Analysis
-
max time kernel
148s -
max time network
149s -
platform
windows7_x64 -
resource
win7-20241010-en -
resource tags
arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system -
submitted
20-10-2024 14:04
Behavioral task
behavioral1
Sample
629ddaa1af4860f643b018a84d154e6e_JaffaCakes118.exe
Resource
win7-20241010-en
Behavioral task
behavioral2
Sample
629ddaa1af4860f643b018a84d154e6e_JaffaCakes118.exe
Resource
win10v2004-20241007-en
General
-
Target
629ddaa1af4860f643b018a84d154e6e_JaffaCakes118.exe
-
Size
91KB
-
MD5
629ddaa1af4860f643b018a84d154e6e
-
SHA1
12f2d0b47d55f9e3b4ce214fdad8d971976ec098
-
SHA256
ac1a0185e728b9fdffe817496d9dfd33612f454e4a9af8a97cc458f445cb3133
-
SHA512
cb627f7785b4209bd4c8c91bbfdcaac6b88ea6c69697d88e91242685d7702e63421f6f83555ceea52a604c4e28296fd8b1f01ef633ea6ede5a9697c737fdf41f
-
SSDEEP
1536:dsq+QV4rObAdXWpf/y+7ozNwihURDoq4OZZZLlCIibyoM:E44rj/WodeRD68wbyo
Malware Config
Extracted
xtremerat
cnw55.xxxy.info
Signatures
-
Detect XtremeRAT payload 8 IoCs
resource yara_rule behavioral1/memory/2736-2-0x0000000010000000-0x0000000010050000-memory.dmp family_xtremerat behavioral1/memory/2272-6-0x0000000010000000-0x0000000010050000-memory.dmp family_xtremerat behavioral1/memory/2844-5-0x0000000010000000-0x0000000010050000-memory.dmp family_xtremerat behavioral1/memory/2844-10-0x0000000010000000-0x0000000010050000-memory.dmp family_xtremerat behavioral1/memory/2844-9-0x0000000010000000-0x0000000010050000-memory.dmp family_xtremerat behavioral1/files/0x000900000001660b-11.dat family_xtremerat behavioral1/memory/2736-12-0x0000000010000000-0x0000000010050000-memory.dmp family_xtremerat behavioral1/memory/2844-13-0x0000000010000000-0x0000000010050000-memory.dmp family_xtremerat -
XtremeRAT
The XtremeRAT was developed by xtremecoder and has been available since at least 2010, and written in Delphi.
-
Boot or Logon Autostart Execution: Active Setup 2 TTPs 4 IoCs
Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{Q1M5G32G-4R1Y-8FUT-740L-3344EHYLDQI3}\StubPath = "C:\\Windows\\system32\\InstallDir\\services.exe restart" svchost.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{Q1M5G32G-4R1Y-8FUT-740L-3344EHYLDQI3} svchost.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{Q1M5G32G-4R1Y-8FUT-740L-3344EHYLDQI3}\StubPath = "C:\\Windows\\system32\\InstallDir\\services.exe" svchost.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{Q1M5G32G-4R1Y-8FUT-740L-3344EHYLDQI3} svchost.exe -
Adds Run key to start application 2 TTPs 4 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\svchost = "C:\\Windows\\system32\\InstallDir\\services.exe" svchost.exe Set value (str) \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows\CurrentVersion\Run\svchost = "C:\\Windows\\system32\\InstallDir\\services.exe" svchost.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\svchost = "C:\\Windows\\system32\\InstallDir\\services.exe" svchost.exe Set value (str) \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows\CurrentVersion\Run\svchost = "C:\\Windows\\system32\\InstallDir\\services.exe" svchost.exe -
Drops file in System32 directory 3 IoCs
description ioc Process File created C:\Windows\SysWOW64\InstallDir\services.exe svchost.exe File opened for modification C:\Windows\SysWOW64\InstallDir\ svchost.exe File opened for modification C:\Windows\SysWOW64\InstallDir\services.exe svchost.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 3 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 629ddaa1af4860f643b018a84d154e6e_JaffaCakes118.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language svchost.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language svchost.exe -
Suspicious use of SetWindowsHookEx 1 IoCs
pid Process 2844 svchost.exe -
Suspicious use of WriteProcessMemory 10 IoCs
description pid Process procid_target PID 2272 wrote to memory of 2736 2272 629ddaa1af4860f643b018a84d154e6e_JaffaCakes118.exe 30 PID 2272 wrote to memory of 2736 2272 629ddaa1af4860f643b018a84d154e6e_JaffaCakes118.exe 30 PID 2272 wrote to memory of 2736 2272 629ddaa1af4860f643b018a84d154e6e_JaffaCakes118.exe 30 PID 2272 wrote to memory of 2736 2272 629ddaa1af4860f643b018a84d154e6e_JaffaCakes118.exe 30 PID 2272 wrote to memory of 2736 2272 629ddaa1af4860f643b018a84d154e6e_JaffaCakes118.exe 30 PID 2272 wrote to memory of 2844 2272 629ddaa1af4860f643b018a84d154e6e_JaffaCakes118.exe 31 PID 2272 wrote to memory of 2844 2272 629ddaa1af4860f643b018a84d154e6e_JaffaCakes118.exe 31 PID 2272 wrote to memory of 2844 2272 629ddaa1af4860f643b018a84d154e6e_JaffaCakes118.exe 31 PID 2272 wrote to memory of 2844 2272 629ddaa1af4860f643b018a84d154e6e_JaffaCakes118.exe 31 PID 2272 wrote to memory of 2844 2272 629ddaa1af4860f643b018a84d154e6e_JaffaCakes118.exe 31
Processes
-
C:\Users\Admin\AppData\Local\Temp\629ddaa1af4860f643b018a84d154e6e_JaffaCakes118.exe"C:\Users\Admin\AppData\Local\Temp\629ddaa1af4860f643b018a84d154e6e_JaffaCakes118.exe"1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2272 -
C:\Windows\SysWOW64\svchost.exesvchost.exe2⤵
- Boot or Logon Autostart Execution: Active Setup
- Adds Run key to start application
- System Location Discovery: System Language Discovery
PID:2736
-
-
C:\Windows\SysWOW64\svchost.exesvchost.exe2⤵
- Boot or Logon Autostart Execution: Active Setup
- Adds Run key to start application
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:2844
-
Network
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
2Active Setup
1Registry Run Keys / Startup Folder
1Privilege Escalation
Boot or Logon Autostart Execution
2Active Setup
1Registry Run Keys / Startup Folder
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
91KB
MD5629ddaa1af4860f643b018a84d154e6e
SHA112f2d0b47d55f9e3b4ce214fdad8d971976ec098
SHA256ac1a0185e728b9fdffe817496d9dfd33612f454e4a9af8a97cc458f445cb3133
SHA512cb627f7785b4209bd4c8c91bbfdcaac6b88ea6c69697d88e91242685d7702e63421f6f83555ceea52a604c4e28296fd8b1f01ef633ea6ede5a9697c737fdf41f