Analysis
-
max time kernel
134s -
max time network
146s -
platform
windows7_x64 -
resource
win7-20240903-en -
resource tags
arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system -
submitted
03-12-2024 08:32
Static task
static1
Behavioral task
behavioral1
Sample
bc8e1da50706bcb8321e9801e5d0f3b0_JaffaCakes118.exe
Resource
win7-20240903-en
Behavioral task
behavioral2
Sample
bc8e1da50706bcb8321e9801e5d0f3b0_JaffaCakes118.exe
Resource
win10v2004-20241007-en
General
-
Target
bc8e1da50706bcb8321e9801e5d0f3b0_JaffaCakes118.exe
-
Size
256KB
-
MD5
bc8e1da50706bcb8321e9801e5d0f3b0
-
SHA1
d4171182fbc73dada2558a2d01a9217078625c5d
-
SHA256
e41287f8c0fd9459833ad09d8285bb9a44690fdd172fd9a33b933f50ed21dbff
-
SHA512
c39cf3d9fd0a5cec9b8649812c8edb948df1d39e2d8edb9fab917da3768b68825066da2bfc86d4a83d7f75353e2b0e886fb94003769d5e6a4e1de559c4b17e38
-
SSDEEP
6144:332DaBByk9s4hw8JQl5WZl4TyQOI5JgpcvqNplcHsY85BT6V:nKMBMSw8JQpT0Iw5pKhMh2
Malware Config
Signatures
-
Detect XtremeRAT payload 4 IoCs
resource yara_rule behavioral1/memory/2584-40-0x0000000000C80000-0x0000000000C92000-memory.dmp family_xtremerat behavioral1/memory/2584-39-0x0000000000C80000-0x0000000000C92000-memory.dmp family_xtremerat behavioral1/memory/2556-50-0x0000000000C80000-0x0000000000C92000-memory.dmp family_xtremerat behavioral1/memory/2556-52-0x0000000000C80000-0x0000000000C92000-memory.dmp family_xtremerat -
XtremeRAT
The XtremeRAT was developed by xtremecoder and has been available since at least 2010, and written in Delphi.
-
Xtremerat family
-
Boot or Logon Autostart Execution: Active Setup 2 TTPs 2 IoCs
Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.
description ioc Process Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2} bc8e1da50706bcb8321e9801e5d0f3b0_JaffaCakes118.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}\StubPath = "C:\\Windows\\system32\\SystemG\\System.exe restart" bc8e1da50706bcb8321e9801e5d0f3b0_JaffaCakes118.exe -
Adds Run key to start application 2 TTPs 2 IoCs
description ioc Process Set value (str) \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Windows\\system32\\SystemG\\System.exe" bc8e1da50706bcb8321e9801e5d0f3b0_JaffaCakes118.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Windows\\system32\\SystemG\\System.exe" bc8e1da50706bcb8321e9801e5d0f3b0_JaffaCakes118.exe -
Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs
Bootkits write to the MBR to gain persistence at a level below the operating system.
description ioc Process File opened for modification \??\PhysicalDrive0 bc8e1da50706bcb8321e9801e5d0f3b0_JaffaCakes118.exe -
Drops file in System32 directory 2 IoCs
description ioc Process File opened for modification C:\Windows\SysWOW64\SystemG\System.exe bc8e1da50706bcb8321e9801e5d0f3b0_JaffaCakes118.exe File created C:\Windows\SysWOW64\SystemG\System.exe bc8e1da50706bcb8321e9801e5d0f3b0_JaffaCakes118.exe -
Suspicious use of SetThreadContext 1 IoCs
description pid Process procid_target PID 1740 set thread context of 2584 1740 bc8e1da50706bcb8321e9801e5d0f3b0_JaffaCakes118.exe 31 -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 3 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language bc8e1da50706bcb8321e9801e5d0f3b0_JaffaCakes118.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language bc8e1da50706bcb8321e9801e5d0f3b0_JaffaCakes118.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language calc.exe -
Modifies registry class 3 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.key\ bc8e1da50706bcb8321e9801e5d0f3b0_JaffaCakes118.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.key\ = "regfile" bc8e1da50706bcb8321e9801e5d0f3b0_JaffaCakes118.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.key bc8e1da50706bcb8321e9801e5d0f3b0_JaffaCakes118.exe -
Suspicious use of SetWindowsHookEx 2 IoCs
pid Process 1740 bc8e1da50706bcb8321e9801e5d0f3b0_JaffaCakes118.exe 2556 calc.exe -
Suspicious use of WriteProcessMemory 19 IoCs
description pid Process procid_target PID 1740 wrote to memory of 2584 1740 bc8e1da50706bcb8321e9801e5d0f3b0_JaffaCakes118.exe 31 PID 1740 wrote to memory of 2584 1740 bc8e1da50706bcb8321e9801e5d0f3b0_JaffaCakes118.exe 31 PID 1740 wrote to memory of 2584 1740 bc8e1da50706bcb8321e9801e5d0f3b0_JaffaCakes118.exe 31 PID 1740 wrote to memory of 2584 1740 bc8e1da50706bcb8321e9801e5d0f3b0_JaffaCakes118.exe 31 PID 1740 wrote to memory of 2584 1740 bc8e1da50706bcb8321e9801e5d0f3b0_JaffaCakes118.exe 31 PID 1740 wrote to memory of 2584 1740 bc8e1da50706bcb8321e9801e5d0f3b0_JaffaCakes118.exe 31 PID 1740 wrote to memory of 2584 1740 bc8e1da50706bcb8321e9801e5d0f3b0_JaffaCakes118.exe 31 PID 1740 wrote to memory of 2584 1740 bc8e1da50706bcb8321e9801e5d0f3b0_JaffaCakes118.exe 31 PID 1740 wrote to memory of 2584 1740 bc8e1da50706bcb8321e9801e5d0f3b0_JaffaCakes118.exe 31 PID 1740 wrote to memory of 2584 1740 bc8e1da50706bcb8321e9801e5d0f3b0_JaffaCakes118.exe 31 PID 1740 wrote to memory of 2584 1740 bc8e1da50706bcb8321e9801e5d0f3b0_JaffaCakes118.exe 31 PID 1740 wrote to memory of 2584 1740 bc8e1da50706bcb8321e9801e5d0f3b0_JaffaCakes118.exe 31 PID 1740 wrote to memory of 2584 1740 bc8e1da50706bcb8321e9801e5d0f3b0_JaffaCakes118.exe 31 PID 1740 wrote to memory of 2584 1740 bc8e1da50706bcb8321e9801e5d0f3b0_JaffaCakes118.exe 31 PID 2584 wrote to memory of 2556 2584 bc8e1da50706bcb8321e9801e5d0f3b0_JaffaCakes118.exe 32 PID 2584 wrote to memory of 2556 2584 bc8e1da50706bcb8321e9801e5d0f3b0_JaffaCakes118.exe 32 PID 2584 wrote to memory of 2556 2584 bc8e1da50706bcb8321e9801e5d0f3b0_JaffaCakes118.exe 32 PID 2584 wrote to memory of 2556 2584 bc8e1da50706bcb8321e9801e5d0f3b0_JaffaCakes118.exe 32 PID 2584 wrote to memory of 2556 2584 bc8e1da50706bcb8321e9801e5d0f3b0_JaffaCakes118.exe 32
Processes
-
C:\Users\Admin\AppData\Local\Temp\bc8e1da50706bcb8321e9801e5d0f3b0_JaffaCakes118.exe"C:\Users\Admin\AppData\Local\Temp\bc8e1da50706bcb8321e9801e5d0f3b0_JaffaCakes118.exe"1⤵
- Writes to the Master Boot Record (MBR)
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1740 -
C:\Users\Admin\AppData\Local\Temp\bc8e1da50706bcb8321e9801e5d0f3b0_JaffaCakes118.exeC:\Users\Admin\AppData\Local\Temp\bc8e1da50706bcb8321e9801e5d0f3b0_JaffaCakes118.exe2⤵
- Boot or Logon Autostart Execution: Active Setup
- Adds Run key to start application
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2584 -
C:\Windows\SysWOW64\calc.execalc.exe3⤵
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:2556
-
-
Network
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
2Active Setup
1Registry Run Keys / Startup Folder
1Pre-OS Boot
1Bootkit
1Privilege Escalation
Boot or Logon Autostart Execution
2Active Setup
1Registry Run Keys / Startup Folder
1