Analysis
max time kernel: 150s
max time network: 155s
platform: windows7_x64
resource: win7-20241010-en
resource tags: arch:x64, arch:x86, image:win7-20241010-en, locale:en-us, os:windows7-x64, system
submitted: 04-11-2024 02:29
Static task: static1
Behavioral task: behavioral1
Sample: 8eb2020f1d3c549da4b6076341fa032f_JaffaCakes118.exe
Resource: win7-20241010-en
General
Target: 8eb2020f1d3c549da4b6076341fa032f_JaffaCakes118.exe
Size: 1.1MB
MD5: 8eb2020f1d3c549da4b6076341fa032f
SHA1: 9ead9c8b3fce65bd6ea30da4a401fac8425e8d0b
SHA256: 2abc906f7f08fb8a8d9eb9bdba17fc99a4c914dee6b24680175703c38d2e4a5f
SHA512: 71b61a111fb825e91c236ff7c4d654631fa142f68ebbc86560d1f70ebd141cc3b39af8316dd5fe0a436d1205c6b7040e97a44512c5601429883f9fa8f5eb1a22
SSDEEP: 24576:CaHMv6CorjqnyC8rMtBYp/MPHcOMgvf+QeS6v:C1vqjdC8rMtSVMvcOkQgv
Malware Config
Extracted configuration, family: xtremerat
Hosts:
- nerozhack.ddns.com.br
- alonedevil.no-ip.org
- gameszero.dyndns.org
Signatures

Detect XtremeRAT payload (5 IoCs)
resource | yara_rule
behavioral1/memory/2932-55-0x0000000010000000-0x000000001004D000-memory.dmp | family_xtremerat
behavioral1/memory/2736-60-0x0000000010000000-0x000000001004D000-memory.dmp | family_xtremerat
behavioral1/memory/2676-63-0x0000000010000000-0x000000001004D000-memory.dmp | family_xtremerat
behavioral1/memory/2676-65-0x0000000010000000-0x000000001004D000-memory.dmp | family_xtremerat
behavioral1/memory/2736-67-0x0000000010000000-0x000000001004D000-memory.dmp | family_xtremerat
XtremeRAT
XtremeRAT was developed by xtremecoder, is written in Delphi, and has been available since at least 2010.
Xtremerat family
Drops file in Drivers directory (2 IoCs)
description | ioc | Process
File opened for modification | C:\Windows\system32\drivers\etc\System.exe | taskmgr.exe
File created | C:\Windows\system32\drivers\etc\System.exe | taskmgr.exe
Executes dropped EXE (3 IoCs)
pid | Process
2156 | app.exe
2828 | app.exe
2932 | app.exe

Loads dropped DLL (3 IoCs)
pid | Process
2060 | 8eb2020f1d3c549da4b6076341fa032f_JaffaCakes118.exe
2156 | app.exe
2828 | app.exe
Adds Run key to start application (2 TTPs, 4 IoCs)
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\UpdaterStartupUtility = "C:\\Windows\\system32\\drivers\\etc\\System.exe" | taskmgr.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows\CurrentVersion\Run\PlusServices = "C:\\Windows\\system32\\drivers\\etc\\System.exe" | taskmgr.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\UpdaterStartupUtility = "C:\\Windows\\system32\\drivers\\etc\\System.exe" | svchost.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows\CurrentVersion\Run\PlusServices = "C:\\Windows\\system32\\drivers\\etc\\System.exe" | svchost.exe
AutoIT Executable (3 IoCs)
AutoIT scripts compiled to PE executables.
resource | yara_rule
behavioral1/memory/2060-0-0x0000000000400000-0x00000000004B5000-memory.dmp | autoit_exe
behavioral1/memory/2156-41-0x0000000000400000-0x00000000004C4000-memory.dmp | autoit_exe
behavioral1/memory/2828-48-0x00000000008D0000-0x0000000000994000-memory.dmp | autoit_exe
Drops file in System32 directory (3 IoCs)
description | ioc | Process
File created | C:\Windows\SysWOW64\app.exe | 8eb2020f1d3c549da4b6076341fa032f_JaffaCakes118.exe
File opened for modification | C:\Windows\SysWOW64\app.exe | 8eb2020f1d3c549da4b6076341fa032f_JaffaCakes118.exe
File opened for modification | C:\Windows\SysWOW64\app.exe | app.exe
Suspicious use of SetThreadContext (2 IoCs)
description | pid | Process | procid_target
PID 2156 set thread context of 2828 | 2156 | app.exe | 30
PID 2828 set thread context of 2932 | 2828 | app.exe | 31
Yara rule upx (9 IoCs)
resource | yara_rule
behavioral1/memory/2932-55-0x0000000010000000-0x000000001004D000-memory.dmp | upx
behavioral1/memory/2932-54-0x0000000010000000-0x000000001004D000-memory.dmp | upx
behavioral1/memory/2736-60-0x0000000010000000-0x000000001004D000-memory.dmp | upx
behavioral1/memory/2932-51-0x0000000010000000-0x000000001004D000-memory.dmp | upx
behavioral1/memory/2932-47-0x0000000010000000-0x000000001004D000-memory.dmp | upx
behavioral1/memory/2932-46-0x0000000010000000-0x000000001004D000-memory.dmp | upx
behavioral1/memory/2676-63-0x0000000010000000-0x000000001004D000-memory.dmp | upx
behavioral1/memory/2676-65-0x0000000010000000-0x000000001004D000-memory.dmp | upx
behavioral1/memory/2736-67-0x0000000010000000-0x000000001004D000-memory.dmp | upx
Drops file in Windows directory (2 IoCs)
description | ioc | Process
File created | C:\Windows\SFBqMIUDMPeRYJaXntohQLbXLsu | app.exe
File opened for modification | C:\Windows\SFBqMIUDMPeRYJaXntohQLbXLsu | app.exe
Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).
System Location Discovery: System Language Discovery (1 TTPs, 6 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 8eb2020f1d3c549da4b6076341fa032f_JaffaCakes118.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | app.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | app.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | app.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | svchost.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | taskmgr.exe
Suspicious use of FindShellTrayWindow (3 IoCs)
pid | Process
2060 | 8eb2020f1d3c549da4b6076341fa032f_JaffaCakes118.exe
2060 | 8eb2020f1d3c549da4b6076341fa032f_JaffaCakes118.exe
2060 | 8eb2020f1d3c549da4b6076341fa032f_JaffaCakes118.exe

Suspicious use of SendNotifyMessage (3 IoCs)
pid | Process
2060 | 8eb2020f1d3c549da4b6076341fa032f_JaffaCakes118.exe
2060 | 8eb2020f1d3c549da4b6076341fa032f_JaffaCakes118.exe
2060 | 8eb2020f1d3c549da4b6076341fa032f_JaffaCakes118.exe

Suspicious use of SetWindowsHookEx (2 IoCs)
pid | Process
2828 | app.exe
2676 | taskmgr.exe
Suspicious use of WriteProcessMemory (42 IoCs; identical rows collapsed, with the number of occurrences in the last column)
description | pid | Process | procid_target | count
PID 2060 wrote to memory of 2156 | 2060 | 8eb2020f1d3c549da4b6076341fa032f_JaffaCakes118.exe | 29 | 7
PID 2156 wrote to memory of 2828 | 2156 | app.exe | 30 | 14
PID 2828 wrote to memory of 2932 | 2828 | app.exe | 31 | 11
PID 2932 wrote to memory of 2736 | 2932 | app.exe | 32 | 5
PID 2932 wrote to memory of 2676 | 2932 | app.exe | 33 | 5
Processes

C:\Users\Admin\AppData\Local\Temp\8eb2020f1d3c549da4b6076341fa032f_JaffaCakes118.exe (depth 1)
  command line: "C:\Users\Admin\AppData\Local\Temp\8eb2020f1d3c549da4b6076341fa032f_JaffaCakes118.exe"
  PID: 2060
  - Loads dropped DLL
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory

  C:\Windows\SysWOW64\app.exe (depth 2)
    command line: C:\Windows\SysWOW64\app.exe
    PID: 2156
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of SetThreadContext
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory

    C:\Windows\SysWOW64\app.exe (depth 3)
      command line: "C:\Windows\SysWOW64\app.exe"
      PID: 2828
      - Executes dropped EXE
      - Loads dropped DLL
      - Drops file in System32 directory
      - Suspicious use of SetThreadContext
      - System Location Discovery: System Language Discovery
      - Suspicious use of SetWindowsHookEx
      - Suspicious use of WriteProcessMemory

      C:\Windows\SysWOW64\app.exe (depth 4)
        PID: 2932
        - Executes dropped EXE
        - System Location Discovery: System Language Discovery
        - Suspicious use of WriteProcessMemory

        C:\Windows\SysWOW64\svchost.exe (depth 5)
          command line: svchost.exe
          PID: 2736
          - Adds Run key to start application
          - System Location Discovery: System Language Discovery

        C:\WINDOWS\SysWOW64\taskmgr.exe (depth 5)
          command line: C:\WINDOWS\system32\taskmgr.exe
          PID: 2676
          - Drops file in Drivers directory
          - Adds Run key to start application
          - System Location Discovery: System Language Discovery
          - Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Enterprise v15
Downloads

Filesize: 156KB
MD5: afb564741c2e34501330398ff8bc217c
SHA1: 6c44e87dd2b7259ee91e707fa3c2ec2845d8888c
SHA256: e9d0e5d900336b8548b435597324be10553d8c2b17294ad3fe1581809408447a
SHA512: 2f554bc2e2c14ea5ed36c4dc73f88046b1484f29ded2fae9ac5084902df0e0601b5f2274c93aaaea8862e209200804f36fae4b58bbb92ec048a478d90d620746

Filesize: 510KB
MD5: 900ba50b614a0853060bf4c40f572806
SHA1: 699241a25f5674f460c89b1f578bd31e384bef53
SHA256: f78d8dbf2b0e5b6ce2ac7ebb0a2ff86927a22af4e5a477a651f727dfbfd7f0de
SHA512: 7a32fca0e46b09e38b0ba39bada68fa866e9ca8f4ceb587ee44d98a9f76dda5c3795f42f138b350bd287cfbb07ebf0cf93d1dc8b0e7f6273d989f072f6a73ce3