Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

10

Static

static

3

a4cddb4d05...18.exe

windows7-x64

10

a4cddb4d05...18.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    149s
  • max time network
    151s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    26/11/2024, 23:54

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    a4cddb4d05923df30ff0794d478769b2_JaffaCakes118.exe

  • Size

    885KB

  • MD5

    a4cddb4d05923df30ff0794d478769b2

  • SHA1

    84d18e438a933601604055eb5aef4b492b9b6b33

  • SHA256

    444019851d9dff176ff5a031d0c64eb491b37ae2cd84bf3214474121851f377a

  • SHA512

    77dce82bcbd69e4aeb88b6bbc65825d021decf95799bee7807d392a46f6a58c1e3e7168e99d38e9c86f32e771ea07ce894ed50165bc68d09f1447b5050f1b914

  • SSDEEP

    24576:C5bfVHXcEjg9244W8N5Gp5KFbjDl75hmV1UMP9n+eh:CVtHX9f4UFHDZ5AVug9n+G

Score
10/10
xtremeratdiscoverypersistenceratspyware

Malware Config

Extracted

Family

xtremerat

C2

esam2at.no-ip.biz

Signatures

  • Detect XtremeRAT payload 12 IoCs
  • XtremeRAT

    The XtremeRAT was developed by xtremecoder and has been available since at least 2010, and written in Delphi.

    persistencespywareratxtremerat
  • Xtremerat family
    xtremerat
  • Checks computer location settings 2 TTPs 2 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 5 IoCs
  • Suspicious use of SetThreadContext 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Program crash 4 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 8 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Suspicious use of WriteProcessMemory 33 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\a4cddb4d05923df30ff0794d478769b2_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\a4cddb4d05923df30ff0794d478769b2_JaffaCakes118.exe"
    1⤵
    • Checks computer location settings
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:1568
    • C:\Users\Admin\AppData\Local\Temp\test.exe
      "C:\Users\Admin\AppData\Local\Temp\test.exe"
      2⤵
      • Executes dropped EXE
      • Suspicious use of SetThreadContext
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:2116
      • C:\Users\Admin\AppData\Local\Temp\test.exe
        "C:\Users\Admin\AppData\Local\Temp\test.exe"
        3⤵
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:3556
        • C:\Windows\SysWOW64\svchost.exe
          svchost.exe
          4⤵
          • System Location Discovery: System Language Discovery
          PID:4448
          • C:\Windows\SysWOW64\WerFault.exe
            C:\Windows\SysWOW64\WerFault.exe -u -p 4448 -s 484
            5⤵
            • Program crash
            PID:2736
          • C:\Windows\SysWOW64\WerFault.exe
            C:\Windows\SysWOW64\WerFault.exe -u -p 4448 -s 492
            5⤵
            • Program crash
            PID:4608
        • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
          "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
          4⤵
            PID:4496
      • C:\Users\Admin\AppData\Local\Temp\c.exe
        "C:\Users\Admin\AppData\Local\Temp\c.exe"
        2⤵
        • Executes dropped EXE
        • Suspicious use of SetThreadContext
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:3280
        • C:\Users\Admin\AppData\Local\Temp\c.exe
          "C:\Users\Admin\AppData\Local\Temp\c.exe"
          3⤵
          • Checks computer location settings
          • Executes dropped EXE
          • System Location Discovery: System Language Discovery
          • Suspicious use of WriteProcessMemory
          PID:3044
          • C:\Windows\SysWOW64\svchost.exe
            svchost.exe
            4⤵
            • System Location Discovery: System Language Discovery
            PID:3412
            • C:\Windows\SysWOW64\WerFault.exe
              C:\Windows\SysWOW64\WerFault.exe -u -p 3412 -s 484
              5⤵
              • Program crash
              PID:4476
            • C:\Windows\SysWOW64\WerFault.exe
              C:\Windows\SysWOW64\WerFault.exe -u -p 3412 -s 492
              5⤵
              • Program crash
              PID:3172
          • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
            "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
            4⤵
              PID:3536
            • C:\Users\Admin\AppData\Local\Temp\92file.exe
              "C:\Users\Admin\AppData\Local\Temp\92file.exe"
              4⤵
              • Executes dropped EXE
              • System Location Discovery: System Language Discovery
              PID:3308
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -pss -s 464 -p 4448 -ip 4448
        1⤵
          PID:2908
        • C:\Windows\SysWOW64\WerFault.exe
          C:\Windows\SysWOW64\WerFault.exe -pss -s 412 -p 3412 -ip 3412
          1⤵
            PID:3124
          • C:\Windows\SysWOW64\WerFault.exe
            C:\Windows\SysWOW64\WerFault.exe -pss -s 360 -p 4448 -ip 4448
            1⤵
              PID:5068
            • C:\Windows\SysWOW64\WerFault.exe
              C:\Windows\SysWOW64\WerFault.exe -pss -s 540 -p 3412 -ip 3412
              1⤵
                PID:2808

              Network

              MITRE ATT&CK Enterprise v15

              Replay Monitor

              Loading Replay Monitor...

              Downloads

              • C:\Users\Admin\AppData\Local\Temp\92file.exe
                Filesize

                570KB

                MD5

                ec947f168cb115927be76ab5c96d2579

                SHA1

                75624f129e2957bf769aced2e8932da4115c1d71

                SHA256

                eddb8d9143117dc95b3390d0884bd73d729dc4e334c097541baa25ccce28140e

                SHA512

                501aa21e93e0b9b3b42c49bda992692a7c016520eb7065e406cb2c7ee4e257033e94db13bc4f87263de73ff331517482895cf322f1c28bb593964da942afafba

                Download Submit

              • C:\Users\Admin\AppData\Local\Temp\c.exe
                Filesize

                656KB

                MD5

                ccbb568cdc64c6c1bcd64017c75dc733

                SHA1

                2784342892f49a2cdf976ae36045be914ab034cd

                SHA256

                1c03614b1f39c952b06ee7722223aa687d4b4f5cbde61d251dc5a97ddfbfbdc1

                SHA512

                3a5852b0c23f1d13c388e3d81ad069a676347ebf81edd8b531d30edd7bad8814ba6813415dd7ab61e21b4cfda2d615e8c0c19c90afda5bcd25ef0437cd3be53d

                Download Submit

              • C:\Users\Admin\AppData\Local\Temp\test.exe
                Filesize

                101KB

                MD5

                76d2a6e12aa765b6956151f1314bc324

                SHA1

                c1ae87020d101bdc4c1c4632fa9b4e87658d430f

                SHA256

                cedbecc6ad6efd885c511180a8d365268cedfb957031e868d52fe9de2b5eedda

                SHA512

                2245b2fd90689163514ca0ff637d07a890cb09b4280891272f6c31e1b95a671c389a8310bb7e0eb5d040cc5f3b547d3f0cb4b2a1c027ac77562f7c585c947ee1

                Download Submit

              • memory/1568-0-0x0000000000400000-0x00000000004C9E00-memory.dmp

                Filesize

                807KB

                Download

              • memory/1568-1-0x0000000000409000-0x000000000040A000-memory.dmp

                Filesize

                4KB

                Download

              • memory/1568-20-0x0000000000400000-0x00000000004C9E00-memory.dmp

                Filesize

                807KB

                Download

              • memory/2116-9-0x0000000000400000-0x0000000000421000-memory.dmp

                Filesize

                132KB

                Download

              • memory/2116-16-0x0000000000400000-0x0000000000421000-memory.dmp

                Filesize

                132KB

                Download

              • memory/2116-35-0x0000000000400000-0x0000000000421000-memory.dmp

                Filesize

                132KB

                Download

              • memory/3044-27-0x0000000010000000-0x00000000100D9000-memory.dmp

                Filesize

                868KB

                Download

              • memory/3044-29-0x0000000010000000-0x00000000100D9000-memory.dmp

                Filesize

                868KB

                Download

              • memory/3044-30-0x0000000000400000-0x00000000004AC000-memory.dmp

                Filesize

                688KB

                Download

              • memory/3044-31-0x0000000010000000-0x00000000100D9000-memory.dmp

                Filesize

                868KB

                Download

              • memory/3280-21-0x0000000000400000-0x00000000004AC000-memory.dmp

                Filesize

                688KB

                Download

              • memory/3280-33-0x0000000000400000-0x00000000004AC000-memory.dmp

                Filesize

                688KB

                Download

              • memory/3280-22-0x0000000000400000-0x00000000004AC000-memory.dmp

                Filesize

                688KB

                Download

              • memory/3308-49-0x0000000000400000-0x000000000049F000-memory.dmp

                Filesize

                636KB

                Download

              • memory/3412-37-0x0000000010000000-0x00000000100D9000-memory.dmp

                Filesize

                868KB

                Download

              • memory/3412-48-0x0000000010000000-0x00000000100D9000-memory.dmp

                Filesize

                868KB

                Download

              • memory/3556-25-0x0000000010000000-0x000000001004C000-memory.dmp

                Filesize

                304KB

                Download

              • memory/3556-23-0x0000000010000000-0x000000001004C000-memory.dmp

                Filesize

                304KB

                Download

              • memory/3556-26-0x0000000010000000-0x000000001004C000-memory.dmp

                Filesize

                304KB

                Download

              • memory/4448-36-0x0000000010000000-0x000000001004C000-memory.dmp

                Filesize

                304KB

                Download

              • memory/4448-47-0x0000000010000000-0x000000001004C000-memory.dmp

                Filesize

                304KB

                Download