Analysis
max time kernel: 150s
max time network: 150s
platform: windows10-2004_x64
resource: win10v2004-20240709-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240709-en, locale:en-us, os:windows10-2004-x64, system
submitted: 19-07-2024 19:13
Static task: static1
Behavioral task: behavioral1
    Sample: 5d4a74baedaf1de6584d15a2c80fa3ee_JaffaCakes118.exe
    Resource: win7-20240704-en
Behavioral task: behavioral2
    Sample: 5d4a74baedaf1de6584d15a2c80fa3ee_JaffaCakes118.exe
    Resource: win10v2004-20240709-en
General
Target: 5d4a74baedaf1de6584d15a2c80fa3ee_JaffaCakes118.exe
Size: 227KB
MD5: 5d4a74baedaf1de6584d15a2c80fa3ee
SHA1: 9ce1c7cd2bff9972009979ca8b2001991bc836bb
SHA256: b8640645abeba0210c7bb760d5241cec41c188580c8e9274f5a57e982dd9ac47
SHA512: 2d30930cd749bf2886fee6cf745926d516ec6967d5044d88ea0f2d550277a41ccf61fad711ed25b447820dd2c4d4241213e4d658326e35bab5fabe54d1df0987
SSDEEP: 6144:iYZeOcuVD+g4fX28azwn22PF+ympFb0Jj4zrdh5:veOJV6ggm88w2o/mpZ0eN
Malware Config
Extracted
Family: xtremerat
C2 host: biladi2000.no-ip.info
Signatures
Detect XtremeRAT payload (23 IoCs)
resource | yara_rule
behavioral2/memory/1568-15-0x0000000000C80000-0x0000000000CA2000-memory.dmp | family_xtremerat
behavioral2/memory/4108-17-0x0000000000C80000-0x0000000000CA2000-memory.dmp | family_xtremerat
behavioral2/memory/2072-19-0x0000000000C80000-0x0000000000CA2000-memory.dmp | family_xtremerat
behavioral2/memory/2560-21-0x0000000000C80000-0x0000000000CA2000-memory.dmp | family_xtremerat
behavioral2/memory/4352-23-0x0000000000C80000-0x0000000000CA2000-memory.dmp | family_xtremerat
behavioral2/memory/5080-25-0x0000000000C80000-0x0000000000CA2000-memory.dmp | family_xtremerat
behavioral2/memory/4336-27-0x0000000000C80000-0x0000000000CA2000-memory.dmp | family_xtremerat
behavioral2/memory/4400-39-0x0000000000C80000-0x0000000000CA2000-memory.dmp | family_xtremerat
behavioral2/memory/3628-47-0x0000000000C80000-0x0000000000CA2000-memory.dmp | family_xtremerat
behavioral2/memory/552-49-0x0000000000C80000-0x0000000000CA2000-memory.dmp | family_xtremerat
behavioral2/memory/4656-51-0x0000000000C80000-0x0000000000CA2000-memory.dmp | family_xtremerat
behavioral2/memory/4756-53-0x0000000000C80000-0x0000000000CA2000-memory.dmp | family_xtremerat
behavioral2/memory/1808-55-0x0000000000C80000-0x0000000000CA2000-memory.dmp | family_xtremerat
behavioral2/memory/2160-57-0x0000000000C80000-0x0000000000CA2000-memory.dmp | family_xtremerat
behavioral2/memory/4176-59-0x0000000000C80000-0x0000000000CA2000-memory.dmp | family_xtremerat
behavioral2/memory/3116-71-0x0000000000C80000-0x0000000000CA2000-memory.dmp | family_xtremerat
behavioral2/memory/2296-77-0x0000000000C80000-0x0000000000CA2000-memory.dmp | family_xtremerat
behavioral2/memory/3744-79-0x0000000000C80000-0x0000000000CA2000-memory.dmp | family_xtremerat
behavioral2/memory/3484-81-0x0000000000C80000-0x0000000000CA2000-memory.dmp | family_xtremerat
behavioral2/memory/2040-83-0x0000000000C80000-0x0000000000CA2000-memory.dmp | family_xtremerat
behavioral2/memory/4380-85-0x0000000000C80000-0x0000000000CA2000-memory.dmp | family_xtremerat
behavioral2/memory/3372-87-0x0000000000C80000-0x0000000000CA2000-memory.dmp | family_xtremerat
behavioral2/memory/4484-90-0x0000000000C80000-0x0000000000CA2000-memory.dmp | family_xtremerat
XtremeRAT
XtremeRAT was developed by xtremecoder, has been available since at least 2010, and is written in Delphi.
Boot or Logon Autostart Execution: Active Setup (2 TTPs, 6 IoCs)
Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.
description | ioc | Process
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{86EYSQD3-MO6B-NY00-214Q-3P72B7FTBLB8} | 5d4a74baedaf1de6584d15a2c80fa3ee_JaffaCakes118.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{86EYSQD3-MO6B-NY00-214Q-3P72B7FTBLB8}\StubPath = "C:\\Windows\\system32\\InstallDir\\Server.exe restart" | 5d4a74baedaf1de6584d15a2c80fa3ee_JaffaCakes118.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{86EYSQD3-MO6B-NY00-214Q-3P72B7FTBLB8} | Server.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{86EYSQD3-MO6B-NY00-214Q-3P72B7FTBLB8}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\InstallDir\\Server.exe restart" | Server.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{86EYSQD3-MO6B-NY00-214Q-3P72B7FTBLB8} | Server.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{86EYSQD3-MO6B-NY00-214Q-3P72B7FTBLB8}\StubPath = "C:\\Windows\\system32\\InstallDir\\Server.exe restart" | Server.exe
Checks computer location settings (2 TTPs, 2 IoCs)
Looks up the country code configured in the registry, likely a geofence check.
description | ioc | Process
Key value queried | \REGISTRY\USER\S-1-5-21-2636447293-1148739154-93880854-1000\Control Panel\International\Geo\Nation | 5d4a74baedaf1de6584d15a2c80fa3ee_JaffaCakes118.exe
Key value queried | \REGISTRY\USER\S-1-5-21-2636447293-1148739154-93880854-1000\Control Panel\International\Geo\Nation | Server.exe
Executes dropped EXE (2 IoCs)
pid | Process
3116 | Server.exe
4484 | Server.exe
Molebox Virtualization software (1 IoCs)
Detects file using Molebox Virtualization software.
resource | yara_rule
behavioral2/files/0x00070000000234a1-32.dat | molebox
Adds Run key to start application (2 TTPs, 6 IoCs)
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Windows\\system32\\InstallDir\\Server.exe" | 5d4a74baedaf1de6584d15a2c80fa3ee_JaffaCakes118.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2636447293-1148739154-93880854-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Windows\\system32\\InstallDir\\Server.exe" | 5d4a74baedaf1de6584d15a2c80fa3ee_JaffaCakes118.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Users\\Admin\\AppData\\Roaming\\InstallDir\\Server.exe" | Server.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2636447293-1148739154-93880854-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Users\\Admin\\AppData\\Roaming\\InstallDir\\Server.exe" | Server.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Windows\\system32\\InstallDir\\Server.exe" | Server.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2636447293-1148739154-93880854-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Windows\\system32\\InstallDir\\Server.exe" | Server.exe
Drops file in System32 directory (5 IoCs)
description | ioc | Process
File created | C:\Windows\SysWOW64\InstallDir\Server.exe | Server.exe
File opened for modification | C:\Windows\SysWOW64\InstallDir\Server.exe | Server.exe
File opened for modification | C:\Windows\SysWOW64\InstallDir\Server.exe | 5d4a74baedaf1de6584d15a2c80fa3ee_JaffaCakes118.exe
File created | C:\Windows\SysWOW64\InstallDir\Server.exe | 5d4a74baedaf1de6584d15a2c80fa3ee_JaffaCakes118.exe
File opened for modification | C:\Windows\SysWOW64\InstallDir\Server.exe | Server.exe
Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).
Suspicious use of SetWindowsHookEx (1 IoCs)
pid | Process
4484 | Server.exe
Suspicious use of WriteProcessMemory (64 IoCs)
description | pid | Process | procid_target
PID 4400 wrote to memory of 1568 | 4400 | 5d4a74baedaf1de6584d15a2c80fa3ee_JaffaCakes118.exe | 87
PID 4400 wrote to memory of 1568 | 4400 | 5d4a74baedaf1de6584d15a2c80fa3ee_JaffaCakes118.exe | 87
PID 4400 wrote to memory of 1568 | 4400 | 5d4a74baedaf1de6584d15a2c80fa3ee_JaffaCakes118.exe | 87
PID 4400 wrote to memory of 1568 | 4400 | 5d4a74baedaf1de6584d15a2c80fa3ee_JaffaCakes118.exe | 87
PID 4400 wrote to memory of 2060 | 4400 | 5d4a74baedaf1de6584d15a2c80fa3ee_JaffaCakes118.exe | 88
PID 4400 wrote to memory of 2060 | 4400 | 5d4a74baedaf1de6584d15a2c80fa3ee_JaffaCakes118.exe | 88
PID 4400 wrote to memory of 2060 | 4400 | 5d4a74baedaf1de6584d15a2c80fa3ee_JaffaCakes118.exe | 88
PID 4400 wrote to memory of 2788 | 4400 | 5d4a74baedaf1de6584d15a2c80fa3ee_JaffaCakes118.exe | 91
PID 4400 wrote to memory of 2788 | 4400 | 5d4a74baedaf1de6584d15a2c80fa3ee_JaffaCakes118.exe | 91
PID 4400 wrote to memory of 2788 | 4400 | 5d4a74baedaf1de6584d15a2c80fa3ee_JaffaCakes118.exe | 91
PID 4400 wrote to memory of 4108 | 4400 | 5d4a74baedaf1de6584d15a2c80fa3ee_JaffaCakes118.exe | 92
PID 4400 wrote to memory of 4108 | 4400 | 5d4a74baedaf1de6584d15a2c80fa3ee_JaffaCakes118.exe | 92
PID 4400 wrote to memory of 4108 | 4400 | 5d4a74baedaf1de6584d15a2c80fa3ee_JaffaCakes118.exe | 92
PID 4400 wrote to memory of 4108 | 4400 | 5d4a74baedaf1de6584d15a2c80fa3ee_JaffaCakes118.exe | 92
PID 4400 wrote to memory of 2072 | 4400 | 5d4a74baedaf1de6584d15a2c80fa3ee_JaffaCakes118.exe | 93
PID 4400 wrote to memory of 2072 | 4400 | 5d4a74baedaf1de6584d15a2c80fa3ee_JaffaCakes118.exe | 93
PID 4400 wrote to memory of 2072 | 4400 | 5d4a74baedaf1de6584d15a2c80fa3ee_JaffaCakes118.exe | 93
PID 4400 wrote to memory of 2072 | 4400 | 5d4a74baedaf1de6584d15a2c80fa3ee_JaffaCakes118.exe | 93
PID 4400 wrote to memory of 2560 | 4400 | 5d4a74baedaf1de6584d15a2c80fa3ee_JaffaCakes118.exe | 94
PID 4400 wrote to memory of 2560 | 4400 | 5d4a74baedaf1de6584d15a2c80fa3ee_JaffaCakes118.exe | 94
PID 4400 wrote to memory of 2560 | 4400 | 5d4a74baedaf1de6584d15a2c80fa3ee_JaffaCakes118.exe | 94
PID 4400 wrote to memory of 2560 | 4400 | 5d4a74baedaf1de6584d15a2c80fa3ee_JaffaCakes118.exe | 94
PID 4400 wrote to memory of 4352 | 4400 | 5d4a74baedaf1de6584d15a2c80fa3ee_JaffaCakes118.exe | 97
PID 4400 wrote to memory of 4352 | 4400 | 5d4a74baedaf1de6584d15a2c80fa3ee_JaffaCakes118.exe | 97
PID 4400 wrote to memory of 4352 | 4400 | 5d4a74baedaf1de6584d15a2c80fa3ee_JaffaCakes118.exe | 97
PID 4400 wrote to memory of 4352 | 4400 | 5d4a74baedaf1de6584d15a2c80fa3ee_JaffaCakes118.exe | 97
PID 4400 wrote to memory of 5080 | 4400 | 5d4a74baedaf1de6584d15a2c80fa3ee_JaffaCakes118.exe | 100
PID 4400 wrote to memory of 5080 | 4400 | 5d4a74baedaf1de6584d15a2c80fa3ee_JaffaCakes118.exe | 100
PID 4400 wrote to memory of 5080 | 4400 | 5d4a74baedaf1de6584d15a2c80fa3ee_JaffaCakes118.exe | 100
PID 4400 wrote to memory of 5080 | 4400 | 5d4a74baedaf1de6584d15a2c80fa3ee_JaffaCakes118.exe | 100
PID 4400 wrote to memory of 4336 | 4400 | 5d4a74baedaf1de6584d15a2c80fa3ee_JaffaCakes118.exe | 101
PID 4400 wrote to memory of 4336 | 4400 | 5d4a74baedaf1de6584d15a2c80fa3ee_JaffaCakes118.exe | 101
PID 4400 wrote to memory of 4336 | 4400 | 5d4a74baedaf1de6584d15a2c80fa3ee_JaffaCakes118.exe | 101
PID 4400 wrote to memory of 4336 | 4400 | 5d4a74baedaf1de6584d15a2c80fa3ee_JaffaCakes118.exe | 101
PID 4400 wrote to memory of 4452 | 4400 | 5d4a74baedaf1de6584d15a2c80fa3ee_JaffaCakes118.exe | 102
PID 4400 wrote to memory of 4452 | 4400 | 5d4a74baedaf1de6584d15a2c80fa3ee_JaffaCakes118.exe | 102
PID 4400 wrote to memory of 4452 | 4400 | 5d4a74baedaf1de6584d15a2c80fa3ee_JaffaCakes118.exe | 102
PID 4400 wrote to memory of 3116 | 4400 | 5d4a74baedaf1de6584d15a2c80fa3ee_JaffaCakes118.exe | 103
PID 4400 wrote to memory of 3116 | 4400 | 5d4a74baedaf1de6584d15a2c80fa3ee_JaffaCakes118.exe | 103
PID 4400 wrote to memory of 3116 | 4400 | 5d4a74baedaf1de6584d15a2c80fa3ee_JaffaCakes118.exe | 103
PID 3116 wrote to memory of 1476 | 3116 | Server.exe | 104
PID 3116 wrote to memory of 1476 | 3116 | Server.exe | 104
PID 3116 wrote to memory of 1476 | 3116 | Server.exe | 104
PID 3116 wrote to memory of 3628 | 3116 | Server.exe | 105
PID 3116 wrote to memory of 3628 | 3116 | Server.exe | 105
PID 3116 wrote to memory of 3628 | 3116 | Server.exe | 105
PID 3116 wrote to memory of 3628 | 3116 | Server.exe | 105
PID 3116 wrote to memory of 552 | 3116 | Server.exe | 106
PID 3116 wrote to memory of 552 | 3116 | Server.exe | 106
PID 3116 wrote to memory of 552 | 3116 | Server.exe | 106
PID 3116 wrote to memory of 552 | 3116 | Server.exe | 106
PID 3116 wrote to memory of 4656 | 3116 | Server.exe | 108
PID 3116 wrote to memory of 4656 | 3116 | Server.exe | 108
PID 3116 wrote to memory of 4656 | 3116 | Server.exe | 108
PID 3116 wrote to memory of 4656 | 3116 | Server.exe | 108
PID 3116 wrote to memory of 4756 | 3116 | Server.exe | 109
PID 3116 wrote to memory of 4756 | 3116 | Server.exe | 109
PID 3116 wrote to memory of 4756 | 3116 | Server.exe | 109
PID 3116 wrote to memory of 4756 | 3116 | Server.exe | 109
PID 3116 wrote to memory of 1808 | 3116 | Server.exe | 110
PID 3116 wrote to memory of 1808 | 3116 | Server.exe | 110
PID 3116 wrote to memory of 1808 | 3116 | Server.exe | 110
PID 3116 wrote to memory of 1808 | 3116 | Server.exe | 110
PID 3116 wrote to memory of 2160 | 3116 | Server.exe | 111
Processes
[1] C:\Users\Admin\AppData\Local\Temp\5d4a74baedaf1de6584d15a2c80fa3ee_JaffaCakes118.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\5d4a74baedaf1de6584d15a2c80fa3ee_JaffaCakes118.exe"
    PID: 4400
    - Boot or Logon Autostart Execution: Active Setup
    - Checks computer location settings
    - Adds Run key to start application
    - Drops file in System32 directory
    - Suspicious use of WriteProcessMemory
    [2] C:\Windows\SysWOW64\svchost.exe (command line: svchost.exe) PID: 1568
    [2] C:\Windows\SysWOW64\explorer.exe (command line: explorer.exe) PID: 2060
    [2] C:\Windows\SysWOW64\explorer.exe (command line: explorer.exe) PID: 2788
    [2] C:\Windows\SysWOW64\explorer.exe (command line: explorer.exe) PID: 4108
    [2] C:\Windows\SysWOW64\explorer.exe (command line: explorer.exe) PID: 2072
    [2] C:\Windows\SysWOW64\explorer.exe (command line: explorer.exe) PID: 2560
    [2] C:\Windows\SysWOW64\explorer.exe (command line: explorer.exe) PID: 4352
    [2] C:\Windows\SysWOW64\explorer.exe (command line: explorer.exe) PID: 5080
    [2] C:\Windows\SysWOW64\explorer.exe (command line: explorer.exe) PID: 4336
    [2] C:\Windows\SysWOW64\explorer.exe (command line: explorer.exe) PID: 4452
    [2] C:\Windows\SysWOW64\InstallDir\Server.exe
        Command line: "C:\Windows\system32\InstallDir\Server.exe"
        PID: 3116
        - Boot or Logon Autostart Execution: Active Setup
        - Checks computer location settings
        - Executes dropped EXE
        - Adds Run key to start application
        - Drops file in System32 directory
        - Suspicious use of WriteProcessMemory
        [3] C:\Windows\SysWOW64\svchost.exe (command line: svchost.exe) PID: 1476
        [3] C:\Windows\SysWOW64\explorer.exe (command line: explorer.exe) PID: 3628
        [3] C:\Windows\SysWOW64\explorer.exe (command line: explorer.exe) PID: 552
        [3] C:\Windows\SysWOW64\explorer.exe (command line: explorer.exe) PID: 4656
        [3] C:\Windows\SysWOW64\explorer.exe (command line: explorer.exe) PID: 4756
        [3] C:\Windows\SysWOW64\explorer.exe (command line: explorer.exe) PID: 1808
        [3] C:\Windows\SysWOW64\explorer.exe (command line: explorer.exe) PID: 2160
        [3] C:\Windows\SysWOW64\explorer.exe (command line: explorer.exe) PID: 4176
        [3] C:\Windows\SysWOW64\explorer.exe (command line: explorer.exe) PID: 1900
        [3] C:\Users\Admin\AppData\Roaming\InstallDir\Server.exe
            Command line: "C:\Users\Admin\AppData\Roaming\InstallDir\Server.exe"
            PID: 4484
            - Boot or Logon Autostart Execution: Active Setup
            - Executes dropped EXE
            - Adds Run key to start application
            - Drops file in System32 directory
            - Suspicious use of SetWindowsHookEx
            [4] C:\Windows\SysWOW64\svchost.exe (command line: svchost.exe) PID: 2296
            [4] C:\Windows\SysWOW64\explorer.exe (command line: explorer.exe) PID: 3744
            [4] C:\Windows\SysWOW64\explorer.exe (command line: explorer.exe) PID: 2608
            [4] C:\Windows\SysWOW64\explorer.exe (command line: explorer.exe) PID: 3436
            [4] C:\Windows\SysWOW64\explorer.exe (command line: explorer.exe) PID: 3484
            [4] C:\Windows\SysWOW64\explorer.exe (command line: explorer.exe) PID: 2040
            [4] C:\Windows\SysWOW64\explorer.exe (command line: explorer.exe) PID: 4380
            [4] C:\Windows\SysWOW64\explorer.exe (command line: explorer.exe) PID: 3372
            [4] C:\Windows\SysWOW64\explorer.exe (command line: explorer.exe) PID: 3572
            [4] C:\Windows\SysWOW64\explorer.exe (command line: explorer.exe) PID: 3928
            [4] C:\Windows\SysWOW64\explorer.exe (command line: explorer.exe) PID: 1456
Network
MITRE ATT&CK Enterprise v15
Downloads
Filesize: 1KB
MD5: ed9f7e62dac66369ada3f7b1462dfbf5
SHA1: 9bb5db22fea46add7e825bd169ed19bfeb52cc0f
SHA256: c4acb275967d5c738a1de0addea1472b0e287076157976ed2b7fc9d348ad5c9c
SHA512: 2a14ad0a6555e89a55a33952d3f5a6f676be117e4e113537e39daccc687656cb6ed10277ceb52cc3bd11e59dc4f6f329b42ce3de5b4b0ce544f0c7bca70d390a

Filesize: 227KB
MD5: 5d4a74baedaf1de6584d15a2c80fa3ee
SHA1: 9ce1c7cd2bff9972009979ca8b2001991bc836bb
SHA256: b8640645abeba0210c7bb760d5241cec41c188580c8e9274f5a57e982dd9ac47
SHA512: 2d30930cd749bf2886fee6cf745926d516ec6967d5044d88ea0f2d550277a41ccf61fad711ed25b447820dd2c4d4241213e4d658326e35bab5fabe54d1df0987