Analysis

  • max time kernel
    149s
  • max time network
    123s
  • platform
    windows7_x64
  • resource
    win7-20240704-en
  • resource tags

    arch:x64arch:x86image:win7-20240704-enlocale:en-usos:windows7-x64system
  • submitted
    20-07-2024 04:53

General

  • Target

    5f1793d3ffb3795933fbc89a26af14a6_JaffaCakes118.exe

  • Size

    356KB

  • MD5

    5f1793d3ffb3795933fbc89a26af14a6

  • SHA1

    d9549074e85a42a6293730ce5774b99fd25b05fd

  • SHA256

    6b7209dc4b89c3a82a7be457ff09734a4547e935d9ad0e336addba90f3a50626

  • SHA512

    cb995b1ca2e655085b1bd0db3791260f5b760d40c4eb8edc76794bc8b1fcf9c47879f1157d30bd20d0aec0d2c0a23aeaafe279a8f4f32abbd0e0d955bfc6ea86

  • SSDEEP

    6144:CN/SNNZ7+/EufNb0zEAlAgBarMg+5VYbKuXjFaWiHO8zGK3z4:CN/KO//F0JLYri5ybKuEWit3z4

Malware Config

Signatures

  • Detect XtremeRAT payload 6 IoCs
  • XtremeRAT

    The XtremeRAT was developed by xtremecoder and has been available since at least 2010, and written in Delphi.

  • Boot or Logon Autostart Execution: Active Setup 2 TTPs 4 IoCs

    Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 3 IoCs
  • Adds Run key to start application 2 TTPs 6 IoCs
  • Drops file in Windows directory 3 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 15 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\5f1793d3ffb3795933fbc89a26af14a6_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\5f1793d3ffb3795933fbc89a26af14a6_JaffaCakes118.exe"
    1⤵
    • Loads dropped DLL
    • Adds Run key to start application
    • Suspicious use of WriteProcessMemory
    PID:2844
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\server.exe
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\server.exe
      2⤵
      • Boot or Logon Autostart Execution: Active Setup
      • Executes dropped EXE
      • Loads dropped DLL
      • Adds Run key to start application
      • Drops file in Windows directory
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:2728
      • C:\Windows\SysWOW64\svchost.exe
        svchost.exe
        3⤵
        • Boot or Logon Autostart Execution: Active Setup
        • Adds Run key to start application
        PID:2704

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • \Users\Admin\AppData\Local\Temp\IXP000.TMP\server.exe

    Filesize

    52KB

    MD5

    e4bbce796cd9b358256f890365046bbe

    SHA1

    3c0d48a67b8d20e983ccf5cf3003c5d1cefec6ad

    SHA256

    e05c381832247e8917b3ae342314242a7120b64299629cb3d9f260edf5de3d81

    SHA512

    c6130b45be1883db20f9fef3a57fa208367d87c96941378edd4e9214c77c9e2d7baa8e0b4d75c4eaa32ccabbb34f952a085175e3a51317e451f75d8ac5eefa26

  • memory/2704-16-0x0000000010000000-0x0000000010045000-memory.dmp

    Filesize

    276KB

  • memory/2704-17-0x0000000010000000-0x0000000010045000-memory.dmp

    Filesize

    276KB

  • memory/2704-20-0x0000000010000000-0x0000000010045000-memory.dmp

    Filesize

    276KB

  • memory/2704-27-0x0000000010000000-0x0000000010045000-memory.dmp

    Filesize

    276KB

  • memory/2728-23-0x0000000010000000-0x0000000010045000-memory.dmp

    Filesize

    276KB

  • memory/2728-47-0x0000000010000000-0x0000000010045000-memory.dmp

    Filesize

    276KB

  • memory/2844-1-0x0000000001000000-0x0000000001059000-memory.dmp

    Filesize

    356KB

  • memory/2844-3-0x0000000001000000-0x0000000001059000-memory.dmp

    Filesize

    356KB

  • memory/2844-0-0x0000000001001000-0x0000000001003000-memory.dmp

    Filesize

    8KB

  • memory/2844-22-0x0000000001000000-0x0000000001059000-memory.dmp

    Filesize

    356KB

  • memory/2844-24-0x0000000001001000-0x0000000001003000-memory.dmp

    Filesize

    8KB