Analysis

max time kernel: 140s
max time network: 123s
platform: windows10-2004_x64
resource: win10v2004-20240709-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240709-en, locale:en-us, os:windows10-2004-x64, system
submitted: 19-07-2024 19:04

Static task: static1
Behavioral task: behavioral1
Sample: 5d42b90263e3c13a3d06ec6d459e2ca4_JaffaCakes118.exe
Resource: win7-20240705-en
General

Target: 5d42b90263e3c13a3d06ec6d459e2ca4_JaffaCakes118.exe
Size: 56KB
MD5: 5d42b90263e3c13a3d06ec6d459e2ca4
SHA1: 1ee1f449e3b44e31340f7ebbf789f13a805cf6d7
SHA256: 035e89e20d22fae4b7b02e0931ed164e4716392f705a4f608749289ca8fd16b3
SHA512: ffbce5f775d9ebd5176de4f20cee68cbfef223819c3318d559ff73796116c6878ff2ea93b3ead769beca6d064175cc31e1ce369f7f309f8a193c214b89e9a36b
SSDEEP: 768:e8BWhOJdF2KL3jGf+JdPiBPU7C/lB9hUOuuqvorrnoHFLJYbawbEt10VfzCaa:RJdFryfk2DNhUOmvKKtCB2aa
Malware Config

Extracted
Family: xtremerat
C2: kadir645.no-ip.org
Signatures

Detect XtremeRAT payload (9 IoCs)
resource  yara_rule
behavioral2/memory/3512-5-0x0000000010000000-0x000000001004B000-memory.dmp  family_xtremerat
behavioral2/memory/3512-6-0x0000000010000000-0x000000001004B000-memory.dmp  family_xtremerat
behavioral2/memory/1020-7-0x0000000010000000-0x000000001004B000-memory.dmp  family_xtremerat
behavioral2/memory/3512-9-0x0000000010000000-0x000000001004B000-memory.dmp  family_xtremerat
behavioral2/memory/3472-8-0x0000000010000000-0x000000001004B000-memory.dmp  family_xtremerat
behavioral2/memory/3472-13-0x0000000010000000-0x000000001004B000-memory.dmp  family_xtremerat
behavioral2/memory/3472-12-0x0000000010000000-0x000000001004B000-memory.dmp  family_xtremerat
behavioral2/memory/3472-14-0x0000000010000000-0x000000001004B000-memory.dmp  family_xtremerat
behavioral2/memory/1020-15-0x0000000010000000-0x000000001004B000-memory.dmp  family_xtremerat
Modifies firewall policy service (3 TTPs, 6 IoCs)
description: ioc (process)
Key created: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile (reg.exe)
Set value (int): \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" (reg.exe)
Key created: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List (reg.exe)
Key created: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile (reg.exe)
Key created: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications (reg.exe)
Set value (str): \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\Users\Admin\AppData\Local\Temp\5d42b90263e3c13a3d06ec6d459e2ca4_JaffaCakes118.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\5d42b90263e3c13a3d06ec6d459e2ca4_JaffaCakes118.exe:*:Enabled:Windows Messanger" (reg.exe)
XtremeRAT
XtremeRAT was developed by xtremecoder, is written in Delphi, and has been available since at least 2010.
Boot or Logon Autostart Execution: Active Setup (2 TTPs, 2 IoCs)
Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.
description: ioc (process)
Key created: \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{D680F4FM-1Y23-424O-Y6P3-172G7K26R03H} (explorer.exe)
Set value (str): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{D680F4FM-1Y23-424O-Y6P3-172G7K26R03H}\StubPath = "C:\\Windows\\system32\\winstock\\explorer.exe restart" (explorer.exe)

UPX packed file (yara rule upx, 11 IoCs)
resource  yara_rule
behavioral2/memory/3512-2-0x0000000010000000-0x000000001004B000-memory.dmp  upx
behavioral2/memory/3512-4-0x0000000010000000-0x000000001004B000-memory.dmp  upx
behavioral2/memory/3512-5-0x0000000010000000-0x000000001004B000-memory.dmp  upx
behavioral2/memory/3512-6-0x0000000010000000-0x000000001004B000-memory.dmp  upx
behavioral2/memory/1020-7-0x0000000010000000-0x000000001004B000-memory.dmp  upx
behavioral2/memory/3512-9-0x0000000010000000-0x000000001004B000-memory.dmp  upx
behavioral2/memory/3472-8-0x0000000010000000-0x000000001004B000-memory.dmp  upx
behavioral2/memory/3472-13-0x0000000010000000-0x000000001004B000-memory.dmp  upx
behavioral2/memory/3472-12-0x0000000010000000-0x000000001004B000-memory.dmp  upx
behavioral2/memory/3472-14-0x0000000010000000-0x000000001004B000-memory.dmp  upx
behavioral2/memory/1020-15-0x0000000010000000-0x000000001004B000-memory.dmp  upx
Adds Run key to start application (2 TTPs, 3 IoCs)
description: ioc (process)
Set value (str): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Windows\\system32\\winstock\\explorer.exe" (explorer.exe)
Set value (str): \REGISTRY\USER\S-1-5-21-1750093773-264148664-1320403265-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Windows\\system32\\winstock\\explorer.exe" (explorer.exe)
Set value (str): \REGISTRY\USER\S-1-5-21-1750093773-264148664-1320403265-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\HKCU = "explorer.exe" (explorer.exe)
Drops file in System32 directory (3 IoCs)
description: ioc (process)
File opened for modification: C:\Windows\SysWOW64\winstock\explorer.exe (explorer.exe)
File created: C:\Windows\SysWOW64\winstock\explorer.exe (explorer.exe)
File opened for modification: C:\Windows\SysWOW64\winstock\ (explorer.exe)
Suspicious use of SetThreadContext (1 IoC)
description (pid, process, procid_target)
PID 3296 set thread context of 3512 (3296, 5d42b90263e3c13a3d06ec6d459e2ca4_JaffaCakes118.exe, 88)
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).
Program crash (2 IoCs)
pid  pid_target  Process  procid_target
4488  1020  WerFault.exe  91
1416  1020  WerFault.exe  91
Modifies registry key (1 TTP, 2 IoCs)
pid  Process
2636  reg.exe
2964  reg.exe
Suspicious use of SetWindowsHookEx (2 IoCs)
pid  Process
3296  5d42b90263e3c13a3d06ec6d459e2ca4_JaffaCakes118.exe
3472  explorer.exe
Suspicious use of WriteProcessMemory (28 IoCs)
description (pid, process, procid_target)
PID 3296 wrote to memory of 4140 (3296, 5d42b90263e3c13a3d06ec6d459e2ca4_JaffaCakes118.exe, 84)
PID 3296 wrote to memory of 4140 (3296, 5d42b90263e3c13a3d06ec6d459e2ca4_JaffaCakes118.exe, 84)
PID 3296 wrote to memory of 4140 (3296, 5d42b90263e3c13a3d06ec6d459e2ca4_JaffaCakes118.exe, 84)
PID 3296 wrote to memory of 4624 (3296, 5d42b90263e3c13a3d06ec6d459e2ca4_JaffaCakes118.exe, 85)
PID 3296 wrote to memory of 4624 (3296, 5d42b90263e3c13a3d06ec6d459e2ca4_JaffaCakes118.exe, 85)
PID 3296 wrote to memory of 4624 (3296, 5d42b90263e3c13a3d06ec6d459e2ca4_JaffaCakes118.exe, 85)
PID 3296 wrote to memory of 3512 (3296, 5d42b90263e3c13a3d06ec6d459e2ca4_JaffaCakes118.exe, 88)
PID 3296 wrote to memory of 3512 (3296, 5d42b90263e3c13a3d06ec6d459e2ca4_JaffaCakes118.exe, 88)
PID 3296 wrote to memory of 3512 (3296, 5d42b90263e3c13a3d06ec6d459e2ca4_JaffaCakes118.exe, 88)
PID 3296 wrote to memory of 3512 (3296, 5d42b90263e3c13a3d06ec6d459e2ca4_JaffaCakes118.exe, 88)
PID 3296 wrote to memory of 3512 (3296, 5d42b90263e3c13a3d06ec6d459e2ca4_JaffaCakes118.exe, 88)
PID 3296 wrote to memory of 3512 (3296, 5d42b90263e3c13a3d06ec6d459e2ca4_JaffaCakes118.exe, 88)
PID 3296 wrote to memory of 3512 (3296, 5d42b90263e3c13a3d06ec6d459e2ca4_JaffaCakes118.exe, 88)
PID 3296 wrote to memory of 3512 (3296, 5d42b90263e3c13a3d06ec6d459e2ca4_JaffaCakes118.exe, 88)
PID 4140 wrote to memory of 2636 (4140, cmd.exe, 89)
PID 4140 wrote to memory of 2636 (4140, cmd.exe, 89)
PID 4140 wrote to memory of 2636 (4140, cmd.exe, 89)
PID 4624 wrote to memory of 2964 (4624, cmd.exe, 90)
PID 4624 wrote to memory of 2964 (4624, cmd.exe, 90)
PID 4624 wrote to memory of 2964 (4624, cmd.exe, 90)
PID 3512 wrote to memory of 1020 (3512, 5d42b90263e3c13a3d06ec6d459e2ca4_JaffaCakes118.exe, 91)
PID 3512 wrote to memory of 1020 (3512, 5d42b90263e3c13a3d06ec6d459e2ca4_JaffaCakes118.exe, 91)
PID 3512 wrote to memory of 1020 (3512, 5d42b90263e3c13a3d06ec6d459e2ca4_JaffaCakes118.exe, 91)
PID 3512 wrote to memory of 1020 (3512, 5d42b90263e3c13a3d06ec6d459e2ca4_JaffaCakes118.exe, 91)
PID 3512 wrote to memory of 3472 (3512, 5d42b90263e3c13a3d06ec6d459e2ca4_JaffaCakes118.exe, 92)
PID 3512 wrote to memory of 3472 (3512, 5d42b90263e3c13a3d06ec6d459e2ca4_JaffaCakes118.exe, 92)
PID 3512 wrote to memory of 3472 (3512, 5d42b90263e3c13a3d06ec6d459e2ca4_JaffaCakes118.exe, 92)
PID 3512 wrote to memory of 3472 (3512, 5d42b90263e3c13a3d06ec6d459e2ca4_JaffaCakes118.exe, 92)
Processes

C:\Users\Admin\AppData\Local\Temp\5d42b90263e3c13a3d06ec6d459e2ca4_JaffaCakes118.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\5d42b90263e3c13a3d06ec6d459e2ca4_JaffaCakes118.exe"
  PID: 3296
  - Suspicious use of SetThreadContext
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
    C:\Windows\SysWOW64\cmd.exe
      command line: cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
      PID: 4140
      - Suspicious use of WriteProcessMemory
        C:\Windows\SysWOW64\reg.exe
          command line: REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
          PID: 2636
          - Modifies firewall policy service
          - Modifies registry key
    C:\Windows\SysWOW64\cmd.exe
      command line: cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Local\Temp\5d42b90263e3c13a3d06ec6d459e2ca4_JaffaCakes118.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\5d42b90263e3c13a3d06ec6d459e2ca4_JaffaCakes118.exe:*:Enabled:Windows Messanger" /f
      PID: 4624
      - Suspicious use of WriteProcessMemory
        C:\Windows\SysWOW64\reg.exe
          command line: REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Local\Temp\5d42b90263e3c13a3d06ec6d459e2ca4_JaffaCakes118.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\5d42b90263e3c13a3d06ec6d459e2ca4_JaffaCakes118.exe:*:Enabled:Windows Messanger" /f
          PID: 2964
          - Modifies firewall policy service
          - Modifies registry key
    C:\Users\Admin\AppData\Local\Temp\5d42b90263e3c13a3d06ec6d459e2ca4_JaffaCakes118.exe
      command line: "C:\Users\Admin\AppData\Local\Temp\5d42b90263e3c13a3d06ec6d459e2ca4_JaffaCakes118.exe"
      PID: 3512
      - Suspicious use of WriteProcessMemory
        C:\Windows\SysWOW64\svchost.exe
          command line: svchost.exe
          PID: 1020
            C:\Windows\SysWOW64\WerFault.exe
              command line: C:\Windows\SysWOW64\WerFault.exe -u -p 1020 -s 472
              PID: 4488
              - Program crash
            C:\Windows\SysWOW64\WerFault.exe
              command line: C:\Windows\SysWOW64\WerFault.exe -u -p 1020 -s 488
              PID: 1416
              - Program crash
        C:\Windows\SysWOW64\explorer.exe
          command line: explorer.exe
          PID: 3472
          - Boot or Logon Autostart Execution: Active Setup
          - Adds Run key to start application
          - Drops file in System32 directory
          - Suspicious use of SetWindowsHookEx

C:\Windows\SysWOW64\WerFault.exe
  command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 1020 -ip 1020
  PID: 2564

C:\Windows\SysWOW64\WerFault.exe
  command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 504 -p 1020 -ip 1020
  PID: 1048
Network
MITRE ATT&CK Enterprise v15

Persistence
  Boot or Logon Autostart Execution (2)
    Active Setup (1)
    Registry Run Keys / Startup Folder (1)
  Create or Modify System Process (1)
    Windows Service (1)

Privilege Escalation
  Boot or Logon Autostart Execution (2)
    Active Setup (1)
    Registry Run Keys / Startup Folder (1)
  Create or Modify System Process (1)
    Windows Service (1)