Analysis
- max time kernel: 149s
- max time network: 121s
- platform: windows7_x64
- resource: win7-20240704-en
- resource tags: arch:x64, arch:x86, image:win7-20240704-en, locale:en-us, os:windows7-x64, system
- submitted: 18-07-2024 05:06
- Static task: static1
- Behavioral task: behavioral1
  - Sample: 563f21a58f7ee7b6148afdde4dd5009a_JaffaCakes118.exe
  - Resource: win7-20240704-en
General
- Target: 563f21a58f7ee7b6148afdde4dd5009a_JaffaCakes118.exe
- Size: 562KB
- MD5: 563f21a58f7ee7b6148afdde4dd5009a
- SHA1: d4a07af81b6c02c04a7d651f1bc9e3502d391910
- SHA256: 4e805a41c07e004d9d74a9d77b20a5baa0d939bcd69bf5f60af508528bedb115
- SHA512: df116924f1ddc665f00edb0d31b7681debed56a5fa49e84797b9b85f2e7bbb7856b465ff6fce01ea4f510cc8eeb455891be857fd83a850d4e70b0bd7da7532ce
- SSDEEP: 6144:aORUQxcBKTxd5udhiNoGSAB5wd6XTdHrC0bf6PaSGIBixZv7tvMeV11nxldq7jPS:aORUwSABOd6DJrpbfYad0irxd9PdqHPS
Malware Config
Signatures
Detect XtremeRAT payload (3 IoCs)
Processes:
- behavioral1/memory/2616-6-0x0000000010000000-0x000000001004A000-memory.dmp: yara_rule family_xtremerat
- behavioral1/memory/2732-10-0x0000000010000000-0x000000001004A000-memory.dmp: yara_rule family_xtremerat
- behavioral1/memory/2732-13-0x0000000010000000-0x000000001004A000-memory.dmp: yara_rule family_xtremerat
Processes:
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" (process: 563f21a58f7ee7b6148afdde4dd5009a_JaffaCakes118.exe)
Processes:
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UACDisableNotify = "0" (process: 563f21a58f7ee7b6148afdde4dd5009a_JaffaCakes118.exe)
XtremeRAT
XtremeRAT was developed by xtremecoder, is written in Delphi, and has been available since at least 2010.
Processes:
- behavioral1/memory/2616-3-0x0000000010000000-0x000000001004A000-memory.dmp: yara_rule upx
- behavioral1/memory/2616-5-0x0000000010000000-0x000000001004A000-memory.dmp: yara_rule upx
- behavioral1/memory/2616-6-0x0000000010000000-0x000000001004A000-memory.dmp: yara_rule upx
- behavioral1/memory/2732-10-0x0000000010000000-0x000000001004A000-memory.dmp: yara_rule upx
- behavioral1/memory/2732-13-0x0000000010000000-0x000000001004A000-memory.dmp: yara_rule upx
Processes:
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UACDisableNotify = "0" (process: 563f21a58f7ee7b6148afdde4dd5009a_JaffaCakes118.exe)
Processes:
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" (process: 563f21a58f7ee7b6148afdde4dd5009a_JaffaCakes118.exe)
Maps connected drives based on registry (3 TTPs, 2 IoCs)
Disk information is often read in order to detect sandboxing environments.
Processes:
- Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0 (process: 563f21a58f7ee7b6148afdde4dd5009a_JaffaCakes118.exe)
- Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum (process: 563f21a58f7ee7b6148afdde4dd5009a_JaffaCakes118.exe)
Suspicious use of SetThreadContext (1 IoCs)
Processes:
- PID 2236 set thread context of 2616 (process: 563f21a58f7ee7b6148afdde4dd5009a_JaffaCakes118.exe, procid_target 29)
Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).
Suspicious use of AdjustPrivilegeToken (1 IoCs)
Processes:
- Token: SeBackupPrivilege (PID 2236, process: 563f21a58f7ee7b6148afdde4dd5009a_JaffaCakes118.exe)
Suspicious use of SetWindowsHookEx (1 IoCs)
Processes:
- PID 2236 (process: 563f21a58f7ee7b6148afdde4dd5009a_JaffaCakes118.exe)
Suspicious use of WriteProcessMemory (19 IoCs)
Processes:
- PID 2236 wrote to memory of 2616 (process: 563f21a58f7ee7b6148afdde4dd5009a_JaffaCakes118.exe, procid_target 29): 9 entries
- PID 2616 wrote to memory of 2732 (process: 563f21a58f7ee7b6148afdde4dd5009a_JaffaCakes118.exe, procid_target 30): 5 entries
- PID 2616 wrote to memory of 2644 (process: 563f21a58f7ee7b6148afdde4dd5009a_JaffaCakes118.exe, procid_target 31): 5 entries
System policy modification (1 TTPs, 1 IoCs)
Processes:
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" (process: 563f21a58f7ee7b6148afdde4dd5009a_JaffaCakes118.exe)
Processes
- C:\Users\Admin\AppData\Local\Temp\563f21a58f7ee7b6148afdde4dd5009a_JaffaCakes118.exe (command line: "C:\Users\Admin\AppData\Local\Temp\563f21a58f7ee7b6148afdde4dd5009a_JaffaCakes118.exe"; depth 1; PID 2236)
  - UAC bypass
  - Windows security bypass
  - Windows security modification
  - Checks whether UAC is enabled
  - Maps connected drives based on registry
  - Suspicious use of SetThreadContext
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  - System policy modification
  - C:\Users\Admin\AppData\Local\Temp\563f21a58f7ee7b6148afdde4dd5009a_JaffaCakes118.exe (command line: "C:\Users\Admin\AppData\Local\Temp\563f21a58f7ee7b6148afdde4dd5009a_JaffaCakes118.exe"; depth 2; PID 2616)
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\svchost.exe (command line: svchost.exe; depth 3; PID 2732)
    - C:\Program Files\Internet Explorer\iexplore.exe (command line: "C:\Program Files\Internet Explorer\iexplore.exe"; depth 3; PID 2644)
Network
MITRE ATT&CK Enterprise v15
- Privilege Escalation
  - Abuse Elevation Control Mechanism (1)
    - Bypass User Account Control (1)
- Defense Evasion
  - Abuse Elevation Control Mechanism (1)
    - Bypass User Account Control (1)
  - Impair Defenses (3)
    - Disable or Modify Tools (3)
  - Modify Registry (4)