Overview

overview

10

Static

static

3

916bd1bf4b...18.exe

windows7-x64

10

916bd1bf4b...18.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    150s
  • max time network
    121s
  • platform
    windows7_x64
  • resource
    win7-20240708-en
  • resource tags

    arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
  • submitted
    23-11-2024 23:59

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    916bd1bf4bc489ea1fe45061d0f7210d_JaffaCakes118.exe

  • Size

    668KB

  • MD5

    916bd1bf4bc489ea1fe45061d0f7210d

  • SHA1

    07768f49507099f013f989b4536635a655f57660

  • SHA256

    d81e62234e9763b36a8f4acac3d8f4f2061d6140d1775ddd55164b4e8197be59

  • SHA512

    00f72fbb46396395b2a34790728ba23ad556e1353fa8934e42dd2212d992f5343fa65d122b672c0e728c3e2a3e6bb21fc35577d74840656c698fd3266db50e2d

  • SSDEEP

    12288:POqBSJNJ/+EkGz1lr3nxGteN4r3t8UOGz624SitfLmygYiW:2CScE7z193Rit8UJ62BmhgLW

Score
10/10
xtremeratdiscoverypersistenceratspyware

Malware Config

Extracted

Family

xtremerat

C2

yahoomail.3utilities.com

Signatures

  • Detect XtremeRAT payload 12 IoCs
  • XtremeRAT

    The XtremeRAT was developed by xtremecoder and has been available since at least 2010, and written in Delphi.

    persistencespywareratxtremerat
  • Xtremerat family
    xtremerat
  • Boot or Logon Autostart Execution: Active Setup 2 TTPs 14 IoCs

    Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

    persistence
  • Executes dropped EXE 16 IoCs
  • Loads dropped DLL 9 IoCs
  • Drops desktop.ini file(s) 1 IoCs
  • Suspicious use of SetThreadContext 12 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 23 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Modifies registry class 10 IoCs
  • Suspicious behavior: EnumeratesProcesses 3 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of SendNotifyMessage 1 IoCs
  • Suspicious use of SetWindowsHookEx 6 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\916bd1bf4bc489ea1fe45061d0f7210d_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\916bd1bf4bc489ea1fe45061d0f7210d_JaffaCakes118.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:2668
    • C:\Users\Admin\AppData\Local\Temp\916bd1bf4bc489ea1fe45061d0f7210d_JaffaCakes118.exe
      C:\Users\Admin\AppData\Local\Temp\916bd1bf4bc489ea1fe45061d0f7210d_JaffaCakes118.exe
      2⤵
      • Boot or Logon Autostart Execution: Active Setup
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:2804
      • C:\Windows\SysWOW64\svchost.exe
        svchost.exe
        3⤵
        • Boot or Logon Autostart Execution: Active Setup
        • Loads dropped DLL
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:2608
        • C:\updater\Config.exe
          "C:\updater\Config.exe"
          4⤵
          • Executes dropped EXE
          • Suspicious use of SetThreadContext
          • System Location Discovery: System Language Discovery
          • Suspicious use of WriteProcessMemory
          PID:1656
          • C:\updater\Config.exe
            C:\updater\Config.exe
            5⤵
            • Executes dropped EXE
            • System Location Discovery: System Language Discovery
            PID:3012
        • C:\updater\Config.exe
          "C:\updater\Config.exe"
          4⤵
          • Executes dropped EXE
          • Suspicious use of SetThreadContext
          • System Location Discovery: System Language Discovery
          PID:1964
          • C:\updater\Config.exe
            C:\updater\Config.exe
            5⤵
            • Boot or Logon Autostart Execution: Active Setup
            • Executes dropped EXE
            • Suspicious use of SetThreadContext
            • System Location Discovery: System Language Discovery
            PID:1664
            • C:\Windows\SysWOW64\explorer.exe
              explorer.exe
              6⤵
              • Boot or Logon Autostart Execution: Active Setup
              • System Location Discovery: System Language Discovery
              • Modifies registry class
              • Suspicious behavior: EnumeratesProcesses
              • Suspicious use of SetWindowsHookEx
              PID:1724
        • C:\updater\Config.exe
          "C:\updater\Config.exe"
          4⤵
          • Executes dropped EXE
          • Suspicious use of SetThreadContext
          • System Location Discovery: System Language Discovery
          PID:596
          • C:\updater\Config.exe
            C:\updater\Config.exe
            5⤵
            • Executes dropped EXE
            • System Location Discovery: System Language Discovery
            PID:2528
        • C:\updater\Config.exe
          "C:\updater\Config.exe"
          4⤵
          • Executes dropped EXE
          • Suspicious use of SetThreadContext
          • System Location Discovery: System Language Discovery
          PID:1092
          • C:\updater\Config.exe
            C:\updater\Config.exe
            5⤵
            • Executes dropped EXE
            • System Location Discovery: System Language Discovery
            PID:812
        • C:\updater\Config.exe
          "C:\updater\Config.exe"
          4⤵
          • Executes dropped EXE
          • Suspicious use of SetThreadContext
          • System Location Discovery: System Language Discovery
          PID:2748
          • C:\updater\Config.exe
            C:\updater\Config.exe
            5⤵
            • Boot or Logon Autostart Execution: Active Setup
            • Executes dropped EXE
            • Suspicious use of SetThreadContext
            • System Location Discovery: System Language Discovery
            PID:2576
            • C:\Windows\SysWOW64\explorer.exe
              explorer.exe
              6⤵
              • System Location Discovery: System Language Discovery
              • Suspicious behavior: EnumeratesProcesses
              • Suspicious use of SetWindowsHookEx
              PID:1332
        • C:\updater\Config.exe
          "C:\updater\Config.exe"
          4⤵
          • Executes dropped EXE
          • Suspicious use of SetThreadContext
          • System Location Discovery: System Language Discovery
          PID:2668
          • C:\updater\Config.exe
            C:\updater\Config.exe
            5⤵
            • Executes dropped EXE
            • System Location Discovery: System Language Discovery
            PID:1676
        • C:\updater\Config.exe
          "C:\updater\Config.exe"
          4⤵
          • Executes dropped EXE
          • Suspicious use of SetThreadContext
          • System Location Discovery: System Language Discovery
          PID:2756
          • C:\updater\Config.exe
            C:\updater\Config.exe
            5⤵
            • Executes dropped EXE
            • System Location Discovery: System Language Discovery
            PID:2188
      • C:\Windows\SysWOW64\explorer.exe
        explorer.exe
        3⤵
        • Loads dropped DLL
        • Drops desktop.ini file(s)
        • System Location Discovery: System Language Discovery
        • Suspicious use of FindShellTrayWindow
        • Suspicious use of SendNotifyMessage
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:1932
        • C:\updater\Config.exe
          "C:\updater\Config.exe"
          4⤵
          • Executes dropped EXE
          • Suspicious use of SetThreadContext
          • System Location Discovery: System Language Discovery
          • Suspicious use of WriteProcessMemory
          PID:1688
          • C:\updater\Config.exe
            C:\updater\Config.exe
            5⤵
            • Boot or Logon Autostart Execution: Active Setup
            • Executes dropped EXE
            • Suspicious use of SetThreadContext
            • System Location Discovery: System Language Discovery
            • Suspicious use of WriteProcessMemory
            PID:2236
            • C:\Windows\SysWOW64\explorer.exe
              explorer.exe
              6⤵
              • Boot or Logon Autostart Execution: Active Setup
              • System Location Discovery: System Language Discovery
              • Modifies registry class
              • Suspicious behavior: EnumeratesProcesses
              • Suspicious use of SetWindowsHookEx
              PID:1548

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\ZPprfpd.cfg
    Filesize

    1KB

    MD5

    28b92d0b57db85ea0a13c5ebe53f9a38

    SHA1

    b44c1a59147be8614fb0efd76523a0d6bd266626

    SHA256

    dcf0eaaf79af71f084c0a5b055b5dd4558cd195234dbeee3f5bcea72e77bf9f8

    SHA512

    723998a5da5f160c2a9d6e8ef345f08c844de992584ab02bd2da6e646cdf31a2f85193e701614c415fb8bdc82104b32ee67834f5f3c1caa584382251b9e35e69

    Download Submit

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\ZPprfpd.dat
    Filesize

    2B

    MD5

    84cad01fdb44ae58dbe6c3973dcd87f5

    SHA1

    4700b42849fb35be323774820bf1bc8019d26c80

    SHA256

    8b1f194be530240c18bf0b1ee0d038e750fab8b24c6bd25c864297e5ebb41fa6

    SHA512

    6e10d3ec4724c1aca9ff3f6a26292ba80065d18e8e9395f1474c0a298008f25e312e2f7024e7d10aab3264764e69a25553cc20afd23090f83921d20e42b989ab

    Download Submit

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\ZPprfpd.xtr
    Filesize

    343KB

    MD5

    6426d400c96fb9ffef4eaa54f6647f4c

    SHA1

    70a37871aff432790b6adf7d3fc4eb929476e082

    SHA256

    98bba0cf4c57ecd35b227f45e4aa6dd50ef7cfb1160235cc14687c96eb09fa3c

    SHA512

    2c8b4d3ab066cbfca6cf0c8d89d5044152b5e3d7100249cbedd1c816e3a4a94efc8bc6b79c1dab4bdf96e3ce476d6caccf625cfbe0aff3bf5e7a29dfcfa948c5

    Download Submit

  • C:\updater\Config.exe
    Filesize

    668KB

    MD5

    916bd1bf4bc489ea1fe45061d0f7210d

    SHA1

    07768f49507099f013f989b4536635a655f57660

    SHA256

    d81e62234e9763b36a8f4acac3d8f4f2061d6140d1775ddd55164b4e8197be59

    SHA512

    00f72fbb46396395b2a34790728ba23ad556e1353fa8934e42dd2212d992f5343fa65d122b672c0e728c3e2a3e6bb21fc35577d74840656c698fd3266db50e2d

    Download Submit

  • memory/1656-73-0x0000000023240000-0x000000002326A000-memory.dmp

    Filesize

    168KB

    Download

  • memory/1688-71-0x0000000023240000-0x000000002326A000-memory.dmp

    Filesize

    168KB

    Download

  • memory/1932-47-0x0000000000C80000-0x0000000000CE9000-memory.dmp

    Filesize

    420KB

    Download

  • memory/1932-41-0x0000000000C80000-0x0000000000CE9000-memory.dmp

    Filesize

    420KB

    Download

  • memory/1932-35-0x0000000000C80000-0x0000000000CE9000-memory.dmp

    Filesize

    420KB

    Download

  • memory/1932-33-0x0000000000C80000-0x0000000000CE9000-memory.dmp

    Filesize

    420KB

    Download

  • memory/2608-29-0x0000000000C80000-0x0000000000CE9000-memory.dmp

    Filesize

    420KB

    Download

  • memory/2668-0-0x0000000023240000-0x000000002326A000-memory.dmp

    Filesize

    168KB

    Download

  • memory/2668-22-0x0000000023240000-0x000000002326A000-memory.dmp

    Filesize

    168KB

    Download

  • memory/2804-13-0x0000000000C80000-0x0000000000CE9000-memory.dmp

    Filesize

    420KB

    Download

  • memory/2804-8-0x0000000000C80000-0x0000000000CE9000-memory.dmp

    Filesize

    420KB

    Download

  • memory/2804-2-0x0000000000C80000-0x0000000000CE9000-memory.dmp

    Filesize

    420KB

    Download

  • memory/2804-3-0x0000000000C80000-0x0000000000CE9000-memory.dmp

    Filesize

    420KB

    Download

  • memory/2804-5-0x0000000000C80000-0x0000000000CE9000-memory.dmp

    Filesize

    420KB

    Download

  • memory/2804-11-0x0000000000C80000-0x0000000000CE9000-memory.dmp

    Filesize

    420KB

    Download

  • memory/2804-15-0x0000000000C80000-0x0000000000CE9000-memory.dmp

    Filesize

    420KB

    Download

  • memory/2804-19-0x0000000000C80000-0x0000000000CE9000-memory.dmp

    Filesize

    420KB

    Download

  • memory/2804-16-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2804-1-0x0000000000C80000-0x0000000000CE9000-memory.dmp

    Filesize

    420KB

    Download