Analysis
-
max time kernel
136s -
max time network
152s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system -
submitted
03-11-2024 14:04
Static task
static1
Behavioral task
behavioral1
Sample
8bd8e4415921120e5381a8d0d6e97099_JaffaCakes118.exe
Resource
win7-20241010-en
General
-
Target
8bd8e4415921120e5381a8d0d6e97099_JaffaCakes118.exe
-
Size
240KB
-
MD5
8bd8e4415921120e5381a8d0d6e97099
-
SHA1
8b9f58ac057c05db335f8d19818de827e0fb3b8c
-
SHA256
358a05a1b545dc2cf95b0c5081247f9fe2fce6f065b04d83d339fb71a748b22f
-
SHA512
ffd7289d23c12721ba2ca0a3ee2a790fd9308fb4be38ec09f5ce79c9ddbefb6e2d6b8850efb517b6d745d592fe509e56652a0a3db9654ff294ffc424ff3b28f8
-
SSDEEP
3072:aVnUJ8T2SXZyrgoBJtbN/3MCK2kevEwl/6GJHSp90uPrR5whRF0yXR3FeGABXurM:aVD/JdSI5ebm90mrRiP1eGANuTEU7ZWz
Malware Config
Signatures
-
Detect XtremeRAT payload 3 IoCs
resource yara_rule behavioral2/memory/4028-26-0x0000000000C80000-0x0000000000C96000-memory.dmp family_xtremerat behavioral2/memory/4384-28-0x0000000000C80000-0x0000000000C96000-memory.dmp family_xtremerat behavioral2/memory/4028-30-0x0000000000C80000-0x0000000000C96000-memory.dmp family_xtremerat -
XtremeRAT
The XtremeRAT was developed by xtremecoder and has been available since at least 2010, and written in Delphi.
-
Xtremerat family
-
Boot or Logon Autostart Execution: Active Setup 2 TTPs 2 IoCs
Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}\StubPath = "C:\\Windows\\InstallDir\\Server.exe restart" thehack.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2} thehack.exe -
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
description ioc Process Key value queried \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation 8bd8e4415921120e5381a8d0d6e97099_JaffaCakes118.exe -
Executes dropped EXE 2 IoCs
pid Process 4384 thehack.exe 3376 zhack.exe -
Adds Run key to start application 2 TTPs 2 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Windows\\InstallDir\\Server.exe" thehack.exe Set value (str) \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Windows\\InstallDir\\Server.exe" thehack.exe -
resource yara_rule behavioral2/files/0x000a000000023bff-4.dat upx behavioral2/memory/4384-18-0x0000000000C80000-0x0000000000C96000-memory.dmp upx behavioral2/memory/4028-26-0x0000000000C80000-0x0000000000C96000-memory.dmp upx behavioral2/memory/4384-28-0x0000000000C80000-0x0000000000C96000-memory.dmp upx behavioral2/memory/4028-30-0x0000000000C80000-0x0000000000C96000-memory.dmp upx -
Drops file in Windows directory 2 IoCs
description ioc Process File opened for modification C:\Windows\InstallDir\Server.exe thehack.exe File created C:\Windows\InstallDir\Server.exe thehack.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 6 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language zhack.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language PING.EXE Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language svchost.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 8bd8e4415921120e5381a8d0d6e97099_JaffaCakes118.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language thehack.exe -
System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 2 IoCs
Adversaries may check for Internet connectivity on compromised systems.
pid Process 2172 cmd.exe 2224 PING.EXE -
Runs ping.exe 1 TTPs 1 IoCs
pid Process 2224 PING.EXE -
Suspicious use of SetWindowsHookEx 1 IoCs
pid Process 4028 svchost.exe -
Suspicious use of WriteProcessMemory 16 IoCs
description pid Process procid_target PID 3052 wrote to memory of 4384 3052 8bd8e4415921120e5381a8d0d6e97099_JaffaCakes118.exe 85 PID 3052 wrote to memory of 4384 3052 8bd8e4415921120e5381a8d0d6e97099_JaffaCakes118.exe 85 PID 3052 wrote to memory of 4384 3052 8bd8e4415921120e5381a8d0d6e97099_JaffaCakes118.exe 85 PID 3052 wrote to memory of 3376 3052 8bd8e4415921120e5381a8d0d6e97099_JaffaCakes118.exe 86 PID 3052 wrote to memory of 3376 3052 8bd8e4415921120e5381a8d0d6e97099_JaffaCakes118.exe 86 PID 3052 wrote to memory of 3376 3052 8bd8e4415921120e5381a8d0d6e97099_JaffaCakes118.exe 86 PID 3052 wrote to memory of 2172 3052 8bd8e4415921120e5381a8d0d6e97099_JaffaCakes118.exe 88 PID 3052 wrote to memory of 2172 3052 8bd8e4415921120e5381a8d0d6e97099_JaffaCakes118.exe 88 PID 3052 wrote to memory of 2172 3052 8bd8e4415921120e5381a8d0d6e97099_JaffaCakes118.exe 88 PID 4384 wrote to memory of 4028 4384 thehack.exe 90 PID 4384 wrote to memory of 4028 4384 thehack.exe 90 PID 4384 wrote to memory of 4028 4384 thehack.exe 90 PID 2172 wrote to memory of 2224 2172 cmd.exe 91 PID 2172 wrote to memory of 2224 2172 cmd.exe 91 PID 2172 wrote to memory of 2224 2172 cmd.exe 91 PID 4384 wrote to memory of 4028 4384 thehack.exe 90
Processes
-
C:\Users\Admin\AppData\Local\Temp\8bd8e4415921120e5381a8d0d6e97099_JaffaCakes118.exe"C:\Users\Admin\AppData\Local\Temp\8bd8e4415921120e5381a8d0d6e97099_JaffaCakes118.exe"1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3052 -
C:\Users\Admin\AppData\Local\Temp\thehack.exe"C:\Users\Admin\AppData\Local\Temp\thehack.exe"2⤵
- Boot or Logon Autostart Execution: Active Setup
- Executes dropped EXE
- Adds Run key to start application
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4384 -
C:\Windows\SysWOW64\svchost.exesvchost.exe3⤵
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:4028
-
-
-
C:\Users\Admin\AppData\Local\Temp\zhack.exe"C:\Users\Admin\AppData\Local\Temp\zhack.exe"2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:3376
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /c ping -n 3 127.0.0.1 & copy /Y "C:\Users\Admin\AppData\Local\Temp\zhack.exe" "C:\Users\Admin\AppData\Local\Temp\8bd8e4415921120e5381a8d0d6e97099_JaffaCakes118.exe" >> NUL2⤵
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
- Suspicious use of WriteProcessMemory
PID:2172 -
C:\Windows\SysWOW64\PING.EXEping -n 3 127.0.0.13⤵
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:2224
-
-
Network
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
2Active Setup
1Registry Run Keys / Startup Folder
1Privilege Escalation
Boot or Logon Autostart Execution
2Active Setup
1Registry Run Keys / Startup Folder
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
21KB
MD5cdd786a7b2c69149de85a3d76b8a36e9
SHA1ee3af6788721d58544b86c504f3b6d72d0b3bff0
SHA2565321b74f9735983982d6ad5f33abfb62511348318bee012b8adf5fa27d977452
SHA5126b6d7d18cb053e6fd6b948245b7efce1f3aa943f3578701086204ded8377d38f23b48609e5ff3625b752c5783bab8424d3b5af82ad1a2fac13ec942e65be4491
-
Filesize
174KB
MD53a89bc20a2381179c7777a2ba3f8b2ca
SHA17f4bef007e0f35d575c7f876cc3e6531a4fe41a9
SHA25683768a88bbfa03d0aca58ae92f7a1c8f59837185dafe2f8d2cbf4a0f179dc3e1
SHA5125304484946212ad02cb9d6cb8ff2e07deffecba46622e877dfafe8c5e3e0ef2223d5c9e603a208830186e079dff6e3c246f4932f3cc3f74bdcf24cf6d90ab12b