Analysis
-
max time kernel
136s -
max time network
123s -
platform
windows10-2004_x64 -
resource
win10v2004-20240709-en -
resource tags
arch:x64arch:x86image:win10v2004-20240709-enlocale:en-usos:windows10-2004-x64system -
submitted
19-07-2024 20:04
Static task
static1
Behavioral task
behavioral1
Sample
5d789f67a2a4eb67b74952cf4310ecb2_JaffaCakes118.exe
Resource
win7-20240704-en
Behavioral task
behavioral2
Sample
5d789f67a2a4eb67b74952cf4310ecb2_JaffaCakes118.exe
Resource
win10v2004-20240709-en
General
-
Target
5d789f67a2a4eb67b74952cf4310ecb2_JaffaCakes118.exe
-
Size
237KB
-
MD5
5d789f67a2a4eb67b74952cf4310ecb2
-
SHA1
94c4e4f177cf86c879e4b9a179a9b19481e42a5b
-
SHA256
033575dfed11b3aad494bec5d1041b1076cdc75f6ab61407ecd2fa503c7f965a
-
SHA512
91e7fa12825a3559dbd4c96fa8261c29a5868d2279f007f9b3579e8a3b4bb71362fce7e213719e453b6718ef5fde7179e8ec98c115080f755d8f03bd042253bc
-
SSDEEP
6144:hOj6JqRe+3lnVW5GJZ2tNYLj8MfsrXRAD++wc1q4qqvqLO7:hKYqRr3NVzYKj86s2ScsQqLO7
Malware Config
Extracted
xtremerat
wach.no-ip.biz
Signatures
-
Detect XtremeRAT payload 4 IoCs
resource yara_rule behavioral2/memory/872-45-0x0000000010000000-0x0000000010048000-memory.dmp family_xtremerat behavioral2/memory/872-46-0x0000000010000000-0x0000000010048000-memory.dmp family_xtremerat behavioral2/memory/1800-49-0x0000000010000000-0x0000000010048000-memory.dmp family_xtremerat behavioral2/memory/1800-50-0x0000000010000000-0x0000000010048000-memory.dmp family_xtremerat -
XtremeRAT
The XtremeRAT was developed by xtremecoder and has been available since at least 2010, and written in Delphi.
-
Suspicious use of SetThreadContext 2 IoCs
description pid Process procid_target PID 2256 set thread context of 872 2256 5d789f67a2a4eb67b74952cf4310ecb2_JaffaCakes118.exe 86 PID 2256 set thread context of 0 2256 5d789f67a2a4eb67b74952cf4310ecb2_JaffaCakes118.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Program crash 2 IoCs
pid pid_target Process procid_target 2684 1800 WerFault.exe 87 3488 1800 WerFault.exe 87 -
Modifies registry class 3 IoCs
description ioc Process Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.key 5d789f67a2a4eb67b74952cf4310ecb2_JaffaCakes118.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.key\ 5d789f67a2a4eb67b74952cf4310ecb2_JaffaCakes118.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.key\ = "regfile" 5d789f67a2a4eb67b74952cf4310ecb2_JaffaCakes118.exe -
Suspicious use of SetWindowsHookEx 1 IoCs
pid Process 2256 5d789f67a2a4eb67b74952cf4310ecb2_JaffaCakes118.exe -
Suspicious use of WriteProcessMemory 30 IoCs
description pid Process procid_target PID 2256 wrote to memory of 872 2256 5d789f67a2a4eb67b74952cf4310ecb2_JaffaCakes118.exe 86 PID 2256 wrote to memory of 872 2256 5d789f67a2a4eb67b74952cf4310ecb2_JaffaCakes118.exe 86 PID 2256 wrote to memory of 872 2256 5d789f67a2a4eb67b74952cf4310ecb2_JaffaCakes118.exe 86 PID 2256 wrote to memory of 872 2256 5d789f67a2a4eb67b74952cf4310ecb2_JaffaCakes118.exe 86 PID 2256 wrote to memory of 872 2256 5d789f67a2a4eb67b74952cf4310ecb2_JaffaCakes118.exe 86 PID 2256 wrote to memory of 872 2256 5d789f67a2a4eb67b74952cf4310ecb2_JaffaCakes118.exe 86 PID 2256 wrote to memory of 872 2256 5d789f67a2a4eb67b74952cf4310ecb2_JaffaCakes118.exe 86 PID 2256 wrote to memory of 872 2256 5d789f67a2a4eb67b74952cf4310ecb2_JaffaCakes118.exe 86 PID 2256 wrote to memory of 872 2256 5d789f67a2a4eb67b74952cf4310ecb2_JaffaCakes118.exe 86 PID 2256 wrote to memory of 872 2256 5d789f67a2a4eb67b74952cf4310ecb2_JaffaCakes118.exe 86 PID 2256 wrote to memory of 872 2256 5d789f67a2a4eb67b74952cf4310ecb2_JaffaCakes118.exe 86 PID 2256 wrote to memory of 872 2256 5d789f67a2a4eb67b74952cf4310ecb2_JaffaCakes118.exe 86 PID 2256 wrote to memory of 872 2256 5d789f67a2a4eb67b74952cf4310ecb2_JaffaCakes118.exe 86 PID 2256 wrote to memory of 0 2256 5d789f67a2a4eb67b74952cf4310ecb2_JaffaCakes118.exe PID 2256 wrote to memory of 0 2256 5d789f67a2a4eb67b74952cf4310ecb2_JaffaCakes118.exe PID 2256 wrote to memory of 0 2256 5d789f67a2a4eb67b74952cf4310ecb2_JaffaCakes118.exe PID 2256 wrote to memory of 0 2256 5d789f67a2a4eb67b74952cf4310ecb2_JaffaCakes118.exe PID 2256 wrote to memory of 0 2256 5d789f67a2a4eb67b74952cf4310ecb2_JaffaCakes118.exe PID 2256 wrote to memory of 0 2256 5d789f67a2a4eb67b74952cf4310ecb2_JaffaCakes118.exe PID 2256 wrote to memory of 0 2256 5d789f67a2a4eb67b74952cf4310ecb2_JaffaCakes118.exe PID 2256 wrote to memory of 0 2256 5d789f67a2a4eb67b74952cf4310ecb2_JaffaCakes118.exe PID 2256 wrote to memory of 0 2256 5d789f67a2a4eb67b74952cf4310ecb2_JaffaCakes118.exe PID 2256 wrote to memory of 0 2256 5d789f67a2a4eb67b74952cf4310ecb2_JaffaCakes118.exe PID 872 wrote to memory of 1800 872 5d789f67a2a4eb67b74952cf4310ecb2_JaffaCakes118.exe 87 PID 872 wrote to memory of 1800 872 5d789f67a2a4eb67b74952cf4310ecb2_JaffaCakes118.exe 87 PID 872 wrote to memory of 1800 872 5d789f67a2a4eb67b74952cf4310ecb2_JaffaCakes118.exe 87 PID 872 wrote to memory of 1800 872 5d789f67a2a4eb67b74952cf4310ecb2_JaffaCakes118.exe 87 PID 872 wrote to memory of 2812 872 5d789f67a2a4eb67b74952cf4310ecb2_JaffaCakes118.exe 89 PID 872 wrote to memory of 2812 872 5d789f67a2a4eb67b74952cf4310ecb2_JaffaCakes118.exe 89 PID 872 wrote to memory of 2812 872 5d789f67a2a4eb67b74952cf4310ecb2_JaffaCakes118.exe 89
Processes
-
C:\Users\Admin\AppData\Local\Temp\5d789f67a2a4eb67b74952cf4310ecb2_JaffaCakes118.exe"C:\Users\Admin\AppData\Local\Temp\5d789f67a2a4eb67b74952cf4310ecb2_JaffaCakes118.exe"1⤵
- Suspicious use of SetThreadContext
- Modifies registry class
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2256 -
C:\Users\Admin\AppData\Local\Temp\5d789f67a2a4eb67b74952cf4310ecb2_JaffaCakes118.exe"C:\Users\Admin\AppData\Local\Temp\5d789f67a2a4eb67b74952cf4310ecb2_JaffaCakes118.exe"2⤵
- Suspicious use of WriteProcessMemory
PID:872 -
C:\Windows\SysWOW64\svchost.exesvchost.exe3⤵PID:1800
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 1800 -s 4804⤵
- Program crash
PID:2684
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 1800 -s 4884⤵
- Program crash
PID:3488
-
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"3⤵PID:2812
-
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 416 -p 1800 -ip 18001⤵PID:4804
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 516 -p 1800 -ip 18001⤵PID:4344