Analysis
max time kernel: 149s
max time network: 150s
platform: windows7_x64
resource: win7-20240705-en
resource tags: arch:x64, arch:x86, image:win7-20240705-en, locale:en-us, os:windows7-x64, system
submitted: 19-07-2024 19:04
Static task: static1
Behavioral task: behavioral1
Sample: 5d42b90263e3c13a3d06ec6d459e2ca4_JaffaCakes118.exe
Resource: win7-20240705-en
General
Target: 5d42b90263e3c13a3d06ec6d459e2ca4_JaffaCakes118.exe
Size: 56KB
MD5: 5d42b90263e3c13a3d06ec6d459e2ca4
SHA1: 1ee1f449e3b44e31340f7ebbf789f13a805cf6d7
SHA256: 035e89e20d22fae4b7b02e0931ed164e4716392f705a4f608749289ca8fd16b3
SHA512: ffbce5f775d9ebd5176de4f20cee68cbfef223819c3318d559ff73796116c6878ff2ea93b3ead769beca6d064175cc31e1ce369f7f309f8a193c214b89e9a36b
SSDEEP: 768:e8BWhOJdF2KL3jGf+JdPiBPU7C/lB9hUOuuqvorrnoHFLJYbawbEt10VfzCaa:RJdFryfk2DNhUOmvKKtCB2aa
Malware Config
Extracted
Family: xtremerat
C2: kadir645.no-ip.org
Signatures
Detect XtremeRAT payload 8 IoCs
resource | yara_rule
behavioral1/memory/2112-10-0x0000000010000000-0x000000001004B000-memory.dmp | family_xtremerat
behavioral1/memory/2112-11-0x0000000010000000-0x000000001004B000-memory.dmp | family_xtremerat
behavioral1/memory/2264-14-0x0000000010000000-0x000000001004B000-memory.dmp | family_xtremerat
behavioral1/memory/2736-17-0x0000000010000000-0x000000001004B000-memory.dmp | family_xtremerat
behavioral1/memory/2112-18-0x0000000010000000-0x000000001004B000-memory.dmp | family_xtremerat
behavioral1/memory/2736-22-0x0000000010000000-0x000000001004B000-memory.dmp | family_xtremerat
behavioral1/memory/2736-21-0x0000000010000000-0x000000001004B000-memory.dmp | family_xtremerat
behavioral1/memory/2264-24-0x0000000010000000-0x000000001004B000-memory.dmp | family_xtremerat
Modifies firewall policy service 3 TTPs 4 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" | reg.exe
Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List | reg.exe
Set value (str) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\Users\Admin\AppData\Local\Temp\5d42b90263e3c13a3d06ec6d459e2ca4_JaffaCakes118.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\5d42b90263e3c13a3d06ec6d459e2ca4_JaffaCakes118.exe:*:Enabled:Windows Messanger" | reg.exe
Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile | reg.exe
XtremeRAT
XtremeRAT was developed by xtremecoder, has been available since at least 2010, and is written in Delphi.
Boot or Logon Autostart Execution: Active Setup 2 TTPs 4 IoCs
Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.
description | ioc | Process
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{D680F4FM-1Y23-424O-Y6P3-172G7K26R03H} | explorer.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{D680F4FM-1Y23-424O-Y6P3-172G7K26R03H}\StubPath = "C:\\Windows\\system32\\winstock\\explorer.exe restart" | explorer.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{D680F4FM-1Y23-424O-Y6P3-172G7K26R03H} | svchost.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{D680F4FM-1Y23-424O-Y6P3-172G7K26R03H}\StubPath = "C:\\Windows\\system32\\winstock\\explorer.exe" | svchost.exe
UPX packed file 12 IoCs
resource | yara_rule
behavioral1/memory/2112-7-0x0000000010000000-0x000000001004B000-memory.dmp | upx
behavioral1/memory/2112-10-0x0000000010000000-0x000000001004B000-memory.dmp | upx
behavioral1/memory/2112-11-0x0000000010000000-0x000000001004B000-memory.dmp | upx
behavioral1/memory/2112-9-0x0000000010000000-0x000000001004B000-memory.dmp | upx
behavioral1/memory/2112-4-0x0000000010000000-0x000000001004B000-memory.dmp | upx
behavioral1/memory/2112-3-0x0000000010000000-0x000000001004B000-memory.dmp | upx
behavioral1/memory/2264-14-0x0000000010000000-0x000000001004B000-memory.dmp | upx
behavioral1/memory/2736-17-0x0000000010000000-0x000000001004B000-memory.dmp | upx
behavioral1/memory/2112-18-0x0000000010000000-0x000000001004B000-memory.dmp | upx
behavioral1/memory/2736-22-0x0000000010000000-0x000000001004B000-memory.dmp | upx
behavioral1/memory/2736-21-0x0000000010000000-0x000000001004B000-memory.dmp | upx
behavioral1/memory/2264-24-0x0000000010000000-0x000000001004B000-memory.dmp | upx
Adds Run key to start application 2 TTPs 5 IoCs
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Windows\\system32\\winstock\\explorer.exe" | svchost.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Windows\\system32\\winstock\\explorer.exe" | svchost.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Windows\\system32\\winstock\\explorer.exe" | explorer.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Windows\\system32\\winstock\\explorer.exe" | explorer.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKCU = "explorer.exe" | explorer.exe
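The three registry signatures above (firewall policy, Active Setup, Run keys) translate directly into detection logic. The script below is an added example written for this page, not Triage's or the sample's code. It runs over constructed records modelled on Sysmon Event ID 13 (RegistryEvent, value set) that mirror the IoCs in this report; the pipe-separated "Field=value" line format is an assumption for the demo, not Sysmon's real XML. It flags the three things the report shows: the Windows Firewall StandardProfile DoNotAllowExceptions value being set to 0 together with an AuthorizedApplications\List entry for an executable under a user-writable directory (the display name in that entry, "Windows Messanger", is misspelled and is itself a usable string indicator); an Active Setup Installed Components key whose name is not a syntactically valid GUID (CLSIDs are hexadecimal, and {D680F4FM-1Y23-424O-Y6P3-172G7K26R03H} is not); and Run or StubPath values whose target borrows a Windows binary name (explorer.exe, svchost.exe) but does not live in C:\Windows, System32 or SysWOW64, as with C:\Windows\system32\winstock\explorer.exe here. The lists of mimicked names and system directories are starting points, not complete allow-lists.

```python
"""Registry-persistence triage for the IoCs in this report.
Added example for this page; not Triage or XtremeRAT code.
Input: constructed records modelled on Sysmon Event ID 13 (value set),
flattened to 'Field=value|Field=value' lines (an assumption for the demo)."""
import re

# Constructed sample records mirroring the report's IoCs; the last one is benign.
SAMPLE_EVENTS = r"""
Image=C:\Windows\SysWOW64\reg.exe|TargetObject=HKLM\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions|Details=DWORD (0x00000000)
Image=C:\Windows\SysWOW64\reg.exe|TargetObject=HKLM\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\Users\Admin\AppData\Local\Temp\5d42b90263e3c13a3d06ec6d459e2ca4_JaffaCakes118.exe|Details=C:\Users\Admin\AppData\Local\Temp\5d42b90263e3c13a3d06ec6d459e2ca4_JaffaCakes118.exe:*:Enabled:Windows Messanger
Image=C:\Windows\SysWOW64\explorer.exe|TargetObject=HKLM\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{D680F4FM-1Y23-424O-Y6P3-172G7K26R03H}\StubPath|Details=C:\Windows\system32\winstock\explorer.exe restart
Image=C:\Windows\SysWOW64\svchost.exe|TargetObject=HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM|Details=C:\Windows\system32\winstock\explorer.exe
Image=C:\Windows\SysWOW64\explorer.exe|TargetObject=HKU\S-1-5-21-1385883288-3042840365-2734249351-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKCU|Details=explorer.exe
Image=C:\Windows\System32\msiexec.exe|TargetObject=HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OneDrive|Details=C:\Program Files\Microsoft OneDrive\OneDrive.exe
"""

GUID_RE = re.compile(r"^\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}$")
# Where the mimicked names legitimately live (starting point, not an exhaustive allow-list).
SYSTEM_BINARY_DIRS = {"c:\\windows", "c:\\windows\\system32", "c:\\windows\\syswow64"}
MIMICKED_NAMES = {"explorer.exe", "svchost.exe", "csrss.exe", "lsass.exe", "winlogon.exe"}
USER_WRITABLE_RE = re.compile(r"\\(users|appdata|temp|programdata)\\", re.I)


def parse_event(line):
    """'Field=value|Field=value' -> dict (demo format, not real Sysmon XML)."""
    return dict(part.split("=", 1) for part in line.split("|"))


def suspicious_binary_path(command):
    """Reason string if the command launches a Windows-named binary from outside
    the system directories, or with no directory at all (PATH search); else None."""
    m = re.match(r'\s*"?(.*?\.exe)', command, re.I)
    if not m:
        return None
    exe = m.group(1)
    directory, _, name = exe.rpartition("\\")
    if name.lower() not in MIMICKED_NAMES:
        return None
    if directory.lower() in SYSTEM_BINARY_DIRS:
        return None
    where = directory or "<no directory: resolved through PATH search>"
    return f"{name} started from non-standard location {where}"


def findings_for(event):
    key = event["TargetObject"]
    key_lc = key.lower()
    details = event.get("Details", "")
    out = []
    # 1. Windows Firewall policy tampering (the two REG ADD commands in the process tree)
    if key_lc.endswith("\\firewallpolicy\\standardprofile\\donotallowexceptions") \
            and details.strip().endswith("(0x00000000)"):
        out.append("firewall exceptions re-enabled: DoNotAllowExceptions set to 0")
    m = re.search(r"\\authorizedapplications\\list\\(.+)$", key, re.I)
    if m and USER_WRITABLE_RE.search(m.group(1)):
        out.append(f"firewall exception granted to user-writable path {m.group(1)}")
    # 2. Active Setup component names must be GUIDs (hex only); this sample's is not
    m = re.search(r"\\active setup\\installed components\\(\{[^\\]*\})", key, re.I)
    if m and not GUID_RE.match(m.group(1)):
        out.append(f"Active Setup component {m.group(1)} is not a syntactically valid GUID")
    # 3. Autostart targets (Run values, Active Setup StubPath) impersonating system binaries
    if "\\currentversion\\run\\" in key_lc or key_lc.endswith("\\stubpath"):
        reason = suspicious_binary_path(details)
        if reason:
            out.append(reason)
    return out


def triage(log_text):
    """Return (writing process image, registry path, finding) triples."""
    results = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        event = parse_event(line)
        for finding in findings_for(event):
            results.append((event["Image"].rpartition("\\")[2], event["TargetObject"], finding))
    return results


if __name__ == "__main__":
    for image, key, finding in triage(SAMPLE_EVENTS):
        print(f"[{image}] {finding}\n    at {key}")
```

Run as-is it reports six findings for the five malicious records and nothing for the OneDrive entry. To use it against real telemetry, replace parse_event with a reader for your log source and keep the three checks.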
Drops file in System32 directory 3 IoCs
description | ioc | Process
File opened for modification | C:\Windows\SysWOW64\winstock\explorer.exe | explorer.exe
File created | C:\Windows\SysWOW64\winstock\explorer.exe | explorer.exe
File opened for modification | C:\Windows\SysWOW64\winstock\ | explorer.exe
Suspicious use of SetThreadContext 1 IoCs
description | pid | Process | procid_target
PID 2052 set thread context of 2112 | 2052 | 5d42b90263e3c13a3d06ec6d459e2ca4_JaffaCakes118.exe | 34
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
Modifies registry key 1 TTPs 2 IoCs
pid | Process
2280 | reg.exe
1452 | reg.exe
Suspicious use of SetWindowsHookEx 2 IoCs
pid | Process
2052 | 5d42b90263e3c13a3d06ec6d459e2ca4_JaffaCakes118.exe
2736 | explorer.exe
Suspicious use of WriteProcessMemory 34 IoCs
description | pid | Process | procid_target
PID 2052 wrote to memory of 1956 | 2052 | 5d42b90263e3c13a3d06ec6d459e2ca4_JaffaCakes118.exe | 31
PID 2052 wrote to memory of 1956 | 2052 | 5d42b90263e3c13a3d06ec6d459e2ca4_JaffaCakes118.exe | 31
PID 2052 wrote to memory of 1956 | 2052 | 5d42b90263e3c13a3d06ec6d459e2ca4_JaffaCakes118.exe | 31
PID 2052 wrote to memory of 1956 | 2052 | 5d42b90263e3c13a3d06ec6d459e2ca4_JaffaCakes118.exe | 31
PID 2052 wrote to memory of 2132 | 2052 | 5d42b90263e3c13a3d06ec6d459e2ca4_JaffaCakes118.exe | 32
PID 2052 wrote to memory of 2132 | 2052 | 5d42b90263e3c13a3d06ec6d459e2ca4_JaffaCakes118.exe | 32
PID 2052 wrote to memory of 2132 | 2052 | 5d42b90263e3c13a3d06ec6d459e2ca4_JaffaCakes118.exe | 32
PID 2052 wrote to memory of 2132 | 2052 | 5d42b90263e3c13a3d06ec6d459e2ca4_JaffaCakes118.exe | 32
PID 2052 wrote to memory of 2112 | 2052 | 5d42b90263e3c13a3d06ec6d459e2ca4_JaffaCakes118.exe | 34
PID 2052 wrote to memory of 2112 | 2052 | 5d42b90263e3c13a3d06ec6d459e2ca4_JaffaCakes118.exe | 34
PID 2052 wrote to memory of 2112 | 2052 | 5d42b90263e3c13a3d06ec6d459e2ca4_JaffaCakes118.exe | 34
PID 2052 wrote to memory of 2112 | 2052 | 5d42b90263e3c13a3d06ec6d459e2ca4_JaffaCakes118.exe | 34
PID 2052 wrote to memory of 2112 | 2052 | 5d42b90263e3c13a3d06ec6d459e2ca4_JaffaCakes118.exe | 34
PID 2052 wrote to memory of 2112 | 2052 | 5d42b90263e3c13a3d06ec6d459e2ca4_JaffaCakes118.exe | 34
PID 2052 wrote to memory of 2112 | 2052 | 5d42b90263e3c13a3d06ec6d459e2ca4_JaffaCakes118.exe | 34
PID 2052 wrote to memory of 2112 | 2052 | 5d42b90263e3c13a3d06ec6d459e2ca4_JaffaCakes118.exe | 34
PID 2112 wrote to memory of 2264 | 2112 | 5d42b90263e3c13a3d06ec6d459e2ca4_JaffaCakes118.exe | 36
PID 2112 wrote to memory of 2264 | 2112 | 5d42b90263e3c13a3d06ec6d459e2ca4_JaffaCakes118.exe | 36
PID 2112 wrote to memory of 2264 | 2112 | 5d42b90263e3c13a3d06ec6d459e2ca4_JaffaCakes118.exe | 36
PID 2112 wrote to memory of 2264 | 2112 | 5d42b90263e3c13a3d06ec6d459e2ca4_JaffaCakes118.exe | 36
PID 1956 wrote to memory of 2280 | 1956 | cmd.exe | 38
PID 1956 wrote to memory of 2280 | 1956 | cmd.exe | 38
PID 1956 wrote to memory of 2280 | 1956 | cmd.exe | 38
PID 1956 wrote to memory of 2280 | 1956 | cmd.exe | 38
PID 2132 wrote to memory of 1452 | 2132 | cmd.exe | 37
PID 2132 wrote to memory of 1452 | 2132 | cmd.exe | 37
PID 2132 wrote to memory of 1452 | 2132 | cmd.exe | 37
PID 2132 wrote to memory of 1452 | 2132 | cmd.exe | 37
PID 2112 wrote to memory of 2264 | 2112 | 5d42b90263e3c13a3d06ec6d459e2ca4_JaffaCakes118.exe | 36
PID 2112 wrote to memory of 2736 | 2112 | 5d42b90263e3c13a3d06ec6d459e2ca4_JaffaCakes118.exe | 39
PID 2112 wrote to memory of 2736 | 2112 | 5d42b90263e3c13a3d06ec6d459e2ca4_JaffaCakes118.exe | 39
PID 2112 wrote to memory of 2736 | 2112 | 5d42b90263e3c13a3d06ec6d459e2ca4_JaffaCakes118.exe | 39
PID 2112 wrote to memory of 2736 | 2112 | 5d42b90263e3c13a3d06ec6d459e2ca4_JaffaCakes118.exe | 39
PID 2112 wrote to memory of 2736 | 2112 | 5d42b90263e3c13a3d06ec6d459e2ca4_JaffaCakes118.exe | 39
Processes
[1] C:\Users\Admin\AppData\Local\Temp\5d42b90263e3c13a3d06ec6d459e2ca4_JaffaCakes118.exe
    command line: "C:\Users\Admin\AppData\Local\Temp\5d42b90263e3c13a3d06ec6d459e2ca4_JaffaCakes118.exe"
    PID: 2052
    - Suspicious use of SetThreadContext
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    [2] C:\Windows\SysWOW64\cmd.exe
        command line: cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
        PID: 1956
        - Suspicious use of WriteProcessMemory
        [3] C:\Windows\SysWOW64\reg.exe
            command line: REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
            PID: 2280
            - Modifies firewall policy service
            - Modifies registry key
    [2] C:\Windows\SysWOW64\cmd.exe
        command line: cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Local\Temp\5d42b90263e3c13a3d06ec6d459e2ca4_JaffaCakes118.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\5d42b90263e3c13a3d06ec6d459e2ca4_JaffaCakes118.exe:*:Enabled:Windows Messanger" /f
        PID: 2132
        - Suspicious use of WriteProcessMemory
        [3] C:\Windows\SysWOW64\reg.exe
            command line: REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Local\Temp\5d42b90263e3c13a3d06ec6d459e2ca4_JaffaCakes118.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\5d42b90263e3c13a3d06ec6d459e2ca4_JaffaCakes118.exe:*:Enabled:Windows Messanger" /f
            PID: 1452
            - Modifies firewall policy service
            - Modifies registry key
    [2] C:\Users\Admin\AppData\Local\Temp\5d42b90263e3c13a3d06ec6d459e2ca4_JaffaCakes118.exe
        command line: "C:\Users\Admin\AppData\Local\Temp\5d42b90263e3c13a3d06ec6d459e2ca4_JaffaCakes118.exe"
        PID: 2112
        - Suspicious use of WriteProcessMemory
        [3] C:\Windows\SysWOW64\svchost.exe
            command line: svchost.exe
            PID: 2264
            - Boot or Logon Autostart Execution: Active Setup
            - Adds Run key to start application
        [3] C:\Windows\SysWOW64\explorer.exe
            command line: explorer.exe
            PID: 2736
            - Boot or Logon Autostart Execution: Active Setup
            - Adds Run key to start application
            - Drops file in System32 directory
            - Suspicious use of SetWindowsHookEx
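The SetThreadContext and WriteProcessMemory signatures, read together with the process tree, describe the sample's injection chain: the first instance (PID 2052) starts a second copy of itself (PID 2112), writes into it eight times and then rewrites its thread context, which is the process-hollowing pattern; the hollowed copy then starts svchost.exe (2264) and explorer.exe (2736), writes into each, and the XtremeRAT yara rule subsequently fires in both children's memory at 0x10000000. The script below is an added example for this page, not Triage's code. It re-parses lines written in the report's own wording (constructed inline with the same per-pair counts, plus a hand-transcribed pid-to-image map from the tree) and labels each writer/target pair. The noise-floor heuristic is an assumption: the cmd.exe to reg.exe pairs are plain process creation and show four writes each, so four is taken as the count ordinary CreateProcess produces in this report, and anything beyond it, any SetThreadContext, or a family rule hitting the target's memory is treated as injection.

```python
"""Classify the cross-process memory writes in this report.
Added example for this page, not Triage's code. PROCESSES is transcribed
from the process tree above; SIGNATURE_LINES are constructed in the
report's own wording with the same per-pair counts."""
import re
from collections import defaultdict

SAMPLE = "5d42b90263e3c13a3d06ec6d459e2ca4_JaffaCakes118.exe"

# pid -> (image name, parent pid), transcribed from the process tree.
PROCESSES = {
    2052: (SAMPLE, None),
    1956: ("cmd.exe", 2052),
    2280: ("reg.exe", 1956),
    2132: ("cmd.exe", 2052),
    1452: ("reg.exe", 2132),
    2112: (SAMPLE, 2052),
    2264: ("svchost.exe", 2112),
    2736: ("explorer.exe", 2112),
}

# Constructed input in the report's wording: one SetThreadContext line, the 34
# WriteProcessMemory lines, and three memory yara hits.
SIGNATURE_LINES = "\n".join(
    [f"PID 2052 set thread context of 2112 2052 {SAMPLE} 34"]
    + [f"PID 2052 wrote to memory of 1956 2052 {SAMPLE} 31"] * 4
    + [f"PID 2052 wrote to memory of 2132 2052 {SAMPLE} 32"] * 4
    + [f"PID 2052 wrote to memory of 2112 2052 {SAMPLE} 34"] * 8
    + [f"PID 2112 wrote to memory of 2264 2112 {SAMPLE} 36"] * 5
    + ["PID 1956 wrote to memory of 2280 1956 cmd.exe 38"] * 4
    + ["PID 2132 wrote to memory of 1452 2132 cmd.exe 37"] * 4
    + [f"PID 2112 wrote to memory of 2736 2112 {SAMPLE} 39"] * 5
    + [f"behavioral1/memory/{pid}-{i}-0x0000000010000000-0x000000001004B000-memory.dmp family_xtremerat"
       for pid, i in ((2112, 10), (2264, 14), (2736, 17))]
)

WRITE_RE = re.compile(r"^PID (\d+) (wrote to memory of|set thread context of) (\d+) \1 \S+ \d+$")
YARA_RE = re.compile(r"memory/(\d+)-\d+-0x[0-9A-Fa-f]+-0x[0-9A-Fa-f]+-memory\.dmp (\w+)$")


def lineage(pid, processes=PROCESSES):
    """Image names from the root of the tree down to pid."""
    chain = []
    while pid is not None:
        image, parent = processes[pid]
        chain.append(image)
        pid = parent
    return chain[::-1]


def analyse(lines, processes=PROCESSES):
    """Return {target pid: {writer, writes, set_thread_context, families, verdict}}."""
    writes = defaultdict(int)      # (writer pid, target pid) -> number of writes
    thread_ctx = set()             # (writer pid, target pid) with SetThreadContext
    in_memory = defaultdict(set)   # pid -> yara families hit in its memory
    for line in lines.splitlines():
        m = WRITE_RE.match(line)
        if m:
            src, dst = int(m.group(1)), int(m.group(3))
            if m.group(2).startswith("wrote"):
                writes[(src, dst)] += 1
            else:
                thread_ctx.add((src, dst))
            continue
        m = YARA_RE.search(line)
        if m:
            in_memory[int(m.group(1))].add(m.group(2))
    # Heuristic (assumption): the smallest per-pair count is the noise floor that
    # plain process creation produces; here that is the 4 writes from cmd.exe to reg.exe.
    baseline = min(writes.values(), default=0)
    report = {}
    for (src, dst), count in sorted(writes.items()):
        src_image = processes.get(src, ("?", None))[0]
        dst_image, dst_parent = processes.get(dst, ("?", None))
        stc = (src, dst) in thread_ctx
        families = sorted(in_memory.get(dst, ()))
        if stc and src_image == dst_image and dst_parent == src:
            verdict = "process hollowing: parent replaced the image of its own child"
        elif stc:
            verdict = f"thread context rewritten in {dst_image}: hollowing or thread hijack"
        elif families:
            verdict = f"code injection into {dst_image}: {', '.join(families)} mapped in its memory"
        elif count > baseline:
            verdict = "more writes than plain process creation; inspect"
        else:
            verdict = "consistent with ordinary process creation"
        report[dst] = {"writer": src, "writes": count, "set_thread_context": stc,
                       "families": families, "verdict": verdict}
    return report


if __name__ == "__main__":
    for pid, info in analyse(SIGNATURE_LINES).items():
        print(f"{info['writer']} -> {pid} ({' > '.join(lineage(pid))}): "
              f"{info['writes']} writes, STC={info['set_thread_context']}: {info['verdict']}")
```

On this report the output marks 2112 as hollowed, 2264 and 2736 as injected svchost.exe and explorer.exe carrying family_xtremerat, and the four cmd.exe/reg.exe children as ordinary process creation. The image-name check matters: XtremeRAT hollows a copy of itself, so writer and target share a name, whereas the later injections target genuine system binaries and are only visible through the memory rule hits.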
Network
MITRE ATT&CK Enterprise v15
Persistence
  Boot or Logon Autostart Execution (2)
    Active Setup (1)
    Registry Run Keys / Startup Folder (1)
  Create or Modify System Process (1)
    Windows Service (1)
Privilege Escalation
  Boot or Logon Autostart Execution (2)
    Active Setup (1)
    Registry Run Keys / Startup Folder (1)
  Create or Modify System Process (1)
    Windows Service (1)
Downloads
Filesize: 56KB
MD5: 5d42b90263e3c13a3d06ec6d459e2ca4
SHA1: 1ee1f449e3b44e31340f7ebbf789f13a805cf6d7
SHA256: 035e89e20d22fae4b7b02e0931ed164e4716392f705a4f608749289ca8fd16b3
SHA512: ffbce5f775d9ebd5176de4f20cee68cbfef223819c3318d559ff73796116c6878ff2ea93b3ead769beca6d064175cc31e1ce369f7f309f8a193c214b89e9a36b