Overview

overview

10

Static

static

5

b59361e332...18.exe

windows7-x64

10

b59361e332...18.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    149s
  • max time network
    150s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
  • submitted
    01-12-2024 23:03

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    b59361e332e4225f6e6b2689c1187a72_JaffaCakes118.exe

  • Size

    888KB

  • MD5

    b59361e332e4225f6e6b2689c1187a72

  • SHA1

    97971b0503c202a2c4ee1c88dcf85c2bf08fa6f6

  • SHA256

    e8e36723daa8aaeaef03605d1e169e84032c320c67cb2c71177a26dc00d9a281

  • SHA512

    eaef4ced18fd72b770d86916af4a7cfdce73e50aa4a6a53c208256593da28713f52428aad4a73d2627497f4f4d7ea486beaa68ec1fa134cfe9bc32a864c98f3a

  • SSDEEP

    12288:LhhSJRyeHyKAhIV4LoJze68PvanRJkHVphYJGTaTFxfj5ItEByClkRqTHsoo4zkF:LqyeHypU4EJK007QGTojfjqIkF

Score
10/10
modiloaderxtremeratdefense_evasiondiscoveryevasionpersistenceratspywaretrojanupx

Malware Config

Extracted

Family

xtremerat

C2

nerozhack.ddns.com.br

€p ƒalonedevil.no-ip.org

gameszero.dyndns.org

Signatures

  • Detect XtremeRAT payload 4 IoCs
  • ModiLoader, DBatLoader

    ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.

    trojanmodiloader
  • Modiloader family
    modiloader
  • UAC bypass 3 TTPs 1 IoCs
    evasiontrojan
  • XtremeRAT

    The XtremeRAT was developed by xtremecoder and has been available since at least 2010, and written in Delphi.

    persistencespywareratxtremerat
  • Xtremerat family
    xtremerat
  • ModiLoader Second Stage 9 IoCs
  • Executes dropped EXE 8 IoCs
  • Loads dropped DLL 2 IoCs
  • Adds Run key to start application 2 TTPs 6 IoCs
    persistence
  • Checks whether UAC is enabled 1 TTPs 3 IoCs
    evasiontrojan
  • AutoIT Executable 4 IoCs

    AutoIT scripts compiled to PE executables.

  • Drops file in System32 directory 3 IoCs
  • Suspicious use of SetThreadContext 6 IoCs
  • UPX packed file 39 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

    upx
  • Drops file in Windows directory 14 IoCs
  • Hijack Execution Flow: DLL Search Order Hijacking 1 TTPs

    Possible initial access via DLL redirection search order hijacking.

    defense_evasion
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 12 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Suspicious behavior: EnumeratesProcesses 1 IoCs
  • Suspicious behavior: SetClipboardViewer 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 9 IoCs
  • Suspicious use of SetWindowsHookEx 5 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • System policy modification 1 TTPs 1 IoCs
    evasion
  • Uses Volume Shadow Copy service COM API

    The Volume Shadow Copy service is used to manage backups/snapshots.

    ransomware

Processes

  • C:\Users\Admin\AppData\Local\Temp\b59361e332e4225f6e6b2689c1187a72_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\b59361e332e4225f6e6b2689c1187a72_JaffaCakes118.exe"
    1⤵
    • Loads dropped DLL
    • Suspicious use of SetThreadContext
    • Drops file in Windows directory
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:2104
    • C:\Users\Admin\AppData\Local\Temp\b59361e332e4225f6e6b2689c1187a72_JaffaCakes118.exe
      "C:\Users\Admin\AppData\Local\Temp\b59361e332e4225f6e6b2689c1187a72_JaffaCakes118.exe"
      2⤵
      • Checks whether UAC is enabled
      • Drops file in Windows directory
      • System Location Discovery: System Language Discovery
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:1784
      • C:\Windows\chrome.exe
        "C:\Windows\chrome.exe" \melt "C:\Users\Admin\AppData\Local\Temp\b59361e332e4225f6e6b2689c1187a72_JaffaCakes118.exe"
        3⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • Suspicious use of SetThreadContext
        • Drops file in Windows directory
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:2288
        • C:\Windows\chrome.exe
          "C:\Windows\chrome.exe"
          4⤵
          • UAC bypass
          • Executes dropped EXE
          • Adds Run key to start application
          • Checks whether UAC is enabled
          • Drops file in Windows directory
          • System Location Discovery: System Language Discovery
          • Suspicious behavior: SetClipboardViewer
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of SetWindowsHookEx
          • System policy modification
          PID:2312
        • C:\Windows\RSOP.exe
          C:\Windows\RSOP.exe
          4⤵
          • Executes dropped EXE
          • Suspicious use of SetThreadContext
          • System Location Discovery: System Language Discovery
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:2216
          • C:\Windows\RSOP.exe
            "C:\Windows\RSOP.exe"
            5⤵
            • Executes dropped EXE
            • Suspicious use of SetThreadContext
            • Drops file in Windows directory
            • System Location Discovery: System Language Discovery
            • Suspicious use of AdjustPrivilegeToken
            • Suspicious use of SetWindowsHookEx
            • Suspicious use of WriteProcessMemory
            PID:2988
            • C:\Windows\RSOP.exe
              "C:\Windows\RSOP.exe"
              6⤵
              • Executes dropped EXE
              • System Location Discovery: System Language Discovery
              • Suspicious use of AdjustPrivilegeToken
              PID:2972
    • C:\Windows\RSOP.exe
      C:\Windows\RSOP.exe
      2⤵
      • Executes dropped EXE
      • Suspicious use of SetThreadContext
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:2228
      • C:\Windows\RSOP.exe
        "C:\Windows\RSOP.exe"
        3⤵
        • Executes dropped EXE
        • Suspicious use of SetThreadContext
        • Drops file in Windows directory
        • System Location Discovery: System Language Discovery
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:2816
        • C:\Windows\RSOP.exe
          "C:\Windows\RSOP.exe"
          4⤵
          • Executes dropped EXE
          • System Location Discovery: System Language Discovery
          • Suspicious use of WriteProcessMemory
          PID:2248
          • C:\Windows\SysWOW64\svchost.exe
            svchost.exe
            5⤵
            • Adds Run key to start application
            • System Location Discovery: System Language Discovery
            PID:2860
          • C:\WINDOWS\SysWOW64\taskmgr.exe
            C:\WINDOWS\system32\taskmgr.exe
            5⤵
            • Adds Run key to start application
            • Drops file in System32 directory
            • System Location Discovery: System Language Discovery
            • Suspicious use of SetWindowsHookEx
            PID:1244
  • C:\Windows\system32\vssvc.exe
    C:\Windows\system32\vssvc.exe
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    PID:2616

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1
T1547

Registry Run Keys / Startup Folder

1
T1547.001

Hijack Execution Flow

1
T1574

DLL Search Order Hijacking

1
T1574.001

Privilege Escalation

Abuse Elevation Control Mechanism

1
T1548

Bypass User Account Control

1
T1548.002

Boot or Logon Autostart Execution

1
T1547

Registry Run Keys / Startup Folder

1
T1547.001

Hijack Execution Flow

1
T1574

DLL Search Order Hijacking

1
T1574.001

Defense Evasion

Abuse Elevation Control Mechanism

1
T1548

Bypass User Account Control

1
T1548.002

Hijack Execution Flow

1
T1574

DLL Search Order Hijacking

1
T1574.001

Impair Defenses

1
T1562

Disable or Modify Tools

1
T1562.001

Modify Registry

3
T1112

Credential Access

Discovery

System Information Discovery

2
T1082

System Location Discovery

1
T1614

System Language Discovery

1
T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\hxgfnlg
    Filesize

    9KB

    MD5

    1cae2b547a78ece24949e7abc5ce0832

    SHA1

    54c4b7d4973c22818f87f8a5c5c145e408c65095

    SHA256

    b4efccf8457046aaf4c5b272addd3299003f41ef19bad993ee2be0554a2922ce

    SHA512

    786a678a513f09528335b48fc9e87c0c0e12f795090bb76f27a74fed522bcb0bf842c2b649e1bc19d2b22dbbf76a83a5d0df8e70db242e258de97758ebdc56d8

    Download Submit

  • C:\Windows\RSOP.exe
    Filesize

    300KB

    MD5

    a87e455284d5aaf624c6c419fa7f9bed

    SHA1

    dd7335f04ef50375b124106cc599d4def55f40ac

    SHA256

    3cdc6602fee91dc53c16573cf2f53dbcec491d53a0795312290a804a247a81a3

    SHA512

    000fbf010fdcc5d47be1500372d8ca4d2fe399a4c0e1a9299da5e42fa0fae77711f38be13bab1264e8dd78f321ac79fefdcea52953749756f8d33c225842ae32

    Download Submit

  • C:\Windows\chrome.exe
    Filesize

    888KB

    MD5

    b59361e332e4225f6e6b2689c1187a72

    SHA1

    97971b0503c202a2c4ee1c88dcf85c2bf08fa6f6

    SHA256

    e8e36723daa8aaeaef03605d1e169e84032c320c67cb2c71177a26dc00d9a281

    SHA512

    eaef4ced18fd72b770d86916af4a7cfdce73e50aa4a6a53c208256593da28713f52428aad4a73d2627497f4f4d7ea486beaa68ec1fa134cfe9bc32a864c98f3a

    Download Submit

  • C:\Windows\cmsetac.dll
    Filesize

    33KB

    MD5

    f032f510ff1cd8ca94c6888fb2d9adb8

    SHA1

    415c7b2bb32df56384c2013391b0332d67ffd7ce

    SHA256

    9afcf97e82aea812e4286dfbebf30f11f9dd592cfa2129fea1a869e620acf2cc

    SHA512

    982ff9199b7d4ad22f5d899e8b8bfae10347af7a6b510ef8d30cb3a0a7a59a769256c157da4945ad12fbdcba53793875927c88c81f10546a85ce81e1d73dc925

    Download Submit

  • \Users\Admin\AppData\Roaming\Wplugin.dll
    Filesize

    108KB

    MD5

    8847a8302dacc1d6fca61f125c8fe8e0

    SHA1

    f399142bbf03660bee1df555ebbf3acc8f658cf0

    SHA256

    9c2726defa122089f8251fa104f76d66830f448774ab9bd634adbb6e492e3943

    SHA512

    2b028bb4139c352b80db1509d1a3f479a8ef7e9b3b73ddbf62e2d83d4e59adf4a0bd6b9d68409bc0b6fafb7a5f56844fbfed6d00b824a6b370689801ce1c837f

    Download Submit

  • memory/1244-81-0x0000000010000000-0x000000001004D000-memory.dmp

    Filesize

    308KB

    Download

  • memory/1244-78-0x0000000010000000-0x000000001004D000-memory.dmp

    Filesize

    308KB

    Download

  • memory/1784-153-0x0000000003300000-0x00000000033B1000-memory.dmp

    Filesize

    708KB

    Download

  • memory/1784-93-0x0000000003300000-0x00000000033B1000-memory.dmp

    Filesize

    708KB

    Download

  • memory/1784-34-0x0000000000400000-0x0000000000451000-memory.dmp

    Filesize

    324KB

    Download

  • memory/1784-32-0x0000000000400000-0x0000000000451000-memory.dmp

    Filesize

    324KB

    Download

  • memory/1784-41-0x0000000000400000-0x0000000000451000-memory.dmp

    Filesize

    324KB

    Download

  • memory/1784-87-0x0000000000400000-0x0000000000451000-memory.dmp

    Filesize

    324KB

    Download

  • memory/1784-47-0x0000000000400000-0x0000000000451000-memory.dmp

    Filesize

    324KB

    Download

  • memory/1784-46-0x0000000000400000-0x0000000000451000-memory.dmp

    Filesize

    324KB

    Download

  • memory/1784-45-0x0000000000400000-0x0000000000451000-memory.dmp

    Filesize

    324KB

    Download

  • memory/1784-36-0x0000000000400000-0x0000000000451000-memory.dmp

    Filesize

    324KB

    Download

  • memory/1784-40-0x0000000000400000-0x0000000000451000-memory.dmp

    Filesize

    324KB

    Download

  • memory/1784-92-0x0000000000400000-0x0000000000451000-memory.dmp

    Filesize

    324KB

    Download

  • memory/1784-38-0x0000000000400000-0x0000000000451000-memory.dmp

    Filesize

    324KB

    Download

  • memory/2104-44-0x0000000000400000-0x00000000004B1000-memory.dmp

    Filesize

    708KB

    Download

  • memory/2104-29-0x0000000004590000-0x0000000004641000-memory.dmp

    Filesize

    708KB

    Download

  • memory/2104-1-0x0000000000400000-0x00000000004B1000-memory.dmp

    Filesize

    708KB

    Download

  • memory/2104-31-0x0000000004590000-0x0000000004641000-memory.dmp

    Filesize

    708KB

    Download

  • memory/2104-17-0x0000000004590000-0x0000000004641000-memory.dmp

    Filesize

    708KB

    Download

  • memory/2216-141-0x0000000000290000-0x000000000029E000-memory.dmp

    Filesize

    56KB

    Download

  • memory/2216-117-0x0000000000400000-0x00000000004B1000-memory.dmp

    Filesize

    708KB

    Download

  • memory/2216-139-0x0000000000290000-0x000000000029E000-memory.dmp

    Filesize

    56KB

    Download

  • memory/2216-142-0x0000000000400000-0x00000000004B1000-memory.dmp

    Filesize

    708KB

    Download

  • memory/2228-48-0x0000000003070000-0x0000000003121000-memory.dmp

    Filesize

    708KB

    Download

  • memory/2228-60-0x0000000000400000-0x00000000004B1000-memory.dmp

    Filesize

    708KB

    Download

  • memory/2228-30-0x0000000000400000-0x00000000004B1000-memory.dmp

    Filesize

    708KB

    Download

  • memory/2248-69-0x0000000010000000-0x000000001004D000-memory.dmp

    Filesize

    308KB

    Download

  • memory/2248-70-0x0000000010000000-0x000000001004D000-memory.dmp

    Filesize

    308KB

    Download

  • memory/2248-66-0x0000000010000000-0x000000001004D000-memory.dmp

    Filesize

    308KB

    Download

  • memory/2288-119-0x0000000000400000-0x00000000004B1000-memory.dmp

    Filesize

    708KB

    Download

  • memory/2288-113-0x0000000002BE0000-0x0000000002C91000-memory.dmp

    Filesize

    708KB

    Download

  • memory/2312-116-0x0000000000400000-0x0000000000451000-memory.dmp

    Filesize

    324KB

    Download

  • memory/2312-154-0x0000000000400000-0x0000000000451000-memory.dmp

    Filesize

    324KB

    Download

  • memory/2312-124-0x00000000003D0000-0x00000000003DE000-memory.dmp

    Filesize

    56KB

    Download

  • memory/2312-120-0x0000000000400000-0x0000000000451000-memory.dmp

    Filesize

    324KB

    Download

  • memory/2312-115-0x0000000000400000-0x0000000000451000-memory.dmp

    Filesize

    324KB

    Download

  • memory/2816-59-0x0000000000400000-0x0000000000414000-memory.dmp

    Filesize

    80KB

    Download

  • memory/2816-61-0x0000000000400000-0x0000000000414000-memory.dmp

    Filesize

    80KB

    Download

  • memory/2816-72-0x0000000000400000-0x0000000000414000-memory.dmp

    Filesize

    80KB

    Download

  • memory/2816-63-0x0000000000400000-0x0000000000414000-memory.dmp

    Filesize

    80KB

    Download

  • memory/2816-49-0x0000000000400000-0x0000000000414000-memory.dmp

    Filesize

    80KB

    Download

  • memory/2816-51-0x0000000000400000-0x0000000000414000-memory.dmp

    Filesize

    80KB

    Download

  • memory/2816-53-0x0000000000400000-0x0000000000414000-memory.dmp

    Filesize

    80KB

    Download

  • memory/2816-55-0x0000000000400000-0x0000000000414000-memory.dmp

    Filesize

    80KB

    Download

  • memory/2860-73-0x0000000010000000-0x000000001004D000-memory.dmp

    Filesize

    308KB

    Download

  • memory/2860-75-0x0000000010000000-0x000000001004D000-memory.dmp

    Filesize

    308KB

    Download

  • memory/2988-151-0x0000000000400000-0x0000000000414000-memory.dmp

    Filesize

    80KB

    Download

  • memory/2988-145-0x0000000000130000-0x000000000013E000-memory.dmp

    Filesize

    56KB

    Download