Analysis
- max time kernel: 149s
- max time network: 151s
- platform: windows10-2004_x64
- resource: win10v2004-20241007-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 26/11/2024, 23:54
Static task: static1
Behavioral task: behavioral1
- Sample: a4cddb4d05923df30ff0794d478769b2_JaffaCakes118.exe
- Resource: win7-20240903-en
Behavioral task: behavioral2
- Sample: a4cddb4d05923df30ff0794d478769b2_JaffaCakes118.exe
- Resource: win10v2004-20241007-en
General
- Target: a4cddb4d05923df30ff0794d478769b2_JaffaCakes118.exe
- Size: 885KB
- MD5: a4cddb4d05923df30ff0794d478769b2
- SHA1: 84d18e438a933601604055eb5aef4b492b9b6b33
- SHA256: 444019851d9dff176ff5a031d0c64eb491b37ae2cd84bf3214474121851f377a
- SHA512: 77dce82bcbd69e4aeb88b6bbc65825d021decf95799bee7807d392a46f6a58c1e3e7168e99d38e9c86f32e771ea07ce894ed50165bc68d09f1447b5050f1b914
- SSDEEP: 24576:C5bfVHXcEjg9244W8N5Gp5KFbjDl75hmV1UMP9n+eh:CVtHX9f4UFHDZ5AVug9n+G
Malware Config
Extracted
- xtremerat
- esam2at.no-ip.biz
Signatures
- Detect XtremeRAT payload 12 IoCs
resource                                                                  yara_rule
behavioral2/memory/3044-31-0x0000000010000000-0x00000000100D9000-memory.dmp  family_xtremerat
behavioral2/memory/3044-29-0x0000000010000000-0x00000000100D9000-memory.dmp  family_xtremerat
behavioral2/memory/3044-27-0x0000000010000000-0x00000000100D9000-memory.dmp  family_xtremerat
behavioral2/memory/3556-26-0x0000000010000000-0x000000001004C000-memory.dmp  family_xtremerat
behavioral2/memory/3556-25-0x0000000010000000-0x000000001004C000-memory.dmp  family_xtremerat
behavioral2/memory/3556-23-0x0000000010000000-0x000000001004C000-memory.dmp  family_xtremerat
behavioral2/memory/3280-33-0x0000000000400000-0x00000000004AC000-memory.dmp  family_xtremerat
behavioral2/memory/2116-35-0x0000000000400000-0x0000000000421000-memory.dmp  family_xtremerat
behavioral2/memory/4448-36-0x0000000010000000-0x000000001004C000-memory.dmp  family_xtremerat
behavioral2/memory/3412-37-0x0000000010000000-0x00000000100D9000-memory.dmp  family_xtremerat
behavioral2/memory/4448-47-0x0000000010000000-0x000000001004C000-memory.dmp  family_xtremerat
behavioral2/memory/3412-48-0x0000000010000000-0x00000000100D9000-memory.dmp  family_xtremerat
- XtremeRAT
XtremeRAT was developed by xtremecoder, is written in Delphi, and has been available since at least 2010.
- Xtremerat family
- Checks computer location settings 2 TTPs 2 IoCs
Looks up the country code configured in the registry, likely for geofencing.
description        ioc                                                                                                   Process
Key value queried  \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Control Panel\International\Geo\Nation  a4cddb4d05923df30ff0794d478769b2_JaffaCakes118.exe
Key value queried  \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Control Panel\International\Geo\Nation  c.exe
- Executes dropped EXE 5 IoCs
pid   Process
2116  test.exe
3280  c.exe
3556  test.exe
3044  c.exe
3308  92file.exe
- Suspicious use of SetThreadContext 2 IoCs
description                           pid   Process   procid_target
PID 2116 set thread context of 3556   2116  test.exe  85
PID 3280 set thread context of 3044   3280  c.exe     86
- Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
- Program crash 4 IoCs
pid   pid_target  Process       procid_target
4476  3412        WerFault.exe  88
2736  4448        WerFault.exe  87
4608  4448        WerFault.exe  87
3172  3412        WerFault.exe  88
- System Location Discovery: System Language Discovery 1 TTPs 8 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description  ioc                                                         Process
Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  c.exe
Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  svchost.exe
Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  svchost.exe
Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  92file.exe
Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  a4cddb4d05923df30ff0794d478769b2_JaffaCakes118.exe
Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  test.exe
Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  c.exe
Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  test.exe
- Suspicious use of WriteProcessMemory 33 IoCs
description                          pid   Process                                             procid_target
PID 1568 wrote to memory of 2116     1568  a4cddb4d05923df30ff0794d478769b2_JaffaCakes118.exe  83
PID 1568 wrote to memory of 2116     1568  a4cddb4d05923df30ff0794d478769b2_JaffaCakes118.exe  83
PID 1568 wrote to memory of 2116     1568  a4cddb4d05923df30ff0794d478769b2_JaffaCakes118.exe  83
PID 1568 wrote to memory of 3280     1568  a4cddb4d05923df30ff0794d478769b2_JaffaCakes118.exe  84
PID 1568 wrote to memory of 3280     1568  a4cddb4d05923df30ff0794d478769b2_JaffaCakes118.exe  84
PID 1568 wrote to memory of 3280     1568  a4cddb4d05923df30ff0794d478769b2_JaffaCakes118.exe  84
PID 2116 wrote to memory of 3556     2116  test.exe                                            85
PID 2116 wrote to memory of 3556     2116  test.exe                                            85
PID 2116 wrote to memory of 3556     2116  test.exe                                            85
PID 3280 wrote to memory of 3044     3280  c.exe                                               86
PID 3280 wrote to memory of 3044     3280  c.exe                                               86
PID 3280 wrote to memory of 3044     3280  c.exe                                               86
PID 2116 wrote to memory of 3556     2116  test.exe                                            85
PID 2116 wrote to memory of 3556     2116  test.exe                                            85
PID 3280 wrote to memory of 3044     3280  c.exe                                               86
PID 3280 wrote to memory of 3044     3280  c.exe                                               86
PID 3556 wrote to memory of 4448     3556  test.exe                                            87
PID 3556 wrote to memory of 4448     3556  test.exe                                            87
PID 3556 wrote to memory of 4448     3556  test.exe                                            87
PID 3044 wrote to memory of 3412     3044  c.exe                                               88
PID 3044 wrote to memory of 3412     3044  c.exe                                               88
PID 3044 wrote to memory of 3412     3044  c.exe                                               88
PID 3556 wrote to memory of 4448     3556  test.exe                                            87
PID 3556 wrote to memory of 4496     3556  test.exe                                            89
PID 3556 wrote to memory of 4496     3556  test.exe                                            89
PID 3044 wrote to memory of 3412     3044  c.exe                                               88
PID 3044 wrote to memory of 3536     3044  c.exe                                               91
PID 3044 wrote to memory of 3536     3044  c.exe                                               91
PID 3556 wrote to memory of 4496     3556  test.exe                                            89
PID 3044 wrote to memory of 3536     3044  c.exe                                               91
PID 3044 wrote to memory of 3308     3044  c.exe                                               97
PID 3044 wrote to memory of 3308     3044  c.exe                                               97
PID 3044 wrote to memory of 3308     3044  c.exe                                               97
Processes
- C:\Users\Admin\AppData\Local\Temp\a4cddb4d05923df30ff0794d478769b2_JaffaCakes118.exe (PID:1568)
  Command line: "C:\Users\Admin\AppData\Local\Temp\a4cddb4d05923df30ff0794d478769b2_JaffaCakes118.exe"
  Signatures: Checks computer location settings; System Location Discovery: System Language Discovery; Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\test.exe (PID:2116)
    Command line: "C:\Users\Admin\AppData\Local\Temp\test.exe"
    Signatures: Executes dropped EXE; Suspicious use of SetThreadContext; System Location Discovery: System Language Discovery; Suspicious use of WriteProcessMemory
    - C:\Users\Admin\AppData\Local\Temp\test.exe (PID:3556)
      Command line: "C:\Users\Admin\AppData\Local\Temp\test.exe"
      Signatures: Executes dropped EXE; System Location Discovery: System Language Discovery; Suspicious use of WriteProcessMemory
      - C:\Windows\SysWOW64\svchost.exe (PID:4448)
        Command line: svchost.exe
        Signatures: System Location Discovery: System Language Discovery
        - C:\Windows\SysWOW64\WerFault.exe (PID:2736)
          Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 4448 -s 484
          Signatures: Program crash
        - C:\Windows\SysWOW64\WerFault.exe (PID:4608)
          Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 4448 -s 492
          Signatures: Program crash
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID:4496)
        Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
  - C:\Users\Admin\AppData\Local\Temp\c.exe (PID:3280)
    Command line: "C:\Users\Admin\AppData\Local\Temp\c.exe"
    Signatures: Executes dropped EXE; Suspicious use of SetThreadContext; System Location Discovery: System Language Discovery; Suspicious use of WriteProcessMemory
    - C:\Users\Admin\AppData\Local\Temp\c.exe (PID:3044)
      Command line: "C:\Users\Admin\AppData\Local\Temp\c.exe"
      Signatures: Checks computer location settings; Executes dropped EXE; System Location Discovery: System Language Discovery; Suspicious use of WriteProcessMemory
      - C:\Windows\SysWOW64\svchost.exe (PID:3412)
        Command line: svchost.exe
        Signatures: System Location Discovery: System Language Discovery
        - C:\Windows\SysWOW64\WerFault.exe (PID:4476)
          Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 3412 -s 484
          Signatures: Program crash
        - C:\Windows\SysWOW64\WerFault.exe (PID:3172)
          Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 3412 -s 492
          Signatures: Program crash
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID:3536)
        Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
      - C:\Users\Admin\AppData\Local\Temp\92file.exe (PID:3308)
        Command line: "C:\Users\Admin\AppData\Local\Temp\92file.exe"
        Signatures: Executes dropped EXE; System Location Discovery: System Language Discovery
- C:\Windows\SysWOW64\WerFault.exe (PID:2908)
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 464 -p 4448 -ip 4448
- C:\Windows\SysWOW64\WerFault.exe (PID:3124)
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 412 -p 3412 -ip 3412
- C:\Windows\SysWOW64\WerFault.exe (PID:5068)
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 360 -p 4448 -ip 4448
- C:\Windows\SysWOW64\WerFault.exe (PID:2808)
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 540 -p 3412 -ip 3412
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 570KB
  MD5: ec947f168cb115927be76ab5c96d2579
  SHA1: 75624f129e2957bf769aced2e8932da4115c1d71
  SHA256: eddb8d9143117dc95b3390d0884bd73d729dc4e334c097541baa25ccce28140e
  SHA512: 501aa21e93e0b9b3b42c49bda992692a7c016520eb7065e406cb2c7ee4e257033e94db13bc4f87263de73ff331517482895cf322f1c28bb593964da942afafba
- Filesize: 656KB
  MD5: ccbb568cdc64c6c1bcd64017c75dc733
  SHA1: 2784342892f49a2cdf976ae36045be914ab034cd
  SHA256: 1c03614b1f39c952b06ee7722223aa687d4b4f5cbde61d251dc5a97ddfbfbdc1
  SHA512: 3a5852b0c23f1d13c388e3d81ad069a676347ebf81edd8b531d30edd7bad8814ba6813415dd7ab61e21b4cfda2d615e8c0c19c90afda5bcd25ef0437cd3be53d
- Filesize: 101KB
  MD5: 76d2a6e12aa765b6956151f1314bc324
  SHA1: c1ae87020d101bdc4c1c4632fa9b4e87658d430f
  SHA256: cedbecc6ad6efd885c511180a8d365268cedfb957031e868d52fe9de2b5eedda
  SHA512: 2245b2fd90689163514ca0ff637d07a890cb09b4280891272f6c31e1b95a671c389a8310bb7e0eb5d040cc5f3b547d3f0cb4b2a1c027ac77562f7c585c947ee1