Analysis
-
max time kernel
0s -
max time network
152s -
platform
windows7_x64 -
resource
win7-20241010-en -
resource tags
arch:x64 arch:x86 image:win7-20241010-en locale:en-us os:windows7-x64 system -
submitted
01-11-2024 09:41
Static task
static1
Behavioral task
behavioral1
Sample
845abed239934629a99688c07f1e23ff_JaffaCakes118.exe
Resource
win7-20241010-en
Behavioral task
behavioral2
Sample
845abed239934629a99688c07f1e23ff_JaffaCakes118.exe
Resource
win10v2004-20241007-en
General
-
Target
845abed239934629a99688c07f1e23ff_JaffaCakes118.exe
-
Size
312KB
-
MD5
845abed239934629a99688c07f1e23ff
-
SHA1
b84aaf9a8c58876203a382cbb9f35983c661c978
-
SHA256
2f1689da203281598db1d10818ead7f0e15a1601cecfd225a62fabe8686d93ab
-
SHA512
05f0e28878d5a58537d1c093dcef8d6f3d085f92abc565c0b7f53aa3dd50a8199b5ecb39638c84948edffc042677bdf9028729dce2df24ad556081a63cf13bb8
-
SSDEEP
6144:rVF2NOx/6fcDNdvxoJURDrO5HYPGmPQq3szP4P2szYUujGphL/JO+:b2NOxyMNdvaJURDrO5Hbm4q3DxzYzGT3
Malware Config
Extracted
xtremerat
emchiyeuminhanh.no-ip.org
Signatures
-
Detect XtremeRAT payload 6 IoCs
resource | yara_rule
behavioral1/memory/2924-38-0x0000000000C80000-0x0000000000C96000-memory.dmp | family_xtremerat
behavioral1/memory/2908-35-0x0000000000C80000-0x0000000000C96000-memory.dmp | family_xtremerat
behavioral1/memory/2288-40-0x0000000000C80000-0x0000000000C96000-memory.dmp | family_xtremerat
behavioral1/memory/2924-41-0x0000000000C80000-0x0000000000C96000-memory.dmp | family_xtremerat
behavioral1/memory/2976-51-0x0000000000C80000-0x0000000000C96000-memory.dmp | family_xtremerat
behavioral1/memory/2892-56-0x0000000000C80000-0x0000000000C96000-memory.dmp | family_xtremerat
-
ModiLoader, DBatLoader
ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.
-
Modiloader family
-
XtremeRAT
XtremeRAT was developed by xtremecoder, has been available since at least 2010, and is written in Delphi.
-
Xtremerat family
-
ModiLoader Second Stage 3 IoCs
resource | yara_rule
behavioral1/files/0x000c000000012263-22.dat | modiloader_stage2
behavioral1/memory/584-55-0x0000000000400000-0x000000000046A000-memory.dmp | modiloader_stage2
behavioral1/memory/584-81-0x0000000000400000-0x000000000046A000-memory.dmp | modiloader_stage2
-
Executes dropped EXE 2 IoCs
pid | Process
584 | dongmanhinh.exe
2288 | server_rat_xtreme.exe
-
Impair Defenses: Safe Mode Boot 1 TTPs 3 IoCs
description | ioc | Process
Key deleted | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\Power | dongmanhinh.exe
Key deleted | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\WinDefend | dongmanhinh.exe
Key deleted | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\ProfSvc | dongmanhinh.exe
-
Loads dropped DLL 3 IoCs
pid | Process
2560 | 845abed239934629a99688c07f1e23ff_JaffaCakes118.exe
2560 | 845abed239934629a99688c07f1e23ff_JaffaCakes118.exe
2560 | 845abed239934629a99688c07f1e23ff_JaffaCakes118.exe
-
Adds Run key to start application 2 TTPs 1 IoCs
description | ioc | Process
Set value (str) | \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Windows\CurrentVersion\Run\dongmanhinh.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\dongmanhinh.exe" | dongmanhinh.exe
-
resource | yara_rule
behavioral1/memory/2560-17-0x0000000002400000-0x0000000002416000-memory.dmp | upx
behavioral1/memory/2288-23-0x0000000000C80000-0x0000000000C96000-memory.dmp | upx
behavioral1/files/0x0007000000016d17-28.dat | upx
behavioral1/memory/2924-38-0x0000000000C80000-0x0000000000C96000-memory.dmp | upx
behavioral1/memory/2908-35-0x0000000000C80000-0x0000000000C96000-memory.dmp | upx
behavioral1/memory/2288-40-0x0000000000C80000-0x0000000000C96000-memory.dmp | upx
behavioral1/memory/2924-41-0x0000000000C80000-0x0000000000C96000-memory.dmp | upx
behavioral1/memory/2976-47-0x0000000000C80000-0x0000000000C96000-memory.dmp | upx
behavioral1/memory/2976-51-0x0000000000C80000-0x0000000000C96000-memory.dmp | upx
behavioral1/memory/2892-56-0x0000000000C80000-0x0000000000C96000-memory.dmp | upx
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 2 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 845abed239934629a99688c07f1e23ff_JaffaCakes118.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | dongmanhinh.exe
-
Suspicious use of WriteProcessMemory 8 IoCs
description | pid | Process | procid_target
PID 2560 wrote to memory of 584 | 2560 | 845abed239934629a99688c07f1e23ff_JaffaCakes118.exe | 31
PID 2560 wrote to memory of 584 | 2560 | 845abed239934629a99688c07f1e23ff_JaffaCakes118.exe | 31
PID 2560 wrote to memory of 584 | 2560 | 845abed239934629a99688c07f1e23ff_JaffaCakes118.exe | 31
PID 2560 wrote to memory of 584 | 2560 | 845abed239934629a99688c07f1e23ff_JaffaCakes118.exe | 31
PID 2560 wrote to memory of 2288 | 2560 | 845abed239934629a99688c07f1e23ff_JaffaCakes118.exe | 32
PID 2560 wrote to memory of 2288 | 2560 | 845abed239934629a99688c07f1e23ff_JaffaCakes118.exe | 32
PID 2560 wrote to memory of 2288 | 2560 | 845abed239934629a99688c07f1e23ff_JaffaCakes118.exe | 32
PID 2560 wrote to memory of 2288 | 2560 | 845abed239934629a99688c07f1e23ff_JaffaCakes118.exe | 32
Processes
C:\Users\Admin\AppData\Local\Temp\845abed239934629a99688c07f1e23ff_JaffaCakes118.exe (PID 2560), command line: "C:\Users\Admin\AppData\Local\Temp\845abed239934629a99688c07f1e23ff_JaffaCakes118.exe"
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  C:\Users\Admin\AppData\Local\Temp\dongmanhinh.exe (PID 584), command line: "C:\Users\Admin\AppData\Local\Temp\dongmanhinh.exe"
    - Executes dropped EXE
    - Impair Defenses: Safe Mode Boot
    - Adds Run key to start application
    - System Location Discovery: System Language Discovery
  C:\Users\Admin\AppData\Local\Temp\server_rat_xtreme.exe (PID 2288), command line: "C:\Users\Admin\AppData\Local\Temp\server_rat_xtreme.exe"
    - Executes dropped EXE
    C:\Program Files\Internet Explorer\iexplore.exe (PID 2664), command line: "C:\Program Files\Internet Explorer\iexplore.exe"
    C:\Windows\SysWOW64\explorer.exe (PID 2924), command line: explorer.exe
    C:\Windows\SysWOW64\explorer.exe (PID 2908), command line: explorer.exe
C:\Windows\SysWOW64\DllHost.exe (PID 2820), command line: C:\Windows\SysWOW64\DllHost.exe /Processid:{76D0CB12-7604-4048-B83C-1005C7DDC503}
C:\Windows\explorer.exe (PID 1084), command line: explorer.exe
  C:\Windows\InstallDir\Server.exe (PID 2976), command line: "C:\Windows\InstallDir\Server.exe" restart
    C:\Windows\InstallDir\Server.exe (PID 2892), command line: "C:\Windows\InstallDir\Server.exe"
      C:\Program Files\Internet Explorer\iexplore.exe (PID 3048), command line: "C:\Program Files\Internet Explorer\iexplore.exe"
      C:\Windows\SysWOW64\explorer.exe (PID 2984), command line: explorer.exe
      C:\Program Files\Internet Explorer\iexplore.exe (PID 904), command line: "C:\Program Files\Internet Explorer\iexplore.exe"
      C:\Windows\SysWOW64\explorer.exe (PID 2856), command line: explorer.exe
      C:\Program Files\Internet Explorer\iexplore.exe (PID 2904), command line: "C:\Program Files\Internet Explorer\iexplore.exe"
      C:\Windows\SysWOW64\explorer.exe (PID 2692), command line: explorer.exe
      C:\Program Files\Internet Explorer\iexplore.exe (PID 3036), command line: "C:\Program Files\Internet Explorer\iexplore.exe"
      C:\Windows\SysWOW64\explorer.exe (PID 2868), command line: explorer.exe
      C:\Program Files\Internet Explorer\iexplore.exe (PID 316), command line: "C:\Program Files\Internet Explorer\iexplore.exe"
      C:\Windows\SysWOW64\explorer.exe (PID 2812), command line: explorer.exe
      C:\Program Files\Internet Explorer\iexplore.exe (PID 372), command line: "C:\Program Files\Internet Explorer\iexplore.exe"
      C:\Windows\SysWOW64\explorer.exe (PID 376), command line: explorer.exe
      C:\Program Files\Internet Explorer\iexplore.exe (PID 860), command line: "C:\Program Files\Internet Explorer\iexplore.exe"
      C:\Windows\SysWOW64\explorer.exe (PID 2440), command line: explorer.exe
      C:\Program Files\Internet Explorer\iexplore.exe (PID 2024), command line: "C:\Program Files\Internet Explorer\iexplore.exe"
      C:\Windows\SysWOW64\explorer.exe (PID 388), command line: explorer.exe
      C:\Program Files\Internet Explorer\iexplore.exe (PID 336), command line: "C:\Program Files\Internet Explorer\iexplore.exe"
      C:\Windows\SysWOW64\explorer.exe (PID 1700), command line: explorer.exe
      C:\Program Files\Internet Explorer\iexplore.exe (PID 2476), command line: "C:\Program Files\Internet Explorer\iexplore.exe"
      C:\Windows\SysWOW64\explorer.exe (PID 2488), command line: explorer.exe
      C:\Program Files\Internet Explorer\iexplore.exe (PID 2456), command line: "C:\Program Files\Internet Explorer\iexplore.exe"
      C:\Windows\SysWOW64\explorer.exe (PID 2268), command line: explorer.exe
      C:\Program Files\Internet Explorer\iexplore.exe (PID 2500), command line: "C:\Program Files\Internet Explorer\iexplore.exe"
      C:\Windows\SysWOW64\explorer.exe (PID 2368), command line: explorer.exe
      C:\Program Files\Internet Explorer\iexplore.exe (PID 2244), command line: "C:\Program Files\Internet Explorer\iexplore.exe"
      C:\Windows\SysWOW64\explorer.exe (PID 1612), command line: explorer.exe
      C:\Program Files\Internet Explorer\iexplore.exe (PID 1744), command line: "C:\Program Files\Internet Explorer\iexplore.exe"
      C:\Windows\SysWOW64\explorer.exe (PID 2080), command line: explorer.exe
      C:\Program Files\Internet Explorer\iexplore.exe (PID 2296), command line: "C:\Program Files\Internet Explorer\iexplore.exe"
      C:\Windows\SysWOW64\explorer.exe (PID 2592), command line: explorer.exe
Network
MITRE ATT&CK Enterprise v15
Downloads