Analysis

  • max time kernel
    134s
  • max time network
    104s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240802-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
  • submitted
    26-08-2024 08:31

General

  • Target

    c2a189976102cd5e6939b66025764e04_JaffaCakes118.exe

  • Size

    704KB

  • MD5

    c2a189976102cd5e6939b66025764e04

  • SHA1

    eaa3fe10bfa8952620025c8cfeef135ff57ab041

  • SHA256

    d24478bb827dbfbc9fab5d0e124e04f0dc7bc74d226d86e6c1bd404de68a9788

  • SHA512

    2b53134e560abef63c0ecabed454a76772e1ef3506a66fe65297ea89cb5fe282a8e96a884c00a549f101153f12b208d471af16ee0d5d54649588cd18526ef93f

  • SSDEEP

    12288:t45MIjSBHm4JBOMO76QM3/+++lp1vHHVKV5gc0lvlF8qPBcIExFXDJiW7SI:tyDU/BOv6Q4+++BVMOlSqpctxviWOI

Malware Config

Extracted

Family

xtremerat

C2

ariloi99.no-ip.org

Signatures

  • Detect XtremeRAT payload 3 IoCs
  • XtremeRAT

    The XtremeRAT was developed by xtremecoder and has been available since at least 2010, and written in Delphi.

  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 2 IoCs
  • UPX packed file 5 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Program crash 2 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious use of WriteProcessMemory 13 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\c2a189976102cd5e6939b66025764e04_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\c2a189976102cd5e6939b66025764e04_JaffaCakes118.exe"
    1⤵
    • Checks computer location settings
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:2532
    • C:\Users\Admin\AppData\Local\Temp\LAUNCHER CHEAT-GAM3 V1.EXE
      "C:\Users\Admin\AppData\Local\Temp\LAUNCHER CHEAT-GAM3 V1.EXE"
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      PID:3316
    • C:\Users\Admin\AppData\Local\Temp\SERVER.EXE
      "C:\Users\Admin\AppData\Local\Temp\SERVER.EXE"
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:2280
      • C:\Windows\SysWOW64\svchost.exe
        svchost.exe
        3⤵
        • System Location Discovery: System Language Discovery
        PID:1856
        • C:\Windows\SysWOW64\WerFault.exe
          C:\Windows\SysWOW64\WerFault.exe -u -p 1856 -s 480
          4⤵
          • Program crash
          PID:2712
        • C:\Windows\SysWOW64\WerFault.exe
          C:\Windows\SysWOW64\WerFault.exe -u -p 1856 -s 488
          4⤵
          • Program crash
          PID:2192
      • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        3⤵
          PID:64
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 1856 -ip 1856
      1⤵
        PID:2108
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -pss -s 516 -p 1856 -ip 1856
        1⤵
          PID:748

        Network

        MITRE ATT&CK Enterprise v15

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • C:\Users\Admin\AppData\Local\Temp\LAUNCHER CHEAT-GAM3 V1.EXE

          Filesize

          618KB

          MD5

          cdf6e02bfac6c3a31a15cb80e6817116

          SHA1

          1c9142163e1d18f2d78c0e1fc4600497abac9e68

          SHA256

          f2f7fca596bfd115eafa26a23db275fdc4504b17f42714e8c6bec76420ec37e7

          SHA512

          2b6001cb95f3f623d84341de7fcee036612a43da9f120c5e2ac1f7ecac3d5072fb4c84def74b9cbbf29303bc0587443b9fb7e198c6b7ccd8b26075e48157d504

        • C:\Users\Admin\AppData\Local\Temp\SERVER.EXE

          Filesize

          33KB

          MD5

          17a6d3dfb91365a69293f3cc5f369bd4

          SHA1

          33ba2d27808f8496264344b37a39fca65d28c356

          SHA256

          830418e7b6beab35f7c09f02007919245826132c713cc9d03d45d9c6d0772d34

          SHA512

          96d3f7fe3e6de3d27bb7ca7c63e47727bc38a0800ddcd815988875ba8363f3f815ee17fedcecc183825d3f83db4faf405f2e3b52b2986b53d4178108ca5dfd5c

        • memory/1856-31-0x0000000010000000-0x000000001004D000-memory.dmp

          Filesize

          308KB

        • memory/1856-22-0x0000000010000000-0x000000001004D000-memory.dmp

          Filesize

          308KB

        • memory/2280-19-0x0000000010000000-0x000000001004D000-memory.dmp

          Filesize

          308KB

        • memory/2280-27-0x0000000010000000-0x000000001004D000-memory.dmp

          Filesize

          308KB

        • memory/3316-23-0x00000000057C0000-0x000000000585C000-memory.dmp

          Filesize

          624KB

        • memory/3316-24-0x0000000005E40000-0x00000000063E4000-memory.dmp

          Filesize

          5.6MB

        • memory/3316-21-0x0000000000EE0000-0x0000000000F82000-memory.dmp

          Filesize

          648KB

        • memory/3316-26-0x0000000005930000-0x00000000059C2000-memory.dmp

          Filesize

          584KB

        • memory/3316-29-0x0000000005B20000-0x0000000005B76000-memory.dmp

          Filesize

          344KB

        • memory/3316-28-0x00000000058B0000-0x00000000058BA000-memory.dmp

          Filesize

          40KB

        • memory/3316-20-0x0000000072D1E000-0x0000000072D1F000-memory.dmp

          Filesize

          4KB

        • memory/3316-32-0x0000000072D1E000-0x0000000072D1F000-memory.dmp

          Filesize

          4KB