Analysis
max time kernel: 134s
max time network: 104s
platform: windows10-2004_x64
resource: win10v2004-20240802-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240802-en, locale:en-us, os:windows10-2004-x64, system
submitted: 26-08-2024 08:31
Static task: static1
Behavioral task: behavioral1
Sample: c2a189976102cd5e6939b66025764e04_JaffaCakes118.exe
Resource: win7-20240704-en
Note: the signature IoCs below are tagged behavioral2, i.e. they come from the win10v2004-20240802-en run described under Analysis, not from the win7 task listed here.
General
Target: c2a189976102cd5e6939b66025764e04_JaffaCakes118.exe
Size: 704KB
MD5: c2a189976102cd5e6939b66025764e04
SHA1: eaa3fe10bfa8952620025c8cfeef135ff57ab041
SHA256: d24478bb827dbfbc9fab5d0e124e04f0dc7bc74d226d86e6c1bd404de68a9788
SHA512: 2b53134e560abef63c0ecabed454a76772e1ef3506a66fe65297ea89cb5fe282a8e96a884c00a549f101153f12b208d471af16ee0d5d54649588cd18526ef93f
SSDEEP: 12288:t45MIjSBHm4JBOMO76QM3/+++lp1vHHVKV5gc0lvlF8qPBcIExFXDJiW7SI:tyDU/BOv6Q4+++BVMOlSqpctxviWOI
Malware Config
Extracted
Family: xtremerat
C2: ariloi99.no-ip.org
Signatures

Detect XtremeRAT payload (3 IoCs)
resource | yara_rule
behavioral2/memory/1856-22-0x0000000010000000-0x000000001004D000-memory.dmp | family_xtremerat
behavioral2/memory/2280-27-0x0000000010000000-0x000000001004D000-memory.dmp | family_xtremerat
behavioral2/memory/1856-31-0x0000000010000000-0x000000001004D000-memory.dmp | family_xtremerat
XtremeRAT
XtremeRAT was developed by xtremecoder, has been available since at least 2010, and is written in Delphi.

Checks computer location settings (2 TTPs, 1 IoC)
Looks up the country code configured in the registry, likely for geofencing.
description | ioc | Process
Key value queried | \REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\Control Panel\International\Geo\Nation | c2a189976102cd5e6939b66025764e04_JaffaCakes118.exe
Executes dropped EXE (2 IoCs)
pid | Process
3316 | LAUNCHER CHEAT-GAM3 V1.EXE
2280 | SERVER.EXE

UPX packed file (5 IoCs)
resource | yara_rule
behavioral2/files/0x0007000000023425-14.dat | upx
behavioral2/memory/2280-19-0x0000000010000000-0x000000001004D000-memory.dmp | upx
behavioral2/memory/1856-22-0x0000000010000000-0x000000001004D000-memory.dmp | upx
behavioral2/memory/2280-27-0x0000000010000000-0x000000001004D000-memory.dmp | upx
behavioral2/memory/1856-31-0x0000000010000000-0x000000001004D000-memory.dmp | upx
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).
Program crash (2 IoCs)
pid | pid_target | Process | procid_target
2712 | 1856 | WerFault.exe | 87
2192 | 1856 | WerFault.exe | 87
System Location Discovery: System Language Discovery (1 TTP, 4 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | LAUNCHER CHEAT-GAM3 V1.EXE
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | svchost.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | c2a189976102cd5e6939b66025764e04_JaffaCakes118.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | SERVER.EXE
Suspicious use of WriteProcessMemory (13 IoCs)
description | pid | Process | procid_target
PID 2532 wrote to memory of 3316 | 2532 | c2a189976102cd5e6939b66025764e04_JaffaCakes118.exe | 84
PID 2532 wrote to memory of 3316 | 2532 | c2a189976102cd5e6939b66025764e04_JaffaCakes118.exe | 84
PID 2532 wrote to memory of 3316 | 2532 | c2a189976102cd5e6939b66025764e04_JaffaCakes118.exe | 84
PID 2532 wrote to memory of 2280 | 2532 | c2a189976102cd5e6939b66025764e04_JaffaCakes118.exe | 85
PID 2532 wrote to memory of 2280 | 2532 | c2a189976102cd5e6939b66025764e04_JaffaCakes118.exe | 85
PID 2532 wrote to memory of 2280 | 2532 | c2a189976102cd5e6939b66025764e04_JaffaCakes118.exe | 85
PID 2280 wrote to memory of 1856 | 2280 | SERVER.EXE | 87
PID 2280 wrote to memory of 1856 | 2280 | SERVER.EXE | 87
PID 2280 wrote to memory of 1856 | 2280 | SERVER.EXE | 87
PID 2280 wrote to memory of 1856 | 2280 | SERVER.EXE | 87
PID 2280 wrote to memory of 64 | 2280 | SERVER.EXE | 89
PID 2280 wrote to memory of 64 | 2280 | SERVER.EXE | 89
PID 2280 wrote to memory of 64 | 2280 | SERVER.EXE | 89
Processes

C:\Users\Admin\AppData\Local\Temp\c2a189976102cd5e6939b66025764e04_JaffaCakes118.exe (PID 2532)
  command line: "C:\Users\Admin\AppData\Local\Temp\c2a189976102cd5e6939b66025764e04_JaffaCakes118.exe"
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory

  C:\Users\Admin\AppData\Local\Temp\LAUNCHER CHEAT-GAM3 V1.EXE (PID 3316)
    command line: "C:\Users\Admin\AppData\Local\Temp\LAUNCHER CHEAT-GAM3 V1.EXE"
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery

  C:\Users\Admin\AppData\Local\Temp\SERVER.EXE (PID 2280)
    command line: "C:\Users\Admin\AppData\Local\Temp\SERVER.EXE"
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory

    C:\Windows\SysWOW64\svchost.exe (PID 1856)
      command line: svchost.exe
      - System Location Discovery: System Language Discovery

      C:\Windows\SysWOW64\WerFault.exe (PID 2712)
        command line: C:\Windows\SysWOW64\WerFault.exe -u -p 1856 -s 480
        - Program crash

      C:\Windows\SysWOW64\WerFault.exe (PID 2192)
        command line: C:\Windows\SysWOW64\WerFault.exe -u -p 1856 -s 488
        - Program crash

    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 64)
      command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"

C:\Windows\SysWOW64\WerFault.exe (PID 2108)
  command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 1856 -ip 1856

C:\Windows\SysWOW64\WerFault.exe (PID 748)
  command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 516 -p 1856 -ip 1856
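The signatures and process tree above show three behaviours a detection engineer would want to alert on: executables dropped into the user's Temp directory and launched from there, SERVER.EXE writing into the memory of a SysWOW64\svchost.exe it spawned itself (the XtremeRAT family rule then matches the same 0x10000000-0x1004D000 region in both processes), and lookups of the Geo\Nation and NLS\Language registry keys. The Python script below is an added example and is not part of the sandbox report or of any sandbox's own code: it replays the PIDs, image paths, memory-write counts and registry keys listed on this page as hand-constructed event records and runs four hunting checks over them. The record layout, the field names and the check logic are this example's own assumptions, not a Sysmon or sandbox schema.

```python
"""Hunting checks replayed over the process tree and IoC tables of the
sandbox report above. All event records are constructed by hand from the
page; field names and rules are this example's own convention."""
from collections import Counter, defaultdict

# Constructed from the "Processes" tree: (pid, parent pid, image path)
PROCESSES = [
    (2532, None, r"C:\Users\Admin\AppData\Local\Temp\c2a189976102cd5e6939b66025764e04_JaffaCakes118.exe"),
    (3316, 2532, r"C:\Users\Admin\AppData\Local\Temp\LAUNCHER CHEAT-GAM3 V1.EXE"),
    (2280, 2532, r"C:\Users\Admin\AppData\Local\Temp\SERVER.EXE"),
    (1856, 2280, r"C:\Windows\SysWOW64\svchost.exe"),
    (64,   2280, r"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"),
    (2712, 1856, r"C:\Windows\SysWOW64\WerFault.exe"),
    (2192, 1856, r"C:\Windows\SysWOW64\WerFault.exe"),
]

# Constructed from "Suspicious use of WriteProcessMemory": one (writer, target) per row
MEMORY_WRITES = [(2532, 3316)] * 3 + [(2532, 2280)] * 3 + [(2280, 1856)] * 4 + [(2280, 64)] * 3

# Constructed from the two registry signatures: (pid, key path)
REGISTRY_READS = [
    (2532, r"\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\Control Panel\International\Geo\Nation"),
    (3316, r"\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language"),
    (1856, r"\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language"),
    (2532, r"\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language"),
    (2280, r"\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language"),
]

IMAGE = {pid: image for pid, _, image in PROCESSES}

# Registry key suffixes that reveal the victim's locale/country (from the page's IoCs)
GEO_KEYS = ("\\control panel\\international\\geo\\nation", "\\control\\nls\\language")


def basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def in_user_temp(path):
    return "\\appdata\\local\\temp\\" in path.lower()


def is_system_binary(path):
    return path.lower().startswith("c:\\windows\\")


def rogue_svchost():
    """svchost.exe instances whose parent is not services.exe.
    A hunting heuristic, not proof of injection: tune it against real telemetry."""
    return [(pid, IMAGE.get(ppid)) for pid, ppid, image in PROCESSES
            if basename(image) == "svchost.exe"
            and basename(IMAGE.get(ppid, "")) != "services.exe"]


def temp_drop_execution():
    """Executables under the user's Temp directory started by another
    Temp-resident executable (the 'Executes dropped EXE' pattern)."""
    return [(pid, image) for pid, ppid, image in PROCESSES
            if in_user_temp(image) and ppid in IMAGE and in_user_temp(IMAGE[ppid])]


def suspicious_memory_writes():
    """Cross-process writes from a Temp-resident image into a process that is
    not itself Temp-resident, with the number of writes per (writer, target).
    Writes between the two Temp-resident binaries are deliberately ignored."""
    out = []
    for (writer, target), n in sorted(Counter(MEMORY_WRITES).items()):
        w, t = IMAGE[writer], IMAGE[target]
        if in_user_temp(w) and not in_user_temp(t):
            out.append({"writer": basename(w), "target": basename(t),
                        "target_pid": target, "writes": n,
                        "system_binary": is_system_binary(t)})
    return out


def geolocation_lookups():
    """Locale/country registry reads, grouped by the reading process image."""
    out = defaultdict(list)
    for pid, key in REGISTRY_READS:
        if any(key.lower().endswith(suffix) for suffix in GEO_KEYS):
            out[basename(IMAGE[pid])].append(key.rsplit("\\", 1)[-1])
    return dict(out)


def triage():
    return {"rogue_svchost": rogue_svchost(),
            "temp_drops": temp_drop_execution(),
            "memory_writes": suspicious_memory_writes(),
            "geo_lookups": geolocation_lookups()}


if __name__ == "__main__":
    for name, finding in triage().items():
        print(f"[{name}]")
        for item in (finding.items() if isinstance(finding, dict) else finding):
            print("  ", item)
```

On this report the checks isolate PID 1856 as a svchost.exe parented by SERVER.EXE rather than services.exe, with four memory writes from SERVER.EXE into it; the three writes into msedge.exe (PID 64) are surfaced as well but flagged as a non-system target. The parent-to-child writes from the original sample into the two dropped binaries are filtered out because both sides live in Temp and are already caught by the dropped-EXE check.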
MITRE ATT&CK Enterprise v15
Downloads

File 1
Filesize: 618KB
MD5: cdf6e02bfac6c3a31a15cb80e6817116
SHA1: 1c9142163e1d18f2d78c0e1fc4600497abac9e68
SHA256: f2f7fca596bfd115eafa26a23db275fdc4504b17f42714e8c6bec76420ec37e7
SHA512: 2b6001cb95f3f623d84341de7fcee036612a43da9f120c5e2ac1f7ecac3d5072fb4c84def74b9cbbf29303bc0587443b9fb7e198c6b7ccd8b26075e48157d504

File 2
Filesize: 33KB
MD5: 17a6d3dfb91365a69293f3cc5f369bd4
SHA1: 33ba2d27808f8496264344b37a39fca65d28c356
SHA256: 830418e7b6beab35f7c09f02007919245826132c713cc9d03d45d9c6d0772d34
SHA512: 96d3f7fe3e6de3d27bb7ca7c63e47727bc38a0800ddcd815988875ba8363f3f815ee17fedcecc183825d3f83db4faf405f2e3b52b2986b53d4178108ca5dfd5c