b55f2e86a_JaffaCakes118.exe | 88
PID 1664 wrote to memory of 2480 | 1664 | 547846eaecf08317d469425b55f2e86a_JaffaCakes118.exe | 88
PID 1664 wrote to memory of 2480 | 1664 | 547846eaecf08317d469425b55f2e86a_JaffaCakes118.exe | 88
PID 1664 wrote to memory of 1812 | 1664 | 547846eaecf08317d469425b55f2e86a_JaffaCakes118.exe | 90
PID 1664 wrote to memory of 1812 | 1664 | 547846eaecf08317d469425b55f2e86a_JaffaCakes118.exe | 90
PID 1664 wrote to memory of 1812 | 1664 | 547846eaecf08317d469425b55f2e86a_JaffaCakes118.exe | 90
PID 1664 wrote to memory of 1812 | 1664 | 547846eaecf08317d469425b55f2e86a_JaffaCakes118.exe | 90
Processes

C:\Users\Admin\AppData\Local\Temp\547846eaecf08317d469425b55f2e86a_JaffaCakes118.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\547846eaecf08317d469425b55f2e86a_JaffaCakes118.exe"
  PID: 2392
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory

  C:\Users\Admin\AppData\Local\Temp\547846eaecf08317d469425b55f2e86a_JaffaCakes118.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\547846eaecf08317d469425b55f2e86a_JaffaCakes118.exe
    PID: 1728
    - Suspicious use of SetThreadContext
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory

    C:\Users\Admin\AppData\Local\Temp\547846eaecf08317d469425b55f2e86a_JaffaCakes118.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\547846eaecf08317d469425b55f2e86a_JaffaCakes118.exe"
      PID: 1664
      - Suspicious use of WriteProcessMemory

      C:\Windows\SysWOW64\svchost.exe
        Command line: svchost.exe
        PID: 2480

        C:\Windows\SysWOW64\WerFault.exe
          Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 2480 -s 480
          PID: 2456
          - Program crash

        C:\Windows\SysWOW64\WerFault.exe
          Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 2480 -s 488
          PID: 4176
          - Program crash

      C:\Windows\SysWOW64\svchost.exe
        Command line: svchost.exe
        PID: 1812

        C:\Windows\SysWOW64\WerFault.exe
          Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 1812 -s 476
          PID: 3064
          - Program crash

        C:\Windows\SysWOW64\WerFault.exe
          Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 1812 -s 484
          PID: 1512
          - Program crash

C:\Windows\SysWOW64\WerFault.exe
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 2480 -ip 2480
  PID: 1988

C:\Windows\SysWOW64\WerFault.exe
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 184 -p 1812 -ip 1812
  PID: 2748

C:\Windows\SysWOW64\WerFault.exe
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 516 -p 1812 -ip 1812
  PID: 1336

C:\Windows\SysWOW64\WerFault.exe
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 560 -p 2480 -ip 2480
  PID: 4788