Analysis
- max time kernel: 122s
- max time network: 123s
- platform: windows7_x64
- resource: win7-20240903-en
- resource tags: arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
- submitted: 03/12/2024, 10:13
Static task: static1
Behavioral task: behavioral1
- Sample: bce7b5687b36b7c35764607777f1e422_JaffaCakes118.exe
- Resource: win7-20240903-en
General
- Target: bce7b5687b36b7c35764607777f1e422_JaffaCakes118.exe
- Size: 96KB
- MD5: bce7b5687b36b7c35764607777f1e422
- SHA1: 892b95d44508d28a2a848a7a3739cf28b2d108b0
- SHA256: 49c26e68251abe59804330e92802c8f88e320f0faef230f2a0a05161e31b2340
- SHA512: 72c6c9927010afc0889967bbe98292104129cbd16ba27eb6896d51201e3cd107fd469243bb66dbf6a1fcaa259978a97e0cfc3381737ca6feae43907761199d32
- SSDEEP: 1536:T2nk5Ql124DsfuMuG3bLCYP6eSVKmP+SW3+Bs9K7Hreyiye0PnD:T2nk5QBsmMd3bLCBKa+N+BcK7vip0PnD
Malware Config
Extracted
- Family: xtremerat
- C2: deve123.no-ip.biz
Signatures

Detect XtremeRAT payload (10 IoCs)
  resource / yara_rule
  - behavioral1/memory/2644-4-0x0000000010000000-0x000000001004A000-memory.dmp: family_xtremerat
  - behavioral1/memory/2644-5-0x0000000010000000-0x000000001004A000-memory.dmp: family_xtremerat
  - behavioral1/memory/2644-6-0x0000000010000000-0x000000001004A000-memory.dmp: family_xtremerat
  - behavioral1/memory/2644-7-0x0000000010000000-0x000000001004A000-memory.dmp: family_xtremerat
  - behavioral1/memory/2644-8-0x0000000010000000-0x000000001004A000-memory.dmp: family_xtremerat
  - behavioral1/memory/2644-11-0x0000000010000000-0x000000001004A000-memory.dmp: family_xtremerat
  - behavioral1/memory/2644-12-0x0000000010000000-0x000000001004A000-memory.dmp: family_xtremerat
  - behavioral1/memory/2644-13-0x0000000010000000-0x000000001004A000-memory.dmp: family_xtremerat
  - behavioral1/memory/2644-14-0x0000000010000000-0x000000001004A000-memory.dmp: family_xtremerat
  - behavioral1/memory/2644-15-0x0000000010000000-0x000000001004A000-memory.dmp: family_xtremerat

Modifies firewall policy service (3 TTPs, 4 IoCs)
  description / ioc / Process
  - Key created: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List (reg.exe)
  - Set value (str): \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\Users\Admin\AppData\Local\Temp\bce7b5687b36b7c35764607777f1e422_JaffaCakes118.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\bce7b5687b36b7c35764607777f1e422_JaffaCakes118.exe:*:Enabled:Windows Messanger" (reg.exe)
  - Key created: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile (reg.exe)
  - Set value (int): \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" (reg.exe)
XtremeRAT
  XtremeRAT was developed by xtremecoder, is written in Delphi, and has been available since at least 2010.

Xtremerat family
Suspicious use of SetThreadContext (1 IoC)
  description / pid / Process / procid_target
  - PID 2164 set thread context of 2644: pid 2164, bce7b5687b36b7c35764607777f1e422_JaffaCakes118.exe, procid_target 32

Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
System Location Discovery: System Language Discovery (1 TTP, 6 IoCs)
  Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  description / ioc / Process
  - Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (bce7b5687b36b7c35764607777f1e422_JaffaCakes118.exe)
  - Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (bce7b5687b36b7c35764607777f1e422_JaffaCakes118.exe)
  - Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (cmd.exe)
  - Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (reg.exe)
  - Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (cmd.exe)
  - Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (reg.exe)
Modifies registry key (1 TTP, 2 IoCs)
  pid / Process
  - 2660: reg.exe
  - 2772: reg.exe

Suspicious use of SetWindowsHookEx (1 IoC)
  pid / Process
  - 2164: bce7b5687b36b7c35764607777f1e422_JaffaCakes118.exe

Suspicious use of WriteProcessMemory (33 IoCs)
  description / pid / Process / procid_target (identical entries collapsed with their count)
  - 4 x PID 2164 wrote to memory of 2236: pid 2164, bce7b5687b36b7c35764607777f1e422_JaffaCakes118.exe, procid_target 30
  - 4 x PID 2164 wrote to memory of 2680: pid 2164, bce7b5687b36b7c35764607777f1e422_JaffaCakes118.exe, procid_target 31
  - 12 x PID 2164 wrote to memory of 2644: pid 2164, bce7b5687b36b7c35764607777f1e422_JaffaCakes118.exe, procid_target 32
  - 5 x PID 2644 wrote to memory of 2652: pid 2644, bce7b5687b36b7c35764607777f1e422_JaffaCakes118.exe, procid_target 35
  - 4 x PID 2680 wrote to memory of 2660: pid 2680, cmd.exe, procid_target 36
  - 4 x PID 2236 wrote to memory of 2772: pid 2236, cmd.exe, procid_target 37
Processes
- C:\Users\Admin\AppData\Local\Temp\bce7b5687b36b7c35764607777f1e422_JaffaCakes118.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\bce7b5687b36b7c35764607777f1e422_JaffaCakes118.exe"
  PID: 2164
  Signatures: Suspicious use of SetThreadContext; System Location Discovery: System Language Discovery; Suspicious use of SetWindowsHookEx; Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\cmd.exe
    Command line: cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
    PID: 2236
    Signatures: System Location Discovery: System Language Discovery; Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\reg.exe
      Command line: REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
      PID: 2772
      Signatures: Modifies firewall policy service; System Location Discovery: System Language Discovery; Modifies registry key
  - C:\Windows\SysWOW64\cmd.exe
    Command line: cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Local\Temp\bce7b5687b36b7c35764607777f1e422_JaffaCakes118.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\bce7b5687b36b7c35764607777f1e422_JaffaCakes118.exe:*:Enabled:Windows Messanger" /f
    PID: 2680
    Signatures: System Location Discovery: System Language Discovery; Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\reg.exe
      Command line: REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Local\Temp\bce7b5687b36b7c35764607777f1e422_JaffaCakes118.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\bce7b5687b36b7c35764607777f1e422_JaffaCakes118.exe:*:Enabled:Windows Messanger" /f
      PID: 2660
      Signatures: Modifies firewall policy service; System Location Discovery: System Language Discovery; Modifies registry key
  - C:\Users\Admin\AppData\Local\Temp\bce7b5687b36b7c35764607777f1e422_JaffaCakes118.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\bce7b5687b36b7c35764607777f1e422_JaffaCakes118.exe"
    PID: 2644
    Signatures: System Location Discovery: System Language Discovery; Suspicious use of WriteProcessMemory
    - C:\Program Files\Internet Explorer\iexplore.exe
      Command line: "C:\Program Files\Internet Explorer\iexplore.exe"
      PID: 2652