Analysis
- max time kernel: 149s
- max time network: 122s
- platform: windows7_x64
- resource: win7-20240705-en
- resource tags: arch:x64, arch:x86, image:win7-20240705-en, locale:en-us, os:windows7-x64, system
- submitted: 19-07-2024 20:44
Static task: static1
Behavioral task: behavioral1
- Sample: 5d97f256c1d8584001991b794bd2c3ea_JaffaCakes118.exe
- Resource: win7-20240705-en
Behavioral task: behavioral2
- Sample: 5d97f256c1d8584001991b794bd2c3ea_JaffaCakes118.exe
- Resource: win10v2004-20240709-en
General
- Target: 5d97f256c1d8584001991b794bd2c3ea_JaffaCakes118.exe
- Size: 86KB
- MD5: 5d97f256c1d8584001991b794bd2c3ea
- SHA1: f00ecc7bf06f3c045a472c6a9adcdd2c0c78900b
- SHA256: cd037732ed2cb703b893532714351df1d0f495ff0adbcd8a1a98d72114a98c53
- SHA512: 98a269562465b69d21fd327e4a39cd6fe76af079e70a648e384efa01b6bea2c833777b1681146b1fe6f1f216dbced9d9cf3278eeac57880b821530c98a59cc35
- SSDEEP: 1536:bLL7WmOwpujCEDCNrnD77Tv0eD1taRcKJe3sE:bLL7WmdujrCNTRqJe3sE
Malware Config
Extracted
- Family: xtremerat
- C2: sucucha.no-ip.biz
Signatures
- Detect XtremeRAT payload (4 IoCs)
  resource | yara_rule
  behavioral1/memory/3064-15-0x0000000010000000-0x000000001004D000-memory.dmp | family_xtremerat
  behavioral1/memory/2912-18-0x0000000010000000-0x000000001004D000-memory.dmp | family_xtremerat
  behavioral1/memory/3064-19-0x0000000010000000-0x000000001004D000-memory.dmp | family_xtremerat
  behavioral1/memory/2912-32-0x0000000010000000-0x000000001004D000-memory.dmp | family_xtremerat
- XtremeRAT
  XtremeRAT was developed by xtremecoder, is written in Delphi, and has been available since at least 2010.
- Executes dropped EXE (2 IoCs)
  pid | Process
  3064 | server.exe
  2708 | Sever_Creado.exe
- Loads dropped DLL (4 IoCs)
  pid | Process
  2576 | 5d97f256c1d8584001991b794bd2c3ea_JaffaCakes118.exe  (listed 4 times)
- resource | yara_rule
  behavioral1/files/0x0008000000015dca-6.dat | upx
  behavioral1/memory/3064-15-0x0000000010000000-0x000000001004D000-memory.dmp | upx
  behavioral1/memory/2576-13-0x0000000010000000-0x000000001004D000-memory.dmp | upx
  behavioral1/memory/2912-18-0x0000000010000000-0x000000001004D000-memory.dmp | upx
  behavioral1/memory/3064-19-0x0000000010000000-0x000000001004D000-memory.dmp | upx
  behavioral1/memory/2912-32-0x0000000010000000-0x000000001004D000-memory.dmp | upx
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s).
- Modifies registry class (3 IoCs)
  description | ioc | Process
  Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\MIME\Database | Sever_Creado.exe
  Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\MIME\Database\Charset | Sever_Creado.exe
  Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\MIME\Database\Codepage | Sever_Creado.exe
- Suspicious use of SetWindowsHookEx (2 IoCs)
  pid | Process
  2708 | Sever_Creado.exe  (listed 2 times)
- Suspicious use of WriteProcessMemory (18 IoCs)
  description | pid | Process | procid_target
  PID 2576 wrote to memory of 3064 | 2576 | 5d97f256c1d8584001991b794bd2c3ea_JaffaCakes118.exe | 30  (listed 4 times)
  PID 3064 wrote to memory of 2912 | 3064 | server.exe | 31  (listed 5 times)
  PID 3064 wrote to memory of 2296 | 3064 | server.exe | 32  (listed 5 times)
  PID 2576 wrote to memory of 2708 | 2576 | 5d97f256c1d8584001991b794bd2c3ea_JaffaCakes118.exe | 33  (listed 4 times)
Processes
- C:\Users\Admin\AppData\Local\Temp\5d97f256c1d8584001991b794bd2c3ea_JaffaCakes118.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\5d97f256c1d8584001991b794bd2c3ea_JaffaCakes118.exe"
  Depth 1, PID 2576
  Signatures: Loads dropped DLL; Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\server.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\server.exe"
    Depth 2, PID 3064
    Signatures: Executes dropped EXE; Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\svchost.exe
      Command line: svchost.exe
      Depth 3, PID 2912
    - C:\Program Files\Internet Explorer\iexplore.exe
      Command line: "C:\Program Files\Internet Explorer\iexplore.exe"
      Depth 3, PID 2296
  - C:\Users\Admin\AppData\Local\Temp\Sever_Creado.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\Sever_Creado.exe"
    Depth 2, PID 2708
    Signatures: Executes dropped EXE; Modifies registry class; Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 24KB
  MD5: f1c4308833a275cd4584a03928868f0f
  SHA1: 7d988a301fa336d52d215511ba6a9bf13d17770f
  SHA256: e33e7b74b832ee49efb705824c5090c41833ba85c28f76ab33b815451fbb55b2
  SHA512: b391b2ca2b1a7bbc9e284d9c586426e8394a93ed9f63facfc451324caa81878b493ed9d01bfe967b8e2712669a41352073bf59861cf6a557d3f532a928e4d25a
- Filesize: 33KB
  MD5: 57d785d83fafb9dd41b0b7da978781a9
  SHA1: 6b4a6864cf2c24097df3748c1ac0fbf1eb4c2d6c
  SHA256: 55ff4c1eab4dd284c9b08fb5d311f10a66bd3856c22f67ea036c08d885bfefbc
  SHA512: f8deba7b85e4bfff073d406fdcb7484ddf1f236e0b4884a369d8942dd8ecba3a8949a126e2c4f97c1f803f55537674596afcb863712f6d293e9f084bdaadf5b2