Analysis

  • max time kernel
    95s
  • max time network
    128s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240709-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240709-enlocale:en-usos:windows10-2004-x64system
  • submitted
    19-07-2024 18:53

General

  • Target

    5d3b3d8e6821442724565d30c0b7e4ce_JaffaCakes118.exe

  • Size

    60KB

  • MD5

    5d3b3d8e6821442724565d30c0b7e4ce

  • SHA1

    87465b555d0ff9be0fa7eb52bf60915c42d693b8

  • SHA256

    1eb2041132eeb836eb70f8ac4895f37f8cc3ae21d9d04143058b1d924a6f11ca

  • SHA512

    585639857f07a06b822d3c3374a056214e1e70b4031aadc328bddef6fa18ad9f95d51071a7cae4850d0cea7a4754ab200b32323d0597f1dd39d2b4c67bb31c68

  • SSDEEP

    1536:ENnk5Ql7z8O/2xT0Z1AZWMgEdBhgwke0lQDlO/:ENnk548OYYZOBhg9e0lQhO/

Malware Config

Extracted

Family

xtremerat

C2

eqqqqe.zapto.org

Signatures

  • Detect XtremeRAT payload 5 IoCs
  • Modifies firewall policy service 3 TTPs 6 IoCs
  • XtremeRAT

    The XtremeRAT was developed by xtremecoder and has been available since at least 2010, and written in Delphi.

  • UPX packed file 7 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

  • Suspicious use of SetThreadContext 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Program crash 2 IoCs
  • Modifies registry key 1 TTPs 2 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 27 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\5d3b3d8e6821442724565d30c0b7e4ce_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\5d3b3d8e6821442724565d30c0b7e4ce_JaffaCakes118.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:3120
    • C:\Windows\SysWOW64\cmd.exe
      cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:2448
      • C:\Windows\SysWOW64\reg.exe
        REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
        3⤵
        • Modifies firewall policy service
        • Modifies registry key
        PID:4972
    • C:\Windows\SysWOW64\cmd.exe
      cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Local\Temp\5d3b3d8e6821442724565d30c0b7e4ce_JaffaCakes118.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\5d3b3d8e6821442724565d30c0b7e4ce_JaffaCakes118.exe:*:Enabled:Windows Messanger" /f
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:1192
      • C:\Windows\SysWOW64\reg.exe
        REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Local\Temp\5d3b3d8e6821442724565d30c0b7e4ce_JaffaCakes118.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\5d3b3d8e6821442724565d30c0b7e4ce_JaffaCakes118.exe:*:Enabled:Windows Messanger" /f
        3⤵
        • Modifies firewall policy service
        • Modifies registry key
        PID:4864
    • C:\Users\Admin\AppData\Local\Temp\5d3b3d8e6821442724565d30c0b7e4ce_JaffaCakes118.exe
      "C:\Users\Admin\AppData\Local\Temp\5d3b3d8e6821442724565d30c0b7e4ce_JaffaCakes118.exe"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:4976
      • C:\Windows\SysWOW64\svchost.exe
        svchost.exe
        3⤵
          PID:4996
          • C:\Windows\SysWOW64\WerFault.exe
            C:\Windows\SysWOW64\WerFault.exe -u -p 4996 -s 484
            4⤵
            • Program crash
            PID:4440
          • C:\Windows\SysWOW64\WerFault.exe
            C:\Windows\SysWOW64\WerFault.exe -u -p 4996 -s 492
            4⤵
            • Program crash
            PID:4176
        • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
          "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
          3⤵
            PID:3440
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -pss -s 404 -p 4996 -ip 4996
        1⤵
          PID:948
        • C:\Windows\SysWOW64\WerFault.exe
          C:\Windows\SysWOW64\WerFault.exe -pss -s 508 -p 4996 -ip 4996
          1⤵
            PID:2672

          Network

          MITRE ATT&CK Enterprise v15

          Replay Monitor

          Loading Replay Monitor...

          Downloads

          • memory/4976-2-0x0000000010000000-0x000000001004D000-memory.dmp

            Filesize

            308KB

          • memory/4976-4-0x0000000010000000-0x000000001004D000-memory.dmp

            Filesize

            308KB

          • memory/4976-5-0x0000000010000000-0x000000001004D000-memory.dmp

            Filesize

            308KB

          • memory/4976-6-0x0000000010000000-0x000000001004D000-memory.dmp

            Filesize

            308KB

          • memory/4976-8-0x0000000010000000-0x000000001004D000-memory.dmp

            Filesize

            308KB

          • memory/4996-7-0x0000000010000000-0x000000001004D000-memory.dmp

            Filesize

            308KB

          • memory/4996-9-0x0000000010000000-0x000000001004D000-memory.dmp

            Filesize

            308KB