Malware Analysis Report

2025-01-02 02:46

Sample ID 240719-zh4xasyenm
Target 5d97f256c1d8584001991b794bd2c3ea_JaffaCakes118
SHA256 cd037732ed2cb703b893532714351df1d0f495ff0adbcd8a1a98d72114a98c53
Tags
xtremerat persistence rat spyware upx
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

cd037732ed2cb703b893532714351df1d0f495ff0adbcd8a1a98d72114a98c53

Threat Level: Known bad

The file 5d97f256c1d8584001991b794bd2c3ea_JaffaCakes118 was found to be: Known bad.

Malicious Activity Summary

xtremerat persistence rat spyware upx

Detect XtremeRAT payload

XtremeRAT

Checks computer location settings

Executes dropped EXE

Loads dropped DLL

UPX packed file

Unsigned PE

Program crash

Enumerates physical storage devices

Modifies registry class

Suspicious use of SetWindowsHookEx

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-07-19 20:44

Signatures

Unsigned PE

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-07-19 20:44

Reported

2024-07-19 20:46

Platform

win7-20240705-en

Max time kernel

149s

Max time network

122s

Command Line

"C:\Users\Admin\AppData\Local\Temp\5d97f256c1d8584001991b794bd2c3ea_JaffaCakes118.exe"

Signatures

Detect XtremeRAT payload

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A

XtremeRAT

persistence spyware rat xtremerat

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\server.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Sever_Creado.exe | N/A

UPX packed file

upx
Description | Indicator | Process | Target
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A

Enumerates physical storage devices

Modifies registry class

Description | Indicator | Process | Target
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\MIME\Database | C:\Users\Admin\AppData\Local\Temp\Sever_Creado.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\MIME\Database\Charset | C:\Users\Admin\AppData\Local\Temp\Sever_Creado.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\MIME\Database\Codepage | C:\Users\Admin\AppData\Local\Temp\Sever_Creado.exe | N/A

Suspicious use of SetWindowsHookEx

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Sever_Creado.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Sever_Creado.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 2576 wrote to memory of 3064 | N/A | C:\Users\Admin\AppData\Local\Temp\5d97f256c1d8584001991b794bd2c3ea_JaffaCakes118.exe | C:\Users\Admin\AppData\Local\Temp\server.exe
PID 2576 wrote to memory of 3064 | N/A | C:\Users\Admin\AppData\Local\Temp\5d97f256c1d8584001991b794bd2c3ea_JaffaCakes118.exe | C:\Users\Admin\AppData\Local\Temp\server.exe
PID 2576 wrote to memory of 3064 | N/A | C:\Users\Admin\AppData\Local\Temp\5d97f256c1d8584001991b794bd2c3ea_JaffaCakes118.exe | C:\Users\Admin\AppData\Local\Temp\server.exe
PID 2576 wrote to memory of 3064 | N/A | C:\Users\Admin\AppData\Local\Temp\5d97f256c1d8584001991b794bd2c3ea_JaffaCakes118.exe | C:\Users\Admin\AppData\Local\Temp\server.exe
PID 3064 wrote to memory of 2912 | N/A | C:\Users\Admin\AppData\Local\Temp\server.exe | C:\Windows\SysWOW64\svchost.exe
PID 3064 wrote to memory of 2912 | N/A | C:\Users\Admin\AppData\Local\Temp\server.exe | C:\Windows\SysWOW64\svchost.exe
PID 3064 wrote to memory of 2912 | N/A | C:\Users\Admin\AppData\Local\Temp\server.exe | C:\Windows\SysWOW64\svchost.exe
PID 3064 wrote to memory of 2912 | N/A | C:\Users\Admin\AppData\Local\Temp\server.exe | C:\Windows\SysWOW64\svchost.exe
PID 3064 wrote to memory of 2912 | N/A | C:\Users\Admin\AppData\Local\Temp\server.exe | C:\Windows\SysWOW64\svchost.exe
PID 3064 wrote to memory of 2296 | N/A | C:\Users\Admin\AppData\Local\Temp\server.exe | C:\Program Files\Internet Explorer\iexplore.exe
PID 3064 wrote to memory of 2296 | N/A | C:\Users\Admin\AppData\Local\Temp\server.exe | C:\Program Files\Internet Explorer\iexplore.exe
PID 3064 wrote to memory of 2296 | N/A | C:\Users\Admin\AppData\Local\Temp\server.exe | C:\Program Files\Internet Explorer\iexplore.exe
PID 3064 wrote to memory of 2296 | N/A | C:\Users\Admin\AppData\Local\Temp\server.exe | C:\Program Files\Internet Explorer\iexplore.exe
PID 3064 wrote to memory of 2296 | N/A | C:\Users\Admin\AppData\Local\Temp\server.exe | C:\Program Files\Internet Explorer\iexplore.exe
PID 2576 wrote to memory of 2708 | N/A | C:\Users\Admin\AppData\Local\Temp\5d97f256c1d8584001991b794bd2c3ea_JaffaCakes118.exe | C:\Users\Admin\AppData\Local\Temp\Sever_Creado.exe
PID 2576 wrote to memory of 2708 | N/A | C:\Users\Admin\AppData\Local\Temp\5d97f256c1d8584001991b794bd2c3ea_JaffaCakes118.exe | C:\Users\Admin\AppData\Local\Temp\Sever_Creado.exe
PID 2576 wrote to memory of 2708 | N/A | C:\Users\Admin\AppData\Local\Temp\5d97f256c1d8584001991b794bd2c3ea_JaffaCakes118.exe | C:\Users\Admin\AppData\Local\Temp\Sever_Creado.exe
PID 2576 wrote to memory of 2708 | N/A | C:\Users\Admin\AppData\Local\Temp\5d97f256c1d8584001991b794bd2c3ea_JaffaCakes118.exe | C:\Users\Admin\AppData\Local\Temp\Sever_Creado.exe

Processes

C:\Users\Admin\AppData\Local\Temp\5d97f256c1d8584001991b794bd2c3ea_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\5d97f256c1d8584001991b794bd2c3ea_JaffaCakes118.exe"

C:\Users\Admin\AppData\Local\Temp\server.exe

"C:\Users\Admin\AppData\Local\Temp\server.exe"

C:\Windows\SysWOW64\svchost.exe

svchost.exe

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe"

C:\Users\Admin\AppData\Local\Temp\Sever_Creado.exe

"C:\Users\Admin\AppData\Local\Temp\Sever_Creado.exe"

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | smtp.gmail.com | udp
NL | 108.177.119.108:465 | smtp.gmail.com | tcp

Files

memory/2576-0-0x0000000074221000-0x0000000074222000-memory.dmp

memory/2576-1-0x0000000074220000-0x00000000747CB000-memory.dmp

memory/2576-2-0x0000000074220000-0x00000000747CB000-memory.dmp

\Users\Admin\AppData\Local\Temp\server.exe

MD5 57d785d83fafb9dd41b0b7da978781a9
SHA1 6b4a6864cf2c24097df3748c1ac0fbf1eb4c2d6c
SHA256 55ff4c1eab4dd284c9b08fb5d311f10a66bd3856c22f67ea036c08d885bfefbc
SHA512 f8deba7b85e4bfff073d406fdcb7484ddf1f236e0b4884a369d8942dd8ecba3a8949a126e2c4f97c1f803f55537674596afcb863712f6d293e9f084bdaadf5b2

memory/2576-14-0x0000000010000000-0x000000001004D000-memory.dmp

memory/3064-15-0x0000000010000000-0x000000001004D000-memory.dmp

memory/2576-13-0x0000000010000000-0x000000001004D000-memory.dmp

memory/2912-18-0x0000000010000000-0x000000001004D000-memory.dmp

memory/2912-16-0x0000000010000000-0x000000001004D000-memory.dmp

memory/3064-19-0x0000000010000000-0x000000001004D000-memory.dmp

\Users\Admin\AppData\Local\Temp\Sever_Creado.exe

MD5 f1c4308833a275cd4584a03928868f0f
SHA1 7d988a301fa336d52d215511ba6a9bf13d17770f
SHA256 e33e7b74b832ee49efb705824c5090c41833ba85c28f76ab33b815451fbb55b2
SHA512 b391b2ca2b1a7bbc9e284d9c586426e8394a93ed9f63facfc451324caa81878b493ed9d01bfe967b8e2712669a41352073bf59861cf6a557d3f532a928e4d25a

memory/2576-31-0x0000000074220000-0x00000000747CB000-memory.dmp

memory/2912-32-0x0000000010000000-0x000000001004D000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-07-19 20:44

Reported

2024-07-19 20:46

Platform

win10v2004-20240709-en

Max time kernel

112s

Max time network

132s

Command Line

"C:\Users\Admin\AppData\Local\Temp\5d97f256c1d8584001991b794bd2c3ea_JaffaCakes118.exe"

Signatures

Detect XtremeRAT payload

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A

XtremeRAT

persistence spyware rat xtremerat

Checks computer location settings

Description | Indicator | Process | Target
Key value queried | \REGISTRY\USER\S-1-5-21-2636447293-1148739154-93880854-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\5d97f256c1d8584001991b794bd2c3ea_JaffaCakes118.exe | N/A

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\server.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Sever_Creado.exe | N/A

UPX packed file

upx
Description | Indicator | Process | Target
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A

Enumerates physical storage devices

Modifies registry class

Description | Indicator | Process | Target
Key created | \REGISTRY\USER\S-1-5-21-2636447293-1148739154-93880854-1000_Classes\MIME\Database | C:\Users\Admin\AppData\Local\Temp\Sever_Creado.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\MIME\Database\Charset | C:\Users\Admin\AppData\Local\Temp\Sever_Creado.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\MIME\Database\Codepage | C:\Users\Admin\AppData\Local\Temp\Sever_Creado.exe | N/A

Suspicious use of SetWindowsHookEx

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Sever_Creado.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Sever_Creado.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 2236 wrote to memory of 220 | N/A | C:\Users\Admin\AppData\Local\Temp\5d97f256c1d8584001991b794bd2c3ea_JaffaCakes118.exe | C:\Users\Admin\AppData\Local\Temp\server.exe
PID 2236 wrote to memory of 220 | N/A | C:\Users\Admin\AppData\Local\Temp\5d97f256c1d8584001991b794bd2c3ea_JaffaCakes118.exe | C:\Users\Admin\AppData\Local\Temp\server.exe
PID 2236 wrote to memory of 220 | N/A | C:\Users\Admin\AppData\Local\Temp\5d97f256c1d8584001991b794bd2c3ea_JaffaCakes118.exe | C:\Users\Admin\AppData\Local\Temp\server.exe
PID 220 wrote to memory of 3732 | N/A | C:\Users\Admin\AppData\Local\Temp\server.exe | C:\Windows\SysWOW64\svchost.exe
PID 220 wrote to memory of 3732 | N/A | C:\Users\Admin\AppData\Local\Temp\server.exe | C:\Windows\SysWOW64\svchost.exe
PID 220 wrote to memory of 3732 | N/A | C:\Users\Admin\AppData\Local\Temp\server.exe | C:\Windows\SysWOW64\svchost.exe
PID 220 wrote to memory of 3732 | N/A | C:\Users\Admin\AppData\Local\Temp\server.exe | C:\Windows\SysWOW64\svchost.exe
PID 220 wrote to memory of 5000 | N/A | C:\Users\Admin\AppData\Local\Temp\server.exe | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 220 wrote to memory of 5000 | N/A | C:\Users\Admin\AppData\Local\Temp\server.exe | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 220 wrote to memory of 5000 | N/A | C:\Users\Admin\AppData\Local\Temp\server.exe | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2236 wrote to memory of 2584 | N/A | C:\Users\Admin\AppData\Local\Temp\5d97f256c1d8584001991b794bd2c3ea_JaffaCakes118.exe | C:\Users\Admin\AppData\Local\Temp\Sever_Creado.exe
PID 2236 wrote to memory of 2584 | N/A | C:\Users\Admin\AppData\Local\Temp\5d97f256c1d8584001991b794bd2c3ea_JaffaCakes118.exe | C:\Users\Admin\AppData\Local\Temp\Sever_Creado.exe
PID 2236 wrote to memory of 2584 | N/A | C:\Users\Admin\AppData\Local\Temp\5d97f256c1d8584001991b794bd2c3ea_JaffaCakes118.exe | C:\Users\Admin\AppData\Local\Temp\Sever_Creado.exe

Processes

C:\Users\Admin\AppData\Local\Temp\5d97f256c1d8584001991b794bd2c3ea_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\5d97f256c1d8584001991b794bd2c3ea_JaffaCakes118.exe"

C:\Users\Admin\AppData\Local\Temp\server.exe

"C:\Users\Admin\AppData\Local\Temp\server.exe"

C:\Windows\SysWOW64\svchost.exe

svchost.exe

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 376 -p 3732 -ip 3732

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3732 -s 484

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 528 -p 3732 -ip 3732

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3732 -s 504

C:\Users\Admin\AppData\Local\Temp\Sever_Creado.exe

"C:\Users\Admin\AppData\Local\Temp\Sever_Creado.exe"

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | 133.32.126.40.in-addr.arpa | udp
US | 8.8.8.8:53 | 228.249.119.40.in-addr.arpa | udp
US | 8.8.8.8:53 | 36.56.20.217.in-addr.arpa | udp
US | 8.8.8.8:53 | 217.106.137.52.in-addr.arpa | udp
US | 8.8.8.8:53 | 26.165.165.52.in-addr.arpa | udp
US | 8.8.8.8:53 | 56.126.166.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 232.168.11.51.in-addr.arpa | udp
US | 8.8.8.8:53 | tse1.mm.bing.net | udp
US | 150.171.28.10:443 | tse1.mm.bing.net | tcp
US | 150.171.28.10:443 | tse1.mm.bing.net | tcp
US | 150.171.28.10:443 | tse1.mm.bing.net | tcp
US | 150.171.28.10:443 | tse1.mm.bing.net | tcp
US | 150.171.28.10:443 | tse1.mm.bing.net | tcp
US | 8.8.8.8:53 | 10.28.171.150.in-addr.arpa | udp
US | 8.8.8.8:53 | 81.144.22.2.in-addr.arpa | udp
US | 8.8.8.8:53 | smtp.gmail.com | udp
NL | 108.177.119.108:465 | smtp.gmail.com | tcp
US | 8.8.8.8:53 | 108.119.177.108.in-addr.arpa | udp
US | 8.8.8.8:53 | 19.229.111.52.in-addr.arpa | udp

Files

memory/2236-0-0x00000000747D2000-0x00000000747D3000-memory.dmp

memory/2236-1-0x00000000747D0000-0x0000000074D81000-memory.dmp

memory/2236-2-0x00000000747D0000-0x0000000074D81000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\server.exe

MD5 57d785d83fafb9dd41b0b7da978781a9
SHA1 6b4a6864cf2c24097df3748c1ac0fbf1eb4c2d6c
SHA256 55ff4c1eab4dd284c9b08fb5d311f10a66bd3856c22f67ea036c08d885bfefbc
SHA512 f8deba7b85e4bfff073d406fdcb7484ddf1f236e0b4884a369d8942dd8ecba3a8949a126e2c4f97c1f803f55537674596afcb863712f6d293e9f084bdaadf5b2

memory/220-12-0x0000000010000000-0x000000001004D000-memory.dmp

memory/3732-13-0x0000000010000000-0x000000001004D000-memory.dmp

memory/220-15-0x0000000010000000-0x000000001004D000-memory.dmp

memory/3732-16-0x0000000010000000-0x000000001004D000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\Sever_Creado.exe

MD5 f1c4308833a275cd4584a03928868f0f
SHA1 7d988a301fa336d52d215511ba6a9bf13d17770f
SHA256 e33e7b74b832ee49efb705824c5090c41833ba85c28f76ab33b815451fbb55b2
SHA512 b391b2ca2b1a7bbc9e284d9c586426e8394a93ed9f63facfc451324caa81878b493ed9d01bfe967b8e2712669a41352073bf59861cf6a557d3f532a928e4d25a

memory/2236-30-0x00000000747D0000-0x0000000074D81000-memory.dmp