Analysis

max time kernel: 95s
max time network: 128s
platform: windows10-2004_x64
resource: win10v2004-20240709-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240709-en, locale:en-us, os:windows10-2004-x64, system
submitted: 19-07-2024 18:53

Static task: static1
Behavioral task: behavioral1
Sample: 5d3b3d8e6821442724565d30c0b7e4ce_JaffaCakes118.exe
Resource: win7-20240705-en

General

Target: 5d3b3d8e6821442724565d30c0b7e4ce_JaffaCakes118.exe
Size: 60KB
MD5: 5d3b3d8e6821442724565d30c0b7e4ce
SHA1: 87465b555d0ff9be0fa7eb52bf60915c42d693b8
SHA256: 1eb2041132eeb836eb70f8ac4895f37f8cc3ae21d9d04143058b1d924a6f11ca
SHA512: 585639857f07a06b822d3c3374a056214e1e70b4031aadc328bddef6fa18ad9f95d51071a7cae4850d0cea7a4754ab200b32323d0597f1dd39d2b4c67bb31c68
SSDEEP: 1536:ENnk5Ql7z8O/2xT0Z1AZWMgEdBhgwke0lQDlO/:ENnk548OYYZOBhg9e0lQhO/
Malware Config
Extracted
xtremerat
eqqqqe.zapto.org
Signatures

Detect XtremeRAT payload (5 IoCs)
resource  yara_rule
behavioral2/memory/4976-5-0x0000000010000000-0x000000001004D000-memory.dmp  family_xtremerat
behavioral2/memory/4976-6-0x0000000010000000-0x000000001004D000-memory.dmp  family_xtremerat
behavioral2/memory/4996-7-0x0000000010000000-0x000000001004D000-memory.dmp  family_xtremerat
behavioral2/memory/4976-8-0x0000000010000000-0x000000001004D000-memory.dmp  family_xtremerat
behavioral2/memory/4996-9-0x0000000010000000-0x000000001004D000-memory.dmp  family_xtremerat

Modifies firewall policy service (3 TTPs, 6 IoCs)
description  ioc  Process
Set value (str)  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\Users\Admin\AppData\Local\Temp\5d3b3d8e6821442724565d30c0b7e4ce_JaffaCakes118.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\5d3b3d8e6821442724565d30c0b7e4ce_JaffaCakes118.exe:*:Enabled:Windows Messanger"  reg.exe
Key created  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile  reg.exe
Set value (int)  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0"  reg.exe
Key created  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List  reg.exe
Key created  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile  reg.exe
Key created  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications  reg.exe

XtremeRAT
XtremeRAT was developed by xtremecoder, is written in Delphi, and has been available since at least 2010.

resource  yara_rule
behavioral2/memory/4976-2-0x0000000010000000-0x000000001004D000-memory.dmp  upx
behavioral2/memory/4976-4-0x0000000010000000-0x000000001004D000-memory.dmp  upx
behavioral2/memory/4976-5-0x0000000010000000-0x000000001004D000-memory.dmp  upx
behavioral2/memory/4976-6-0x0000000010000000-0x000000001004D000-memory.dmp  upx
behavioral2/memory/4996-7-0x0000000010000000-0x000000001004D000-memory.dmp  upx
behavioral2/memory/4976-8-0x0000000010000000-0x000000001004D000-memory.dmp  upx
behavioral2/memory/4996-9-0x0000000010000000-0x000000001004D000-memory.dmp  upx

Suspicious use of SetThreadContext (1 IoC)
description  pid  Process  procid_target
PID 3120 set thread context of 4976  3120  5d3b3d8e6821442724565d30c0b7e4ce_JaffaCakes118.exe  86

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).

Program crash (2 IoCs)
pid  pid_target  Process  procid_target
4440  4996  WerFault.exe  91
4176  4996  WerFault.exe  91

Modifies registry key (1 TTP, 2 IoCs)
pid  Process
4972  reg.exe
4864  reg.exe

Suspicious use of SetWindowsHookEx (1 IoC)
pid  Process
3120  5d3b3d8e6821442724565d30c0b7e4ce_JaffaCakes118.exe

Suspicious use of WriteProcessMemory (27 IoCs)
description  pid  Process  procid_target
PID 3120 wrote to memory of 2448  3120  5d3b3d8e6821442724565d30c0b7e4ce_JaffaCakes118.exe  84
PID 3120 wrote to memory of 2448  3120  5d3b3d8e6821442724565d30c0b7e4ce_JaffaCakes118.exe  84
PID 3120 wrote to memory of 2448  3120  5d3b3d8e6821442724565d30c0b7e4ce_JaffaCakes118.exe  84
PID 3120 wrote to memory of 1192  3120  5d3b3d8e6821442724565d30c0b7e4ce_JaffaCakes118.exe  85
PID 3120 wrote to memory of 1192  3120  5d3b3d8e6821442724565d30c0b7e4ce_JaffaCakes118.exe  85
PID 3120 wrote to memory of 1192  3120  5d3b3d8e6821442724565d30c0b7e4ce_JaffaCakes118.exe  85
PID 3120 wrote to memory of 4976  3120  5d3b3d8e6821442724565d30c0b7e4ce_JaffaCakes118.exe  86
PID 3120 wrote to memory of 4976  3120  5d3b3d8e6821442724565d30c0b7e4ce_JaffaCakes118.exe  86
PID 3120 wrote to memory of 4976  3120  5d3b3d8e6821442724565d30c0b7e4ce_JaffaCakes118.exe  86
PID 3120 wrote to memory of 4976  3120  5d3b3d8e6821442724565d30c0b7e4ce_JaffaCakes118.exe  86
PID 3120 wrote to memory of 4976  3120  5d3b3d8e6821442724565d30c0b7e4ce_JaffaCakes118.exe  86
PID 3120 wrote to memory of 4976  3120  5d3b3d8e6821442724565d30c0b7e4ce_JaffaCakes118.exe  86
PID 3120 wrote to memory of 4976  3120  5d3b3d8e6821442724565d30c0b7e4ce_JaffaCakes118.exe  86
PID 3120 wrote to memory of 4976  3120  5d3b3d8e6821442724565d30c0b7e4ce_JaffaCakes118.exe  86
PID 2448 wrote to memory of 4972  2448  cmd.exe  89
PID 2448 wrote to memory of 4972  2448  cmd.exe  89
PID 2448 wrote to memory of 4972  2448  cmd.exe  89
PID 1192 wrote to memory of 4864  1192  cmd.exe  90
PID 1192 wrote to memory of 4864  1192  cmd.exe  90
PID 1192 wrote to memory of 4864  1192  cmd.exe  90
PID 4976 wrote to memory of 4996  4976  5d3b3d8e6821442724565d30c0b7e4ce_JaffaCakes118.exe  91
PID 4976 wrote to memory of 4996  4976  5d3b3d8e6821442724565d30c0b7e4ce_JaffaCakes118.exe  91
PID 4976 wrote to memory of 4996  4976  5d3b3d8e6821442724565d30c0b7e4ce_JaffaCakes118.exe  91
PID 4976 wrote to memory of 4996  4976  5d3b3d8e6821442724565d30c0b7e4ce_JaffaCakes118.exe  91
PID 4976 wrote to memory of 3440  4976  5d3b3d8e6821442724565d30c0b7e4ce_JaffaCakes118.exe  92
PID 4976 wrote to memory of 3440  4976  5d3b3d8e6821442724565d30c0b7e4ce_JaffaCakes118.exe  92
PID 4976 wrote to memory of 3440  4976  5d3b3d8e6821442724565d30c0b7e4ce_JaffaCakes118.exe  92
Processes

C:\Users\Admin\AppData\Local\Temp\5d3b3d8e6821442724565d30c0b7e4ce_JaffaCakes118.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\5d3b3d8e6821442724565d30c0b7e4ce_JaffaCakes118.exe"
  - Suspicious use of SetThreadContext
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID: 3120

  C:\Windows\SysWOW64\cmd.exe
    command line: cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
    - Suspicious use of WriteProcessMemory
    PID: 2448

    C:\Windows\SysWOW64\reg.exe
      command line: REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
      - Modifies firewall policy service
      - Modifies registry key
      PID: 4972

  C:\Windows\SysWOW64\cmd.exe
    command line: cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Local\Temp\5d3b3d8e6821442724565d30c0b7e4ce_JaffaCakes118.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\5d3b3d8e6821442724565d30c0b7e4ce_JaffaCakes118.exe:*:Enabled:Windows Messanger" /f
    - Suspicious use of WriteProcessMemory
    PID: 1192

    C:\Windows\SysWOW64\reg.exe
      command line: REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Local\Temp\5d3b3d8e6821442724565d30c0b7e4ce_JaffaCakes118.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\5d3b3d8e6821442724565d30c0b7e4ce_JaffaCakes118.exe:*:Enabled:Windows Messanger" /f
      - Modifies firewall policy service
      - Modifies registry key
      PID: 4864

  C:\Users\Admin\AppData\Local\Temp\5d3b3d8e6821442724565d30c0b7e4ce_JaffaCakes118.exe
    command line: "C:\Users\Admin\AppData\Local\Temp\5d3b3d8e6821442724565d30c0b7e4ce_JaffaCakes118.exe"
    - Suspicious use of WriteProcessMemory
    PID: 4976

    C:\Windows\SysWOW64\svchost.exe
      command line: svchost.exe
      PID: 4996

      C:\Windows\SysWOW64\WerFault.exe
        command line: C:\Windows\SysWOW64\WerFault.exe -u -p 4996 -s 484
        - Program crash
        PID: 4440

      C:\Windows\SysWOW64\WerFault.exe
        command line: C:\Windows\SysWOW64\WerFault.exe -u -p 4996 -s 492
        - Program crash
        PID: 4176

    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
      PID: 3440

C:\Windows\SysWOW64\WerFault.exe
  command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 404 -p 4996 -ip 4996
  PID: 948

C:\Windows\SysWOW64\WerFault.exe
  command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 508 -p 4996 -ip 4996
  PID: 2672