Analysis
- max time kernel: 145s
- max time network: 148s
- platform: windows10-2004_x64
- resource: win10v2004-20240709-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240709-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 18-07-2024 01:43
Static task: static1
Behavioral task: behavioral1
- Sample: 55ab2b7bc65ac436b5bf3315d6b60f80_JaffaCakes118.exe
- Resource: win7-20240704-en
Behavioral task: behavioral2
- Sample: 55ab2b7bc65ac436b5bf3315d6b60f80_JaffaCakes118.exe
- Resource: win10v2004-20240709-en
General
- Target: 55ab2b7bc65ac436b5bf3315d6b60f80_JaffaCakes118.exe
- Size: 291KB
- MD5: 55ab2b7bc65ac436b5bf3315d6b60f80
- SHA1: 62bc02d9b17313a5de01864feada7d0de1c187a9
- SHA256: 0fc7568cebbdb2c73b073fed4acfc49932cff1da13c03234e82952d3dee2ab50
- SHA512: e3fe45484cebad49c3fa7bdc14c3fe77964ad58cb403db0acb518b6afe165a8f5f425fe56cf5e5d44183768d650a044ca87df47ded51d249a71e295f5ba36662
- SSDEEP: 6144:b1dlZro5y+mAWXeLQEBMbNliPVj7zt4xeTnax9INsFiKqM735jI:b1dlZo5y9u0ESbNli1Cqaxosd3dI
Malware Config
Extracted
xtremerat
namehost.dyndns.org
Signatures
-
Detect XtremeRAT payload (3 IoCs)
Processes:
  resource | yara_rule
  behavioral2/memory/1436-33-0x0000000000C80000-0x0000000000CF0000-memory.dmp | family_xtremerat
  behavioral2/memory/3036-34-0x0000000000C80000-0x0000000000CF0000-memory.dmp | family_xtremerat
  behavioral2/memory/1436-36-0x0000000000C80000-0x0000000000CF0000-memory.dmp | family_xtremerat
-
XtremeRAT
XtremeRAT was developed by xtremecoder, is written in Delphi, and has been available since at least 2010.
-
Boot or Logon Autostart Execution: Active Setup (2 TTPs, 2 IoCs)
Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.
Processes: Sexy18.exe
  description | ioc | Process
  Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2} | Sexy18.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}\StubPath = "C:\\Windows\\system32\\wbem\\xml.exe restart" | Sexy18.exe
-
Checks computer location settings (2 TTPs, 1 IoC)
Looks up country code configured in the registry, likely geofence.
Processes: 55ab2b7bc65ac436b5bf3315d6b60f80_JaffaCakes118.exe
  description | ioc | Process
  Key value queried | \REGISTRY\USER\S-1-5-21-464762018-485119342-1613148473-1000\Control Panel\International\Geo\Nation | 55ab2b7bc65ac436b5bf3315d6b60f80_JaffaCakes118.exe
-
Executes dropped EXE (1 IoC)
Processes: Sexy18.exe
  pid | Process
  3036 | Sexy18.exe
-
Adds Run key to start application (2 TTPs, 2 IoCs)
Processes: Sexy18.exe
  description | ioc | Process
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Windows\\system32\\wbem\\xml.exe" | Sexy18.exe
  Set value (str) | \REGISTRY\USER\S-1-5-21-464762018-485119342-1613148473-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Windows\\system32\\wbem\\xml.exe" | Sexy18.exe
-
Drops file in System32 directory (3 IoCs)
Processes: Sexy18.exe
  description | ioc | Process
  File opened for modification | C:\Windows\SysWOW64\wbem\xml.exe | Sexy18.exe
  File created | C:\Windows\SysWOW64\wbem\xml.exe | Sexy18.exe
  File opened for modification | C:\Windows\SysWOW64\wbem\ | Sexy18.exe
-
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).
-
Suspicious use of SetWindowsHookEx (1 IoC)
Processes: svchost.exe
  pid | Process
  1436 | svchost.exe
-
Suspicious use of WriteProcessMemory (10 IoCs)
Processes: 55ab2b7bc65ac436b5bf3315d6b60f80_JaffaCakes118.exe, Sexy18.exe
  description | pid | Process | procid_target
  PID 4628 wrote to memory of 3036 | 4628 | 55ab2b7bc65ac436b5bf3315d6b60f80_JaffaCakes118.exe | 94
  PID 4628 wrote to memory of 3036 | 4628 | 55ab2b7bc65ac436b5bf3315d6b60f80_JaffaCakes118.exe | 94
  PID 4628 wrote to memory of 3036 | 4628 | 55ab2b7bc65ac436b5bf3315d6b60f80_JaffaCakes118.exe | 94
  PID 3036 wrote to memory of 1436 | 3036 | Sexy18.exe | 95
  PID 3036 wrote to memory of 1436 | 3036 | Sexy18.exe | 95
  PID 3036 wrote to memory of 1436 | 3036 | Sexy18.exe | 95
  PID 3036 wrote to memory of 4836 | 3036 | Sexy18.exe | 96
  PID 3036 wrote to memory of 4836 | 3036 | Sexy18.exe | 96
  PID 3036 wrote to memory of 4836 | 3036 | Sexy18.exe | 96
  PID 3036 wrote to memory of 1436 | 3036 | Sexy18.exe | 95
Processes
-
C:\Users\Admin\AppData\Local\Temp\55ab2b7bc65ac436b5bf3315d6b60f80_JaffaCakes118.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\55ab2b7bc65ac436b5bf3315d6b60f80_JaffaCakes118.exe"
  - Checks computer location settings
  - Suspicious use of WriteProcessMemory
  PID: 4628
  -
  C:\Extracted\Sexy18.exe
    Command line: "C:\Extracted\Sexy18.exe"
    - Boot or Logon Autostart Execution: Active Setup
    - Executes dropped EXE
    - Adds Run key to start application
    - Drops file in System32 directory
    - Suspicious use of WriteProcessMemory
    PID: 3036
    -
    C:\Windows\SysWOW64\svchost.exe
      Command line: svchost.exe
      - Suspicious use of SetWindowsHookEx
      PID: 1436
    -
    C:\Windows\SysWOW64\explorer.exe
      Command line: explorer.exe
      PID: 4836
Network
MITRE ATT&CK Enterprise v15
Downloads
-
Filesize: 211KB
MD5: c2f978e209d70195bec4b23adb0adbcc
SHA1: f204c4c0122bd3f9d3c900bf2d8d6562c20a8935
SHA256: 798cf91e7f3fed0dfcc79ebd0a2b2231b1fd5de1bd1e18740b688d620667b542
SHA512: 5a7c332decd4195ae29c3b2fc06d8a94c32f2da603907177a8a6c6d11d6c3215726fa2b3e88487fb9148bbf23d4c9befe4c1fb69ef49ddb93598140f0d15012c
-
Filesize: 224B
MD5: eab078deb98207f051385c5129fc423c
SHA1: 13c6631134a1269235fbfee1006d5dd15b2c1028
SHA256: fc2f45419fb387e7668fea7632d30dc43850cd72927edf2f5baa1a04f077ebbc
SHA512: 5dbd7fdfa3b8ed322ff0e494285fc1c186f885dff235b4807809036adf5a2e99852957be4a59cddb69ed41332a7e4082cb16fe7e9695468111f7f2f383198644