Overview

overview

10

Static

static

3

546dae0132...18.exe

windows7-x64

10

546dae0132...18.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    149s
  • max time network
    121s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
  • submitted
    18-10-2024 00:17

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    546dae0132f9dac504e612c9dc3c4163_JaffaCakes118.exe

  • Size

    90KB

  • MD5

    546dae0132f9dac504e612c9dc3c4163

  • SHA1

    92068400766e11dac72a5376421db7509282baa1

  • SHA256

    d3e050241bc051ef74ac9f29b00a6940e86b7d9a4e379f053af78c7158c7833d

  • SHA512

    53e2290b2b296b8e3849863e814a38a2947c05a7ec954dedb3c0e2f83a1db309a49e766f57f9516fbc77fb1b8f4a18721f76602878ccd16eb0f28a9bb775aa27

  • SSDEEP

    1536:4l/UOz1dnuEIkYhq6ka8sCDcSm76lXwlppxEBSs1yCdMrPkz55bfU:G/v7xIj0jsCpb9qjEs3QMrPu5rU

Score
10/10
xtremeratdiscoverypersistenceratspywareupx

Malware Config

Extracted

Family

xtremerat

C2

fofo05333.no-ip.org

Signatures

  • Detect XtremeRAT payload 3 IoCs
  • XtremeRAT

    The XtremeRAT was developed by xtremecoder and has been available since at least 2010, and written in Delphi.

    persistencespywareratxtremerat
  • Executes dropped EXE 1 IoCs
  • UPX packed file 4 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

    upx
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Suspicious use of AdjustPrivilegeToken 5 IoCs
  • Suspicious use of WriteProcessMemory 14 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\546dae0132f9dac504e612c9dc3c4163_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\546dae0132f9dac504e612c9dc3c4163_JaffaCakes118.exe"
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:3012
    • C:\Users\Admin\AppData\Local\Temp\server.exe
      "C:\Users\Admin\AppData\Local\Temp\server.exe"
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:2312
      • C:\Windows\SysWOW64\svchost.exe
        svchost.exe
        3⤵
        • System Location Discovery: System Language Discovery
        PID:1740
      • C:\Program Files\Internet Explorer\iexplore.exe
        "C:\Program Files\Internet Explorer\iexplore.exe"
        3⤵
          PID:1828

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\Temp\server.exe
      Filesize

      31KB

      MD5

      17a25ac941c0c8120792bb261e9610de

      SHA1

      23edcf940b585ee7d8ff4d6ee3ab7e264f1a2ae2

      SHA256

      2aca490f5938f1db06e8e571f429b34bd61d39c3c0a62275ef8773f5ceba4c05

      SHA512

      23d94f02f206525eee55a9884a95b27eefcee1f139333adbf5cec55fbb64da8eecf3acd703859ee76413dfd28a95f18bc580cfd04cac4834b336625b916ca153

      Download Submit

    • memory/1740-20-0x0000000010000000-0x000000001004B000-memory.dmp

      Filesize

      300KB

      Download

    • memory/1740-14-0x0000000010000000-0x000000001004B000-memory.dmp

      Filesize

      300KB

      Download

    • memory/2312-17-0x0000000010000000-0x000000001004B000-memory.dmp

      Filesize

      300KB

      Download

    • memory/2312-13-0x0000000010000000-0x000000001004B000-memory.dmp

      Filesize

      300KB

      Download

    • memory/3012-4-0x0000000000B30000-0x0000000000B40000-memory.dmp

      Filesize

      64KB

      Download

    • memory/3012-5-0x000007FEF5670000-0x000007FEF600D000-memory.dmp

      Filesize

      9.6MB

      Download

    • memory/3012-3-0x00000000004A0000-0x00000000004AA000-memory.dmp

      Filesize

      40KB

      Download

    • memory/3012-2-0x000007FEF5670000-0x000007FEF600D000-memory.dmp

      Filesize

      9.6MB

      Download

    • memory/3012-0-0x000007FEF592E000-0x000007FEF592F000-memory.dmp

      Filesize

      4KB

      Download

    • memory/3012-18-0x000007FEF5670000-0x000007FEF600D000-memory.dmp

      Filesize

      9.6MB

      Download

    • memory/3012-19-0x000007FEF592E000-0x000007FEF592F000-memory.dmp

      Filesize

      4KB

      Download

    • memory/3012-1-0x000007FEF5670000-0x000007FEF600D000-memory.dmp

      Filesize

      9.6MB

      Download