Malware Analysis Report

2025-01-02 02:48

Sample ID: 240718-qh9m4szell
Target: 578a78ff215af0588458ddb15ac3428b_JaffaCakes118
SHA256: 776627766f395ed035b1bbbf1f502fe70b35d2bd36769e067bb8699ddd1a063c
Tags: upx xtremerat persistence rat spyware
Score: 10/10

Table of Contents

Analysis Overview
MITRE ATT&CK
    Enterprise Matrix V15
Analysis: static1
    Detonation Overview
    Signatures
Analysis: behavioral1
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files
Analysis: behavioral2
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files

Analysis Overview

Score: 10/10

SHA256: 776627766f395ed035b1bbbf1f502fe70b35d2bd36769e067bb8699ddd1a063c

Threat Level: Known bad

The file 578a78ff215af0588458ddb15ac3428b_JaffaCakes118 was found to be: Known bad.

Malicious Activity Summary

upx xtremerat persistence rat spyware

XtremeRAT

Detect XtremeRAT payload

Boot or Logon Autostart Execution: Active Setup

Deletes itself

UPX packed file

Adds Run key to start application

Enumerates physical storage devices

Unsigned PE

Suspicious use of SetWindowsHookEx

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported: 2024-07-18 13:16

Signatures

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted: 2024-07-18 13:16
Reported: 2024-07-18 13:26
Platform: win7-20240705-en
Max time kernel: 145s
Max time network: 148s

Command Line

"C:\Users\Admin\AppData\Local\Temp\578a78ff215af0588458ddb15ac3428b_JaffaCakes118.exe"

Signatures

Detect XtremeRAT payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

XtremeRAT

persistence spyware rat xtremerat

Boot or Logon Autostart Execution: Active Setup

persistence
Description Indicator Process Target
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{H10YKD0R-08D6-7DCE-5O73-34AUE2W1CP46} C:\Users\Admin\AppData\Local\Temp\578a78ff215af0588458ddb15ac3428b_JaffaCakes118.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{H10YKD0R-08D6-7DCE-5O73-34AUE2W1CP46}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\MediaVisio\\adobe.exe restart" C:\Users\Admin\AppData\Local\Temp\578a78ff215af0588458ddb15ac3428b_JaffaCakes118.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{H10YKD0R-08D6-7DCE-5O73-34AUE2W1CP46} C:\Windows\SysWOW64\svchost.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{H10YKD0R-08D6-7DCE-5O73-34AUE2W1CP46}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\MediaVisio\\adobe.exe" C:\Windows\SysWOW64\svchost.exe N/A

Deletes itself

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\explorer.exe N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-2660163958-4080398480-1122754539-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Users\\Admin\\AppData\\Roaming\\MediaVisio\\adobe.exe" C:\Users\Admin\AppData\Local\Temp\578a78ff215af0588458ddb15ac3428b_JaffaCakes118.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Users\\Admin\\AppData\\Roaming\\MediaVisio\\adobe.exe" C:\Windows\SysWOW64\svchost.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2660163958-4080398480-1122754539-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Users\\Admin\\AppData\\Roaming\\MediaVisio\\adobe.exe" C:\Windows\SysWOW64\svchost.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Users\\Admin\\AppData\\Roaming\\MediaVisio\\adobe.exe" C:\Users\Admin\AppData\Local\Temp\578a78ff215af0588458ddb15ac3428b_JaffaCakes118.exe N/A

Enumerates physical storage devices

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\explorer.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1620 wrote to memory of 2448 N/A C:\Users\Admin\AppData\Local\Temp\578a78ff215af0588458ddb15ac3428b_JaffaCakes118.exe C:\Windows\SysWOW64\svchost.exe
PID 1620 wrote to memory of 2448 N/A C:\Users\Admin\AppData\Local\Temp\578a78ff215af0588458ddb15ac3428b_JaffaCakes118.exe C:\Windows\SysWOW64\svchost.exe
PID 1620 wrote to memory of 2448 N/A C:\Users\Admin\AppData\Local\Temp\578a78ff215af0588458ddb15ac3428b_JaffaCakes118.exe C:\Windows\SysWOW64\svchost.exe
PID 1620 wrote to memory of 2448 N/A C:\Users\Admin\AppData\Local\Temp\578a78ff215af0588458ddb15ac3428b_JaffaCakes118.exe C:\Windows\SysWOW64\svchost.exe
PID 1620 wrote to memory of 2448 N/A C:\Users\Admin\AppData\Local\Temp\578a78ff215af0588458ddb15ac3428b_JaffaCakes118.exe C:\Windows\SysWOW64\svchost.exe
PID 1620 wrote to memory of 3056 N/A C:\Users\Admin\AppData\Local\Temp\578a78ff215af0588458ddb15ac3428b_JaffaCakes118.exe C:\Windows\SysWOW64\explorer.exe
PID 1620 wrote to memory of 3056 N/A C:\Users\Admin\AppData\Local\Temp\578a78ff215af0588458ddb15ac3428b_JaffaCakes118.exe C:\Windows\SysWOW64\explorer.exe
PID 1620 wrote to memory of 3056 N/A C:\Users\Admin\AppData\Local\Temp\578a78ff215af0588458ddb15ac3428b_JaffaCakes118.exe C:\Windows\SysWOW64\explorer.exe
PID 1620 wrote to memory of 3056 N/A C:\Users\Admin\AppData\Local\Temp\578a78ff215af0588458ddb15ac3428b_JaffaCakes118.exe C:\Windows\SysWOW64\explorer.exe
PID 1620 wrote to memory of 1704 N/A C:\Users\Admin\AppData\Local\Temp\578a78ff215af0588458ddb15ac3428b_JaffaCakes118.exe C:\Windows\SysWOW64\explorer.exe
PID 1620 wrote to memory of 1704 N/A C:\Users\Admin\AppData\Local\Temp\578a78ff215af0588458ddb15ac3428b_JaffaCakes118.exe C:\Windows\SysWOW64\explorer.exe
PID 1620 wrote to memory of 1704 N/A C:\Users\Admin\AppData\Local\Temp\578a78ff215af0588458ddb15ac3428b_JaffaCakes118.exe C:\Windows\SysWOW64\explorer.exe
PID 1620 wrote to memory of 1704 N/A C:\Users\Admin\AppData\Local\Temp\578a78ff215af0588458ddb15ac3428b_JaffaCakes118.exe C:\Windows\SysWOW64\explorer.exe
PID 1620 wrote to memory of 1704 N/A C:\Users\Admin\AppData\Local\Temp\578a78ff215af0588458ddb15ac3428b_JaffaCakes118.exe C:\Windows\SysWOW64\explorer.exe
PID 1620 wrote to memory of 3056 N/A C:\Users\Admin\AppData\Local\Temp\578a78ff215af0588458ddb15ac3428b_JaffaCakes118.exe C:\Windows\SysWOW64\explorer.exe

Processes

C:\Users\Admin\AppData\Local\Temp\578a78ff215af0588458ddb15ac3428b_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\578a78ff215af0588458ddb15ac3428b_JaffaCakes118.exe"

C:\Windows\SysWOW64\svchost.exe

svchost.exe

C:\Windows\SysWOW64\explorer.exe

explorer.exe

C:\Windows\SysWOW64\explorer.exe

explorer.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 cliupdate.sytes.net udp
ES 94.73.32.191:3321 cliupdate.sytes.net tcp
ES 94.73.32.191:3321 cliupdate.sytes.net tcp
ES 94.73.32.191:3321 cliupdate.sytes.net tcp
ES 94.73.32.191:3321 cliupdate.sytes.net tcp
ES 94.73.32.191:3321 cliupdate.sytes.net tcp
ES 94.73.32.191:3321 cliupdate.sytes.net tcp

Files

memory/1620-0-0x0000000000400000-0x0000000000424000-memory.dmp

memory/1620-1-0x0000000000220000-0x0000000000226000-memory.dmp

memory/1620-2-0x0000000000400000-0x0000000000424000-memory.dmp

memory/2448-8-0x0000000000400000-0x0000000000412000-memory.dmp

memory/2448-10-0x0000000000400000-0x0000000000412000-memory.dmp

C:\Users\Admin\AppData\Roaming\MediaVisio\adobe.exe

MD5 578a78ff215af0588458ddb15ac3428b
SHA1 c460b5360f23e51d0aac0abea752fa0549bd43d1
SHA256 776627766f395ed035b1bbbf1f502fe70b35d2bd36769e067bb8699ddd1a063c
SHA512 aa16fefe2926fbf84748287b35b614fa0aa278f248220975b221607e072dddb36c39d69a84afd3a2ec10e4df38fdeb10eb0faf61a3192529d50760731be92fe9

memory/1704-14-0x0000000000400000-0x0000000000412000-memory.dmp

memory/3056-17-0x0000000000400000-0x0000000000412000-memory.dmp

memory/1620-18-0x0000000000400000-0x0000000000424000-memory.dmp

memory/3056-21-0x0000000000400000-0x0000000000412000-memory.dmp

memory/3056-22-0x0000000000400000-0x0000000000412000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted: 2024-07-18 13:16
Reported: 2024-07-18 13:26
Platform: win10v2004-20240709-en
Max time kernel: 143s
Max time network: 127s

Command Line

"C:\Users\Admin\AppData\Local\Temp\578a78ff215af0588458ddb15ac3428b_JaffaCakes118.exe"

Signatures

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Processes

C:\Users\Admin\AppData\Local\Temp\578a78ff215af0588458ddb15ac3428b_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\578a78ff215af0588458ddb15ac3428b_JaffaCakes118.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 104.219.191.52.in-addr.arpa udp
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.237:443 g.bing.com tcp
US 8.8.8.8:53 0.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 0.204.248.87.in-addr.arpa udp
US 8.8.8.8:53 237.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 217.106.137.52.in-addr.arpa udp
US 8.8.8.8:53 88.156.103.20.in-addr.arpa udp
US 8.8.8.8:53 157.123.68.40.in-addr.arpa udp
US 8.8.8.8:53 192.142.123.92.in-addr.arpa udp
US 8.8.8.8:53 206.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 73.144.22.2.in-addr.arpa udp
US 52.111.227.11:443 tcp
US 8.8.8.8:53 23.236.111.52.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 10.27.171.150.in-addr.arpa udp

Files

memory/3864-0-0x0000000000400000-0x0000000000424000-memory.dmp

memory/3864-1-0x0000000000400000-0x0000000000424000-memory.dmp