Analysis

  • max time kernel
    145s
  • max time network
    148s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240709-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20240709-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    18-07-2024 01:43

General

  • Target

    55ab2b7bc65ac436b5bf3315d6b60f80_JaffaCakes118.exe

  • Size

    291KB

  • MD5

    55ab2b7bc65ac436b5bf3315d6b60f80

  • SHA1

    62bc02d9b17313a5de01864feada7d0de1c187a9

  • SHA256

    0fc7568cebbdb2c73b073fed4acfc49932cff1da13c03234e82952d3dee2ab50

  • SHA512

    e3fe45484cebad49c3fa7bdc14c3fe77964ad58cb403db0acb518b6afe165a8f5f425fe56cf5e5d44183768d650a044ca87df47ded51d249a71e295f5ba36662

  • SSDEEP

    6144:b1dlZro5y+mAWXeLQEBMbNliPVj7zt4xeTnax9INsFiKqM735jI:b1dlZo5y9u0ESbNli1Cqaxosd3dI

Malware Config

Extracted

Family

xtremerat

C2

namehost.dyndns.org

Signatures

  • Detect XtremeRAT payload 3 IoCs
  • XtremeRAT

    XtremeRAT was developed by xtremecoder, is written in Delphi, and has been available since at least 2010.

  • Boot or Logon Autostart Execution: Active Setup 2 TTPs 2 IoCs

    Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up the country code configured in the registry, likely for geofencing.

  • Executes dropped EXE 1 IoCs
  • Adds Run key to start application 2 TTPs 2 IoCs
  • Drops file in System32 directory 3 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 10 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\55ab2b7bc65ac436b5bf3315d6b60f80_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\55ab2b7bc65ac436b5bf3315d6b60f80_JaffaCakes118.exe"
    1⤵
    • Checks computer location settings
    • Suspicious use of WriteProcessMemory
    PID:4628
    • C:\Extracted\Sexy18.exe
      "C:\Extracted\Sexy18.exe"
      2⤵
      • Boot or Logon Autostart Execution: Active Setup
      • Executes dropped EXE
      • Adds Run key to start application
      • Drops file in System32 directory
      • Suspicious use of WriteProcessMemory
      PID:3036
      • C:\Windows\SysWOW64\svchost.exe
        svchost.exe
        3⤵
        • Suspicious use of SetWindowsHookEx
        PID:1436
      • C:\Windows\SysWOW64\explorer.exe
        explorer.exe
        3⤵
        PID:4836

    Network

    MITRE ATT&CK Enterprise v15


    Downloads

    • C:\Extracted\Sexy18.exe

      Filesize

      211KB

      MD5

      c2f978e209d70195bec4b23adb0adbcc

      SHA1

      f204c4c0122bd3f9d3c900bf2d8d6562c20a8935

      SHA256

      798cf91e7f3fed0dfcc79ebd0a2b2231b1fd5de1bd1e18740b688d620667b542

      SHA512

      5a7c332decd4195ae29c3b2fc06d8a94c32f2da603907177a8a6c6d11d6c3215726fa2b3e88487fb9148bbf23d4c9befe4c1fb69ef49ddb93598140f0d15012c

    • C:\Users\Admin\AppData\Local\Temp\sfx.ini

      Filesize

      224B

      MD5

      eab078deb98207f051385c5129fc423c

      SHA1

      13c6631134a1269235fbfee1006d5dd15b2c1028

      SHA256

      fc2f45419fb387e7668fea7632d30dc43850cd72927edf2f5baa1a04f077ebbc

      SHA512

      5dbd7fdfa3b8ed322ff0e494285fc1c186f885dff235b4807809036adf5a2e99852957be4a59cddb69ed41332a7e4082cb16fe7e9695468111f7f2f383198644

    • memory/1436-33-0x0000000000C80000-0x0000000000CF0000-memory.dmp

      Filesize

      448KB

    • memory/1436-36-0x0000000000C80000-0x0000000000CF0000-memory.dmp

      Filesize

      448KB

    • memory/3036-25-0x0000000000C80000-0x0000000000CF0000-memory.dmp

      Filesize

      448KB

    • memory/3036-26-0x0000000000540000-0x0000000000543000-memory.dmp

      Filesize

      12KB

    • memory/3036-34-0x0000000000C80000-0x0000000000CF0000-memory.dmp

      Filesize

      448KB