Analysis

  • max time kernel
    140s
  • max time network
    123s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240709-en
  • resource tags

    arch:x64 arch:x86 image:win10v2004-20240709-en locale:en-us os:windows10-2004-x64 system
  • submitted
    19-07-2024 19:04

General

  • Target

    5d42b90263e3c13a3d06ec6d459e2ca4_JaffaCakes118.exe

  • Size

    56KB

  • MD5

    5d42b90263e3c13a3d06ec6d459e2ca4

  • SHA1

    1ee1f449e3b44e31340f7ebbf789f13a805cf6d7

  • SHA256

    035e89e20d22fae4b7b02e0931ed164e4716392f705a4f608749289ca8fd16b3

  • SHA512

    ffbce5f775d9ebd5176de4f20cee68cbfef223819c3318d559ff73796116c6878ff2ea93b3ead769beca6d064175cc31e1ce369f7f309f8a193c214b89e9a36b

  • SSDEEP

    768:e8BWhOJdF2KL3jGf+JdPiBPU7C/lB9hUOuuqvorrnoHFLJYbawbEt10VfzCaa:RJdFryfk2DNhUOmvKKtCB2aa

Malware Config

Extracted

Family

xtremerat

C2

kadir645.no-ip.org

Signatures

  • Detect XtremeRAT payload 9 IoCs
  • Modifies firewall policy service 3 TTPs 6 IoCs
  • XtremeRAT

    XtremeRAT was developed by xtremecoder, has been available since at least 2010, and is written in Delphi.

  • Boot or Logon Autostart Execution: Active Setup 2 TTPs 2 IoCs

    Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

  • UPX packed file 11 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

  • Adds Run key to start application 2 TTPs 3 IoCs
  • Drops file in System32 directory 3 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Program crash 2 IoCs
  • Modifies registry key 1 TTPs 2 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 28 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\5d42b90263e3c13a3d06ec6d459e2ca4_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\5d42b90263e3c13a3d06ec6d459e2ca4_JaffaCakes118.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:3296
    • C:\Windows\SysWOW64\cmd.exe
      cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:4140
      • C:\Windows\SysWOW64\reg.exe
        REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
        3⤵
        • Modifies firewall policy service
        • Modifies registry key
        PID:2636
    • C:\Windows\SysWOW64\cmd.exe
      cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Local\Temp\5d42b90263e3c13a3d06ec6d459e2ca4_JaffaCakes118.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\5d42b90263e3c13a3d06ec6d459e2ca4_JaffaCakes118.exe:*:Enabled:Windows Messanger" /f
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:4624
      • C:\Windows\SysWOW64\reg.exe
        REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Local\Temp\5d42b90263e3c13a3d06ec6d459e2ca4_JaffaCakes118.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\5d42b90263e3c13a3d06ec6d459e2ca4_JaffaCakes118.exe:*:Enabled:Windows Messanger" /f
        3⤵
        • Modifies firewall policy service
        • Modifies registry key
        PID:2964
    • C:\Users\Admin\AppData\Local\Temp\5d42b90263e3c13a3d06ec6d459e2ca4_JaffaCakes118.exe
      "C:\Users\Admin\AppData\Local\Temp\5d42b90263e3c13a3d06ec6d459e2ca4_JaffaCakes118.exe"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:3512
      • C:\Windows\SysWOW64\svchost.exe
        svchost.exe
        3⤵
          PID:1020
          • C:\Windows\SysWOW64\WerFault.exe
            C:\Windows\SysWOW64\WerFault.exe -u -p 1020 -s 472
            4⤵
            • Program crash
            PID:4488
          • C:\Windows\SysWOW64\WerFault.exe
            C:\Windows\SysWOW64\WerFault.exe -u -p 1020 -s 488
            4⤵
            • Program crash
            PID:1416
        • C:\Windows\SysWOW64\explorer.exe
          explorer.exe
          3⤵
          • Boot or Logon Autostart Execution: Active Setup
          • Adds Run key to start application
          • Drops file in System32 directory
          • Suspicious use of SetWindowsHookEx
          PID:3472
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 1020 -ip 1020
      1⤵
        PID:2564
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -pss -s 504 -p 1020 -ip 1020
        1⤵
          PID:1048

Network

MITRE ATT&CK Enterprise v15

Downloads

  • memory/1020-7-0x0000000010000000-0x000000001004B000-memory.dmp

    Filesize

    300KB

  • memory/1020-15-0x0000000010000000-0x000000001004B000-memory.dmp

    Filesize

    300KB

  • memory/3472-8-0x0000000010000000-0x000000001004B000-memory.dmp

    Filesize

    300KB

  • memory/3472-13-0x0000000010000000-0x000000001004B000-memory.dmp

    Filesize

    300KB

  • memory/3472-12-0x0000000010000000-0x000000001004B000-memory.dmp

    Filesize

    300KB

  • memory/3472-14-0x0000000010000000-0x000000001004B000-memory.dmp

    Filesize

    300KB

  • memory/3512-2-0x0000000010000000-0x000000001004B000-memory.dmp

    Filesize

    300KB

  • memory/3512-4-0x0000000010000000-0x000000001004B000-memory.dmp

    Filesize

    300KB

  • memory/3512-5-0x0000000010000000-0x000000001004B000-memory.dmp

    Filesize

    300KB

  • memory/3512-6-0x0000000010000000-0x000000001004B000-memory.dmp

    Filesize

    300KB

  • memory/3512-9-0x0000000010000000-0x000000001004B000-memory.dmp

    Filesize

    300KB