Analysis
-
max time kernel
145s -
max time network
146s -
platform
windows10-2004_x64 -
resource
win10v2004-20240802-en -
resource tags
arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system -
submitted
18-09-2024 23:21
Behavioral task
behavioral1
Sample
ea290fb2b0e8b0739d1efc413bdf1446_JaffaCakes118.exe
Resource
win7-20240903-en
Behavioral task
behavioral2
Sample
ea290fb2b0e8b0739d1efc413bdf1446_JaffaCakes118.exe
Resource
win10v2004-20240802-en
General
-
Target
ea290fb2b0e8b0739d1efc413bdf1446_JaffaCakes118.exe
-
Size
44KB
-
MD5
ea290fb2b0e8b0739d1efc413bdf1446
-
SHA1
2c993f99540fc51766d0cc51138172789a9b5e0f
-
SHA256
dfa0db81a438c55bed8df439e8346f1637379f02318f10700763de0acc7c5bfe
-
SHA512
b8162428ef642656fb6f90584104183316b2a81fecd874f62e1de2a2905f19894b0be3b1bd850bd393e63fdedcc05748ed174ba683164f0893bc5ccb728534b0
-
SSDEEP
768:rBr+tjFqTPkAlfztB1lr6anXsmTg8uvm2DfOTwYPI+zoJ1L:FyRUHlrL1lr6anXTruvm2buQCozL
Malware Config
Extracted
xtremerat
namehost.dyndns.org
Signatures
-
XtremeRAT
The XtremeRAT was developed by xtremecoder and has been available since at least 2010, and written in Delphi.
-
Boot or Logon Autostart Execution: Active Setup 2 TTPs 2 IoCs
Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.
description ioc Process Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2} ea290fb2b0e8b0739d1efc413bdf1446_JaffaCakes118.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}\StubPath = "C:\\Windows\\system32\\wbem\\xml.exe restart" ea290fb2b0e8b0739d1efc413bdf1446_JaffaCakes118.exe -
Adds Run key to start application 2 TTPs 2 IoCs
description ioc Process Set value (str) \REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Windows\\system32\\wbem\\xml.exe" ea290fb2b0e8b0739d1efc413bdf1446_JaffaCakes118.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Windows\\system32\\wbem\\xml.exe" ea290fb2b0e8b0739d1efc413bdf1446_JaffaCakes118.exe -
Drops file in System32 directory 3 IoCs
description ioc Process File opened for modification C:\Windows\SysWOW64\wbem\xml.exe ea290fb2b0e8b0739d1efc413bdf1446_JaffaCakes118.exe File created C:\Windows\SysWOW64\wbem\xml.exe ea290fb2b0e8b0739d1efc413bdf1446_JaffaCakes118.exe File opened for modification C:\Windows\SysWOW64\wbem\ ea290fb2b0e8b0739d1efc413bdf1446_JaffaCakes118.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 2 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ea290fb2b0e8b0739d1efc413bdf1446_JaffaCakes118.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language svchost.exe -
Suspicious use of SetWindowsHookEx 1 IoCs
pid Process 2856 svchost.exe -
Suspicious use of WriteProcessMemory 7 IoCs
description pid Process procid_target PID 1428 wrote to memory of 2856 1428 ea290fb2b0e8b0739d1efc413bdf1446_JaffaCakes118.exe 82 PID 1428 wrote to memory of 2856 1428 ea290fb2b0e8b0739d1efc413bdf1446_JaffaCakes118.exe 82 PID 1428 wrote to memory of 2856 1428 ea290fb2b0e8b0739d1efc413bdf1446_JaffaCakes118.exe 82 PID 1428 wrote to memory of 1392 1428 ea290fb2b0e8b0739d1efc413bdf1446_JaffaCakes118.exe 83 PID 1428 wrote to memory of 1392 1428 ea290fb2b0e8b0739d1efc413bdf1446_JaffaCakes118.exe 83 PID 1428 wrote to memory of 1392 1428 ea290fb2b0e8b0739d1efc413bdf1446_JaffaCakes118.exe 83 PID 1428 wrote to memory of 2856 1428 ea290fb2b0e8b0739d1efc413bdf1446_JaffaCakes118.exe 82
Processes
-
C:\Users\Admin\AppData\Local\Temp\ea290fb2b0e8b0739d1efc413bdf1446_JaffaCakes118.exe"C:\Users\Admin\AppData\Local\Temp\ea290fb2b0e8b0739d1efc413bdf1446_JaffaCakes118.exe"1⤵
- Boot or Logon Autostart Execution: Active Setup
- Adds Run key to start application
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1428 -
C:\Windows\SysWOW64\svchost.exesvchost.exe2⤵
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:2856
-
-
C:\Windows\SysWOW64\explorer.exeexplorer.exe2⤵PID:1392
-
Network
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
2Active Setup
1Registry Run Keys / Startup Folder
1Privilege Escalation
Boot or Logon Autostart Execution
2Active Setup
1Registry Run Keys / Startup Folder
1