Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Analysis

  • max time kernel
    122s
  • max time network
    123s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
  • submitted
    03/12/2024, 10:13 UTC

General

  • Target

    bce7b5687b36b7c35764607777f1e422_JaffaCakes118.exe

  • Size

    96KB

  • MD5

    bce7b5687b36b7c35764607777f1e422

  • SHA1

    892b95d44508d28a2a848a7a3739cf28b2d108b0

  • SHA256

    49c26e68251abe59804330e92802c8f88e320f0faef230f2a0a05161e31b2340

  • SHA512

    72c6c9927010afc0889967bbe98292104129cbd16ba27eb6896d51201e3cd107fd469243bb66dbf6a1fcaa259978a97e0cfc3381737ca6feae43907761199d32

  • SSDEEP

    1536:T2nk5Ql124DsfuMuG3bLCYP6eSVKmP+SW3+Bs9K7Hreyiye0PnD:T2nk5QBsmMd3bLCBKa+N+BcK7vip0PnD

Malware Config

Extracted

Family

xtremerat

C2

deve123.no-ip.biz

Signatures

  • Detect XtremeRAT payload 10 IoCs
  • Modifies firewall policy service 3 TTPs 4 IoCs
  • XtremeRAT

    The XtremeRAT was developed by xtremecoder and has been available since at least 2010, and written in Delphi.

  • Xtremerat family
  • Suspicious use of SetThreadContext 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 6 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

  • Modifies registry key 1 TTPs 2 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 33 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\bce7b5687b36b7c35764607777f1e422_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\bce7b5687b36b7c35764607777f1e422_JaffaCakes118.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • System Location Discovery: System Language Discovery
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:2164
    • C:\Windows\SysWOW64\cmd.exe
      cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
      2⤵
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:2236
      • C:\Windows\SysWOW64\reg.exe
        REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
        3⤵
        • Modifies firewall policy service
        • System Location Discovery: System Language Discovery
        • Modifies registry key
        PID:2772
    • C:\Windows\SysWOW64\cmd.exe
      cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Local\Temp\bce7b5687b36b7c35764607777f1e422_JaffaCakes118.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\bce7b5687b36b7c35764607777f1e422_JaffaCakes118.exe:*:Enabled:Windows Messanger" /f
      2⤵
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:2680
      • C:\Windows\SysWOW64\reg.exe
        REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Local\Temp\bce7b5687b36b7c35764607777f1e422_JaffaCakes118.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\bce7b5687b36b7c35764607777f1e422_JaffaCakes118.exe:*:Enabled:Windows Messanger" /f
        3⤵
        • Modifies firewall policy service
        • System Location Discovery: System Language Discovery
        • Modifies registry key
        PID:2660
    • C:\Users\Admin\AppData\Local\Temp\bce7b5687b36b7c35764607777f1e422_JaffaCakes118.exe
      "C:\Users\Admin\AppData\Local\Temp\bce7b5687b36b7c35764607777f1e422_JaffaCakes118.exe"
      2⤵
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:2644
      • C:\Program Files\Internet Explorer\iexplore.exe
        "C:\Program Files\Internet Explorer\iexplore.exe"
        3⤵
          PID:2652

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • memory/2644-8-0x0000000010000000-0x000000001004A000-memory.dmp

      Filesize

      296KB

    • memory/2644-12-0x0000000010000000-0x000000001004A000-memory.dmp

      Filesize

      296KB

    • memory/2644-13-0x0000000010000000-0x000000001004A000-memory.dmp

      Filesize

      296KB

    • memory/2644-14-0x0000000010000000-0x000000001004A000-memory.dmp

      Filesize

      296KB

    • memory/2644-7-0x0000000010000000-0x000000001004A000-memory.dmp

      Filesize

      296KB

    • memory/2644-6-0x0000000010000000-0x000000001004A000-memory.dmp

      Filesize

      296KB

    • memory/2644-5-0x0000000010000000-0x000000001004A000-memory.dmp

      Filesize

      296KB

    • memory/2644-4-0x0000000010000000-0x000000001004A000-memory.dmp

      Filesize

      296KB

    • memory/2644-3-0x0000000010000000-0x000000001004A000-memory.dmp

      Filesize

      296KB

    • memory/2644-15-0x0000000010000000-0x000000001004A000-memory.dmp

      Filesize

      296KB

    • memory/2644-2-0x0000000010000000-0x000000001004A000-memory.dmp

      Filesize

      296KB

    • memory/2644-11-0x0000000010000000-0x000000001004A000-memory.dmp

      Filesize

      296KB

    • memory/2644-9-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

      Filesize

      4KB

    We care about your privacy.

    This website stores cookies on your computer. These cookies are used to improve your website experience and provide more personalized services to you, both on this website and through other media. To find out more about the cookies we use, see our Privacy Policy.