Analysis
Max time kernel: 140s
Max time network: 126s
Platform: windows10-2004_x64
Resource: win10v2004-20240709-en
Resource tags: arch:x64, arch:x86, image:win10v2004-20240709-en, locale:en-us, os:windows10-2004-x64, system
Submitted: 18-07-2024 01:09
Static task: static1
Behavioral task: behavioral1
  Sample: 5590cf08ee9bf90504a41f2cb80246b0_JaffaCakes118.exe
  Resource: win7-20240704-en
Behavioral task: behavioral2
  Sample: 5590cf08ee9bf90504a41f2cb80246b0_JaffaCakes118.exe
  Resource: win10v2004-20240709-en
General
Target: 5590cf08ee9bf90504a41f2cb80246b0_JaffaCakes118.exe
Size: 366KB
MD5: 5590cf08ee9bf90504a41f2cb80246b0
SHA1: 2aac70d1aee288bb1e6f4440613b04f93ddeb751
SHA256: edcdbcf4639df0a95f4ed008b1c49be3f2da6e6f2e32e231eab861eef1c9faf2
SHA512: 7c6acc889982b5c97905acb796c406d766387e26ba3076bffb70a7b198bc85876d07d067d8d26014c535f5572eb9c3d89ca238605bc0f77522a5dc1e94c78ff9
SSDEEP: 6144:E42KoS4DZ3A+E0I8IQB2vI1CDitFuZtzzk7fPxSnyVNck/iPJgsROBevh+1HNX4H:xHoS493ACIl7vI1kiqHNnyVek/a4QmHG
Malware Config
Extracted
xtremerat
maradona.no-ip.org
Signatures

Detect XtremeRAT payload (3 IoCs)
Processes:
resource | yara_rule
behavioral2/memory/1784-9-0x0000000010000000-0x000000001004D000-memory.dmp | family_xtremerat
behavioral2/memory/3692-12-0x0000000010000000-0x000000001004D000-memory.dmp | family_xtremerat
behavioral2/memory/3692-13-0x0000000010000000-0x000000001004D000-memory.dmp | family_xtremerat
XtremeRAT
XtremeRAT was developed by xtremecoder, is written in Delphi, and has been available since at least 2010.
UPX packed file (5 IoCs)
Processes:
resource | yara_rule
behavioral2/memory/1784-5-0x0000000010000000-0x000000001004D000-memory.dmp | upx
behavioral2/memory/1784-7-0x0000000010000000-0x000000001004D000-memory.dmp | upx
behavioral2/memory/1784-9-0x0000000010000000-0x000000001004D000-memory.dmp | upx
behavioral2/memory/3692-12-0x0000000010000000-0x000000001004D000-memory.dmp | upx
behavioral2/memory/3692-13-0x0000000010000000-0x000000001004D000-memory.dmp | upx

Suspicious use of SetThreadContext (1 IoCs)
Processes:
description | pid | Process | procid_target
PID 1808 set thread context of 1784 | 1808 | 5590cf08ee9bf90504a41f2cb80246b0_JaffaCakes118.exe | 84

Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).

Program crash (2 IoCs)
Processes:
pid | pid_target | Process | procid_target
4948 | 3692 | WerFault.exe | 85
4660 | 3692 | WerFault.exe | 85

Suspicious use of SetWindowsHookEx (1 IoCs)
Processes:
pid | Process
1808 | 5590cf08ee9bf90504a41f2cb80246b0_JaffaCakes118.exe

Suspicious use of WriteProcessMemory (15 IoCs)
Processes:
description | pid | Process | procid_target | entries
PID 1808 wrote to memory of 1784 | 1808 | 5590cf08ee9bf90504a41f2cb80246b0_JaffaCakes118.exe | 84 | 8 identical entries
PID 1784 wrote to memory of 3692 | 1784 | 5590cf08ee9bf90504a41f2cb80246b0_JaffaCakes118.exe | 85 | 4 identical entries
PID 1784 wrote to memory of 3020 | 1784 | 5590cf08ee9bf90504a41f2cb80246b0_JaffaCakes118.exe | 87 | 3 identical entries
Processes

Depth 1: C:\Users\Admin\AppData\Local\Temp\5590cf08ee9bf90504a41f2cb80246b0_JaffaCakes118.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\5590cf08ee9bf90504a41f2cb80246b0_JaffaCakes118.exe"
  Signatures: Suspicious use of SetThreadContext; Suspicious use of SetWindowsHookEx; Suspicious use of WriteProcessMemory
  PID: 1808

  Depth 2: C:\Users\Admin\AppData\Local\Temp\5590cf08ee9bf90504a41f2cb80246b0_JaffaCakes118.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\5590cf08ee9bf90504a41f2cb80246b0_JaffaCakes118.exe"
    Signatures: Suspicious use of WriteProcessMemory
    PID: 1784

    Depth 3: C:\Windows\SysWOW64\svchost.exe
      Command line: svchost.exe
      PID: 3692

      Depth 4: C:\Windows\SysWOW64\WerFault.exe
        Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 3692 -s 484
        Signatures: Program crash
        PID: 4948

      Depth 4: C:\Windows\SysWOW64\WerFault.exe
        Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 3692 -s 492
        Signatures: Program crash
        PID: 4660

    Depth 3: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
      PID: 3020

Depth 1: C:\Windows\SysWOW64\WerFault.exe
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 424 -p 3692 -ip 3692
  PID: 3044

Depth 1: C:\Windows\SysWOW64\WerFault.exe
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 544 -p 3692 -ip 3692
  PID: 4572