Analysis
max time kernel: 147s
max time network: 120s
platform: windows7_x64
resource: win7-20240708-en
resource tags: arch:x64, arch:x86, image:win7-20240708-en, locale:en-us, os:windows7-x64, system
submitted: 18-07-2024 12:32
Static task: static1
Behavioral task: behavioral1
  Sample: 576451579cdafea43c2061ab41728187_JaffaCakes118.exe
  Resource: win7-20240708-en
Behavioral task: behavioral2
  Sample: 576451579cdafea43c2061ab41728187_JaffaCakes118.exe
  Resource: win10v2004-20240709-en
General
Target: 576451579cdafea43c2061ab41728187_JaffaCakes118.exe
Size: 643KB
MD5: 576451579cdafea43c2061ab41728187
SHA1: 8281dbb47ec31366faeb878ec26ad8cc056a06d2
SHA256: 602ae1b840761cda082940ead7a025aa9e2d28d570d86d9cdfaf79e5ea466544
SHA512: 86824fd32a290162060bc2785abf890fa94655b645f803cf620a2a65332a17741dbc65209a866926000cedf68f800cafdd321ad487cf9e57d19c6ba4053a0341
SSDEEP: 12288:LX8N4mHr8vKfE5V0VQwQB7sOQ3AFYGq6gJLZH2USEIsWF7gcBcoFnDQ:uL8bn17sOQ3UYygJ8USQWF752
Malware Config
Signatures
XtremeRAT
XtremeRAT was developed by xtremecoder, is written in Delphi, and has been available since at least 2010.
Boot or Logon Autostart Execution: Active Setup (2 TTPs, 4 IoCs)
Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.
Processes: seri7.exe, svchost.exe
  description | ioc | Process
  Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2} | seri7.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}\StubPath = "C:\\Users\\Admin\\AppData\\Local\\Temp\\seri7.exe restart" | seri7.exe
  Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2} | svchost.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}\StubPath = "C:\\Users\\Admin\\AppData\\Local\\Temp\\seri7.exe" | svchost.exe
Executes dropped EXE (2 IoCs)
Processes: seri7.exe, seri7.exe
  pid | Process
  2628 | seri7.exe
  3068 | seri7.exe
Loads dropped DLL (2 IoCs)
Processes: 576451579cdafea43c2061ab41728187_JaffaCakes118.exe, seri7.exe
  pid | Process
  2072 | 576451579cdafea43c2061ab41728187_JaffaCakes118.exe
  2628 | seri7.exe
Adds Run key to start application (2 TTPs, 4 IoCs)
Processes: seri7.exe, svchost.exe
  description | ioc | Process
  Set value (str) | \REGISTRY\USER\S-1-5-21-2958949473-3205530200-1453100116-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Users\\Admin\\AppData\\Local\\Temp\\seri7.exe" | seri7.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Users\\Admin\\AppData\\Local\\Temp\\seri7.exe" | svchost.exe
  Set value (str) | \REGISTRY\USER\S-1-5-21-2958949473-3205530200-1453100116-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Users\\Admin\\AppData\\Local\\Temp\\seri7.exe" | svchost.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Users\\Admin\\AppData\\Local\\Temp\\seri7.exe" | seri7.exe
Suspicious use of SetThreadContext (2 IoCs)
Processes: seri7.exe
  description | pid | Process | procid_target
  PID 2628 set thread context of 3068 | 2628 | seri7.exe | 31
  PID 2628 set thread context of 0 | 2628 | seri7.exe | (none)
Drops file in Windows directory (1 IoCs)
Processes: seri7.exe
  description | ioc | Process
  File opened for modification | C:\Windows\InstallDir\Server.exe | seri7.exe
Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).
Suspicious use of AdjustPrivilegeToken (12 IoCs)
Processes: 576451579cdafea43c2061ab41728187_JaffaCakes118.exe, seri7.exe
  description | pid | Process | count
  Token: 33 | 2072 | 576451579cdafea43c2061ab41728187_JaffaCakes118.exe | 4
  Token: SeIncBasePriorityPrivilege | 2072 | 576451579cdafea43c2061ab41728187_JaffaCakes118.exe | 4
  Token: 33 | 2628 | seri7.exe | 2
  Token: SeIncBasePriorityPrivilege | 2628 | seri7.exe | 2
Suspicious use of SetWindowsHookEx (1 IoCs)
Processes: seri7.exe
  pid | Process
  2628 | seri7.exe
Suspicious use of WriteProcessMemory (62 IoCs)
Processes: 576451579cdafea43c2061ab41728187_JaffaCakes118.exe, seri7.exe, seri7.exe
  description | pid | Process | procid_target | count
  PID 2072 wrote to memory of 2628 | 2072 | 576451579cdafea43c2061ab41728187_JaffaCakes118.exe | 30 | 4
  PID 2628 wrote to memory of 3068 | 2628 | seri7.exe | 31 | 9
  PID 2628 wrote to memory of 0 | 2628 | seri7.exe | (none) | 5
  PID 3068 wrote to memory of 2948 | 3068 | seri7.exe | 32 | 5
  PID 3068 wrote to memory of 2760 | 3068 | seri7.exe | 33 | 5
  PID 3068 wrote to memory of 2524 | 3068 | seri7.exe | 34 | 5
  PID 3068 wrote to memory of 2836 | 3068 | seri7.exe | 35 | 5
  PID 3068 wrote to memory of 2844 | 3068 | seri7.exe | 36 | 5
  PID 3068 wrote to memory of 2556 | 3068 | seri7.exe | 37 | 5
  PID 3068 wrote to memory of 2804 | 3068 | seri7.exe | 38 | 5
  PID 3068 wrote to memory of 1732 | 3068 | seri7.exe | 39 | 5
  PID 3068 wrote to memory of 2204 | 3068 | seri7.exe | 40 | 4
Processes
C:\Users\Admin\AppData\Local\Temp\576451579cdafea43c2061ab41728187_JaffaCakes118.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\576451579cdafea43c2061ab41728187_JaffaCakes118.exe"
  PID: 2072
  - Loads dropped DLL
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  C:\Users\Admin\AppData\Local\Xenocode\Sandbox\Project1\1.00\1432.12.24T23.29\Virtual\STUBEXE\@APPDATALOCAL@\Temp\seri7.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\seri7.exe"
    PID: 2628
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of SetThreadContext
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    C:\Users\Admin\AppData\Local\Xenocode\Sandbox\Project1\1.00\1432.12.24T23.29\Virtual\STUBEXE\@APPDATALOCAL@\Temp\seri7.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\seri7.exe"
      PID: 3068
      - Boot or Logon Autostart Execution: Active Setup
      - Executes dropped EXE
      - Adds Run key to start application
      - Drops file in Windows directory
      - Suspicious use of WriteProcessMemory
      C:\Windows\SysWOW64\svchost.exe
        Command line: svchost.exe
        PID: 2948
        - Boot or Logon Autostart Execution: Active Setup
        - Adds Run key to start application
      C:\Program Files\Internet Explorer\iexplore.exe
        Command line: "C:\Program Files\Internet Explorer\iexplore.exe"
        PID: 2760
      C:\Program Files\Internet Explorer\iexplore.exe
        Command line: "C:\Program Files\Internet Explorer\iexplore.exe"
        PID: 2524
      C:\Program Files\Internet Explorer\iexplore.exe
        Command line: "C:\Program Files\Internet Explorer\iexplore.exe"
        PID: 2836
      C:\Program Files\Internet Explorer\iexplore.exe
        Command line: "C:\Program Files\Internet Explorer\iexplore.exe"
        PID: 2844
      C:\Program Files\Internet Explorer\iexplore.exe
        Command line: "C:\Program Files\Internet Explorer\iexplore.exe"
        PID: 2556
      C:\Program Files\Internet Explorer\iexplore.exe
        Command line: "C:\Program Files\Internet Explorer\iexplore.exe"
        PID: 2804
      C:\Program Files\Internet Explorer\iexplore.exe
        Command line: "C:\Program Files\Internet Explorer\iexplore.exe"
        PID: 1732
      C:\Program Files\Internet Explorer\iexplore.exe
        Command line: "C:\Program Files\Internet Explorer\iexplore.exe"
        PID: 2204
Network
MITRE ATT&CK Enterprise v15
Downloads
\Users\Admin\AppData\Local\Xenocode\Sandbox\Project1\1.00\1432.12.24T23.29\Virtual\STUBEXE\@APPDATALOCAL@\Temp\seri7.exe
  Filesize: 17KB
  MD5: 91b04c9117ab49ef8f8cf4150bec9f1d
  SHA1: c919eed86b9c692441c516cf130d2fd97bde505b
  SHA256: dc7eef8ef6640cfcafdc3aa0b7a2b3b86b6952b018e405f0efe89aea400af446
  SHA512: db11be15ac6662cf89c1f0aed7ddee2f2c2ad2f261d2bb57dc7fe21fba5746158215a8d42e4b03b43e0c8d6fb7fd59568a8ff48a63c064a7bcbc433aa3540373