Analysis
- max time kernel: 148s
- max time network: 147s
- platform: windows7_x64
- resource: win7-20240704-en
- resource tags: arch:x64, arch:x86, image:win7-20240704-en, locale:en-us, os:windows7-x64, system
- submitted: 18-07-2024 01:43
Static task: static1
Behavioral task: behavioral1
- Sample: 55ab2b7bc65ac436b5bf3315d6b60f80_JaffaCakes118.exe
- Resource: win7-20240704-en
Behavioral task: behavioral2
- Sample: 55ab2b7bc65ac436b5bf3315d6b60f80_JaffaCakes118.exe
- Resource: win10v2004-20240709-en
General
- Target: 55ab2b7bc65ac436b5bf3315d6b60f80_JaffaCakes118.exe
- Size: 291KB
- MD5: 55ab2b7bc65ac436b5bf3315d6b60f80
- SHA1: 62bc02d9b17313a5de01864feada7d0de1c187a9
- SHA256: 0fc7568cebbdb2c73b073fed4acfc49932cff1da13c03234e82952d3dee2ab50
- SHA512: e3fe45484cebad49c3fa7bdc14c3fe77964ad58cb403db0acb518b6afe165a8f5f425fe56cf5e5d44183768d650a044ca87df47ded51d249a71e295f5ba36662
- SSDEEP: 6144:b1dlZro5y+mAWXeLQEBMbNliPVj7zt4xeTnax9INsFiKqM735jI:b1dlZo5y9u0ESbNli1Cqaxosd3dI
Malware Config
Extracted
- Family: xtremerat
- Host: namehost.dyndns.org
Signatures

Detect XtremeRAT payload (5 IoCs)
Processes (resource: yara_rule):
- behavioral1/memory/2836-29-0x0000000000C80000-0x0000000000CF0000-memory.dmp: family_xtremerat
- behavioral1/memory/2688-44-0x0000000000C80000-0x0000000000CF0000-memory.dmp: family_xtremerat
- behavioral1/memory/2624-41-0x0000000000C80000-0x0000000000CF0000-memory.dmp: family_xtremerat
- behavioral1/memory/2836-46-0x0000000000C80000-0x0000000000CF0000-memory.dmp: family_xtremerat
- behavioral1/memory/2688-48-0x0000000000C80000-0x0000000000CF0000-memory.dmp: family_xtremerat
XtremeRAT
XtremeRAT was developed by xtremecoder, is written in Delphi, and has been available since at least 2010.
Boot or Logon Autostart Execution: Active Setup (2 TTPs, 2 IoCs)
Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.
Processes (description, ioc, process):
- Key created: \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2} (Sexy18.exe)
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}\StubPath = "C:\\Windows\\system32\\wbem\\xml.exe restart" (Sexy18.exe)
Executes dropped EXE (1 IoC)
Processes (pid, process):
- 2836 Sexy18.exe
Loads dropped DLL (2 IoCs)
Processes (pid, process):
- 2028 55ab2b7bc65ac436b5bf3315d6b60f80_JaffaCakes118.exe
- 2028 55ab2b7bc65ac436b5bf3315d6b60f80_JaffaCakes118.exe
Adds Run key to start application (2 TTPs, 2 IoCs)
Processes (description, ioc, process):
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Windows\\system32\\wbem\\xml.exe" (Sexy18.exe)
- Set value (str): \REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Windows\\system32\\wbem\\xml.exe" (Sexy18.exe)
Drops file in System32 directory (3 IoCs)
Processes (description, ioc, process):
- File opened for modification: C:\Windows\SysWOW64\wbem\xml.exe (Sexy18.exe)
- File created: C:\Windows\SysWOW64\wbem\xml.exe (Sexy18.exe)
- File opened for modification: C:\Windows\SysWOW64\wbem\ (Sexy18.exe)
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).
Suspicious use of FindShellTrayWindow (1 IoC)
Processes (pid, process):
- 2172 DllHost.exe
Suspicious use of SetWindowsHookEx (1 IoC)
Processes (pid, process):
- 2688 svchost.exe
Suspicious use of WriteProcessMemory (14 IoCs)
Processes (description, pid, process, procid_target):
- PID 2028 wrote to memory of 2836; 55ab2b7bc65ac436b5bf3315d6b60f80_JaffaCakes118.exe; target 31
- PID 2028 wrote to memory of 2836; 55ab2b7bc65ac436b5bf3315d6b60f80_JaffaCakes118.exe; target 31
- PID 2028 wrote to memory of 2836; 55ab2b7bc65ac436b5bf3315d6b60f80_JaffaCakes118.exe; target 31
- PID 2028 wrote to memory of 2836; 55ab2b7bc65ac436b5bf3315d6b60f80_JaffaCakes118.exe; target 31
- PID 2836 wrote to memory of 2688; Sexy18.exe; target 32
- PID 2836 wrote to memory of 2688; Sexy18.exe; target 32
- PID 2836 wrote to memory of 2688; Sexy18.exe; target 32
- PID 2836 wrote to memory of 2688; Sexy18.exe; target 32
- PID 2836 wrote to memory of 2624; Sexy18.exe; target 33
- PID 2836 wrote to memory of 2624; Sexy18.exe; target 33
- PID 2836 wrote to memory of 2624; Sexy18.exe; target 33
- PID 2836 wrote to memory of 2624; Sexy18.exe; target 33
- PID 2836 wrote to memory of 2624; Sexy18.exe; target 33
- PID 2836 wrote to memory of 2688; Sexy18.exe; target 32
Processes
- C:\Users\Admin\AppData\Local\Temp\55ab2b7bc65ac436b5bf3315d6b60f80_JaffaCakes118.exe (PID 2028)
  Command line: "C:\Users\Admin\AppData\Local\Temp\55ab2b7bc65ac436b5bf3315d6b60f80_JaffaCakes118.exe"
  Signatures: Loads dropped DLL; Suspicious use of WriteProcessMemory
  - C:\Extracted\Sexy18.exe (PID 2836)
    Command line: "C:\Extracted\Sexy18.exe"
    Signatures: Boot or Logon Autostart Execution: Active Setup; Executes dropped EXE; Adds Run key to start application; Drops file in System32 directory; Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\svchost.exe (PID 2688)
      Command line: svchost.exe
      Signatures: Suspicious use of SetWindowsHookEx
    - C:\Windows\SysWOW64\explorer.exe (PID 2624)
      Command line: explorer.exe
- C:\Windows\SysWOW64\DllHost.exe (PID 2172)
  Command line: C:\Windows\SysWOW64\DllHost.exe /Processid:{76D0CB12-7604-4048-B83C-1005C7DDC503}
  Signatures: Suspicious use of FindShellTrayWindow
Network
MITRE ATT&CK Enterprise v15
Downloads