Overview

overview

10

Static

static

7

efff2fe180...18.exe

windows7-x64

10

efff2fe180...18.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    150s
  • max time network
    153s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240802-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
  • submitted
    21-09-2024 14:30

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    efff2fe18024a3094929186dca954315_JaffaCakes118.exe

  • Size

    1.2MB

  • MD5

    efff2fe18024a3094929186dca954315

  • SHA1

    2ba5cea58730f11b9b7d3fb582db68dbc8d16ca4

  • SHA256

    7dd9bd66025b79a1392b928ff5e2b3a62335465ebeabcf72e426f5490bd207d1

  • SHA512

    0d1f99669047d6fa6e6614928ee467708a224bc1dc947982d356d007bb1ba24a65de832b6a0ef1b24b0dbc5c5e02a169bd4e8bd3bc3ee4366979ff0c1fe3f872

  • SSDEEP

    24576:LqyeHypU4RJK007QGTojfj7XuHtXJ9pcvyZSQYBWt:nIypK7JTkLa

Score
10/10
modiloaderxtremeratdiscoveryevasionpersistenceratspywaretrojanupx

Malware Config

Extracted

Family

xtremerat

C2

nerozhack.ddns.com.br

€p ƒalonedevil.no-ip.org

gameszero.dyndns.org

Signatures

  • Detect XtremeRAT payload 9 IoCs
  • ModiLoader, DBatLoader

    ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.

    trojanmodiloader
  • UAC bypass 3 TTPs 1 IoCs
    evasiontrojan
  • XtremeRAT

    The XtremeRAT was developed by xtremecoder and has been available since at least 2010, and written in Delphi.

    persistencespywareratxtremerat
  • ModiLoader Second Stage 18 IoCs
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 9 IoCs
  • Loads dropped DLL 13 IoCs
  • UPX packed file 29 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

    upx
  • Adds Run key to start application 2 TTPs 7 IoCs
    persistence
  • Checks whether UAC is enabled 1 TTPs 3 IoCs
    evasiontrojan
  • AutoIT Executable 5 IoCs

    AutoIT scripts compiled to PE executables.

  • Drops file in System32 directory 5 IoCs
  • Suspicious use of SetThreadContext 6 IoCs
  • Drops file in Windows directory 8 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Program crash 5 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 16 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Suspicious behavior: SetClipboardViewer 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 9 IoCs
  • Suspicious use of SetWindowsHookEx 6 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • System policy modification 1 TTPs 1 IoCs
    evasion
  • Uses Volume Shadow Copy service COM API

    The Volume Shadow Copy service is used to manage backups/snapshots.

    ransomware

Processes

  • C:\Users\Admin\AppData\Local\Temp\efff2fe18024a3094929186dca954315_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\efff2fe18024a3094929186dca954315_JaffaCakes118.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • Drops file in Windows directory
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:880
    • C:\Users\Admin\AppData\Local\Temp\efff2fe18024a3094929186dca954315_JaffaCakes118.exe
      "C:\Users\Admin\AppData\Local\Temp\efff2fe18024a3094929186dca954315_JaffaCakes118.exe"
      2⤵
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:4236
      • C:\Users\Admin\AppData\Local\Temp\efff2fe18024a3094929186dca954315_JaffaCakes118.exe
        "C:\Users\Admin\AppData\Local\Temp\efff2fe18024a3094929186dca954315_JaffaCakes118.exe"
        3⤵
        • Checks computer location settings
        • Checks whether UAC is enabled
        • Drops file in Windows directory
        • System Location Discovery: System Language Discovery
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:1900
        • C:\Windows\mstwain32.exe
          "C:\Windows\mstwain32.exe" \melt "C:\Users\Admin\AppData\Local\Temp\efff2fe18024a3094929186dca954315_JaffaCakes118.exe"
          4⤵
          • Executes dropped EXE
          • Suspicious use of SetThreadContext
          • System Location Discovery: System Language Discovery
          • Suspicious use of WriteProcessMemory
          PID:4244
          • C:\Windows\mstwain32.exe
            "C:\Windows\mstwain32.exe"
            5⤵
            • Executes dropped EXE
            • System Location Discovery: System Language Discovery
            PID:2664
            • C:\Windows\mstwain32.exe
              "C:\Windows\mstwain32.exe"
              6⤵
              • UAC bypass
              • Executes dropped EXE
              • Loads dropped DLL
              • Adds Run key to start application
              • Checks whether UAC is enabled
              • Drops file in Windows directory
              • System Location Discovery: System Language Discovery
              • Suspicious use of AdjustPrivilegeToken
              • Suspicious use of SetWindowsHookEx
              • System policy modification
              PID:4608
          • C:\Windows\RSOP.exe
            C:\Windows\RSOP.exe
            5⤵
            • Executes dropped EXE
            • Suspicious use of SetThreadContext
            • System Location Discovery: System Language Discovery
            PID:3604
            • C:\Windows\RSOP.exe
              "C:\Windows\RSOP.exe"
              6⤵
              • Executes dropped EXE
              • Loads dropped DLL
              • Suspicious use of SetThreadContext
              • Drops file in Windows directory
              • System Location Discovery: System Language Discovery
              • Suspicious use of AdjustPrivilegeToken
              • Suspicious use of SetWindowsHookEx
              PID:2016
              • C:\Windows\RSOP.exe
                "C:\Windows\RSOP.exe"
                7⤵
                • Executes dropped EXE
                • Loads dropped DLL
                • System Location Discovery: System Language Discovery
                • Suspicious use of AdjustPrivilegeToken
                PID:2984
                • C:\Windows\SysWOW64\svchost.exe
                  svchost.exe
                  8⤵
                  • System Location Discovery: System Language Discovery
                  PID:3972
                  • C:\Windows\SysWOW64\WerFault.exe
                    C:\Windows\SysWOW64\WerFault.exe -u -p 3972 -s 480
                    9⤵
                    • Loads dropped DLL
                    • Program crash
                    PID:852
                  • C:\Windows\SysWOW64\WerFault.exe
                    C:\Windows\SysWOW64\WerFault.exe -u -p 3972 -s 488
                    9⤵
                    • Loads dropped DLL
                    • Program crash
                    PID:3660
                • C:\WINDOWS\SysWOW64\taskmgr.exe
                  C:\WINDOWS\system32\taskmgr.exe
                  8⤵
                  • Loads dropped DLL
                  • Adds Run key to start application
                  • Drops file in System32 directory
                  • System Location Discovery: System Language Discovery
                  • Suspicious behavior: SetClipboardViewer
                  • Suspicious use of AdjustPrivilegeToken
                  • Suspicious use of SetWindowsHookEx
                  PID:4632
    • C:\Windows\RSOP.exe
      C:\Windows\RSOP.exe
      2⤵
      • Executes dropped EXE
      • Suspicious use of SetThreadContext
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:5036
      • C:\Windows\RSOP.exe
        "C:\Windows\RSOP.exe"
        3⤵
        • Executes dropped EXE
        • Suspicious use of SetThreadContext
        • Drops file in Windows directory
        • System Location Discovery: System Language Discovery
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:4268
        • C:\Windows\RSOP.exe
          "C:\Windows\RSOP.exe"
          4⤵
          • Executes dropped EXE
          • System Location Discovery: System Language Discovery
          • Suspicious use of WriteProcessMemory
          PID:744
          • C:\Windows\SysWOW64\svchost.exe
            svchost.exe
            5⤵
            • System Location Discovery: System Language Discovery
            PID:1440
            • C:\Windows\SysWOW64\WerFault.exe
              C:\Windows\SysWOW64\WerFault.exe -u -p 1440 -s 488
              6⤵
              • Program crash
              PID:3364
            • C:\Windows\SysWOW64\WerFault.exe
              C:\Windows\SysWOW64\WerFault.exe -u -p 1440 -s 496
              6⤵
              • Program crash
              PID:4084
          • C:\WINDOWS\SysWOW64\taskmgr.exe
            C:\WINDOWS\system32\taskmgr.exe
            5⤵
            • Adds Run key to start application
            • Drops file in System32 directory
            • System Location Discovery: System Language Discovery
            • Suspicious use of SetWindowsHookEx
            PID:2788
            • C:\Windows\SysWOW64\WerFault.exe
              C:\Windows\SysWOW64\WerFault.exe -u -p 2788 -s 1076
              6⤵
              • Program crash
              PID:348
  • C:\Windows\system32\vssvc.exe
    C:\Windows\system32\vssvc.exe
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    PID:640
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 1440 -ip 1440
    1⤵
      PID:5060
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -pss -s 476 -p 1440 -ip 1440
      1⤵
        PID:2144
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -pss -s 536 -p 2788 -ip 2788
        1⤵
          PID:1088
        • C:\Windows\SysWOW64\WerFault.exe
          C:\Windows\SysWOW64\WerFault.exe -pss -s 576 -p 3972 -ip 3972
          1⤵
            PID:3028
          • C:\Windows\SysWOW64\WerFault.exe
            C:\Windows\SysWOW64\WerFault.exe -pss -s 568 -p 3972 -ip 3972
            1⤵
              PID:3488

            Network

            MITRE ATT&CK Enterprise v15

            Replay Monitor

            Loading Replay Monitor...

            Downloads

            • C:\Users\Admin\AppData\Local\Temp\aut9FBB.tmp
              Filesize

              300KB

              MD5

              a87e455284d5aaf624c6c419fa7f9bed

              SHA1

              dd7335f04ef50375b124106cc599d4def55f40ac

              SHA256

              3cdc6602fee91dc53c16573cf2f53dbcec491d53a0795312290a804a247a81a3

              SHA512

              000fbf010fdcc5d47be1500372d8ca4d2fe399a4c0e1a9299da5e42fa0fae77711f38be13bab1264e8dd78f321ac79fefdcea52953749756f8d33c225842ae32

              Download Submit

            • C:\Users\Admin\AppData\Local\Temp\zxymfvt
              Filesize

              9KB

              MD5

              1cae2b547a78ece24949e7abc5ce0832

              SHA1

              54c4b7d4973c22818f87f8a5c5c145e408c65095

              SHA256

              b4efccf8457046aaf4c5b272addd3299003f41ef19bad993ee2be0554a2922ce

              SHA512

              786a678a513f09528335b48fc9e87c0c0e12f795090bb76f27a74fed522bcb0bf842c2b649e1bc19d2b22dbbf76a83a5d0df8e70db242e258de97758ebdc56d8

              Download Submit

            • C:\Windows\cmsetac.dll
              Filesize

              33KB

              MD5

              a1efb85344da33edeceb6e7db669f289

              SHA1

              c1af0dc6dd034017a7687674d1162645789809ac

              SHA256

              4c78a6a35e38fbd6f0f7252fb6caef183174ce77e79bfe98b6f15aadde073c89

              SHA512

              5887488bdcca58cfefacf315e8f70c77ca3f34eeaf5308a55c069c7d71cfc7e1e88700733f83db90d9f204ff6be45a84e24e813cb9f7bf6566b926a783df31d9

              Download Submit

            • C:\Windows\mstwain32.exe
              Filesize

              1.2MB

              MD5

              efff2fe18024a3094929186dca954315

              SHA1

              2ba5cea58730f11b9b7d3fb582db68dbc8d16ca4

              SHA256

              7dd9bd66025b79a1392b928ff5e2b3a62335465ebeabcf72e426f5490bd207d1

              SHA512

              0d1f99669047d6fa6e6614928ee467708a224bc1dc947982d356d007bb1ba24a65de832b6a0ef1b24b0dbc5c5e02a169bd4e8bd3bc3ee4366979ff0c1fe3f872

              Download Submit

            • C:\Windows\ntdtcstp.dll
              Filesize

              7KB

              MD5

              67587e25a971a141628d7f07bd40ffa0

              SHA1

              76fcd014539a3bb247cc0b761225f68bd6055f6b

              SHA256

              e6829866322d68d5c5b78e3d48dcec70a41cdc42c6f357a44fd329f74a8b4378

              SHA512

              6e6de7aa02c48f8b96b06e5f1160fbc5c95312320636e138cc997ef3362a61bc50ec03db1f06292eb964cd71915ddb2ec2eb741432c7da44215a4acbb576a350

              Download Submit

            • memory/744-52-0x0000000010000000-0x000000001004D000-memory.dmp

              Filesize

              308KB

              Download

            • memory/744-47-0x0000000010000000-0x000000001004D000-memory.dmp

              Filesize

              308KB

              Download

            • memory/744-51-0x0000000010000000-0x000000001004D000-memory.dmp

              Filesize

              308KB

              Download

            • memory/744-50-0x0000000000400000-0x00000000004B1000-memory.dmp

              Filesize

              708KB

              Download

            • memory/880-25-0x0000000000400000-0x00000000004B1000-memory.dmp

              Filesize

              708KB

              Download

            • memory/880-0-0x0000000000400000-0x00000000004B1000-memory.dmp

              Filesize

              708KB

              Download

            • memory/1440-55-0x0000000010000000-0x000000001004D000-memory.dmp

              Filesize

              308KB

              Download

            • memory/1440-60-0x0000000010000000-0x000000001004D000-memory.dmp

              Filesize

              308KB

              Download

            • memory/1900-34-0x0000000000400000-0x000000000044B000-memory.dmp

              Filesize

              300KB

              Download

            • memory/1900-29-0x0000000000400000-0x000000000044B000-memory.dmp

              Filesize

              300KB

              Download

            • memory/1900-27-0x0000000000400000-0x000000000044B000-memory.dmp

              Filesize

              300KB

              Download

            • memory/1900-32-0x0000000000400000-0x000000000044B000-memory.dmp

              Filesize

              300KB

              Download

            • memory/1900-35-0x0000000000400000-0x000000000044B000-memory.dmp

              Filesize

              300KB

              Download

            • memory/1900-33-0x0000000000400000-0x000000000044B000-memory.dmp

              Filesize

              300KB

              Download

            • memory/1900-31-0x0000000000400000-0x000000000044B000-memory.dmp

              Filesize

              300KB

              Download

            • memory/1900-26-0x0000000000400000-0x000000000044B000-memory.dmp

              Filesize

              300KB

              Download

            • memory/1900-71-0x0000000000400000-0x000000000044B000-memory.dmp

              Filesize

              300KB

              Download

            • memory/2016-109-0x0000000000400000-0x0000000000414000-memory.dmp

              Filesize

              80KB

              Download

            • memory/2016-133-0x0000000000400000-0x0000000000414000-memory.dmp

              Filesize

              80KB

              Download

            • memory/2016-125-0x00000000009E0000-0x00000000009EE000-memory.dmp

              Filesize

              56KB

              Download

            • memory/2016-103-0x0000000000400000-0x0000000000414000-memory.dmp

              Filesize

              80KB

              Download

            • memory/2016-132-0x00000000009E0000-0x00000000009EE000-memory.dmp

              Filesize

              56KB

              Download

            • memory/2664-98-0x0000000000400000-0x0000000000455000-memory.dmp

              Filesize

              340KB

              Download

            • memory/2788-56-0x0000000010000000-0x000000001004D000-memory.dmp

              Filesize

              308KB

              Download

            • memory/2788-59-0x0000000010000000-0x000000001004D000-memory.dmp

              Filesize

              308KB

              Download

            • memory/2788-61-0x0000000010000000-0x000000001004D000-memory.dmp

              Filesize

              308KB

              Download

            • memory/2984-130-0x0000000000150000-0x000000000015E000-memory.dmp

              Filesize

              56KB

              Download

            • memory/2984-127-0x0000000010000000-0x000000001004D000-memory.dmp

              Filesize

              308KB

              Download

            • memory/2984-126-0x0000000010000000-0x000000001004D000-memory.dmp

              Filesize

              308KB

              Download

            • memory/2984-136-0x0000000000150000-0x000000000015E000-memory.dmp

              Filesize

              56KB

              Download

            • memory/3604-81-0x0000000000400000-0x00000000004B1000-memory.dmp

              Filesize

              708KB

              Download

            • memory/3604-113-0x0000000000400000-0x00000000004B1000-memory.dmp

              Filesize

              708KB

              Download

            • memory/3972-134-0x0000000010000000-0x000000001004D000-memory.dmp

              Filesize

              308KB

              Download

            • memory/4236-36-0x0000000000400000-0x0000000000455000-memory.dmp

              Filesize

              340KB

              Download

            • memory/4236-21-0x0000000000400000-0x0000000000455000-memory.dmp

              Filesize

              340KB

              Download

            • memory/4236-22-0x0000000000400000-0x0000000000455000-memory.dmp

              Filesize

              340KB

              Download

            • memory/4236-23-0x0000000000400000-0x0000000000455000-memory.dmp

              Filesize

              340KB

              Download

            • memory/4236-20-0x0000000000400000-0x0000000000455000-memory.dmp

              Filesize

              340KB

              Download

            • memory/4244-86-0x0000000000400000-0x00000000004B1000-memory.dmp

              Filesize

              708KB

              Download

            • memory/4268-42-0x0000000000400000-0x0000000000414000-memory.dmp

              Filesize

              80KB

              Download

            • memory/4268-54-0x0000000000400000-0x0000000000414000-memory.dmp

              Filesize

              80KB

              Download

            • memory/4268-37-0x0000000000400000-0x0000000000414000-memory.dmp

              Filesize

              80KB

              Download

            • memory/4268-40-0x0000000000400000-0x0000000000414000-memory.dmp

              Filesize

              80KB

              Download

            • memory/4608-117-0x0000000000DB0000-0x0000000000DBE000-memory.dmp

              Filesize

              56KB

              Download

            • memory/4608-97-0x0000000000400000-0x000000000044B000-memory.dmp

              Filesize

              300KB

              Download

            • memory/4608-101-0x0000000000400000-0x000000000044B000-memory.dmp

              Filesize

              300KB

              Download

            • memory/4608-119-0x0000000000400000-0x000000000044B000-memory.dmp

              Filesize

              300KB

              Download

            • memory/4632-135-0x0000000010000000-0x000000001004D000-memory.dmp

              Filesize

              308KB

              Download

            • memory/4632-139-0x0000000000AB0000-0x0000000000ABE000-memory.dmp

              Filesize

              56KB

              Download

            • memory/5036-19-0x0000000000400000-0x00000000004B1000-memory.dmp

              Filesize

              708KB

              Download

            • memory/5036-44-0x0000000000400000-0x00000000004B1000-memory.dmp

              Filesize

              708KB

              Download