Analysis
- max time kernel: 149s
- max time network: 120s
- platform: windows7_x64
- resource: win7-20240903-en
- resource tags: arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
- submitted: 08-12-2024 14:59
Behavioral task: behavioral1
- Sample: d7a32826a8931724221b193e9f448b04_JaffaCakes118.exe
- Resource: win7-20240903-en
Behavioral task: behavioral2
- Sample: d7a32826a8931724221b193e9f448b04_JaffaCakes118.exe
- Resource: win10v2004-20241007-en
General
- Target: d7a32826a8931724221b193e9f448b04_JaffaCakes118.exe
- Size: 1.0MB
- MD5: d7a32826a8931724221b193e9f448b04
- SHA1: a284d56bcfb9f82177deaed765bda78d260f5d47
- SHA256: f62cce747b4d393e3d2ab03f14ec4412f882333da5cce7a7bb368f4495cb8c19
- SHA512: 8709b4f9083cbd8b899b97ac12498d1ffd12081bfbe368073de397dfa861357b8b1531a7cd6a16914fd2eeb35eab7b6d37bdc01cad8be90dc36b82dea4cb4d11
- SSDEEP: 24576:OPze+0Pze+moJmnNg4XVMD0nDImeKvThFFmB5d:ize7zeJoJmNfND9eK7had
Malware Config
- Extracted family: xtremerat
- neuromante.no-ip.org
Signatures
- Detect XtremeRAT payload (5 IoCs)
  resource                                                                    yara_rule
  behavioral1/memory/2776-2-0x0000000010000000-0x000000001013F000-memory.dmp  family_xtremerat
  behavioral1/files/0x0008000000016d63-6.dat                                  family_xtremerat
  behavioral1/memory/2792-13-0x0000000010000000-0x000000001013F000-memory.dmp family_xtremerat
  behavioral1/memory/2892-19-0x0000000010000000-0x00000000100DF000-memory.dmp family_xtremerat
  behavioral1/memory/2776-21-0x0000000010000000-0x000000001013F000-memory.dmp family_xtremerat
- XtremeRAT
  XtremeRAT was developed by xtremecoder, has been available since at least 2010, and is written in Delphi.
- Xtremerat family
- Executes dropped EXE (1 IoC)
  pid   Process
  2892  16server.exe
- Loads dropped DLL (2 IoCs)
  pid   Process
  2792  d7a32826a8931724221b193e9f448b04_JaffaCakes118.exe
  2792  d7a32826a8931724221b193e9f448b04_JaffaCakes118.exe
- Drops file in System32 directory (5 IoCs)
  description                   ioc                                     Process
  File created                  C:\Windows\SysWOW64\16server.exe.exe    d7a32826a8931724221b193e9f448b04_JaffaCakes118.exe
  File created                  C:\Windows\SysWOW64\16server.exe        d7a32826a8931724221b193e9f448b04_JaffaCakes118.exe
  File created                  C:\Windows\SysWOW64\156Jasmine.jpg.exe  16server.exe
  File created                  C:\Windows\SysWOW64\156Jasmine.jpg      16server.exe
  File opened for modification  C:\Windows\SysWOW64\156Jasmine.jpg      DllHost.exe
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
- System Location Discovery: System Language Discovery (1 TTP, 4 IoCs)
  Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  description  ioc                                                            Process
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language    d7a32826a8931724221b193e9f448b04_JaffaCakes118.exe
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language    svchost.exe
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language    16server.exe
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language    DllHost.exe
- Suspicious use of FindShellTrayWindow (1 IoC)
  pid   Process
  2620  DllHost.exe
- Suspicious use of SetWindowsHookEx (2 IoCs)
  pid   Process
  2620  DllHost.exe
  2620  DllHost.exe
- Suspicious use of WriteProcessMemory (19 IoCs)
  description                       pid   Process                                             procid_target
  PID 2792 wrote to memory of 2776  2792  d7a32826a8931724221b193e9f448b04_JaffaCakes118.exe  30
  PID 2792 wrote to memory of 2776  2792  d7a32826a8931724221b193e9f448b04_JaffaCakes118.exe  30
  PID 2792 wrote to memory of 2776  2792  d7a32826a8931724221b193e9f448b04_JaffaCakes118.exe  30
  PID 2792 wrote to memory of 2776  2792  d7a32826a8931724221b193e9f448b04_JaffaCakes118.exe  30
  PID 2792 wrote to memory of 2776  2792  d7a32826a8931724221b193e9f448b04_JaffaCakes118.exe  30
  PID 2792 wrote to memory of 2584  2792  d7a32826a8931724221b193e9f448b04_JaffaCakes118.exe  31
  PID 2792 wrote to memory of 2584  2792  d7a32826a8931724221b193e9f448b04_JaffaCakes118.exe  31
  PID 2792 wrote to memory of 2584  2792  d7a32826a8931724221b193e9f448b04_JaffaCakes118.exe  31
  PID 2792 wrote to memory of 2584  2792  d7a32826a8931724221b193e9f448b04_JaffaCakes118.exe  31
  PID 2792 wrote to memory of 2584  2792  d7a32826a8931724221b193e9f448b04_JaffaCakes118.exe  31
  PID 2792 wrote to memory of 2892  2792  d7a32826a8931724221b193e9f448b04_JaffaCakes118.exe  32
  PID 2792 wrote to memory of 2892  2792  d7a32826a8931724221b193e9f448b04_JaffaCakes118.exe  32
  PID 2792 wrote to memory of 2892  2792  d7a32826a8931724221b193e9f448b04_JaffaCakes118.exe  32
  PID 2792 wrote to memory of 2892  2792  d7a32826a8931724221b193e9f448b04_JaffaCakes118.exe  32
  PID 2892 wrote to memory of 1536  2892  16server.exe                                        33
  PID 2892 wrote to memory of 1536  2892  16server.exe                                        33
  PID 2892 wrote to memory of 1536  2892  16server.exe                                        33
  PID 2892 wrote to memory of 1536  2892  16server.exe                                        33
  PID 2892 wrote to memory of 1536  2892  16server.exe                                        33
Processes
- C:\Users\Admin\AppData\Local\Temp\d7a32826a8931724221b193e9f448b04_JaffaCakes118.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\d7a32826a8931724221b193e9f448b04_JaffaCakes118.exe"
  PID: 2792
  Signatures: Loads dropped DLL; Drops file in System32 directory; System Location Discovery: System Language Discovery; Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\svchost.exe
    Command line: svchost.exe
    PID: 2776
    Signatures: System Location Discovery: System Language Discovery
  - C:\Program Files\Internet Explorer\iexplore.exe
    Command line: "C:\Program Files\Internet Explorer\iexplore.exe"
    PID: 2584
  - C:\Windows\SysWOW64\16server.exe
    Command line: "C:\Windows\system32\16server.exe"
    PID: 2892
    Signatures: Executes dropped EXE; Drops file in System32 directory; System Location Discovery: System Language Discovery; Suspicious use of WriteProcessMemory
    - C:\Program Files\Internet Explorer\iexplore.exe
      Command line: "C:\Program Files\Internet Explorer\iexplore.exe"
      PID: 1536
- C:\Windows\SysWOW64\DllHost.exe
  Command line: C:\Windows\SysWOW64\DllHost.exe /Processid:{76D0CB12-7604-4048-B83C-1005C7DDC503}
  PID: 2620
  Signatures: Drops file in System32 directory; System Location Discovery: System Language Discovery; Suspicious use of FindShellTrayWindow; Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 278KB
  MD5: fdee1c532f09a7bc3de04ad0f2cedab8
  SHA1: 545c17e779ceead437d405e4ad2cb85cef8d9c1e
  SHA256: b10fddf8ee07c401f6b0906d867b3eaf344ab0d3de93e8eee67eac740eb439f9
  SHA512: 6a13fc519380ba48351930755d5a443ff277579d326594775bd41274669fa10f1b15d60e5a9b252c3fd9af50e6207f752ae99c9f7ecff1c6c536672945b9b40f
- Filesize: 661KB
  MD5: 26425b2fbb73627e02a1ea7f095eab7d
  SHA1: 929b1d21ed7976f274df9520a0d53210969176b3
  SHA256: ce463e3d32f919e7c9870223fccde542d9f198d012a7dcb5738e75017fab59c1
  SHA512: ff3cc950d1c335395edb3f68577381c1153d24841136b1c9d828c742d02d47ed46cce8a7244bba030da1e464ac400baa0c53d6c32d99bf0a8fc82ba979cb332d