Analysis
max time kernel
150s
max time network
138s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags
arch:x64 arch:x86 image:win10v2004-20241007-en locale:en-us os:windows10-2004-x64 system
submitted
01-11-2024 09:41
Static task
static1
Behavioral task
behavioral1
Sample
845abed239934629a99688c07f1e23ff_JaffaCakes118.exe
Resource
win7-20241010-en
Behavioral task
behavioral2
Sample
845abed239934629a99688c07f1e23ff_JaffaCakes118.exe
Resource
win10v2004-20241007-en
General
Target
845abed239934629a99688c07f1e23ff_JaffaCakes118.exe
Size
312KB
MD5
845abed239934629a99688c07f1e23ff
SHA1
b84aaf9a8c58876203a382cbb9f35983c661c978
SHA256
2f1689da203281598db1d10818ead7f0e15a1601cecfd225a62fabe8686d93ab
SHA512
05f0e28878d5a58537d1c093dcef8d6f3d085f92abc565c0b7f53aa3dd50a8199b5ecb39638c84948edffc042677bdf9028729dce2df24ad556081a63cf13bb8
SSDEEP
6144:rVF2NOx/6fcDNdvxoJURDrO5HYPGmPQq3szP4P2szYUujGphL/JO+:b2NOxyMNdvaJURDrO5Hbm4q3DxzYzGT3
Malware Config
Extracted
xtremerat
emchiyeuminhanh.no-ip.org
Signatures
Detect XtremeRAT payload 4 IoCs
resource  yara_rule
behavioral2/memory/328-29-0x0000000000C80000-0x0000000000C96000-memory.dmp  family_xtremerat
behavioral2/memory/4584-28-0x0000000000C80000-0x0000000000C96000-memory.dmp  family_xtremerat
behavioral2/memory/2988-31-0x0000000000C80000-0x0000000000C96000-memory.dmp  family_xtremerat
behavioral2/memory/328-32-0x0000000000C80000-0x0000000000C96000-memory.dmp  family_xtremerat
ModiLoader, DBatLoader
ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.
Modiloader family
XtremeRAT
XtremeRAT was developed by xtremecoder, is written in Delphi, and has been available since at least 2010.
Xtremerat family
ModiLoader Second Stage 2 IoCs
resource  yara_rule
behavioral2/files/0x000c000000023b42-4.dat  modiloader_stage2
behavioral2/memory/760-37-0x0000000000400000-0x000000000046A000-memory.dmp  modiloader_stage2
Boot or Logon Autostart Execution: Active Setup 2 TTPs 2 IoCs
Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.
description  ioc  Process
Key created  \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}  server_rat_xtreme.exe
Set value (str)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}\StubPath = "C:\\Windows\\InstallDir\\Server.exe restart"  server_rat_xtreme.exe
Checks computer location settings 2 TTPs 1 IoCs
Looks up the country code configured in the registry, likely a geofence check.
description  ioc  Process
Key value queried  \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation  845abed239934629a99688c07f1e23ff_JaffaCakes118.exe
Executes dropped EXE 2 IoCs
pid  Process
760  dongmanhinh.exe
2988  server_rat_xtreme.exe
Impair Defenses: Safe Mode Boot 1 TTPs 6 IoCs
description  ioc  Process
Key deleted  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\UserManager  dongmanhinh.exe
Key deleted  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\SerCx2.sys  dongmanhinh.exe
Key deleted  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\ProfSvc  dongmanhinh.exe
Key deleted  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\Power  dongmanhinh.exe
Key deleted  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\iai2c.sys  dongmanhinh.exe
Key deleted  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\CBDHSvc  dongmanhinh.exe
Adds Run key to start application 2 TTPs 3 IoCs
description  ioc  Process
Set value (str)  \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\dongmanhinh.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\dongmanhinh.exe"  dongmanhinh.exe
Set value (str)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Windows\\InstallDir\\Server.exe"  server_rat_xtreme.exe
Set value (str)  \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Windows\\InstallDir\\Server.exe"  server_rat_xtreme.exe
UPX-packed file 6 IoCs
resource  yara_rule
behavioral2/files/0x000a000000023b89-16.dat  upx
behavioral2/memory/2988-19-0x0000000000C80000-0x0000000000C96000-memory.dmp  upx
behavioral2/memory/328-29-0x0000000000C80000-0x0000000000C96000-memory.dmp  upx
behavioral2/memory/4584-28-0x0000000000C80000-0x0000000000C96000-memory.dmp  upx
behavioral2/memory/2988-31-0x0000000000C80000-0x0000000000C96000-memory.dmp  upx
behavioral2/memory/328-32-0x0000000000C80000-0x0000000000C96000-memory.dmp  upx
Drops file in Windows directory 3 IoCs
description  ioc  Process
File opened for modification  C:\Windows\InstallDir\Server.exe  server_rat_xtreme.exe
File created  C:\Windows\InstallDir\Server.exe  server_rat_xtreme.exe
File opened for modification  C:\Windows\InstallDir\  server_rat_xtreme.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
System Location Discovery: System Language Discovery 1 TTPs 5 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description  ioc  Process
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  845abed239934629a99688c07f1e23ff_JaffaCakes118.exe
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  dongmanhinh.exe
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  server_rat_xtreme.exe
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  explorer.exe
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  explorer.exe
Modifies registry class 2 IoCs
description  ioc  Process
Key created  \REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-3756129449-3121373848-4276368241-1000\{1C9D9A85-40DF-4D8A-B9B4-C659508E5EAE}  explorer.exe
Key created  \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\  explorer.exe
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid  Process
760  dongmanhinh.exe (64 identical entries)
Suspicious use of AdjustPrivilegeToken 4 IoCs
description  pid  Process
Token: SeShutdownPrivilege  3656  explorer.exe
Token: SeCreatePagefilePrivilege  3656  explorer.exe
Token: SeShutdownPrivilege  3656  explorer.exe
Token: SeCreatePagefilePrivilege  3656  explorer.exe
Suspicious use of WriteProcessMemory 16 IoCs
description  pid  Process  procid_target
PID 4796 wrote to memory of 760  4796  845abed239934629a99688c07f1e23ff_JaffaCakes118.exe  85
PID 4796 wrote to memory of 760  4796  845abed239934629a99688c07f1e23ff_JaffaCakes118.exe  85
PID 4796 wrote to memory of 760  4796  845abed239934629a99688c07f1e23ff_JaffaCakes118.exe  85
PID 4796 wrote to memory of 2988  4796  845abed239934629a99688c07f1e23ff_JaffaCakes118.exe  86
PID 4796 wrote to memory of 2988  4796  845abed239934629a99688c07f1e23ff_JaffaCakes118.exe  86
PID 4796 wrote to memory of 2988  4796  845abed239934629a99688c07f1e23ff_JaffaCakes118.exe  86
PID 2988 wrote to memory of 4668  2988  server_rat_xtreme.exe  88
PID 2988 wrote to memory of 4668  2988  server_rat_xtreme.exe  88
PID 2988 wrote to memory of 328  2988  server_rat_xtreme.exe  89
PID 2988 wrote to memory of 328  2988  server_rat_xtreme.exe  89
PID 2988 wrote to memory of 328  2988  server_rat_xtreme.exe  89
PID 2988 wrote to memory of 4584  2988  server_rat_xtreme.exe  91
PID 2988 wrote to memory of 4584  2988  server_rat_xtreme.exe  91
PID 2988 wrote to memory of 4584  2988  server_rat_xtreme.exe  91
PID 2988 wrote to memory of 4584  2988  server_rat_xtreme.exe  91
PID 2988 wrote to memory of 328  2988  server_rat_xtreme.exe  89
Processes
C:\Users\Admin\AppData\Local\Temp\845abed239934629a99688c07f1e23ff_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\845abed239934629a99688c07f1e23ff_JaffaCakes118.exe"
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4796
  C:\Users\Admin\AppData\Local\Temp\dongmanhinh.exe
  "C:\Users\Admin\AppData\Local\Temp\dongmanhinh.exe"
  - Executes dropped EXE
  - Impair Defenses: Safe Mode Boot
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:760
  C:\Users\Admin\AppData\Local\Temp\server_rat_xtreme.exe
  "C:\Users\Admin\AppData\Local\Temp\server_rat_xtreme.exe"
  - Boot or Logon Autostart Execution: Active Setup
  - Executes dropped EXE
  - Adds Run key to start application
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2988
    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
    PID:4668
    C:\Windows\SysWOW64\explorer.exe
    explorer.exe
    - System Location Discovery: System Language Discovery
    PID:328
    C:\Windows\SysWOW64\explorer.exe
    explorer.exe
    - System Location Discovery: System Language Discovery
    PID:4584
C:\Windows\explorer.exe
explorer.exe
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
PID:3656
Network
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution (2)
Active Setup (1)
Registry Run Keys / Startup Folder (1)
Privilege Escalation
Boot or Logon Autostart Execution (2)
Active Setup (1)
Registry Run Keys / Startup Folder (1)
Downloads
Filesize
397KB
MD5
7803b78247fc0932623028e2b98f7ff8
SHA1
fac630d1315fdd8936ead20ada409cc34d2908bd
SHA256
a19cbbea5a788f492e5cf2d55abfea57bf7623e4661db85d2756d5767e8a2972
SHA512
56a6ab10595ec12a81698a17bc7fb9577853911e8215027773452488c2a8e95fd95f69d26ee59a49f0bab4055732cf74027f5c9241a64533226721a7e2f14704
Filesize
21KB
MD5
30d63fed34cd5640da16d9dac7168c30
SHA1
aa83d65b22bee084dd6af3db970240d3c816ccd9
SHA256
138db630d4f5dc56baa454eab4edd9835d6cbf6076049df85546abd07b1cc991
SHA512
76dac8b7eb54e7ca6c19de4dad6cb1d77a532a538d6bacd46aea3eb8fe97cf9c382fd70b7e88bf76457c4b5906a3c980fa54449220911f91b3a116025138823e