Analysis

  • max time kernel
    145s
  • max time network
    146s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240802-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20240802-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    18/09/2024, 23:21 UTC

General

  • Target

    ea290fb2b0e8b0739d1efc413bdf1446_JaffaCakes118.exe

  • Size

    44KB

  • MD5

    ea290fb2b0e8b0739d1efc413bdf1446

  • SHA1

    2c993f99540fc51766d0cc51138172789a9b5e0f

  • SHA256

    dfa0db81a438c55bed8df439e8346f1637379f02318f10700763de0acc7c5bfe

  • SHA512

    b8162428ef642656fb6f90584104183316b2a81fecd874f62e1de2a2905f19894b0be3b1bd850bd393e63fdedcc05748ed174ba683164f0893bc5ccb728534b0

  • SSDEEP

    768:rBr+tjFqTPkAlfztB1lr6anXsmTg8uvm2DfOTwYPI+zoJ1L:FyRUHlrL1lr6anXTruvm2buQCozL

Malware Config

Extracted

Family

xtremerat

C2

namehost.dyndns.org

Signatures

  • XtremeRAT

    XtremeRAT was developed by xtremecoder, is written in Delphi, and has been available since at least 2010.

  • Boot or Logon Autostart Execution: Active Setup 2 TTPs 2 IoCs

    Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

  • Adds Run key to start application 2 TTPs 2 IoCs
  • Drops file in System32 directory 3 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 7 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\ea290fb2b0e8b0739d1efc413bdf1446_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\ea290fb2b0e8b0739d1efc413bdf1446_JaffaCakes118.exe"
    1⤵
    • Boot or Logon Autostart Execution: Active Setup
    • Adds Run key to start application
    • Drops file in System32 directory
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:1428
    • C:\Windows\SysWOW64\svchost.exe
      svchost.exe
      2⤵
      • System Location Discovery: System Language Discovery
      • Suspicious use of SetWindowsHookEx
      PID:2856
    • C:\Windows\SysWOW64\explorer.exe
      explorer.exe
      2⤵
        PID:1392

    Network

    • flag-us
      DNS
      209.205.72.20.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      209.205.72.20.in-addr.arpa
      IN PTR
      Response
    • flag-us
      DNS
      77.190.18.2.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      77.190.18.2.in-addr.arpa
      IN PTR
      Response
      77.190.18.2.in-addr.arpa
      IN PTR
      a2-18-190-77.deploy.static.akamaitechnologies.com
    • flag-us
      DNS
      namehost.dyndns.org
      svchost.exe
      Remote address:
      8.8.8.8:53
      Request
      namehost.dyndns.org
      IN A
      Response
    • flag-us
      DNS
      73.31.126.40.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      73.31.126.40.in-addr.arpa
      IN PTR
      Response
    • flag-us
      DNS
      namehost.dyndns.org
      svchost.exe
      Remote address:
      8.8.8.8:53
      Request
      namehost.dyndns.org
      IN A
      Response
    • flag-us
      DNS
      196.249.167.52.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      196.249.167.52.in-addr.arpa
      IN PTR
      Response
    • flag-us
      DNS
      namehost.dyndns.org
      svchost.exe
      Remote address:
      8.8.8.8:53
      Request
      namehost.dyndns.org
      IN A
      Response
    • flag-us
      DNS
      namehost.dyndns.org
      svchost.exe
      Remote address:
      8.8.8.8:53
      Request
      namehost.dyndns.org
      IN A
      Response
    • flag-us
      DNS
      namehost.dyndns.org
      svchost.exe
      Remote address:
      8.8.8.8:53
      Request
      namehost.dyndns.org
      IN A
      Response
    • flag-us
      DNS
      namehost.dyndns.org
      svchost.exe
      Remote address:
      8.8.8.8:53
      Request
      namehost.dyndns.org
      IN A
      Response
    • flag-us
      DNS
      103.169.127.40.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      103.169.127.40.in-addr.arpa
      IN PTR
      Response
    • flag-us
      DNS
      56.126.166.20.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      56.126.166.20.in-addr.arpa
      IN PTR
      Response
    • flag-us
      DNS
      172.214.232.199.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      172.214.232.199.in-addr.arpa
      IN PTR
      Response
    • flag-us
      DNS
      namehost.dyndns.org
      svchost.exe
      Remote address:
      8.8.8.8:53
      Request
      namehost.dyndns.org
      IN A
      Response
    • flag-us
      DNS
      namehost.dyndns.org
      svchost.exe
      Remote address:
      8.8.8.8:53
      Request
      namehost.dyndns.org
      IN A
    • flag-us
      DNS
      namehost.dyndns.org
      svchost.exe
      Remote address:
      8.8.8.8:53
      Request
      namehost.dyndns.org
      IN A
      Response
    • flag-us
      DNS
      namehost.dyndns.org
      svchost.exe
      Remote address:
      8.8.8.8:53
      Request
      namehost.dyndns.org
      IN A
      Response
    • flag-us
      DNS
      namehost.dyndns.org
      svchost.exe
      Remote address:
      8.8.8.8:53
      Request
      namehost.dyndns.org
      IN A
      Response
    • flag-us
      DNS
      namehost.dyndns.org
      svchost.exe
      Remote address:
      8.8.8.8:53
      Request
      namehost.dyndns.org
      IN A
      Response
    • flag-us
      DNS
      namehost.dyndns.org
      svchost.exe
      Remote address:
      8.8.8.8:53
      Request
      namehost.dyndns.org
      IN A
      Response
    • flag-us
      DNS
      0.205.248.87.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      0.205.248.87.in-addr.arpa
      IN PTR
      Response
      0.205.248.87.in-addr.arpa
      IN PTR
      https-87-248-205-0.lgw.llnw.net
    • flag-us
      DNS
      namehost.dyndns.org
      svchost.exe
      Remote address:
      8.8.8.8:53
      Request
      namehost.dyndns.org
      IN A
      Response
    • flag-us
      DNS
      namehost.dyndns.org
      svchost.exe
      Remote address:
      8.8.8.8:53
      Request
      namehost.dyndns.org
      IN A
      Response
    • flag-us
      DNS
      namehost.dyndns.org
      svchost.exe
      Remote address:
      8.8.8.8:53
      Request
      namehost.dyndns.org
      IN A
      Response
    • flag-us
      DNS
      namehost.dyndns.org
      svchost.exe
      Remote address:
      8.8.8.8:53
      Request
      namehost.dyndns.org
      IN A
      Response
    • flag-us
      DNS
      namehost.dyndns.org
      svchost.exe
      Remote address:
      8.8.8.8:53
      Request
      namehost.dyndns.org
      IN A
      Response
    • flag-us
      DNS
      namehost.dyndns.org
      svchost.exe
      Remote address:
      8.8.8.8:53
      Request
      namehost.dyndns.org
      IN A
      Response
    • flag-us
      DNS
      namehost.dyndns.org
      svchost.exe
      Remote address:
      8.8.8.8:53
      Request
      namehost.dyndns.org
      IN A
      Response
    • flag-us
      DNS
      namehost.dyndns.org
      svchost.exe
      Remote address:
      8.8.8.8:53
      Request
      namehost.dyndns.org
      IN A
      Response
    • flag-us
      DNS
      namehost.dyndns.org
      svchost.exe
      Remote address:
      8.8.8.8:53
      Request
      namehost.dyndns.org
      IN A
      Response
    • flag-us
      DNS
      namehost.dyndns.org
      svchost.exe
      Remote address:
      8.8.8.8:53
      Request
      namehost.dyndns.org
      IN A
      Response
    • flag-us
      DNS
      namehost.dyndns.org
      svchost.exe
      Remote address:
      8.8.8.8:53
      Request
      namehost.dyndns.org
      IN A
      Response
    • flag-us
      DNS
      namehost.dyndns.org
      svchost.exe
      Remote address:
      8.8.8.8:53
      Request
      namehost.dyndns.org
      IN A
      Response
    • flag-us
      DNS
      namehost.dyndns.org
      svchost.exe
      Remote address:
      8.8.8.8:53
      Request
      namehost.dyndns.org
      IN A
      Response
    • flag-us
      DNS
      namehost.dyndns.org
      svchost.exe
      Remote address:
      8.8.8.8:53
      Request
      namehost.dyndns.org
      IN A
      Response
    • flag-us
      DNS
      namehost.dyndns.org
      svchost.exe
      Remote address:
      8.8.8.8:53
      Request
      namehost.dyndns.org
      IN A
      Response
    • flag-us
      DNS
      namehost.dyndns.org
      svchost.exe
      Remote address:
      8.8.8.8:53
      Request
      namehost.dyndns.org
      IN A
      Response
    • flag-us
      DNS
      namehost.dyndns.org
      svchost.exe
      Remote address:
      8.8.8.8:53
      Request
      namehost.dyndns.org
      IN A
      Response
    • 52.111.227.11:443
      322 B
      7
    • 8.8.8.8:53
      209.205.72.20.in-addr.arpa
      dns
      72 B
      158 B
      1
      1

      DNS Request

      209.205.72.20.in-addr.arpa

    • 8.8.8.8:53
      77.190.18.2.in-addr.arpa
      dns
      70 B
      133 B
      1
      1

      DNS Request

      77.190.18.2.in-addr.arpa

    • 8.8.8.8:53
      namehost.dyndns.org
      dns
      svchost.exe
      65 B
      116 B
      1
      1

      DNS Request

      namehost.dyndns.org

    • 8.8.8.8:53
      73.31.126.40.in-addr.arpa
      dns
      71 B
      157 B
      1
      1

      DNS Request

      73.31.126.40.in-addr.arpa

    • 8.8.8.8:53
      namehost.dyndns.org
      dns
      svchost.exe
      65 B
      116 B
      1
      1

      DNS Request

      namehost.dyndns.org

    • 8.8.8.8:53
      196.249.167.52.in-addr.arpa
      dns
      73 B
      147 B
      1
      1

      DNS Request

      196.249.167.52.in-addr.arpa

    • 8.8.8.8:53
      namehost.dyndns.org
      dns
      svchost.exe
      65 B
      116 B
      1
      1

      DNS Request

      namehost.dyndns.org

    • 8.8.8.8:53
      namehost.dyndns.org
      dns
      svchost.exe
      65 B
      116 B
      1
      1

      DNS Request

      namehost.dyndns.org

    • 8.8.8.8:53
      namehost.dyndns.org
      dns
      svchost.exe
      65 B
      116 B
      1
      1

      DNS Request

      namehost.dyndns.org

    • 8.8.8.8:53
      namehost.dyndns.org
      dns
      svchost.exe
      65 B
      116 B
      1
      1

      DNS Request

      namehost.dyndns.org

    • 8.8.8.8:53
      103.169.127.40.in-addr.arpa
      dns
      73 B
      147 B
      1
      1

      DNS Request

      103.169.127.40.in-addr.arpa

    • 8.8.8.8:53
      56.126.166.20.in-addr.arpa
      dns
      72 B
      158 B
      1
      1

      DNS Request

      56.126.166.20.in-addr.arpa

    • 8.8.8.8:53
      172.214.232.199.in-addr.arpa
      dns
      74 B
      128 B
      1
      1

      DNS Request

      172.214.232.199.in-addr.arpa

    • 8.8.8.8:53
      namehost.dyndns.org
      dns
      svchost.exe
      130 B
      116 B
      2
      1

      DNS Request

      namehost.dyndns.org

      DNS Request

      namehost.dyndns.org

    • 8.8.8.8:53
      namehost.dyndns.org
      dns
      svchost.exe
      65 B
      116 B
      1
      1

      DNS Request

      namehost.dyndns.org

    • 8.8.8.8:53
      namehost.dyndns.org
      dns
      svchost.exe
      65 B
      116 B
      1
      1

      DNS Request

      namehost.dyndns.org

    • 8.8.8.8:53
      namehost.dyndns.org
      dns
      svchost.exe
      65 B
      116 B
      1
      1

      DNS Request

      namehost.dyndns.org

    • 8.8.8.8:53
      namehost.dyndns.org
      dns
      svchost.exe
      65 B
      116 B
      1
      1

      DNS Request

      namehost.dyndns.org

    • 8.8.8.8:53
      namehost.dyndns.org
      dns
      svchost.exe
      65 B
      116 B
      1
      1

      DNS Request

      namehost.dyndns.org

    • 8.8.8.8:53
      0.205.248.87.in-addr.arpa
      dns
      71 B
      116 B
      1
      1

      DNS Request

      0.205.248.87.in-addr.arpa

    • 8.8.8.8:53
      namehost.dyndns.org
      dns
      svchost.exe
      65 B
      116 B
      1
      1

      DNS Request

      namehost.dyndns.org

    • 8.8.8.8:53
      namehost.dyndns.org
      dns
      svchost.exe
      65 B
      116 B
      1
      1

      DNS Request

      namehost.dyndns.org

    • 8.8.8.8:53
      namehost.dyndns.org
      dns
      svchost.exe
      65 B
      116 B
      1
      1

      DNS Request

      namehost.dyndns.org

    • 8.8.8.8:53
      namehost.dyndns.org
      dns
      svchost.exe
      65 B
      116 B
      1
      1

      DNS Request

      namehost.dyndns.org

    • 8.8.8.8:53
      namehost.dyndns.org
      dns
      svchost.exe
      65 B
      116 B
      1
      1

      DNS Request

      namehost.dyndns.org

    • 8.8.8.8:53
      namehost.dyndns.org
      dns
      svchost.exe
      65 B
      116 B
      1
      1

      DNS Request

      namehost.dyndns.org

    • 8.8.8.8:53
      namehost.dyndns.org
      dns
      svchost.exe
      65 B
      116 B
      1
      1

      DNS Request

      namehost.dyndns.org

    • 8.8.8.8:53
      namehost.dyndns.org
      dns
      svchost.exe
      65 B
      116 B
      1
      1

      DNS Request

      namehost.dyndns.org

    • 8.8.8.8:53
      namehost.dyndns.org
      dns
      svchost.exe
      65 B
      116 B
      1
      1

      DNS Request

      namehost.dyndns.org

    • 8.8.8.8:53
      namehost.dyndns.org
      dns
      svchost.exe
      65 B
      116 B
      1
      1

      DNS Request

      namehost.dyndns.org

    • 8.8.8.8:53
      namehost.dyndns.org
      dns
      svchost.exe
      65 B
      116 B
      1
      1

      DNS Request

      namehost.dyndns.org

    • 8.8.8.8:53
      namehost.dyndns.org
      dns
      svchost.exe
      65 B
      116 B
      1
      1

      DNS Request

      namehost.dyndns.org

    • 8.8.8.8:53
      namehost.dyndns.org
      dns
      svchost.exe
      65 B
      116 B
      1
      1

      DNS Request

      namehost.dyndns.org

    • 8.8.8.8:53
      namehost.dyndns.org
      dns
      svchost.exe
      65 B
      116 B
      1
      1

      DNS Request

      namehost.dyndns.org

    • 8.8.8.8:53
      namehost.dyndns.org
      dns
      svchost.exe
      65 B
      116 B
      1
      1

      DNS Request

      namehost.dyndns.org

    • 8.8.8.8:53
      namehost.dyndns.org
      dns
      svchost.exe
      65 B
      116 B
      1
      1

      DNS Request

      namehost.dyndns.org

    • 8.8.8.8:53
      namehost.dyndns.org
      dns
      svchost.exe
      65 B
      116 B
      1
      1

      DNS Request

      namehost.dyndns.org

    MITRE ATT&CK Enterprise v15

    Downloads

    • memory/1428-7-0x0000000000C80000-0x0000000000C93000-memory.dmp

      Filesize

      76KB

    • memory/2856-6-0x0000000000C80000-0x0000000000C93000-memory.dmp

      Filesize

      76KB

    • memory/2856-9-0x0000000000C80000-0x0000000000C93000-memory.dmp

      Filesize

      76KB