Analysis
max time kernel: 149s
max time network: 123s
platform: windows7_x64
resource: win7-20240704-en
resource tags: arch:x64, arch:x86, image:win7-20240704-en, locale:en-us, os:windows7-x64, system
submitted: 20-07-2024 04:53
Static task: static1
Behavioral task: behavioral1
  Sample: 5f1793d3ffb3795933fbc89a26af14a6_JaffaCakes118.exe
  Resource: win7-20240704-en
Behavioral task: behavioral2
  Sample: 5f1793d3ffb3795933fbc89a26af14a6_JaffaCakes118.exe
  Resource: win10v2004-20240709-en
General
Target: 5f1793d3ffb3795933fbc89a26af14a6_JaffaCakes118.exe
Size: 356KB
MD5: 5f1793d3ffb3795933fbc89a26af14a6
SHA1: d9549074e85a42a6293730ce5774b99fd25b05fd
SHA256: 6b7209dc4b89c3a82a7be457ff09734a4547e935d9ad0e336addba90f3a50626
SHA512: cb995b1ca2e655085b1bd0db3791260f5b760d40c4eb8edc76794bc8b1fcf9c47879f1157d30bd20d0aec0d2c0a23aeaafe279a8f4f32abbd0e0d955bfc6ea86
SSDEEP: 6144:CN/SNNZ7+/EufNb0zEAlAgBarMg+5VYbKuXjFaWiHO8zGK3z4:CN/KO//F0JLYri5ybKuEWit3z4
Malware Config
Signatures

Detect XtremeRAT payload (6 IoCs)
resource | yara_rule
behavioral1/files/0x0009000000015ebb-6.dat | family_xtremerat
behavioral1/memory/2704-17-0x0000000010000000-0x0000000010045000-memory.dmp | family_xtremerat
behavioral1/memory/2704-20-0x0000000010000000-0x0000000010045000-memory.dmp | family_xtremerat
behavioral1/memory/2728-23-0x0000000010000000-0x0000000010045000-memory.dmp | family_xtremerat
behavioral1/memory/2704-27-0x0000000010000000-0x0000000010045000-memory.dmp | family_xtremerat
behavioral1/memory/2728-47-0x0000000010000000-0x0000000010045000-memory.dmp | family_xtremerat
XtremeRAT
XtremeRAT was developed by xtremecoder, has been available since at least 2010, and is written in Delphi.
Boot or Logon Autostart Execution: Active Setup (2 TTPs, 4 IoCs)
Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.
description | ioc | Process
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2} | svchost.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}\StubPath = "C:\\Windows\\InstallDir\\Server.exe" | svchost.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2} | server.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}\StubPath = "C:\\Windows\\InstallDir\\Server.exe restart" | server.exe
Executes dropped EXE (1 IoC)
pid | Process
2728 | server.exe

Loads dropped DLL (3 IoCs)
pid | Process
2844 | 5f1793d3ffb3795933fbc89a26af14a6_JaffaCakes118.exe
2844 | 5f1793d3ffb3795933fbc89a26af14a6_JaffaCakes118.exe
2728 | server.exe
Adds Run key to start application (2 TTPs, 6 IoCs)
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" | 5f1793d3ffb3795933fbc89a26af14a6_JaffaCakes118.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Windows\\InstallDir\\Server.exe" | server.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Windows\\InstallDir\\Server.exe" | server.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKCU = "㩃啜敳獲䅜浤湩䅜灰慄慴䱜捯污呜浥屰塉ぐ〰吮偍獜牥敶\u2e72硥e엸က엸က㼬" | server.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Windows\\InstallDir\\Server.exe" | svchost.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Windows\\InstallDir\\Server.exe" | svchost.exe
Drops file in Windows directory (3 IoCs)
description | ioc | Process
File opened for modification | C:\Windows\InstallDir\Server.exe | server.exe
File created | C:\Windows\InstallDir\Server.exe | server.exe
File opened for modification | C:\Windows\InstallDir\ | server.exe
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).

Suspicious use of SetWindowsHookEx (1 IoC)
pid | Process
2728 | server.exe

Suspicious use of WriteProcessMemory (15 IoCs)
description | pid | Process | procid_target
PID 2844 wrote to memory of 2728 | 2844 | 5f1793d3ffb3795933fbc89a26af14a6_JaffaCakes118.exe | 30
PID 2844 wrote to memory of 2728 | 2844 | 5f1793d3ffb3795933fbc89a26af14a6_JaffaCakes118.exe | 30
PID 2844 wrote to memory of 2728 | 2844 | 5f1793d3ffb3795933fbc89a26af14a6_JaffaCakes118.exe | 30
PID 2844 wrote to memory of 2728 | 2844 | 5f1793d3ffb3795933fbc89a26af14a6_JaffaCakes118.exe | 30
PID 2844 wrote to memory of 2728 | 2844 | 5f1793d3ffb3795933fbc89a26af14a6_JaffaCakes118.exe | 30
PID 2844 wrote to memory of 2728 | 2844 | 5f1793d3ffb3795933fbc89a26af14a6_JaffaCakes118.exe | 30
PID 2844 wrote to memory of 2728 | 2844 | 5f1793d3ffb3795933fbc89a26af14a6_JaffaCakes118.exe | 30
PID 2728 wrote to memory of 2704 | 2728 | server.exe | 31
PID 2728 wrote to memory of 2704 | 2728 | server.exe | 31
PID 2728 wrote to memory of 2704 | 2728 | server.exe | 31
PID 2728 wrote to memory of 2704 | 2728 | server.exe | 31
PID 2728 wrote to memory of 2704 | 2728 | server.exe | 31
PID 2728 wrote to memory of 2704 | 2728 | server.exe | 31
PID 2728 wrote to memory of 2704 | 2728 | server.exe | 31
PID 2728 wrote to memory of 2704 | 2728 | server.exe | 31
Processes
C:\Users\Admin\AppData\Local\Temp\5f1793d3ffb3795933fbc89a26af14a6_JaffaCakes118.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\5f1793d3ffb3795933fbc89a26af14a6_JaffaCakes118.exe"
  - Loads dropped DLL
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID: 2844
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\server.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\server.exe
    - Boot or Logon Autostart Execution: Active Setup
    - Executes dropped EXE
    - Loads dropped DLL
    - Adds Run key to start application
    - Drops file in Windows directory
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID: 2728
    C:\Windows\SysWOW64\svchost.exe
      Command line: svchost.exe
      - Boot or Logon Autostart Execution: Active Setup
      - Adds Run key to start application
      PID: 2704
Network
MITRE ATT&CK Enterprise v15
Downloads
Filesize: 52KB
MD5: e4bbce796cd9b358256f890365046bbe
SHA1: 3c0d48a67b8d20e983ccf5cf3003c5d1cefec6ad
SHA256: e05c381832247e8917b3ae342314242a7120b64299629cb3d9f260edf5de3d81
SHA512: c6130b45be1883db20f9fef3a57fa208367d87c96941378edd4e9214c77c9e2d7baa8e0b4d75c4eaa32ccabbb34f952a085175e3a51317e451f75d8ac5eefa26