Overview

overview

10

Static

static

3

845abed239...18.exe

windows7-x64

10

845abed239...18.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    150s
  • max time network
    138s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    01-11-2024 09:41

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    845abed239934629a99688c07f1e23ff_JaffaCakes118.exe

  • Size

    312KB

  • MD5

    845abed239934629a99688c07f1e23ff

  • SHA1

    b84aaf9a8c58876203a382cbb9f35983c661c978

  • SHA256

    2f1689da203281598db1d10818ead7f0e15a1601cecfd225a62fabe8686d93ab

  • SHA512

    05f0e28878d5a58537d1c093dcef8d6f3d085f92abc565c0b7f53aa3dd50a8199b5ecb39638c84948edffc042677bdf9028729dce2df24ad556081a63cf13bb8

  • SSDEEP

    6144:rVF2NOx/6fcDNdvxoJURDrO5HYPGmPQq3szP4P2szYUujGphL/JO+:b2NOxyMNdvaJURDrO5Hbm4q3DxzYzGT3

Score
10/10
modiloaderxtremeratdefense_evasiondiscoverypersistenceratspywaretrojanupx

Malware Config

Extracted

Family

xtremerat

C2

emchiyeuminhanh.no-ip.org

᠐emchiyeuminhanh.no-ip.org

Signatures

  • Detect XtremeRAT payload 4 IoCs
  • ModiLoader, DBatLoader

    ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.

    trojanmodiloader
  • Modiloader family
    modiloader
  • XtremeRAT

    The XtremeRAT was developed by xtremecoder and has been available since at least 2010, and written in Delphi.

    persistencespywareratxtremerat
  • Xtremerat family
    xtremerat
  • ModiLoader Second Stage 2 IoCs
  • Boot or Logon Autostart Execution: Active Setup 2 TTPs 2 IoCs

    Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

    persistence
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 2 IoCs
  • Impair Defenses: Safe Mode Boot 1 TTPs 6 IoCs
    defense_evasion
  • Adds Run key to start application 2 TTPs 3 IoCs
    persistence
  • UPX packed file 6 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

    upx
  • Drops file in Windows directory 3 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Modifies registry class 2 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 4 IoCs
  • Suspicious use of WriteProcessMemory 16 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\845abed239934629a99688c07f1e23ff_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\845abed239934629a99688c07f1e23ff_JaffaCakes118.exe"
    1⤵
    • Checks computer location settings
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:4796
    • C:\Users\Admin\AppData\Local\Temp\dongmanhinh.exe
      "C:\Users\Admin\AppData\Local\Temp\dongmanhinh.exe"
      2⤵
      • Executes dropped EXE
      • Impair Defenses: Safe Mode Boot
      • Adds Run key to start application
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      PID:760
    • C:\Users\Admin\AppData\Local\Temp\server_rat_xtreme.exe
      "C:\Users\Admin\AppData\Local\Temp\server_rat_xtreme.exe"
      2⤵
      • Boot or Logon Autostart Execution: Active Setup
      • Executes dropped EXE
      • Adds Run key to start application
      • Drops file in Windows directory
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:2988
      • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        3⤵
          PID:4668
        • C:\Windows\SysWOW64\explorer.exe
          explorer.exe
          3⤵
          • System Location Discovery: System Language Discovery
          PID:328
        • C:\Windows\SysWOW64\explorer.exe
          explorer.exe
          3⤵
          • System Location Discovery: System Language Discovery
          PID:4584
    • C:\Windows\explorer.exe
      explorer.exe
      1⤵
      • Modifies registry class
      • Suspicious use of AdjustPrivilegeToken
      PID:3656

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\Temp\dongmanhinh.exe
      Filesize

      397KB

      MD5

      7803b78247fc0932623028e2b98f7ff8

      SHA1

      fac630d1315fdd8936ead20ada409cc34d2908bd

      SHA256

      a19cbbea5a788f492e5cf2d55abfea57bf7623e4661db85d2756d5767e8a2972

      SHA512

      56a6ab10595ec12a81698a17bc7fb9577853911e8215027773452488c2a8e95fd95f69d26ee59a49f0bab4055732cf74027f5c9241a64533226721a7e2f14704

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\server_rat_xtreme.exe
      Filesize

      21KB

      MD5

      30d63fed34cd5640da16d9dac7168c30

      SHA1

      aa83d65b22bee084dd6af3db970240d3c816ccd9

      SHA256

      138db630d4f5dc56baa454eab4edd9835d6cbf6076049df85546abd07b1cc991

      SHA512

      76dac8b7eb54e7ca6c19de4dad6cb1d77a532a538d6bacd46aea3eb8fe97cf9c382fd70b7e88bf76457c4b5906a3c980fa54449220911f91b3a116025138823e

      Download Submit

    • memory/328-29-0x0000000000C80000-0x0000000000C96000-memory.dmp

      Filesize

      88KB

      Download

    • memory/328-32-0x0000000000C80000-0x0000000000C96000-memory.dmp

      Filesize

      88KB

      Download

    • memory/760-21-0x0000000002430000-0x0000000002431000-memory.dmp

      Filesize

      4KB

      Download

    • memory/760-36-0x0000000002430000-0x0000000002431000-memory.dmp

      Filesize

      4KB

      Download

    • memory/760-37-0x0000000000400000-0x000000000046A000-memory.dmp

      Filesize

      424KB

      Download

    • memory/2988-19-0x0000000000C80000-0x0000000000C96000-memory.dmp

      Filesize

      88KB

      Download

    • memory/2988-31-0x0000000000C80000-0x0000000000C96000-memory.dmp

      Filesize

      88KB

      Download

    • memory/4584-28-0x0000000000C80000-0x0000000000C96000-memory.dmp

      Filesize

      88KB

      Download