Analysis
-
max time kernel
112s
max time network
132s
platform
windows10-2004_x64
resource
win10v2004-20240709-en
resource tags
arch:x64, arch:x86, image:win10v2004-20240709-en, locale:en-us, os:windows10-2004-x64, system
submitted
19-07-2024 20:44
Static task
static1
Behavioral task
behavioral1
Sample
5d97f256c1d8584001991b794bd2c3ea_JaffaCakes118.exe
Resource
win7-20240705-en
Behavioral task
behavioral2
Sample
5d97f256c1d8584001991b794bd2c3ea_JaffaCakes118.exe
Resource
win10v2004-20240709-en
General
-
Target
5d97f256c1d8584001991b794bd2c3ea_JaffaCakes118.exe
-
Size
86KB
-
MD5
5d97f256c1d8584001991b794bd2c3ea
-
SHA1
f00ecc7bf06f3c045a472c6a9adcdd2c0c78900b
-
SHA256
cd037732ed2cb703b893532714351df1d0f495ff0adbcd8a1a98d72114a98c53
-
SHA512
98a269562465b69d21fd327e4a39cd6fe76af079e70a648e384efa01b6bea2c833777b1681146b1fe6f1f216dbced9d9cf3278eeac57880b821530c98a59cc35
-
SSDEEP
1536:bLL7WmOwpujCEDCNrnD77Tv0eD1taRcKJe3sE:bLL7WmdujrCNTRqJe3sE
Malware Config
Extracted
Family  xtremerat
C2  sucucha.no-ip.biz (dynamic DNS hostname)
Signatures
-
Detect XtremeRAT payload 3 IoCs
resource  yara_rule
behavioral2/memory/3732-13-0x0000000010000000-0x000000001004D000-memory.dmp  family_xtremerat
behavioral2/memory/220-15-0x0000000010000000-0x000000001004D000-memory.dmp  family_xtremerat
behavioral2/memory/3732-16-0x0000000010000000-0x000000001004D000-memory.dmp  family_xtremerat
XtremeRAT
XtremeRAT was developed by xtremecoder, is written in Delphi, and has been available since at least 2010.
-
Checks computer location settings 2 TTPs 1 IoCs
Looks up the country code configured in the registry, likely a geofence check.
description  ioc  Process
Key value queried  \REGISTRY\USER\S-1-5-21-2636447293-1148739154-93880854-1000\Control Panel\International\Geo\Nation  5d97f256c1d8584001991b794bd2c3ea_JaffaCakes118.exe
Executes dropped EXE 2 IoCs
pid  Process
220  server.exe
2584  Sever_Creado.exe
UPX packed file 5 IoCs
The yara rule upx matches the dropped file and the same 0x10000000-0x1004D000 region in both server.exe and svchost.exe.
resource  yara_rule
behavioral2/files/0x00080000000234c7-8.dat  upx
behavioral2/memory/220-12-0x0000000010000000-0x000000001004D000-memory.dmp  upx
behavioral2/memory/3732-13-0x0000000010000000-0x000000001004D000-memory.dmp  upx
behavioral2/memory/220-15-0x0000000010000000-0x000000001004D000-memory.dmp  upx
behavioral2/memory/3732-16-0x0000000010000000-0x000000001004D000-memory.dmp  upx
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Program crash 2 IoCs
pid  pid_target  Process  procid_target
1212  3732  WerFault.exe  88
2152  3732  WerFault.exe  88
Modifies registry class 3 IoCs
description  ioc  Process
Key created  \REGISTRY\USER\S-1-5-21-2636447293-1148739154-93880854-1000_Classes\MIME\Database  Sever_Creado.exe
Key created  \REGISTRY\MACHINE\SOFTWARE\Classes\MIME\Database\Charset  Sever_Creado.exe
Key created  \REGISTRY\MACHINE\SOFTWARE\Classes\MIME\Database\Codepage  Sever_Creado.exe
Note: RegCreateKey on an existing key simply opens it, and the MIME\Database\Charset and Codepage keys are ones the MLang/urlmon charset components open routinely; nothing here is a persistence entry.
Suspicious use of SetWindowsHookEx 2 IoCs
pid  Process
2584  Sever_Creado.exe
2584  Sever_Creado.exe
Note: the report records the SetWindowsHookEx calls but not the hook type, so whether this is a keyboard hook (keylogging) cannot be read from this page alone.
Suspicious use of WriteProcessMemory 13 IoCs
description  pid  Process  procid_target
PID 2236 wrote to memory of 220  2236  5d97f256c1d8584001991b794bd2c3ea_JaffaCakes118.exe  87
PID 2236 wrote to memory of 220  2236  5d97f256c1d8584001991b794bd2c3ea_JaffaCakes118.exe  87
PID 2236 wrote to memory of 220  2236  5d97f256c1d8584001991b794bd2c3ea_JaffaCakes118.exe  87
PID 220 wrote to memory of 3732  220  server.exe  88
PID 220 wrote to memory of 3732  220  server.exe  88
PID 220 wrote to memory of 3732  220  server.exe  88
PID 220 wrote to memory of 3732  220  server.exe  88
PID 220 wrote to memory of 5000  220  server.exe  89
PID 220 wrote to memory of 5000  220  server.exe  89
PID 220 wrote to memory of 5000  220  server.exe  89
PID 2236 wrote to memory of 2584  2236  5d97f256c1d8584001991b794bd2c3ea_JaffaCakes118.exe  95
PID 2236 wrote to memory of 2584  2236  5d97f256c1d8584001991b794bd2c3ea_JaffaCakes118.exe  95
PID 2236 wrote to memory of 2584  2236  5d97f256c1d8584001991b794bd2c3ea_JaffaCakes118.exe  95
Processes
C:\Users\Admin\AppData\Local\Temp\5d97f256c1d8584001991b794bd2c3ea_JaffaCakes118.exe (depth 1, PID: 2236)
  command line: "C:\Users\Admin\AppData\Local\Temp\5d97f256c1d8584001991b794bd2c3ea_JaffaCakes118.exe"
  - Checks computer location settings
  - Suspicious use of WriteProcessMemory
  C:\Users\Admin\AppData\Local\Temp\server.exe (depth 2, PID: 220)
    command line: "C:\Users\Admin\AppData\Local\Temp\server.exe"
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    C:\Windows\SysWOW64\svchost.exe (depth 3, PID: 3732)
      command line: svchost.exe
      C:\Windows\SysWOW64\WerFault.exe (depth 4, PID: 1212)
        command line: C:\Windows\SysWOW64\WerFault.exe -u -p 3732 -s 484
        - Program crash
      C:\Windows\SysWOW64\WerFault.exe (depth 4, PID: 2152)
        command line: C:\Windows\SysWOW64\WerFault.exe -u -p 3732 -s 504
        - Program crash
    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (depth 3, PID: 5000)
      command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
  C:\Users\Admin\AppData\Local\Temp\Sever_Creado.exe (depth 2, PID: 2584)
    command line: "C:\Users\Admin\AppData\Local\Temp\Sever_Creado.exe"
    - Executes dropped EXE
    - Modifies registry class
    - Suspicious use of SetWindowsHookEx
C:\Windows\SysWOW64\WerFault.exe (depth 1, PID: 1616)
  command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 376 -p 3732 -ip 3732
C:\Windows\SysWOW64\WerFault.exe (depth 1, PID: 2092)
  command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 528 -p 3732 -ip 3732
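Reading the WriteProcessMemory table, the two yara_rule memory hits and the process tree together, as an added example that is not part of the sandbox report: the script below collapses the repeated write rows to distinct source/target pairs, rebuilds the launch graph, flags the one write that goes from a dropped file in the user's Temp directory into a Windows system image (server.exe into the 32-bit svchost.exe under SysWOW64, the same PID 3732 that both WerFault entries report as crashing), and shows that the region 0x10000000-0x1004D000 matched by both family_xtremerat and upx is present in server.exe and svchost.exe alike, i.e. the unpacked XtremeRAT module lives in both. The rows and image paths embedded in the script are transcribed from this page; the SYSTEM_DIRS/USER_WRITABLE prefix heuristic is an assumption of the example, not a sandbox signature.

```python
import re
from collections import defaultdict

# Rows transcribed from the report's "Suspicious use of WriteProcessMemory" table. The sandbox
# logs one row per write call, so the same source/target pair appears several times.
WPM_EVENTS = """
PID 2236 wrote to memory of 220 2236 5d97f256c1d8584001991b794bd2c3ea_JaffaCakes118.exe 87
PID 2236 wrote to memory of 220 2236 5d97f256c1d8584001991b794bd2c3ea_JaffaCakes118.exe 87
PID 2236 wrote to memory of 220 2236 5d97f256c1d8584001991b794bd2c3ea_JaffaCakes118.exe 87
PID 220 wrote to memory of 3732 220 server.exe 88
PID 220 wrote to memory of 3732 220 server.exe 88
PID 220 wrote to memory of 3732 220 server.exe 88
PID 220 wrote to memory of 3732 220 server.exe 88
PID 220 wrote to memory of 5000 220 server.exe 89
PID 220 wrote to memory of 5000 220 server.exe 89
PID 220 wrote to memory of 5000 220 server.exe 89
PID 2236 wrote to memory of 2584 2236 5d97f256c1d8584001991b794bd2c3ea_JaffaCakes118.exe 95
PID 2236 wrote to memory of 2584 2236 5d97f256c1d8584001991b794bd2c3ea_JaffaCakes118.exe 95
PID 2236 wrote to memory of 2584 2236 5d97f256c1d8584001991b794bd2c3ea_JaffaCakes118.exe 95
"""

# YARA hits on memory dumps, transcribed from the report's two yara_rule tables.
YARA_HITS = """
behavioral2/memory/3732-13-0x0000000010000000-0x000000001004D000-memory.dmp family_xtremerat
behavioral2/memory/220-15-0x0000000010000000-0x000000001004D000-memory.dmp family_xtremerat
behavioral2/memory/3732-16-0x0000000010000000-0x000000001004D000-memory.dmp family_xtremerat
behavioral2/memory/220-12-0x0000000010000000-0x000000001004D000-memory.dmp upx
behavioral2/memory/3732-13-0x0000000010000000-0x000000001004D000-memory.dmp upx
behavioral2/memory/220-15-0x0000000010000000-0x000000001004D000-memory.dmp upx
behavioral2/memory/3732-16-0x0000000010000000-0x000000001004D000-memory.dmp upx
"""

# PID -> image path, transcribed from the report's process tree.
PROCESS_IMAGES = {
    2236: r"C:\Users\Admin\AppData\Local\Temp\5d97f256c1d8584001991b794bd2c3ea_JaffaCakes118.exe",
    220: r"C:\Users\Admin\AppData\Local\Temp\server.exe",
    3732: r"C:\Windows\SysWOW64\svchost.exe",
    5000: r"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe",
    2584: r"C:\Users\Admin\AppData\Local\Temp\Sever_Creado.exe",
}

# Columns: source PID, target PID, source PID again, source image, sandbox procid of the target.
EVENT_RE = re.compile(r"^PID (\d+) wrote to memory of (\d+) \d+ (\S+) (\d+)$")
MEM_RE = re.compile(r"memory/(\d+)-\d+-0x([0-9A-Fa-f]+)-0x([0-9A-Fa-f]+)-memory\.dmp (\S+)")

# Heuristic prefixes (assumption of this example): images a dropped file cannot be vs. where it lives.
SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")
USER_WRITABLE = ("c:\\users\\",)


def parse_events(text):
    """Collapse the table to distinct (source_pid, target_pid, source_image, procid) rows, in order."""
    distinct = []
    for line in text.strip().splitlines():
        m = EVENT_RE.match(line.strip())
        if m:
            row = (int(m[1]), int(m[2]), m[3], int(m[4]))
            if row not in distinct:
                distinct.append(row)
    return distinct


def build_tree(events):
    """Source PID -> list of PIDs it wrote into, i.e. the launch/injection graph."""
    tree = defaultdict(list)
    for src, dst, _, _ in events:
        if dst not in tree[src]:
            tree[src].append(dst)
    return dict(tree)


def find_injections(events, images):
    """Writes from a user-writable path into a Windows system image.

    The sandbox records the same event for an ordinary child launch (server.exe -> msedge.exe
    in this report), so the write alone is weak evidence; pairing it with a system-directory
    target, which a dropped file cannot be, is what separates injection from a plain spawn.
    """
    hits = []
    for src, dst, _, _ in events:
        s, t = images.get(src, "").lower(), images.get(dst, "").lower()
        if s.startswith(USER_WRITABLE) and t.startswith(SYSTEM_DIRS):
            hits.append((src, dst, images[dst]))
    return hits


def regions_by_rule(text):
    """(start, end) -> {rule: sorted PIDs}. One region hit by the same rules in two PIDs is one module in both."""
    out = defaultdict(lambda: defaultdict(set))
    for line in text.strip().splitlines():
        m = MEM_RE.search(line)
        if m:
            out[(int(m[2], 16), int(m[3], 16))][m[4]].add(int(m[1]))
    return {r: {rule: sorted(p) for rule, p in rules.items()} for r, rules in out.items()}


if __name__ == "__main__":
    ev = parse_events(WPM_EVENTS)
    print("launch graph:", build_tree(ev))
    for src, dst, image in find_injections(ev, PROCESS_IMAGES):
        print(f"injection candidate: {src} -> {dst} ({image})")
    for (start, end), rules in regions_by_rule(YARA_HITS).items():
        print(f"region 0x{start:08X}-0x{end:08X} ({end - start} bytes): {rules}")
```

The graph comes out as 2236 -> {220, 2584} and 220 -> {3732, 5000}; only 220 -> 3732 survives the path filter, and the single 0x4D000-byte region at 0x10000000 carries both rules in PIDs 220 and 3732.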
Network
MITRE ATT&CK Enterprise v15
Downloads
-
Filesize
24KB
MD5
f1c4308833a275cd4584a03928868f0f
SHA1
7d988a301fa336d52d215511ba6a9bf13d17770f
SHA256
e33e7b74b832ee49efb705824c5090c41833ba85c28f76ab33b815451fbb55b2
SHA512
b391b2ca2b1a7bbc9e284d9c586426e8394a93ed9f63facfc451324caa81878b493ed9d01bfe967b8e2712669a41352073bf59861cf6a557d3f532a928e4d25a
-
Filesize
33KB
MD5
57d785d83fafb9dd41b0b7da978781a9
SHA1
6b4a6864cf2c24097df3748c1ac0fbf1eb4c2d6c
SHA256
55ff4c1eab4dd284c9b08fb5d311f10a66bd3856c22f67ea036c08d885bfefbc
SHA512
f8deba7b85e4bfff073d406fdcb7484ddf1f236e0b4884a369d8942dd8ecba3a8949a126e2c4f97c1f803f55537674596afcb863712f6d293e9f084bdaadf5b2