Analysis
max time kernel: 94s
max time network: 147s
platform: windows10-2004_x64
resource: win10v2004-20241007-en
resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
submitted: 06-12-2024 23:59
Static task: static1
Behavioral task: behavioral1
Sample: cfaf2f9f41187d2c3bde26abd44943ed_JaffaCakes118.exe
Resource: win7-20240903-en
General
Target: cfaf2f9f41187d2c3bde26abd44943ed_JaffaCakes118.exe
Size: 71KB
MD5: cfaf2f9f41187d2c3bde26abd44943ed
SHA1: 0adf4ec0d322e9c4276c87e8e6a08cf41da60d54
SHA256: 53650090b9038f83f9d9cb64768876abf59f6c0ad22fbb97050644ef09841a7a
SHA512: a6ce8955690870b4fe85a2bf78085e2a97f17a834b83f46fc6ae29c51bdfc5417058b60400e93c7b3c05fc4e1511c73424a8c9d3b668f8e56a19f42a9721e962
SSDEEP: 1536:ObtbI4ZmN264cDWrZ9q5npFy5k1ufvrMK9SCgCnOV35:ObV4WrZIlKkAfvrMKthIp
Malware Config
Extracted
Family: xtremerat
Create: sebirkan99.no-ip.biz
Signatures

Detect XtremeRAT payload (5 IoCs)
resource | yara_rule
behavioral2/memory/3660-24-0x0000000010000000-0x000000001004D000-memory.dmp | family_xtremerat
behavioral2/memory/3660-23-0x0000000010000000-0x000000001004D000-memory.dmp | family_xtremerat
behavioral2/memory/3624-25-0x0000000010000000-0x000000001004D000-memory.dmp | family_xtremerat
behavioral2/memory/3660-26-0x0000000010000000-0x000000001004D000-memory.dmp | family_xtremerat
behavioral2/memory/3624-27-0x0000000010000000-0x000000001004D000-memory.dmp | family_xtremerat

XtremeRAT
XtremeRAT was developed by xtremecoder, is written in Delphi, and has been available since at least 2010.

Xtremerat family

Checks computer location settings (2 TTPs, 1 IoC)
Looks up the country code configured in the registry, likely for geofencing.
description | ioc | Process
Key value queried | \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation | cfaf2f9f41187d2c3bde26abd44943ed_JaffaCakes118.exe
Executes dropped EXE (2 IoCs)
pid | Process
3632 | hilem.exe
3660 | hilem.exe

Suspicious use of SetThreadContext (1 IoC)
description | pid | Process | procid_target
PID 3632 set thread context of 3660 | 3632 | hilem.exe | 84

resource | yara_rule
behavioral2/files/0x000c000000023b93-6.dat | upx
behavioral2/memory/3632-12-0x0000000000400000-0x0000000000410000-memory.dmp | upx
behavioral2/memory/3660-17-0x0000000010000000-0x000000001004D000-memory.dmp | upx
behavioral2/memory/3632-21-0x0000000000400000-0x0000000000410000-memory.dmp | upx
behavioral2/memory/3660-22-0x0000000010000000-0x000000001004D000-memory.dmp | upx
behavioral2/memory/3660-24-0x0000000010000000-0x000000001004D000-memory.dmp | upx
behavioral2/memory/3660-23-0x0000000010000000-0x000000001004D000-memory.dmp | upx
behavioral2/memory/3624-25-0x0000000010000000-0x000000001004D000-memory.dmp | upx
behavioral2/memory/3660-26-0x0000000010000000-0x000000001004D000-memory.dmp | upx
behavioral2/memory/3624-27-0x0000000010000000-0x000000001004D000-memory.dmp | upx
Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).

Program crash (2 IoCs)
pid | pid_target | Process | procid_target
892 | 3624 | WerFault.exe | 85
4908 | 3624 | WerFault.exe | 85

System Location Discovery: System Language Discovery (1 TTPs, 4 IoCs)
Attempts to gather information about the system language of a victim host in order to infer its geographical location.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | hilem.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | hilem.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | svchost.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cfaf2f9f41187d2c3bde26abd44943ed_JaffaCakes118.exe

Suspicious use of SetWindowsHookEx (2 IoCs)
pid | Process
5056 | cfaf2f9f41187d2c3bde26abd44943ed_JaffaCakes118.exe
3632 | hilem.exe

Suspicious use of WriteProcessMemory (18 IoCs; identical rows collapsed, count in last column)
description | pid | Process | procid_target | count
PID 5056 wrote to memory of 3632 | 5056 | cfaf2f9f41187d2c3bde26abd44943ed_JaffaCakes118.exe | 83 | 3
PID 3632 wrote to memory of 3660 | 3632 | hilem.exe | 84 | 8
PID 3660 wrote to memory of 3624 | 3660 | hilem.exe | 85 | 4
PID 3660 wrote to memory of 1756 | 3660 | hilem.exe | 86 | 3
Processes (tree; indentation and "depth N" give the parent/child level)

depth 1: C:\Users\Admin\AppData\Local\Temp\cfaf2f9f41187d2c3bde26abd44943ed_JaffaCakes118.exe
   command line: "C:\Users\Admin\AppData\Local\Temp\cfaf2f9f41187d2c3bde26abd44943ed_JaffaCakes118.exe"
   PID: 5056
   - Checks computer location settings
   - System Location Discovery: System Language Discovery
   - Suspicious use of SetWindowsHookEx
   - Suspicious use of WriteProcessMemory
   depth 2: C:\Users\Admin\AppData\Local\Temp\hilem.exe
      command line: "C:\Users\Admin\AppData\Local\Temp\hilem.exe"
      PID: 3632
      - Executes dropped EXE
      - Suspicious use of SetThreadContext
      - System Location Discovery: System Language Discovery
      - Suspicious use of SetWindowsHookEx
      - Suspicious use of WriteProcessMemory
      depth 3: C:\Users\Admin\AppData\Local\Temp\hilem.exe
         PID: 3660
         - Executes dropped EXE
         - System Location Discovery: System Language Discovery
         - Suspicious use of WriteProcessMemory
         depth 4: C:\Windows\SysWOW64\svchost.exe
            command line: svchost.exe
            PID: 3624
            - System Location Discovery: System Language Discovery
            depth 5: C:\Windows\SysWOW64\WerFault.exe
               command line: C:\Windows\SysWOW64\WerFault.exe -u -p 3624 -s 480
               PID: 892
               - Program crash
            depth 5: C:\Windows\SysWOW64\WerFault.exe
               command line: C:\Windows\SysWOW64\WerFault.exe -u -p 3624 -s 488
               PID: 4908
               - Program crash
         depth 4: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
            command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
            PID: 1756

depth 1: C:\Windows\SysWOW64\WerFault.exe
   command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 428 -p 3624 -ip 3624
   PID: 2896

depth 1: C:\Windows\SysWOW64\WerFault.exe
   command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 528 -p 3624 -ip 3624
   PID: 2312
Network
MITRE ATT&CK Enterprise v15
Downloads
Filesize: 54KB
MD5: e3919a4d64f3979d6c606daab9622f09
SHA1: 8b3213b163083c142fe6a2fec15624c63f71ca39
SHA256: 9bcf15e7fd751f7c380c88a484b41964c3b55d31cdca912e9c2bae2f2eb4a84c
SHA512: 071dad0b1b944b1a3506afba358266fa9e449564c6d19b078c6d0c69b7d19c97471f47bdf7a8c09fd1f9d2286002ce0d18b87f52f0f7cacd062f28511da52c49